1、 TIA STANDARD Enhanced Cryptographic Algorithms- Addendum 1 TIA-946-1E (Addendum to TIA-946) October 2006 TELECOMMUNICATIONS INDUSTRY ASSOCIATION The Telecommunications Industry Association represents the communications sector of Copyright Telecommunications Industry Association Provided by IHS unde
2、r license with EIANot for ResaleNo reproduction or networking permitted without license from IHS-,-,-NOTICE TIA Engineering Standards and Publications are designed to serve the public interest through eliminating misunderstandings between manufacturers and purchasers, facilitating interchangeability
3、 and improvement of products, and assisting the purchaser in selecting and obtaining with minimum delay the proper product for their particular need. The existence of such Standards and Publications shall not in any respect preclude any member or non-member of TIA from manufacturing or selling produ
4、cts not conforming to such Standards and Publications. Neither shall the existence of such Standards and Publications preclude their voluntary use by Non-TIA members, either domestically or internationally. Standards and Publications are adopted by TIA in accordance with the American National Standa
5、rds Institute (ANSI) patent policy. By such action, TIA does not assume any liability to any patent owner, nor does it assume any obligation whatever to parties adopting the Standard or Publication. This Standard does not purport to address all safety problems associated with its use or all applicab
6、le regulatory requirements. It is the responsibility of the user of this Standard to establish appropriate safety and health practices and to determine the applicability of regulatory limitations before its use. (From Project No. 3-0095-AD1E, formulated under the cognizance of the TIA TR-45 Mobile (
7、b) there is no assurance that the Document will be approved by any Committee of TIA or any other body in its present or any other form; (c) the Document may be amended, modified or changed in the standards development or any editing process. The use or practice of contents of this Document may invol
8、ve the use of intellectual property rights (“IPR”), including pending or issued patents, or copyrights, owned by one or more parties. TIA makes no search or investigation for IPR. When IPR consisting of patents and published pending patent applications are claimed and called to TIAs attention, a sta
9、tement from the holder thereof is requested, all in accordance with the Manual. TIA takes no position with reference to, and disclaims any obligation to investigate or inquire into, the scope or validity of any claims of IPR. TIA will neither be a party to discussions of any licensing terms or condi
10、tions, which are instead left to the parties involved, nor will TIA opine or judge whether proposed licensing terms or conditions are reasonable or non-discriminatory. TIA does not warrant or represent that procedures or practices suggested or provided in the Manual have been complied with as respec
11、ts the Document or its contents. If the Document contains one or more Normative References to a document published by another organization (“other SSO”) engaged in the formulation, development or publication of standards (whether designated as a standard, specification, recommendation or otherwise),
12、 whether such reference consists of mandatory, alternate or optional elements (as defined in the TIA Engineering Manual, 4thedition) then (i) TIA disclaims any duty or obligation to search or investigate the records of any other SSO for IPR or letters of assurance relating to any such Normative Refe
