ETSI 3GPP TS 33 102-2003 See TS 133 102 V5 2 0 (Version 5 2 0 Release 5).pdf

1、 ETSI TS 133 102 V5.2.0 (2003-06)Technical Specification Universal Mobile Telecommunications System (UMTS);3G security;Security architecture(3GPP TS 33.102 version 5.2.0 Release 5)ETSI ETSI TS 133 102 V5.2.0 (2003-06) 1 3GPP TS 33.102 version 5.2.0 Release 5 Reference RTS/TSGS-0333102v520 Keywords U

2、MTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document c

3、an be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, th

4、e reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI doc

5、uments is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, send your comment to: editoretsi.org Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reprod

6、uction in all media. European Telecommunications Standards Institute 2003. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Memb

7、ers. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TS 133 102 V5.2.0 (2003-06) 2 3GPP TS 33.102 version 5.2.0 Release 5 Intellectual Property Rights IPRs essential or potentially essential to the present document may have

8、been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standard

9、s“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other

10、IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to tec

11、hnical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryf

12、orm.asp . ETSI ETSI TS 133 102 V5.2.0 (2003-06) 3 3GPP TS 33.102 version 5.2.0 Release 5 Contents Intellectual Property Rights2 Foreword.2 Foreword.6 1 Scope 7 2 References 7 3 Definitions, symbols abbreviations and conventions .8 3.1 Definitions8 3.2 Symbols9 3.3 Abbreviations .10 3.4 Conventions10

13、 4 Overview of the security architecture.11 5 Security features.12 5.1 Network access security .12 5.1.1 User identity confidentiality .12 5.1.2 Entity authentication.13 5.1.3 Confidentiality 13 5.1.4 Data integrity 13 5.1.5 Mobile equipment identification.14 5.2 Network domain security .14 5.2.1 Vo

14、id 14 5.2.2 Void 14 5.2.3 Void 14 5.2.4 Fraud information gathering system .14 5.3 User domain security14 5.3.1 User-to-USIM authentication14 5.3.2 USIM-Terminal Link14 5.4 Application security .15 5.4.1 Secure messaging between the USIM and the network 15 5.4.2 Void 15 5.4.3 Void 15 5.4.4 Void 15 5

15、.5 Security visibility and configurability15 5.5.1 Visibility .15 5.5.2 Configurability15 6 Network access security mechanisms 16 6.1 Identification by temporary identities.16 6.1.1 General16 6.1.2 TMSI reallocation procedure 16 6.1.3 Unacknowledged allocation of a temporary identity 16 6.1.4 Locati

16、on update 17 6.2 Identification by a permanent identity17 6.3 Authentication and key agreement .17 6.3.1 General17 6.3.2 Distribution of authentication data from HE to SN 19 6.3.3 Authentication and key agreement21 6.3.4 Distribution of IMSI and temporary authentication data within one serving netwo

17、rk domain.24 6.3.5 Re-synchronisation procedure 25 6.3.6 Reporting authentication failures from the SGSN/VLR to the HLR 26 6.3.7 Length of authentication parameters.26 6.4 Local authentication and connection establishment .27 6.4.1 Cipher key and integrity key setting .27 6.4.2 Ciphering and integri

18、ty mode negotiation 27 ETSI ETSI TS 133 102 V5.2.0 (2003-06) 4 3GPP TS 33.102 version 5.2.0 Release 5 6.4.3 Cipher key and integrity key lifetime .27 6.4.4 Cipher key and integrity key identification.28 6.4.5 Security mode set-up procedure28 6.4.6 Signalling procedures in the case of an unsuccessful

19、 integrity check.30 6.4.7 Signalling procedure for periodic local authentication .30 6.4.8 Initialisation of synchronisation for ciphering and integrity protection31 6.4.9 Emergency call handling 32 6.4.9.1 Security procedures applied 32 6.4.9.2 Security procedures not applied 32 6.5 Access link dat

20、a integrity .32 6.5.1 General32 6.5.2 Layer of integrity protection .33 6.5.3 Data integrity protection method 33 6.5.4 Input parameters to the integrity algorithm.34 6.5.4.1 COUNT-I 34 6.5.4.2 IK 34 6.5.4.3 FRESH 34 6.5.4.4 DIRECTION .35 6.5.4.5 MESSAGE35 6.5.5 Integrity key selection.35 6.5.6 UIA

21、identification.35 6.6 Access link data confidentiality35 6.6.1 General35 6.6.2 Layer of ciphering.36 6.6.3 Ciphering method .36 6.6.4 Input parameters to the cipher algorithm 36 6.6.4.1 COUNT-C.36 6.6.4.2 CK.37 6.6.4.3 BEARER.38 6.6.4.4 DIRECTION .38 6.6.4.5 LENGTH.38 6.6.5 Cipher key selection38 6.

