SIST ETS 300 534 E3:2003

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Digital cellular telecommunications system (Phase 2) (GSM); Security related network functions (GSM 03.20 version 4.4.1)33.070.50Globalni sistem za mobilno telekomunikacijo (GSM)Global System for Mobile Communication (GSM)ICS:Ta slovenski standard je istoveten z:ETS 300 534 Edition 3SIST ETS 300 534 E3:2003en01-december-2003SIST ETS 300 534 E3:2003SLOVENSKI
STANDARD
EUROPEANETS 300 534TELECOMMUNICATIONAugust 1997STANDARDThird EditionSource: ETSI SMGReference: RE/SMG-030320PRICS:33.020Key words:Digital cellular telecommunications system, Global System for Mobile communications (GSM)GLOBAL SYSTEM
FOR MOBILE COMMUNICATIONSRDigital cellular telecommunications system (Phase 2);Security related network functions(GSM 03.20 version 4.4.1)ETSIEuropean Telecommunications Standards InstituteETSI SecretariatPostal address: F-06921 Sophia Antipolis CEDEX - FRANCEOffice address: 650 Route des Lucioles - Sophia Antipolis - Valbonne - FRANCEX.400: c=fr, a=atlas, p=etsi, s=secretariat - Internet: secretariat@etsi.frTel.: +33 4 92 94 42 00 - Fax: +33 4 93 65 47 16Copyright Notification: No part may be reproduced except as authorized by written permission. The copyright and theforegoing restriction extend to reproduction in all media.© European Telecommunications Standards Institute 1997. All rights reserved.SIST ETS 300 534 E3:2003

Page 2ETS 300 534 (GSM 03.20 version 4.4.1): August 1997Whilst every care has been taken in the preparation and publication of this document, errors in content,typographical or otherwise, may occur. If you have comments concerning its accuracy, please write to"ETSI Editing and Committee Support Dept." at the address shown on the title page.SIST ETS 300 534 E3:2003

Page 3ETS 300 534 (GSM 03.20 version 4.4.1): August 1997ContentsForeword.50 Scope.70.1Normative references.70.2Abbreviations.71General.82Subscriber identity confidentiality.92.1Generality.92.2Identifying method.92.3Procedures.102.3.1Location updating in the same MSC area.102.3.2Location updating in a new MSCs area, within the same VLR area.112.3.3Location updating in a new VLR; old VLR reachable.122.3.4Location Updating in a new VLR; old VLR not reachable.132.3.5Reallocation of a new TMSI.142.3.6Local TMSI unknown.152.3.7Location updating in a new VLR in case of a loss of information.162.3.8Unsuccessful TMSI allocation.163Subscriber identity authentication.173.1Generality.173.2The authentication procedure.173.3Subscriber Authentication Key management.183.3.1General authentication procedure.183.3.2Authentication at location updating in a new VLR, using TMSI.193.3.3Authentication at location updating in a new VLR, using IMSI.203.3.4Authentication at location updating in a new VLR, using TMSI, TMSIunknown in "old" VLR.213.3.5Authentication at location updating in a new VLR, using TMSI, old VLRnot reachable.223.3.6Authentication with IMSI if authentication with TMSI fails.223.3.7Re-use of security related information in failure situations.234Confidentiality of signalling information elements, connectionless data and user informationelements on physical connections.244.1Generality.244.2The ciphering method.244.3Key setting.254.4Ciphering key sequence number.264.5Starting of the ciphering and deciphering processes.264.6Synchronization.264.7Handover.274.8Negotiation of A5 algorithm.275Synthetic summary.28Annex A (informative):Security issues related to signalling schemes and key management.29A.1Introduction.29A.2Short description of the schemes.29A.3List of abbreviations.30SIST ETS 300 534 E3:2003

Page 4ETS 300 534 (GSM 03.20 version 4.4.1): August 1997Annex B (informative):Security information to be stored in the entities of the GSM system.44B.1Introduction.44B.2Entities and security information.44B.2.1Home Location Register (HLR).44B.2.2Visitor Location Register (VLR).44B.2.3Mobile services Switching Centre (MSC)/Base Station System (BSS).44B.2.4Mobile Station (MS).45B.2.5Authentication Centre (AuC).45Annex C (normative):External specifications of security related algorithms.46C.0Scope.46C.1Specifications for Algorithm A5.46C.1.1Purpose.46C.1.2Implementation indications.46C.1.3External specifications of Algorithm A5.48C.1.4Internal specification of Algorithm A5.48C.2Algorithm A3.48C.2.1Purpose.48C.2.2Implementation and operational requirements.48C.3Algorithm A8.49C.3.1Purpose.49C.3.2Implementation and operational requirements.49Annex D (informative):Status of Technical Specification GSM 03.20.50History.51SIST ETS 300 534 E3:2003

