Preserving Privacy of User Identity Based on Pseudonym Variable in 5G

: The fifth generation (5G) system is the forthcoming generation of the mobile communication system. It has numerous additional features and offers an extensively high data rate, more capacity, and low latency. How-ever, these features and applications have many problems and issues in terms of security, which has become a great challenge in the telecommunication industry. This paper aimed to propose a solution to preserve the user identity privacy in the 5G system that can identify permanent identity by using Variable Mobile Subscriber Identity, which randomly changes and does not use the permanent identity between the user equipment and home network. Through this mechanism, the user identity privacy would be secured and hidden. Moreover, it improves the synchronization between mobile users and home networks. Additionally, its compliance with the Authentication and Key Agreement (AKA) structure was adopted in the previous generations. It can be deployed efficiently in the preceding generations because the current architecture imposes minimal modifications on the network parties without changes in the authentication vector’s message size. Moreover, the addition of any hardware to the AKA carries minor adjustments on the network parties. In this paper, the ProVerif is used to verify the proposed scheme.

and f5 were produced by XORing the Authentication Token (AUTN), which contains the SQN with the MAC. Finally, the AV, which consists of CK, IK, XRES, AUTN, and RAND, is created by the HSS. The AV is sent to the MME, which then forwards the AUTN and RAND upon an authentication request to the UE and saves the XRES [8]. For 5G applications, i.e., healthcare, financial, and other IoT network, the authentication would ensure a high degree of security and privacy. Numerous researchers are interested in and focused on 5G security and privacy to enhance identity privacy and hide permanent IMSI. There are many proposals and researches for user identity privacy. Some studies assumed the new architecture with Network Functions Virtualization (NFV) and Software-Defined Networking (SDN) for 5G networks, as presented in Tab. 1.
Conversely, some researchers have assumed the same architecture of 4G for 5G networks with new proposals for enhanced user identity privacy. Two groups are working on security architecture and AKA proposal in 5G using the standard guideline [9]. Low computation complexity and communication overhead have been achieved due to the consideration of similar security architecture for the previous generations; the proposal can also fit easily in the preceding generations and the current architecture. Furthermore, it imposes minimal modifications to the network parties. However, a new security architecture and the AKA mechanism are also being considered for 5G with the NFV and SDN, as presented in Tab. 1. However, a significant drawback of this proposal is that devices using NFV are required to adjust the most network entities that require costly hardware to be replaced, which may be more expensive and require high computation complexity and communication overhead [10].

