Content for TS 33.204 Word version: 17.0.0

5.1 Security services provided by TCAPsec 5.2 Properties and tasks of an SS7-SEG 5.3 Policy requirements for the TCAPsec Security Policy Database (SPD) 5.4 TCAPsec security association attribute definition 5.5 TCAPsec structure of protected messages 5.6 TCAPsec algorithms

5 TCAP user security (TCAPsec) p. 9

5.1 Security services provided by TCAPsec p. 9

The security services provided by TCAPsec are:

data integrity;
data origin authentication;
anti-replay protection;
confidentiality (optional).

5.2 Properties and tasks of an SS7-SEG p. 9

An SS7-SEG shall maintain the following databases:

SPD-SEG: A database containing TCAPsec policy information (see clause 5.3);
SAD-SEG: A database containing TCAPsec SA information. SS7-SEG shall monitor the SA hard expiry time and expired SAs shall be deleted from the database (see clause 5.4).

SS7-SEG shall be able to perform the following operations:

Secure TCAP user signalling (i.e. send/receive protected or unprotected messages) according to information in SPD-SEG and SAD-SEG. The structure of protected messages is defined in clause 5.5 and the protection algorithms are defined in clause 5.6.

5.3 Policy requirements for the TCAPsec Security Policy Database (SPD) p. 10

The security policies for TCAPsec key management are specified in the SS7-SEG's SPD. SPD entries define per peer network whether protection shall be applied, and if protection shall be applied then which protection mode shall be used. SPD entries of different SS7-SEGs within the same network shall be consistent.

Fallback to unprotected mode:

The "fallback to unprotected mode" (enabled/disabled) is a parameter for the receiving direction per network, if enabled it allows the receiving network to accept unprotected traffic as well as protected traffic. If disabled, only protected traffic is to be accepted
The use of the fallback indicator is specified in Annex B;
The security measures specified in this TS are only fully useful for a particular network if it disallows fallback to unprotected mode for TCAP user messages received from any other network.

Explicit policy configuration:

The SPD shall contain an entry for each network the SS7-SEG is allowed to communicate with.
Protection granularity:
SPD administration shall be allowed on TCAP user application part level for each network the SS7-SEG is allowed to communicate with.

Migration support between protection modes:

An SPD entry may contain two protection modes for the same network. If this is the case then both protection modes shall be acceptable for incoming messages, but only one (preferred) protection mode shall be used for outgoing messages.

5.4 TCAPsec security association attribute definition p. 10

The TCAPsec security association shall contain the following data elements which can be classified in two groups

SA Identification attributes i.e. Network Ids and SPI:
In sending direction the SA identification is based on Destination Network Id. Per Destination Network Id more than one SA may exist. In the case where more than one valid SA is available at the SAD, the sending SS7-SEG shall choose the SA with the earliest soft expiry time.
In receiving direction the used SPI from within the TCAPsec security header can be used to retrieve the Origin Network Id.
Assigned cryptographic parameters per SPI:

Key and algorithm identifiers and SA lifetime.

SA Identification attributes:

Destination Network Id:
The Destination Network Id is a concatenation of the Country Code (CC) and National Destination Code (NDC) of the receiving network. The Destination Network-Id is used to identify which SAD-entry shall be used when traffic protection is needed.
Security Parameters Index (SPI):
SPI is a 32-bit value that is used in combination with Destination Network Id to uniquely identify a TCAPsec SA. The SPI is used to identify which SAD entry shall be used when de-protecting traffic. Therefore the SPI needs to be assigned by the destination network.
Origin Network Id:
The Origin Network Id is a concatenation of the Country Code (CC) and National Destination Code (NDC) of the sending network.

Cryptographic parameters per SPI:

SS7 Security Gateway Encryption Algorithm identifier (SEA):
Identifies the encryption algorithm. Mode of operation of algorithm is implicitly defined by the algorithm identifier. Mapping of algorithm identifiers is defined in clause 5.6.
SS7 Security Gateway Encryption Key (SEK):
Contains the encryption key. The length of SEK is defined according to the algorithm identifier.
SS7 Security Gateway Integrity Algorithm identifier (SIA):
Identifies the integrity algorithm. Mode of operation of algorithm is implicitly defined by the algorithm identifier. Mapping of algorithm identifiers is defined in clause 5.6.
SS7 Security Gateway Integrity Key (SIK):
Contains the integrity key. The length of SIK is defined according to the algorithm identifier.
SA Hard Expiry Time:
Defines the actual expiry time of the SA. The Hard Expiry Time shall be given in UTC time with format YYYY-MM-DDThh:mm:ssTZD as described by W3C DTF [7].
SA Soft Expiry Time:
Defines Soft Expiry Time of the SA for outbound traffic. The format of the Soft Expiry Time is the same as the Hard Expiry Time. The SA Soft Expiry Time is determined by the Originating Network and shall expire before the SA Hard Expiry Time.

After the Hard Expiry Time has been reached, the SA shall no longer be used for inbound or outbound traffic. When the Soft Expiry Time is reached, the SA shall not be used any longer for the outbound traffic unless no other valid SA exists.

5.5 TCAPsec structure of protected messages p. 11

TCAPsec provides following protection modes and these are defined as follows:

Protection Mode 1: Integrity, Authenticity
Protection Mode 2: Confidentiality, Integrity, and Authenticity

In case a TCAP message does not require protection (as indicated by the SPD) then the message shall be routed unchanged by the SS7-SEG.

TCAP messages protected by means of TCAPsec include a Security Header and a Protected Payload.

