EEA

EPS Encryption Algorithm

Security
Introduced in Rel-8
A set of standardized cryptographic algorithms used to encrypt user data and signaling messages on the LTE Evolved Packet System (EPS) interfaces. It ensures confidentiality and integrity of communications between the UE and the network. EEA forms a core part of the LTE/EPC security architecture.

Description

The EPS Encryption Algorithm (EEA) is a suite of cryptographic algorithms specified by 3GPP to provide confidentiality protection for user plane data and control plane signaling within the Evolved Packet System (EPS). It operates in conjunction with the EPS Integrity Algorithm (EIA) to form the complete set of cryptographic primitives for the LTE security framework known as NAS (Non-Access Stratum) and AS (Access Stratum) security. The algorithms are implemented in the User Equipment (UE) and the network's security entities—specifically the eNodeB for AS security and the MME (Mobility Management Entity) for NAS security.

EEA operates on keys produced by the LTE authentication and key agreement (AKA) process. Upon successful mutual authentication between the UE and the network, a root key (K_ASME) is established. From this root key, a ciphering key (K_eNB) is derived, which is further used to generate the specific encryption keys (e.g., K_UPenc, K_RRCenc) for different channels. The EEA algorithm then uses these dynamically generated keys to encrypt the data. Encryption is applied using a stream cipher, or a block cipher in a specific mode of operation, transforming plaintext into ciphertext to prevent eavesdropping on the radio interface and within the core network.

The primary EEA algorithms are EEA0 (null cipher), 128-EEA1 (based on SNOW 3G), 128-EEA2 (based on AES-CTR), and 128-EEA3 (based on ZUC). EEA0 provides no encryption and is used only in specific, predefined circumstances. The selection of which algorithm to use is negotiated during the Security Mode Command procedure between the network and the UE, based on their mutually supported capabilities. The encryption is applied per bearer and per direction (uplink/downlink), ensuring granular security. The EEA suite's role is critical in protecting against threats on the air interface, making it a fundamental component of the LTE security architecture detailed in TS 33.401.
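The key derivation and the per-bearer, per-direction ciphering input described in the two paragraphs above can be sketched as follows. This is an added example, not code from 3GPP or from the original page; it follows the KDF layout of TS 33.401 Annex A.7 and the 128-EEA2 counter block layout of Annex B, and the key, COUNT and BEARER values are constructed.

```python
import hashlib
import hmac

FC_ALG_KEY = 0x15  # FC value for algorithm key derivation (TS 33.401 Annex A.7)
# Algorithm type distinguishers (P0) for the three ciphering keys.
ALG_TYPE = {"NAS-enc": 0x01, "RRC-enc": 0x03, "UP-enc": 0x05}
# Algorithm identities (P1), carried in the low four bits of one octet.
EEA_ID = {"EEA0": 0, "128-EEA1": 1, "128-EEA2": 2, "128-EEA3": 3}


def derive_alg_key(parent_key: bytes, alg_type: str, alg_name: str) -> bytes:
    """HMAC-SHA-256(parent, FC || P0 || L0 || P1 || L1), keeping the low 128 bits."""
    if len(parent_key) != 32:
        raise ValueError("parent key (K_ASME or K_eNB) must be 256 bits")
    s = bytes([FC_ALG_KEY,
               ALG_TYPE[alg_type], 0x00, 0x01,   # P0 and its two-octet length
               EEA_ID[alg_name], 0x00, 0x01])    # P1 and its two-octet length
    return hmac.new(parent_key, s, hashlib.sha256).digest()[16:]


def eea2_counter_block(count: int, bearer: int, direction: int) -> bytes:
    """First AES-CTR block: COUNT(32) || BEARER(5) || DIRECTION(1) || 0^26 || 0^64."""
    if not (0 <= count < 2**32 and 0 <= bearer < 32 and direction in (0, 1)):
        raise ValueError("COUNT is 32 bits, BEARER 5 bits, DIRECTION 1 bit")
    high = (count << 32) | (bearer << 27) | (direction << 26)
    return high.to_bytes(8, "big") + bytes(8)


# Constructed sample parent key, not taken from any real session.
K_ENB = bytes(range(32))
K_UPENC = derive_alg_key(K_ENB, "UP-enc", "128-EEA2")
K_RRCENC = derive_alg_key(K_ENB, "RRC-enc", "128-EEA2")

if __name__ == "__main__":
    print("K_UPenc :", K_UPENC.hex())
    print("K_RRCenc:", K_RRCENC.hex())
    # Same COUNT and bearer, different direction: the counter blocks differ,
    # so uplink and downlink never share keystream under one key.
    for direction in (0, 1):  # 0 = uplink, 1 = downlink
        print(direction, eea2_counter_block(0x398A59B4, 0x15, direction).hex())
```

Because the algorithm identity is an input to the KDF, renegotiating from one EEA algorithm to another yields a different key even when the parent key is unchanged.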

Purpose & Motivation

The EPS Encryption Algorithm suite was created to address the security requirements of the new all-IP LTE architecture, which introduced different threat models compared to previous 3G circuit-switched networks. Prior security mechanisms from 2G/3G, while robust for their time, used older cryptographic algorithms and had architectural limitations. The move to a flatter, IP-based EPS required a new, stronger, and more flexible set of algorithms to ensure user data confidentiality and protect against sophisticated attacks on the radio access network.

The motivation for developing multiple algorithms (SNOW 3G, AES, ZUC) was to provide cryptographic agility and align with global regulatory requirements. Different regions have preferences or mandates for specific cryptographic standards (e.g., AES is a NIST standard, while ZUC is a Chinese standard). By standardizing a suite, 3GPP ensured global interoperability while allowing operators and regulators to choose algorithms that comply with local policies. This approach solved the problem of a single point of failure; if a vulnerability is discovered in one algorithm, networks can migrate to another without a complete overhaul of the security architecture. EEA, as part of the LTE security framework, was designed from the ground up to provide robust, algorithm-agile confidentiality protection suitable for high-speed mobile broadband services.

Key Features

  • Suite of algorithms including EEA1 (SNOW 3G), EEA2 (AES-CTR), and EEA3 (ZUC)
  • Provides confidentiality for user plane data and RRC/NAS signaling messages
  • Keys derived dynamically from the LTE AKA process for each session
  • Algorithm negotiation via Security Mode Command procedure
  • Supports cryptographic agility for regional and regulatory compliance
  • Applied per radio bearer and per transmission direction

Evolution Across Releases

Rel-8 Initial

Introduced the foundational EPS security architecture with the first set of EPS Encryption Algorithms. Defined 128-EEA1 (based on UEA2/SNOW 3G from 3G) and 128-EEA2 (based on AES) as the primary confidentiality algorithms for LTE, alongside the null algorithm EEA0. Established the key hierarchy and procedures for ciphering in the AS and NAS.

Defining Specifications

Specification    Title
TS 33.401        3GPP TR 33.401