E.3 CTS local security system

03.203GPPRelease 1999Security related network functionsTS

The subclauses below are described under normal operation. Abnormal operation is described in document [4].

The CTS local security applies for licensed band or license exempt band.

In the following sub-clauses the functions and procedures related to the CTS local security are defined. The following system elements and interfaces according to GSM 03.56 are involved:

– The CTS-FP (consisting of the CTS-FPE and the FP-SIM);

– The CTS-MS (consisting of the CTS-ME and the MS-SIM);

– The CTS radio interface between the CTS-MS and the CTS-FP.

E.3.1 Mobile Subscriber identity confidentiality

The purpose of this function is to avoid the possibility of an intruder identifying which subscriber is present on the CTS radio interface by listening to signalling exchanges or the user traffic. This allows both a high level of confidentiality for user data and signalling against the tracing of users.

The provision of this function implies that the mobile subscriber identity (IMSI), or any information allowing a listener to derive the identity easily, should not normally be transmitted in clear text in any signalling message on the CTS radio interface. Consequently, to obtain the required level of protection, it is necessary that:

– the subscriber identity (IMSI) is not normally used as an addressing method on the CTS radio interface (see GSM 02.09);

– when the signalling procedures and operating conditions (see GSM 03.56) permit it; signalling information elements that convey information about the mobile subscriber identity shall be ciphered for transmission on the CTS radio interface.

E.3.1.1 Identifying method

The means used to identify a mobile subscriber on the CTS radio interface consists of a CTSMSI (CTS Mobile Subscriber Identity). This CTSMSI is a local number, having a meaning only for a given CTS-MS/CTS-FP pair.

The CTSMSI is assigned by the CTS-FP to the CTS-MS by signalling procedures at enrolment and is valid until updated by the CTS-FP. During normal operation, this CTSMSI identifies a CTS-MS uniquely among all CTS-MSs enrolled onto one CTS-FP.

See also GSM 03.56.

The CTS-MS shall store the CTSMSI in the MS-SIM, together with the IFPEI.

The CTS-FP shall store the CTSMSI in the CTS-FPE, together with the IMEI and the IMSI. The IMEI is stored in order to allow tracking of mobile equipment as required in GSM 02.56.

The storage requirements are given in clause E.9.

E.3.1.2 Procedures

This subclause presents the procedures, or elements of procedures, pertaining to the management of the CTSMSI with respect to the local security.

E.3.1.2.1 CTSMSI assignment

This procedure is part of the enrolment procedure of a CTS-MS onto a CTS-FP (see subclause E.3.4.1).

The CTS-FP generates randomly a CTSMSI not equal to any of the existing CTSMSIs stored in the CTS-FP. The resulting CTSMSI is sent encrypted to the CTS-MS.

E.3.1.2.2 CTSMSI update

This procedure is part of general access procedure of a CTS-MS/CTS-FP pair.

The CTSMSI shall be updated by the CTS-FP as part of each MS/FP signalling exchange in order to preserve identity confidentiality. The CTS-FP generates randomly a CTSMSI not equal to any of the existing CTSMSIs stored in the CTS-FP. The resulting CTSMSI is the new CTSMSI for the CTS-MS/CTS-FP pair and is sent encrypted to the accessing CTS-MS. The CTS-MS stores the new CTSMSI on the MS-SIM. After successful storage, it acknowledges the update of the CTSMSI to the CTS-FP. Upon reception of the acknowledgement from the CTS-MS, the CTS-FP stores the new CTSMSI and deletes the old CTSMSI.

See also GSM 03.56.

E.3.1.2.3 CTS local identification

This procedure is part of general access procedures of a CTS-MS/CTS-FP pair.

The CTS-MS transmits the CTSMSI to the CTS-FP in the initial message in order to give its identity.

If the CTS-MS announces a CTSMSI which is unknown at the CTS-FP, then the CTS-FP requires the IMSI; if the IMSI is unknown, the CTS-FP shall deny access to that CTS-MS. The CTS-FP may consider that the CTS-MS is not enrolled into it.

The reason that the CTSMSI is unknown is generally not a matter of security and not considered here.

See also GSM 03.56.

E.3.2 Identity authentication

According to the definitions given in GSM 02.56, a local mutual authentication is required, containing both, the authentication of the mobile subscriber identity at the CTS-FP and the authentication of the CTS-FP identity at the CTS‑MS.

