RAND

RANDom number (authentication parameter)

Security
Introduced in Rel-2
RAND is a critical random number used as a challenge in 3GPP authentication and key agreement (AKA) procedures. It is generated by the network and sent to the UE to compute authentication responses and derive session keys, ensuring secure access.

Description

RAND, short for RANDom number, is a fundamental 128-bit parameter within the 3GPP security architecture, specifically for the Authentication and Key Agreement (AKA) mechanism. It is a cryptographically strong random or pseudo-random number generated by the network's authentication center, typically residing in the Home Subscriber Server (HSS) for LTE/5G or the Home Location Register/Authentication Centre (HLR/AuC) for 2G/3G. The primary role of the RAND is to serve as a random challenge in a challenge-response protocol. During an authentication procedure, the network sends the RAND to the User Equipment (UE) via the serving network (e.g., MME, SGSN).

Upon receipt, the UE passes the RAND to its Universal Subscriber Identity Module (USIM) application. The USIM, which shares a long-term secret key (K) with the HSS/AuC, uses this RAND along with the key K and other parameters as inputs to a set of cryptographic functions. These functions, standardized in 3GPP (like the MILENAGE algorithm suite), produce two crucial outputs: a Signed Response (SRES for 2G, RES for 3G/4G/5G) and a Cipher Key (CK) and Integrity Key (IK). The UE sends the computed RES back to the network. The network, having generated the same RAND and possessing the same secret key K, performs the identical computation. It then compares the RES received from the UE with the one it computed locally. A match proves that the UE possesses the correct secret key and is therefore authentic.

Beyond authentication, the RAND is equally vital for key derivation. The same computation that produces the RES also generates the ciphering key (CK) and integrity key (IK). These keys form the basis for all subsequent secure communication between the UE and the network for that session. They are used to derive the actual encryption and integrity protection keys for the Access Stratum (AS) and Non-Access Stratum (NAS). Thus, the randomness and unpredictability of the RAND are paramount. A weak or predictable RAND could compromise the entire authentication process, allowing for replay attacks or making it easier for an attacker to deduce the long-term secret key. The RAND ensures that each authentication instance is unique, providing freshness and preventing the reuse of previously exchanged authentication vectors.

Purpose & Motivation

The RAND exists to provide a robust challenge in a challenge-response authentication mechanism, which is central to securing cellular networks. Before standardized authentication protocols, simpler systems were vulnerable to replay attacks where an attacker could intercept and re-send a valid user response to gain access. The use of a random challenge for each authentication attempt directly addresses this vulnerability. By ensuring the challenge is different every time, a previously recorded response becomes useless to an attacker.

In the evolution from GSM to UMTS and beyond, the role of the RAND expanded. In GSM, the RAND was used with the COMP128 algorithm to generate the SRES and the Kc key. However, GSM authentication was one-way (network authenticates the UE) and had cryptographic weaknesses. The introduction of UMTS AKA, starting in Release 99, retained the RAND but integrated it into a more secure, mutual authentication framework. The RAND, combined with a sequence number (SQN) for freshness, became the input to stronger algorithms, producing separate keys for encryption and integrity. This solved the limitations of GSM's weaker cryptography and lack of integrity protection.

The motivation for its creation and continued use is the fundamental need for a non-repeating, unpredictable variable to seed the cryptographic functions that secure the network. It is the element that introduces entropy and session-specific variability into the key generation process. Without a fresh RAND for each authentication, the derived session keys could be predictable, leading to a catastrophic failure of confidentiality and integrity for user data and signaling. Its standardization ensures interoperability between equipment from different vendors and networks worldwide.

Key Features

  • A 128-bit cryptographically random number used as a network challenge
  • Primary input to the authentication and key generation functions (e.g., MILENAGE)
  • Ensures freshness and prevents replay attacks in the AKA procedure
  • Generated by the HSS/AuC and distributed to the serving network in an authentication vector
  • Used by the USIM to compute the authentication response (RES) and session keys (CK, IK)
  • Fundamental to the security of 3G, 4G LTE, and 5G network access

Evolution Across Releases

Rel-2 Initial

Introduced as part of the GSM security architecture. The RAND was generated by the AuC and used with the COMP128 algorithm to produce the Signed Response (SRES) and the ciphering key (Kc) for GSM encryption, establishing the challenge-response framework for cellular authentication.

TS 21.905TS 24.109TS 24.229TS 29.109TS 31.102TS 31.103TS 31.900TS 33.102TS 33.105TS 33.401TS 35.205TS 35.934

Defining Specifications

SpecificationTitle
TS 21.905 3GPP TS 21.905
TS 24.109 3GPP TS 24.109
TS 24.229 3GPP TS 24.229
TS 29.109 3GPP TS 29.109
TS 31.102 3GPP TR 31.102
TS 31.103 3GPP TR 31.103
TS 31.900 3GPP TR 31.900
TS 33.102 3GPP TR 33.102
TS 33.105 3GPP TR 33.105
TS 33.401 3GPP TR 33.401
TS 35.205 3GPP TR 35.205
TS 35.934 3GPP TR 35.934