
UIM, ESN and Equipment Identifiers

Rev.0

Source: Bob Plunkett, Chair, UIM AdHoc, TSG-S 3GPP2
Fujitsu Network Communications
(972) 479-2084
bobplunkett@sprintmail.com

Copyright Statement

The contributor grants a free, irrevocable license to 3GPP2 and its Organizational Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner's name any Organizational Partner's standards publication even though it may include portions of the contribution; and at the Organizational Partner's sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner's standards publication. The contributor must also be willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions, as appropriate.

Notice

Permission is granted to 3GPP2 participants to copy any portion of this contribution for the legitimate purpose of the 3GPP2. Copying this contribution for monetary gain or other non-3GPP2 purpose is prohibited.


What is ESN Used For?

Registration: Optionally used in most air interface standards as part of registration messages.

Fraud Control: Many existing systems use ESN - MIN/IMSI matching for purposes of fraud control.

Authentication: Used in the generation of SSD and AuthR.

Embedded in IMSI: Used in some of the IMSI formats.

CDMA Reverse Traffic Channel Encoding: Provides MS specific channel separation/isolation based on a unique ESN.


ESN Treatment Scenarios

Scenario 1 - Substituting UIM_ID for ESN (32 bit): A 32 bit UIM_ID would be used wherever ESN is used today.

Scenario 2 - Continue to use the ESN in the MS: The 32 bit ESN of the terminal would continue to be used in all existing procedures.

Scenario 3 - ESN stays in the MS but a new number called SSN is used for authentication procedures: Involves a hybrid solution whereby ESN is used in legacy networks and SSN in networks capable of direct UIM support.


#1: Substituting UIM_ID for ESN (32 bit)

UIM_ID is substituted for the Mobile Station ESN in all procedures.

Transparent to existing networks and permits UIM roaming on legacy networks without impact.

New networks could be upgraded to support separate UIM and Terminal identifiers.

May require a regulatory change: It needs to be clarified whether this scenario requires a regulatory change.

One possible interpretation is that the ESN would continue to exist in the terminal. It would simply no longer be used.

Authentication would execute in the UIM.


#1 - Issues

Size of Term_ID: A new Term_ID would be required. Note that this could be the existing MS ESN but could be larger to accommodate future growth.

Size of UIM_ID: The UIM_ID could remain the same size as the existing ESN or it could be increased to some larger number. If a larger size was chosen, existing procedures would use a 32 bit subset of the number. By using a subset number there are some issues with ESN uniqueness.

New messages to query full Term_ID and UIM_IDs: New messages would be needed to extract both the Term_ID and the UIM_ID over the air interface, since the ESN would no longer be used in existing procedures and only a subset of the UIM_ID would be used in the procedures.


#1 - Some more issues

Could create a commercial grade cloning platform. Without additional security procedures between a UIM and the terminal, it would be possible to build an interface to the terminal that permitted easy cloning of MIN/ESNs.

How long do we protect networks that have not implemented authentication?

RF Fingerprinting based on ESN would be lost. RF Fingerprinting networks would need access to the new terminal identifier.


#1 - UIM_ID Subsetting Issues

On occasion (very rarely) you may get two subscribers with the same 32 bit subset. Non-unique in the network - 2 subscribers - 1 ESN. May require some changes to existing networks.

Could cause problems on the reverse channel. Very, very rarely. Could be mitigated by some small changes to the Air Interface.

Problems can be mitigated by ESN assignment management.
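
The subsetting issue and the assignment-management mitigation above can be made concrete with a short added example; it is not part of the original contribution. It assumes a 56 bit UIM_ID whose low-order 32 bits are what legacy procedures see (the slides fix neither the width nor the subset rule), and all function and class names are hypothetical.

```python
# Added illustration, not code from the 3GPP2 contribution.
# Assumptions: UIM_ID is 56 bits wide and legacy procedures see its
# low-order 32 bits; the slides fix neither the width nor the subset rule.
from collections import defaultdict

UIM_ID_BITS = 56                    # assumed width
ESN_BITS = 32                       # legacy ESN width, from the slides
ESN_MASK = (1 << ESN_BITS) - 1

# Constructed sample UIM_IDs: the first two differ only above bit 31.
SAMPLE = [0x000001_12345678, 0x000002_12345678, 0x000001_0A0B0C0D]


def esn_subset(uim_id):
    """Return the 32-bit value a legacy network would treat as the ESN."""
    if not 0 <= uim_id < (1 << UIM_ID_BITS):
        raise ValueError("UIM_ID out of range")
    return uim_id & ESN_MASK


def find_subset_collisions(uim_ids):
    """Map each shared subset to the distinct UIM_IDs behind it."""
    groups = defaultdict(set)
    for uid in uim_ids:
        groups[esn_subset(uid)].add(uid)
    return {esn: sorted(ids) for esn, ids in groups.items() if len(ids) > 1}


class UimIdRegistry:
    """Assignment management: one issued UIM_ID per 32-bit subset."""

    def __init__(self):
        self._issued = {}           # subset -> full UIM_ID

    def assign(self, candidate):
        """Issue candidate and return True, or False if its subset is taken."""
        esn = esn_subset(candidate)
        if esn in self._issued:
            return False
        self._issued[esn] = candidate
        return True


def expected_colliding_pairs(n):
    """Expected colliding pairs if n subsets were uniformly random (assumed)."""
    return n * (n - 1) / 2 / (1 << ESN_BITS)
```

The registry enforces uniqueness at issue time, so the "2 subscribers - 1 ESN" case never reaches the network; the collision finder is the audit for identifiers that were issued without such a check.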


#2 - Continue to use the ESN in the MS

The terminal ESN could continue to be used in all procedures.

Relies upon the fact that the ESN is transferred from the phone to the network as part of the Authentication procedures.

The network Authentication procedures would then have to take into account the current ESN identified and discard any previously used values.

Authentication would execute in the UIM (A-Key is in the UIM).

New messages are still required for UIM_ID.


#2 - Issues

Still a limited number space if the 32 bit ESN continues to be used.

This approach requires a manual update of MIN/ESN for non-authenticating networks where the UIM transfer between terminals occurred between networks. Customer and Customer Service Impacting.

Network Authentication implementations may assume MIN/ESN binding. May require changes to existing networks.

IMSI/TIMSI includes the ESN in some instances. Dynamic binding of the ESN to the IMSI/TIMSI must be supported by the networks.

Is there also an issue with SSD sharing here?


#3 - SSN Hybrid Solution

ESN stays in the MS and uses a new number called SSN for authentication procedures.

Decouples ESN from Authentication procedures and from subscription in general.

SSN is known only to the UIM manufacturer and the operator.

The approach would not permit SSD sharing without IS-41 changes.

Requires IS-41 changes to support SSN transfers.

New messages are still required for UIM_ID.