ETSI TS 133 401-2017 Digital cellular telecommunications system (Phase 2+) (GSM) Universal Mobile Telecommunications System (UMTS) LTE 3GPP System Architecture Evolution (SAE) Secu.pdf

1、 ETSI TS 1Digital cellular telecommUniversal Mobile Tel3GPP System ASec(3GPP TS 33.4TECHNICAL SPECIFICATION133 401 V13.5.0 (2017mmunications system (Phase elecommunications System (LTE; Architecture Evolution (SAEecurity architecture .401 version 13.5.0 Release 1317-01) e 2+) (GSM); (UMTS); AE); ) E

2、TSI ETSI TS 133 401 V13.5.0 (2017-01)13GPP TS 33.401 version 13.5.0 Release 13Reference RTS/TSGS-0333401vd50 Keywords GSM,LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Associa

3、tion but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print

4、versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a

5、 specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If

6、you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and m

7、icrofilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2017. All righ

8、ts reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and o

9、wned by the GSM Association. ETSI ETSI TS 133 401 V13.5.0 (2017-01)23GPP TS 33.401 version 13.5.0 Release 13Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publ

10、icly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI

11、 Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or

12、may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These s

13、hould be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “

14、may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TS 133 401 V

15、13.5.0 (2017-01)33GPP TS 33.401 version 13.5.0 Release 13Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 9g31 Scope 10g32 References 10g33 Definitions, symbols and abbreviations . 11g33.1 Definitions 11g33.2 Symbols 13g33.3 Abbreviations . 13g33.4 Convent

16、ions 15g34 Overview of Security Architecture . 16g35 Security Features 16g35.1 User-to-Network security . 16g35.1.0 General 16g35.1.1 User identity and device confidentiality . 17g35.1.2 Entity authentication . 17g35.1.3 User data and signalling data confidentiality 17g35.1.3.1 Ciphering requirement

17、s . 17g35.1.3.2 Algorithm Identifier Values 18g35.1.4 User data and signalling data integrity 18g35.1.4.1 Integrity requirements . 18g35.1.4.2 Algorithm Identifier Values 18g35.2 Security visibility and configurability 19g35.3 Security requirements on eNodeB 19g35.3.1 General 19g35.3.2 Requirements

18、for eNB setup and configuration 19g35.3.3 Requirements for key management inside eNB 20g35.3.4 Requirements for handling User plane data for the eNB 20g35.3.4a Requirements for handling Control plane data for the eNB 20g35.3.5 Requirements for secure environment of the eNB 20g35.4 Void 21g36 Securit

19、y Procedures between UE and EPC Network Elements . 21g36.0 General . 21g36.1 Authentication and key agreement . 21g36.1.1 AKA procedure . 21g36.1.2 Distribution of authentication data from HSS to serving network 22g36.1.3 User identification by a permanent identity 23g36.1.4 Distribution of IMSI and

20、 authentication data within one serving network domain 24g36.1.5 Distribution of IMSI and authentication data between different serving network domains 25g36.1.6 Distribution of IMSI and UMTS authentication vectors between MMEs or between MME and SGSN 25g36.2 EPS key hierarchy 26g36.3 EPS key identi

21、fication 28g36.4 Handling of EPS security contexts . 29g36.5 Handling of NAS COUNTs 29g37 Security Procedures between UE and EPS Access Network Elements 31g37.0 General . 31g37.1 Mechanism for user identity confidentiality . 31g37.2 Handling of user-related keys in E-UTRAN 31g37.2.1 E-UTRAN key sett

22、ing during AKA . 31g3ETSI ETSI TS 133 401 V13.5.0 (2017-01)43GPP TS 33.401 version 13.5.0 Release 137.2.2 E-UTRAN key identification 31g37.2.3 E-UTRAN key lifetimes . 32g37.2.4 Security mode command procedure and algorithm negotiation 32g37.2.4.1 Requirements for algorithm selection . 32g37.2.4.2 Pr

23、ocedures for AS algorithm selection 33g37.2.4.2.1 Initial AS security context establishment 33g37.2.4.2.2 X2-handover 33g37.2.4.2.3 S1-handover . 33g37.2.4.2.4 Intra-eNB handover . 33g37.2.4.3 Procedures for NAS algorithm selection . 33g37.2.4.3.1 Initial NAS security context establishment . 33g37.2

24、.4.3.2 MME change . 34g37.2.4.4 NAS security mode command procedure 34g37.2.4.5 AS security mode command procedure . 35g37.2.4a Algorithm negotiation for unauthenticated UEs in LSM 36g37.2.5 Key handling at state transitions to and away from EMM-DEREGISTERED . 36g37.2.5.1 Transition to EMM-DEREGISTE

25、RED . 36g37.2.5.2 Transition away from EMM-DEREGISTERED . 37g37.2.5.2.1 General 37g37.2.5.2.2 With existing native EPS NAS security context 38g37.2.5.2.3 With run of EPS AKA . 38g37.2.6 Key handling in ECM-IDLE to ECM-CONNECTED and ECM-CONNECTED to ECM-IDLE transitions 39g37.2.6.1 ECM-IDLE to ECM-CO