Page 5ETS 300 534 (GSM 03.20 version 4.4.1): August 1997ForewordThis European Telecommunication Standard (ETS) has been produced by the Special Mobile Group(SMG) of the European Telecommunications Standards Institute (ETSI).This ETS defines the security related network functions for the Digital cellular telecommunications system(Phase 2).The specification from which this ETS has been derived was originally based on CEPT documentation,hence the presentation of this ETS may not be entirely in accordance with the ETSI rules.Transposition datesDate of adoption:25 July 1997Date of latest announcement of this ETS (doa):30 November 1997Date of latest publication of new National Standardor endorsement of this ETS (dop/e):31 May 1998Date of withdrawal of any conflicting National Standard (dow):31 May 1998SIST ETS 300 534 E3:2003

Page 6ETS 300 534 (GSM 03.20 version 4.4.1): August 1997Blank pageSIST ETS 300 534 E3:2003

Page 7ETS 300 534 (GSM 03.20 version 4.4.1): August 19970ScopeThis European Telecommunication Standard (ETS) specifies the network functions needed to provide thesecurity related service and functions specified in technical specification GSM 02.09.This ETS does not address the cryptological algorithms that are needed to provide different securityrelated features. This topic is addressed in annex C. Wherever a cryptological algorithm or mechanism isneeded, this is signalled with a reference to annex C. The references refers only to functionalities, andsome algorithms may be identical or use common hardware.0.1Normative referencesThis ETS incorporates by dated and undated reference, provisions from other publications. Thesenormative references are cited at the appropriate places in the text and the publications are listedhereafter. For dated references, subsequent amendments to or revisions of any of these publicationsapply to this ETS only when incorporated in it by amendment or revision. For undated references, thelatest edition of the publication referred to applies.[1]GSM 01.04 (ETR 100): "Digital cellular telecommunications system (Phase 2);Abbreviations and acronyms".[2]GSM 02.07 (ETS 300 505): "Digital cellular telecommunications system(Phase 2); Mobile Station (MS) features".[3]GSM 02.09 (ETS 300 506): "Digital cellular telecommunications system(Phase 2); Security aspects".[4]GSM 02.17 (ETS 300 509): "Digital cellular telecommunications system(Phase 2); Subscriber identity modules
Functional characteristics".[5]GSM 03.03 (ETS 300 523): "Digital cellular telecommunications system(Phase 2); Numbering, addressing and identification".[6]GSM 04.08 (ETS 300 557): "Digital cellular telecommunications system(Phase 2); Mobile radio interface layer 3 specification".[7]GSM 05.01 (ETS 300 573): "Digital cellular telecommunications system(Phase 2); Physical layer on the radio path
General description".[8]GSM 05.02 (ETS 300 574): "Digital cellular telecommunications system(Phase 2); Multiplexing and multiple access on the radio path".[9]GSM 05.03 (ETS 300 575): "Digital cellular telecommunications system(Phase 2); Channel coding".[10]GSM 09.02 (ETS 300 599): "Digital cellular telecommunications system(Phase 2); Mobile Application Part (MAP) specification".0.2AbbreviationsAbbreviations used in this ETS are listed in GSM 01.04.Specific abbreviations used in annex A are listed in clause A.3.SIST ETS 300 534 E3:2003

Page 8ETS 300 534 (GSM 03.20 version 4.4.1): August 19971GeneralThe different security related services and functions that are listed in GSM 02.09 are grouped as follows:-Subscriber identity confidentiality;-Subscriber identity authentication;-Signalling information element and connectionless user data confidentiality and data confidentialityfor physical connections (ciphering).It shall be possible to introduce new authentication and ciphering algorithms during the systems lifetime.The fixed network may support more than one authentication and ciphering algorithm.The security procedures include mechanisms to enable recovery in event of signalling failures. Theserecovery procedures are designed to minimize the risk of a breach in the security of the system.General on figures in this ETS:-In the figures below, signalling exchanges are referred to by functional names. The exact messagesand message types are specified in GSM 04.08 and GSM 09.02.-No assumptions are made for function splitting between MSC (Mobile Switching Centre), VLR(Visitor Location Register) and BSS (Base Station System). Signalling is described directly betweenMS and the local network (i.e. BSS, MSC and VLR denoted in the figures by BSS/MSC/VLR). Thesplitting in annex A is given only for illustrative purposes.-Addressing fields are not given; all information relates to the signalling layer. The TMSI allowsaddressing schemes without IMSI, but the actual implementation is specified in the GSM 04-series.-The term HPLMN in the figures below is used as a general term which should be understood asHLR (Home Location Register) or AuC (Authentication Centre).-What is put in a box is not part of the described procedure but it is relevant to the understanding ofthe figure.SIST ETS 300 534 E3:2003

