06-Data Integrity Protection and Encryption

RAN Feature Description Table of Contents

Table of Contents

Chapter 6 Data Integrity Protection and Encryption................................................................6-16.1 Introduction...................................................................................................................... 6-1

6.1.1 Definition...............................................................................................................6-16.1.2 Purposes...............................................................................................................6-16.1.3 Terms and Abbreviations.......................................................................................6-1

6.2 Availability........................................................................................................................ 6-46.2.1 Network Elements Involved...................................................................................6-46.2.2 Software Releases................................................................................................6-46.2.3 Miscellaneous........................................................................................................6-5

6.3 Impact.............................................................................................................................. 6-56.3.1 On System Performance.......................................................................................6-56.3.2 On Other Features.................................................................................................6-5

6.4 Restrictions...................................................................................................................... 6-56.5 Technical Description.......................................................................................................6-5

6.5.1 Data Integrity Protection and Encryption Configuration Model..............................6-56.5.2 System Architecture..............................................................................................6-66.5.3 Algorithms of Data Integrity Protection and Encryption.........................................6-6

6.6 Capabilities....................................................................................................................6-126.7 Implementation..............................................................................................................6-12

6.7.1 Enabling Data Integrity Protection and Encryption..............................................6-136.7.2 Reconfiguring Parameters...................................................................................6-136.7.3 Disabling Data Integrity Protection and Encryption..............................................6-14

6.8 Maintenance Information................................................................................................6-146.8.1 Alarms.................................................................................................................6-146.8.2 Counters..............................................................................................................6-14

6.9 References..................................................................................................................... 6-15

Huawei Technologies Proprietary

i

RAN Feature Description List of Figures

List of Figures

Figure 6-1 Data Integrity Protection and Encryption configuration model.............................6-5

Figure 6-2 Integrity protection and encryption procedures....................................................6-6

Figure 6-3 Encryption and decryption of user and signaling data.........................................6-9

Figure 6-4 Derivation of MAC-I or XMAC-I from a signaling message................................6-10

Figure 6-5 Summary of UMTS access security...................................................................6-11


ii

RAN Feature Description List of Tables

List of Tables

Table 6-1 NEs required for data integrity protection and encryption......................................6-4

Table 6-2 RAN products and related versions.......................................................................6-4

Table 6-3 Algorithms for integrity protection and encryption..................................................6-6

Table 6-4 Parameters of integrity protection and encryption algorithms................................6-8

Table 6-5 Commands for the reconfiguration on the RNC side...........................................6-13

Table 6-6 Data integrity protection and encryption counters................................................6-14


iii

RAN Feature Description Chapter 6 Data Integrity Protection and Encryption

Chapter 6 Data Integrity Protection and Encryption

6.1 Introduction

6.1.1 Definition

To protect user data from illegal interception and networks from illegal access, the WCDMA system introduces data integrity protection and encryption.

The data integrity protection function enables receiving entity (UE or RNC) to verify if the signaling data is illegally changed.

The WCDMA system uses longer cipher keys, as well as more robust encryption and data integrity algorithms for security of user data and networks.

6.1.2 Purposes

The purposes of this feature are as follows:

To enhance network and user data security To protect the data and networks from illegal interception and changing To prevent the imitation behavior

6.1.3 Terms and Abbreviations

I. Terms

Term Description

Quintet, UMTS authentication vector

Temporary protocol of authentication and key, which enables UMTS AKA function for a certain user in a VLR/SGSN. A quintet consists of five elements:

Random Number (RAND)

Expected Response (XRES)

Cipher Key (CK)

Integrity Key (IK)

Authentication Token (AUTN)


1


Term Description

Triplet, GSM authentication vector

Temporary protocol data of authentication and key ,which enables GSM AKA function for a particular user in a VLR/SGSN. A triplet consists of three elements:

Random Number (RAND)

Signed Response (SRES)

Ciphering Key (Kc)

Data integrity No signaling data is changed in an unauthorized manner.

