I mentioned in an earlier post that there’s a pretty complicated “alphabet soup” of acronyms, identifiers, and numbers in the LTE world. We’ve already covered the different physical components (UEs, eNodeBs, and EPCs), so in this post I’m going to cover some of the basic numbers and identifiers used in an LTE network.
- IMSI: The IMSI (International Mobile Subscriber Identity) is a number of up to 15 digits that uniquely identifies the subscription, and therefore the SIM card that holds it; the network uses it throughout to identify the card/customer/user. The IMSI is actually comprised of two separate numbers: the first 5 or 6 digits are the PLMN (Public Land Mobile Network) ID, and the remaining digits (at most 10, or 9 if the PLMN ID is 6 digits) are the MSIN (Mobile Subscription Identification Number).
- PLMN: The PLMN ID is a 5 or 6 digit number (depending on the country) that is, itself, made up of two parts: the three-digit Mobile Country Code (MCC) and the two or three digit Mobile Network Code (MNC). Every network in a given country shares the same MCC (for example, the USA is 310), and the MNC is unique within that country (AT&T is 016, therefore its total PLMN ID is 310016). Note that nothing in the IMSI itself tells you whether the MNC is two or three digits; you have to know the country’s numbering plan to split it correctly. You can find a table of PLMN IDs on Wikipedia.
- MSIN: A network is in charge of all the MSINs under its PLMN, and is allowed to allocate its MSINs however it wants. In my test network, I simply chose the values 0000000000 to 0000000999. If I were AT&T, whose PLMN ID is 6 digits, only 9 digits would be left for the MSIN (an IMSI can never exceed 15 digits), so the equivalent range tacked on to the PLMN would create IMSIs of 310016000000000 to 310016000000999.
- MSISDN: The MSISDN (Mobile Station International Subscriber Directory Number) is just a fancy way of saying “the SIM’s phone number.” It is not the same thing as the IMSI: the IMSI is the network-internal identity, the MSISDN is what other people dial, and the HSS keeps the mapping between the two.
- KI: The KI (written K in the 3GPP specs) is the subscriber’s 128-bit long-term secret key, and it lives in exactly two places: inside the SIM/USIM and in the operator’s HSS/AuC. It is never sent over the air, and it is not itself used to encrypt traffic. Instead, during the EPS-AKA authentication run, both sides feed it (together with the OPc and a random challenge) into the MILENAGE functions to produce the authentication response and the cipher/integrity keys CK and IK, from which the actual NAS and radio keys are derived via KASME. A fresh, random KI is generated for each SIM, and it’s incredibly important that this value never be leaked or stolen: whoever holds it can clone the SIM, answer challenges as that subscriber, and derive the session keys for any authentication exchange they capture, which allows everything from eavesdropping to SIM impersonation.
- OP: The OP (Operator Variant Algorithm Configuration Field) is a 128-bit operator-specific constant that customises the MILENAGE algorithm for one operator. It is not a traffic key, and it does not by itself prove the network’s identity; the network proves itself by computing the MAC in AUTN, which requires the subscriber’s KI. Unlike the KI, there is normally only one OP for the entire network (or per batch of SIMs), and it should stay confidential in the AuC as a second layer of defence: if OP leaks, the security of every subscriber’s authentication rests on their KI alone.
- OPc: The OPc is derived by combining the SIM’s KI with the network’s OP (OPc = AES_KI(OP) XOR OP), computed once when the SIM is provisioned and stored on the SIM alongside the KI. During authentication the SIM uses KI and OPc to check the MAC in AUTN (which is how it makes sure the network is who it says it is) and to compute RES, CK and IK; it does not decrypt traffic with the OPc. The reason the SIM stores the OPc, and not the OP, is that the mapping from OP to OPc is one-way (a Davies-Meyer style construction), so even someone who dumps a card’s KI and OPc cannot recover the OP. This means that if a single SIM gets lost, stolen, or compromised, the OP is still safe.
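To make the IMSI layout described above concrete, here is a small parser written for this post (it is not code from the original author or from any project). It splits an IMSI into MCC, MNC and MSIN, enforces the 15-digit limit, and makes the point that the MNC length has to come from the country’s numbering plan because the IMSI itself does not tell you where the MNC ends. The mncLength table is a deliberately tiny, assumed subset of the real E.212 table, and the sample IMSIs in main are constructed values.

```go
package main

import (
	"errors"
	"fmt"
)

// IMSI holds the decoded fields of an International Mobile Subscriber Identity.
type IMSI struct {
	MCC, MNC, MSIN string
}

// PLMN returns the network identifier MCC||MNC (5 or 6 digits).
func (i IMSI) PLMN() string { return i.MCC + i.MNC }

// mncLength maps an MCC to its MNC length. The IMSI itself does not say where
// the MNC ends, so a real parser needs the full ITU-T E.212 numbering table;
// this is an assumed illustrative subset, not a complete table.
var mncLength = map[string]int{
	"001": 2, // test PLMN used by lab networks (001 01)
	"262": 2, // Germany
	"310": 3, // USA, e.g. 310 016
}

// ParseIMSI splits an IMSI into MCC, MNC and MSIN, enforcing the E.212 limits:
// decimal digits only, at most 15 digits, MNC length fixed by the MCC.
func ParseIMSI(imsi string) (IMSI, error) {
	if len(imsi) > 15 {
		return IMSI{}, fmt.Errorf("IMSI has %d digits, maximum is 15", len(imsi))
	}
	for _, c := range imsi {
		if c < '0' || c > '9' {
			return IMSI{}, errors.New("IMSI must contain only decimal digits")
		}
	}
	if len(imsi) < 3 {
		return IMSI{}, errors.New("IMSI too short to contain an MCC")
	}
	mcc := imsi[:3]
	n, ok := mncLength[mcc]
	if !ok {
		return IMSI{}, fmt.Errorf("MNC length for MCC %s not in table", mcc)
	}
	if len(imsi) <= 3+n {
		return IMSI{}, errors.New("IMSI has no MSIN digits after the PLMN ID")
	}
	return IMSI{MCC: mcc, MNC: imsi[3 : 3+n], MSIN: imsi[3+n:]}, nil
}

func main() {
	// Constructed sample IMSIs: a lab-network value, a 15-digit 310016 IMSI, the
	// 16-digit value you get by putting a 10-digit MSIN behind a 6-digit PLMN ID,
	// and one with non-digit characters.
	for _, s := range []string{"001010000000001", "310016000000999", "3100160000000999", "26201abc"} {
		id, err := ParseIMSI(s)
		if err != nil {
			fmt.Printf("%-17s rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%-17s PLMN=%s MCC=%s MNC=%s MSIN=%s\n", s, id.PLMN(), id.MCC, id.MNC, id.MSIN)
	}
}
```

The third sample is exactly the mistake that is easy to make with a 6-digit PLMN ID: a 10-digit MSIN behind 310016 gives 16 digits, and the parser rejects it.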
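The relationship between the KI, OP and OPc is easiest to see in the algorithm that consumes them. The following is an added example written for this post, not the original author’s code: a compact Go implementation of MILENAGE (the f1 to f5 functions from 3GPP TS 35.206) that derives OPc from K and OP, builds the AUTN that the HSS/AuC hands to the phone, and verifies it the way a USIM does. The fixed inputs are the public test set 1 vectors from 3GPP TS 35.207/35.208, not real subscriber secrets; the function names ComputeOPc, F1, F2345, BuildAUTN and VerifyAUTN are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// MILENAGE test set 1 from 3GPP TS 35.207/35.208: public conformance vectors, not real secrets.
var (
	K    = mustHex("465b5ce8b199b49faa5f0a2ee238a6bc") // subscriber key (the post's KI)
	OP   = mustHex("cdc202d5123e20f62b6d676ac72cb318") // operator constant
	RAND = mustHex("23553cbe9637a89d218ae64dae47bf35") // network's random challenge
	SQN  = mustHex("ff9bb4d0b607")                     // sequence number
	AMF  = mustHex("b9b9")                             // authentication management field
)

// encryptBlock is the MILENAGE kernel E_K: a single AES-128 block encryption under K.
func encryptBlock(k, in []byte) []byte {
	c, err := aes.NewCipher(k)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	c.Encrypt(out, in)
	return out
}
func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// rot rotates a 128-bit value r bits toward the MSB; TS 35.206 only uses multiples of 8.
func rot(x []byte, r int) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = x[(i+r/8)%16]
	}
	return out
}

// ComputeOPc derives the per-SIM OPc = E_K(OP) XOR OP (TS 35.206 section 4.1).
func ComputeOPc(k, op []byte) []byte {
	return xor(encryptBlock(k, op), op)
}

// F1 computes MAC-A, the network authentication code the USIM checks in AUTN.
func F1(k, opc, rand, sqn, amf []byte) []byte {
	temp := encryptBlock(k, xor(rand, opc))
	in1 := make([]byte, 0, 16) // IN1 = SQN || AMF || SQN || AMF
	in1 = append(append(append(append(in1, sqn...), amf...), sqn...), amf...)
	// OUT1 = E_K(TEMP ^ rot(IN1 ^ OPc, r1=64) ^ c1=0) ^ OPc; MAC-A is its first 64 bits.
	out1 := xor(encryptBlock(k, xor(temp, rot(xor(in1, opc), 64))), opc)
	return out1[:8]
}

// F2345 computes RES (f2), CK (f3), IK (f4) and AK (f5) from K, OPc and RAND.
func F2345(k, opc, rand []byte) (res, ck, ik, ak []byte) {
	temp := encryptBlock(k, xor(rand, opc))
	outN := func(r int, c byte) []byte { // OUTn = E_K(rot(TEMP ^ OPc, rn) ^ cn) ^ OPc
		in := rot(xor(temp, opc), r)
		in[15] ^= c
		return xor(encryptBlock(k, in), opc)
	}
	out2, out3, out4 := outN(0, 1), outN(32, 2), outN(64, 4)
	return out2[8:], out3, out4, out2[:6]
}

// BuildAUTN is the HSS/AuC side: AUTN = (SQN XOR AK) || AMF || MAC-A.
func BuildAUTN(k, opc, rand, sqn, amf []byte) []byte {
	_, _, _, ak := F2345(k, opc, rand)
	autn := append(xor(sqn, ak), amf...)
	return append(autn, F1(k, opc, rand, sqn, amf)...)
}

// VerifyAUTN is the USIM side: unmask SQN with AK, recompute MAC-A and compare.
func VerifyAUTN(k, opc, rand, autn []byte) (sqn, res []byte, ok bool) {
	res, _, _, ak := F2345(k, opc, rand)
	sqn = xor(autn[:6], ak)
	return sqn, res, bytes.Equal(F1(k, opc, rand, sqn, autn[6:8]), autn[8:16])
}

func main() {
	opc := ComputeOPc(K, OP)
	autn := BuildAUTN(K, opc, RAND, SQN, AMF)
	sqn, res, ok := VerifyAUTN(K, opc, RAND, autn)
	fmt.Printf("OPc=%x\nAUTN=%x\nSQN=%x RES=%x MAC ok=%v\n", opc, autn, sqn, res, ok)
}
```

Two things are worth noticing. K and OPc only ever enter the computation as AES inputs to the f-functions, so neither of them “encrypts traffic”; the traffic keys are derived downstream from CK and IK. And ComputeOPc is the only place OP appears at all, which is why a SIM can be provisioned with OPc alone: a rogue network that knows OP but not this SIM’s K still cannot produce a MAC-A that VerifyAUTN accepts.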