MAC-M

Message Authentication Code for Mobile Application Part

Security
Introduced in Rel-8
A Message Authentication Code (MAC) used within the context of the Mobile Application Part (MAP) protocol, specifically for securing TCAP (Transaction Capabilities Application Part) user components. It provides authentication and integrity for certain legacy core network signaling transactions, particularly in pre-LTE networks like GSM and UMTS.

Description

MAC-M is a security mechanism defined within the 3GPP specifications for authenticating messages in the Mobile Application Part (MAP) protocol suite, which is used for signaling between core network elements in 2G (GSM) and 3G (UMTS) circuit-switched and packet-switched domains. Its primary application is in the context of the Transaction Capabilities Application Part (TCAP), which provides a framework for structured dialogues and transactions between network nodes. TCAP messages can carry various application contexts, and MAC-M is used to authenticate specific user components within these TCAP messages.

The technical operation involves the generation of a MAC over selected parts of a TCAP message component using a shared secret key established between the involved network entities, such as between a Visitor Location Register (VLR) and a Home Location Register (HLR). The algorithm for computing MAC-M is not a public, standardized cryptographic algorithm like AES but is typically a network operator-specific algorithm, often based on the COMP128 variants used in legacy authentication. 3GPP TS 33.204 details the protocol aspects and the fields to be included in the MAC calculation, but the cryptographic function itself is operator-defined.

Architecturally, MAC-M is applied at the application layer within the MAP protocol stack. When a network entity needs to send a sensitive MAP operation (e.g., related to subscriber data management or authentication information retrieval), it can invoke the MAP-SECURITY service. This service instructs the generation of MAC-M for the relevant TCAP component. The receiving entity then verifies the MAC-M using the same shared secret. Successful verification assures the receiver of the message's origin and that it hasn't been modified in transit.
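The sender/receiver flow just described, as an added illustration in Python (not code from 3GPP or from this page): the MAC is computed over a fixed set of component fields with a per-peer shared key, attached by the sender, and recomputed and compared by the receiver. HMAC-SHA-256, the chosen field set, the key value and the sample component are all assumptions standing in for the operator-defined function and the field list in TS 33.204.

```python
import hashlib
import hmac

# Constructed shared secret for one hypothetical VLR/HLR pair; a real deployment
# would provision a per-peer key through the operator's key management.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed sample standing in for a MAP_SEND_AUTHENTICATION_INFO invoke
# (op_code 56 is the MAP sendAuthenticationInfo operation code).
SAMPLE_COMPONENT = {"op_code": 56, "invoke_id": 1, "parameter": b"imsi=001010123456789"}

def protected_fields(component: dict) -> bytes:
    """Serialise the covered fields in a fixed order, length-prefixed so two
    different field values cannot concatenate to the same byte string.
    Which fields are covered is an assumption here; TS 33.204 defines the real set."""
    out = b""
    for name in ("op_code", "invoke_id", "parameter"):
        value = component[name]
        raw = value if isinstance(value, bytes) else str(value).encode()
        out += len(raw).to_bytes(2, "big") + raw
    return out

def compute_mac_m(component: dict, key: bytes = SHARED_KEY) -> bytes:
    """HMAC-SHA-256 truncated to 64 bits stands in for the operator-defined function."""
    return hmac.new(key, protected_fields(component), hashlib.sha256).digest()[:8]

def attach_mac_m(component: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: return a copy of the component carrying its MAC-M."""
    signed = dict(component)
    signed["mac_m"] = compute_mac_m(component, key)
    return signed

def verify_mac_m(component: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute over the covered fields and compare in constant time."""
    received = component.get("mac_m")
    if received is None:
        return False  # a missing MAC is a failure, never a pass
    body = {k: v for k, v in component.items() if k != "mac_m"}
    return hmac.compare_digest(received, compute_mac_m(body, key))

if __name__ == "__main__":
    signed = attach_mac_m(SAMPLE_COMPONENT)
    print("intact component verifies:", verify_mac_m(signed))
    forged = dict(signed, parameter=b"imsi=001010999999999")
    print("modified parameter verifies:", verify_mac_m(forged))
```

A component that arrives without a MAC, with any covered field changed, or computed under a different peer key fails verification; a receiver that treats a missing MAC as acceptable would lose the origin assurance the mechanism exists to provide.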

Its role is confined to securing signaling between network nodes (Network Domain Security) rather than user-to-network security. It helps prevent fraud and misrouting in inter-operator exchanges or between different network domains within an operator's network. However, with the migration towards all-IP core networks using Diameter-based protocols (e.g., S6a, S6d) in EPS and HTTP/2-based services (e.g., Nudm) in 5GS, the relevance of MAP and consequently MAC-M has diminished, being largely relegated to legacy system interworking and roaming scenarios with older network generations.

Purpose & Motivation

MAC-M was created to address the need for securing certain high-value or sensitive transactions within the MAP protocol, which was the backbone of core network signaling in GSM and UMTS. As mobile networks evolved to support roaming and inter-operator connections, the risk of fraudulent signaling messages became apparent. For example, an attacker could impersonate a VLR to obtain authentication vectors from an HLR or modify location update messages. MAC-M provided a mechanism for point-to-point authentication of specific MAP operations between trusted network entities.

The problem it solved was the lack of inherent security in the SS7-based MAP protocol stack, which was designed in an era of closed, trusted operator networks. As networks opened for global roaming, a method was needed to ensure that sensitive subscriber data and management commands exchanged between network nodes (e.g., between an MSC/VLR and an HLR) were authentic and untampered. MAC-M filled this gap for selected operations, adding a layer of security without requiring a full overhaul of the widely deployed MAP infrastructure.

Its motivation was largely driven by regulatory and fraud prevention requirements. It allowed operators to implement a security measure for critical functions like transferring authentication data (via MAP_SEND_AUTHENTICATION_INFO) or inserting subscriber data (MAP_INSERT_SUBSCRIBER_DATA). However, its implementation was often optional and operator-specific, leading to inconsistent deployment. The evolution towards IP-based core networks with built-in, mandatory security protocols like IPsec and TLS for Diameter, and the deprecation of MAP in favor of these newer protocols, has addressed the limitations of MAC-M by providing stronger, standardized, and end-to-end security for all signaling transactions.

Key Features

  • Used for authenticating TCAP user components within the MAP signaling protocol.
  • Provides point-to-point authentication between core network nodes like HLR, VLR, and MSC.
  • Typically employs operator-specific cryptographic algorithms, often based on COMP128.
  • Applied selectively to sensitive MAP operations via the MAP-SECURITY service.
  • Primarily serves Network Domain Security (NDS) for legacy circuit-switched and GPRS cores.
  • Detailed in 3GPP TS 33.204, focusing on protocol application rather than cryptographic algorithm definition.

Evolution Across Releases

Rel-8 Initial

Specified in the context of 3G security (TS 33.204), consolidating and carrying forward the MAP security mechanisms from earlier 3GPP releases for UMTS networks. It provided a standardized framework for applying MAC-M within MAP dialogues, supporting the continued operation and security of legacy GSM and UMTS core network interfaces as LTE/EPC was being introduced.

Defining Specifications

Specification   Title
TS 33.204       3GPP TR 33.204