6 Functional requirements

01.563GPPCTS Authentication and Key Generation Algorithms RequirementsGSM Cordless Telephony System (CTS), Phase 1TS

ETSI SAGE are required to design an algorithm set which satisfies the functional requirements specified in this clause.

6.1 Composition of the Algorithm Set and Type and Parameters of Algorithms

As specified in GSM 03.20 annex E, the algorithm set contains the following algorithms:

B1: Shall be used to compute the Kc from Ka and CH1. The algorithm shall have the following properties:

Input 1: Bit string of length |Ka|;

Input 2: Bit string of length |CH1|;

Output: Bit string of length |Kc|.

The algorithm should be designed such that it is difficult to infer any information about Input 1 from the knowledge of Input 2 and the Output (even if the details of the algorithm are known). Similarly it shall be difficult to infer any information about the Output from only the knowledge of Input 2.

B2: Shall be used to compute Ka from RIMS, RIFP, and FPAC. The algorithm shall have the following properties:

Input 1: Bit string of length |FPAC|;

Input 2: Bit string of length |RIMS|;

Input 3: Bit string of length |RIFP|;

Output: Bit string of length Ka.

The algorithm should be designed such that it is difficult to infer any information about Input 1 from the knowledge of Input 2, Input 3 and Output 1 (even if the details of the algorithm are known). Similarly it shall be difficult to infer any information about the Output from only the knowledge of Input 2 and Input 3.

B3: Shall be used to compute (X)SRES1 from Ka and CH1. The algorithm shall have the following properties:

Input 1: Bit string of length |Ka|;

Input 2: Bit string of length |CH1|;

Output: Bit string of length |(X)SRES1|.

The algorithm should be designed such that it is difficult to infer any information about Input 1 from the knowledge of Input 2 and the Output (even if the details of the algorithm are known). Similarly it shall be difficult to infer any information about the Output from only the knowledge of Input 2.

B4: Shall be used to compute (X)SRES2 from Ka and CH2.The algorithm shall have the following properties:

Input 1: Bit string of length |Ka|;

Input 2: Bit string of length |CH2|;

Output: Bit string of length |(X)SRES2|.

The algorithm should be designed such that it is difficult to infer any information about Input 1 from the knowledge of Input 2 and the Output (even if the details of the algorithm are known). Similarly it shall be difficult to infer any information about the Output from only the knowledge of Input 2.

The mutual authentication offered by B3 and B4 shall be protected against a reflection attack (e.g. by using a key offset method).

B5: Shall be used to compute MAC1 from Kop and Data1. The algorithm shall have the following properties:

Input 1: Bit string of length |Kop|;

Input 2: Bit string of length |Data1|;

Output: Bit string of length |MAC1|.

The algorithm should be designed such that it is difficult to infer any information about Input 1 from the knowledge of Input 2 and the Output (even if the details of the algorithm are known). Similarly it shall be difficult to infer any information about the Output from only the knowledge of Input 2.

B6: Shall be used to compute MAC2 from Kop and Data2. The algorithm shall have the following properties:

Input 1: Bit string of length |Kop|;

Input 2: Bit string of length |Data2|;

Output: Bit string of length |MAC2|.

The algorithm should be designed such that it is difficult to infer any information about Input 1 from the knowledge of Input 2 and the Output (even if the details of the algorithm are known). Similarly it shall be difficult to infer any information about the Output from only the knowledge of Input 2.

As long as the resilience requirements on the algorithm set are not violated, all algorithms in the set do not need to be distinct and complete. Indeed large parts of algorithm specifications might be identical.

Figure 1 shows the use of B3 and B4 to obtain mutual authentication between a CTS-MS and a CTS-FP, and the use of B1 for generating the ciphering key Kcx.

Figure 1: Mutual authentication of CTS-MS and CTS-FP using B3 and B4 and ciphering key Kcx generation by B1

Figure 2 shows the use of B2 to generate the key Ka.

Figure 2: Generation of initial key Ka

Figure 3:Computation of the result of the authentication of the CTS-FP using Kop and B5 algorithm

Figure 4 : Generation of the signature of the data sequence Data2 using Kop and B6

6.1.1 FPAC

The CTS-FP is equipped with a manufacturer installed FPAC code. The FPAC is unstructured data. The FPAC is used to facilitate initial mutual authentication of CTS-MS and CTS-FP and to facilitate encryption set-up.

The length of the FPAC is 128 bits.

6.1.2 CH1 and CH2

The challenge from CTS-FP to CTS-MS (CH1) and the challenge from CTS-MS to CTS-FP (CH2) are random 128 bit strings.

6.1.3 Ka

The authentication key is unstructured data. It is generated by algorithm B2 from FPAC and two random inputs RIMS (generated by CTS-FP and sent to CTS-MS) and RIFP (generated by CTS-MS and sent to CTS-FP). The length is 128 bits.

