Data Integrity Protection and Encryption RAN12.

Feature Parameter Description

Issue Date

01 2010-03-30

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China Website: Email: http://www.huawei.com support@huawei.com

WCDMA RAN Data Integrity Protection and Encryption

Contents

Contents
1 Introduction ................................................................................................................................1-1
1.1 Scope ............................................................................................................................................ 1-1 1.2 Intended Audience ........................................................................................................................ 1-1 1.3 Change History.............................................................................................................................. 1-1

2 Overview .....................................................................................................................................2-1 3 Technical Description ..............................................................................................................3-1

3.1 Integrity Protection of Signaling .................................................................................................... 3-1 3.1.1 Integrity Algorithm ................................................................................................................. 3-1 3.1.2 Integrity Protection Procedure .............................................................................................. 3-1 3.2 Encryption of Signaling and User Data ......................................................................................... 3-2 3.2.1 Encryption Algorithm............................................................................................................. 3-2 3.2.2 Ciphering Procedure............................................................................................................. 3-3 3.3 Negotiation of Encryption and Integrity Algorithms ....................................................................... 3-5

4 Parameters .................................................................................................................................4-1 5 Counters ......................................................................................................................................5-1 6 Glossary ......................................................................................................................................6-1 7 Reference Documents .............................................................................................................7-1

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

iii

WCDMA RAN Data Integrity Protection and Encryption

1 Introduction

1 Introduction
1.1 Scope
To protect user data from illegal interception and to protect networks from illegal modification, the WCDMA system introduces data integrity protection (WRFD-011401 Integrity Protection) and encryption (WRFD-011402 Encryption). This document describes the mechanism of the data integrity protection and encryption.

1.2 Intended Audience

This document is intended for:

Personnel who are familiar with WCDMA basics. Personnel who need to understand data integrity protection and encryption feature. Personnel who work with Huawei products.

1.3 Change History

This section provides information on the changes in different document versions. There are two types of changes, which are defined as follows:

Feature change: refers to the change in the data integrity protection and encryption feature. Editorial change: refers to the change in wording or the addition of the information that was not described in the earlier version.

Document Issues
The document issues are as follows:

01 (2010-03-30) Draft (2009-12-05)

01 (2010-03-30)
This is the document for the first commercial release of RAN12.0. Compared with issue Draft (2009-12-05) of RAN12.0, this issue optimizes the description.

Draft (2009-12-05)
This is the draft of the document for RAN12.0. Compared with issue 02 (2009-06-30) of RAN11.0, this issue optimizes the description.

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

1-1

WCDMA RAN Data Integrity Protection and Encryption

2 Overview

2 Overview
To protect user data from illegal interception and to protect networks from illegal modification, the WCDMA system introduces the function of data integrity protection and encryption. The 3G system uses longer cipher keys and more robust encryption and data integrity algorithms for the security of user data and networks. The integrity protection mechanism handles the control of integrity protection of signaling data and the coordination of integrity keys between different core networks (PS and CS). It enables the receiving entity (the UE or the RNC) to check whether the signaling data is illegally changed. It encrypts and decrypts the signaling data by using a certain integrity algorithm with an integrity key (IK). The encryption mechanism handles the control of ciphering of data and signaling data and the coordination encryption keys between different core networks (PS and CS). It encrypts and decrypts data and signaling by using a certain encryption algorithm with a cipher key (CK). The function of data integrity protection and encryption is applied for the following purposes:

To enhance the security of networks and user data To protect the data and networks from illegal interception and modification To prevent the imitation behavior

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

2-1

WCDMA RAN Data Integrity Protection and Encryption

3 Technical Description

3 Technical Description
3.1 Integrity Protection of Signaling
This section describes the integrity algorithm parameters and the integrity protection procedure.

