H.5 Algorithms for ciphering and integrity protection
3GPP43.020Release 17Security related network functionsTS
H.5.0 General
The following algorithms are specified:
– GEA0 for null-encryption.
– GEA4/GIA4 for ciphering and integrity protection based on Kasumi 128.
– GEA5/GIA5 for ciphering and integrity protection based on SNOW 3G.
The MS shall support integrity algorithms GIA4 and GIA5. The MS shall support ciphering algorithms GEA0, GEA4 and GEA5. No other GPRS encryption algorithms shall be supported in the MS for the enhanced security features described in the present Annex.
The eSGSN shall support an integrity algorithm GIA4 or GIA5. The eSGSN shall support a ciphering algorithm GEA0, GEA4 or GEA5.If encryption is supported by eSGSN, only GEA4 or GEA5 shall be used with GIA4 or GIA5.
H.5.1 Null ciphering algorithm
If GEA0 is selected, the ciphering function implemented in the LLC layer shall be disabled according to TS 44.064 [20].
NOTE : GEA0 provide no security.
H.5.2 Ciphering algorithm
H.5.2.1 Inputs and outputs
H.5.2.1.1 General
The input parameters to the ciphering algorithm GEA4 are as specified in TS 55.226 [21] and described in TS 43.061 [2].
The input parameters to the GEA5 are the 128-bit ciphering key Kc128, the 32-bit INPUT, the 1-bit DIRECTION and the 32-bit CONSTANT-F. The INPUT and the DIRECTION parameters are as described in 41.061 [2].
NOTE: The input parameters used in GEA4 and GEA5 are not identical. GEA5 uses CONSTANT-F which is missing from GEA4.
Figure H.5.2.1-1 illustrates the use of the ciphering algorithm GEA5 to encrypt plaintext by applying a keystream using a bit per bit binary addition of the plaintext and the keystream. The plaintext may be recovered by generating the same keystream using the same input parameters and applying a bit per bit binary addition with the ciphertext.
Figure H.5.2.1-1: Ciphering of data with GEA5.
Based on the input parameters the algorithm generates the output keystream block KEYSTREAM which is used to encrypt the input plaintext block PLAINTEXT to produce the output ciphertext block CIPHERTEXT.
H.5.2.1.2 CONSTANT-F
If the CONSTANT-F parameter is used as an input to the ciphering algorithm, the 8-bit input value FRAMETYPE is specified as follows:
– LLC UI-frame: FRAMETYPE = 0;
– LLC I-frame: FRAMETYPE = 1; (reserved for future usage)
NOTE: Acknowledged operation are not supported at stage 3 specifications.
H.5.2.2 GEA5
GEA5 is based on SNOW 3G, and is specified in TS 55.251 [25].
H.5.3 Integrity algorithm
H.5.3.1 Inputs and outputs
H.5.3.1.1 General
The input parameters to the integrity algorithm are the 128-bit integrity key Ki128, the 32-bit INPUT-I, the message (MESSAGE), the 1-bit DIRECTION and the 32-bit CONSTANT-F.
DIRECTION bit is 0 for uplink and 1 for downlink.
Figure H.5.3.1-1 illustrates the integrity algorithm GIA to authenticate the integrity of messages.
Figure H.5.3.1-1: Derivation of MAC/XMAC.
Based on these input parameters the sender computes a 32-bit message authentication code (MAC) using the integrity algorithm GIA. The message authentication code is then appended to the message when sent. The receiver computes the expected message authentication code (XMAC) on the message received in the same way as the sender computed its message authentication code on the message sent and verifies the data integrity of the message by comparing it to the received message authentication code, i.e. MAX.
H.5.3.1.2 INPUT-I
If the integrity algorithm is used at LLC layer, the following rules apply for the INPUT-I generation:
The INPUT-I parameter is generated according to the following algorithm if the LLC frame is a UI frame:
INPUT -I = ( ( i-IOV‑UI SX ) + LFN + OC ) modulo 232
The INPUT -I parameter is generated according to the following algorithm if the LLC frame is an I frame:
INPUT -I = ( i-IOV‑I + LFN + OC ) modulo 232
where:
– i-IOV‑UI is a 32 bit random value generated by SGSN.
– i-IOV‑I is a 32 bit random value generated by SGSN.
NOTE: INPUT-I rules for I-frames are specified for potential future usage. Acknowledged operation are not supported at stage 3 specifications.
All other values of INPUT -I (i.e. SX, LFN, OC) are as specified for INPUT (ciphering), see TS 44.064 Annex A [20].
If the integrity algorithm is used at GMM layer, the following rules apply for the INPUT-I generation:
– All INPUT-I bits shall be set to 0 if the integrity algorithm is to calculate the GMM-MAC.
H.5.3.1.3 CONSTANT-F
The 8-bit input value FRAMETYPE needed for the CONSTANT-F calculation is specified as follows:
– At LLC layer with UI-frames: FRAMETYPE = 0b0xxxxxx0;
Where xxxxxx represents the six lowest bits of the IOV_updates counter.
– At LLC layer reserved for future with I-frames: FRAMETYPE = 0b0xxxxxx 1;
– Where xxxxxx represents the six lowest bits of the IOV_updates counter.
– At LLC layer for MAC-IOV: FRAMETYPE = 0b11111110 (254) ;
– At GMM layer for MAC-GMM: FRAMETYPE = 0b11111111 (255);
NOTE: The FRAMETYPE values for UI-frames, and I-frames are not constants but re-calculated every time new IOV values are updated. This quarantees 64 IOV value updates without collision, and lowers the prob ability of collision significantly even when the six lowest bits of the IOV_updates counter rolls over.
H.5.3.2 GIA4
GIA4 is based on Kasumi 128, and is specified in TS 55.241 [26].
H.5.3.3 GIA5
GIA5 is based on SNOW 3G, and is specified in TS 55.251[25].