Upload
netmaster32
View
213
Download
0
Embed Size (px)
Citation preview
8/6/2019 31253587 UMTS Security
1/35
1
UMTSSecurityUMTSSecurityUMTSSecurityUMTSSecurity
DateDateDateDate:::: 20.11.2009
Revision:Revision:Revision:Revision: 008/UMS/009
Author:Author:Author:Author: JakubBluszcz
Leliwa Technical Bulletin
Copyright2010L
eliwa.
AllR
ightsR
eserved.
8/6/2019 31253587 UMTS Security
2/35
LeliwaTechnicalBulletinUMTSSecurity
2
TableofcontentsTableofcontentsTableofcontentsTableofcontents
TopicTopicTopicTopic PagePagePagePage
Introduction.....................................................................................................3Useridentityconfidentiality .............................................................................3Entityauthentication .......................................................................................7Confidentiality ...............................................................................................15
Dataintegrity ................................................................................................20UMTSGSMinteroperation..........................................................................22 AcronymsandAbbreviations ........................................................................32References ...................................................................................................34Disclaimer.....................................................................................................35
8/6/2019 31253587 UMTS Security
3/35
UMTSSecurityLeliwaTechnicalBulletin
3
IntroductionIntroductionIntroductionIntroduction
Thisdocumentdescribesthesetofsecurityfeaturesthatprovideuserswithsecureaccessto3Gservices,andwhichinparticularprotectagainstattacks
onthe(radio)accesslink.
UMTSoffersthefollowingsecurityfeatures(seeFig.1):
UMTS security features
user identity confidentiality,
authentication of the user toward the network,
authentication of the network toward the user,
confidentiality (ciphering),
data integrity.
Figure1UMTSsecurityfeatures
AsinGSM/GPRS,user(temporary)identification,authenticationandkey
agreementtakesplaceindependentlyineachservicedomain.Userplane
trafficiscipheredusingthecipherkeyagreedforthecorrespondingservice
domainwhilecontrolplanedataiscipheredandintegrityprotectedusingthe
cipherandintegritykeysfromeitheroneoftheservicedomains.
UseridentityconfidentialityUseridentityconfidentialityUseridentityconfidentialityUseridentityconfidentiality
Thepermanentuseridentity(IMSI)ofausertowhomaservicesisdelivered
cannotbeeavesdroppedontheradioaccesslink.Toachievethis,theuseris
normallyidentifiedbyatemporaryidentitybywhichheisknownbythevisited
servingnetwork.
Thismechanismallowstheidentificationofauserontheradioaccesslinkby
meansofaTemporary/Packet-TemporaryMobileSubscriberIdentity
(TMSI/P-TMSI).ATMSI/P-TMSIhaslocalsignificanceonlyintheLocation
Area(LA)orRoutingArea(RA)inwhichtheuserisregistered.Outsidethat
areaitisaccompaniedbyanappropriateLocationAreaIdentification(LAI)or
RoutingAreaIdentification(RAI)inordertoavoidambiguities.The
associationbetweenthepermanentandtemporaryuseridentitiesiskeptby
theVLR/SGSNinwhichtheuserisregistered.
8/6/2019 31253587 UMTS Security
4/35
LeliwaTechnicalBulletinUMTSSecurity
4
MSC/VLR
SGSN
C
oreNetwork
TMSI
P-TMSI
IMSI
IMSI
RAN
TMSIIMSI
P-TMSIIMSI
Figure2Useridentityconfidentiality
TheTMSI/P-TMSI,whenavailable,isnormallyusedtoidentifytheuseron
theradioaccesspath,forinstanceinpagingrequests,locationupdaterequests,attachrequests,servicerequests,connectionre-establishment
requestsanddetachrequests.
Toavoidusertraceability,whichmayleadtothecompromiseofuseridentity
confidentiality,theuserisnotidentifiedforalongperiodbymeansofthe
sametemporaryidentity.Inadditionanysignallingoruserdatathatmight
revealtheuser'sidentityiscipheredontheradioaccesslink.
IfaTMSIprovidedbyanMSisunknowninthenetworke.g.duetoadata
basefailure,thenetworkrequirestheMStoprovideitsIMSI.Inthiscasethe
identificationprocedureisusedbeforetheTMSIreallocationprocedureis
initiated.
ThereallocationofaTMSIcanbeperformedeitherbyauniqueprocedure
describedinthenextsectionorimplicitlybyalocationupdatingprocedure.
TMSIreallocationprocedureTMSIreallocationprocedureTMSIreallocationprocedureTMSIreallocationprocedure
ThepurposeoftheTMSIreallocationprocedureistoallocateanew
TMSI/LAIpairtoauserbywhichhemaysubsequentlybeidentifiedonthe
radioaccesslink.Theprocedureisperformedaftertheinitiationofciphering.
TheallocationofatemporaryidentityisillustratedinFig.3.
TMSIn, LAIn /P-TMSIn, RAIn
(P-)TMSI Allocation Command
(P-) TMSI Allocation Complete
SGSNVLR
Figure3TMSIallocation
8/6/2019 31253587 UMTS Security
5/35
UMTSSecurityLeliwaTechnicalBulletin
5
TheVLRgeneratesanewtemporaryidentity(TMSIn)andstoresthe
associationofTMSInandthepermanentidentityIMSIinitsdatabase.The
VLRthensendstheTMSInandoptionallythenewlocationareaidentityLAIn
totheuser.UponreceipttheuserstoresTMSInandautomaticallyremoves
theassociationwithanypreviouslyallocatedTMSI.
TheusersendsanacknowledgementbacktotheVLR.Uponreceiptofthe
acknowledgementtheVLRremovestheassociationwiththeoldtemporary
identityTMSIoandtheIMSI(iftherewasany)fromitsdatabase.
DistributionofIMSIandauthenticationdataDistributionofIMSIandauthenticationdataDistributionofIMSIandauthenticationdataDistributionofIMSIandauthenticationdata
IncaseauseridentifiesitselfusingaTMSIo/LAIopairthatwasnotassigned
bythevisitedVLRnandthevisitedVLRnandthepreviouslyvisitedVLRo
exchangeauthenticationdata,thevisitedVLRnrequestthepreviouslyvisited
VLRotosendthepermanentuseridentityandoptionallytemporary
authenticationdata.
IfthepreviouslyvisitedVLRocannotbecontactedorcannotretrievetheuser
identity,thevisitedVLRnrequeststheusertoidentifyitselfbymeansofits
permanentuseridentity.
TMSIo, LAIo /P-TMSIo, RAIo
User identity request
SGSNo
VLRo
SGSNnVLRn
Loc. Upd (TMSI) /
RA Upd (P-TMSI)
User identity response
IMSI,quintets / triplets,security context
Figure4DistributionofIMSIbetweenVLRs/SGSNs
TheprocedureisinvokedbythenewlyvisitedVLRn/SGSNnafterthe
receiptofaLocationupdaterequest/Routingareaupdaterequestfromthe
userwhereintheuserisidentifiedbymeansofatemporaryuseridentity
TMSIo/P-TMSIoandthelocationareaidentityLAIo/routingareaidentity
RAIounderthejurisdictionofapreviouslyvisitedVLRo/SGSNothatbelongs
tothesameservingnetworkdomainasthenewlyvisitedVLRn/SGSNn.
TheVLRn/SGSNnsendsaUseridentityrequesttotheVLRo/SGSNo,this
messagecontainsTMSIoandLAIo/P-TMSIoandRAIo.
8/6/2019 31253587 UMTS Security
6/35
LeliwaTechnicalBulletinUMTSSecurity
6
TheVLRo/SGSNosearchestheuserdatainthedatabase.Iftheuseris
found,theVLRo/SGSNosendsauseridentityresponsebackthat:
includestheIMSI
mayincludeanumberofunusedauthenticationvectors(quintetsortriplets),
mayincludethecurrentsecuritycontextdata:CK,IKandKSI(UMTS)
orKcandCKSN(GSM).
IftheusercannotbeidentifiedtheVLRo/SGSNosendsaUseridentity
responseindicatingthattheuseridentitycannotberetrieved.
IftheVLRn/SGSNnreceivesaUseridentityresponsewithanIMSI,it
createsanentryandstoresanyauthenticationvectorsandanydataonthe
currentsecuritycontext.