3.1.1 Integrity Algorithm

Currently, the RNC supports only UMTS Integrity Algorithm 1 (UIA1), that is, integrity algorithm f9. The support for the algorithm can be set through the IntegrityProtectAlgo parameter on the RNC side. The UE is required to support the encryption and integrity algorithms. The sub-parameter UL_INTER_PROTECT_SWITCH of PROCESSSWITCH specifies whether to enable integrity protection for uplink RRC messages.

3.1.2 Integrity Protection Procedure

Integrity protection is implemented at the RRC layer of the radio interface by the UE and RNC. Figure 3-1 shows how to authenticate data integrity of a signaling message by using the integrity algorithm f9. Figure 3-1 Derivation of MAC-I or XMAC-I from a signaling message

Table 3-1 describes the input parameters to the integrity algorithm.

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

3-1

WCDMA RAN Data Integrity Protection and Encryption

3 Technical Description

Table 3-1 Input parameters to the integrity algorithm Item IK Name Integrity key Description IK is 128 bits long. It is used to establish CS connections (IKCS) between the CS domain and the UE, or PS connections (IKPS) between the PS domain and the UE. The most recently received IK, either IKCS or IKPS, is used for integrity protection. For UMTS subscribers, IK is generated during the implementation of UMTS Authentication and Key Agreement (AKA) and stored in the USIM with a copy in the ME. IK can be sent:

From the USIM to the ME upon request of the ME From the HLR/AuC to the VLR/SGSN and stored in the VLR/SGSN as part of a quintet In the RANAP message SECURITY MODE COMMAND from the VLR/SGSN to the RNC

COUNT-I

Integrity COUNT_I is 32 bits long. For Signaling Radio Bearers (SRBs) from sequence number SRB0 to SRB4, there is one COUNT-I value for each uplink SRB and one COUNT-I value for each downlink SRB. The COUNT-I consists of the Hyper Frame Number (HFN) and the RRC Sequence Number (RRC SN). The HFN is 28 bits long, and the RRC SN is 4 bits long. Each time an RRC message is sent, the RRC SN increases by 1. At each RRC SN cycle, the HFN increases by 1.

FRESH

Fresh

FRESH is 32 bits long. It is a random number generated by the RNC and is sent to the UE through the RRC message SECURITY MODE COMMAND. FRESH ensures that the MAC-I is unique.

DIRECTION

Direction bit

DIRECTION is 1 bit long. It is used to indicate uplink or downlink. The value 0 indicates uplink, and the value 1 indicates downlink.

MESSAGE

Signaling data

Message data

Based on these input parameters, the sender uses the integrity algorithm f9 to compute MAC-I, that is, the message authentication code for data integrity. The MAC-I is then appended to the message when it is sent over the radio access link. The receiver uses the same algorithm to compute XMAC-I and then verifies the data integrity by comparing the XMAC-I with the received MAC-I.

3.2 Encryption of Signaling and User Data

This section describes the encryption algorithm parameters and the ciphering procedure.

3.2.1 Encryption Algorithm

The RNC supports two encryption algorithms:

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

3-2

WCDMA RAN Data Integrity Protection and Encryption

3 Technical Description

UMTS Encryption Algorithm 0 (UEA0): no encryption UMTS Encryption Algorithm 1 (UEA1): encryption algorithm f8

Which algorithm to use can be set through the EncryptionAlgo parameter on the RNC side.

3.2.2 Ciphering Procedure

Encryption and decryption are implemented in the UE and the RNC (at layer 2). Figure 3-2 shows how to encrypt and decrypt the signaling and user data by using the encryption algorithm f8. Figure 3-2 Encryption and decryption of signaling and user data

Table 3-2 describes the input parameters to the integrity algorithm.

