1、 ETSI TS 1Universal Mobile TelSpecification of the Malgorithm set fokey generation funDocument 2(3GPP TS 35.2TECHNICAL SPECIFICATION135 206 V13.0.0 (2016elecommunications System (LTE; 3G Security; MILENAGE algorithm set: An for the 3GPP authentication aunctions f1, f1*, f2, f3, f4, f5 ant 2: Algorit
2、hm specification .206 version 13.0.0 Release 1316-01) (UMTS); n example and and f5*; 13) ETSI ETSI TS 135 206 V13.0.0 (2016-01)13GPP TS 35.206 version 13.0.0 Release 13Reference RTS/TSGS-0335206vd00 Keywords LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.:
3、+33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made availab
4、le in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only pr
5、evailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other E
6、TSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any
7、form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction
8、in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Or
9、ganizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 135 206 V13.0.0 (2016-01)23GPP TS 35.206 version 13.0.0 Release 13Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared
10、to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is a
11、vailable from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI
12、SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or rep
13、orts using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs termino
14、logy In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in E
15、TSI deliverables except when used in direct citation. ETSI ETSI TS 135 206 V13.0.0 (2016-01)33GPP TS 35.206 version 13.0.0 Release 13Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 4g3Introduction 4g30 The name “MILENAGE“ . 5g31 Outline of the document .
16、5g31.1 References 5g32 INTRODUCTORY INFORMATION . 6g32.1 Introduction 6g32.2 Notation 6g32.2.1 Radix . 6g32.2.2 Conventions 6g32.2.3 Bit/Byte ordering 6g32.2.4 List of Symbols . 7g32.3 List of Variables . 7g32.4 Algorithm Inputs and Outputs 7g33 The algorithm framework and the specific example algor
17、ithms 8g34 Definition of the example algorithms . 9g34.1 Algorithm Framework 9g34.2 Specific Example Algorithms. 9g35 Implementation considerations . 10g35.1 OPCcomputed on or off the USIM? . 10g35.2 Customising the choice of block cipher . 10g35.3 Further customisation . 11g35.4 Resistance to side
18、channel attacks 11g3Annex 1: Figure of the Algorithms 12g3Annex 2: Specification of the Block Cipher Algorithm Rijndael 13g3A2.1 Introduction 13g3A2.2 The State and External Interfaces of Rijndael 13g3A2.3 Internal Structure 14g3A2.4 The Byte Substitution Transformation . 14g3A2.5 The Shift Row Tran
19、sformation . 15g3A2.6 The Mix Column Transformation 15g3A2.7 The Round Key addition 16g3A2.8 Key schedule 16g3A2.9 The Rijndael S-box . 17g3Annex 3: Simulation Program Listing - Byte Oriented . 18g3Annex 4: Rijndael Listing - 32-Bit Word Oriented 25g3Annex A (informative): Change history . 31g3Histo
20、ry 32 ETSI ETSI TS 135 206 V13.0.0 (2016-01)43GPP TS 35.206 version 13.0.0 Release 13Foreword This Technical Specification (TS) has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work within the TSG and may change followi
21、ng formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TS
22、G for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the docume
23、nt. Introduction This document has been prepared by the 3GPP Task Force, and contains an example set of algorithms which may be used as the authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*. (It is not mandatory that the particular algorithms specified in this document are
24、used all seven functions are operator-specifiable rather than being fully standardised). This document is one five, which between them form the entire specification of the example algorithms, entitled: - 3GPP TS 35.205: “3rd Generation Partnership Project; Technical Specification Group Services and
25、System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: General“. - 3GPP TS 35.206: “3rd Generation Partnership Project; Technical Specification Group Serv
26、ices and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm Specification“. - 3GPP TS 35.207: “3rd Generation Partnership Project; Technical
27、 Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 3: Implementors Test Data“. - 3GPP TS 35.208: “3rd Generation Partne
28、rship Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 4: Design Conformance Test Data“. - 3GPP TR
29、35.909: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 5: Summary and
30、 results of design and evaluation“. ETSI ETSI TS 135 206 V13.0.0 (2016-01)53GPP TS 35.206 version 13.0.0 Release 130 The name “MILENAGE“ The name of this algorithm set is “MILENAGE“. It should be pronounced like a French word something like “mi-le-nahj“. 1 Outline of the document Section 2 introduce