Related Works
Extensive research has studied the uses of the SN shared group keys, private key, or public-key SN while hiding the permanent identity. In [11], a procedure was developed based on identitybased encryption to challenge this type of encryption. However, the method is called privacy enhanced fast mutual authentication (PEFMA) used to encrypt the IMSI. In this procedure, the SN has public keys, and the UE does not need to join the HN. The permanent identity of UE is hidden once it is encrypted using the public key of the SN. The PEFMA can run without communicating with the HN, as the SN and UE have the public keys.  [12], the Mobility Support System (MSS) is offered as a primary key to keep the permanent identity of the user in a 5G system secured with a slight effect on the communication standards. Contrarily, two crypto libraries, namely, Nettle and Open SSL, are used to implement the 5G communication standard in four Android-based schemes. The developed method for Android execution is evaluated; such an execution involves the unequal method of Elliptic Curve Integrated Encryption Scheme (ECIES). Furthermore, the effect of the applied estimation of encrypting the IMSI in 5G networks is induced by using ECIES without the MAC [13].
In [14], the structures of 3GPP AKA are presented to offer faultless onward privacy for the session key. The USIM card and mobile device interfaces do not influence the new design and, consequently, permit re-use of the present prepared USIM. However, motionless extortions continue to the sitting K'ASME key. The paper proposes to bind the belongings of a secret key K by considering a sensibly slight effect on the legacy of 3GPP constructions.
Another study investigated the IMSI encryption in which the IMSI-NC and CC data have defined and publicized the hidden identifier [15]. However, the routing requests for validation data between HN and visited network as well as the request for other IMSI data to be publicized within the HN are discussed here.
A proposal on Quantum Key GRID based the Authentication and Key Agreement in 5G (QKG-AKA) for dynamic security association, which has also been deployed in 4G [16,17]. Another study proposed the efficient and lightweight secure SEL-AKA algorithm for the 5G scheme. The suggested mechanism is designed regardless of the use of the global public-key infrastructure. These encryption solutions offer user anonymity by employing numerous methods for encrypting the identity via private-key or public-key cryptography. However, the additional calculation and complication may result in increased bandwidth and calculation period and may need new parameters.
Researchers have used pseudonyms to hide the permanent identity in 5G; for instance, [18] proposed a novel scheme for defending the permanent identity by regenerating a pseudonym in the intermediate of the HN and the UE. The pseudonym is locally initiated at the HN and UE, leading to a poor performance by the available USIMs. Two main stages are suggested in this work. First is fast attachment by the UE when the SN or HN does not join any pseudonym. In this situation, the UE allocates a TMSI by the SN and a pseudonym P by the HN. At the second stage, the UE is enforced to detect itself using P, whereas the UE TMSI is no longer at risk within the SN, and a new pseudonym will be used to support the unlinkability.
In [19,20], a new version of the 5G AKA protocol is suggested, in which random numbers replace the sequence numbers since the existing 5G (USMs) can accomplish randomized asymmetric encryption processes; thus, the utilization of random numbers for AKA protocol is conceivable. Furthermore, the suggested solution offers two extra security topographies, i.e., forward security and post-compromise security, which do not exist in the present 5G AKA procedure. Then, the performance is evaluated (both the communication efficiency and computation) by the suggested AKA protocol, and its results are compared with those of the presented 5G AKA procedure.
These methods attempt to develop pseudonym in 5G systems. However, the techniques have various drawbacks: the administration of pseudonyms requires superfluous handling exertion and memory cost. The distribution of pseudonyms to all UE from the system requires an extra bandwidth. Finally, numerous studies suggested new architectures and formats in 5G networks. For example, in [20], a general idea was provided for the security contests in SDN, NFV, and clouds as well as customer solitude contests. Moreover, the authors recommended that shared activities and trust imitations must occur among numerous parts in the procedure, such as network operator, service provider, application designer, user, and manufacturer, on information using and storing to preserve the user privacy in 5G networks.
In [21], the user privacy issues in LTE and WiMAX have been addressed at the MAC and physical layers. The privacy improvement in 5G was indicated by the production of a flexible 5G system architecture that authorizes the generation of trust replicas. Reference [22] proposed two key agreement protocols and the Privacy-Preserving Authentication (PPAKA-IBS and PPAKA-HAMC) to ensure protected and unknown communications in the D2D group.
In [23], in a new structure designed for 5G network security, the scrutiny of independence management and flexible validation of AKA are addressed. The AKA in the 4G network is proven by the symmetric-key, whereas the 5G network needs validation between the UE and SN and other third parties, such as service suppliers. The hybrid and flexible validation of UE could be performed practically using three diverse methods: validation by the service supplier and SN, validation by the service supplier only, and validation by the SN only. Conversely, in [24], 5G is declared to be accepting novel-based multiparty ecologies, in which many performers can cooperate in the overhaul source. According to the authors 5G intensively relies on software replicas, such as slicing and SDN. It is also suggested that the precursors of the 5G system need to go through the regularity of the systems while confirming the users' privacy. The authors in [25] conducted a similar study as [26]; however, they conducted correlational research and presented SDN into the 5G network to support operative validation handover (HO) and fortification of privacy. In [27], an approach based on a trusted third party worked like a disseminated network between the service supplier and the customer. In [28], the complete official archetypal of a procedure from the AKA group is provided. Moreover, missing security objects are identified, and exact requests are removed from the 3GPP principles describing 5G.
In [29], 4G-RAM is proposed to discourse the current subjects of the 4G network and consider it as an excellent communication and information technology network that suits the increasing 5G demands and acute PS schemes. However, the verification and re-authentication processes of 4G-RAM indicated that integrity and confidentiality are sheltered with the dynamic LTE K. Therefore, it overwhelmed the critical privacy susceptibilities of the LTE network, such as the user tracking based on redirection, IMSI, AV de-synchronization, denial-of-service attacks, and man-in-the-middle attack prevention. 4G-RAM is used to minimize access dormancy by suggesting PEPS-AKA and 4G + FRP that contain slight verification signaling related to other new solutions.
Most of the methods aimed to provide mutual entity authentication in 5G networks and suggested a novel verification procedure, with complete communal verification between the SN and UE. Moreover, these methods modified the AKA protocol, message elements, SN, and UE, as well as new extra components, such as NVF and SDN. This is a significant drawback because using those methods is essential to the adjustment of the bodily level network, which could lead the hardware to be replaced; however, this may be more expensive than the conventional AKA protocol.
As discussed above, research on the critical topic of privacy in 5G networks has been conducted. Thus, their comparison is presented in Tab. 2. A snapshot of the related works is also shown.

