Pseudonym Mutable Based Privacy for 5G User Identity

Privacy, identity preserving and integrity have become key problems for telecommunication standards. Significant privacy threats are expected in 5G networks considering the large number of devices that will be deployed. As Internet of Things (IoT) and long-term evolution for machine type (LTE-m) are growing very fast with massive data traffic the risk of privacy attacks will be greatly increase. For all the above issues standards’ bodies should ensure users’ identity and privacy in order to gain the trust of service providers and industries. Against such threats, 5G specifications require a rigid and robust privacy procedure. Many research studies have addressed user privacy in 5G networks. This paper proposes a method to enhance user identity privacy in 5G systems through a scheme to protect the international mobile subscriber identity (IMSI) using a mutable mobile subscriber identity (MMSI) that changes randomly and avoids the exchange of IMSIs. It maintains authentication and key agreement (AKA) structure compatibility with previous mobile generations and improves user equipment (UE) synchronization with home networks. The proposed algorithm adds no computation overhead to UE or the network except a small amount in the home subscriber server (HSS). The proposed pseudonym mutable uses the XOR function to send the MMSI from the HSS to the UE which is reducing the encryption overhead significantly. The proposed solution was verified by ProVerif.

and the authentication management field (AMF), the message authentication code (MAC) is computed using f 1 . After that, using f 2 , f 3 , f 4 , and f 5 , the ciphering key (CK), integrity key (IK), anonymity key (AK), and expected response (XRES) are computed over RAND [17]. AK and AMF are produced by XORing the authentication token (AUTN), which contains the SQN with the MAC. Finally, the AV, which consists of CK, IK, XRES, AUTN, and RAND, is created by the HSS. The AV is sent to the MME, which forwards the AUTN and RAND within an authentication request to the UE and saves XRES, as shown in Fig. 2 [18,19].
Authentication in the 5G system should provide a high degree of privacy because it will be used in medicine, communication, business, and IoT as well as to transmit voice and data, which will enable a high data rate with little latency. For these reasons [20], along with widespread applications and high data rates, many studies focus on enhancing identity privacy by hiding the permanent identity IMSI. Many solutions have been suggested to improve the privacy of user identity in the 5G system. Some have assumed new 5G architecture and suggested the use of network function virtualization (NFV) and software-defined networking (SDN) [21], whereas others assume the architecture will be the same as in 4G and accordingly suggest new methods [21]. We discuss these solutions in Section 4.

