KC

Ciphering Key

Security →
Introduced in Rel-8

KC is the 64-bit ciphering key derived from subscriber authentication and used with the A5 algorithm to encrypt data and signaling over the radio interface in GSM and early 3GPP systems.

Category
Security
Introduced
Rel-8
Where
User Equipment › SIM/USIM
Specifications
2 specs
KC Description Purpose Related Classification Detected Changes Specifications

Description

The Ciphering Key (KC) is a fundamental security element defined in 3GPP specifications, particularly in TS 31.102 (USIM application) and TS 31.113 (UICC security). It is a 64-bit symmetric key utilized exclusively by the A5 family of stream cipher algorithms (e.g., A5/1, A5/2, A5/3) to provide over-the-air encryption for the radio link between the Mobile Station (MS) and the Base Transceiver Station (BTS) in GSM and its evolutionary paths. Architecturally, KC resides within the security architecture of the Subscriber Identity Module (SIM) or Universal Subscriber Identity Module (USIM) on the UICC, and within the network's Authentication Centre (AuC) in the Home Location Register (HLR). It is never transmitted over the air; instead, it is generated independently by both the mobile device and the network using shared secret information.

The operational lifecycle of KC begins with subscriber authentication. When a mobile device attaches to the network, the AuC generates a random challenge (RAND) and, using the shared secret key Ki (unique to the subscriber's IMSI) and the A3 authentication algorithm, computes both a signed response (SRES) for verification and the ciphering key KC using the A8 key derivation algorithm. The RAND is sent to the mobile. The SIM/USIM, possessing the same Ki, performs identical computations to generate its own SRES (sent back for authentication) and the identical KC. Upon successful authentication, the network instructs the MS to commence ciphering using a specific A5 algorithm variant, and both parties use the locally stored KC to initialize the A5 cipher's keystream generator.

During a call or data session, the A5 algorithm uses KC as a seed to generate a pseudo-random keystream. This keystream is then XORed with the plaintext data (voice frames or signaling messages) to produce ciphertext for transmission over the Um radio interface. The process is symmetric: the receiver uses the same KC and algorithm to regenerate the identical keystream and decrypt the data. KC is typically refreshed for each new session or can be changed during a call via a ciphering mode update procedure to enhance security. Its role is confined to the radio access link; core network transport uses separate security mechanisms like IPsec. The management and storage of KC within the UICC are governed by strict security protocols to prevent extraction, forming a critical part of the system's trust anchor.

Purpose & Motivation

KC was created to solve the critical problem of eavesdropping on analog cellular radio communications, which were inherently insecure. Before digital encryption in GSM, anyone with a radio scanner could listen to calls. The introduction of KC and the A5 ciphers in the GSM standard was a landmark step in providing mandatory, baseline confidentiality for millions of cellular users. It addressed the growing privacy concerns as mobile telephony became widespread and the radio spectrum a shared, public medium.

The motivation stemmed from the need for a lightweight, efficient encryption mechanism that could operate within the severe computational and latency constraints of late-1980s mobile hardware. The design chose a 64-bit key length as a compromise between security strength and implementation feasibility. The system's elegance lies in its derivation from the existing authentication framework (using Ki and A3/A8), avoiding the need to transmit the key itself. This "generate-on-both-sides" model significantly reduced the key exposure risk compared to systems that might distribute session keys in the clear.

However, the historical context also includes its limitations. The initial A5/1 and A5/2 algorithms, and the 64-bit key length, were later found to be cryptographically weak against sophisticated attacks, reflecting the export control regulations and computational assumptions of its time. The evolution to 3G (UMTS) addressed these weaknesses by introducing a stronger, 128-bit Ciphering Key (CK) and new algorithms (e.g., KASUMI), but KC remained essential for backward compatibility in GSM and for roaming scenarios. Its specification in USIM documents (TS 31.102) ensures that modern UICCs can still support legacy GSM security when needed, highlighting its role in the long-term evolution and interoperability of cellular security.

Classification

Part ofAUC
Specific typesA5/1
Related approachesUSIM

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the „Change history“ tables of 3GPP specifications (27 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-8, normative work from Rel-15.

Rel-15 6 changes

In Release 15, updates to USIM management procedures for 5GS were introduced, which included ensuring that the SOR counter and UE parameter update counter are stored on the USIM in association with the K~AUSF~. This was facilitated by declaring Service n°133 as available in the EF UST whenever Service n°123 is available.

