44.2.5 GPRS authentication and ciphering

3GPP51.010-1Mobile Station (MS) conformance specificationPart 1: Conformance specificationTS

44.2.5.1 Test of authentication

The purpose of this procedure is to verify the user identity. A correct response is essential to guarantee the establishment of the connection. If not, the connection will drop.

44.2.5.1.1 Authentication accepted

44.2.5.1.1.1 Conformance requirement

A Mobile Station shall correctly respond in an authentication and ciphering procedure by sending a response with the SRES information field set to the same value as the one produced by the authentication and ciphering algorithm in the network.

Reference(s):

3GPP TS 04.08 / 3GPP TS 24.008 subclause 4.7.7.

44.2.5.1.1.2 Test purpose

To test the behaviour of the MS if the network accepts the authentication and ciphering procedure.

44.2.5.1.1.3 Method of test

Initial conditions

System Simulator:

Two cells (not simultaneously activated), cell A in MCC1/MNC1/LAC1/RAC1, cell B in MCC1/MNC1/LAC1/RAC2.

Both cells are operating in network operation mode II.

Mobile Station:

The MS has a valid IMSI. MS is Idle Updated on cell A.

Specific PICS statements:

– MS operation mode B (TSPC_operation_mode_B).

– MS operation mode C (TSPC_operation_mode_C).

– Switch off on button (TSPC_Feat_OnOff).

– Automatic GPRS attach procedure at switch on or power on (TSPC_AddInfo_on_auto_GPRS_AP).

PIXIT statements:

Test procedure

A GPRS attach is performed, and the SS initiates an authentication and ciphering procedure.

The SS checks the value SRES sent by the MS in the AUTHENTICATION AND CIPHERING RESPONSE message.

The MS initiates a routing area updating procedure and the SS checks the value of the GPRS Ciphering Key Sequence Number sent by the MS in the ROUTING AREA REQUEST message.

Maximum duration of test

10 minutes.

Expected sequence

Step

Direction

Message

Comments

The following messages are sent and shall be received on cell A.

1

SS

The SS activates cell A.

2

MS

The MS is set in MS operation mode C (see PICS). If MS operation mode C not supported, goto step 18.

3

MS

The MS is powered up or switched on and initiates an attach (see PICS).

4

MS -> SS

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobile identity = IMSI

5

SS -> MS

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.
Set GPRS-CKSN-1

RAND

6

MS -> SS

AUTHENTICATION AND CIPHERING RESPONSE

SRES

7

SS

The SS checks the SRES value.

"Auth. Response Parameter (extension)" IE might be included if the RES value is more than 4 octets long.

8

SS -> MS

ATTACH ACCEPT

Attach result = ‘GPRS only attached’

Mobile identity = P-TMSI-2

P-TMSI-2 signature

Routing area identity = RAI-1

9

MS -> SS

ATTACH COMPLETE

The following messages are sent and shall be received on cell B.

10

SS

Activate cell B with a lower signal strength than cell A The RF level of cell A is lowered until cell B is preferred by the MS.

11

MS -> SS

ROUTING AREA UPDATING REQUEST

Update type = ‘RA updating’

P-TMSI-2 signature

Routing area identity = RAI-1

GPRS-CKSN-1

12

SS

The value of GPRS-CKSN is checked

13

SS -> MS

ROUTING AREA UPDATING ACCEPT

Update result = ‘RA updated’

Mobile identity = P-TMSI-1

P-TMSI-1 signature

Routing area identity = RAI-4

14

MS -> SS

ROUTING AREA UPDATING COMPLETE

15

MS

The MS is switched off or power is removed (see PICS).

16

MS -> SS

DETACH REQUEST

Message not sent if power is removed.

Detach type = ‘power switched off, GPRS detach’

17

SS

Reset the RF level of cell A to default state. Deactivate cell B.

18

MS

The MS is set in MS operation mode B (see PICS) and the test is repeated from step 3 to step 16.

Specific message contents

None.

44.2.5.1.2 Authentication rejected

44.2.5.1.2.1 Conformance requirement

1. Upon receipt of an AUTHENTICATION AND CIPHERING REJECT message, the MS shall set the GPRS update status to GU3 ROAMING NOT ALLOWED and shall delete the P-TMSI, P-TMSI signature, RAI and GPRS ciphering key sequence number stored.

2. The SIM shall be considered as invalid until switching off or the SIM is removed.

3. If the AUTHENTICATION AND CIPHERING REJECT message is received, the MS shall abort any GMM procedure, shall stop the timers T3310 and T3330 (if running) and shall enter state GMM-DEREGISTERED.

Reference(s):

3GPP TS 04.08 / 3GPP TS 24.008 subclause 4.7.7.5.

44.2.5.1.2.2 Test purpose

To test the behaviour of the MS if the network rejects the authentication and ciphering procedure.

44.2.5.1.2.3 Method of test

Initial conditions

System Simulator:

Two cells (not simultaneously activated), cell A in MCC1/MNC1/LAC1/RAC1, cell B in MCC1/MNC1/LAC1/RAC2.

Both cells are operating in network operation mode II.

Mobile Station:

The MS has a valid IMSI. MS is Idle Updated on cell A.