13、rence; (ii) TIAs policy of encouragement of voluntary disclosure (see Engineering Manual Section 6.5.1) of Essential Patent(s) and published pending patent applications shall apply; and (iii) Information as to claims of IPR in the records or publications of the other SSO shall not constitute identif
14、ication to TIA of a claim of Essential Patent(s) or published pending patent applications. TIA does not enforce or monitor compliance with the contents of the Document. TIA does not certify, inspect, test or otherwise investigate products, designs or services or any claims of compliance with the con
15、tents of the Document. ALL WARRANTIES, EXPRESS OR IMPLIED, ARE DISCLAIMED, INCLUDING WITHOUT LIMITATION, ANY AND ALL WARRANTIES CONCERNING THE ACCURACY OF THE CONTENTS, ITS FITNESS OR APPROPRIATENESS FOR A PARTICULAR PURPOSE OR USE, ITS MERCHANTABILITY AND ITS NONINFRINGEMENT OF ANY THIRD PARTYS INT
16、ELLECTUAL PROPERTY RIGHTS. TIA EXPRESSLY DISCLAIMS ANY AND ALL RESPONSIBILITIES FOR THE ACCURACY OF THE CONTENTS AND MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE CONTENTS COMPLIANCE WITH ANY APPLICABLE STATUTE, RULE OR REGULATION, OR THE SAFETY OR HEALTH EFFECTS OF THE CONTENTS OR ANY PRODUC
17、T OR SERVICE REFERRED TO IN THE DOCUMENT OR PRODUCED OR RENDERED TO COMPLY WITH THE CONTENTS. Copyright Telecommunications Industry Association Provided by IHS under license with EIANot for ResaleNo reproduction or networking permitted without license from IHS-,-,-TIA SHALL NOT BE LIABLE FOR ANY AND
18、 ALL DAMAGES, DIRECT OR INDIRECT, ARISING FROM OR RELATING TO ANY USE OF THE CONTENTS CONTAINED HEREIN, INCLUDING WITHOUT LIMITATION ANY AND ALL INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, LITIGATION, OR THE LIKE), WHETHER BASED UP
19、ON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING NEGATION OF DAMAGES IS A FUNDAMENTAL ELEMENT OF THE USE OF THE CONTENTS HEREOF, AND THESE CONTENTS WOULD NOT BE PUBLISHED BY TIA W
20、ITHOUT SUCH LIMITATIONS. Copyright Telecommunications Industry Association Provided by IHS under license with EIANot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Enhanced Cryptographic Algorithms TIA-946-1E i Table of Contents 1 1. INTRODUCTION 1 2 1.1. Notations 1
21、3 1.2. Definitions 1 4 1.3. References 2 5 1.3.1. Normative 2 6 1.3.2. Informative 2 7 2. PROCEDURES 3 8 2.1. Enhanced Hash Algorithm 3 9 2.1.1. SHA-1 3 10 2.1.2. SHA-based MAC 4 11 2.1.2.1. MAC Calculation Procedure 4 12 2.1.2.2. UIM-Present MAC (UMAC) Generation Procedure 6 13 2.2. Authentication
22、and Key Agreement 7 14 2.2.1. AKA 7 15 2.2.2. SHA-Based Functions for AKA 8 16 2.2.2.1. Constants 8 17 2.2.2.2. Random Number (RAND) Generation Procedure f0 9 18 2.2.2.3. Message Authentication (MACA) Generation Procedure f1 12 19 2.2.2.4. Resynchronization Message Authentication (MACS) Generation P
23、rocedure f1* 13 20 2.2.2.5. Message Authentication (RES & XRES) Generation Procedure f2 14 21 2.2.2.6. Ciphering Key (CK) Generation Procedure f3 15 22 2.2.2.7. Integrity Key (IK) Generation Procedures f4 18 23 2.2.2.8. Anonymity Key (AK) Generation Procedure f5 19 24 2.2.2.9. Resynchronization Anon
24、ymity Key (AKS) Generation Procedure f5* 20 25 2.2.3. UIM Authentication 21 26 2.2.3.1. Constants 21 27 2.2.3.2. UIM Authentication Key (UAK) Generation Procedure f11 22 28 2.2.4. One-Way Roaming to 2G systems 23 29 2.2.4.1. GSM Triplet Generation from SSD 23 30 2.2.4.2. 2G Key Generation from 3G Ke
25、ys 25 31 2.2.5. Key Strength Reduction 26 32 2.3. Enhanced Voice and Data Privacy 27 33 2.3.1. TDMA (TIA-136) 27 34 2.3.2. CDMA (TIA/EIA/IS-2000) 27 35 2.3.2.1. Encryption Key Generation 27 36 2.3.2.2. Enhanced Privacy Algorithm 27 37 2.3.2.2.1. Algorithm 27 38 2.3.2.2.2. ESP_privacykey Procedure 28
