ETSI TS 133 401-2016 Digital cellular telecommunications system (Phase 2+) (GSM) Universal Mobile Telecommunications System (UMTS) LTE 3GPP System Architecture Evolution (SAE) Secu.pdf

1、 ETSI TS 13Digital cellular telecoUniversal Mobile Tel3GPP System ASec(3GPP TS 33.40TECHNICAL SPECIFICATION133 401 V12.16.0 (201communications system (Phaelecommunications System (LTE; Architecture Evolution (SAEecurity architecture .401 version 12.16.0 Release 1016-01) hase 2+); (UMTS); AE); 12) ET

2、SI ETSI TS 133 401 V12.16.0 (2016-01)13GPP TS 33.401 version 12.16.0 Release 12Reference RTS/TSGS-0333401vcg0 Keywords GSM,LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Associ

3、ation but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print

4、 versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on

5、a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find

6、errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm

7、except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserv

8、ed. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by t

9、he GSM Association. ETSI ETSI TS 133 401 V12.16.0 (2016-01)23GPP TS 33.401 version 12.16.0 Release 12Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly av

10、ailable for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web se

11、rver (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may bec

12、ome, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should b

13、e interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “

14、need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TS 133 401 V12.16.0

15、 (2016-01)33GPP TS 33.401 version 12.16.0 Release 12Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 8g31 Scope 9g32 References 9g33 Definitions, symbols and abbreviations . 10g33.1 Definitions 10g33.2 Symbols 12g33.3 Abbreviations . 12g33.4 Conventions 13

16、g34 Overview of Security Architecture . 14g35 Security Features 14g35.1 User-to-Network security . 14g35.1.0 General 14g35.1.1 User identity and device confidentiality . 15g35.1.2 Entity authentication . 15g35.1.3 User data and signalling data confidentiality 15g35.1.3.1 Ciphering requirements . 15g

17、35.1.3.2 Algorithm Identifier Values 15g35.1.4 User data and signalling data integrity 16g35.1.4.1 Integrity requirements . 16g35.1.4.2 Algorithm Identifier Values 16g35.2 Security visibility and configurability 17g35.3 Security requirements on eNodeB 17g35.3.1 General 17g35.3.2 Requirements for eNB

18、 setup and configuration 17g35.3.3 Requirements for key management inside eNB 18g35.3.4 Requirements for handling User plane data for the eNB 18g35.3.4a Requirements for handling Control plane data for the eNB 18g35.3.5 Requirements for secure environment of the eNB 18g35.4 Void 19g36 Security Proce

19、dures between UE and EPC Network Elements . 19g36.0 General . 19g36.1 Authentication and key agreement . 19g36.1.1 AKA procedure . 19g36.1.2 Distribution of authentication data from HSS to serving network 20g36.1.3 User identification by a permanent identity 21g36.1.4 Distribution of IMSI and authen

20、tication data within one serving network domain 22g36.1.5 Distribution of IMSI and authentication data between different serving network domains 23g36.1.6 Distribution of IMSI and UMTS authentication vectors between MMEs or between MME and SGSN 23g36.2 EPS key hierarchy 23g36.3 EPS key identificatio

21、n 26g36.4 Handling of EPS security contexts . 27g36.5 Handling of NAS COUNTs 27g37 Security Procedures between UE and EPS Access Network Elements 29g37.0 General . 29g37.1 Mechanism for user identity confidentiality . 29g37.2 Handling of user-related keys in E-UTRAN 29g37.2.1 E-UTRAN key setting dur

22、ing AKA . 29g3ETSI ETSI TS 133 401 V12.16.0 (2016-01)43GPP TS 33.401 version 12.16.0 Release 127.2.2 E-UTRAN key identification 29g37.2.3 E-UTRAN key lifetimes . 30g37.2.4 Security mode command procedure and algorithm negotiation 30g37.2.4.1 Requirements for algorithm selection . 30g37.2.4.2 Procedu

23、res for AS algorithm selection 31g37.2.4.2.1 Initial AS security context establishment 31g37.2.4.2.2 X2-handover 31g37.2.4.2.3 S1-handover . 31g37.2.4.2.4 Intra-eNB handover . 31g37.2.4.3 Procedures for NAS algorithm selection . 31g37.2.4.3.1 Initial NAS security context establishment . 31g37.2.4.3.

24、2 MME change . 32g37.2.4.4 NAS security mode command procedure 32g37.2.4.5 AS security mode command procedure . 33g37.2.4a Algorithm negotiation for unauthenticated UEs in LSM 34g37.2.5 Key handling at state transitions to and away from EMM-DEREGISTERED . 35g37.2.5.1 Transition to EMM-DEREGISTERED .