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

3-3

WCDMA RAN Data Integrity Protection and Encryption

3 Technical Description

Table 3-2 Input parameters to the encryption algorithm Item CK Name Cipher key Description CK is 128 bits long. It is used to establish CS connections (CKCS) between the CS domain and the UE, or PS connections (CKPS) between the PS domain and the UE. The user data for the CS domain is always encrypted by the CK received from the CS domain, and that for the PS domain is encrypted by the CK received from the PS domain. The signaling data is always encrypted by the most recently received CK, either CKCS or CKPS. For UMTS subscribers, CK is generated during the implementation of UMTS Authentication and Key Agreement (AKA). It is stored in the USIM with a copy in the ME. The CK can be sent:

From the USIM to the ME upon request of the ME From the HLR/AuC to the VLR/SGSN and stored in the VLR/SGSN as part of the quintet In the RANAP message SECURITY MODE COMMAND from the VLR/SGSN to the RNC

COUNT-C

Cipher sequence number

COUNT-C is 32 bits long. For Radio Bearers (RBs) using the RLC Acknowledged Mode (AM) or Unacknowledged Mode (UM), there is one COUNT-C value for each uplink RB and one COUNT-C value for each downlink RB. The COUNT-C consists of the Hyper Frame Number (HFN) and the RLC Sequence Number (RLC SN). The HFN increases by 1 at each RLC SN cycle. All the RBs using the RLC Transparent Mode (TM) in one CN domain correspond to one COUNT-C, which is uplink and downlink insensitive. The COUNT-C consists of the HFN and the Connection Frame Number (CFN). The HFN increases by 1 at each CFN cycle.
NOTE Under AM, the RLC HFN is 20 bits long and the RLC SN is 12 bits long.

Under UM, the RLC HFN is 25 bits long and the RLC SN is 7 bits long. Under TM, the HFN is 24 bits long and the CFN is 8 bits long.

DIRECTION

Direction bit DIRECTION is 1 bit long. It is used to indicate uplink or downlink. The value 0 indicates uplink, and the value 1 indicates downlink.

LENGTH BEARER

Length indication

LENGTH is 16 bits long. It is used to indicate only the length of the required keystream block instead of the actual bits in the block.

Radio bearer BEARER is 5 bits long. It is used to identify the radio bearer type. identifier

As shown in Figure 3-2, the UMTS encryption mechanism is based on the stream cipher concept. To be more specific, plaintext data is added bit by bit to pseudo-random mask data generated by CK and other parameters. The benefit of such an encryption mechanism is that the generation of the pseudo-random mask data is independent of the plaintext data. Therefore, the final encryption process is fast. The decryption on the receiving side is the same, because adding the pseudo-random mask bits twice has the same result as adding zeros once.

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

3-4

WCDMA RAN Data Integrity Protection and Encryption

3 Technical Description

3.3 Negotiation of Encryption and Integrity Algorithms

This section describes the negotiation between the UE and the network. In addition, it describes methods of encryption and integrity algorithms employed on the CN side. When a UE wishes to establish a connection with the network, the UE indicates to the network in the UE/USIM classmark which encryption and integrity algorithms the UE supports. The UE/USIM classmark information itself must be integrity protected. The RNC does not have the integrity key IK when receiving the UE/USIM classmark. Therefore, this information must be stored in the RNC. The data integrity check of the UE/USIM classmark is performed, during the security mode setup procedure by using the most recently generated IK. The network compares its integrity-related information with that indicated by the UE. Such information includes integrity protection capabilities, integrity protection preferences, and any special requirements of the subscription of the UE. Then, the network acts according to the following rules:

If the network and the UE have no versions of the UIA algorithm in common, the connection is released. If the network and the UE have at least one version of the UIA algorithm in common, the network chooses one of the mutually acceptable versions for use on that connection.

The network compares its encryption-related information with that indicated by the UE. Such information includes ciphering capabilities, ciphering preferences, and any special requirements of the subscription of the UE. Then, the network acts according to the following rules:

If the network and the UE have no versions of the UEA algorithm in common and the network is not prepared to use an unciphered connection, then the connection is released. If the network and the UE have no versions of the UEA algorithm in common and the user and the network are willing to use an unciphered connection, then an unciphered connection is used. If the network and the UE have at least one version of the UIA algorithm in common, the network chooses one of the mutually acceptable versions for use on that connection.

