Can you afford not to read this book?........ The Universal Mobile Telecommunication System (UMTS) offers a consistent set of services to mobile computer and phone users and numerous different radio access technologies will co-exist within the UMTS system's core network - security is, therefore, of the utmost importance. UMTS Security focuses on the standardized security features of UMTS and brings together material previously only available in specifications, design documents and presentations in one concise form. In addition, this unique volume also covers non-standard implementation specific features that allow differentiation between operators and manufacturers. * Describes the security solutions specified for UMTS * Provides a comprehensive presentation of the UMTS security specifications and explains the role of the security functionality in the UMTS system * Presents the UMTS security system in its totality from the theoretical background through to the design process * Discusses the new security features included in Release 4 and 5 By providing a unified treatment of the security services provided by the UMTS system, this volume will provide invaluable information and have instant appeal to planners, constructers and implementers of UMTS networks, and developers and analysts of application oriented security services that make use of UMTS communication networks. It will also be of considerable interest to postgraduates and researchers of modern communication security technology.

Table of Contents:
Preface xi PART I: SECURITY ARCHITECTURE FOR UMTS 1 1 Introduction to Security and to UMTS 3 1.1 Security in Telecommunications 3 1.1.1 General security principles 4 1.1.2 GSM security 7 1.2 The Background to 3G 11 1.3 The 3G Partnership Project (3GPP) 12 1.4 3GPP Network Architecture 14 1.4.1 Elements in the architecture 15 1.4.2 Protocols in the 3GPP system 18 1.5 WCDMA Radio Technology 20 1.5.1 CDMA: an example 22 1.5.2 Basic facts of WCDMA 23 1.5.3 Handovers 25 1.5.4 Power control 25 2 UMTS Security Features in Release 1999 29 2.1 Access Security to UMTS 29 2.1.1 Mutual authentication 30 2.1.2 Temporary identities 42 2.1.3 UTRAN encryption 44 2.1.4 Integrity protection of RRC signalling 54 2.1.5 Set-up of UTRAN security mechanisms 59 2.1.6 Summary of access security in the CS and PS domains 63 2.2 Interworking with GSM 63 2.2.1 Interworking scenarios 65 2.2.2 Cases with SIM 66 2.2.3 Cases with USIM 67 2.2.4 Handovers from one system to another 68 2.3 Additional Security Features in Release 1999 69 2.3.1 Ciphering indicator 69 2.3.2 Identification of the UE 69 2.3.3 Security for Location Services (LCs) 70 2.3.4 User-to-USIM authentication 70 2.3.5 Security in the USIM application toolkit 70 2.3.6 Mobile Execution Environment (MExE) 70 2.3.7 Lawful interception 71 3 Security Features in Releases 4 and 5 73 3.1 Network Domain Security 73 3.1.1 MAPsec 74 3.1.2 IPsec 81 3.1.3 IPsec-based mechanisms in UMTS 84 3.1.4 Role of firewalls 86 3.2 IMS Security 87 3.2.1 Basics of SIP 87 3.2.2 IMS architecture 90 3.2.3 Architecture for securing access to the IMS 91 3.2.4 Principles for IMS access security 93 3.2.5 Use of HTTP Digest AKA 95 3.2.6 Security mode set-up 100 3.2.7 Integrity protection with ESP 101 3.2.8 Error case handling 104 3.3 Other Security Systems 106 3.3.1 Higher layer security systems 106 3.3.2 Link layer security systems 108 PART II: CRYPTOGRAPHIC ALGORITHMS 111 4 Introduction to Cryptography 113 4.1 The Science of Cryptology 113 4.1.1 Cryptographic systems 113 4.1.2 Security and vulnerability 115 4.1.3 Developing cryptology into a publicly available science 116 4.1.4 Public cryptographic development efforts 118 4.2 Requirements and Analysis of Cryptographic Algorithms 119 4.2.1 Block ciphers 120 4.2.2 Stream ciphers 125 4.2.3 