Secured TCAP user messages have the following structure:

Security Header

Protected Payload

For detailed message structure see TS 29.204. In all protection modes, the security header is transmitted in cleartext.

The intermediate unprotected TCAP message representation is the cleartext concatenation of DialoguePortion and ComponentPortion of the original TCAP message (after message reassembly if this applies).

For protection mode 1, the protected payload is the concatenation of the intermediate unprotected TCAP message representation and the message authentication code.

For protection mode 2, the protected payload is the concatenation of the result of applying the encryption function to the intermediate unprotected TCAP message representation, and the message authentication code.

For integrity and authenticity in protection mode 1, the message authentication code is calculated on the concatenation of the security header and the intermediate unprotected TCAP message representation. The message authentication code in protection mode 2 is calculated on concatenation of the security header and the result of applying the encryption function to the intermediate unprotected TCAP message representation.

5.5.1 TCAPsec security header p. 12

For Protection Mode 1, the security header is a sequence of the following elements:

Security header = SPI || TVP

For Protection Mode 2, the security header is a sequence of the following elements:

Security header = SPI || TVP || SS7-SEG Id || Prop

where

Security Parameters Index (SPI):
See Clause 5.4
TVP:
The TVP, used for replay protection of secured TCAP user message, is a 32 bit time-stamp. The receiving network entity will accept an operation only if the time-stamp is within a certain time-window. The resolution of the clock from which the time-stamp is derived is 0.1 seconds. The size of the time-window at the receiving network entity is not standardised.
SS7-SEG Id:
1 octet used to create different IV values for different SS7-SEGs within the same TVP period. It is necessary and sufficient that SS7-SEG Id is unique per network. (This is sufficient because sending keys are unique per network) The SS7-SEG Id shall be a unique number within the network.
Proprietary field (PROP):
1 octet used to create different IV values for different protected TCAP user messages within the same TVP period for one network entity. The usage of the proprietary field is not standardised.

5.5.2 Protected payload p. 12

5.5.2.1 Protection Mode 1 p. 12

The protected payload of secured TCAP user messages in protection mode 1 takes the following form:

Cleartext|| f7(Security Header||Cleartext)

where "Cleartext" is the concatenation of DialoguePortion and ComponentPortion of the original TCAP message (after message reassembly if this applies). Therefore, in Protection Mode 1 the protected payload is a concatenation of the following information elements:

Cleartext
Message authentication code (MAC-M) calculated by the function f7

Authentication of origin and message integrity are achieved by applying the message authentication code (MAC-M) function f7 with the integrity key defined by the security association to the concatenation of Security Header and Cleartext. The MAC-M length shall be 32 bits.

5.5.2.2 Protection Mode 2 p. 13

The protected payload of secured TCAP user Messages in protection mode 2 takes the following form:

f6( Cleartext) || f7(Security Header|| f6( Cleartext))

where "Cleartext" is the concatenation of DialoguePortion and ComponentPortion of the original TCAP message (after message reassembly if this applies). Confidentiality is achieved by encrypting Cleartext using the encryption function f6 with the confidentiality key defined by the security association and the initialisation vector (IV). Authentication of origin and integrity are achieved by applying the message authentication code (MAC-M) function f7 with the integrity key defined by the security association to the concatenation of Security Header and ciphertext. The MAC-M length shall be 32 bits. The length of the ciphertext is the same as the length of the cleartext.

5.6 TCAPsec algorithms p. 13

5.6.1 Mapping of TCAPsec SA encryption algorithm identifiers p. 13

The SEA algorithm indication fields in the TCAPsec SA are used to identify the encryption algorithm and algorithm mode to be used. The mapping of algorithm identifiers is defined below.

Table 1: SS7 Security Gateway encryption algorithm identifiers

Encryption Algorithm identifier	Description
0	AES in counter mode with 128-bit key length (MANDATORY)
1	-not yet assigned-
:	-not yet assigned-
15	-not yet assigned-

5.6.1.1 Description of SEA-0 p. 13

The SEA-0 algorithm is AES [5] used in counter mode with a 128-bit key and 128-bit counter blocks as described in clause 6.5 of FIPS 800-38A Recommendation for Block Cipher Modes of Operation [3]. The initial counter block T1 is initialized with IV. Successive counter blocks Tj (J>1) are derived by applying an incrementing function over the entire block Tj-1 (J≥2) (see Appendix B.1: The standard incrementing function of [3]).

5.6.2 Mapping of TCAPsec SA integrity algorithm identifiers p. 13

The SIA algorithm indication fields in the TCAPsec SA are used to identify the integrity algorithm and algorithm mode to be used. The mapping of algorithm identifiers is defined below.

Table 2: SS7 Security Gateway integrity algorithm identifiers

Integrity Algorithm identifier	Description
0	AES in a CBC MAC mode with a 128-bit key (MANDATORY)
1	-not yet assigned-
:	-not yet assigned-
15	-not yet assigned-

5.6.2.1 Description of SIA-0 p. 14

The SIA-0 algorithm is the ISO/IEC 9797 Part 1: padding method 2, MAC algorithm 1 (initial transformation=1, output transformation=1). No IV used. The MAC-length m is 32-bits (see clause 5.6.1). See ISO/IEC 9797 [4] for more information.

5.6.3 Construction of IV p. 14

The IV used in the encryption shall be constructed as follows:

IV = TVP || SS7-SEG Id || Prop || Pad

The padding field is used to expand TVP || SS7-SEG Id || Prop to the IV length required by the cryptographic scheme in use.

The IV length shall be 16 octets. The padding (Pad) shall be 10 octets with all bits set to zero.