User Identity Privacy Issues
User identity privacy is the main issue in mobile communication security, whereas the IMSI exposure is the main issue in user identity privacy. The IMSI is used in the network to identify the UE; therefore, assailants may capture it. Such a vulnerability is usually noted as IMSI catching [30]. For that, the 3GPP allocates several diverse short-term identities, such as C-RNTI, GUTI, and M-TMSI, to a mobile user for different networking services within the mobile network. To improve the confidentiality of the UE identity, the mobile user, instead of using the permanent one (IMSI), can use these temporary identities to identify itself to start a new service request from the network [31,32]. Although this procedure is employed to enhance user identity privacy, the user's permanent identity stays exposed to IMSI catchers. There are some circumstances where the UE uses the IMSI (in clear text) to identify itself; following are some cases for such scenarios: (a) The SN might not get well the GUTI of the UE. (b) UE starts the first attachment. (c) UE performs the HO between MMEs, and the new MME could not get the GUTI of the UE from the previous MME. (d) MME could not recover the permanent identity of the UE. In the 5G system, user identity privacy must be improved to keep an extra privacy level and to achieve safe interchanging of information with mutual authentication. In the 5G system, a robust identity administration mechanism is requested to defend the user's identity from unauthorized access of users. The 5G network will be dealing with the environment by different bearings and comprise several investors.

AKA Protocol
To provide both the established and shared IK and cipher key CK and to achieve mutual authentication between the HN and UE, the AKA process is applied for the physical channel of E-UTRAN. The details of the AKA protocol are discussed in a previous report [14].
The Evolved Packet System-Authentication and Key Agreement (EPS-AKA) process involves two sub-processes. The first sub-process is directed toward the AKA whereas the second to the distribution of validation data from the HN to the MME. The first sub-algorithm is executed by the MME while receiving the authentication data response from the HSS. Contrarily, the second sub-process is executed by the MME while receiving the attached request from the UE.
The HSS and UE share a permanent top-secret key K. Two SQNs, i.e., SQN UE and SQN HE , are also preserved by the UE HSS to enhance the network's authentication. SQN UE is the uppermost sequence number acknowledged by the USIM, whereas SQN HE is a counter for each UE equipment that is utilized to generate the AVs in the HSS. The EPS-AKA provides a set of MAC functions {f1, f2} and key generation functions {f3, f4, f5}. K, as presented in Fig. 2 Figure 2: AKA protocol by using the IMSI to identify the UE in the network and accomplish the authentication process authentication and key agreement (AKA)

Privacy-Preserving Scheme for the 5G System
To preserve user identity privacy, the permanent identity of the IMSI must be hidden completely by replacing it with the Variable Mobile Subscriber Identity (VMSI); the HSS node can only plan its IMSI for a specific UE. The UE uses the VMSI when it is required to represent its IMSI. In this way, the UE identity privacy is well maintained because the UE and HSS only know the IMSI of the UE, as presented in Fig. 3.
The HSS sends a fresh, unpredictable VMSI called (V FRESH ) that is confidential to the UE in the authentication process. To implement this idea, we suggest essential variations in the features and usages of some basic validation boundaries, which are SQN and RAND. In addition, we recommend encryption of the RAND using SQN token as a key, generated randomly at every run for the EAKA protocol, and using the challenge RAND to provide the UE with the sequence number SQN HE and the new VMSI. The RAND challenge is secured, including the token SQN HE , to get the UE sequence number (SQN UE ). The UE uses the RAND challenge to get the new SQN HE and the new VMSI (V NEW ) through a regular authentication procedure. The UE replaces its VMSI with a new VMSI (V NEW ), which would be used the next time the authentication process is carried out. In implementing the proposed solution, the EAKA protocol is introduced. Tab. 3 presents all the acronyms and their descriptions, which are used in the ProVerif code, obtained figures, and algorithms. In the beginning, the UE transmits a message containing its VMSI; the message also includes the VMSI FIRST to the SN (MME). Whenever the UE wants to join the network, the MME sends an endorsement data request to the HN (HSS) for the incoming VMSI. The HSS generates a new VMSI and sends it to the MME, and the MME then forwards the VMSI to the UE. The details of the EAKA protocol are discussed in Sections A and B.

