|
TECHNICAL SPECIFICATION
Universal Mobile Telecommunications System (UMTS);
LTE;
3G Security;
Specification of the MILENAGE algorithm set: An example
algorithm set for the 3GPP authentication and key generation
functions f1, f1*, f2, f3, f4, f5 and f5*;
Document 3: Implementors' test data
(3GPP TS 35.207 version 15.0.0 Release 15)
---------------------- Page: 1 ----------------------
3GPP TS 35.207 version 15.0.0 Release 15 1 ETSI TS 135 207 V15.0.0 (2018-12)
Reference
RTS/TSGS-0335207vf00
Keywords
LTE,SECURITY,UMTS
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
If you find errors in the present document, please send your comment to one of the following services:
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© ETSI 2018.
All rights reserved.
TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
TM TM
3GPP and LTE are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and
of the oneM2M Partners
GSM and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI
---------------------- Page: 2 ----------------------
3GPP TS 35.207 version 15.0.0 Release 15 2 ETSI TS 135 207 V15.0.0 (2018-12)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP).
The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or
GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables.
The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under
.
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
ETSI
---------------------- Page: 3 ----------------------
3GPP TS 35.207 version 15.0.0 Release 15 3 ETSI TS 135 207 V15.0.0 (2018-12)
Contents
Intellectual Property Rights . 2
Foreword . 2
Modal verbs terminology . 2
Foreword . 4
Introduction . 4
1 Outline of the implementors' test data . 5
1.1 References . 5
2 Introductory information . 6
2.1 Introduction . 6
2.2 Radix . 6
2.3 Bit/Byte ordering . 6
2.4 List of Variables . 6
2.5 Algorithm Inputs and Outputs . 7
2.6 Coverage. 7
3 Rijndael test data . 8
3.1 Overview . 8
3.2 Format . 8
3.3 Test Set 1 . 9
3.4. Test Set 2 . 10
3.5. Test Set 3 . 10
3.6 Test Set 4 . 11
3.7 Test Set 5 . 11
3.8 Test Set 6 . 12
4 Authentication algorithms f1 AND f1* . 12
4.1 Overview . 12
4.2 Format . 12
4.3 Test Set 1 . 12
4.4 Test Set 2 . 13
4.5 Test Set 3 . 13
4.6 Test Set 4 . 13
4.7 Test Set 5 . 13
4.8 Test Set 6 . 14
5 Algorithms f2, f5 and f3 . 14
5.1 Overview . 14
5.2 Format . 14
5.3 Test Set 1 . 15
5.4 Test Set 2 . 15
5.5 Test Set 3 . 15
5.6 Test Set 4 . 15
5.7 Test Set 5 . 15
5.8 Test Set 6 . 16
6 Algorithms f4 and f5* . 16
6.1 Overview . 16
6.2 Format . 16
6.3 Test Set 1 . 16
6.4 Test Set 2 . 16
6.5 Test Set 3 . 17
6.6 Test Set 4 . 17
6.7 Test Set 5 . 17
6.8 Test Set 6 . 17
Annex A (informative): Change history . 18
History . 19
ETSI
---------------------- Page: 4 ----------------------
3GPP TS 35.207 version 15.0.0 Release 15 4 ETSI TS 135 207 V15.0.0 (2018-12)
Foreword
rd
This Technical Specification (TS) has been produced by the 3 Generation Partnership Project (3GPP).
The contents of the present document are subject to continuing work within the TSG and may change following formal
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an
identifying change of release date and an increase in version number as follows:
Version x.y.z
where:
x the first digit:
1 presented to TSG for information;
2 presented to TSG for approval;
3 or greater indicates TSG approved document under change control.
y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections,
updates, etc.
z the third digit is incremented when editorial only changes have been incorporated in the document.
Introduction
This document has been prepared by the 3GPP Task Force, and contains an example set of algorithms which may be
used as the authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*. (It is not mandatory that the
particular algorithms specified in this document are used — all seven functions are operator-specifiable rather than
being fully standardised). This document is one five, which between them form the entire specification of the example
algorithms, entitled:
- 3GPP TS 35.205: "3rd Generation Partnership Project; Technical Specification Group Services and System
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP
authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*;
Document 1: General".
- 3GPP TS 35.206: "3rd Generation Partnership Project; Technical Specification Group Services and System
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP
authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*;
Document 2: Algorithm Specification".
- 3GPP TS 35.207: "3rd Generation Partnership Project; Technical Specification Group Services and System
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP
authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*;
Document 3: Implementors' Test Data".
- 3GPP TS 35.208: "3rd Generation Partnership Project; Technical Specification Group Services and System
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP
authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*;
Document 4: Design Conformance Test Data".