Specific PICS statements:

– MS operation mode B (TSPC_operation_mode_B).

– MS operation mode C (TSPC_operation_mode_C).

– Switch off on button (TSPC_Feat_OnOff).

– Automatic GPRS attach procedure at switch on or power on (TSPC_AddInfo_on_auto_GPRS_AP).

PIXIT statements:

Test procedure

The test sequence is repeated for k = 1, 2.

A complete GPRS attach procedure is performed. The SS rejects the following authentication and ciphering procedure. The MS is paged with its former P-TMSI and shall not respond.

The Cell is changed into a new Routing Area.

The SS checks that the MS does not perform normal routing area updating.

The SS then checks that the MS does not perform a GPRS attach.

The SS checks that the MS does not perform a GPRS detach if switched off.

The MS is switched on or powered up. The SS checks that the MS performs a GPRS Attach procedure.

Maximum duration of test

10 minutes.

Expected sequence

The test sequence is repeated for k = 1, 2.

For k =1, the MS is set in MS operation mode C. If MS operation mode C not supported then k = 2.

For k = 2 the MS is set in MS operation mode B.

Step

Direction

Message

Comments

The following messages are sent and shall be received on cell A.

1

SS

The SS activates cell A.

2

MS

The MS is powered up or switched on and initiates an attach (see PICS).

3

MS -> SS

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobile identity = IMSI

4

SS -> MS

ATTACH ACCEPT

Attach result = ‘GPRS only attached’

Mobile identity = P-TMSI-1

P-TMSI-1 signature

Routing area identity = RAI-1

5

MS -> SS

ATTACH COMPLETE

6

SS -> MS

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.
Set GPRS-CKSN-1

RAND

7

MS -> SS

AUTHENTICATION AND CIPHERING RESPONSE

SRES

8

SS -> MS

AUTHENTICATION AND CIPHERING REJECT

9

SS -> MS

The SS pages the MS with mobile identity P-TMSI-1 and paging order for TBF establishment according to the channel combination of the cell.

10

MS

No response from the MS to the request. This is checked for 10 s.

The following messages are sent and shall be received on cell B.

11

SS

The SS deactivates cell A and activates cell B.

12

MS

Cell B is preferred by the MS.

13

MS

No ROUTING AREA UPDATING REQUEST sent to the SS
(SS waits 30 seconds).

14

MS

If possible (see PICS) the MS initiates an attach by MMI or by AT command.

15

MS

No ATTACH REQUEST sent to the SS
(SS waits 30 seconds).

16

MS

The MS is switched off (see PICS).

17

SS

No DETACH REQUEST sent to the SS
(SS waits 30 seconds).

18

The MS is powered up or switched on.

Step 19 is only performed for k =2

19

{Location Update Procedure}

Macro. Location Update Procedure initiated from the MS. Parameter mobile identity is IMSI.

19a

MS initiates an attach (see PICS).

20

MS -> SS

ATTACH REQUEST

Attach type = ‘GPRS only attached’

Mobile identity = IMSI

21

SS -> MS

ATTACH ACCEPT

Attach result = ‘GPRS attach’

Mobile identity = P-TMSI-1

P-TMSI-1 signature
Routing area identity = RAI-4

22

MS -> SS

ATTACH COMPLETE

23

MS

The MS is switched off or power is removed. (see Pics)

24

MS -> SS

DETACH REQUEST

Message not sent if power is removed.

25

MS

If k=1 then the test is repeated for k=2.

Specific message contents

None.

44.2.5.1.3 Authentication accepted with USIM

44.2.5.1.1.1 Conformance requirement

A Mobile Station shall correctly respond in an authentication and ciphering procedure by sending a response with the SRES information field set to the same value as the one produced by the authentication and ciphering algorithm in the network.

In a UMTS authentication challenge, if the AUTHENTICATION_AND_CIPHERING REQUEST message includes the UMTS authentication parameters GPRS CKSN, RAND and AUTN, then upon receipt of the message, the MS verifies the AUTN parameter and if this is accepted, the MS processes the challenge information and sends an AUTHENTICATION_AND_CIPHERING RESPONSE message to the network.

Reference(s):

3GPP TS 24.008 subclause 4.7.7.2.

44.2.5.1.1.2 Test purpose

To verify that the MS is able to authenticate itself for GPRS transmission using the USIM application through an UMTS challenge.

44.2.5.1.1.3 Method of test

Initial conditions

System Simulator:

Two cells (not simultaneously activated), cell A in MCC1/MNC1/LAC1/RAC1, cell B in MCC1/MNC1/LAC1/RAC2.

Both cells are operating in network operation mode II, SGSN is R99

Mobile Station:

Test USIM is plugged into the MS.
The MS has a valid IMSI. MS is Idle Updated on cell A.

Specific PICS statements:

– MS operation mode B (TSPC_operation_mode_B).

– MS operation mode C (TSPC_operation_mode_C).

– Switch off on button (TSPC_Feat_OnOff).

– Automatic GPRS attach procedure at switch on or power on (TSPC_AddInfo_on_auto_GPRS_AP).

PIXIT statements:

Test procedure

A GPRS attach is performed, and the SS initiates an authentication and ciphering procedure with an UMTS challenge request.