IftheVLRn/SGSNnreceivesaUseridentityresponseindicatingthattheusercouldnotbeidentified,itinitiatestheuseridentificationproceduredescribed
inthenextsection.
IdentificationbyapermanentidentityIdentificationbyapermanentidentityIdentificationbyapermanentidentityIdentificationbyapermanentidentity
Themechanismisinvokedwhenevertheusercannotbeidentifiedbymeans
ofatemporaryidentity.Inparticular,itisusedwhentheuserregistersforthe
firsttimeinaservingnetwork,orwhentheservingnetworkcannotretrieve
theIMSIfromtheTMSI/P-TMSIbywhichtheuseridentifiesitselfonthe
radiopath.
IMSI
User identity request
User identity response
SGSNVLR
Figure5Identificationbythepermanentidentity
ThemechanismisinitiatedbythevisitedVLR/SGSNthatrequeststhe
usertosenditspermanentidentity.
Theuser'sresponsecontainstheIMSIincleartext.Thisrepresentsa
breachintheprovisionofuseridentityconfidentiality.
8/6/2019 31253587 UMTS Security
7/35
UMTSSecurityLeliwaTechnicalBulletin
7
EntityauthenticationEntityauthenticationEntityauthenticationEntityauthentication
Twosecurityfeaturesrelatedtoentityauthenticationareprovided:
userauthentication:userauthentication:userauthentication:userauthentication:thepropertythattheservingnetwork
corroboratestheuseridentityoftheuser,
networkauthentication:networkauthentication:networkauthentication:networkauthentication:thepropertythattheusercorroboratesthathe
isconnectedtoaservingnetworkthatisauthorisedbytheuser'sHE
toprovidehimservices;thisincludestheguaranteethatthis
authorisationisrecent.
Theentityauthenticationoccursateachconnectionset-upbetweentheuser
andthenetwork.Twomechanismshavebeenincluded:anauthentication
mechanismusinganauthenticationvectordeliveredbytheuser'sHEtothe
servingnetwork,andalocalauthenticationmechanismusingtheintegritykey
establishedbetweentheuserandservingnetworkduringtheprevious
executionoftheauthenticationandkeyestablishmentprocedure.
Serving
Network
user authentication
network authentication
Figure6Entityauthentication
AuthenticationandkeyagreementAuthenticationandkeyagreementAuthenticationandkeyagreementAuthenticationandkeyagreement
Themechanismdescribedhereachievesmutualauthenticationbytheuser
andthenetworkshowingknowledgeofasecretkeyKwhichisshared
betweenandavailableonlytotheUSIMandtheAuCintheuser'sHE.In
additiontheUSIMandtheHEkeeptrackofcountersSQNMSandSQNHE
respectivelytosupportnetworkauthentication.ThesequencenumberSQNHEisanindividualcounterforeachuserandthesequencenumberSQNMS
denotesthehighestsequencenumbertheUSIMhasaccepted.
Themethodwaschoseninsuchawayastoachievemaximumcompatibility
withtheGSMsecurityarchitectureandfacilitatemigrationfromGSMto
UMTS.Themethodiscomposedofachallenge/responseprotocolidentical
totheGSMsubscriberauthenticationandkeyestablishmentprotocol
8/6/2019 31253587 UMTS Security
8/35
LeliwaTechnicalBulletinUMTSSecurity
8
combinedwithasequencenumber-basedone-passprotocolfornetwork
authentication.
AnoverviewofthemechanismisshowninFig.7.
Authentication data request (IMSI)
SGSNVLR HLR
Authentication data response (AV(1..n))
Generate authenticationvectors AV(1..n)
Store authentication vectors
Select authentication vector AV(i)
User authentication request (RAND(i), AUTN(i))
Verify AUTN(i),compute RES(i)
User authentication response (RES(i))
Compare RES(i) and XRES(i)
Select CK(i) and IK(i)Compute CK(i) and IK(i)
Distributionof
authenticationvectors
fromH
EtoSN
Authenticationand
keyestablishment
Figure7Authenticationandkeyagreement
TheAuthenticationdatarequestincludestheIMSIandtherequestingnode
type(PSorCS).UponreceiptofarequestfromtheVLR/SGSN,theHE/AuC
sendsanorderedarrayofnauthenticationvectorsAV(1..n),(theequivalent
ofaGSMtriplet)totheVLR/SGSN.Theauthenticationvectorsareorderedbasedonsequencenumber.Eachauthenticationvectorconsistsofthe
followingcomponents:arandomnumberRAND,anexpectedresponse
XRES,acipherkeyCK,anintegritykeyIKandanauthenticationtoken
AUTN.Eachauthenticationvectorisgoodforoneauthenticationandkey
agreementbetweentheVLR/SGSNandtheUSIM.
WhentheVLR/SGSNinitiatesanauthenticationandkeyagreement,it
selectsthenextauthenticationvectorfromtheorderedarrayandsendsthe
parametersRANDandAUTNtotheuser.Authenticationvectorsina
particularnodeareusedonanFIFObasis.TheUSIMcheckswhetherAUTN
canbeacceptedand,ifso,producesaresponseRESwhichissentbackto
theVLR/SGSN.TheUSIMalsocomputesCKandIK.TheVLR/SGSN
comparesthereceivedRESwithXRES.IftheymatchtheVLR/SGSN
considerstheauthenticationandkeyagreementexchangetobesuccessfully
completed.TheestablishedkeysCKandIKwillthenbetransferredbythe
USIMandtheVLR/SGSNtotheentitieswhichperformcipheringandintegrity
functions.
VLR/SGSNscanoffersecureserviceevenwhenHE/AuClinksare
unavailablebyallowingthemtousepreviouslyderivedcipherandintegrity
keysforausersothatasecureconnectioncanstillbesetupwithoutthe
needforanauthenticationandkeyagreement.Authenticationisinthatcase
8/6/2019 31253587 UMTS Security
9/35
UMTSSecurityLeliwaTechnicalBulletin
9
basedonasharedintegritykey,bymeansofdataintegrityprotectionof
signallingmessages.
GenerationofauthenticationvectorsGenerationofauthenticationvectorsGenerationofauthenticationvectorsGenerationofauthenticationvectors
Fig.8showsthegenerationofanauthenticationvectorAVbytheHE/AuC.
Generate SQN
Generate RAND
f1 f2 f3 f4 f5
MAC XRES CK IK AK
SQN RANDAMFK
AUTN := SQN AK || AMF || MAC
AV := RAND || XRES || CK || IK || AUTN
Figure8Generationofauthenticationvectors
TheHE/AuCstartswithgeneratingafreshsequencenumberSQNandan
unpredictablechallengeRAND.ForeachusertheHE/AuCkeepstrackofa
counterSQNHE.
Subsequentlythefollowingvaluesarecomputed:
aMessageAuthenticationCodeMACMessageAuthenticationCodeMACMessageAuthenticationCodeMACMessageAuthenticationCodeMAC=f1K(SQN||RAND||AMF)
wheref1isamessageauthenticationfunction;
aneXpectedRESponseXREeXpectedRESponseXREeXpectedRESponseXREeXpectedRESponseXRESSSS=f2K(RAND)wheref2isamessage
authenticationfunction;
aCipherKeyCKCipherKeyCKCipherKeyCKCipherKeyCK=f3K(RAND)wheref3isakeygeneratingfunction;
anIntegrityKeyIKIntegrityKeyIKIntegrityKeyIKIntegrityKeyIK=f4K(RAND)wheref4isakeygenerating
function; anAnonymityKeyAKAnonymityKeyAKAnonymityKeyAKAnonymityKeyAK=f5K(RAND)wheref5isakeygenerating
functionorf50.
FinallytheauthenticationtokenAUTN=SQNAK||AMF||MACis
constructed.
AKisananonymitykeyusedtoconcealthesequencenumberasthelatter
mayexposetheidentityandlocationoftheuser.Theconcealmentofthe
sequencenumberistoprotectagainstpassiveattacksonly.
