TIA-946-A-2008 Enhanced Cryptographic Algorithms《增强密码规则系统》.pdf

1、 TIA-946-A-2008 APPROVED: MARCH 5, 2008 REAFFIRMED: MARCH 6, 2013 TIA-946-A (Revision of TIA-946) WARNING - This document may contain technical data whose export may be restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et seq.) or the Export Administration Act of 1979, as amende

2、d (Title 50, U.S.C., App. 2401 et seq.). Violations of these export laws are subject to severe criminal penalties. Individuals are encouraged to consult with counsel. May 2008Enhanced Cryptographic Algorithms NOTICE TIA Engineering Standards and Publications are designed to serve the public interest

3、 through eliminating misunderstandings between manufacturers and purchasers, facilitating interchangeability and improvement of products, and assisting the purchaser in selecting and obtaining with minimum delay the proper product for their particular need. The existence of such Standards and Public

4、ations shall not in any respect preclude any member or non-member of TIA from manufacturing or selling products not conforming to such Standards and Publications. Neither shall the existence of such Standards and Publications preclude their voluntary use by Non-TIA members, either domestically or in

5、ternationally. Standards and Publications are adopted by TIA in accordance with the American National Standards Institute (ANSI) patent policy. By such action, TIA does not assume any liability to any patent owner, nor does it assume any obligation whatever to parties adopting the Standard or Public

6、ation. This Standard does not purport to address all safety problems associated with its use or all applicable regulatory requirements. It is the responsibility of the user of this Standard to establish appropriate safety and health practices and to determine the applicability of regulatory limitati

7、ons before its use. (From Project No. 3-0095-RV1-1-RF1, formulated under the cognizance of the TIA TR-45 Mobile (b) there is no assurance that the Document will be approved by any Committee of TIA or any other body in its present or any other form; (c) the Document may be amended, modified or change

8、d in the standards development or any editing process. The use or practice of contents of this Document may involve the use of intellectual property rights (“IPR”), including pending or issued patents, or copyrights, owned by one or more parties. TIA makes no search or investigation for IPR. When IP

9、R consisting of patents and published pending patent applications are claimed and called to TIAs attention, a statement from the holder thereof is requested, all in accordance with the Manual. TIA takes no position with reference to, and disclaims any obligation to investigate or inquire into, the s

10、cope or validity of any claims of IPR. TIA will neither be a party to discussions of any licensing terms or conditions, which are instead left to the parties involved, nor will TIA opine or judge whether proposed licensing terms or conditions are reasonable or non-discriminatory. TIA does not warran

11、t or represent that procedures or practices suggested or provided in the Manual have been complied with as respects the Document or its contents. If the Document contains one or more Normative References to a document published by another organization (“other SSO”) engaged in the formulation, develo

12、pment or publication of standards (whether designated as a standard, specification, recommendation or otherwise), whether such reference consists of mandatory, alternate or optional elements (as defined in the TIA Engineering Manual, 4thedition) then (i) TIA disclaims any duty or obligation to searc

13、h or investigate the records of any other SSO for IPR or letters of assurance relating to any such Normative Reference; (ii) TIAs policy of encouragement of voluntary disclosure (see Engineering Manual Section 6.5.1) of Essential Patent(s) and published pending patent applications shall apply; and (

14、iii) Information as to claims of IPR in the records or publications of the other SSO shall not constitute identification to TIA of a claim of Essential Patent(s) or published pending patent applications. TIA does not enforce or monitor compliance with the contents of the Document. TIA does not certi

15、fy, inspect, test or otherwise investigate products, designs or services or any claims of compliance with the contents of the Document. ALL WARRANTIES, EXPRESS OR IMPLIED, ARE DISCLAIMED, INCLUDING WITHOUT LIMITATION, ANY AND ALL WARRANTIES CONCERNING THE ACCURACY OF THE CONTENTS, ITS FITNESS OR APP

16、ROPRIATENESS FOR A PARTICULAR PURPOSE OR USE, ITS MERCHANTABILITY AND ITS NONINFRINGEMENT OF ANY THIRD PARTYS INTELLECTUAL PROPERTY RIGHTS. TIA EXPRESSLY DISCLAIMS ANY AND ALL RESPONSIBILITIES FOR THE ACCURACY OF THE CONTENTS AND MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE CONTENTS COMPLIAN

