PMD

Pseudonym Mediation Device functionality

Security
Introduced in R99
The Pseudonym Mediation Device (PMD) functionality is a network-based privacy feature defined for 3GPP networks. It acts as an intermediary that translates temporary identifiers (pseudonyms) used over the radio interface into permanent subscriber identifiers (like IMSI) within the core network, helping to protect user identity from eavesdroppers. It is a key component for subscriber identity confidentiality.

Description

The Pseudonym Mediation Device (PMD) functionality is a security and privacy mechanism specified within 3GPP standards, particularly in TS 23.271 (Location Services) and TS 33.117 (Lawful Interception architecture). It is not necessarily a standalone physical node but a logical function that can be integrated within core network elements like the Home Location Register (HLR), Home Subscriber Server (HSS), or a dedicated node. Its primary role is to maintain the separation between a user's permanent long-term identity and the temporary, frequently changing identities used over the air interface to prevent tracking.

In operation, when a subscriber attaches to the network, the core network assigns a temporary identifier, such as a Temporary Mobile Subscriber Identity (TMSI) in GSM/UMTS or a Globally Unique Temporary Identity (GUTI) in LTE/5G. This pseudonym is used in most signaling messages over the radio access network to avoid transmitting the permanent International Mobile Subscriber Identity (IMSI). However, within the secure core network domain, various functions (e.g., charging, lawful interception, location services) require mapping back to the permanent subscriber identity.

The PMD functionality performs this mediation. It maintains the binding between the currently allocated pseudonym (TMSI/GUTI) and the corresponding IMSI. When a network function receives a request or a record containing only a pseudonym, it can query the PMD to resolve it to the IMSI. Crucially, this resolution happens only within the protected core network, ensuring the IMSI is never exposed on the radio link. The PMD must be a highly secure and trusted entity with strict access controls, as it holds the key mapping for user privacy.

Its architecture involves interfaces with other core network entities. For lawful interception, the PMD (or a Mediation Function that includes PMD capabilities) provides the identity mapping to the Lawful Interception system, allowing authorized agencies to correlate intercepted communications with a specific subscriber's permanent identity, as required by legal frameworks. In location services, it enables location requests based on a pseudonym to be correctly routed to the serving node holding that subscriber's context.

Purpose & Motivation

The PMD functionality was created to resolve a fundamental tension in cellular network design: the need for network operations and lawful interception to identify subscribers uniquely, versus the privacy requirement to protect subscribers from being tracked or identified by eavesdroppers on the radio interface. Without such a mechanism, the permanent IMSI would need to be transmitted frequently, making subscribers vulnerable to location tracking and identity theft via IMSI catchers.

The problem it addresses is maintaining subscriber identity confidentiality while preserving necessary network functionality. Early cellular systems had limited use of temporary identifiers, and the mapping was often handled in a distributed, non-standardized way. The standardization of the PMD functionality, particularly in the context of lawful interception (LI), provided a clear, secure, and standardized method for authorized entities to resolve pseudonyms. This was crucial for complying with legal requirements for LI across different countries and network architectures.

Historically, its development was driven by the evolution of privacy features (like TMSI) in 2G/3G and the subsequent need for a standardized mediation point for lawful interception mandates introduced in the late 1990s and early 2000s. It ensures that even as networks use stronger over-the-air privacy techniques, the ability for lawful, authorized identity resolution for legal, operational, and emergency service purposes remains intact and is performed in a controlled, auditable manner within the secure network core.

Key Features

  • Mediates between temporary radio identifiers (TMSI, GUTI) and permanent subscriber identities (IMSI)
  • Operates within the secure core network domain to protect the IMSI from radio interface exposure
  • Essential for Lawful Interception (LI) to provide identity resolution to interception systems
  • Supports location-based services by enabling requests with pseudonyms to be mapped to subscribers
  • Can be implemented as a standalone node or integrated into HLR/HSS/mediation functions
  • Enforces strict access control and security policies due to its sensitive role

Evolution Across Releases

R99 Initial

Introduced the Pseudonym Mediation Device (PMD) functionality within the 3GPP lawful interception architecture (TS 33.107/108). Defined its role as a mediation function that provides pseudonym to permanent identity (IMSI) resolution for intercepted communication content and intercept related information (IRI). Established it as a key component for enabling lawful interception in networks employing subscriber identity confidentiality (TMSI).

TS 21.905TS 23.271TS 23.273TS 25.411TS 29.173TS 32.271TS 32.272TS 32.278

Defining Specifications

SpecificationTitle
TS 21.905 3GPP TS 21.905
TS 23.271 3GPP TS 23.271
TS 23.273 3GPP TS 23.273
TS 25.411 3GPP TS 25.411
TS 29.173 3GPP TS 29.173
TS 32.271 3GPP TR 32.271
TS 32.272 3GPP TR 32.272
TS 32.278 3GPP TR 32.278