1、 ETSI TS 1Universal Mobile TelSpecification of the TUalgorithm set fokey generation funDocument 1(3GPP TS 35.2TECHNICAL SPECIFICATION135 231 V13.0.0 (2016elecommunications System (LTE; TUAK algorithm set: A secondfor the 3GPP authentication aunctions f1, f1*, f2, f3, f4, f5 ant 1: Algorithm specific
2、ation .231 version 13.0.0 Release 1316-01) (UMTS); n example and and f5*; 13) ETSI ETSI TS 135 231 V13.0.0 (2016-01)13GPP TS 35.231 version 13.0.0 Release 13Reference RTS/TSGS-0335231vd00 Keywords LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94
3、 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in elect
4、ronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing do
5、cument is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documen
6、ts is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by
7、any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all medi
8、a. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizationa
9、l Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 135 231 V13.0.0 (2016-01)23GPP TS 35.231 version 13.0.0 Release 13Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. Th
10、e information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available fr
11、om the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314
12、(or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using
13、their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the
14、 present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliver
15、ables except when used in direct citation. ETSI ETSI TS 135 231 V13.0.0 (2016-01)33GPP TS 35.231 version 13.0.0 Release 13Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 4g3Introduction 4g31 Scope 5g32 References 5g33 Definitions 6g33.1 Definitions 6g33.2
16、 Symbols 6g34 Preliminary information . 7g34.1 Introduction 7g34.2 Notation 7g34.2.1 Radix . 7g34.2.2 Bit-numbering for inputs and outputs . 7g34.2.3 Assignment operations 7g34.2.4 Void 8g34.3 Void 8g35 Inputs and outputs 8g35.1 Tuak inputs and outputs . 8g35.2 Keccak and its inputs and outputs 9g35
17、.3 Other inputs and substrings 10g36 Definition of the example algorithms . 10g36.1 Derivation of TOPC10g36.2 Specification of the function f1 11g36.3. Specification of the function f1* 12g36.4 Specification of the functions f2, f3, f4 and f5 . 12g36.5 Specification of the function f5* 14g37 Impleme
18、ntation considerations . 14g37.1 TOPCcomputed on or off the UICC? . 14g37.2 Further customization . 15g37.3 Resistance to side channel attacks 15g3Annex A (normative): Tuak diagrams . 16g3Annex B (informative): TuakApplication Programme Interface ( AP) in ANSI CI 17g3Annex C (normative): Specificati
19、on of the Keccak permutation used within Tuak 18g3Annex D (informative): Example source code for Tuak (ANSI C) 20g3Annex E (informative): Example source code for Keccak (ANSI C) . 23g3Annex F (informative): Change history . 27g3History 28g3ETSI ETSI TS 135 231 V13.0.0 (2016-01)43GPP TS 35.231 versio
20、n 13.0.0 Release 13Foreword This Technical Specification has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the prese
21、nt document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under chan
22、ge control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. Introduction The present document is one of three, which between th
23、em form the entire specification of the example algorithms, entitled: - 3GPP TS 35.231: “Specification of the Tuak algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: Algorithm specification “. - 3GPP TS
24、35.232: “Specification of the Tuak algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Implementers“ test data“. - 3GPP TS 35.233: “Specification of the Tuak algorithm Set: A second example algorithm set
25、for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 3: Design conformance test data“. ETSI ETSI TS 135 231 V13.0.0 (2016-01)53GPP TS 35.231 version 13.0.0 Release 131 Scope The present document and the other Technical Specifications in the series, TS 35
26、.232 15 and 35.233 16 contain an example set of algorithms which could be used as the authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5* for 3GPP systems. All seven functions are operator-specifiable rather than being fully standardised and other algorithms could be envisage
27、d. 2 References The following documents contain provisions which, through reference in this text, constitute provisions of the present document. - References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. - For a specific reference, sub
28、sequent revisions do not apply. - For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document. 1 3GPP
29、TS 33.102: “3G Security; Security Architecture3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm specification.3 “The KECCAK Reference“, version 3.0, 14 Jan
30、uary 2011, G. Bertoni, J. Daemen, M. Peeters, G. van Aasche, (available at http:/keccak.noekeon.org/Keccak-reference-3.0.pdf). 4 “KECCAK Implementation Overview“, version 3.2, 29 May 2012, G. Bertoni, J. Daemen, M. Peeters, G. van Aasche, R. van Keer (available at http:/keccak.noekeon.org/Keccak-imp
31、lementation-3.2.pdf). 5 “SAKURA: a flexible coding for tree hashing“, 3 June 2013, G. Bertoni, J. Daemen, M. Peeters, G. van Aasche, (available at http:/keccak.noekeon.org/Sakura.pdf). 6 “Securing the AES finalists against Power Analysis Attacks“, in FSE 2000, Seventh Fast Software Encryption Worksh