The SS checks the value RES sent by the MS in the AUTHENTICATION AND CIPHERING RESPONSE message (calculated with UMTS AKA algorithm).

The MS initiates a routing area updating procedure and the SS checks the value of the GPRS Ciphering Key Sequence Number sent by the MS in the ROUTING AREA REQUEST message.

Expected sequence

Step

Direction

Message

Comments

The following messages are sent and shall be received on cell A.

1

SS

The SS activates cell A.

2

MS

The MS is set in MS operation mode C (see PICS). If MS operation mode C not supported, goto step 18.

3

MS

The MS is powered up or switched on and initiates an attach (see PICS).

4

MS -> SS

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobile identity = IMSI

5

SS -> MS

AUTHENTICATION AND CIPHERING REQUEST

Request UMTS authentication.
Set GPRS-CKSN-1

RAND & AUTN included (see specific message content)

6

MS -> SS

AUTHENTICATION AND CIPHERING RESPONSE

RES

7

SS

The SS checks the RES value.

8

SS -> MS

ATTACH ACCEPT

Attach result = ‘GPRS only attached’

Mobile identity = P-TMSI-2

P-TMSI-2 signature

Routing area identity = RAI-1

9

MS -> SS

ATTACH COMPLETE

The following messages are sent and shall be received on cell B.

10

SS

Activate cell B with a lower signal strength than cell A The RF level of cell A is lowered until cell B is preferred by the MS.

11

MS -> SS

ROUTING AREA UPDATING REQUEST

Update type = ‘RA updating’

P-TMSI-2 signature

Routing area identity = RAI-1

GPRS-CKSN-1

12

SS

The value of GPRS-CKSN is checked

13

SS -> MS

ROUTING AREA UPDATING ACCEPT

Update result = ‘RA updated’

Mobile identity = P-TMSI-1

P-TMSI-1 signature

Routing area identity = RAI-4

14

MS -> SS

ROUTING AREA UPDATING COMPLETE

15

MS

The MS is switched off or power is removed (see PICS).

16

MS -> SS

DETACH REQUEST

Message not sent if power is removed.

Detach type = ‘power switched off, GPRS detach’

17

SS

Reset the RF level of cell A to default state. Deactivate cell B.

18

MS

The MS is set in MS operation mode B (see PICS) and the test is repeated from step 3 to step 16.

Specific message contents

AUTHENTICATION AND CIPHERING REQUEST in step 5:

Same as default content except:

Information element

Value/remark

IE AUTN

Calculated as defined for Test USIM

44.2.5.2 Test of ciphering mode setting

The purpose of this procedure is to let the network to trigger the start and stop of stream ciphering.

The SS shall start and synchronise ciphering and deciphering according to 3GPP TS 03.20 / 3GPP TS 33.102, 3GPP TS 33.220. The bitstream shall be generated according to the commanded algorithm GExA.

44.2.5.2.1 Ciphering mode / start ciphering

44.2.5.2.1.1 Conformance requirements

1. When the MS receives the AUTHENTICATION AND CIPHERING REQUEST message during the attach procedure, with Ciphering indicator information element set to ‘ciphering mode off’, the Mobile Station shall:

1.1. responds with an AUTHENTICATION AND CIPHERING RESPONSE message;

1.2. not start ciphering.

2. When the MS receives the AUTHENTICATION AND CIPHERING REQUEST message during the routing area updating procedure, with Ciphering indicator information element set to ‘ciphering mode on’, the Mobile Station shall:

2.1. responds with an AUTHENTICATION AND CIPHERING RESPONSE message;

2.2. start ciphering and deciphering with the algorithm indicated by the Ciphering algorithm information element;

2.3. the ciphering uses the cipher key determined during the authentication procedure.

Reference(s):

3GPP TS 04.08 / 3GPP TS 24.008 subclause 4.7.7.

44.2.5.2.1.2 Test purpose

To test the behaviour of the MS if the network accepts the authentication and ciphering procedure with ciphering.

44.2.5.2.1.3 Method of test

Initial conditions

System Simulator:

Two cells (not simultaneously activated), cell A in MCC1/MNC1/LAC1/RAC1, cell B in MCC1/MNC1/LAC1/RAC2.

Both cells are operating in network operation mode II.

Mobile Station:

For execution counter K = 4 (GEA4) Test USIM has to be plugged into the MS
The MS has a valid IMSI. MS is Idle Updated on cell A.

Specific PICS statements:

– MS operation mode B (TSPC_operation_mode_B).

– MS operation mode C (TSPC_operation_mode_C).

– Switch off on button (TSPC_Feat_OnOff).

– Automatic GPRS attach procedure at switch on or power on (TSPC_AddInfo_on_auto_GPRS_AP).

– Supported encryption Algorithm: GEA1 (TSPC_Feat_GEA1)

– Supported encryption Algorithm: GEA2 (TSPC_Feat_GEA2)

– Supported encryption Algorithm: GEA3 (TSPC_Feat_GEA3)

– Supported encryption Algorithm: GEA4 (TSPC_Feat_GEA4)

PIXIT statements:

Test procedure

A GPRS attach is performed. Authentication procedure without ciphering is performed.

