1、 TIA/EIA STANDARD Cellular Digital Packet Data (CDPD) System Specification Airlink Security TIA/EIA-732-406 (Upgrade of TIA/EIA/IS-732-406) JULY 2001 TELECOMMUNICATIONS INDUSTRY ASSOCIATION The Telecommunications Industry Association represents the communications sector of ANSI/TIA/EIA-732-406-2001
2、Approved: June 8, 2001 TIA/EIA-732-406 NOTICE TIA/EIA Engineering Standards and Publications are designed to serve the public interest through eliminating misunderstandings between manufacturers and purchasers, facilitating interchangeability and improvement of products, and assisting the purchaser
3、in selecting and obtaining with minimum delay the proper product for his particular need. Existence of such Standards and Publications shall not in any respect preclude any member or nonmember of TIA/EIA from manufacturing or selling products not conforming to such Standards and Publications, nor sh
4、all the existence of such Standards and Publications preclude their voluntary use by those other than TIA/EIA members, whether the standard is to be used either domestically or internationally. Standards and Publications are adopted by TIA/EIA in accordance with the American National Standards Insti
5、tute (ANSI) patent policy. By such action, TIA/EIA does not assume any liability to any patent owner, nor does it assume any obligation whatever to parties adopting the Standard or Publication. This Standard does not purport to address all safety problems associated with its use or all applicable re
6、gulatory requirements. It is the responsibility of the user of this Standard to establish appropriate safety and health practices and to determine the applicability of regulatory limitations before its use. (From Standards Proposal No. 4033-406-UG, formulated under the cognizance of the TIA TR-45.6
7、Subcommittee on Adjunct Data Packet Wireless Technology.) Published by TELECOMMUNICATIONS INDUSTRY ASSOCIATION 2001 Standards and Technology Department 2500 Wilson Boulevard Arlington, VA 22201 PRICE: Please refer to current Catalog of EIA ELECTRONIC INDUSTRIES ALLIANCE STANDARDS and ENGINEERING PUB
8、LICATIONS or call Global Engineering Documents, USA and Canada (1-800-854-7179) International (303-397-7956) All rights reserved Printed in U.S.A. PLEASE! DONT VIOLATE THE LAW! This document is copyrighted by the TIA and may not be reproduced without permission. Organizations may obtain permission t
9、o reproduce a limited number of copies through entering into a license agreement. For information, contact: Global Engineering Documents 15 Inverness Way East Englewood, CO 80112-5704 or call U.S.A. and Canada 1-800-854-7179, International (303) 397-7956 406iTIA/EIA-732-40612345678910111213141516171
10、8192021222324252627282930313233343536373839404142434445464748495051525354555657585960Contents1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406-11.1 Objectives of the CDPD Security System . . . . . . . . . . . . . . . . . . . . . . . .
11、. . . . . . . . . . . . . . .406-12 Overview of the Security Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406-22.1 Functions Performed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-22.2 Model of Operation . . . .
12、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-32.2.1 Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-32.2.2 Data Encryption and Decryption . . . . . . . .
13、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-32.2.3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-32.3 Services Required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
14、. . . . . . . . . . . . . . . . . . . . . . . . .406-42.3.1 Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-42.3.2 Encryption and Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
15、 . . . . . . . .406-42.3.3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-42.3.4 Upgradeability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-43
16、 Protocol Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406-53.1 Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-53.1.1 Key Exchange . . . . . . . . . . . . . . . . .
17、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-53.1.2 Secret Key Derivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-63.1.3 Key Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
18、 . . . . . . . . . . . . . . . . . . . . . . . . . .406-63.1.4 Key Resynchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-73.2 Encryption and Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19、 . . . . . . . . .406-83.2.1 RC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-93.2.2 Test Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
20、 . . .406-93.3 M-ES Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-94 PDU Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406-124.1 Key Exchange Messages . . . . . . .
21、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-134.1.1 MD-IS Key Exchange Message (IKE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-134.1.1.1 Message Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22、 . . . . . . . . . . . . . . . . . . . .406-134.1.1.2 Encryption Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-134.1.1.3 Key Sequence Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-134
23、.1.1.4 Key Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-144.1.1.5 Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-144.1.1.6 Prime Modulus .
24、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-144.1.1.7 MD-IS Secret Half . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-144.1.2 M-ES Key Exchange Message (EKE) . . . . . . . . . . . .