17、CE WITH ANY APPLICABLE STATUTE, RULE OR REGULATION, OR THE SAFETY OR HEALTH EFFECTS OF THE CONTENTS OR ANY PRODUCT OR SERVICE REFERRED TO IN THE DOCUMENT OR PRODUCED OR RENDERED TO COMPLY WITH THE CONTENTS. TIA SHALL NOT BE LIABLE FOR ANY AND ALL DAMAGES, DIRECT OR INDIRECT, ARISING FROM OR RELATING

18、 TO ANY USE OF THE CONTENTS CONTAINED HEREIN, INCLUDING WITHOUT LIMITATION ANY AND ALL INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, LITIGATION, OR THE LIKE), WHETHER BASED UPON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING

19、 NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING NEGATION OF DAMAGES IS A FUNDAMENTAL ELEMENT OF THE USE OF THE CONTENTS HEREOF, AND THESE CONTENTS WOULD NOT BE PUBLISHED BY TIA WITHOUT SUCH LIMITATIONS. Enhanced Cryptographic Algorithms

20、 TIA-946-A i Table of Contents 1 1. INTRODUCTION 1 2 1.1. Notations 1 3 1.2. Definitions 1 4 1.3. References 2 5 1.3.1. Normative 2 6 1.3.2. Informative 2 7 2. PROCEDURES 3 8 2.1. Enhanced Hash Algorithms 3 9 2.1.1. SHA-1 and SHA-256 3 10 2.1.2. SHA-based MAC 4 11 2.1.2.1. SHA-1 Based MAC Calculatio

21、n Procedure 4 12 2.1.2.2. SHA-256 Based MAC Calculation Procedure 6 13 2.1.2.3. UIM-Present MAC (UMAC) Generation Procedure 8 14 2.2. Authentication and Key Agreement 9 15 2.2.1. AKA 9 16 2.2.2. SHA-Based Functions for AKA 9 17 2.2.2.1. Constants 10 18 2.2.2.2. Random Number (RAND) Generation Proced

22、ure f0 11 19 2.2.2.3. Message Authentication (MACA) Generation Procedure f1 14 20 2.2.2.4. Resynchronization Message Authentication (MACS) Generation Procedure f1* 15 21 2.2.2.5. Message Authentication (RES & XRES) Generation Procedure f2 16 22 2.2.2.6. Key Generation Procedure f3 17 23 2.2.2.7. Int

23、egrity Key (IK) Generation Procedures f4 20 24 2.2.2.8. Anonymity Key (AK) Generation Procedure f5 21 25 2.2.2.9. Resynchronization Anonymity Key (AKS) Generation Procedure f5* 22 26 2.2.3. UIM Authentication 23 27 2.2.3.1. Constants 23 28 2.2.3.2. UIM Authentication Key (UAK) Generation Procedure f

24、11 24 29 2.2.4. One-Way Roaming to 2G systems 25 30 2.2.4.1. GSM Triplet Generation from SSD 25 31 2.2.4.2. 2G Key Generation from 3G Keys 27 32 2.2.5. Key Strength Reduction 28 33 2.3. Enhanced Voice and Data Privacy 29 34 2.3.1. TDMA (TIA-136) 29 35 2.3.2. CDMA (TIA/EIA/IS-2000) 29 36 2.3.2.1. Enc

25、ryption Key Generation 29 37 2.3.2.2. Enhanced Privacy Algorithm 29 38 2.3.2.2.1. Algorithm 29 39 2.3.2.2.2. ESP_privacykey Procedure 30 40 2.3.2.2.3. ESP_maskbits Procedure 31 41 2.3.2.2.4. ESP_AES Procedure 33 42 3. REFERENCE IMPLEMENTATIONS 34 43 TIA-946-A Enhanced Cryptographic Algorithms ii 3.1

26、. CDMA Enhanced Privacy 34 1 3.1.1. Rijndael 34 2 3.1.2. ESP Procedures 41 3 3.2. Authentication and Key Agreement 44 4 3.2.1. SHA-1 44 5 3.2.2. SHA-256 49 6 3.2.3. AKA Functions f0-f5 and f11 54 7 3.2.4. GSM Triplet Generation Function fh 63 8 3.2.5. CDMA_3G_2G_Conversion Function 64 9 3.2.6. KeySt

