Authentication, Encryption and Voice Privacy

Document by: Rahul Chauhan

Version 1 Date: 07-08-2001

INDEX
1. Glossary of Technical Terms
2. References
3. Introduction
4. Authentication
5. NAM Programming the A-Key
6. Encryption
7. When to do Encryption?
8. Voice Privacy
9. Something about Algorithms

Index for Tables and Figures

1. Table 1: Auth_Signature Parameters
2. Table 2: CAVE Table
3. Figure 1 : Auth_Signature Input Parameters
4. Figure 2:SSD Update Message
5. Figure 3:Flow Diagram to generate CMEA Key and VPM
6. Figure 4:Specification of CMEA

1 Glossary of Technical Terms

The terms are arranged in the order of their occurrence in the document.

DTMF tones:
DTMF stands for Dual Tone Multiple Frequency. The key pressed digits are represented by two
frequencies.

ORYX:
ORYX is the algorithm used to encrypt data sent over digital cellular phones. It is a stream cipher based on
three 32-bit LFSRs. It is distinct from CMEA, which is a block cipher used to encrypt the cellular data
control channel.

CAVE:
CAVE expands to Cellular Authentication Voice and Encryption Algorithm.

CMEA:
CMEA is the encryption algorithm developed by the Telecommunications Industry Association to encrypt
digital cellular phone data. It uses a 64-bit key and features a variable block length. CMEA is used to
encrypt the control channel of cellular phones. It is distinct from ORYX, an also insecure stream cipher that
is used to encrypt data transmitted over digital cellular phones.

A Key:
A 64-bit cryptographic key variable stored in the semi-permanent memory of the mobile station and also
known to the Authentication Center (AC or HLR/AC) of the wireless system. It is entered when the mobile
station is first put into service with a particular subscriber, and usually will remain unchanged unless the
operator determines that its value has been compromised. The A-key is used in the SSD generation
procedure.

SSD:
SSD is an abbreviation for Shared Secret Data. It consists of two quantities, SSD_A and SSD_B.

1
SSD_A:
The SSD_A is a 64-bit binary quantity in the semi-permanent memory of the mobile station and also
known to the Authentication Center. It may be shared with the serving MSC.

SSD_B:
The SSD_B is used in the computation of the authentication response. A 64-bit binary quantity in the semi-
permanent memory of the mobile station and also known to the authentication Center. It may be shared
with the serving MSC. It is used in the computation of the CMEA key, VPM (Voice Privacy Mask) and
DataKey(for data services).

UCRP:
UCRP expands to Unique Challenge Response Procedure. This procedure is carried out when
Authentication fails.

IMSI
IMSI is International Mobile Subscriber Identity. It is a 34-bit quantity. The first 24 LSB“s form the
IMSI_S1 and the first 10 MSB“s form IMSI_S2.

ESN:
The 32-bit electronic serial number of the mobile station. It is unique for a mobile station.

VPM:
Voice Privacy Mask. This name describes a 520-bit entity that may be used for voice privacy functions as
specified in wireless system standards.

NAM
NAM stands for Number Assignment Module. Certain important values are entered through keypad. These
values are NAM parameters. The procedure to enter them into the mobile is called NAM Programming.

PACA:
PACA stands for Priority Access and Channel Assignment. A priority mobile station originated call for
which no traffic channel or voice channel was immediately available, and which has been queued for a
priority access channel assignment. This is called a PACA Call.

2 References
Standards documents for TIA/EIA-95-A, TIA/EIA-95-B, Common Cryptographic Algorithms.
.

2
3 Introduction
The Cellular communications industry is booming, so it is necessary to prevent unauthorized access to
cellular network, to increase security to as to maintain privacy and prevent fraud attacks. Something, which
today“s computer networks are susceptible to.
Cellphones identify themselves by sending identification information over the air and anyone can
misappropriate others identity information to make calls or get PIN numbers sent as DTMF tones. To fight
the menace of phone cloning, Authentication is must.
Cellular communications are sent over a radio link and anyone with a appropriate receiver can eavesdrop
over the transmission. So to make the security robust we go in for cryptography methods. That explains the
need for Encryption and Voice Privacy.
Hence we go in for Authentication, Encryption and Voice Privacy. In the document we are going to see
how these are achieved in the CDMA system.

4 Authentication
Now we are ready to define Authentication.
Authentication is the process by which information is exchanged between a mobile station and base station
for the purpose of confirming the identity of the mobile station. A successful outcome of the authentication
process occurs only when it can be demonstrated that the mobile station and base station possess identical
sets of shared secret data.

