F.6 Specification of the Key Modification Function (KMF)
3GPP43.020Release 17Security related network functionsTS
SHA‑1 (FIPS PUB 180‑1 [F7]) is used for generating V_Kc:
V_Kc= SHA-1(VSTK | CGI | CELL_GLOBAL_COUNT | VSTK)
From the 160 bit output of SHA-1, the bits numbered as [0] to [127] are taken as 128 bit V_Kc.
Annex G (informative):
Generation of VSTK_RAND
All data variables in this Annex are presented with the most significant substring on the left hand side and the least significant substring on the right hand side. A substring may be a bit, byte or other arbitrary length bitstring. Where a variable is broken down into a number of substrings, the leftmost (most significant) substring is numbered 0, the next most significant is numbered 1, and so on through to the least significant.
Since the length of VSTK_RAND (36 bits) is small, care should be taken that a VSTK_RAND isn’t generated twice (so-called collision) during the lifetime of V_Ki. On the other hand, the predictibility of VSTK_RAND shall be avoided. The following scheme could be used in order to generate 4096 VSTK_RAND for each V_Ki with a probability < 10-6 that a collision occurs.
NOTE: A collision probability of <10-4 could still give a sufficient security margin and may allow, depending on the VSTK_RAND structure that is chosen, that more VSTK can be generated from one V_Ki.
The GCR maintains a COUNTER (12 bits) for each voice group. After each generation of a VSTK_RAND for a specific voice group, COUNTER for that voice group is incremented by one.
The left most 12 bits (COUNTER) of VSTK_RAND are set to COUNTER. The remaining 24 bits (RANDOM) are generated randomly, i.e. unpredictably for each new VSTK_RAND.
Therefore VSTK_RAND = COUNTER | RANDOM.
NOTE: For security reasons, any adopted scheme shall contain at least 24 true random bits.
If COUNTER wraps around, a new V_Ki is required for that group.
Table G.1 gives the maximum number of voice group calls that are possible with a full random generated VSTK_RAND:
Table G.1: Maximum number of voice group calls that are possible with a with a full random generated VSTK_RAND
|
Length of VSTK_RAND |
Max collision prob for fixed V_Ki |
Number of calls |
|
36 |
10-6 |
371 |
|
36 |
10-4 |
TBD371 |
Table G.2 gives the maximum number of voice group calls that are possible with a VSTK_RAND, as structured in this annex.
Table G.2: Maximum number of voice group calls that are possible with a VSTK_RAND
|
Total challenge length |
Length of counter |
Length of random part |
Max collision prob for fixed V_Ki |
Max collision prob for one fixed counter |
Number of calls for one fixed counter |
Total number of calls for fixed V_Ki |
|
36 |
12 |
24 |
10-6 |
2.44 × 10-10 |
1 |
4096 |
|
36 |
12 |
24 |
10-4 |
2.44 × 10-8 |
1 |
4096 |
Explanation of the columns of table G.2:
Max collision probability for fixed V_Ki: what we have determined, for security reasons, should be the maximum probability that the same value of VSTK_RAND (and hence the same value of VSTK) is used twice before the value of V_Ki is changed. 10-6 is a strong security setting; 10-4 is not quite so strong, but probably adequate.
Max collision probability for one fixed counter: : suppose that VSTK_RAND is made up of N_c counter bits and N_r random bits. We assume that the counter part will take all possible 2N_c values before V_Ki is updated. Having selected our required "Max collision prob for fixed V_Ki", this is the corresponding maximum permitted probability that the same value of the N_r random bits (and hence the same value of VSTK) is used twice for a fixed value of the N_c counter bits.
Annex H (normative):
Access security related functions for enhanced General Packet Radio Service (GPRS) in relation to Cellular Internet of Things (CIoT)