Distribution of EPS Authentication Vectors from HSS to MME

The MME invokes the procedure by requesting EPS AVs from the HSS. The Authenti-cation Information Request shall include the IMSI, the SN id of the requesting MME, and an indication that the authentication information is requested for EPS. The SN id is required for the computation of K_ASMEin the HSS.

Upon the receipt of the Authentication Information Request from the MME, the HSS may have pre-computed AVs available and retrieve them from the HSS database, or it may compute them on demand. The HSS sends an Authentication Information Answer back to the MME that contains an ordered array ofn EPS AVs (1 . . . n). Ifn > 1, the EPS AVs are ordered based on sequence number.

[TS33.401] recommendsn=1, so that only one AV is sent at a time, because the need for frequently contacting the HSS for fresh AVs has been reduced in EPS through the availability of the local master key K_ASME, which is not exposed in a way similar to Ciphering Key in 3G (CK) and Integrity Key in 3G (IK) in UMTS and, hence, does not need to be renewed very often. Based on the local master key, and keys derived from it, an MME can offer secure services even when links to the HE are unavailable. Furthermore, pre-computed AVs are no longer usable when the user moves to a different SN owing to the binding of the local master key K_ASMEto the SN id. However, pre-computation may still be useful when the next request for AVs is likely to be issued by an MME in the same SN, which may be the case, for example, for a user in his home network.

2It should be noted that the term Mobile Station is no longer used in EPS. Nevertheless, we keep this notation here so as to make it easier for the reader to compare the presentation in this book with the description of sequence number handling in [TS33.102], which also applies to EPS AKA.

EPS Authentication and Key Agreement 115

Each EPS AV is good for one run of the AKA procedure between the MME and the USIM.

Generation of Authentication Vectors in the HSS

A UMTS AV consists of a random-number random 128-bit string (RAND), an expected response (XRES), a CK, an IK and an authentication token (AUTN) (see Section 4.2), while an EPS AV consists of a random number RAND, an XRES, a local master key K_ASME and an AUTN. Figure 7.2 shows the generation of a UMTS AV by the AuC, and the generation of an EPS AV from this UMTS AV by the HSS.

Both UMTS AVs and EPS AVs play a role in EPS AKA. The AuC generates UMTS AVs for EPS AKA in exactly the same format as for UMTS AKA. The HSS part outside the AuC derives K_ASMEfrom the CK and IK.

SQN

RAND AMF

MAC

KDF

K_ASME

SN id SQN xor AK

Generate RAND Generate SQN

XRES CK IK AK

K

AUTN := SQN xor AK || AMF || MAC

UMTS AV := RAND || XRES || CK || IK || AUTN

EPS AV := RAND || XRES || K_ASME|| AUTN

f1 f2 f3 f4 f5

Figure 7.2 Generation of UMTS and EPS authentication vectors.

The AuC starts with generating a fresh sequence number SQN and an unpredictable challenge RAND. For each user the HSS keeps track of the counter SQN_HE.

The HSS has some flexibility in generating sequence numbers, but some require-ments need to be fulfilled by the mechanism used. According to [TS33.102], these requirements are:³

• The generation mechanism shall allow the re-synchronization procedure in the HE (i.e.

in the HSS) described in clause 6.3.5.

• When the SQN exposes the identity and location of the user, the AK may be used as an anonymity key to conceal it. This needs some explanation. When the SQN of a particular user was predictable, and sufficiently different from the SQNs of other users in the area, it could be used to identify the user when eavesdropping on authentication messages. Whether there is a risk for the SQN to hint at a user’s identity depends on the SQN generation scheme and needs to be decided by the operator. As it is always possible to use AK (there is a detailed description below), this second requirement is actually not a requirement on the SQN generation process itself, but a caveat on the use of SQNs in AVs.

• The generation mechanism shall allow protection against wrap-around [of] the counter in the USIM.

It depends on the method of generating sequence numbers how exactly SQN_HE is used. Example methods for generating fresh sequence numbers are given in informative Annex C.1 of [TS33.102]. One method is based on using SQN_HE as a counter that is increased step by step, while another method is time-based. Combinations of these two methods are also possible. Furthermore, the SQN generation method can be chosen such that separate SQN spaces are used for different domains in which AKA AVs are used – EPS, 3G CS, 3G PS or IP Multimedia Subsystem (IMS). The use of this latter feature is one way of minimizing synchronization failures; the handling of such failures is explained in this chapter. A full description of the SQN generation methods here would, unfortunately, require an amount of space and detail beyond the scope of this book. The interested reader is therefore referred to the referenced part of the specification.

