spec: Warning the Subscriber If the Pseudonymous IMSI Does Not Change
diff --git a/docs/imsi-pseudo-spec.adoc b/docs/imsi-pseudo-spec.adoc
index f13d858..eaacd0c 100644
--- a/docs/imsi-pseudo-spec.adoc
+++ b/docs/imsi-pseudo-spec.adoc
@@ -130,6 +130,7 @@
can delay assigning new pseudonymous IMSIs until new IMSIs are available again.
.Examples for additional subscriber data in HLR
+[options="header"]
|===
| Subscriber ID | imsi_pseudo | imsi_pseudo_i
// example IMSIs taken from Wikipedia
@@ -174,6 +175,30 @@
the next pseudonymous IMSI arrives from the HLR. A reference implementation is
provided in <<reference-src>>.
+===== Counter Storage
+
+The following counter variables are stored in the SIM applet.
+
+[options="header",cols="20%,12%,68%"]
+|===
+| Name | Initial value | Description
+
+| imsi_pseudo_i
+| 1
+| See <<hlr-imsi-pseudo-i>>.
+
+| imsi_pseudo_lu
+| 0
+| Amount of Location Updating procedures done with the same pseudonymous IMSI.
+
+| imsi_pseudo_lu_max
+| (decided by operator)
+| Maximum amount of Location Updating procedures done with the same
+ pseudonymous IMSI, before the SIM applet shows a warning to the subscriber.
+|===
+
+===== Switch to Next Pseudonymous IMSI
+
The SIM applet registers to a suitable SMS trigger (3GPP TS 03.19, Section
6.2). When an SMS from the HLR in the structure of <<sms-structure>> arrives,
the applet must verify that the SMS is not outdated by comparing imsi_pseudo_i
@@ -184,12 +209,27 @@
The SIM applet registers a timer with min_sleep_time from the SMS. When the
timer triggers, the IMSI of the SIM is overwritten with the new pseudonymous
IMSI, the TMSI and GSM Ciphering key Kc (3GPP TS 31.102, Section 4.4.3.1) are
-invalidated. The current imsi_pseudo_i value is stored to compare it with the
-next SMS. Afterwards, the EF~IMSI~ changing procedure in 3GPP TS 11.14, Section
-6.4.7.1 is executed to apply the new IMSI.
+invalidated. The current imsi_pseudo_i from the SMS is stored in the SIM applet
+to compare it with the next SMS. imsi_pseudo_lu is reset to 0. Afterwards,
+the EF~IMSI~ changing procedure in 3GPP TS 11.14, Section 6.4.7.1 is executed
+to apply the new IMSI.
// FIXME: do we need to enforce the LU now, with an arbitrary CM Service
// Request, or would this only be necessary for Osmocom? (OS#4404)
+
+===== Warning the Subscriber If the Pseudonymous IMSI Does Not Change
+
+An attacker could potentially block the next pseudonymous IMSI SMS on purpose.
+Because the SIM applet cannot decide the next pseudonymous IMSI, it would have
+the same pseudonymous IMSI for a long time. Then it could become feasible for
+an attacker to track the subscriber by their pseudonymous IMSI. Therefore the
+SIM applet should warn the subscriber if the pseudonymous IMSI does not change.
+
+The SIM applet registers to EVENT_EVENT_DOWNLOAD_LOCATION_STATUS (3GPP TS
+03.19, Section 6.2) and increases imsi_pseudo_lu by 1 when the event is
+triggered. If imsi_pseudo_lu reaches imsi_pseudo_lu_max, the SIM applet
+displays a warning to the subscriber.
+
[[process-update-location-hlr]]
=== Process Update_Location_HLR
@@ -236,9 +276,9 @@
When Update Location Request arrives, the HLR does not look up the subscriber
by the IMSI, but by the pseudonymous IMSI instead. Unless the subscriber has
-two pseudonymous IMSI allocated and used the old pseudonymous IMSI in the
-Update Location Request, this is followed by the existing logic to continue with
-Insert Subscriber Data Request.
+two pseudonymous IMSI allocated and used the new pseudonymous IMSI in the
+Update Location Request, this is followed by the existing logic to continue
+with Insert Subscriber Data Request.
===== Update Location Request With New Pseudonymous IMSI
@@ -326,11 +366,6 @@
the HLR has both the old and the new pseudonymous IMSI allocated at this point,
the subscriber is not locked out of the network.
-An attacker might block the next pseudonymous IMSI SMS on purpose. Then the
-subscriber would have the same pseudonymous IMSI for a long time. A suitable
-defense is warning the subscriber if the IMSI does not change
-(<<warn-no-imsi-change>>).
-
=== Next Pseudonymous IMSI SMS arrives out of order
The next pseudonymous IMSI SMS may arrive out of order. Either, because the
@@ -385,8 +420,6 @@
end encryption from the HLR to the SIM. It was considered for this
specification, but found to be out of scope.
-[[warn-no-imsi-change]]
-=== Warning the User if the IMSI Does Not Change
=== User-configurable Minimum Duration Between IMSI Changes
<<<