25、 . . . . . . . . . . . . . . . . . . . . . . . . . .406-154.1.2.1 Message Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-154.1.2.2 Key Sequence Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
26、. . . . .406-154.1.2.3 M-ES Secret Half . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-154.2 MNRP Parameter Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-164.2.1 Authentication Para
27、meter Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-164.2.1.1 Parameter Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-164.2.1.2 Length . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-16TIA/EIA-732-406406ii1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859604.2.1.3 Authentication Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
29、. . . . . . . . . .406-164.2.1.4 Authentication Sequence Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-174.2.1.5 Authentication Random Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-174.2.2 Authentication Update Parameter O
30、ption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-184.2.2.1 Parameter Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-184.2.2.2 Length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31、. . . . . . . . . . . . . . . . . . . . . .406-184.2.2.3 Authentication Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-184.2.2.4 Authentication Random Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406-18406iii1
32、23456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960TIA/EIA-732-406PART 406 Airlink SecurityForewordThis foreword is not part of the StandardThis Standard has been produced by the TR-45.6 Subcommittee of the TIA/EIA/TR-45 Committee.This docum
33、ent contains significant portions of material originally submitted by the Cellular Digital Packet Data Forum Inc.This document set constitutes the Cellular Digital Packet Data (CDPD) System Specification. CDPD is a technology intended to provide packet data networking services to mobile hosts. The m
34、edia used to provide these services consists of radio channels typically used for Advanced Mobile Phone System (AMPS) cellular service.Document StructureThis Standard is published as a series of Parts. Each Part contains information pertaining to one aspect of the system.The functional structure of
35、the Cellular Digital Packet Data System Specification is as follows:a71 Introduction and OverviewTIA/EIA-732-406 Airlink Security406iv123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960This document provides an overview of the CDPD Network
36、and serves as a guide to the remainder of the system specification for specific detailed information.In this Part, design objectives are described and are followed by the design concepts used to realize the stated objectives. The resultant network is then described in terms of its external interface
37、s, major network elements and network services. A listing of key identifiers in CDPD is then followed by a comprehensive glossary of CDPD terms and a reference list of non-CDPD documents.This Part contains the detailed listing of all Parts of the Cellular Digital Packet Data Specifications.a71 Part
38、300 to Part 799Protocols and InterfacesThese Parts form the heart of the CDPD System Specification. They define the communications architecture of CDPD, including communications layer entities, services, protocol stacks, the three key interfaces, Radio Resource Control, Mobility Management, Accounti
39、ng Management, Support Services and Network Management.a71 Part 800 to Part 899Supplementary Protocol InformationThese Parts contain further specification of the primary CDPD protocols. State transition matrices are used to define protocol state machines, and Protocol Implementation Conformance Stat
40、ements (PICS) are provided for implementors.a71 Part 900 to Part 999Protocol Test SpecificationsFollowing an overview of protocol testing, these Parts contain Abstract Test Suites (ATSs) and Protocol Implementation eXtra Information for Test (PIXIT) for the protocols specified in Part 300 to Part 79
41、9.a71 Part 1000 to Part 1999Guidelines for Service ProvidersThese Parts describe guidelines for CDPD Service Providers.4061123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960Introduction TIA/EIA-732-406PART 406 Airlink Security1 Introductio
42、nThis Part defines the security services provided by the CDPD Network across the Airlink Interface, and specifies the algorithms and protocols that are used to support those procedures.1.1 Objectives of the CDPD Security SystemThe security services provided across the Airlink Interface support the f
43、ollowing security functions:a71 Data Link ConfidentialityAll information contained in the information fields of SN-DATA PDUs, including the NEIs of the M-ESs, is transmitted across the Airlink in an encrypted form, once secret keys have been determined.a71 M-ES AuthenticationEach NEI used by the M-E
44、S shall be authenticated by the CDPD Network to ensure that only the authorized possessor of the NEI is using the NEI.a71 Key ManagementAll secret keys required to operate the encryption algorithms supporting the first two functions are managed by the network.a71 UpgradeabilityTIA/EIA-732-406 Airlin
45、k Security4062123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960The network can support upgrade or replacement of the algorithms used to support the first three functions.a71 Access ControlThe network can support restrictions on access by
46、or to different NEIs, such as restrictions by location, screening lists, and so on. Access control is not specifically an airlink function.The security services across the Airlink Interface do not support any other security functions, including the following:a71 Bilateral AuthenticationThe security
47、services do not validate the CDPD Network to the M-ES across the Airlink. The security services do not support bilateral authentication of the NEIs of the source and destination N-Entities.a71 End-to-end Data ConfidentialityThe security services do not provide end-to-end data confidentiality. They o
48、nly provide data confidentiality over the Airlink.a71 Data IntegrityThe security services do not provide protection against modification of encrypted data transmitted across the Airlink.a71 Non-repudiationThe security services do not provide protection against repudiation of commitments entered into
49、 by a user of the security services.a71 Traffic Flow ConfidentialityThe security services do not provide protection against monitoring of the volume of data exchanged by users of the security services.Users of the Airlink security services who require any of these other security services shall provide them by other means.2 Overview of the Security Protocol2.1 Functions PerformedBoth the M-ES and the MD-IS perform the following security functions:a71 Exchange of secret keys to be used for encryption and decryption of data transmitted across the Airlinka71 Encryption and decryption