This application implements the TUAK algorithm defined in
3GPP 35.231, the new algorithm proposed to replace Milenage as the AKA
algorithm.
Its inputs and outputs differ from those of Milenage in a few
ways:
- The K key can be 128 or 256 bits
- MAC-A and MAC-S can be 64, 128 or 256 bits
- RES can be 32, 64, 128 or 256 bits
- CK and IK can be 128 or 256 bits.
Existing 3GPP specifications do not support all of these
possibilities, but they were included in TUAK for future flexibility in case
future releases of these specifications want to support them.
TUAK uses the Keccak-f permutation with a 1600-bit
input/output.
Milenage uses a 128-bit OP that is combined with the K key to
derive OPc. For TUAK a 256-bit TOP key is specified, and a 256-bit TOPc is
derived from TOP and K.
As stated before, the lengths of K, MAC-A/MAC-S, RES, CK and
IK can be chosen by the operator, although they have to be fixed for a
particular implementation of TUAK.
For compatibility with current 3GPP specifications the length
of K must be 128 bits, the length of RES must be between 32 and 128 bits, the
length of MAC-A/MAC-S must be 64 bits, and the length of CK and IK must be 128
bits.
If a more secure version of this algorithm is required, it
can be obtained by applying extra Keccak permutations before extracting the output.
This can be set in the application with the "keccak
iterations" drop-down box.
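The sketch below is an added example, not the application's code. It shows the Keccak-f[1600] permutation on a 200-byte state and what applying it a configurable number of times looks like. The function names are assumptions, the TUAK input/output layout from 3GPP 35.231 is not reproduced, and the SHA3-256 helper exists only to cross-check the permutation against Python's `hashlib`.

```python
import hashlib

MASK64 = (1 << 64) - 1

def rol64(a, n):
    n %= 64
    return ((a << n) | (a >> (64 - n))) & MASK64

def keccak_f1600(state: bytes) -> bytes:
    """One Keccak-f[1600] permutation: 200 bytes (1600 bits) in, 200 bytes out."""
    if len(state) != 200:
        raise ValueError("state must be exactly 200 bytes")
    # A[x][y] holds the 25 lanes as little-endian 64-bit words
    A = [[int.from_bytes(state[8*(x+5*y):8*(x+5*y)+8], "little") for y in range(5)] for x in range(5)]
    R = 1  # LFSR that generates the round constants
    for _ in range(24):
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]  # theta
        D = [C[(x+4) % 5] ^ rol64(C[(x+1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, A[1][0]                                              # rho and pi
        for t in range(24):
            x, y = y, (2*x + 3*y) % 5
            cur, A[x][y] = A[x][y], rol64(cur, (t+1)*(t+2)//2)
        for y in range(5):                                                     # chi
            T = [A[x][y] for x in range(5)]
            for x in range(5):
                A[x][y] = T[x] ^ (~T[(x+1) % 5] & T[(x+2) % 5])
        for j in range(7):                                                     # iota
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2:
                A[0][0] ^= 1 << ((1 << j) - 1)
    return b"".join(A[x][y].to_bytes(8, "little") for y in range(5) for x in range(5))

def permute(state: bytes, iterations: int = 1) -> bytes:
    """Apply the permutation `iterations` times before any output is extracted."""
    if iterations < 1:
        raise ValueError("at least one iteration is required")
    for _ in range(iterations):
        state = keccak_f1600(state)
    return state

def sha3_256_one_block(msg: bytes) -> bytes:
    """SHA3-256 of a message shorter than the 136-byte rate (cross-check only)."""
    if len(msg) >= 136:
        raise ValueError("helper handles a single block only")
    block = bytearray(200)
    block[:len(msg)] = msg
    block[len(msg)] ^= 0x06   # SHA-3 domain separation and first padding bit
    block[135] ^= 0x80        # final padding bit at the end of the rate
    return keccak_f1600(bytes(block))[:32]

if __name__ == "__main__":
    assert sha3_256_one_block(b"TUAK") == hashlib.sha3_256(b"TUAK").digest()
    print(permute(bytes(200), iterations=2)[:8].hex())
```

Each extra iteration costs one more full 24-round permutation per TUAK function call, so the setting trades computation time for security margin.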
The application was tested with all test vectors from the 3GPP
35.232 specification.
You can download it for free here.
Nice work!
Hi Fabricio, nice explanation!
I have unclear information in terms of the way Tuak is used in the authenticate command APDU.
How is the Tuak authenticate command constructed? Does it still have the APDU '00 88 00 00' (CLA INS P1 P2)?
Thanks