Description
The Data Authentication Pattern (DAP) is a standardized security construct within 3GPP systems that implements message authentication. It is not a standalone protocol but a defined pattern or framework for applying cryptographic integrity protection and data origin authentication to protocol data units (PDUs) exchanged between network entities. The pattern specifies how to generate and verify an authentication tag (often a Message Authentication Code or MAC) over a set of data fields, ensuring the data's integrity and confirming the identity of the sender. This prevents unauthorized modification, replay attacks, and spoofing during data transmission.
Architecturally, DAP operates at a layer above the basic transport, typically within the application or signaling protocol layers. Its implementation involves a sender and a receiver sharing a secret cryptographic key (K), established through prior security procedures like Authentication and Key Agreement (AKA). To generate a DAP, the sender selects the specific data fields to be protected (the 'authenticated data'), which may include critical parameters like identifiers, timestamps, or command codes. Using the shared key K and a specified cryptographic algorithm (historically, algorithms like the 3GPP MILENAGE set were common), the sender computes a MAC over this authenticated data. This MAC, the DAP itself, is then appended to the message before transmission.
Upon receipt, the receiving entity extracts the DAP and the received authenticated data. It independently recalculates the expected MAC using its copy of the shared key K and the same algorithm. By comparing the computed MAC with the received DAP, the receiver can verify with high cryptographic assurance that the data is intact and originated from an entity possessing the correct key. The exact scope of the authenticated data, the cryptographic algorithm, and the key management are defined within the specific 3GPP technical specification (TS) implementing the DAP for a particular interface or service, such as those governing Lawful Interception (LI) or subscriber data management.
DAP's role is foundational for securing sensitive operations, particularly in network management and regulatory functions. For instance, in Lawful Interception systems specified in TS 33.108, DAPs authenticate all Handover Interface (HI) communications between the Lawful Enforcement Monitoring Facility (LEMF) and the network operator's Mediation Function (MF). This ensures that interception commands and intercepted content are genuine and untampered, a critical legal requirement. Similarly, DAP mechanisms secure communications in the Equipment Identity Register (EIR) and other network elements handling sensitive subscriber or equipment data, as referenced in specs like TS 23.048.
Purpose & Motivation
DAP was created to address the fundamental security requirement of data origin authentication and integrity protection in 3GPP networks. As mobile networks evolved to offer more sophisticated services and handle increasingly sensitive user data, the risk of malicious actors injecting false commands, tampering with management data, or spoofing network entities grew. Previous approaches often relied on implicit trust within closed network domains or weaker, non-standardized security mechanisms that were insufficient for regulatory compliance and robust network protection.
The primary problem DAP solves is providing a standardized, cryptographically strong method to ensure that critical data exchanges—especially for network management, lawful interception, and subscriber data handling—are trustworthy. Without DAP, commands to activate lawful interception or update equipment blacklists could be forged, leading to privacy violations, service disruption, or legal non-compliance. Its creation was motivated by the need for a consistent security pattern that could be mandated across various 3GPP interfaces, ensuring interoperability between equipment from different vendors while meeting the stringent security and legal requirements of network operators and regulators.
Historically, its introduction in Release 5 coincided with the maturation of 3G security architecture and the formalization of systems like Lawful Interception. DAP provided the necessary technical mechanism to fulfill the 'authentication' requirement for Handover Interface communications, as demanded by law enforcement agencies worldwide. It addressed the limitation of having no standardized, algorithm-agnostic framework for such authentication, allowing for the integration of strong cryptographic algorithms like those in the MILENAGE suite defined for 3G/UMTS AKA.
Key Features
- Provides cryptographic data origin authentication
- Ensures integrity protection for selected message fields
- Uses shared secret keys established via network security procedures
- Employed in critical regulatory functions like Lawful Interception
- Defines a reusable pattern applicable across different 3GPP interfaces
- Algorithm-agnostic framework supporting specified cryptographic functions
Evolution Across Releases
Introduced the Data Authentication Pattern as a fundamental security mechanism. Initially specified for securing the Handover Interface (HI) in Lawful Interception architectures, ensuring authenticated and integrity-protected communication between the network operator's Mediation Function and the Law Enforcement Monitoring Facility. Established the core pattern of using a shared key and cryptographic function to generate an authentication tag for critical data fields.
Enhanced and refined DAP usage within the evolving Lawful Interception framework for EPS (Evolved Packet System). Specifications were updated to ensure DAP applicability within new LTE/SAE architectures, maintaining security for interception-related data flows in the new core network context.
Continued maintenance and potential clarifications of DAP specifications to align with broader 3GPP security enhancements. Ensured compatibility with updated cryptographic algorithms and key lengths as part of ongoing security robustness improvements across the standards.
DAP concepts and requirements were carried forward into the 5G System (5GS) era. While new 5G security mechanisms like the 5G AKA and service-based architecture security were introduced, DAP remained relevant for specific legacy-compatible interfaces and regulatory functions, such as certain Lawful Interception handover scenarios, ensuring backward security compatibility.
Specifications referencing DAP (e.g., for Lawful Interception) were updated for 5G Phase 2. This included ensuring DAP's role was clearly defined in the context of new 5G capabilities like network slicing, though the core cryptographic pattern itself remained stable.
Sustained the Data Authentication Pattern as a foundational, stable security component within 3GPP systems. Its specifications are upheld in relevant docs to support legacy interfaces, regulatory compliance, and any new use cases requiring a proven data origin authentication framework.
Defining Specifications
| Specification | Title |
|---|---|
| TS 22.101 | 3GPP TS 22.101 |
| TS 23.048 | 3GPP TS 23.048 |
| TS 32.808 | 3GPP TR 32.808 |