DU

Triple DES Unwrap Plug-in

Introduced in Rel-8

DU is a cryptographic plug-in within 3GPP security architectures that unwraps keys encrypted using Triple DES, serving as a critical component for secure key management and distribution.

Category: Security
Introduced: Rel-8
Where: Radio Access Network › NG-RAN (5G)
Specifications: 7 specs

Description

The Triple DES Unwrap Plug-in (DU) is a software or hardware-based cryptographic module specified within various 3GPP technical specifications. Its primary function is to perform the unwrapping operation, which is the decryption of a wrapped (encrypted) key. The wrapping process typically uses the Triple DES algorithm in a specific mode, such as the Key Wrap algorithm defined in RFC 3394, to protect a sensitive key, like a session key or a root key, during transmission over potentially insecure channels. The DU plug-in contains the necessary logic and cryptographic primitives to receive the wrapped key, apply the correct 3DES decryption steps using a pre-shared or derived key encryption key (KEK), and output the plaintext key material for use by the receiving entity.

Architecturally, the DU is not a standalone network node but a functional component integrated into larger security entities. For example, it can be part of a Home Subscriber Server (HSS), an Authentication Centre (AuC), or a network element performing key management in the Generic Bootstrapping Architecture (GBA). Its operation is triggered when an entity receives a key wrapped for its protection. The plug-in uses the appropriate KEK, which is securely known to both the wrapping and unwrapping parties, to decrypt the ciphertext. The specification details the exact cryptographic parameters, including the use of the 3DES block cipher with a 168-bit key (comprising three 56-bit DES keys) and the specific padding or formatting schemes required for interoperability.

The role of the DU in the network is foundational for secure key establishment and distribution protocols. By providing a standardized method for unwrapping keys, it ensures that different vendors' equipment can securely exchange cryptographic material. This is essential for functions like authentication, ciphering, and integrity protection across the radio interface and within the core network. The plug-in's operation is often transparent to higher-layer protocols, which simply request a key unwrap service. Its correct implementation is validated through conformance testing specified in documents like 31.113, ensuring robust security across the ecosystem.

Purpose & Motivation

The DU was created to address the need for a standardized, secure method of transporting cryptographic keys between network functions in 3GPP systems. In early releases like Rel-8, as networks evolved to support more sophisticated services like IMS and mobile broadband, the secure distribution of session keys from authentication servers to serving nodes became paramount. Previous ad-hoc or vendor-specific key transport methods posed interoperability risks and potential security vulnerabilities. The DU plug-in, based on the established Triple DES algorithm, provided a well-defined cryptographic operation that could be reliably implemented across the industry.

The motivation for specifying such a plug-in was to decouple the complex cryptographic operations from the core logic of network entities. By defining a precise unwrap function, 3GPP ensured that the security-critical task of key decryption was performed correctly and consistently, regardless of the vendor implementing the HSS or other security module. This approach also facilitated the evolution of cryptographic algorithms; while the DU specifically handles 3DES, the plug-in model allows for the definition of additional unwrap plug-ins for newer algorithms (like AES) in later releases, supporting a graceful migration path. The DU solved the problem of how to securely deliver keys that protect user traffic and signaling, which is a fundamental requirement for any cellular network's confidentiality and integrity services.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (10 CRs across 4 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-8, normative work from Rel-15.

Rel-15 (4 changes)

In Release 15, the specification introduced procedures for handling DL User Data to the DU and defined the handling of optional IEs in CU to DU RRC information. It also specified new mobility procedures, including Inter-gNB-DU mobility using the MCG SRB, and provided corrections for intra-gNB-DU handover. These changes enhanced the functional split and interaction between the Central Unit and Distributed Unit within the gNB architecture.

  • CR to 38.401 on DL User Data to DU (TS 38.401 CR0014)
  • Procedure description on optional IEs in CU to DU RRC information IE (TS 38.401 CR0068)
  • Inter-gNB-DU mobility using MCG SRB procedure (TS 38.401 CR0104)
  • Correction on intra-gNB-DU handover (TS 38.401 CR0007)

Rel-16 (3 changes)

In Release 16, the specification introduced new steps for querying the source DU's latest configuration during inter-gNB-DU mobility procedures for intra-NR. This release also provided corrections to the procedural descriptions for both intra-gNB-DU handover and for the gNB-DU transmission stop during an inter-gNB handover involving a gNB-CU-UP change.

  • Correction for gNB-DU transmission stop description in the inter-gNB HO involving gNB-CU-UP change (TS 38.401 CR0122)
  • Adding missing steps querying the source DU's latest configuration during the inter-gNB-DU mobility for intra-NR (TS 38.401 CR0135)
  • Correction for intra-gNB-DU handover description (TS 38.401 CR0148)

Rel-17 (1 change)

In Release 17, a correction was made regarding the gNB-DU ID. This update ensured the proper identification and addressing of the Distributed Unit within the gNB architecture, which consists of multiple DUs attached to a central unit.

Rel-18 (2 changes)

In Release 18, the updates for the DU function focused on correcting specific notification and procedure messages. These included fixes for the Cell Switch notification message between the DU and CU, and corrections to the LTM (Load and Traffic Management) procedures for scenarios involving an Inter-DU case and a CU-UP change.

  • Corrections for DU-CU/CU-DU Cell Switch notification message (TS 38.401 CR0390)
  • Correction on LTM procedures for Inter-DU case and CU-UP change (TS 38.401 CR0423)

Defining Specifications

3GPP specifications that define or reference DU, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Title | Release
TS 23.725 vg20 | Study on URLLC Architecture Enhancements | Rel-16
TS 25.415 vj00 | Iu Interface User Plane Protocol | Rel-19
TS 31.113 v1800 | USAT Interpreter Byte Code Specification | Rel-8
TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20
TS 38.201 vj00 | NR Physical Layer General Description | Rel-19
TS 38.401 vj10 | NG-RAN Architecture Specification | Rel-19
TR 38.838 vh00 | Study on XR Evaluations for NR | Rel-17