  • USIM Service Table update for PDU session call control support TS 31.102CR0786
  • Allow configuration of MCS (Access Identity 2) via USIM. TS 31.102CR0794
  • Mission Critical Services configuration data update to USIM TS 31.102CR0808
  • Enhance USIM OPL configuration to support 3 bytes TAC when in NG-RAN. TS 31.102CR0818
  • Updates to USIM management procedures for 5GS TS 31.102CR0806
  • Clarification about presence of EFIMSConfigData in ISIM and USIM TS 31.102CR0833
Rel-16 9 changes

In Release 16, the primary new feature for the "KC" (Ciphering Key) function was the specification of storage for a potentially separate KSEAF for non-3GPP access on the USIM. This enhancement, detailed in the Change Request, explicitly supports the storage of security anchor keys for trusted non-3GPP networks, as indicated by the related title for configuring a list of such networks. This allows the USIM to manage ciphering keys for a broader set of access technologies beyond traditional 3GPP networks.

  • Support for USIM configuration of RLOS PLMN list TS 31.102CR0847
  • URSP storage in USIM TS 31.102CR0861
  • Specify storage for a potentially separate KSEAF for non-3gpp access on the USIM TS 31.102CR0864
  • USIM configuration of RLOS allowed MCC list TS 31.102CR0881
  • Support for Trusted non-3GPP access networks list by USIM TS 31.102CR0891
  • Dedicated AID for USIM Applications with non-IMSI based SUPI Types TS 31.102CR0897

+ 3 more changes

Rel-17 8 changes

In Release 17, the primary update to the KC (Ciphering Key) function itself was not a change to the key storage files like EF Keys or EF KeysPS. Instead, the release introduced new USIM capabilities that work in conjunction with stored keys, such as adding a file for SOR-CMCI parameters without rule storage and support for 'No E-UTRA Disabling In 5GS' in the USIM. These enhancements expanded the USIM's role in managing security and network selection parameters that rely on the underlying ciphering and integrity keys.

  • Introduce a USIM file to store pre-configured CAG information list TS 31.102CR0904
  • SOR-CMCI storage in USIM TS 31.102CR0917
  • Addition of USIM files for the indication of whether disaster roaming is enabled in the UE, disaster roaming wait range, disaster return wait range and applicability indicator for disaster roaming PLMNs list provided by VPLMN. TS 31.102CR0938
  • Adding eDRX parameters in the USIM for NG-RAN TS 31.102CR0943
  • 5G NSWO (Non-Seamless WLAN Offload) configuration support in the USIM compromised proposal. TS 31.102CR0946
  • Support of 'No E-UTRA Disabling In 5GS' in USIM TS 31.102CR0947

+ 2 more changes

Rel-18 3 changes

In Release 18, the primary enhancement related to the Ciphering Key (KC) function was not a direct change to the key itself but a mandatory linkage in the USIM Service Table to ensure extended security parameters are stored. Specifically, when Service n°123 (which enables storage of the K_AUSF key) is available, Service n°133 must also be declared available to ensure associated security counters are stored on the USIM alongside the K_AUSF. This change supports the extended storage of 5G security parameters on the USIM.

  • 5G Security Parameters extended storage on USIM (Mandating Service n°133 to be enabled when Service n°123 is enabled) Rel18. TS 31.102CR1014
  • Add EF of Access Control to GBA_U_APIs to the USIM TS 31.102CR1007
  • Add EF of IMS Data Channel configuration to the USIM TS 31.102CR1006
Rel-19 1 change

In Release 19, a change was introduced to ensure backward compatibility for USIMs that lack extended security parameter storage, specifically within the EF_5GAuthKeys file. This update addresses the handling of the ciphering key (CK) and related security parameters when a legacy USIM without this enhanced storage capability is used in the network. The modification ensures secure interoperability by defining how the ME should manage keying material in such scenarios.

  • Backward compatibility handling of USIM without extended security parameter storage in EF_5GAuthKeys - Rel19 TS 31.102CR1074

Explore further

Broader topics and technologies where KC plays a role.

Topics
OAM (Operations & Maintenance)Authentication (5G-AKA, EAP)IMS & Voice (VoLTE, VoNR)Encryption & IntegritySpectrum & CoexistenceRoaming & Interconnect

Defining Specifications

3GPP specifications that define or reference KC, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

SpecificationTitleRelease
TS 31.102 vj40 USIM Application Specification Rel-19
TS 31.113 v1800 USAT Interpreter Byte Code Specification Rel-8