The subscriber identity confidentiality feature is the property that the IMSI is not made available or disclosed to unauthorized individuals, entities or processes.

This feature provides for the privacy of the identities of the subscribers who are using GSM PLMN resources (e.g. a traffic channel or any signalling means). It allows for the improvement of all other security features (e.g. user data confidentiality) and provides for the protection against tracing the location of a mobile subscriber by listening to the signalling exchanges on the radio path.

This feature necessitates the confidentiality of the subscriber identity (IMSI) when it is transferred in signalling messages (see subclause 3.5) together with specific measures to preclude the possibility to derive it indirectly from listening to specific information, such as addresses, at the radio path. The means used to identify a mobile subscriber on the radio path consists of a local number called Temporary Mobile Subscriber Identity (TMSI), described in GSM 03.20. When used, the subscriber identity confidentiality feature shall apply for all signalling sequences on the radio path. However, in the case of location register failure, or in case the MS has no TMSI available, open identification is allowed on the radio path.

International Mobile Subscriber identity (IMSI) authentication is the corroboration by the land based part of the system that the subscriber identity (IMSI or TMSI), transferred by the mobile subscriber within the identification procedure at the radio path, is the one claimed.

The purpose of this authentication security feature is to protect the network against unauthorized use. It enables also the protection of the GSM PLMN subscribers by denying the possibility for intruders to impersonate authorized users.

The authentication of the GSM PLMN subscriber identity may be triggered by the network when the subscriber applies for:

• a change of subscriber related information element in the VLR or HLR (including some or all of: location updating involving change of VLR, registration or erasure of a supplementary service); or
• an access to a service (including some or all of: set up of mobile originating or terminated calls, activation or deactivation of a supplementary service); or
• first network access after restart of MSC/VLR;

or in the event of cipher key sequence number mismatch. Physical security means must be provided to preclude the possibility to obtain sufficient information to impersonate or duplicate a subscriber in a GSM PLMN, in particular by deriving sensitive information from the mobile station equipment. If, on an access request to the GSM PLMN, the subscriber identity authentication procedure fails and this failure is not due to network malfunction, then the access to the GSM PLMN shall be denied to the requesting party.

If an MS is registered and has been successfully authenticated, whether active or not active on a call, calls are permitted (including continuation and hand over). If an MS has already been registered (and therefore been already authenticated) and can not be successfully reauthenticated due to the network malfunction (e.g. the HPLMN was not able to provide authentication pairs RAND, SRES), calls are permitted. If an MS attempts to register and can not be successfully authenticated due to the network malfunction, calls are not permitted. If the MS is not registered, or ceases to be registered, a new registration need to be performed, and the preceding cases apply.

The user data confidentiality feature on physical connections is the property that the user information exchanged on traffic channels is not made available or disclosed to unauthorized individuals, entities or processes.

The purpose of this feature is to ensure the privacy of the user information on traffic channels.

Encryption will normally be applied to all voice and non voice communications. Although a standard algorithm will normally be employed, it is permissible for the mobile station and/or PLMN infrastructure to support more than one algorithm. In this case, the infrastructure is responsible for deciding which algorithm to use (including the possibility not to use encryption, in which case confidentiality is not applied). When necessary, the MS shall signal to the network indicating which of up to seven ciphering algorithms it supports. The serving network then selects one of these that it can support (based on an order of priority preset in the network), and signals this to the MS. The selected algorithm is then used by the MS and network. The ME has to check if the user data confidentiality is switched on using one of the seven algorithms. In the event that the ME detects that this is not the case, or ceases to be the case (e.g. during handover), then an indication is given to the user. This ciphering indicator feature may be disabled by the SIM (see GSM 11.11). In case the SIM does not support the feature that disables the ciphering indicator, then the ciphering indicator feature in the ME shall be enabled by default. The nature of the indicator and the trigger points for its activation are for the ME manufacturer to decide. During the establishment of a call the trigger point shall be at call initiation at the latest. In the case of handover the trigger point shall be the completion of handover at the latest. The manufacturer may provide the means to enable the user to temporarily disable the feature. This should be done in such a way that the user can protect it from misuse.

The connectionless user data confidentiality feature is the property that the user information which is transferred in a connectionless packet mode over a signalling channel is not made available or disclosed to unauthorized individuals, entities or processes.

The purpose of this feature is to ensure the privacy of the user information on signalling channels (e.g. short messages).

The signalling information element confidentiality feature is the property that a given piece of signalling information which is exchanged between MSs and base stations is not made available or disclosed to unauthorized individuals, entities or processes.

The purpose of this feature is to ensure the privacy of users related signalling elements.

When used, this feature applies on selected fields of signalling messages which are exchanged between MSs and base stations. The signalling information elements included in the message used to establish the connection (protocol discriminator, connection reference, message type and MS identity (IMSI, TMSI or IMEI according to the circumstance)) are not protected. The following signalling information elements related to the user are protected whenever used after connection establishment:

• International Mobile Equipment Identity (IMEI).
• International Mobile Subscriber Identity (IMSI).
• Calling subscriber directory number (mobile terminating calls).
• Called subscriber directory number (mobile originated calls).

The IMSI is stored securely within the SIM. The IMEI shall not be changed after the ME's final production process. It shall resist tampering, i.e. manipulation and change, by any means (e.g. physical, electrical and software). The security policy for the Software Version Number (SVN) is such that it cannot be readily changed by the user, but can be updated with changes to the software. The security of the SVN shall be separate from that of the IMEI.