Today's topic is International Mobile Subscriber Identity (IMSI) and Globally Unique Temporary Identifier (GUTI). These two are parameters (identifiers) used in identifying UEs in LTE networks.
What is IMSI?
IMSI is a unique ID that globally identifies a mobile subscriber. It is composed of two parts, PLMN ID and MSIN, as shown in Figure below. A PLMN ID is an ID that globally identifies a mobile operator (e.g. combination of MCC (450) and MNC (05) for SK Telecom in Korea). MSIN is a unique ID that identifies a mobile subscriber within a mobile operator.
Then, why do mobile operators need to identify its mobile subscribers?
First because that way the operators can tell whether to allow a subscriber attempting to access their network (LTE network) or not. Second they need to identify their subscribers to decide which QoS policy (bandwidth, priority, etc.) to apply to each of them, and finally to charge for the services rendered to each subscriber.
When a user subscribes to a mobile network, the user gets a device and a USIM/SIM card that has an IMSI in it.
By then, the LTE network should already have the same IMSI registered as well. IMSIs are stored in an HSS and an SPR, the LTE entities. In the HSS, a key to be used along with an IMSI in authenticating subscribers, and QoS profile to be used by the user are stored. So, when users attempt to access (i.e. who send Attach Request message), the HSS (the MME on behalf of the HSS, to be accurate. See LTE Authentication for further explanation) denies the users with an unregistered IMSI, but allows ones with a valid registered IMSI by delivering authentication information and QoS profile to the MME. An SPR works with an PCRF to apply a policy to a subscriber. We will revisit SPRs and PCRFs later sometime.
What is GUTI?
Now, we know what IMSI is. But, what is GUTI then?
As mentioned above, IMSI is one of the most important parameters that identify a subscriber. So, if it is exposed over radio link, serious security problem can be caused. Let's say, a hacker somehow finds out your IMSI over the radio link and uses the IMSI in his device. He can disguise himself as you and use LTE services without paying a penny. Then, you will end up paying for the services that you don't use. (Of course, you can fix this problem through device authentication (using the unique serial number). We will not talk about how you fix it now, though.
So, to keep an IMSI secure, an alternate value that a subscriber (UE) can use instead of the IMSI (whenever possible) to access the LTE network was needed. That is why GUTI is used. Unlike an IMSI, a GUTI is not permanent and is changed into a new value whenever generated.
When a UE initially attaches to an LTE network (e.g. turning on the UE), it sends its IMSI to the network for authentication to have itself identified. In other words, it uses the IMSI as its ID. Once connection is established (i.e. once successfully authenticated), the network (MME) delivers a GUTI value through Attach Accept message to the UE, which then remembers the value to use it as its ID instead of the IMSI when it re-attaches to the network (i.e. when it is turned off and then on again later).
The network (MME) can also allocate a GUTI to a UE during TAU process. That is, the GUTI, the temporary ID that identifies the UE, can be changed into a new value even while the UE stays attached to the network.
The network also remembers the GUTI value it allocated to the UE, and thus can recognize the UE even when it requests access using the GUTI, not the IMSI.
As such, since "GUTIs that are temporary values and can be changed as needed" are used as IDs for UEs, they have a greater chance of staying secure even when exposed frequently over the radio link.
The format of a GUTI is illustrated in the lower part of the following figure. Since a GUTI is allocated by an MME, it contains an MME identifier (MMEI) that shows which MME allocates the GUTI and an M-TMSI, a temporary value that uniquely identifies a subscriber in that particular MME.