25、 35g37.2.5.2 Transition away from EMM-DEREGISTERED . 36g37.2.5.2.1 General 36g37.2.5.2.2 With existing native EPS NAS security context 36g37.2.5.2.3 With run of EPS AKA . 37g37.2.6 Key handling in ECM-IDLE to ECM-CONNECTED and ECM-CONNECTED to ECM-IDLE transitions 37g37.2.6.1 ECM-IDLE to ECM-CONNECT

26、ED transition. 37g37.2.6.2 Establishment of keys for cryptographically protected radio bearers . 37g37.2.6.3 ECM-CONNECTED to ECM-IDLE transition. 38g37.2.7 Key handling for the TAU procedure when registered in E-UTRAN 38g37.2.8 Key handling in handover . 38g37.2.8.1 General 38g37.2.8.1.1 Access str

27、atum . 38g37.2.8.1.2 Non access stratum 40g37.2.8.2 Void. 40g37.2.8.3 Key derivations for context modification procedure . 40g37.2.8.4 Key derivations during handovers . 40g37.2.8.4.1 Intra-eNB Handover 40g37.2.8.4.2 X2-handover 40g37.2.8.4.3 S1-Handover 41g37.2.8.4.4 UE handling . 41g37.2.9 Key-cha

28、nge-on-the fly 42g37.2.9.1 General 42g37.2.9.2 KeNBre-keying . 42g37.2.9.3 KeNB refresh 43g37.2.9.4 NAS key re-keying 43g37.2.10 Rules on Concurrent Running of Security Procedures . 43g37.3 UP security mechanisms 44g37.3.1 UP confidentiality mechanisms 44g37.3.2 UP integrity mechanisms 44g37.4 RRC s

29、ecurity mechanisms 45g37.4.1 RRC integrity mechanisms . 45g37.4.2 RRC confidentiality mechanisms . 45g37.4.3 KeNB*and Token Preparation for the RRCConnectionRe-establishment Procedure 45g37.5 Signalling procedure for periodic local authentication . 46g38 Security mechanisms for non-access stratum si

30、gnalling 47g38.0 General . 47g38.1 NAS integrity mechanisms . 47g38.1.1 NAS input parameters and mechanism . 47g38.1.2 NAS integrity activation . 48g38.2 NAS confidentiality mechanisms . 48g39 Security interworking between E-UTRAN and UTRAN . 48g39.1 RAU and TAU procedures . 48g3ETSI ETSI TS 133 401

31、 V12.16.0 (2016-01)53GPP TS 33.401 version 12.16.0 Release 129.1.1 RAU procedures in UTRAN . 48g39.1.2 TAU procedures in E-UTRAN . 50g39.2 Handover 51g39.2.1 From E-UTRAN to UTRAN 51g39.2.2 From UTRAN to E-UTRAN 52g39.2.2.1 Procedure 52g39.2.2.2 Derivation of NAS keys and KeNBduring Handover from UT

32、RAN to E-UTRAN . 56g39.3 Recommendations on AKA at IRAT-mobility to E-UTRAN 56g39.4 Attach procedures . 57g39.4.1 Attach in UTRAN . 57g310 Security interworking between E-UTRAN and GERAN . 57g310.1 General . 57g310.2 RAU and TAU procedures . 58g310.2.1 RAU procedures in GERAN . 58g310.2.2 TAU proced

33、ures in E-UTRAN . 58g310.3 Handover 58g310.3.1 From E-UTRAN to GERAN 58g310.3.2 From GERAN to E-UTRAN 58g310.3.2.1 Procedures . 58g310.4 Recommendations on AKA at IRAT-mobility to E-UTRAN 58g310.5 Attach procedures . 59g310.5.1 Attach in GERAN . 59g311 Network Domain Control Plane protection 59g312

34、Backhaul link user plane protection . 59g313 Management plane protection over the S1 interface 60g314 SRVCC between E-UTRAN and Circuit Switched UTRAN/GERAN 61g314.1 From E-UTRAN to Circuit Switched UTRAN/GERAN . 61g314.2 Emergency call in SRVCC from E-UTRAN to circuit switched UTRAN/GERAN 62g314.3

35、SRVCC from circuit switched UTRAN/GERAN to E-UTRAN 62g314.3.1 Procedure 62g315 Security Aspects of IMS Emergency Session Handling 65g315.1 General . 65g315.2 Security procedures and their applicability 66g315.2.1 Authenticated IMS Emergency Sessions 66g315.2.1.1 General 66g315.2.1.2 UE and MME share

36、 a current security context . 66g315.2.2 Unauthenticated IMS Emergency Sessions 67g315.2.2.1 General 67g315.2.2.2 UE and MME share no security context . 68g315.2.3 Void 69g315.2.4 Key generation procedures for unauthenticated IMS Emergency Sessions 69g315.2.4.1 General 69g315.2.4.2 Handover. 69g3Ann