The MS initiates a routing area updating procedure, and the SS initiates an authentication and ciphering procedure to start ciphering. GEA1, GEA2, GEA3 or GEA4 encryption is used depending on the execution counter K.

The test is performed for all GEAx encryption algorithm supported by the MS.

Maximum duration of test

15 minutes.

Expected sequence

The sequence is performed for execution counter K=1 when the MS supports GEA1, for K=2 when the MS supports GEA2, for K=3 when the MS supports GEA3 and for K=4 when the MS supports GEA4.

Step

Direction

Message

Comments

The following messages are sent and shall be received on cell A.

1

SS

The SS activates cell A.

2

MS

The MS is set in MS operation mode C (see PICS). If MS operation mode C not supported, goto step 28.

3

MS

The MS is powered up or switched on and initiates an attach (see PICS).

4

MS -> SS

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobile identity = IMSI
Message not ciphered

5

SS -> MS

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.
Ciphering off

Set GPRS-CKSN-1

RANDFor K=4 AUTN

Message not ciphered

6

MS -> SS

AUTHENTICATION AND CIPHERING RESPONSE

For K=1,2,3 SRES

For K=4 RES

"Auth. Response Parameter (extension)" IE might be included if the RES value is more than 4 octets long.

Message not ciphered

7

SS -> MS

ATTACH ACCEPT

Attach result = ‘GPRS only attached’

Mobile identity = P-TMSI-2

P-TMSI-2 signature

Routing area identity = RAI-1
Message not ciphered

8

MS -> SS

ATTACH COMPLETE

Message not ciphered

9

SS -> MS

PAGING REQUEST TYPE 1

Mobile identity = P-TMSI-2
Paging order is for TBF establishment.

Message not ciphered

10

MS -> SS

UPLINK RLC DATA BLOCK

LLC PDU implicitly indicating paging response.

Message not ciphered

The following messages are sent and shall be received on cell B.

11

SS

Activate cell B with a lower signal strength than cell A The RF level of cell A is lowered until cell B is preferred by the MS.

12

MS -> SS

ROUTING AREA UPDATING REQUEST

Update type = ‘RA updating’

P-TMSI-2 signature

Routing area identity = RAI-1
Message not ciphered

13

SS -> MS

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.
Ciphering on with encryption:

GEA1 for K=1,

GEA2 for K=2,

GEA3 for K=3.

GEA4 for K=4.

Set GPRS-CKSN-2

RAND

For K=4 AUTN
Message not ciphered

14

MS -> SS

AUTHENTICATION AND CIPHERING RESPONSE

For K=1,2,3 SRES

For K=4 RES

"Auth. Response Parameter (extension)" IE might be included if the RES value is more than 4 octets long.

Message not ciphered

15

SS -> MS

ROUTING AREA UPDATING ACCEPT

Update result = ‘RA updated’

Mobile identity = P-TMSI-1

P-TMSI-1 signature

Routing area identity = RAI-4
Message ciphered

16

MS -> SS

ROUTING AREA UPDATING COMPLETE

Message ciphered

17

SS -> MS

PAGING REQUEST TYPE 1

Mobile identity = P-TMSI-1
Paging order is for TBF establishment.
Message not ciphered

18

MS -> SS

UPLINK RLC DATA BLOCK

LLC PDU implicitly indicating paging response.

Message may be ciphered depending on the type of LLC PDU that are sent. The ‘E’ bit is therefore not checked.

19

SS -> MS

P-TMSI REALLOCATION COMMAND

Mobile identity = P-TMSI-2

P-TMSI-2 signature
Routing area identity = RAI-4

Message ciphered

20

MS -> SS

P-TMSI REALLOCATION COMPLETE

Message ciphered

21

SS -> MS

IDENTITY REQUEST

Identity type = IMEI
Message not ciphered

22

MS -> SS

IDENTITY RESPONSE

Mobile identity = IMEI
Message not ciphered

23

SS -> MS

P-TMSI REALLOCATION COMMAND

Mobile identity = P-TMSI-1

P-TMSI-1 signature
Routing area identity = RAI-4

Message ciphered

24

MS -> SS

P-TMSI REALLOCATION COMPLETE

Message ciphered

25

MS

The MS is switched off or power is removed (see PICS).

26

MS -> SS

DETACH REQUEST

Message not sent if power is removed.

Detach type = ‘power switched off, GPRS detach’

Message ciphered

27

SS

Cell B is powered down and Cell A is restored to full power.

28

MS

The MS is set in MS operation mode B (see PICS) and the test is repeated from step 3 to step 26.

Note that due to the test of ciphering, it is in this test case indicated whether each message is ciphered or not.

