ISIM

IMS Subscriber Identity Module

Security
Introduced in Rel-5
The ISIM is a dedicated application on a UICC (smart card) that securely stores the subscriber's identity and authentication credentials for the IP Multimedia Subsystem (IMS). It enables secure access to IMS services like VoLTE and video calling by providing a unique private identity (IMPI) and facilitating authentication with the network.

Description

The IMS Subscriber Identity Module (ISIM) is a specialized software application residing on a Universal Integrated Circuit Card (UICC), commonly known as a SIM card. It is distinct from the classic SIM application used for cellular network access (CS domain) and the USIM application for 3G/4G packet access (PS domain). The ISIM application is dedicated exclusively to the IP Multimedia Subsystem (IMS), which provides multimedia services like Voice over LTE (VoLTE), video calls, and instant messaging over the mobile packet core.

Architecturally, the ISIM contains a set of securely stored files and parameters essential for IMS registration and service invocation. The most critical data is the IMS Private User Identity (IMPI), a unique global identifier for the subscriber in the IMS realm (often formatted like a NAI, i.e., in the form username@realm). It also stores the corresponding IMS Public User Identity (IMPU), which is the address used for communication (e.g., a SIP URI). Furthermore, the ISIM holds long-term authentication credentials: a shared secret key and the associated authentication algorithm parameters. These credentials are used in the IMS Authentication and Key Agreement (IMS AKA) procedure.

When a user wishes to access IMS services, the mobile device's IMS client reads the necessary identities from the ISIM. During registration, the device and the network perform the IMS AKA protocol. The device uses the secret key from the ISIM to compute a response to a challenge from the network. This process authenticates the subscriber to the IMS network and establishes secure session keys for protecting SIP signaling. The ISIM thus acts as the root-of-trust for IMS access, analogous to how USIM authenticates the user to the packet core network.
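
The challenge-response exchange described above, as an added example that is not part of the original page: a Python model of both sides of an AKA run, showing that the card checks the network's challenge (MAC and sequence number) before it releases a response and session keys. Assumptions: HMAC-SHA256 stands in for the card's real algorithm set (it is not MILENAGE or TUAK), the freshness check is simplified to "strictly newer", the names prf, network_challenge and IsimCard are hypothetical, and the key is a constructed sample.

```python
import hashlib
import hmac
import os

def prf(k, label, *parts, n):
    # Stand-in for the operator's f1..f5 set: HMAC-SHA256, NOT MILENAGE/TUAK.
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def network_challenge(k, sqn, rand=None, amf=b"\x00\x00"):
    """Home network side: build RAND, AUTN and the expected results."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = prf(k, b"f1", sqn_b, rand, amf, n=8)
    ak = prf(k, b"f5", rand, n=6)  # anonymity key, conceals SQN on the wire
    return {"rand": rand, "autn": xor(sqn_b, ak) + amf + mac,
            "xres": prf(k, b"f2", rand, n=8),
            "ck": prf(k, b"f3", rand, n=16), "ik": prf(k, b"f4", rand, n=16)}

class IsimCard:
    """Card side: K never leaves this object, only RES/CK/IK are returned."""
    def __init__(self, k, sqn_seen=0):
        self._k, self._sqn_seen = k, sqn_seen

    def authenticate(self, rand, autn):
        ak = prf(self._k, b"f5", rand, n=6)
        sqn_b, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
        # 1. Network authentication: AUTN must carry a MAC made with our K.
        if not hmac.compare_digest(mac, prf(self._k, b"f1", sqn_b, rand, amf, n=8)):
            return {"status": "mac_failure"}
        # 2. Freshness: refuse replayed challenges (simplified to "strictly newer").
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self._sqn_seen:
            return {"status": "sync_failure"}
        self._sqn_seen = sqn
        # 3. Subscriber authentication and session keys for SIP protection.
        return {"status": "ok", "res": prf(self._k, b"f2", rand, n=8),
                "ck": prf(self._k, b"f3", rand, n=16),
                "ik": prf(self._k, b"f4", rand, n=16)}

if __name__ == "__main__":
    k = bytes(range(16))  # constructed sample key
    card, av = IsimCard(k), network_challenge(k, sqn=1)
    first = card.authenticate(av["rand"], av["autn"])
    print(first["status"], first["res"] == av["xres"])
    print(card.authenticate(av["rand"], av["autn"])["status"])  # replay
```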

The ISIM application interoperates with other applications on the same UICC. A device may use the USIM for accessing the LTE/5G network (for bearer connectivity) and the ISIM simultaneously for accessing IMS services over that bearer. This separation allows for independent management of credentials and services. The ISIM's role is foundational for IMS security and service portability, as the subscriber's IMS identity and credentials are physically stored on a portable, tamper-resistant card.

Purpose & Motivation

The ISIM was created to provide a secure, portable, and standardized identity module specifically for the IMS, which is a service architecture separate from the traditional cellular access networks. Before ISIM, early IMS implementations often used soft credentials (username/password stored in the device) or attempted to derive IMS identities from cellular identities (like IMSI). These approaches had security weaknesses (soft credentials are vulnerable) or limitations in flexibility (tight coupling to cellular subscription).

A dedicated module was necessary because IMS authentication (IMS AKA) is different from the cellular network authentication (used by SIM/USIM). IMS uses SIP-based protocols and requires identities formatted as URIs or NAIs, not MSISDN or IMSI. The ISIM provides a secure hardware container for these new identity formats and the associated cryptographic keys, ensuring a high level of security equivalent to that of cellular access. It also enables service portability; a user can move their UICC to a new device and immediately have their IMS identity and services available.

Its introduction in Release 5 coincided with the initial standardization of IMS. It solved the problem of how to securely and manageably provision IMS subscriptions to end-users. By leveraging the existing UICC platform, it allowed operators to offer IMS services using a familiar, secure distribution mechanism (the SIM card). The ISIM established a clear separation of credentials, allowing a user to have independent subscriptions for cellular access and IMS services, even if provided by the same operator.

Key Features

  • Stores the IMS Private User Identity (IMPI) and Public User Identity (IMPU)
  • Contains long-term secret key for IMS Authentication and Key Agreement (IMS AKA)
  • Implemented as a dedicated application on a UICC (smart card)
  • Provides hardware-based security for IMS credentials, resistant to tampering
  • Enables secure IMS registration and service access (e.g., VoLTE)
  • Operates independently from USIM/SIM applications on the same UICC

Evolution Across Releases

Rel-5 Initial

The ISIM application was initially standardized as part of the first mature IMS specifications. It defined the file structure on the UICC to store IMS identities (IMPI, IMPU) and authentication credentials, establishing the secure foundation for subscriber access to IMS services like voice and video over IP.

Defining Specifications

Specification  Title
TS 21.905      3GPP TS 21.905
TS 22.944      3GPP TS 22.944
TS 22.980      3GPP TS 22.980
TS 23.228      3GPP TS 23.228
TS 23.700      3GPP TS 23.700
TS 24.167      3GPP TS 24.167
TS 24.186      3GPP TS 24.186
TS 24.229      3GPP TS 24.229
TS 31.103      3GPP TR 31.103
TS 31.829      3GPP TR 31.829
TS 31.901      3GPP TR 31.901
TS 32.181      3GPP TR 32.181
TS 32.182      3GPP TR 32.182
TS 32.808      3GPP TR 32.808
TS 33.141      3GPP TR 33.141
TS 33.203      3GPP TR 33.203
TS 33.812      3GPP TR 33.812
TS 33.978      3GPP TR 33.978