A guide to 3GPP security documents

http://www.csirik.net/3gpp.html

******************************************

A guide to 3GPP security documents

Warning: this document is not maintained!

I first wrote this document in 2000, and it has not received updates since 2001. It should therefore be regarded as obsolete. I have nevertheless made it availableas references to it exist and some people may still want to look at it at theirown risk.

Click here if you are impatient

Click here if you are extremely impatient

You can always come back here and read the whole page if you get confused.

Introduction

This page is here for people who want to learn about and study cryptographic aspects of 3GPP security documents. Please email me at user janos located at the site pobox.com with suggestions. Because of the obsolete status of this page, just about the only kind of suggestion I will consider is insertinga pointer to newer or better Web pages of this type.

3GPP, the 3rd Generation Partnership project, serves to producestandards for 3rd generation wireless phones. It kind of grew outof GSM.

In the last few years,GSM took a lot of flak for their approach to crypto algorithmdesign, which relied on keeping the algorithms secret. In fact, their various algorithms have been broken, as described here.(A person knowledgeable about GSM provided an alternative point of view on this: GSM broke entirely new ground in its use of cryptography in a massmarket product - and the first steps were a bit tentative. It was alsodesigned at a time when export restrictions on cryptographic products were agood deal tighter than they are now - which amongst other things meant thatthe algorithms were kept secret and could not benefit from public scrutiny.The result is a system which has generally done a good job of protecting itssubscribers and operators, but in which some holes have appeared, and whichis definitely showing its age today. Several pieces of cryptanalysis havebeen published.)

3GPP has chosen a superior approach to their crypto requirements.They are making open to the public all of their drafts, standards andrecommendations, and rely on their algorithms withstanding thescrutiny of any interested researchers.

My aim in producing this page was to make it clear to any such"interested researchers" where and how these algorithms are published.

This page has nothing to do with North Americanwireless crypto standards promulgated by TIA. For more information on those algorithms, please refer tothis FTP site.

3GPP organizational information

You can find out a lot about 3GPP by going to their Web site. You can probably find out anything that is on this page by going over to their Web site instead. Nevertheless, here area few more concise hints.

3GPP is quite fond of acronyms. The parts of the organization thatproduce documents (that we are interested in) are called TSGs, whichstands for Technical Specification Groups. The TSGs have names likeSA, CN, RAN, etc. This explains a lot of thesubdirectories in the root directory of their FTP server, ftp://ftp.3gpp.org.

The TSG of interest here is called SA, which standsfor Services and System Aspects (I think). It corresponds toftp://ftp.3gpp.org/TSG_SA.

The TSG SA has various working groups, also known as WGs. The WGsare called simply SA1, SA2, SA3, SA4, SA5. The one of interest to usis SA3 (also known as S3), which is responsible for Security.It corresponds toftp://ftp.3gpp.org/TSG_SA/WG3_Security/.

Here is how S3 operates. They meet every couple of months. Eachmeeting has a number. For example, S3 had their meeting#14 in Oslo, Norway, from August 1 to August 4 of 2000.This meeting is often referred to as S3#14.Documents from this meeting are to be found inftp://ftp.3gpp.org/TSG_SA/WG3_Security/TSGS3_14_Oslo/.This directory, and other meetings directories, have varioussubdirectories, the two most interesting ones of them are Report, and Docs. The former contains a report that summarizes what happenedat the meeting and what documents were considered/produced there.

The actual documents are stored in the Docs directory. They have names likeS3-000404.pdf, which denotes S3 document number "0404" in the year 20"00".Now you can see why you need to look at the report to find your wayaround.

S3 is generally responsible for the maintenance and developement ofa certain set of 3GPP documents, which fall into two groups: TSes(technical standards) and TRs (technical reports). However, the S3 isnot allowed to make changes in these documents itself. Instead, ithas to produce CRs (change requests) which are forwarded for approvalup one level, to the TSG SA, at their next plenary meeting. TSG SAwill usually, but not always, approve the CR and agree to make the changes.

Another designation that often occurs in the WG meeting documents is LS,which stands for Liaison Statement. These are produced if S3 reachesa point in their discussion where it becomes necessary to consultanother WG for guidance. This can happen, for example, if some document produced bythat other WG is not clear on something. Since the other WG will notbe in session at the same time, an LS is drafted and sent to them todeal with at their next meeting. The other WG will produce another LS in turn to answer thequestion, and send it back to S3 for its next meeting, and so on.

TSG SA plenary meetings occur somewhat less frequently than S3meetings. They are also numbered, e.g., meeting #8 took placein Duesseldorf, Germany, from June 26 to June 28, 2000. You can find documents about theirmeetings in ftp://ftp.3gpp.org/TSG_SA/TSG_SA/.

