1、 ETSI TS 133 401 V14.5.0 (2018-01) Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 3GPP System Architecture Evolution (SAE); Security architecture (3GPP TS 33.401 version 14.5.0 Release 14) TECHNICAL SPECIFICATION ETSI ETSI TS 133
2、401 V14.5.0 (2018-01)13GPP TS 33.401 version 14.5.0 Release 14Reference RTS/TSGS-0333401ve50 Keywords GSM,LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non luc
3、ratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the
4、present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific networ
5、k drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors
6、in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except
7、as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. ETSI 2018. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo a
8、re trademarks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members. GSM and the GSM logo are trademarks registered and owned
9、by the GSM Association. ETSI ETSI TS 133 401 V14.5.0 (2018-01)23GPP TS 33.401 version 14.5.0 Release 14Intellectual Property Rights Essential patents IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if
10、 any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are availabl
11、e on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, o
12、r may be, or may become, essential to the present document. Trademarks The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys n
13、o right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks. Foreword This Technical Specification (TS) has been produced by ETSI 3rd
14、 Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS,
15、 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI D
16、rafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TS 133 401 V14.5.0 (2018-01)33GPP TS 33.401 version 14.5.0 Release 14Contents Intellectual Property Rights 2g3Foreword . 2g3Modal v
17、erbs terminology 2g3Foreword . 9g31 Scope 10g32 References 10g33 Definitions, symbols and abbreviations . 12g33.1 Definitions 12g33.2 Symbols 13g33.3 Abbreviations . 14g33.4 Conventions 15g34 Overview of Security Architecture . 16g35 Security Features 16g35.1 User-to-Network security . 16g35.1.0 Gen
18、eral 16g35.1.1 User identity and device confidentiality . 17g35.1.2 Entity authentication . 17g35.1.3 User data and signalling data confidentiality 17g35.1.3.1 Ciphering requirements . 17g35.1.3.2 Algorithm Identifier Values 18g35.1.4 User data and signalling data integrity 18g35.1.4.1 Integrity req
19、uirements . 18g35.1.4.2 Algorithm Identifier Values 18g35.2 Security visibility and configurability 19g35.3 Security requirements on eNodeB 19g35.3.1 General 19g35.3.2 Requirements for eNB setup and configuration 19g35.3.3 Requirements for key management inside eNB 20g35.3.4 Requirements for handlin
20、g User plane data for the eNB 20g35.3.4a Requirements for handling Control plane data for the eNB 20g35.3.5 Requirements for secure environment of the eNB 20g35.4 Void 21g36 Security Procedures between UE and EPC Network Elements . 21g36.0 General . 21g36.1 Authentication and key agreement . 21g36.1
21、.1 AKA procedure . 21g36.1.2 Distribution of authentication data from HSS to serving network 22g36.1.3 User identification by a permanent identity 23g36.1.4 Distribution of IMSI and authentication data within one serving network domain 24g36.1.5 Distribution of IMSI and authentication data between d
22、ifferent serving network domains 25g36.1.6 Distribution of IMSI and UMTS authentication vectors between MMEs or between MME and SGSN 25g36.2 EPS key hierarchy 26g36.3 EPS key identification 28g36.4 Handling of EPS security contexts . 29g36.5 Handling of NAS COUNTs 29g37 Security Procedures between U
23、E and EPS Access Network Elements 31g37.0 General . 31g37.1 Mechanism for user identity confidentiality . 31g37.2 Handling of user-related keys in E-UTRAN 31g37.2.1 E-UTRAN key setting during AKA . 31g37.2.2 E-UTRAN key identification 31g3ETSI ETSI TS 133 401 V14.5.0 (2018-01)43GPP TS 33.401 version
