1、 ETSI TS 135 233 V15.0.0 (2018-07) Universal Mobile Telecommunications System (UMTS); LTE; Specification of the TUAK algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 3: Design conformance test data (3GPP
2、TS 35.233 version 15.0.0 Release 15) TECHNICAL SPECIFICATION ETSI ETSI TS 135 233 V15.0.0 (2018-07)13GPP TS 35.233 version 15.0.0 Release 15Reference RTS/TSGS-0335233vf00 Keywords LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4
3、 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions an
4、d/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the pri
5、nt of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available a
6、t https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any mea
7、ns, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. ETSI
8、 2018. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are trademarks of ETSI registered for the benefit of its Members. 3GPPTM and LTETMare trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefi
9、t of its Members. GSMand the GSM logo are trademarks registered and owned by the GSM Association. ETSI ETSI TS 135 233 V15.0.0 (2018-07)23GPP TS 35.233 version 15.0.0 Release 15Intellectual Property Rights Essential patents IPRs essential or potentially essential to normative deliverables may have b
10、een declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards
11、“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not refere
12、nced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Trademarks The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these exc
13、ept for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademar
14、ks. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to
15、 the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“
16、 and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TS 135 233 V15.0.0 (2018-07)33GPP TS 35.233 version 15.
17、0.0 Release 15Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 4g3Introduction 4g31 Scope 5g32 References 5g33 Definitions 5g33 Definitions 6g34 Preliminary information . 7g34.1 Introduction 7g34.2 Radix 7g34.3 Bit/Byte ordering for Tuak inputs and outputs
18、 . 7g34.4 Tuak inputs and outputs . 7g35 Conformance test data for KECCAK . 9g35.1 Overview 9g35.2 Format 9g35.3 Test set 1. 10g35.4 Test set 2. 10g35.5 Test set 3. 11g35.6 Test set 4. 11g35.7 Test set 5. 12g35.8 Test set 6. 12g36 Conformance test data for Tuak . 13g36.1 Overview 13g36.2 Format 13g3
19、6.3 Test set 1. 13g36.4 Test set 2. 14g36.5 Test set 3. 14g36.6 Test set 4. 15g36.7 Test set 5. 15g36.8 Test set 6. 16g3Annex A (informative): Change history . 17g3History 18g3ETSI ETSI TS 135 233 V15.0.0 (2018-07)43GPP TS 35.233 version 15.0.0 Release 15Foreword This Technical Specification has bee
20、n produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifyi
21、ng change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of
22、 substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. Introduction The present document is third of three, which between them form the entire specification of the example algorithms, en
23、titled: - 3GPP TS 35.231: “Specification of the Tuak algorithm set: A second example algorithm set for the 3GPP authentication and key generation Functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: algorithm specification “. - 3GPP TS 35.232: “Specification of the Tuak algorithm set: A second exa
24、mple algorithm set for the 3GPP authentication and key generation Functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Implementers test data“. - 3GPP TS 35.233: “ Specification of the Tuak algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f
25、1*, f2, f3, f4, f5 and f5*; Document 3: Design conformance test data“. ETSI ETSI TS 135 233 V15.0.0 (2018-07)53GPP TS 35.233 version 15.0.0 Release 151 Scope The present document and the other Technical Specifications in the series, TS 35.231 4 and TS 35.232 5, contain an example set of algorithms w
26、hich could be used as the authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5* for 3GPP systems. The present document provides sets of input/output test data for black box testing of physical realizations of all algorithms, and in particular: - Test data for the Keccak permuta
27、tion used within Tuak. - Test data for the MILENAGE authentication and key generation algorithms f1, f1*, f2, f3, f4, f5 and f5*. 2 References The following documents contain provisions which, through reference in this text, constitute provisions of the present document. - References are either spec
28、ific (identified by date of publication, edition number, version number, etc.) or non-specific. - For a specific reference, subsequent revisions do not apply. - For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-s
29、pecific reference implicitly refers to the latest version of that document in the same Release as the present document. 1 3GPP TS 33.102: “3G Security; Security Architecture“. 2 3GPP TS 35.206: “3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentic
30、ation and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm specification“. 3 “The KECCAK Reference“, version 3.0, 14 January 2011, G. Bertoni, J. Daemen, M. Peeters, G. van Aasche. 4 3GPP TS 35. 231: “Specification of the Tuak Algorithm Set: A second example algorithm
31、set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: algorithm specification “. 5 3GPP TS 35. 232: “Specification of the Tuak algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f