26、NNECTED transition. 39g37.2.6.2 Establishment of keys for cryptographically protected radio bearers . 39g37.2.6.3 ECM-CONNECTED to ECM-IDLE transition. 39g37.2.7 Key handling for the TAU procedure when registered in E-UTRAN 40g37.2.8 Key handling in handover . 40g37.2.8.1 General 40g37.2.8.1.1 Acces

27、s stratum . 40g37.2.8.1.2 Non access stratum 42g37.2.8.2 Void. 42g37.2.8.3 Key derivations for context modification procedure . 42g37.2.8.4 Key derivations during handovers . 42g37.2.8.4.1 Intra-eNB Handover 42g37.2.8.4.2 X2-handover 42g37.2.8.4.3 S1-Handover 43g37.2.8.4.4 UE handling . 43g37.2.9 Ke

28、y-change-on-the fly 44g37.2.9.1 General 44g37.2.9.2 KeNBre-keying . 44g37.2.9.3 KeNB refresh 45g37.2.9.4 NAS key re-keying 45g37.2.10 Rules on Concurrent Running of Security Procedures . 45g37.2.11 Suspend and resume of RRC connection 46g37.2.11.1 General 46g37.2.11.2 RRC connection suspend 46g37.2.

29、11.3 RRC connection resume to a new eNB . 46g37.2.11.4 RRC connection resume to the same eNB 47g37.3 UP security mechanisms 48g37.3.1 UP confidentiality mechanisms 48g37.3.2 UP integrity mechanisms 48g37.4 RRC security mechanisms 48g37.4.1 RRC integrity mechanisms . 48g37.4.2 RRC confidentiality mec

30、hanisms . 49g37.4.3 KeNB*and Token Preparation for the RRCConnectionRe-establishment Procedure 49g37.5 Signalling procedure for periodic local authentication . 50g38 Security mechanisms for non-access stratum signalling and data via MME . 51g38.0 General . 51g38.1 NAS integrity mechanisms . 51g38.1.

31、1 NAS input parameters and mechanism . 51g3ETSI ETSI TS 133 401 V13.5.0 (2017-01)53GPP TS 33.401 version 13.5.0 Release 138.1.2 NAS integrity activation . 51g38.2 NAS confidentiality mechanisms . 52g39 Security interworking between E-UTRAN and UTRAN . 52g39.1 RAU and TAU procedures . 52g39.1.1 RAU p

32、rocedures in UTRAN . 52g39.1.2 TAU procedures in E-UTRAN . 53g39.2 Handover 55g39.2.1 From E-UTRAN to UTRAN 55g39.2.2 From UTRAN to E-UTRAN 56g39.2.2.1 Procedure 56g39.2.2.2 Derivation of NAS keys and KeNBduring Handover from UTRAN to E-UTRAN . 60g39.3 Recommendations on AKA at IRAT-mobility to E-UT

33、RAN 60g39.4 Attach procedures . 61g39.4.1 Attach in UTRAN . 61g310 Security interworking between E-UTRAN and GERAN . 61g310.1 General . 61g310.2 RAU and TAU procedures . 62g310.2.1 RAU procedures in GERAN . 62g310.2.2 TAU procedures in E-UTRAN . 62g310.3 Handover 62g310.3.1 From E-UTRAN to GERAN 62g

34、310.3.2 From GERAN to E-UTRAN 62g310.3.2.1 Procedures . 62g310.4 Recommendations on AKA at IRAT-mobility to E-UTRAN 62g310.5 Attach procedures . 63g310.5.1 Attach in GERAN . 63g311 Network Domain Control Plane protection 63g312 Backhaul link user plane protection . 63g313 Management plane protection

35、 over the S1 interface 64g314 SRVCC between E-UTRAN and Circuit Switched UTRAN/GERAN 65g314.1 From E-UTRAN to Circuit Switched UTRAN/GERAN . 65g314.2 Emergency call in SRVCC from E-UTRAN to circuit switched UTRAN/GERAN 66g314.3 SRVCC from circuit switched UTRAN/GERAN to E-UTRAN 66g314.3.1 Procedure

36、66g315 Security Aspects of IMS Emergency Session Handling 69g315.1 General . 69g315.2 Security procedures and their applicability 70g315.2.1 Authenticated IMS Emergency Sessions 70g315.2.1.1 General 70g315.2.1.2 UE and MME share a current security context . 70g315.2.2 Unauthenticated IMS Emergency S

37、essions 71g315.2.2.1 General 71g315.2.2.2 UE and MME share no security context . 72g315.2.3 Void 73g315.2.4 Key generation procedures for unauthenticated IMS Emergency Sessions 73g315.2.4.1 General 73g315.2.4.2 Handover. 73g316 Void 73g3Annex A (normative): Key derivation functions . 74g3A.1 KDF int

38、erface and input parameter construction . 74g3A.1.1 General . 74g3A.1.2 FC value allocations . 74g3A.2 KASMEderivation function 74g3A.3 KeNBderivation function . 75g3ETSI ETSI TS 133 401 V13.5.0 (2017-01)63GPP TS 33.401 version 13.5.0 Release 13A.4 NH derivation function . 75g3A.5 KeNB* derivation f