32、op, Thomas S. Messerges, ed. Schneier, Springer Verlag, 2000. 7 “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems“, P. C. Kocher, in CRYPTO96, Lecture Notes in Computer Science #1109, Springer Verlag, 1996. 8 “Side Channel Cryptanalysis of Product Ciphers“, in ESORICS
33、98, Lecture Notes in Computer Science #1485, Springer Verlag, 1998, J. Kelsey, B. Schneier, D. Wagner, C. Hall. 9 “DES and differential power analysis“, in CHES99, Lecture Notes in Computer Science #1717, Springer Verlag, 1999, L. Goubin, J. Patarin. 10 “Differential Power Analysis“, in CRYPTO99, Le
34、cture Notes in Computer Science #1666, Springer Verlag, 1999, P. Kocher, J. Jaffe, B. Jun. 11 “On Boolean and Arithmetic Masking against Differential Power Analysis“, in CHES00, Lecture Notes in Computer Science series, Springer Verlag, 2000, L. Goubin, J.-S. Coron. 12 3GPP TS 33.401: “3GPP System A
35、rchitecture Evolution (SAE); Security architecture“. 13 ETSI TS 103 383: “Smart Cards; Embedded UICC; Requirements Specification“. 14 3GPP TR 21.905: “Vocabulary for 3GPP specifications“. 15 3GPP TS 35.232: “3G Security; Specification of the Tuak Algorithm Set: a Second example algorithm set for the
36、 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Implementers“ test data“. ETSI ETSI TS 135 231 V13.0.0 (2016-01)63GPP TS 35.231 version 13.0.0 Release 1316 3GPP TS 35.233: “3G Security; Specification of the Tuak Algorithm Set: a second example algorithm
37、 set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 3: Design conformance test data“. 3 Definitions 3.1 Definitions For the purposes of the present document, the terms and definitions given in TR 21.905 14 and the following apply. A term defined in
38、 the present document takes precedence over the definition of the same term, if any, in TR 21.905 14. Tuak: The name of this algorithm set is “Tuak“. It should be pronounced like “too-ack“. 3.2 Symbols = The assignment operator The bitwise exclusive-OR operation | The concatenation of the two operan
39、ds Xi The ithbit of the variable X. (X = X0 | X1 | X2 | ) the permutation Keccak-f1600 (See clause 5.2 and annex C) The following represent variables used in the algorithm: AK a 48-bit anonymity key that is the output of either of the functions f5 and f5* AMF a 16-bit authentication management field
40、 that is an input to the functions f1 and f1* CK a 128-bit or 256-bit confidentiality key that is the output of the function f3 IK a 128-bit or 256-bit integrity key that is the output of the function f4 IN a 1600-bit value that is used as the input to the permutation when computing the functions f1
41、, f1*, f2, f3, f4, f5 and f5* INSTANCE an 8-bit value that is used to specify different modes of operation and different parameter lengths within the algorithm set K a 128-bit or 256-bit subscriber key that is an input to the functions f1, f1*, f2, f3, f4, f5 and f5* MAC-A a 64-bit, 128-bit or 256-b
42、it network authentication code that is the output of the function f1 MAC-S a 64-bit, 128-bit or 256-bit resynchronization authentication code that is the output of the function f1* OP Operator Variant Algorithm Configuration Field (used in MILENAGE) OUT a 1600-bit value that is taken as the output o
43、f the permutation when computing the functions f1, f1*, f2, f3, f4, f5 and f5* RAND a 128-bit random challenge that is an input to the functions f1, f1*, f2, f3, f4, f5 and f5* RES a 32-bit, 64-bit, 128-bit or 256-bit signed response that is the output of the function f2 SQN a 48-bit sequence number
44、 that is an input to either of the functions f1 and f1*. (For f1* this input is more precisely called SQNMS.) See informative Annex C of 1 for methods of encoding sequence numbers SQNMS (See SQN) TOP a 256-bit Operator Variant Algorithm Configuration Field that is a component of the functions f1, f1
45、*, f2, f3, f4, f5 and f5* TOPCa 256-bit value derived from TOP and K and used within the computation of the functions ETSI ETSI TS 135 231 V13.0.0 (2016-01)73GPP TS 35.231 version 13.0.0 Release 134 Preliminary information 4.1 Introduction Within the security architecture of the 3GPP system there ar
46、e seven security functions related to authentication and key agreement: f1, f1*, f2, f3, f4, f5 and f5*. The operation of these functions falls within the domain of one operator, and the functions are therefore to be specified by each operator rather than being fully standardized. The algorithms spe
47、cified in the present document are examples that may be used by an operator who does not wish to design his own. The algorithm specified is called Tuak (pronounced “too-ack“). It is not mandatory that the particular algorithms specified in the present document are used. The inputs and outputs of all
48、 seven algorithms are defined in clause 4.4. 4.2 Notation 4.2.1 Radix The prefix 0x is used to indicate hexadecimal numbers. 4.2.2 Bit-numbering for inputs and outputs 3GPP TS 33.102 1 includes the following convention. (There is similar text in the specification of MILENAGE, as defined in 3GPP TS 3
49、5.206 2): All data variables in the present document are presented with the most significant substring on the left hand side and the least significant substring on the right hand side. A substring may be a bit, byte or other arbitrary length bit string. Where a variable is broken down into a number of substrings, the left-most (most significant) substring is numbered 0, the next most significant is numbered 1, and so on through to the least significant. So, for example, RAND0 is the most-significant