A. Enhanced HSS Algorithm
Upon enhancing the HSS algorithm, there are two VMSI values for each UE stored in HSS, namely, V and V NEW . V is employed to support the VMSI currently used by the UE. However, V NEW sends the newly produced VMSI assigned to the UE to be used in the following stages to replace its permanent identity. The HN (HSS) saves the extra values V and V NEW in its database with the secret key K and the IMSI for each UE, as presented in Fig. 4. This procedure ensures that the HSS can continuously communicate with the current VMSI saved in the UE with the original IMSI saved in the HSS to identify each UE. Likewise, the SN that hosts the MME preserves V and V NEW in its database for every UE within its area of service to be able to identify each user's equipment. There is a permanent memory storage that contains b = 2 34 unique VMSI entrances named as VMSI-Index and saved in the HSS (see Fig. 3 Figure 4: The VMSI-Index and the HSS's database A VMSI status with a POSITIVE indicator for a specific VMSI in the VMSI-Index indicates that the VMSI is available and is not used by any UE. Finally, a function ENCODE is specified by an operator and used to encrypt V NEW and SQN HE with the key SQN in the HSS to create the encrypted RAND. To implement the EAKA protocol, there are some changes in the HSS protocol presented in Algorithm 1.
Firstly, the HSS should confirm that an incoming VMSI is legal and currently not used by several UEs by discovering the received VMSI in the database of the HSS before it decides whether to receive a VMSI-based validation request or not. The request is barred when no attachment is found. The HSS locates the secret key K and the corresponding UE's IMSI when a match is found.
The HSS issues a not-in-use (fresh) VMSI named V FRESH to the assigned UE, and information linked to the UE is updated at the HSS like the sequence number SQN HE and the VMSIs, after the HSS validates that the received VMSI is the latest VMSI transmitted to the UE by checking VMSI = V NEW .
The SQN HE is handled at the HSS, which confirms that the previous validation process was successful. Once it receives the V NEW from the UE, the HSS immediately updates the SQN HE (see Algorithm 1).   Fig. 4. 7. The AV is transmitted to the MME, which must forward RAND and AUTN to the UE.
First, the HSS confirms that an incoming VMSI is valid and now in use by other UE locating the incoming VMSI in the HSS's database (step 1), before it decides whether to accept the VMSI-based authentication demand or not. The request is rejected when no matches are found. Moreover, the HSS locates the secret key K and the corresponding UE's IMSI when a match is found. In step 2, the HSS allocates a fresh (not-in-use) VMSI called V FRESH to the concerned UE and updates information related to the UE in the HSS like the sequence number SQN HE and the VMSIs, after the HSS confirms that the VMSI that arrived is the latest one transmitted to the UE by checking VMSI = V NEW (sub-steps 2.1 through 2.4).

B. The Enhanced UE Algorithm
The algorithm can be enhanced using a unique VMSI value that must be preserved in the UE smart card (USIM). The service provider embeds an individual VMSI value named VMSI FIRST into the USIM before the first connection. The HSS database also stores the VMSI FIRST value in the V NEW for each USIM's IMSI and is set to the NEGATIVE status of the VMSI FIRST entrance in the VMSI-Index. Throughout the first run of the EAKA protocol, the VMSI FIRST is used only once. In other times, the specific function DECODE is used by the service provider to decrypt a RAND at the UE and use the unsystematic key SQN comprised in AUTN to extract the V NEW and SQN HE . When UE receives AUTN and RAND, it validates the AUTN and calculates the validation reaction message, as presented in Algorithm 2.

Algorithm 2:
The enhanced UE and EAKA protocol. The enhanced UE and EAKA protocol.
Step 1. If step (5)  The MME sends an authentication to reject the message to the UE if XRES = SRES, as presented in Algorithm 2.

C. Formal Verification
For the performance measurement and implementation of the cryptographic protocols, the ProVerif tool is used. This tool is not limited to cryptographic primitives; it also supports hash functions, asymmetric and symmetric encryption, digital signature evidence, etc. ProVerif is compatible with the Linux, Mac, and Windows operating systems. It is used to verify the capability properties, declarations, and observational and communication correspondence.
These competencies are essential and valuable to the security and privacy domain. ProVerif studies, examines, and validates privacy possessions. Furthermore, developing possessions such as verifiability, privacy, and traceability could also be deliberated. The proposed protocol is analyzed in terms of the infinite number of sittings and infinite space of messages. Also, ProVerif is proficient in the modernization of attack: wherever the possessions could not be verified, ProVerif attempts to rebuild an operation suggestion that fabricates the wanted controls. Some authors suggested a new architecture, and others proposed a novel verification procedure, with complete communal verification between the SN and UE. Contrarily, others modified the AKA protocol, message elements, SN, and UE, as well as new extra components such as NVF and SDN.
In this paper, the suggested EAKA enforces protected validation and identification and preserves the privacy of the UEs, i.e., unlinkability and user anonymity threats, as presented in Tab. 3, which are applied in the fixed procedure by ProVerif, as shown in the Appendix. The ProVerif code is also given in the Appendix. The proposal's fundamental idea is that an outside observer (enemy) cannot see any differences in the procedure sequence because any two implementations vary only in user identities where the evidence is produced by utilizing the database of messages [32][33][34].