8/6/2019 31253587 UMTS Security
10/35
LeliwaTechnicalBulletinUMTSSecurity
10
AnauthenticationandkeymanagementfieldAMFisincludedinthe
authenticationtokenofeachauthenticationvector.ExampleusesofAMF
includes:
supportmultipleauthenticationalgorithmsandkeys(Thismechanismisusefulfordisasterrecoverypurposes.AMFmaybeusedtoindicate
thealgorithmandkeyusedtogenerateaparticularauthentication
vector.)
changingsequencenumberverificationparameters(Thismechanism
isusedtochangedynamicallythelimitonthedifferencebetweenthe
highestSEQacceptedsofarandareceivedsequencenumberSEQ.)
settingthresholdvaluestorestrictthelifetimeofcipherandintegrity
keys(TheUSIMcontainsamechanismtolimittheamountofdata
thatisprotectedbyanaccesslinkkeyset.TheAMFfieldmaybe
usedbytheoperatortosetoradjustthislimitintheUSIM).
Fig.9showsthesummaryofallauthenticationparameters.
var. 4-16 octetsauthentication RESponseRES
128 bitsIntegrity KeyIK
128 bitsCipher KeyCK
64 bitsMessage Authentication CodeMAC-S
64 bitsMessage Authentication CodeMAC
16 bitsAuthentication Management FieldAMF
48 bitsAnonymity KeyAK
48 bitsSeQuence NumbersSQN
128 bitsRANDom challengeRAND
128 bitsauthentication KeyK
LengthParameter name
Figure9Authenticationparameters
8/6/2019 31253587 UMTS Security
11/35
UMTSSecurityLeliwaTechnicalBulletin
11
AuthenticatAuthenticatAuthenticatAuthenticationandkeyagreementionandkeyagreementionandkeyagreementionandkeyagreement
Thepurposeofthisprocedureistoauthenticatetheuserandestablishanew
pairofcipherandintegritykeysbetweentheVLR/SGSNandtheUSIM.
Duringtheauthentication,theUSIMverifiesthefreshnessoftheauthenticationvectorthatisused.
User authentication request (RAND || AUTN)
SGSNVLR
User authentication response (RES)
User authentication reject (CAUSE)
Figure10Authenticationandkeyestablishment
TheVLR/SGSNinvokestheprocedurebyselectingthenextunused
authenticationvectorintheVLR/SGSNdatabaseandsendstotheUSIMthe
randomchallengeRANDandanauthenticationtokenfornetwork
authenticationAUTN.
UponreceipttheuserproceedsasshowninFig.11.
f5
AK
RAND AUTN
SQNAK AMF MAC
SQN
f1 f2 f3 f4
XMAC RES CK IK
K
Verify MAC = XMAC Verify that SQN is in the correct range
Figure11UserauthenticationfunctionintheUSIM
UponreceiptofRANDandAUTNtheUSIMfirstcomputestheanonymitykey
AK=f5K(RAND)andretrievesthesequencenumberSQN=(SQNAK)
AK.
8/6/2019 31253587 UMTS Security
12/35
LeliwaTechnicalBulletinUMTSSecurity
12
NexttheUSIMcomputesXMAC=f1K(SQN||RAND||AMF)andcompares
thiswithMACwhichisincludedinAUTN.Iftheyaredifferent,theusersends
UserauthenticationrejectbacktotheVLR/SGSNwithanindicationofthe
causeandtheuserabandonstheprocedure.Inthiscase,VLR/SGSN
initiatesanAuthenticationfailurereportproceduretowardstheHLR.VLR/SGSNmayalsodecidetoinitiateanewidentificationandauthentication
proceduretowardstheuser.
NexttheUSIMverifiesthatthereceivedsequencenumberSQNisinthe
correctrange.Ifcorrect,theUSIMcomputesRES=f2K(RAND)andincludes
thisparameterinaUserauthenticationresponsebacktotheVLR/SGSN.
FinallytheUSIMcomputesthecipherkeyCK=f3K(RAND)andtheintegrity
keyIK=f4K(RAND).
IftheUSIMalsosupportsconversionfunctionc3,itderivestheGSMcipher
keyKcfromtheUMTScipher/integritykeysCKandIK.
UponreceiptofUserauthenticationresponsetheVLR/SGSNcomparesRES
withtheeXpectedRESponseXRESfromtheselectedauthenticationvector.
IfXRESequalsRESthentheauthenticationoftheuserhaspassed.The
VLR/SGSNalsoselectstheappropriatecipherkeyCKandintegritykeyIK
fromtheselectedauthenticationvector.IfXRESandRESaredifferent,
VLR/SGSNinitiatesanAuthenticationfailurereportproceduretowardsthe
HLRandmayalsodecidetoinitiateanewidentificationandauthentication
proceduretowardstheuser.
SequenceSequenceSequenceSequencenumbersnumbersnumbersnumbersTheverificationoftheSQNbytheUSIMwillcausetheMStorejectan
attemptbytheVLR/SGSNtore-useaquintettoestablishaparticularUMTS
securitycontextmorethanonce.IngeneralthereforetheVLR/SGSNcanuse
aquintetonlyonce.
Themechanismsforverifyingthefreshnessofsequencenumbersinthe
USIMtosomeextentallowstheout-of-orderuseofsequencenumbers.This
istoensurethattheauthenticationfailurerateduetosynchronisationfailures
issufficientlylow.ThisrequiresthecapabilityoftheUSIMtostoreinformation
onpastsuccessfulauthenticationevents(e.g.sequencenumbers).The
mechanismensuresthatasequencenumbercanstillbeacceptedifitisamongthelastx=32sequencenumbersgenerated.Thesameminimum
numberxneedstobeusedacrossthesystemstoguaranteethatthe
synchronisationfailurerateissufficientlylowundervarioususagescenarios,
inparticularsimultaneousregistrationintheCS-andthePS-servicedomains
andusermovementbetweenVLRs/SGSNswhichdonotexchange
authenticationinformation.
IftheUSIMconsidersthesequencenumbertobenotinthecorrectrange,it
sendsSynchronisationfailurebacktotheVLR/SGSNandabandonsthe
procedure,seeFig.12.
8/6/2019 31253587 UMTS Security
13/35
UMTSSecurityLeliwaTechnicalBulletin
13
User authentication request (RAND || AUTN)
SGSNVLR
User authentication reject
(AUTS, CAUSE = synchronisation failure)
Figure12Synchronisationfailure
ThesynchronisationfailuremessagecontainstheparameterAUTS.Itis
AUTS=Conc(SQNMS)||MAC-S.Conc(SQNMS)=SQNMSf5*K(RAND)is
theconcealedvalueofthecounterSQNMSintheMS,andMAC-S=
f1*K(SQNMS||RAND||AMF)whereRANDistherandomvaluereceivedin
thecurrentuserauthenticationrequestandAMFisadummyvalueofall
zeros.f1*isamessageauthenticationcode(MAC)functionandf5*isthekeygeneratingfunctionusedtocomputeAKinre-synchronisationprocedures,
bothwiththepropertythatnovaluableinformationcanbeinferredfromthe
functionvaluesoff1*andf5*aboutthoseoff1,...,f5,f5*andviceversa.
TheconstructionoftheparameterAUTSinshownintheFig.13.
f5*
AK
RAND
SQNMSAK
AMF
MAC-S
SQNMS
f1*
K
AUTS = SQNMS AK || MAC-S
Figure13ConstructionoftheparameterAUTS
RRRReeee----synchronisationproceduresynchronisationproceduresynchronisationproceduresynchronisationprocedure
AVLR/SGSNmaysendtwotypesofauthenticationdatarequeststotheHE/AuC,the(regular)one,describedearlierinthischapterandoneusedin
caseofsynchronisationfailures,describedinthissection.
Uponreceivingasynchronisationfailuremessagefromtheuser,the
VLR/SGSNsendsanauthenticationdatarequestwithasynchronisation
failureindicationtotheHE/AuC,togetherwiththeparameters:
RANDsenttotheMSintheprecedinguserauthenticationrequest,
and
AUTSreceivedbytheVLR/SGSNintheresponsetothatrequest,
8/6/2019 31253587 UMTS Security
14/35
LeliwaTechnicalBulletinUMTSSecurity
14
WhentheHE/AuCreceivesanauthenticationdatarequestwitha
synchronisationfailureindication"itretrievesSQNMSfromConc(SQNMS)by
computingConc(SQNMS)f5*K(RAND)andchecksifSQNHEisinthecorrect
range,i.e.ifthenextsequencenumbergeneratedSQNHEusingwouldbe
acceptedbytheUSIM.
