1、3404583 0078408 I125 Released: 1 July 1993 GSM 03.20 Version: 4.2.1 Date: 25 June 1993 Key words: Work Item No: European digital cellular telecommunication system (phase 2); Security Related Network Functions ETSI European Telecommunications Standards Institute ETSI Secretariat: Route des Lucioles,
2、F-O692 1 Sophia Antipolis Cedex . France TP. + 33 92 94 42 O0 TF. + 33 93 65 47 16 Tx. 47 O0 40 F _ _ *his is an unpublished work the copyright in which vests in the European Telecommunications Standards Institute. All rights reserved. The information contained herein is the property of ETSI and no
3、pan may be reproduced or used except as authorised by contract or other written permission. The copyright and the foregoing restriction on *onmAgv,-*;nm qn.4 ,cc r-rm.4 -II -A:- ;- . h:rh +Ci- :m-+:- -.I hr nmhnA;aA = 3YOY.583 0078407 Ob2 Page 3 GSM 03.20 - version 4.2.1 : June 1993 CONTENTS O. SCOP
4、E 1. GENERAL 2. SUBSCRIBER IDENTITY CONFIDENTIALITY 2.1 Generality 2.2 Identifying method 2.3 Procedures 2.3.1 Location updating in the same MSC area 2.3.2 Location updating in a new MSCs area, within the same VLR area 2.3.3 Location updating in a new VLR; old VLR reachable 2.3.4 Location Updating i
5、n a new VLR; old VLR not reachable 2.3.5 Reallocation of a new TMSI 2.3.6 Local TMSI unknown 2.3.7 Location updating in a new VLR in case of a loss of information 2.3.8 Unsuccessful TMSI allocation 3. SUBSCRIBER IDENTITY AUTHENTICATION 3.1 Generality 3.2 The authentication procedure 3.3 Subscriber A
6、uthentication Key management 3.3.1 General authentication procedure 3.3.2 Authentication at location updating in a new VLR, using TMSI 3.3.3 Authentication at location updating in a new VLR, using IMSI 3.3.4 Authentication at location updating in a new VLR, using TMSI, 3.3.5 Authentication at locati
7、on updating in a new VLR, using TMSI, 3.3.6 Authentication with IMSI if authentication with TMSI fails 3.3.7 Re-use of security related information in failure situations TMSI unknown in old VLR old VLR not reachable 5 5 6 6 7 7 8 9 10 11 12 13 14 14 15 15 15 16 16 18 19 20 21 21 22 4. CONFIDENTIALIT
8、Y OF SIGNALLING INFORMATION ELEMENTS, CONNECTIONLESS DATA AND USER INFORMATION ELEMENTS ON PHYSICAL CONNECTIONS 23 4.1 Generality 23 4.2 The ciphering method 23 4.3 Key setting 24 4.4 Ciphering key sequence number 25 4.5 Starting of the ciphering and deciphering processes 25 4.6 Synchronisation 26 4
9、.7 Handover 26 4.8 Negotiation of A5 algorithm 26 5. SYNTHETIC SUMMARY 27 Previous page is blank 3404583 0078410 883 = Page 4 GSM 03.20 - version 4.2.1 : June 1993 ANNEX A (informative) SECURITY ISSUES RELATED TO SIGNALLING SCHEMES AND KEY MANAGEMENT A. 1 introduction A.2 Short description of the sc
10、hemes A.3 List of abbreviations A.4 Schemes ANNEX B (informative) SECURITY INFORMATION TO BE STORED IN THE ENTITIES OF THE GSM SYSTEM B. 1 Introduction 8.2 Entities and security information ANNEX C (normative) EXTERNAL SPECIFICATIONS OF SECURITY RELATED ALGORITHMS C.0 SCOPE C. 1 SPECIFICATIONS FOR A
11、LGORITHM A5 C. 1 . 1 Purpose C. 1.2 implementation indications C. 1.3 External specifications of Algorithm A5 C. 1.4 Internal specification of Algorithm A5 (2.2 ALGORITHM A3 C.2.1 Purpose C. 2.2 Implementation and operational requirements C.3 ALGORITHM A8 C. 3.1 Purpose C.3.2 Implementation and oper
12、ational requirements 29 29 29 31 32 45 45 45 47 47 47 47 49 50 50 50 50 51 51 51 48 3404583 00784LL 7LT Page 5 GSM 03.20 - version 4.2.1 : June 1993 o. SCOPE This technical specification specifies the network functions needed to provide the security related service and functions specified in technic
13、al specification GSM 02.09. This technical specification does not address the cryptological algorithms that are needed to provide different security related features. This topic is addressed in Annex C. Wherever a cryptological algorithm or mechanism is needed, this is signalled with a reference to
14、Annex C. The references refers only to functionalities, and some algorithms may be identical or use common hardware. 1. GENERAL The different security related services and functions that are listed in technical specification GSM 02.09 are grouped as follows: - Subscriber identity confidentialitv; -
15、Subscriber identity authentication; - Signalling information element and connectionless user data confidentiality and data confidentiality for physical connections (ciphering). It shall be possible to introduce new authentication and ciphering algorithms during the systems lifetime. The fixed networ
16、k may support more than one authentication and ciphering algorithm. The security procedures include mechanisms to enable recovery in event of signalling failures. These recovery procedures are designed to minimize the risk of a breach in the security of the system. General on figures: 1- 2- 3- 4- 5-
17、 In the figures below, signalling exchanges are referred to by functional names. The exact messages and message types are specified in technical specification GSM 04.08 and technical specification GSM 09.02. No assumptions are made for function splitting between MSC (Mobile Switching Centre), VLR (V
