07 Tm2201eu04tm 0002 Security Features


Security Features Siemens

Security Features

Contents
1 Overview 3
2 IMEI Check 9
3 (P-)TMSI Allocation 15
4 Authentication 21
5 Ciphering & Integrity Check 35
6 Exercise 47
7 Solution 53

TM2201EU04TM_0002
1
© 2002 Siemens AG

1 Overview

UMTS Security Features: Overview

[Fig. 1: TS 33.102 Security Architecture. The figure places the security feature groups between USIM, ME, Access Network AN, Serving Network SN and Home Environment HE:
I) Network Access Security: provides users with secure access to 3G services & protects against attacks on the radio access link
II) Network Domain Security: enables secure signaling data exchange & protects against attacks on the wireline network
III) User Domain Security: secures access to the MS (e.g. PIN)
IV) Application Domain Security: enables applications in the user & provider domain to securely exchange messages (e.g. USIM ATK messages)
*also: User Services Identity Module]

Fig. 1


UMTS Security Features: Overview


Five security feature groups are defined in UMTS (TS 21.133, 33.102, 31.120). Each
of these feature groups counters certain threats and accomplishes certain security
objectives:
I) Network Access Security:
The network access security features, which are defined more precisely in the
following chapter, provide users with secure access to UMTS services. Additionally,
some of them protect the user and the network against attacks on the radio access
link. Currently, User Identity Confidentiality (P-TMSI / TMSI Allocation), Entity
Authentication (User / Network Authentication), Confidentiality (Ciphering), Data
Integrity and Mobile Equipment Identification (IMEI Check) are defined as Network
Access Security features.
II) Network Domain Security:
The network domain security features will be defined in the future to enable nodes in
the provider domain to securely exchange signaling data and to protect against
attacks on the wire-line network.
III) User Domain Security:
The user domain security features have been defined to enable secure access to the
user equipment UE. Currently User-to-USIM Authentication (e.g. PIN; see TS 31.101)
and USIM-Terminal Link security (restricting an ME to an authorized USIM by sharing
a secret; see TS 22.022) are defined.
IV) Visibility and Configurability of Security:
The visibility and configurability features have been defined so that the user is
informed whether a security feature is in operation. Additionally, the user should be
able to decide whether the use and provision of services should depend on the
security feature. Examples of visibility are the indication of access network
encryption and the indication of the level of security (e.g. 3G or 2G network).
Examples of configurability are enabling/disabling User-USIM authentication,
accepting/rejecting incoming non-ciphered calls, setting up or not setting up non-
ciphered calls, and accepting/rejecting the use of certain ciphering algorithms.


Network Access Security Features

[Fig. 2: the network access security features IMEI Check, (P-)TMSI Allocation, Authentication, Ciphering and Data Integrity Check provide users with secure access to 3G services & protect against attacks on the radio access link. References: TS 21.133 Security Threats & Requirements; TS 33.102 Security Architecture; TS 33.120 Security Principles & Objectives.]

Fig. 2


Network Access Security Features


Similar to GSM, the UMTS system provides mechanisms to guarantee network access
security. Some features are the same as in GSM, others have been enhanced, and two
new aspects have been added. The following network access security features have
been defined in Rel. ’99:
IMEI Check: To prevent the usage of stolen or not allowed mobile equipment, the
mobile equipment identity can be checked by the network. This feature remains the
same as in GSM.
P-TMSI / TMSI Allocation: To guarantee user identity confidentiality and user
location confidentiality, the permanent user identity IMSI is normally not transmitted
over the radio interface. The user is normally identified by the temporary identity
TMSI / P-TMSI, by which he is known in the serving network. This feature remains
the same as in GSM.
Authentication: In UMTS, authentication is extended compared to GSM. In addition to
the User Authentication, a Network Authentication is introduced. User Authentication
is the property that the Serving Network SN checks the real identity of the user,
preventing non-authorized access to the network. Network Authentication is a check
whether the connected SN is really authorized by the user’s Home PLMN to provide
him services. This includes the guarantee that this authorization is recent.
Ciphering: Ciphering prevents eavesdropping of user data and signaling over the
radio interface. UMTS ciphering has been enhanced compared to GSM/GPRS.
Data Integrity Check: The Data Integrity Check has been introduced as a new
security feature in UMTS. It provides security against unauthorized modification of
signaling data or change of the data origin.

As in GSM/GPRS, user (temporary) identification, authentication and key agreement
take place independently in the PS and CS domain. User traffic is ciphered using the
cipher key agreed for the corresponding service domain. Control data is ciphered and
integrity protected using the cipher and integrity keys from either one of the service
domains.
The Serving RNC has distribution functionality for the PS and CS domain. Two Iu
signaling connections exist, but only one RRC connection.


Network Access Security Features

[Fig. 3: the network access security features placed on the UMTS architecture (UE = ME + USIM, Node B, RNC; CS domain: MSC/VLR and GMSC towards PSTN/ISDN; PS domain: SGSN and GGSN towards IP/X.25; EIR, HLR, AuC):
- TMSI / P-TMSI Allocation: allocated by VLR / SGSN instead of IMSI; protects user identity & location confidentiality
- Authentication: User Authentication (network checks real user identity; prevents misuse / misappropriation of network resources / services) and Network Authentication (UE checks network authorisation to provide service)
- IMEI Check: prevents usage of stolen / not allowed ME
- Ciphering: prevents eavesdropping of user data / signaling on Uu
- Data Integrity Check: provides security against unauthorised modification of signaling data / change of data origin]

Fig. 3


2 IMEI Check

UMTS Security Features

[Fig. 4: IMEI Check. The EIR holds the white / gray / black list; the check detects stolen or not allowed ME. References: TS 23.002, 23.003, 23.060, 24.008, 29.002.]

Fig. 4


IMEI Check
The IMEI Check is an optional feature, which can be used to prevent the usage of
stolen or not allowed mobile equipment. This feature remains the same as in GSM.

The International Mobile Equipment Identity IMEI uniquely identifies a Mobile
Equipment ME. Two versions of the IMEI are defined (TS 23.003):
IMEI: The IMEI is composed of a Type Approval Code TAC (6 digits), a Final
Assembly Code FAC (2 digits), which identifies the place of manufacture / final
assembly, a Serial Number SNR (6 digits), an individual serial number uniquely
identifying each equipment within each TAC and FAC, and a Spare digit (1 digit),
which is zero when transmitted by the MS / UE.
IMEISV (IMEI & Software Version number): The IMEISV is composed of the Type
Approval Code TAC, Final Assembly Code FAC, Serial Number SNR and a Software
Version Number SVN (2 digits), which identifies the ME software version.
The security requirements of the IMEI are defined in 3GPP TS 22.016.
The IMEI should be securely stored in the ME. In certain cases, the Serving Network
SN may request the UE to send it the IMEI. This shall be done only after
authentication. In the case of emergency calls, no IMEI check should be performed.

The Equipment Identity Register EIR (TS 23.002) is responsible for storing the
IMEIs in the network. The ME is classified as "white listed", "gray listed", "black listed"
or it may be unknown, as specified in TS 22.016 and TS 29.002.
The white list is composed of all number series of equipment identities that are
permitted for use. The black list contains all equipment identities that belong to
equipment that needs to be barred. Besides the black and white list, administrations
have the possibility to use a gray list. Equipment on the gray list is not barred, but
is tracked by the network (for evaluation or other purposes).
An EIR shall as a minimum contain a "white list".


IMEI Check

[Fig. 5: IMEI Check (optional; not in case of emergency calls) against the EIR white / gray / black list (TS 23.002). Identity formats (TS 23.003):

IMEI: International Mobile station Equipment Identity
  TAC    Type Approval Code       6 digits = 24 Bit
  FAC    Final Assembly Code      2 digits = 8 Bit
  SNR    Serial Number            6 digits = 24 Bit
  Spare                           1 digit = 4 Bit

IMEISV: IMEI & Software Version number
  TAC    Type Approval Code       6 digits = 24 Bit
  FAC    Final Assembly Code      2 digits = 8 Bit
  SNR    Serial Number            6 digits = 24 Bit
  SVN    Software Version Number  2 digits = 8 Bit]

Fig. 5


IMEI Check Procedure


The IMEI(SV) shall only be sent after authentication (TS 33.102).
It shall be possible to perform the IMEI check at any access attempt, except IMSI
detach, and during an established call at any time when a dedicated radio resource is
available, in accordance with the security policy of the PLMN operator (TS 22.016).
The network shall terminate any access attempt or ongoing call when receiving either
of the answers "black-listed" (i.e. on the black list) or "unknown" equipment (i.e. not
on the white list) from the EIR. In these cases an indication of "illegal ME" shall be
given to the user. Furthermore, this is equivalent to an authentication failure: any call
establishment or location updating is forbidden for the MS / UE, it cannot answer
paging, and it is only allowed to perform Emergency Calls.
Emergency calls must never be terminated as a result of the IMEI check procedure.
The procedures to check the IMEI are described in TS 23.060 and TS 29.002.
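The IMEI(SV) structure and the EIR decision described in this chapter, as an added example that is not part of the course material or any 3GPP implementation; the list contents, IMEIs and the `Eir`/`imei_check` names are constructed for the illustration.

```python
"""EIR-style IMEI check, added to illustrate the IMEI(SV) structure
(TS 23.003) and the EIR decision described above.  Not Siemens course
code; list contents and IMEIs are constructed for the example."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    """Answer of the EIR in the Check IMEI Ack."""
    WHITE = "white"
    GRAY = "gray"
    BLACK = "black"
    UNKNOWN = "unknown"   # not on the white list


@dataclass(frozen=True)
class Imei:
    tac: str                     # Type Approval Code, 6 digits
    fac: str                     # Final Assembly Code, 2 digits
    snr: str                     # Serial Number, 6 digits
    spare: Optional[str] = None  # Spare digit (IMEI only); "0" when sent by the UE
    svn: Optional[str] = None    # Software Version Number, 2 digits (IMEISV only)

    @property
    def equipment(self) -> str:
        """TAC+FAC+SNR: the part that identifies one piece of equipment."""
        return self.tac + self.fac + self.snr


def parse_imei(digits: str) -> Imei:
    """Split a 15-digit IMEI or a 16-digit IMEISV into its fields."""
    if not digits.isdigit():
        raise ValueError("IMEI(SV) must consist of digits only")
    tac, fac, snr = digits[:6], digits[6:8], digits[8:14]
    if len(digits) == 15:
        return Imei(tac, fac, snr, spare=digits[14])
    if len(digits) == 16:
        return Imei(tac, fac, snr, svn=digits[14:16])
    raise ValueError("IMEI has 15 digits, IMEISV has 16")


class Eir:
    """Equipment Identity Register holding the three lists (TS 22.016)."""

    def __init__(self, white_series, black=(), gray=()):
        self.white_series = set(white_series)  # number series (TAC+FAC) permitted for use
        self.black = set(black)                # individual equipment to be barred
        self.gray = set(gray)                  # individual equipment tracked, not barred
        self.tracked = []                      # gray-listed equipment seen, for evaluation

    def check_imei(self, imei: Imei) -> Status:
        if imei.equipment in self.black:
            return Status.BLACK
        if imei.equipment in self.gray:
            self.tracked.append(imei.equipment)
            return Status.GRAY
        if imei.tac + imei.fac in self.white_series:
            return Status.WHITE
        return Status.UNKNOWN


def imei_check(eir: Eir, digits: str, *, authenticated: bool,
               emergency_call: bool = False):
    """VLR/SGSN side of the procedure: returns (EIR status, decision).

    decision is "continue" or "block"; status is None when no check
    was made (emergency call)."""
    if emergency_call:
        # No IMEI check for emergency calls; they are never terminated by it.
        return None, "continue"
    if not authenticated:
        # The IMEI(SV) is requested only after authentication (TS 33.102).
        raise PermissionError("Identity Request for IMEI before authentication")
    status = eir.check_imei(parse_imei(digits))
    # Black-listed or unknown (not on the white list) equipment is blocked.
    decision = "block" if status in (Status.BLACK, Status.UNKNOWN) else "continue"
    return status, decision
```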


IMEI Check

[Fig. 6: IMEI Check procedure (TS 33.102, TS 29.002) between UE, S-RNC, VLR / SGSN and EIR, after Authentication:
1) Identity Request (VLR / SGSN -> S-RNC)
2) Identity Request [Identity Type] (S-RNC -> UE)
3) Identity Response [IMEI/IMEISV] (UE -> S-RNC)
4) Identity Response (S-RNC -> VLR / SGSN)
5) Check IMEI [IMEI/IMEISV] (VLR / SGSN -> EIR)
6) Check IMEI Ack. [status: white/gray/black] (EIR -> VLR / SGSN)
Decision: Continue / Block
Notes: optional; after authentication; to be performed at any access attempt & during established calls at any time; not in case of emergency calls; not at IMSI Detach]

Fig. 6


3 (P-)TMSI Allocation

UMTS Security Features

[Fig. 7: (P-)TMSI Allocation. The MSC/VLR allocates a TMSI and the SGSN a P-TMSI to the ME; an IMSI on the air interface would reveal the subscriber ("IMSI? => Mr. / Ms. XY!"). References: TS 23.002, 23.003, 23.060, 24.008, 29.002.]

Fig. 7


(P-)TMSI Allocation
A unique International Mobile Subscriber Identity IMSI shall be allocated to each
mobile subscriber in the GSM system.
To achieve user identity confidentiality and user location confidentiality, the user is
normally identified by a temporary identity (Temporary Mobile Subscriber Identity
TMSI or Packet-TMSI) by which he is known to the Serving Network SN. To avoid
user traceability, which may lead to a compromise of user identity confidentiality, the
user should not be identified for a long period by means of the same (P-)TMSI (TS
33.102). The (P-)TMSI should be used at any Location Update Request, Service
Request, Detach Request, connection re-establishment request, etc.
A (P-)TMSI has local significance only in the LAI or RAI in which the user is
registered. Outside that area it should be accompanied by the appropriate LAI or RAI
in order to avoid ambiguities. The association between IMSI and TMSI / P-TMSI is
kept by the VLR / SGSN in which the user is registered.

IMSI structure
The IMSI is composed of three parts: Mobile Country Code MCC, Mobile Network
Code MNC and Mobile Subscriber Identification Number MSIN. The MCC (3 digits;
CCITT administered) uniquely identifies the country of the mobile subscriber. The
MNC (2 digits) identifies the Home PLMN of the mobile subscriber. The MSIN
identifies the mobile subscriber within a GSM PLMN. The IMSI shall consist of
numerical characters (0 through 9) only. The overall number of digits in the IMSI shall
not exceed 15.

(P-)TMSI structure
Since the (P-)TMSI has only local significance (i.e. within a VLR/SGSN area), its
structure and coding can be chosen by agreement between operator and
manufacturer in order to meet local needs. The P-TMSI / TMSI consists of 3 / 4
octets. It can be coded using a full hexadecimal representation.


Subscriber Identity

[Fig. 8:
IMSI: International Mobile Subscriber Identity (15 digits) = MCC (3 digits) | MNC (2 digits) | MSIN (10 digits)
  MCC: Mobile Country Code; MNC: Mobile Network Code; MSIN: Mobile Subscriber Identification Number
TMSI / P-TMSI:
• protect user identity confidentiality
• normally used in case of unciphered user id. transmission
• allocated by VLR/SGSN
• local significance only in the LA/RA where the user is registered => accompanied by LAI/RAI
• structure: operator-dependent
• re-allocation as often as possible (only ciphered & in conjunction with other procedures)
TMSI: 4 bytes (VLR); Packet-TMSI: 3 bytes (SGSN)
References: TS 33.102, TS 23.003]

Fig. 8


(P-)TMSI Usage & Re-Allocation


The (P-)TMSI, when available, is normally used to identify the user on the radio
access path, for instance in Paging Requests, Location Area / Routing Area (LA / RA)
Update Requests, Attach / Detach Requests, Service Requests, Connection Re-
establishment Requests, etc.
If the user cannot be identified by means of a (P-)TMSI, he is requested to identify
himself by his permanent identity IMSI (“User Identity Request / Response”).
(P-)TMSI Re-Allocation (“(P-)TMSI Allocation Command / Complete”) is performed to
allocate a new TMSI/LAI or P-TMSI/RAI pair to a user, by which he may
subsequently be identified on the radio access link. It should be performed after the
initiation of ciphering. The Re-Allocation is initiated by the VLR / SGSN.
The (P-)TMSI usage and re-allocation procedures and mechanisms are described
e.g. in TS 23.060 and TS 31.102.
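A small model of the VLR side of this chapter (identification by TMSI plus LAI, fallback to the IMSI, re-allocation only after cipher start), as an added example that is not part of the course material; the `Vlr` class, the LAI format and the TMSI generator are constructed for the illustration.

```python
"""Model of (P-)TMSI handling in a VLR, added to illustrate the
identification and re-allocation steps above.  Not Siemens or 3GPP
code; IMSIs, LAIs and the TMSI generator are constructed."""
import secrets
from typing import Optional


def parse_imsi(imsi: str) -> dict:
    """Split an IMSI into MCC (3 digits), MNC (2 digits) and MSIN (TS 23.003)."""
    if not imsi.isdigit() or len(imsi) > 15:
        raise ValueError("IMSI: digits 0-9 only, at most 15 digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:5], "msin": imsi[5:]}


class Vlr:
    """Keeps the IMSI <-> TMSI association for one location area."""
    TMSI_OCTETS = 4          # TMSI: 4 octets (a P-TMSI in the SGSN: 3 octets)

    def __init__(self, lai: str):
        self.lai = lai
        self.by_tmsi: dict = {}      # TMSI -> IMSI
        self.by_imsi: dict = {}      # IMSI -> TMSI
        self.ciphered: set = set()   # IMSIs whose connection has cipher start done

    def identify(self, lai: str, tmsi: str) -> Optional[str]:
        """Resolve the (LAI, TMSI) pair from an initial message.

        None means the user cannot be identified by the TMSI, so a
        User Identity Request for the IMSI is needed."""
        if lai != self.lai:
            return None   # TMSI has local significance only: foreign LAI
        return self.by_tmsi.get(tmsi)

    def cipher_start(self, imsi: str) -> None:
        self.ciphered.add(imsi)

    def reallocate(self, imsi: str) -> str:
        """TMSI Allocation Command: issue a fresh TMSI, only after cipher start."""
        if imsi not in self.ciphered:
            raise RuntimeError("TMSI re-allocation must follow cipher start")
        old = self.by_imsi.pop(imsi, None)
        if old is not None:
            del self.by_tmsi[old]      # the old TMSI is no longer valid
        while True:                     # unique within this VLR area
            tmsi = secrets.token_hex(self.TMSI_OCTETS).upper()
            if tmsi not in self.by_tmsi:
                break
        self.by_tmsi[tmsi] = imsi
        self.by_imsi[imsi] = tmsi
        return tmsi
```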


Examples of (P-)TMSI Usage / Re-Allocation

[Fig. 9: message flow between UE, S-RNC and VLR / SGSN (TS 33.102, TS 23.060):
- Paging [(IMSI) / (P-)TMSI, Paging Cause] (VLR / SGSN -> S-RNC -> UE)
- Initial Direct Transfer (UE -> S-RNC) / Initial UE Message (S-RNC -> VLR / SGSN) [Establ. Cause*; old RAI/LAI & (P-)TMSI]: NAS Signaling Connection Establishment*
- User Identity Request / User Identity Response [IMSI]: used when identification by (P-)TMSI is not possible
- Authentication & Cipher Start
- (P-)TMSI Allocation Command [(P-)TMSI + LAI/RAI] / (P-)TMSI Allocation Complete: (P-)TMSI Re-Allocation
*e.g. LUP, RUP, Attach, Detach, Service Request
NAS: Non-Access Stratum]

Fig. 9


4 Authentication

UMTS Security Features

[Fig. 10: UMTS Authentication was chosen to achieve maximum compatibility with the GSM security architecture, with an enhanced mechanism & keys (TS 33.102). Parties: USIM and ME, Access Network AN, Serving Network SN, Home Environment HE with the AuC.]

Fig. 10


Authentication
In UMTS, unlike GSM, both sides of the radio transmission check the correct
identity of their counterpart. Not only is the user identity checked by the Serving
Network SN; additionally, the authorization of the SN to provide services is checked
by the UE. Both user and network authentication should occur at each connection
set-up (TS 33.102).
So the objective of the Authentication process is to enable User Authentication,
similar to GSM Authentication, and additionally Network Authentication.
Furthermore, the Authentication process provides the keys for Ciphering and
Integrity Check to the User Equipment UE.
The authentication process should occur at each connection set-up between the user
and the network.
It has been chosen in such a way as to achieve maximum compatibility with the GSM
security architecture and to facilitate migration from GSM to UMTS.
Nevertheless, the security mechanism and keys for authentication have been
enhanced significantly.


User & Network Authentication Basics

[Fig. 11: User Authentication: "User identity alright?" (checked by the SN). Network Authentication (New!): "SN authorised by HE to provide me services?" (checked by the UE). Authentication should occur at each connection set-up and provides the keys for Ciphering and Signaling Data Integrity. Parties: USIM, Access Network AN, Serving Network SN, Home Environment HE with the AuC.]

Fig. 11


Authentication – Basic Principle


For Authentication, Ciphering and Integrity Check a secret Key K is the pre-requisite.
This secret Key K is shared between, and available only to, the USIM and the AuC in
the user’s Home PLMN (TS 33.102). The function of K is similar to the GSM
individual Key Ki, but it is of enhanced length (K: 128 bit; Ki: 64 bit).
Additionally, several different operator-dependent functions are necessary in the
HPLMN’s AuC and in the USIM to generate the so-called Authentication Vector AV,
which is necessary for Authentication, Ciphering and Integrity Check. The AV is often
also denoted as a Quintet, in analogy to the GSM Authentication Triplets.
Authentication is performed independently in the CS and PS domain.
If no Authentication Vectors for the user are stored in the serving VLR/SGSN, the
VLR/SGSN initiates the Authentication process with an “Authentication Data
Request” via the HLR of the user’s HPLMN to the AuC. The “Authentication Data
Request” shall include the IMSI. On the basis of this request, the AuC generates a
set of n Authentication Vectors AVs. These AVs are sent back in an “Authentication
Data Response” from the AuC via the HLR to the VLR/SGSN.
The VLR/SGSN stores the Authentication Vectors AVs and continues the
Authentication by sending authentication parameters to the USIM (“Authentication
Request”). The UE stores the parameters, calculates the keys for ciphering and
integrity check and performs the network authentication. If the network authentication
is successfully completed, the UE answers the VLR/SGSN request with
“Authentication Response”, delivering a parameter for user authentication. The
VLR/SGSN performs user authentication.
If user authentication is successful, the VLR/SGSN continues with the connection
set-up.
If the user’s AVs are already stored in the VLR/SGSN, “Authentication Data Request”
and “Authentication Data Response” are not necessary in the Authentication process.


Basic Principles

[Fig. 12: the secret Key K (128 bit) and the functions f1...f5 are held in the USIM and in the AuC (IMSI => K; f1...f5). Visited PLMN: VLR / SGSN; Home PLMN: HLR, AuC.
- Authentication Data Request [IMSI] (VLR / SGSN -> HLR -> AuC)
- Authentication Data Response [AV(1..n)] (AuC -> HLR -> VLR / SGSN); AV = Authentication Vector / Quintet
- Authentication Request [Authentication Parameter] (VLR / SGSN -> USIM): Network Authentication in the USIM
- Authentication Response (USIM -> VLR / SGSN): User Authentication in the VLR / SGSN
K: secret Key; SQN: Sequence Number; f1...f5: message authentication / key generating Functions]

Fig. 12


Authentication Vector AV
Each Authentication Vector consists of the following components (TS 33.102):
• a Random Number RAND, which is randomly generated, i.e. non-predictable. Its
length is 128 bit.
• an Expected Response XRES, which is used for User Authentication. It shall
have a flexible length of 32 – 128 bit.
• a Cipher Key CK, which is necessary for Ciphering. It shall have a fixed length of
128 bit.
• an Integrity Key IK, which is used for Signaling Data Integrity Check. Its length is
128 bit.
• an Authentication Token AUTN, which is used for Network Authentication. AUTN
consists of three different parts, described later on. Its total length is 128 bit.

A set of n Authentication Vectors AVs is sent on VLR/SGSN request from the HLR/AuC
to the VLR/SGSN. The AVs are stored in the VLR/SGSN. Each AV is good for one
authentication and key agreement (for ciphering & integrity check) between the
VLR/SGSN and the USIM.
When the VLR/SGSN initiates an Authentication and key agreement, it selects the
next AV and sends the parameters RAND and AUTN to the UE. The USIM checks
whether AUTN can be accepted (Network Authentication) and computes a
Response RES. RES is sent back to the VLR/SGSN. The VLR/SGSN compares the
received RES with the AV parameter XRES (User Authentication). If they are equal,
User Authentication is successfully completed.


Authentication Vector AV

[Fig. 13:
  RAND   Random Number          128 bit            randomly generated, i.e. non-predictable
  XRES   Expected Response      32 - 128 bit       used for user authentication
  CK     Cipher Key             128 bit            used for data encryption
  IK     Integrity Key          128 bit            used for integrity check
  AUTN   Authentication Token   48 + 16 + 64 bit   consisting of 3 parts; used for network authentication
Flow: VLR / SGSN (stores AV(1..n)) -> Authentication Request [RAND(i), AUTN(i)] -> USIM generates RES(i) = f2(RAND(i),K) and uses AUTN(i) for Network Authentication -> Authentication Response [RES(i)] -> VLR / SGSN compares XRES(i) & RES(i) (User Authentication). RES: Response]

Fig. 13


Generation of Authentication Vectors AVs


After receiving the “Authentication Data Request” from the VLR/SGSN, the AuC
generates new AVs (TS 33.102). Every AV consists of the following five parameters:
Random Number RAND, Expected Response XRES, Cipher Key CK, Integrity Key IK
and Authentication Token AUTN.
Random Number RAND: The AuC starts by generating a fresh sequence number
SQN and an unpredictable challenge RAND.
Expected Response XRES: The secret Key K, RAND and f2 are necessary to
compute XRES. XRES = f2(K,RAND); f2 is a (possibly truncated) message
authentication function. XRES is used for User Authentication.
Cipher Key CK: K, RAND and f3 are used to compute CK. CK = f3(K,RAND); f3 is a
key generating function. CK is used for Ciphering.
Integrity Key IK: K, RAND and f4 are used to compute IK. IK = f4(K,RAND); f4 is a
key generating function. IK is used for Signaling Data Integrity Check.
Authentication Token AUTN: K, RAND, SQN, AMF, f1 and f5 are necessary to
compute AUTN. AUTN consists of three parts: AUTN = (SQN XOR AK) || AMF || MAC.
The first part of AUTN is calculated by an “exclusive or” (XOR) of the Sequence
Number SQN and the Anonymity Key AK. AK = f5(K,RAND); f5 is a key generating
function, or f5 = 0. AK is used to conceal SQN, as the latter may expose the identity
and location of the user. The concealment of SQN protects against passive attacks
only. If no concealment is needed, then f5 = 0 (AK = 0).
The second part of AUTN is the Authentication and key Management Field AMF.
AMF is part of the user’s database in the AuC. Operator-dependent, different f1..f5
algorithms may be defined. AMF may be used to indicate the algorithm and key used
to generate a particular authentication vector.
The third part of AUTN is the Message Authentication Code MAC. MAC =
f1(K,SQN,RAND,AMF); f1 is a message authentication function.


AV Generation

[Fig. 14: in the AuC, the database (IMSI; K) supplies K and AMF, an SQN generator supplies SQN and a RAND generator supplies RAND. These feed f1 ... f5:
  f1 -> MAC   Message Authentication Code  -> Network Authentication
  f2 -> XRES  Expected Response            -> User Authentication
  f3 -> CK    Cipher Key                   -> Ciphering
  f4 -> IK    Integrity Key                -> Integrity Check
  f5 -> AK    Anonymity Key                -> SQN Anonymity
AV = RAND (Random number) || XRES (Expected Response) || CK (Cipher Key) || IK (Integrity Key) || AUTN (Authentication Token)
AUTN = SQN XOR AK (48 bit) || AMF (16 bit) || MAC (64 bit)
AMF: Authentication & key Management Field -> selection of the f1-5 version; different f1-5 versions possible (operator-dependent)]

Fig. 14


Authentication in the USIM


With the “Authentication Request” message, the authentication parameters RAND and
AUTN are transmitted from the VLR/SGSN to the USIM. The purpose of this
procedure is to authenticate user & network and to establish a new pair of cipher and
integrity keys CK & IK between the VLR/SGSN and the USIM.
Upon receipt of RAND and AUTN the USIM first computes the Anonymity Key AK =
f5(K,RAND) and retrieves the Sequence Number SQN = (SQN XOR AK) XOR AK.
Second, the USIM calculates the Expected Message Authentication Code XMAC =
f1(K,SQN,RAND,AMF). For network authentication, XMAC is compared with the MAC
included in AUTN. If they differ, the USIM sends the “Authentication Reject” message
back to the VLR/SGSN and abandons the connection set-up. “Authentication Reject”
includes an indication of the cause for the rejection. In the case of “Authentication
Reject”, the VLR/SGSN shall initiate an Authentication Failure Report procedure
towards the HLR.
If the network authentication is all right, the USIM verifies that the received SQN is in
the correct range.
If the USIM considers SQN not to be in the correct range, it sends “Synchronization
Failure” back to the VLR/SGSN, including the appropriate parameter, and abandons
the connection set-up.
If SQN is in the correct range, the USIM computes RES = f2(K,RAND). Furthermore,
the USIM calculates the Cipher Key CK = f3(K,RAND) and the Integrity Key IK =
f4(K,RAND). CK and IK are stored in the USIM for the following ciphering of user
data and integrity check of signaling data.
Finally, RES is included in the “Authentication Response” message and sent back
from the USIM to the VLR/SGSN. The VLR/SGSN needs RES for User
Authentication. If RES = XRES from the selected AV, the authentication of the user
has been successful. If they differ, the VLR/SGSN shall initiate an Authentication
Failure Report procedure towards the HLR.


Authentication in the USIM

[Fig. 15: the VLR / SGSN (stores AV(1..n)) sends Authentication Request [RAND(i), AUTN(i)] to the USIM. In the USIM: AK = f5(K, RAND); SQN = (SQN XOR AK) XOR AK; XMAC = f1(K, SQN, RAND, AMF), compared with the MAC from AUTN (XMAC = MAC ? -> Network Authentication); RES = f2(K, RAND) (-> User Authentication); CK = f3(K, RAND) (Ciphering); IK = f4(K, RAND) (Integrity Check). The USIM answers with Authentication Response [RES(i)] or Authentication Reject [XMAC ≠ MAC]. The VLR / SGSN compares XRES(i) = RES(i) ? => User Authentication.
AMF: Authentication & key Management Field; AK: Anonymity Key; XMAC: Expected Message Authentication Code]

Fig. 15


Synchronization Failure
At the beginning of the Authentication process, the AuC generates the Sequence
Number SQN. SQN shall have a length of 48 bit. The structure and content of SQN
are operator-dependent. SQN may contain information used to restrict the
Authentication Vector AV validity time or to verify the Serving Network SN identity.
SQN, being a part of AUTN, is transmitted via the VLR/SGSN (“Authentication Data
Response”) to the USIM (“Authentication Request”).
The USIM regenerates SQN and verifies that the received SQN is in the correct
range.
If the USIM considers SQN not to be in the correct range, it sends the
“Synchronization Failure” message back to the VLR/SGSN, including the appropriate
parameter, and abandons the connection set-up.
Upon receiving a “Synchronization Failure” message from the UE, the VLR/SGSN
sends an “Authentication Data Request” with a Synchronization Failure Indication to
the AuC of the user’s Home Environment HE, together with RAND and the
appropriate parameter received from the UE.
The AuC checks the parameter, generates a fresh set of AVs and sends them with
an “Authentication Data Response” message to the VLR/SGSN.
Whenever the VLR/SGSN receives a new set of AVs from the AuC in an
“Authentication Data Response” to an “Authentication Data Request” with
Synchronization Failure Indication, it deletes the old AVs for that UE. The VLR/SGSN
may now start a new authentication process towards the UE based on a new AV from
the AuC.
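The AV generation, the USIM-side checks and the synchronization failure handling of the last three sections carried through end to end, as an added example that is not part of the course material or of 3GPP. UMTS leaves f1..f5 operator-dependent; the HMAC-SHA256 stand-ins, the SQN acceptance window, the resynchronization parameter (modelled simply as the USIM's counter) and the subscriber data are assumptions made for this illustration.

```python
"""End-to-end model of UMTS AKA: AuC AV generation, USIM processing,
VLR/SGSN user authentication and re-synchronisation.  Added example,
not Siemens or 3GPP code.  f1..f5 are operator-dependent in UMTS; the
HMAC-SHA256 stand-ins, the SQN window and the data here are constructed."""
import hashlib
import hmac
import secrets


def _prf(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()


# Output lengths follow the course: MAC 64 bit, XRES 64 bit (32-128 allowed),
# CK 128 bit, IK 128 bit, AK 48 bit (same length as SQN).
def f1(k, sqn, rand, amf): return _prf(k, b"f1", sqn, rand, amf)[:8]
def f2(k, rand): return _prf(k, b"f2", rand)[:8]
def f3(k, rand): return _prf(k, b"f3", rand)[:16]
def f4(k, rand): return _prf(k, b"f4", rand)[:16]
def f5(k, rand): return _prf(k, b"f5", rand)[:6]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AuC:
    def __init__(self, subscribers):            # IMSI -> (K, AMF)
        self.db = dict(subscribers)
        self.sqn = {imsi: 0 for imsi in self.db}

    def generate_avs(self, imsi, n=3):
        """Authentication Data Response: n quintets for this IMSI."""
        k, amf = self.db[imsi]
        avs = []
        for _ in range(n):
            self.sqn[imsi] += 1                          # fresh sequence number
            sqn = self.sqn[imsi].to_bytes(6, "big")      # 48 bit
            rand = secrets.token_bytes(16)               # 128 bit challenge
            ak = f5(k, rand)
            autn = xor(sqn, ak) + amf + f1(k, sqn, rand, amf)   # SQN^AK || AMF || MAC
            avs.append({"RAND": rand, "XRES": f2(k, rand),
                        "CK": f3(k, rand), "IK": f4(k, rand), "AUTN": autn})
        return avs

    def resync(self, imsi, sqn_ms: bytes):
        """Authentication Data Request with Synchronisation Failure Indication.
        Assumption: the USIM's counter is the parameter it sends back.
        Fresh AVs continue above that counter."""
        self.sqn[imsi] = max(self.sqn[imsi], int.from_bytes(sqn_ms, "big"))
        return self.generate_avs(imsi)


class Usim:
    WINDOW = 32   # constructed: accept SQN within this distance above the last one

    def __init__(self, k: bytes, sqn_max: int = 0):
        self.k, self.sqn_max = k, sqn_max
        self.ck = self.ik = None

    def authenticate(self, rand: bytes, autn: bytes):
        """Authentication Request -> (message name, parameter)."""
        ak = f5(self.k, rand)
        sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
        xmac = f1(self.k, sqn, rand, amf)
        if not hmac.compare_digest(xmac, mac):        # network authentication
            return "Authentication Reject", None
        n = int.from_bytes(sqn, "big")
        if not self.sqn_max < n <= self.sqn_max + self.WINDOW:
            return "Synchronisation Failure", self.sqn_max.to_bytes(6, "big")
        self.sqn_max = n
        self.ck, self.ik = f3(self.k, rand), f4(self.k, rand)
        return "Authentication Response", f2(self.k, rand)   # RES


class VlrSgsn:
    def __init__(self, auc: AuC):
        self.auc, self.avs, self.keys = auc, {}, {}

    def authenticate(self, imsi: str, usim: Usim) -> str:
        if not self.avs.get(imsi):                     # no stored AVs: ask the AuC
            self.avs[imsi] = self.auc.generate_avs(imsi)
        av = self.avs[imsi].pop(0)                     # next unused AV
        msg, param = usim.authenticate(av["RAND"], av["AUTN"])
        if msg == "Synchronisation Failure":
            self.avs[imsi] = self.auc.resync(imsi, param)   # old AVs deleted
            return "resync"
        if msg == "Authentication Reject":
            return "reject"                            # -> Authentication Failure Report
        if not hmac.compare_digest(param, av["XRES"]):  # user authentication
            return "fail"                              # -> Authentication Failure Report
        self.keys[imsi] = (av["CK"], av["IK"])         # agreed keys for this domain
        return "ok"
```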


Synchronisation Failure

[Fig. 16: the AuC generates SQN (length = 48 bit; content operator-dependent, e.g. for restricted AV validity time or verification of the SN Id.; SQN XOR AK is part of AUTN). The USIM re-generates SQN and checks whether it is in the correct range: No => Synchronisation Failure; Yes => continue Authentication.
Messages: Authentication Data Request [IMSI] and Authentication Data Response [AV(1..n)] between VLR / SGSN and HLR / AuC; Authentication Request [RAND(i), AUTN(i)] from VLR / SGSN to USIM; Synchronisation Failure or Authentication Response [RES(i)] from USIM to VLR / SGSN; after a Synchronisation Failure, Auth. Data Request [Synch. Failure Indication] and Auth. Data Response [AV(1..n)] between VLR / SGSN and AuC.]

Fig. 16


5 Ciphering & Integrity Check

UMTS Security Features

[Fig. 17: Ciphering & Integrity Check. Ciphering prevents eavesdropping of user data / signalling. Data Integrity Check (Mandatory!!) provides security against unauthorised modification of signalling data / change of data origin. The AV Request provides the keys for Ciphering & Integrity Check (Key Setting). Parties: UE, S-RNC, VLR / SGSN (Serving Network SN), HLR / AuC (Home Environment HE).]

Fig. 17


Ciphering & Integrity Check


To start the security features Ciphering (optional) & Integrity Check (mandatory),
three steps are necessary:

Connection Establishment
At the connection start the RRC Connection Establishment also informs the network
about the UEs security capabilities. They include the MEs UMTS Encryption
Algorithms UEAs and UMTS Integrity Algorithms UIAs. In Rel. ’99 only 2 UEAs and 1
UIA are defined (TS 33.102): UEA0 = “no encryption”, UEA1 = Kasumi encryption,
UIA1 = Kasumi algorithm. The S-RNC stores the UEs security capabilities.

Authentication & Key Generation in UE


Authentication & key setting may be initiated by the network as often as the network operator wishes. Key setting can occur as soon as the identity of the mobile subscriber, i.e. (P-)TMSI or IMSI, is known by the VLR/SGSN.
The security parameter RAND is transmitted with the "Authentication Request" message from the VLR/SGSN to the UE. The USIM uses RAND (together with the subscriber key K, which never leaves the USIM or the AuC) to generate the Cipher Key CK for ciphering and the Integrity Key IK for the integrity check. Now CK and IK are available in the USIM and in the VLR/SGSN, which received them as part of the authentication vector from the HLR/AuC.

Security Mode Set-Up


By sending the "Security Mode Command" to the S-RNC, the VLR/SGSN initiates integrity protection and ciphering. This command includes the IK and CK to be used and the permitted UIAs and UEAs.
The S-RNC decides which UEA and UIA will be used, taking into account the UE's security capabilities stored at connection establishment. If the requirements in the "Security Mode Command" cannot be fulfilled (e.g. no common algorithm), the S-RNC sends a "Security Mode Reject" message to the VLR/SGSN.
Next, the S-RNC starts the DL integrity protection. It is mandatory to start integrity protection of signaling messages at each new signaling connection establishment between the UE and the VLR/SGSN (exceptions listed in TS 33.102).
The S-RNC sends the "Security Mode Command" to the UE. This message includes the selected UIA and, if ciphering shall be started, also the selected UEA. Furthermore, the parameters for the integrity check (the random value FRESH and the MAC-I computed over the message), an indication of the core network domain (CS/PS) and optionally the time of cipher start are included.
The UE verifies the received "Security Mode Command" message (integrity check of its MAC-I) and starts UL integrity protection.
Finally, the UE sends the integrity-protected "Security Mode Complete" to the S-RNC. The security mode set-up is terminated with the "Security Mode Complete" message, which is sent from the S-RNC to the VLR/SGSN. This message includes the selected UIA and UEA. From this point on, (de-)ciphering is started in the UE and the S-RNC.


[Fig. 18, figure not reproduced. Connection Set-up: UMTS, Key Setting & Security Mode Set-Up (UE, S-RNC, VLR/SGSN); message flow recovered from the figure:
 Connection Establishment: UE -> S-RNC: RRC connection establishment, includes UE security capabilities (UIAs / UEAs); the S-RNC stores UIAs, UEAs.
 Authentication & Key Generation: VLR/SGSN -> UE: Authentication Request [RAND, AUTN]; the UE generates RES, XMAC, CK, IK; UE -> VLR/SGSN: Authentication Response [RES].
 Security Mode Set-Up: VLR/SGSN -> S-RNC: Security Mode Command [IK, CK, UIAs, UEAs]; the S-RNC selects UIA & UEA and starts integrity; S-RNC -> UE: Security Mode Command [UIA, UEA, CN domain, Integrity Parameter, Cipher Start]; the UE starts integrity; UE -> S-RNC: Security Mode Complete; S-RNC -> VLR/SGSN: Security Mode Complete; start of (de-)ciphering in UE and S-RNC.
 Footnotes: UMTS Integrity Algorithm UIA (also denoted f9): UIA1 = Kasumi algorithm. UMTS Encryption Algorithm UEA (also denoted f8): UEA0 = no encryption, UEA1 = Kasumi encryption; further UIA/UEA planned.]


Data Integrity Check: Basic Principle


The Data Integrity Check is used between the UE and the VLR/SGSN to protect signaling data against unauthorized modification and change of data origin. The check sum itself is computed and verified in the UE and in the S-RNC.
It is mandatory to start integrity protection at each new signaling connection establishment between the UE and the VLR/SGSN. Exceptions (e.g. emergency call) are listed in TS 33.102.
Integrity protection starts with the "Security Mode Command". The messages "Security Mode Command", "Security Mode Complete" and all following messages are integrity protected.
The principle of the Integrity Check is the following:
The signaling data to be protected and the Integrity Key IK are used in the transmitter (UE or S-RNC) as input for the UMTS Integrity Algorithm UIA. The result of this calculation is a keyed check sum (message authentication code) of this data. This check sum is appended to the signaling data to be transmitted.
Signaling data and appended check sum are sent from the transmitter (UE or S-RNC) to the receiver (S-RNC or UE).
In the receiver, the signaling data and the IK (stored in the receiver) are again used as input for the same UIA. The newly generated check sum (expected check sum) is compared with the transmitted check sum.
If the signaling data are modified during transmission or someone tries to simulate the user's signaling, the expected check sum and the transmitted check sum differ and the unauthorized modification becomes visible. An unkeyed check sum (e.g. a CRC) would not give this protection, because an attacker could simply recompute it; it is the secret IK that makes the check sum unforgeable for anyone who does not hold the key.


[Fig. 19, figure not reproduced. Data Integrity Check, Basic Principle (UE <-> S-RNC): provides security against unauthorised modification of control data and change of data origin. Control data: start of integrity protection mandatory; nearly all control data integrity protected (not in case of emergency calls; exceptions listed in TS 33.102, 6.5.1). Transmitter: control data -> IK-dependent check sum generator -> control data + check sum sent. Receiver: same generator with its own IK -> expected check sum, compared with the received check sum (Equal?).]


Data Integrity Check – UMTS Integrity Algorithm UIA


The UMTS Integrity Algorithm UIA (different types of UIA can be used; currently only UIA1 using the Kasumi algorithm is defined; see TS 33.102/6.5.6) is often also denoted as f9.
The transmitter (UE or S-RNC) uses the Control Data and the integrity parameters Integrity Key IK, Integrity Sequence Number COUNT-I, a random value FRESH generated by the network side and the direction bit DIRECTION as input for f9.
Based on these input parameters the transmitter computes the Message Authentication Code for data Integrity MAC-I (i.e. the check sum, 32 bits long):
MAC-I = f9(Control Data, IK, COUNT-I, FRESH, DIRECTION).
The MAC-I is appended to the control data and transmitted over the radio link.
The receiver computes the Expected Message Authentication Code for data Integrity XMAC-I in the same way as the transmitter computed MAC-I. The data integrity of the control data is checked by comparing XMAC-I with the received MAC-I.

Remarks on the integrity parameters:


Integrity Key IK: There may be one IK for CS connections IK(CS) and one for PS connections IK(PS). The data integrity of radio bearers for user data is not protected.
FRESH: There is only one FRESH parameter value per user. The input parameter FRESH protects the network against replay of signaling messages by the UE. At connection set-up the S-RNC generates a random value FRESH and sends it to the UE in the RRC "Security Mode Command" message. The value FRESH is subsequently used by the UE and S-RNC throughout the duration of a single connection. This mechanism assures the network that the user is not replaying any old MAC-Is recorded in an earlier connection, even if CK/IK were not changed in between.
COUNT-I: the integrity sequence number COUNT-I (32 bits) is composed of the RRC sequence number RRC SN (the 4-bit "short" sequence number carried in each RRC message) and the RRC Hyperframe Number RRC HFN (the 28-bit "long" sequence number, kept locally in UE and S-RNC and incremented at each wrap-around of the RRC SN). COUNT-I therefore increases with every protected message, so that a message replayed within the same connection is detected, while FRESH separates one connection from the next.
DIRECTION: the direction identifier bit indicates UL or DL direction (DIRECTION = 0 for UL and 1 for DL), so that a message recorded in one direction cannot be reflected back in the other.
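The following worked example is added here and is not part of the original Siemens training material. It shows in Python how the MAC-I is bound to IK, COUNT-I, FRESH and DIRECTION, and walks through the security mode set-up exchange of the previous section (Security Mode Command in DL, Security Mode Complete in UL) followed by four attacks on the signaling link. The Kasumi-based UIA1 is not implemented; the function f9_standin uses HMAC-SHA-256 truncated to 32 bits as an assumed stand-in keyed function, so the values are illustrative only and not interoperable with a real RNC. The names count_i, f9_standin and IntegrityReceiver and all IK, FRESH and message values are constructed for this example.

```python
import hashlib
import hmac
import struct

# Added example. UIA1 (f9) in TS 33.102 is a KASUMI-based MAC giving a 32-bit
# MAC-I; KASUMI is NOT implemented here. HMAC-SHA-256 truncated to 32 bits is
# an assumed stand-in keyed function so that the binding of MAC-I to
# IK, COUNT-I, FRESH and DIRECTION can be shown. Keys and messages are constructed.

MAC_I_LEN = 4   # MAC-I is 32 bits long
UL, DL = 0, 1   # DIRECTION bit: 0 = uplink, 1 = downlink


def count_i(rrc_hfn: int, rrc_sn: int) -> int:
    """COUNT-I (32 bits) = RRC HFN (28 bits, long part) || RRC SN (4 bits, short part)."""
    if not (0 <= rrc_hfn < (1 << 28) and 0 <= rrc_sn < 16):
        raise ValueError("RRC HFN is 28 bits, RRC SN is 4 bits")
    return (rrc_hfn << 4) | rrc_sn


def f9_standin(ik: bytes, count: int, fresh: int, direction: int, message: bytes) -> bytes:
    """MAC-I = f9(IK, COUNT-I, FRESH, DIRECTION, MESSAGE); stand-in for KASUMI f9."""
    if len(ik) != 16:
        raise ValueError("IK is 128 bits")
    if direction not in (UL, DL):
        raise ValueError("DIRECTION is one bit")
    header = struct.pack(">IIB", count, fresh, direction)
    return hmac.new(ik, header + message, hashlib.sha256).digest()[:MAC_I_LEN]


class IntegrityReceiver:
    """Receiving side of one direction of an integrity-protected signalling connection."""

    def __init__(self, ik: bytes, fresh: int, direction: int):
        self.ik, self.fresh, self.direction = ik, fresh, direction
        self.last_count = -1   # highest COUNT-I accepted so far in this connection

    def verify(self, count: int, message: bytes, mac_i: bytes) -> str:
        xmac_i = f9_standin(self.ik, count, self.fresh, self.direction, message)
        if not hmac.compare_digest(xmac_i, mac_i):
            return "MAC-I mismatch"   # modified data, wrong origin, wrong FRESH or DIRECTION
        if count <= self.last_count:
            return "replay"           # COUNT-I must increase within a connection
        self.last_count = count
        return "ok"


def demo() -> dict:
    """Security mode set-up, then attacks on the signalling link; all values constructed."""
    ik = bytes(range(16))      # constructed IK (in UMTS: f4_K(RAND) in USIM and AuC)
    fresh = 0x1234ABCD         # constructed FRESH, chosen by the S-RNC for this connection
    ue_dl = IntegrityReceiver(ik, fresh, DL)    # UE checks downlink messages
    rnc_ul = IntegrityReceiver(ik, fresh, UL)   # S-RNC checks uplink messages
    results = {}

    # Step 1: S-RNC sends RRC Security Mode Command (DL); its MAC-I already uses FRESH.
    smc = b"RRC: Security Mode Command [UIA1, UEA1, CS, FRESH]"   # constructed payload
    c_dl = count_i(rrc_hfn=0, rrc_sn=0)
    results["ue_accepts_smc"] = ue_dl.verify(c_dl, smc, f9_standin(ik, c_dl, fresh, DL, smc))

    # Step 2: UE answers with RRC Security Mode Complete (UL); UL is protected from now on.
    smcomp = b"RRC: Security Mode Complete"
    c_ul = count_i(0, 0)
    mac_ul = f9_standin(ik, c_ul, fresh, UL, smcomp)
    results["rnc_accepts_complete"] = rnc_ul.verify(c_ul, smcomp, mac_ul)

    # Attack 1: an attacker alters an UL message but cannot recompute MAC-I without IK.
    c_next = count_i(0, 1)
    mac_next = f9_standin(ik, c_next, fresh, UL, b"RRC: Measurement Report")
    results["modified"] = rnc_ul.verify(c_next, b"RRC: Measurement Repor7", mac_next)

    # Attack 2: the genuine Security Mode Complete is replayed with its old COUNT-I.
    results["replay_same_connection"] = rnc_ul.verify(c_ul, smcomp, mac_ul)

    # Attack 3: a MAC-I recorded in an earlier connection (different FRESH) is replayed.
    old_mac = f9_standin(ik, c_next, 0x0BADF00D, UL, b"RRC: Measurement Report")
    results["replay_old_connection"] = rnc_ul.verify(c_next, b"RRC: Measurement Report", old_mac)

    # Attack 4: a genuine DL message is reflected back to the S-RNC as if it were UL.
    results["reflected_dl"] = rnc_ul.verify(c_next, smc, f9_standin(ik, c_next, fresh, DL, smc))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

Running the block prints one line per case. The three replay-type cases are caught by three different inputs of f9: a replay within the connection fails because COUNT-I does not increase, a replay from an earlier connection fails because FRESH differs, and a reflected downlink message fails because the DIRECTION bit is part of the MAC-I computation. The receiver compares MAC-I before looking at COUNT-I so that a forged message cannot influence the counter state.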


[Fig. 20, figure not reproduced. Data Integrity Check, UMTS Integrity Algorithm UIA: in the transmitter (UE or S-RNC) the inputs COUNT-I (integrity sequence number), FRESH (random value, generated by the S-RNC, valid for the connection duration, prevents replaying of old MAC-Is), IK (integrity key), DIRECTION (direction bit, UL = 0, DL = 1) and the control data are fed into f9 (UIA), giving MAC-I, which is appended to the control data. The receiver (S-RNC or UE) computes XMAC-I the same way and compares it with the received MAC-I (Equal?). (X)MAC-I: (Expected) Message Authentication Code for Integrity.
 Message flow: S-RNC selects UIA & UEA, generates FRESH, computes MAC-I and starts integrity; S-RNC -> UE: RRC Security Mode Command [UIA, UEA, CN domain, Cipher Start, FRESH, MAC-I]; UE verifies MAC-I and starts integrity; UE -> S-RNC: RRC Security Mode Complete [MAC-I].]


Ciphering – UMTS Encryption Algorithm UEA


Similar to GSM, UMTS encrypts user data and signaling to prevent eavesdropping on the radio interface.
For CS and PS data, encryption is performed between the S-RNC and the UE (in GSM it terminates in the BTS, in GPRS in the SGSN).
As in GSM, the "plain text" is ciphered in the transmitter by combining it via an XOR operation with a cipher sequence (UMTS: Keystream Block). The ciphered text block is transmitted over the radio interface. In the receiver the plain text is recovered by combining the ciphered text block via XOR with the same Keystream Block.
The algorithm producing the Keystream Block is the UMTS Encryption Algorithm UEA. UEA is often denoted as f8. Different UEA implementations are possible. Currently only UEA0 (no ciphering) and UEA1 (Kasumi encryption) are available.
The UMTS keystream block is generated in the UE and S-RNC by feeding the cipher parameters Cipher Key CK, Ciphering Sequence Number COUNT-C, bearer identity BEARER, transmission direction DIRECTION and the length of the keystream LENGTH into f8:
Keystream Block = f8(CK, COUNT-C, BEARER, DIRECTION, LENGTH).

Remarks on the cipher parameters:


Cipher Key CK: There may be one CK for CS connections CK(CS) and one for PS connections CK(PS).
COUNT-C: The ciphering sequence number COUNT-C is generated from MAC or RLC frame and sequence information, so that it increases with every frame / PDU that is ciphered.
BEARER: the radio bearer identifier BEARER is an input so that different radio bearers of the same user, which share CK, COUNT-C and DIRECTION, do not obtain identical keystream. Because ciphering is an XOR with the keystream, any repetition of the complete input set (CK, COUNT-C, BEARER, DIRECTION) yields the same keystream twice, and the XOR of the two ciphered text blocks would then reveal the XOR of the two plain texts.
DIRECTION: the direction identifier bit indicates UL or DL direction (DIRECTION = 0 for UL and 1 for DL), so that UL and DL never use the same keystream.
LENGTH: The length indicator LENGTH indicates the length of the required keystream block. LENGTH shall affect only the length of the Keystream block, not the actual bits in it.
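The following worked example is added here and is not part of the original Siemens training material. It shows in Python the keystream/XOR structure of UMTS ciphering and what the remarks above mean in practice: LENGTH only truncates the keystream, each of COUNT-C, BEARER and DIRECTION changes the keystream, and reusing the complete input set under one CK leaks the XOR of two plain texts. The Kasumi-based UEA1 is not implemented; the function f8_standin derives keystream blocks with HMAC-SHA-256 over (COUNT-C, BEARER, DIRECTION, block index), an assumed stand-in chosen because it has the prefix property the LENGTH rule demands. The names f8_standin and cipher and the CK and plain text values are constructed for this example.

```python
import hashlib
import hmac
import struct

# Added example. UEA1 (f8) in TS 33.102 is a KASUMI-based keystream generator;
# KASUMI is NOT implemented here. The keystream comes from an assumed stand-in:
# HMAC-SHA-256 over (CK, COUNT-C, BEARER, DIRECTION, block index) in counter
# mode, so that LENGTH only truncates the keystream and never changes its bits.

UL, DL = 0, 1   # DIRECTION bit: 0 = uplink, 1 = downlink


def f8_standin(ck: bytes, count_c: int, bearer: int, direction: int, length: int) -> bytes:
    """Keystream block = f8(CK, COUNT-C, BEARER, DIRECTION, LENGTH); LENGTH in bits."""
    if len(ck) != 16:
        raise ValueError("CK is 128 bits")
    if not 0 <= count_c < (1 << 32):
        raise ValueError("COUNT-C is 32 bits")
    if not 0 <= bearer < 32:
        raise ValueError("BEARER is 5 bits")
    if direction not in (UL, DL):
        raise ValueError("DIRECTION is one bit")
    nbytes = (length + 7) // 8
    stream = bytearray()
    block = 0
    while len(stream) < nbytes:
        iv = struct.pack(">IBBI", count_c, bearer, direction, block)
        stream += hmac.new(ck, iv, hashlib.sha256).digest()
        block += 1
    stream = stream[:nbytes]
    spare = nbytes * 8 - length
    if spare:   # keep exactly LENGTH bits: clear the unused low bits of the last byte
        stream[-1] &= (0xFF << spare) & 0xFF
    return bytes(stream)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cipher(ck: bytes, count_c: int, bearer: int, direction: int, block: bytes) -> bytes:
    """Plain text XOR keystream = ciphered text; the identical call recovers the plain text."""
    return xor_bytes(block, f8_standin(ck, count_c, bearer, direction, len(block) * 8))


def demo() -> dict:
    """Properties of the cipher parameters, with constructed CK and plain text."""
    ck = bytes(range(16, 32))     # constructed CK (in UMTS: f3_K(RAND) in USIM and AuC)
    pt = b"hello from the UE"    # constructed plain text block
    r = {}
    ct = cipher(ck, 7, 1, UL, pt)
    r["ciphertext_differs"] = ct != pt
    r["decipher_recovers"] = cipher(ck, 7, 1, UL, ct) == pt
    # LENGTH affects only the length: a shorter keystream is a prefix of a longer one.
    r["length_is_prefix"] = f8_standin(ck, 7, 1, UL, 40) == f8_standin(ck, 7, 1, UL, 64)[:5]
    # Each of COUNT-C, BEARER and DIRECTION changes the keystream.
    base = f8_standin(ck, 7, 1, UL, 64)
    r["count_changes_ks"] = f8_standin(ck, 8, 1, UL, 64) != base
    r["bearer_changes_ks"] = f8_standin(ck, 7, 2, UL, 64) != base
    r["direction_changes_ks"] = f8_standin(ck, 7, 1, DL, 64) != base
    # Why the input set must never repeat under one CK: identical inputs give identical
    # keystream, and ct1 XOR ct2 = pt1 XOR pt2 leaks plain text without knowing CK.
    pt2 = b"other bearer data"
    ct1 = cipher(ck, 7, 1, UL, pt)
    ct2 = cipher(ck, 7, 1, UL, pt2)
    r["keystream_reuse_leaks"] = xor_bytes(ct1, ct2) == xor_bytes(pt, pt2)
    return r


if __name__ == "__main__":
    for prop, holds in demo().items():
        print(f"{prop:24s} {holds}")
```

The last property is the reason BEARER and DIRECTION are inputs at all and why COUNT-C is driven by the frame/PDU sequence numbers: the cipher itself is only as good as the guarantee that (CK, COUNT-C, BEARER, DIRECTION) is never used twice. A practitioner checking an implementation should therefore look at how COUNT-C (and in particular its HFN part) is initialised and re-synchronised, not only at the keystream algorithm.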


[Fig. 21, figure not reproduced. Ciphering, UMTS Encryption Algorithm UEA (UE <-> S-RNC; not in case of emergency calls): in the UE or S-RNC the inputs CK (cipher key; CK_PS and CK_CS), COUNT-C (cipher sequence number), BEARER (radio bearer id. of the user radio bearer), DIRECTION (direction bit, UL = 0, DL = 1) and LENGTH (length indicator of the required keystream block) are fed into f8 (UEA), giving the keystream block ("cipher sequence"). Plain text block ⊕ keystream block = ciphered text block; ciphered text block ⊕ keystream block = plain text block.]


UMTS Security Features: Summary


The UMTS system provides several mechanisms to guarantee network access security. Some features are still the same as in GSM, others have been enhanced, and two aspects (network authentication and data integrity) have been newly defined. The following network access security features have been defined in Rel. ’99:

IMEI Check:
To prevent the usage of stolen or not allowed mobile equipment, the mobile equipment identification can be checked by the network. This feature remains the same as in GSM.

P-TMSI / TMSI Allocation:


To guarantee user identity confidentiality and user location confidentiality, the permanent user identity IMSI is normally not transmitted over the radio interface. The user is normally identified by the temporary identity TMSI / P-TMSI, by which he is known in the serving network. This feature remains the same as in GSM.

Authentication:
In UMTS, authentication is extended compared to GSM. In addition to the User Authentication, a Network Authentication is introduced.
User Authentication is the property that the Serving Network SN checks the real identity of the user, preventing unauthorized access to the network.
Network Authentication is a check by the USIM whether the connected SN is really authorized by the user’s Home PLMN to provide services to him. This includes the guarantee that this authorization is recent, which is achieved with the sequence number SQN carried in the authentication token AUTN.

Ciphering
Ciphering prevents eavesdropping of user data and signaling over the radio interface. UMTS ciphering has been enhanced compared to GSM/GPRS and terminates in the S-RNC. It remains optional: the network may select UEA0 (no encryption).

Data Integrity Check


The Data Integrity Check has been introduced as a new security feature in UMTS. It provides security against unauthorized modification of signaling data and change of data origin. Starting it is mandatory at each signaling connection establishment (exceptions in TS 33.102); user data are not integrity protected.


[Fig. 22, figure not reproduced. UMTS Security Features, Summary (UE, S-RNC, VLR/SGSN):
 TMSI / P-TMSI Allocation: allocated by VLR/SGSN instead of IMSI; protects user identity & location confidentiality.
 Authentication: User Authentication, the network checks the real user identity and prevents misuse / misappropriation of network resources / services; Network Authentication, the UE checks the network's authorisation to provide service.
 Ciphering: prevents eavesdropping of user data / signalling on Uu.
 Data Integrity Check: provides security against unauthorised modification of signalling data / change of data origin.
 IMEI Check: prevents usage of stolen / not allowed ME.]


6 Exercise


Exercise
Title: UMTS Security Features
Objectives: The participant will be able to understand the basic security
features of UMTS
Pre-requisite: none
Task

Please answer the following questions.


Query

1. Please list the Network Access Security Features you remember


[ ]
[ ]
[ ]
[ ]
[ ]
[ ]

2. The IMEI check:


[ ] is used to check the user's identity
[ ] is used to check the mobile equipment
[ ] is used to check the user's authorization to use a certain service
[ ] is used to check the USIM


3. The TMSI and P-TMSI are allocated to a UE:


[ ] to start ciphering of data over the radio interface
[ ] to prevent eavesdropping of the user's actual identity at connection setup
[ ] to check the user's identity at connection setup
[ ] after authentication and cipher start
[ ] at connection setup with the "Initial UE Message"

4. The Authentication Procedure is used:


[ ] to check whether the user is authorized to access the network
[ ] to check whether the serving network is authorized to provide services
[ ] to check whether the sequence number is all right, i.e. whether a synchronization failure occurs
[ ] to provide the cipher key and integrity key to the User Equipment
[ ] none of the above

5. Which of the following security parameters does the UMTS Authentication Vector AV incorporate:
[ ] Random Number RAND
[ ] Sequence Number SQN
[ ] Expected Response XRES
[ ] Response RES
[ ] Message Authentication Code MAC
[ ] Expected Message Authentication Code XMAC
[ ] Cipher Key CK
[ ] Integrity Key IK
[ ] Authentication Token AUTN


6. The Sequence Number SQN:


[ ] is used for Network Authentication
[ ] is used to synchronize network and UE in time and frequency
[ ] is used to generate the Message Authentication Code MAC
[ ] can be used to restrict the validity of the Authentication Vectors
[ ] can be used to perform a verification of the Serving Network
[ ] is only a future option in UMTS

7. Which network elements perform ciphering / deciphering in UMTS:


[ ] UE and Node B
[ ] UE and RNC
[ ] UE and Node B for CS traffic, UE and SGSN for PS traffic
[ ] UE and GMSC for CS traffic, UE and GGSN for PS traffic

8. What is the Integrity Check good for?


[ ] It is used to cipher all user data & signaling
[ ] It is used to check all user data & signaling for modifications / change of origin
[ ] It is used to prevent modification / change of origin of signaling data
[ ] It is just a future option in UMTS, which every network operator can use at his own discretion.


9. Ciphering in UMTS is:


[ ] used for user traffic and signaling
[ ] used for user traffic only
[ ] performed with different Cipher Keys CKs for CS and PS domain
[ ] performed with the same CK because the RNC & UE are responsible for ciphering

10. Which of the following security features is mandatory to be performed during a "normal" connection / connection setup (e.g. PS data transmission):


[ ] IMEI check
[ ] TMSI / P-TMSI usage
[ ] Network Authentication
[ ] User Authentication
[ ] Ciphering
[ ] Integrity Check
[ ] none of the above


7 Solution


Solution
Title: UMTS Security Features
Objectives: The participant will be able to understand the basic security features of UMTS
Pre-requisite: none
Task

In the following section, there are the answers to the exercises.


Query

1. Please list the Network Access Security Features you remember


[x] IMEI Check
[x] (P-)TMSI Allocation
[x] Network Authentication
[x] User Authentication
[x] Ciphering
[x] Integrity Check

2. The IMEI check:


[ ] is used to check the user's identity
[x] is used to check the mobile equipment
[ ] is used to check the user's authorization to use a certain service
[ ] is used to check the USIM


3. The TMSI and P-TMSI are allocated to a UE:


[ ] to start ciphering of data over the radio interface
[x] to prevent eavesdropping of the user's actual identity at connection setup
[ ] to check the user's identity at connection setup
[x] after authentication and cipher start
[ ] at connection setup with the "Initial UE Message"

4. The Authentication Procedure is used:


[x] to check whether the user is authorized to access the network
[x] to check whether the serving network is authorized to provide services
[x] to check whether the sequence number is all right, i.e. whether a synchronization failure occurs
[x] to provide the cipher key and integrity key to the User Equipment
[ ] none of the above

5. Which of the following security parameters does the UMTS Authentication Vector AV incorporate:
[x] Random Number RAND
[x] Sequence Number SQN
[x] Expected Response XRES
[ ] Response RES
[x] Message Authentication Code MAC
[ ] Expected Message Authentication Code XMAC
[x] Cipher Key CK
[x] Integrity Key IK
[x] Authentication Token AUTN


6. The Sequence Number SQN:


[x] is used for Network Authentication
[ ] is used to synchronize network and UE in time and frequency
[x] is used to generate the Message Authentication Code MAC
[x] can be used to restrict the validity of the Authentication Vectors
[x] can be used to perform a verification of the Serving Network
[ ] is only a future option in UMTS

7. Which network elements perform ciphering / deciphering in UMTS:


[ ] UE and Node B
[x] UE and RNC
[ ] UE and Node B for CS traffic, UE and SGSN for PS traffic
[ ] UE and GMSC for CS traffic, UE and GGSN for PS traffic

8. What is the Integrity Check good for?


[ ] It is used to cipher all user data & signaling
[ ] It is used to check all user data & signaling for modifications / change of origin
[x] It is used to prevent modification / change of origin of signaling data
[ ] It is just a future option in UMTS, which every network operator can use at his own discretion.


9. Ciphering in UMTS is:


[x] used for user traffic and signaling
[ ] used for user traffic only
[x] performed with different Cipher Keys CKs for CS and PS domain
[ ] performed with the same CK because the RNC & UE are responsible for ciphering

10. Which of the following security features is mandatory to be performed during a "normal" connection / connection setup (e.g. PS data transmission):


[ ] IMEI check
[ ] TMSI / P-TMSI usage
[ ] Network Authentication
[ ] User Authentication
[ ] Ciphering
[x] Integrity Check
[ ] none of the above
