Content for  TS 33.102  Word version:  17.0.0

For UMTS subscribers, authentication and key agreement will be performed as follows:

• UMTS AKA shall be applied when the user is attached to a UTRAN.
• UMTS AKA shall be applied when the user is attached to a GSM BSS, in case the user has a ME capable of UMTS AKA and also the VLR/SGSN is R99+. In this case, the 64-bit GSM cipher key Kc is derived from the UMTS cipher/integrity keys CK and IK, by the VLR/SGSN on the network side and by the USIM on the user side.The 128-bit GSM cipher key Kc 128 is derived from the UMTS cipher/integrity keys CK and IK, by the VLR/SGSN on the network side and by the ME on the user side if needed to support 128-bit ciphering algorithms in GSM as described in subclause 6.3.3 of this specification.
• GSM AKA shall be applied when the user is attached to a GSM BSS, in case the user has a ME not capable of UMTS AKA. In this case, the GSM user response SRES and the 64-bit GSM cipher key Kc are derived from the UMTS user response RES and the UMTS cipher/integrity keys CK and IK. A R98- VLR/SGSN uses the stored Kc and RES and a R99+ VLR/SGSN derives the SRES from RES and Kc from CK, IK.
• GSM AKA shall be applied when the user is attached to a GSM BSS, in case the VLR/SGSN is R98-. In this case, the USIM derives the GSM user response SRES and the GSM cipher key Kc from the UMTS user response RES and the UMTS cipher/integrity keys CK, IK.

The execution of the UMTS (resp. GSM) AKA results in the establishment of a UMTS (resp. GSM) security context between the user and the serving network domain to which the VLR/SGSN belongs. The user needs to separately establish a security context with each serving network domain. Figure 18 shows the different scenarios that can occur with UMTS subscribers in a mixed network architecture.

Note that the UMTS parameters RAND, AUTN and RES are sent transparently through the UTRAN or GSM BSS and that the GSM parameters RAND and SRES are sent transparently through the GSM BSS. In case of a GSM BSS, ciphering is applied in the GSM BSS for services delivered via the MSC/VLR, and by the SGSN for services delivered via the SGSN. In the latter case the GSM cipher keys Kc or Kc 128 are not sent to the GSM BSS. In case of a UTRAN, ciphering and integrity are always applied in the RNC, and the UMTS cipher/integrity keys CK an IK are always sent to the RNC.

Upon receipt of an authentication data request from a R99+ VLR/SGSN for a UMTS subscriber, a R99+ HLR/AuC shall send quintets, generated as specified in 6.3. Upon receipt of an authentication data request from a R98- VLR/SGSN for a UMTS subscriber, a R99+ HLR/AuC shall send triplets, derived from quintets using the following conversion functions:

1. c1: RAND[GSM] = RAND
2. c2: SRES[GSM] = XRES*1 xor XRES*2 xor XRES*3 xor XRES*4
3. c3: Kc[GSM] = CK1 xor CK2 xor IK1 xor IK2

whereby XRES* is 16 octets long and XRES* = XRES if XRES is 16 octets long and XRES* = XRES || 0...0 if XRES is shorter than 16 octets, XRES*i are all 4 octets long and XRES* = XRES*1 || XRES*2 || XRES*3 || XRES*4, CKi and IKi are both 64 bits long and CK = CK1 || CK2 and IK = IK1 || IK2

The AKA procedure will depend on the terminal capabilities, as follows: UMTS subscriber with R99+ ME When the user has R99+ ME, the VLR/SGSN shall send the ME a UMTS authentication challenge (i.e. RAND and AUTN) using a quintet that is either:

1. retrieved from the local database,
2. provided by the HLR/AuC, or
3. provided by the previously visited R99+ VLR/SGSN.

When the ME is capable of the USIM-ME interface, then UMTS AKA is performed and the VLR/SGSN receives the UMTS response RES.

• UMTS AKA results in the establishment of a UMTS security context; the UMTS cipher/integrity keys CK and IK and the key set identifier KSI are stored in theVLR/SGSN.
• When the user is attached to a UTRAN, the UMTS cipher/integrity keys are sent to the RNC, where the cipher/integrity algorithms are allocated.
• When the user is attached to a GSM BSS, UMTS AKA is followed by the derivation of the GSM cipher keys Kc (and Kc 128 when needed)from the UMTS cipher/integrity keys. When the user receives service from an MSC/VLR, the derived cipher keys Kc (and Kc 128 when needed) are then sent to the BSC (and forwarded to the BTS). When the user receives service from an SGSN, the derived cipher key Kc or Kc 128 applied in the SGSN itself.
• UMTS authentication and key freshness is always provided to UMTS subscribers with R99+ ME independently of the radio access network.

