A5/3 ciphering in Release B11

Functional Feature Description

A5/3 ciphering
in Release B11

Alcatel-Lucent

File
FFUV7WE2.DOC

Reference
3DC 21144 0140 TQZZA

Date
18/082008

Edition
02

Page
1

All rights reserved. Passing on and copying of this document, use and communication of its contents not permitted without written authorization.

A5/3 ciphering in Release B11

Contents

1. SCOPE ............................................................................................................. 3
2. RATIONALE ....................................................................................................... 4
3. ALCATEL-LUCENT IMPLEMENTATION ......................................................................... 4
3.1

General behavior ........................................................................................ 4

3.2

Call setup ................................................................................................. 5

3.3

TCH Handover............................................................................................ 6

4. HW IMPACT IN THE BSS AND EXTERNAL DEPENDENCIES................................................... 6

5. PARAMETERS ..................................................................................................... 6
6. COUNTERS ........................................................................................................ 7
7. GLOSSARY......................................................................................................... 8
8. REFERENCES ...................................................................................................... 8

Alcatel-Lucent

File
FFUV7WE2.DOC

Reference
3DC 21144 0140 TQZZA

Date
18/082008

Edition
02

Page
2

All rights reserved. Passing on and copying of this document, use and communication of its contents not permitted without written authorization.

A5/3 ciphering in Release B11

1. SCOPE
The present functional feature description provides detailed information concerning the
implementation of the A5/3 ciphering feature in the Alcatel-Lucent BSS B11 release.
The following feature is described:
15 72 90

Alcatel-Lucent

A5/3

File
FFUV7WE2.DOC

Reference
3DC 21144 0140 TQZZA

Date
18/082008

Edition
02

Page
3

All rights reserved. Passing on and copying of this document, use and communication of its contents not permitted without written authorization.

A5/3 ciphering in Release B11

2. RATIONALE
Due to fact that A5/2 ciphering algorithm has been broken, the GSM Association requested all
operators to not use A5/2 anymore from July 2007 onwards. As a complement to this request, the
MS do not support A5/2 ciphering algorithm starting with 3GPP Release 6 onwards.
In the same time, some representatives of hacker community claim that they would be able to
break also the A5/1 ciphering algorithm with relatively limited means.
These were the reasons to introduce a new ciphering algorithm in order to continue ensuring voice
calls privacy in the GSM networks.
For that purpose the A5/3 ciphering algorithm was chosen. The new algorithm is very robust. It
was standardized in 3GPP Release 4 and it is already used in the UMTS technology.
A5/3 can be a mandatory requirement of some end-users and will be needed by Operators to
maintain a good corporate image and to avoid churn due to a feeling of uncertainty.
The A5/3 ciphering algorithm only concerns the Circuit Switched domain. In the Packet Switched
domain, ciphering is not provided by the BSS.

3. ALCATEL-LUCENT IMPLEMENTATION
3.1 General behavior
Before the introduction of the A5/3 algorithm, a BSS was supporting up to 2 encryption algorithms
(A5/1 and alternatively A5/2 up to 2007), but not both of them at the same time: either A5/1 was
used for all calls, either A5/2 was used for all calls.
As A5/3 algorithm is not supported by all MS in the network and also not supported by all TRX
generations, the BSS will have to support 2 encryption algorithms simultaneously. The choice of
the algorithm to be used will be performed on a per call basis: the ciphering algorithm is decided
at call setup, and can be changed after a handover in case the new TRX has different ciphering
capabilities.
For a call, A5/3 is used if:
-

MS supports A5/3, as indicated in Class mark 2,

TRX supports A5/3,

The operator has enabled A5/3 support for the cell,

NSS allows the use of A5/3;

Alcatel-Lucent

File
FFUV7WE2.DOC

Reference
3DC 21144 0140 TQZZA

Date
18/082008

Edition
02

Page
4

All rights reserved. Passing on and copying of this document, use and communication of its contents not permitted without written authorization.

A5/3 ciphering in Release B11

DTM is not enabled in the cell or DTM is enabled and the Ciphering Mode Setting
Capability of the MS bit is set. (Only 3GPP Release 6 MS are able to change the ciphering
algorithm when the call is established in DTM, this being indicated in its Ciphering Mode
Setting Capability bit.)

The MSC gives in a bit field a set of permitted algorithms on call basis, e.g. in the CIPHER MODE
COMMAND message. The BSC will always give priority to A5/3 over A5/1, in case several ciphering
algorithms are possible.
If no ciphering algorithm is specified by the MSC, the BSC will use A5/0 (No encryption).

3.2 Call setup

Air

Abis

MS

BTS

MSC

BSC

TRX1

IMMEDIATE ASSIGNMENT

IMMEDIATE ASSIGNMENT

SABM / SDCCH
SDCCH unciphered

CIPHERING MODE CMD

CIPHER MODE CMD

ENCRYPTION COMMAND

2
SDCCH ciphered

HANDOVER CMD

HANDOVER CMD

3
ASSIGNMENT REQUEST

TRX2

ASSIGNMENT COMMAND

ASSIGNMENT COMMAND

SABM / FACCH
TRX3

TCH ciphered

Figure 1: Call setup example

1. At initial SDCCH allocation (i.e. call setup), ciphering is not started. At this point, SDCCH is
established without ciphering.

Alcatel-Lucent

File
FFUV7WE2.DOC

Reference
3DC 21144 0140 TQZZA

Date
18/082008

Edition
02

Page
5

All rights reserved. Passing on and copying of this document, use and communication of its contents not permitted without written authorization.