UMTS security context

A state established between a UE and a serving network domain as a result of the execution of UMTS AKA. In this state, both sides store UMTS security context data. The data consists of at least UMTS CK, IK and key set identifier (KSI). When CK or IK is converted into Kc to work in a GSM BSS, both sides remain in the UMTS security context state.

GSM security context

A state established between a UE and a serving network domain as a result of the execution of GSM AKA. In this state, both ends store GSM security context data. The data consists at least of GSM cipher Kc and cipher key sequence number (CKSN).

Authentication vector Either a quintet or a triplet

R98-A network node or ME that conforms to R97 or R98 specifications

R99+A network node or ME that conforms to specifications of R99 or later releases

R99 + ME capable of UMTS AKA

Either an R99 + UMTS only ME, an R99 + GSM/UMTS ME, or an R99 + GSM only ME that supports USIM-ME interface

R99 + ME incapable of UMTS AKA

An R99 + GSM only ME that does not support USIM-ME interface

II. Symbols

This chapter uses the following symbols:


2


f 1: message authentication function used to calculate message authentication code (MAC)

f 8: encryption algorithm f 9: integrity algorithm

III. Abbreviations

Abbreviation Full Spelling

AKA Authentication and Key Agreement

AUTN Authentication Token

BSS Base Station System

BTS Base Transceiver Station

CK Cipher Key

CKSN Cipher Key Sequence Number

CS Circuit Switched

HE Home Environment

HLR Home Location Register

IK Integrity Key

IMSI International Mobile Subscriber Identity

KSI Key Set Identifier

LAI Location Area Identity

MACMessage Authentication Code included in AUTN, computed using f1

MS Mobile Station

MSC Mobile Services Switching Center

PS Packet Switched

RAND Random Number

RNC Radio Network Controller

SGSN Serving GPRS Support Node

SQN Sequence number


3


Abbreviation Full Spelling

SN Serving Network

UE User Equipment

UEA UMTS Encryption Algorithm

UIA UMTS Integrity Algorithm

UMTS Universal Mobile Telecommunications System

USIM User Services Identity Module

UTRAN Universal Terrestrial Radio Access Network

Uu Radio interface between UTRAN and UE

VLR Visitor Location Register

XRES Expected Response

6.2 Availability

6.2.1 Network Elements Involved

Table 6-1 describes the NEs involved with data integrity protection and encryption.

Table 6-1 NEs required for data integrity protection and encryption

UE NodeB RNCMSC

ServerMGW SGSN GGSN HLR

√ √ √ - - - - -

Note:

–: not required √: required

Note:

This chapter describes only the availability of the NodeB and the RNC.


4


6.2.2 Software Releases

Table 6-2 describes the versions of RAN products that support data integrity protection and encryption.

Table 6-2 RAN products and related versions

Product Version

RNC BSC6800 V100R002 and later releases

NodeB

DBS3800 V100R005 and later releases

BTS3812A V100R005 and later releases

BTS3812E V100R005 and later releases

6.2.3 Miscellaneous

This feature requires UE and network to support the encryption and integrity algorithms.

6.3 Impact

6.3.1 On System Performance

None.

6.3.2 On Other Features

None.

6.4 RestrictionsNone

6.5 Technical Description

6.5.1 Data Integrity Protection and Encryption Configuration Model

The configuration model for Data Integrity Protection and Encryption is as show in Figure 6-2.


5


GlobalParaClass

RNC

RadioClass

UEA .Class

Encryption algorithm

UIA.Class

Integrity protection algorithm

Figure 6-2 Data Integrity Protection and Encryption configuration model

6.5.2 System Architecture

As shown in Figure 6-3, encryption and integrity protection are implemented on Uu interface. The object of integrity protection is signaling, and that of encryption can either be signaling or data.

UE RNC

Integrity Procedure

Signaling

Encrypt Procedure

Signaling and Data

Figure 6-3 Integrity protection and encryption procedures

6.5.3 Algorithms of Data Integrity Protection and Encryption

I. Algorithm Introduction

Table 6-1 describes the algorithms for integrity protection and encryption.