Related Work
User privacy has been a concern through all previous generations of mobile systems, including GSM, UMTS, and LTE [22] in particular. Much work discusses 5G privacy and related issues. Primarily, the following three topics have been studied: (1) using a private key, a public key, or mutual group keys to encrypt the permanent identity; (2) the use of pseudonyms to hide the permanent identity; and (3) changing the AKA protocol and suggesting a design to hide the permanent identity [23]. A wide variety of research uses shared group keys, a private key, or a public key of the SN to hide the permanent identity. A procedure built on identity-based encryption, namely privacy enhanced fast mutual authentication (PEFMA), has been used to encrypt the IMSI [24]. In this procedure, the server network need not join the UE by the HN, and the SN has public keys. The UE directs the permanent identity after encrypting it by the public key of the server network. PEFMA can run without communicating with the network, as the SN and UE have the public keys. A mobility support system (MSS) [25] presented a fundamental key to hold a user's permanent identity in the 5G system with secrecy and with slight effect on the communication standard (the modification was transparent and compatible with the standard). Two crypto libraries, Nettle and Open SSL, were used to test  four Android-based strategies. An Android execution of one of the tests was evaluated, comprising the unequal method elliptic curve integrated encryption scheme (ECIES). The effect of the applied estimation of encrypting the IMSI in 5G networks was provided through the usage of ECIES (without MAC) [26]. The structures of 3GPP AKA were presented [27] to propose guaranteed privacy during the whole communication session for the session key. The USIM card and mobile device interface were not affected, allowing reuse of deployed USIMs. The authors concluded that it is possible to bind the assets of a defrayal of K and that achievement is conceivable with a slight effect on legacy 3GPP construction.
There was another study to encrypt the IMSI [28]. The paper identified three identifications, namely the IMSI, NC (network code), and CC (country code), that must be publicized and are vulnerable to attack. In this regard, the authors reevaluated and answered research questions about the privacy of the three identities. The paper did not address the vulnerability caused by routing requirements for data validation between the home network (HN) and visited network (VN), and the VN could also request other information from the home network that may lead to the compromise of IMSI privacy.
All of these solutions use numerous methods to encrypt the identity with either a private key or through public-key cryptography. However, the additional calculation may add overhead in terms of time and bandwidth [29]. Many researchers have used pseudonyms to hide the permanent identity in 5G. For instance, researchers [30] presented a novel scheme to defend the permanent identity by generating a pseudonym in the middle of the HN and UE. The pseudonym is generated locally at the HN, and the UE is prevented from performing available USIMs. Two stages are suggested. First is an initial attachment by the user equipment, when the SN or HN does not join any pseudonym with it. In this situation, the UE is allocated a TMSI by the SN and a pseudonym P by the HN. In the second stage, the UE is forced to detect the identification using P, where the UE does not exchange the TMSI with the SN with strong support for unlinkability.
New concepts have been proposed [31], such as using the 3GPP system to use and manage a locally randomized address for the UE WLAN MAC address, which replaces the general MAC address to avoid privacy risks. These methods tried to boost pseudonym usage in 5G systems. However, the methods have shortcomings. The administration of pseudonyms requires redundant backup with space and memory cost. The distribution of pen names to all user equipment from the system uses extra bandwidth. Finally, there are several new architectures and layouts in 5G systems. For example, a general idea was provided for security contests in SDN, NFV, and clouds [32]. It was believed that there must be shared engagements and trust replicas among members such as network operators, service providers, application designers, users, and manufacturers on information use and storage to maintain user privacy.
Issues related to LTE and WiMAX have been considered at the MAC level and the physical layer [33]. Improving security in 5G is advised through creating a flexible architecture that needs authorized trusted replicas. A reporting service protocol was suggested to take advantage of the architecture of 5G systems in the status of low dormancy, great-speediness contacts, or abridged price [34]. The privacy of participants and users faces the contradiction of internal and external challenges that force arrangements of small cells, D2D communications, or cloud access. A ProSe purpose and ProSe app server in the 5G evolved packet core (EPC) were presented to offer proximity-based application amenities for D2D operators and to handle the communication of D2D procedures [35]. The ProSe utility interrelates with the MME and HSS and cooperates with the ProSe app server on numerous structures, including the packing of user-specific preparations, administration of ProSe amenity recording, security, privacy fortification, annulment, and device detection.
Key agreement protocols and privacy-preserving authentication (PPAKA-IBS and PPAKA-HAMC) were proposed to assure protected and unknown communications of the D2D group [36] [37]. Their change stayed at the protocol level of devices, and a set of users of D2D mutually validated each other by leaking their individual identification while exchanging their public D2D set session keys. A new structure was designed for 5G network security such that the scrutiny of individuality administration and malleable validation is delivered [38]. The AKA in 4G mobile systems was proved as a symmetric key. 5G needs validation between user equipment and service networks and with third parties such as service suppliers. The hybrid and flexible validation of user equipment could be practical in the methods of validation by the service supplier and the SN, service supplier only, and SN only.
A fast validation pattern in SDN is suggested to boost the benefits of SDN. 5G has been declared to be accepting novel-based multi-party ecosystems where many performers can cooperate in the renovation techniques [39]. 5G will also strongly rely on softwarization models such as slicing and SDN. As the prototypes of 5G networks rely on softwarization, it has been suggested that the standard should include a set of regulations to ensure the privacy of users. Another study [40] proposed accorporating SDN into 5G networks as a step to support operative validation handover and fortification of privacy using softwarization techniques. The notion of a trusted third party is suggested to work like a disseminated network between the supplier and customer [41][42][43][44]. The complete official archetype of a procedure from the AKA group is provided. The 3GPP philosophy for 5G security is to hide users' identification in clear cipher requests. 3GPP conducts a complete, systematic, and secure estimation of SDN-enabled 5G with respect to safety and privacy [45].
An automatic examination pinpoints the minimal safety essential to every security aim, and some threats do not occur, except under abnormal circumstances.
Most of the proposed methods aim to provide mutual entity authentication in 5G networks. Most have proposed a verification procedure with complete communal verification between the serving network and user equipment and modified the AKA protocol, message elements, SN and UE, and new components such as and SDN [46][47][48][49]. A main drawback of these methods is the need of network physical component adjustments that could lead the hardware to be changed, which adds cost.