Page 9ETS 300 534 (GSM 03.20 version 4.4.1): August 19972Subscriber identity confidentiality2.1GeneralityThe purpose of this function is to avoid the possibility for an intruder to identify which subscriber is using agiven resource on the radio path (e.g. TCH (Traffic Channel) or signalling resources) by listening to thesignalling exchanges on the radio path. This allows both a high level of confidentiality for user data andsignalling and protection against the tracing of a user's location.The provision of this function implies that the IMSI (International Mobile Subscriber Identity), or anyinformation allowing a listener to derive the IMSI easily, should not normally be transmitted in clear text inany signalling message on the radio path.Consequently, to obtain the required level of protection, it is necessary that:-a protected identifying method is normally used instead of the IMSI on the radio path; and-the IMSI is not normally used as addressing means on the radio path (see GSM 02.09);-when the signalling procedures permit it, signalling information elements that convey informationabout the mobile subscriber identity must be ciphered for transmission on the radio path.The identifying method is specified in the following subclause. The ciphering of communication over theradio path is specified in clause 4.2.2Identifying methodThe means used to identify a mobile subscriber on the radio path consists of a TMSI (Temporary MobileSubscriber Identity). This TMSI is a local number, having a meaning only in a given location area; theTMSI must be accompanied by the LAI (Location Area Identification) to avoid ambiguities. The maximumlength and guidance for defining the format of a TMSI are specified in GSM 03.03.The network (e.g. a VLR) manages suitable data bases to keep the relation between TMSIs and IMSIs.When a TMSI is received with an LAI that does not correspond to the current VLR, the IMSI of the MSmust be requested from the VLR in charge of the indicated location area if its address is known; otherwisethe IMSI is requested from the MS.A new TMSI must be allocated at least in each location updating procedure. The allocation of a new TMSIcorresponds implicitly for the MS to the de-allocation of the previous one. In the fixed part of the network,the cancellation of the record for an MS in a VLR implies the de-allocation of the corresponding TMSI.To cope with some malfunctioning, e.g. arising from a software failure, the fixed part of the network canrequire the identification of the MS in clear. This procedure is a breach in the provision of the service, andshould be used only when necessary.When a new TMSI is allocated to an MS, it is transmitted to the MS in a ciphered mode. This cipheredmode is the same as defined in clause 4.The MS must store its current TMSI in a non volatile memory, together with the LAI, so that these data arenot lost when the MS is switched off.SIST ETS 300 534 E3:2003

Page 10ETS 300 534 (GSM 03.20 version 4.4.1): August 19972.3ProceduresThis subclause presents the procedures, or elements of procedures, pertaining to the management ofTMSIs.2.3.1Location updating in the same MSC areaThis procedure is part of the location updating procedure which takes place when the original locationarea and the new location area depend on the same MSC. The part of this procedure relative to TMSImanagement is reduced to a TMSI re-allocation (from TMSIo with "o" for "old" to TMSIn with "n" for"new").The MS sends TMSIo as an identifying field at the beginning of the location updating procedure.The procedure is schematized in figure 2.1.¸¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5·º¶¶¾¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¾¶¶¶¶¶»···/$,706,R·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½··¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·0DQDJHPHQWRIPHDQVIRUQHZFLSKHULQJ··VHHFODXVH·º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»···¸¶¶¶¶¶¶¶¶¶¶¶¶¹··$OORFDWLRQ···RI706,Q··º¶¶¶¶¶¶¶¶¶¶¶¶»·&LSKHU706,Q·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½···$FNQRZOHGJH·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½··¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹·'HDOORFDWLRQ··RI706,R·º¶¶¶¶¶¶¶¶¶¶¶¶¶»Figure 2.1: Location updating in the same MSC areaSignalling Functionalities:Management of means for new ciphering:The MS and BSS/MSC/VLR agree on means for ciphering signalling information elements, inparticular to transmit TMSIn.SIST ETS 300 534 E3:2003

Page 11ETS 300 534 (GSM 03.20 version 4.4.1): August 19972.3.2Location updating in a new MSCs area, within the same VLR areaThis procedure is part of the location updating procedure which takes place when the original locationarea and the new location area depend on different MSCs, but on the same VLR.The procedure is schematized on figure 2.2.¸¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5··+3/01·º¶¶¾¶¶»º¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¾¶¶¶¶¶¶»º¶¶¶¶¾¶¶»····/$,706,R··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½····¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹··0DQDJHPHQWRIPHDQVIRUQHZ···FLSKHULQJVHHFODXVH··º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»··¸¶¶¶¶¶¶¶¶¶¶¶¶¹···DOORFDWLRQ····RI706,Q···º¶¶¶¶¶¶¶¶¶¶¶¶»········QRWH··&LSKHU706,QQRWH··/RF8SGDWLQJ·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½·······QRWH··$FNQRZOHGJHQRWH··$FNQRZOHGJH·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹·'HDOORFDWLRQ··RI706,R·º¶¶¶¶¶¶¶¶¶¶¶¶¶»NOTE:From a security point of view, the order of the procedures is irrelevant.Figure 2.2: Location updating in a new MSCs area, within the same VLR areaSignalling functionalities:Loc.Updating:stands for Location UpdatingThe BSS/MSC/VLR indicates that the location of the MS must be updated.SIST ETS 300 534 E3:2003