Table 6-1 Algorithms for integrity protection and encryption

Algorithm Description

UMTS Integrity Algorithm (UIA)

According to protocols, currently RNC supports only UIA1, namely, the f9 integrity protection.

UMTS Encryption Algorithm (UEA)

According to protocols, RNC supports only two encryption algorithms:

UEA0: no encryption

UEA1: f8 encryption algorithm


6


Parameter name Encryption algorithm

Parameter ID ENCRYPTIONALGO

GUI range UEA0, UEA1

Physical range& unit -

Default value -

Optional / Mandatory Optional

MML command SET UEA

Description:

The encryption algorithm supported by RNC. Both UEA0 and UEA1 can be selected at one time.

Parameter name Integrity protection algorithm

Parameter ID INTEGRITYPROTECTALGO

GUI range UIA1

Physical range& unit -

Default value UIA1

Optional / Mandatory Optional

MML command SET UIA

Description:

The integrity protection algorithm supported by RNC. Only UIA1 is supported currently.

Configuration Rule and Restriction:

UE is required to support the encryption and integrity algorithms.

Table 6-2 describes the parameters of the algorithms.


7


Table 6-2 Parameters of integrity protection and encryption algorithms

Parameter Name Description

IKIntegrity key

IK is composed of 128 bits.It is used to establish CS connection (IKCS) between CS domain and UE, or PS connection (IKPS) between PS domain and UE, or using the latest IK received from either IKCS or IKPS for integrity protection. For UMTS subscribers, IK is established during the implementation of UMTS AKA and stored in the USIM card with a copy in ME.

IK can be sent:

From the USIM card to ME upon request of ME

From the HLR/AuC to the VLR/SGSN and stored in the VLR/SGSN as part of a quintet

From the VLR/SGSN to the RNC in the (RANAP) security mode command message

CKCipher key

CK is 128 bits long. It is used to establish CS connection (CKCS) between CS domain and UE, or PS connection (CKPS) between PS service domain and UE. Signaling Radio Barrier (SRB) CK refers to the latest CK received from either CKCS or CKPS. For UMTS subscribers, CK is established during the implementation of UMTS AKA. It is stored in the USIM card with a copy in ME.

CK can be sent:

From the USIM card to ME upon request of ME

From the HLR/AuC to the VLR/SGSN and stored in the VLR/SGSN as part of the quintet

From the VLR/SGSN to the RNC in the (RANAP) security mode command message.

II. UTRAN Encryption of Signaling and Data

Authentication allows safe communications between UE and network. CN and UE share a CK after a successful authentication

Encryption and decryption are implemented in UE and the RNC (L2). Therefore, it needs the CN sends the CK to the RNC in a RANAP security mode command message, and then RNC sends the CK to UE in a RRC security mode command message to initiate the encryption.


8


As shown in Figure 6-4, the UMTS encryption mechanism is based on the stream cipher concept. To be more specific, plain text data is added bit by bit to pseudo-random mask data generated by CK and other parameters. The benefit of such encryption mechanism is that the generation of the pseudo-random mask data is independent of the plain text data. Therefore, the final encryption process is fast. The decryption on the receiving side is the same, because adding the pseudo-random mask bits twice has the same result as adding zeros once.

PLAINTEXTBLOCK

f8

COUNT - C/32 DIRECTION/1BEARER/5 LENGTH

CK/128

KEYSTREAMBLOCK(MASK)

CIPHERTEXTBLOCK

f8

COUNT - C/32

BEARER/5 LENGTH

CK/128

KEYSTREAMBLOCK(MASK)

PLAINTEXTBLOCK

SenderUE or RNC

ReceiverRNC or UE

DIRECTION/1

Figure 6-4 Encryption and decryption of user and signaling data

The algorithm involves following parameters:

Cipher Key (CK) Cipher sequence number (COUNT-C) Direction bit (DIRECTION) Length indication (LENGTH) Radio bearer identifier (BEARER)

Since the pseudo-random mask data does not depend on the plain text, there has to be another parameter that changes every time when a new mask is generated. Otherwise, two different plain texts, say P1 and P2, would be protected by the same mask. When P1 is added to P2 bit by bit, the encrypted counterpart of P1 is added to that of P2 at the same time. The resultant bit strings of these two processes are exactly the same because two identical masks cancel each other in the bit-by-bit addition. In this case, any attacker can get the bit-by-bit sum of P1 and P2 and wiretap the encrypted messages on the radio interface.