- 3GPP TR 35.909: "3rd Generation Partnership Project; Technical Specification Group Services and System
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP
authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*;
Document 5: Summary and results of design and evaluation".
ETSI
---------------------- Page: 5 ----------------------
3GPP TS 35.207 version 15.0.0 Release 15 5 ETSI TS 135 207 V15.0.0 (2018-12)
1 Outline of the implementors' test data
Section 2 introduces the algorithms and describes the notation used in the subsequent sections.
Section 3 provides test data for the Rijndael kernel function.
Section 4 provides test data for the authentication algorithms f1 and f1*.
Section 5 provides test data for the algorithms f2, f5 and f3.
Section 6 provides test data for the algorithms f4 and f5*.
1.1 References
The following documents contain provisions which, through reference in this text, constitute provisions of the present
document.
- References are either specific (identified by date of publication, edition number, version number, etc.) or
non-specific.
- For a specific reference, subsequent revisions do not apply.
- For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same
Release as the present document.
[1] 3GPP TS 33.102 v3.5.0: "3rd Generation Partnership Project; Technical Specification Group
Services and System Aspects; 3G Security; Security Architecture".
[2] 3GPP TS 33.105 v3.4.0: "3rd Generation Partnership Project; Technical Specification Group
Services and System Aspects; 3G Security; Cryptographic Algorithm Requirements".
[3] 3GPP TS 35.206: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example
algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and
f5*; Document 2: Algorithm Specification".
[4] 3GPP TS 35.207: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example
algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and
f5*; Document 3: Implementors' Test Data" (this document).
[5] 3GPP TS 35.208: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example
algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and
f5*; Document 4: Design Conformance Test Data".
[6] Joan Daemen and Vincent Rijmen: "AES Proposal: Rijndael", available at
http://csrc.nist.gov/encryption/aes/round2/AESAlgs/Rijndael/Rijndael.pdf or
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/rijndaeldocV2.zip
[7] http://csrc.nist.gov/encryption/aes/
ETSI
---------------------- Page: 6 ----------------------
3GPP TS 35.207 version 15.0.0 Release 15 6 ETSI TS 135 207 V15.0.0 (2018-12)
2 Introductory information
2.1 Introduction
Within the security architecture of the 3GPP system there are seven security functions f1, f1*, f2, f3, f4, f5 and f5*.
The operation of these functions falls within the domain of one operator, and the functions are therefore to be specified
by each operator rather than being fully standardized. The algorithms specified in this document are examples that may
be used by an operator who does not wish to design his own.
The inputs and outputs of all seven algorithms are defined in section 2.5.
2.2 Radix
Unless stated otherwise, all test data values presented in this document are in hexadecimal.
2.3 Bit/Byte ordering
All data variables in this specification are presented with the most significant bit (or byte) on the left hand side and the
least significant bit (or byte) on the right hand side. Where a variable is broken down into a number of substrings, the
leftmost (most significant) substring is numbered 0, the next most significant is numbered 1, and so on through to the
least significant.
2.4 List of Variables
AK a 48-bit anonymity key that is the output of either of the functions f5 and f5*.
AMF a 16-bit authentication management field that is an input to the functions f1 and f1*.
c1,c2,c3,c4,c5 128-bit constants, which are XORed onto intermediate variables.
CK a 128-bit confidentiality key that is the output of the function f3.
IK a 128-bit integrity key that is the output of the function f4.
K a 128-bit subscriber key that is an input to the functions f1, f1*, f2, f3, f4, f5 and f5*.
MAC-A a 64-bit network authentication code that is the output of the function f1.
MAC-S a 64-bit resynchronisation authentication code that is the output of the function f1*.
OP a 128-bit Operator Variant Algorithm Configuration Field that is a component of the functions f1,
f1*, f2, f3, f4, f5 and f5*.
OP a 128-bit value derived from OP and K and used within the computation of the functions.
C
r1,r2,r3,r4,r5 integers in the range 0–127 inclusive, which define amounts by which intermediate variables are
cyclically rotated.
RAND a 128-bit random challenge that is an input to the functions f1, f1*, f2, f3, f4, f5 and f5*.
RES a 64-bit signed response that is the output of the function f2.
SQN a 48-bit sequence number that is an input to either of the functions f1 and f1*. (For f1* this input
is more precisely called SQN .)
MS
ETSI
---------------------- Page: 7 ----------------------
3GPP TS 35.207 version 15.0.0 Release 15 7 ETSI TS 135 207 V15.0.0 (2018-12)
2.5 Algorithm Inputs and Outputs
The inputs to the algorithms are given in tables 1 and 2, the outputs in tables 3–9 below.
