The GSM system offers several security services. These services use confidential information that is stored in the AuC and in the customer's SIM (Subscriber Identity Module) chip. The SIM chip may be plugged into any MS; however, for the SIM chip to allow access to the MS the user must enter a PIN (Personal Identification Number). The SIM chip contains personal, secret data. The following are the security services offered by GSM:
- Authentication and Access Control: For any MS to be used on the GSM network a number of events have to take place. The first event is the authentication of a valid user for the SIM: the user enters their secret PIN to access the SIM. Then the MS contacts the AuC (see Figure 16 (Authentication Request)).
- Confidentiality: All data that is related to the user is encrypted. After authentication, the BTS and MS apply encryption to data, voice and signaling. This confidentiality exists only between the BTS and MS; it does not exist end-to-end or within the whole fixed GSM/telephone network.
- Anonymity: The GSM system also provides a level of anonymity. All of the data is encrypted before transmission, and user identifiers that would show the identity of a user are not used over the air. Instead, the GSM system uses a temporary identifier (TMSI), which is newly assigned by the VLR after each location update. Furthermore, the VLR can change the TMSI at any time.
The GSM system uses three different algorithms to provide security services: A3 is used primarily for authentication, A5 is used for encryption/decryption, and A8 is used for the generation of a cipher key. Out of the three algorithms, A5 was the only one that was publicly available, whereas A3 and A8 were secret, but standard with open interfaces. However, that changed in 1998 when A3 and A8 were published on the internet.
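How the three algorithms fit together in the authentication step and the encryption that follows it, as an added example that is not part of the original page. HMAC-SHA256 and SHAKE-256 are stand-ins for A3, A8 and A5 (not the real algorithms); the standard GSM names Ki, RAND, SRES and Kc do not appear on the page, and the class names, function names and sample subscriber values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Stand-ins only: real A3/A8 are operator-chosen and A5 is a dedicated stream
# cipher. These functions just reproduce the inputs and output sizes.
def a3(ki: bytes, rand: bytes) -> bytes:
    """Authentication: 32-bit signed response (SRES) from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Key generation: 64-bit cipher key (Kc) from the same Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5(kc: bytes, frame: int, data: bytes) -> bytes:
    """Encrypt/decrypt: XOR data with a keystream from Kc and frame number."""
    stream = hashlib.shake_256(kc + frame.to_bytes(4, "big")).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, stream))

class Sim:
    """Holds Ki; only SRES and Kc ever leave the card."""
    def __init__(self, ki: bytes):
        self._ki = ki
    def respond(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)

class AuC:
    """Holds each subscriber's Ki and produces (RAND, expected SRES, Kc)."""
    def __init__(self, ki_by_imsi: dict):
        self._ki_by_imsi = ki_by_imsi
    def triplet(self, imsi: str):
        rand = secrets.token_bytes(16)  # fresh 128-bit challenge per attempt
        ki = self._ki_by_imsi[imsi]
        return rand, a3(ki, rand), a8(ki, rand)

def authenticate(auc: AuC, imsi: str, sim: Sim):
    """Returns (accepted, Kc on the MS side, Kc on the network side)."""
    rand, expected, kc_net = auc.triplet(imsi)
    sres, kc_ms = sim.respond(rand)  # over the air: RAND down, SRES up
    if not hmac.compare_digest(sres, expected):
        return False, None, None  # wrong Ki: no access, no cipher key
    return True, kc_ms, kc_net

# Constructed sample subscriber (not real values).
IMSI = "001010000000001"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
```

Ki never crosses the air interface in this flow, and both sides derive the same Kc independently, which is why the encryption covers only the link between the MS and the BTS.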