1、 ETSI TS 135 231 V15.0.0 (2018-07) Universal Mobile Telecommunications System (UMTS); LTE; Specification of the TUAK algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: Algorithm specification (3GPP TS 35
2、.231 version 15.0.0 Release 15) TECHNICAL SPECIFICATION ETSI ETSI TS 135 231 V15.0.0 (2018-07)13GPP TS 35.231 version 15.0.0 Release 15Reference RTS/TSGS-0335231vf00 Keywords LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 6
3、5 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or
4、in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of
5、 the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at htt
6、ps:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, e
7、lectronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. ETSI 2018
8、. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are trademarks of ETSI registered for the benefit of its Members. 3GPPTM and LTETMare trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of
9、its Members. GSMand the GSM logo are trademarks registered and owned by the GSM Association. ETSI ETSI TS 135 231 V15.0.0 (2018-07)23GPP TS 35.231 version 15.0.0 Release 15Intellectual Property Rights Essential patents IPRs essential or potentially essential to normative deliverables may have been d
10、eclared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, wh
11、ich is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced
12、in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Trademarks The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except f
13、or any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks. F
14、oreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the
15、corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and
16、“cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TS 135 231 V15.0.0 (2018-07)33GPP TS 35.231 version 15.0.0 R
17、elease 15Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 4g3Introduction 4g31 Scope 5g32 References 5g33 Definitions 6g33.1 Definitions 6g33.2 Symbols 6g34 Preliminary information . 6g34.1 Introduction 6g34.2 Notation 7g34.2.1 Radix . 7g34.2.2 Bit-numberi
18、ng for inputs and outputs . 7g34.2.3 Assignment operations 7g34.2.4 Void 8g34.3 Void 8g35 Inputs and outputs 8g35.1 Tuak inputs and outputs . 8g35.2 Keccak and its inputs and outputs 9g35.3 Other inputs and substrings 9g36 Definition of the example algorithms . 10g36.1 Derivation of TOPC10g36.2 Spec
19、ification of the function f1 10g36.3. Specification of the function f1* 12g36.4 Specification of the functions f2, f3, f4 and f5 . 12g36.5 Specification of the function f5* 14g37 Implementation considerations . 14g37.1 TOPCcomputed on or off the UICC? . 14g37.2 Further customization . 15g37.3 Resist
20、ance to side channel attacks 15g3Annex A (normative): Tuak diagrams . 16g3Annex B (informative): TuakApplication Programme Interface ( AP) in ANSI CI 17g3Annex C (normative): Specification of the Keccak permutation used within Tuak 18g3Annex D (informative): Example source code for Tuak (ANSI C) 20g
21、3Annex E (informative): Example source code for Keccak (ANSI C) . 23g3Annex F (informative): Change history . 27g3History 28g3ETSI ETSI TS 135 231 V15.0.0 (2018-07)43GPP TS 35.231 version 15.0.0 Release 15Foreword This Technical Specification has been produced by the 3rdGeneration Partnership Projec
22、t (3GPP). The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in versi
23、on number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, correctio
24、ns, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. Introduction The present document is one of three, which between them form the entire specification of the example algorithms, entitled: - 3GPP TS 35.231: “Specification of the Tuak
25、 algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: Algorithm specification “. - 3GPP TS 35.232: “Specification of the Tuak algorithm set: A second example algorithm set for the 3GPP authentication and k
26、ey generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Implementers test data“. - 3GPP TS 35.233: “Specification of the Tuak algorithm Set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 3: Design confor
27、mance test data“. ETSI ETSI TS 135 231 V15.0.0 (2018-07)53GPP TS 35.231 version 15.0.0 Release 151 Scope The present document and the other Technical Specifications in the series, TS 35.232 15 and 35.233 16 contain an example set of algorithms which could be used as the authentication and key genera
28、tion functions f1, f1*, f2, f3, f4, f5 and f5* for 3GPP systems. All seven functions are operator-specifiable rather than being fully standardised and other algorithms could be envisaged. 2 References The following documents contain provisions which, through reference in this text, constitute provis
29、ions of the present document. - References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. - For a specific reference, subsequent revisions do not apply. - For a non-specific reference, the latest version applies. In the case of a refere
30、nce to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document. 1 3GPP TS 33.102: “3G Security; Security Architecture3G Security; Specification of the MILENAGE algorithm set: An example
31、algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm specification.3 “The KECCAK Reference“, version 3.0, 14 January 2011, G. Bertoni, J. Daemen, M. Peeters, G. van Aasche, (available at http:/keccak.noekeon.org/Keccak-referenc