27、rengthRedAlg Function 65 10 3.3. EHMAC-SHA-1 66 11 3.4. EHMAC-SHA-256 69 12 4. TEST VECTORS 73 13 4.1. CDMA Enhanced Privacy 73 14 4.1.1. Test Program Output 73 15 4.1.2. Test Program 73 16 4.2. SHA-Based Functions for AKA 75 17 4.2.1. Test Program Output 75 18 4.2.2. Test Program 78 19 4.3. Test Ve

28、ctors for EHMAC-SHA-1 84 20 4.3.1. Test Program Output 84 21 4.3.2. Test Program 84 22 4.4. Test Vectors for EHMAC-SHA-256 86 23 4.4.1. Test Program Output 86 24 4.4.2. Test Program 87 25 26 Enhanced Cryptographic Algorithms TIA-946-A iii List of Exhibits 1 EXHIBIT 2-1. PSEUDO RANDOM GENERATOR. 13 2

29、 EXHIBIT 2-2. KEY SCHEDULER19 3 EXHIBIT 3-1 HEADER FOR RIJNDAEL.34 4 EXHIBIT 3-2 RIJNDAEL BOX DATA .34 5 EXHIBIT 3-3 RIJNDAEL ALGORITHM36 6 EXHIBIT 3-4 HEADER FOR ESP.41 7 EXHIBIT 3-5 ESP_KEYSCHED AND ESP_MASKBITS42 8 EXHIBIT 3-6 SHA-1 HEADER .44 9 EXHIBIT 3-7 SHA-1 CODE 44 10 EXHIBIT 3-8 SHA-256 CO

30、DE 49 11 EXHIBIT 3-9 AKA FUNCTION HEADER.54 12 EXHIBIT 3-10 AKA FUNCTION CODE55 13 EXHIBIT 3-11 FUNCTION FH HEADER 63 14 EXHIBIT 3-12 FUNCTION FH CODE .63 15 EXHIBIT 3-13 CDMA_3G_2G_CONVERSION FUNCTION HEADER64 16 EXHIBIT 3-14 CDMA_3G_2G_CONVERSION FUNCTION CODE .64 17 EXHIBIT 3-15 KEYSTRENGTHREDALG

31、 FUNCTION HEADER 65 18 EXHIBIT 3-16 KEYSTRENGTHREDALG FUNCTION CODE .65 19 EXHIBIT 3-17 EHMAC HEADER 66 20 EXHIBIT 3-18 EHMAC CODE .66 21 EXHIBIT 3-19 UMAC_GENERATION CODE 69 22 EXHIBIT 3-20 EHMAC-SHA-256 HEADER .69 23 EXHIBIT 3-21 EHMAC-SHA-256 CODE.70 24 25 TIA-946-A Enhanced Cryptographic Algorit

32、hms iv 1 2 3 4 5 6 7 8 9 10 11 This page intentionally left blank 12 13 Enhanced Cryptographic Algorithms TIA-946-A 1 1. Introduction 1 This document describes detailed cryptographic procedures for 2 wireless system applications. These procedures are used to perform the 3 security services of mutual

33、 authentication between mobile stations and 4 base stations, subscriber message encryption, and key agreement within 5 wireless equipment. This document contains both textual descriptions 6 and reference implementations for the procedures. The textual 7 descriptions are provided as an aid to the rea

34、der. In the event of a 8 conflict between the text description and the reference code, it is 9 recommended that implementations agree with the reference code. 10 1.1. Notations 11 The notation 0x indicates a hexadecimal (base 16) number. 12 Binary numbers are expressed as a string of zero(s) and/or

35、one(s) 13 followed by a lower-case “b”. 14 Data arrays are indicated by square brackets, as Array . Array indices 15 start at zero (0). Where an array is loaded using a quantity that spans 16 several array elements, the most significant bits of the quantity are 17 loaded into the element having the

36、lowest index. Similarly, where a 18 quantity is loaded from several array elements, the element having the 19 lowest index provides the most significant bits of the quantity. 20 Big-endian byte ordering is assumed in this specification. 21 This document uses ANSI C language programming syntax to spe

37、cify 22 the behavior of the cryptographic algorithms (see 5). This 23 specification is not meant to constrain implementations. Any 24 implementation that demonstrates the same behavior at the external 25 interface as the algorithm specified herein, by definition, complies with 26 this standard. 27 1

