WO2021257047A1 - Obtaining permanent user equipment (ue) id that corresponds to a ciphered or temporary ue id - Google Patents

Publication number
WO2021257047A1
Authority
WO
WIPO (PCT)
Prior art keywords
permanent
dasf
amf
tmsi
request
Prior art date
Application number
PCT/US2020/037691
Other languages
French (fr)
Inventor
Nagaraja Rao
Laurent Thiebaut
Original Assignee
Nokia Technologies Oy
Nokia Of America Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Technologies Oy, Nokia Of America Corporation
Priority to PCT/US2020/037691
Publication of WO2021257047A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/80 Arrangements enabling lawful interception [LI]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/26 Network addressing or numbering for mobility support

Definitions

  • Various exemplary embodiments disclosed herein relate generally to a method for getting the permanent user equipment (UE) ID(s) that correspond to a ciphered or temporary UE ID.
  • UE user equipment
  • LEAs Law Enforcement Agencies
  • SUPI subscription permanent identifier
  • IMSI international mobile subscriber identity
  • the LEAs may also want to intercept the communications involving some equipment used by suspicious individuals, irrespective of who that individual is.
  • the LEAs submit the equipment identifiers such as permanent equipment identifier (PEI), e.g., an international mobile equipment identity (IMEI), to the court to seek the warrant.
  • PEI permanent equipment identifier
  • IMEI international mobile equipment identity
  • A typical example of such equipment is a mobile device or user equipment (UE).
  • DASF Duly Authorized Security Forces
  • DASF may gather the mobile device or UE identity by sniffing the suspicious communication traffic over the air and use that identity to seek the warrant from the court for performing a lawful interception.
  • Various embodiments relate to a method for obtaining a permanent ID of a user equipment (UE) from a non-permanent ID of the UE from a serving network, including: receiving a request from a duly authorized security force (DASF) including a non-permanent ID of a UE; translating, by the visited network, the non-permanent ID of the UE to a permanent ID of the UE; and sending the permanent ID of the UE to the DASF.
  • DASF duly authorized security force
  • Various embodiments are described, further including receiving a legal intercept request from the DASF for the permanent ID.
  • Various embodiments are described, further including intercepting communications of the UE with the permanent ID; and providing the intercepted communications to the DASF.
  • non-permanent ID is a subscription concealed identifier (SUCI) and the permanent ID is a subscription permanent identifier (SUPI).
  • SUCI subscription concealed identifier
  • SUPI subscription permanent identifier
  • translating the non-permanent ID of the UE to a permanent ID of the UE further includes: requesting from a network slice selection function (NSSF) a set of mobility management functions (AMFs) that may have the translation between the non-permanent ID and the permanent ID; receiving the set of AMFs that may have the translation between the non-permanent ID and the permanent ID; sending an ID translation request to an AMF in the received set of AMFs; and receiving the permanent ID from the AMF.
  • NSSF network slice selection function
  • AMFs mobility management functions
  • TMSI temporary mobile subscription identifier
  • SUPI subscription permanent identifier
  • translating the non-permanent ID of the UE to a permanent ID of the UE further includes: sending an ID translation request to a mobility management function (AMF) identified in the 5G-S-TMSI; and receiving the permanent ID from the AMF.
  • AMF mobility management function
  • receiving a request from a duly authorized security force (DASF) including a non-permanent ID of a UE includes receiving the request via an administration function (ADMF) that provides a standards based interface.
  • DASF duly authorized security force
  • ADMF administration function
  • Various embodiments are described, further including storing the non-permanent ID of the UE along with the permanent ID of the UE even though the non-permanent ID is no longer allocated to the UE.
  • a device for obtaining a permanent ID of a user equipment (UE) from a non-permanent ID of the UE from a serving network including: a memory; a processor coupled to the memory, wherein the processor is further configured to: receive a request from a duly authorized security force (DASF) including a non-permanent ID of a UE; translate, by the visited network, the non-permanent ID of the UE to a permanent ID of the UE; and send the permanent ID of the UE to the DASF.
  • DASF duly authorized security force
  • the processor is further configured to receive a legal intercept request from the DASF for the permanent ID.
  • the processor is further configured to: intercept communications of the UE with the permanent ID; and provide the intercepted communications to the DASF.
  • the non-permanent ID is a subscription concealed identifier (SUCI) and the permanent ID is a subscription permanent identifier (SUPI).
  • translating the non-permanent ID of the UE to a permanent ID of the UE further includes: requesting from a network slice selection function (NSSF) a set of mobility management functions (AMFs) that may have the translation between the non-permanent ID and the permanent ID; receiving the set of AMFs that may have the translation between the non-permanent ID and the permanent ID; sending an ID translation request to an AMF in the received set of AMFs; and receiving the permanent ID from the AMF.
  • NSSF network slice selection function
  • AMFs mobility management functions
  • the processor is further configured to receive from the DASF time information regarding the non-permanent ID, wherein the non-permanent ID is a temporary mobile subscription identifier (TMSI) and the permanent ID is a subscription permanent identifier (SUPI).
  • TMSI temporary mobile subscription identifier
  • SUPI subscription permanent identifier
  • TMSI is a 5G short TMSI (5G-S-TMSI).
  • translating the non-permanent ID of the UE to a permanent ID of the UE further includes: sending an ID translation request to a mobility management function (AMF) identified in the 5G-S-TMSI; and receiving the permanent ID from the AMF.
  • AMF mobility management function
  • receiving a request from a duly authorized security force (DASF) including a non-permanent ID of a UE includes receiving the request via an administration function (ADMF) that provides a standards based interface.
  • ADMF administration function
  • a device for obtaining a permanent ID of a user equipment (UE) from a non-permanent ID of the UE from a serving network including: a memory; a processor coupled to the memory, wherein the processor is further configured to: store the non-permanent ID of the UE along with the permanent ID of the UE and time indication even though the non-permanent ID is no longer allocated to the UE; receive a request to translate a non-permanent ID of the UE into a permanent ID of the UE; and answer with the permanent ID of the UE.
  • FIG. 1 illustrates a diagram of the system and process for gathering legal intercepts and seeking a warrant to further monitor a UE associated with a non-permanent ID in the intercept;
  • FIG. 2 illustrates a block diagram of the interaction between the DASF and ASF;
  • FIG. 3 illustrates the message flow for the ASF to obtain a permanent ID from a non-permanent ID when the non-permanent ID is a SUCI;
  • FIG. 4 illustrates the message flow for the ASF to obtain a permanent ID from a non-permanent ID when the non-permanent ID is a 5G-S-TMSI;
  • FIG. 5 illustrates an exemplary hardware diagram of the ASF, AMF, or other network elements of the PLMN or the DASF.
  • identical reference numerals have been used to designate elements having substantially the same or similar structure and/or substantially the same or similar function.
  • the permanent IDs (SUPI / PEI) of the user equipment (UE) are not sent over the air. Therefore, what the DASF can intercept are just the temporary identifiers (non-permanent IDs).
  • the LEAs cannot use such non-permanent IDs to seek a warrant for the lawful interception.
  • the DASF somehow has to obtain the permanent IDs from the local public land mobile network (PLMN) that was sending or receiving the non-permanent IDs over the air and provide those permanent IDs to the LEAs who then can proceed and follow with the normal legal intercept (LI) process.
  • PLMN local public land mobile network
  • a DASF 135 observes communications 185 between a 5G base station gNodeB (gNB) 110 in a PLMN 115 and a UE 105 of a suspicious user. Specifically, the DASF observes some identities of the UEs of suspicious users.
  • gNB 5G base station
  • the mechanism described herein may apply to any interface used by UE to reach the 5G Core such as the radio interface of a ng-ENB or the wireline interface of a wireline access to 5GC or the Wifi interface of a Trusted Wifi access to 5GC.
  • the LEA 150 cannot use such intercepted identities to request a warrant from a court 160 for a lawful intercept authorization as the intercepted IDs are non-permanent IDs such as subscription concealed identifier (SUCI or concealed SUPI) or 5G-GUTI / 5G-S-TMSI. Therefore, for each of those observed non-permanent IDs, the DASF 135 will have to obtain the associated permanent IDs by contacting the PLMN 115 that is sending such non-permanent IDs over the air. The DASF 135 can determine the PLMN 115 to whom the non-permanent ID belongs.
  • SUCI or concealed SUPI subscription concealed identifier
  • the DASF 135 sends a request 140 including the non-permanent ID to the PLMN 155 to get the permanent ID associated with the non-permanent ID.
  • the PLMN 115 has an authorized security function (ASF) 125 that determines the permanent ID associated with the non-permanent ID in the request 140.
  • the PLMN 115 sends a message 145 that includes the permanent ID associated with the intercepted non-permanent ID to the DASF 135.
  • the DASF 135 provides that permanent ID to the LEA 150.
  • the DASF 135 may also be the LEA 150.
  • the LEA 150 sends a request 155 that includes the permanent ID to the court 160 requesting that the court 160 issue a lawful intercept authorization.
  • the court 160 issues a warrant authorizing legal intercepts associated with the permanent ID and sends a message 165 to the LEA with the warrant.
  • LEA 150 may use a law enforcement monitoring facility (LEMF) 170 to submit an LI request 175 including the permanent ID to a LI system 120 in the PLMN 115.
  • the PLMN LI system 120 intercepts the communications of the UE having the permanent ID.
  • the PLMN 115 sends a message to provide the intercepted LI data or LI Product 180 to the LEMF 170.
  • the non-permanent IDs that the DASF receives can be in one of the following two formats:
  • SUCI Concealed User ID as defined in the 3GPP Technical Specification (TS) 23.003 (Numbering, addressing and identification) being sent in association with a requested Network Slice Selection Assistance Information (NSSAI) (set of requested slices); and
  • NSSAI Network Slice Selection Assistance Information
  • the DASF 135 may contact only the local PLMN 115 (i.e., in the same country or other jurisdiction) that corresponds to the 5G access network (AN) where the DASF 135 has detected the non-permanent ID (i.e., the SUCI or 5G-S-TMSI).
  • a mapping between the non-permanent ID (SUCI) and the permanent ID is maintained in an authentication function (AUSF) that resides in the home PLMN (HPLMN).
  • the DASF 135 may only contact the local PLMN (in the same country or jurisdiction) that corresponds to the 5G AN where the DASF 135 has detected the non-permanent ID (i.e., SUCI or 5G-S-TMSI). In other words, the DASF 135 cannot contact the HPLMN to which the permanent ID belongs when the UEs 105 are roaming.
  • the local PLMN is the visited PLMN (VPLMN). In 5G mobile networks, the VPLMN does not currently have a mechanism that remembers the association between the non-permanent ID and the permanent ID.
  • a method is needed to determine the permanent ID in the VPLMN, that is, in the PLMN that does not have the AUSF. Furthermore, the HPLMN is not aware of such mapping when the non-permanent ID is a 5G-S-TMSI.
  • the AMF may be the most likely candidate network function (NF) that may provide the needed mapping from a non-permanent ID to a permanent ID.
  • NF network function
  • the non-permanent IDs sent over the radio by the 5G AN to the UEs may be one of SUCI and 5G-S-TMSI.
  • Non-permanent user IDs are defined in TS 23.003 (§ 2.10 and 2.11) and the following provides a summary of the SUCI and 5G-S-TMSI.
  • the 5G-S-TMSI is the shortened form of the 5G-GUTI (without <MCC><MNC><AMF Region ID>, i.e., <MCC><MNC><AMF Region ID><AMF Set ID><AMF Pointer><5G-TMSI>) to enable more efficient radio signaling procedures (e.g., paging and service request) when the AMF Region ID is implicit.
  • the mobile is paged with the 5G-S-TMSI.
  • the 5G-S-TMSI shall be constructed from the AMF Set ID, the AMF Pointer and the 5G-TMSI as follows:
  • <5G-S-TMSI> = <AMF Set ID><AMF Pointer><5G-TMSI>
  • the DASF that retrieves the non-permanent ID in the local PLMN may provide that non-permanent ID (i.e., SUCI plus Requested NSSAI, or the 5G-S-TMSI) to the local PLMN to receive the permanent ID of that UE.
  • non-permanent ID i.e., SUCI plus Requested NSSAI, or the 5G-S-TMSI
  • the PLMN 115 includes an ASF 125 (which is a new function added to the PLMN 115) that receives the non-permanent ID of a UE 115 from the DASF 135 and in return provides the permanent ID (SUPI, PEI) 145. It is assumed that the ASF 125 has obtained specific credentials allowing it to get a privileged access to any NF of the local PLMN and that the ASF 125 is located in the VPLMN and is subject to the visited location’s jurisdiction and laws.
  • the AMF adds the following new functionality to the serving PLMN (where the serving PLMN corresponds to the home PLMN/HPLMN when the UE is not roaming and the serving PLMN corresponds to the home VPLMN when the UE is roaming).
  • the AMFs in serving PLMNs store the mapping SUCI - SUPI and 5G GUTI - SUPI even though the SUCI is not needed anymore by the AMF or if the 5G GUTI of the UE has been reallocated. This storage is kept even though the UE is no longer served by the AMF (set) (e.g., because the UE has moved and is served by another AMF region or is detached).
  • This storage is associated with the time slot during which this 5G GUTI has been allocated to the SUPI. Note that storing the 5G-S-TMSI or storing the 5G GUTI are equivalent.
  • the Nnssf_NSSelection_Get service operation is enhanced to determine the IDs of the AMF(s) that will have such mapping information.
  • the ASF is not seeking an AMF set that could support the requested NSSAI (as provided currently by the network slice selection function (NSSF)) but is seeking the AMF that supports a given SUCI.
  • NSSF network slice selection function
  • the ASF needs to know the list of AMF set(s) and then of AMF within these sets that are potential candidates to serve a requested NSSAI it has observed on an Access type. So the Nnssf_NSSelection_Get service is modified so that only a NSSAI is requested and a list of all AMF sets that are candidates to support this requested NSSAI is sent back.
  • the ASF has received a 5G-S-TMSI, no new mechanism is needed and then the ASF gets the address of the AMF that serves a GUAMI (subset of 5G-S-TMSI).
  • An AMF service operation may be defined that provides the permanent identifiers (SUPI, PEI, . . .) of the UE corresponding to either an input SUCI or an input 5G-S-TMSI associated with a time indication.
  • This dedicated service operation may be reserved to the ASF (a privileged Network Function) in order to preserve user’s privacy.
  • FIG. 2 illustrates a block diagram of the interaction between the DASF and ASF.
  • the DASF 235 sends a message 240 to the ASF 225 with the non-permanent ID.
  • the ASF 225 may need to determine the AMF set ID to determine which AMF may have the needed mapping between the non-permanent ID and the permanent ID.
  • the ASF 225 sends a message 210 to the NSSF 205 that includes the requested NSSAI.
  • the NSSF 205 sends a message 215 to the ASF 225 that includes the list of potential AMF set ID(s).
  • the ASF 225 then may send a request 250 to the AMFs in these sets such as AMF 230 that includes the SUCI or 5G-TMSI.
  • the AMF 230 sends a message 255 back to the ASF 225 that includes the SUPI and/or PEI. For the AMFs in the set that do not have the needed mapping, no permanent ID is returned. The ASF 225 then sends a message 245 to the DASF 235 with the permanent ID.
  • an administrative function (ADMF) 260 may provide an interface between the ASF 225 and the DASF 235.
  • the ADMF 260 submits a request via the LI_HI1 interface defined in the 3GPP TS 33.127/TS 33.128.
  • the use of ADMF 265 allows for the use of a standardized interface to an external entity such as the DASF 235. To support this approach, the LI_HI1 interface will have to be enhanced.
  • the interface between ADMF 260 and the ASF 225 could also be the LI_X1 interface also defined in TS 33.127 and TS 33.128.
  • FIG. 3 illustrates the message flow for the ASF to obtain a permanent ID from a non-permanent ID when the non-permanent ID is a SUCI.
  • a UE 305 issues a register operation and sends the SUCI and requested NSSAI 350; this is as defined in current 3GPP TS 23.502 § 4.2.2.
  • the 5G AN 315 selects an AMF, for example between AMF(s) of AMF set A 340, AMF set B 330, AMF set C 380 and AMF set D 385.
  • an AMF of set B 330 is, based on the Requested NSSAI, selected for the UE 305.
  • the SUCI and the requested NSSAI are captured by DASF.
  • the UE registration completes as defined in current 3GPP TS 23.502 § 4.2.2 with the modification that as part of this procedure, the AMF stores the mapping of (SUCI, Access type) to (SUPI, PEI).
  • the DASF issues a request 351 to the ASF 310 for the translation into the corresponding permanent ID (SUPI / PEI).
  • the request 351 contains the SUCI, requested NSSAI, and the corresponding location (for example cell ID and tracking area) where the DASF intercepted the non-permanent ID.
  • the ASF 310 issues a Nnssf_NSSelection_Get Request (requested NSSAI, get all possible AMF) 352 to the NSSF 320 to get all possible AMF sets that may serve the requested NSSAI it has observed over the 5G AN 315.
  • the NSSF 320 answers with all possible AMF sets 353, which here for example would be either AMF set A 340 and AMF set B 330.
  • the ASF 310 next issues a request to look for the AMF(s) that support the sets provided by the NSSF asking for support of NamfUserIdGET service operation.
  • this operation may get a dedicated token (e.g., as found in 3GPP TS 33.501 § 14.3.2 Nnrf_AccessToken_Get Service Operation) allowing it to contact the AMF(s) for this operation (only an ASF can get such a token from the NRF, ensuring that other network entities cannot get information on the mapping between a 5G-S-TMSI and a corresponding permanent user identity).
  • the ASF 310 issues a NamfUserIdGET Request (SUCI) 354 to an AMF from set A 340, and the ASF 310 receives a message 355 that indicates that the UE 305 is not served by the AMF set A 340.
  • SUCI NamfUserIdGET Request
  • the ASF 310 issues a NamfUserIdGET Request (SUCI) 356 to an AMF from set B 330 and receives a message 357 that includes the requested UE permanent identifiers (SUPI, PEI). As described above, the ASF 310 may communicate the UE permanent identifiers (SUPI, PEI) to the DASF.
  • FIG. 4 illustrates the message flow for the ASF to obtain a permanent ID from a non-permanent ID when the non-permanent ID is a 5G-S-TMSI.
  • a UE 405 that has already received a 5G-S-TMSI from the local PLMN issues a RRC connection request 450 providing the 5G-S-TMSI or gets paged via the 5G-S-TMSI; this is as defined in the current 3GPP TS 23.502 and 38.331.
  • the 5G AN 415 selects an AMF and is constrained by the 5G-S-TMSI content. That is, the UE 405 is for example served by an AMF of set B 430.
  • the 5G-S-TMSI is captured by a
  • the DASF issues a request 451 for the translation of the 5G-S-TMSI into the corresponding permanent ID (SUPI / PEI) to the ASF 405.
  • the request 451 includes the 5G-S-TMSI and the location (for example cell ID and tracking area) and time (where and when input has been detected).
  • the ASF 405 issues a request 452 to look for the AMF that supports the GUAMI identified in the input 5G-S-TMSI, asking for support of the NamfUserIdGET service operation.
  • this operation gets a dedicated token from the NRF (e.g., as found in 3GPP TS 33.501 § 14.3.2 Nnrf_AccessToken_Get Service Operation) allowing the ASF 405 to contact the AMF(s) for this operation (only an ASF can get such a token from the NRF, ensuring that other network entities cannot get information on the mapping between a 5G-S-TMSI and a corresponding permanent user identity).
  • the AMF 440 issues a NamfUserIdGET Response 453 to the ASF 410 that includes the requested UE permanent identifiers (SUPI, PEI). As described above, the ASF 410 may communicate the UE permanent identifiers (SUPI, PEI) to the DASF.
  • the examples given above have been described in the context of 5G networks.
  • the embodiments described herein may also be applied to other wireless or wireline networks that conceal the permanent ID of the UE using a non-permanent ID.
  • a function in the wireless network captures and stores the mapping between the non-permanent ID and the permanent ID.
  • Another function may then interface with a DASF and service a request for the mapping of a non-permanent ID to a permanent ID.
  • This permanent ID then gives the DASF the information needed to seek a warrant from a court to initiate the lawful intercept of communications with the UE.
  • FIG. 5 illustrates an exemplary hardware diagram of the ASF, AMF, or other network elements of the PLMN or the DASF.
  • the device 500 includes a processor 520, memory 530, user interface 540, network interface 550, and storage 560 interconnected via one or more system buses 510. It will be understood that FIG. 5 constitutes, in some respects, an abstraction and that the actual organization of the components of the device 500 may be more complex than illustrated.
  • the processor 520 may be any hardware processing device capable of executing instructions stored in memory 530 or storage 560 or otherwise processing data.
  • the processor may include a microprocessor, a graphics processing unit (GPU), field programmable gate array (FPGA), application-specific integrated circuit (ASIC), any processor capable of parallel computing, or other similar devices.
  • GPU graphics processing unit
  • FPGA field programmable gate array
  • ASIC application-specific integrated circuit
  • the memory 530 may include various memories such as, for example, L1, L2, or L3 cache or system memory. As such, the memory 530 may include static random-access memory (SRAM), dynamic RAM (DRAM), flash memory, read only memory (ROM), or other similar memory devices.
  • SRAM static random-access memory
  • DRAM dynamic RAM
  • ROM read only memory
  • the user interface 540 may include one or more devices for enabling communication with a user and may present information to users.
  • the user interface 540 may include a display, a touch interface, a mouse, and/or a keyboard for receiving user commands.
  • the user interface 540 may include a command line interface or graphical user interface that may be presented to a remote terminal via the network interface 550.
  • the network interface 550 may include one or more devices for enabling communication with other hardware devices.
  • the network interface 550 may include a network interface card (NIC) configured to communicate according to the Ethernet protocol or other communications protocols, including wireless protocols.
  • the network interface 550 may implement a TCP/IP stack for communication according to the TCP/IP protocols.
  • the storage 560 may include one or more machine-readable storage media such as read-only memory (ROM), random-access memory (RAM), magnetic disk storage media, optical storage media, flash-memory devices, or similar storage media.
  • the storage 560 may store instructions for execution by the processor 520 or data upon which the processor 520 may operate.
  • the storage 560 may store a base operating system 561 for controlling various basic operations of the hardware 500.
  • the storage 562 may store instructions for implementing the functions of the ASF and the translation of the non-permanent ID into the permanent ID.
  • the memory 530 may also be considered to constitute a “storage device” and the storage 560 may be considered a “memory.” Various other arrangements will be apparent. Further, the memory 530 and storage 560 may both be considered to be “non-transitory machine-readable media.” As used herein, the term “non-transitory” will be understood to exclude transitory signals but to include all forms of storage, including both volatile and non-volatile memories. While the system 500 is shown as including one of each described component, the various components may be duplicated in various embodiments.
  • the processor 520 may include multiple microprocessors that are configured to independently execute the methods described herein or are configured to perform steps or subroutines of the methods described herein such that the multiple processors cooperate to achieve the functionality described herein. Such plurality of processors may be of the same or different types. Further, where the device 500 is implemented in a cloud computing system, the various hardware components may belong to separate physical systems. For example, the processor 520 may include a first processor in a first server and a second processor in a second server. The embodiments described herein provide a technological advancement over the prior PLMN systems.
  • the visited PLMN was not able to provide the permanent ID of the UE and the home PLMN that would be able to provide the mapping is not available. Accordingly, the DASF did not have the information needed to obtain a warrant to obtain lawful intercepts from the UE.
  • the embodiments described herein provide additional functionality that allows for the translation of the intercepted non-permanent ID to the associated permanent ID that the DASF may then use to get a warrant and to request lawful intercepts using the permanent ID.
  • non-transitory machine-readable storage medium will be understood to exclude a transitory propagation signal but to include all forms of volatile and non-volatile memory.
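
The AMF-side storage with a time slot and the token-restricted lookup described in the list above, as an added Python example that is not part of the patent text: each 5G-S-TMSI allocation is kept with its time slot after release, callers without the ASF-only token are refused, and every request is logged. The scope string, the class and function names and all sample identifiers are assumptions constructed for illustration; the 10/6/32-bit field widths are those of 3GPP TS 23.003.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical scope name for the ASF-only access token the text describes.
ASF_SCOPE = "asf-user-id-get"


def parse_5g_s_tmsi(value: int) -> tuple[int, int, int]:
    """Split a 48-bit 5G-S-TMSI into (AMF Set ID, AMF Pointer, 5G-TMSI).

    Field widths per 3GPP TS 23.003: 10 + 6 + 32 bits.
    """
    if not 0 <= value < (1 << 48):
        raise ValueError("5G-S-TMSI must fit in 48 bits")
    return value >> 38, (value >> 32) & 0x3F, value & 0xFFFFFFFF


@dataclass
class Allocation:
    s_tmsi: int
    supi: str
    pei: str
    start: int              # time the identifier was allocated
    end: int | None = None  # None while the identifier is still in use


class AmfMappingStore:
    """History of 5G-S-TMSI allocations kept after release or reallocation."""

    def __init__(self) -> None:
        self._history: list[Allocation] = []
        self.audit: list[tuple[str, int, int, bool]] = []

    def release(self, s_tmsi: int, now: int) -> None:
        # Close the time slot but keep the record for later translation.
        for alloc in self._history:
            if alloc.s_tmsi == s_tmsi and alloc.end is None:
                alloc.end = now

    def allocate(self, s_tmsi: int, supi: str, pei: str, now: int) -> None:
        # The same value may be handed to another UE later, so close any
        # open slot first; slots for one value never overlap.
        self.release(s_tmsi, now)
        self._history.append(Allocation(s_tmsi, supi, pei, now))

    def user_id_get(self, token_scope: str, s_tmsi: int, at_time: int):
        """Return (SUPI, PEI) valid at at_time, or None if no slot matches."""
        allowed = token_scope == ASF_SCOPE
        # Every attempt is logged, including refused ones.
        self.audit.append((token_scope, s_tmsi, at_time, allowed))
        if not allowed:
            raise PermissionError("token scope does not permit ID translation")
        for alloc in self._history:
            in_slot = alloc.start <= at_time and (
                alloc.end is None or at_time < alloc.end)
            if alloc.s_tmsi == s_tmsi and in_slot:
                return alloc.supi, alloc.pei
        return None


def asf_translate(s_tmsi: int, at_time: int, amfs: dict):
    """ASF side: route the request to the AMF identified in the 5G-S-TMSI."""
    set_id, pointer, _ = parse_5g_s_tmsi(s_tmsi)
    amf = amfs.get((set_id, pointer))
    return None if amf is None else amf.user_id_get(ASF_SCOPE, s_tmsi, at_time)


# Constructed sample data: AMF Set ID 2, AMF Pointer 1, 5G-TMSI 0xCAFE0001.
SAMPLE_S_TMSI = (2 << 38) | (1 << 32) | 0xCAFE0001


def demo_store() -> AmfMappingStore:
    store = AmfMappingStore()
    store.allocate(SAMPLE_S_TMSI, "imsi-001010000000001", "imei-350000000000017", 100)
    store.release(SAMPLE_S_TMSI, 200)   # UE detaches; record is kept
    store.allocate(SAMPLE_S_TMSI, "imsi-001010000000002", "imei-350000000000025", 250)
    return store


if __name__ == "__main__":
    amfs = {(2, 1): demo_store()}
    for t in (150, 220, 300):
        print(t, asf_translate(SAMPLE_S_TMSI, t, amfs))
```

The time indication is what disambiguates a reused identifier: the same 5G-S-TMSI resolves to different subscribers at different times, and to none in the gap between allocations.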

Abstract

A method for obtaining a permanent ID of a user equipment (UE) from a non-permanent ID of the UE from a serving network, including: receiving a request from a duly authorized security force (DASF) including a non-permanent ID of a UE; translating, by the visited network, the non-permanent ID of the UE to a permanent ID of the UE; and sending the permanent ID of the UE to the DASF.

Description

OBTAINING PERMANENT USER EQUIPMENT (UE) ID THAT CORRESPONDS TO A CIPHERED OR TEMPORARY UE ID
TECHNICAL FIELD
Various exemplary embodiments disclosed herein relate generally to a method for getting the permanent user equipment (UE) ID(s) that correspond to a ciphered or temporary UE ID.
BACKGROUND
When lawful interception of an individual has to be done, Law Enforcement Agencies (LEAs) first seek a warrant from the court. For this, the LEAs have to identify the individual that they want to lawfully intercept. The identification of the individual is typically done with the phone numbers or via a subscription permanent identifier (SUPI), e.g., an international mobile subscriber identity (IMSI). However, in some situations, the LEAs may also want to intercept the communications involving some equipment used by suspicious individuals, irrespective of who that individual is. For this, the LEAs submit the equipment identifiers such as permanent equipment identifier (PEI), e.g., an international mobile equipment identity (IMEI), to the court to seek the warrant. A typical example of such equipment is a mobile device or user equipment (UE). Sometimes, the Duly Authorized Security Forces (DASF) may gather the mobile device or UE identity by sniffing the suspicious communication traffic over the air and use that identity to seek the warrant from the court for performing a lawful interception.
SUMMARY
A summary of various exemplary embodiments is presented below. Some simplifications and omissions may be made in the following summary, which is intended to highlight and introduce some aspects of the various exemplary embodiments, but not to limit the scope of the invention. Detailed descriptions of an exemplary embodiment adequate to allow those of ordinary skill in the art to make and use the inventive concepts will follow in later sections.
Various embodiments relate to a method for obtaining a permanent ID of a user equipment (UE) from a non-permanent ID of the UE from a serving network, including: receiving a request from a duly authorized security force (DASF) including a non-permanent ID of a UE; translating, by the visited network, the non-permanent ID of the UE to a permanent ID of the UE; and sending the permanent ID of the UE to the DASF.
Various embodiments are described, further including receiving a legal intercept request from the DASF for the permanent ID. Various embodiments are described, further including intercepting communications of the UE with the permanent ID; and providing the intercepted communications to the DASF.
Various embodiments are described, wherein the non-permanent ID is a subscription concealed identifier (SUCI) and the permanent ID is a subscription permanent identifier (SUPI).
Various embodiments are described, wherein translating the non-permanent ID of the UE to a permanent ID of the UE further includes: requesting from a network slice selection function (NSSF) a set of mobility management functions (AMFs) that may have the translation between the non-permanent ID and the permanent ID; receiving the set of AMFs that may have the translation between the non-permanent ID and the permanent ID; sending an ID translation request to an AMF in the received set of AMFs; and receiving the permanent ID from the AMF.
Various embodiments are described, further including receiving from the DASF time information regarding the non-permanent ID, wherein the non-permanent ID is a temporary mobile subscription identifier (TMSI) and the permanent ID is a subscription permanent identifier (SUPI).
Various embodiments are described, wherein the TMSI is a 5G short TMSI (5G-S-TMSI).
Various embodiments are described, wherein translating the non-permanent ID of the UE to a permanent ID of the UE further includes: sending an ID translation request to a mobility management function (AMF) identified in the 5G-S-TMSI; and receiving the permanent ID from the AMF.
Various embodiments are described, wherein receiving a request from a duly authorized security force (DASF) including a non-permanent ID of a UE includes receiving the request via an administration function (ADMF) that provides a standards based interface.
Various embodiments are described, further including storing the non-permanent ID of the UE along with the permanent ID of the UE even though the non-permanent ID is no more allocated to the UE.
Further various embodiments relate to a device for obtaining a permanent ID of a user equipment (UE) from a non-permanent ID of the UE from a serving network, including: a memory; a processor coupled to the memory, wherein the processor is further configured to: receive a request from a duly authorized security force (DASF) including a non-permanent ID of a UE; translate, by the visited network, the non-permanent ID of the UE to a permanent ID of the UE; and send the permanent ID of the UE to the DASF.
Various embodiments are described, wherein the processor is further configured to receive a legal intercept request from the DASF for the permanent ID.
Various embodiments are described, wherein the processor is further configured to: intercept communications of the UE with the permanent ID; and provide the intercepted communications to the DASF.
Various embodiments are described, wherein the non-permanent ID is a subscription concealed identifier (SUCI) and the permanent ID is a subscription permanent identifier (SUPI).
Various embodiments are described, wherein translating the non-permanent ID of the UE to a permanent ID of the UE further includes: requesting from a network slice selection function (NSSF) a set of mobility management functions (AMFs) that may have the translation between the non-permanent ID and the permanent ID; receiving the set of AMFs that may have the translation between the non-permanent ID and the permanent ID; sending an ID translation request to an AMF in the received set of AMFs; and receiving the permanent ID from the AMF.
Various embodiments are described, wherein the processor is further configured to receive from the DASF time information regarding the non-permanent ID, wherein the non-permanent ID is a temporary mobile subscription identifier (TMSI) and the permanent ID is a subscription permanent identifier (SUPI).
Various embodiments are described, wherein the TMSI is a 5G short TMSI (5G-S-TMSI).
Various embodiments are described, wherein translating the non-permanent ID of the UE to a permanent ID of the UE further includes: sending an ID translation request to a mobility management function (AMF) identified in the 5G-S-TMSI; and receiving the permanent ID from the AMF.
Various embodiments are described, wherein receiving a request from a duly authorized security force (DASF) including a non-permanent ID of a UE includes receiving the request via an administration function (ADMF) that provides a standards based interface.
Further various embodiments relate to a device for obtaining a permanent ID of a user equipment (UE) from a non-permanent ID of the UE from a serving network, including: a memory; a processor coupled to the memory, wherein the processor is further configured to: store the non-permanent ID of the UE along with the permanent ID of the UE and time indication even though the non-permanent ID is no more allocated to the UE; receive a request to translate a non-permanent ID of the UE into a permanent ID of the UE; and answer with the permanent ID of the UE.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to better understand various exemplary embodiments, reference is made to the accompanying drawings, wherein:
FIG. 1 illustrates a diagram of the system and process for gathering legal intercepts and seeking a warrant to further monitor a UE associated with a non-permanent ID in the intercept;
FIG. 2 illustrates a block diagram of the interaction between the DASF and ASF;
FIG. 3 illustrates the message flow for the ASF to obtain a permanent ID from a non-permanent ID when the non-permanent ID is a SUCI;
FIG. 4 illustrates the message flow for the ASF to obtain a permanent ID from a non-permanent ID when the non-permanent ID is a 5G-S-TMSI; and
FIG. 5 illustrates an exemplary hardware diagram of the ASF, AMF, or other network elements of the PLMN or the DASF.
To facilitate understanding, identical reference numerals have been used to designate elements having substantially the same or similar structure and/or substantially the same or similar function.
DETAILED DESCRIPTION
The description and drawings illustrate the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described or shown herein, embody the principles of the invention and are included within its scope. Furthermore, all examples recited herein are principally intended expressly to be for pedagogical purposes to aid the reader in understanding the principles of the invention and the concepts contributed by the inventor(s) to furthering the art and are to be construed as being without limitation to such specifically recited examples and conditions. Additionally, the term, “or,” as used herein, refers to a non-exclusive or (i.e., and/or), unless otherwise indicated (e.g., “or else” or “or in the alternative”). Also, the various embodiments described herein are not necessarily mutually exclusive, as some embodiments can be combined with one or more other embodiments to form new embodiments.
With the advent of 5G mobile networks, for security reasons, the permanent IDs (SUPI / PEI) of the user equipment (UE) are not sent over the air. Therefore, what the DASF can intercept are just the temporary identifiers (non-permanent IDs). However, the law enforcement agencies (LEAs) cannot use such non-permanent IDs to seek a warrant for the lawful interception. In other words, the DASF somehow has to obtain the permanent IDs from the local public land mobile network (PLMN) that was sending or receiving the non-permanent IDs over the air and provide those permanent IDs to the LEAs who then can proceed and follow with the normal legal intercept (LI) process.
FIG. 1 illustrates a diagram of the system and process for gathering legal intercepts and seeking a warrant to further monitor a UE associated with a non-permanent ID in the intercept. A DASF 135 observes communications 185 between a 5G base station gNodeB (gNB) 110 in a PLMN 115 and a UE 105 of a suspicious user. Specifically, the DASF observes some identities of UEs of suspicious users. It is noted that although the interface where the DASF observes some identities of UEs of suspicious users is described as an interface to a gNB, the mechanism described herein may apply to any interface used by a UE to reach the 5G Core, such as the radio interface of a ng-ENB or the wireline interface of a wireline access to 5GC or the Wifi interface of a Trusted Wifi access to 5GC. If the DASF 135 provides the intercepted identity to a LEA 150, the LEA 150 cannot use such intercepted identities to request a warrant from a court 160 for a lawful intercept authorization as the intercepted IDs are non-permanent IDs such as subscription concealed identifier (SUCI or concealed SUPI) or 5G-GUTI / 5G-S-TMSI. Therefore, for each of those observed non-permanent IDs, the DASF 135 will have to obtain the associated permanent IDs by contacting the PLMN 115 that is sending such non-permanent IDs over the air.
The DASF 135 can determine the PLMN 115 to whom the non-permanent ID belongs.
Next, the DASF 135 sends a request 140 including the non-permanent ID to the PLMN 115 to get the permanent ID associated with the non-permanent ID. The PLMN 115 has an authorized security function (ASF) 125 that determines the permanent ID associated with the non-permanent ID in the request 140. The PLMN 115 sends a message 145 that includes the permanent ID associated with the intercepted non-permanent ID to the DASF 135. Then the DASF 135 provides that permanent ID to the LEA 150. Note in some embodiments the DASF 135 may also be the LEA 150. Then, the LEA 150 sends a request 155 that includes the permanent ID to the court 160 requesting that the court 160 issue a lawful intercept authorization. The court 160 issues a warrant authorizing legal intercepts associated with the permanent ID and sends a message 165 to the LEA with the warrant. LEA 150 may use a law enforcement monitoring facility (LEMF) 170 to submit an LI request 175 including the permanent ID to a LI system 120 in the PLMN 115. The PLMN LI system 120 intercepts the communications of the UE having the permanent ID. The PLMN 115 sends a message to provide the intercepted LI data or LI Product 180 to the LEMF 170.
[0002] The steps of converting the non-permanent ID to a permanent ID currently do not exist in 5G mobile systems and are the focus of the embodiments disclosed herein.
[0003] The non-permanent IDs that the DASF receives can be in one of the following two formats:
• SUCI = Concealed User ID as defined in the 3GPP Technical Specification (TS) 23.003 (Numbering, addressing and identification) being sent in association with a requested Network Slice Selection Assistance Information (NSSAI) (set of requested slices); and
• 5G-S-TMSI as defined in 3GPP Technical Specification TS 23.003.
To get the permanent ID from a non-permanent ID, the DASF 135 may contact only the local PLMN 115 (i.e., in the same country or other jurisdiction) that corresponds to the 5G access network (AN) where the DASF 135 has detected the non-permanent ID (i.e., the SUCI or 5G-S-TMSI). A mapping between the non-permanent ID (SUCI) and the permanent ID is maintained in an authentication function (AUSF) that resides in the home PLMN (HPLMN). As described above, the DASF 135 may only contact the local PLMN (in the same country or jurisdiction) that corresponds to the 5G AN where the DASF 135 has detected the non-permanent ID (i.e., SUCI or 5G-S-TMSI). In other words, the DASF 135 cannot contact the HPLMN to which the permanent ID belongs when the UEs 105 are roaming. The local PLMN is the visited PLMN (VPLMN). In 5G mobile networks, the VPLMN does not currently have a mechanism that remembers the association between the non-permanent ID and the permanent ID. Considering the need to have a homogeneous solution (valid for both roamers and non-roamers), a method is needed to determine the permanent ID in the VPLMN, that is, in the PLMN that does not have the AUSF. Furthermore, the HPLMN is not aware of such mapping when the non-permanent ID is a 5G-S-TMSI.
In the VPLMN, because the access and mobility management function (AMF) may transiently have the permanent ID as it is involved in most of the mobile device mobility/configuration related activities, the AMF may be the most likely candidate network function (NF) that may provide the needed mapping from a non-permanent ID to a permanent ID. This requires an enhancement to the AMF procedures. Even if such an enhancement is made, a method is needed in the VPLMN that can be used to determine the AMF that has such a mapping. Then, a procedure is to be defined to retrieve the permanent ID if such an enhancement to AMF is made and to identify potential AMFs that may provide the needed mapping.
As described above, the non-permanent IDs sent over the radio by the 5G AN to the UEs may be one of SUCI and 5G-S-TMSI. Non-permanent user IDs are defined in TS 23.003 (§ 2.10 and 2.11) and the following provides a summary of the SUCI and 5G-S-TMSI.
[0004] The 5G-GUTI shall be constructed from the GUAMI and the 5G-TMSI as follows:
<5G-GUTI> = <GUAMI><5G-TMSI>
where <GUAMI> = <MCC><MNC><AMF Identifier> (global AMF identifier) and <AMF Identifier> = <AMF Region ID><AMF Set ID><AMF Pointer> (AMF identifier in the local PLMN).
The 5G-S-TMSI is the shortened form of the 5G-GUTI (without <MCC><MNC><AMF Region ID>, i.e., <MCC><MNC><AMF Region ID><AMF Set ID><AMF Pointer><5G-TMSI> with the first three fields dropped) to enable more efficient radio signaling procedures (e.g., paging and service request) when the AMF Region ID is implicit. For paging purposes, the mobile is paged with the 5G-S-TMSI. Basically, the 5G-S-TMSI shall be constructed from the AMF Set ID, the AMF Pointer and the 5G-TMSI as follows:
<5G-S-TMSI> = <AMF Set ID><AMF Pointer><5G-TMSI>
In summary, the DASF that retrieves the non-permanent ID in the local PLMN (i.e., from the air) may provide that non-permanent ID (i.e., SUCI plus Requested NSSAI, or the 5G-S-TMSI) to the local PLMN to receive the permanent ID of that UE.
[0005] In FIG. 1, the PLMN 115 includes an ASF 125 (which is a new function added to the PLMN 115) that receives the non-permanent ID of a UE 105 from the DASF 135 and in return provides the permanent ID (SUPI, PEI) 145. It is assumed that the ASF 125 has obtained specific credentials allowing it to get a privileged access to any NF of the local PLMN and that the ASF 125 is located in the VPLMN and is subject to the visited location’s jurisdiction and laws.
The AMF adds the following new functionality to the serving PLMN (where the serving PLMN corresponds to the home PLMN/HPLMN when the UE is not roaming and the serving PLMN corresponds to the home VPLMN when the UE is roaming). The AMFs in serving PLMNs store the mapping SUCI - SUPI and 5G GUTI - SUPI even though the SUCI is not needed anymore by the AMF or if the 5G GUTI of the UE has been reallocated. This storage is kept even though the UE is no more served by the AMF (set) (e.g., because the UE has moved and is served by another AMF region or is detached). This storage is associated with the time slot during which this 5G GUTI has been allocated to the SUPI. Note that storing the 5G-S-TMSI or storing the 5G GUTI are equivalent.
The Nnssf_NSSelection_Get service operation is enhanced to determine the IDs of the AMF(s) that will have such mapping information. To address the case where the ASF has received a SUCI in association with a requested NSSAI, the ASF is not seeking an AMF set that could support the requested NSSAI (as provided currently by the network slice selection function (NSSF)) but is seeking the AMF that supports a given SUCI. Thus, the ASF needs to know the list of AMF set(s), and then of the AMFs within these sets, that are potential candidates to serve a requested NSSAI it has observed on an Access type. So the Nnssf_NSSelection_Get service is modified so that only a NSSAI is requested and a list of all AMF sets that are candidates to support this requested NSSAI is sent back. To address the case where the ASF has received a 5G-S-TMSI, no new mechanism is needed and then the ASF gets the address of the AMF that serves a GUAMI (subset of 5G-S-TMSI).
Once the AMF that has such mapping information is identified, the ASF retrieves the permanent ID from that AMF. An AMF service operation (API) may be defined that provides the permanent identifiers (SUPI, PEI, . . .) of the UE corresponding to either an input SUCI or an input 5G-S-TMSI associated with a time indication. This dedicated service operation may be reserved to the ASF (a privileged Network Function) in order to preserve user’s privacy.
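The 5G-S-TMSI layout and the time-slotted AMF storage described above can be sketched as follows. This is an added illustration, not code from the application: the field widths (10-bit AMF Set ID, 6-bit AMF Pointer, 32-bit 5G-TMSI) come from 3GPP TS 23.003, while the class and function names and all SUPI/PEI values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Field widths per 3GPP TS 23.003: AMF Set ID 10 bits, AMF Pointer 6 bits,
# 5G-TMSI 32 bits, so a 5G-S-TMSI is 48 bits in total.
SET_BITS, PTR_BITS, TMSI_BITS = 10, 6, 32


@dataclass(frozen=True)
class ShortTmsi:
    amf_set_id: int
    amf_pointer: int
    tmsi: int


def encode_5g_s_tmsi(amf_set_id: int, amf_pointer: int, tmsi: int) -> int:
    """<5G-S-TMSI> = <AMF Set ID><AMF Pointer><5G-TMSI>, packed MSB first."""
    for name, val, bits in (("AMF Set ID", amf_set_id, SET_BITS),
                            ("AMF Pointer", amf_pointer, PTR_BITS),
                            ("5G-TMSI", tmsi, TMSI_BITS)):
        if not 0 <= val < (1 << bits):
            raise ValueError(f"{name} does not fit in {bits} bits")
    return (amf_set_id << (PTR_BITS + TMSI_BITS)) | (amf_pointer << TMSI_BITS) | tmsi


def decode_5g_s_tmsi(value: int) -> ShortTmsi:
    """Split a 48-bit 5G-S-TMSI; Set ID and Pointer tell which AMF to ask."""
    if not 0 <= value < (1 << (SET_BITS + PTR_BITS + TMSI_BITS)):
        raise ValueError("5G-S-TMSI must fit in 48 bits")
    return ShortTmsi(value >> (PTR_BITS + TMSI_BITS),
                     (value >> TMSI_BITS) & ((1 << PTR_BITS) - 1),
                     value & ((1 << TMSI_BITS) - 1))


@dataclass
class Allocation:
    supi: str
    pei: str
    start: datetime
    end: Optional[datetime] = None  # None while the ID is still allocated


class AmfIdHistory:
    """Hypothetical AMF-side store: keeps every allocation of a 5G-S-TMSI,
    with its time slot, after the ID has been reallocated or released."""

    def __init__(self) -> None:
        self._slots: Dict[int, List[Allocation]] = {}

    def allocate(self, s_tmsi: int, supi: str, pei: str, at: datetime) -> None:
        slots = self._slots.setdefault(s_tmsi, [])
        if slots and slots[-1].end is None:
            slots[-1].end = at  # reallocation closes the previous time slot
        slots.append(Allocation(supi, pei, at))

    def release(self, s_tmsi: int, at: datetime) -> None:
        slots = self._slots.get(s_tmsi, [])
        if slots and slots[-1].end is None:
            slots[-1].end = at

    def lookup(self, s_tmsi: int, at: datetime) -> Optional[Tuple[str, str]]:
        """Return (SUPI, PEI) that held s_tmsi at time `at`, else None."""
        if at.tzinfo is None:
            raise ValueError("time indication must be timezone-aware")
        for slot in self._slots.get(s_tmsi, []):
            if slot.start <= at and (slot.end is None or at < slot.end):
                return slot.supi, slot.pei
        return None


def demo() -> Tuple[int, AmfIdHistory]:
    """Constructed scenario: one 5G-S-TMSI reused by two subscribers."""
    utc = timezone.utc
    s_tmsi = encode_5g_s_tmsi(5, 3, 0xDEADBEEF)
    amf = AmfIdHistory()
    amf.allocate(s_tmsi, "imsi-001010000000001", "imei-000000000000001",
                 datetime(2020, 6, 15, 10, 0, tzinfo=utc))
    amf.allocate(s_tmsi, "imsi-001010000000002", "imei-000000000000002",
                 datetime(2020, 6, 15, 11, 0, tzinfo=utc))
    amf.release(s_tmsi, datetime(2020, 6, 15, 12, 0, tzinfo=utc))
    return s_tmsi, amf
```

Because the same 5G-S-TMSI maps to different subscribers in different slots, a lookup without the time indication would be ambiguous, which is why the request carries one.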
FIG. 2 illustrates a block diagram of the interaction between the DASF and ASF. The DASF 235 sends a message 240 to the ASF 225 with the non-permanent ID. The ASF 225 may need to determine the AMF set ID to determine which AMF may have the needed mapping between the non-permanent ID and the permanent ID. In this case, the ASF 225 sends a message 210 to the NSSF 205 that includes the requested NSSAI. The NSSF 205 sends a message 215 to the ASF 225 that includes the list of potential AMF set ID(s). The ASF 225 then may send a request 250 to the AMFs in these sets, such as AMF 230, that includes the SUCI or 5G-S-TMSI. The AMF 230 sends a message 255 back to the ASF 225 that includes the SUPI and/or PEI. For the AMFs in the set that do not have the needed mapping, no permanent ID is returned. The ASF 225 then sends a message 245 to the DASF 235 with the permanent ID. In an alternative embodiment, an administrative function (ADMF) 260 may provide an interface between the ASF 225 and the DASF 235. The ADMF 260 submits a request via the LI_HI1 interface defined in the 3GPP TS 33.127/TS 33.128. The use of ADMF 260 allows for the use of a standardized interface to an external entity such as the DASF 235. To support this approach, the LI_HI1 interface will have to be enhanced. The interface between ADMF 260 and the ASF 225 could also be the LI_X1 interface also defined in TS 33.127 and TS 33.128.
[0006] The message flow for when the ASF retrieves the permanent ID associated with a received non-permanent ID will now be shown for when a SUCI is received and for when a 5G-S-TMSI is received.
FIG. 3 illustrates the message flow for the ASF to obtain a permanent ID from a non-permanent ID when the non-permanent ID is a SUCI. A UE 305 issues a register operation and sends the SUCI and requested NSSAI 350; this is as defined in current 3GPP TS 23.502 § 4.2.2. As part of this process the 5G AN 315 selects an AMF, for example between AMF(s) of AMF set A 340, AMF set B 330, AMF set C 380 and AMF set D 385. In this example, an AMF of set B 330 is based on the Requested NSSAI selected for the UE 305. The SUCI and the requested NSSAI are captured by DASF. The UE registration completes as defined in current 3GPP TS 23.502 § 4.2.2 with the modification that as part of this procedure, the AMF stores the mapping of (SUCI, Access type) to (SUPI, PEI).
Next, the DASF issues a request 351 to the ASF 310 for the translation into the corresponding permanent ID (SUPI / PEI). The request 351 contains the SUCI, requested NSSAI, and the corresponding location (for example cell ID and tracking area) where the DASF intercepted the non-permanent ID. Then the ASF 310 issues a Nnssf_NSSelection_Get Request (requested NSSAI, get all possible AMF) 352 to the NSSF 320 to get all possible AMF sets that may serve the requested NSSAI it has observed over the 5G AN 315. The NSSF 320 answers with all possible AMF sets 353, which here for example would be AMF set A 340 and AMF set B 330.
[0007] The ASF 310 next issues a request to look for the AMF(s) that support the sets provided by the NSSF asking for support of NamfUserldGET service operation. As this operation is restricted for use, it may get a dedicated token (e.g., as found in 3GPP TS 33.501 § 14.3.2 Nnrf_AccessToken_Get Service Operation) allowing it to contact the AMF(s) for this operation (only an ASF can get such a token from the NRF, ensuring that other network entities cannot get information on the mapping between a 5G-S-TMSI and a corresponding permanent user identity). First, the ASF 310 issues a NamfUserldGET Request (SUCI) 354 to an AMF from set A 340, and the ASF 310 receives a message 355 that indicates that the UE 305 is not served by the AMF set A 340.
Then, the ASF 310 issues a NamfUserldGET Request (SUCI) 356 to an AMF from set B 330 and receives a message 357 that includes the requested UE permanent identifiers (SUPI, PEI). As described above, the ASF 310 may communicate the UE permanent identifiers (SUPI, PEI) to the DASF.
FIG. 4 illustrates the message flow for the ASF to obtain a permanent ID from a non-permanent ID when the non-permanent ID is a 5G-S-TMSI. A UE 405 that has already received a 5G-S-TMSI from the local PLMN issues a RRC connection request 450 providing the 5G-S-TMSI or gets paged via the 5G-S-TMSI; this is as defined in the current 3GPP TS 23.502 and 38.331. As part of this process, the 5G AN 415 selects an AMF and is constrained by the 5G-S-TMSI content. That is, the UE 405 is for example served by an AMF of set B 430. Next, the 5G-S-TMSI is captured by a DASF. The UE procedure finishes as defined in the current 3GPP TS 23.502 § 4.2.2 with the modification that the AMF stores the mapping (5G-S-TMSI) to (SUPI, PEI) together with timing indication.
Next, the DASF issues a request 451 for the translation of the 5G-S-TMSI into the corresponding permanent ID (SUPI / PEI) to the ASF 410. The request 451 includes the 5G-S-TMSI and the location (for example cell ID and tracking area) and time (where and when input has been detected). Then, the ASF 410 issues a request 452 to look for the AMF that supports the GUAMI identified in the input 5G-S-TMSI, asking for support of the NamfUserldGET service operation. As this operation is restricted for use, it gets a dedicated token from the NRF (e.g., as found in 3GPP TS 33.501 § 14.3.2 Nnrf_AccessToken_Get Service Operation) allowing the ASF 410 to contact the AMF(s) for this operation (only an ASF can get such a token from the NRF, ensuring that other network entities cannot get information on the mapping between a 5G-S-TMSI and a corresponding permanent user identity).
The AMF 440 issues a NamfUserldGET Response 453 to the ASF 410 that includes the requested UE permanent identifiers (SUPI, PEI). As described above, the ASF 410 may communicate the UE permanent identifiers (SUPI, PEI) to the DASF.
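The SUCI exchange of FIG. 3 described above (candidate AMF sets from the NSSF, a restricted token from the NRF, then one query per candidate AMF) can be modelled as below. This is an added sketch, not code from the application: the classes, the plain-object token (a real NRF token is a signed credential), the audit list and every identifier value are constructed assumptions, and the operation name is spelled as it appears on the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

OPERATION = "NamfUserldGET"  # restricted service operation, as spelled on the page


@dataclass(frozen=True)
class Token:
    consumer: str  # network function type the token was issued to
    scope: str     # service operation the token authorizes


class Nrf:
    """Issues the dedicated token; only an ASF may obtain it (per the page)."""

    def access_token(self, consumer: str, scope: str) -> Token:
        if scope == OPERATION and consumer != "ASF":
            raise PermissionError(f"{consumer} may not request {scope}")
        return Token(consumer, scope)


@dataclass
class Nssf:
    supported: Dict[str, Set[str]]  # AMF set id -> S-NSSAIs that set supports

    def candidate_sets(self, requested_nssai: Set[str]) -> List[str]:
        """Modified Nnssf_NSSelection_Get: return all candidate AMF sets."""
        return sorted(s for s, slices in self.supported.items()
                      if requested_nssai <= slices)


@dataclass
class Amf:
    set_id: str
    # (SUCI, access type) -> (SUPI, PEI), stored at registration and kept
    suci_map: Dict[Tuple[str, str], Tuple[str, str]] = field(default_factory=dict)

    def user_id_get(self, token: Token, suci: str,
                    access_type: str) -> Optional[Tuple[str, str]]:
        if (not isinstance(token, Token) or token.consumer != "ASF"
                or token.scope != OPERATION):
            raise PermissionError("caller is not authorized for " + OPERATION)
        return self.suci_map.get((suci, access_type))  # None: UE not served here


def resolve_suci(nrf: Nrf, nssf: Nssf, amfs: Dict[str, List[Amf]], suci: str,
                 requested_nssai: Set[str], access_type: str,
                 audit: List[Tuple[str, bool]]) -> Optional[Tuple[str, str]]:
    """ASF logic: query each candidate AMF until one returns (SUPI, PEI).

    Every query is appended to `audit` as (AMF set id, found?) so that each
    use of the privileged operation leaves a record.
    """
    token = nrf.access_token("ASF", OPERATION)
    for set_id in nssf.candidate_sets(requested_nssai):
        for amf in amfs.get(set_id, []):
            result = amf.user_id_get(token, suci, access_type)
            audit.append((set_id, result is not None))
            if result is not None:
                return result
    return None


SUCI = "suci-constructed-0001"  # constructed opaque value, not a real SUCI


def build_constructed_network() -> Tuple[Nrf, Nssf, Dict[str, List[Amf]]]:
    """Four AMF sets as in FIG. 3; only set B registered the sample UE."""
    nssf = Nssf({"A": {"slice-1", "slice-2"}, "B": {"slice-1"},
                 "C": {"slice-3"}, "D": {"slice-4"}})
    amfs = {s: [Amf(s)] for s in "ABCD"}
    amfs["B"][0].suci_map[(SUCI, "3GPP")] = ("imsi-001010000000001",
                                             "imei-000000000000001")
    return Nrf(), nssf, amfs
```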
The examples given above have been described in the context of 5G networks. The embodiments described herein may also be applied to other wireless or wireline networks that conceal the permanent ID of the UE using a non-permanent ID. A function in the wireless network captures and stores the mapping between the non-permanent ID and the permanent ID. Another function may then interface with a DASF to service a request for the mapping of a non-permanent ID to a permanent ID. This permanent ID then gives the DASF the information needed to seek a warrant from a court to initiate the lawful intercept of communications with the UE.
FIG. 5 illustrates an exemplary hardware diagram of the ASF, AMF, or other network elements of the PLMN or the DASF. As shown, the device 500 includes a processor 520, memory 530, user interface 540, network interface 550, and storage 560 interconnected via one or more system buses 510. It will be understood that FIG. 5 constitutes, in some respects, an abstraction and that the actual organization of the components of the device 500 may be more complex than illustrated.
The processor 520 may be any hardware processing device capable of executing instructions stored in memory 530 or storage 560 or otherwise processing data. As such, the processor may include a microprocessor, a graphics processing unit (GPU), field programmable gate array (FPGA), application-specific integrated circuit (ASIC), any processor capable of parallel computing, or other similar devices.
The memory 530 may include various memories such as, for example, L1, L2, or L3 cache or system memory. As such, the memory 530 may include static random-access memory (SRAM), dynamic RAM (DRAM), flash memory, read only memory (ROM), or other similar memory devices.
The user interface 540 may include one or more devices for enabling communication with a user and may present information to users. For example, the user interface 540 may include a display, a touch interface, a mouse, and/or a keyboard for receiving user commands. In some embodiments, the user interface 540 may include a command line interface or graphical user interface that may be presented to a remote terminal via the network interface 550.
The network interface 550 may include one or more devices for enabling communication with other hardware devices. For example, the network interface 550 may include a network interface card (NIC) configured to communicate according to the Ethernet protocol or other communications protocols, including wireless protocols. Additionally, the network interface 550 may implement a TCP/IP stack for communication according to the TCP/IP protocols. Various alternative or additional hardware or configurations for the network interface 550 will be apparent. The storage 560 may include one or more machine-readable storage media such as read-only memory (ROM), random-access memory (RAM), magnetic disk storage media, optical storage media, flash-memory devices, or similar storage media. In various embodiments, the storage 560 may store instructions for execution by the processor 520 or data upon which the processor 520 may operate. For example, the storage 560 may store a base operating system 561 for controlling various basic operations of the hardware 500. The storage 562 may store instructions for implementing the functions of the ASF and the translation of the non-permanent ID into the permanent ID.
It will be apparent that various information described as stored in the storage 560 may be additionally or alternatively stored in the memory 530. In this respect, the memory 530 may also be considered to constitute a “storage device” and the storage 560 may be considered a “memory.” Various other arrangements will be apparent. Further, the memory 530 and storage 560 may both be considered to be “non-transitory machine-readable media.” As used herein, the term “non-transitory” will be understood to exclude transitory signals but to include all forms of storage, including both volatile and non-volatile memories. While the system 500 is shown as including one of each described component, the various components may be duplicated in various embodiments. For example, the processor 520 may include multiple microprocessors that are configured to independently execute the methods described herein or are configured to perform steps or subroutines of the methods described herein such that the multiple processors cooperate to achieve the functionality described herein. Such plurality of processors may be of the same or different types. Further, where the device 500 is implemented in a cloud computing system, the various hardware components may belong to separate physical systems. For example, the processor 520 may include a first processor in a first server and a second processor in a second server. The embodiments described herein provide a technological advancement over the prior PLMN systems. Previously when a DASF intercepted the non-permanent ID of a device on a visited PLMN, the visited PLMN was not able to provide the permanent ID of the UE and the home PLMN that would be able to provide the mapping is not available. Accordingly, the DASF did not have the information needed to obtain a warrant to obtain lawful intercepts from the UE. 
The embodiments described herein provide additional functionality that allows for the translation of the intercepted non-permanent ID to the associated permanent ID that the DASF may then use to get a warrant and to request lawful intercepts using the permanent ID.
Any combination of specific software running on a processor to implement the embodiments of the invention constitutes a specific dedicated machine.
As used herein, the term “non-transitory machine-readable storage medium” will be understood to exclude a transitory propagation signal but to include all forms of volatile and non-volatile memory.
Although the various exemplary embodiments have been described in detail with particular reference to certain exemplary aspects thereof, it should be understood that the invention is capable of other embodiments and its details are capable of modifications in various obvious respects. As is readily apparent to those skilled in the art, variations and modifications can be effected while remaining within the spirit and scope of the invention. Accordingly, the foregoing disclosure, description, and figures are for illustrative purposes only and do not in any way limit the invention, which is defined only by the claims.

Claims

What is claimed is:
1. A method for obtaining a permanent ID of a user equipment (UE) from a non-permanent ID of the UE from a serving network, comprising: receiving a request from a duly authorized security force (DASF) including a non-permanent ID of a UE; translating, by the visited network, the non-permanent ID of the UE to a permanent ID of the UE; and sending the permanent ID of the UE to the DASF.
2. The method of claim 1, further comprising receiving a legal intercept request from the DASF for the permanent ID.
3. The method of claim 2, further comprising: intercepting communications of the UE with the permanent ID; and providing the intercepted communications to the DASF.
4. The method of claim 1, wherein the non-permanent ID is a subscription concealed identifier (SUCI) and the permanent ID is a subscription permanent identifier (SUPI).
5. The method of claim 4, wherein translating the non-permanent ID of the UE to a permanent ID of the UE further comprises: requesting from a network slice selection function (NSSF) a set of mobility management functions (AMFs) that may have the translation between the non-permanent ID and the permanent ID; receiving the set of AMFs that may have the translation between the non-permanent ID and the permanent ID; sending an ID translation request to an AMF in the received set of AMFs; and receiving the permanent ID from the AMF.
6. The method of claim 1, further comprising receiving from the DASF time information regarding the non-permanent ID, wherein the non-permanent ID is a temporary mobile subscription identifier (TMSI) and the permanent ID is a subscription permanent identifier (SUPI).
7. The method of claim 6, wherein the TMSI is a 5G short TMSI (5G-S-TMSI).
8. The method of claim 7, wherein translating the non-permanent ID of the UE to a permanent ID of the UE further comprises: sending an ID translation request to a mobility management function (AMF) identified in the 5G-S-TMSI; and receiving the permanent ID from the AMF.
9. The method of claim 1, wherein receiving a request from a duly authorized security force (DASF) including a non-permanent ID of a UE includes receiving the request via an administration function (ADMF) that provides a standards based interface.
10. The method of claim 1, further comprising storing the non-permanent ID of the UE along with the permanent ID of the UE even though the non-permanent ID is no more allocated to the UE.
11. A device for obtaining a permanent ID of a user equipment (UE) from a non-permanent ID of the UE from a serving network, comprising: a memory; a processor coupled to the memory, wherein the processor is further configured to: receive a request from a duly authorized security force (DASF) including a non-permanent ID of a UE; translate, by the visited network, the non-permanent ID of the UE to a permanent ID of the UE; and send the permanent ID of the UE to the DASF.
12. The device of claim 11, wherein the processor is further configured to receive a legal intercept request from the DASF for the permanent ID.
13. The device of claim 12, wherein the processor is further configured to: intercept communications of the UE with the permanent ID; and provide the intercepted communications to the DASF.
14. The device of claim 11, wherein the non-permanent ID is a subscription concealed identifier (SUCI) and the permanent ID is a subscription permanent identifier (SUPI).
15. The device of claim 14, wherein translating the non-permanent ID of the UE to a permanent ID of the UE further comprises: requesting from a network slice selection function (NSSF) a set of mobility management functions (AMFs) that may have the translation between the non-permanent ID and the permanent ID; receiving the set of AMFs that may have the translation between the non-permanent ID and the permanent ID; sending an ID translation request to an AMF in the received set of AMFs; and receiving the permanent ID from the AMF.
16. The device of claim 11, wherein the processor is further configured to receive from the DASF time information regarding the non-permanent ID, wherein the non-permanent ID is a temporary mobile subscription identifier (TMSI) and the permanent ID is a subscription permanent identifier (SUPI).
17. The device of claim 16, wherein the TMSI is a 5G short TMSI (5G-S-TMSI).
18. The device of claim 17, wherein translating the non-permanent ID of the UE to a permanent ID of the UE further comprises: sending an ID translation request to a mobility management function (AMF) identified in the 5G-S-TMSI; and receiving the permanent ID from the AMF.
19. The device of claim 11, wherein receiving a request from a duly authorized security force (DASF) including a non-permanent ID of a UE includes receiving the request via an administration function (ADMF) that provides a standards based interface.
20. A device for obtaining a permanent ID of a user equipment (UE) from a non-permanent ID of the UE from a serving network, comprising: a memory; a processor coupled to the memory, wherein the processor is further configured to: store the non-permanent ID of the UE along with the permanent ID of the UE and time indication even though the non-permanent ID is no more allocated to the UE; receive a request to translate a non-permanent ID of the UE into a permanent ID of the UE; and answer with the permanent ID of the UE.
PCT/US2020/037691 2020-06-15 2020-06-15 Obtaining permanent user equipment (ue) id that corresponds to a ciphered or temporary ue id WO2021257047A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2020/037691 WO2021257047A1 (en) 2020-06-15 2020-06-15 Obtaining permanent user equipment (ue) id that corresponds to a ciphered or temporary ue id

Publications (1)

Publication Number Publication Date
WO2021257047A1 true WO2021257047A1 (en) 2021-12-23

Family

ID=79268171

Country Status (1)

Country Link
WO (1) WO2021257047A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140287757A1 (en) * 2011-10-19 2014-09-25 Telefonaktiebolaget L M Ericsson (Publ) Methods and Devices for Deriving a Permanent UE Identifier
US20150139087A1 (en) * 2013-01-17 2015-05-21 Achim Luft Lawful interception for device-to-device (d2d) communication
US20180337960A1 (en) * 2015-07-15 2018-11-22 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for removing redundant received data flows of interception in ims domains
US20200169867A1 (en) * 2016-03-17 2020-05-28 Baicells Technologies Co. Ltd. Interception method, core network device and base station

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ETSI ANONYMOUS: "5G; System Architecture for the 5G System", 3GPP TS 23.501 VERSION 15.3.0 RELEASE 15, 1 September 2018 (2018-09-01), pages 2018 - 9, XP055724468, Retrieved from the Internet <URL:https://www.etsi.org/deliver/etsi_ts/123500_123599/123501/15.03.00_60/ts_123501v150300p.pdf> [retrieved on 20200824] *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20941209

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20941209

Country of ref document: EP

Kind code of ref document: A1