32、e-3.0.pdf). 4 “KECCAK Implementation Overview“, version 3.2, 29 May 2012, G. Bertoni, J. Daemen, M. Peeters, G. van Aasche, R. van Keer (available at http:/keccak.noekeon.org/Keccak-implementation-3.2.pdf). 5 “SAKURA: a flexible coding for tree hashing“, 3 June 2013, G. Bertoni, J. Daemen, M. Peeter
33、s, G. van Aasche, (available at http:/keccak.noekeon.org/Sakura.pdf). 6 “Securing the AES finalists against Power Analysis Attacks“, in FSE 2000, Seventh Fast Software Encryption Workshop, Thomas S. Messerges, ed. Schneier, Springer Verlag, 2000. 7 “Timing Attacks on Implementations of Diffie-Hellma
34、n, RSA, DSS, and Other Systems“, P. C. Kocher, in CRYPTO96, Lecture Notes in Computer Science #1109, Springer Verlag, 1996. 8 “Side Channel Cryptanalysis of Product Ciphers“, in ESORICS98, Lecture Notes in Computer Science #1485, Springer Verlag, 1998, J. Kelsey, B. Schneier, D. Wagner, C. Hall. 9 “
35、DES and differential power analysis“, in CHES99, Lecture Notes in Computer Science #1717, Springer Verlag, 1999, L. Goubin, J. Patarin. 10 “Differential Power Analysis“, in CRYPTO99, Lecture Notes in Computer Science #1666, Springer Verlag, 1999, P. Kocher, J. Jaffe, B. Jun. 11 “On Boolean and Arith
36、metic Masking against Differential Power Analysis“, in CHES00, Lecture Notes in Computer Science series, Springer Verlag, 2000, L. Goubin, J.-S. Coron. 12 3GPP TS 33.401: “3GPP System Architecture Evolution (SAE); Security architecture“. 13 ETSI TS 103 383: “Smart Cards; Embedded UICC; Requirements
37、Specification“. 14 3GPP TR 21.905: “Vocabulary for 3GPP specifications“. 15 3GPP TS 35.232: “3G Security; Specification of the Tuak Algorithm Set: a Second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Implementers test da
38、ta“. ETSI ETSI TS 135 231 V15.0.0 (2018-07)63GPP TS 35.231 version 15.0.0 Release 1516 3GPP TS 35.233: “3G Security; Specification of the Tuak Algorithm Set: a second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 3: Design co
39、nformance test data“. 3 Definitions 3.1 Definitions For the purposes of the present document, the terms and definitions given in TR 21.905 14 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905 14. Tuak: The name
40、 of this algorithm set is “Tuak“. It should be pronounced like “too-ack“. 3.2 Symbols = The assignment operator The bitwise exclusive-OR operation | The concatenation of the two operands Xi The ithbit of the variable X. (X = X0 | X1 | X2 | ) g518 the permutation Keccak-f1600 (See clause 5.2 and anne
41、x C) The following represent variables used in the algorithm: AK a 48-bit anonymity key that is the output of either of the functions f5 and f5* AMF a 16-bit authentication management field that is an input to the functions f1 and f1* CK a 128-bit or 256-bit confidentiality key that is the output of
42、 the function f3 IK a 128-bit or 256-bit integrity key that is the output of the function f4 IN a 1600-bit value that is used as the input to the permutation g518 when computing the functions f1, f1*, f2, f3, f4, f5 and f5* INSTANCE an 8-bit value that is used to specify different modes of operation
43、 and different parameter lengths within the algorithm set K a 128-bit or 256-bit subscriber key that is an input to the functions f1, f1*, f2, f3, f4, f5 and f5* MAC-A a 64-bit, 128-bit or 256-bit network authentication code that is the output of the function f1 MAC-S a 64-bit, 128-bit or 256-bit re
44、synchronization authentication code that is the output of the function f1* OP Operator Variant Algorithm Configuration Field (used in MILENAGE) OUT a 1600-bit value that is taken as the output of the permutation g518 when computing the functions f1, f1*, f2, f3, f4, f5 and f5* RAND a 128-bit random
45、challenge that is an input to the functions f1, f1*, f2, f3, f4, f5 and f5* RES a 32-bit, 64-bit, 128-bit or 256-bit signed response that is the output of the function f2 SQN a 48-bit sequence number that is an input to either of the functions f1 and f1*. (For f1* this input is more precisely called
46、 SQNMS.) See informative Annex C of 1 for methods of encoding sequence numbers SQNMS (See SQN) TOP a 256-bit Operator Variant Algorithm Configuration Field that is a component of the functions f1, f1*, f2, f3, f4, f5 and f5* TOPCa 256-bit value derived from TOP and K and used within the computation
47、of the functions 4 Preliminary information 4.1 Introduction Within the security architecture of the 3GPP system there are seven security functions related to authentication and key agreement: f1, f1*, f2, f3, f4, f5 and f5*. The operation of these functions falls within the domain of one operator, a
48、nd the functions are therefore to be specified by each operator rather than being fully standardized. The algorithms specified in the present document are examples that may be used by an operator who does not wish to design his own. ETSI ETSI TS 135 231 V15.0.0 (2018-07)73GPP TS 35.231 version 15.0.
49、0 Release 15The algorithm specified is called Tuak (pronounced “too-ack“). It is not mandatory that the particular algorithms specified in the present document are used. The inputs and outputs of all seven algorithms are defined in clause 4.4. 4.2 Notation 4.2.1 Radix The prefix 0x is used to indicate hexadecimal numbers. 4.2.2 Bit-numbering for inputs and outputs 3GPP TS 33.102 1 includes the following convention. (There is similar text in the specification of MILENAGE, as defined in 3GPP TS 35.206 2): Al
