ETSI/TC SMG
Released by: ETSI/PT 12
Release date: February 1992

RELEASE NOTE

Recommendation GSM 03.20
Security-related Network Functions

Previously distributed version: 3.3.2 (Updated Release 1/90)
New Released version February 92: 3.3.2 (Release 92, Phase 1)

1. Reason for changes

No changes since the previously distributed version.

ETSI-GSM Technical Specification
GSM 03.20
Version 3.3.2

UDC: 621.396.21
Key words: European Digital Cellular Telecommunications System, Global System for Mobile Communications (GSM)

European digital cellular telecommunication system (phase 1);
Security-related Network Functions

ETSI
European Telecommunications Standards Institute
ETSI Secretariat: B.P.152 . F - 06561 Valbonne Cedex . France
TP. + 33 92 94 42 00 TF. + 33 93 65 47 16 Tx. 47 00 40 F

Copyright European Telecommunications Standards Institute 1992. All rights reserved. No part may be reproduced or used except as authorized by contract or other written permission. The copyright and the foregoing restriction on reproduction and use extend to all media in which the information may be embodied.

PREFATORY NOTE

ETSI has constituted stable and consistent documents which give specifications for the implementation of the European Cellular Telecommunications System. Historically, these documents have been identified as "GSM recommendations". Some of these recommendations may subsequently become Interim European Telecommunications Standards (I-ETSs) or European Telecommunications Standards (ETSs), whilst some continue with the status of ETSI-GSM Technical Specifications. These ETSI-GSM Technical Specifications are for editorial reasons still referred to as GSM recommendations in some current GSM documents.

The numbering and version control system is the same for ETSI-GSM Technical Specifications as for "GSM recommendations".

Page 1 GSM 03.20 - version 3.3.2 : January 1991

TABLE OF CONTENTS

0. SCOPE
1. GENERAL
2. SUBSCRIBER IDENTITY CONFIDENTIALITY
   2.1 Generality
   2.2 Identifying method
   2.3 Procedures
       2.3.1 Location up-dating in the same MSC area
       2.3.2 Location up-dating between MSCs area, within the same VLR area
       2.3.3 Location Updating between different VLRs
       2.3.4 Re-allocation of a new TMSI
       2.3.5 Local TMSI unknown
       2.3.6 Location up-dating between VLRs in case of a loss of information
3. SUBSCRIBER IDENTITY AUTHENTICATION
   3.1 Generality
   3.2 The authentication procedure
   3.3 Subscriber Authentication Key Management
       3.3.1 No transmitting of the key
       3.3.2 Transmitting the authentication key
   3.4 Ciphering key sequence number
4. CONFIDENTIALITY OF SIGNALLING INFORMATION ELEMENTS, CONNECTIONLESS DATA AND USER INFORMATION ELEMENTS ON PHYSICAL CONNECTIONS
   4.1 Generality
   4.2 The ciphering method
   4.3 Key setting
   4.4 Starting of the ciphering and deciphering processes
   4.5 Synchronisation
   4.6 Handover
5. SYNTHETIC SUMMARY
ANNEX 1
   A1.1. Introduction
   A1.2. Short description of the schemes
   A1.3. List of abbreviations
   A1.4. Schemes
ANNEX 2
   A2.1. Introduction
   A2.2. Entities and Security Information
ANNEX 3
   A3.0. SCOPE
   A3.1. SPECIFICATIONS FOR ALGORITHM A5
       A3.1.1. Purpose
       A3.1.2. Implementation indications
       A3.1.3. External specifications of Algorithm A5
       A3.1.4. Internal specification of Algorithm A5
   A3.2. ALGORITHM A3
       A3.2.1. Purpose
       A3.2.2. Implementation and operational requirements
       A3.2.3. Proposal for an Algorithm A3
   A3.3. ALGORITHM A8
       A3.3.1. Purpose
       A3.3.2. Implementation and operational requirements
       A3.3.3. Proposals for an Algorithm A8

0. SCOPE

This recommendation specifies the network functions needed to provide the security related service and functions specified in Recommendation GSM 02.09.

This recommendation does not address the cryptological algorithms that are needed to provide different security related features. This topic is addressed in Annex 3. Wherever a cryptological algorithm or mechanism is needed, this is signalled with a reference to Annex 3. The references refer only to functionalities, and some algorithms may be identical or use common hardware.

1. GENERAL

The different security related service and functions that are listed in Recommendation 02.09 are grouped as follows:
- Subscriber identity confidentiality;
- Subscriber identity authentication;
- Signalling information element and connectionless user data confidentiality;
- Data confidentiality for physical connections.

All functions must be implemented with minimum assumptions about the cryptological algorithms that are used, and it must be possible that these algorithms are changed during the system life time. Any change in these algorithms must not change the format of the messages exchanged via the interfaces of the system. The system must be prepared for a parallel operation of more than one algorithm during a transitional period.

The security procedures must include mechanisms to enable recovery in event of signalling failures. These recovery procedures must be designed in such a way that they cannot be used to breach the security of the system.

General note on figures:

1- In the figures below, signalling exchanges are referred to by functional names. The exact messages and message types are specified in Rec. GSM 04.08 and Rec. GSM 09.02.

2- No assumptions are made for function splitting between MSC (Mobile Switching Centre), VLR and BS (Base Station). Signalling is hence described directly between MS and the local network (i.e. MSC, VLR, and BS, denoted in the figures by BS/MSC/VLR). The splitting in Annex 1 is only given for illustrative purpose.

3- Addressing fields are not given: all information relates to the signalling layer. The TMSI allows addressing schemes without IMSI, but the actual implementation is specified in the 04. series.

4- The term HPLMN in the figures below is used as a general term which should be understood as HLR (Home Location Register) or AuC (Authentication Centre).

5- What is put in a box is not part of the described procedure but it is relevant to the understanding of the figure.

2. SUBSCRIBER IDENTITY CONFIDENTIALITY

2.1 Generality

The purpose of this function is to avoid the possibility for an intruder to identify which subscriber is using a given resource on the radio path (e.g. TCH (Traffic Channel) or signalling resources) by listening to the signalling exchanges on the radio path. This allows first a high level of confidentiality for user data and signalling, and additionally a protection against the tracing of the location of a user.

The provision of this function implies that the IMSI (International Mobile Subscriber Identity), or any information allowing a listener to derive easily the IMSI, should not normally be transmitted in clear text in any signalling message on the radio path.

Consequently, to obtain the required level of protection, it is necessary that:
- A protected identifying method is normally used instead of the IMSI on the radio path; and
- The IMSI is not normally used as an addressing means on the radio path (see Recommendation GSM 02.09, 3.1.3.);
- Signalling information elements that convey an information about the mobile subscriber identity must be ciphered for transmission on the radio path.

The identifying method is specified in the following section. The ciphering of signalling elements is specified in Section 4.

2.2 Identifying method

The means used to identify a mobile subscriber on the radio path cons [...] otherwise the IMSI is requested from the MS.

A new TMSI must be allocated at least in each location updating procedure. The allocation of a new TMSI corresponds implicitly for the MS to the de-allocation of the previous one. In the fixed part of the network, the cancellation of a MS in a VLR implies the de-allocation of the corresponding TMSI.

To cope with some malfunctioning, e.g. arising from a software failure, the fixed part of the network can require the identification of the MS in clear. This procedure is a breach in the provision of the service, and should be used only when necessary.

When a new TMSI is allocated to a MS, it is transmitted to the MS in a ciphered mode. This ciphered mode is the same as defined in Section 4 of this recommendation.

The MS must store its current TMSI in a non volatile memory, together with the LAI, so that these data are not lost when the MS is off.

2.3 Procedures

This section presents the procedures, or elements of procedures, pertaining to the management of TMSIs.

2.3.1 Location up-dating in the same MSC area

This procedure is part of the location updating procedure taking place when the original location area and the new location area depend on the same MSC. The part of this procedure relative to TMSI management is reduced to a TMSI re-allocation (from TMSIo with "o" for "old" to TMSIn with "n" for "new"). MS sends TMSIo as identifying field at the beginning of the location updating procedure. The procedure is schematised in Figure 2.1.

[Figure 2.1 / GSM 03.20. Labels recovered from the figure: LAI, TMSIo; Management of means for new ciphering (see Section 4); Ciph. (TMSIn); Ack.; De-allocation of TMSIo]

Signalling Functionalities:

Management of means for new ciphering: The MS and BS/MSC/VLR agree on means for ciphering signalling information elements, in particular to transmit TMSIn.

2.3.2 Location up-dating between MSCs area, within the same VLR area

This procedure is part of the location up-dating procedure taking place when the original location area and the new location area depend on different MSCs, but on the same VLR. The procedure is schematised on Figure 2.2.

[Figure 2.2 / GSM 03.20]

Note (1): From a security point of view, the order of the procedures is irrelevant.

Signalling functionalities:

Loc. Up-dat.: stands for Location Updating. The BS/MSC/VLR indicates that the location of the MS must be up-dated.

2.3.3 Location Updating between different VLRs

This procedure is part of the normal location updating procedure, using TMSI and LAI, when the original location area and the new location area depend on different VLRs. MS is still registered in VLRo ("o" for old or original) and asks for its registration in VLRn ("n" for new). LAI and TMSIo are sent by MS as identifying field during the location updating procedure. The procedure is schematised on Figure 2.3.

[Figure 2.3 / GSM 03.20. Labels recovered from the figure: Sec.Rel.Info.; Ciph. (TMSIn) (1); Loc. Up-dat. (1); Cancellation; De-allocation of TMSIo]

Note (1): From a security point of view, the order of the procedures is irrelevant.

Signalling functionalities:

Sec.Rel.Info.: Stands for Security Related information. The MSC/VLRn needs some information for ciphering: these information are obtained from MSC/VLRo.

Cancellation: The HLR indicates to VLRo that the MS is now under control of another VLR. The "old" TMSI is free for allocation.

2.3.4 Re-allocation of new TMSI

This function can be initiated by the network side at any time. The procedure can be included in other procedures, through the means of optional parameters. The execution of this function is left to the network operator. This procedure is schematised in Figure 2.4.

[Figure 2.4 / GSM 03.20. Labels recovered from the figure: Allocation of TMSIn; Ciph. (TMSIn); De-allocation of TMSIo]

2.3.5 Local TMSI unknown

This procedure is a variant of the procedure described in Section 2.3.1 and Section 2.3.2, and happens when a data loss has occurred in a VLR and when a MS uses an unknown TMSI, e.g. for a communication request or for a location up-dating request in a location area managed by the same VLR. This procedure is schematised in Figure 2.5.

[Figure 2.5 / GSM 03.20. Labels recovered from the figure: Management of means for new ciphering (see Section 4); Ciph. (TMSIn); Ack.]

Note (1): Any message in which TMSIo is used as an identifying means in a location area managed by the same VLR.

2.3.6 Location up-dating between VLRs in case of a loss of information

This variant of the procedure described in 2.3.3 arises when VLR in charge of the MS has suffered a loss of data. In that case the relation between TMSIo and IMSI is lost, and the identification of the MS in clear is necessary. The procedure is schematised in Figure 2.6.

[Figure 2.6 / GSM 03.20. Labels recovered from the figure: Management of means for new ciphering (see Section 4); Ciph. (TMSIn) (1); Loc. Up-dat. (1); De-allocation of TMSIo]

Note (1): From a security point of view, the order of the procedures is irrelevant.

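The TMSI bookkeeping of Sections 2.2 and 2.3, as an added example that is not part of the ETSI text: a toy VLR table that re-allocates the TMSI on every location update and falls back to requesting the identity in clear when the TMSI/IMSI relation is missing. The class and method names, the 32-bit TMSI width, the one-location-area-per-VLR simplification and the sample IMSI used with it are assumptions of the example.

```python
import secrets

class Vlr:
    """Toy VLR serving one location area (a simplification made for this sketch)."""

    def __init__(self, lai):
        self.lai = lai
        self.by_tmsi = {}        # TMSI -> IMSI; a TMSI only has meaning together with its LAI
        self.by_imsi = {}        # IMSI -> current TMSI
        self.clear_requests = 0  # how often the IMSI had to be requested in clear

    def _allocate(self, imsi):
        tmsi_n = secrets.randbits(32)     # unpredictable value; the width is an assumption
        while tmsi_n in self.by_tmsi:     # never equal to a live TMSI, TMSIo included
            tmsi_n = secrets.randbits(32)
        self.cancel(imsi)                 # allocating TMSIn de-allocates TMSIo
        self.by_tmsi[tmsi_n] = imsi
        self.by_imsi[imsi] = tmsi_n
        return tmsi_n                     # would reach the MS ciphered (Section 4)

    def cancel(self, imsi):
        """Cancellation of an MS in this VLR frees its TMSI."""
        tmsi_o = self.by_imsi.pop(imsi, None)
        if tmsi_o is not None:
            del self.by_tmsi[tmsi_o]

    def location_update(self, lai_o, tmsi_o, old_vlr=None, imsi_in_clear=None):
        """Return ("REALLOCATED", TMSIn) or ("IDENTITY_REQUEST", None)."""
        if lai_o == self.lai:                               # 2.3.1 / 2.3.2: same VLR
            imsi = self.by_tmsi.get(tmsi_o)
        elif old_vlr is not None and old_vlr.lai == lai_o:  # 2.3.3: ask VLRo
            imsi = old_vlr.by_tmsi.get(tmsi_o)
        else:
            imsi = None
        if imsi is None:                                    # 2.3.5 / 2.3.6: relation lost
            if imsi_in_clear is None:
                self.clear_requests += 1                    # worth monitoring: breach of the service
                return ("IDENTITY_REQUEST", None)
            imsi = imsi_in_clear
        tmsi_n = self._allocate(imsi)
        if old_vlr is not None:
            old_vlr.cancel(imsi)    # stands in for the HLR's Cancellation towards VLRo
        return ("REALLOCATED", tmsi_n)
```

The `clear_requests` counter reflects the text's point that identification in clear is a breach of the service: an operator would expect it to stay near zero outside of VLR data loss.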
3. SUBSCRIBER IDENTITY AUTHENTICATION

3.1 Generality

Definition and operational requirements of subscriber identity authentication are given in Recommendation GSM 02.09.

The authentication procedure will also be used to perform the cipher key setting (see Section 4) on dedicated signalling channels. Therefore, it is performed after the subscriber identity (TMSI/IMSI) is known by the network and before the channel is encrypted.

Two network functions are necessary: the authentication procedure itself, and the key management inside the fixed sub-system.

3.2 The authentication procedure

The authentication procedure consists in the following exchange between the fixed sub-system and the MS.
- The fixed sub-system transmits a non-predictable number RAND to the MS.
- The MS computes the signature of RAND, say SRES, using algorithm A3, and some secret information: the Subscriber Authentication Key, denoted Ki in the sequel.
- The MS transmits the signature SRES to the fixed sub-system.
- The fixed sub-system tests SRES for validity.

The general procedure is schematised in Figure 3.1.

[Figure 3.1 / GSM 03.20]

Algorithm A3 is specified in Annex 3.

3.3 Subscriber Authentication Key Management

The Subscriber Authentication Key Ki is allocated at subscription time, together with the IMSI.

The Subscriber Authentication Key is stored on the network side in the HPLMN (Home Public Land Mobile Network), in an Authentication Centre. A PLMN may contain one or more Authentication Centres. An Authentication Centre can be implemented together with other functions, e.g. in a HLR (Home Location Register).

Two management modes are specified. The second one, specified in Section 3.3.2, is less secure than the first one, specified in Section 3.3.1, and should not be used between two PLMNs. The procedures are such that the decision to use one or the other of the two methods inside one PLMN is done by the network operator.

3.3.1 No transmitting of the key

3.3.1.1 General authentication procedure

When needed for each MS, the BSI
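
The RAND/SRES exchange of Section 3.2 with both sides' steps, as an added example that is not part of the ETSI text. `a3_stand_in` is HMAC-SHA-256 truncated to 32 bits and is used only because algorithm A3 is not given on this page; the class and function names and the 128-bit RAND and 32-bit SRES lengths are assumptions of the example.

```python
import hashlib
import hmac
import secrets

def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """NOT algorithm A3: HMAC-SHA-256 truncated to 4 bytes, a stand-in for this sketch."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

class FixedSubSystem:
    def __init__(self, subscribers):
        self.ki_by_imsi = dict(subscribers)  # Ki is held on the network side (Section 3.3)
        self.pending = {}                    # IMSI -> RAND still awaiting its SRES

    def challenge(self, imsi):
        rand = secrets.token_bytes(16)       # non-predictable number RAND
        self.pending[imsi] = rand
        return rand

    def verify(self, imsi, sres):
        rand = self.pending.pop(imsi, None)  # each RAND is accepted for one answer only
        if rand is None:
            return False                     # no outstanding challenge for this subscriber
        expected = a3_stand_in(self.ki_by_imsi[imsi], rand)
        return hmac.compare_digest(expected, sres)  # constant-time test of SRES

class MobileStation:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki       # Ki never leaves the MS; only SRES is sent

    def respond(self, rand):
        return a3_stand_in(self._ki, rand)

def run_exchange(network, ms):
    """One full procedure: RAND to the MS, SRES back, validity test in the network."""
    rand = network.challenge(ms.imsi)
    sres = ms.respond(rand)
    return rand, sres, network.verify(ms.imsi, sres)

def replayed_sres_accepted(network, imsi, captured_sres):
    """An SRES recorded from an earlier exchange, offered against a fresh RAND."""
    network.challenge(imsi)
    return network.verify(imsi, captured_sres)
```

Because the network draws a new RAND for every procedure, an SRES recorded on the radio path is of no use later, which is why the text requires RAND to be non-predictable.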