Presentation on

Authentication and Ciphering

in 3G and Simulation

Submitted by
Shailendra kumar
bagri
 Objective
 Introduction of 3G
 3G Architecture
 USIM Cards and its Features
 Authentication and Ciphering Parameters in
3G
 Difference Between 2G(GSM) and 3G(UMTS)
Parameters
 Utility of Ciphering and Authentication
Procedures
 Authentication Procedure in 3G Network
 Ciphering Procedure in 3G Network
 Implementation of Ciphering in 3G
 Summary
 References
 OBJECTIVE OF THIS PROJECT

Implementation of Authentication
Algorithm and Ciphering
Procedure in 3G Mobile
Communication Technology.
 The Universal Mobile Telecommunication system
(UMTS) is a realization of third generation (3G)
networks, which intend to establish a single integrated
and secure network.

Mobile/wireless Internet is becoming available with

3G mobile communication systems.

Wireless networks are as such less secure and

mobility further adds to security risk. Therefore, it is
desirable that 3G is at least as secure as fixed
networks.
 TARGET OF
3G
The third generation, 3G, is expected to
complete the globalisation process of
mobile communication.

Development of
UMTS(3G)
• Research on the suitability of CDMA and TDMA for
3G started in 1991.
• 3GPP was created in Denmark in 1998, it specifies
UMTS standards.
CELLULAR GENERATION
 Some requirements for 3G were shortlisted as follow:

– Requirements:

• Worldwidely valid system having standardized open major

interfaces

• Clearly added value to GSM and backward compatible at

least with GSM and ISDN

• Must support multimedia

• World widely available generic radio access providing

wideband capacity

• Services must be independent from radio access technology

 3G SECURITY

3G security tries to correct the problems with GSM by

addressing security weaknesses and by adding new
features.
The 3G security has the following security features:
Mutual authentication and key agreement between
MS and network.
Encryption of user traffic and signaling data over
the air interface.
Integrity protection of signaling data over the air
interface.
 The encryption of the user traffic and the signaling
data over the air interface is performed through an
algorithm called KASUMI, which has an open design
process, taking a longer cipher key length (128-bit)
derived during authentication.

KASUMI has a block size of 64 bits and a key size of

128 bits. It is a Feistel cipher with eight rounds, and
like MISTY1 and MISTY2, it has a recursive structure,
with subcomponents also having a Feistel-like form
3G /UMTS ARCHITURE
A UMTS network consist of three interacting domains;
i) Core Network (CN),
ii) UMTS Terrestrial Radio Access Network (UTRAN) and
iii) User Equipment (UE).

The main function of the core network is to provide switching,

routing and transit for user traffic. Core network also contains
the databases and network management functions.

The basic Core Network architecture for UMTS is based on

GSM network with GPRS. All equipment has to be modified
for UMTS operation and services.

The UTRAN provides the air interface access method for User
Equipment. Base Station is referred as Node-B and control
equipment for Node-B's is called Radio Network Controller
(RNC).
 The functions of Node-B
 are:
 Air interface Transmission / Reception