4.1 Standard Authentication Mode

For the mobile to go into the standard authentication mode the base station (BS) fills the following fields of
the Access Parameters Message (it is a part of the Overhead Parameter Messages which gives the
configurations to the mobile when it latches to a CDMA system)
auth = 01H
rand = Some 32 bit random value.
So the understanding till now is that, for the mobile to perform Authentication procedures the BS should
send the mobile into standard authentication mode.

4.2 When shall Authentication be performed

Authentication is performed when the mobile is performing any of the following procedures.
1. Registration: When the mobile does autonomous registration.
2. Unique Challenge :When the mobile performs a UCRP
3. Origination: When the mobile station originates a call.
4. Terminations: When the mobile station responds with a page message.
5. Mobile Station Data: When it sends a Data Burst Message. E.g. SMS
6. Base Station Challenge: During SSD Update.
7. TMSI Assignment: When a mobile responds to a TMSI Assignment.
8. PACA Cancellation: When a mobile cancels a PACA Call.

Note:
Authentication procedures 7 and 8 are not there in IS-95A, since these TMSI mode of addressing and
PACA call are not supported by IS-95A.These procedures are supported in IS-95B and IS-2000.

4.3 Computation of a Signature for Authentication

We will be computing a signature variable Auth_Signature, which is unique for a given set of inputs. This
Auth_Signature variable is the output of the CAVE (Refer chapter 7) when we given a set of inputs specific
to a procedure. Lets us call the context use of the CAVE process here as the Auth_Signature procedure.

3
4.4 Auth_Signature Input Parameters
RAND_CHALLENGE ESN AUTH_DATA SSD_AUTH
32bits 32 bits 24 bits 64bits

Auth_Signature Procedure
(CAVE Algorithm)

Auth_Signature
18 bits

Figure 1: The Figure shows the input,s and outputs for computation of
signature variable.

The table below gives the inputs to the Auth_Signature procedure for different Authentication procedures.
The parameters used will also be explained shortly.
Table 1: Auth_Signature Parameters
Procedure RAND_CHALLENGE ESN AUTH_DATA SSD_AUTH

Registration RAND ESN IMSI_S1 SSD_A

Unique Challenge RANDU and 8 LSB“s ESN IMSI_S1 SSD_A

of IMSI_S2

Origination RAND ESN Fill with IMSI_S1 SSD_A

and overwrite with
Last 6 Dialed
Digits
Terminations RAND ESN IMSI_S1 SSD_A

Mobile Station RAND ESN Fill with SSD_A

Data Bursts IMSI_S1and
overwrite with
Digits (according
to BURST_TYPE
in Data Burst
Message )

Base Station RANDBS ESN IMSI_S1 SSD_A_NEW

Challenge

TMSI Assignment RAND ESN IMSI_S1 SSD_A

PACA RAND ESN IMSI_S1 SSD_A

Cancellation

4
4.5 Authentication Procedures

4.5.1 Registration
Authentication is performed when the mobile attempts to send a Registration Message on the access
channel. The Auth_Signature procedure is filled with the parameters as shown in the Table 1 (RAND,
ESN,IMSI_S1,SSD_A). The mobile station shall then execute the Auth_Signature procedure. The 18-bit
output Auth_Signature shall be used to fill the AUTHR field of the Registration Message. The RANDC
(eight most significant bits of RAND) and COUNT fields of the message shall be filled with the current
values stored in the mobile station. The base station shall execute the same procedure and compare
AUTHR, RANDC and COUNT.
If the comparison fails meaning authentication was not successful, the base station may start a Unique
Challenge Response Procedure (UCRP) or carry out a SSD update.

4.5.2 Unique Challenge Response Procedure

UCRP expands to Unique Challenge Response Procedure. This procedure is carried out when
Authentication fails. The base station always initiates the UCRP procedure. The base station generates the
24-bit quantity RANDU and sends it to the mobile station in the Authentication Challenge Message. Upon
receipt of the Authentication Challenge Message, the mobile station shall set the input parameters of the
Auth_Signature procedure (see Table1 RAND and 8 LSB“s of IMSI_S2, ESN,IMSI_S1,SSD_A). The 24
most significant bits of the RAND_CHALLENGE input parameter shall be filled with RANDU, and the 8
least significant bits of RAND_CHALLENGE shall be filled with the 8 least significant bits of IMSI_S2.
The mobile shall than execute the Auth_Signature procedure and sends the output AUTHU to the base
station in Authentication Challenge Response Message. The base station than executes the same procedure
at its side but at with the internally stored value of SSD_A. If the procedure fails the base station may deny
service to the mobile station.