18、isitor Location Register) and 6SS (Base Station Subsystem. Signalling is described directly between MS and the local network (.e. BSS, MSC and VLR denoted in the figures by BSS/MSC/VLR). The splitting in Annex A is given only for illustrative purposes. Addressing fields are not given; all informatio
19、n relates to the signalling layer. The TMSI allows addressing schemes without IMSI, but the actual implementation is specified in the GSM 04- series. The term HPLMN in the figures below is used as a general term which should be understood as HLR (Home Location Register) or AuC (Authentication Centre
20、). What is put in a box is not part of the described procedure but it is relevant to the understanding of the figure. 3404583 0078412 656 m Paga 6 GSM 03.20 - version 4.2.1 : June 1993 2. SUBSCRIBER IDENTITY CONFIDENTIALITY 2.1 Generality The purpose of this function is to avoid the possibility for
21、an intruder to identify which subscriber is using a given resource on the radio path (e.9. TCH (Traffic Channel) or signalling resources) by listening to the signalling exchanges on the radio path. This allows both a high level of confidentiality for user data and signalling and protection against t
22、he tracing of a users location. The provision of this function implies that the IMSI (International Mobile Subscriber Identity), or any information allowing a listener to derive the IMSI easily, should not normally be transmitted in clear text in any signaling message on the radio path. Consequently
23、, to obtain the required level of protection, it is necessary that: - A protected identifying method is normally used instead of the IMSI on the radio path; and - The IMSI is not normally used as addressing means on the radio path (see technical specification GSM 02.09); - When the signalling proced
24、ures permit it, signalling information elements that convey information about the mobile subscriber identity must be ciphered for transmission on the radio path. The identifying method is specified in the following section. The ciphering of communication over the radio path is specified in section 4
25、. 3404583 0078433 592 Page 7 GSM 03.20 - version 4.2.1 : June 1993 2.2 Identifying method The means used to identify a mobile subscriber on the radio path consists of a TMSI (Temporary Mobile Subscriber Identity). This TMSI is a local number, having a meaning only in a given location area; the TMSI
26、must be accompanied by the LAI (Location Area Identification) to avoid ambiguities. The maximum length and guidance for defining the format of a TMSI are specified in technical specification GSM 03.03, The network ieg a VLR) manages suitable data bases to keep the relation between TMSls and IMSls. W
27、hen a TMSI is received with an LAI that does not correspond to the current VLR, the IMSI of the MS must be requested from the VLR in charge of the indicated location area if its address is known; otherwise the IMSI is requested from the MS. A new TMSI must be allocated at least in each location upda
28、ting procedure. The allocation of a new TMSI corresponds implicitly for the MS to the de-allocation of the previous one. In the fixed pan of the network, the cancellation of the record for an MS in a VLR implies the de-allocation of the corresponding TMSI. To cope with some malfunctioning, eg arisin
29、g from a software failure, the fixed part of the network can require the identification of the MS in clear. This procedure is a breach in the provision of the service, and should be used only when necessary. When a new TMSI is allocated to an MS, it is transmitted to the MS in a ciphered mode. This
30、ciphered mode is the same as defined in section 4 of this technical specification. The MS must store its current TMSI in a non volatile memory, together with the LAI, so that these data are not lost when the MS is switched off. 2.3 Procedures This section presents the procedures, or elements of proc
31、edures, pertaining to the management of TMSls. rn 3404583 0078414 429 rn Page 8 GSM 03.20 - version 4.2.1 : June 1993 2.3.1 Location updating in the same MSC area This procedure is part of the location updating procedure which takes place when the original location area and the new location area dep
32、end on the same MSC. The part of this procedure relative to TMSI management is reduced to a TMSI re-allocation (from TMSlo with “o“ for “old“ to TMSln with “n“ for “new“). The MS sends TMSlo as an identifying field at the beginning of the location updating procedure. The procedure is schematised in
33、figure 2.1 HrMgmMt of means for new ciphering (see section L) Cipher(TMS1n) A 1 locrt ion I De-rllocition of THSlo Signalling Functionalities: Management of means for new ciphering: The MS and BSS/MSC/VLR agree on means for ciphering signalling information elements, in particular to transmit TMSln.
