
Content for  TS 33.501  Word version:  16.3.0


C (Normative)  Protection schemes for concealing the subscription permanent identifier

C.1  Introduction

The present Annex specifies the protection schemes for concealing the subscription permanent identifier. Each protection scheme is identified by a Protection Scheme Identifier. The Protection Scheme Identifiers are as follows:
  • null-scheme: 0x0;
  • Profile <A>: 0x1;
  • Profile <B>: 0x2.
The values 0x3 - 0xB are reserved for future standardized protection schemes. The values 0xC - 0xF are reserved for proprietary protection schemes specified by the home operator.
Care should be taken when using unique schemes for small groups of users, as this may impact the effectiveness of the privacy scheme for these users.
The size of the Scheme Output of the protection schemes is as follows:
  • null-scheme: size of input, i.e., size of username used in case of NAI format or MSIN in case of IMSI;
  • Profile <A>: total of 256-bit public key, 64-bit MAC, plus size of input;
  • Profile <B>: total of 264-bit public key, 64-bit MAC, plus size of input.
The maximum size of a Scheme Output for proprietary protection schemes shall be total of 3000 octets plus size of input.
The UE shall not send, and the network may reject SUCIs larger than the maximum size of scheme-output.

C.2  Null-scheme

The null-scheme shall be implemented such that it returns the same output as the input, which applies to both encryption and decryption.
When using the null-scheme, the SUCI does not conceal the SUPI and therefore the newly generated SUCIs do not need to be fresh.

C.3  Elliptic Curve Integrated Encryption Scheme (ECIES)

C.3.1  General

The use of ECIES for concealment of the SUPI shall adhere to the SECG specifications [29] and [30]. Processing on UE side and home network side are described in high level in clauses C.3.2 and C.3.3.
When the SUPI is of type IMSI, the subscription identifier part of the IMSI (i.e., MSIN) that is used to construct the scheme-input shall be coded as hexadecimal digits using packed BCD coding where the order of digits within an octet is same as the order of MSIN digits specified in Figure 9.11.3.4.3a of TS 24.501. If the MSIN is composed of an odd number of digits, then the bits 5 to 8 of final octet shall be coded as "1111".
When the SUPI is of type network specific identifier, the subscription identifier part of the SUPI that is used to construct the scheme-input shall follow the encoding rules specified in Annex B.2.1.2 of TS 33.220.
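The packed BCD rule above, as an added example that is not part of the specification text. The function names are hypothetical, and the nibble order (first digit in bits 1 to 4 of each octet) is taken from the C.4.2.1 test data on this page, where MSIN '001002086' yields '00012080F6'.

```python
FILLER = 0xF  # bits 5 to 8 of the final octet when the MSIN has an odd number of digits


def msin_to_scheme_input(msin: str) -> bytes:
    """Pack MSIN digits two per octet: earlier digit in bits 1-4, later digit in bits 5-8."""
    if not (msin.isascii() and msin.isdigit()):
        raise ValueError("MSIN must consist of decimal digits")
    nibbles = [int(d) for d in msin]
    if len(nibbles) % 2:
        nibbles.append(FILLER)
    return bytes(lo | (hi << 4) for lo, hi in zip(nibbles[::2], nibbles[1::2]))


def scheme_input_to_msin(data: bytes) -> str:
    """Inverse mapping; only a single trailing filler nibble is tolerated."""
    nibbles = [n for octet in data for n in (octet & 0xF, octet >> 4)]
    if nibbles and nibbles[-1] == FILLER:
        nibbles.pop()
    if not nibbles or any(n > 9 for n in nibbles):
        raise ValueError("invalid packed BCD MSIN")
    return "".join(map(str, nibbles))
```
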

C.3.2  Processing on UE side

The ECIES scheme shall be implemented such that for computing a fresh SUCI, the UE shall use the provisioned public key of the home network and freshly generated ECC (elliptic curve cryptography) ephemeral public/private key pair according to the ECIES parameters provisioned by home network. The processing on UE side shall be done according to the encryption operation defined in [29], with the following changes to Section 3.8 and step 5 and 6 of Section 5.1.3:
  • generate keying data K of length enckeylen + icblen + mackeylen.
  • Parse the leftmost enckeylen octets of K as an encryption key EK, the middle icblen octets of K as an ICB, and the rightmost mackeylen octets of K as a MAC key MK.
The final output shall be the concatenation of the ECC ephemeral public key, the ciphertext value, the MAC tag value, and any other parameters, if applicable.
Figure C.3.2-1 illustrates the UE's steps.
[Figure C.3.2-1: Encryption based on ECIES at UE]

    C.3.3  Processing on home network side

    The ECIES scheme shall be implemented such that for deconcealing a SUCI, the home network shall use the received ECC ephemeral public key of the UE and the private key of the home network. The processing on home network side shall be done according to the decryption operation defined in [29], with the following changes to Section 3.8 and step 6 and 7 of Section 5.1.4:
  • generate keying data K of length enckeylen + icblen + mackeylen.
  • Parse the leftmost enckeylen octets of K as an encryption key EK, the middle icblen octets of K as an ICB, and the rightmost mackeylen octets of K as a MAC key MK.
    Figure C.3.3-1 illustrates the home network's steps.
    [Figure C.3.3-1: Decryption based on ECIES at home network]

    C.3.4  ECIES profiles

    C.3.4.0  General

    Unless otherwise stated, the ECIES profiles follow the terminology and processing specified in SECG version 2 [29] and [30]. The profiles shall use "named curves" over prime fields.
    For generating successive counter blocks from the initial counter block (ICB) in CTR mode, the profiles shall use the standard incrementing function in section B.1 of NIST Special Publication 800-38A [16] with m = 32 bits. The ICB corresponds to T1 in section 6.5 of [16].
    The value of the MAC tag in ECIES shall be the L most significant octets of the output generated by the HMAC function, where L equals maclen.
    Profile A shall use its own standardized processing for key generation (section 6 of RFC 7748 [46]) and shared secret calculation (section 5 of RFC 7748 [46]). The Diffie-Hellman primitive X25519 (section 5 of RFC 7748 [46]) takes two random octet strings as input, decodes them as scalar and coordinate, performs multiplication, and encodes the result as an octet string. The shared secret output octet string from X25519 shall be used as the input Z in the ECIES KDF (section 3.6.1 of [29]). As the point compression is not applied for profile A, the prefix rule for compression type defined in [29] section 5.1.3 shall not be used in profile A, i.e., there shall be no prefix for the ephemeral public key of Profile A.
    Profile B shall use point compression to save overhead and shall use the Elliptic Curve Cofactor Diffie-Hellman Primitive (section 3.3.2 of [29]) to enable future addition of profiles with cofactor h ≠ 1. For curves with cofactor h = 1 the two primitives (section 3.3.1 and 3.3.2 of [29]) are equal.
    The profiles shall not use backwards compatibility mode (therefore are not compatible with version 1 of SECG).

    C.3.4.1  Profile A

    The ME and SIDF shall implement this profile. The ECIES parameters for this profile shall be the following:
  • EC domain parameters : Curve25519 [46]
  • EC Diffie-Hellman primitive : X25519 [46]
  • point compression : N/A
  • KDF : ANSI-X9.63-KDF [29]
  • Hash : SHA-256
  • SharedInfo1 : (the ephemeral public key octet string - see [29] section 5.1.3)
  • MAC : HMAC-SHA-256
  • mackeylen : 32 octets (256 bits)
  • maclen : 8 octets (64 bits)
  • SharedInfo2 : the empty string
  • ENC : AES-128 in CTR mode
  • enckeylen : 16 octets (128 bits)
  • icblen : 16 octets (128 bits)
  • backwards compatibility mode : false

    C.3.4.2  Profile B

    The ME and SIDF shall implement this profile. The ECIES parameters for this profile shall be the following:
  • EC domain parameters : secp256r1 [30]
  • EC Diffie-Hellman primitive : Elliptic Curve Cofactor Diffie-Hellman Primitive [29]
  • point compression : true
  • KDF : ANSI-X9.63-KDF [29]
  • Hash : SHA-256
  • SharedInfo1 : (the ephemeral public key octet string - see [29] section 5.1.3)
  • MAC : HMAC-SHA-256
  • mackeylen : 32 octets (256 bits)
  • maclen : 8 octets (64 bits)
  • SharedInfo2 : the empty string
  • ENC : AES-128 in CTR mode
  • enckeylen : 16 octets (128 bits)
  • icblen : 16 octets (128 bits)
  • backwards compatibility mode : false

    C.4  Implementers' test data

    C.4.1  General

    The test data sets presented here are for encryption based on ECIES at UE with protection schemes defined in this clause.

    C.4.2  Null-scheme

    C.4.2.1  IMSI-based SUPI |R16|

    The following test data set corresponds to ECIES-based encryption in the UE for IMSI-based SUPI and null-scheme.
    IMSI consists of MCC|MNC: '274012' and MSIN: '001002086'
    ECIES Scheme Input
    Scheme Input: '00012080F6'
    ECIES Scheme Output
    Scheme Output: '00012080F6'

    C.4.2.2  Network specific identifier-based SUPI |R16|

    The following test data set corresponds to ECIES-based encryption in the UE for network specific identifier-based SUPI and null-scheme.
    SUPI is: verylongusername1@3gpp.com
    ECIES Scheme Input
    Scheme Input: '766572796C6F6E67757365726E616D6531'
    ECIES Scheme Output
    Scheme Output: useridverylongusername1

    C.4.3  ECIES Profile A

    C.4.3.1  IMSI-based SUPI |R16|

    The following test data set corresponds to SUCI computation in the UE for IMSI-based SUPI and ECIES Profile A.
    IMSI consists of MCC|MNC: '274012' and MSIN: '001002086'
    ECIES test data
    The ECIES Scheme Output is computed in the UE as defined in Figure C.3.2-1 of clause C.3.2 with the following data
    Home Network Private Key:
    'c53c22208b61860b06c62e5406a7b330c2b577aa5558981510d128247d38bd1d'
    Home Network Public Key:
    '5a8d38864820197c3394b92613b20b91633cbd897119273bf8e4a6f4eec0a650'
    Eph. Private Key:
    'c80949f13ebe61af4ebdbd293ea4f942696b9e815d7e8f0096bbf6ed7de62256'
    Eph. Public Key:
    'b2e92f836055a255837debf850b528997ce0201cb82adfe4be1f587d07d8457d'
    Eph. Shared Key:
    '028ddf890ec83cdf163947ce45f6ec1a0e3070ea5fe57e2b1f05139f3e82422a'
    Eph. Enc. Key:
    '2ba342cabd2b3b1e5e4e890da11b65f6'
    ICB:
    'e2622cb0cdd08204e721c8ea9b95a7c6'
    Plaintext block:
    '00012080f6'
    Cipher-text value:
    'cb02352410'
    Eph. mac key:
    'd9846966fb7cf5fcf11266c5957dea60b83fff2b7c940690a4bfe57b1eb52bd2'
    MAC-tag value:
    'cddd9e730ef3fa87'
    Scheme Output:
    'b2e92f836055a255837debf850b528997ce0201cb82adfe4be1f587d07d8457dcb02352410cddd9e730ef3fa87'
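The home-network side of Profile A up to the MAC check (clauses C.3.3 and C.3.4.1), as an added example that is not part of the specification: it splits the Scheme Output above, runs X25519, derives K with ANSI-X9.63-KDF, parses EK, ICB and MK, and verifies the truncated HMAC tag before any decryption would take place. Function names are hypothetical; the keys and Scheme Output are the C.4.3.1 test data, and the all-zero shared-secret check is an added precaution from RFC 7748, not a requirement stated on this page.

```python
import hashlib, hmac
P, A24 = 2**255 - 19, 121665
ENCKEYLEN, ICBLEN, MACKEYLEN, MACLEN, PUBLEN = 16, 16, 32, 8, 32  # Profile A, octets

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 section 5 ladder. Not constant-time: for checking vectors only."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def x963_kdf(z: bytes, shared_info: bytes, length: int) -> bytes:
    """ANSI-X9.63-KDF, SHA-256: Hash(Z || 32-bit counter from 1 || SharedInfo)."""
    out = b""
    for counter in range(1, -(-length // 32) + 1):
        out += hashlib.sha256(z + counter.to_bytes(4, "big") + shared_info).digest()
    return out[:length]

def check_profile_a(hn_private: bytes, scheme_output: bytes):
    """Split Scheme Output, derive EK/ICB/MK, verify the MAC tag before any decryption."""
    if len(scheme_output) <= PUBLEN + MACLEN:
        raise ValueError("Scheme Output too short for Profile A")
    eph_pub, tag = scheme_output[:PUBLEN], scheme_output[-MACLEN:]
    ciphertext = scheme_output[PUBLEN:-MACLEN]
    z = x25519(hn_private, eph_pub)
    if not any(z):
        raise ValueError("all-zero shared secret")  # low-order ephemeral key
    k = x963_kdf(z, eph_pub, ENCKEYLEN + ICBLEN + MACKEYLEN)  # SharedInfo1 = eph. key
    ek, icb, mk = k[:ENCKEYLEN], k[ENCKEYLEN:ENCKEYLEN + ICBLEN], k[-MACKEYLEN:]
    mac = hmac.new(mk, ciphertext, hashlib.sha256).digest()[:MACLEN]  # SharedInfo2 empty
    if not hmac.compare_digest(mac, tag):
        raise ValueError("MAC tag mismatch")
    return ek, icb, mk, ciphertext

# Test data copied from clause C.4.3.1 (IMSI-based SUPI, Profile A)
HN_PRIV = bytes.fromhex("c53c22208b61860b06c62e5406a7b330c2b577aa5558981510d128247d38bd1d")
SCHEME_OUTPUT = bytes.fromhex(
    "b2e92f836055a255837debf850b528997ce0201cb82adfe4be1f587d07d8457dcb02352410cddd9e730ef3fa87")
```

The returned EK and ICB are the AES-128-CTR key and initial counter block that would recover the plaintext block '00012080f6'.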

    C.4.3.2  Network specific identifier-based SUPI |R16|

    The following test data set corresponds to SUCI computation in the UE for network specific identifier-based SUPI and ECIES Profile A.
    SUPI is: verylongusername1@3gpp.com
    ECIES test data
    The ECIES Scheme Output is computed in the UE as defined in Figure C.3.2-1 of clause C.3.2 with the following data
    Home Network Private Key:
    'C53C22208B61860B06C62E5406A7B330C2B577AA5558981510D128247D38BD1D'
    Home Network Public Key:
    '5A8D38864820197C3394B92613B20B91633CBD897119273BF8e4A6f4EEC0A650'
    Eph. Private Key:
    'BE9EFF3E9F22A4B42A3D236E7A6C500B3F2E7E0C7449988BA800D664BF4FCD97'
    Eph. Public Key:
    '977D8B2FDAA7B64AA700D04227D5B440630EA4EC50F9082273A26BB678C92222'
    Eph. Shared Key:
    '511C1DF473BB88317F923501F8BA944FD3B667D25699DCB552DBCEF60BBDC56D'
    Eph. Enc. Key:
    'FE77B87D87F40428EDD71BCA69D79059'
    Plaintext block:
    '766572796C6F6E67757365726E616D6531'
    Cipher-text value:
    '8E358A1582ADB15322C10E515141D2039A'
    Eph. mac key:
    'D87B69F4FE8CD6B211264EA5E69F682F151A82252684CDB15A047E6EF0595028'
    MAC-tag value:
    '12E1D7783A97F1AC'
    Scheme Output:
    ecckey977D8B2FDAA7B64AA700D04227D5B440630EA4EC50F9082273A26BB678C92222.cip8E358A1582ADB15322C10E515141D2039A.mac12E1D7783A97F1AC

    C.4.4  ECIES Profile B

    C.4.4.1  IMSI-based SUPI |R16|

    The following test data set corresponds to ECIES-based encryption in the UE for IMSI-based SUPI and ECIES Profile B.
    IMSI consists of MCC|MNC: '274012' and MSIN: '001002086'
    ECIES test data
    The Scheme Output is computed in the UE as defined in Figure C.3.2-1 of clause C.3.2 with following data:
    Home Network Public Key:
    if compressed: '0272DA71976234CE833A6907425867B82E074D44EF907DFB4B3E21C1C2256EBCD1',
    otherwise uncompressed: '0472DA71976234CE833A6907425867B82E074D44EF907DFB4B3E21C1C2256EBCD15A7DED52FCBB097A4ED250E036C7B9C8C7004C4EEDC4F068CD7BF8D3F900E3B4'
    Home Network Private Key: 'F1AB1074477EBCC7F554EA1C5FC368B1616730155E0041AC447D6301975FECDA'
    Eph. Public Key:
    If compressed: '039AAB8376597021E855679A9778EA0B67396E68C66DF32C0F41E9ACCA2DA9B9D1'
    Otherwise uncompressed: '049AAB8376597021E855679A9778EA0B67396E68C66DF32C0F41E9ACCA2DA9B9D1D1F44EA1C87AA7478B954537BDE79951E748A43294A4F4CF86EAFF1789C9C81F'
    Eph. Private Key: '99798858A1DC6A2C68637149A4B1DBFD1FDFF5ADDD62A2142F06699ED7602529'
    Eph. Shared Key: '6C7E6518980025B982FBB2FF746E3C2E85A196D252099A7AD23EA7B4C0959CAE'
    Eph. Enc. Key: '8A65C3AED80295C12BD55087E965702A'
    ICB: 'EF285B4061C3BAEE858AB6EC68487DAE'
    Scheme-input corresponding to the plaintext-block: '00012080F6'
    Cipher-text value: '46A33FC271'
    Eph. mac key: 'A5EBAC0BC48D9CF7AE5CE39CD840AC6C761AEC04078FAB954D634F923E901C64'
    MAC-tag value: '6AC7DAE96AA30A4D'
    Scheme Output:
    '039AAB8376597021E855679A9778EA0B67396E68C66DF32C0F41E9ACCA2DA9B9D146A33FC2716AC7DAE96AA30A4D'

    C.4.4.2  Network specific identifier-based SUPI |R16|

    The following test data set corresponds to ECIES-based encryption in the UE for network specific identifier-based SUPI and ECIES Profile B.
    SUPI is: verylongusername1@3gpp.com
    ECIES test data
    The Scheme Output is computed in the UE as defined in Figure C.3.2-1 of clause C.3.2 with following data:
    Home Network Public Key:
    if compressed: '0272DA71976234CE833A6907425867B82E074D44EF907DFB4B3E21C1C2256EBCD1',
    otherwise uncompressed: '0472DA71976234CE833A6907425867B82E074D44EF907DFB4B3E21C1C2256EBCD15A7DED52FCBB097A4ED250E036C7B9C8C7004C4EEDC4F068CD7BF8D3F900E3B4'
    Home Network Private Key: 'F1AB1074477EBCC7F554EA1C5FC368B1616730155E0041AC447D6301975FECDA'
    Eph. Public Key:
    If compressed: '03759BB22C563D9F4A6B3C1419E543FC2F39D6823F02A9D71162B39399218B244B'
    Eph. Private Key: '90A5898BD29FFA3F261E00E980067C70A2B1B992A21F5B4FEF6D4DF69FE804AD'
    Eph. Shared Key: 'BC3529ED79541CF8C007CE9806330F4A5FF15064D7CF4B16943EF8F007597872'
    Eph. Enc. Key: '84F9A78995D39E6968047547ECC12C4F'
    Scheme-input corresponding to the plaintext-block: '766572796C6F6E67757365726E616D6531'
    Cipher-text value: 'BE22D8B9F856A52ED381CD7EAF4CF2D525'
    Eph. mac key: '39D5517E965F8E1252B61345ED45226C5F1A8C69F03D6C91437591F0B8E48FA0'
    MAC-tag value: '3CDDC61A0A7882EB'
    Scheme Output:
    ecckey03759BB22C563D9F4A6B3C1419E543FC2F39D6823F02A9D71162B39399218B244B.cipBE22D8B9F856A52ED381CD7EAF4CF2D525.mac3CDDC61A0A7882EB