Content for  TS 33.102  Word version:  17.0.0

Authentication and key setting are triggered by the authentication procedure and described in 6.3. Authentication and key setting may be initiated by the network as often as the network operator wishes. Key setting can occur as soon as the identity of the mobile subscriber (i.e. P-TMSI, TMSI or IMSI) is known by the VLR/SGSN. The CK and IK are stored in the VLR/SGSN and transferred to the RNC when needed. The CK and IK for the CS domain are stored on the USIM and updated at the next authentication from this domain as specified in subclause 6.8.1.5. The CK and IK for the PS domain are stored on the USIM and updated at the next authentication from this domain as specified in subclause 6.8.1.5. If an authentication procedure is performed during a connection (PS or CS mode), the new cipher key CK and integrity key IK shall be taken in use in both the RNC and the ME as part of the security mode set-up procedure (see 6.4.5) that follows the authentication procedure.

When an MS wishes to establish a connection with the network, the MS shall indicate to the network in the MS/USIM Classmark which cipher and integrity algorithms the MS supports. This information itself must be integrity protected. As it is the case that the RNC does not have the integrity key IK when receiving the MS/USIM Classmark this information must be stored in the RNC. The data integrity of the classmark is performed, during the security mode set-up procedure by use of the most recently generated IK (see clause 6.4.5). The network shall compare its integrity protection capabilities and preferences, and any special requirements of the subscription of the MS, with those indicated by the MS and act according to the following rules:

1. If the MS and the network have no versions of the UIA algorithm in common, then the connection shall be released.
2. If the MS and the network have at least one version of the UIA algorithm in common, then the network shall select one of the mutually acceptable versions of the UIA algorithm for use on that connection.

The network shall compare its ciphering capabilities and preferences, and any special requirements of the subscription of the MS, with those indicated by the MS and act according to the following rules:

1. If the MS and the network have no versions of the UEA algorithm in common and the network is not prepared to use an unciphered connection, then the connection shall be released.
2. If the MS and the network have no versions of the UEA algorithm in common and the user (respectively the user's HE) and the network are willing to use an unciphered connection, then an unciphered connection shall be used.
3. If the MS and the network have at least one version of the UEA algorithm in common, then the network shall select one of the mutually acceptable versions of the UEA algorithm for use on that connection.

Because of the separate mobility management for CS and PS services, one CN domain may, independent of the other CN, establish a connection to one and the same MS. Change of ciphering and integrity mode (algorithms) at establishment of a second MS to CN connection shall not be permitted. The preferences and special requirements for the ciphering and integrity mode setting shall be common for both domains. (e.g. the order of preference of the algorithms).

Authentication and key agreement, which generates cipher/integrity keys, is not mandatory at call set-up, and there is therefore the possibility of unlimited and malicious re-use of compromised keys. A mechanism is needed to ensure that a particular cipher/integrity key set is not used for an unlimited period of time, to avoid attacks using compromised keys. The UE shall therefore contain a mechanism to limit the amount of data that is protected by an access link key set. For this purpose, a value called THRESHOLD is set by the operator, stored in the USIM and read out by the ME upon power on. Each time an RRC connection is released the values STARTCS and STARTPS of the bearers that were protected in that RRC connection are compared with THRESHOLD. If STARTCS and/or STARTPS are greater than or equal to THRESHOLD, the ME sets the START value in the ME for the corresponding core network domain(s) to zero, deletes the cipher key and the integrity key stored on the USIM and the ME and sets the KSI to invalid (refer to clause 6.4.4). Otherwise, the STARTCS and STARTPS are stored in the ME. The ME shall write back the values of STARTCS and/or STARTPS to the USIM only when the UE is about to power off in a controlled manner and there are valid UTRAN keys for that domain. When the UE has powered on and before attempting to connect to any network, the ME reads the START values from the USIM and stores them in the volatile memory of ME. If STARTCS and/or STARTPS read from the USIM are greater than or equal to THRESHOLD or the KSI on the USIM is invalid, the ME sets the START value in the ME for the corresponding core network domain(s) to zero. The ME then marks the START values in the USIM as invalid by setting STARTCS and STARTPS to THRESHOLD. In addition for the former case, the ME deletes the cipher key and the integrity key stored on the USIM and sets the KSI to invalid (refer to clause 6.4.4). When an RRC connection is established the ME uses the START values from the volatile memory of the ME. The ME shall trigger the generation of a new access link key set (a cipher key and an integrity key) for a core network domain if either the START value for that domain in the ME is greater than or equal to THRESHOLD or if there are no valid keys in the ME nor in the USIM for that domain. In addition for the former case, the ME deletes the cipher key and the integrity key stored on the USIM, sets the KSI to invalid (refer to clause 6.4.4) and sets the corresponding START value(s) in the ME to zero. This mechanism will ensure that a cipher/integrity key set cannot be reused beyond the limit set by the operator. When the user is attached to a UTRAN, a R99+ ME with a SIM inserted shall use a default value for maximum value of STARTCS or STARTPS as described in clause 6.8.2.4. This maximum value of STARTCS or STARTPS corresponds to THRESHOLD as described in the present clause.