A5/3 ciphering in Release B11

2. The ciphering algorithm is chosen at reception of CIPHER MODE COMMAND and takes into account
the TRX capabilities.
3. If a SDCCH handover takes place, it may happen that the ciphering capabilities of the new TRX
are different from the previous one. This situation can lead to a change of ciphering algorithm
after the handover.
4. Upon reception of the ASSIGNMENT REQUEST message, the selection of the ciphering algorithm is
done again for the TCH. The ciphering algorithm may have to be changed if the TRX chosen for
the TCH has different ciphering capabilities than the TRX where the SDCCH was established. For
normal TCH assignments, ciphering selection will be done based on the Encryption Information IE
stored when Cipher Mode Command was received.

3.3 TCH Handover

When a TCH handover is performed, the ciphering capabilities of the new TRX can be different
from the ciphering capabilities of the previous one.
If an internal or external handover condition is met, the BSC derives the ciphering algorithm
according to 3.1. This selection is signaled with the ciphering information in the CHANNEL
ACTIVATION message to the new TRX and in the HANDOVER CMD (or ASSIGNMENT CMD message in
case of intra-cell HO) to the MS (the later only in case the ciphering algorithm is changed).
For internal handover, the BSC takes the NSS settings concerning ciphering from the CIPHER MODE
COMMAND message. For external handover, this information is taken from HANDOVER REQUEST
message.

4. HW IMPACT IN THE BSS AND EXTERNAL DEPENDENCIES

In the A9100 BTS, A5/3 ciphering is supported by all EDGE capable TRX.
A5/3 is supported by the Alcatel-Lucent micro-BTS starting from the 9110-E Micro-BTS (M5M).
A5/3 feature must be supported by the MSC.

5. PARAMETERS
CELL_CIPH_SET: List of the ciphering algorithms allowed by the Operator, on a per cell basis.
The values can be: A5/0, A5/0+A5/1, A5/0+A5/1+A5/3. The A5/0 bit is always set.

Alcatel-Lucent

File
FFUV7WE2.DOC

Reference
3DC 21144 0140 TQZZA

Date
18/082008

Edition
02

Page
6

All rights reserved. Passing on and copying of this document, use and communication of its contents not permitted without written authorization.

A5/3 ciphering in Release B11

6. COUNTERS
MC951
Indicates the number of Assignment Request messages received for MS supporting A5/3 ciphering.
MC952
Indicates the number of Cipher Mode Command received from the MSC, allowing A5/3 ciphering
for a MS supporting A5/3 in a cell where A5/3 is enabled.
MC953
Indicates number of successful Cipher Mode Command procedures for usage of A5/3
MC954
Counter is incremented each time the BSC sends:
1) If the cell is a serving cell: a 44.018 ASSIGNMENT COMMAND message with the target ciphering
algorithm to be used by the MS for this call set to A5/3 (whatever the ciphering algorithm used
before),
2) If the cell is the target cell of an Intra-Cell handover, or inter-cell handover, or external handover
or internal/external directed retry: or a 44.018 HANDOVER COMMAND message via the serving cell
with the target ciphering algorithm to be used by the MS for this call in the target cell set to A5/3
(whatever the ciphering algorithm used before).
MC955
Indicates number of 44.018 Assignment Command / Handover Command messages sent to an MS,
with A5/3 as ciphering algorithm
MC956
Counter is incremented each time the BSC sends:
1) If the cell is a serving cell: a 44.018 ASSIGNMENT COMMAND message to an A5/3 capable MS
without requiring the usage of A5/3, because the TRX on which the MS is being allocated in the
serving cell does not support A5/3,
2) If the cell is the target cell of an intra-cell handover, or inter-cell handover, or external handover
or internal/external directed retry: or a 44.018 HANDOVER COMMAND message to an A5/3 capable
MS via the serving cell, without requiring the usage of A5/3, because the TRX on which the MS will
be allocated in the target cell does not support A5/3.

Alcatel-Lucent

File
FFUV7WE2.DOC

Reference
3DC 21144 0140 TQZZA

Date
18/082008

Edition
02

Page
7

All rights reserved. Passing on and copying of this document, use and communication of its contents not permitted without written authorization.

A5/3 ciphering in Release B11

7. GLOSSARY

2G

2nd Generation

3GPP

3rd Generation Partnership Project

BSC

Base Station Controller

BSS

Base Station Subsystem

BTS

Base Transceiver Station

CS

Circuit Switched

DTM

Dual Transfer Mode

GMSK

Gaussian Minimum Shift Keying

GPRS

General Packet Radio Service

GSM

Global System for Mobile communications

HO

Handover

IP

Internet Protocol

MS

Mobile Station

MSC

Mobile Switching Centre

NSS

Network Sub-System

OMC-R

Operation and Maintenance Center - Radio

PS

Packet Switched

SDCCH

Standalone Dedicated Control Channel (GSM TS)

SUM

Station Unit Module

TCH

Traffic Channel

TDM

Time-Division Multiplexing

TRX

Transceiver

8. REFERENCES
3GPP TS 24.008

Mobile radio interface Layer 3 specification; Core network protocols; Stage 3.

3GPP TS 42.009

Security aspects.

3GPP TS 43.020

Security related network functions.

3GPP TS 48.058

Base Station Controller - Base Transceiver Station (BSC - BTS) interface; Layer

3GPP TS 55.216

3 specification.
Specification of the A5/3 Encryption Algorithms for GSM and ECSD, and the
GEA3 Encryption Algorithm for GPRS; Document 1: A5/3 and GEA3
Specifications.

End of Document

Alcatel-Lucent

File
FFUV7WE2.DOC

Reference
3DC 21144 0140 TQZZA

Date
18/082008

Edition
02

Page
8

All rights reserved. Passing on and copying of this document, use and communication of its contents not permitted without written authorization.