Description
COUNT-C is the 32-bit ciphering sequence number defined in the 3GPP UMTS security architecture (TS 33.102) and carried through to the algorithm interface specification TS 33.105. It is the time-variant input to the confidentiality function f8, which ciphers user and signalling data on the access link between the User Equipment (UE) and the Radio Network Controller (RNC); it is not a core-network parameter. COUNT-C is a counter that advances with every ciphered Protocol Data Unit (PDU), so that the same keystream is never produced twice under the same Cipher Key (CK). It is the concatenation of a Hyper Frame Number (HFN), the high-order bits that are kept locally and never transmitted, and a Sequence Number (SN), the low-order bits that are carried in the PDU header. The split depends on the layer doing the ciphering: for RLC acknowledged mode a 20-bit HFN and 12-bit RLC SN, for RLC unacknowledged mode a 25-bit HFN and 7-bit RLC SN, and for RLC transparent mode (ciphering in MAC) a 24-bit MAC-d HFN and the 8-bit Connection Frame Number (CFN).
COUNT-C is generated and maintained at both ends of the access link, the UE and the RNC; the core-network nodes (SGSN, MSC) are not involved in ciphering in UMTS. When a radio bearer is established, the most significant 20 bits of the HFN are initialised from the START value held on the USIM and the remaining bits are set to zero; START is stored and advanced at connection release so that COUNT-C values are not reused under the same CK, and when START reaches the THRESHOLD value a new authentication and key agreement is triggered. COUNT-C is then combined with the 128-bit CK, the 5-bit BEARER identity, the 1-bit DIRECTION (uplink or downlink) and the LENGTH of keystream required to form the complete f8 input. The standardised f8 instantiations are UEA1 (based on KASUMI) and UEA2 (based on SNOW 3G). AES and ZUC are LTE algorithms (EEA2 and EEA3); the corresponding LTE input is the PDCP COUNT, which keeps the same HFN-plus-SN construction but is a distinct parameter.
In operation, the transmitter ciphers each PDU with the keystream derived from the current COUNT-C, places only the SN in the PDU header, and advances the counter: the SN is incremented, and when it wraps to zero the local HFN is incremented. The receiver reads the SN from the header and rebuilds COUNT-C by pairing it with its own HFN, incrementing that HFN whenever the received SN wraps. This is what makes ciphering tolerant of lost or reordered PDUs: the receiver does not have to count transmissions, it only has to detect wrap-around, which works as long as fewer than a full SN cycle of PDUs are missing. If more are lost than the SN space can cover, the receiver's HFN silently falls behind and every subsequent PDU deciphers to garbage; the specifications do not repair this at the ciphering layer, and the RLC entity or the RRC connection has to be reset or re-established, re-initialising COUNT-C from START.
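The counter layout, the sender and receiver behaviour, and the two failure modes described above, as an added example written for this page rather than 3GPP reference code. The field widths follow TS 33.102; the keystream function is an assumption made so the example runs offline (HMAC-SHA256 in counter mode over the same parameter set f8 takes) and is not UEA1 or UEA2. The channel simulation and the plaintexts are constructed sample data.

```python
# Added example (editorial, not 3GPP or vendor code). Models COUNT-C per
# TS 33.102 and a receiver that rebuilds it from the SN in each PDU header.
# keystream() is a stand-in PRF (HMAC-SHA256), an assumption, not f8/UEA1/UEA2.
import hmac
import hashlib

# COUNT-C layout (TS 33.102 clause 6.6.4): 32 bits = HFN || SN
MODES = {
    "RLC_AM": (20, 12),  # acknowledged mode: 20-bit HFN, 12-bit RLC SN
    "RLC_UM": (25, 7),   # unacknowledged mode: 25-bit HFN, 7-bit RLC SN
    "MAC_TM": (24, 8),   # transparent mode: 24-bit MAC-d HFN, 8-bit CFN
}
UPLINK, DOWNLINK = 0, 1


def count_c(hfn, sn, mode):
    """Concatenate HFN and SN into the 32-bit COUNT-C for the given mode."""
    hfn_bits, sn_bits = MODES[mode]
    if not (0 <= hfn < (1 << hfn_bits) and 0 <= sn < (1 << sn_bits)):
        raise ValueError("HFN/SN out of range for %s" % mode)
    return (hfn << sn_bits) | sn


def keystream(ck, count, bearer, direction, length):
    """Stand-in for f8: PRF(CK, COUNT-C || BEARER || DIRECTION || block index)."""
    out, block = b"", 0
    while len(out) < length:
        msg = (count.to_bytes(4, "big") + bytes([bearer & 0x1F, direction & 1])
               + block.to_bytes(4, "big"))
        out += hmac.new(ck, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    """Ciphers PDUs; only the SN goes on the wire, the HFN is local state."""

    def __init__(self, ck, mode, bearer, direction, hfn):
        self.ck, self.mode, self.bearer, self.direction = ck, mode, bearer, direction
        self.hfn, self.sn, self.sn_mod = hfn, 0, 1 << MODES[mode][1]

    def send(self, plaintext):
        cnt = count_c(self.hfn, self.sn, self.mode)
        ks = keystream(self.ck, cnt, self.bearer, self.direction, len(plaintext))
        pdu = (self.sn, xor(plaintext, ks))
        self.sn = (self.sn + 1) % self.sn_mod
        if self.sn == 0:          # SN wrapped: advance HFN so COUNT-C stays fresh
            self.hfn += 1
        return pdu


class Receiver:
    """Rebuilds COUNT-C from the received SN and a locally tracked HFN,
    tolerating losses and reordering of less than half the SN space."""

    def __init__(self, ck, mode, bearer, direction, hfn):
        self.ck, self.mode, self.bearer, self.direction = ck, mode, bearer, direction
        self.hfn, self.last_sn, self.half = hfn, None, 1 << (MODES[mode][1] - 1)

    def receive(self, pdu):
        sn, ct = pdu
        hfn = self.hfn
        if self.last_sn is None:
            self.last_sn = sn
        else:
            diff = sn - self.last_sn
            if diff < -self.half:      # SN jumped backwards: wrap-around seen
                self.hfn += 1
                hfn, self.last_sn = self.hfn, sn
            elif diff > self.half:     # late PDU from before the last wrap
                hfn = self.hfn - 1
            elif diff > 0:             # in order, possibly with losses
                self.last_sn = sn
            # -half <= diff <= 0: duplicate or late PDU within current HFN
        cnt = count_c(hfn, sn, self.mode)
        return xor(ct, keystream(self.ck, cnt, self.bearer, self.direction, len(ct)))


def run_session(n_pdus, drop=frozenset(), swap=None, mode="RLC_UM"):
    """Constructed channel: drops PDU indices in `drop`, swaps the pair in
    `swap`. Returns True iff every delivered PDU deciphers correctly."""
    ck = bytes(range(16))                       # constructed 128-bit CK
    tx = Sender(ck, mode, bearer=3, direction=UPLINK, hfn=5)
    rx = Receiver(ck, mode, bearer=3, direction=UPLINK, hfn=5)
    plaintexts = [("pdu-%04d" % i).encode() for i in range(n_pdus)]
    pdus = [tx.send(p) for p in plaintexts]
    order = [i for i in range(n_pdus) if i not in drop]
    if swap:
        a, b = order.index(swap[0]), order.index(swap[1])
        order[a], order[b] = order[b], order[a]
    return all(rx.receive(pdus[i]) == plaintexts[i] for i in order)


def keystream_reuse_leak(p1, p2):
    """If COUNT-C repeats under one CK (e.g. HFN reset without a fresh START),
    XOR of the two ciphertexts equals XOR of the plaintexts, with no key."""
    ck = bytes(range(16, 32))
    cnt = count_c(hfn=7, sn=42, mode="RLC_AM")
    c1 = xor(p1, keystream(ck, cnt, 1, DOWNLINK, len(p1)))
    c2 = xor(p2, keystream(ck, cnt, 1, DOWNLINK, len(p2)))
    return xor(c1, c2) == xor(p1, p2)
```

With the 7-bit UM sequence number, a 300-PDU session wraps the SN twice; dropping a handful of PDUs across a wrap, or swapping the two PDUs on either side of it, still deciphers because the receiver tracks wrap-around rather than counting transmissions. Dropping more than a full SN cycle (160 consecutive PDUs here) leaves the receiver's HFN one behind and the session never recovers, which is the case the access stratum handles by reset or re-establishment rather than inside the cipher. The last function is the reason the HFN is seeded from a stored START value rather than from zero.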
The cryptographic role of COUNT-C is keystream uniqueness: f8 is a stream cipher, and two PDUs ciphered under the same CK with the same COUNT-C, BEARER and DIRECTION would be XORed with the same keystream, so the XOR of the two ciphertexts would reveal the XOR of the plaintexts without any knowledge of the key. Because COUNT-C changes with every PDU and START prevents the HFN from being re-used after reconnection, this condition does not arise under a given CK. COUNT-C does not by itself protect against replay: a recorded ciphertext replayed later would merely decipher to garbage, and an attacker who can inject at the RLC layer could replay a PDU together with its original SN. Replay protection for signalling is provided by the integrity function f9 with its own counter COUNT-I, and the session offers no forward secrecy; compromise of CK exposes everything ciphered under it. COUNT-C is a required input to both UMTS ciphering algorithms, UEA1 and UEA2.
Purpose & Motivation
COUNT-C exists because f8 is a stream cipher and a stream cipher needs a time-variant input alongside the key. GSM had already solved this for A5 by feeding the 22-bit TDMA frame number (COUNT) into the cipher, but that counter is tied to the radio frame and rolls over in about 3.5 hours, after which keystream repeats unless the key changes. The 3GPP security working group (SA3) specified a longer, layer-specific counter for UMTS so that keystream could not repeat under one CK within the lifetime of a connection, and so that the same design could serve RLC and MAC ciphering alike.
The practical problem COUNT-C solves is keeping cipher and decipher in step over a radio link where PDUs are lost, duplicated or reordered. Transmitting the whole 32-bit counter in every PDU would cost bandwidth; transmitting nothing would break synchronisation at the first loss. The split into a transmitted SN and a locally maintained HFN is the compromise: the receiver recovers the exact counter of each PDU from the header and needs only to track HFN roll-over, so isolated losses cost nothing, while the HFN keeps the full counter long enough that it cannot wrap within a connection.
The same construction has been retained in every later generation. In LTE (Release 8) the PDCP COUNT is likewise HFN plus PDCP SN and is fed, with BEARER, DIRECTION and LENGTH, into EEA1 (SNOW 3G), EEA2 (AES) and EEA3 (ZUC); NAS signalling has its own NAS COUNT; and 5G NR keeps PDCP COUNT as the input to NEA1, NEA2 and NEA3. COUNT-C itself remains the UMTS access-link parameter.
Key Features
- Time-variant parameter ensuring cryptographic synchronization
- Consists of Hyper Frame Number (HFN) and Sequence Number (SN) components
- Required input to both UMTS ciphering algorithms, UEA1 (KASUMI) and UEA2 (SNOW 3G); the LTE algorithms (SNOW 3G, AES, ZUC) take the analogous PDCP COUNT
- Prevents keystream reuse under a given CK; replay protection comes from the integrity function (f9 with COUNT-I), not from COUNT-C
- Maintains synchronization across potential packet loss or reordering
- Supports both uplink and downlink ciphering operations
Evolution Across Releases
COUNT-C was introduced in Release 99 as part of the UMTS security architecture (TS 33.102), as the time-variant input to the confidentiality function f8. Release 99 specified one f8 instantiation, UEA1, built on the KASUMI block cipher; Release 7 added UEA2, built on the SNOW 3G stream cipher, with the same f8 interface and the same COUNT-C input. The structure as a concatenation of HFN and SN, the per-mode bit splits, and the rules for initialising the HFN from the USIM START value and incrementing it on SN wrap-around have been stable since the initial release. Release 8 (LTE/SAE) did not extend COUNT-C; it introduced the separate PDCP COUNT and NAS COUNT parameters, built on the same HFN-plus-SN principle, as inputs to the 128-bit EPS algorithms EEA1, EEA2 and EEA3 and to the EPS integrity algorithms.
Defining Specifications
| Specification | Title |
|---|---|
| TS 33.102 | 3G Security; Security architecture |
| TS 33.105 | 3G Security; Cryptographic algorithm requirements |