ETSI ETS 300 929 ed.2 (1997-08)
Digital cellular telecommunications system (Phase 2+) (GSM); Security related network functions (GSM 03.20 version 5.1.1)
RE/SMG-030320QR
Digital cellular telecommunications system (Phase 2+) – Security related network functions (GSM 03.20, version 5.1.1)
SLOVENIAN STANDARD
01-December-2003
Digital cellular telecommunications system (Phase 2+) (GSM); Security related network
functions (GSM 03.20 version 5.1.1)
This Slovenian standard is identical to: ETS 300 929 Edition 2
ICS: 33.070.50 Global System for Mobile Communication (GSM)
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
EUROPEAN TELECOMMUNICATION STANDARD
ETS 300 929
August 1997
Second Edition
Source: ETSI SMG Reference: RE/SMG-030320QR
ICS: 33.020
Key words: Digital cellular telecommunications system, Global System for Mobile communications (GSM)
GLOBAL SYSTEM FOR
MOBILE COMMUNICATIONS
Digital cellular telecommunications system (Phase 2+);
Security related network functions
(GSM 03.20 version 5.1.1)
ETSI
European Telecommunications Standards Institute
ETSI Secretariat
Postal address: F-06921 Sophia Antipolis CEDEX - FRANCE
Office address: 650 Route des Lucioles - Sophia Antipolis - Valbonne - FRANCE
X.400: c=fr, a=atlas, p=etsi, s=secretariat - Internet: secretariat@etsi.fr
Tel.: +33 4 92 94 42 00 - Fax: +33 4 93 65 47 16
Copyright Notification: No part may be reproduced except as authorized by written permission. The copyright
and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 1997. All rights reserved.
Page 2
ETS 300 929 (GSM 03.20 version 5.1.1): August 1997
Whilst every care has been taken in the preparation and publication of this document, errors in content,
typographical or otherwise, may occur. If you have comments concerning its accuracy, please write to
"ETSI Editing and Committee Support Dept." at the address shown on the title page.
Contents
Foreword
0 Scope
0.1 Normative references
0.2 Abbreviations
1 General
2 Subscriber identity confidentiality
2.1 Generality
2.2 Identifying method
2.3 Procedures
2.3.1 Location updating in the same MSC area
2.3.2 Location updating in a new MSCs area, within the same VLR area
2.3.3 Location updating in a new VLR; old VLR reachable
2.3.4 Location Updating in a new VLR; old VLR not reachable
2.3.5 Reallocation of a new TMSI
2.3.6 Local TMSI unknown
2.3.7 Location updating in a new VLR in case of a loss of information
2.3.8 Unsuccessful TMSI allocation
3 Subscriber identity authentication
3.1 Generality
3.2 The authentication procedure
3.3 Subscriber Authentication Key management
3.3.1 General authentication procedure
3.3.2 Authentication at location updating in a new VLR, using TMSI
3.3.3 Authentication at location updating in a new VLR, using IMSI
3.3.4 Authentication at location updating in a new VLR, using TMSI, TMSI unknown in "old" VLR
3.3.5 Authentication at location updating in a new VLR, using TMSI, old VLR not reachable
3.3.6 Authentication with IMSI if authentication with TMSI fails
3.3.7 Re-use of security related information in failure situations
4 Confidentiality of signalling information elements, connectionless data and user information elements on physical connections
4.1 Generality
4.2 The ciphering method
4.3 Key setting
4.4 Ciphering key sequence number
4.5 Starting of the ciphering and deciphering processes
4.6 Synchronization
4.7 Handover
4.8 Negotiation of A5 algorithm
5 Synthetic summary
Annex A (informative): Security issues related to signalling schemes and key management
A.1 Introduction
A.2 Short description of the schemes
A.3 List of abbreviations
Annex B (informative): Security information to be stored in the entities of the GSM system
B.1 Introduction
B.2 Entities and security information
B.2.1 Home Location Register (HLR)
B.2.2 Visitor Location Register (VLR)
B.2.3 Mobile services Switching Centre (MSC)/Base Station System (BSS)
B.2.4 Mobile Station (MS)
B.2.5 Authentication Centre (AuC)
Annex C (normative): External specifications of security related algorithms
C.0 Scope
C.1 Specifications for Algorithm A5
C.1.1 Purpose
C.1.2 Implementation indications
C.1.3 External specifications of Algorithm A5
C.1.4 Internal specification of Algorithm A5
C.2 Algorithm A3
C.2.1 Purpose
C.2.2 Implementation and operational requirements
C.3 Algorithm A8
C.3.1 Purpose
C.3.2 Implementation and operational requirements
Annex D (informative): Status of Technical Specification GSM 03.20
History
Foreword
This European Telecommunication Standard (ETS) has been produced by the Special Mobile Group
(SMG) of the European Telecommunications Standards Institute (ETSI).
This ETS defines the security related network functions within the digital cellular telecommunications
system.
The specification from which this ETS has been derived was originally based on CEPT documentation,
hence the presentation of this ETS may not be entirely in accordance with the ETSI rules.
Transposition dates
Date of adoption: 25 July 1997
Date of latest announcement of this ETS (doa): 30 November 1997
Date of latest publication of new National Standard
or endorsement of this ETS (dop/e): 31 May 1998
Date of withdrawal of any conflicting National Standard (dow): 31 May 1998
0 Scope
This European Telecommunication Standard (ETS) specifies the network functions needed to provide the
security related service and functions specified in GSM 02.09.
This ETS does not address the cryptological algorithms that are needed to provide different security
related features. This topic is addressed in annex C. Wherever a cryptological algorithm or mechanism is
needed, this is signalled with a reference to annex C. The references refer only to functionalities, and
some algorithms may be identical or use common hardware.
0.1 Normative references
This ETS incorporates by dated and undated reference, provisions from other publications. These
normative references are cited at the appropriate places in the text and the publications are listed
hereafter. For dated references, subsequent amendments to or revisions of any of these publications
apply to this ETS only when incorporated in it by amendment or revision. For undated references, the
latest edition of the publication referred to applies.
[1] GSM 01.04 (ETR 350): "Digital cellular telecommunications system (Phase 2+);
Abbreviations and acronyms".
[2] GSM 02.07: "Digital cellular telecommunications system (Phase 2+); Mobile
Station (MS) features".
[3] GSM 02.09 (ETS 300 920): "Digital cellular telecommunications system;
Security aspects".
[4] GSM 02.17 (ETS 300 922): "Digital cellular telecommunications system;
Subscriber Identity Modules (SIM) Functional characteristics".
[5] GSM 03.03 (ETS 300 927): "Digital cellular telecommunications system
(Phase 2+); Numbering, addressing and identification".
[6] GSM 04.08 (ETS 300 940): "Digital cellular telecommunications system
(Phase 2+); Mobile radio interface layer 3 specification".
[7] GSM 05.01: "Digital cellular telecommunication system (Phase 2+); Physical
layer on the radio path; General description".
[8] GSM 05.02 (ETS 300 908): "Digital cellular telecommunications system
(Phase 2+); Multiplexing and multiple access on the radio path".
[9] GSM 05.03 (ETS 300 909): "Digital cellular telecommunications system
(Phase 2+); Channel coding".
[10] GSM 09.02 (ETS 300 974): "Digital cellular telecommunications system
(Phase 2+); Mobile Application Part (MAP) specification".
0.2 Abbreviations
Abbreviations used in this ETS are listed in GSM 01.04.
Specific abbreviations used in annex A are listed in clause A.3.
1 General
The different security related services and functions that are listed in GSM 02.09 are grouped as follows:
- Subscriber identity confidentiality;
- Subscriber identity authentication;
- Signalling information element and connectionless user data confidentiality and data confidentiality
for physical connections (ciphering).
It shall be possible to introduce new authentication and ciphering algorithms during the system's lifetime.
The fixed network may support more than one authentication and ciphering algorithm.
The security procedures include mechanisms to enable recovery in event of signalling failures. These
recovery procedures are designed to minimize the risk of a breach in the security of the system.
General on figures in this ETS:
- In the figures below, signalling exchanges are referred to by functional names. The exact messages
and message types are specified in GSM 04.08 and GSM 09.02.
- No assumptions are made for function splitting between MSC (Mobile Switching Centre), VLR
(Visitor Location Register) and BSS (Base Station System). Signalling is described directly between
MS and the local network (i.e. BSS, MSC and VLR denoted in the figures by BSS/MSC/VLR). The
splitting in annex A is given only for illustrative purposes.
- Addressing fields are not given; all information relates to the signalling layer. The TMSI allows
addressing schemes without IMSI, but the actual implementation is specified in the GSM 04-series.
- The term HPLMN in the figures below is used as a general term which should be understood as
HLR (Home Location Register) or AuC (Authentication Centre).
- What is put in a box is not part of the described procedure but it is relevant to the understanding of
the figure.
2 Subscriber identity confidentiality
2.1 Generality
The purpose of this function is to avoid the possibility for an intruder to identify which subscriber is using a
given resource on the radio path (e.g. TCH (Traffic Channel) or signalling resources) by listening to the
signalling exchanges on the radio path. This allows both a high level of confidentiality for user data and
signalling and protection against the tracing of a user's location.
The provision of this function implies that the IMSI (International Mobile Subscriber Identity), or any
information allowing a listener to derive the IMSI easily, should not normally be transmitted in clear text in
any signalling message on the radio path.
Consequently, to obtain the required level of protection, it is necessary that:
- a protected identifying method is normally used instead of the IMSI on the radio path; and
- the IMSI is not normally used as addressing means on the radio path (see GSM 02.09);
- when the signalling procedures permit it, signalling information elements that convey information
about the mobile subscriber identity must be ciphered for transmission on the radio path.
The identifying method is specified in the following subclause. The ciphering of communication over the
radio path is specified in clause 4.
2.2 Identifying method
The means used to identify a mobile subscriber on the radio path consists of a TMSI (Temporary Mobile
Subscriber Identity). This TMSI is a local number, having a meaning only in a given location area; the
TMSI must be accompanied by the LAI (Location Area Identification) to avoid ambiguities. The maximum
length and guidance for defining the format of a TMSI are specified in GSM 03.03.
The network (e.g. a VLR) manages suitable data bases to keep the relation between TMSIs and IMSIs.
When a TMSI is received with an LAI that does not correspond to the current VLR, the IMSI of the MS
must be requested from the VLR in charge of the indicated location area if its address is known; otherwise
the IMSI is requested from the MS.
A new TMSI must be allocated at least in each location updating procedure. The allocation of a new TMSI
corresponds implicitly for the MS to the de-allocation of the previous one. In the fixed part of the network,
the cancellation of the record for an MS in a VLR implies the de-allocation of the corresponding TMSI.
To cope with some malfunctioning, e.g. arising from a software failure, the fixed part of the network can
require the identification of the MS in clear. This procedure is a breach in the provision of the service, and
should be used only when necessary.
When a new TMSI is allocated to an MS, it is transmitted to the MS in a ciphered mode. This ciphered
mode is the same as defined in clause 4.
The MS must store its current TMSI in a non volatile memory, together with the LAI, so that these data are
not lost when the MS is switched off.
2.3 Procedures
This subclause presents the procedures, or elements of procedures, pertaining to the management of
TMSIs.
2.3.1 Location updating in the same MSC area
This procedure is part of the location updating procedure which takes place when the original location
area and the new location area depend on the same MSC. The part of this procedure relative to TMSI
management is reduced to a TMSI re-allocation (from TMSIo with "o" for "old" to TMSIn with "n" for
"new").
The MS sends TMSIo as an identifying field at the beginning of the location updating procedure.
The procedure is schematized in figure 2.1.
Entities: MS, Radio path, BSS/MSC/VLR
MS -> BSS/MSC/VLR: LAI, TMSIo
[Management of means for new ciphering (see clause 4)]
[Allocation of TMSIn]
BSS/MSC/VLR -> MS: Cipher(TMSIn)
MS -> BSS/MSC/VLR: Acknowledge
[De-allocation of TMSIo]
Figure 2.1: Location updating in the same MSC area
Signalling Functionalities:
Management of means for new ciphering:
The MS and BSS/MSC/VLR agree on means for ciphering signalling information elements, in
particular to transmit TMSIn.
2.3.2 Location updating in a new MSCs area, within the same VLR area
This procedure is part of the location updating procedure which takes place when the original location
area and the new location area depend on different MSCs, but on the same VLR.
The procedure is schematized in figure 2.2.
Entities: MS, Radio path, BSS/MSC/VLR, HPLMN
MS -> BSS/MSC/VLR: LAI, TMSIo
[Management of means for new ciphering (see clause 4)]
[Allocation of TMSIn]
BSS/MSC/VLR -> MS: Cipher(TMSIn) (note)
BSS/MSC/VLR -> HPLMN: Loc.Updating (note)
MS -> BSS/MSC/VLR: Acknowledge (note)
HPLMN -> BSS/MSC/VLR: Acknowledge (note)
[De-allocation of TMSIo]
NOTE: From a security point of view, the order of the procedures is irrelevant.
Figure 2.2: Location updating in a new MSCs area, within the same VLR area
Signalling functionalities:
Loc.Updating:
stands for Location Updating
The BSS/MSC/VLR indicates that the location of the MS must be updated.
2.3.3 Location updating in a new VLR; old VLR reachable
This procedure is part of the normal location updating procedure, using TMSI and LAI, when the original
location area and the new location area depend on different VLRs.
The MS is still registered in VLRo ("o" for old or original) and requests registration in VLRn ("n" for new).
LAI and TMSIo are sent by MS as identifying fields during the location updating procedure.
The procedure is schematized in figure 2.3.
Entities: MS, Radio path, BSS/MSC/VLRn, MSC/VLRo, HPLMN
MS -> BSS/MSC/VLRn: LAI, TMSIo
BSS/MSC/VLRn -> MSC/VLRo: TMSIo
MSC/VLRo -> BSS/MSC/VLRn: IMSI, Sec.Rel.Info.
[Management of means for new ciphering (see clause 4)]
[Allocation of TMSIn]
BSS/MSC/VLRn -> MS: Cipher(TMSIn) (note)
BSS/MSC/VLRn -> HPLMN: Loc.Updating (note)
MS -> BSS/MSC/VLRn: Acknowledge (note)
HPLMN -> BSS/MSC/VLRn: Acknowledge (note)
HPLMN -> MSC/VLRo: Cancellation
[De-allocation of TMSIo]
NOTE: From a security point of view, the order of the procedures is irrelevant.
Figure 2.3: Location updating in a new VLR; old VLR reachable
Signalling functionalities:
Sec.Rel.Info.:
Stands for Security Related information
The MSC/VLRn needs some information for authentication and ciphering; this information is
obtained from MSC/VLRo.
Cancellation:
The HLR indicates to VLRo that the MS is now under control of another VLR. The "old" TMSI is free
for allocation.
2.3.4 Location Updating in a new VLR; old VLR not reachable
This variant of the procedure in subclause 2.3.3 arises when the VLR receiving the LAI and TMSIo cannot
identify the VLRo. In that case the relation between TMSIo and IMSI is lost, and the identification of the
MS in clear is necessary.
The procedure is schematized in figure 2.4.
Entities: MS, Radio path, BSS/MSC/VLRn, MSC/VLRo, HPLMN
MS -> BSS/MSC/VLRn: LAI, TMSIo
[old VLR not reachable]
BSS/MSC/VLRn -> MS: Identity Request
MS -> BSS/MSC/VLRn: IMSI
[Management of means for new ciphering (see clause 4)]
[Allocation of TMSIn]
BSS/MSC/VLRn -> MS: Cipher(TMSIn) (note)
BSS/MSC/VLRn -> HPLMN: Location Updating (note)
MS -> BSS/MSC/VLRn: Acknowledge (note)
HPLMN -> BSS/MSC/VLRn: Acknowledge (note)
HPLMN -> MSC/VLRo: Cancellation
[De-allocation of TMSIo]
NOTE: From a security point of view, the order of the procedures is irrelevant.
Figure 2.4: Location Updating in a new VLR; old VLR not reachable
2.3.5 Reallocation of a new TMSI
This function can be initiated by the network whenever a radio connection exists. The procedure can be
included in other procedures, e.g. through the means of optional parameters. The execution of this
function is left to the network operator.
When a new TMSI is allocated to an MS the network must prevent the old TMSI from being allocated
again until the MS has acknowledged the allocation of the new TMSI.
If an IMSI record is deleted in the VLR by O&M action, the network must prevent any TMSI associated
with the deleted IMSI record from being allocated again until a new TMSI is successfully allocated to that
IMSI.
If an IMSI record is deleted in the HLR by O&M action, it is not possible to prevent any TMSI associated
with the IMSI record from being allocated again. However, if the MS whose IMSI record was deleted
should attempt to access the network using the TMSI after the TMSI has been allocated to a different
IMSI, then authentication or ciphering of the MS whose IMSI was deleted will almost certainly fail, which
will cause the TMSI to be deleted from the MS.
The case where allocation of a new TMSI is unsuccessful is described in subclause 2.3.8.
This procedure is schematized in figure 2.5.
Entities: MS, Radio path, BSS/MSC/VLR
[Allocation of TMSIn]
BSS/MSC/VLR -> MS: Cipher(TMSIn)
MS -> BSS/MSC/VLR: Acknowledge
[De-allocation of TMSIo]
Figure 2.5: Reallocation of a new TMSI
2.3.6 Local TMSI unknown
This procedure is a variant of the procedure described in subclauses 2.3.1 and 2.3.2, and happens when
a data loss has occurred in a VLR and when a MS uses an unknown TMSI, e.g. for a communication
request or for a location updating request in a location area managed by the same VLR.
This procedure is schematized in figure 2.6.
Entities: MS, Radio path, BSS/MSC/VLR, HPLMN
MS -> BSS/MSC/VLR: TMSIo (note)
[TMSIo is unknown]
BSS/MSC/VLR -> MS: Identity Request
MS -> BSS/MSC/VLR: IMSI
[Management of means for new ciphering (see clause 4)]
[Allocation of TMSIn]
BSS/MSC/VLR -> MS: Cipher(TMSIn)
MS -> BSS/MSC/VLR: Acknowledge
NOTE: Any message in which TMSIo is used as an identifying means in a location area managed by
the same VLR.
Figure 2.6: Location updating in the same MSC area; local TMSI unknown
2.3.7 Location updating in a new VLR in case of a loss of information
This variant of the procedure described in 2.3.3 arises when the VLR in charge of the MS has suffered a
loss of data. In that case the relation between TMSIo and IMSI is lost, and the identification of the MS in
clear is necessary.
The procedure is schematized in figure 2.7.
Entities: MS, Radio path, BSS/MSC/VLRn, MSC/VLRo, HPLMN
MS -> BSS/MSC/VLRn: LAI, TMSIo
BSS/MSC/VLRn -> MSC/VLRo: TMSIo
MSC/VLRo -> BSS/MSC/VLRn: Unknown
BSS/MSC/VLRn -> MS: Identity Request
MS -> BSS/MSC/VLRn: IMSI
[Management of means for new ciphering (see clause 4)]
[Allocation of TMSIn]
BSS/MSC/VLRn -> MS: Cipher(TMSIn) (note)
BSS/MSC/VLRn -> HPLMN: Location Updating (note)
MS -> BSS/MSC/VLRn: Acknowledge (note)
HPLMN -> BSS/MSC/VLRn: Acknowledge (note)
HPLMN -> MSC/VLRo: Cancellation
[De-allocation of TMSIo]
NOTE: From a security point of view, the order of the procedures is irrelevant.
Figure 2.7: Location updating in a new VLR in case of a loss of information
2.3.8 Unsuccessful TMSI allocation
If the MS does not acknowledge the allocation of a new TMSI, the network shall maintain the association
between the old TMSI and the IMSI and between the new TMSI and the IMSI.
For an MS-originated transaction, the network shall allow the MS to identify itself by either the old TMSI or
the new TMSI. This will allow the network to determine the TMSI stored in the MS; the association
between the other TMSI and the IMSI shall then be deleted, to allow the unused TMSI to be allocated to
another MS.
For a network-originated transaction, the network shall identify the MS by its IMSI. When radio contact has
been established, the network shall instruct the MS to delete any stored TMSI. When the MS has
acknowledged this instruction, the network shall delete the association between the IMSI of the MS and
any TMSI; this will allow the released TMSIs to be allocated to another MS.
In either of the cases above, the network may initiate the normal TMSI reallocation procedure.
Repeated failure of TMSI reallocation (passing a limit set by the operator) may be reported for O&M
action.
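The bookkeeping required by subclauses 2.3.5 and 2.3.8, as an added example that is not part of the ETS: a VLR-side table that keeps TMSIo reserved until TMSIn is acknowledged and resolves an unacknowledged allocation in the MS-originated and network-originated cases. Class and method names are hypothetical, the 32-bit TMSI length is an assumption (the ETS defers the format to GSM 03.03), and the IMSI is a constructed test value.

```python
import secrets


class TmsiTable:
    """VLR-side TMSI/IMSI associations for one location area (illustrative)."""

    def __init__(self, failure_limit=3):
        self.by_tmsi = {}    # TMSI -> IMSI: every association the network still honours
        self.current = {}    # IMSI -> TMSI last confirmed as stored in the MS
        self.pending = {}    # IMSI -> TMSIn sent ciphered, acknowledgement outstanding
        self.failures = {}   # IMSI -> count of unacknowledged reallocations
        self.failure_limit = failure_limit  # limit set by the operator (2.3.8)

    def _fresh(self):
        # A TMSI still associated with any IMSI must not be allocated again.
        while True:
            tmsi = secrets.randbits(32)  # assumption: 4-octet TMSI
            if tmsi not in self.by_tmsi:
                return tmsi

    def reallocate(self, imsi):
        """Allocate TMSIn. TMSIo stays reserved until the MS acknowledges."""
        if imsi in self.pending:
            raise RuntimeError("earlier allocation unresolved (2.3.8)")
        tmsi = self._fresh()
        self.by_tmsi[tmsi] = imsi
        self.pending[imsi] = tmsi
        return tmsi

    def acknowledge(self, imsi):
        """MS acknowledged TMSIn: de-allocate TMSIo and make TMSIn current."""
        new = self.pending.pop(imsi)
        old = self.current.get(imsi)
        if old is not None:
            del self.by_tmsi[old]
        self.current[imsi] = new
        self.failures[imsi] = 0

    def ack_missing(self, imsi):
        """No acknowledgement: both associations are kept.

        Returns True once the operator limit is passed (report for O&M).
        """
        self.failures[imsi] = self.failures.get(imsi, 0) + 1
        return self.failures[imsi] > self.failure_limit

    def ms_originated(self, tmsi):
        """MS identifies itself by TMSI; TMSIo and TMSIn are both accepted."""
        imsi = self.by_tmsi.get(tmsi)
        if imsi is None:
            return None  # unknown TMSI: the network asks for the IMSI (2.3.6)
        pend = self.pending.pop(imsi, None)
        if pend is not None:
            # The presented TMSI is the one stored in the MS; release the other.
            other = self.current.get(imsi) if tmsi == pend else pend
            if other is not None:
                del self.by_tmsi[other]
            self.current[imsi] = tmsi
        return imsi

    def tmsi_deleted_by_ms(self, imsi):
        """Network-originated case: the MS was reached by IMSI and has
        acknowledged the instruction to delete any stored TMSI."""
        released = [t for t, i in self.by_tmsi.items() if i == imsi]
        for t in released:
            del self.by_tmsi[t]
        self.current.pop(imsi, None)
        self.pending.pop(imsi, None)
        return released


def demo():
    vlr = TmsiTable(failure_limit=1)
    imsi = "001010000000001"          # constructed test IMSI
    tmsi_o = vlr.reallocate(imsi)
    vlr.acknowledge(imsi)
    tmsi_n = vlr.reallocate(imsi)     # Cipher(TMSIn) sent, no Acknowledge
    vlr.ack_missing(imsi)
    both_kept = {tmsi_o, tmsi_n} <= set(vlr.by_tmsi)
    who = vlr.ms_originated(tmsi_o)   # the MS still holds TMSIo
    return both_kept, who == imsi, tmsi_n in vlr.by_tmsi


if __name__ == "__main__":
    print(demo())
```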
3 Subscriber identity authentication
3.1 Generality
The definition and operational requirements of subscriber identity authentication are given in GSM 02.09.
The authentication procedure will also be used to set the ciphering key (see clause 4). Therefore, it is
performed after the subscriber identity (TMSI/IMSI) is known by the network and before the channel is
encrypted.
Two network functions are necessary: the authentication procedure itself, and the key management inside
the fixed subsystem.
3.2 The authentication procedure
The authentication procedure consists of the following exchange between the fixed subsystem and the
MS.
- The fixed subsystem transmits a non-predictable number RAND to the MS.
- The MS computes the signature of RAND, say SRES, using algorithm A3 and some secret
information: the Individual Subscriber Authentication Key, denoted below by Ki.
- The MS transmits the signature SRES to the fixed subsystem.
- The fixed subsystem tests SRES for validity.
The general procedure is schematized in figure 3.1.
Entities: MS, Radio path, Network side
Network side: IMSI (note) -> Ki
Network side -> MS: RAND
MS: Ki, RAND -> [A3] -> SRES
Network side: Ki, RAND -> [A3] -> SRES
MS -> Network side: SRES
Network side: comparison of the two SRES values -> yes/no
NOTE: IMSI is used to retrieve Ki in the network.
Figure 3.1: The authentication procedure
Authentication algorithm A3 is specified in annex C.
3.3 Subscriber Authentication Key management
The Subscriber Authentication Key Ki is allocated, together with the IMSI, at subscription time.
Ki is stored on the network side in the Home Public Land Mobile Network (HPLMN), in an Authentication
Centre (AuC). A PLMN may contain one or more AuC. An AuC can be physically integrated with other
functions, e.g. in a Home Location Register (HLR).
3.3.1 General authentication procedure
When needed for each MS, the BSS/MSC/VLR requests security related information from the HLR/AuC
corresponding to the MS. This includes an array of pairs of corresponding RAND and SRES. These pairs
are obtained by applying Algorithm A3 to each RAND and the key Ki as shown in figure 3.1. The pairs are
stored in the VLR as part of the security related information.
The procedure used for updating the vectors RAND/SRES is schematized in figure 3.2.
NOTE: The Authentication Vector Response contains also Kc(1.n) which is not shown in this
and the following figures. For discussion of Kc see clause 4.
Entities: BSS/MSC/VLR, HLR/AuC
BSS/MSC/VLR -> HLR/AuC: Security Related Information Request
HLR/AuC: [generate RAND(1..n)], Ki -> [A3]
HLR/AuC -> BSS/MSC/VLR: Authentication Vector Response (SRES(1..n), RAND(1..n))
BSS/MSC/VLR: [Store RAND/SRES vectors]
Figure 3.2: Procedure for updating the vectors RAND/SRES
When an MSC/VLR performs an authentication, including the case of a location updating within the same
VLR area, it chooses a RAND value in the array corresponding to the MS. It then tests the answer from
the MS by comparing it with the corresponding SRES, as schematized in figure 3.3.
Entities: MS, Radio path, BSS/MSC/VLR
BSS/MSC/VLR -> MS: RAND(j)
MS: Ki, RAND(j) -> [A3] -> SRES(j)
MS -> BSS/MSC/VLR: SRES(j)
BSS/MSC/VLR: comparison with the stored SRES(j) -> yes/no
Figure 3.3: General authentication procedure
3.3.2 Authentication at location updating in a new VLR, using TMSI
During location updating in a new VLR (VLRn), the procedure to get pairs for subsequent authentication
may differ from that described in the previous subclause. In the case when identification is done using
TMSI, pairs for authentication as part of security related information are given by the old VLR (VLRo). The
old VLR shall send to the new VLR only those pairs which have not been used.
The procedure is schematized in figure 3.4.
Entities: MS, Radio path, BSS/MSC/VLRn, MSC/VLRo, HPLMN
MS -> BSS/MSC/VLRn: LAI, TMSIo
BSS/MSC/VLRn -> MSC/VLRo: TMSIo
MSC/VLRo -> BSS/MSC/VLRn: IMSI, RAND(1..n), SRES(1..n)
BSS/MSC/VLRn -> MS: RAND
MS: Ki, RAND -> [A3] -> SRES
MS -> BSS/MSC/VLRn: SRES
BSS/MSC/VLRn: comparison of SRES -> yes/no
[Location Updating]
Figure 3.4: Authentication at location updating in a new VLR, using TMSI
3.3.3 Authentication at location updating in a new VLR, using IMSI
When the IMSI is used for identification, or more generally when the old VLR is not reachable, the
procedure described in subclause 3.3.2 cannot be used. Instead, pairs of RAND/SRES contained in the
security related information are requested directly from the HPLMN.
The procedure is schematized in figure 3.5.
Entities: MS, Radio path, BSS/MSC/VLRn, HPLMN
MS -> BSS/MSC/VLRn: IMSI
BSS/MSC/VLRn -> HPLMN: Sec.Rel.Info Req.
HPLMN -> BSS/MSC/VLRn: RAND(1..n), SRES(1..n)
BSS/MSC/VLRn -> MS: RAND
MS: Ki, RAND -> [A3] -> SRES
MS -> BSS/MSC/VLRn: SRES
BSS/MSC/VLRn: comparison of SRES -> yes/no
[Location Updating]
Figure 3.5: Authentication at location updating in a new VLR, using IMSI
3.3.4 Authentication at location updating in a new VLR, using TMSI, TMSI unknown in "old" VLR
This case is an abnormal one, when a data loss has occurred in the "old" VLR.
The procedure is schematized in figure 3.6.
Entities: MS, Radio path, BSS/MSC/VLRn, MSC/VLRo, HPLMN
MS -> BSS/MSC/VLRn: LAI, TMSIo
BSS/MSC/VLRn -> MSC/VLRo: TMSIo
MSC/VLRo -> BSS/MSC/VLRn: Unknown
BSS/MSC/VLRn -> MS: Identity Request
MS -> BSS/MSC/VLRn: IMSI
BSS/MSC/VLRn -> HPLMN: Sec.Rel.Info Req.
HPLMN -> BSS/MSC/VLRn: RAND(1..n), SRES(1..n)
BSS/MSC/VLRn -> MS: RAND
MS: Ki, RAND -> [A3] -> SRES
MS -> BSS/MSC/VLRn: SRES
BSS/MSC/VLRn: comparison of SRES -> yes/no
[Location Updating]
Figure 3.6: Authentication at location updating in a new VLR, using TMSI, TMSI unknown in "old" VLR
3.3.5 Authentication at location updating in a new VLR, using TMSI, old VLR not reachable
The case occurs when an old VLR cannot be reached by the new VLR.
The procedure is schematized in figure 3.7.
Entities: MS, Radio path, BSS/MSC/VLRn, MSC/VLRo, HPLMN
MS -> BSS/MSC/VLRn: LAI, TMSIo
[VLR not reachable]
BSS/MSC/VLRn -> MS: Identity Request
MS -> BSS/MSC/VLRn: IMSI
BSS/MSC/VLRn -> HPLMN: Sec.Rel.Info Req.
HPLMN -> BSS/MSC/VLRn: RAND(1..n), SRES(1..n)
BSS/MSC/VLRn -> MS: RAND
MS: Ki, RAND -> [A3] -> SRES
MS -> BSS/MSC/VLRn: SRES
BSS/MSC/VLRn: comparison of SRES -> yes/no
[Location Updating]
Figure 3.7: Authentication at location updating in a new VLR, using TMSI, old VLR not reachable
3.3.6 Authentication with IMSI if authentication with TMSI fails
If authentication of an MS which identifies itself with a TMSI is unsuccessful, the network requests the
IMSI from the MS, and repeats the authentication using the IMSI. Optionally, if authentication using the
TMSI fails, the network may reject the access request or location registration request which triggered the
authentication.
3.3.7 Re-use of security related information in failure situations
Security related information consisting of sets of RAND, SRES and Kc is stored in the VLR and in the
HLR.
When a VLR has used a set of security related information to authenticate an MS, it shall delete the set of
security related information or mark it as used. When a VLR needs to use security related information, it
shall use a set which is not marked as used in preference to a set which is marked as used; if there are no
sets which are not marked as used then the VLR may use a set which is marked as used. It is an operator
option to define how many times a set of security related information may be re-used in the VLR; when a
set of security related information has been re-used as many times as is permitted by the operator, it shall
be deleted.
If a VLR successfully requests security related information from the HLR, it shall discard any security
related information which is marked as used in the VLR.
If a VLR receives from another VLR a request for security related information, it shall send only the sets
which are not marked as used.
If an HLR receives a request for security related information, it shall send any sets which are not marked
as used; those sets shall then be deleted or marked as used. If there are no sets which are not marked as
used, the HLR may as an operator option send sets which are marked as used. It is an operator option to
define how many times a set of security related information may be re-sent by the HLR; when a set of
security related information has been sent as many times as is permitted by the operator, it shall be
deleted.
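The VLR rules above, modelled as a small per-subscriber store (an added example, not part of the standard; the class, method and parameter names are hypothetical, the sample sets are constructed, and the HLR is assumed to return only sets not marked as used):

```python
from dataclasses import dataclass

@dataclass(eq=False)
class Triplet:
    rand: bytes
    sres: bytes
    kc: bytes
    uses: int = 0  # 0 = not marked as used

class VlrTripletStore:
    """Security related information held by a VLR for one subscriber."""

    def __init__(self, max_reuse):
        self.max_reuse = max_reuse  # operator option: permitted re-uses per set
        self.sets = []

    def take_for_authentication(self):
        """Pick a set, preferring one not marked as used; None if the store is empty."""
        if not self.sets:
            return None
        unused = [t for t in self.sets if t.uses == 0]
        chosen = unused[0] if unused else self.sets[0]
        chosen.uses += 1  # mark as used (first use) or count one more re-use
        if chosen.uses - 1 >= self.max_reuse:
            # Re-used as often as the operator permits: delete the set.
            self.sets = [t for t in self.sets if t is not chosen]
        return chosen

    def load_from_hlr(self, new_sets):
        """After a successful HLR request, discard every set marked as used."""
        self.sets = [t for t in self.sets if t.uses == 0] + list(new_sets)

    def export_to_other_vlr(self):
        """Answer another VLR's request with the unused sets only."""
        return [t for t in self.sets if t.uses == 0]

def make_sets(tag, count):
    """Constructed sample sets; real RAND, SRES and Kc values come from the HLR."""
    return [Triplet(bytes([tag, i]) * 8, bytes([tag, i]) * 2, bytes([i, tag]) * 4)
            for i in range(count)]
```

With `max_reuse=0` every set is deleted at first use, which is the "delete" branch of the rule; any larger value means the same RAND, and therefore the same SRES and Kc, is presented again when the store runs out of unused sets.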
4 Confidentiality of signalling information elements, connectionless data and
user information elements on physical connections
4.1 Generality
In GSM 02.09, some signalling information elements are considered sensitive and must be protected.
To ensure identity confidentiality (see clause 2), the Temporary Subscriber Identity must be transferred in
a protected mode at allocation time and at other times when the signalling procedures permit it.
The confidentiality of connectionless user data requires at least the protection of the message part
pertaining to OSI layers 4 and above.
The confidentiality of user information on physical connections concerns the information
transmitted on a traffic channel on the MS-BSS interface (e.g. for speech). It is not an end-to-end
confidentiality service.
These needs for a protected mode of transmission are fulfilled with the same mechanism where the
confidentiality function is an OSI layer 1 function. The scheme described below assumes that the main part
of the signalling information elements is transmitted on DCCH (Dedicated Control Channel), and that the
CCCH (Common Control Channel) is only used for the allocation of a DCCH.
Four points have to be specified:
- the ciphering method;
- the key setting;
- the starting of the enciphering and deciphering processes;
- the synchronization.
4.2 The ciphering method
The layer 1 data flow (transmitted on DCCH or TCH) is ciphered by a bit per bit or stream cipher, i.e. the
data flow on the radio path is obtained by the bit per bit binary addition of the user data flow and a
ciphering bit stream, generated by algorithm A5 using a key determined as specified in subclause 4.3. The
key is denoted below by Kc, and is called "Ciphering Key".
For multislot configurations (e.g. HSCSD) different ciphering bit streams are used on the different
timeslots. On timeslot "n" a ciphering bit stream, generated by algorithm A5, using a key Kcn is used. Kcn
is derived from Kc as follows:
Let BN denote a binary encoding onto 64 bits of the timeslot number "n" (range 0-7). Bit "i" of Kcn,
Kcn(i), is then calculated as Kc(i) xor (BN<<32(i)) ("xor" indicates: "bit per bit binary addition" and
"<<32" indicates: "32 bit circular shift"), the number convention being such that the lsb of Kc is
xored with the lsb of the shifted BN.
Deciphering is performed by exactly the same method.
Algorithm A5 is specified in annex C.
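The multislot derivation of Kcn from Kc, worked through in code (an added example, not part of the standard; function names are hypothetical, the sample Kc is constructed, and Kc is assumed to be held as 8 bytes whose last byte carries the lsb). A5 itself is not implemented here.

```python
MASK64 = (1 << 64) - 1

def rotl64(value, shift):
    """Circular left shift of a 64-bit value."""
    shift %= 64
    return ((value << shift) | (value >> (64 - shift))) & MASK64

def derive_kcn(kc, timeslot):
    """Kcn(i) = Kc(i) xor (BN<<32)(i) for timeslot number n in the range 0-7."""
    if len(kc) != 8:
        raise ValueError("Kc must be 64 bits")
    if not 0 <= timeslot <= 7:
        raise ValueError("timeslot number must be in the range 0-7")
    bn = timeslot                        # BN: timeslot number encoded on 64 bits
    kc_int = int.from_bytes(kc, "big")   # assumption: last byte carries the lsb
    return (kc_int ^ rotl64(bn, 32)).to_bytes(8, "big")

def changed_bits(kc, kcn):
    """Bit positions (lsb = 0) in which Kcn differs from Kc."""
    diff = int.from_bytes(kc, "big") ^ int.from_bytes(kcn, "big")
    return [i for i in range(64) if (diff >> i) & 1]

def multislot_keys(kc):
    """Kcn for every timeslot number 0-7."""
    return {n: derive_kcn(kc, n) for n in range(8)}

SAMPLE_KC = bytes.fromhex("0123456789abcdef")  # constructed value, not a real key

if __name__ == "__main__":
    for n, kcn in multislot_keys(SAMPLE_KC).items():
        print(n, kcn.hex(), changed_bits(SAMPLE_KC, kcn))
```

Because BN takes only the values 0-7, the shifted BN touches bits 32 to 34 alone: timeslot 0 uses Kc unchanged, and every other Kcn differs from Kc in at most three bit positions.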
4.3 Key setting
Mutual key setting is the procedure that allows the mobile station and the network to agree on the key Kc
to use in the ciphering and deciphering algorithms A5.
A key sett
...