The CS and PS domains use the same preferences and special requirements for the ciphering and integrity mode setting, for example, the preference of the algorithms. If there are RABs connecting the UE to both CS and PS domains, the two domains must employ the same encryption policy, that is, whether to encrypt signaling and user data or not. If encryption is required, the user data for the CS domain is always encrypted by the CK received from the CS domain, and that for the PS domain is encrypted by the CK received from the PS domain. The signaling data, however, is always encrypted by the latest CK received from either the PS or CS domain.
The algorithms of integrity protection and encryption cannot be changed when the UE is connected to another CN.

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

3-5

WCDMA RAN Data Integrity Protection and Encryption

4 Parameters

4 Parameters
Table 4-1 Parameter description Parameter ID NE MML Description Meaning: The integrity protection algorithm supported by RNC. Only UIA1 is supported currently. GUI Value Range: UIA1 Actual Value Range: For each switch of this parameter, the value can be: ON or OFF. Unit: None Default Value: UIA1-1 EncryptionAl BSC6900 SET go UUEA(Optional) Meaning: The encryption algorithm supported by RNC. Both UEA0 and UEA1 can be selected at one time. GUI Value Range: UEA0~0 UEA1 Actual Value Range: For each switch of this parameter, the value can be: ON or OFF. Unit: None Default Value: None PROCESSS BSC6900 SET Meaning: 1) INVOKE_TRACE_SWITCH. When it is checked, WITCH URRCTRLSWITC RNC will start Invoke Trace procedure upon receiving H(Optional) INVOKE TRACE Message form CN, otherwise, RNC won't start the Invoke Trace procedure though it receives the INVOKE TRACE message. 2) SYS_INFO_UPDATE_FOR_IU_RST. When it is checked, RNC will broadcast SYSTEM INFORMATION messages to UE when Iu reset, otherwise, RNC won't broadcast SYSTEM INFORMATION messages to UE when IU reset. 3) DRNC_DIRECT_DSCR. When it is checked, DRNC will start DSCR procedure directly in RRC states other than CELL_DCH, otherwise, DRNC will transfer RRC CELL UPDATE message to SRNC. 4) RNC_SHARE_SWITCH. When it is checked, RNC traffic share function will be valid, otherwise, RNC traffic function cannot be used. 5)RNCAP_IMSI_HO_SWITCH.When it is checked, Imsi handover function will be used,otherwise it will be not used. 6) TERMINAL_VERSION_DEBASE_SWITCH. When it is checked, terminal version R4 will debase to R99. 7)SYS_HO_OUT_CIPHER_SWITCH.When it is checked ,the RNC will add ciphering byte at GSM HANDOVER COMMAND if the GSM system do not add any cipher information at that message. 8)SYS_HO_CIPHER_CONFIG.When it is checked , the cipher configuration in the added cipher byte in GSM will be A5/1.When it is no checked ,the cipher configuration is A5/0. 9)BARRED_CELL_FOR_CSDOMAIN_RST.When it is checked, cell will be bared when CS domain is invalid, otherwise the CS domain will be bared when CS domain is invalid. It is invalid If SYS_INFO_UPDATE_FOR_IU_RST is
Issue 01 (2010-03-30) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd 4-1

IntegrityProt BSC6900 SET ectAlgo UUIA(Optional)