The key set identifier (KSI) is a number which is associated with the cipher and integrity keys derived during authentication. The key set identifier is allocated by the network and sent with the authentication request message to the mobile station where it is stored together with the calculated cipher key CK and integrity key IK. KSI in UMTS corresponds to CKSN in GSM. The USIM stores one KSI/CKSN for the PS domain key set and one KSI/CKSN for the CS domain key set. The purpose of the key set identifier is to make it possible for the network to identify the cipher key CK and integrity key IK which are stored in the mobile station without invoking the authentication procedure. This is used to allow re-use of the cipher key CK and integrity key IK during subsequent connection set-ups. KSI and CKSN have the same format. The key set identifier is three bits. Seven values are used to identify the key set. A value of '111' is used by the mobile station to indicate that a valid key is not available for use. At deletion of the cipher key and integrity key, the KSI is set to '111'. The value '111' in the other direction from network to mobile station is reserved.

This clause describes one common procedure for both ciphering and integrity protection set-up. It is mandatory to start integrity protection of signalling messages by use of this procedure at each new signalling connection establishment between MS and VLR/SGSN. The five exceptions when it is not mandatory to start integrity protection are:

• If the only purpose with the signalling connection establishment and the only result is periodic location registration, i.e. no change of any registration information.
• If there is no MS-VLR/SGSNsignalling after the initial L3 signalling message sent from MS to VLR/SGSN, i.e. in the case of deactivation indication sent from the MS followed by connection release.
• If the only MS-VLR/SGSN signalling after the initial L3 signalling message sent from MS to VLR/SGSN, and possible user identity request and authentication (see below), is a reject signalling message followed by a connection release. However, it shall be mandatory for the VLR/SGSN to start integrity protection before sending a reject signalling message that causes the CSG list on the UE to be modified.
• If the call is an emergency call teleservice as defined in TS 22.003, see clause 6.4.9.2 below.
• If the PS connection establishment is for an emergency session, see clause 6.4.9.2 below.

When the integrity protection shall be started, the only procedures between MS and VLR/SGSN that are allowed after the initial connection request (i.e. the initial Layer 3 message sent to VLR/SGSN) and before the security mode set-up procedure are the following:

• Identification by a permanent identity (i.e. request for IMSI, IMEI or IMEISV), and
• Authentication and key agreement.

The message sequence flow below describes the information transfer at initial connection establishment, possible authentication and start of integrity protection and possible ciphering.

Detailed description of the flow above: The Security mode command to MS starts the downlink integrity protection, i.e. this and all following downlink messages sent to the MS are integrity protected using the new integrity configuration. The Security mode complete from MS starts the uplink integrity protection, i.e. this and all following messages sent from the MS are integrity protected using the new integrity configuration. When ciphering shall be started, the Ciphering Activation time information that is exchanged between SRNC and MS during the Security mode set-up procedure sets the RLC Sequence Number/Connection Frame Number when to start ciphering in Downlink respective Uplink using the new ciphering configuration. Mechanisms are defined to allow networks to overcome early UE implementation faults [22]. A potential early UE implementation fault could be a faulty UEA1 implementation. To allow networks to handle early UEs which have faulty UEA1 implementations, the SGSN/VLR may configure the security mode command based on the UE's IMEISV so that certain UEs which claim to support UEA1 shall have security established without ciphering (i.e. with UEA0), while other UEs which claim to support UEA1 shall have security established with ciphering (i.e. with UEA1). This procedure shall involve the SGSN/VLR retrieving the IMEISV from the UE before the security mode set-up procedure has started. If the above procedure to handle UEs which have faulty UEA1 implementations is implemented and the security mode set-up procedure results in security being established without ciphering (i.e. with UEA0) then the SGSN/VLR shall request the IMEISV from the UE for a second time immediately after the security mode set-up procedure has been completed. This second IMEISV request is integrity protected. If the IMEISV request is not successful, or if the second IMEISV received is different from the IMEISV received before the security mode set-up procedure was started then the connection shall be released.