IfSQNHEisinthecorrectrangethentheHE/AuCsendsanauthentication
dataresponsewithanewbatchofauthenticationvectorstotheVLR/SGSN.
OtherwiseitverifiesAUTSandiftheverificationissuccessfultheHE/AuC
resetsthevalueofthecounterSQNHEtoSQNMS.
WhenevertheVLR/SGSNreceivesanewbatchofauthenticationvectorsit
deletestheoldonesforthatuserintheVLR/SGSNandtheusermaynowbe
authenticatedbasedonanewauthenticationvector.
RAND, AUTN
SGSNVLR
AUTS
HLR/AuC
RAND, AUTS
{Qi}
Figure14Re-synchronisationmechanism
ReportingauthenticationfailuresReportingauthenticationfailuresReportingauthenticationfailuresReportingauthenticationfailures
Thepurposeofthisprocedureistoprovideamechanismforreporting
authenticationfailuresfromtheservingenvironmentbacktothehome
environment,seeFig.15.
SGSNVLR HLR
Authentication failure report
(IMSI, failure cause, access type, authenticationre-attempt, VLR/SGSN address and RAND)
Figure15ReportingauthenticationfailurefromVLR/SGSNtoHLR
TheprocedureisinvokedbytheservingnetworkVLR/SGSNwhenthe
authenticationprocedurefails.TheAuthenticationfailurereportcontains
amongotherparameters:subscriberidentity,failurecausecode(wrong
networksignature/wronguserresponse),VLR/SGSNaddressandRAND.
TheHEmaycancelthelocationoftheuserafterreceivinganauthentication
failurereportandstoresthereceiveddatasothatfurtherprocessingtodetect
possiblefraudsituationscouldbeperformed.
8/6/2019 31253587 UMTS Security
15/35
UMTSSecurityLeliwaTechnicalBulletin
15
ConfidentialityConfidentialityConfidentialityConfidentiality
Foursecurityfeaturesrelatedtoconfidentialityareprovided:
cipheralgorithmagreementcipheralgorithmagreementcipheralgorithmagreementcipheralgorithmagreement(MSandtheSNsecurelynegotiatethe
algorithmthattheyusesubsequently),
cipherkeyagreementcipherkeyagreementcipherkeyagreementcipherkeyagreement(MSandtheSNagreeonacipherkeythatthey
usesubsequently),
confidentialityofuserdataconfidentialityofuserdataconfidentialityofuserdataconfidentialityofuserdata(userdatacannotbeoverheardonthe
radioaccessinterface),
confidentialityofsignallinconfidentialityofsignallinconfidentialityofsignallinconfidentialityofsignallingdatagdatagdatagdata(signallingdatacannotbeoverheard
ontheradioaccessinterface).
CipherkeyandintegritykeysettingCipherkeyandintegritykeysettingCipherkeyandintegritykeysettingCipherkeyandintegritykeysetting
Authenticationandkeysettingaretriggeredbytheauthenticationprocedure
describedearlierinthischapter.TheCKandIKarestoredintheVLR/SGSN
andtransferredtotheRNCwhenneeded.TheCKandIKfortheCSdomain
andseparatelyforPSdomainarestoredontheUSIMandupdatedatthe
nextauthenticationfromeachdomain.
Authentication
SGSNVLRRNC
CK, IK CK, IK
Figure16Cipherkeyandintegritykeysetting
CipheringandinCipheringandinCipheringandinCipheringandintegritymodenegotiationtegritymodenegotiationtegritymodenegotiationtegritymodenegotiation
WhenanMSwishestoestablishaconnectionwiththenetwork,theMSindicatestothenetworkintheMS/USIMClassmarkwhichcipherandintegrity
algorithmstheMSsupports.Thisinformationitselfisintegrityprotected.Asit
isthecasethattheRNCdoesnothavetheintegritykeyIKwhenreceiving
theMS/USIMClassmarkthisinformationmustbestoredintheRNC.The
dataintegrityoftheclassmarkisperformed,duringthesecuritymodeset-up
procedurebyuseofthemostrecentlygeneratedIK.
8/6/2019 31253587 UMTS Security
16/35
LeliwaTechnicalBulletinUMTSSecurity
16
CipherkeyandintegritykeyidentificationCipherkeyandintegritykeyidentificationCipherkeyandintegritykeyidentificationCipherkeyandintegritykeyidentification
Thekeysetidentifier(KSI)isanumberwhichisassociatedwiththecipher
andintegritykeysderivedduringauthentication.Thekeysetidentifieris
allocatedbythenetworkandsentwiththeauthenticationrequestmessagetotheMSwhereitisstoredtogetherwiththecalculatedcipherkeyCKand
integritykeyIK.KSIinUMTScorrespondstoCKSNinGSM.TheUSIM
storesoneKSI/CKSNforthePSdomainkeysetandoneKSI/CKSNforthe
CSdomainkeyset.
Thepurposeofthekeysetidentifieristomakeitpossibleforthenetworkto
identifythecipherkeyCKandintegritykeyIKwhicharestoredintheMS
withoutinvokingtheauthenticationprocedure.Thisisusedtoallowre-useof
thecipherkeyCKandintegritykeyIKduringsubsequentconnectionset-ups.
KSIandCKSNhavethesameformat.Thekeysetidentifieristhreebits
(sevenvaluesareusedtoidentifythekeysetandavalueof111isusedbytheMStoindicatethatavalidkeyisnotavailableforuse).
Authentication
SGSNVLR
CK, IK,
KSI
KSI
Ciphering, integrity protection
KSI
after some time
CK, IK,
KSI
Figure17Cipherkeyandintegritykeyidentification
CipherkeyandintegritykeylifetimeCipherkeyandintegritykeylifetimeCipherkeyandintegritykeylifetimeCipherkeyandintegritykeylifetime
Authenticationandkeyagreement,whichgeneratescipher/integritykeys,isnotmandatoryatcallset-up,andthereisthereforethepossibilityofunlimited
andmaliciousre-useofcompromisedkeys.TheUSIMthereforecontainsa
mechanismtolimittheamountofdatathatisprotectedbyanaccesslinkkey
set.
ThelifetimeofcipherandintegritykeysislimitedbyTHRESHOLDvalues
thatcanbesetoradjustbytheoperatorandsendtotheUSIMinsideAMF
fieldoftheauthenticationvector.
Thecipheringandintegrityprotectionalgorithmsaredrivenbycounters
(COUNT-CandCOUNT-I)thatatconnectionestablishmentneedtobe
initialised.ForthatpurposetheMEandtheUSIMhavetheabilitytostorea
8/6/2019 31253587 UMTS Security
17/35
UMTSSecurityLeliwaTechnicalBulletin
17
STARTvalue.TheMEandtheUSIMstoreaSTARTCSvaluefortheCS
cipher/integritykeysandaSTARTPSvalueforthePScipher/integritykeys.
ThelengthofSTARTis20bits.
Atradioconnectionestablishmentforaparticularservingnetworkdomain(CSorPS)theMEsendstheSTARTCSandtheSTARTPSvaluetotheRNCin
theRRCconnectionsetupcompletemessage.TheMEmarkstheSTART
valuesintheUSIMasinvalidbysettingSTARTCSandSTARTPSto
THRESHOLD.
ThecipheringsequencenumberCOUNT-Candintegritysequencenumber
COUNT-Iareboth32bitslong.TheMEandtheRNCinitialisethe20most
significantbitsoftheCOUNT-CandOUNT-ItothecurrentvalueofSTART
andtheremainingbitstozeroatthestartofciphering.ThantheCOUNT-C
andCOUNT-IisincrementedateachRLCcycle.
DuringauthenticationandkeyagreementtheSTARTvalueassociatedwiththenewkeysetofthecorrespondingservicedomainissetto0intheUSIM
andintheME.
0 5 6 9 2
0 0 0 0 0
Authentication
SGSNVLR
Ciphering, integrity protection
after some time0 5 6 9 2
0 8 4 7 1
Ciphering, integrity protection
after some time
Authentication
0 0 0 0 0
Ciphering, integrity protection
START=5692
START=THRESHOLD0 8 4 7 1
THRESHOLD=8000
Figure18Cipherkeyandintegritykeylifetime
SecuritymodesetSecuritymodesetSecuritymodesetSecuritymodeset----upprocedureupprocedureupprocedureupprocedure
Thissectiondescribesonecommonprocedureforbothcipheringand
integrityprotectionset-up.