22、6.6 UEA identification38 6.7 Void38 6.8 Interoperation and handover between UMTS and GSM 39 6.8.1 Authentication and key agreement of UMTS subscribers 39 6.8.1.1 General39 6.8.1.2 R99+ HLR/AuC 40 6.8.1.3 R99+ VLR/SGSN .41 6.8.1.4 R99+ ME.42 6.8.1.5 USIM.42 6.8.2 Authentication and key agreement for

23、GSM subscribers43 6.8.2.1 General43 6.8.2.2 R99+ HLR/AuC 43 6.8.2.3 VLR/SGSN .44 6.8.2.4 R99+ ME.44 6.8.3 Distribution and use of authentication data between VLRs/SGSNs .44 6.8.4 Intersystem handover for CS Services from UTRAN to GSM BSS45 6.8.4.1 UMTS security context .46 6.8.4.2 GSM security conte

24、xt46 6.8.5 Intersystem handover for CS Services from GSM BSS to UTRAN46 6.8.5.1 UMTS security context .47 6.8.5.2 GSM security context47 6.8.6 Intersystem change for PS Services from UTRAN to GSM BSS47 6.8.6.1 UMTS security context .47 6.8.6.2 GSM security context48 6.8.7 Intersystem change for PS s

25、ervices from GSM BSS to UTRAN.48 6.8.7.1 UMTS security context .48 6.8.7.2 GSM security context48 7 Void49 ETSI ETSI TS 133 102 V5.2.0 (2003-06) 5 3GPP TS 33.102 version 5.2.0 Release 5 8 Application security mechanisms.49 8.1 Void49 8.2 Void49 8.3 Mobile IP security 49 Annex A (informative): Requir

26、ements analysis.50 Annex B: Void 51 Annex C (informative): Management of sequence numbers 52 C.1 Generation of sequence numbers in the Authentication Centre .52 C.1.1 Sequence number generation schemes .52 C.1.1.1 General scheme.52 C.1.1.2 Generation of sequence numbers which are not time-based .53

27、C.1.1.3 Time-based sequence number generation.53 C.1.2 Support for the array mechanism .53 C.2 Handling of sequence numbers in the USIM .53 C.2.1 Protection against wrap around of counter in the USIM 54 C.2.2 Verification of sequence number freshness in the USIM .54 C.2.3 Notes 54 C.3 Sequence numbe

28、r management profiles.55 C.3.1 Profile 1: management of sequence numbers which are partly time-based55 C.3.2 Profile 2: management of sequence numbers which are not time-based 56 C.3.3 Profile 3: management of sequence numbers which are entirely time-based .56 C.3.4 Guidelines for the allocation of

29、the index values in the array scheme .57 C.4 Guidelines for interoperability in a multi-vendor environment57 Annex D: Void 58 Annex E: Void 59 Annex F (informative): Example uses of AMF60 F.1 Support multiple authentication algorithms and keys 60 F.2 Changing sequence number verification parameters6

30、0 F.3 Setting threshold values to restrict the lifetime of cipher and integrity keys .60 Annex G (informative): Change history .61 History 62 ETSI ETSI TS 133 102 V5.2.0 (2003-06) 6 3GPP TS 33.102 version 5.2.0 Release 5 Foreword This Technical Specification (TS) has been produced by the 3rdGenerati

31、on Partnership Project (3GPP). The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and

32、 an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, i.e. technical en

33、hancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. ETSI ETSI TS 133 102 V5.2.0 (2003-06) 7 3GPP TS 33.102 version 5.2.0 Release 5 1 Scope This specification defines the security architecture, i.e., the security