24、 14.5.0 Release 147.2.3 E-UTRAN key lifetimes . 32g37.2.4 Security mode command procedure and algorithm negotiation 32g37.2.4.1 Requirements for algorithm selection . 32g37.2.4.2 Procedures for AS algorithm selection 33g37.2.4.2.1 Initial AS security context establishment 33g37.2.4.2.2 X2-handover 3
25、3g37.2.4.2.3 S1-handover . 33g37.2.4.2.4 Intra-eNB handover . 33g37.2.4.3 Procedures for NAS algorithm selection . 33g37.2.4.3.1 Initial NAS security context establishment . 33g37.2.4.3.2 MME change . 34g37.2.4.4 NAS security mode command procedure 34g37.2.4.5 AS security mode command procedure . 35
26、g37.2.4a Algorithm negotiation for unauthenticated UEs in LSM 36g37.2.5 Key handling at state transitions to and away from EMM-DEREGISTERED . 37g37.2.5.1 Transition to EMM-DEREGISTERED . 37g37.2.5.2 Transition away from EMM-DEREGISTERED . 38g37.2.5.2.1 General 38g37.2.5.2.2 With existing native EPS
27、NAS security context 38g37.2.5.2.3 With run of EPS AKA . 39g37.2.6 Key handling in ECM-IDLE to ECM-CONNECTED and ECM-CONNECTED to ECM-IDLE transitions 39g37.2.6.1 ECM-IDLE to ECM-CONNECTED transition. 39g37.2.6.2 Establishment of keys for cryptographically protected radio bearers . 39g37.2.6.3 ECM-C
28、ONNECTED to ECM-IDLE transition. 40g37.2.7 Key handling for the TAU procedure when registered in E-UTRAN 40g37.2.8 Key handling in handover . 41g37.2.8.1 General 41g37.2.8.1.1 Access stratum . 41g37.2.8.1.2 Non access stratum 42g37.2.8.2 Void. 42g37.2.8.3 Key derivations for context modification pro
29、cedure . 42g37.2.8.4 Key derivations during handovers . 43g37.2.8.4.1 Intra-eNB Handover 43g37.2.8.4.2 X2-handover 43g37.2.8.4.3 S1-Handover 43g37.2.8.4.4 UE handling . 44g37.2.9 Key-change-on-the fly 44g37.2.9.1 General 44g37.2.9.2 KeNBre-keying . 44g37.2.9.3 KeNB refresh 45g37.2.9.4 NAS key re-key
30、ing 45g37.2.10 Rules on Concurrent Running of Security Procedures . 45g37.2.11 Suspend and resume of RRC connection 46g37.2.11.1 General 46g37.2.11.2 RRC connection suspend 46g37.2.11.3 RRC connection resume to a new eNB . 47g37.2.11.4 RRC connection resume to the same eNB 48g37.3 UP security mechan
31、isms 48g37.3.1 UP confidentiality mechanisms 48g37.3.2 UP integrity mechanisms 48g37.4 RRC security mechanisms 49g37.4.1 RRC integrity mechanisms . 49g37.4.2 RRC confidentiality mechanisms . 49g37.4.3 KeNB*and Token Preparation for the RRCConnectionRe-establishment Procedure 49g37.4.4 RRCConnection
32、re-establishment procedure for Control Plane CIoT EPS optimisation . 50g37.5 Signalling procedure for periodic local authentication . 51g38 Security mechanisms for non-access stratum signalling and data via MME . 52g38.0 General . 52g38.1 NAS integrity mechanisms . 52g38.1.1 NAS input parameters and
33、 mechanism . 52g3ETSI ETSI TS 133 401 V14.5.0 (2018-01)53GPP TS 33.401 version 14.5.0 Release 148.1.2 NAS integrity activation . 52g38.2 NAS confidentiality mechanisms . 53g39 Security interworking between E-UTRAN and UTRAN . 53g39.1 RAU and TAU procedures . 53g39.1.1 RAU procedures in UTRAN . 53g39
34、.1.2 TAU procedures in E-UTRAN . 54g39.2 Handover 56g39.2.1 From E-UTRAN to UTRAN 56g39.2.2 From UTRAN to E-UTRAN 57g39.2.2.1 Procedure 57g39.2.2.2 Derivation of NAS keys and KeNBduring Handover from UTRAN to E-UTRAN . 61g39.3 Recommendations on AKA at IRAT-mobility to E-UTRAN 61g39.4 Attach procedu
35、res . 62g39.4.1 Attach in UTRAN . 62g310 Security interworking between E-UTRAN and GERAN . 62g310.1 General . 62g310.2 RAU and TAU procedures . 63g310.2.1 RAU procedures in GERAN . 63g310.2.2 TAU procedures in E-UTRAN . 63g310.3 Handover 63g310.3.1 From E-UTRAN to GERAN 63g310.3.2 From GERAN to E-UT
36、RAN 63g310.3.2.1 Procedures . 63g310.4 Recommendations on AKA at IRAT-mobility to E-UTRAN 63g310.5 Attach procedures . 64g310.5.1 Attach in GERAN . 64g311 Network Domain Control Plane protection 64g312 Backhaul link user plane protection . 64g313 Management plane protection over the S1 interface 65g
37、314 SRVCC between E-UTRAN and Circuit Switched UTRAN/GERAN 66g314.1 From E-UTRAN to Circuit Switched UTRAN/GERAN . 66g314.2 Emergency call in SRVCC from E-UTRAN to circuit switched UTRAN/GERAN 67g314.3 SRVCC from circuit switched UTRAN/GERAN to E-UTRAN 67g314.3.1 Procedure 67g315 Security Aspects of