4.5.3 Mobile Station Origination

Authentication is performed, when the mobile station attempts to place a call by sending the Origination
Message. The Auth_Signature is filled with parameters shown in the Table 1 (RAND, ESN, Fill with
IMSI_S1 and overwrite with Last 6 Dialed Digits, SSD_A). The 18-bit output Auth_Signature shall be used
to fill the AUTHR field of the Origination Message. The RANDC (eight most significant bits of RAND)
and COUNT fields of the message shall be filled with the current values stored in the mobile station. The
base station shall execute the same procedure and compare AUTHR, RANDC and COUNT.

4.5.4 Mobile Station Termination

The mobile station responds to a page (by sending a Page Response Message on the Access Channel), the
following authentication procedures shall be performed. The Auth_Signature is filled with parameters
shown in the Table 1 (RAND, ESN,IMSI_S1,SSD_A). The 18-bit output Auth_Signature shall be used to
fill the AUTHR field of the Page Response Message. The RANDC (eight most significant bits of RAND)
and COUNT fields of the Page Response Message shall be filled with the current values stored in the
mobile station. The base station shall execute the same procedure and compare AUTHR, RANDC and
COUNT.

4.5.5 Mobile Station Data Bursts

The mobile station attempts to send a data burst message, the following authentication procedures shall be
performed. The Auth_Signature is filled with parameters shown in the Table 1 (RAND, ESN, Fill with
IMSI_S1 and overwrite with Digits (according to BURST_TYPEin Data Burst Message, SSD_A). The 18-
bit output Auth_Signature shall be used to fill the AUTHR field of the Page Response Message. The
RANDC (eight most significant bits of RAND) and COUNT fields of the message shall be filled with the

5
current values stored in the mobile station. The base station shall execute the same procedure and compare
AUTHR, RANDC and COUNT.

4.5.6 Base Station Challenge

The mobile station carries out the base station challenge procedure when the base station does a SSD
update. The message flow diagram (Figure 2 ) on the next page shall illustrate the procedure.

4.5.7 TMSI Assignment

The mobile station responds to a TMSI Assignment with a TMSI Assignment Completion Message. The
Auth_Signature is filled with parameters shown in the Table 1 (RAND, ESN, Fill with IMSI_S1,SSD_A).
The 18-bit output Auth_Signature shall be used to fill the AUTHR field of the TMSI Assignment
Completion Message. The RANDC (eight most significant bits of RAND) and COUNT fields of the
message shall be filled with the current values stored in the mobile station. The base station shall execute
the same procedure and compare AUTHR, RANDC and COUNT.

4.5.8 PACA Cancellation

When the mobile cancels a PACA call it will send a PACA Cancel Message. The Auth_Signature is filled
with parameters shown in the Table 1(RAND, ESN, Fill with IMSI_S1,SSD_A). The 18-bit output
Auth_Signature shall be used to fill the AUTHR field of the PACA Cancel Message. The RANDC (eight
most significant bits of RAND) and COUNT fields of the message shall be filled with the current values
stored in the mobile station. The base station shall execute the same procedure and compare AUTHR,
RANDC and COUNT.

6
 Figure 2: SSD Update Procedure
MOBILE STATION BASE STATION

Base Station initiates SSD

Update

SSD UPDATE MESSAGE Base

(Has random value RANDSSD)

Inputs to SSD_Generation Procedure:

A-Key (64 bits), RANDSSD, ESN (32 bits)

SSD_Genaration Procedure
SSD_Genaration Procedure (CAVE Process)
(CAVE Process)

SSD_A_NEW SSD_B_NEW SSD_A_NEW SSD_B_NEW

Base Station Challenge Procedure starts here

MS generates a random number RANDBS

BASE STATION CHALLENGE ORDER

(RANDBS)
Inputs to Auth_Signature Procedure:
RANDBS, ESN, IMSI_S1, SSD_A_NEW

Auth_Signature Procedure Auth_Signature Procedure

(CAVE Process) (CAVE Process)

AUTHR AUTHR
Base Station Challenge Confirmation Order
(AUTHR the Auth_Signature generated)

AUTHRmobilestation
=
AUTHRbasestation?

SSD Update Confirmation Order/

SSD Update Rejection Order

The MS and BS will than update the values of SSD on receiving the confirmation order

7
5 NAM Programming the A Key
From the Authentication procedures it is clear that Authentication will be successful if same copies of SSD
is maintained at both the mobile station and base station. For the generation of SSD one of the input
parameters is the A key. This A key is maintained at the mobile associated Authentication Center (AuC).
The same copy of the A Key is entered manually (via keypad called as NAM Programming).
For security, algorithms we can keep the algorithm open source and algorithm“s input secret or keep the
inputs known and the algorithm secret. The standards body has gone for the former method to maintain
security. We understand from Figure 2 that the inputs for SSD Generation are A Key, ESN (this number is
printed on the mobile case) and RANDSSD (which is a number). For the above reasons we maintain the
Akey secret and see that the value of A Key is not compromised.
The standards body also prevents the manufacturer of the mobile to give any interface to view A Key and
SSD.