An AMF is included in the AUTN of each AV. The role of the AMF is discussed a bit further below in this chapter.

Upon request from the HSS, the AuC computes the following values, as described in [TS33.102]:

• a message authentication code MAC=f1_K(SQN||RAND||AMF), where f1 is a mes-sage authentication function,

• an expected response XRES=f2_K(RAND), where f2 is a (possibly truncated) message authentication function,

• a cipher key CK=f3_K (RAND), where f3 is a key generating function,

• an integrity key IK=f4_K (RAND), where f4 is a key generating function and

• an anonymity key AK=f5_K(RAND), where f5 is a key generating function or f5≡0.

3Some text reproduced with permission from2010, 3GPP.

EPS Authentication and Key Agreement 117

Finally the authentication token AUTN=(SQN xor AK)||AMF||MAC is constructed.

If the operator decides that no concealment of SQN is needed, then they set f5≡0 (AK=0).

The following step is new for EPS compared to 3G. When the HSS receives the UMTS AV from the AuC, the HSS applies the KDF to CK, IK, SN id and, for technical cryptographic reasons, (SQN xor AK). The result of the application of KDF is the key K_ASME. CK and IK can then be deleted in the HSS. The keys CK and IK used for computing EPS AVs must never leave the HSS.

AMF Usage for EPS AKA Authentication Vector Identification

In earlier releases of the UMTS AKA specification, the use of the AMF was completely proprietary. Annex F of [TS33.102] lists example uses of the AMF. They are:

• indicating the algorithm and key used to generate a particular AV when multiple algo-rithms and permanent keys are used,

• change of parameters relating to SQN verification in the USIM and

• setting threshold values for key lifetimes.

However, not much use was made of the AMF in practice; and it turned out, on the other hand, that the AMF was well suited to distinguish between AVs for EPS use and those for legacy uses. 3GPP decided to use the most significant bit of the AMF for this distinction and call it the ‘AMF separation bit’, and to reserve the seven next most significant bits of the AMF for future standardization use, while leaving the remaining eight bits for proprietary use. Annex H of [TS33.102] defines this usage of the bits in the AMF. Annex H was introduced in Release 8, the 3GPP release where EPS was first specified.

The AuC shall set the AMF separation bit to ‘1’ in AVs for EPS use, and to ‘0’

otherwise.

Readers may ask why the SQNs could not be used, instead of the AMF, to distinguish AVs for EPS use from those for legacy uses. After all, as explained in this chapter, SQNs can be generated such that separate SQN spaces are used for different usage domains of AVs. The answer is twofold:

• Firstly and foremost, as we will see in Section 7.2.3, it is the ME that must check whether the type of radio access network it is connected to (Evolved Universal Ter-restrial Radio Access Network=E-UTRAN) corresponds to the type of AV (‘for EPS use’) received from the network. But the ME cannot read the SQN if it is concealed by AK. The USIM cannot perform this check as it has no idea about the network connection. Furthermore, the USIM may be according to the Release 99 specifications and have no EPS-specific functionality.

• Secondly, the SQN management scheme is proprietary, and 3GPP prefers to keep it this way.

Only the AuC can set bits in the AMF. Therefore, in order for the AuC to be able to correctly set the AMF separation bit, the HSS must tell the AuC that the request for AVs is for EPS use. The example uses of the AMF listed here can still be realized using the proprietary part of the AMF.

Lengths of Authentication Parameters

The lengths of authentication parameters are the same for EPS AKA as the ones specified for UMTS AKA in clause 6.3.7 of [TS33.102]. In particular, the permanent key K, RAND, CK and IK are all 128 bits long. It is true that K_ASMEis 256 bits long, but it also has a key entropy of only 128 bits as it is derived from K. It should be noted, however, that EPS is specified in such a way that all keys can be extended to 256 bits of length if a need is seen in the future.

7.2.3 Mutual Authentication and Establishment of a Shared Key