39、unction . 75g3A.6 Void 75g3A.7 Algorithm key derivation functions . 76g3A.8 KASMEto CK, IK derivation at handover . 76g3A.9 NAS token derivation for inter-RAT mobility . 77g3A.10 K“ASMEfrom CK, IK derivation during handover 77g3A.11 K“ASMEfrom CK, IK derivation during idle mode mobility . 77g3A.12 K

40、ASMEto CKSRVCC, IKSRVCCderivation . 78g3A.13 KASMEto CK, IK derivation at idle mobility . 78g3A.14 (Void) . 78g3A.15 Derivation of S-KeNBfor dual connectivity 78g3A.16 Derivation of LWIP-PSK . 78g3A.17 Derivation of K_n for IOPS subscriber key separation 79g3A.18 Derivation of S-KWTfor LWA . 79g3Ann

41、ex B (normative): Algorithms for ciphering and integrity protection . 80g3B.0 Null ciphering and integrity protection algorithms 80g3B.1 128-bit ciphering algorithm 80g3B.1.1 Inputs and outputs 80g3B.1.2 128-EEA1 . 81g3B.1.3 128-EEA2 . 81g3B.1.4 128-EEA3 . 81g3B.2 128-Bit integrity algorithm . 82g3B

42、.2.1 Inputs and outputs 82g3B.2.2 128-EIA1 82g3B.2.3 128-EIA2 82g3B.2.4 128-EIA3 83g3Annex C (informative): Algorithm test data 84g3C.1 128-EEA2 . 84g3C.1.1 Test Set 1 84g3C.1.2 Test Set 2 85g3C.1.3 Test Set 3 86g3C.1.4 Test Set 4 86g3C.1.5 Test Set 5 87g3C.1.6 Test Set 6 88g3C.2 128-EIA2 91g3C.2.1

43、Test Set 1 92g3C.2.2 Test Set 2 93g3C.2.3 Test Set 3 94g3C.2.4 Test Set 4 95g3C.2.5 Test Set 5 96g3C.2.6 Test Set 6 97g3C.2.7 Test Set 7 99g3C.2.8 Test Set 8 101g3C.3 128-EEA1 . 113g3C.4 128-EIA1 113g3C.4.1 Test Set 1 113g3ETSI ETSI TS 133 401 V13.5.0 (2017-01)73GPP TS 33.401 version 13.5.0 Release

44、13C.4.2 Test Set 2 114g3C.4.3 Test Set 3 114g3C.4.4 Test Set 4 114g3C.4.5 Test Set 5 115g3C.4.6 Test Set 6 115g3C.4.7 Test Set 7 115g3Annex D (normative): Security for Relay Node Architectures 118g3D.1 Introduction 118g3D.2 Solution 118g3D.2.1 General . 118g3D.2.2 Security Procedures 118g3D.2.3 USIM

45、 Binding Aspects 121g3D.2.4 Enrolment procedures for RNs . 121g3D.2.5 Secure management procedures for RNs 122g3D.2.6 Certificate and subscription handling . 122g3D.3 Secure channel profiles 124g3D.3.1 General . 124g3D.3.2 APDU secure channel profile . 124g3D.3.3 Key agreement based on certificate e

46、xchange 124g3D.3.3.1 TLS profile 124g3D.3.3.2 Common profile for RN and UICC certificate 124g3D.3.3.3 RN certificate profile 125g3D.3.3.4 UICC certificate profile 125g3D.3.4 Key agreement for pre-shared key (psk) case. 125g3D.3.5 Identities used in key agreement 126g3Annex E (normative): Dual connec

47、tivity 127g3E.1 Introduction 127g3E.2 Dual connectivity offload architecture . 128g3E.2.1 Protection of the X2 reference point. 128g3E.2.2 Addition and modification of DRB in SeNB 128g3E.2.3 Activation of encryption/decryption . 128g3E.2.4 Derivation of keys for the DRBs in the SeNB 130g3E.2.4.1 SCG

48、 Counter maintenance 130g3E.2.4.2 Security key derivation . 130g3E.2.4.3 Negotiation of security algorithms 131g3E.2.5 S-KeNBupdate . 131g3E.2.5.1 S-KeNBupdate triggers 131g3E.2.5.2 S-KeNBupdate procedure . 131g3E.2.6 Handover procedures 131g3E.2.7 Periodic local authentication procedure . 131g3E.2.

49、8 Radio link failure recovery . 132g3E.2.9 Avoiding key stream reuse caused by DRB type change . 132g3Annex F (informative): Isolated E-UTRAN Operation for Public Safety . 133g3F.1 General Description 133g3F.2 IOPS security solution 133g3F.3 Security Considerations 134g3F.3.1 Malicious switching of USIM applications 134g3F.3.2 Compromise of local HSSs 134g3F.4 Mitigation of compromise of a local HSS 134g3F.4.0 Introduction 134g3F.4.1 Subscriber key separation mechanism 134g3F.4.2 Key derivation mechanism for subscriber key separation . 135g3F.5 Actions in case of comp