5.1 Generating the A Key Checksum

The generation of the A-key is the responsibility of the service provider. A-keys should be chosen and
managed using procedures that minimize the likelihood of compromise. The 20 A-Key digits are converted
into a 64-bit representation to serve as an input to CAVE, along with the mobile station's ESN and AAV
(Authentication Algorithm Version) are inputs to the CAVE. CAVE is then run in the same manner as for
the Auth_Signature procedure, and its 18-bit response is the A-Key checksum. The checksum provides a
check for the accuracy of the A-Key when entered into a mobile station. The checksum is returned as 6
decimal digits for entry into the mobile station.

Note:
Generation of the A Key checksum is external to mobile, it is generated on a system.

5.2 Why generate a A Key Checksum

The A Key is never directly entered into the mobile, since anyone with the privilege to change the A Key
can do so. Hence the A Key is entered into the mobile along with the A Key checksum. This checks that we
don“t make any arbitrary string of digits the A Key.

5.3 Verification of A Key

While A-key digits are being entered from a keypad, the mobile station transmitter shall be disabled. When
the A-key digits are entered from a keypad, the number of digits entered is to be at least 6, and may be any
number of digits up to and including 26 digits (i.e. 20 digits of A Key and 6 digits of checksum). In a case
where the number of digits entered is less than 26, the leading most significant digits will be set equal to
zero, in order to produce a 26-digit quantity called the ” entry value„. The verification procedure checks the
accuracy of the 26 decimal digit entry value. If the verification is successful, the 64-bit pattern determined
by the first 20 digits of the entry value will be written to the subscriber's semi-permanent memory as the A-
key. And, the SSD_A and the SSD_B will be set to zero.

Note:
When the A key is changed the SSD becomes zero. When the mobile is shipped the A key stored is a string
of zeros.

6 Encryption
In an effort to enhance the authentication process and to protect sensitive information (example PIN“s sent
as DTMF tones), certain fields which carry these sensitive information in Traffic Channel messages are
encrypted.
All type specific fields in traffic channel messages will be encrypted using the CMEA process. For
encryption to be carried to the mobile should be in standard authentication mode.

8
6.1 When to do Encryption?
The encryption capacity supported by the mobile software of the mobile is known in the Origination
Message (MO call) and Page Response Message (MT call). The ENCRYPTION_SUPPORTED in these
messages tell the encryption capacity of the mobile.
The base station by sending the Channel Assignment Message turns on the initial mode. The
ENCRYPT_MODE field in this message tells the mode of encryption to be used on traffic channel. If the
field value is 0H than no encryption of type specific fields is to be done. If the value is 1H or 2H than
CMEA or Enhanced CMEA as the case maybe, is used for encrypting the type specific fields.
Encryption can be turned ON (if not done in Channel Assignment Message) or OFF after this message
when on a traffic channel. Sending the General Handoff Direction Message or Extended Handoff Direction
Message does this by the setting the value of the field ENCRYPT_MODE in theses messages to 1H or 0H
as the case may be.
Take for example the Alert with Information Message (AWI) which is sent on the forward traffic channel.
The use of this message during call setup is to give a ring back tone to the calling mobile and a CLI (Caller
Line Identification) to the called mobile. So AWI has different uses as the case may be. The record fields
that are for ring back tone, CLI are included as the case maybe, these fields are called type specific fields.
Such fields are there in all traffic channel messages like Flash with Information, Data Burst Message,
DTMF etc. These type specific fields may contain DTMF tones (which can be PIN numbers), or some SMS
message sent in Data Burst Message. These fields are encrypted.

7 Voice Privacy
Users claim an interest in being able to communicate among them, using Cellphones, without routine
monitoring of their communications by other persons or organizations. This is Voice privacy. Voice
privacy is provided in the CDMA system by means of the private long code mask used for PN spreading.
Transition to this private long code mask is done only when a mobile is in the standard authentication mode
and is on a traffic channel.
All calls are initiated using the public long code mask for PN spreading. The mobile station user may
request voice privacy during call setup using the Origination Message or Page Response Message, and
during Traffic Channel operation using the Long Code Transition Request Order.
To initiate a transition to the private or public long code mask, either the base station or the mobile station
sends a Long Code Transition Request Order on the Traffic Channel. The mobile station or the base station
responds to this with a Long Code Transition Completion Order.
The base station can also cause a transition to the private or public long code mask by sending the Extended
Handoff Direction Message or the General Handoff Direction Message with the PRIVATE_LCM bit set
appropriately.

