H.3 Ciphering and integrity mode negotiation
3GPP TS 43.020, Release 17, Security related network functions
This clause specifies how ciphering and integrity mode is negotiated. Depending on the message, the integrity protection may be implemented at GMM or LLC layer. The layer at which the Message Authentication Code (MAC) is carried is indicated by abbreviations "MAC-GMM" and "MAC-LLC" accordingly.
NOTE 1: Security for PS HO has not been studied in the scope of Annex H.
NOTE 2: The procedures for Attach and Routing Area Update are identical. The general principle is that if Routing Area Update procedure needs to be authenticated, then the MAC is carried at GMM layer. If there is no authentication and a valid security association is used, then the MAC is carried at LLC layer.
The message sequence flow below (figure H.3-1) describes the information transfer at initial connection establishment, authentication and start of integrity protection and ciphering (if used). In this sequence, the MS does not have a valid security association for this network.
Figure H.3-1: Attach with authentication
1) MS sends an Attach request to the eSGSN. The cipher algorithms and integrity algorithms supported by the MS shall be included in the MS network capability parameters. The MS network capability shall contain one set of encryption algorithms and one set of integrity algorithms. The MS network capability optionally contains an indication that the MS supports user plane integrity. Furthermore, the message includes MS radio access capability.
2) eSGSN obtains AVs (quintets) from HLR/HSS based on IMSI.
3) eSGSN checks for the presence of a non-NULL integrity algorithm in the MS network capability parameters. If present, the eSGSN continues according to the provisions in the present Annex, otherwise the eSGSN continues according to the provisions in Annex D of the present specification. Then the eSGSN selects one cipher algorithm and one integrity algorithm from the MS network capability and then derives the cipher key (Kc128) and the integrity key (Ki128).
4) eSGSN sends Authentication and Ciphering request including the chosen cipher algorithm and integrity algorithm and MS network capability to MS. The message shall include also the MS radio access capability that was sent unprotected in step 1). The Authentication and Ciphering request is integrity protected by the message authentication code MAC-GMM.
5) If the MAC-GMM is not present, the MS shall terminate the connection. MS runs UMTS AKA with the USIM and derives the Kc128 and the Ki128 from the CK/IK. The MS verifies the message authentication code MAC-GMM, and if the check of the MAC-GMM is successful then MS checks that the echoed MS network capability and the echoed MS radio access capability are the same as the ones it sent. If the verification of MAC-GMM fails the MS terminates the procedure.
6) The MS stores locally a counter IOV_updates. The first value after successful authentication is IOV_updates=0. MS sends Authentication and Ciphering response to the eSGSN. MS calculates the MAC-GMM using the integrity key Ki128 and the network selected integrity algorithm and sends it in Authentication and Ciphering response along with RES.
7) The eSGSN receives the Authentication and Ciphering Response message and verifies the MAC-GMM, and checks the RES. After successful authentication, the eSGSN shall maintain a counter of IOV updates in a local, MS specific variable called IOV_updates. The value after successful authentication is IOV_updates=0. eSGSN increments the IOV_updates by 1 before it is used in the IOV-MAC calculation, so the first used value will be IOV_updates=1. eSGSN initiates a LLC XID signalling procedure for updating the i-IOV-UI (and IOV-UI if ciphering is in use). These messages are clear text messages but they carry a protected IOV container from eSGSN to MS. Further details on the protected IOV container are described in clause H.9. The IOV values shall not be sent unprotected.
8) If ciphering is used, the MS activates it by assigning the ciphering key Kc128 and the network selected ciphering algorithm, and uses it for the subsequent messages.
9) If ciphering is used, eSGSN activates it by assigning the ciphering key Kc128 and the network selected ciphering algorithm, and uses it for the subsequent messages. If the MS indicated support for user plane integrity then eSGSN decides whether to provide user plane integrity. For this decision, the eSGSN may use information from the subscriber profile.
10) The Attach Accept message is sent integrity protected with MAC-LLC. If the eSGSN decided to provide user plane integrity the SGSN includes an indicator that user plane integrity is provided.
11) The MS verifies the MAC-LLC, and the ciphering and integrity mode negotiation is completed.
NOTE 3: The SGSN makes the final decision on the security services provided. The MS may have a local security policy mandating the use of user plane integrity. If the SGSN decides to not enable user plane integrity the MS may decide to reject the connection. This is similar to a situation where a local security policy on the MS mandates the use of ciphering, but the SGSN does not enable ciphering.
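The checks in steps 3) to 5) of figure H.3-1 can be modelled as follows. This is an added example, not part of the specification: the algorithm labels, the eSGSN preference order, the message layout and the key value are constructed, the MAC is a truncated HMAC-SHA-256 stand-in rather than the 3GPP integrity algorithm, and the page does not state what the MS does on a capability mismatch, so the sketch only reports it. It assumes the MS and eSGSN share at least one cipher and one integrity algorithm.

```python
import hashlib, hmac, json

# Constructed labels: the page does not name the algorithms.
NULL_INT = "INT-NULL"
ESGSN_INT_PREF = ["INT-B", "INT-A"]      # hypothetical network preference order
ESGSN_CIPH_PREF = ["CIPH-B", "CIPH-A"]
KI128 = bytes(range(16))   # constructed; stands in for the Ki128 both sides derive

def canon(body):
    return json.dumps(body, sort_keys=True).encode()

def mac_gmm(ki128, body):
    # Stand-in MAC (truncated HMAC-SHA-256), not the 3GPP integrity algorithm.
    return hmac.new(ki128, canon(body), hashlib.sha256).hexdigest()[:8]

def esgsn_build_request(net_cap, radio_cap, ki128):
    """Steps 3) and 4): select algorithms, echo what was received, add MAC-GMM."""
    offered = [a for a in net_cap["integrity"] if a != NULL_INT]
    if not offered:
        return None   # no non-NULL integrity algorithm: Annex D path, not modelled
    body = {"integrity": next(a for a in ESGSN_INT_PREF if a in offered),
            "cipher": next(a for a in ESGSN_CIPH_PREF if a in net_cap["cipher"]),
            "net_cap": net_cap, "radio_cap": radio_cap}
    return {**body, "mac_gmm": mac_gmm(ki128, body)}

def ms_check_request(req, sent_net_cap, sent_radio_cap, ki128):
    """Step 5): return "ok" or the reason the check did not pass."""
    if "mac_gmm" not in req:
        return "terminate: MAC-GMM not present"
    body = {k: v for k, v in req.items() if k != "mac_gmm"}
    if not hmac.compare_digest(req["mac_gmm"], mac_gmm(ki128, body)):
        return "terminate: MAC-GMM verification failed"
    if body["net_cap"] != sent_net_cap or body["radio_cap"] != sent_radio_cap:
        return "mismatch: echoed capabilities differ from those sent"
    return "ok"

# Constructed capabilities as the MS sends them in step 1).
MS_NET_CAP = {"cipher": ["CIPH-A", "CIPH-B"], "integrity": ["INT-A", "INT-B"],
              "up_integrity": True}
MS_RADIO_CAP = "a1b2c3"
# The same capabilities as the eSGSN would see them if the unprotected
# Attach request were altered in transit: entries are missing.
ALTERED_NET_CAP = {"cipher": ["CIPH-A"], "integrity": ["INT-A"], "up_integrity": False}

if __name__ == "__main__":
    for seen in (MS_NET_CAP, ALTERED_NET_CAP):
        req = esgsn_build_request(seen, MS_RADIO_CAP, KI128)
        print(req["integrity"], "->", ms_check_request(req, MS_NET_CAP, MS_RADIO_CAP, KI128))
```

In the altered case the MAC-GMM still verifies, because the eSGSN computed it over the capabilities it received; only the comparison of the echoed values against what the MS actually sent exposes the change.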
Optionally, if the MS already has a security association with the network (see figure H.3-2), the network may decide to continue using earlier negotiated security parameters for ciphering and integrity protection without re-authentication after receiving an unciphered Attach Request message (1) with a valid MAC-LLC. Both the MS and the network shall use the latest security parameters for ciphering and integrity protection. The SGSN starts ciphering (if used) when sending the ciphered Attach Accept message (2) to the MS. The Attach Accept message may optionally include an indication if UP integrity protection is used. The MS starts ciphering (if used) uplink signalling messages and data after receiving an Attach Accept message (3) from the network with a valid MAC-LLC.
Figure H.3-2: Attach without authentication
Optionally, if the MS already has a security association with the network (see figure H.3-3), the network may decide to continue using earlier negotiated ciphering and integrity keys but with new algorithms and IOV-UI/i-IOV-UI values without re-authentication. The Authentication and Ciphering request and response (3, 4) are protected with the old algorithms. Protected new IOV-UI and i-IOV-UI values are sent to the MS in the underlying LLC signalling in a protected IOV container (5); the protected IOV container is described in clause H.9. The IOV values shall not be sent unprotected. The new algorithms are taken into use (6, 7). Attach Accept (8) and Attach Complete (9) are used to test the new security parameters. Attach Accept can optionally be used to refresh the UP integrity protection indication value.
Figure H.3-3: Attach with change of algorithm but without authentication
Optionally, if the MS already has a security association with the network (see figure H.3-4), the network may decide to continue using earlier negotiated security parameters for ciphering and integrity protection without authentication after receiving an unciphered Attach Request message (1) if the P-TMSI signature can be verified in the old eSGSN.
Figure H.3-4: Attach at inter-SGSN change without authentication
1) MS sends an Attach Request to the eSGSNn. The message is protected using MAC-LLC. In this procedure, the message includes the P-TMSI signature, MS network capability, and MS radio access capability parameters. The MS network capability optionally contains an indication that the MS supports user plane integrity.
2) eSGSNn is not able to verify the MAC-LLC in the LLC layer because it has no integrity key. The LLC layer silently discards the MAC-LLC and forwards the Attach Request to the GMM layer. The GMM layer processes the Attach Request. eSGSNn requests the security context information from the eSGSNo. In this scenario, the security relies on eSGSNo verifying the P-TMSI signature. If there is no P-TMSI signature added by the MS to the Attach Request, eSGSNn must not proceed to step 3) but must re-authenticate the MS (see Figure H.3-1).
3) eSGSNn sends the P-TMSI signature and other relevant information to eSGSNo.
4) eSGSNo verifies the P-TMSI signature and, if the verification is successful, the GMM layer requests from the LLC layer the current value of the IOV_updates counter.
5) The eSGSNo returns the IMSI, the IOV_updates counter and the other security related information to the eSGSNn. The security related information shall include an indication that the MS supports user plane integrity if it was sent by the MS to the eSGSNo. eSGSNo shall tell the eSGSNn if the subscriber profile indicated that UP integrity was required. eSGSNo shall keep the security related information other than P-TMSI signature. The P-TMSI signature is removed.
If the eSGSNn does not support the current integrity algorithm used between the eSGSNo and the MS, then a new authentication needs to be initiated. This is not further described in this signalling flow.
The eSGSNn decides whether to provide user plane integrity based on the indication from eSGSNo regarding MS support for user plane integrity and subscriber profile information.
6) The GMM layer in the eSGSNn initiates a LLC XID signalling procedure for updating the i-IOV-UI for integrity protection and the IOV-UI for ciphering (if ciphering is in use). The LLC layer needs the following security information received from the eSGSNo in order to protect the re-negotiation of IOV values: the integrity algorithm, the integrity key Ki128, and the IOV_updates counter. The LLC layer initiates the LLC XID signalling procedure to construct and deliver the protected IOV container to the MS (see clause H.9). The IOV values shall not be sent unprotected.
7) After the IOV values have been delivered to the MS securely, the GMM layer in the eSGSNn activates integrity protection and ciphering, if used, in the LLC layer by assigning the integrity key, the integrity algorithm, the ciphering key and the ciphering algorithm. eSGSNn sends the Attach Accept message that is protected with MAC-LLC. This message includes the new P-TMSI signature, and echoed MS network capability, and echoed MS radio access capability parameters. If the eSGSN decided to provide user plane integrity the SGSN includes an indicator that user plane integrity is provided.
8) The MS verifies the message authentication code MAC-LLC, and if the check of the MAC-LLC is successful then MS checks that the echoed MS network capability and MS radio access capability parameters are the same as the ones it sent. If the verification of MAC-LLC fails the MS terminates the procedure. The MS sends the Attach Complete message that is protected with MAC-LLC.
9) eSGSNn verifies the MAC-LLC, and if successful, updates the new location of the MS to HLR.
10) HLR cancels the location from eSGSNo. At this phase, the eSGSNo can remove the security related information related to the MS. If the MS location is not cancelled by HLR, the security related information shall not be removed.