Page 12ETS 300 534 (GSM 03.20 version 4.4.1): August 19972.3.3Location updating in a new VLR; old VLR reachableThis procedure is part of the normal location updating procedure, using TMSI and LAI, when the originallocation area and the new location area depend on different VLRs.The MS is still registered in VLRo ("o" for old or original) and requests registration in VLRn ("n" for new).LAI and TMSIo are sent by MS as identifying fields during the location updating procedure.The procedure is schematized in figure 2.3.¸¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5Q··06&9/5R··+3/01·º¶¶¾¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¾¾¶¶¶¶»º¶¶¶¶¾¶¶¶»º¶¶¶¾¶»······/$,706,R··706,R··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½¼¶¶¶¶¶¶¶¶¶¶!½·········,06,····¼¶¶¶¶¶¶¶¶¶¶½·¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·6HF5HO,QI···0DQDJHPHQWRIPHDQVIRUQHZ····FLSKHULQJVHHFODXVH···º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»···¸¶¶¶¶¶¶¶¶¶¶¶¶¹····$OORFDWLRQ·····RI706,Q····º¶¶¶¶¶¶¶¶¶¶¶¶»··········&LSKHU706,QQRWH··/RF8SGDWLQJQRWH·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½·········$FNQRZOHGJHQRWH··$FNQRZOHGJHQRWH·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½···&DQFHOODWLRQ¼¶¶¶¶¶¶¶½¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹·'HDOORFDWLRQ··RI706,R·º¶¶¶¶¶¶¶¶¶¶¶¶¶»NOTE:From a security point of view, the order of the procedures is irrelevant.Figure 2.3: Location updating in a new VLR; old VLR reachableSignalling functionalities:Sec.Rel.Info.:Stands for Security Related informationThe MSC/VLRn needs some information for authentication and ciphering; this information isobtained from MSC/VLRo.Cancellation:The HLR indicates to VLRo that the MS is now under control of another VLR. The "old" TMSI is freefor allocation.SIST ETS 300 534 E3:2003

Page 13ETS 300 534 (GSM 03.20 version 4.4.1): August 19972.3.4Location Updating in a new VLR; old VLR not reachableThis variant of the procedure in subclause 2.3.3 arises when the VLR receiving the LAI and TMSIo cannotidentify the VLRo. In that case the relation between TMSIo and IMSI is lost, and the identification of theMS in clear is necessary.The procedure is schematized in figure 2.4¸¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5Q··06&9/5R··+3/01·º¶¾¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¾¶¶¶¶¶»º¶¶¶¶¶¶¶¶»º¶¶¶¾¶»····/$,706,R··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½··¸¶¶¶¶¶¶¶¶¶¶¶¶¹···ROG9/5QRW····UHDFKDEOH···,GHQWLW\5HTXHVWº¶¶¶¶¶¶¶¶¶¶¶¶»·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½·····,06,··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½····¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·0DQDJHPHQWRIPHDQVIRUQHZ··FLSKHULQJVHHFODXVH·º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»·¸¶¶¶¶¶¶¶¶¶¶¶¶¹···$OORFDWLRQ····RI706,Q···º¶¶¶¶¶¶¶¶¶¶¶¶»··········&LSKHU706,QQRWH··/RFDWLRQ8SGDWLQJQRWH·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½·····$FNQRZOHGJHQRWH··$FNQRZOHGJHQRWH·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½···&DQFHOODWLRQ·¼¶¶¶¶¶¶¶¶¶¶¶½¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹·'HDOORFDWLRQ··RI706,R·º¶¶¶¶¶¶¶¶¶¶¶¶¶»NOTE:From a security point of view, the order of the procedures is irrelevant.Figure 2.4: Location Updating in a new VLR; old VLR not reachableSIST ETS 300 534 E3:2003

Page 14ETS 300 534 (GSM 03.20 version 4.4.1): August 19972.3.5Reallocation of a new TMSIThis function can be initiated by the network whenever a radio connection exists. The procedure can beincluded in other procedures, e.g. through the means of optional parameters. The execution of thisfunction is left to the network operator.When a new TMSI is allocated to an MS the network must prevent the old TMSI from being allocatedagain until the MS has acknowledged the allocation of the new TMSI.If an IMSI record is deleted in the VLR by O&M action, the network must prevent any TMSI associatedwith the deleted IMSI record from being allocated again until a new TMSI is successfully allocated to thatIMSI.If an IMSI record is deleted in the HLR by O&M action, it is not possible to prevent any TMSI associatedwith the IMSI record from being allocated again. However, if the MS whose IMSI record was deletedshould attempt to access the network using the TMSI after the TMSI has been allocated to a differentIMSI, then authentication or ciphering of the MS whose IMSI was deleted will almost certainly fail, whichwill cause the TMSI to be deleted from the MS.The case where allocation of a new TMSI is unsuccessful is described in subclause 2.3.8.This procedure is schematized in figure 2.5.¸¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5·º¶¶¶¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶»·¸¶¶¶¶¶¶¶¶¶¶¶¶¹··$OORFDWLRQ···RI706,Q··º¶¶¶¶¶¶¶¶¶¶¶¶»·&LSKHU706,Q·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½···$FNQRZOHGJH·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½··¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹·'HDOORFDWLRQ··RI706,R·º¶¶¶¶¶¶¶¶¶¶¶¶¶»Figure 2.5: Reallocation of a new TMSISIST ETS 300 534 E3:2003