38、 IMS Emergency Session Handling 70g315.1 General . 70g315.2 Security procedures and their applicability 71g315.2.1 Authenticated IMS Emergency Sessions 71g315.2.1.1 General 71g315.2.1.2 UE and MME share a current security context . 71g315.2.2 Unauthenticated IMS Emergency Sessions 72g315.2.2.1 Gener
39、al 72g315.2.2.2 UE and MME share no security context . 73g315.2.3 Void 74g315.2.4 Key generation procedures for unauthenticated IMS Emergency Sessions 74g315.2.4.1 General 74g315.2.4.2 Handover. 74g316 Void 74g3Annex A (normative): Key derivation functions . 75g3A.1 KDF interface and input parameter
40、 construction . 75g3A.1.1 General . 75g3A.1.2 FC value allocations . 75g3A.2 KASMEderivation function 75g3A.3 KeNBderivation function . 76g3ETSI ETSI TS 133 401 V14.5.0 (2018-01)63GPP TS 33.401 version 14.5.0 Release 14A.4 NH derivation function . 76g3A.5 KeNB* derivation function . 76g3A.6 Void 76g
41、3A.7 Algorithm key derivation functions . 77g3A.8 KASMEto CK, IK derivation at handover . 77g3A.9 NAS token derivation for inter-RAT mobility . 78g3A.10 KASMEfrom CK, IK derivation during handover . 78g3A.11 KASMEfrom CK, IK derivation during idle mode mobility . 78g3A.12 KASMEto CKSRVCC, IKSRVCCder
42、ivation . 79g3A.13 KASMEto CK, IK derivation at idle mobility . 79g3A.14 (Void) . 79g3A.15 Derivation of S-KeNBfor dual connectivity 79g3A.16 Derivation of LWIP-PSK . 79g3A.17 Derivation of K_n for IOPS subscriber key separation 80g3A.18 Derivation of S-KWTfor LWA . 80g3Annex B (normative): Algorith
43、ms for ciphering and integrity protection . 81g3B.0 Null ciphering and integrity protection algorithms 81g3B.1 128-bit ciphering algorithm 81g3B.1.1 Inputs and outputs 81g3B.1.2 128-EEA1 . 82g3B.1.3 128-EEA2 . 82g3B.1.4 128-EEA3 . 82g3B.2 128-Bit integrity algorithm . 83g3B.2.1 Inputs and outputs 83
44、g3B.2.2 128-EIA1 83g3B.2.3 128-EIA2 83g3B.2.4 128-EIA3 84g3Annex C (informative): Algorithm test data 85g3C.1 128-EEA2 . 85g3C.1.1 Test Set 1 85g3C.1.2 Test Set 2 86g3C.1.3 Test Set 3 87g3C.1.4 Test Set 4 87g3C.1.5 Test Set 5 88g3C.1.6 Test Set 6 89g3C.2 128-EIA2 92g3C.2.1 Test Set 1 93g3C.2.2 Test
45、Set 2 94g3C.2.3 Test Set 3 95g3C.2.4 Test Set 4 96g3C.2.5 Test Set 5 97g3C.2.6 Test Set 6 98g3C.2.7 Test Set 7 100g3C.2.8 Test Set 8 102g3C.3 128-EEA1 . 114g3C.4 128-EIA1 114g3C.4.1 Test Set 1 114g3ETSI ETSI TS 133 401 V14.5.0 (2018-01)73GPP TS 33.401 version 14.5.0 Release 14C.4.2 Test Set 2 115g3C
46、.4.3 Test Set 3 115g3C.4.4 Test Set 4 115g3C.4.5 Test Set 5 116g3C.4.6 Test Set 6 116g3C.4.7 Test Set 7 116g3Annex D (normative): Security for Relay Node Architectures 119g3D.1 Introduction 119g3D.2 Solution 119g3D.2.1 General . 119g3D.2.2 Security Procedures 119g3D.2.3 USIM Binding Aspects 122g3D.2
47、.4 Enrolment procedures for RNs . 122g3D.2.5 Secure management procedures for RNs 123g3D.2.6 Certificate and subscription handling . 123g3D.3 Secure channel profiles 125g3D.3.1 General . 125g3D.3.2 APDU secure channel profile . 125g3D.3.3 Key agreement based on certificate exchange 125g3D.3.3.1 TLS
48、profile 125g3D.3.3.2 Common profile for RN and UICC certificate 125g3D.3.3.3 RN certificate profile 126g3D.3.3.4 UICC certificate profile 126g3D.3.4 Key agreement for pre-shared key (psk) case. 126g3D.3.5 Identities used in key agreement 127g3Annex E (normative): Dual connectivity 128g3E.1 Introduct
49、ion 128g3E.2 Dual connectivity offload architecture . 129g3E.2.1 Protection of the X2 reference point. 129g3E.2.2 Addition and modification of DRB in SeNB 129g3E.2.3 Activation of encryption/decryption . 129g3E.2.4 Derivation of keys for the DRBs in the SeNB 131g3E.2.4.1 SCG Counter maintenance 131g3E.2.4.2 Security key derivation . 131g3E.2.4.3 Negotiation of security algorithms 132g3E.2.5 S-KeNBupdate . 132g3E.2.5.1 S-KeNBupdate triggers 132g3E.2.5.2 S-KeNBupdate procedure . 132g3E.2.6 Handover procedures 132g3E.2.7 Periodic local authentication procedure . 132g3E.2.8