  Modulation / Demodulation

  CDMA Physical Channel coding

  Error Handing

  Closed loop power control

3G ARCHITURE BLOCK
DIAGRAM
 The functions of RNC
are:
 Radio Resource Control

Admission Control

Channel Allocation

Power Control Settings

Handover Control

Ciphering

Broadcast Signalling
BLOCKS USED IN UMTS
ARCHITURE
BTS Base Transceiver Station
BSC Base Station Controller
BSS Base Sub Station
RNC Radio Network Controller
RNS Radio Network Subsystem
MSC Mobile Switching Center
VLR Visitor Location Register
HLR Home Location Register
EIR Equipment Identity Register
AUC Authentication Center
SGSN Serving GPRS Support Node
GGSN Gateway GPRS Support Node
GMSC Gateway Mobile Switching
 USIM CARDS AND ITS
FEATURES
The subscription - specific information set is called a USIM.
The USIM is also called “SIM” because the services actually
follow SIM card identification information in every respect. The
corresponding information is originally stored in the HLR of the
home network of the subscriber.
Users of the packet data domain (PS) can also use an
additional ISIM application in the UICC for the IMS services.
The clear difference between a GSM SIM and USIM is that a
USIM is, by default, downloadable and its information is
accessible and updatable through the radio path. A
functionality making USIM information accessible to TE
applications is the USIM Application Toolkit (USAT).
SUBSCRIBER IDENTITY MODULE IN GSM
 A USIM basically contains five types of data:
Administrative Data :
These are data assigned by the USIM manufacturer
and service provider/operator that cannot be altered,
such as key values for security algorithms, IMSI and
access class information.

Temporary network data:

These contains information, such as current location
area ID, TMSI and calculated ciphering key value(s).

Service-related data: These hold information about

the availability or permissibility of different services
and their internal data
Application data:
The USIM may store small applications needed
for specific services.

Personal data:
These cover the data the user stores in the SIM
(e.g., SMSs and abbreviated dialling).

The optional ISIM application for IMS subscription

contains the user’s security keys
The IP Multimedia Private user Identity (IMPI), IP
Multimedia Public User identity (IMPU),
 USIM FEATURES
Physically, a UMTS SIM card (USIM) is similar to a
GSM Subscriber Identity Module (SIM), but it has more
advanced features.

USIM contains more memory space.

USIM contains more processing power.

USIM is downloadable.
 AUTHENTICATION AND
CIPHERING
Authentication - Whenever a MS requests access to
a network, the network must authenticate the MS.
Authentication verifies the identity and validity of the
SIM card to the network and ensures that the
subscriber is authorized access to the network.

Ciphering - Ciphering refers to the process of

changing plaintext data into encrypted data using a
special key and a special encryption algorithm.
 AUTHENTICATION AND
CIPHERING PARAMETERS
IN 3G
AUTHENTICATION PARAMETERS:-

In 3G (UMTS) system , the authentication centre AUC

produces five parameters-

Random Number Parameter (RANDu).

 Authentication checking Parameter XRES
Cipher key (CK).
Integrity Key (IK).
Authentication Token (AUTN token).
 CIPHERING PARAMETERS:-

The input parameters to the algorithm are:

1-The cipher key CK, which is 128 bits long

2- The time dependent input COUNT-C of length 32 bits

3- The bearer identity BEARER

4- The direction of transmission DIRECTION; and

5- The length of the required key stream LENGTH

DIFFERENCE BETWEEN GSM(2G)
AND UMTS(3G)PARAMETERS
The differences is illustrated with the help of table
given below:

DESCRIPTION GSM UMTS

Random Number Parameter RAND RANDu

Authentication checking parameter to be

SRES XRES
compared (authentication response)
Cipher Key Kc CK
Integrity Key -- IK
Authentication Token -- AUTN
 AUTHENTICATION PROCEDURE
IN 3G NETWORK
Figure shows at the GSM authentication and key agreement
mechanism.
The following enhancements to this mechanism
were seen as a priority for 3G:

Mutual authentication

Assurance that authentication information and keys

are not being re-used (key freshness)

Integrity protection of signalling messages.

Use of stronger encryption (a combination of key

length and algorithm design)
3G AUTHENTICATION PROCEDURE USING
QUINTETS
The procedure for distribution of authentication data from the
HE to service domain starts with the VLR or SGSN sending a
request to the user’s HLR/AuC. Upon receipt of that request the
HLR/AuC sends an ordered array of n quintets (the equivalent
of a GSM "triplet") to the VLR or SGSN. To create these
quintets the HLR/AuC:

1) Generates a fresh sequence number SQN from a

counter SQNHE.

2) Generates an unpredictable challenge RAND.

3) Computes a message authentication code for

authentication MAC-A = f1K(SQN || RAND || AMF)
where f1 is a message authentication function;
4) Computes an expected response XRES = f2K
(RAND) where f2 is a (possibly truncated) message
authentication function.

