UMTS

Let’s learn about the features and functionality of UMTS.

The main reason for developing a new standard for mobile telecommunications was not so much to alleviate GSM security concerns, but rather to provide additional features and functionality, such as the ability to access internet services. However, the opportunity was taken during the development of UMTS to build on the successful aspects of GSM security and further strengthen it where appropriate. The main cryptographic improvements over GSM are as follows:

  • Mutual entity authentication: GSM offers entity authentication only of the mobile user. Since the development of GSM, so-called false base station attacks have become much more feasible due to reductions in the cost of suitable equipment. In one example of such an attack, a mobile user connects to the false base station, which immediately suggests that encryption is turned off. By additionally requiring the user to authenticate the mobile base station, such attacks are prevented.

  • Prevention of triplet reuse: A GSM triplet can, in theory, be reused many times for the particular mobile it was generated for. In UMTS, this is prevented by upgrading authentication triplets to quintets, which additionally include a sequence number preventing successful replay and a MAC key.

  • Use of publicly known algorithms: UMTS adopts cryptographic algorithms based on well-established and well-studied techniques. While it does not quite use ‘off-the-shelf’ algorithms, due to the desire to tailor algorithms to the underlying hardware, the algorithms deployed are very closely based on standard algorithms, and the modifications have been publicly evaluated.

  • Longer key lengths: Following the relaxation of the export restrictions that were in place at the time of GSM development, the key lengths of the underlying cryptographic algorithms were increased to 128 bits.

  • Integrity of signaling data: UMTS provides additional integrity protection to the critical signaling data. This is provided using a MAC, whose key is established during the UMTS authentication (AKE) protocol.

UMTS security protocols

We will omit the details of the UMTS security protocols since they are, in essence, just slightly more complex versions of the original GSM protocols. Entity authentication of the mobile user is conducted via a challenge-response mechanism that is similar to GSM, at the end of which encryption and MAC keys are established.

Entity authentication of the base station is added to UMTS through the use of a MAC. This MAC uses a 128-bit integrity key $K_I$ derived from $K_i$ and RAND in much the same way as the encryption key $K_C$ is derived. The freshness mechanism used as part of this authentication is a sequence number maintained by the mobile user and the base station. This is preferable to also using a challenge-response protocol in the opposite direction since this would introduce one extra message exchange as well as require the mobile user to randomly generate a challenge number. It would also be inconvenient when roaming because the local mobile operator would have to contact a user’s home mobile operator during each authentication attempt.

Roaming works on the same principle as for GSM, except that the additional fields of the authentication quintet provide protection against replays.
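
The network-authentication step described above, as an added example that is not part of the original page: the mobile checks the network's MAC and the sequence number before answering, so a replayed quintet and a challenge from a sender without K_i are both rejected. HMAC-SHA256 stands in for MILENAGE, and the message layout, function names and the `token` field are assumptions that follow the page's simplified description, not the 3GPP formats.

```python
import hashlib
import hmac
import os

def kdf(k_i: bytes, rand: bytes, label: bytes) -> bytes:
    """Derive a 128-bit value from K_i and RAND (HMAC-SHA256 stand-in, not MILENAGE)."""
    return hmac.new(k_i, label + rand, hashlib.sha256).digest()[:16]

def network_mac(k_i: bytes, rand: bytes, sqn: int) -> bytes:
    """MAC under the integrity key K_I, bound to RAND and the sequence number."""
    k_int = kdf(k_i, rand, b"IK")
    return hmac.new(k_int, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]

def make_quintet(k_i: bytes, sqn: int) -> dict:
    """Home operator side: build one quintet for this subscriber key and sequence number."""
    rand = os.urandom(16)
    return {
        "rand": rand,                                 # challenge
        "xres": kdf(k_i, rand, b"RES"),               # expected response
        "ck": kdf(k_i, rand, b"CK"),                  # encryption key K_C
        "ik": kdf(k_i, rand, b"IK"),                  # integrity (MAC) key K_I
        "token": (sqn, network_mac(k_i, rand, sqn)),  # sequence number + network MAC
    }

class Mobile:
    def __init__(self, k_i: bytes):
        self.k_i = k_i
        self.last_sqn = 0  # highest sequence number accepted so far

    def authenticate(self, rand: bytes, sqn: int, mac: bytes):
        """Check the network's MAC and freshness before answering the challenge."""
        if not hmac.compare_digest(mac, network_mac(self.k_i, rand, sqn)):
            return ("reject", "bad MAC: sender does not know K_i")
        if sqn <= self.last_sqn:
            return ("reject", "stale sequence number: replayed challenge")
        self.last_sqn = sqn
        return ("accept", kdf(self.k_i, rand, b"RES"))  # response for the network

def demo():
    k_i = bytes(range(16))  # constructed 128-bit subscriber key
    phone = Mobile(k_i)
    q = make_quintet(k_i, sqn=1)
    first = phone.authenticate(q["rand"], *q["token"])
    replay = phone.authenticate(q["rand"], *q["token"])            # same quintet again
    forged = phone.authenticate(os.urandom(16), 2, os.urandom(8))  # no knowledge of K_i
    return q, first, replay, forged

if __name__ == "__main__":
    print([outcome[0] for outcome in demo()[1:]])
```

The order of the two checks matters: verifying the MAC first means an unauthenticated sender cannot advance or probe the mobile's stored sequence number.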

UMTS cryptographic algorithms

Just as for GSM, mobile operators are free to use their own cryptographic algorithms as part of the UMTS AKE protocol. However, UMTS recommends using a set of algorithms called MILENAGE, which is based on a 128-bit block cipher such as AES and implements all the functionality required for UMTS authentication.

Once again, the encryption algorithm must be fixed across all mobile operators. The selected UMTS algorithm is KASUMI, a 128-bit block cipher based on a well-studied design known as MISTY. Since what we want is a stream cipher, KASUMI is deployed in a mode of operation that uses a block cipher as a stream cipher keystream generator.

UMTS also specifies a backup stream cipher in the (unexpected) event that a serious vulnerability is found in KASUMI. Since KASUMI is a Feistel cipher, the alternative algorithm is a dedicated stream cipher (one that is not a special mode of operation of a block cipher) called SNOW 3G.

Since UMTS also requires a MAC, UMTS specifies an associated MAC algorithm for each of these encryption algorithms. For KASUMI, this is an authentication mode of operation of the block cipher. For SNOW 3G, a special MAC algorithm has been designed, which generates a MAC based on SNOW 3G encryption.

At the time of writing, there are no known significant practical attacks against any of these cryptographic algorithms.
