look like there are — there will be no practically effective attacks like
that of Biryukov and Shamir (see Section 5.7.2).
At the base stations, quintets rather than triplets arrive. The three GSM
values, SRAND, SRES and Kc, remain in place (under different names), while
two keys are new: an integrity key, IK (128 bits), and an anonymity key, AK.
Like the encryption key Kc, neither of these keys ever crosses the air
interface; both are computed from SRAND and Ki at the network provider and
in the handset.
IK is the key for 32-bit keyed checksums (message authentication codes,
MACs; see Section 6.3.1), which serve the function of digital signatures on
signaling traffic. With a MAC the network authenticates itself to the cell
phone (and vice versa), in particular on important signaling messages
('disable encryption' is an easily remembered example). A sequence number
and a direction flag, which states whether the packet travels from the cell
phone to the base station or the other way round, enter the MAC computation
together with the message itself. Both pieces of information defeat specific
replay attacks, in which an active attacker resends packets captured
earlier, possibly in the opposite direction.
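The following is an added example (not code from the book) of the point just made: binding the sequence counter and the direction flag into the integrity MAC is what turns a replayed or reflected 'disable encryption' command into a packet the receiver rejects. The 3GPP integrity function f9 is KASUMI-based and also takes a per-connection random value FRESH; here a truncated HMAC-SHA-256 stands in for f9 and FRESH is omitted, which are assumptions of this example. The names (mac_signaling, Receiver, demo) and the key and message bytes are constructed for illustration.

```python
"""Added example: why the UMTS integrity MAC binds COUNT-I and DIRECTION.

A truncated HMAC-SHA-256 stands in for the real, KASUMI-based f9 (assumption);
the 32-bit MAC width is the real MAC-I width. All names and data are invented.
"""
import hashlib
import hmac

MAC_BITS = 32                 # MAC-I is 32 bits wide
UPLINK, DOWNLINK = 0, 1       # direction flag: phone -> network, network -> phone


def mac_signaling(ik: bytes, count: int, direction: int, message: bytes) -> bytes:
    """Stand-in for f9: MAC over (COUNT-I, DIRECTION, message) under IK.

    Because COUNT-I and DIRECTION are MAC inputs, identical message bytes get a
    different MAC for every counter value and for each direction.
    """
    if direction not in (UPLINK, DOWNLINK):
        raise ValueError("direction must be 0 (uplink) or 1 (downlink)")
    data = count.to_bytes(4, "big") + bytes([direction]) + message
    return hmac.new(ik, data, hashlib.sha256).digest()[: MAC_BITS // 8]


class Receiver:
    """One end of the link; accepts only fresh packets from the peer's direction."""

    def __init__(self, ik: bytes, expected_direction: int):
        self.ik = ik
        self.expected_direction = expected_direction
        self.last_count = -1  # highest COUNT-I accepted so far

    def accept(self, count: int, direction: int, message: bytes, mac: bytes) -> bool:
        # Wrong direction flag: the packet was not produced by our peer.
        if direction != self.expected_direction:
            return False
        # Replay: a counter value already consumed is never accepted again.
        if count <= self.last_count:
            return False
        expected = mac_signaling(self.ik, count, direction, message)
        if not hmac.compare_digest(expected, mac):
            return False  # forged, modified, or relabelled signaling message
        self.last_count = count
        return True


def demo() -> dict:
    """Constructed scenario: the network orders the phone to switch ciphering off."""
    ik = bytes(range(16))  # constructed 128-bit integrity key shared by both ends
    phone = Receiver(ik, expected_direction=DOWNLINK)
    network = Receiver(ik, expected_direction=UPLINK)
    msg = b"SECURITY MODE COMMAND: ciphering off"  # constructed signaling message

    # Genuine downlink message with COUNT-I = 7: accepted.
    mac = mac_signaling(ik, 7, DOWNLINK, msg)
    genuine = phone.accept(7, DOWNLINK, msg, mac)

    # Attacker records the packet and resends it later: counter 7 is stale.
    replayed = phone.accept(7, DOWNLINK, msg, mac)

    # Attacker relabels the packet as uplink and reflects it at the network:
    # the MAC was computed over DIRECTION = downlink, so it no longer verifies.
    reflected = network.accept(7, UPLINK, msg, mac)

    # Attacker bumps the counter to pass the freshness check but has no IK.
    forged = phone.accept(8, DOWNLINK, msg, mac)

    return {"genuine": genuine, "replayed": replayed,
            "reflected": reflected, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

Only the first delivery of the command is accepted; the same bytes replayed, reflected into the other direction, or re-counted without the key all fail. The counter check and the MAC check are deliberately separate: the counter stops replays of genuine packets, the MAC stops everything an attacker produces without IK.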
The key AK serves to conceal the sequence number, which an attacker could
otherwise use to track the sender's identity and cell. AK is set to zero
where this protection is considered unnecessary.
The MACs described above make 'signed' (authenticated) signaling messages
possible. Unlike GSM, this allows fast local authentication, that is,
without having to request or consume a fresh quintet every time a
connection is set up. This matters in UMTS, because connections are
continually set up and torn down, for instance while surfing the Web, so
that unused radio resources are released quickly. The lifetime of a key is
agreed at the start of a connection and recorded in a dedicated field of
the signaling message.
Encrypted packets are not decrypted in the base station itself but in the
Radio Network Controller (RNC) behind it. Terminating the encryption in the
RNC keeps the traffic protected across the network sections between base
station and RNC, which are not tamperproof.
The wireless communication is encrypted by means of KASUMI, which is
operated in OFB mode, but with two minor modifications. While you would
write

$$S_{n+1} = \mathrm{KASUMI}(S_n), \qquad C_n = S_n \oplus P_n$$
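As an added example (not code from the book), the block below implements the keystream generator written above, S_{n+1} = KASUMI(S_n), C_n = S_n xor P_n, and shows the property that makes plain OFB dangerous on a radio link: the keystream depends only on the key and the start value, so two packets encrypted with the same start value leak the XOR of their plaintexts. It goes beyond this page by also implementing the OFB variant of 3GPP's f8 mode as TS 35.201 specifies it (initial state A derived from COUNT, BEARER and DIRECTION under the key CK xor KM, with A and a block counter XORed into each feedback step). KASUMI itself is not implemented; a 64-bit keyed function built from HMAC-SHA-256 stands in for it, which is an assumption of this example, so the keystream bytes are not those of real f8. Names and sample data are constructed.

```python
"""Added example: OFB keystream generation, plain and in the 3GPP f8 variant.

block_cipher() is a stand-in for KASUMI (assumption: a 64-bit keyed function
from HMAC-SHA-256, not the real cipher). All names and data are invented.
"""
import hashlib
import hmac
from typing import Iterator

BLOCK = 8                   # KASUMI block size: 64 bits
KM = bytes([0x55] * 16)     # key modifier used by f8 (3GPP TS 35.201)


def block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for KASUMI_key(block): 64 bits in, 64 bits out."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_keystream(key: bytes, iv: bytes) -> Iterator[bytes]:
    """Plain OFB as written on the page: S_{n+1} = E(S_n); the S_n are the keystream."""
    s = iv
    while True:
        s = block_cipher(key, s)
        yield s


def f8_keystream(ck: bytes, count: int, bearer: int, direction: int) -> Iterator[bytes]:
    """f8-style OFB: KS_n = E_CK(A xor BLKCNT xor KS_{n-1}), KS_0 = 0, BLKCNT = n-1."""
    # IV = COUNT (32 bits) | BEARER (5 bits) | DIRECTION (1 bit) | 26 zero bits
    iv = ((count << 32) | (bearer << 27) | (direction << 26)).to_bytes(BLOCK, "big")
    a = block_cipher(xor(ck, KM), iv)   # modification 1: start value under CK xor KM
    ks = bytes(BLOCK)                   # KS_0 = 0
    blkcnt = 0
    while True:
        # modification 2: A and the block counter enter every feedback step
        ks = block_cipher(ck, xor(xor(a, ks), blkcnt.to_bytes(BLOCK, "big")))
        yield ks
        blkcnt += 1


def encrypt(keystream: Iterator[bytes], data: bytes) -> bytes:
    """C_n = S_n xor P_n; decryption is the same call with the same keystream."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        out += xor(chunk, next(keystream)[:len(chunk)])
    return bytes(out)


def demo() -> dict:
    ck = bytes(range(16))              # constructed 128-bit cipher key
    p1 = b"disable encryption now"     # constructed plaintexts
    p2 = b"location update request"

    # Plain OFB with one fixed start value for every packet.
    iv = bytes(BLOCK)
    c1 = encrypt(ofb_keystream(ck, iv), p1)
    roundtrip = encrypt(ofb_keystream(ck, iv), c1) == p1
    c2 = encrypt(ofb_keystream(ck, iv), p2)
    # Same key, same IV: C1 xor C2 == P1 xor P2, the keystream cancels out.
    leak = xor(c1, c2) == xor(p1, p2)

    # f8: COUNT differs per packet, so the two packets get unrelated keystreams.
    d1 = encrypt(f8_keystream(ck, count=1, bearer=3, direction=0), p1)
    d2 = encrypt(f8_keystream(ck, count=2, bearer=3, direction=0), p2)
    f8_roundtrip = encrypt(f8_keystream(ck, 1, 3, 0), d1) == p1
    f8_no_leak = xor(d1, d2) != xor(p1, p2)

    return {"roundtrip": roundtrip, "leak": leak,
            "f8_roundtrip": f8_roundtrip, "f8_no_leak": f8_no_leak}


if __name__ == "__main__":
    print(demo())
```

The point of the f8 variant is visible in the demo: the per-packet COUNT (and BEARER and DIRECTION) go into the start value A, so uplink and downlink, and successive packets, never share keystream even though the cipher key CK stays the same for the whole connection.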
 