A mechanism to support the use of multiple authentication and key agreement algorithms is useful for disaster recovery purposes. AMF may be used to indicate the algorithm and key used to generate a particular authentication vector. The USIM keeps track of the authentication algorithm and key identifier and updates it according to the value received in an accepted network authentication token.

This mechanism is used in conjunction with the mechanism for the verification of sequence number freshness in the USIM described in C.2.2. The USIM shall also be able to put a limit L on the difference between SEQ MS (the highest SEQ accepted so far) and a received sequence number SEQ. A mechanism to change this parameter L dynamically is useful since the optimum for these parameters may change over time. AMF is used to indicate a new value of L to be used by the USIM.

According to clause 6.4.3, the USIM contains a mechanism to limit the amount of data that is protected by an access link key set. The AMF field may be used by the operator to set or adjust this limit in the USIM. For instance, there could be two threshold values and the AMF field instructs the USIM to switch between them. The USIM keeps track of the limit to the key set life time and updates it according to the value received in an accepted network authentication token.

RNCs may be deployed at exposed locations where they run a higher risk of physical attack than RNCs in physically protected parts of the operator domain. For such deployments, RNCs adhering to the security requirements in this Annex should be used. RNCs in other deployments are not required to adhere to these requirements. RNCs may be found in exposed locations e.g. when RNC and NB are co-located in one node (collapsed RNC / NBs).

In order to protect the Iu and Iur interfaces as required by Annex X.2.3 and Annex X.2.4, it is required to implement IPsec ESP as specified and profiled by TS 33.210, with confidentiality, integrity and replay protection. IKEv2 with certificates based authentication shall be implemented. The certificates shall be implemented according to the profile described by TS 33.310. IKEv2 shall be implemented conforming to the IKEv2 profile described in TS 33.310. For Iu and Iur, tunnel mode IPsec is mandatory to implement. On the core network side a SEG may be used to terminate the IPsec tunnel. Transport mode IPsec is optional for implementation on Iu and Iur. If the sender of IPsec traffic uses DiffServ Code Points (DSCPs) to distinguish different QoS classes, either by copying DSCP from the inner IP header or directly setting the encapsulating IP header's DSCP, the resulting traffic may be reordered to the point where the receiving node's anti-replay check discards the packet. If different DSCPs are used on the encapsulating IP header, then to avoid packet discard under one IKE SA and with the same set of traffic selectors, distinct child-SAs should be established for each of the traffic classes (using the DSCPs as classifiers) as is specified in RFC 4301.

This A shows how the AUTS calculation could be modified in order to avoid keystream re-use during AKA re-synchronisations procedure. The f5* function given in clause 6.3.3 only has RAND as a non-key input and hence if an authentication challenge (RAND, AUTN) is replayed, then the same AK is calculated which is then used to protect different SQN MS values. This possibly leaks some bits of SQN MS as shown in Borgaonkar et al (2019) [43]. If this is a concern to an operator, then a modified f5* function using MAC-S as an additional input can be used as shown in Figure J.1-1 with the dashed line showing the change from clause 6.3.3.

When using the modified f5* function, the re-synchronisation proceeds as described in clauses 6.3.3 and 6.3.5 with the following changes:

• in clause 6.3.3, the USIM calculates AUTS = Conc(SQN MS ) || MAC S where Conc(SQN MS) = SQN MS ⊕ f5*K(RAND, MAC-S) and MAC-S is calculated as given in clause 6.3.3; and
• in clause 6.3.5, the HE/AuC retrieves SQN MS from Conc(SQN MS) by computing Conc(SQN MS) ⊕ f5*K(RAND, MAC-S).