TIA DOCUMENT

Enhanced Cryptographic Algorithms

TIA-946

JUNE 2003

TELECOMMUNICATIONS INDUSTRY ASSOCIATION

The Telecommunications Industry Association represents the communications sector of

Copyright Telecommunications Industry Association. Provided by IHS under license with EIA. Not for Resale. No reproduction or networking permitted without license from IHS.

NOTICE

TIA Engineering Standards and Publications are designed to serve the public interest through eliminating misunderstandings between manufacturers and purchasers, facilitating interchangeability and improvement of products, and assisting the purchaser in selecting and obtaining with minimum delay the proper product for their particular need. The existence of such Publications shall not in any respect preclude any member or non-member of TIA from manufacturing or selling products not conforming to such Publications. Neither shall the existence of such Documents preclude their voluntary use by non-TIA members, either domestically or internationally.

TIA DOCUMENTS

TIA Documents contain information deemed to be of technical value to the industry, and are published at the request of the originating Committee without necessarily following the rigorous public review and resolution of comments which is a procedural part of the development of an American National Standard (ANS). Further details of the development process are available in the TIA Engineering Manual, located at http://www.tiaonline.org/standards/sfg/engineering_manual.cfm

TIA Documents shall be reviewed on a five year cycle by the formulating Committee and a decision made on whether to reaffirm, revise, withdraw, or proceed to develop an American National Standard on this subject. Suggestions for revision should be directed to: Standards & Technology Department, Telecommunications Industry Association, 2500 Wilson Boulevard, Arlington, VA 22201 U.S.A.

(From Project No. 3-0095, formulated under the cognizance of the TIA TR-45 Committee on Mobile and Personal Communications Systems.)

Published by TELECOMMUNICATIONS INDUSTRY ASSOCIATION 2003, Standards & Technology Department, 2500 Wilson Boulevard, Arlington, VA 22201 U.S.A.

PRICE: Please refer to current Catalog of TIA TELECOMMUNICATIONS INDUSTRY ASSOCIATION STANDARDS AND ENGINEERING PUBLICATIONS or call Global Engineering Documents, USA and Canada (1-800-854-7179), International (303-397-7956), or search online at http://www.tiaonline.org/standards/search_n_order.cfm

All rights reserved. Printed in U.S.A.

NOTICE OF DISCLAIMER AND LIMITATION OF LIABILITY

The document to which this Notice is affixed (the “Document”) has been prepared by one or more Engineering Committees or Formulating Groups of the Telecommunications Industry Association (“TIA”). TIA is not the author of the Document contents, but publishes and claims copyright to the Document pursuant to licenses and permission granted by the authors of the contents.

TIA Engineering Committees and Formulating Groups are expected to conduct their affairs in accordance with the TIA Engineering Manual (“Manual”), the current and predecessor versions of which are available at http://www.tiaonline.org/standards/sfg/engineering_manual.cfm. TIA's function is to administer the process, but not the content, of document preparation in accordance with the Manual and, when appropriate, the policies and procedures of the American National Standards Institute (“ANSI”). TIA does not evaluate, test, verify or investigate the information, accuracy, soundness, or credibility of the contents of the Document. In publishing the Document, TIA disclaims any undertaking to perform any duty owed to or for anyone.

The use or practice of contents of this Document may involve the use of intellectual property rights (“IPR”), including pending or issued patents, or copyrights, owned by one or more parties. TIA makes no search or investigation for IPR. When IPR consisting of patents and published pending patent applications are claimed and called to TIA's attention, a statement from the holder thereof is requested, all in accordance with the Manual. TIA takes no position with reference to, and disclaims any obligation to investigate or inquire into, the scope or validity of any claims of IPR.

TIA does not enforce or monitor compliance with the contents of the Document. TIA does not certify, inspect, test or otherwise investigate products, designs or services or any claims of compliance with the contents of the Document.

ALL WARRANTIES, EXPRESS OR IMPLIED, ARE DISCLAIMED, INCLUDING WITHOUT LIMITATION, ANY AND ALL WARRANTIES CONCERNING THE ACCURACY OF THE CONTENTS, ITS FITNESS OR APPROPRIATENESS FOR A PARTICULAR PURPOSE OR USE, ITS MERCHANTABILITY AND ITS NON-INFRINGEMENT OF ANY THIRD PARTY'S INTELLECTUAL PROPERTY RIGHTS. TIA EXPRESSLY DISCLAIMS ANY AND ALL RESPONSIBILITIES FOR THE ACCURACY OF THE CONTENTS AND MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE CONTENT'S COMPLIANCE WITH ANY APPLICABLE STATUTE, RULE OR REGULATION, OR THE SAFETY OR HEALTH EFFECTS OF THE CONTENTS OR ANY PRODUCT OR SERVICE REFERRED TO IN THE DOCUMENT OR PRODUCED OR RENDERED TO COMPLY WITH THE CONTENTS.

