UEA

UMTS Encryption Algorithm

Security
Introduced in Rel-4
UEA is a family of stream cipher algorithms used to encrypt user data and signaling messages on the radio interface in UMTS networks. The primary algorithm, UEA1 (based on KASUMI), was designed to provide stronger confidentiality than the A5 algorithms used in GSM.

Description

The UMTS Encryption Algorithm (UEA) refers to a set of standardized cryptographic algorithms used to provide confidentiality protection for user data and signaling messages transmitted over the Uu air interface between the User Equipment (UE) and the UMTS Terrestrial Radio Access Network (UTRAN). Encryption is a critical part of the 3GPP security architecture, preventing eavesdropping on radio communications. The UEA algorithms are stream ciphers, generating a keystream that is XORed with the plaintext data. The keystream generation is synchronized between the UE and the Radio Network Controller (RNC) using inputs including a Cipher Key (CK) derived during authentication and a time-variant COUNT-C parameter.

The most significant algorithm in the family is UEA1, also known as the f8 algorithm. UEA1 is based on the KASUMI block cipher, which itself is a modified version of the MISTY1 cipher. UEA1 operates in a specific output-feedback mode to generate the keystream. The algorithm takes several inputs: the 128-bit Cipher Key (CK), a 32-bit COUNT-C (a sequential counter), a 5-bit BEARER identity (to separate data streams), a 1-bit DIRECTION (uplink/downlink), and a variable-length LENGTH parameter (to limit keystream length). This combination ensures that the keystream is unique for each radio block, preventing replay attacks. A second algorithm, UEA2, was introduced later and is based on the SNOW 3G stream cipher, offering an alternative for enhanced security and performance.

The decision of which UEA algorithm to use for a connection is part of the security negotiation between the UE and the network during the Radio Resource Control (RRC) connection setup or security mode command procedure. The network indicates the selected algorithm from the set supported by both the UE and the network (as indicated in the UE's security capabilities). The encryption is applied in the Radio Link Control (RLC) layer for transparent and unacknowledged mode data, and in the Packet Data Convergence Protocol (PDCP) layer for acknowledged mode data and for LTE/5G where PDCP is used. The RNC is the network entity responsible for encryption and decryption in the downlink and uplink, respectively.

Purpose & Motivation

UEA was developed to address the well-documented cryptographic weaknesses in the A5/1 and A5/2 stream ciphers used in GSM. GSM encryption had several flaws, including short key lengths and algorithmic vulnerabilities that made them susceptible to cryptanalysis and practical attacks. The design of UMTS (3G) presented an opportunity to build a stronger, more robust security architecture from the ground up. The primary purpose of UEA1 was to provide a level of confidentiality that was deemed secure for the foreseeable future at the time of UMTS's launch, resisting known cryptanalytic techniques and brute-force attacks with its 128-bit key.

The development of UEA1 involved a more open and standardized process compared to the secret design of the GSM A5 algorithms. The KASUMI block cipher was developed by the SAGE (Security Algorithms Group of Experts) group within ETSI and was made publicly available for scrutiny, increasing confidence in its security. The introduction of UEA2 (SNOW 3G) in later releases served multiple purposes: it provided algorithm agility, allowing operators to switch algorithms if a weakness was discovered in UEA1; it offered potential performance benefits; and it aligned with the need for a new core algorithm for the upcoming LTE system, where SNOW 3G also formed the basis for the 128-EEA1 cipher. This evolution demonstrates the principle of not relying on a single cryptographic algorithm.

Key Features

  • Stream cipher algorithm for encrypting data on the UMTS Uu interface
  • UEA1 is based on the KASUMI block cipher in a specific output-feedback mode (f8)
  • UEA2 is based on the SNOW 3G stream cipher
  • Uses a 128-bit Cipher Key (CK) derived from the authentication and key agreement (AKA) procedure
  • Keystream is unique per radio block using inputs like COUNT-C, BEARER, and DIRECTION
  • Algorithm selection is negotiated via RRC Security Mode Command procedures

Evolution Across Releases

Rel-4 Initial

Introduced the foundational UEA1 (f8) algorithm based on KASUMI. This became the mandatory-to-support confidentiality algorithm for all UMTS UEs and networks, providing the primary encryption for user plane and RRC signaling plane data.

TS 23.060TS 25.413TS 33.102TS 33.401TS 33.501TS 33.859
Rel-8

Introduced UEA2, based on the SNOW 3G stream cipher, as an additional optional algorithm. This provided algorithm diversity and was also adopted as the basis for 128-EEA1 in LTE, facilitating a smoother transition and common cryptographic components across 3G and 4G.

TS 23.060TS 25.413TS 33.102TS 33.401TS 33.501TS 33.859

Defining Specifications

SpecificationTitle
TS 23.060 3GPP TS 23.060
TS 25.413 3GPP TS 25.413
TS 33.102 3GPP TR 33.102
TS 33.401 3GPP TR 33.401
TS 33.501 3GPP TR 33.501
TS 33.859 3GPP TR 33.859