It can be noted that the IMSI is not tied to the equipment identity (IMEI) as the security related data derived from the enrolment procedure are stored on the MS-SIM; therefore a subscriber can remove his MS-SIM card and insert it in another CTS-ME without locally re-enrolling onto the CTS-FP.

The authentication procedure will also be used to set the ciphering key (see subclause E.3.3).

E.3.2.1 The mutual authentication procedure

A pre-condition of the procedure described below is, that both involved parties, the CTS-MS and the CTS-FP share the knowledge of the authentication key Ka.

The authentication procedure consists of the following exchange between the CTS-FP and the CTS-MS:

– The CTS-FP transmits an unpredictable number CH1 to the CTS-MS;

– The CTS-MS transmits an unpredictable number CH2 to the CTS-FP;

– The CTS-MS computes the response SRES1 from CH1 and the individual authentication key Ka using the algorithm B3;

– The CTS-FP computes the expected response XSRES1 from CH1 and the individual authentication key Ka using the algorithm B3;

– The CTS-MS transmits SRES1 to the CTS-FP;

– The CTS-FP tests SRES1 for validity, i.e. it compares SRES1 and XSRES1;

– The CTS-FP computes the response SRES2 from CH2 and the individual authentication key Ka using the algorithm B4;

– The CTS-MS computes the expected response XSRES2 from CH2 and the individual authentication key Ka using the algorithm B4;

– The CTS-FP transmits SRES2 to the CTS-MS;

– The CTS-MS tests SRES2 for validity, i.e. it compares SRES2 and XSRES2.

Note that the order of transmission of information as mentioned above and as shown in the figure shall not imply any implementation. Protocols to exchange the information shall be implemented with respect to efficiency of calculation time and effective messaging.

Figure E1: General mutual authentication procedure

E.3.2.1.1 Authentication failure

An authentication failure (from security point of view) occurs, if:

– The CTS-MS and the CTS-FP have different Ka;

– The algorithm B3 or B4 are not implemented as specified (i.e. non type approved equipment).

In this case the side which has detected the failure shall indicate "authentication failure" to the other side and cancel the connection with the other side.

E.3.2.2 Authentication Key management.

The Ka associated with a CTS-MS/CTS-FP pair is generated randomly during enrolment procedure as described in subclause E.3.4.1. As defined in GSM 02.56, keys of the CTS shall be controlled by the PLMN operator. In order to fulfil this requirement, all relevant information to reproduce Ka is transmitted to the PLMN operator as described in subclause E.3.4.1 and in subclause E.4.

E.3.3 Confidentiality of user information and signalling between CTS-MS and CTS-FP

In GSM 02.56 some signalling information is considered sensitive and must be protected.

The needs for a protected mode of transmission are fulfilled with an OSI layer 1 confidentiality function. The scheme described below assumes that the signalling information is transmitted on a dedicated channel.

Four points have to be specified:

– the ciphering method;

– the key setting;

– the starting of the enciphering and deciphering algorithms;

– the synchronisation.

E.3.3.1 The ciphering method

The OSI layer 1 data flow (transmitted on a dedicated channel) is ciphered on a bit by bit basis or stream cipher; i.e.; the data flow on the CTS radio interface is obtained by the bit per bit binary addition of the user data flow and the ciphering bit stream generated by the algorithm A5/2 using a key determined as specified in subclause E.10.1. The key is denoted below by Kc and is called the CTS Ciphering Key. The Kc is specific to one CTS-MS/CTS-FP pair.

Deciphering is performed by exactly the same method.

Algorithm A5/2 is one of the A5 algorithms specified in GSM 03.20, Annex C. Only A5/2 algorithm is supported on the CTS-FP to enable local ciphering. The CTS-MS supports at least the A5/2 algorithm.

E.3.3.2 Key setting

Mutual key setting is the procedure that allows the CTS-MS and the CTS-FP to agree on the key Kc to use in the ciphering and deciphering algorithm A5/2.

A key setting is triggered by the mutual authentication procedure.

Key setting must occur on a channel not yet encrypted and as soon as the CTSMSI is known by the CTS-FP.

