Description
The Temporary IP Multimedia Private Identity (TMPI) is a security mechanism defined within the 3GPP IP Multimedia Subsystem (IMS) architecture. Its primary function is to safeguard the user's permanent IP Multimedia Private Identity (IMPI) from being transmitted in clear text or in a manner that could be intercepted over vulnerable network links, particularly the radio interface. The TMPI is generated and assigned by the network, specifically by the Serving-Call Session Control Function (S-CSCF) or a proxy node, during the IMS registration process. It acts as an alias for the IMPI in subsequent signaling messages that traverse untrusted paths, thereby preventing long-term tracking and identity theft of the subscriber.
The operational flow involves the initial IMS registration where the user equipment (UE) authenticates using its permanent IMPI. Upon successful authentication, the network allocates a TMPI and securely delivers it to the UE, typically within a protected response. For subsequent IMS transactions, such as re-registration or initiating a session, the UE uses this TMPI instead of the IMPI in the P-Preferred-Identity header or other relevant SIP fields when communicating with the Proxy-CSCF (P-CSCF). The network nodes, possessing the mapping between the TMPI and the real IMPI, can internally resolve the identity for service logic and charging. This mechanism is crucial in scenarios where the Gm reference point between the UE and the P-CSCF is not protected by network-level security like IPsec, or in early IMS deployments.
The TMPI is not a standalone credential but works in conjunction with other IMS identities and security associations. It is distinct from the Temporary Mobile Subscriber Identity (TMSI) used in the circuit-switched and packet-switched core network, as it operates at the application layer for SIP-based services. The management of TMPI includes its lifetime, which is tied to the registration session; it becomes invalid upon registration expiry or deregistration. The use of TMPI is a key privacy feature mandated by 3GPP, ensuring that the subscriber's permanent private identity is not unnecessarily exposed, aligning with regulatory requirements for user data protection.
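The registration flow and lifetime rules above, as an added illustration that is not part of the original entry or of any 3GPP implementation: a network-side registry that allocates a random TMPI alias after IMPI authentication, resolves it for later signaling, invalidates it on re-registration, expiry or deregistration, and flags a permanent IMPI seen in clear on the unprotected path. `TmpiRegistry`, `identity_in_header`, the injectable `clock` and the sample REGISTER message are assumptions of this sketch, not 3GPP-defined APIs.

```python
import secrets
import time

# Constructed sketch of the TMPI flow above; names are hypothetical, not 3GPP APIs.
class TmpiRegistry:
    """Network-side TMPI -> IMPI mapping scoped to one registration: a
    re-registration replaces the alias; expiry or deregistration invalidates it."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_tmpi = {}   # tmpi -> (impi, expiry timestamp)
        self._by_impi = {}   # impi -> current tmpi

    def register(self, impi, lifetime_s):
        """Allocate a fresh TMPI once the UE has authenticated with its IMPI. The
        alias is random, so it reveals nothing about the IMPI or earlier aliases."""
        self.deregister(impi)                              # drop any earlier alias
        realm = impi.partition("@")[2] or "realm.invalid"  # keep the NAI shape
        tmpi = f"{secrets.token_hex(16)}@{realm}"
        self._by_tmpi[tmpi] = (impi, self._clock() + lifetime_s)
        self._by_impi[impi] = tmpi
        return tmpi

    def resolve(self, tmpi):
        """Resolve an alias seen in later signaling; None if unknown or expired."""
        impi, expiry = self._by_tmpi.get(tmpi, (None, None))
        if expiry is not None and self._clock() >= expiry:  # lifetime elapsed
            self.deregister(impi)
            impi = None
        return impi

    def deregister(self, impi):
        tmpi = self._by_impi.pop(impi, None)
        if tmpi is not None:
            del self._by_tmpi[tmpi]

    def is_clear_impi(self, identity):
        """True if a value seen on the unprotected path is a live permanent IMPI."""
        return identity in self._by_impi


def identity_in_header(sip_message, header="P-Preferred-Identity"):
    """Named header's value from a SIP message, or None (no line-folding support)."""
    for line in sip_message.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == header.lower():
            return value.strip()
    return None

# Constructed sample re-REGISTER on the Gm path (not captured traffic).
SAMPLE_REGISTER = ("REGISTER sip:ims.example.net SIP/2.0\r\n"
                   "P-Preferred-Identity: {identity}\r\nContent-Length: 0\r\n\r\n")
```

Feeding `identity_in_header(SAMPLE_REGISTER.format(identity=...))` into `is_clear_impi` is the monitoring check a P-CSCF operator would want: any hit means a subscriber's permanent identity crossed the unprotected link.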
Purpose & Motivation
The TMPI was introduced to address significant privacy and security vulnerabilities in early IMS deployments. The permanent IP Multimedia Private Identity (IMPI), often structured like a Network Access Identifier (NAI) (e.g., user@realm), is a critical long-term credential. Transmitting this identifier in clear text over the air interface, especially before secure associations are established, posed a major risk. Eavesdroppers could capture the IMPI, leading to subscriber tracking, profiling, and potential identity-based attacks. The motivation stemmed from the need to bring IMS security and privacy provisions on par with those in the 3GPP circuit-switched domain, which already used temporary identifiers like TMSI.
Before TMPI, the IMPI could be exposed in initial SIP REGISTER requests or other messages, creating a privacy gap. While security mechanisms like IMS Authentication and Key Agreement (AKA) and IPsec could protect later communications, the initial identity exposure was a weakness. TMPI solves this by decoupling the durable private identity from the identifier used in routine signaling. Its creation was driven by 3GPP's broader security work item on 'IMS Privacy,' ensuring that IMS services do not compromise user anonymity. It addresses the limitation of relying solely on access network security, providing an application-layer privacy safeguard that is independent of the underlying transport.
Key Features
- Protects the permanent IMPI from over-the-air exposure
- Generated and assigned by the network upon successful IMS registration
- Used in SIP signaling (e.g., P-Preferred-Identity header) for subsequent transactions
- Has a lifetime tied to the IMS registration session
- Enhances subscriber privacy and mitigates tracking risks
- Operates at the application layer within the IMS security architecture
Evolution Across Releases
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.109 | 3GPP TS 24.109 |
| TS 33.220 | 3GPP TS 33.220 |