6.1.4 Kc

The ciphering key (Kc) is unstructured data. It is generated by algorithm B1 from the authentication key Ka and the random challenge CH1. The length is 64 bits.

6.1.5 Kop

The authentication key (Kop) is unstructured data. This key is generated from an authentication key stored on the FP-SIM and a key generation algorithm A8’ as described in GSM03.20 Annex E. The length is 128 bits.

6.1.6 Data1

The data sequence (Data1) is unstructured data. It length is n bytes.

6.1.7 Data2

The data sequence (Data2) is unstructured data. It length is n bytes.

6.1.8 MAC1

The authentication result (MAC1) is unstructured data. (MAC1) is computed form Kop and Data1 using the B5 algorithm. MAC1=B5(Kop, Data1).The length is 128 bits.

6.1.9 MAC2

The signature (MAC2) is unstructured data. The signature (MAC2) is generated using Kop and a sequence Data2. MAC2=B6(Kop, Data2). The length is 128 bits.

6.1.10 SRES1 and SRES2

The response sent from CTS-MS to CTS-FP (SRES1) and the response sent from CTS-FP to CTS-MS (SRES2) are 32 bit values computed from the authentication key (Ka) and the challenges CH1 and CH2 respectively. SRES1=B3(Ka,CH1) and SRES2=B4(Ka,CH2).

6.1.11 RIMS and RIFP

The generation of Ka through algorithm B2 involves the use of two random values RIMS and RIFP. RIMS is sent from CTS-FP to CTS-MS and RIFP is sent from CTS-MS to CTS-FP. Both RIMS and RIFP are 64 bits long.

6.1.12 SRES1 and SRES2

The response expected by the CTS-FP (XSRES1) and the response expected by the CTS-MS (XSRES2) are 32 bit values computed from the authentication key (Ka) and the challenges CH1 and CH2 respectively. XSRES1=B3(Ka,CH1) and XSRES2=B3(Ka,CH2).

6.2 Interfaces to the Algorithm

The dimensioning and definition of the interface parameters to the algorithms described in subclause 6.1 are listed below. In this listing X[i] denoted the i-th bit of the variable X.

FPAC 128 bits: FPAC[0], FPAC[1], …, FPAC[127]

CH1 128 bits: CH1[0], CH1[1],…, CH1[127]

CH2 128 bits: CH2[0], CH2[1],…, CH2[127]

Ka 128 bits: Ka[0], Ka[1],…, Ka[127]

Kc 64 bits: Kc [0], Kc [1],…, Kc [63]

Kop 128 bits: Kop[0], Kop[1],…, Kop[127]

Data1 n bytes: Data1[0], Data1[1],…, Data1[8n-1]

Data2 n bytes: Data2[0], Data2[1],…, Data2[8n-1]

MAC1 128 bits: MAC1[0], MAC1[1],…, MAC1[127]

MAC2 128 bits: MAC2[0], MAC2[1],…, MAC2[127]

SRES1 32 bits SRES1[0], SRES1[1],…, SRES1[31]

SRES2 32 bits SRES2[0], SRES2[1],…, SRES2[31]

RIMS 64 bits: RIMS[0], RIMS[1],…, RIMS[63]

RIFP 64 bits: RIFP[0], RIFP[1],…, RIFP[63]

XSRES1 32 bits XSRES1[0], XSRES1[1],…, XSRES1[31]

XSRES2 32 bits XSRES2[0], XSRES2[1],…, XSRES2[31]

6.3 Implementation and Operational Considerations

The algorithm should be designed for software implementations

As a reference, the set of the algorithms should be implementable on a 6805-family of microprocessors, in particular the Motorola SC21 series and Philips 83C852 series, running at 4 MHz. However the performance of the implementation of the algorithms should favourably scale when implementation is carried out on a 16-bit or 32-bit processor which support similar logical and arithmetical operations as found on the 6805-family but with larger word size.

For the reference platform it should be possible to realise an efficient state of the art implementation such that

– for each of the algorithms B1, B3, B4, the time for one operation is less than 200 milliseconds;

– for the algorithm B2 the time for one operation is less than 250 milliseconds;

– the complete set of algorithms can be implemented using less than 3000 bytes ROM and 128 bytes RAM.

6.4 Resilience of Algorithm set

The algorithm set should be designed with a view to its continued use for a period of at least 15 years.

The algorithm set should be designed such that:

– the strength of the individual algorithms should not be significantly less than indicated by its key parameter(s);

– the requirements on the individual algorithms listed in subclause 6.1 should be fulfilled.

ETSI SAGE are required to design the algorithm set to a strength which reflects the above requirements but imposes minimal restrictions on the exportability of equipment that is fitted with the algorithm.