Page 15ETS 300 534 (GSM 03.20 version 4.4.1): August 19972.3.6Local TMSI unknownThis procedure is a variant of the procedure described in subclauses 2.3.1 and 2.3.2, and happens whena data loss has occurred in a VLR and when a MS uses an unknown TMSI, e.g. for a communicationrequest or for a location updating request in a location area managed by the same VLR.This procedure is schematized in figure 2.6.¸¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5··+3/01·º¶¶¾¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¾¶¶¶¶¶»º¶¶¶¶¾¶¶»····706,RQRWH··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½··¸¶¶¶¶¶¶¶¶¶¶¶¶¹···706,RLV····XQNQRZQ···,GHQWLW\5HTXHVWº¶¶¶¶¶¶¶¶¶¶¶¶»·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½·····,06,··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½····¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·0DQDJHPHQWRIPHDQVIRUQHZ··FLSKHULQJVHHFODXVH·º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»·¸¶¶¶¶¶¶¶¶¶¶¶¶¹··$OORFDWLRQ···RI706,Q··&LSKHU706,Qº¶¶¶¶¶¶¶¶¶¶¶¶»¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½···$FNQRZOHGJH·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½··NOTE:Any message in which TMSIo is used as an identifying means in a location area managed bythe same VLR.Figure 2.6: Location updating in the same MSC area; local TMSI unknownSIST ETS 300 534 E3:2003

Page 16ETS 300 534 (GSM 03.20 version 4.4.1): August 19972.3.7Location updating in a new VLR in case of a loss of informationThis variant of the procedure described in 2.3.3 arises when the VLR in charge of the MS has suffered aloss of data. In that case the relation between TMSIo and IMSI is lost, and the identification of the MS inclear is necessary.The procedure is schematized in figure 2.7.¸¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5Q··06&9/5R··+3/01·º¶¾¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¾¾¶¶¶¶»º¶¶¶¾¶¶¶¶»º¶¶¶¾¶»······/$,706,R··706,R··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½¼¶¶¶¶¶¶¶¶¶¶!½·········8QNQRZQ···,GHQWLW\5HTXHVW·¼¶¶¶¶¶¶¶¶¶¶½·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½·······,06,··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½····¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·0DQDJHPHQWRIPHDQVIRUQHZ··FLSKHULQJVHHFODXVH·º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»·¸¶¶¶¶¶¶¶¶¶¶¶¶¹···$OORFDWLRQ····RI706,Q···º¶¶¶¶¶¶¶¶¶¶¶¶»······&LSKHU706,QQRWH··/RFDWLRQ8SGDWLQJQRWH·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½·····$FNQRZOHGJHQRWH··$FNQRZOHGJHQRWH·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½···&DQFHOODWLRQ·¼¶¶¶¶¶¶¶¶¶¶¶½¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹·'HDOORFDWLRQ··RI706,R·º¶¶¶¶¶¶¶¶¶¶¶¶¶»NOTE:From a security point of view, the order of the procedures is irrelevant.Figure 2.7: Location updating in a new VLR in case of a loss of information2.3.8Unsuccessful TMSI allocationIf the MS does not acknowledge the allocation of a new TMSI, the network shall maintain the associationbetween the old TMSI and the IMSI and between the new TMSI and the IMSI.For an MS-originated transaction, the network shall allow the MS to identify itself by either the old TMSI orthe new TMSI. This will allow the network to determine the TMSI stored in the MS; the associationbetween the other TMSI and the IMSI shall then be deleted, to allow the unused TMSI to be allocated toanother MS.For a network-originated transaction, the network shall identify the MS by its IMSI. When radio contact hasbeen established, the network shall instruct the MS to delete any stored TMSI. When the MS hasacknowledged this instruction, the network shall delete the association between the IMSI of the MS andany TMSI; this will allow the released TMSIs to be allocated to another MS.In either of the cases above, the network may initiate the normal TMSI reallocation procedure.Repeated failure of TMSI reallocation (passing a limit set by the operator) may be reported for O&Maction.SIST ETS 300 534 E3:2003

