3GPP Confidentiality and Integrity Algorithms for GSM and GPRS

Status: Final Published
Published Date: A5/3 and GEA3 specifications, 1999; A5/4 Encryption Algorithms for GSM and ECSD, and the GEA4, March 2004, Release 15 in October 2018
Region: Europe

Background

The Confidentiality and Integrity Algorithms for GSM and GPRS (specifically the A5/3, A5/4, GEA3, and GEA4) are tied to patents held by the Mitsubishi Electric Corporation Japan, which, in turn, has made them available on a royalty-free basis provided that a license is secured from the company. Underneath the obvious objective of providing security specifications for cellular communications, the SP 800-187 also serves as a stepping stone for a much more vital and intricate purpose, especially when considering automotive applications: encryption and data security.

Summary

This specification addresses many communication security elements indirectly rather than directly. Rather than dealing with communication security on the grander scale of cellular-connected things, the standard focuses on the building blocks for other security services: the encryption algorithms. The key elements of this specification, along with the “confidentiality” and “integrity” parameters for cellular technologies, can be broken down even further and include the following:

  • Encryption Roadmap and Data Security: This refers to attempting to develop a well-rounded roadmap of a cellular encryption approach that addresses both data security in-transit (confidentiality over the transmission of information) and data security at-rest (integrity of data caches).
  • (Mostly) Full-Spectrum Cellular: Another key element is safeguarding communication security for communication protocols 2G, 3G, and 4G. However, as will be discussed below, there are a number of issues to consider here regarding 2G and Narrowband-Internet of Things (NB-IoT).
  • Interference Protection and Visibility: This assures that no external interference can disrupt connectivity, or at the very least that such interference is minimized and potentially even detected much earlier when it occurs (thus providing additional visibility and evidence of tampering ahead of time).
  • Damage Mitigation and Safeguard OTA: Finally, this refers to attempting to minimize connection tampering, replay attacks, attacks targeting data integrity, connectivity hijacking, potentially even blocking or altering predetermined OTA communication, which could carry security updates, vendor-specific system updates, and, perhaps most vital of all, critical automotive system function updates.

Cellular Vulnerabilities: Note, however, that even though the specification addresses security encryption for cellular communications, vulnerabilities continue to surface, many of which allow the actions outlined in the previous bullet point, with the “replay attack” being the top threat.

It should be noted that the 2G protocol is arguably the weakest of them all, but encryption protocols for 3G and 4G also suffer from vulnerabilities. This specification does not directly address these issues (i.e., attack vectors or vulnerable paths), but rather outlines top-level information and other essential algorithms that can be used in lieu of other less secure alternatives. As expected, the type of target application greatly alters security expectations and the choice of encryption algorithm to use.

Below is a list of the key encryption algorithms addressed in the Confidentiality and Integrity Algorithms for GSM and GPRS. Note that some versions like A5/1 and A5/2, GEA1 and GEA2, or UEA-type algorithms are not the focus of this standard, but they are included for the sake of completion. The main ones addressed by this standard are A5/3, A5/4, GEA/2, GEA/3, GEA/4, and GEA/5.

  • A5/1 and A5/2: These were the original cellular algorithms attempting to cover the first and second generation of cellular communications and are now obsolete.
  • A5/3 and A5/4: Both use the KASUMI block cipher (a 64-bit and 128-bit cipher originally created by the European ETSI), which is the foundation for GSM and GPRS encryption. All A5-type encryption algorithms are focused on providing security for voice data packets. A5/3 used the 64-bit cipher, while the later A5/4 extended the encryption to a more advanced 128-bit cipher, which, as expected, is more complex and secure.
  • UEA1 and UIA1: The UEA1 and UIA1 are the key ciphering algorithms and the basis for others like A5/4 and GEA/4, which focus on data security for data at-rest and in-transit. Both are built on KASUMI, as are the GEA/3 and GEA/4.
  • GEA/1 and GEA/2: Rather insecure encryption algorithms covering the entire GSM/GPRS/EDGE/3G/4G spectrum, which can be easily decrypted.
  • GEA/3 and GEA/4: Similar to the A5/3 and A5/4, the GEA/3 is based on the 64-bit version of KASUMI, while the GEA/4 offers the advanced 128-bit version. Both cover the full cellular spectrum GSM/GPRS/EDGE/3G/4G. All GEA-type encryption algorithms focus on providing encryption for all other non-voice data packets.
  • GEA5: The latest version of the data packet encryption algorithm, which is based on SNOW 3G.

Note

LPWA for IoT-focused Automotive Applications: The specification does not deal with new IoT-focused cellular connectivity protocols like NB-IoT or Long-Term Evolution (LTE) Cat M1 (also called LTE-M), which concern Low Power Wide Area (LPWA) applications. While they have not yet hit critical mass, protocols like LTE-M, which are based on the 3rd Generation Partnership Project (3GPP) standard for enabling LPWA communications, are used for car-sharing, vehicle telematics, tracking, and connected parking applications. The current iteration of this specification does not cover connection security issues for the aforementioned applications or protocols.
