B1

CTS Ciphering Key Generation Algorithm

Security
Introduced in Rel-8
A cryptographic algorithm used in GSM systems to generate ciphering keys for encrypting communication between mobile stations and the network. It ensures confidentiality of user data and signaling messages by deriving session-specific encryption keys from authentication parameters. This foundational security mechanism protects against eavesdropping on radio interfaces.

Description

The B1 algorithm is a standardized cryptographic function specified in 3GPP TS 43.020 for GSM networks. It operates as a key derivation function that takes authentication parameters as input and produces ciphering keys used to encrypt communications over the air interface. The algorithm is implemented in both the mobile station (MS) and the authentication center (AuC) within the network infrastructure, ensuring both ends can independently compute the same session keys.

Architecturally, B1 functions within the GSM security framework alongside other algorithms like A3 (authentication algorithm) and A8 (ciphering key generation algorithm). When a mobile station attempts to connect to the network, the authentication process generates a 128-bit random challenge (RAND) and a secret subscriber key (Ki) stored in both the SIM card and AuC. B1 processes these inputs along with other parameters to generate the session-specific ciphering key (Kc) that will be used for the duration of the call or data session.

The algorithm's design follows cryptographic principles appropriate for the computational constraints of early mobile devices while providing adequate security for its time. It generates a 64-bit ciphering key (Kc) that is then used with the A5 stream cipher algorithms to encrypt voice and data transmissions. The B1 algorithm ensures that even if one session key is compromised, subsequent sessions remain secure since new keys are generated for each authentication instance.

In operation, B1 executes a series of cryptographic transformations on the input parameters to produce the output key. The exact mathematical operations are standardized to ensure interoperability across different network equipment manufacturers and mobile device vendors. The algorithm's implementation must meet specific performance requirements to support timely connection establishment while maintaining the security properties necessary for mobile communications.

B1's role extends beyond mere key generation—it forms part of a comprehensive security chain that includes authentication, key agreement, and encryption. By standardizing this algorithm, 3GPP ensured that GSM networks worldwide could implement consistent security measures, enabling international roaming while maintaining protection against interception and unauthorized access to communications.

Purpose & Motivation

The B1 algorithm was created to address the fundamental security requirement of confidentiality in early digital cellular networks. Before GSM, analog cellular systems offered no encryption, making conversations vulnerable to interception by anyone with a suitable radio receiver. As mobile communications expanded to include sensitive business and personal conversations, the need for cryptographic protection became imperative.

B1 specifically solves the problem of secure key distribution for session encryption. Rather than transmitting encryption keys over the air where they could be intercepted, B1 enables both the network and mobile device to independently compute the same session key from shared secrets and public challenges. This approach, known as key agreement through cryptographic derivation, prevents eavesdroppers from obtaining the keys needed to decrypt communications even if they capture the radio transmission.

The algorithm's development responded to the technical constraints of 1990s mobile devices, which had limited processing power and memory. B1 had to be computationally efficient enough to run on simple microcontroller-based SIM cards while providing adequate cryptographic strength. By standardizing this algorithm, 3GPP ensured interoperability across different manufacturers' equipment and created a foundation for the security features that would evolve through subsequent generations of mobile technology.

Key Features

  • Generates 64-bit ciphering keys (Kc) for GSM encryption
  • Uses shared secret (Ki) and random challenge (RAND) as inputs
  • Implemented in both SIM cards and network authentication centers
  • Enables session-specific key generation for forward security
  • Standardized algorithm ensuring interoperability across networks
  • Forms part of GSM's A3/A8 authentication and key agreement framework

Evolution Across Releases

Rel-8 Initial

Originally specified as part of the GSM security architecture in 3GPP TS 43.020. The B1 algorithm was defined as the standardized method for generating ciphering keys from authentication parameters, establishing the foundation for GSM encryption. It worked in conjunction with the A3 authentication algorithm and A5 encryption algorithms to provide comprehensive air interface security.

TS 43.020

Defining Specifications

SpecificationTitle
TS 43.020 3GPP TR 43.020