26、 39 2.3.2.2.3. ESP_maskbits Procedure 29 40 2.3.2.2.4. ESP_AES Procedure 31 41 3. REFERENCE IMPLEMENTATIONS 32 42 Copyright Telecommunications Industry Association Provided by IHS under license with EIANot for ResaleNo reproduction or networking permitted without license from IHS-,-,-TIA-946-1E Enha
27、nced Cryptographic Algorithms ii 3.1. CDMA Enhanced Privacy 32 1 3.1.1. Rijndael 32 2 3.1.2. ESP Procedures 39 3 3.2. Authentication and Key Agreement 42 4 3.2.1. SHA-1 42 5 3.2.2. AKA Functions f0-f5 and f11 47 6 3.2.3. GSM Triplet Generation Function fh 55 7 3.2.4. CDMA_3G_2G_Conversion Function 5
28、6 8 3.2.5. KeyStrengthRedAlg Function 57 9 3.3. EHMAC-SHA-1 58 10 4. TEST VECTORS 63 11 4.1. CDMA Enhanced Privacy 63 12 4.1.1. Test Program Output 63 13 4.1.2. Test Program 63 14 4.2. SHA-Based Functions for AKA 65 15 4.2.1. Test Program Output 65 16 4.2.2. Test Program 68 17 4.3. Test Vectors for
29、EHMAC-SHA-1 74 18 4.3.1. Test Program Output 74 19 4.3.2. Test Program 74 20 21 Copyright Telecommunications Industry Association Provided by IHS under license with EIANot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Enhanced Cryptographic Algorithms TIA-946-1E iii
30、List of Exhibits 1 EXHIBIT 2-1. PSEUDO RANDOM GENERATOR. 11 2 EXHIBIT 2-2. KEY SCHEDULER17 3 EXHIBIT 3-1 HEADER FOR RIJNDAEL.32 4 EXHIBIT 3-2 RIJNDAEL BOX DATA .32 5 EXHIBIT 3-3 RIJNDAEL ALGORITHM34 6 EXHIBIT 3-4 HEADER FOR ESP.39 7 EXHIBIT 3-5 ESP_KEYSCHED AND ESP_MASKBITS40 8 EXHIBIT 3-6 SHA-1 HEA
31、DER .42 9 EXHIBIT 3-7 SHA-1 CODE 42 10 EXHIBIT 3-8 AKA FUNCTION HEADER.47 11 EXHIBIT 3-9 AKA FUNCTION CODE48 12 EXHIBIT 3-10 FUNCTION FH HEADER 55 13 EXHIBIT 3-11 FUNCTION FH CODE .56 14 EXHIBIT 3-12 CDMA_3G_2G_CONVERSION FUNCTION HEADER56 15 EXHIBIT 3-13 CDMA_3G_2G_CONVERSION FUNCTION CODE .57 16 E
32、XHIBIT 3-14 KEYSTRENGTHREDALG FUNCTION HEADER 57 17 EXHIBIT 3-15 KEYSTRENGTHREDALG FUNCTION CODE .57 18 EXHIBIT 3-16 EHMAC HEADER 58 19 EXHIBIT 3-17 EHMAC CODE .59 20 EXHIBIT 3-18 UMAC_GENERATION CODE 61 21 EXHIBIT 4-1 ESP_MASKBITS TEST OUTPUT .63 22 EXHIBIT 4-2 ESP_MASKBITS TEST PROGRAM .63 23 EXHI
33、BIT 4-3 AKA FUNCTION TEST OUTPUT.65 24 EXHIBIT 4-4 AKA FUNCTION TEST PROGRAM.68 25 26 Copyright Telecommunications Industry Association Provided by IHS under license with EIANot for ResaleNo reproduction or networking permitted without license from IHS-,-,-TIA-946-1E Enhanced Cryptographic Algorithm
34、s iv 1 2 3 4 5 6 7 8 9 10 11 This page intentionally left blank 12 13 Copyright Telecommunications Industry Association Provided by IHS under license with EIANot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Enhanced Cryptographic Algorithms TIA-946-1E 1 1. Introduct
35、ion 1 This document describes detailed cryptographic procedures for 2 wireless system applications. These procedures are used to perform the 3 security services of mutual authentication between mobile stations and 4 base stations, subscriber message encryption, and key agreement within 5 wireless eq
36、uipment. 6 This document includes changes resulting from the publication of 7 3GPP2 document S.S0078-0. 8 1.1. Notations 9 The notation 0x indicates a hexadecimal (base 16) number. 10 Binary numbers are expressed as a string of zero(s) and/or one(s) 11 followed by a lower-case “b”. 12 Data arrays ar
37、e indicated by square brackets, as Array . Array indices 13 start at zero (0). Where an array is loaded using a quantity that spans 14 several array elements, the most significant bits of the quantity are 15 loaded into the element having the lowest index. Similarly, where a 16 quantity is loaded fr
