1、 ETSI TS 135 206 V5.1.0 (2003-06)Technical Specification Universal Mobile Telecommunications System (UMTS);3G Security;Specification of the MILENAGE algorithm set:An example algorithm Set for the 3GPP Authenticationand Key Generation functions f1, f1*, f2, f3, f4, f5 and f5*;Document 2: Algorithm sp
2、ecification(3GPP TS 35.206 version 5.1.0 Release 5)ETSI ETSI TS 135 206 V5.1.0 (2003-06) 1 3GPP TS 35.206 version 5.1.0 Release 5 Reference RTS/TSGS-0335206v510 Keywords UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 34
3、8 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in pr
4、int. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. U
5、sers of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, send your comment t
6、o: editoretsi.org Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2003. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM ar
7、e Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI
8、TS 135 206 V5.1.0 (2003-06) 2 3GPP TS 35.206 version 5.1.0 Release 5 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non
9、-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/
10、home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to
11、the present document. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as b
12、eing references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp . ETSI ETSI TS 135 206 V5.1.0 (2003-06) 3 3GPP TS 35.206 version 5.1.0 Release 5 Contents Intellectual Property Rights2 F
13、oreword.2 Foreword.5 Introduction 5 0 The name “MILENAGE“.6 1 Outline of the document.6 1.1 References 6 2 INTRODUCTORY INFORMATION .7 2.1 Introduction 7 2.2 Notation7 2.2.1 Radix.7 2.2.2 Conventions 7 2.2.3 Bit/Byte ordering 7 2.2.4 List of Symbols.8 2.3 List of Variables .8 2.4 Algorithm Inputs an
14、d Outputs 8 3 The algorithm framework and the specific example algorithms 9 4 Definition of the example algorithms.10 4.1 Algorithm Framework10 4.2 Specific Example Algorithms.10 5 Implementation considerations.11 5.1 OPCcomputed on or off the USIM?.11 5.2 Customising the choice of block cipher .11
15、5.3 Further customisation.12 5.4 Resistance to side channel attacks12 Annex 1: Figure of the Algorithms 13 Annex 2: Specification of the Block Cipher Algorithm Rijndael14 A2.1 Introduction 14 A2.2 The State and External Interfaces of Rijndael14 A2.3 Internal Structure15 A2.4 The Byte Substitution Tr
16、ansformation.15 A2.5 The Shift Row Transformation.16 A2.6 The Mix Column Transformation 16 A2.7 The Round Key addition 17 A2.8 Key schedule 17 A2.9 The Rijndael S-box.18 Annex 3: Simulation Program Listing - Byte Oriented .19 Annex 4: Rijndael Listing - 32-Bit Word Oriented26 Annex A (informative):
17、Change history .32 History 33 ETSI ETSI TS 135 206 V5.1.0 (2003-06) 4 3GPP TS 35.206 version 5.1.0 Release 5 Foreword This Technical Specification (TS) has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work within the TS
18、G and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for inform
19、ation; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been in
20、corporated in the document. Introduction This document has been prepared by the 3GPP Task Force, and contains an example set of algorithms which may be used as the authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*. (It is not mandatory that the particular algorithms specifi
21、ed in this document are used all seven functions are operator-specifiable rather than being fully standardised). This document is one five, which between them form the entire specification of the example algorithms, entitled: - 3GPP TS 35.205: “3rd Generation Partnership Project; Technical Specifica
22、tion Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: General“. - 3GPP TS 35.206: “3rd Generation Partnership Project; Technical
23、Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm Specification“. - 3GPP TS 35.207: “3rd Generation Partne
24、rship Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 3: Implementors Test Data“. - 3GPP TS 35.208
25、: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 4: Design Conformanc
26、e Test Data“. - 3GPP TR 35.909: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*;
27、 Document 5: Summary and results of design and evaluation“. ETSI ETSI TS 135 206 V5.1.0 (2003-06) 5 3GPP TS 35.206 version 5.1.0 Release 5 0 The name “MILENAGE“ The name of this algorithm set is “MILENAGE“. It should be pronounced like a French word something like “mi-le-nahj“. 1 Outline of the docu
28、ment Section 2 introduces the algorithms and describes the notation used in the subsequent sections. Section 3 explains how the algorithms are designed as a framework in such a way that various “customising components“ can be selected in order to customise the algorithm for a particular operator. Se
29、ction 4 defines the example algorithms. The algorithm framework is defined in section 4.1; in section 4.2, specific instances of the components are selected to define the specific example algorithm set. Section 5 explains various options and considerations for implementation of the algorithms, inclu