If two bit strings of meaningful data are added to P1 and P2 bit by bit, the resultant bit string will reveal them totally. This interrupts the encryption of messages P1 and P2.


9


III. UMTS Intergrity Protection of Signalling

The purpose of integrity protection is to authenticate individual signaling messages. Independent authentications ensure correct identification of the communicating parties.

Integrity protection is implemented at the RRC layer of the radio interface by the UE and RNC. The IK is generated during AKA, and sent to RNC with CK in the security mode command message.

Figure 6-5 shows how to authenticate the data integrity of a signaling message with integrity algorithm f9.

f 9

COUNT -I/32 DIRECTION/1

MESSAGE FRESH/32

IK/128

MAC –I/32

f 9

COUNT -I/32 DIRECTION/1

MESSAGE FRESH/32

IK/128

XMAC –I/32

SenderUE or RNC

ReceiverRNC or UE

Figure 6-5 Derivation of MAC-I or XMAC-I from a signaling message

This algorithm involves the following parameters:

Integrity Key (IK) Integrity sequence number (COUNT-I) A random value generated at the network side (FRESH) Direction bit (DIRECTION) Signaling data (MESSAGE)

Based on these input parameters, UE uses integrity algorithm f9 to calculate MAC-I, that is, the message authentication code for data integrity. The MAC-I is then appended to the message when it is sent over the radio access link. The receiver calculates XMAC-I by the same algorithm and verifies the data integrity by comparing the XMAC-I with the received MAC-I.


10


IV. Summary of Access Security

AKA Algorithms

Encryption and IntegrityProtection Algorithms

AKA Algorithms

VLR

RES

Encryption and IntegrityProtection Algorithms

K SQN AuC

Authentication Vectors

K SQNUSIM

Securecommunication

CKcs,I Kcs

HLR/AUC

SGSN

CKps,I Kps

RNC

CKps,I Kps

ME

USIM

RAND,AUTN

CKcs,I Kcs

Figure 6-6 Summary of UMTS access security

As a summary of this section, Figure 6-6 shows the most important access security mechanisms and the relationship between them. For clarity, the figure does not show all the parameters.


11


V. Negotiation of Encryption and Integrity Mode

Before connecting to the network, UE sends an MS/USIM Classmark message to confirm its encryption and integrity algorithms. This message needs no integrity protection because RNC receives and stores the message without using IK. The latest generated IK is used to protect the data integrity of the message during the setup of the security mode.

The network compares the information with UE, including integrity protection capabilities, preference, and special requirements that are signed on CN and indicated by UE. Then, the network acts according to the following rules:

If the network and UE do not share any version of UIA algorithm, the connection will be released.

If the network and UE share at least one version of UIA algorithm, the network will choose one of the mutually acceptable versions for the connection.

The network compares the information with UE, including integrity protection capabilities, preference, and special requirements that are signed on CN and indicated by UE. Then the network acts according to the following rules:

If the network and UE do not share any version of UEA algorithm, and the CN does not indicate that unencrypted connection can be set up, then no unencrypted connection can be set up, and the connection will be released.

If the network and UE do not share any version of UEA algorithm in use, and UE (home environment of UE) and CN allow an unencrypted connection, the unencrypted connection will be used.

If the network and UE share at least one UEA algorithm, the network will choose one of the mutually acceptable versions for the connection.

