F.4 Key derivation

3GPP TS 43.020, Release 17: Security related network functions

The key derivation of the encryption is performed in two steps:

1. derivation of a short term key VSTK on the GCR-side and USIM; VSTK_RAND generation on the GCR-side and sending it to the ME via the BSS for use on the USIM;

2. derivation of the actual encryption key V_Kc in the BSS and ME.

Figure F.1: Key derivation

F.4.1 Key derivation within the USIM / GCR

This function is performed on:

– the set-up of a voice group or broadcast call by the GCR;

– entry to a voice group or broadcast call by the USIM.

On the set-up of a voice group/broadcast call the GCR generates the VSTK_RAND (see Annex G). The GCR also selects an appropriate group key V_Ki (identified by VK_Id, Group_Id and Service_type). Using the function A8_V, a short term key VSTK is derived from the following input parameters:

– V_Ki (Group_Id, VK_Id, Service_type);

– VSTK_RAND.

Output of A8_V is:

– VSTK

Figure F.2

The GCR sends the parameters Group_Id, VK_Id, VSTK_RAND, VSTK and A5_Id via the anchor-MSC and the relay-MSCs to the BSS. The BSS signals the Group_Id, VSTK_RAND and VK_Id to the ME.

On the ME-side, each ME sends the Group_Id of the voice group or broadcast call, the identifier of the key VK_Id, the Service_type and the VSTK_RAND to the USIM. The USIM performs the calculation of the short term key VSTK using the function A8_V and returns it (together with the encryption algorithm identifier A5_Id).

F.4.2 Key derivation within the ME/BSS

This function is performed by the ME on:

– entry to a voice group/broadcast call;

– cell reselection;

– changing of the value of CELL_GLOBAL_COUNT;

– Handover.

On the network side the function is performed by the BSS on:

– set-up of a voice group/broadcast call in a cell;

– changing of the value of CELL_GLOBAL_COUNT.

For each cell the BSS and ME calculate an encryption key V_Kc using the key modification function KMF. The input parameters of the KMF are:

– VSTK: the short term key for this voice call group and this call;

– CGI: the cell global identifier which identifies a cell world-wide uniquely;

– CELL_GLOBAL_COUNT: this parameter shall be incremented by the BSS when the TDMA-frame-number wraps around.

NOTE: The MS and network SHALL be aligned regarding the value of the CELL_GLOBAL_COUNT. In case of transmissions on the FACCH, this requires that the network transmits a part of the whole of the TDMA frame number together with the CELL_GLOBAL_COUNT.

The output of the key modification function is the actual cipher key V_Kc.

Figure F.3

To provide the required information to the ME the parameters CELL_GLOBAL_COUNT and CGI are included in various messages from the BSS to the ME (i.e. CELL_GLOBAL_COUNT on the NCH, FACCH and PCH, and the CGI on the BCCH and the FACCH).

F.4.3 Encryption algorithm selection

The encryption algorithm identifier A5_Id is stored in the GCR and the USIM. For each group key V_Ki (Group_Id, VK_Id, Service_type) there is a unique A5_Id.

A5_Id is transmitted from the GCR to the BSS. The ME fetches the A5_Id together with the VSTK from the USIM.

NOTE 1: It is possible that different algorithm identifiers are bound to different V_Ki of the same group.

NOTE 2: The algorithm identifier A5_Id stored in the GCR and on the USIM shall match the encryption capabilities of the MEs used by the group and of the BSS where the voice group calls are allowed to take place.

F.4.4 Algorithm requirements

F.4.4.1 A8_V

The key derivation function A8_V has the following input and output parameters:

Input parameters:

VSTK_RAND: 36 bit value (see annex G);

V_Ki (Group_Id, VK_Id, Service_type): 128 bit secret key;

Output:

VSTK: 128 bit short term key

A8_V is an operator specific algorithm. The calculation time for A8_V shall not exceed 500 ms.

A8_V is implemented in the GCR and on the USIM.

F.4.4.2 KMF

The key derivation function KMF has the following input and output parameters:

Input parameters:

VSTK: 128 bit short term key;

CGI: the cell global identifier: 56 bit (TS 23.003 [F6]);

CELL_GLOBAL_COUNT: 2 bit.

Output:

V_Kc: 128 bit encryption key.

The KMF is implemented in the BSS and in the ME.

The specification of KMF can be found in clause F.6.
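
The two-step derivation of F.4 with the field widths of F.4.4, as an added example that is not part of the specification. A8_V is operator specific and the KMF of clause F.6 is not reproduced here, so both are replaced by HMAC-SHA-256 stand-ins; the function names, input encodings and sample values are assumptions.

```python
import hmac
import hashlib

# Bit widths taken from F.4.4.1 and F.4.4.2.
VSTK_RAND_BITS, KEY_BITS, CGI_BITS, COUNT_BITS = 36, 128, 56, 2


def _check(value: int, bits: int, name: str) -> int:
    """Reject values that do not fit the field width given in the annex."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name} must fit in {bits} bits")
    return value


def a8_v_standin(v_ki: bytes, vstk_rand: int) -> bytes:
    """Step 1 (GCR and USIM): V_Ki + VSTK_RAND -> 128 bit VSTK.

    ASSUMPTION: A8_V is operator specific; HMAC-SHA-256 truncated to
    128 bits is only a stand-in so the data flow can be executed.
    """
    if len(v_ki) * 8 != KEY_BITS:
        raise ValueError("V_Ki must be 128 bits")
    rand = _check(vstk_rand, VSTK_RAND_BITS, "VSTK_RAND").to_bytes(5, "big")
    return hmac.new(v_ki, b"A8_V-standin" + rand, hashlib.sha256).digest()[:16]


def kmf_standin(vstk: bytes, cgi: int, cell_global_count: int) -> bytes:
    """Step 2 (BSS and ME): VSTK + CGI + CELL_GLOBAL_COUNT -> 128 bit V_Kc.

    ASSUMPTION: the real KMF is specified in clause F.6, which is not
    reproduced here; the input encoding below is hypothetical.
    """
    if len(vstk) * 8 != KEY_BITS:
        raise ValueError("VSTK must be 128 bits")
    msg = _check(cgi, CGI_BITS, "CGI").to_bytes(7, "big")
    msg += bytes([_check(cell_global_count, COUNT_BITS, "CELL_GLOBAL_COUNT")])
    return hmac.new(vstk, b"KMF-standin" + msg, hashlib.sha256).digest()[:16]


def next_count(cell_global_count: int) -> int:
    """BSS increments the 2 bit counter when the TDMA frame number wraps."""
    return (cell_global_count + 1) % (1 << COUNT_BITS)


# Constructed sample values, not taken from any network.
V_KI = bytes(range(16))
VSTK = a8_v_standin(V_KI, 0x123456789)
KEYS = [kmf_standin(VSTK, 0x00F110_0001_0002, c) for c in range(4)]
```

Because the KMF takes only VSTK, CGI and the 2 bit CELL_GLOBAL_COUNT as input, a given call can have at most four distinct V_Kc values per cell, and the fourth increment of the counter returns to the first key.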