Themessagesequenceflowbelowdescribestheinformationtransferat
initialconnectionestablishment,possibleauthenticationandstartofintegrity
protectionandpossibleciphering.
8/6/2019 31253587 UMTS Security
18/35
LeliwaTechnicalBulletinUMTSSecurity
18
SGSNVLRSRNC
RRC connection establishment(START values)
Initial L3 message (user identity, KSI)
Authentication and key generation
Security mode cmd. (CK, IK) Sec. mode cmd. (CN dom., FRESH, MAC-I)
Verification
Security mode complete (MAC-I)
Verification
Security mode complete (MAC-I)Ciphering / deciphering
Figure19Localauthenticationandconnectionset-up
RRCconnectionestablishmentincludesthetransferfromMStoRNCof
thecipheringcapabilities(UEAs)andtheintegritycapabilities(UIAs)ofthe
MS.OptionallytheGSMClassmarks2and3andtheSTARTvaluesforthe
CS/PSservicedomainareincluded.TheSTARTvaluesandtheUEsecurity
capabilityinformationarestoredintheSRNC.
TheMSsendstheInitialL3message(Locationupdaterequest,CM
servicerequest,Routingareaupdaterequest,Attachrequest,Paging
responseetc.)totheVLR/SGSN.Thismessagecontainstheuseridentity
andtheKSI.Useridentityrequest,authenticationoftheuserandgenerationofnew
securitykeys(IKandCK)maybeperformed.AnewKSIwillthenalsobe
allocated.
TheVLR/SGSNinitiatesintegrityandcipheringbysendingtheRANAP
messageSecurityModeCommandtoSRNCthatcontainstheIKandCKto
beused.Ifanewauthenticationandsecuritykeygenerationhasbeen
performed,thisisindicatedinthemessagesenttotheSRNC.Theindication
ofnewgeneratedkeysimpliesthattheSTARTvalueistoberesetatstart
useofthenewkeys.Otherwise,itistheSTARTvaluealreadyavailableinthe
SRNCthatisused.TheSRNCgeneratestheRRCmessageSecuritymodecommand.The
messageincludestherandomvalueFRESHtobeusedforintegrity
protection.BecauseofthattheMScanhavetwocipheringandintegritykey
sets,thenetworkmustindicatewhichkeysettouse.Thisisobtainedby
includingaCNtypeindicatorinformationintheSecuritymodecommand
message.BeforesendingthismessagetotheMS,theSRNCgeneratesthe
MAC-I(MessageAuthenticationCodeforIntegrity)andattachesthis
informationtothemessage.
TheMScomputesXMAC-IonthemessagereceivedbyusingtheUIA,the
storedCOUNT-IandthereceivedFRESHparameter.TheMSverifiesthe
8/6/2019 31253587 UMTS Security
19/35
UMTSSecurityLeliwaTechnicalBulletin
19
integrityofthemessagebycomparingthereceivedMAC-Iwiththegenerated
XMAC-I.
TheMScompilestheRRCmessageSecuritymodecompleteand
generatestheMAC-Iforthismessage.Ifverificationisnotsuccessful,theprocedureendsintheMS.
Atreceptionoftheresponsemessage,theSRNCcomputestheXMAC-I
onthemessage.TheSRNCverifiesthedataintegrityofthemessageby
comparingthereceivedMAC-IwiththegeneratedXMAC-I.
ThetransferoftheRANAPmessageSecuritymodecompletefromSRNC
totheVLR/SGSNendstheprocedure.
TheSecuritymodecommandtoMSstartsthedownlinkintegrityprotection,
i.e.thisandallfollowingdownlinkmessagessenttotheMSareintegrity
protectedusingthenewintegrityconfiguration.TheSecuritymodecomplete
fromMSstartstheuplinkintegrityprotection,i.e.thisandallfollowingmessagessentfromtheMSareintegrityprotectedusingthenewintegrity
configuration.Whencipheringshallbestarted,theCipheringActivationtime
informationthatisexchangedbetweenSRNCandMSduringtheSecurity
modeset-upproceduresetstheRLCSequenceNumber/ConnectionFrame
NumberwhentostartcipheringinDownlinkrespectiveUplinkusingthenew
cipheringconfiguration.
CipheringmethodCipheringmethodCipheringmethodCipheringmethod
Fig.20illustratestheuseofthecipheringalgorithmf8toencryptplaintextbyapplyingakeystreamusingabitperbitbinaryadditionoftheplaintextand
thekeystream.Theplaintextmayberecoveredbygeneratingthesame
keystreamusingthesameinputparametersandapplyingabitperbitbinary
additionwiththeciphertext.
f8CK
BEARER
COUNT-C DIRECTION
LENGTH
KEYSTREAMBLOCK
PLAINTEXT
BLOCKCIPHERTEXT
BLOCK
f8CK
BEARER
COUNT-C DIRECTION
LENGTH
KEYSTREAMBLOCK
PLAINTEXT
BLOCK
Sender Receiver
Figure20Cipheringofuserandsignallingdata
8/6/2019 31253587 UMTS Security
20/35
LeliwaTechnicalBulletinUMTSSecurity
20
TheinputparameterstothealgorithmarethecipherkeyCK,atime
dependentinputCOUNT-C,thebeareridentityBEARER,thedirectionof
transmissionDIRECTIONandthelengthofthekeystreamrequiredLENGTH.
Basedontheseinputparametersthealgorithmgeneratestheoutput
keystreamblockKEYSTREAMwhichisusedtoencrypttheinputplaintextblockPLAINTEXTtoproducetheoutputciphertextblockCIPHERTEXT.
ThereisoneBEARERparameterperradiobearerassociatedwiththesame
userandmultiplexedonasingle10msphysicallayerframe.Theradiobearer
identifierisinputtoavoidthatfordifferentkeystreamanidenticalsetofinput
parametervaluesisused.
TheDIRECTIONidentifierisinputtoavoidthatforthekeystreamsfortheup-
linkandforthedown-linkwouldusetheidenticalsetofinputparameter
values.
TheLENGTHindicatordeterminesthelengthoftherequiredkeystreamblock.
ThereisoneCKforCSconnections(CKCS),establishedbetweentheCS
servicedomainandtheuserandoneCKforPSconnections(CKPS)
establishedbetweenthePSservicedomainandtheuser.Theradiobearers
forCSuserdataarecipheredwithCKCS.TheradiobearersforPSuserdata
arecipheredwithCKPS.Thesignallingradiobearersareusedfortransferof
signallingdataforservicesdeliveredbybothCSandPSservicedomains.
ThesesignallingradiobearersarecipheredbytheCKoftheservicedomain
forwhichthemostrecentsecuritymodenegotiationtookplace.
DataintegrityDataintegrityDataintegrityDataintegrity
Threesecurityfeaturesrelatedtodataintegrityareprovided:
integrityalgorithmagreementintegrityalgorithmagreementintegrityalgorithmagreementintegrityalgorithmagreement(theMSandtheSNsecurelynegotiate
theintegrityalgorithmthattheyusesubsequently),
integritykeyagreementintegritykeyagreementintegritykeyagreementintegritykeyagreement(theMSandtheSNagreeonanintegritykey
thattheyusesubsequently),
dataintegrityandoriginauthenticationofsignallingdatadataintegrityandoriginauthenticationofsignallingdatadataintegrityandoriginauthenticationofsignallingdatadataintegrityandoriginauthenticationofsignallingdata(theproperty
thatthereceivingentity(MSorSN)isabletoverifythatsignalling
datahasnotbeenmodifiedinanunauthorisedwaysinceitwassent
bythesendingentity(SNorMS)andthatthedataoriginofthe
signallingdatareceivedisindeedtheoneclaimed).
Integritykeyagreementandintegrityalgorithmagreementisrealisedby
meansofamechanismthataredescribedearlierinthischapter.