31、s the algorithms and describes the notation used in the subsequent sections. Section 3 explains how the algorithms are designed as a framework in such a way that various “customising components“ can be selected in order to customise the algorithm for a particular operator. Section 4 defines the exam
32、ple algorithms. The algorithm framework is defined in section 4.1; in section 4.2, specific instances of the components are selected to define the specific example algorithm set. Section 5 explains various options and considerations for implementation of the algorithms, including considerations to b
33、e borne in mind when modifying the customising components. Illustrative pictures are given in Annex 1. Annex 2 gives a specification of the block cipher algorithm which is used as a cryptographic kernel in the definition of the example algorithms. Annexes 3 and 4 contain source code in the C program
34、ming language: Annex 3 gives a complete and straightforward implementation of the algorithm set, while Annex 4 gives an example of an alternative high-performance implementation just of the kernel function. 1.1 References The following documents contain provisions which, through reference in this te
35、xt, constitute provisions of the present document. References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies. In the c
36、ase of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document. 1 3GPP TS 33.102 v3.5.0: “3rd Generation Partnership Project; Technical Specification Group Services and Sy
37、stem Aspects; 3G Security; Security Architecture“. 2 3GPP TS 33.105 v3.4.0: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Cryptographic Algorithm Requirements“. 3 3GPP TS 35.206: “3rd Generation Partnership Project; Technical Specificati
38、on Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm Specification“ (this document). 4 3GPP TS 35.207: “3rd Generation P
39、artnership Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 3: Implementors Test Data“. 5 3GPP TS 3
40、5.208: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 4: Design Confo
41、rmance Test Data“. ETSI ETSI TS 135 206 V13.0.0 (2016-01)63GPP TS 35.206 version 13.0.0 Release 136 Joan Daemen and Vincent Rijmen: “AES Proposal: Rijndael“, available at http:/csrc.nist.gov/encryption/aes/round2/AESAlgs/Rijndael/Rijndael.pdf or http:/www.esat.kuleuven.ac.be/rijmen/rijndael/rijndael
42、docV2.zip 7 http:/csrc.nist.gov/encryption/aes/ 8 Thomas S. Messerges, “Securing the AES finalists against Power Analysis Attacks“, in FSE 2000, Seventh Fast Software Encryption Workshop, ed. Schneier, Springer Verlag, 2000. 9 P. C. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA,
43、DSS, and Other Systems“, in CRYPTO96, Lecture Notes in Computer Science #1109, Springer Verlag, 1996. 10 J. Kelsey, B. Schneier, D. Wagner, C. Hall, “Side Channel Cryptanalysis of Product Ciphers“, in ESORICS98, Lecture Notes in Computer Science #1485, Springer Verlag, 1998. 11 L. Goubin, J. Patarin
44、, “DES and differential power analysis“, in CHES99, Lecture Notes in Computer Science #1717, Springer Verlag, 1999. 12 P. Kocher, J. Jaffe, B. Jun, “Differential Power Analysis“, in CRYPTO99, Lecture Notes in Computer Science #1666, Springer Verlag, 1999. 13 L. Goubin, J.-S. Coron, “On boolean and a
45、rithmetic masking against differential power analysis“, in CHES00, Lecture Notes in Computer Science series, Springer Verlag (to appear). 2 INTRODUCTORY INFORMATION 2.1 Introduction Within the security architecture of the 3GPP system there are seven security functions f1, f1*, f2, f3, f4, f5 and f5*
46、. The operation of these functions falls within the domain of one operator, and the functions are therefore to be specified by each operator rather than being fully standardised. The algorithms specified in this document are examples that may be used by an operator who does not wish to design his ow
47、n. The inputs and outputs of all seven algorithms are defined in section 2.4. 2.2 Notation 2.2.1 Radix We use the prefix 0x to indicate hexadecimal numbers. 2.2.2 Conventions We use the assignment operator =, as used in several programming languages. When we write = we mean that assumes the value th
48、at had before the assignment took place. For instance, x = x + y + 3 means (new value of x) becomes (old value of x) + (old value of y) + 3. 2.2.3 Bit/Byte ordering All data variables in this specification are presented with the most significant bit (or byte) on the left hand side and the least sign
49、ificant bit (or byte) on the right hand side. Where a variable is broken down into a number of substrings, the ETSI ETSI TS 135 206 V13.0.0 (2016-01)73GPP TS 35.206 version 13.0.0 Release 13leftmost (most significant) substring is numbered 0, the next most significant is numbered 1, and so on through to the least significant. 2.2.4 List of Symbols = The assignment operator. The bitwise exclusive-OR operation | The concatenation of the two operands. ExkThe result of applying a block cipher encryption to the input value x us