Specific message contents

AUTHENTICATION AND CIPHERING REQUEST in step 5:

Same as default content except:

Information element

Value/remark

IE AUTN

Not present for K = 1

Not present for K = 2

Not present for K = 3

Present for K = 4, calculated as defined for Test USIM

Ciphering Algorithm

Type of Algorithm

No ciphering

AUTHENTICATION AND CIPHERING REQUEST in step 13:

Same as default content except:

Information element

Value/remark

IE AUTN

Not present for K = 1

Not present for K = 2

Not present for K = 3

Present for K = 4, calculated as defined for Test USIM

Ciphering Algorithm

Type of Algorithm

GEA/1 for K = 1

GEA/2 for K = 2

GEA/3 for K = 3

GEA/4 for K = 4

44.2.5.2.2 Ciphering mode / stop ciphering

44.2.5.2.2.1 Conformance requirements

1. When the MS receives the AUTHENTICATION AND CIPHERING REQUEST message during the attach procedure, with Ciphering indicator information element set to ‘ciphering mode on’, the Mobile Station shall:

1.1. responds with an AUTHENTICATION AND CIPHERING RESPONSE message;

1.2. start ciphering and deciphering with the algorithm indicated by the Ciphering algorithm information element;

1.3. the ciphering uses the cipher key determined during the authentication procedure.

2. When the MS receives the AUTHENTICATION AND CIPHERING REQUEST message during the routing area updating procedure, with Ciphering indicator information element set to ‘ciphering mode off’, the Mobile Station shall:

2.1. responds with an AUTHENTICATION AND CIPHERING RESPONSE message;

2.2. stop ciphering.

Reference(s):

3GPP TS 04.08 / 3GPP TS 24.008 subclause 4.7.7.

44.2.5.2.2.2 Test purpose

To test the behaviour of the MS if the network accepts the authentication and ciphering procedure without ciphering.

44.2.5.2.2.2 Method of test

Initial conditions

System Simulator:

Two cells, cell A in MCC1/MNC1/LAC1/RAC1, cell B in MCC1/MNC1/LAC1/RAC2.

Both cells are operating in network operation mode II.

Mobile Station:

The MS has a valid IMSI. MS is Idle Updated on cell A.

Specific PICS statements:

– MS operation mode B (TSPC_operation_mode_B).

– MS operation mode C (TSPC_operation_mode_C).

– Switch off on button (TSPC_Feat_OnOff).

– Automatic GPRS attach procedure at switch on or power on (TSPC_AddInfo_on_auto_GPRS_AP).

PIXIT statements:

Test procedure

A GPRS attach is performed, and the SS initiates an authentication and ciphering procedure to start ciphering.

A RA updating procedure is initiated, and authentication procedure without ciphering is performed. Ciphering is turned off.

Maximum duration of test

15 minutes.

Expected sequence

Step

Direction

Message

Comments

The following messages are sent and shall be received on cell A.

1

MS

The MS is set in MS operation mode C (see PICS). If MS operation mode C not supported, goto step 22.

2

SS

The SS activates cell A.

3

MS

The MS is powered up or switched on and initiates an attach (see PICS).

4

MS -> SS

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobile identity = IMSI
Message not ciphered

5

SS -> MS

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.
Ciphering on

Set GPRS-CKSN-1

RAND
Message not ciphered

6

MS -> SS

AUTHENTICATION AND CIPHERING RESPONSE

SRES
Message not ciphered

7

SS -> MS

ATTACH ACCEPT

Attach result = ‘GPRS only attached’

Mobile identity = P-TMSI-2

P-TMSI-2 signature

Routing area identity = RAI-1
Message ciphered

8

MS -> SS

ATTACH COMPLETE

Message ciphered

9

SS -> MS

The SS pages the MS with mobile identity P-TMSI-2 and paging order for TBF establishment according to the channel combination of the cell.
Message not ciphered

10

MS -> SS

Verify that the MS initiates a TBF connection

And sends an UPLINK RLC DATA BLOCK as a

Response to the paging request.

Message may or may not be ciphered

The following messages are sent and shall be received on cell B.

11

SS

Activate cell B with a lower signal strength than cell A. The RF level of cell A is lowered until cell B is preferred by the MS.

12

MS -> SS

ROUTING AREA UPDATING REQUEST

Update type = ‘RA updating’

P-TMSI-2 signature

Routing area identity = RAI-1
Message not ciphered

13

SS -> MS

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.
Ciphering off

Set GPRS-CKSN-2

RAND
Message not ciphered

14

MS -> SS

AUTHENTICATION AND CIPHERING RESPONSE

SRES
Message not ciphered

15

SS -> MS

ROUTING AREA UPDATING ACCEPT

Update result = ‘RA updated’

Mobile identity = P-TMSI-1

P-TMSI-1 signature

Routing area identity = RAI-4
Message not ciphered

16

MS -> SS

ROUTING AREA UPDATING COMPLETE

Message not ciphered

17

SS -> MS

The SS pages the MS with mobile identity P-TMSI-1 and paging order for TBF establishment according to the channel combination of the cell.
Message not ciphered

18

MS -> SS

Verify that the MS initiates a TBF connection

And sends an UPLINK RLC DATA BLOCK as a

Response to the paging request.

Message not ciphered

19

MS

The MS is switched off or power is removed (see PICS).

20

MS -> SS

DETACH REQUEST

Message not sent if power is removed.

Detach type = ‘power switched off, GPRS detach’

Message not ciphered

21

SS

Cell B is switched off and Cell A is restored to full power.

22

MS

The MS is set in MS operation mode B (see PICS) and the test is repeated from step 3 to step 20.

Note that due to the test of ciphering, it is in this test case indicated whether each message is ciphered or not.

Specific message contents

None.

