6.8 Security Function

3GPP TS 23.060 Release 17: General Packet Radio Service (GPRS); Service description; Stage 2

6.8.0 General

The GERAN/UTRAN Security function:

– Guards against unauthorised packet-domain service usage (authentication of the MS by the network and service request validation).

– Provides user identity confidentiality (temporary identification and ciphering).

– Provides user data and signalling confidentiality (ciphering).

– Provides, for Iu mode only, data integrity and origin authentication of signalling data (integrity protection).

– Provides, by UMTS authentication (USIM) only, authentication of the network by the MS.

GERAN/UTRAN security-related network functions are described in TS 43.020 [6] and in TS 33.102 [61].

NOTE: The security functions related to mobility between GERAN/UTRAN access and E-UTRAN access are described in TS 33.401 [91] and TS 23.401 [89].

6.8.1 Authentication

The Authentication function includes two types of authentication: "UMTS authentication" and "GSM authentication". These procedures are independent of the RAN modes, i.e. each procedure may be executed in A/Gb mode or in Iu mode. UMTS authentication requires a USIM in the MS and Authentication Quintets in the SGSN. GSM authentication is based either on a SIM in the MS and Authentication Triplets in the SGSN, or on a GSM-capable USIM in the MS and parameters derived from Authentication Quintets in the SGSN.

"UMTS authentication" implies mutual authentication, i.e. authentication of the MS by the network and authentication of the network by the MS. It also implies establishment of a new UMTS ciphering key (CK) and integrity key (IK) agreement between the SGSN and the MS.

"GSM authentication" implies authentication of the MS by the network and establishment of a new GSM ciphering key (Kc) agreement between the SGSN and the MS.

6.8.1.1 GSM Authentication procedure

The GSM Authentication procedure performs subscriber authentication, selection of the ciphering algorithm, or both. In A/Gb mode it additionally synchronises the start of ciphering. Authentication triplets are stored in the SGSN. The MSC/VLR shall not authenticate the MS via the SGSN upon IMSI attach or location update, but may authenticate the MS during CS connection establishment. Security-related network functions are described in TS 43.020 [6].

The GSM Authentication procedure is illustrated in Figure 27.

Figure 27: GSM Authentication Procedure

1) If the SGSN does not have a previously stored authentication vector, a Send Authentication Info (IMSI) message is sent to the HLR. The HLR responds with a Send Authentication Info Ack (Authentication Triplets or quintets) message.

2) The SGSN sends an Authentication and Ciphering Request (RAND, CKSN, Ciphering Algorithm) message to the MS. The MS responds with an Authentication and Ciphering Response (SRES) message.

In A/Gb mode, the MS starts ciphering after sending the Authentication and Ciphering Response message as described in clause "Start of Ciphering".

Change of the ciphering algorithm during PS Handover procedure is described in TS 43.129 [87].

In Iu mode, the SGSN and the MS shall generate the UMTS CK and IK from the GSM Kc using the standardised conversion functions specified for this purpose in TS 33.102 [61].

In Iu mode, the start of ciphering is controlled by the security mode procedure described in TS 33.102 [61].

If the SGSN cannot determine the HLR address to establish the Send Authentication Info dialogue, the GSM Authentication Procedure fails.

6.8.1.2 UMTS Authentication procedure

The UMTS authentication procedure is described in TS 33.102 [61]. The UMTS authentication procedure executed from the SGSN performs both the mutual authentication and security keys agreement. Authentication quintets are stored in the SGSN. The MSC/VLR shall not authenticate the MS via the SGSN upon IMSI attach nor upon location update, but may authenticate the MS during CS connection establishment.

The UMTS Authentication procedure is illustrated in Figure 28.

Figure 28: UMTS Authentication

1) If the SGSN does not have previously stored UMTS Authentication Vectors (quintets), a Send Authentication Info (IMSI) message is sent to the HLR. Upon receipt of this message, the HLR responds with a Send Authentication Info Ack message including an ordered array of quintets to the SGSN. Each quintet contains RAND, XRES, AUTN, CK, and IK. The generation of quintets in HLR is performed as specified in TS 33.102 [61].

2) At authentication, the SGSN selects the next in-order quintet and transmits the RAND and AUTN that belong to this quintet to the MS in the Authentication and Ciphering Request (RAND, AUTN, KSI) message. The SGSN also selects a Key Set Identifier, KSI, and includes it in the message.

3) At reception of this message, the USIM in the MS verifies AUTN and, if accepted, the USIM computes the signature of RAND, RES, in accordance with TS 33.102 [61]. If the USIM considers the authentication as being successful, the MS returns an Authentication and Ciphering Response (RES) message to the SGSN. During generation of authentication vectors, the USIM in the MS also computes a new Ciphering Key, CK, and a new Integrity Key, IK. These keys are stored together with the KSI until KSI is updated at the next authentication.

If the USIM considers the authentication unsuccessful, e.g. in the case of an authentication synchronisation failure, the MS returns the Authentication and Ciphering Failure message to the SGSN. The actions then taken are described in TS 33.102 [61].

In A/Gb mode, the SGSN and the MS shall generate the Kc from the UMTS CK and IK using the standardised conversion function specified for this purpose in TS 33.102 [61].

In A/Gb mode, the MS starts ciphering after sending the Authentication and Ciphering Response message as described in clause "Start of Ciphering".

In Iu mode, the start of ciphering is controlled by the security mode procedure described in TS 33.102 [61].

If the SGSN cannot determine the HLR address to establish the Send Authentication Info dialogue, the UMTS Authentication Procedure fails.
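The SGSN side of the UMTS Authentication procedure above (steps 1 to 3), together with the key conversion functions that clauses 6.8.1.1 and 6.8.1.2 delegate to TS 33.102 [61], as an added example that is not code from TS 23.060 or any 3GPP implementation. The c3/c4/c5 definitions are the ones specified in TS 33.102; the quintet derivation is a constructed HMAC stand-in (not MILENAGE), AUTN verification by the USIM is not modelled, and the `SGSN` class and its method names are assumptions.

```python
import hashlib, hmac

def c3_kc_from_ck_ik(ck: bytes, ik: bytes) -> bytes:
    """TS 33.102 c3 (A/Gb mode after UMTS authentication):
    Kc = CK1 xor CK2 xor IK1 xor IK2, using 64-bit halves of CK and IK."""
    assert len(ck) == 16 and len(ik) == 16
    return bytes(a ^ b ^ c ^ d for a, b, c, d in zip(ck[:8], ck[8:], ik[:8], ik[8:]))

def c4_ck_from_kc(kc: bytes) -> bytes:
    """TS 33.102 c4 (Iu mode after GSM authentication): CK = Kc || Kc."""
    return kc + kc

def c5_ik_from_kc(kc: bytes) -> bytes:
    """TS 33.102 c5: IK = (Kc1 xor Kc2) || Kc || (Kc1 xor Kc2), 32-bit halves of Kc."""
    x = bytes(a ^ b for a, b in zip(kc[:4], kc[4:]))
    return x + kc + x

def constructed_quintet(k: bytes, rand: bytes) -> dict:
    """Constructed stand-in for the HLR/USIM functions (NOT MILENAGE): derives
    XRES, AUTN, CK and IK from a shared key K and RAND so the flow can be run."""
    f = lambda tag: hmac.new(k, tag + rand, hashlib.sha256).digest()
    return {"RAND": rand, "XRES": f(b"res")[:8], "AUTN": f(b"autn")[:16],
            "CK": f(b"ck")[:16], "IK": f(b"ik")[:16]}

class SGSN:
    """Holds the ordered quintet array received in Send Authentication Info Ack."""
    def __init__(self, quintets):
        self.quintets = list(quintets)  # consumed strictly in order
        self.ksi = 0                    # KSI 0..6 (7 means "no key available")
        self.current = None
        self.keys = {}                  # KSI -> (CK, IK), stored after success

    def authentication_and_ciphering_request(self):
        """Step 2: take the next in-order quintet; send (RAND, AUTN, KSI) to the MS."""
        if not self.quintets:
            raise LookupError("no quintets left: run Send Authentication Info first")
        self.current = self.quintets.pop(0)
        self.ksi = (self.ksi + 1) % 7
        return self.current["RAND"], self.current["AUTN"], self.ksi

    def authentication_and_ciphering_response(self, res: bytes) -> bool:
        """Step 3: constant-time compare of RES with XRES; keep CK/IK under the KSI."""
        if self.current is None or not hmac.compare_digest(res, self.current["XRES"]):
            return False
        self.keys[self.ksi] = (self.current["CK"], self.current["IK"])
        self.current = None             # each quintet is used exactly once
        return True
```

The c3 of c4/c5 round trip in the test is the property that makes a GSM Kc survive an A/Gb to Iu to A/Gb key conversion unchanged.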

6.8.2 User Identity Confidentiality

6.8.2.1 User Identity Confidentiality (A/Gb mode)

A Temporary Logical Link Identity (TLLI) identifies a user in A/Gb mode. The relationship between TLLI and IMSI is known only in the MS and in the SGSN. TLLI is derived from the P‑TMSI allocated by the SGSN or built by the MS as described in clause "NSAPI and TLLI for A/Gb mode".

NOTE: Following inter-RAT mobility from E‑UTRAN, the MS will use values for the TLLI and P‑TMSI as instructed by the old MME.

6.8.2.2 User Identity Confidentiality (Iu mode)

A Radio Network Temporary Identity (RNTI) identifies a user between the MS and an Iu mode RAN. The relationship between RNTI and IMSI is known only in the MS and in the RAN. A P‑TMSI identifies a user between the MS and the SGSN. The relationship between P‑TMSI and IMSI is known only in the MS and in the SGSN.

NOTE: Following inter-RAT mobility from E‑UTRAN, the MS will use a value for the P‑TMSI as instructed by the old MME.

6.8.2.3 P‑TMSI Signature

P‑TMSI Signature is optionally sent by the SGSN to the MS in Attach Accept and Routeing Area Update Accept messages. If the P‑TMSI Signature has been sent by the SGSN to the MS since the current P‑TMSI was allocated, then the MS shall include the P‑TMSI Signature in the next Routeing Area Update Request, Detach Request, and Attach Request for identification checking purposes. If the P‑TMSI Signature was sent, then the SGSN shall compare the P‑TMSI Signature sent by the MS with the signature stored in the SGSN. If the values do not match, the SGSN should use the security functions to authenticate the MS. If the values match or if the P‑TMSI Signature is missing, the SGSN may use the security functions to authenticate the MS. The P‑TMSI Signature parameter has only local significance in the SGSN that allocated the signature.

NOTE: Following inter‑RAT mobility from E‑UTRAN, the P‑TMSI signature is also used for a different function and may carry other information from the MS to the old MME (see TS 23.401 [89]) without modification by the new SGSN.

If the network supports ciphering, the SGSN shall send the P‑TMSI Signature ciphered to the MS. Routeing Area Update Request and Attach Request, into which the MS includes the P‑TMSI Signature, are not ciphered.

6.8.2.4 P-TMSI Reallocation Procedure

The SGSN may attempt to reallocate the P‑TMSI at any time that the MS is in GERAN/UTRAN PS coverage. The reallocation procedure can be performed by the P‑TMSI Reallocation procedure, or it can be included in the Attach or Routeing Area Update procedures. The P-TMSI reallocation during PS Handover procedure is described in TS 43.129 [87].

The P‑TMSI Reallocation procedure is illustrated in Figure 29.

Figure 29: P‑TMSI Reallocation Procedure

1) The SGSN sends a P‑TMSI Reallocation Command (new P‑TMSI, P‑TMSI Signature, RAI) message to the MS. P‑TMSI Signature is an optional parameter that the MS, if received, shall return to the SGSN in the next Attach and Routeing Area Update procedures.

2) The MS returns a P‑TMSI Reallocation Complete message to the SGSN.
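The identity handling of clauses 6.8.2.1, 6.8.2.3 and 6.8.2.4 as an added example that is not code from TS 23.060: one SGSN allocates P-TMSIs and 3-octet P-TMSI Signatures, the MS returns the signature in its next request, and the SGSN applies the should/may authentication rule of clause 6.8.2.3. The local-TLLI derivation follows TS 23.003 (not stated in this clause), and the class and method names are assumptions.

```python
import hmac, os

def local_tlli(p_tmsi: int) -> int:
    """Local TLLI per TS 23.003 (assumed here, not stated in this clause):
    bits 31-30 set to 11, bits 29-0 taken from the P-TMSI."""
    return (p_tmsi & 0x3FFFFFFF) | 0xC0000000

def is_local_tlli(tlli: int) -> bool:
    return tlli >> 30 == 0b11

class SGSNIdentities:
    """P-TMSI / P-TMSI Signature state of one SGSN. Signatures have only local
    significance, so this table is never shared with another SGSN."""
    def __init__(self, rng=os.urandom):
        self.rng = rng
        self.signature_of = {}          # P-TMSI -> 3-octet signature, or None

    def allocate(self, with_signature: bool):
        """Contents of Attach Accept, RAU Accept or P-TMSI Reallocation Command."""
        p_tmsi = int.from_bytes(self.rng(4), "big") & 0x3FFFFFFF
        sig = self.rng(3) if with_signature else None
        self.signature_of[p_tmsi] = sig
        return p_tmsi, sig

    def check_signature(self, p_tmsi: int, received) -> str:
        """Decision for a RAU/Attach/Detach Request carrying this P-TMSI."""
        if p_tmsi not in self.signature_of:
            raise LookupError("P-TMSI not allocated by this SGSN")
        stored = self.signature_of[p_tmsi]
        if stored is None or received is None:
            return "may authenticate"       # no signature ever sent, or none included
        if hmac.compare_digest(stored, received):
            return "may authenticate"       # match: authentication optional
        return "should authenticate"        # mismatch: authenticate before accepting

class MS:
    """MS side: keeps the signature, if one was received, for the next request."""
    def __init__(self):
        self.p_tmsi, self.signature = None, None
    def p_tmsi_reallocation_command(self, new_p_tmsi, signature):
        self.p_tmsi, self.signature = new_p_tmsi, signature
        return "P-TMSI Reallocation Complete"
    def routeing_area_update_request(self):
        return self.p_tmsi, self.signature  # signature present only if one was received
```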

6.8.3 User Data and GMM/SM Signalling Confidentiality

6.8.3.1 Scope of Ciphering

In A/Gb mode, the scope of ciphering is from the ciphering function in the SGSN to the ciphering function in the MS. Ciphering is done in the LLC layer, and from the perspective of the A/Gb mode MS-BTS radio path, an LLC PDU is transmitted as plain text.

In Iu mode, the scope of ciphering is from the ciphering function in the RAN to the ciphering function in the MS.

Figure 30: Scope of Ciphering

6.8.3.2 Ciphering Algorithm

TS 41.061 [2] contains the requirements for the GPRS Encryption Algorithm (GEA) for A/Gb mode. The A/Gb mode ciphering key Kc is an input to the algorithm. The standard key management procedures for the Kc shall be used.

In Iu mode ciphering is performed with the UMTS Encryption Algorithm (UEA). The Iu mode Ciphering Key CK is an input to the algorithm.

6.8.3.3 Start of Ciphering

In A/Gb mode, the MS starts ciphering after sending the Authentication and Ciphering Response message. The SGSN starts ciphering when a valid Authentication and Ciphering Response message is received from the MS. In the routeing area update case, if ciphering was used before the routeing area update, and if the authentication procedure is omitted, then the SGSN shall resume ciphering with the same algorithm when a ciphered Routeing Area Update Accept message is sent, and the MS shall resume ciphering when a ciphered Routeing Area Update Accept message is received.

In Iu mode, the start of ciphering is controlled by the security mode procedure described in TS 33.102 [61].

6.8.4 Identity Check Procedures

The Identity Check procedure is illustrated in Figure 31.

Figure 31: Identity Check Procedure

1) The SGSN sends Identity Request (Identity Type) to the MS. The MS responds with Identity Response (Mobile Identity).

2) If the SGSN decides to check the IMEI against the EIR, it sends Check IMEI (IMEI) to EIR. The EIR responds with Check IMEI Ack (IMEI).

6.8.5 Data Integrity Procedure (Iu mode)

The Data Integrity procedure is performed between the MS and the RAN. It is applicable only to radio signalling. The Iu mode integrity check is made with the UMTS Integrity Algorithm (UIA). The UMTS Integrity Key IK is an input to the algorithm. The start of the data integrity procedure is controlled by the security mode procedure as described in TS 33.102 [61].