UMTS Security

"...perfectly described by its title...well structured...definitive and highly recommended..." (The IEE Communications Engineer, June/July 2004)

Valtteri Niemi received a PhD degree in Mathematics from the University of Turku, Finland in 1989. After serving in various positions at University of Turku, he became an Associate Professor in Mathematics at the University of Vaasa, Finland, during 1993-97. He joined Nokia Research Center, Helsinki in 1997 where he has contributed in several roles for Nokia research in the wireless security area, including cryptological aspects. In 2008, he moved to the new NRC laboratory in Lausanne, Switzerland, where his main focus is on privacy-enhancing technologies. He was nominated as a Nokia Fellow in January 2009. He has participated to the 3GPP SA3 standardization group from the beginning. During 2003-2009 he was the chairman of the group. Before 3GPP, Niemi took part in ETSI SMG 10 for GSM security work. He has published more than 40 scientific articles and he is a co-author of three books. Kaisa Nyberg is the author of UMTS Security, published by Wiley.

Preface xi PART I: SECURITY ARCHITECTURE FOR UMTS 1 1 Introduction to Security and to UMTS 3 1.1 Security in Telecommunications 3 1.1.1 General security principles 4 1.1.2 GSM security 7 1.2 The Background to 3G 11 1.3 The 3G Partnership Project (3GPP) 12 1.4 3GPP Network Architecture 14 1.4.1 Elements in the architecture 15 1.4.2 Protocols in the 3GPP system 18 1.5 WCDMA Radio Technology 20 1.5.1 CDMA: an example 22 1.5.2 Basic facts of WCDMA 23 1.5.3 Handovers 25 1.5.4 Power control 25 2 UMTS Security Features in Release 1999 29 2.1 Access Security to UMTS 29 2.1.1 Mutual authentication 30 2.1.2 Temporary identities 42 2.1.3 UTRAN encryption 44 2.1.4 Integrity protection of RRC signalling 54 2.1.5 Set-up of UTRAN security mechanisms 59 2.1.6 Summary of access security in the CS and PS domains 63 2.2 Interworking with GSM 63 2.2.1 Interworking scenarios 65 2.2.2 Cases with SIM 66 2.2.3 Cases with USIM 67 2.2.4 Handovers from one system to another 68 2.3 Additional Security Features in Release 1999 69 2.3.1 Ciphering indicator 69 2.3.2 Identification of the UE 69 2.3.3 Security for Location Services (LCs) 70 2.3.4 User-to-USIM authentication 70 2.3.5 Security in the USIM application toolkit 70 2.3.6 Mobile Execution Environment (MExE) 70 2.3.7 Lawful interception 71 3 Security Features in Releases 4 and 5 73 3.1 Network Domain Security 73 3.1.1 MAPsec 74 3.1.2 IPsec 81 3.1.3 IPsec-based mechanisms in UMTS 84 3.1.4 Role of firewalls 86 3.2 IMS Security 87 3.2.1 Basics of SIP 87 3.2.2 IMS architecture 90 3.2.3 Architecture for securing access to the IMS 91 3.2.4 Principles for IMS access security 93 3.2.5 Use of HTTP Digest AKA 95 3.2.6 Security mode set-up 100 3.2.7 Integrity protection with ESP 101 3.2.8 Error case handling 104 3.3 Other Security Systems 106 3.3.1 Higher layer security systems 106 3.3.2 Link layer security systems 108 PART II: CRYPTOGRAPHIC ALGORITHMS 111 4 Introduction to Cryptography 113 4.1 The Science of Cryptology 113 4.1.1 Cryptographic systems 113 4.1.2 Security and vulnerability 115 4.1.3 Developing cryptology into a publicly available science 116 4.1.4 Public cryptographic development efforts 118 4.2 Requirements and Analysis of Cryptographic Algorithms 119 4.2.1 Block ciphers 120 4.2.2 Stream ciphers 125 4.2.3 Message authentication codes 127 5 3GPP Algorithm Specification Principles 131 6 Confidentiality and Integrity Algorithms 135 6.1 Requirements for the Confidentiality Algorithm 135 6.1.1 Functional requirements 135 6.1.2 Algorithm operation 136 6.1.3 Interfaces to the algorithm 137 6.2 Requirements for the Integrity Algorithm 139 6.2.1 Overview 139 6.2.2 Interface 140 6.3 Design Task Force 142 6.4 Getting Started 142 6.4.1 SAGE contribution to SA3 143 6.4.2 Modes around MISTY1 143 6.4.3 Particular security criteria 144 6.5 Design Process 144 6.5.1 The teams 145 6.5.2 Design documentation 145 6.5.3 Conclusion of evaluation 148 6.6 Confidentiality Algorithm 149 6.6.1 The f8 stream cipher mode 149 6.6.2 Description of f8 149 6.6.3 Security 151 6.7 Extension of the UMTS Confidentiality Algorithm 152 6.7.1 Background 152 6.7.2 List of variables 153 6.7.3 Core function KGCORE 154 6.7.4 A5/3 algorithm for GSM encryption 157 6.7.5 A5/3 algorithm for ECSD encryption 158 6.7.6 GEA3 algorithm for GPRS encryption 160 6.7.7 Specification of the 3GPP confidentiality algorithm f8 161 6.7.8 Summary of the confidentiality functions 162 6.8 Integrity Algorithm 163 6.8.1 The f9 MAC mode 163 6.8.2 Description 164 6.8.3 Security 165 6.9 Implementation 168 6.9.1 Length of data 168 6.10 IPR Issues and Exportability 169 6.10.1 IPR issues 169 6.10.2 Exportability 169 7 Kernel Algorithm KASUMI 171 7.1 Introduction 171 7.2 MISTY Block Cipher Algorithms 172 7.2.1 Design principles of MISTY1 172 7.2.2 Secur