WCDMA RAN Data Integrity Protection and Encryption

4 Parameters

Parameter ID

NE

MML

Description not checked. 10)CR2284R1_SWITCH.in section 8.6.6.28 of TS25.331 of R5 Before 2006, it describes that the HFN should add one when UE is ciphering in the situation of Timing re-initialized hard handover,while not specified in RB SETUP process in the section of 8.6.4.3. so it is not clear whether to add or not in RB SETUP in DRD scenarios. CR2284R1 clarify that HFN should add one in RB SETUP process with Timing re-initialized hard handover. when it is checked ,RNC accepts this CR2284R1; when it is not checked ,RNC does not accept this CR2284R1. 11)CR2284R1_COMPATIBLE_SWITCH.CR2284R1 causes the compatible problem.if UE is not consistent with RNC regarding whether accept the CR2284R1 or not,it will cause the problem of streaming when UEs are communicating with each other.So RNC creates this switch . when it is checked, RNC is auto-adaptive to accept the CR2284R1 according to UE version information. The principles that RNC judges UE whether to accept the CR2284R1 are as follows: R5 and above UE accepts the CR; R99/R4 UE ,if it receives the START LIST value from RB SETUP COMPLETE,RNC figures that UE accepts the CR; R99/R4 UE ,if it only receives the START value from RB SETUP COMPLETE,RNC figures that UE does not accept the CR ; when it is not checked, whether RNC accept the CR or not is according to CR2284R1_SWITCH. The relations between these two switches CR2284R1_SWITCH and CR2284R1_COMPATIBLE_SWITCH are as follows: (1)CR2284R1_COMPATIBLE_SWITCH is checked, RNC is self-compatible,so the CR2284R1_SWITCH is invalid; (2)CR2284R1_COMPATIBLE_SWITCH is not checked, the CR2284R1_SWITCH is valid. 12)CDT_MSG_FULL_TRACE:When it is checked,CDT trace function which starts tracing from message RRC CONNECT REQUEST. 13)COMBINE_OPERATION_DRD_SWITCH.When it is on,RNC will not reject the message RB SETUP CMP without the IE active time. 14)UL_INTER_PROTECT_SWITCH.When the switch is off,RNC will not do integrity protection check for uplink RRC messages. 15)SYS_HO_IN_CIPHER_SWITCH.When it is checked, don't receive the encrypted ability infomation from RELOC REQ ,default configured of encrypted parameter are UIA1 and UEA0. 16)UPLINK_MDC_ENHENCEMENT_SWITCH.When it is checked ,uplink MDC enhancement function will be used.

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

4-2

WCDMA RAN Data Integrity Protection and Encryption

4 Parameters

Parameter ID

NE

MML

Description 17)NODEB_PRIVATE_INTERFACE_SWITCH.When it is checked ,the NodeB private interface data can be taken to the NodeB or DRNC through the IUB or IUR protocol message. 18)RNC_QUERY_UE_IMEI_SWITCH.when it is checked,RNC send Identity Request Message to UE and save the IMEI information of UE if RNC receive the Identity Response Message. GUI Value Range: INVOKE_TRACE_SWITCH, SYS_INFO_UPDATE_FOR_IU_RST, DRNC_DIRECT_DSCR, RNC_SHARE_SWITCH, RNCAP_IMSI_HO_SWITCH, TERMINAL_VERSION_DEBASE_SWITCH, SYS_HO_OUT_CIPHER_SWITCH, SYS_HO_CIPHER_CONFIG, BARRED_CELL_FOR_CSDOMAIN_RST, CR2284R1_SWITCH, CDT_MSG_FULL_TRACE, CR2284R1_COMPATIBLE_SWITCH, COMBINE_OPERATION_DRD_SWITCH, UL_INTER_PROTECT_SWITCH, SYS_HO_IN_CIPHER_SWITCH, UPLINK_MDC_ENHENCEMENT_SWITCH, NODEB_PRIVATE_INTERFACE_SWITCH Actual Value Range: This parameter is set to 0 or 1 according to the related domains. Unit: None Default Value: None

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

4-3

WCDMA RAN Data Integrity Protection and Encryption

5 Counters

5 Counters
For details, see the BSC6900 UMTS Performance Counter Reference.

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

5-1

WCDMA RAN Data Integrity Protection and Encryption

6 Glossary

6 Glossary
For the acronyms, abbreviations, terms, and definitions, see the Glossary.

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

6-1

WCDMA RAN Data Integrity Protection and Encryption

7 Reference Documents

7 Reference Documents
[1] 3GPP TS 33.102 "3G Security; Security Architecture" [2] 3GPP TS 31.111 "USIM Application Toolkit (USAT)"

Issue 01 (2010-03-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

7-1