Neither the mode nor the algorithm of integrity protection and encryption can be changed when UE is connected to another CN. The CS and PS domains share the same preferences and special requirements for setting the encryption and integrity modes, for example, the preference of the algorithms.

If there are RABs connecting UE to both CS and PS domains, the user data for CS domain is always encrypted by the CK received from the CS domain, and that for PS domain by the CK received from the PS domain. However, the signaling data shall always be encrypted by the latest CK received from the PS or CS domain.

6.6 CapabilitiesNone.


12


6.7 ImplementationHuawei WCDMA network supports integrity protection algorithm UIA1, as well as the encryption algorithms UEA0 and UEA1. According to related protocols, the CS and PS domains of CN must use the same algorithm. Therefore, RNC must choose at least one integrity protection algorithm and one encryption algorithm, and ensure that there is intersection of the chosen algorithms between CN and RNC.

The default settings are as follows:

Integrity protection algorithm: UIA1 Encryption algorithm: UEA0 and UEA1

6.7.1 Enabling Data Integrity Protection and Encryption

This feature does not need extra hardware or initialization. It takes effect automatically.

For the network planning or optimization, the data can be adjusted on the RNC LMT as required.

6.7.2 Reconfiguring Parameters

I. Parameter Reconfiguration on the RNC Side

Table 6-1 describes the commands used for the reconfiguration on the RNC side.

Table 6-1 Commands for the reconfiguration on the RNC side

Function Command

About the encryption algorithm that the RNC supports

To query the encryption algorithm that the RNC supports

LST UEA

To set the encryption algorithm that the RNC supports

SET UEA

About the integrity protection algorithm that the RNC supports

To query the integrity protection algorithm that the RNC supports

LST UIA

To set the integrity protection algorithm that the RNC supports

SET UIA

II. Parameter Reconfiguration on the NodeB Side

None.


13


III. Examples

//Set the encryption algorithms to UEA0 and UEA1.

SET UEA: ENCRYPTIONALGO=UEA0-1&UEA1-1;

//Set the integrity protection algorithm to UIA1.

SET UIA: INTEGRITYPROTECTALGO=UIA1-1;

6.7.3 Disabling Data Integrity Protection and Encryption

Data integrity protection and encryption can be set and reconfigured, but not disabled.

6.8 Maintenance Information

6.8.1 Alarms

None.

6.8.2 Counters

The counters related with data integrity protection and encryption belong to RNC -> SM.RNC, where RNC is measurement object type, and SM.RNC is measurement unit. Table 6-2 lists the counters.

Table 6-2 Data integrity protection and encryption counters

Item Description

VS.IU.Att.SecMode Number of SECURITY MODE COMMAND Messages Received by RNC from CN

VS.IU.SuccSecModeNumber of SECURITY MODE COMPLETE Messages Sent from RNC to CN

VS.IU.RejSecMd.RnlNumber of SECURITY MODE REJECT Messages Sent from RNC to CN due to Radio Network Layer Cause

VS.IU.RejSecMd.TnlNumber of SECURITY MODE REJECT Messages Sent from RNC to CN due to Transport Layer Cause

VS.IU.RejSecMd.NASNumber of SECURITY MODE REJECT Messages Sent from RNC to CN due to NAS Cause

VS.IU.RejSecMd.OptNumber of SECURITY MODE REJECT Messages Sent from RNC to CN due to Network Optimization

VS.IU.RejSecMd.UnspNumber of SECURITY MODE REJECT Messages Sent from RNC to CN due to Unspecified Failure


14


Item Description

VS.Uu.Att.SecModeNumber of SECURITY MODE COMMAND Messages Sent from RNC to UE

VS.Uu.Succ.SecModeNumber of SECURITY MODE COMPLETE Messages Received by RNC from UE

6.9 References 3GPP TS 33.102 "3rd Generation Partnership Project; Technical Specification

Group Services and System Aspects; 3G Security; Security Architecture" 3GPP TS 31.111 "USIM Application Toolkit (USAT)"


15

Documents

06-Data Integrity Protection and Encryption