8 Something on Algorithms
As I said earlier, we use cryptography methods to increase the robustness of the system. The TIA standard
describes four cryptographic methods for use in digital cellular systems.
1. CAVE (Cellular Authentication Voice Privacy and Encryption) algorithm. It is intended for
performing authentication and key generation.
2. XOR mask for voice privacy. CDMA uses SS technique for security.
3. ORYX a stream cipher for wireless data services.
4. CMEA (Cellular Message Encryption Algorithm), a block cipher used to encrypt type specific fields
on traffic channel.

8.1 Uses of CAVE

1. CAVE is used to generate a set of cryptovariables for the Cellular Message Encryption Algorithm
(CMEA) message encryption process.
2. CAVE is used in the generation of 520 bits for the duplex voice privacy masks.
3. The generation of a subscriber's Shared Secret Data (SSD) from his unique A-key.
4. A procedure to verify the manual entry of the A-key.
5. CAVE is used for Authentication procedures.

9
We will be looking into these shortly.

8.2 The CAVE Process

Lets us not get into the technicalities of the CAVE and CMEA but get a working knowledge of the CAVE
process. For the core details you can always refer to TR45 Appendix A of IS-54.
CAVE is a software-compatible non-linear mixing function. Its primary components are a 32-bit
linear-feedback shift register (LFSR), sixteen 8-bit mixing registers, and a 256-entry lookup table. We shall
call it the CAVE Table. The table is organized as two (256 x 4 bit) tables. The low order four bits of the
entries comprise table 0 and the high order four bits of the entries comprise table 1.

8.2.1 Steps in CAVE operation

The algorithm operation consists of three steps:
1. An initial loading, a repeated randomization consisting of four or eight ” rounds„, and processing of the
output. Initial loading consists of filling the LFSR, register stages R00 through R15, and the pointer
offsets with information that is specific to the application.
2. The randomization process.
The output processing utilizes the final (randomized) contents of R00 through R15 in a simple function
whose result is returned to the calling process.

8.3 The CMEA Message Encryption Process

8.3.1 Steps in CMEA Process

CMEA consists of three layers.
1. The first step performs one non-linear pass on the block; this effects left-to-right diffusion.
2. The second step is a purely linear, unkeyed operation intended to make changes propagate in the
opposite direction. One can think of the second step as (roughly speaking) Xoring the right half of the
block onto the left half.
3. The third step performs a final nonlinear pass on the block from left to right; in fact, it is the inverse of
the first step.
CMEA obtains the non-linearity in the first and third layer from a 8-bit keyed lookup table known as the T-
box.
The T-box calculates its 8-bit output as
T (x) = C (((C (((C (((C ((x ⊕ K0) + K1) + x)⊕ K2) + K3) + x) ⊕ K4) + K5)+x) ⊕K6) + K7) + x
Given input byte x and 8-byte key K0:::7. In this equation C is an unkeyed 8-bit lookup table known as the
CaveTable; all operations are performed using 8-bit arithmetic. The CaveTable is given in the figure on the
next page.

8.4 Generation of CMEA Key and VPM (Voice Privacy Mask)

The generation of the 8 byte CMEA Key and VPM is taken together since VPM generation is the
continuation of the CMEA Key. The generation of these keys is carried out only after a global challenge
and not any unique challenge. The CAVE is reinitialized with the post authentication contents and SSD_B
and not SSD_A as is the case for Authentication. The CMEA key is got by running first 8 iterations of
CAVE and than two 4 iterations of CAVE. In the first four round we get k1, k2, k3, k4 and in the second
iteration we get the remaining bytes of the key. There on the CAVE is run for eleven more iterations
beyond that of the CMEA to get the VPM.

10
Figure 3: The Flow Diagram below shows the flow to generate the CMEA Key and VPM.

11
8.4.1 Specification of CMEA
The algorithm encrypts a n-byte message P0.._1 to a cipher text C0 _1 under the key K0..7 as follows:

Figure 4 Specification of CMEA

Step 1 à

Step 2 à

Step 3 à

Here all operations are byte-wide arithmetic: + and - are addition and subtraction modulo 256, ⊕ stands for
a logical bitwise exclusive or, ∨ represents a logical bitwise or, and the keyed T function is as described
previously.

Table 2: CAVE Table

12