8/6/2019 31253587 UMTS Security
21/35
UMTSSecurityLeliwaTechnicalBulletin
21
DDDDataintegrityprotectionmethodataintegrityprotectionmethodataintegrityprotectionmethodataintegrityprotectionmethod
Fig.21illustratestheuseoftheintegrityalgorithmf9toauthenticatethedata
integrityofasignallingmessage.
f9IK
MESSAGE
COUNT-I DIRECTION
FRESH
MAC-I
Sender Receiver
f9IK
MESSAGE
COUNT-I DIRECTION
FRESH
XMAC-I
Figure21DerivationofMAC-I(orXMAC-I)onasignallingmessage
TheinputparameterstothealgorithmaretheIntegrityKey(IK),theintegrity
sequencenumber(COUNT-I),arandomvaluegeneratedbythenetworkside
(FRESH),thedirectionbitDIRECTIONandthesignallingdataMESSAGE.
Basedontheseinputparameterstheusercomputesmessageauthentication
codefordataintegrityMAC-Iusingtheintegrityalgorithmf9.TheMAC-Iis
thenappendedtothemessagewhensentovertheradioaccesslink.The
receivercomputesXMAC-Ionthemessagereceivedinthesamewayasthe
sendercomputedMAC-IonthemessagesentandverifiesthedataintegrityofthemessagebycomparingittothereceivedMAC-I.
Thenetwork-sidenonceFRESHFRESHFRESHFRESHis32bitslong.TheinputparameterFRESH
protectsthenetworkagainstreplayofsignallingmessagesbytheuser.At
connectionset-uptheRNCgeneratesarandomvalueFRESHandsendsitto
theuserinthe(RRC)Securitymodecommand.ThevalueFRESHis
subsequentlyusedbyboththenetworkandtheuserthroughouttheduration
ofasingleconnection.Thismechanismassuresthenetworkthattheuseris
notreplayinganyoldMAC-Is.
TheremaybeoneIKIKIKIKforCSconnections(IKCS),establishedbetweentheCS
servicedomainandtheuserandoneIKforPSconnections(IKPS)establishedbetweenthePSservicedomainandtheuser.Thedataintegrity
ofradiobearersforuserdataisnotprotected.Thesignallingradiobearers
areusedfortransferofsignallingdataforservicesdeliveredbybothCSand
PSservicedomains.Thesesignallingradiobearersaredataintegrity
protectedbytheIKoftheservicedomainforwhichthemostrecentsecurity
modenegotiationtookplace.
Therestoftheinputparametershaveexactlythesamemeaningasfor
algorithmforcipheringdescribedintheprevioussection.
8/6/2019 31253587 UMTS Security
22/35
LeliwaTechnicalBulletinUMTSSecurity
22
UnsuccessfulintegritycheckUnsuccessfulintegritycheckUnsuccessfulintegritycheckUnsuccessfulintegritycheck
ThesupervisionoffailedintegritychecksisperformedbothintheMSandthe
SRNC.Incaseoffailedintegritycheck(i.e.faultyormissingMAC)is
detectedafterthattheintegrityprotectionisstartedtheconcernedmessageisdiscarded.
UMTSUMTSUMTSUMTSGSMinteroperationGSMinteroperationGSMinteroperationGSMinteroperation
UMTSUMTSUMTSUMTSsubscriberconnectedtoGSMBSSsubscriberconnectedtoGSMBSSsubscriberconnectedtoGSMBSSsubscriberconnectedtoGSMBSS
UMTSAKAisappliedwhentheuserisattachedtoaGSMBSS,incasethe
userhasaMEcapableofUMTSAKAandalsotheVLR/SGSNisR99+.In
thiscase,theGSMcipherkeyKcisderivedfromtheUMTScipher/integrity
keysCKandIK,bytheVLR/SGSNonthenetworksideandbytheUSIMon
theuserside.
SGSNVLR HLR/AuC
{RAND,XRES, CK, IK, AUTN}
RAND, AUTNUMTS AKA
USIM
RES
CK, IK Kc CK, IK Kc
BSCKc
GSM EA A5/x
Figure22UserattachedtoGSMBSSwithUMTSAKAcapableME
(VLR/SGSNR99+)
GSMAKAisappliedwhentheuserisattachedtoaGSMBSS,incasethe
userhasaMEnotcapableofUMTSAKA.Inthiscase,theGSMuser
responseSRESandtheGSMcipherkeyKcarederivedfromtheUMTSuser
responseRESandtheUMTScipher/integritykeysCKandIK.AR98-
VLR/SGSNusesthestoredKcandRESandaR99+VLR/SGSNderivesthe
SRESfromRESandKcfromCK,IK.
8/6/2019 31253587 UMTS Security
23/35
UMTSSecurityLeliwaTechnicalBulletin
23
SGSNVLR HLR/AuC
{RAND,XRES, CK, IK, AUTN}
RAND
GSM AKA
USIM
SRES
BSCKc
GSM EA A5/x
CK, IK Kc,RES SRES
CK, IK Kc,
RES SRES
Figure23UserattachedtoGSMBSSwithUMTSAKAnon-capableME
(VLR/SGSNR99+)
GSMAKAisappliedwhentheuserisattachedtoaGSMBSS,incasethe
VLR/SGSNisR98-.Inthiscase,theUSIMderivestheGSMuserresponse
SRESandtheGSMcipherkeyKcfromtheUMTSuserresponseRESand
theUMTScipher/integritykeysCK,IK.
SGSN
VLRHLR/AuC
{RAND,SRES, Kc}RAND
GSM AKA
USIM
SRES
BSCKc
GSM EA A5/x
CK, IK Kc,RES SRES
CK, IK Kc,RES SRES
Figure24UserattachedtoGSMBSS(VLR/SGSNR99-)
Fig.25showsthedifferentscenariosthatcanoccurwithUMTSsubscribers
inamixednetworkarchitecture.
8/6/2019 31253587 UMTS Security
24/35
LeliwaTechnicalBulletinUMTSSecurity
24
UMTS AKAnon-capable ME
GSM BSS
VLR/SGSN
Release 99+HLR/AuC
CK, IK KcRES SRES
VLR/SGSN Release 99+CK, IK KcRES SRESCK, IK Kc
Release 98-
UTRAN
UMTS AKA capable ME ME
USIM
CK, IK
Kc CK, IK
Kc CK, IK
KcRES SRES CK, IK
KcRES SRES
Quintets Triplets
CK, IK [Kc] [Kc] [Kc]
RAND, AUTN, RES RAND, AUTN, RES RAND, [AUTN], SRES RAND, SRES
CK, IK, Kc CK, IK, Kc Kc Kc
UMTS security GSM security
Figure25AuthenticationandkeyagreementofUMTSsubscribers
IncaseofaGSMBSS,cipheringisappliedintheGSMBSSforservices
deliveredviatheMSC/VLR,andbytheSGSNforservicesdeliveredviathe
SGSN.InthelattercasetheGSMcipherkeyKcisnotsenttotheGSMBSS.
IncaseofaUTRAN,cipheringandintegrityarealwaysappliedintheRNC,
andtheUMTScipher/integritykeysCKanIKarealwayssenttotheRNC.
c1: RAND[GSM] = RAND
c2: SRES[GSM] = XRES*1 XRES*2 XRES*3 XRES*4
c3: Kc[GSM] = CK1 CK2 IK1 IK2
XRES* is 16 octets long and XRES* = XRES if XRES is 16 octets long and XRES*= XRES || 0...0 if XRES is shorter than 16 octets,
XRES*i are all 4 octets long and XRES* = XRES*1 || XRES*2 || XRES*3 || XRES*4,
CKi and IKi are both 64 bits long and CK = CK1 || CK2 and IK = IK1 || IK2.
Figure26Conversionfunctions
GSMsubscribersconnectedtoUTRANGSMsubscribersconnectedtoUTRANGSMsubscribersconnectedtoUTRANGSMsubscribersconnectedtoUTRAN
ForGSMsubscribers,GSMAKAisalwaysused.WheninanUTRAN,the
UMTSCKandIKarederivedfromtheGSMcipherkeyKcbytheMEandthe
VLR/SGSN,bothR99+entities.
Fig.28showsthedifferentscenariosthatcanoccurwithGSMsubscribers
usingeitherR98-orR99+MEinamixednetworkarchitecture.