TIA SHALL NOT BE LIABLE FOR ANY AND ALL DAMAGES, DIRECT OR INDIRECT, ARISING FROM OR RELATING TO ANY USE OF THE CONTENTS CONTAINED HEREIN, INCLUDING WITHOUT LIMITATION ANY AND ALL INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, LITIGATION, OR THE LIKE), WHETHER BASED UPON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING NEGATION OF DAMAGES IS A FUNDAMENTAL ELEMENT OF THE USE OF THE CONTENTS HEREOF, AND THESE CONTENTS WOULD NOT BE PUBLISHED BY TIA WITHOUT SUCH LIMITATIONS.

PLEASE! DON'T VIOLATE THE LAW!

This document is copyrighted by the TIA and may not be reproduced without prior permission of the Telecommunications Industry Association. For information consult our website at http://www.tiaonline.org/about/faqDetail.cfm?id=18

Organizations may obtain permission to reproduce a limited number of copies through entering into a license agreement. For information, contact: Global Engineering Documents, 15 Inverness Way East, Englewood, CO 80112-5704 U.S.A., or call U.S.A. and Canada 1-800-854-7179, International (303) 397-7956.

Table of Contents

1. INTRODUCTION
  1.1. Notations
  1.2. Definitions
2. PROCEDURES
  2.1. Enhanced Hash Algorithm
    2.1.1. SHA-1
    2.1.2. SHA-based MAC
      2.1.2.1. MAC Calculation Procedure
      2.1.2.2. UIM-Present MAC (UMAC) Generation Procedure
  2.2. Authentication and Key Agreement
    2.2.1. AKA
    2.2.2. SHA-Based Functions for AKA
      2.2.2.1. Constants
      2.2.2.2. Random Number (RAND) Generation Procedure f0
      2.2.2.3. Message Authentication (MACA) Generation Procedure f1
      2.2.2.4. Resynchronization Message Authentication (MACS) Generation Procedure f1*
      2.2.2.5. Message Authentication (RES & XRES) Generation Procedure f2
      2.2.2.6. Ciphering Key (CK) Generation Procedure f3
      2.2.2.7. Integrity Key (IK) Generation Procedures f4
      2.2.2.8. Anonymity Key (AK) Generation Procedure f5
      2.2.2.9. Resynchronization Anonymity Key (AKS) Generation Procedure f5*
    2.2.3. UIM Authentication
      2.2.3.1. Constants
      2.2.3.2. UIM Authentication Key (UAK) Generation Procedure f11
    2.2.4. One-Way Roaming to 2G systems
      2.2.4.1. GSM Triplet Generation from SSD
      2.2.4.2. 2G Key Generation from 3G Keys
    2.2.5. Key Strength Reduction
  2.3. Enhanced Voice and Data Privacy
    2.3.1. TDMA (TIA-136)
    2.3.2. CDMA (TIA/EIA/IS-2000)
      2.3.2.1. Encryption Key Generation
      2.3.2.2. Enhanced Privacy Algorithm
        2.3.2.2.1. Algorithm
        2.3.2.2.2. ESP_privacykey Procedure
        2.3.2.2.3. ESP_maskbits Procedure
        2.3.2.2.4. ESP_AES Procedure
3. REFERENCE IMPLEMENTATIONS
  3.1. CDMA Enhanced Privacy
    3.1.1. Rijndael
    3.1.2. ESP Procedures
  3.2. Authentication and Key Agreement
    3.2.1. SHA-1
    3.2.2. AKA Functions f0-f5 and f11
    3.2.3. GSM Triplet Generation Function fh
    3.2.4. CDMA_3G_2G_Conversion Function
    3.2.5. KeyStrengthRedAlg Function
  3.3. EHMAC-SHA-1
4. TEST VECTORS
  4.1. CDMA Enhanced Privacy
    4.1.1. Test Program Output
    4.1.2. Test Program
  4.2. SHA-Based Functions for AKA
    4.2.1. Test Program Output
    4.2.2. Test Program
  4.3. Test Vectors for EHMAC-SHA-1
    4.3.1. Test Program Output
    4.3.2. Test Program