38、om several array elements, the element having the 17 lowest index provides the most significant bits of the quantity. 18 Big-endian byte ordering is assumed in this specification. 19 This document uses ANSI C language programming syntax to specify 20 the behavior of the cryptographic algorithms (see
39、 5).ANSI/ISO 9899-21 1990, “Programming Languages - C”). This specification is not meant 22 to constrain implementations. Any implementation that demonstrates 23 the same behavior at the external interface as the algorithm specified 24 herein, by definition, complies with this standard. 25 1.2. Defi
40、nitions 26 AND Bitwise logical AND function. 27 Internal Stored Data Stored data that is defined locally within the cryptographic procedures 28 and is not accessible for examination or use outside those procedures. 29 LSB Least Significant Bit. 30 MSB Most Significant Bit. 31 OR Bitwise logical incl
41、usive OR function. 32 XOR Bitwise logical exclusive OR function. 33 Word A data unit that contains 32 bits or 4 bytes where byte 0 is the most 34 significant byte and byte 3 is the least significant byte. 35 Copyright Telecommunications Industry Association Provided by IHS under license with EIANot
42、for ResaleNo reproduction or networking permitted without license from IHS-,-,-TIA-946-1E Enhanced Cryptographic Algorithms 2 1.3. References 1 1.3.1. Normative 2 1. Federal Information Processing Standard FIPS 180-2, “Secure Hash Standard,” 3 August 1, 2002 4 2. Alliance for Telecommunications Indu
43、stry Solutions (ATIS) T1TRQ3GPP 5 33.102-350, “3G Security Security Architecture,” July, 2000. 6 3. Alliance for Telecommunications Industry Solutions (ATIS) T1TRQ3GPP 7 33.103-330, “3G Security Integration Guidelines,” July, 2000. 8 4. Alliance for Telecommunications Industry Solutions (ATIS) T1TRQ
44、3GPP 9 33.105-340, “Cryptographic Algorithm Requirements,” July, 2000. 10 1.3.2. Informative 11 5. ANSI/ISO 9899-1999, “Programming Languages - C” 12 6. A Million Random Digits with 100,000 Normal Deviates, The RAND 13 Corporation, 1955, online at 14 http:/www.rand.org/publications/classics/randomdi
45、gits . 15 7. Federal Information Processing Standard FIPS 197, “Advanced Encryption 16 Standard (AES),” November 26, 2001. 17 8. Telecommunications Industry Association, TR-45 AHAG, “Common 18 Cryptographic Algorithms, Revision D.1”, September 13, 2000. 19 9. Telecommunications Industry Association,
46、 ANSI/TIA/EIA-41-D-97, “Cellular 20 Radiotelecommunications Intersystem Operations,” December 1997. 21 Copyright Telecommunications Industry Association Provided by IHS under license with EIANot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Enhanced Cryptographic Alg
47、orithms TIA-946-1E 3 2. Procedures 1 2.1. Enhanced Hash Algorithm 2 2.1.1. SHA-1 3 The hash function used in this document is SHA-1, defined in 1.FIPS 4 publication FIPS 180-1, “Secure Hash Standard,” April 17, 1995. Refer 5 to 3.2.1 for a reference implementation of the SHA-1 algorithm. In this 6 d
48、ocument, the function F( ) refers to the SHA-1 algorithm. 7 Test vectors for SHA-1 are given in 1FIPS 180-1. 8 SHA-1 uses an iterated construction where the input message is 9 processed block by block. The basic building block is called the 10 compression function. The compression function used in this document 11 differs from the SHA-1 hash function defined in 1FIPS publication 12 FIPS 180-1, “Secure Hash Standard,” April 17, 1995 by the way its 13 payload and chaining variable inputs are loaded. In this document, the 14 function fK( ) refers to the compression function with key K exclusive-