Kc is generated using CH1, the algorithm B1 and the CTS Authentication key Ka, as defined in subclause E.10.1. Kc is stored in the CTS-ME and the CTS-FPE as described in subclause E.8.

Figure E2: Cipher Key setting

E.3.3.3 Starting of the ciphering and deciphering processes

The CTS-MS and the CTS-FP must co-ordinate the instants at which the enciphering and deciphering processes start. This procedure takes place under control of the CTS-FP some time after the completion of the authentication procedure. No information elements for which protection is needed must be sent before the ciphering and deciphering processes are operating.

The transition from clear text mode to ciphered mode proceeds as follows:

The CTS-FP starts deciphering and sends in clear text to the CTS-MS a specific message, here called "Start cipher". After the message "Start cipher" has been correctly received by the CTS-MS, the CTS-MS will commence both the enciphering and deciphering. Finally, enciphering in the CTS-FP starts as soon as a frame or a message from the CTS-MS has been correctly deciphered at the CTS-FP.

The starting of enciphering and deciphering processes is shown in figure E3.

Figure E3: Starting of the enciphering and deciphering processes

E.3.3.4 Synchronisation

The ciphering stream at one end and the deciphering stream at the other end must be synchronised, for the enciphering bit stream and the deciphering bit stream to coincide. The underlying synchronisation scheme is described in GSM 03.20, Annex C.

E.3.4 Structured procedures with CTS local security relevance

The following structured procedures are mainly related to the local security or at least involve CTS local security functions and procedures.

E.3.4.1 Local Part of the Enrolment of a CTS-MS onto a CTS-FP

According to GSM 02.56 and GSM 03.56 the CTS-MS/CTS-FP enrolment is the procedure, which generates an association between a certain CTS-MS and a certain CTS-FP, i.e. a CTS-MS/CTS-FP pair is established. The following CTS local security aspects are covered by the enrolment:

– The enrolment includes a means of authorisation to use the CTS-FP, i.e. the CTS-PIN is necessary in the enrolment procedure. It is mandatory that the CTS-PIN is activated.

– The authentication key Ka is generated and distributed to the CTS-MS and the CTS-FP.

– The CTSMSI is initially allocated and submitted from the CTS-FP to the CTS-MS

– The IFPEI is transmitted from the CTS-FP to the CTS-MS.

E.3.4.1.1 Local part of the enrolment procedure

The procedure described assumes that the CTS-MS or the CTS-FP have the knowledge of the radio parameters to be used on the CTS radio interface to enable initial connection (see GSM 02.56 and GSM 03.56).

As specified in GSM 02.56 and GSM 03.56, only a CTS-MS subscribed to an operator which has roaming agreement with the CTS-FP’s operator shall be allowed to enrol to that CTS-FP.

The following procedure is followed:

– An enrolment state is triggered by MMI at the CTS-MS and at the CTS-FP;

– The user enters the CTS-PIN at the CTS-MS;

– The CTS-MS derives the FPAC from the CTS-PIN. The FPAC also resides in the CTS-FP, thus the knowledge of the CTS-PIN gives authorisation to perform enrolment;

– An initial connection is established on the CTS radio interface;

– The CTS-MS and the CTS-FP exchange random initial values (RIMS and RIFP);

– The CTS-MS and the CTS-FP both calculate an authentication key Ka  = B2(FPAC, RIMS, RIFP);

– The CTS-MS and CTS-FP perform a mutual authentication according to subclause 3.2.1 using Ka . Since Ka is derived from the CTS-PIN, this mutual authentication proves the authorisation of the user;

– The CTS-MS and CTS-FP determine a ciphering key Kc = B1(Ka, RIMS) and switch to ciphering mode according to the procedure described in subclause E.3.3;

– The CTS-MS transmits (encrypted) to the CTS-FP the IMSI, and the IMEI;

– In order to avoid double enrolment, the CTS-FP checks if the IMSI is already enrolled;

– The CTS-FP checks the GSM operator’s identity of the CTS-MS and determines whether the CTS-MS subscriber is allowed to enrol on that CTS-FP;

– In case of licensed band the Supervising part of the enrolment is performed if required (see subclause E.4.4.3.4.);

– The CTS-FP determines the CTSMSI;

– The CTS-FP transmits (encrypted) the Ka, the IFPEI and the CTSMSI;

– The CTS-MS stores the Ka, the CTSMSI and the IFPEI on the MS-SIM;

– The CTS-FP stores the Ka, the IMSI, the IMEI, CTSMSI in a non volatile memory of the CTS-FPE;

– The enrolment procedure is completed (possible non security related procedures).

