D.4 Confidentiality of user information and signalling between MS and SGSN
3GPP43.020Release 17Security related network functionsTS
D.4.1 Generality
In 3GPP TS 42.009, some signalling information elements are considered sensitive and must be protected.
To ensure identity confidentiality (see clause 2), the new TLLI must be transferred in a protected mode at allocation time.
The confidentiality of user information concerns the information transmitted on the logical connection between MS and SGSN.
These needs for a protected mode of transmission are fulfilled by a ciphering function in the LLC layer. It is not an end-to-end confidentiality service.
Four points have to be specified:
– the ciphering method;
– the key setting;
– the starting of the enciphering and deciphering processes;
– the synchronisation.
D.4.2 The ciphering method
The LLC layer information flow is ciphered by the algorithm GPRS-A5 as described in 3GPP TS 41.061. However, GPRS ciphering algorithms requireing 128-bit GPRS-Kc128 shall be given that instead of the 64-bit GPRS-Kc as ciphering key.
NOTE: Specification TS 41.061 is not maintained after Release 4 and, therefore, it does not include the possibility of 128-bit Kc.
D.4.3 Key setting
Mutual key setting is the procedure that allows the mobile station and the network to agree on the key GPRS-Kc to use in the ciphering and deciphering algorithms GPRS-A5. This procedure corresponds to the procedure described in subclause 4.3 besides the different confidential subscriber identity. The GPRS-Kc is handled by the SGSN independently from the MSC. If a MS is using both circuit switched and packet switched, two different ciphering keys will be used independently, one (Kc or Kc128) in the MSC and one (GPRS-Kc or GPRS-Kc128) in the SGSN.
A key setting is triggered by the authentication procedure. Key setting may be initiated by the network as often as the network operator wishes. If an authentication procedure is performed during a data transfer, the new ciphering parameters shall be taken in use immediately at the end of the authentication procedure in both SGSN and MS.
Key setting may not be encrypted and shall be performed as soon as the identity of the mobile subscriber (i.e. TLLI or IMSI) is known by the network.
The transmission of GPRS-Kc to the MS is indirect and uses the authentication RAND value; GPRS-Kc is derived from RAND by using algorithm A8 and the Subscriber Authentication key Ki, in the same way as defined in annex C for Kc.
As a consequence, the procedures for the management of GPRS-Kc are the authentication procedures described in subclause D.3.3.
The values GPRS-Kc are computed together with the SRES values. The security related information (see subclause D.3.3.1) consists of RAND, SRES and GPRS-Kc.
The key GPRS-Kc is stored by the mobile station until it is updated at the next authentication.
Key setting is schematised in figure D.4.1.
|
MS |
Network side |
||||||||||||||||||
|
RAI and TLLI or IMSI |
|||||||||||||||||||
|
> |
|||||||||||||||||||
|
RAND |
|||||||||||||||||||
|
< |
|||||||||||||||||||
|
Ki |
RAND |
RAND |
Ki |
||||||||||||||||
|
V |
V |
V |
V |
||||||||||||||||
|
A8 |
A8 |
||||||||||||||||||
|
GPRS-Kc |
GPRS-Kc |
||||||||||||||||||
|
V |
V |
||||||||||||||||||
|
Store GPRS-Kc |
Store GPRS-Kc |
||||||||||||||||||
Figure D.4.1: Key setting
D.4.4 Ciphering key sequence number
The GPRS-CKSN (Ciphering Key Sequence Number) is a number which is associated with each ciphering key GPRS-Kc. The GPRS-CKSN and GPRS-Kc are stored together in the mobile station and in the network. It permits the consistency check of the keys stored in the MS and in the network. Two independent pairs, Kc and CKSN (for circuit switched), and GPRS-Kc and GPRS-CKSN (for packet switched) may be stored in the MS simultaneously.
However since it is not directly involved in any security mechanism, it is not addressed in this specification but in 3GPP TS 24.008 instead.
D.4.5 Starting of the ciphering and deciphering processes
The MS and the SGSN must co-ordinate the instants at which the ciphering and deciphering processes start. The authentication procedure governs the start of ciphering. The SGSN indicates if ciphering shall be used or not in the Authentication and Ciphering Request message. If ciphering is used, the MS starts ciphering after sending the Authentication and Ciphering Response message. The SGSN starts ciphering when a valid Authentication and Ciphering Response message is received from the MS.
