Description
The Triple DES Unwrap Plug-in (DU) is one of the cryptographic plug-ins specified for the USAT Interpreter in 3GPP TS 31.113 (USAT Interpreter byte codes). A plug-in is a function implemented on the UICC that interpreter byte code can invoke by its identifier; DU performs a key unwrap, that is, the decryption of a key that has been delivered to the card in wrapped (encrypted) form. The wrapping party encrypts the sensitive key with Triple DES under a key encryption key (KEK) so that it can cross an untrusted path such as the over-the-air channel; DU applies the matching 3DES decryption with a KEK already held on the card and makes the recovered key material available to the interpreter for later use, for example by its other Triple DES plug-ins. Note that the key-wrap algorithm in RFC 3394 is the AES Key Wrap and does not apply to 3DES; the IETF construction for Triple DES is the key wrap in RFC 3217, and the exact input and output format DU accepts is the one defined in TS 31.113, which this page does not reproduce.
Architecturally, DU is not a network node and not a core-network function: it is a functional component of the USAT Interpreter application on the UICC, running in the card's tamper-resistant environment rather than in an HSS or AuC. Its operation is triggered when the interpreter is asked to process a wrapped key addressed to the card. The KEK must already be shared between the wrapping party (the back-end that prepared the key) and the card; how it is provisioned is outside the plug-in itself. TS 31.113 fixes the cryptographic parameters: the 3DES block cipher with a 168-bit key (three 56-bit DES keys, each carried as 8 octets including parity bits), the mode of operation, and the layout of the wrapped input, so that cards from different vendors accept the same wrapped keys. Two caveats apply to any use of 3DES today: the effective strength of three-key 3DES is about 112 bits because of the meet-in-the-middle attack, and its 64-bit block size (Sweet32) together with NIST's decision to disallow 3DES for new encryption (SP 800-131A Rev. 2) make it a legacy algorithm to be tolerated for compatibility, not chosen for new designs.
DU's role is to give the interpreter a standardized primitive for receiving key material securely. Because the unwrap is a named plug-in with a fixed interface, a server can wrap a key once and have it accepted by any conformant interpreter, whichever vendor supplied the card. The keys recovered this way protect subsequent interpreter traffic and operations (encryption, decryption and signing by the companion Triple DES plug-ins), so the correctness of DU underpins the confidentiality and integrity services built on it. Its operation is transparent to the byte-code application, which invokes the plug-in and consumes its result without handling 3DES itself. Its interface and cryptographic behaviour are defined normatively in TS 31.113, which is the reference against which an implementation is checked.
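As an added illustration of what a Triple DES key unwrap with an integrity check looks like end to end, the following Go program (written for this page; it is not code from TS 31.113, from any 3GPP document or from any card vendor) implements the RFC 3217 Triple-DES key wrap and unwrap using only the Go standard library. RFC 3217 is used as a stand-in because this page does not give the wrapped-key layout DU uses; the KEK, wrapped key and IV values are constructed test values. Beyond a bare 3DES decrypt, it shows the three checks an unwrapper should fail closed on (blob length, key checksum, DES key parity), which is what stops a wrong KEK or a tampered blob from yielding usable key material.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/bits"
)

// Fixed IV for the outer CBC pass (RFC 3217 section 3.1, step 8).
var rfc3217IV = []byte{0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05}

// SetOddParity returns a copy of k with each octet's low bit chosen so the octet has odd parity (step 1).
func SetOddParity(k []byte) []byte {
	out := make([]byte, len(k))
	for i, b := range k {
		out[i] = b &^ 0x01
		if bits.OnesCount8(b>>1)%2 == 0 {
			out[i] = b | 0x01
		}
	}
	return out
}

// keyChecksum is the 8-octet ICV: the first 8 octets of SHA-1(CEK) (step 2).
func keyChecksum(cek []byte) []byte {
	sum := sha1.Sum(cek)
	return sum[:8]
}

// cbc runs one Triple DES CBC pass over whole 8-octet blocks.
func cbc(block cipher.Block, iv, in []byte, encrypt bool) []byte {
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out
}

// reverseOctets returns b in reverse octet order (section 3.1 step 7 / 3.2 step 3).
func reverseOctets(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[len(b)-1-i] = v
	}
	return out
}

// WrapKey wraps a 24-octet three-key Triple DES CEK under a 24-octet KEK (RFC 3217 section 3.1).
// iv must be 8 fresh random octets per wrap (crypto/rand in practice); a caller-supplied iv keeps tests repeatable.
func WrapKey(kek, cek, iv []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(cek) != 24 || len(iv) != 8 {
		return nil, errors.New("need a 24-octet three-key Triple DES CEK and an 8-octet IV")
	}
	cek = SetOddParity(cek)                                         // step 1
	cekicv := append(append([]byte{}, cek...), keyChecksum(cek)...) // steps 2-3: CEK || ICV
	temp1 := cbc(block, iv, cekicv, true)                           // step 5
	temp2 := append(append([]byte{}, iv...), temp1...)              // step 6: IV || TEMP1
	return cbc(block, rfc3217IV, reverseOctets(temp2), true), nil   // steps 7-8
}

// UnwrapKey reverses WrapKey (RFC 3217 section 3.2), failing closed on length, checksum or parity problems.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(wrapped) != 40 { // step 1
		return nil, errors.New("wrapped key must be 40 octets")
	}
	temp2 := reverseOctets(cbc(block, rfc3217IV, wrapped, false)) // steps 2-3
	iv, temp1 := temp2[:8], temp2[8:]                             // step 4
	cekicv := cbc(block, iv, temp1, false)                        // step 5
	cek, icv := cekicv[:24], cekicv[24:]                          // step 6
	if subtle.ConstantTimeCompare(icv, keyChecksum(cek)) != 1 {   // step 7
		return nil, errors.New("key checksum mismatch: wrong KEK or tampered blob")
	}
	if !bytes.Equal(cek, SetOddParity(cek)) { // step 8: every octet must already have odd parity
		return nil, errors.New("unwrapped key has bad DES parity")
	}
	return cek, nil
}

func main() {
	// Constructed sample values, not real keys; the IV would come from crypto/rand in practice.
	kek := []byte("0123456789abcdefFEDCBA98")
	w, _ := WrapKey(kek, []byte("session-key-for-tests-24"), []byte("12345678"))
	k, err := UnwrapKey(kek, w)
	fmt.Printf("wrapped=%x\nunwrapped=%q err=%v\n", w, k, err)
}
```

The design point worth carrying over to any unwrapper, DU included, is that a bare CBC decrypt would accept any 40 octets and hand back garbage as a key; the checksum and parity checks, compared in constant time, are what turn "decrypt" into "unwrap". On a card the KEK never leaves the secure element and the recovered key would go into the card's key store for the other plug-ins rather than back to the calling application as this stand-alone program returns it.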
Purpose & Motivation
DU was created to give the USAT Interpreter a standardized, secure way of receiving cryptographic keys from the server side. Interpreter applications need keys on the card to decrypt, encrypt and sign data exchanged with the back-end, and those keys have to reach the card over a channel, the mobile network's over-the-air path, that cannot be assumed confidential. Ad hoc or vendor-specific key transport would have fragmented interoperability and multiplied the chances of implementation mistakes in the most security-critical step. A plug-in built on the long-established Triple DES algorithm gave a precisely defined operation that every card vendor could implement identically.
Specifying the unwrap as a plug-in decouples the cryptographic work from the byte-code application logic. The application never handles the KEK or the 3DES internals; it names the plug-in and passes it the wrapped blob, and the card performs the decryption and checks inside its protected environment. Because each plug-in has a fixed identifier and interface, the model also leaves room for additional unwrap plug-ins based on newer algorithms such as AES, which is the natural migration path now that 3DES is deprecated; DU itself is defined only for Triple DES. The problem DU solved is the concrete one of delivering, to a card already in the field, the keys that protect subsequent interpreter traffic, a prerequisite for any confidentiality or integrity service the application offers.
Key Features
- Implements Triple DES (3DES) decryption for key unwrapping, with a 168-bit (three-key) KEK
- Accepts the wrapped-key format defined for the plug-in in 3GPP TS 31.113
- Integrated as a plug-in of the USAT Interpreter on the UICC, invoked from byte code by its identifier
- Enables interoperable key delivery: a key wrapped once is accepted by conformant cards from any vendor
- Behaviour is specified normatively so that implementations can be verified against it
- Relies on a Key Encryption Key (KEK) shared in advance between the wrapping party and the card through a secure provisioning step
Evolution Across Releases
Introduced as the Triple DES Unwrap Plug-in in the plug-in catalogue of the USAT Interpreter specification (TS 31.113). Its initial specification fixed the algorithm, the wrapped-key layout and the plug-in interface, establishing a standard component for delivering keys to cards in the field. It has remained a Triple DES operation, so with 3DES now deprecated it should be treated as a legacy mechanism kept for compatibility with deployed cards.
Defining Specifications
Of the documents listed, TS 31.113 is the one that specifies the plug-in; the others cover unrelated areas and do not define DU.
| Specification | Title |
|---|---|
| 3GPP TR 23.725 | Study on enhancement of Ultra-Reliable Low-Latency Communication (URLLC) support in the 5G Core network |
| 3GPP TS 25.415 | UTRAN Iu interface user plane protocols |
| 3GPP TS 31.113 | USAT Interpreter byte codes (the specification that defines DU) |
| 3GPP TS 33.501 | Security architecture and procedures for 5G System |
| 3GPP TS 38.201 | NR; Physical layer; General description |
| 3GPP TS 38.401 | NG-RAN; Architecture description |
| 3GPP TR 38.838 | Study on XR (Extended Reality) evaluations for NR |