If a failure occurs during this local security procedure, intermediate values related to this procedure shall be deleted and the enrolment shall be aborted.

Figure E4: Local part of the enrolment procedure

E.3.4.2 General Access procedure

Once the CTS-MS is enrolled onto a CTS-FP, the CTS-MS may access the CTS-FP for user communication on the fixed network or for local CTS related procedures or as part of the local security for CTS supervising procedures. The access procedures shall generally involve the following sub-procedures:

– Identification as described in subclause E.3.1.2;

– Mutual authentication using the Ka defined during the enrolment in order to authenticate the identities on the CTS radio interface as described in subclause E.3.2.1;

– Generation of a new Kc and starting to cipher the link on the CTS radio interface as described in subclause E.3.3;

– Update of the CTSMSI because it has been used in clear text for identification, as described in subclause E.3.1.2.2;

Figure E5: The general access procedure

Authentication and start of ciphered connection shall usually be performed before any sensitive signalling data or user data is transmitted on the CTS radio interface. In the following sub-subclauses, some specific access procedures are described with respect the CTS local security.

E.3.4.2.1 Attachment

The attachment procedure is used to attach a CTS-MS to a CTS-FP. A pre-condition is, that the CTS-MS is enrolled with the CTS-FP.

The attachment procedure shall be performed whenever the CTS-MS is switched on within the range of a CTS-FP or when it comes into the range of the CTS-FP.

The attachment procedure shall include all sub-procedures of the general access procedure as described above.

Additionally the IMEI of the CTS-MS may be transmitted to the CTS-FP at attachment, in order to support the tracking or IMEI as described in subclause E.4.5.

E.3.4.2.2 CTS local security data update

The CTS local security data update procedure is performed in order to determine a new temporary identity CTSMSI and a new cipher key Kc. This procedure may be a part of a non security related procedure or it is used for the main purpose of local security data update.

A regular CTSMSI update procedure shall be defined in order to insure user confidentiality.

The CTS local security data update contains all sub-procedures of the general access procedure. It is initiated by the CTS-FP.

E.3.4.3 De-enrolment of a CTS-MS

According to GSM 02.56 the de-enrolment of a CTS-MS is the procedure which cancels the association between a certain CTS-MS and a certain CTS-FP.

A de-enrolment procedure of a CTS-MS from a CTS-FP can be either initiated by the CTS-FP (network or FP command) or by a user specific action to de-enrol one or several CTS-MS from a CTS-FP.

E.3.4.3.1 De-enrolment initiated by the CTS-FP

The following procedure is followed:

– The CTS-FP sends a de-enrolment command to the CTS-MS;

– The CTS-MS and the CTS-FP perform mutual authentication according to subclause E.3.2.1 using Ka;

– The CTS-MS deletes data related to CTS-FP i.e. Ka, CTSMSI, IFPEI, and confirms de-enrolment;

– The CTS-FP deletes data related to that CTS-MS i.e. Ka, CTSMSI, IMSI, IMEI;

– The de-enrolment is completed (possible non security related procedures).

E.3.4.3.2 De-enrolment initiated by a CTS-MS

The de-enrolment procedure when initiated by a CTS-MS is an MMI procedure that requires the knowledge of the CTS-PIN. The following procedure applies:

When remote MMI is used:

– the user enters a specific de-enrolment menu or command at the CTS-MS;

– attachment is performed on the MS/FP interface;

– the user enters the CTS-PIN at the CTS-MS;

– The CTS-FP checks the CTS-PIN and sends a list of all enrolled CTS-MSs to the CTS-MS;

– The list is displayed at the CTS-MS and the user selects one (or several) CTS-MS(s) for de-enrolment;

– The list of CTS-MS(s) which are selected for de-enrolment, is sent to the CTS-FP;

– Data related to the de-enrolled CTS-MSs, i.e. the Ka, the IMSI, the CTSMSI, the IMEI are deleted in the CTS-FP;

– The de-enrolment is completed (possible non security related procedures).