Upon GPRS Attach, if ciphering is to be used, an Authentication and Ciphering Request message shall be sent to the MS to start ciphering.
If the GPRS-CKSN stored in the network does not match the GPRS-CKSN received from the MS in the Attach Request message, then the network should authenticate the MS.
As an option, the network may decide to continue ciphering without authentication after receiving a Routing Area Update Request message with a valid GPRS-CKSN. Both the MS and the network shall use the latest ciphering parameters. The MS starts ciphering after a receiving a valid ciphered Routing Area Update Accept message from the network. The SGSN starts ciphering when sending the ciphered Routing Area Update Accept message to the MS.
Upon delivery of the Authentication and Ciphering Response message or the Routing Area Update Accept message, the GPRS Mobility and Management entity in both SGSN and MS shall be aware if ciphering has started or not. LLC provides the capability to send both ciphered and unciphered PDUs. The synchronisation of ciphering at LLC frames level is done by a bit in the LLC header indicating if the frame is ciphered or not. Only a few identified signalling messages (e.g., Routing Area Update Request message) described in 3GPP TS 24.008 may be sent unciphered, any other frames sent unciphered shall be deleted. Once the encryption has been started, neither the MS nor the network shall go to an unciphered session.
D.4.6 Synchronisation
The enciphering stream at one end and the deciphering stream at the other end must be synchronised, for the enciphering bit stream and the deciphering bit streams to coincide. Synchronisation is guaranteed by driving Algorithm GPRS-A5 by an explicit variable INPUT per established LLC and direction.
These initial INPUT values shall not be identical for the different LLC link. The initial INPUT value shall be determined by the network. It may be identical for uplink and downlink value because the direction is given to the ciphering algorithm as described in 3GPP TS 41.061 and illustrated on the figure D.4.2. In a given direction, the INPUT value shall be unique for each frame.
The calculation of the INPUT value is described in GSM. The use of the INPUT value is described in 3GPP TS 41.061 and illustrated on the figure D.4.2.
Figure D.4.2: Use of the INPUT parameter
D.4.7 Inter SGSN routing area update
When an Inter SGSN routing area update occurs, the necessary information (e.g. key Kc, INPUT parameters) is transmitted within the system infrastructure to enable the communication to proceed from the old SGSN to the new one, and the Synchronisation procedure is resumed. The key Kc may remains unchanged at Inter SGSN routing area update. Since Kc128 is not transferred between SGSNs at inter SGSN routing area update, but re-calculated by the target SGSN from the received CK/IK, it remains the same.
D.4.8 Negotiation of GPRS-A5 algorithm
Not more than seven versions of the GPRS-A5 algorithm will be defined.
When an MS wishes to establish a connection with the network, the MS shall indicate to the network which version(s) of the GPRS-A5 algorithm it supports. The negotiation of GPRS-A5 algorithm happens during the authentication procedure.
The network may renegotiate the version of the GPRS-A5 algorithm in use at inter SGSN routing area update by performing an authentication procedure.
The network shall compare its ciphering capabilities and preferences, and any special requirements of the subscription of the MS, with those indicated by the MS and may take one of the following decisions:
1) If the MS and the network have no versions of the GPRS A5 algorithm in common and the network is not prepared to use an unciphered connection, then the connection is released.
2) If the MS and the network have at least one version of the GPRS A5 algorithm in common, then the network shall select one of the mutually acceptable versions of the GPRS A5 algorithms for use on that connection.
3) If the MS and the network have no versions of the GPRS A5 algorithm in common and the network is willing to use an unciphered version, then an unciphered connection shall be used.
Since the use of 128-bit ciphering algorihms (e.g., GEA4) requires that the MS is in UMTS security context, the SGSN shall not select GEA4 if the SGSN does not share a UMTS security context with the MS.
D.4.9 Support of GPRS-A5 Algorithms in MS
It is mandatory for GEA3 and non-encrypted mode (i.e. GEA0) to be implemented in mobile stations. GEA4 may be implemented in the mobile stations. In particular, it is prohibited to implement GEA1 and GEA2 in mobile stations.
No other GPRS encryption algorithms shall be supported in mobile stations.