Description
The CTS-Personal Identification Number (CTS-PIN) is a security feature defined within the 3GPP specifications to facilitate secure user authentication during Circuit Switched FallBack (CSFB) procedures. CSFB is a mechanism that allows a User Equipment (UE) attached to a 4G LTE network, which offers only packet-switched transport, including for voice, to fall back to a legacy 2G (GSM) or 3G (UMTS) circuit-switched network to establish a voice call. The CTS-PIN is a critical component in this handover, acting as a shared secret between the UE and the network to verify the user's identity and authorize access to the circuit-switched domain.
Architecturally, the CTS-PIN is stored in two key locations: within the Universal Subscriber Identity Module (USIM) of the user's device and in the Home Location Register (HLR) or Home Subscriber Server (HSS) in the network core. When a CSFB procedure is triggered, the Mobile Switching Center (MSC) serving the target 2G/3G network requests authentication vectors from the HLR/HSS. These vectors are derived using the CTS-PIN as one of the inputs, alongside other parameters like a random challenge (RAND). The MSC sends the RAND to the UE, which uses its locally stored CTS-PIN and the same cryptographic algorithm to compute a response (SRES). The network compares the received SRES with its own calculated value; a match authenticates the user and allows the circuit-switched call to proceed.
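The challenge-response exchange described above can be modelled in a few lines. This is an added example, not code from the 3GPP specifications: the class and function names are hypothetical, the subscriber identity is a constructed sample, and HMAC-SHA-256 truncated to 32 bits stands in for the legacy algorithm (it is not COMP128).

```python
import hashlib
import hmac
import secrets

RAND_LEN = 16  # 128-bit challenge, the RAND size used in GSM/UMTS authentication
SRES_LEN = 4   # 32-bit signed response, the SRES size used in GSM authentication

def derive_sres(secret: bytes, rand: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 truncated to SRES_LEN stands in for the legacy
    # algorithm. It is NOT COMP128 and does not interoperate with a real USIM.
    if len(rand) != RAND_LEN:
        raise ValueError("RAND must be 16 bytes")
    return hmac.new(secret, rand, hashlib.sha256).digest()[:SRES_LEN]

class HomeRegister:
    """HLR/HSS role: stores the secret and issues (RAND, expected SRES) vectors."""
    def __init__(self):
        self._secrets = {}
    def provision(self, imsi: str, secret: bytes) -> None:
        self._secrets[imsi] = secret
    def vector(self, imsi: str):
        rand = secrets.token_bytes(RAND_LEN)  # fresh challenge per attempt
        return rand, derive_sres(self._secrets[imsi], rand)

class Usim:
    """UE side: computes SRES from the locally stored secret."""
    def __init__(self, secret: bytes):
        self._secret = secret
    def respond(self, rand: bytes) -> bytes:
        return derive_sres(self._secret, rand)

class Msc:
    """MSC role: relays RAND and compares responses; it never sees the secret."""
    def __init__(self, home: HomeRegister):
        self._home, self._pending = home, {}
    def challenge(self, imsi: str) -> bytes:
        rand, expected = self._home.vector(imsi)
        self._pending[imsi] = expected
        return rand
    def verify(self, imsi: str, sres: bytes) -> bool:
        expected = self._pending.pop(imsi, None)  # a vector is single use
        return expected is not None and hmac.compare_digest(expected, sres)

def run_fallback_auth(card_secret: bytes, network_secret: bytes):
    imsi = "001010000000001"  # constructed sample identity (test PLMN 001/01)
    home = HomeRegister()
    home.provision(imsi, network_secret)
    msc = Msc(home)
    sres = Usim(card_secret).respond(msc.challenge(imsi))
    accepted = msc.verify(imsi, sres)
    replayed = msc.verify(imsi, sres)  # same SRES again, with no new challenge
    return accepted, replayed
```

The comparison uses `hmac.compare_digest` so that a mismatch does not leak timing information, and the pending vector is discarded on the first attempt so a captured SRES cannot be replayed.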
The role of the CTS-PIN is to bridge the security context between the LTE Evolved Packet System (EPS) and the legacy circuit-switched core network. Since LTE uses different authentication and key agreement procedures (EPS AKA) focused on the packet-switched domain, the CTS-PIN provides a standalone credential specifically for fallback scenarios. It operates independently of the LTE security keys, ensuring that authentication for circuit-switched services can occur even if the primary EPS security context is not directly transferable to the 2G/3G MSC. This separation of security domains is crucial for maintaining robust protection across heterogeneous network technologies.
Key components involved in CTS-PIN operation include the UE's USIM (which stores the PIN and performs cryptographic computations), the HLR/HSS (which stores the PIN and generates authentication vectors), and the MSC (which orchestrates the authentication challenge-response process). The specification ensures that the CTS-PIN is used with algorithms compatible with GSM or UMTS authentication, such as the COMP128 variants. Its implementation is mandatory for UEs and networks supporting CSFB to prevent unauthorized access to circuit-switched resources and to maintain service continuity for voice calls as networks transitioned from 3G to 4G.
Purpose & Motivation
CTS-PIN was created to address the security gap introduced by the Circuit Switched FallBack (CSFB) feature in 3GPP Release 8. As LTE networks were deployed as packet-switched only for data and voice (via IMS/VoLTE), early deployments often lacked full IMS coverage, requiring a fallback to legacy circuit-switched networks for voice calls. However, LTE's native authentication mechanism (EPS AKA) was not directly compatible with the authentication protocols used in 2G/3G circuit-switched cores. Without a dedicated credential like the CTS-PIN, a UE falling back to GSM or UMTS would be unable to authenticate securely, potentially leading to service denial or reliance on weaker, network-specific security workarounds.
The primary problem CTS-PIN solves is enabling secure and standardized user authentication when transitioning between the LTE packet-switched domain and legacy circuit-switched domains. Prior to its introduction, operators might have used less secure methods or allowed unauthenticated access during fallback, compromising network integrity. CTS-PIN provides a consistent, cryptographically robust secret that is provisioned in the USIM and network database, ensuring that only legitimate subscribers can access circuit-switched services during CSFB. This was particularly important during the transitional phase of network evolution, where LTE and 2G/3G infrastructures coexisted for years.
Historically, the motivation stemmed from the need to maintain backward compatibility and service continuity for voice, which remained a critical revenue stream for operators. By defining CTS-PIN in the specifications, 3GPP ensured that security did not degrade when leveraging existing circuit-switched investments, thereby facilitating a smoother migration to LTE. It addressed the limitation of previous approaches where authentication was tied solely to the native domain of each network technology, creating silos that hindered seamless mobility.
Key Features
- Enables secure user authentication during Circuit Switched FallBack (CSFB) to 2G/3G networks
- Stored as a shared secret in the USIM and network HLR/HSS
- Used with legacy GSM/UMTS authentication algorithms (e.g., COMP128)
- Operates independently of LTE EPS security keys and procedures
- Prevents unauthorized access to circuit-switched resources during inter-RAT mobility
- Ensures service continuity for voice calls in early LTE deployments lacking IMS/VoLTE
Evolution Across Releases
Introduced CTS-PIN as part of the initial CSFB feature specification. Defined its storage in the USIM and HSS/HLR, and its use for authentication when a UE falls back from LTE to GSM or UMTS circuit-switched networks for voice services. Established the basic challenge-response mechanism using legacy algorithms.
Defining Specifications
| Specification | Title |
|---|---|
| TS 43.020 | 3GPP TR 43.020 |