UEA

UMTS Encryption Algorithm

Introduced in Rel-4. Also in: Radio Access Network.

UEA is a family of stream cipher algorithms, including the primary UEA1 based on KASUMI, used to encrypt user data and signaling on the UMTS radio interface for stronger confidentiality than GSM.

Category: Security
Introduced: Rel-4
Where: Security
Also touches: 1 segment
Specifications: 6 specs

Description

The UMTS Encryption Algorithm (UEA) refers to a set of standardized cryptographic algorithms used to provide confidentiality protection for user data and signaling messages transmitted over the Uu air interface between the User Equipment (UE) and the UMTS Terrestrial Radio Access Network (UTRAN). Encryption is a critical part of the 3GPP security architecture, preventing eavesdropping on radio communications. The UEA algorithms are stream ciphers, generating a keystream that is XORed with the plaintext data. The keystream generation is synchronized between the UE and the Radio Network Controller (RNC) using inputs including a Cipher Key (CK) derived during authentication and a time-variant COUNT-C parameter.

The most significant algorithm in the family is UEA1, also known as the f8 algorithm. UEA1 is based on the KASUMI block cipher, which itself is a modified version of the MISTY1 cipher. UEA1 operates in a specific output-feedback mode to generate the keystream. The algorithm takes several inputs: the 128-bit Cipher Key (CK), a 32-bit COUNT-C (a sequential counter), a 5-bit BEARER identity (to separate data streams), a 1-bit DIRECTION (uplink/downlink), and a variable-length LENGTH parameter (to limit keystream length). This combination ensures that the keystream is unique for each radio block, preventing replay attacks. A second algorithm, UEA2, was introduced later and is based on the SNOW 3G stream cipher, offering an alternative for enhanced security and performance.
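The f8 keystream construction described above, written out as an added example (not code from this page or from 3GPP): the 64-bit initialiser is built from COUNT-C, BEARER and DIRECTION, pre-whitened under CK xor the key modifier KM, and then chained in output-feedback with a block counter, with the result truncated to LENGTH bits. A keyed BLAKE2b stands in for KASUMI, which is an assumption of this example and not the real cipher, so the bytes produced are not UEA1 test-vector values; the mode structure, and the reason COUNT-C must never repeat under one CK, are what it demonstrates.

```python
import hashlib

# Key modifier KM from the f8 definition (TS 35.201); CK xor KM keys the pre-whitening step.
KM = 0x55555555555555555555555555555555

def block_prf(key: bytes, block: int) -> int:
    """Stand-in 64-bit keyed function used in place of KASUMI (assumption of this
    example, NOT the real cipher): keyed BLAKE2b truncated to 8 bytes."""
    d = hashlib.blake2b(block.to_bytes(8, "big"), key=key, digest_size=8).digest()
    return int.from_bytes(d, "big")

def f8_keystream(ck: bytes, count_c: int, bearer: int, direction: int, length: int) -> bytes:
    """Return LENGTH bits of keystream packed into bytes; unused tail bits are zero."""
    assert len(ck) == 16 and 0 <= count_c < 2**32 and 0 <= bearer < 32 and direction in (0, 1)
    # 64-bit initialiser A = COUNT-C (32) || BEARER (5) || DIRECTION (1) || 26 zero bits
    a = (count_c << 32) | (bearer << 27) | (direction << 26)
    # Pre-whitening: A = E[A] under the modified key CK xor KM
    ck_mod = (int.from_bytes(ck, "big") ^ KM).to_bytes(16, "big")
    a = block_prf(ck_mod, a)
    ksb, out = 0, bytearray()                       # KSB0 = 0
    for n in range(1, (length + 63) // 64 + 1):
        blkcnt = n - 1                              # block counter feeds each block
        ksb = block_prf(ck, a ^ blkcnt ^ ksb)       # output feedback of previous block
        out += ksb.to_bytes(8, "big")
    nbytes = (length + 7) // 8
    out = out[:nbytes]
    spare = nbytes * 8 - length                     # zero the bits past LENGTH
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)

def f8(ck: bytes, count_c: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): data xor keystream over len(data)*8 bits."""
    ks = f8_keystream(ck, count_c, bearer, direction, len(data) * 8)
    return bytes(x ^ y for x, y in zip(data, ks))

def keystream_reused(ck: bytes, params_a: tuple, params_b: tuple, length: int = 64) -> bool:
    """Defender check: True if two (COUNT-C, BEARER, DIRECTION) triples yield the same
    keystream under one CK, i.e. the per-block uniqueness the text relies on is broken."""
    return f8_keystream(ck, *params_a, length) == f8_keystream(ck, *params_b, length)

if __name__ == "__main__":
    ck = bytes(range(16))                           # constructed sample CK, not a test vector
    pt = b"constructed RRC payload"
    ct = f8(ck, 0x00001234, 3, 0, pt)
    assert f8(ck, 0x00001234, 3, 0, ct) == pt      # UE and RNC regenerate the same keystream
    print(ct.hex(), keystream_reused(ck, (1, 3, 0), (1, 3, 1)), keystream_reused(ck, (1, 3, 0), (1, 3, 0)))
```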

The decision of which UEA algorithm to use for a connection is part of the security negotiation between the UE and the network during the Radio Resource Control (RRC) connection setup or security mode command procedure. The network indicates the selected algorithm from the set supported by both the UE and the network (as indicated in the UE's security capabilities). The encryption is applied in the Radio Link Control (RLC) layer for transparent and unacknowledged mode data, and in the Packet Data Convergence Protocol (PDCP) layer for acknowledged mode data and for LTE/5G where PDCP is used. The RNC is the network entity responsible for encryption and decryption in the downlink and uplink, respectively.

Purpose & Motivation

UEA was developed to address the well-documented cryptographic weaknesses in the A5/1 and A5/2 stream ciphers used in GSM. GSM encryption had several flaws, including short key lengths and algorithmic vulnerabilities that made them susceptible to cryptanalysis and practical attacks. The design of UMTS (3G) presented an opportunity to build a stronger, more robust security architecture from the ground up. The primary purpose of UEA1 was to provide a level of confidentiality that was deemed secure for the foreseeable future at the time of UMTS's launch, resisting known cryptanalytic techniques and brute-force attacks with its 128-bit key.

The development of UEA1 involved a more open and standardized process compared to the secret design of the GSM A5 algorithms. The KASUMI block cipher was developed by the SAGE (Security Algorithms Group of Experts) group within ETSI and was made publicly available for scrutiny, increasing confidence in its security. The introduction of UEA2 (SNOW 3G) in later releases served multiple purposes: it provided algorithm agility, allowing operators to switch algorithms if a weakness was discovered in UEA1; it offered potential performance benefits; and it aligned with the need for a new core algorithm for the upcoming LTE system, where SNOW 3G also formed the basis for the 128-EEA1 cipher. This evolution demonstrates the principle of not relying on a single cryptographic algorithm.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (25 CRs across 4 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-4, normative work from Rel-15.

Rel-15 (16 changes)

In Release 15, the specifications for the UEA function were updated to handle security algorithms for use between a UE and a Secondary gNB (SgNB) in EN-DC scenarios. The changes involved aligning algorithm names and key derivation functions with 5G specifications, specifically referencing procedures now detailed in TS 33.501. Additionally, clarifications were made for algorithm selection during procedures like N2 handover and RRC Reestablishment.

  • Aligning the specification of the key derivation function for key to use in security algorithms between UE and SgNB in EDCE5 with the 5G specification (TS 33.401 CR0625)
  • Clarifying the security algorithms that are used between the UE and MeNB and the UE and SgNB (TS 33.401 CR0628)
  • Aligning the algorithm names between EDCE5 and 5G (TS 33.401 CR0641)
  • Handling the algorithms for use between a UE and SgNB for EN-DC (TS 33.401 CR0648)
  • Referencing algorithm and key derivation description for EN-DC that exist in TS 33.501 (TS 33.401 CR0659)
  • CR for Clause Security algorithm selection, key establishment and security mode command procedure (TS 33.501 CR0053)

Rel-17 (4 changes)

In Release 17, updates to the UEA function included confirming User Equipment (UE) supported algorithms during the Path Switch procedure. Additionally, work was done to resolve an encryption policy mismatch between Security Edge Protection Proxies (SEPPs) and to align the JSON format for an encryption Information Element with CT4.

  • Confirming UE supported algorithms in Path Switch procedure (TS 33.401 CR0700)
  • UP IP: mapping of EPS integrity algorithm to NR integrity algorithm (TS 33.401 CR0707)
  • Resolving editor's note on encryption policy mismatch between SEPPs (TS 33.501 CR1019)
  • Mirror: align the JSON format on encryption IE with CT4 in Rel17 (TS 33.501 CR1048)

Rel-18 (3 changes)

In Release 18, the updates to the UEA function involved clarifications and corrections rather than introducing new algorithms. The changes included providing clarification on data-type encryption policy and on the use of NULL encryption. Additionally, a correction was made regarding the procedure for the negotiation of security algorithms in EN-DC (E-UTRA-NR Dual Connectivity) scenarios.

  • Clarification on data-type encryption policy (TS 33.501 CR1634)
  • NULL encryption clarification (TS 33.501 CR1795)
  • Correction on negotiation of security algorithms for EN-DC (R18) (TS 33.401 CR0717)

Rel-19 (2 changes)

In Release 19, the enhancements for the UEA function focused on improving algorithm selection reliability and specification clarity. The changes ensured that the AMF (Access and Mobility Management Function) selects an encryption algorithm that is actually supported by the User Equipment. Furthermore, clarifications were made to the text describing the Access Stratum (AS) algorithm selection procedure.

  • Ensuring the AMF selects an algorithm supported by the UE (TS 33.501 CR2172)
  • Clarifications for the AS algorithm selection text (TS 33.501 CR2173)

Defining Specifications

3GPP specifications that define or reference UEA, with the latest known release. Sourced from the 3GPP document catalog.

Specification   Version   Title                                              Release
TS 23.060       vj00      GPRS Service Description Stage 2                   Rel-19
TS 25.413       vj00      Radio Access Network Application Part (RANAP)      Rel-19
TS 33.102       vj10      3G Security Architecture Specification             Rel-19
TS 33.401       vj10      EPS Security Architecture                          Rel-19
TS 33.501       vk00      5G Security Architecture and Procedures            Rel-20
TS 33.859       vb10      UTRAN Key Hierarchy Enhancement Study              Rel-11