1、 ETSI TS 100 920 V8.1.0 (2006-06)Technical Specification Digital cellular telecommunications system (Phase 2+);Security aspects(3GPP TS 02.09 version 8.1.0 Release 1999)GLOBAL SYSTEM FOR MOBILE COMMUNICATIONSRETSI ETSI TS 100 920 V8.1.0 (2006-06) 1 3GPP TS 02.09 version 8.1.0 Release 1999 Reference
2、RTS/TSGS-030209v810 Keywords GSM ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual cop
3、ies of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format
4、(PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current stat
5、us of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced excep
6、t as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2006. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONT
7、Mand the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TS 100 920 V8.1.0 (2006-06) 2 3GPP TS 02.09 version 8.1.0 Release 1999 I
8、ntellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property
9、Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, includin
10、g IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has b
11、een produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross refe
12、rence between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp . ETSI ETSI TS 100 920 V8.1.0 (2006-06) 3 3GPP TS 02.09 version 8.1.0 Release 1999 Contents Intellectual Property Rights2 Foreword.2 Foreword.4 1 Scope 5 1.1 References 5 1.2 Abbreviations .5
13、 2 General .6 3 Security features provided in a GSM PLMN .6 3.1 Subscriber identity confidentiality .6 3.1.1 Definition6 3.1.2 Purpose .6 3.1.3 Functional requirements .7 3.2 Subscriber identity authentication 7 3.2.1 Definition7 3.2.2 Purpose .7 3.2.3 Functional requirements .7 3.2.4 Authentication
14、 during a malfunction of the network 7 3.3 User data confidentiality on physical connections (Voice and Non-voice)8 3.3.1 Definition8 3.3.2 Purpose .8 3.3.3 Functional requirements .8 3.4 Connectionless user data confidentiality 8 3.4.1 Definition8 3.4.2 Purpose .8 3.4.3 Functional requirements .9 3
15、.5 Signalling information element confidentiality9 3.5.1 Definition9 3.5.2 Purpose .9 3.5.3 Functional requirements .9 Annex A (informative): Change history .10 History 11 ETSI ETSI TS 100 920 V8.1.0 (2006-06) 4 3GPP TS 02.09 version 8.1.0 Release 1999 Foreword This Technical Specification has been
16、produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying
17、 change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of s
18、ubstance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. ETSI ETSI TS 100 920 V8.1.0 (2006-06) 5 3GPP TS 02.09 version 8.1.0 Release 1999 1 Scope Bearer and Teleservices, as respectively def
19、ined in GSM 02.02 and GSM 02.03, are the objects which the GSM PLMN operators offer to their customers. Besides these basic telecommunications services, features which aim at up-grading these basic services need also to be offered. Due to the use of radiocommunications in a PLMN, which are of a spec
20、ial nature compared to classical distribution transmission techniques used in the fixed networks, such a category of features is related to security aspects. In a GSM PLMN, both the users and the network operator have to be protected against undesirable intrusion of third parties. However, measures
21、should be provided for in order to insure maximum protection of the rights of the individuals concerns. As a consequence, a security feature is either a supplementary service to Tele or Bearer services, which can be selected by the subscriber, or a network function involved in the provision of one o
22、r several telecommunication services. The purpose of the present document is to define the security features which are to be available in a GSM PLMN, together with the associated levels of protection. The present document is only concerned with those security features which aim at the up-grading of
23、the security in a GSM PLMN. In particular, end-to-end security is outside the scope of the present document. The implementation aspects of security features are described in GSM 03.20. 1.1 References The following documents contain provisions which, through reference in this text, constitute provisi
24、ons of the present document. References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies. For this Release 1999 document
25、, references to GSM documents are for Release 1999 versions (version 8.x.y). 1 GSM 01.04: “Digital cellular telecommunications system (Phase 2+); Abbreviations and acronyms“. 2 GSM 02.02: “Digital cellular telecommunications system (Phase 2+); Bearer Services (BS) supported by a GSM Public Land Mobi
26、le Network (PLMN)“. 3 GSM 02.03: “Digital cellular telecommunications system (Phase 2+); Teleservices supported by a GSM Public Land Mobile Network (PLMN)“. 4 GSM 03.20: “Digital cellular telecommunications system (Phase 2+); Security related network functions“. 5 GSM 11.11: “Digital cellular teleco
27、mmunications system (Phase 2+); Specification of the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface“. 1.2 Abbreviations Abbreviations used in the present document are listed in GSM 01.04. ETSI ETSI TS 100 920 V8.1.0 (2006-06) 6 3GPP TS 02.09 version 8.1.0 Release 1999 2 General T
28、he use of radiocommunications for transmission to the mobile subscribers makes PLMNs particularly sensitive to: - misuse of their resources by unauthorized persons using manipulated Mobile Stations, who try to impersonate authorized subscribers; and - eavesdropping of the various information which a
29、re exchanged on the radio path. It can be seen that PLMNs intrinsically do not provide the same level of protection to their operators and subscribers as the traditional telecommunication networks provide. This fact leads to the need to implement security features in a GSM PLMN in order to protect:
30、i) the access to the mobile services; ii) any relevant item from being disclosed at the radio path, mainly in order to ensure the privacy of user-related information. Two levels of protection are therefore assumed: - where security features are provided, as defined in clause 3, the level of protecti
