Description
The IP Multimedia CN subsystem Private Identity (IMPI) is a critical identifier within the 3GPP IMS architecture, defined as a permanent and globally unique credential assigned to a user. It is stored securely in the Home Subscriber Server (HSS) and within the IP Multimedia Services Identity Module (ISIM) application on the user's Universal Integrated Circuit Card (UICC). The IMPI is used exclusively for authentication and registration procedures, never for routing SIP messages or public communication. It typically follows the format of a Network Access Identifier (NAI), such as user@realm. During IMS registration, the User Equipment (UE) presents the IMPI along with authentication vectors derived from a shared secret key to the Serving-Call Session Control Function (S-CSCF) via the Proxy-CSCF (P-CSCF). The S-CSCF verifies the credentials with the HSS using authentication protocols like Digest AKAv1-MD5 or later, more secure methods. This process establishes a secure registration binding between the IMPI and the user's IP address, enabling subsequent service authorization. The IMPI's separation from public identities ensures that the user's private authentication key is never exposed on the network, providing a foundational layer of security. It is intrinsically linked to a user's subscription and remains constant, unlike temporary identifiers, forming the anchor for the user's IMS service profile and associated public identities (IMPUs).
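The separation described above can be checked on a registration message. This added example (not taken from the 3GPP specifications or from this page's source) parses a constructed SIP REGISTER, reads the private identity from the `username` parameter of the Digest Authorization header, validates its user@realm shape and reports whether it also shows up in routing or public headers. The sample message, the identities and the function names are all assumptions made for illustration.

```python
import re

# Constructed initial REGISTER (not captured traffic); all identities are made up.
SAMPLE_REGISTER = (
    "REGISTER sip:ims.example.net SIP/2.0\r\n"
    "From: <sip:alice@ims.example.net>;tag=4fa3\r\n"
    "To: <sip:alice@ims.example.net>\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    'Authorization: Digest username="alice.private@ims.example.net", '
    'realm="ims.example.net", nonce="", uri="sip:ims.example.net", '
    'response="", algorithm=AKAv1-MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)

NAI = re.compile(r'^[^@\s"<>:]+@[A-Za-z0-9.-]+$')  # simplified user@realm shape
PUBLIC_HEADERS = ("request-line", "from", "to", "contact")  # routing/public fields


def parse_headers(msg):
    """Map lowercased header names to values; the request line is stored too."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {"request-line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_register(msg):
    """Return the IMPI, the Digest algorithm and any identity-handling findings."""
    headers = parse_headers(msg)
    auth = headers.get("authorization", "")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', auth)
    params = {key.lower(): quoted or bare for key, quoted, bare in pairs}
    impi = params.get("username", "")
    findings = []
    if not impi:
        findings.append("no private identity in Authorization")
    elif not NAI.match(impi):
        findings.append("private identity is not in user@realm form")
    for name in PUBLIC_HEADERS:
        if impi and impi.lower() in headers.get(name, "").lower():
            findings.append(f"private identity appears in {name}")
    return {"impi": impi, "algorithm": params.get("algorithm"), "findings": findings}


if __name__ == "__main__":
    print(audit_register(SAMPLE_REGISTER))
```

Where the identities are derived from the IMSI rather than read from an ISIM, the temporary public identity reuses the same user@realm string, so the "appears in" finding is expected in those deployments.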
Purpose & Motivation
The IMPI was created to provide a secure, subscription-based authentication mechanism for the IMS, which was introduced in 3GPP Release 5 to enable IP-based multimedia services over packet-switched networks. Prior to IMS, circuit-switched mobile networks used the International Mobile Subscriber Identity (IMSI) for authentication, but a new identity was needed for the SIP-based, all-IP service layer that is independent of the underlying access network (e.g., GPRS, WLAN, fixed broadband). The IMPI solves the problem of securely identifying and authenticating a user to the IMS core without revealing permanent credentials during service invocation. It enables a single user with multiple devices or service profiles to have a consistent private identity for authentication, while maintaining multiple public identities for communication. Its creation was motivated by the need for a robust security model that separates authentication (private) from addressing (public), a principle borrowed from Internet security architectures, to prevent impersonation and ensure that only authorized subscribers can access and use IMS services like VoLTE, ViLTE, and RCS.
Detected Changes Across Releases
From 3GPP Change Requests
Specific changes extracted from the "Change history" tables of 3GPP specifications (45 CRs across 6 releases). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-6, normative work from Rel-15.
In Release 15, the IMPI function was updated to support Mission Critical Services, including an update to the ISIM for configuration data. Furthermore, the release provided clarifications for the Zh Multimedia-Authentication-Request command. These changes were part of broader enhancements for service identities and authentication within the IP Multimedia subsystem.
In Release 16, the IMPI function was enhanced for Mission Critical Push-To-Talk (MCPTT) services with new capabilities for private calls. These included the support of functional aliases in private and private emergency calls, including the use of multiple functional aliases. Furthermore, call forwarding for MCPTT private calls was introduced, with configurable settings and a specific "not reachable" condition.
- Restricting incoming private communications (TS 23.379 CR0186)
- Support of functional aliases in private calls and private emergency calls (TS 23.379 CR0187)
- Support of multiple functional alias use in private calls (TS 23.379 CR0190)
- Add configuration for call forwarding for MCPTT private calls (TS 23.379 CR0210)
- Add call forwarding for MCPTT private calls (TS 23.379 CR0211)
- Add condition "not reachable" to call forwarding for MCPTT private calls (TS 23.379 CR0228)
In Release 17, the enhancements for IMPI within MCPTT services primarily focused on enabling and securing the use of functional aliases as target addresses for private calls. New capabilities were introduced, including call transfer, announced call redirection, and call forwarding based on manual input, specifically for MCPTT private calls. The release also added clarifications and corrections for procedures like private call setup and media plane security when using these functional aliases.
- Support of functional aliases as called party address in MCPTT emergency private calls (TS 23.379 CR0225)
- Call restrictions when using a specific functional alias for private calls (TS 23.379 CR0226)
- Add call transfer for MCPTT private calls (TS 23.379 CR0229)
- Functional alias of Called party in private call (TS 23.379 CR0232)
- Add announced call redirection for MCPTT private calls (TS 23.379 CR0246)
- Add call forwarding based on manual input for MCPTT private calls (TS 23.379 CR0247)
In Release 18, the enhancements for the IMPI function primarily focused on enabling and managing private Mission Critical Push-To-Talk (MCPTT) calls using functional aliases. New procedures were introduced for initiating and updating private calls towards migrated users and for handling call forwarding and transfer between several MCPTT systems. Additionally, updates were made to the information elements for ending a private call and to the ISIM application file for IMS Data Channel configuration.
- Private call using functional alias towards a partner MC system (TS 23.280 CR0317)
- Migration procedure during and ongoing private communication (TS 23.280 CR0330)
- Private call towards a migrated MC service user (TS 23.280 CR0353)
- Updating private call using FA (TS 23.280 CR0399)
- Private call forwarding between several MCPTT systems (TS 23.379 CR0310)
- Private call transfer between several MCPTT systems (TS 23.379 CR0313)
In Release 19, the IMPI function was enhanced to support the signing and verification of third-party user identity information within the IMS. Additionally, new procedures were introduced to handle location information for emergency private and ad hoc call requests and to resolve routing ambiguities for private calls.
- Signing and verification of third party user identity information in IMS (TS 33.203 CR0285)
- Floor remote request in emergency communication for private call (TS 23.379 CR0451)
- Location information for emergency private and ad hoc call requests (TS 23.379 CR0463)
- Ambiguity on routing private calls (TS 23.379 CR0427)
In Release 20, the new development for the IMPI function was its inclusion in a generic procedure for migration during an ongoing private communication, specifically to accommodate the addition of MCData. This update integrated the IP Multimedia CN subsystem Private Identity into the established migration process for that service.
- Adding MCData to generic procedure for migration during an ongoing private communication (TS 23.280 CR0657)
Defining Specifications
3GPP specifications that define or reference IMPI, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TR 21.905 vj00 | 3GPP Technical Terms and Definitions | Rel-19 |
| TS 22.066 vj00 | Mobile Number Portability Stage 1 | Rel-19 |
| TS 23.179 vd50 | MCPTT Functional Architecture | Rel-13 |
| TS 23.280 vk10 | Common Architecture for Mission Critical Services | Rel-20 |
| TS 23.379 vk00 | MCPTT Functional Architecture | Rel-20 |
| TS 23.700 vk00 | XR Services Application Enablement Layer | Rel-20 |
| TS 24.109 vj00 | HTTP Digest AKA & GAA Stage 3 | Rel-19 |
| TS 26.237 vj00 | IMS for PSS and MBMS Control | Rel-19 |
| TS 29.109 vj00 | GAA Bootstrapping Interfaces (Zh, Dz, Zn, Zpn) | Rel-19 |
| TS 31.103 vj00 | ISIM Application Specification | Rel-19 |
| TS 31.829 vd00 | ISIM Conformance Requirements Technical Report | Rel-13 |
| TS 32.182 vj00 | UDC Common Baseline Information Model (CBIM) | Rel-19 |
| TS 33.107 vj00 | Lawful Interception Architecture & Functions | Rel-19 |
| TS 33.141 vj00 | Security for Presence Service (Ut reference point) | Rel-19 |
| TS 33.203 vj10 | IMS Security Specification | Rel-19 |
| TS 33.222 vj00 | Secure HTTP Access in GAA | Rel-19 |
| TS 33.804 vc00 | Non-UICC SSO using SIP Digest credentials | Rel-12 |
| TR 33.978 v1800 | Interim Security for Early IMS | Rel-8 |