Page 17ETS 300 534 (GSM 03.20 version 4.4.1): August 19973Subscriber identity authentication3.1GeneralityThe definition and operational requirements of subscriber identity authentication are given in GSM 02.09.The authentication procedure will also be used to set the ciphering key (see clause 4). Therefore, it isperformed after the subscriber identity (TMSI/IMSI) is known by the network and before the channel isencrypted.Two network functions are necessary: the authentication procedure itself, and the key management insidethe fixed subsystem.3.2The authentication procedureThe authentication procedure consists of the following exchange between the fixed subsystem and theMS.-The fixed subsystem transmits a non-predictable number RAND to the MS.-The MS computes the signature of RAND, say SRES, using algorithm A3 and some secretinformation: the Individual Subscriber Authentication Key, denoted below by Ki.-The MS transmits the signature SRES to the fixed subsystem.-The fixed subsystem tests SRES for validity.The general procedure is schematized in figure 3.1.¸¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·06··5DGLRSDWK··1HWZRUNVLGH·º¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶»5$1',06,.L5$1'·QRWH·¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½········999·¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹·.L·$···º¶¶¶¶¶¶¾¶¶¶¶¶¶»99·¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹··$··º¶¶¶¶¶¶¾¶¶¶¶¶¶»·9·65(6¸¶¶¶¹º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½ ·º¶¾¶»·9\HVQRNOTE:IMSI is used to retrieve Ki in the network.Figure 3.1: The authentication procedureAuthentication algorithm A3 is specified in annex C.SIST ETS 300 534 E3:2003

Page 18ETS 300 534 (GSM 03.20 version 4.4.1): August 19973.3Subscriber Authentication Key managementThe Subscriber Authentication Key Ki is allocated, together with the IMSI, at subscription time.Ki is stored on the network side in the Home Public Land Mobile Network (HPLMN), in an AuthenticationCentre (AuC). A PLMN may contain one or more AuC. An AuC can be physically integrated with otherfunctions, e.g. in a Home Location Register (HLR).3.3.1General authentication procedureWhen needed for each MS, the BSS/MSC/VLR requests security related information from the HLR/AuCcorresponding to the MS. This includes an array of pairs of corresponding RAND and SRES. These pairsare obtained by applying Algorithm A3 to each RAND and the key Ki as shown in figure 3.1. The pairs arestored in the VLR as part of the security related information.The procedure used for updating the vectors RAND/SRES is schematized in figure 3.2.NOTE:The Authentication Vector Response contains also Kc(1.n) which is not shown in thisand the following figures. For discussion of Kc see clause 4.¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·%6606&9/5··+/5$X&·º¶¶¶¶¾¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¶¾¶¶¶¶¶¶»···6HFXULW\5HODWHG,QIRUPDWLRQ5HTXHVW·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½···¸¶¶¶¶¶¶¶¶¶¶¶¹··JHQHUDWH·.L··5$1'Q···º¶¶¶¶¶¾¶¶¶¶¶»·····99·¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹··$··º¶¶¶¶¶¶¶¾¶¶¶¶¶»·$XWKHQWLFDWLRQ9HFWRU5HVSRQVH·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»·65(6Q5$1'Q·¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·6WRUH5$1'65(6··YHFWRUV·º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»Figure 3.2: Procedure for updating the vectors RAND/SRESSIST ETS 300 534 E3:2003

Page 19ETS 300 534 (GSM 03.20 version 4.4.1): August 1997When an MSC/VLR performs an authentication, including the case of a location updating within the sameVLR area, it chooses a RAND value in the array corresponding to the MS. It then tests the answer fromthe MS by comparing it with the corresponding SRES, as schematized in figure 3.3.¸¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5·º¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¾¶¶¶¶¶¶¶»···5$1'M·65(6M¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½···.L·5$1'M··99··¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹···$···º¶¶¶¶¶¶¶¶¾¶¶¶¶»···65(6M·····9·····65(6M··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½¶¶¹·······99¸¶¶¶¶¶¹· ·º¶¶¾¶¶»9\HVQRFigure 3.3: General authentication procedure3.3.2Authentication at location updating in a new VLR, using TMSIDuring location updating in a new VLR (VLRn), the procedure to get pairs for subsequent authenticationmay differ from that described in the previous subclause. In the case when identification is done usingTMSI, pairs for authentication as part of security related information are given by the old VLR (VLRo). Theold VLR shall send to the new VLR only those pairs which have not been used.The procedure is schematized in figure 3.4.¸¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5Q··06&9/5R··+3/01·º¶¾¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¾¾¶¶¶¶»º¶¶¶¶¾¶¶¶»º¶¶¶¾¶»······/$,706,R··706,R··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½¼¶¶¶¶¶¶¶¶¶¶!½·········,06,··.L···5$1'Q······65(6Q····5$1'·¼¶¶¶¶¶¶¶¶¶¶½··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½·····99··¸¶¶¶¶¶¹···$···º¶¶¶¶¶»···65(6··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½··¸¶¶¶¶¶¹··· ···º¶¶¾¶¶»·9·\HVQR·¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·/RFDWLRQ8SGDWLQJ·º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»Figure 3.4: Authentication at location updating in a new VLR, using TMSISIST ETS 300 534 E3:2003