31、on at the radio path of the corresponding items is as good as the level of protection provided in the fixed networks; - where no special provision is made, the level of protection at the radio path is null. All items which are not dealt with in clause 3 are therefore considered to need no protection
32、. 3 Security features provided in a GSM PLMN The following security features are considered: - subscriber identity (IMSI) confidentiality; - subscriber identity (IMSI) authentication; - user data confidentiality on physical connections; - connectionless user data confidentiality; - signalling inform
33、ation element confidentiality. The implementation of these five security features is mandatory on both the fixed infrastructure side and the MS side. This means that all GSM PLMNs and all MSs shall be able to support every security feature. Use of these five security features is at the discretion of
34、 the operator for its own subscribers while on the HPLMN. For roaming subscribers, use of these five security features is mandatory unless otherwise agreed by all the affected PLMN operators (see also clause 3.3.3). 3.1 Subscriber identity confidentiality 3.1.1 Definition The subscriber identity con
35、fidentiality feature is the property that the IMSI is not made available or disclosed to unauthorized individuals, entities or processes. 3.1.2 Purpose This feature provides for the privacy of the identities of the subscribers who are using GSM PLMN resources (e.g. a traffic channel or any signallin
36、g means). It allows for the improvement of all other security features (e.g. user data confidentiality) and provides for the protection against tracing the location of a mobile subscriber by listening to the signalling exchanges on the radio path. ETSI ETSI TS 100 920 V8.1.0 (2006-06) 7 3GPP TS 02.0
37、9 version 8.1.0 Release 1999 3.1.3 Functional requirements This feature necessitates the confidentiality of the subscriber identity (IMSI) when it is transferred in signalling messages (see clause 3.5) together with specific measures to preclude the possibility to derive it indirectly from listening
38、 to specific information, such as addresses, at the radio path. The means used to identify a mobile subscriber on the radio path consists of a local number called Temporary Mobile Subscriber Identity (TMSI), described in GSM 03.20. When used, the subscriber identity confidentiality feature shall app
39、ly for all signalling sequences on the radio path. However, in the case of location register failure, or in case the MS has no TMSI available, open identification is allowed on the radio path. 3.2 Subscriber identity authentication 3.2.1 Definition International Mobile Subscriber identity (IMSI) aut
40、hentication is the corroboration by the land-based part of the system that the subscriber identity (IMSI or TMSI), transferred by the mobile subscriber within the identification procedure at the radio path, is the one claimed. 3.2.2 Purpose The purpose of this authentication security feature is to p
41、rotect the network against unauthorized use. It enables also the protection of the GSM PLMN subscribers by denying the possibility for intruders to impersonate authorized users. 3.2.3 Functional requirements The authentication of the GSM PLMN subscriber identity may be triggered by the network when
42、the subscriber applies for: - a change of subscriber-related information element in the VLR or HLR (including some or all of: location updating involving change of VLR, registration or erasure of a supplementary service); or - an access to a service (including some or all of: set-up of mobile origin
43、ating or terminated calls, activation or deactivation of a supplementary service); or - first network access after restart of MSC/VLR; or in the event of cipher key sequence number mismatch. Physical security means must be provided to preclude the possibility to obtain sufficient information to impe
44、rsonate or duplicate a subscriber in a GSM PLMN, in particular by deriving sensitive information from the mobile station equipment. If, on an access request to the GSM PLMN, the subscriber identity authentication procedure fails and this failure is not due to network malfunction, then the access to
45、the GSM PLMN shall be denied to the requesting party. 3.2.4 Authentication during a malfunction of the network If an MS is registered and has been successfully authenticated, whether active or not active on a call, calls are permitted (including continuation and hand-over). If an MS has already been
46、 registered (and therefore been already authenticated) and can not be successfully reauthenticated due to the network malfunction (e.g. the HPLMN was not able to provide authentication pairs RAND, SRES), calls are permitted. If an MS attempts to register and can not be successfully authenticated due
47、 to the network malfunction, calls are not permitted. ETSI ETSI TS 100 920 V8.1.0 (2006-06) 8 3GPP TS 02.09 version 8.1.0 Release 1999 If the MS is not registered, or ceases to be registered, a new registration need to be performed, and the preceding cases apply. 3.3 User data confidentiality on phy
48、sical connections (Voice and Non-voice) 3.3.1 Definition The user data confidentiality feature on physical connections is the property that the user information exchanged on traffic channels is not made available or disclosed to unauthorized individuals, entities or processes. 3.3.2 Purpose The purp
49、ose of this feature is to ensure the privacy of the user information on traffic channels. 3.3.3 Functional requirements Encryption will normally be applied to all voice and non-voice communications. Although a standard algorithm will normally be employed, it is permissible for the mobile station and/or PLMN infrastructure to support more than one algorithm. In this case, the infrastructure is responsible for deciding which algorithm to use (including the possibility not to use encryption, in which case confidentiality is not applied). When necessary, the MS sh
