4G/LTE - Integrity

  

 

 

 

SNOW3G

 

SNOW3G is the algorithm used for UIA2 in UMTS and EIA1 in LTE. In this page, I will describe on this algorithm at a very high level. For the details (or sample source code), refer to ETSI/SAGE specification (3GPP document on NAS Integrity does not have any details on the algorithm itself). If you want to look into some implementation example in source code, refer to ref [1].

 

In this page, just try to understand what kind of input you need for the algorithm and how to figure out those input values.

 

 

Parameter

Bit Field Length

Description

INPUT

 COUNT-I

32

 Frame dependent Input. See NAS Integrity Page
FRESH

32

Random Number (See How to derive FRESH value ?)
DIRECTION

1

Direction of Transmission. See NAS Integrity Page

IK

128

 Integrity Key. See Authentication Page
LENGTH

64

 Length of MESSAGE
MESSAGE

Variable

 Contents of the MESSAGE

Algorithm

SNOW3G/UIA2/EIA1

OUTPUT

 MAC-I

32

 Calculated MAC(Message Authentication Code)

 

 

Following is the illustration of overall procedure for SNOW3G. It is drawn based on ref [2] and modified a little bit based on ETSI/SEGA specification.

 

 

 

How to derive FRESH value ?

 

Just in terms of Algorithm implementation, FRESH is specified as a 32 bit random number. But when SNOW3G is used in EIA1, it is not completely random. It is more like a predefined constant as stated below.

 

33.401 - B.2.2 128-EIA1 states as follows :

 

128-EIA1 is based on SNOW 3G and is implemented in the same way as UIA2 as specified in TS 35.215. The used IV is constructed the same way as in subclause 4.4 of that TS, with the only difference being that FRESH [0], … FRESH [31] shall be replaced by BEARER[0] … BEARER[4] ¦ 0..0  (i.e. 27 zero bits)

 

It means each of the FRESH bit is configured as follows (NOTE : FRESH is 32 bit, but BEARER is 5 bit). NOTE : FRESH[0] is MSB and FRESH[31] is LSB.

    FRESH[0] = BEARER[0]

    FRESH[1] = BEARER[1]

    FRESH[2] = BEARER[2]

    FRESH[3] = BEARER[3]

    FRESH[4] = BEARER[4]

    FRESH[6] = 0

    FRESH[7] = 0

    ...

    FRESH[30] = 0

    FRESH[31] = 0

 

Then you may ask how to derive BEARER value. 33.401 - 8.1.1 NAS input parameters and mechanism states as follows.

 

The BEARER identity is not necessary since there is only one NAS signalling connection per pair of MME and UE, but is included as a constant value so that the input parameters for AS and NAS will be the same, which simplifies specification and implementation work.

 

Also  33.401 - 7.4.3 KeNB* and Token Preparation for the RRCConnectionReestablishment Procedure has following statement  

 

all BEARER bits shall be set to 1

 

Putting all the above statement together, we can define FRESH value to be 0xF8000000 as follows :

    FRESH[0] = 1

    FRESH[1] = 1

    FRESH[2] = 1

    FRESH[3] = 1

    FRESH[4] = 1

    FRESH[6] = 0

    FRESH[7] = 0

    ...

    FRESH[30] = 0

    FRESH[31] = 0

 

 

Reference :

 

[1] CryptoMobile (GitHub)

[2] Lightweight Security Solutions for LTE/LTE-A Networks