Page 20ETS 300 534 (GSM 03.20 version 4.4.1): August 19973.3.3Authentication at location updating in a new VLR, using IMSIWhen the IMSI is used for identification, or more generally when the old VLR is not reachable, theprocedure described in subclause 3.3.2 cannot be used. Instead, pairs of RAND/SRES contained in thesecurity related information are requested directly from the HPLMN.The procedure is schematized in figure 3.5.¸¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5Q··+3/01·º¶¾¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¾¾¶¶¶¶»º¶¶¶¾¶»·,06,··6HF5HO,QIR5HT·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½····.L···5$1'Q···5$1'·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½65(6Q·99··¸¶¶¶¶¶¹···$···º¶¶¶¶¶»···65(6··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½··¸¶¶¶¶¶¹··· ··º¶¶¾¶¶»·9·\HVQR·¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·/RFDWLRQ8SGDWLQJ·º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»Figure 3.5: Authentication at location updating in a new VLR, using IMSISIST ETS 300 534 E3:2003

Page 21ETS 300 534 (GSM 03.20 version 4.4.1): August 19973.3.4Authentication at location updating in a new VLR, using TMSI, TMSI unknown in "old"VLRThis case is an abnormal one, when a data loss has occurred in the "old" VLR.The procedure is schematized in figure 3.6.¸¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5Q··06&9/5R··+3/01·º¶¾¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¾¾¶¶¶¶»º¶¶¶¶¾¶¶¶»º¶¶¶¾¶»······/$,706,R··706,R··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½¼¶¶¶¶¶¶¶¶¶¶!½·········8QNQRZQ···,GHQWLW\5HTXHVW·¼¶¶¶¶¶¶¶¶¶¶½·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½·····,06,··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½·6HF5HO,QIR5HT···¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½·······5$1'Q65(6Q···¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½.L·5$1'···¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½·99··¸¶¶¶¶¶¹···$···º¶¶¶¶¶»···65(6··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½··¸¶¶¶¶¶¹··· ··º¶¶¾¶¶»·9·\HVQR·¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·/RFDWLRQ8SGDWLQJ·º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»Figure 3.6: Authentication at location updating in a new VLR, using TMSI,TMSI unknown in "old" VLRSIST ETS 300 534 E3:2003

Page 22ETS 300 534 (GSM 03.20 version 4.4.1): August 19973.3.5Authentication at location updating in a new VLR, using TMSI, old VLR not reachableThe case occurs when an old VLR cannot be reached by the new VLR.The procedure is schematized in figure 3.7¸¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5Q··06&9/5R··+3/01·º¶¾¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¾¶¶¶¶¶»º¶¶¶¶¶¶¶¶»º¶¶¶¾¶»····/$,706,R··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½·····¸¶¶¶¶¶¶¶¶¶¶¶¶¹···9/5QRW····UHDFKDEOH···º¶¶¶¶¶¶¶¶¶¶¶¶»··,GHQWLW\5HTXHVW··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½·····,06,··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½·6HF5HO,QIR5HT···¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½·······5$1'Q65(6Q···¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½.L·5$1'···¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½·99··¸¶¶¶¶¶¹···$···º¶¶¶¶¶»···65(6··¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½··¸¶¶¶¶¶¹··· ··º¶¶¾¶¶»·9·\HVQR·¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·/RFDWLRQ8SGDWLQJ·º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»Figure 3.7: Authentication at location updating in a new VLR, using TMSI, old VLR not reachable3.3.6Authentication with IMSI if authentication with TMSI failsIf authentication of an MS which identifies itself with a TMSI is unsuccessful, the network requests theIMSI from the MS, and repeats the authentication using the IMSI. Optionally, if authentication using theTMSI fails the network may reject the access request or location registration request which triggered theauthentication.SIST ETS 300 534 E3:2003

Page 23ETS 300 534 (GSM 03.20 version 4.4.1): August 19973.3.7Re-use of security related information in failure situationsSecurity related information consisting of sets of RAND, SRES and Kc is stored in the VLR and in theHLR.When a VLR has used a set of security related information to authenticate an MS, it shall delete the set ofsecurity related information or mark it as used. When a VLR needs to use security related information, itshall use a set which is not marked as used in preference to a set which is marked as used; if there are nosets which are not marked as used then the VLR may use a set which is marked as used. It is an operatoroption to define how many times a set of security related information may be re-used in the VLR; when aset of security related information has been re-used as many times as is permitted by the operator, it shallbe deleted.If a VLR successfully requests security related information from the HLR, it shall discard any securityrelated information which is marked as used in the VLR.If a VLR receives from another VLR a request for security related information, it shall send only the setswhich are not marked as used.If an HLR receives a request for security related information, it shall send any sets which are not markedas used; those sets shall then be deleted or marked as used. If there are no sets which are not marked asused, the HLR may as an operator option send sets which are marked as used. It is an operator option todefine how many times a set of security related information may be re-sent by the HLR; when a set ofsecurity related information has been sent as many times as is permitted by the operator, it shall bedeleted.SIST ETS 300 534 E3:2003