34、H 3404583 0078415 365 Page 9 GSM 03.20 - version 4.2.1 : June 1993 2.3.2 Location updating in a new MSCs area, within the same VLR area This procedure is part of the location updating procedure which takes place when the original location area and the new location area depend on different MSCs, but
35、on the same VLR. The procedure is schematised on figure 2.2. -1 Management of mans for ncw ciphering (see section L) De-allocation Note (1 1: From a security point of view, the order of the procedures is irrelevant. Figure 2.2/GSM 03.20 Signalling functionalities: Loc.Updating: stands for Location U
36、pdating. The BSS/MSC/VLR indicates that the location of the MS must be updated. 3404583 00784lb 2TL Page 10 GSM 03.20 - version 4.2.1 : June 1993 2.3.3 Location updating in a new VLR; old VLR reachable This procedure is part of the normal location updating procedure, using TMSI and LAI, when the ori
37、ginal location area and the new location area depend on different VLRs. The MS is still registered in VLRo (“o“ for old or originall and requests registration in VLRn (“n“ for new). LAI and TMSlo are sent by MS as identifying fields during the location updating procedure. The procedure is schematise
38、d in figure 2.3. Manmgunent of mans for new ciphering (see section 4) of TWSIn De-r 1 L ocit i on of TMS I o Note (1 I: From a security point of view, the order of the procedures is irrelevant. Figure 2.3/GSM 03.20 Signalling functionaiities: Sec.Rel.lnfo.: Stands for Security Related information. T
39、he MSCNLRn needs some information for authentication and ciphering; this information is obtained from MSCNLRo. Cancellation: The HLR indicates to VLRo that the MS is now under control of another VLR. The “old“ TMSI is free for allocation. 3404583 00784l17 138 Page 11 GSM 03.20 - version 4.2.1 : June
40、 1993 2.3.4 Location Updating in a new VLR; old VLR not reachable This variant of the procedure in section 2.3.3 arises when the VLR receiving the LAI and TMSlo cannot identify the VLRo. In that case the relation between TMSlo and IMSI is lost, and the identification of the MS in clear is necessary.
41、 The procedure is schematised in figure 2.4 rcechabkc Identity Rcqwst ianagantnt of means for new ciphering (see section 6) of THSIn Cipher(lHS1n) 1) II Loc.Upditing 1) Note (1): From a security point of view, the order of the procedures is irrelevant. Figure 2.4lGSM 03.20 Page 12 GSM 03.20 - versio
42、n 4.2.1 : June 1993 2.3.5 Reallocation of a new TMSI This function can be initiated by the network whenever a radio connection exists. The procedure can be included in other procedures, eg through the means of optional parameters. The execution of this function IS left to the network operator. When
43、a new TMSI is allocated to an MS the network must prevent the old TMSI from being allocated again until the MS has acknowledged the allocation of the new TMSI. If an IMSI record is deleted in the VLR by O the association between the other TMSI and the IMSI shall then be deleted, to allow the unused
44、TMSI to be allocated to another MS. For a network-originated transaction, the network shall identify the MS by its IMSI. When radio contact has been established, the network shall instruct the MS to delete any stored TMSI. When the MS has acknowledged this instruction, the network shall delete the a
45、ssociation between the IMSI of the MS and any TMSI; this will allow the released TMSls to be allocated to another MS. In either of the cases above, the network may initiate the normal TMSI reallocation procedum. Repeated failure of TMSI reallocation (passing a limit set by the operatori may be repor
46、ted for O if there are no sets which are not marked as used then the VLR may use a set which is marked as used. It is an operator option to define how many times a set of security related information may be re-used in the VLR; when a set of security related information has been re-used as many times
47、 as is permitted by the operator, it shall be deleted. If a VLR successfully requests security related information from the HLR or previous VLR, it shall discard any security related information which is marked as used. If a VLR receives from another VLR a request for security related information, i
48、t shall send only the sets which are not marked as used. If an HLR receives a request for security related information, it shall send any sets which are not marked as used; those sets shall then be deleted or marked as used. If there are no sets which are not marked as used, the HLR may as an operat
49、or option send sets which are marked as used. It is an operator option to define how many times a set of security related information may be re-sent bv the HLA; when a set of security related information has been sent as many times as is permitted by the operator, it shall be deleted. 3404583 0078429 95T = Page 23 GSM 03.20 - version 4.2.1 : June 1993 4. CONFIDENTIALITY OF SIGNALLING INFORMATION ELEMENTS, CONNECTIONLESS DATA AND USER INFORMATION ELEMENTS ON PHYSICAL CONNECTIONS 4.1 Generality In technical specification GSM 02.09, some signalling information elements