44.2.5.2.3 Ciphering mode / IMEISV request

44.2.5.2.3.1 Conformance requirements

1 When the MS receives the AUTHENTICATION AND CIPHERING REQUEST message during the attach procedure, with Ciphering indicator information element set to ‘ciphering mode on’ and ‘IMEISV requested’, the Mobile Station shall:

1.1 responds with an AUTHENTICATION AND CIPHERING RESPONSE message;

1.2 include IMEISV;

1.3 start ciphering and deciphering with the algorithm indicated by the Ciphering algorithm information element;

1.4 the ciphering uses the cipher key determined during the authentication procedure.

2 When the MS receives the AUTHENTICATION AND CIPHERING REQUEST message during the routing area updating procedure, with Ciphering indicator information element set to ‘ciphering mode off’ and ‘IMEISV not requested’, the Mobile Station shall:

2.1 responds with an AUTHENTICATION AND CIPHERING RESPONSE message;

2.2 not include IMEISV;

2.3 not start ciphering.

Reference(s):

3GPP TS 04.08 / 3GPP TS 24.008 subclause 4.7.7.

44.2.5.2.3.2 Test purpose

To test the behaviour of the MS with respect to return IMEISV on request only.

44.2.5.2.3.3 Method of test

Initial conditions

System Simulator:

Two cells, cell A in MCC1/MNC1/LAC1/RAC1, cell B in MCC1/MNC1/LAC1/RAC2.

Both cells are operating in network operation mode II.

Mobile Station:

The MS has a valid IMSI. MS is Idle Updated on cell A.

Specific PICS statements:

– MS operation mode B (TSPC_operation_mode_B).

– MS operation mode C (TSPC_operation_mode_C).

– Switch off on button (TSPC_Feat_OnOff).

– Automatic GPRS attach procedure at switch on or power on (TSPC_AddInfo_on_auto_GPRS_AP).

PIXIT statements:

Test procedure

A GPRS attach is performed, and the SS initiates an authentication and ciphering procedure. IMEISV is requested.

The MS initiates a routing area updating procedure, and the SS initiates a new authentication and ciphering procedure without requesting IMEISV.

Maximum duration of test

15 minutes.

Expected sequence

Step

Direction

Message

Comments

The following messages are sent and shall be received on cell A.

1

MS

The MS is set in MS operation mode C (see PICS). If MS operation mode C not supported, goto step 21.

2

SS

The SS activates cell A.

3

MS

The MS is powered up or switched on and initiates an attach (see PICS).

4

MS -> SS

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobile identity = IMSI
Message not ciphered

5

SS -> MS

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.
Ciphering on

IMEISV requested
Message not ciphered

6

MS -> SS

AUTHENTICATION AND CIPHERING RESPONSE

SRES

Mobile identity = IMEISV
Message not ciphered

7

SS -> MS

ATTACH ACCEPT

Attach result = ‘GPRS only attached’

Mobile identity = P-TMSI-2

P-TMSI-2 signature

Routing area identity = RAI-1
Message ciphered

8

MS -> SS

ATTACH COMPLETE

Message ciphered

9

SS -> MS

The SS pages the MS with mobile identity P-TMSI-2 and paging order for TBF establishment according to the channel combination of the cell.
Message not ciphered

10

MS -> SS

Verify that the MS initiates a TBF connection

and sends an UPLINK RLC DATA BLOCK as a

response to the paging request.

Message may or may not be ciphered

The following messages are sent and shall be received on cell B.

11

SS

Activate cell B with a lower signal strength than cell A The RF level of cell A is lowered until cell B is preferred by the MS.

12

MS -> SS

ROUTING AREA UPDATING REQUEST

Update type = ‘RA updating’

P-TMSI-2 signature

Routing area identity = RAI-1
Message not ciphered

13

SS -> MS

AUTHENTICATION AND CIPHERING REQUEST

Request authentication.
Ciphering off

IMEISV not requested
Message not ciphered

14

MS -> SS

AUTHENTICATION AND CIPHERING RESPONSE

SRES

No IMEISV included
Message not ciphered

15

SS -> MS

ROUTING AREA UPDATING ACCEPT

Update result = ‘RA updated’

Mobile identity = P-TMSI-1

P-TMSI-1 signature

Routing area identity = RAI-4
Message not ciphered

16

MS -> SS

ROUTING AREA UPDATING COMPLETE

Message not ciphered

17

SS -> MS

The SS pages the MS with mobile identity P-TMSI-1 and paging order for TBF establishment according to the channel combination of the cell.
Message not ciphered

18

MS -> SS

Verify that the MS initiates a TBF connection

and sends an UPLINK RLC DATA BLOCK as a

response to the paging request.

Message not ciphered

19

MS

The MS is switched off or power is removed (see PICS).

20

MS -> SS

DETACH REQUEST

Message not sent if power is removed.

Detach type = ‘power switched off, GPRS detach’

Message not ciphered

21

MS

The MS is set in MS operation mode B (see PICS), cell B is switched off, Cell A is restored to full power and the test is repeated from step 3 to step 20.

Note that due to the test of ciphering, it is in this test case indicated whether each message is ciphered or not.

Specific message contents

None.