EAKA Solution Benchmarking
In this section, the current solution is compared with some very related works in the literature. The benchmarking starts with methods of the first classification, i.e., methods that adopt public-key cryptography to enhance privacy. This classification comprises the works of [35][36][37]. Utilization of public-key cryptography to encrypt the IMSI was the core characteristic of the operations of this class.
The core dissimilarity between the EAKA solution and the existing solutions with regard to user identity privacy is a metaphysical one. The existing methods for the UE require the accomplishment of the operation of encryption before the transfer of the IMSI. Then, the HSS decrypts the IMSI, which is encrypted before processing the demand, as presented in Fig. 5. Fig. 6 shows the computation delay, in which the proposed solution achieved lower computation delays compared with the existing ones. Although the UE's privacy can be conserved throughout the attachment process, the public-key cryptography can enhance it. The high processing, data traffic overhead, and complexity as a product of communicating encrypted IMSIs from one MME to another in the authentication procedures and HO are still substantial. The various method proposals must study the UE's processing power to preserve the processing exertions tolerable at the UE. It presents the issue of improving user identity confidentiality for 5G and new concepts using the 3GPP standard that locally manages a randomized address for the UE's WLAN MAC address as a replacement for a generally managed MAC address to alleviate the recognized risk.
In addition, a different version of the 5G AKA procedure is proposed. In this new procedure, the SQNs are swapped with random numbers. The current USIMs are now capable of performing randomized asymmetric encryption operations. The use of random numbers for the 5G AKA protocol is conceivable.
The EAKA solution is better than the existing ones; the existing methods are complicated and have numerous cryptography functions. The UE's WLAN MAC management and a different version of the 5G AKA would require memory cost and extra processing effort. Thus, the amount of processing effort for user elements is enormous as they are re-processed with every authentication process.   [19] lies in the management of the SQN. In fact, by reiterating and transmitting PMSI that included multiple false attachment requests to the HN, an adversary can carry out the server HSS to be out of sync. This is because the method proposed in [19] continuously increases the sequence number at the HSS, which would allow an attacker to conduct a denial-of-service (DoS) attack toward the HSS. Conversely, the EAKA solution eliminates this probability as the sequence number is increased at both the HN and UE only on a successful run of the EAKA protocol. Figs. 6 and 7 show the computation overhead on the HSS and UE, comparing the PMSI, AKA, and EAKA. These figures show that the time elapsed in the EAKA is closer to that in the AKA than that in the PMSI, and the time elapsed in the UE is more diminutive than that in the HSS because the overhead in the UE is negligible. Eqs. (1) and (2) are used to calculate the time elapsed: When the EAKA is applied in ProVerif, an outside attacker cannot see any differences in the procedure consequence because many implementations vary only in user identities. Moreover, when the number of authentication increases, the IMSI security also increases. Every time the VMSI is randomly changing, the choices become difficult for the attacker, the same as AKA, because the IMSI is kept without any modification. Fig. 8 presents the level of IMSI security in AKA remains constant regardless of the number of authentications. In comparison, the IMSI security level in EAKA is increased because the values of the VMSI randomly change. The proposed scheme sets the mainstream of computation overhead in the HN, which requires memory to save the extra values V and V NEW in its database with the secret key K and the IMSI for each UE, as presented in Fig. 4. In comparison to the conventional method using AKA, a negligible computation overhead is placed in the UE. The computation overhead is negligible as the HN's computational power is unlimited (see Fig. 6). As shown in the process of the algorithm in the UE, we also suggest that the overhead of computation in the UE is negligible, as presented in Fig. 7.

Conclusion
This paper presented a solution to preserve user identity privacy in the 5G system by enhancing the AKA protocol (EAKA), which proposed a variable pseudonym to identify the user in the 5G network rather than using permanent identity in the previous generations. The EAKA hides the identity of the user completely by using a temporary identity, i.e., VMSI. The temporary identity changes in every attachment, and the permanent IMSI is never used, even in the first attachment. The proposed solution does not add any computation overhead to the UE or the network, except light processing in the HSS. The proposed solution is compared with the AKA and the existing works. It is demonstrated that the EAKA can be used to enhance user privacy in the 5G network without any change in the AKA procedure or architecture. Moreover, it can be implemented in the previous generations to enhance user privacy, as verified by the ProVerif tool.

Conflicts of Interest:
The authors declare that they have no conflicts of interest to report regarding the present study.