List of Exhibits

EXHIBIT 2-1. PSEUDO RANDOM GENERATOR
EXHIBIT 2-2. KEY SCHEDULER
EXHIBIT 3-1 HEADER FOR RIJNDAEL
EXHIBIT 3-2 RIJNDAEL BOX DATA
EXHIBIT 3-3 RIJNDAEL ALGORITHM
EXHIBIT 3-4 HEADER FOR ESP
EXHIBIT 3-5 ESP_KEYSCHED AND ESP_MASKBITS
EXHIBIT 3-6 SHA-1 HEADER
EXHIBIT 3-7 SHA-1 CODE
EXHIBIT 3-8 AKA FUNCTION HEADER
EXHIBIT 3-9 AKA FUNCTION CODE
EXHIBIT 3-10 FUNCTION FH HEADER
EXHIBIT 3-11 FUNCTION FH CODE
EXHIBIT 3-12 CDMA_3G_2G_CONVERSION FUNCTION HEADER
EXHIBIT 3-13 CDMA_3G_2G_CONVERSION FUNCTION CODE
EXHIBIT 3-14 KEYSTRENGTHREDALG FUNCTION HEADER
EXHIBIT 3-15 KEYSTRENGTHREDALG FUNCTION CODE
EXHIBIT 3-16 EHMAC HEADER
EXHIBIT 3-17 EHMAC CODE
EXHIBIT 3-18 UMAC_GENERATION CODE
EXHIBIT 4-1 RIJNDAEL TEST OUTPUT
EXHIBIT 4-2 RIJNDAEL TEST PROGRAM
EXHIBIT 4-3 AKA FUNCTION TEST OUTPUT
EXHIBIT 4-4 AKA FUNCTION TEST PROGRAM

1. Introduction

This document describes detailed cryptographic procedures for wireless system applications. These procedures are used to perform the security services of mutual authentication between mobile stations and base stations, subscriber message encryption, and key agreement within wireless equipment.

This document includes changes resulting from the publication of 3GPP2 document S.S0078-0.

1.1. Notations

The notation 0x indicates a hexadecimal (base 16) number.

Binary numbers are expressed as a string of zero(s) and/or one(s) followed by a lower-case “b”.

Data arrays are indicated by square brackets, as Array[ ]. Array indices start at zero (0). Where an array is loaded using a quantity that spans several array elements, the most significant bits of the quantity are loaded into the element having the lowest index. Similarly, where a quantity is loaded from several array elements, the element having the lowest index provides the most significant bits of the quantity.

Big-endian byte ordering is assumed in this specification.

This document uses ANSI C language programming syntax to specify the behavior of the cryptographic algorithms (see ANSI/ISO 9899-1990, “Programming Languages - C”). This specification is not meant to constrain implementations. Any implementation that demonstrates the same behavior at the external interface as the algorithm specified herein, by definition, complies with this standard.

1.2. Definitions

AND                   Bitwise logical AND function.
Internal Stored Data  Stored data that is defined locally within the cryptographic procedures and is not accessible for examination or use outside those procedures.
LSB                   Least Significant Bit.
MSB                   Most Significant Bit.
OR                    Bitwise logical inclusive OR function.
XOR                   Bitwise logical exclusive OR function.
Word                  A data unit that contains 32 bits or 4 bytes where byte 0 is the most significant byte and byte 3 is the least significant byte.

2. Procedures

2.1. Enhanced Hash Algorithm

2.1.1. SHA-1

The hash function used in this document is SHA-1, defined in FIPS publication FIPS 180-1, “Secure Hash Standard,” April 17, 1995. Refer to 3.2.1 for a reference implementation of the SHA-1 algorithm. In this document, the function F( ) refers to the SHA-1 algorithm.

Test vectors for SHA-1 are given in FIPS 180-1.

SHA-1 uses an iterated construction where the input message is processed block by block. The basic building block is called the compression function. The compression function used in this document differs from the hash function defined in FIPS publication FIPS 180-1, “Secure Hash Standard,” April 17, 1995 by the way its payload and chaining variable inputs are loaded. In this document, the function fK( ) refers to the compression function with key K exclusive-ored with the initialization vector.

2.1.2. SHA-based MAC

2.1.2.1. MAC Calculation Procedure

Procedure name:
  ehmacsha

Inputs from calling process:
  key_length   integer
  key          key_length bits
  message      bit string
  MAC_length   integer

Inputs from internal stored data:
  None.

Outputs to calling process:
  MAC          8*MAC_length bits

Outputs to internal stored data:
  No