Message authentication codes 127 5 3GPP Algorithm Specification Principles 131 6 Confidentiality and Integrity Algorithms 135 6.1 Requirements for the Confidentiality Algorithm 135 6.1.1 Functional requirements 135 6.1.2 Algorithm operation 136 6.1.3 Interfaces to the algorithm 137 6.2 Requirements for the Integrity Algorithm 139 6.2.1 Overview 139 6.2.2 Interface 140 6.3 Design Task Force 142 6.4 Getting Started 142 6.4.1 SAGE contribution to SA3 143 6.4.2 Modes around MISTY1 143 6.4.3 Particular security criteria 144 6.5 Design Process 144 6.5.1 The teams 145 6.5.2 Design documentation 145 6.5.3 Conclusion of evaluation 148 6.6 Confidentiality Algorithm 149 6.6.1 The f8 stream cipher mode 149 6.6.2 Description of f8 149 6.6.3 Security 151 6.7 Extension of the UMTS Confidentiality Algorithm 152 6.7.1 Background 152 6.7.2 List of variables 153 6.7.3 Core function KGCORE 154 6.7.4 A5/3 algorithm for GSM encryption 157 6.7.5 A5/3 algorithm for ECSD encryption 158 6.7.6 GEA3 algorithm for GPRS encryption 160 6.7.7 Specification of the 3GPP confidentiality algorithm f8 161 6.7.8 Summary of the confidentiality functions 162 6.8 Integrity Algorithm 163 6.8.1 The f9 MAC mode 163 6.8.2 Description 164 6.8.3 Security 165 6.9 Implementation 168 6.9.1 Length of data 168 6.10 IPR Issues and Exportability 169 6.10.1 IPR issues 169 6.10.2 Exportability 169 7 Kernel Algorithm KASUMI 171 7.1 Introduction 171 7.2 MISTY Block Cipher Algorithms 172 7.2.1 Design principles of MISTY1 172 7.2.2 Security of MISTY 176 7.3 Changes between MISTY1 and KASUMI 178 7.3.1 Changes to the data encryption part 178 7.3.2 Changes to the key-scheduling part 179 7.4 Description of KASUMI 179 7.4.1 General structure 179 7.4.2 KASUMI encryption function 181 7.4.3 Key schedule 187 7.5 Mathematical Analysis of KASUMI by the Task Force 188 7.5.1 Properties of components 188 7.5.2 Differential cryptanalysis 192 7.5.3 Truncated differentials 195 7.5.4 Linear cryptanalysis 196 7.5.5 Higher order differential attacks 196 7.6 Public Research on KASUMI 197 7.7 Implementation issues 198 7.7.1 Parallel operation 198 7.7.2 Implementation attacks 199 8 Authentication and Key Generation Algorithm 201 8.1 Design Task Force 201 8.2 Requirements 202 8.2.1 Authentication specification 202 8.2.2 Functional requirements for UMTS authentication 205 8.2.3 General requirements 209 8.2.4 Additional requirements from SA3 209 8.3 Design Process 210 8.3.1 Work plan 210 8.3.2 SAGE’s contribution to the UMTS security architecture 212 8.3.3 Cryptographic requirements 213 8.3.4 Operator-variant algorithm configuration field 214 8.3.5 Criteria for the cryptographic kernel 214 8.4 Description of the Modes 216 8.4.1 The algorithm framework 216 8.4.2 Notation 216 8.4.3 Specification of the modes 217 8.5 The MILENAGE Architecture 219 8.5.1 Use of OP 220 8.5.2 Rotation and offset constants 220 8.5.3 Protection against side-channel attacks 220 8.5.4 The number of kernel operations 220 8.5.5 Modes of operation 221 8.6 Kernel Algorithm 221 8.6.1 Block ciphers versus hash functions 221 8.6.2 The kernel of MILENAGE 223 8.7 Customization Options 224 8.7.1 Operator variant parameter 224 8.7.2 Kernel algorithm 225 8.7.3 Rotation and offset parameters 225 8.7.4 Length of RES 226 8.8 Conversion to and Compatibility with A3/A8 226 8.8.1 Conversion rules 227 8.8.2 GSM–MILENAGE 228 8.9 Security analysis of MILENAGE 230 8.9.1 Assumptions and security claims 230 8.9.2 Operational context 231 8.9.3 The soundness of the f2–f5* construction 232 8.9.4 Soundness of the f1–f1* construction and its cryptographic separation from the other modes 234 8.9.5 Investigation of forgery or distinguishing attacks with 264 queries 236 8.9.6 Conclusions 240 Notation of Parameters, Sets and Functions 243 Abbreviations 249 References 257 Index 267