When the ME is not capable of the USIM-ME interface, then GSM AKA is performed and the VLR/SGSN receives the GSM response SRES.

• GSM AKA results in the establishment of a GSM security context; the 64-bit GSM cipher key Kc and the cipher key sequence number CKSN are stored in the VLR/SGSN.

The R99+ VLR/SGSN shall reject authentication if SRES is received in response of a UMTS challenge (RAND, AUTN) over an Iu-Interface. The R99+ VLR/SGSN shall accept authentication if a valid SRES is received in response of a UMTS challenge (RAND, AUTN) over A or Gb-Interface. This will happen in case a UICC is inserted in a ME that is not capable of UMTS AKA and is attached to a GSM BSS. In this case the R99+ VLR/SGSN uses function c2 to convert RES (from the quintet) to SRES to verify the received SRES. UMTS subscriber with R98- ME When the user has R98- ME, the R99+ VLR/SGSN sends the ME a GSM authentication challenge using a triplet that is either:

1. derived by means of the conversion functions c2 and c3 in the R99+ VLR/SGSN from a quintet that is:
   1. retrieved from the local database,
   2. provided by the HLR/AuC, or
   3. provided by the previously visited R99+ VLR/SGSN, or
2. provided as a triplet by the previously visited VLR/SGSN.

GSM AKA results in the establishment of a GSM security context; the 64-bit GSM cipher key Kc and the cipher key sequence number CKSN are stored in the VLR/SGSN. In this case the user is attached to a GSM BSS. When the user receives service from an MSC/VLR, the 64-bit GSM cipher key is sent to the BSC (and forwarded to the BTS). When the user receives service from an SGSN, the derived cipher key Kc is applied in the SGSN itself. UMTS authentication and key freshness cannot be provided to UMTS subscriber with R98- ME.

Release 99+ ME that has UTRAN radio capability shall support the USIM-ME interface as specified in TS 31.102. Rel4- ME that has no UTRAN radio capabilities may support the USIM-ME interface as specified in TS 31.102. Rel5+ ME that has no UTRAN radio capabilities shall support the USIM-ME interface as specified in TS 31.102. A ME capable of UMTS AKA with a USIM active and attached to a UTRAN shall only participate in UMTS AKA and shall not participate in GSM AKA. A ME capable of UMTS AKA with a USIM active and attached to a GSM BSS shall participate in UMTS AKA and may participate in GSM AKA. Participation in GSM AKA is required to allow registration in a R98- VLR/SGSN. However, the use of GSM AKA in the MS shall be disabled on a particular visited network if instructed to do so by the USIM application. The mechanism is based on an EF 'Disabled Authentications' in the USIM application containing the unauthorized authentication methods per visited network. If the EF 'Disabled Authentications' is present and active, then the authentication methods marked as disabled shall not be used by the MS in the corresponding visited network. The disabled authentication method may be defined on a global, per country or per network basis. The relevant file in the USIM application is managed by the home operator based on information supplied to the home operator by the visited network. A ME that not capable of UMTS AKA with a USIM active can only participate in GSM AKA. The execution of UMTS AKA results in the establishment of a UMTS security context; the UMTS cipher/integrity keys CK and IK and the key set identifier KSI are passed to the ME. If the USIM supports conversion function c3 and/or GSM AKA, the ME shall also receive a 64-bit GSM cipher key Kc derived at the USIM. If the ME supports 128-bit ciphering algorithms A5 and/or GEA for GSM, the ME shall also support the key derivation function for Kc 128 as specified in Annex B.5. The execution of GSM AKA results in the establishment of a GSM security context; the 64-bit GSM cipher key Kc and the cipher key sequence number CKSN are stored in the ME.