8/6/2019 31253587 UMTS Security
25/35
UMTSSecurityLeliwaTechnicalBulletin
25
R98- UE
GSM BSS
VLR/SGSN
Release 98- or Release 99+
HLR/AuC
VLR/SGSN Release 99+
Kc CK, IK
Release 98-
UTRAN
R99+ UE R99+ or R98- UE
SIM
Triplets Triplets
CK, IK [Kc] [Kc] [Kc]
RAND, SRES RAND, SRES RAND, SRES RAND, SRES
Kc Kc Kc Kc
GSM security
Fig27AuthenticationandkeyagreementforGSMsubscribers
WhentheuserisattachedtoaUTRAN,theR99+VLR/SGSNderivesthe
UMTScipher/integritykeysfromtheGSMcipherkeyusingthefollowing
conversionfunctions:
c4: CK[UMTS] = Kc || Kc
c5: IK[UMTS] = Kc1 Kc2 || Kc || Kc1 Kc2
Kci are both 32 bits long and Kc = Kc1 || Kc2
Figure28Conversionfunctions
CShandover(UTRANtoGERAN)CShandover(UTRANtoGERAN)CShandover(UTRANtoGERAN)CShandover(UTRANtoGERAN)
Ifcipheringhasbeenstartedwhenanintersystemhandoveroccursfrom
UTRANtoGSMBSS,thenecessaryinformation(e.g.Kc,supported/allowed
GSMcipheringalgorithms)istransmittedwithinthesysteminfrastructure
beforetheactualhandoverisexecutedtoenablethecommunicationto
proceedfromtheoldRNCtothenewGSMBSS,andtocontinuethe
communicationincipheredmode.Theintersystemhandoverwillimplya
changeofcipheringalgorithmfromaUEAtoaGSMA5.TheGSMBSS
includestheselectedGSMcipheringmodeinthehandovercommand
messagesenttotheMSviatheRNC.
Theintegrityprotectionofsignallingmessagesisstoppedathandoverto
GSMBSS.
AtthenetworksidetheMSC/VLRderivestheGSMcipherkeyKcfromthe
UMTScipher/integritykeysCKandIKusedbeforetheintersystemhandover
8/6/2019 31253587 UMTS Security
26/35
LeliwaTechnicalBulletinUMTSSecurity
26
(usingtheconversionfunctionc3)andsendsKctothetargetBSC(which
forwardsittotheBTS).
Attheuserside,theMEappliesthederivedGSMcipherkeyKcfromthekey
setwhichwasusedbeforetheintersystemhandover.
CK, IK Kc
MSC
BSCGSM A5
RNCUEA
A5/x
CK, IK Kc
UMTS security context
Kc
MSC
BSCGSM A5
RNCUEA
A5/x
GSM security context
Figure29CShandover(UTRANtoGSMBSS)
TheconversionisonlyneededifbeforethehandovertheUMTSsecuritycontextwasestablished(USIMintheME).Theconversionisnotneededin
casewhenbeforethehandovertheGSMsecuritycontextwasestablished
(SIMintheME).
CShandover(GERANtoUTRAN)CShandover(GERANtoUTRAN)CShandover(GERANtoUTRAN)CShandover(GERANtoUTRAN)
Ifcipheringhasbeenstartedwhenanintersystemhandoveroccursfrom
GSMBSStoUTRAN,thenecessaryinformation(e.g.CK,IK,STARTvalue
information,supported/allowedUMTSalgorithms)istransmittedwithinthe
systeminfrastructurebeforetheactualhandoverisexecutedtoenablethecommunicationtoproceedfromtheoldGSMBSStothenewRNC,andto
continuethecommunicationincipheredmode.Theintersystemhandoverwill
implyachangeofcipheringalgorithmfromaGSMA5toaUEA.
Theintegrityprotectionofsignallingmessagesisstartedimmediatelyafter
theintersystemhandoverfromGSMBSStoUTRANiscompleted.
Atthenetworkside,theMSC/VLRderives,theUMTScipher/integritykeys
CKandIKfromthekeysetusedbeforetheintersystemhandover.
Attheuserside,theMEappliestheUMTScipher/integritykeysCKandIK
fromthekeysetwhichwasusedbeforetheintersystemhandover.
8/6/2019 31253587 UMTS Security
27/35
UMTSSecurityLeliwaTechnicalBulletin
27
Kc CK, IK
MSC
RNCUEA
BSCGSM A5
Kc CK, IK
GSM security context
CK, IK
MSC
RNCUEA
BSCGSM A5
UMTS security context
Figure30CShandover(GSMBSStoUTRAN)
TheconversionisonlyneededifbeforethehandovertheGSMsecurity
contextwasestablished(e.g.SIMintheME).Theconversionisnotneeded
incasewhenbeforethehandovertheUMTSsecuritycontextwas
established(USIMintheME).
PSsystemchange(UTRANtoGERAN)PSsystemchange(UTRANtoGERAN)PSsystemchange(UTRANtoGERAN)PSsystemchange(UTRANtoGERAN)IncaseofanintersystemchangetoaGSMBSS,theSGSNderivestheGSM
cipherkeyKcfromtheUMTScipher/integritykeysCKandIKagreedduring
thelatestAKAprocedureandappliesit.
Attheuserside,theMEappliesthederivedGSMcipherkeyKcreceived
fromtheUSIM/SIMduringthelatestAKAprocedure.
8/6/2019 31253587 UMTS Security
28/35
LeliwaTechnicalBulletinUMTSSecurity
28
SGSN
BSCGEA
RNCUEA
CK, IK Kc
CK, IK KcUMTS security context
SGSN
BSCGEA
RNCUEA
GSM security context
Figure31PSsystemchange(UTRANtoGSMBSS)
TheconversionisonlyneededifbeforethehandovertheUMTSsecurity
contextwasestablished(USIMintheME).Theconversionisnotneededin
casewhenbeforethehandovertheGSMsecuritycontextwasestablished
(SIMintheME).
PSsystemchange(GERANtoUTRAN)PSsystemchange(GERANtoUTRAN)PSsystemchange(GERANtoUTRAN)PSsystemchange(GERANtoUTRAN)
UMTSsecuritycontextUMTSsecuritycontextUMTSsecuritycontextUMTSsecuritycontext
IncaseofanintersystemchangetoaUTRAN,theSGSN,theUMTS
cipher/integritykeysCKandIKagreedduringthelatestUMTSAKA
procedurearesenttothetargetRNC.
Attheuserside,inbothcases,theMEappliestheUMTScipher/integrity
keysCKandIKreceivedfromtheUSIMduringthelatestUMTSAKA
procedure.
SGSN
RNCUEA
BSCGEA
UMTS security context
CK, IK
Figure32PSsystemchange(GERANtoUTRAN)UMTSsecuritycontext
8/6/2019 31253587 UMTS Security
29/35
UMTSSecurityLeliwaTechnicalBulletin
29
GSMsecuritycontextGSMsecuritycontextGSMsecuritycontextGSMsecuritycontext
EstablishedforaUMTSsubscriberEstablishedforaUMTSsubscriberEstablishedforaUMTSsubscriberEstablishedforaUMTSsubscriber
AGSMsecuritycontextforaUMTSsubscriberisestablishedincasetheuserhasaR99+MEbuttheSGSNisR98.Asresult,incaseofintersystem
changetoaUTRANcontrolledbyanotherR99+SGSN,theinitialR98-
SGSNsendstheGSMKcagreedduringthelatestGSMAKAprocedureto
thenewSGSNcontrollingthetargetRNC.
SincethenewR99+SGSNhasnoindicationofwhetherthesubscriberis
GSMorUMTS,aR99+SGSNshallperformanewUMTSAKAwhen
receivingKcfromaR98-SGSN.AUMTSsecuritycontextusingfresh
quintetsisthenestablishedbetweentheR99+SGSNandtheUSIM.Thenew
SGSNbecomesthenewanchorpointfortheservice.
SGSNRNCUEA
BSCGEA
GSM security contextKc
SGSNR99+
R98USIM
HLR/AuCUMTS AKA
Figure33PSsystemchange(GERANtoUTRAN)GSMsecuritycontextfor
UMTSsubscriber
EstablishedforaGSMsubscriberEstablishedforaGSMsubscriberEstablishedforaGSMsubscriberEstablishedforaGSMsubscriber
Atthenetworkside,threecasesaredistinguished:
a) IncaseofanintersystemchangetoaUTRANcontrolledbythesame
SGSN,theSGSNderivesUMTScipher/integritykeysCKandIKfromthe
GSMcipherkeyKc(usingtheconversionfunctionsc4andc5)agreedduring
thelatestGSMAKAprocedureandsendsthemtothetargetRNC.