Table 1. inputs to f1 and f1*
Parameter Size (bits) Comment
K 128 Subscriber key K[0]…K[127]
RAND 128 Random challenge RAND[0]…RAND[127]
SQN 48 Sequence number SQN[0]…SQN[47]. (For f1* this input is
more precisely called SQN .)
MS
AMF 16 Authentication management field AMF[0]…AMF[15]
Table 2. inputs to f2, f3, f4, f5 and f5*
Parameter Size (bits) Comment
K 128 Subscriber key K[0]…K[127]
RAND 128 Random challenge RAND[0]…RAND[127]
Table 3. f1 output
Parameter Size (bits) Comment
MAC-A 64 Network authentication code MAC-A[0]…MAC-A[63]
Table 4. f1* output
Parameter Size (bits) Comment
MAC-S 64 Resynch authentication code MAC-S[0]…MAC-S[63]
Table 5. f2 output
Parameter Size (bits) Comment
RES 64 Response RES[0]…RES[63]
Table 6. f3 output
Parameter Size (bits) Comment
CK 128 Confidentiality key CK[0]…CK[127]
Table 7. f4 output
Parameter Size (bits) Comment
IK 128 Integrity key IK[0]…IK[127]
Table 8. f5 output
Parameter Size (bits) Comment
AK 48 Anonymity key AK[0]…AK[47]
Table 9. f5* output
Parameter Size (bits) Comment
AK 48 Resynch anonymity key AK[0]…AK[47]
NOTE: Both f5 and f5* outputs are called AK according to reference [2]. In practice only one of them will be
calculated in each instance of the authentication and key agreement procedure.
2.6 Coverage
The test data sets for the kernel function Rijndael have been chosen in a way that, provided all data sets are tested:
ETSI
---------------------- Page: 8 ----------------------
3GPP TS 35.207 version 15.0.0 Release 15 8 ETSI TS 135 207 V15.0.0 (2018-12)
- Every S-Box entry is being used.
- Each input bit has been in both the '0' and '1' state.
The test data sets for all seven functions are based on the test data sets above. The values for OP, K and RAND have
been chosen such that the input values of the first encryption are the test data sets of Rijndael. This way, the following
coverage is being reached, provided all test data sets are tested:
- The conditions for Rijndael seen above.
- Each input bit for the functions has been in both the '0' and '1' state.
3 Rijndael test data
3.1 Overview
The test data sets presented here are for the cryptographic kernel function Rijndael with 128-bit key and data as it is
specified in [3].
3.2 Format
Rijndael is composed of 10 rounds that transform the input into the output. An intermediate result is called the State.
The State can be pictured as a 4x4 rectangular array of bytes (128 bits in total). The cipher key is similarly pictured as a
4x4 rectangular array. In each of the data intermediate values of the round key array and of the State are given. For the
first set the value of the State after each step of the algorithm is given. In the remaining data sets only the value of the
State as it is at the end of each round is given.
The internal states will be written as hexadecimal strings, column by column and from top to bottom within each
column (the same way as plaintext bytes are fed into the matrix).
Example: The State
C2 37 2E 21
3C 69 51 9E
62 EC 9D 23
CC 29 D8 F7
is represented by the string c23c62cc 3769ec29 2e519dd8 219e23f7.
ETSI
---------------------- Page: 9 ----------------------
3GPP TS 35.207 version 15.0.0 Release 15 9 ETSI TS 135 207 V15.0.0 (2018-12)
3.3 Test Set 1
Key: 465b5ce8 b199b49f aa5f0a2e e238a6bc
Plaintext: ee36f7cf 037d37d3 692f7f03 99e7949a
Round key 0: 465b5ce8 b199b49f aa5f0a2e e238a6bc
Round key 1: 407f3970 f1e68def 5bb987c1 b981217d
Round key 2: 4e82c626 bf644bc9 e4ddcc08 5d5ced75