The USIM shall support UMTS AKA and may support backwards compatibility with the GSM system, which consists of: Feature 1: Feature 2: Feature 3: When the ME provides the USIM with RAND and AUTN, UMTS AKA shall be executed. If the verification of AUTN is successful, the USIM shall respond to the ME with the UMTS user response RES and the UMTS cipher/integrity keys CK and IK. The ME shall store CK and IK as current security context data on the USIM. If the USIM supports access to 64-bit GSM cipher key derivation (feature 1), the USIM shall also derive the 64-bit GSM cipher key Kc from the UMTS cipher/integrity keys CK and IK using conversion function c3 and send the derived Kc to the ME. In case the verification of AUTN is not successful, the USIM shall respond with an appropriate error indication to the ME. When the ME provides the USIM with only RAND, and the USIM supports GSM AKA (Feature 2), GSM AKA shall be executed. The USIM first computes the UMTS user response RES and the UMTS cipher/integrity keys CK and IK. The USIM then derives the GSM user response SRES and the 64-bit GSM cipher key Kc using the conversion functions c2 and c3 and send the GSM user response SRES and the 64-bit GSM cipher key Kc to the ME. The ME shall store the 64-bit GSM cipher key Kc as the current security context on the USIM. In case the USIM does not support 64-bit GSM cipher key derivation (Feature 1) or GSM AKA (Feature 2), the ME shall be informed. An ME with a USIM that does not support GSM cipher key derivation (Feature 1) shall not perform the GSM cipher key derivation (conversion function c3) in the ME and therefore cannot operate in any GSM BSS with 64-bit key ciphering enabled. An ME with a USIM that does not support GSM AKA (Feature 2) cannot operate under a R98- VLR/SGSN. A USIM that does not support GSM AKA (Feature 2) cannot work within a ME that is not capable of UMTS AKA.

For GSM subscribers, GSM AKA shall always be used. The execution of the GSM AKA results in the establishment of a GSM security context between the user and the serving network domain to which the VLR/SGSN belongs. The user needs to separately establish a security context with each serving network domain. When in a UTRAN, the UMTS cipher/integrity keys CK and IK are derived from the GSM cipher key Kc by the ME and the VLR/SGSN, both R99+ entities. Figure 19 shows the different scenarios that can occur with GSM subscribers using either R98- or R99+ ME in a mixed network architecture.

Note that the GSM parameters RAND and RES are sent transparently through the UTRAN or GSM BSS. In case of a GSM BSS, ciphering is applied in the GSM BSS for services delivered via the MSC/VLR, and by the SGSN for services delivered via the SGSN. In the latter case the GSM cipher key Kc is not sent to the GSM BSS. In case of a UTRAN, ciphering is always applied in the RNC, and the UMTS cipher/integrity keys CK an IK are always sent to the RNC.

Upon receipt of an authentication data request for a GSM subscriber, a R99+ HLR/AuC shall send triplets generated as specified in TS 43.020.

The R99+ VLR/SGSN shall perform GSM AKA using a triplet that is either:

1. retrieved from the local database,
2. provided by the HLR/AuC, or
3. provided by the previously visited VLR/SGSN.

GSM AKA results in the establishment of a GSM security context; the GSM cipher key Kc and the cipher key sequence number CKSN are stored in the VLR/SGSN. When the user is attached to a UTRAN, the R99+ VLR/SGSN derives the UMTS cipher/integrity keys from the GSM cipher key using the following conversion functions:

1. c4: CK[UMTS] = Kc || Kc;
2. c5: IK[UMTS] = Kc1 xor Kc2 || Kc || Kc1 xor Kc2;

whereby in c5, Kci are both 32 bits long and Kc = Kc1 || Kc2. The UMTS cipher/integrity keys are then sent to the RNC where the ciphering and integrity algorithms are allocated. When the user is attached to a GSM BSS and the user receives service from an MSC/VLR, the cipher key Kc is sent to the BSC (and forwarded to the BTS). When the user receives service from an SGSN, the cipher key Kc is applied in the SGSN itself.

R99+ ME with a SIM inserted, shall participate only in GSM AKA. GSM AKA results in the establishment of a GSM security context; the GSM cipher key Kc and the cipher key sequence number CKSN are stored in the ME. When the user is attached to a UTRAN, R99+ ME shall derive the UMTS cipher/integrity keys CK and IK from the GSM cipher key Kc using the conversion functions c4 and c5. The ME shall handle the STARTCS and STARTPS as described in clause 6.4.8 with the exception that the START values shall be stored in non-volatile memory on the ME rather than on the GSM SIM. If a different SIM is inserted then the ME shall delete the GSM cipher keys for the PS and CS domain (Kc), the derived UMTS cipher/integrity keys (CK and IK) for the PS and CS domain, and reset the START values to zero. The ME shall then trigger a new authentication and key agreement at the next connection establishment by indicating to the network that no valid keys are available for use using the procedure described in clause 6.4.4. When the user is attached to a UTRAN, a R99+ ME with a SIM inserted shall use a default value of all ones for maximum value of STARTCS or STARTPS. The ME shall handle the maximum value of STARTCS or STARTPS as described in clause 6.4.3 with the exception that the maximum value of STARTCS or STARTPS is stored on the ME rather than on the GSM SIM.