34、features and the security mechanisms, for the third generation mobile telecommunication system. A security feature is a service capability that meets one or several security requirements. The complete set of security features address the security requirements as they are defined in “3G Security: Thr

35、eats and Requirements“ (TS 21.133 1) and implement the security objectives and principles described in TS 33.120 2. A security mechanism is an element that is used to realise a security feature. All security features and security mechanisms taken together form the security architecture. An example o

36、f a security feature is user data confidentiality. A security mechanism that may be used to implement that feature is a stream cipher using a derived cipher key. This specification defines 3G security procedures performed within 3G capable networks (R99+), i.e. intra-UMTS and UMTS-GSM. As an example

37、, UMTS authentication is applicable to UMTS radio access as well as GSM radio access provided that the serving network node and the MS are UMTS capable. Interoperability with non-UMTS capable networks (R98-) is also covered. 2 References The following documents contain provisions which, through refe

38、rence in this text, constitute provisions of the present document. References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version a

39、pplies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document. 1 3GPP TS 21.133: “3rd Generation Partnership Project (3GPP); Technical Specification Group

40、 (TSG) SA; 3G Security; Security Threats and Requirements“. 2 3GPP TS 33.120: “3rd Generation Partnership Project (3GPP); Technical Specification Group (TSG) SA; 3G Security; Security Principles and Objectives“. 3 3GPP TR 21.905: “3rd Generation Partnership Project (3GPP); Technical Specification Gr

41、oup Services and System Aspects; Vocabulary for 3GPP Specifications (Release 1999)“. 4 3GPP TS 23.121: “3rd Generation Partnership Project (3GPP); Technical Specification Group Services and System Aspects; Architecture Requirements for Release 99“. 5 3GPP TS 31.101: “3rd Generation Partnership Proje

42、ct (3GPP); Technical Specification Group Terminals; UICC-terminal interface; Physical and logical characteristics“. 6 3GPP TS 22.022: “3rd Generation Partnership Project (3GPP); Technical Specification Group Services and System Aspects; Personalisation of UMTS Mobile Equipment (ME); Mobile functiona

43、lity specification“. 7 3GPP TS 23.048: “3rd Generation Partnership Project (3GPP); Technical Specification Group Terminals; Security Mechanisms for the (U)SIM application toolkit; Stage 2“. 8 ETSI GSM 03.20: “Digital cellular telecommunications system (Phase 2+); Security related network functions“.

44、 9 3GPP TS 23.060: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (GPRS); Service description; Stage 2“. ETSI ETSI TS 133 102 V5.2.0 (2003-06) 8 3GPP TS 33.102 version

45、 5.2.0 Release 5 10 ISO/IEC 9798-4: “Information technology - Security techniques - Entity authentication - Part 4: Mechanisms using a cryptographic check function“. 11 3GPP TS 35.201: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Specification of th

46、e 3GPP confidentiality and integrity algorithms; Document 1: f8 and f9 specifications“. 12 3GPP TS 35.202: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Specification of the 3GPP confidentiality and integrity algorithms; Document 2: Kasumi algorithm

47、specification“. 13 3GPP TS 35.203: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Specification of the 3GPP confidentiality and integrity algorithms; Document 3: Implementers test data“. 14 3GPP TS 35.204: “3rd Generation Partnership Project; Technica

48、l Specification Group Services and System Aspects; Specification of the 3GPP confidentiality and integrity algorithms; Document 4: Design conformance test data“. 15 3GPP TS 31.111: “3rd Generation Partnership Project; Technical Specification Group Terminals; USIM Application Toolkit (USAT)“. 16 3GPP

49、 TS 22.048: “3rd Generation Partnership Project (3GPP); Technical Specification Group Terminals; Security Mechanisms for the (U)SIM Application Toolkit; Stage 1“. 17 3GPP TS 25.331: “3rd Generation Partnership Project; Technical Specification Group Radio Access Network; RRC Protocol Specification“. 18 3GPP TS 25.321: “3rd Generation Partnership Project; Technical Specification Group Radio Access Network; MAC protocol specification“. 19 3GPP TS 25.322: “3rd Generation Partnership Project; Technical Specification Group Radi