User Identity Privacy Issues
User identity privacy is one of the main issues in mobile network security, where the user identity is mainly in IMSI. The IMSI is used to identify user equipment (UE) and may be vulnerable to attacks commonly known as IMSI catching [50]. For that, the 3GPP allocates a number of short-term identities such as GUTI, M temporary mobile subscriber identity (M-TMSI), and C-RNTI to UE for various network services. To enhance the privacy of user identity, instead of using the permanent IMSI, UE can use these temporary identities, initiate a request, and access network services [51].
Although this procedure is used to enhance user identity privacy, the user's permanent identity remains exposed to IMSI catchers. There are some circumstances in which UE sends IMSI in clear text [52], such as when: (1) the mobile management entity (MME) might not get the GUTI from the UE; (2) the UE starts the initial network association; (3) the UE performs a handover (HO) between MMEs in the case of loss of the GUTI message; and (4) the MME cannot recover the IMSI from the temporary identifiers sent by the UE [53].
Moreover, if the UE uses impermanent identifiers such as C-RNTI and TMSIs, it would not be sufficient to protect the permanent identity from attacks because the temporary identities remain useable for a long period of time in the same coverage cell and can be reused over dissimilar regions, which allows for passive assaults against the permanent identity [54]. In the 5G system, the privacy of a user's identity should be improved to help users safely exchange information with mutual authentication [46,47]. A robust identity administration mechanism is needed to prevent unauthorized access because the 5G network will work with different hardware components from several vendors.
In 4G, when the UE initiates the network association process, it sends identifiers in plaintext, where it will be vulnerable to privacy attack. Many proposals for the 5G network have been introduced to hide the permanent IMSI [55].
The 3GPP works to protect the user's identity for privacy by hiding the IMSI. The solutions are based on the procedures of the SN to assign a randomly generated, temporary identity for UE, such as GUTIs, TMSIs, and C-RNTI. The permanent identity is used only when a temporary identity has not yet been assigned or as an error retrieval mechanism [56]. The recovery mechanism is necessary to prevent UE lockout if mistakes occur, such as when the SN or UE misses the temporary identity. However, the UE returns to use the permanent identity when the SN requests it from the UE. This retrieval mechanism enables IMSI-catchers to get the IMSI from the UE [57]. Therefore, current ways to protect user identity privacy do not prevent an active attacker from catching the IMSI, and the requirement for these problems is to have a genuine system with short-term cache memory to avoid IMSI catching. Additionally, there is no fortification to eliminate passive attackers who are extant when permanent identity requirements are obtained [6,8,34].

Privacy Enhancing Scheme for 5G System: (PES-5G)
To enhance the privacy of user identity in the 5G system, it is required to have a way to completely hide the permanent identity IMSI by replacing it with the mutable mobile subscriber identity (MMSI), where only the HSS server can plan for the privacy for a specific UE. The UE will use the MMSI when demanded to present its IMSI. User identity privacy is well-maintained because no component knows the IMSI except the UE and the home subscriber server [58].
In the authentication process, the HSS sends a fresh unpredictable MMSI (MFRESH) confidentiality to the UE. To implement this idea, changes in the features and usage of some basic authentication limitations, that is, SQN and RAND, are suggested. The XOR function is suggested to encrypt the RAND using the SQN token as a key, which is generated randomly at every run for the enhanced AKA protocol and using the challenge RAND to provide the UE with the sequence number SQNHE and the new MMSI. The RAND challenge, which is secure, includes the token SQNHE and is used to get the sequence number to the UE (SQNUE) [59]. The UE uses the RAND challenge to get the new SQNHE and new MMSI (MNEW) through a regular authentication procedure. The UE informs its MMSI of the new MMSI (MNEW) if the authentication process passes and identifies itself with its IMSI by using it the next time. To implement the suggested solution, an enhanced AKA protocol is suggested, as shown in Fig. 3. In the initial attachment for each time the UE needs to connect to the network, the UE transmits an access request message to the serving network (MME), which consists of its MMSI each time the user equipment needs to connect to the network. The MME sends a validation data demand to the home network (HSS) with the incoming MMSI [53]. The HSS generates a new MMSI and supplies it to the MME, which forwards the MMSI to the UE. The EAKA protocol details are discussed below.

