Cryptography Reference
In-Depth Information
by upgrading authentication triplets to
quintets
, which additionally include a
sequence number that prevents successful replay and a MAC key.
Use of publicly known algorithms
. UMTS adopts cryptographic algorithms
based on well-established and well-studied techniques. While it does not
quite use 'off-the-shelf' algorithms, due to the desire to tailor algorithms to
the underlying hardware, the algorithms deployed are very closely based on
standard algorithms and the modifications have been publicly evaluated.
Longer key lengths
. Following the relaxation of export restrictions that were
in place at the time of GSM development, the key lengths of the underlying
cryptographic algorithms were increased to 128 bits.
Integrity of signalling data
. UMTS provides additional integrity protection to the
critical signalling data. This is provided using a MAC, whose key is established
during the UMTS authentication (AKE) protocol.
UMTS SECURITY PROTOCOLS
We will omit the details of the UMTS security protocols since they are, in
essence, just slightly more complex versions of the original GSM protocols. Entity
authentication of the mobile user is conducted via a similar challenge-response
mechanism toGSM, at the end of which encryption andMACkeys are established.
Entity authentication of the base station is added to UMTS through the use of a
MAC. The freshness mechanism used as part of this authentication is a sequence
number (see Section 8.2.2), which is maintained by the mobile user and the
base station. This is preferable to also using a challenge-response protocol in the
opposite direction since, as we discussed in Section 8.2.3, this would introduce one
extra message exchange, as well as require the mobile user to randomly generate
a challenge number. It would also be very inconvenient when roaming, since the
local mobile operator would have to contact a user's home mobile operator during
each authentication attempt.
Roaming works on exactly the same principle as for GSM, except that the
additional fields of the authentication quintet provide protection against replays.
UMTS CRYPTOGRAPHIC ALGORITHMS
Just as for GSM, mobile operators are free to use their own cryptographic
algorithms as part of the UMTS AKE protocol. However, UMTS recommends
the use of a set of algorithms called MILENAGE, which is based on AES and
implements all the functionality required for UMTS authentication.
Once again the encryption algorithmmust be fixed across all mobile operators.
The selected UMTS algorithm is KASUMI, which is a 128-bit block cipher based
on a well-studied design known as MISTY. Since what we really want is a stream
cipher, KASUMI is deployed in a mode of operation that deploys a block cipher
as a stream cipher keystream generator (similar to some of those discussed in
Section 4.6). UMTS also specifies 'backup' stream ciphers in the (unexpected)
event that a serious vulnerability is found in KASUMI.
