ETSI EN 300 920-2000 Digital Cellular Telecommunications System (Phase 2+) Security Aspects (GSM 02 09 Version 7 1 1 Release 1998) "Digital cellular telecommunications system (Phase 2+) Security aspects GSM 02 09 (version 6 1 1, released 1997)".pdf

Uploaded by: towelfact221 Document ID: 728926 Upload date: 2019-01-08 Format: PDF Pages: 11 Size: 629.87KB

ETSI EN 300 920 V7.1.1 (2000-08)
European Standard (Telecommunications series)

Digital cellular telecommunications system (Phase 2+);
Security aspects
(GSM 02.09 version 7.1.1 Release 1998)

Reference
REN/SMG-010209Q7R1

Keywords
Digital cellular telecommunications system, Global System for Mobile communications (GSM)

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret No 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) No 7803/88

Important notice
Individual copies of the present document can be downloaded from: http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://www.etsi.org/tb/status/
If you find errors in the present document, send your comment to: editor@etsi.fr

Copyright Notification
No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2000. All rights reserved.

Contents
Intellectual Property Rights
Foreword
1 Scope
1.1 References
1.2 Abbreviations
2 General
3 Security features provided in a GSM PLMN
3.1 Subscriber identity confidentiality
3.1.1 Definition
3.1.2 Purpose
3.1.3 Functional requirements
3.2 Subscriber identity authentication
3.2.1 Definition
3.2.2 Purpose
3.2.3 Functional requirements
3.2.4 Authentication during a malfunction of the network
3.3 User data confidentiality on physical connections (Voice and Non-voice)
3.3.1 Definition
3.3.2 Purpose
3.3.3 Functional requirements
3.4 Connectionless user data confidentiality
3.4.1 Definition
3.4.2 Purpose
3.4.3 Functional requirements
3.5 Signalling information element confidentiality
3.5.1 Definition
3.5.2 Purpose
3.5.3 Functional requirements
Annex A (informative): Change history
History

Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (-).
Pursuant to the ETSI IPR Policy, no investigation, including IPR
searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword
This European Standard (Telecommunications series) has been produced by ETSI Technical Committee Special Mobile Group (SMG).
The present document defines security features within the digital cellular telecommunications system.
The contents of the present document may be subject to continuing work within SMG and may change following formal SMG approval. Should SMG modify the contents of the present document it will then be re-submitted for formal approval procedures by ETSI with an identifying change of release date and an increase in version number as follows:

Version 7.x.y
where:
7 GSM Phase 2+ Release 1998;
x the second digit is incremented for changes of substance, i.e. technical enhancements, corrections, updates, etc.;
y the third digit is incremented when editorial only changes have been incorporated in the specification.

National transposition dates
Date of adoption of this EN: 14 July 2000
Date of latest announcement of this EN (doa): 31 October 2000
Date of latest publication of new National Standard or endorsement of this EN (dop/e): 30 April 2001
Date of withdrawal of any conflicting National Standard (dow): 30 April 2001

1 Scope
Bearer and Teleservices, as respectively defined in GSM 02.02 and GSM 02.03, are the objects which the GSM PLMN operators offer to their customers. Besides these basic telecommunications services, features which aim at up-grading these basic services need also to be offered.
Due to the use of radiocommunications in a PLMN, which are of a special nature compared to classical distribution transmission techniques used in the fixed networks, such a category of features is related to security aspects.
In a GSM PLMN, both the users and the network operator have to be protected against undesirable intrusion of third parties. However, measures should be provided for in order to ensure maximum protection of the rights of the individuals concerned.
As a consequence, a security feature is either a supplementary service to Tele or Bearer services, which can be selected by the subscriber, or a network function involved in the provision of one or several telecommunication services.
The purpose of the present document is to define the security features which are to be available in a GSM PLMN, together with the associated levels of protection.
The present document is only concerned with those security features which aim at the up-grading of the security in a GSM PLMN. In particular, end-to-end security is outside the scope of the present document.
The implementation aspects of security features are described in GSM 03.20.

1.1 References
The following documents contain provisions which, through
reference in this text, constitute provisions of the present document. References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies. A non-specific reference to an ETS shall also be taken to refer to later versions published as an EN with the same number. For this Release 1998 document, references to GSM documents are for Release 1998 versions (version 7.x.y).

[1] GSM 01.04: "Digital cellular telecommunications system (Phase 2+); Abbreviations and acronyms".
[2] GSM 02.02: "Digital cellular telecommunications system (Phase 2+); Bearer Services (BS) supported by a GSM Public Land Mobile Network (PLMN)".
[3] GSM 02.03: "Digital cellular telecommunications system (Phase 2+); Teleservices supported by a GSM Public Land Mobile Network (PLMN)".
[4] GSM 03.20: "Digital cellular telecommunications system (Phase 2+); Security related network functions".
[5] GSM 11.11: "Digital cellular telecommunications system (Phase 2+); Specification of the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface".

1.2 Abbreviations
Abbreviations used in the present document are listed in GSM 01.04.

2 General
The use of radiocommunications for transmission to the mobile subscribers makes PLMNs particularly sensitive to:
- misuse of their
resources by unauthorized persons using manipulated Mobile Stations, who try to impersonate authorized subscribers; and
- eavesdropping of the various information which are exchanged on the radio path.
It can be seen that PLMNs intrinsically do not provide the same level of protection to their operators and subscribers as the traditional telecommunication networks provide. This fact leads to the need to implement security features in a GSM PLMN in order to protect:
i) the access to the mobile services;
ii) any relevant item from being disclosed at the radio path, mainly in order to ensure the privacy of user-related information.
Two levels of protection are therefore assumed:
- where security features are provided, as defined in clause 3, the level of protection at the radio path of the corresponding items is as good as the level of protection provided in the fixed networks;
- where no special provision is made, the level of protection at the radio path is null. All items which are not dealt with in clause 3 are therefore considered to need no protection.

3 Security features provided in a GSM PLMN
The following security features are considered:
- subscriber identity (IMSI) confidentiality;
- subscriber identity (IMSI) authentication;
- user data confidentiality on physical connections;
- connectionless user data confidentiality;
- signalling information element confidentiality.
The implementation of these five security features is mandatory on both the fixed infrastructure side and the MS side. This means that all GSM PLMNs and all MSs shall be able to support every security feature. Use of these five security features is at the discretion of the operator for its own subscribers while on the HPLMN. For roaming subscribers, use of these five security features is mandatory unless otherwise agreed by all the affected PLMN operators (see also subclause 3.3.3).

3.1 Subscriber identity confidentiality
3.1.1 Definition
The subscriber identity confidentiality feature is the property that the IMSI is not made available or disclosed to unauthorized individuals, entities or
processes.

3.1.2 Purpose
This feature provides for the privacy of the identities of the subscribers who are using GSM PLMN resources (e.g. a traffic channel or any signalling means). It allows for the improvement of all other security features (e.g. user data confidentiality) and provides for the protection against tracing the location of a mobile subscriber by listening to the signalling exchanges on the radio path.

3.1.3 Functional requirements
This feature necessitates the confidentiality of the subscriber identity (IMSI) when it is transferred in signalling messages (see subclause 3.5) together with specific measures to preclude the possibility to derive it indirectly from listening to specific information, such as addresses, at the radio path.
The means used to identify a mobile subscriber on the radio path consists of a local number called Temporary Mobile Subscriber Identity (TMSI), described in GSM 03.20.
When used, the subscriber identity confidentiality feature shall apply for all signalling sequences on the radio path. However, in the case of location register failure, or in case the MS has no TMSI available, open identification is allowed on the radio path.

3.2 Subscriber identity authentication
3.2.1 Definition
International Mobile Subscriber identity (IMSI) authentication is the corroboration by the land-based part of the system that the subscriber identity (IMSI or TMSI), transferred by the mobile subscriber within the identification procedure at the radio path, is the one claimed.

3.2.2 Purpose
The purpose of this authentication security feature is to protect the network against unauthorized use. It enables also the protection of the GSM PLMN subscribers by denying the possibility for intruders to impersonate authorized users.

3.2.3 Functional requirements
The authentication of the GSM PLMN subscriber identity may be triggered by the network when the subscriber applies for:
- a change of subscriber-related information element in the VLR or HLR (including some or all of location updating involving change of VLR, registration or erasure of a supplementary service); or
- an access to a service (including some or all of set-up of mobile originating or terminated calls, activation or deactivation of a supplementary service); or
- first network access after restart of
MSC/VLR, or in the event of cipher key sequence number mismatch.
Physical security means must be provided to preclude the possibility to obtain sufficient information to impersonate or duplicate a subscriber in a GSM PLMN, in particular by deriving sensitive information from the mobile station equipment.
If, on an access request to the GSM PLMN, the subscriber identity authentication procedure fails and this failure is not due to network malfunction, then the access to the GSM PLMN shall be denied to the requesting party.

3.2.4 Authentication during a malfunction of the network
If an MS is registered and has been successfully authenticated, whether active or not active on a call, calls are permitted (including continuation and hand-over).
If an MS has already been registered (and therefore been already authenticated) and can not be successfully reauthenticated due to the network malfunction (e.g. the HPLMN was not able to provide authentication pairs RAND, SRES), calls are permitted.
If an MS attempts to register and can not be successfully authenticated due to the network malfunction, calls are not permitted.
If the MS is not registered, or ceases to be registered, a new registration needs to be performed, and the preceding cases apply.

3.3 User data confidentiality on physical connections (Voice and Non-voice)
3.3.1 Definition
The user data confidentiality feature on physical connections is the
property that the user information exchanged on traffic channels is not made available or disclosed to unauthorized individuals, entities or processes.

3.3.2 Purpose
The purpose of this feature is to ensure the privacy of the user information on traffic channels.

3.3.3 Functional requirements
Encryption will normally be applied to all voice and non-voice communications. Although a standard algorithm will normally be employed, it is permissible for the mobile station and/or PLMN infrastructure to support more than one algorithm. In this case, the infrastructure is responsible for deciding which algorithm to use (including the possibility not to use encryption, in which case confidentiality is not applied).
When necessary, the MS shall signal to the network indicating which of up to seven ciphering algorithms it supports. The serving network then selects one of these that it can support (based on an order of priority preset in the network), and signals this to the MS. The selected algorithm is then used by the MS and network.
The network shall not provide service to an MS which indicates that it does not support any of the ciphering algorithm(s) required by GSM 02.07. The
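
The selection rule in 3.3.3, as an added example that is not part of the standard or of this page: the MS signals what it supports, the network chooses by its own preset priority, and an MS lacking the required algorithms is refused. The algorithm names (A5/1, A5/3, A5/4), the policy fields, and the reading of "does not support any of" as "supports none of" are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

MAX_SIGNALLED = 7  # 3.3.3: the MS indicates "up to seven" ciphering algorithms


class ServiceRefused(Exception):
    """The network declines to provide service to this MS."""


@dataclass(frozen=True)
class NetworkPolicy:
    priority: tuple                 # order of priority preset in the network, best first
    required: frozenset             # placeholder for the set required by GSM 02.07
    allow_unciphered: bool = False  # operator decision "not to use encryption"


@dataclass(frozen=True)
class Selection:
    algorithm: Optional[str]        # None means confidentiality is not applied
    ciphered: bool


def select_cipher(ms_supported: Sequence[str], policy: NetworkPolicy) -> Selection:
    offered = list(dict.fromkeys(ms_supported))  # drop duplicates, keep order
    if len(offered) > MAX_SIGNALLED:
        raise ValueError("MS signalled more than seven ciphering algorithms")
    # Assumed reading: refuse when the MS supports none of the required set.
    if not policy.required.intersection(offered):
        raise ServiceRefused("MS supports no required ciphering algorithm")
    # The network, not the MS, decides: first match in the network's own order.
    for alg in policy.priority:
        if alg in offered:
            return Selection(alg, True)
    if policy.allow_unciphered:
        # Returned explicitly so the caller can log and review unciphered sessions.
        return Selection(None, False)
    raise ServiceRefused("no common algorithm and unciphered mode is disabled")


if __name__ == "__main__":
    # Constructed sample policy and MS capability lists.
    policy = NetworkPolicy(("A5/3", "A5/1"), frozenset({"A5/1"}))
    for offer in (["A5/1", "A5/3"], ["A5/1"], ["A5/4"]):
        try:
            print(offer, "->", select_cipher(offer, policy))
        except ServiceRefused as exc:
            print(offer, "-> refused:", exc)
```

Because the choice follows the network's list rather than the order in which the MS lists its algorithms, the MS capability list only restricts the candidates; the `ciphered` flag gives an operator a single field to monitor for sessions that ran without confidentiality.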