38、.2. Definitions 28 Internal Stored Data Stored data that is defined locally within the cryptographic procedures 29 and is not accessible for examination or use outside those procedures. 30 MSB Most Significant Bit. 31 XOR Bitwise logical exclusive or function. 32 Word A data unit that contains 32 bi

39、ts or 4 bytes where byte 0 is the most 33 significant byte and byte 3 is the least significant byte. 34 TIA-946-A Enhanced Cryptographic Algorithms 2 1.3. References 1 1.3.1. Normative 2 1. Federal Information Processing Standard FIPS 180-2, “Secure Hash Standard,” 3 August 1, 2002 4 2. Alliance for

40、 Telecommunications Industry Solutions (ATIS) T1TRQ3GPP 5 33.102-350, “3G Security Security Architecture,” July, 2000. 6 3. Alliance for Telecommunications Industry Solutions (ATIS) T1TRQ3GPP 7 33.103-330, “3G Security Integration Guidelines,” July, 2000. 8 4. Alliance for Telecommunications Industr

41、y Solutions (ATIS) T1TRQ3GPP 9 33.105-340, “Cryptographic Algorithm Requirements,” July, 2000. 10 1.3.2. Informative 11 5. ANSI/ISO 9899-1999, “Programming Languages - C” 12 6. A Million Random Digits with 100,000 Normal Deviates, The RAND 13 Corporation, 1955, online at 14 http:/www.rand.org/public

42、ations/classics/randomdigits . 15 7. Federal Information Processing Standard FIPS 197, “Advanced Encryption 16 Standard (AES),” November 26, 2001. 17 8. Telecommunications Industry Association, TR-45 AHAG, “Common 18 Cryptographic Algorithms, Revision D.1”, September 13, 2000. 19 9. Telecommunicatio

43、ns Industry Association, ANSI/TIA/EIA-41-D-97, “Cellular 20 Radiotelecommunications Intersystem Operations,” December 1997. 21 Enhanced Cryptographic Algorithms TIA-946-A 3 2. Procedures 1 2.1. Enhanced Hash Algorithms 2 2.1.1. SHA-1 and SHA-256 3 The hash function used in this document are SHA-1 an

44、d SHA-256, 4 defined in 1. Refer to 3.2.1 for a reference implementation of the 5 SHA-1 algorithm. In this document, the function F( ) refers to the 6 SHA-1 algorithm. 7 Test vectors for SHA-1 and SHA-256 are given in 1. 8 SHA-1 and SHA-256 use an iterated construction where the input 9 message is p

45、rocessed block by block. The basic building block is called 10 the compression function. The compression function used in this 11 document differs from the SHA-1 and SHA-256 hash functions defined 12 in 1 by the way its payload and chaining variable inputs are loaded. 13 In this document, the functi

46、on fK( ) refers to the compression function 14 with key K exclusive-ored with the initialization vector. 15 TIA-946-A Enhanced Cryptographic Algorithms 4 2.1.2. SHA-based MAC 1 2.1.2.1. SHA-1 Based MAC Calculation Procedure 2 Procedure name: 3 ehmacsha 4 Inputs from calling process: 5 key_length int

47、eger 6 key 8*key_length bits 7 message message_length bits 8 message_length integer 9 message_offset integer 10 MAC_length integer 11 12 Inputs from internal stored data: 13 None. 14 Outputs to calling process: 15 MAC 8*MAC_length bits 16 Outputs to internal stored data: 17 None. 18 19 The ehmacsha

48、procedure computes a message authentication code 20 (MAC) using a secret key. Refer to 3.3 for a reference implementation 21 of the ehmacsha algorithm. 22 When the Mobile Station performs authentication in accordance with 23 air interface procedures that invoke AKA (see 2.2), the key used for the 24

49、 MAC calculation should be the 128-bit key IK generated using 25 procedure f4 (see 2.2.2.7). 26 The MAC initialization procedures for the MAC calculation should be 27 performed whenever a new key is generated. Initialization shall 28 proceed as follows: 29 1. Define two strings: ipad = the byte 0x36 repeated 64 times 30 and opad = the byte 0x5C repeated 64 times. 31 2. append zeros to the end of the key to create a 64 byte string. 32 3. XOR (bitwise exclusive-OR) the 64 byte string computed in 33 step 2 with ipad defined in step 1. 34 Enhanced Cryptographic Algorith