GENERATION OF QUINTETS IN AUC

5) Computes a cipher key CK = f3K (RAND) where f3
is a key generating function.

6) Computes an integrity key IK = f4K (RAND) where

f4 is a key generating function.

7) Computes an authentication key AK = f5K (RAND)

where f5 is a key generating function and computes
the concealed sequence number SQN Å AK = SQN
xor AK. If SQN is to be concealed.

8) Assembles the authentication token AUTN = SQN [Å

AK] || AMF || MAC-A and the quintet Q = (RAND,
XRES, CK, IK, AUTN) and updates the counter
SQNHE.
Each quintet consists of the following components:
1. A challenge RAND
2. An expected response XRES
3. A cipher key CK
4. An integrity key IK
5. An authentication token, AUTN = SQN [ AK] || AMF || MAC-A

Each quintet is good for one authentication and key agreement

between the VLR or SGSN and the ME/USIM.

1.When the VLR or SGSN initiates over-the-air authentication and

key agreement procedure it selects the next quintet from an array
held in the VLR and sends the parameters RAND and AUTN to
the user.
2. The USIM checks whether AUTN can be accepted and, if so,
produces a response RES that is sent back to the VLR or SGSN.
The USIM also computes a session cipher key (CK) and an
integrity key (IK).
The extended figure of 3G Authentication using
quintets is given below:
3. The VLR or SGSN compares the received RES with
XRES. If they match the VLR or SGSN considers the
authentication and key agreement exchange to be
successfully completed and selects the corresponding
CK and IK from the quintet.

4. The established keys CK and IK will then be

transferred by the USIM and the VLR or SGSN to the
entities which perform ciphering and integrity
functions, i.e., the ME at the user side and the RNC at
the network side.
GENERATION OF
AUTHENTICATION DATA IN USIM
The processing in the USIM upon receipt of a
(RAND, AUTN) is described in detail below:

GENERATION OF AUTHENTICATION DATA IN USIM

1) If the sequence number is concealed, the USIM
computes the anonymity key AK = f5K (RAND) and
retrieves from AUTN the unconcealed sequence number
SQN = (SQN AK) xor AK.

2) The USIM then computes XMAC-A = f1K (SQN ||

RAND || AMF) and compares XMAC-A with MAC-A
included in AUTN.

3) If they are different, the USIM triggers the ME to send

back a user authentication response with indication of
integrity failure to the VLR or SGSN and abandons the
procedure. The next stages are for the case where
XMAC-A and MAC-A are equal.
4) Next the USIM verifies that the received
sequence number SQN is acceptable.

5)
6
If the sequence number SQN is not acceptable, the
USIM computes the re-synchronisation token AUTS
and triggers the ME to send back a user authentication
response back to the VLR or SGSN, with an indication
of synchronisation failure, including the re-
synchronisation token AUTS, and abandons the
procedure. The remaining paragraphs therefore apply
for the case where SQN is acceptable
6) The USIM then computes the response RES =
f2K(RAND) and triggers the ME to send back a user
authentication response back to the VLR or SGSN,
with an indication of successful receipt of the signed
challenge and including the response RES.

7) Finally the user computes the cipher key CK = f3K

(RAND) and the integrity key IK = f4K (RAND).
DATA INTEGRITY ON THE AIR
INTERFACE

AIR INTERFACE INTEGRITY MECHANISM

To protect against false base station attacks, the
receiving entity (MS or SN) must be able to verify that
signalling data has not been modified in an unauthorised
way since it was sent by the sending entity (SN or MS).

This is achieved by the inclusion of a data integrity

function for signalling data. GSM does not have this
functionality.

The Message Authentication Code (MAC) function f9 is

used to authenticate the data integrity and data origin of
signalling data transmitted between the Mobile
Equipment (ME) and the Radio Network Controller
(RNC). The MAC function f9 is allocated to the ME and
the RNC. For 3GRelease 99, f9 is based on the Kasumi
algorithm.
The input parameters to the algorithm are:
• the integrity key IK, which is 128 bits long.