44.2.5.2.4 Ciphering mode/Cipher key Kc128 and algorithm changes

44.2.5.2.4.1 Conformance requirement

A Mobile Station shall correctly respond in an authentication and ciphering procedure by sending a response with the SRES information field set to the same value as the one produced by the authentication and ciphering algorithm in the network.

In a UMTS authentication challenge, if the AUTHENTICATION_AND_CIPHERING REQUEST message includes the UMTS authentication parameters GPRS CKSN, RAND and AUTN, then upon receipt of the message, the MS verifies the AUTN parameter and if this is accepted, the MS processes the challenge information and sends an AUTHENTICATION_AND_CIPHERING RESPONSE message to the network.

In a UMTS authentication challenge, the new UMTS ciphering key, the new GSM ciphering key and the new UMTS integrity key calculated from the challenge information shall overwrite the previous UMTS ciphering key, GSM ciphering key and UMTS integrity key. The new UMTS ciphering key, GSM ciphering key and UMTS integrity key are stored on the USIM together with the ciphering key sequence number. Furthermore, in A/Gb mode when after the authentication procedure an A5 ciphering algorithm that requires a 128-bit ciphering key is taken into use, then a new GSM Kc128 shall also be calculated as described in the subclause 4.3.2.3a

Reference(s):

3GPP TS 24.008 subclause 4.7.7.2.

3GPP TS 24.008 subclause 4.3.2.2.

44.2.5.2.4.2 Test purpose

To verify that the MS uses correctly Kc and Kc128 when the GPRS Encryption Algorithm is changed from GEA2/GEA3 to GEA4 and from GEA4 to GEA2/GEA3.

44.2.5.2.4.3 Method of test

Initial conditions

System Simulator:

Two cells (not simultaneously activated), cell A in MCC1/MNC1/LAC1/RAC1, cell B in MCC1/MNC1/LAC1/RAC2.

Both cells are operating in network operation mode II, SGSN is R99

Mobile Station:

Test USIM is plugged into the MS. The MS has a valid IMSI. MS is Idle Updated on cell A.

Specific PICS statements:

– MS operation mode B (TSPC_operation_mode_B).

– MS operation mode C (TSPC_operation_mode_C).

– Switch off on button (TSPC_Feat_OnOff).

– Automatic GPRS attach procedure at switch on or power on (TSPC_AddInfo_on_auto_GPRS_AP).

– Supported encryption Algorithm: GEA2 (TSPC_Feat_GEA2)

– Supported encryption Algorithm: GEA3 (TSPC_Feat_GEA3)

PIXIT statements:

Test procedure

A GPRS attach is performed, and the SS initiates an authentication and ciphering procedure with an UMTS challenge request; type of algorithm is GEA2 or GEA3 dependent on supported algorithm.

The SS checks the value RES sent by the MS in the AUTHENTICATION AND CIPHERING RESPONSE message (calculated with UMTS AKA algorithm).

The cell A is deactivated and cell B activated .

The MS initiates a routing area updating procedure and the SS initiates an authentication and ciphering procedure with an UMTS challenge request. The SS sends ROUTING ARE UPDATING ACCEPT ciphered with GEA4 and the MS answer with ciphered ROUTING ARE UPDATING COMPLETE.

The cell B is deactivated and cell A activated

The MS initiates a routing area updating procedure and the SS initiates an authentication and ciphering procedure with an UMTS challenge request. The SS sends ROUTING ARE UPDATING ACCEPT ciphered with GEA2/GEA3 and the MS answer with ciphered ROUTING ARE UPDATING COMPLETE.

Expected sequence

The sequence is executed with GEAx = GEA3 when GEA2 is not supported or GEA2 when GEA2 is supported.

Step

Direction

Message

Comments

The following messages are sent and shall be received on cell A.

1

SS

The SS activates cell A.

2

MS

The MS is set in MS operation mode C (see PICS). If MS operation mode C not supported, goto step 23.

3

MS

The MS is powered up or switched on and initiates an attach (see PICS).

4

MS -> SS

ATTACH REQUEST

Attach type = ‘GPRS attach’

Mobile identity = IMSI

5

SS -> MS

AUTHENTICATION AND CIPHERING REQUEST

Request UMTS authentication.
Set GPRS-CKSN-1

RAND & AUTN included (see specific message content)

Type of algorithm: GEAx

6

MS -> SS

AUTHENTICATION AND CIPHERING RESPONSE

The SS checks the RES value.

"Auth. Response Parameter (extension)" IE included if the RES value is more than 4 octets long.

7

SS -> MS

ATTACH ACCEPT

Message ciphered with GEAx

Attach result = ‘GPRS only attached’

Mobile identity = P-TMSI-2

P-TMSI-2 signature

Routing area identity = RAI-1

8

MS -> SS

ATTACH COMPLETE

Message ciphered

9

SS

The SS deactivates cell A and activates cell B.

The following messages are sent and shall be received on cell B.

10

MS -> SS

ROUTING AREA UPDATING REQUEST

Update type = ‘RA updating’

P-TMSI-2 signature

Routing area identity = RAI-1

GPRS-CKSN-1

11

SS -> MS

AUTHENTICATION AND CIPHERING REQUEST

Request UMTS authentication.