32、4, f5 and f5*; Document 2: Implementers test data“ 6 3GPP TS 33.401: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3GPP System Architecture Evolution (SAE); Security architecture“. 3 Definitions 3.1 Definitions For the purposes of the present documen
33、t, the following terms and definitions apply: Tuak: The name of this algorithm set is “Tuak“. It should be pronounced like “too-ack“. 3.2 Symbols For the purposes of the present document, the following symbols apply: AK a 48-bit anonymity key that is the output of either of the functions f5 and f5*
34、AMF a 16-bit authentication management field that is an input to the functions f1 and f1* ETSI ETSI TS 135 233 V15.0.0 (2018-07)63GPP TS 35.233 version 15.0.0 Release 15CK a 128-bit or 256-bit confidentiality key that is the output of the function f3 IK a 128-bit or 256-bit integrity key that is the
35、 output of the function f4 IN a 1600-bit value that is used as the input to the permutation g518 when computing the functions f1, f1*, f2, f3, f4, f5 and f5* K a 128-bit or 256-bit subscriber key that is an input to the functions f1, f1*, f2, f3, f4, f5 and f5* MAC-A a 64-bit, 128-bit or 256-bit net
36、work authentication code that is the output of the function f1 MAC-S a 64-bit, 128-bit or 256-bit resynchronization authentication code that is the output of the function f1* TOP a 256-bit Operator Variant Algorithm Configuration Field that is a component of the functions f1, f1*, f2, f3, f4, f5 and
37、 f5* TOPC a 256-bit value derived from TOP and K and used within the computation of the functions OUT a 1600-bit value that is taken as the output of the permutation g518 when computing the functions f1, f1*, f2, f3, f4, f5 and f5* RAND a 128-bit random challenge that is an input to the functions f1
38、, f1*, f2, f3, f4, f5 and f5* RES a 32-bit, 64-bit, 128-bit or 256-bit signed response that is the output of the function f2 SQN a 48-bit sequence number that is an input to either of the functions f1 and f1*. (For f1* this input is more precisely called SQNMS) See informative Annex C of 1 for metho
39、ds of encoding sequence numbers. 3 Definitions 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: Tuak: The name of this algorithm set is “Tuak“. It should be pronounced like “too-ack“. 3.2 Symbols For the purposes of the present document, the follow
40、ing symbols apply: AK a 48-bit anonymity key that is the output of either of the functions f5 and f5* AMF a 16-bit authentication management field that is an input to the functions f1 and f1* CK a 128-bit or 256-bit confidentiality key that is the output of the function f3 IK a 128-bit or 256-bit in
41、tegrity key that is the output of the function f4 IN a 1600-bit value that is used as the input to the permutation g518 when computing the functions f1, f1*, f2, f3, f4, f5 and f5* K a 128-bit or 256-bit subscriber key that is an input to the functions f1, f1*, f2, f3, f4, f5 and f5* MAC-A a 64-bit,
42、 128-bit or 256-bit network authentication code that is the output of the function f1 MAC-S a 64-bit, 128-bit or 256-bit resynchronization authentication code that is the output of the function f1* TOP a 256-bit Operator Variant Algorithm Configuration Field that is a component of the functions f1,
43、f1*, f2, f3, f4, f5 and f5* TOPC a 256-bit value derived from TOP and K and used within the computation of the functions OUT a 1600-bit value that is taken as the output of the permutation g518 when computing the functions f1, f1*, f2, f3, f4, f5 and f5* RAND a 128-bit random challenge that is an in
44、put to the functions f1, f1*, f2, f3, f4, f5 and f5* RES a 32-bit, 64-bit, 128-bit or 256-bit signed response that is the output of the function f2 SQN a 48-bit sequence number that is an input to either of the functions f1 and f1*. (For f1* this input is more precisely called SQNMS) See informative
45、 Annex C of 1 for methods of encoding sequence numbers. ETSI ETSI TS 135 233 V15.0.0 (2018-07)73GPP TS 35.233 version 15.0.0 Release 154 Preliminary information 4.1 Introduction Within the security architecture of the 3GPP system there are seven security functions f1, f1*, f2, f3, f4, f5 and f5*. Th
46、e operation of these functions falls within the domain of one operator, and the functions are therefore to be specified by each operator rather than being fully standardized. The algorithms specified in the present document are examples that may be used by an operator who does not wish to design his
47、 own. The inputs and outputs of all seven algorithms are defined in clause 4.4. 4.2 Radix Unless stated otherwise, all test data values presented in the present document are in hexadecimal. 4.3 Bit/Byte ordering for Tuak inputs and outputs 3GPP TS 33.102 1 includes the following convention. (There i
48、s similar text in the specification of MILENAGE, as defined in 3GPP TS 35.206 2): All data variables in the present document are presented with the most significant substring on the left hand side and the least significant substring on the right hand side. A substring may be a bit, byte or other arb
49、itrary length bit string. Where a variable is broken down into a number of substrings, the left-most (most significant) substring is numbered 0, the next most significant is numbered 1, and so on through to the least significant. So, for example, RAND0 is the most-significant bit of RAND and RAND127 is the least significant bit of RAND. This convention applies to all inputs and outputs to Tuak, as listed in tables 1-9 below. However, when describing intermediate states of Tuak (e.g. inputs and outputs for the Keccak permutation), variables are