Page 24ETS 300 534 (GSM 03.20 version 4.4.1): August 19974Confidentiality of signalling information elements, connectionless data anduser information elements on physical connections4.1GeneralityIn GSM 02.09, some signalling information elements are considered sensitive and must be protected.To ensure identity confidentiality (see clause 2), the Temporary Subscriber Identity must be transferred ina protected mode at allocation time and at other times when the signalling procedures permit it.The confidentiality of connection less user data requires at least the protection of the message partpertaining to OSI layers 4 and above.The user information confidentiality of user information on physical connections concerns the informationtransmitted on a traffic channel on the MS-BSS interface (e.g. for speech). It is not an end-to-endconfidentiality service.These needs for a protected mode of transmission are fulfilled with the same mechanism where theconfidentiality function is a OSI layer 1 function. The scheme described below assumes that the main partof the signalling information elements is transmitted on DCCH (Dedicated Control Channel), and that theCCCH (Common Control Channel) is only used for the allocation of a DCCH.Four points have to be specified:-the ciphering method;-the key setting;-the starting of the enciphering and deciphering processes;-the synchronization.4.2The ciphering methodThe layer 1 data flow (transmitted on DCCH or TCH) is ciphered by a bit per bit or stream cipher, i.e. thedata flow on the radio path is obtained by the bit per bit binary addition of the user data flow and aciphering bit stream, generated by algorithm A5 using a key determined as specified in subclause 4.3. Thekey is denoted below by Kc, and is called "Ciphering Key".Deciphering is performed by exactly the same method.Algorithm A5 is specified in annex C.SIST ETS 300 534 E3:2003

Page 25ETS 300 534 (GSM 03.20 version 4.4.1): August 19974.3Key settingMutual key setting is the procedure that allows the mobile station and the network to agree on the key Kcto use in the ciphering and deciphering algorithms A5.A key setting is triggered by the authentication procedure. Key setting may be initiated by the network asoften as the network operator wishes.Key setting must occur on a DCCH not yet encrypted and as soon as the identity of the mobile subscriber(i.e. TMSI or IMSI) is known by the network.The transmission of Kc to the MS is indirect and uses the authentication RAND value; Kc is derived fromRAND by using algorithm A8 and the Subscriber Authentication key Ki, as defined in annex C.As a consequence, the procedures for the management of Kc are the authentication proceduresdescribed in subclause 3.3.The values Kc are computed together with the SRES values. The security related information (seesubclause 3.3.1) consists of RAND, SRES and Kc.The key Kc is stored by the mobile station until it is updated at the next authentication.Key setting is schematized in figure 4.1.¸¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·06··5DGLRSDWK··1HWZRUNVLGH·º¶¶¶¶¶¶¶¶¾¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¾¶¶¶¶¶¶¶»···706,·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½···5$1'RU,06,·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½·.L·5$1'·5$1'·.L9999¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹·$··$·º¶¶¶¶¶¶¾¶¶¶¶¶¶»º¶¶¶¶¶¶¾¶¶¶¶¶¶»·.F·.F99¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¹·6WRUH.F··6WRUH.F·º¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶»Figure 4.1: Key settingSIST ETS 300 534 E3:2003

Page 26ETS 300 534 (GSM 03.20 version 4.4.1): August 19974.4Ciphering key sequence numberThe ciphering key sequence number is a number which is associated with the ciphering key Kc and theyare stored together in the mobile station and in the network.However since it is not directly involved in any security mechanism, it is not addressed in this ETS but inGSM 04.08 instead.4.5Starting of the ciphering and deciphering processesThe MS and the BSS must co-ordinate the instants at which the enciphering and deciphering processesstart on DCCH and TCH.On DCCH, this procedure takes place under the control of the network some time after the completion ofthe authentication procedure (if any), or after the key Kc has been made available at the BSS.No information elements for which protection is needed must be sent before the ciphering and decipheringprocesses are operating.The transition from clear text mode to ciphered mode proceeds as follows: deciphering starts in the BSS,which sends in clear text to the MS a specific message, here called "Start cipher". Both the encipheringand deciphering start on the MS side after the message "Start cipher" has been correctly received by theMS. Finally, enciphering on the BSS side starts as soon as a frame or a message from the MS has beencorrectly deciphered at the BSS.The starting of enciphering and deciphering processes is schematized in figure 4.2.¸¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹·06··5DGLRSDWK··%6606&9/5·º¶¶¶¶¶¶¶¶¾¶¶»º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»º¶¶¶¶¶¶¾¶¶¶¶¶¶¶»·¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹··6WDUWGHFLSKHULQJ··º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»·6WDUWFLSKHU·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶½¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹··6WDUWGHFLSKHULQJ···DQG···6WDUWHQFLSKHULQJ··º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»····DQ\FRUUHFWO\GHFLSKHUHGPHVVDJH·¼¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶!½·¸¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¹··6WDUWHQFLSKHULQJ·º¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶»Figur
...