Set GPRS-CKSN-1

RAND & AUTN included (see specific message content)

Type of algorithm: GEA4

12

MS -> SS

AUTHENTICATION AND CIPHERING RESPONSE

The SS checks the RES value.

"Auth. Response Parameter (extension)" IE included if the RES value is more than 4 octets long.

13

SS -> MS

ROUTING AREA UPDATING ACCEPT

Message ciphered with GEA4

Update result = ‘RA updated’

Mobile identity = P-TMSI-1

P-TMSI-1 signature

Routing area identity = RAI-4

14

MS -> SS

ROUTING AREA UPDATING COMPLETE

Message ciphered

15

SS

The SS deactivates cell B and activates cell A.

The following messages are sent and shall be received on cell A.

16

MS -> SS

ROUTING AREA UPDATING REQUEST

Update type = ‘RA updating’

P-TMSI-1 signature

Routing area identity = RAI-4

GPRS-CKSN-1

17

SS -> MS

AUTHENTICATION AND CIPHERING REQUEST

Request UMTS authentication.

Set GPRS-CKSN-1

RAND & AUTN included (see specific message content)

Type of algorithm: GEAx

18

MS -> SS

AUTHENTICATION AND CIPHERING RESPONSE

The SS checks the RES value.

"Auth. Response Parameter (extension)" IE included if the RES value is more than 4 octets long.

19

SS -> MS

ROUTING AREA UPDATING ACCEPT

Message ciphered with GEAx

Update result = ‘RA updated’

Mobile identity = P-TMSI-2

P-TMSI-2 signature

Routing area identity = RAI-1

20

MS -> SS

ROUTING AREA UPDATING COMPLETE

Message ciphered

21

MS

The MS is switched off or power is removed (see PICS).

22

MS -> SS

DETACH REQUEST

Message not sent if power is removed.

Detach type = ‘power switched off, GPRS detach’

23

MS

The MS is set in MS operation mode B (see PICS) and the test is repeated from step 3 to step 22.

Specific message contents

AUTHENTICATION AND CIPHERING REQUEST in step 5:

Same as default content except:

Information element

Value/remark

IE AUTN

Calculated as defined for Test USIM

Ciphering Algorithm

Type of Algorithm

GPRS Encryption Algorithm

– GEA2 when supported

– GEA3 when GEA2 is not supported

AUTHENTICATION AND CIPHERING REQUEST in step 11:

Same as default content except:

Information element

Value/remark

IE AUTN

Calculated as defined for Test USIM

Ciphering Algorithm

Type of Algorithm

GPRS Encryption Algorithm GEA4

AUTHENTICATION AND CIPHERING REQUEST in step 17:

Same as default content except:

Information element

Value/remark

IE AUTN

Calculated as defined for Test USIM

Ciphering Algorithm

Type of Algorithm

GPRS Encryption Algorithm

– GEA2 when supported

– GEA3 when GEA2 is not supported

44.2.5.2.5 Ciphering mode / Non support of GEA1

44.2.5.2.5.1 Conformance requirement

It is mandatory for GEA3 and non encrypted mode (i.e. GEA0) to be implemented in mobile stations. GEA4 may be implemented in the mobile stations.

NOTE 1: Mobile stations are not allowed to implement GEA1 from Release 11 onwards.

NOTE 2: It is strongly discouraged to support GEA2 in mobile stations from Release 11 onwards.

Reference(s):

3GPP TS 43.020 Annex D.4.9

44.2.5.2.5.2 Test Purpose

To verify that MS does not apply GEA1 ciphering algorithm.

44.2.5.2.5.3 Method of Test

Initial Conditions

System Simulator:

One cell operating in network operation mode II.

Mobile Station:

MS has a valid IMSI. MS is Idle Updated.

Specific PICS statements:

– MS operation mode B (TSPC_operation_mode_B).

– MS operation mode C (TSPC_operation_mode_C).

– Switch off on button (TSPC_Feat_OnOff).

– Automatic GPRS attach procedure at switch on or power on (TSPC_AddInfo_on_auto_GPRS_AP).

PIXIT statements:

Test procedure

MS sends ATTACH REQUEST. The SS checks that GPRS Encryption Algorithm GEA/1 bit is 0.

The SS sends GMM CIPHERING AND AUTHENTICATION REQUEST with Cipher algorithm GEA1. MS sends GMM STATUS message with Cause Value #95.

Maximum duration of test

5 minutes.

Expected sequence

Step

Direction

Message

Comments

1

MS

The MS is set in MS operation mode B or C (see PICS).

2

MS

The MS is powered up or switched on and initiates an attach (see PICS).

3

MS -> SS

ATTACH REQUEST

GPRS Encryption Algorithm GEA/1= 0

Attach type = ‘GPRS attach’

Mobile identity = IMSI

Message not ciphered

4

SS -> MS

GMM AUTHENTICATION AND CIPHERING REQUEST

Request authentication.

Cipher algorithm = GEA1

Ciphering On

Set GPRS-CKSN-1

RAND

Message not ciphered

5

MS -> SS

GMM STATUS

Cause Value #95

Message not ciphered

6

SS -> MS

ATTACH REJECT

GMM cause = ”Network failure’

Message not ciphered

Specific message contents

None.