37、ex A (normative): Key derivation functions . 70g3A.1 KDF interface and input parameter construction . 70g3A.1.1 General . 70g3A.1.2 FC value allocations . 70g3A.2 KASMEderivation function 70g3A.3 KeNBderivation function . 71g3A.4 NH derivation function . 71g3A.5 KeNB* derivation function . 71g3A.6 V

38、oid 71g3A.7 Algorithm key derivation functions . 72g3ETSI ETSI TS 133 401 V12.16.0 (2016-01)63GPP TS 33.401 version 12.16.0 Release 12A.8 KASMEto CK, IK derivation at handover . 72g3A.9 NAS token derivation for inter-RAT mobility . 73g3A.10 K“ASMEfrom CK, IK derivation during handover 73g3A.11 K“ASM

39、Efrom CK, IK derivation during idle mode mobility . 73g3A.12 KASMEto CKSRVCC, IKSRVCCderivation . 74g3A.13 KASMEto CK, IK derivation at idle mobility . 74g3A.14 (Void) . 74g3A.15 Derivation of S-KeNBfor dual connectivity 74g3Annex B (normative): Algorithms for ciphering and integrity protection . 75

40、g3B.0 Null ciphering and integrity protection algorithms 75g3B.1 128-bit ciphering algorithm 75g3B.1.1 Inputs and outputs 75g3B.1.2 128-EEA1 . 76g3B.1.3 128-EEA2 . 76g3B.1.4 128-EEA3 . 76g3B.2 128-Bit integrity algorithm . 77g3B.2.1 Inputs and outputs 77g3B.2.2 128-EIA1 77g3B.2.3 128-EIA2 77g3B.2.4

41、128-EIA3 78g3Annex C (informative): Algorithm test data 79g3C.1 128-EEA2 . 79g3C.1.1 Test Set 1 79g3C.1.2 Test Set 2 80g3C.1.3 Test Set 3 81g3C.1.4 Test Set 4 81g3C.1.5 Test Set 5 82g3C.1.6 Test Set 6 83g3C.2 128-EIA2 86g3C.2.1 Test Set 1 87g3C.2.2 Test Set 2 88g3C.2.3 Test Set 3 89g3C.2.4 Test Set

42、4 90g3C.2.5 Test Set 5 91g3C.2.6 Test Set 6 92g3C.2.7 Test Set 7 94g3C.2.8 Test Set 8 96g3C.3 128-EEA1 . 108g3C.4 128-EIA1 108g3C.4.1 Test Set 1 108g3C.4.2 Test Set 2 109g3C.4.3 Test Set 3 109g3C.4.4 Test Set 4 109g3C.4.5 Test Set 5 110g3C.4.6 Test Set 6 110g3C.4.7 Test Set 7 110g3Annex D (normative

43、): Security for Relay Node Architectures 113g3D.1 Introduction 113g3D.2 Solution 113g3ETSI ETSI TS 133 401 V12.16.0 (2016-01)73GPP TS 33.401 version 12.16.0 Release 12D.2.1 General . 113g3D.2.2 Security Procedures 113g3D.2.3 USIM Binding Aspects 116g3D.2.4 Enrolment procedures for RNs . 116g3D.2.5 S

44、ecure management procedures for RNs 117g3D.2.6 Certificate and subscription handling . 117g3D.3 Secure channel profiles 119g3D.3.1 General . 119g3D.3.2 APDU secure channel profile . 119g3D.3.3 Key agreement based on certificate exchange 119g3D.3.3.1 TLS profile 119g3D.3.3.2 Common profile for RN and

45、 UICC certificate 119g3D.3.3.3 RN certificate profile 120g3D.3.3.4 UICC certificate profile 120g3D.3.4 Key agreement for pre-shared key (psk) case. 120g3D.3.5 Identities used in key agreement 121g3Annex E Dual connectivity 122g3E.1 Introduction 122g3E.2 Dual connectivity offload architecture . 123g3

46、E.2.1 Protection of the X2 reference point. 123g3E.2.2 Addition and modification of DRB in SeNB 123g3E.2.3 Activation of encryption/decryption . 123g3E.2.4 Derivation of keys for the DRBs in the SeNB 125g3E.2.4.1 SCG Counter maintenance 125g3E.2.4.2 Security key derivation . 125g3E.2.4.3 Negotiation

47、 of security algorithms 126g3E.2.5 S-KeNBupdate . 126g3E.2.5.1 S-KeNBupdate triggers 126g3E.2.5.2 S-KeNBupdate procedure . 126g3E.2.6 Handover procedures 126g3E.2.7 Periodic local authentication procedure . 126g3E.2.8 Radio link failure recovery . 127g3E.2.9 Avoiding key stream reuse caused by DRB t

48、ype change . 127g3Annex F (informative): Change history . 128g3History 133g3ETSI ETSI TS 133 401 V12.16.0 (2016-01)83GPP TS 33.401 version 12.16.0 Release 12Foreword This Technical Specification has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document a

49、re subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the th