Enhanced HSS Algorithm
There are two MMSI values, M and MNEW, for each UE, which must be stored in the HSS to enhance the HSS algorithm. M supplies the MMSI presently in use, and MNEW supplies the freshly produced MMSI [60], which is assigned to the UE to use in the following stage to block its permanent identity. The home network (HSS) saves the extra values of M and MNEW in its database against the secret key K and IMSI for the UE, as shown in Tab. 1.
Tab. 1 is to be saved at the UE with the mapping IMSI at the HSS. It exclusively identifies the UE. The serving network (SN) also saves M and MNEW in its database for the UE within its area of service [61]. There is a group of base stations that contains b = 234 unique MMSI entrances, named MMSI-Index, which is saved in the HSS. This indicates that the home network (HSS) can continuously join the active MMSI.
Every MMSI entrance in the MMSI-index has a value named MMSI-status against it. An MMSI previously assigned to multiple UEs will have NEGATIVE in its MMSI-status to indicate that this MMSI is not ready to be used. An MMSI-status of POSITIVE against a specific MMSI in the MMSI-index signifies that the MMSI is available for use and is not used by any UE [62]. The function ENCODE is specified by an operator to encrypt MNEW and SQNHE using the key SQN in the HSS to produce the encrypted RAND. To implement the EAKA protocol requires some changes in the protocol HSS process, as shown in Algorithm 1.
The HSS should validate that an incoming MMSI is lawful and presently in use by several UEs by discovering the received MMSI in the database of the HSS before deciding whether to receive an MMSIbased validation demand. The demand is vetoed when no attachment is found. The home network (HSS) locates the secret key K and the corresponding UE's IMSI when a match is found [63]. The HSS allocates a used (fresh) MMSI; MFRESH is to be assigned to the UE, and information related to the UE : : : : is updated at the HSS (i.e., the sequence number SQNHE). Second, the HSS validates that the received MMSI is the latest MMSI transmitted to the UE by checking that MMSI = MNEW. The sequence number is manipulated to some extent at the HSS. If the HSS confirms that the previous validation occasion was successful after getting MNEW from the UE, only then does the HSS update SQNHE (see Algorithm 1). This scheme has the following advantages: (1) There is no encryption, and it sends MMSI by excluding the XORing function.
(2) The HSS always stays in synchronization with the UE (USIM). After proper validation, SQNUE and SQNHE have the same value at any time, so AVs in transmission would not affect the synchronization because the standards of SQNUE and SQNHE stay in sync.
(3) An attacker that directs several validation requests with an MMSI that was previously used by some UE cannot force the HSS to be out of sync. Likewise, a hacker who resends interrupted RAND and AUTN to the UE cannot force the UE to be out of sync.
(4) In a replay attack, if the hacker resends RAND and AUTN to the UE, it would be easily detected [64].
(5) It causes no authentication failure because synchronization failure does not occur. For the good functioning of this scheme, the MME must bring only one authentication vector from the HSS at a time [65].
The SQN is used as the input key for a function of encryption, namely ENCODE, to protect the confidentiality of the challenge RAND by the HSS. SQN, in addition to the random key, is also secured by a secured AK key. Because an unsystematic key SQN is created using a specific-operator function, attackers cannot obtain the SQN. By encrypting SQNHE and MNEW using the random key SQN, the RAND is produced to provide the UE with the MMSI [66].

Enhanced UE Algorithm
To enhance the UE algorithm, a unique MMSI value must be preserved in the smart card (USIM) of the user equipment that the UE must use when demanded to provide its permanent identity (IMSI). The service provider embeds an MMSI value, MMSI FIRST , in the USIM before the first connection. The HSS database also stores MMSI FIRST in M NEW for each USIM's IMSI and sets to NEGATIVE the status of the MMSI FIRST entered in the MMSI-Index. Throughout the first run of the EAKA protocol, MMSI FIRST is used only once. Service providers often set the function DECODE in their base stations (BSs) to decrypt RAND commands at the UE. Also, they use the random key (i.e., SQN attached with the AUTN message) to extract M NEW and SQN HE . When it receives AUTN and RAND, the UE validates AUTN and calculates the message of validation reaction, as shown in Algorithm 2.

Formal Verification
ProVerif software is used to automatically examine the safety of cryptographic protocols. It supports hash functions, asymmetric and symmetric encryption, and digital signatures. ProVerif can prove spread capability possessions, declarations, and observational and communication correspondence. These capabilities are valuable to the security and privacy domain, as they examine the verification and privacy procedures. Furthermore, the development of procedures such as verifiability, privacy, and traceability could also be considered. Analysis of protocol is performed with respect to an infinite number of instances and an infinite number of messages. There is also the capability of attack recovery. Whenever the procedure cannot be verified, ProVerif attempts to rebuild and implement suggestions that can fabricate the wanted events [67].
The main result of this paper is that EAKA imposes protected validation and identification and preserves the privacy of user identity (i.e., unlinkability and user anonymity). An outside observer (enemy) sees no difference in the outcomes of two implementations of the procedure that differ only in the user identities.