• An integrity sequence number (COUNT-I) and a

random value generated by the radio network controller
(FRESH). COUNT-I and FRESH are each 32 bits long.
Together, they provide replay protection.

• A direction identifier (DIRECTION) .

• The RRC signalling message content (MESSAGE).

CIPHERING/CONFIDENTIALITY
procedure in 3G
The input parameters to the algorithm are:

• The cipher key CK, which is 128 bits long.

• The time dependent input COUNT-C of length 32 bits

• The bearer identity BEARER.

• The direction of transmission DIRECTION; and

• The length of the required key stream LENGTH

AIR INTERFACE CONFIDENTIALITY MECHANISM
Based on these input parameters the algorithm
generates the output key stream block KEYSTREAM,
which is used to encrypt the input plaintext block
PLAINTEXT to produce the output ciphertext block
CIPHERTEXT.
 USER TRAFFIC CONFIDENTIALITY

The following security features are provided with respect

to confidentiality of data on the network access link:

Ciphering algorithm agreement: The MS and the SN can

securely negotiate the ciphering algorithm that they use.

Cipher key agreement: The MS and the SN agree on a

cipher key that they may use subsequently; This is
realised as part of the protocol that also provides entity
authentication.
• Confidentiality of user and signalling data: Neither user
data nor sensitive signalling data can be overheard on
the radio access interface. This security feature is the
same as in GSM, but the entities between which
protection is afforded are different. In UMTS, the
protection extends to the Radio Network Controller
(RNC) so that microwave links between the base
stations and the RNC are also covered.
USER IDENTITY CONFIDENTIALITY
The following security features related to user identity
confidentiality are provided:
• User identity confidentiality: The permanent user
identity (IMSI) of a user to whom services are delivered
cannot be eavesdropped on the radio access link.

• User location confidentiality: The presence or the

arrival of a user in a certain area cannot be determined
by eavesdropping on the radio access link.
• User untraceability: An intruder cannot deduce
whether different services are delivered to the same
user by eavesdropping on the radio access link.
 IMPLEMENTATION OF CIPHERING /F8
ALGORITHM
• STEP 1: START
• STEP 2: Enter the values of count[ ] with 32 bits ,Bearer[ ] with
5 bits ,Dir with 1 bit , key modifier[ ] with 128 bits ,key[ ] with
128 bits ,Rand[ ] with 128 bits
• STEP 3 : Enter the string and calculate its length (L).
• STEP 4: Calculate ASCII code of each character in string &
then convert the ASCII code in 8 bits binary code & store it in
IBS [ ] i.e input bit stream. Now length in bits LEN = len *8.
• STEP 5: Calculate number of Blocks (BLK).
BLK = LEN/64 if LEN%64 == 0
else
BLK = LEN/64+1
IMPLEMENTATION OF CIPHERING /F8
ALGORITHM
STEP 6: Calculate register A with 64 bits by
concatenating 32 bits of counter then 5 bits of
bearer then 1 bit dir then 1 dir bit &then 26 ‘0’ bits
to get total of 64 bits.
STEP 7: Calculate the confidential key (CK) by
taking XOR of key K [ ] &Rand [ ].
STEP 8: Calculate KASUMI of A with 128 bit key
which we will get by taking XOR of key modifier &
confidential key .Store the 64 bit output in register
A.
STEP 9: Assume KSB(0) = zero & BLKCNT to zero
initially.
STEP 10: We will calculate further values of key
stream blk by taking kasumi of 64 bit input which we
will get by taking XOR of A & blkcnt &KSB(n-1) with
confidential key as 128 bit key .

STEP 11: We will calculate keystream KS by the

values of KSB.

STEP 12: We will get Cipher text block by taking

XOR of plaintext block by keystream.

STEP 13: To decrypt we will take XOR of Cipher

text which is at the input end where decryption will
take place with keystream KS to get original plain
text
STEP 14: To convert plain text in to string we will
take 8 bit pairs from starting & calculate ASCII &
then convert it in to string.

STEP 15: END