Now some of you may be aware of a particular identity that your phone has on the network. It's called IMSI. Different generations have different versions of that identity. But it is, no matter what generation, there will be some Identity which would be generically called subscriber permanent identifier. That would be associated with you for the lifetime of your subscription. If you happen to be subscribed for the same service for years on end, with the same SIM card. Your IMSI may never change. Your subscriber identity is truly permanent in that regard. Because that subscriber identity can potentially be maliciously used to identify the personality of a certain user. It is paramount that all cellular on networks, including 5G, make their best effort in order to protect that subscriber permanent identity and 5G has multiple mechanisms to do that. First of all, 5G minimizes or if possible, altogether eliminates the occasions where your permanent identifier need to be shared with the network. Even so, some of the variance of that permanent identifier. If at all, they need to be shared. That information which can in any way be used to identify a certain user. That information, if at all it needs to be shared. Will only be shared with them network after encryption context has been established between the user and the network end-to-end. Until encryption context is established, the network will not ask the user to share any sort of sensitive information that can potentially be used to identify that user, not just its permanent identifying. However, there is certain other kind of information that is not user sensitive. For example, how the network routes your data packets to you. That information doesn't need to be protected as much. Hence, such kind of generic information can be sent even without encryption being enabled so as not to add a system complexity. But any information that can be in any way used to track or identify individual users. That information either will not be shared with the network at all to minimize it's compromising occasions. Or if at all a variant of that information needs to be shared. It will be shared only after end-to-end encryption with the network has been enabled. Furthermore, a 5G network enhances user privacy by minimizing the use of this permanent identifier for user operation and rather using multiple temporary identifiers. Once the UE has connected to the network and has been authenticated by the network. In general, your phone can be in two states active or idle when you are actively transmitting or receiving some data on your phone, it is an active mode. Whereas when your phone is lying on your desk or your nightstand not doing anything, in those conditions, your phone is set to be in idle mode. In both of those modes, network assigns one or more temporary identifiers to your authenticated phone so that the network doesn't need to refer to its permanent identifier. Furthermore, these temporary identifiers are recycled periodically. In that even if the network assigns a certain temporary ID to your phone it is valid only for a matter of few minutes or a few hours, beyond which it is recycled and discarded. That even if an attacker, by some means gets hold of temporary ID of certain user, the attacker cannot continue tracking that user maliciously indefinitely. But because that temporary ID will be recycled after a certain amount of time. That kind of attack will be taunted by definition and that point in time and thereby it prevents any unnecessary user tracking by malicious entities. Using temporary identifiers for UEs post authentication operation is another prominent way that the network ensures user privacy. But at this point, a question might have popped in your mind. That, hey, you mention that all the important business happens after authentication and encryption context has been established. But how does the network establish authentication or encryption context, or the security context. In general, with the UE without knowing what that UE is. Isn't that kind of a catch-22 wherein you are looking to establish security framework, but you haven't yet verified who that UE is. How do we solve that Catch-22. To speak. 5G operates its security mechanisms in a bootstrap manner in that, when the UE tries to connect to a 5G network. The UE doesn't send all their personal information in one go. It sends a little bit of information to the network information that is actually nonsensitive generic in nature. Using that information, the network establishes the first phase of the security. Based on that, UE sends the second batch of information. Based on that, the network establishes second stage of security. In this step-by-step bootstrap manner by establishing incremental authentication and security in multiple steps. That is how 5G network ensures that the user has been fully authenticated before it can access the service. UE on the other hand, makes sure that it is sending sensitive information if at all, only after the requisite security and authentication framework has been completely established. These are some of the high level mechanisms that 5G uses in order to not just provide enhanced data security, but also enhanced user privacy for a wide variety of user devices and applications.