30、ding considerations to be borne in mind when modifying the customising components. Illustrative pictures are given in Annex 1. Annex 2 gives a specification of the block cipher algorithm which is used as a cryptographic kernel in the definition of the example algorithms. Annexes 3 and 4 contain sour
31、ce code in the C programming language: Annex 3 gives a complete and straightforward implementation of the algorithm set, while Annex 4 gives an example of an alternative high-performance implementation just of the kernel function. 1.1 References The following documents contain provisions which, thro
32、ugh reference in this text, constitute provisions of the present document. References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest v
33、ersion applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document. 1 3GPP TS 33.102 v3.5.0: “3rd Generation Partnership Project; Technical Specificati
34、on Group Services and System Aspects; 3G Security; Security Architecture“. 2 3GPP TS 33.105 v3.4.0: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Cryptographic Algorithm Requirements“. 3 3GPP TS 35.206: “3rd Generation Partnership Projec
35、t; Technical Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm Specification“ (this document). 4 3GPP TS 3
36、5.207: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 3: Implementors
37、 Test Data“. 5 3GPP TS 35.208: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*;
38、Document 4: Design Conformance Test Data“. ETSI ETSI TS 135 206 V5.1.0 (2003-06) 6 3GPP TS 35.206 version 5.1.0 Release 5 6 Joan Daemen and Vincent Rijmen: “AES Proposal: Rijndael“, available at http:/csrc.nist.gov/encryption/aes/round2/AESAlgs/Rijndael/Rijndael.pdf or http:/www.esat.kuleuven.ac.be/
39、rijmen/rijndael/rijndaeldocV2.zip 7 http:/csrc.nist.gov/encryption/aes/ 8 Thomas S. Messerges, “Securing the AES finalists against Power Analysis Attacks“, in FSE 2000, Seventh Fast Software Encryption Workshop, ed. Schneier, Springer Verlag, 2000. 9 P. C. Kocher, “Timing Attacks on Implementations
40、of Diffie-Hellman, RSA, DSS, and Other Systems“, in CRYPTO96, Lecture Notes in Computer Science #1109, Springer Verlag, 1996. 10 J. Kelsey, B. Schneier, D. Wagner, C. Hall, “Side Channel Cryptanalysis of Product Ciphers“, in ESORICS98, Lecture Notes in Computer Science #1485, Springer Verlag, 1998.
41、11 L. Goubin, J. Patarin, “DES and differential power analysis“, in CHES99, Lecture Notes in Computer Science #1717, Springer Verlag, 1999. 12 P. Kocher, J. Jaffe, B. Jun, “Differential Power Analysis“, in CRYPTO99, Lecture Notes in Computer Science #1666, Springer Verlag, 1999. 13 L. Goubin, J.-S.
42、Coron, “On boolean and arithmetic masking against differential power analysis“, in CHES00, Lecture Notes in Computer Science series, Springer Verlag (to appear). 2 INTRODUCTORY INFORMATION 2.1 Introduction Within the security architecture of the 3GPP system there are seven security functions f1, f1*
43、, f2, f3, f4, f5 and f5*. The operation of these functions falls within the domain of one operator, and the functions are therefore to be specified by each operator rather than being fully standardised. The algorithms specified in this document are examples that may be used by an operator who does n
44、ot wish to design his own. The inputs and outputs of all seven algorithms are defined in section 2.4. 2.2 Notation 2.2.1 Radix We use the prefix 0x to indicate hexadecimal numbers. 2.2.2 Conventions We use the assignment operator =, as used in several programming languages. When we write = we mean t
45、hat assumes the value that had before the assignment took place. For instance, x = x + y + 3 means (new value of x) becomes (old value of x) + (old value of y) + 3. 2.2.3 Bit/Byte ordering All data variables in this specification are presented with the most significant bit (or byte) on the left hand
46、 side and the least significant bit (or byte) on the right hand side. Where a variable is broken down into a number of substrings, the ETSI ETSI TS 135 206 V5.1.0 (2003-06) 7 3GPP TS 35.206 version 5.1.0 Release 5 leftmost (most significant) substring is numbered 0, the next most significant is numb
47、ered 1, and so on through to the least significant. 2.2.4 List of Symbols = The assignment operator. The bitwise exclusive-OR operation | The concatenation of the two operands. ExkThe result of applying a block cipher encryption to the input value x using the key k. rot(x,r) The result of cyclically
48、 rotating the 128-bit value x by r bit positions towards the most significant bit. If x = x0 | x1 | x127, and y = rot(x,r), then y = xr | xr+1 | x127 | x0 | x1 | xr-1. Xi The ithbit of the variable X. (X = X0 | X1 | X2 | ). 2.3 List of Variables AK a 48-bit anonymity key that is the output of either
49、 of the functions f5 and f5*. AMF a 16-bit authentication management field that is an input to the functions f1 and f1*. c1,c2,c3,c4,c5 128-bit constants, which are XORed onto intermediate variables. CK a 128-bit confidentiality key that is the output of the function f3. IK a 128-bit integrity key that is the output of the function f4. IN1 a 128-bit value constructed from SQN and AMF and used in the computation of the functions f1 and f1*. K a 128-bit subscriber key that is an input