SGSN
RNCUEA
BSCGEA
GSM security context
Kc CK, IK
Kc CK, IK
SIM
Figure34PSsystemchange(GERANtoUTRAN)GSMsecuritycontextfor
GSMsubscriber(sameSGSN)
8/6/2019 31253587 UMTS Security
30/35
LeliwaTechnicalBulletinUMTSSecurity
30
b) IncaseofanintersystemchangefromaR99+SGSNtoaUTRAN
controlledbyanotherSGSN,theinitialSGSNsendstheGSMKcagreed
duringthelatestGSMAKAproceduretothe(new)SGSNcontrollingthe
targetRNC.ThenewSGSNbecomesthenewanchorpointfortheservice.
ThenewSGSNstorestheGSMcipherkeyKcandderivestheUMTScipher/integritykeysCKandIKwhicharethenforwardedtothetargetRNC.
SGSNRNCUEA
BSCGEA
GSM security context
Kc CK, IK
SGSNR99+
Kc
Kc CK, IK
SIM
Figure35PSsystemchange(GERANtoUTRAN)GSMsecuritycontextfor
GSMsubscriber(SGSNR99+toanotherSGSN)
c) IncaseofanintersystemchangefromanR98-SGSNtoaUTRAN
controlledbyanotherSGSN,theinitialSGSNsendstheGSMcipherkeyKc
agreedduringthelatestGSMAKAproceduretothe(new)SGSNcontrolling
thetargetRNC.ThenewSGSNbecomesthenewanchorpointforthe
service.ToensureuseofUMTSkeysforapossibleUMTSsubscriber
(superfluousinthiscase),aR99+SGSNwillperformanewAKAwhenaR99+MEiscomingfromaR98-SGSN.
SGSNRNCUEA
BSCGEA
GSM security context
Kc CK, IK
SGSN
R98-
Kc
SIM
GSM AKA
HLR/AuC
Figure36PSsystemchange(GERANtoUTRAN)GSMsecuritycontextfor
GSMsubscriber(SGSNR98-toanotherSGSN)
Attheuserside,inallcases,theMEderivestheUMTScipher/integritykeys
CKandIKfromtheGSMcipherkeyKc(usingtheconversionfunctionsc4
andc5)receivedfromtheSIMduringthelatestGSMAKAprocedureand
8/6/2019 31253587 UMTS Security
31/35
UMTSSecurityLeliwaTechnicalBulletin
31
appliesthem.Incasec)thesekeyswillbeover-writtenwithanewCK,IKpair
duetothenewAKA.
8/6/2019 31253587 UMTS Security
32/35
LeliwaTechnicalBulletinUMTSSecurity
32
AcronymsandAbbreviationsAcronymsandAbbreviationsAcronymsandAbbreviationsAcronymsandAbbreviations
3G3G3G3G ThirdGenerationAKAKAKAK AnonymityKeyAKAAKAAKAAKA AuthenticationandKeyAgreementAMFAMFAMFAMF AuthenticationManagementFieldAUCAUCAUCAUC AuthenticationCentreAUTNAUTNAUTNAUTN AUthenticationTokeN
AUTSAUTSAUTSAUTS AutomaticUpdateTransactionSystemAVAVAVAV AuthenticationVectorBSCBSCBSCBSC BaseStationControllerBSSBSSBSSBSS BaseStationSystemBTSBTSBTSBTS BaseTransceiverStationCKCKCKCK CipheringKeyCKSNCKSNCKSNCKSN CipheringKeySequenceNumberCNCNCNCN CoreNetwork
CSCSCSCS CircuitSwitching/ConvergenceSublayer/CodingScheme
FIFOFIFOFIFOFIFO FirstIn,FirstOut
GERANGERANGERANGERAN GSM/EDGERadioAccessNetworkGPRSGPRSGPRSGPRS GeneralPacketRadioServiceGSMGSMGSMGSM GlobalSystemforMobileCommunicationsHEHEHEHE HomeEnvironmentHLRHLRHLRHLR HomeLocationRegisterIKIKIKIK IntegrityProtectionKeyIMSIIMSIIMSIIMSI InternationalMobileSubscriberIdentityLALALALA LocationArea/LinkAdaptationLAILAILAILAI LocationAreaIdentity
MACMACMACMAC MediaAccessControl/MessageAuthenticationCode
MACMACMACMAC----IIII MessageAuthenticationCodeforIntegrityMEMEMEME MobileEquipmentMSMSMSMS MobileStationPSPSPSPS PacketSwitching/PresenceServicePPPP----TMSITMSITMSITMSI PacketTMSIRARARARA RoutingAreaRAIRAIRAIRAI RoutingAreaIdentityRANRANRANRAN RadioAccessNetworkRANAPRANAPRANAPRANAP RANApplicationPartRANDRANDRANDRAND RandomNumberRESRESRESRES authenticationRESponse
RLCRLCRLCRLC RadioLinkControl
8/6/2019 31253587 UMTS Security
33/35
UMTSSecurityLeliwaTechnicalBulletin
33
RNCRNCRNCRNC RadioNetworkControllerRRCRRCRRCRRC RadioResourceControlSEQSEQSEQSEQ SequenceNumberSGSNSGSNSGSNSGSN ServingGPRSSupportNode
SIMSIMSIMSIM SubscriberIdentityModuleSNSNSNSN ServingNetwork/SubscriberNumberSQNSQNSQNSQN SeQuenceNumberSRNCSRNCSRNCSRNC ServingRadioNetworkControllerTMSITMSITMSITMSI TemporaryMobileSubscriberIdentityUEAUEAUEAUEA UserEncryptionAlgorithmUMTSUMTSUMTSUMTS UniversalMobileTelecommunicationSystemUSIMUSIMUSIMUSIM UMTSSubscriberIdentityModuleUTRANUTRANUTRANUTRAN UMTSTerrestrialRadioAccessnetworkVLRVLRVLRVLR VisitorLocationRegisterXRESXRESXRESXRES eXpectedRESponse
8/6/2019 31253587 UMTS Security
34/35
LeliwaTechnicalBulletinUMTSSecurity
34
ReferencesReferencesReferencesReferences
Thissectioncontainsthelocationsofvariousspecifications,document
referencesandusefulinformationwhereyoucanlearnmoreaboutthis
subject.
[1] 33.1023Gsecurity;Securityarchitecture
[2] 25.331RadioResourceControl(RRC);Protocolspecification
[3] 25.321MediumAccessControl(MAC)protocolspecification
[4] 25.322RadioLinkControl(RLC)protocolspecification
[5] 25.413UTRANIuinterfaceRadioAccessNetworkApplicationPart
(RANAP)signalling
[6] 24.301Non-Access-Stratum(NAS)protocolforEvolvedPacketSystem(EPS);Stage3
8/6/2019 31253587 UMTS Security
35/35
UMTSSecurityLeliwaTechnicalBulletin
DisclaimerDisclaimerDisclaimerDisclaimer
ThisdocumentisbasedonLeliwatrainingmaterials.
Informationinthisdocumentissubjecttochangewithoutnotice.Leliwa
assumesnoresponsibilityforanyerrorsthatmayappearinthisdocument.
Thisdocumentmaybefreelyredistributed.Youcanstoreitonanyservers
andmakeitavailableforpublicdownload.Insuchcaseitmustbeclearly
indicatedthatitcomesfromLeliwawebsitewww.leliwa.com
Ifyoureceivedonlythisfile,youcandownloadmoreLeliwaTechnical
Bulletinsfromthefollowingaddress:
http://www.leliwa.com/downloads
Ifyouwanttobeinformedwhenthenewbulletinsareuploaded,pleasesend
ablanke-mailwithSubject="Update_request"[email protected]
clickthislink:mailto:[email protected]?subject=Update_request
LeliwaSp.zo.o.LeliwaSp.zo.o.LeliwaSp.zo.o.LeliwaSp.zo.o.Plebiscytowa1.122PL-44-100GliwicePolandGPS:N50.2981,E018.6561telephone:+48323766305fax:+48323766307Skype:leliwa_polandemail:[email protected]
LeliwaTelecomABLeliwaTelecomABLeliwaTelecomABLeliwaTelecomABOrrpelsvgen66SE-16766BROMMASwedenGPS:N59.3260,E17.9464telephone:+4684459430email:[email protected]