The supervision of failed integrity checks shall be performed both in the MS and the SRNC. In case of failed integrity check (i.e. faulty or missing MAC) is detected after that the integrity protection is started the concerned message shall be discarded. This can happen on the RNC side or on the MS side.

The following procedure is used by the RNC to periodically perform a local authentication. At the same time, the amount of data sent during the RRC connection is periodically checked by the RNC and the UE. The RNC is monitoring the COUNT-C value associated to each radio bearer. The procedure is triggered whenever any of these values reaches a critical checking value. The granularity of these checking values and the values themselves are defined by the visited network. All messages in the procedure are integrity protected.

1. When a checking value is reached (e.g. the value in some fixed bit position in the hyperframe number is changed), a Counter Check message is sent by the RNC. The Counter Check message contains the most significant parts of the COUNT-C values (which reflect amount of data sent and received) from each active radio bearer.
2. The UE compares the COUNT-C values received in the Counter Check message with the values of its radio bearers. Different UE COUNT-C values are included within the Counter Check Response message.
3. If the RNC receives a counter check response message that does not contain any COUNT-C values, the procedure ends. If the RNC receives a counter check response that contains one or several COUNT-C values, the RNC may release the connection.

The ciphering and integrity protection algorithms are driven by counters (COUNT-C and COUNT-I) that at connection establishment need to be initialised. For that purpose the ME and the USIM have the ability to store a START value. The ME and the USIM store a STARTCS value for the CS cipher/integrity keys and a STARTPS value for the PS cipher/integrity keys. The length of START is 20 bits. The ME only contains (valid) START values when it is powered-on and a USIM is inserted. When the ME is powered-off or the USIM is removed, the ME deletes its START values and the Kc 128 if one was derived. After power-on or insertion of a USIM, the USIM sends its START values to the ME, and the ME stores them. At radio connection establishment for a particular serving network domain (CS or PS) the ME sends the STARTCS and the STARTPS value to the RNC in the RRC connection setup complete message. The ME and the RNC initialise the 20 most significant bits of the RRC HFN (for integrity protection), the RLC HFN (for ciphering) and the MAC-d HFN (for ciphering) to the START value of the corresponding service domain; the remaining bits are initialised to 0. Also the RRC SN (for integrity protection) and the RLC SN (for ciphering) are initialised to 0. During an ongoing radio connection, the STARTCS value in the ME and in the SRNC is defined as the 20 most significant bits of the maximum of all current COUNT-C and COUNT-I values for all signalling radio bearers and CS user data radio bearers protected using CK CS and/or IK CS, incremented by2, i.e.:

• If current STARTCS < STARTCS' then STARTCS = STARTCS', otherwise STARTCS is unchanged.

Likewise, during an ongoing radio connection, the STARTPS value in the ME and in the SRNC is defined as the 20 most significant bits of the maximum of all current COUNT-C and COUNT-I values for all signalling radio bearers and PS user data radio bearers protected using CK PS and/or IK PS, incremented by2, i.e.:

• If current STARTPS < STARTPS' then STARTPS = STARTPS', otherwise STARTPS is unchanged.

If any of the COUNT-C or COUNT-I assigned to the radio bearers of the same CN domain reaches its maximum value, the ME and SRNC shall set START of the corresponding CN domain to its maximum value. The handling of the START values for new keys obtained from an authentication and key agreement run is described in clause 4.1.1.8 of TS 24.008 and clause 8.1.12.3.1 of TS 25.331.

PLMNs shall support an emergency call teleservice as defined in TS 22.003 which fulfils the additional service requirements defined in TS 22.101. The PS domain of a PLMN may support establishment of PS connections for the purposes of IP multimedia subsystem emergency sessions as defined in TS 23.167 which fullfills service requirements defined in TS 22.101. IMS Emergency Session Support in the PS domain is specified in TS 23.060.