Round key 3: 00d75b6a bfb310a3 5b6edcab 063231de
Round key 4: 2b104605 94a356a6 cfcd8a0d c9ffbbd3
Round key 5: 2dfa20d8 b959767e 7694fc73 bf6b47a0
Round key 6: 725ac0d0 cb03b6ae bd974add 02fc0d7d
Round key 7: 828d3fa7 498e8909 f419c3d4 f6e5cea9
Round key 8: db06ece5 928865ec 6691a638 90746891
Round key 9: 52436d85 c0cb0869 a65aae51 362ec6c0
Round key 10: 55f7d780 953cdfe9 336671b8 0548b778
add keys(0): a86dab27 b2e4834c c370752d 7bdf3226
Substitution(1): c23c62cc 3769ec29 2e519dd8 219e23f7
Row shift(1): c2699df7 375123cc 2e9e6229 213cecd8
mix column(1): 4e5b885c 723c6fa8 ae860fdc 32aead18
add keys(1): 0e24b12c 83dae247 f53f881d 8b2f8c65
Substitution(2): ab36c871 ec5798a0 e675c4a4 3d15644d
Row shift(2): ab57c44d ec756471 e615c8a0 3d3698a4
mix column(2): 3d1fb8ef 49dbc2dc 802f83b7 1c46d7ba
add keys(2): 739d7ec9 f6bf8915 64f24fbf 411a3acf
Substitution(3): 8f5ef3dd 4208a759 43898408 83a2808a
Row shift(3): 8f08848a 428980dd 43a2f359 835ea708
mix column(3): 13821109 590dac6e d14bf726 50c59077
add keys(3): 13554a63 e6bebccd 8a252b8d 56f7a1a9
Substitution(4): 7dfcd6fb 8eae65bd 7e3ff15d b16832d3
Row shift(4): 7daef1d3 8e3f32fb 7e68d6bd b1fc655d
mix column(4): 31e14465 8f5dc369 2f727d5d 5ea060eb
add keys(4): 1af10260 1bfe95cf e0bff750 975fdb38
Substitution(5): a2a177d0 afbb2a8a e1086853 88cfb907
Row shift(5): a2bb6807 af08b9d0 e1cf778a 88a12a53
mix column(5): e670c020 34bfa5e0 6e77458f 8afc88ae
add keys(5): cb8ae0f8 8de6d39e 18e3b9fc 3597cf0e
Substitution(6): 1f7ee141 5d8e660b ad1156b0 96888aab
Row shift(6): 1f8e56ab 5d118a41 ad88e10b 967e66b0
mix column(6): 4a49dbb4 42bb80fe 2895e193 6370efc2
add keys(6): 38131b64 89b83650 9502ab4e 618ce2bf
Substitution(7): 077daf43 a76c0553 2a77622f ef649808
Row shift(7): 076c6208 a7779843 2a64af53 ef7d052f
mix column(7): d071b717 17b93e9b 045bfe13 6835e90c
add keys(7): 52fc88b0 5e37b792 f0423dc7 9ed027a5
Substitution(8): 00b0c4e7 589aa94f 8c2c27c6 0b70cc06
Row shift(8): 009a2706 582ccce7 8c70c44f 0bb0a9c6
mix column(8): 9440deb1 efa8c5dd 1874bea5 b256a393
add keys(8): 4f463254 7d20a031 7ee5189d 2222cb02
Substitution(9): 845a2320 ffb7e0c7 f3d9ad5e 93931f77
Row shift(9): 84b7ad77 ffd91f20 f39323c7 935ae05e
mix column(9): 0b6aeb63 aa57789c b76c742b 6d42f0a8
add keys(9): 592986e6 6a9c70f5 1136da7a 5b6c3668
Substitution(10):cba5448e 02de51e6 820557da 39500545
Row shift(10): cbde5745 0205058e 825044e6 39a551da
add keys(10): 9e2980c5 9739da67 b136355e 3cede6a2
Ciphertext: 9e2980c5 9739da67 b136355e 3cede6a2
ETSI
---------------------- Page: 10 ----------------------
3GPP TS 35.207 version 15.0.0 Release 15 10 ETSI TS 135 207 V15.0.0 (2018-12)
3.4. Test Set 2
Key: 0396eb31 7b6d1c36 f19c1c84 cd6ffd16
Plaintext: 93cc3640 c5d6a521 d81235bd 0882bf0a
Round key 0: 0396eb31 7b6d1c36 f19c1c84 cd6ffd16
Round key 1: aac2ac8c d1afb0ba 2033ac3e ed5c5128
Round key 2: e21398d9 33bc2863 138f845d fed3d575
Round key 3: 80100562 b3ac2d01 a023a95c 5ef07c29
Round key 4: 0400a03a b7ac8d3b 178f2467 497f584e
Round key 5: c66a8f01 71c6023a 6649265d 2f367e13
Round key 6: e399f214 925ff02e f416d673 db20a860
Round key 7: 145b22ad 8604d283 721204f0 a932ac90
Round key 8: b7ca427e 31ce90fd 43dc940d eaee389d
Round key 9: 84cd1cf9 b5038c04 f6df1809 1c312094
Round key 10: 757a3e65 c079b261 36a6aa68 2a978afc
End of Round 0: 905add71 bebbb917 298e2939 c5ed421c
End of round 1: 7605c840 32e4a13b bf94cea5 2775d315
End of round 2: fb262fc1 7c78fe50 b567e7ef f4991c6f
End of round 3: 7d736610 e36a13d8 7e5d4d65 5db3231a
End of round 4: a6677d9e ad85d9
...