Description
The GPRS Encryption Algorithm (GEA) is a set of stream cipher algorithms standardized by 3GPP to provide confidentiality for data transmitted over the Gb interface between the Mobile Station (MS) and the Serving GPRS Support Node (SGSN) in GSM/GPRS/EDGE networks. It operates within the GPRS protocol stack, specifically at the Logical Link Control (LLC) layer. Encryption and decryption use two inputs: a ciphering key (Kc), which is derived during the authentication and key agreement procedure, and the LLC frame number, which ensures synchronization and prevents replay attacks. The algorithm generates a keystream that is XORed with the plaintext to produce ciphertext; decryption XORs the same keystream with the ciphertext to recover the plaintext.
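The keystream-XOR scheme described above, as an added example that is not part of the original page or of any 3GPP specification; it shows why the per-frame input must never repeat under one Kc. The keystream generator is a SHAKE-256 stand-in rather than a real GEA variant, and the `direction` bit, the class and function names, the key and the payloads are all constructed for illustration.

```python
import hashlib

def keystream(kc: bytes, frame_no: int, direction: int, length: int) -> bytes:
    # Stand-in generator (SHAKE-256), NOT GEA1-4: it only models the interface
    # "key + per-frame input -> keystream" described in the text.
    seed = kc + frame_no.to_bytes(4, "big") + bytes([direction & 1])
    return hashlib.shake_256(seed).digest(length)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class LlcCipher:
    """XOR-encrypts frame payloads and refuses a repeated (frame_no, direction)
    pair under one Kc (hypothetical guard, added for illustration)."""

    def __init__(self, kc: bytes):
        self.kc = kc
        self._used = set()

    def encrypt(self, frame_no: int, direction: int, plaintext: bytes) -> bytes:
        if (frame_no, direction) in self._used:
            raise ValueError(f"keystream reuse: frame {frame_no}, direction {direction}")
        self._used.add((frame_no, direction))
        return xor(plaintext, keystream(self.kc, frame_no, direction, len(plaintext)))

    def decrypt(self, frame_no: int, direction: int, ciphertext: bytes) -> bytes:
        # Decryption is the same XOR with the same keystream.
        return xor(ciphertext, keystream(self.kc, frame_no, direction, len(ciphertext)))

def leaks_plaintext_xor(kc: bytes, frame_a: int, frame_b: int, p1: bytes, p2: bytes) -> bool:
    """True if XORing the two ciphertexts cancels the keystream and yields p1 XOR p2."""
    c1 = xor(p1, keystream(kc, frame_a, 0, len(p1)))
    c2 = xor(p2, keystream(kc, frame_b, 0, len(p2)))
    return xor(c1, c2) == xor(p1, p2)

# Constructed sample values: a 64-bit key and two equal-length payloads.
KC = bytes.fromhex("0011223344556677")
P1 = b"GET /index.html "
P2 = b"POST /login.php "

if __name__ == "__main__":
    ms, sgsn = LlcCipher(KC), LlcCipher(KC)
    ct = ms.encrypt(7, 0, P1)
    print("round trip ok:", sgsn.decrypt(7, 0, ct) == P1)
    print("same frame number leaks P1^P2:", leaks_plaintext_xor(KC, 7, 7, P1, P2))
    print("distinct frame numbers leak:  ", leaks_plaintext_xor(KC, 7, 8, P1, P2))
```
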
Several versions of GEA exist, primarily GEA1, GEA2, GEA3, and GEA4, each with different cryptographic designs and strengths. GEA1 and GEA2 were developed in the 1990s and are based on proprietary designs, with GEA1 later found to have significant cryptographic weaknesses. GEA3 and GEA4, introduced later, are based on the more robust and internationally scrutinized Kasumi algorithm (used in 3G) and the SNOW 3G algorithm (used in 4G), respectively, offering much stronger security. The specific algorithm used in a session is negotiated between the MS and the network based on mutual capabilities.
The encryption process is initiated by the network sending a 'Ciphering Mode Command' to the mobile station. Upon receiving this command, both entities start applying the agreed GEA variant to all subsequent LLC frames. The algorithm's role is confined to the radio access part of the connection; data is decrypted at the SGSN before being routed through the core network. This architecture means GEA secures the most vulnerable wireless link but does not provide end-to-end encryption. Its operation is a fundamental part of the GPRS security architecture, working in conjunction with the GPRS Authentication and Key Agreement (GPRS-AKA) mechanism to provide a complete security context for packet data services.
Purpose & Motivation
GEA was created to address the critical need for confidentiality in the newly introduced packet-switched data services of GSM networks, known as GPRS. Prior to GPRS, GSM's circuit-switched voice services used the A5 series of algorithms for encryption over the radio interface. However, the different protocol architecture and continuous data flow of packet services required a new encryption mechanism integrated at the LLC layer. The primary problem GEA solves is preventing unauthorized interception and decoding of user data (like internet traffic) and sensitive signaling messages as they traverse the radio link.
Historically, the initial algorithms, GEA1 and GEA2, were designed with export restrictions and computational limitations of the 1990s in mind. This led to GEA1 being intentionally weak, a fact that became a significant security concern in later years. The development of GEA3 and GEA4 was motivated by the need to replace these weak algorithms with stronger, more transparent cryptographic designs aligned with 3G and 4G security standards. They address the limitations of the earlier versions by leveraging well-established, publicly evaluated algorithms (Kasumi and SNOW 3G), thereby restoring robust confidentiality for legacy GPRS/EDGE networks as they coexisted with and evolved towards UMTS and LTE.
Key Features
- Stream cipher design for efficient encryption of continuous data streams
- Operates at the Logical Link Control (LLC) layer of the GPRS protocol stack
- Uses a cipher key (Kc) derived from the subscriber's authentication process
- Synchronized via the LLC frame number to prevent keystream reuse
- Supports multiple algorithm variants (GEA1, GEA2, GEA3, GEA4) for backward compatibility and enhanced security
- Encryption is applied between the Mobile Station (MS) and the Serving GPRS Support Node (SGSN)
Evolution Across Releases
Introduced the GPRS Encryption Algorithm framework within TS 23.060. The initial architecture defined the use of stream ciphers for LLC layer encryption, utilizing the cipher key Kc. It established the fundamental signaling procedures, such as the Ciphering Mode Command, to activate encryption for GPRS packet data traffic.
Defining Specifications
| Specification | Title |
|---|---|
| TS 23.060 | 3GPP TS 23.060 |