Key Features of EAKA
The privacy of user identity in the offered solution is discussed and considered against numerous potential assaults.
1) Protection of identity privacy: EAKA protects the permanent identity IMSI from the disclosure problem by means of mutable temporary identifier MMSIs. The permanent identity IMSI is never used and is securely saved in the UE and HN forever, so no person and no component in the SN knows about it. The IMSI stays in the USIM, and the database of the HSS and is never used in any interacting procedure during the USIM's period.
2) Replay attack: The user is defended from replay attack by using SQN in this EAKA. Assume that in the effective process of the enhanced AKA protocol, an adversary has interrupted an AV (RAND and AUTN) planned for a specific UE. The SQN stored in the UE is different from the SQN included in the RAND. In this case, the received SQN might be less than the SQN in the UE. The UE can easily detect that a replay attack occurred and tries to retransmit the authentication credentials to the UE.
3) Guessing user identity: It is not possible to presume the user identity because the total number of possible temporary identities MMSIs is t = 2n where n is the number of bits of MMSI, and the probability that an attacker predicts a POSITIVE MMSI is M = 1/t. Because t is a large number, the possibility of correctly guessing a user's MMSI is clearly insignificant.

4) Anonymity of user:
The individuality of the UE is a significant feature of user privacy. The suggested scheme gives a strong guarantee of preserving the identity of the UE. An assailant cannot distinguish the permanent identity of a specific user because it is found only in the database of the HSS and UMSI and is never used or transmitted. Therefore, no one in or out of the network knows about it. An attacker has no way to recognize the permanent identity MMSI assigned to a user because the HSS hides the MMSI before transferring it to the UE. Therefore, the MMSI to a specific UE remains unseen even if used to identify a user.
Also, there is no benefit to knowing the MMSI of an allocated fresh MMSI that is distinct from a previously used MMSI when the UE is effectively known by the HN. The new MMSI allocated to the UE is unsystematic and unconnected to the latest MMSI used by the UE. The attacker cannot discriminate the designated UE because the MMSIs are assigned to a specific user aspect as a random bit stream that cannot be linked to a certain user's equipment. 5) Untraceability of user: Traceability of a user means the probability of knowing earlier identifying requirements and replies of the same user. The proposed solution removes the traceability of users and defends them from tracking attacks by presenting pseudonyms that are used instead of the permanent identifier (IMSI). The pseudonyms (MMSI) assigned to a user change whenever the user attaches to the HN and cannot be perceived or used in external attacks; therefore, the user's untraceability is preserved. 6) Unlinkability of the user: It is impossible for an attacker to sniff the responses and identity because the MMSI identifier is used only one time by the UE. The MMSIs are randomly mutable and unrelated in the system (from the side of the observer); hence, unlinkability of the user is provided. 7) DoS attack: It is impossible for denial of service (DoS) attackers to send many association requests that repeat the use of a real MMSI. A user only places a specified MMSI identifier once before it is replaced by the home local area network (HSS). The network does not accept obtaining several attach requirements parameterized with a similar MMSI. Therefore, attach requirements reached with similar MMSIs are thrown away by the service provider, and a DoS attack is impossible.

8) Synchronizing between HSS and UE:
The home network (HSS) uses the SQN just once when it obtains a fresh MMSI (M NEW ). It is privately transferred to the UE and stays hidden from the attacker and is not used by the UE; therefore, the attacker cannot disturb the effectiveness of HSS synchronization. Likewise, the UE cannot be forced to be out of synchronization by a hacker who retransmits interrupted RAND and AUTN to the UE.

Conclusion
The need to ensure security and privacy for users on the Internet is an important issue. Most attacks can exploit privacy bugs. IMSI is a critical entity in the network that an attacker can utilize to prohibit network usage or exploit network resources. As the IoT is growing fast and will be deployed with 5G, massive data traffic will need to be exchanged, and the risk of privacy attacks will be greatly increase. In such a network environment, protecting the privacy of the IMSI is considered a vital issue. We presented an enhancement solution for user identity privacy in a 5G network by EAKA, which proposes MMSI for user identification in lieu of IMSI. The EAKA protocol hides the user identity by changing the MMSI in every network attachment without using the permanent IMSI, even at the first attachment. The proposed solution adds no computation overhead to UE or the network except a small amount in the HSS. The proposed solution uses the XOR function to send the MMSI from the HSS to the UE to reduce the encryption overhead. The proposed solution was verified by ProVerif. Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.