Two other organizations that are sometimes mentioned are ETSI and SAGE.ETSI stands for European Telecommunications Standards Institute, which hadclose ties with GSM and is still somehow connected to 3GPP. SAGE standsfor Security Algorithms Group of Experts, and either belongs to or has beenestablished by ETSI. SAGE tends to produce algorithms and algorithm evaluations for 3GPP, or, more specifically, for S3.

3GPP security documents

Now that all that is covered, let's get down to the documents.Most (but not all) 3GPP documents are available in PDF format, whichis what I will give pointers to below, whenever possible. Every document is available ina MS Word format too, but I'll let MS Word enthusiasts worry about that.

• At Eurocrypt 2000, Prof. Michael Walker, who is the chair of the S3 group, gave a lecture entitled On the security of 3GPP networks.I think that this is a very good introduction to the topic.
• The design of 3GPP security is such that not every carrier has to use the same algorithms for authentication and key exchange (AKA). Therefore, instead ofproducing a standard, 3GPP publishes a recommendation or example algorithmfor those providers who do not wish to design and implement their own algorithms. GSM used a similar approach(the infamous COMP128 algorithm became an example), and experience has shown that most carrierschose to implement the example algorithm. The current suggestion for AKA algorithms is calledMILENAGE.

  MILENAGE was introduced at S3#16, which was held in December 2000. Ithas been made official by SA#11 in March 2001. It is based on Rijndael.

  SAGE has released an evaluation of MILENAGE. This can be found right here.

   

• The air interface encryption and integrity algorithms must be the same for all carriers(so that a subscriber can roam into another carrier's territory and still be able tocommunicate with the base stations located there). The 3GPP algorithms used for these purposes are both built around a block ciphercalled KASUMI.(Here is a note on intellectual property rightson KASUMI:The Kasumi documents bear apparently restrictive labels such as,for example, "Subject to a Restriced Usage Undertaking".I contacted members of the 3GPP Security (S3) group for clarification,and two knowledgeable persons independently gave me the same answer.Namely, Mitshubishi has IPR on KASUMI, but they are licencing it freelyfor use in 3G systems. The documents can be readily scrutinizedfor the purpose of determining the suitability of the system for 3G.However, it is not the case that KASUMI can be used for otherpurposes without an agreement with Mitsubishi and 3GPP.For more details, including documents with names such as "IPR Licence Agreement" and "Restriced UsageUndertaking", go to the ETSI3GPP conditions Web page.Disclaimer: I am not a lawyer and this is not legal advice.You are responsible for ensuring that your conduct complies with allapplicable laws, etc.).

   

• Note that the last page of Walker's presentation includes a handy list ofthe TRs and TSes that relate to 3GPP security. These can be helpful in filling in background information on 3GPP terminology or design.

  These documents can generally be found underftp://ftp.3gpp.org/Specs/. The latest versions of the specifications canbe found in the subdirectory corresponding to the latest SA meeting,for exampleftp://ftp.3gpp.org/Specs/2000-12/.

  Here are the pointers to the Release 99 versions from the December 2000 meeting.
  Principles, objectives and requirements

  • TS 33.120, Security principles and objectives (This is not a tutorial introduction to 3GPP security. If you aredisappointed by its contents, also refer to TR 33.102.)
  • TS 21.133, Security threats and requirements
  Architecture, mechanisms and algorithms
  • TR 33.102, 3GPP security architecture
  • TR 33.103, Integration guidelines
  • TR 33.105, Cryptographic algorithm requirements
  • TR 22.022, Personalization of mobile equipment
  Lawful Interception
  • TR 33.106, Lawful interception requirements
  • TR 33.107, Lawful interception architecture and functions
  Technical reports
  • TR 33.900, A guide to 3G security
  • TR 33.901, Criteria for cryptographic algorithm design process
  • TR 33.902, Formal analysis of the 3G authentication protocol
  • TR 33.908, General report on the design, specification and evaluationof 3GPP standard confidentiality and integrity algorithms

That concludes the list of algorithms that I think would be particularly good to look at, but I would be more than happy to provide a link to BEANO if someone tells me what the link is etc.

If you have written, or otherwise know about, research papers about these algorithms, please let me know! I will provide a link to themfrom here.

Acknowledgements

I thank Steve Babbage, Charles Brookson,Daniel Ferguson,Chiara Dotti,Ian Goldberg (who suggested that I createa page like this), Peter Howard, Geir Køien,Jim Reeds, Gert Roelofsen, Greg Rose,Bill Sommerfeld, Marco Tosalli, David Wagner, and others,for useful suggestions.

Closing exhortation

And now, gentle reader, go forth and study those algorithms!

• Example authentication and key exchange algorithm: MILENAGE.
• Air interface encryption and integrity algorithm:KASUMI. (Here is a note on intellectual property rightson KASUMI).

Yours, Janos A. Csirik

This page was last edited on 28th August 2003, but pages linked from here might have been edited more recently. Also, these editsmust have been minor formatting changes since I stopped maintaining the contents back in 2001.HTML4.01.