The KDF is used to derive different keys. The different input key and input strings S used with the KDF is defined in the subclauses of this annex.The general description of the KDF and the encodings of its inputs are as defined by subclauses B.1 and B.2 of TS 33.220.

The FC number space is controlled by TS 33.220. FC values allocated for this specification are in range of 0x30 - 0x3F.

This input string is used for UMTS subscribers when there is a need to derive CK' CS|| IK' CS from CK PS||IK PS during mapping the security contexts from HSPA to UTRAN/GERAN. The Key is the concatenation of CK PS||IK PS (which are 128 bits each), and the output is CK' CS||IK' CS (which are 128 bits each).

• FC = 0x30
• P0 = NONCE
• L0 = length of NONCE (i.e. 0x00 0x10)

Further, the GSM Kc' used in GERAN shall be derived from CK' CS||IK' CS using the key conversion function c3 defined in this specification.

This input string is used for GSM subscribers when there is a need to derive Kc' from the 64-bit Kc during mapping the security contexts from HSPA to UTRAN/GERAN. The Key is the concatenation of Kc || Kc || Kc || Kc || (which are 64 bits each), and the output Kc' is the 64 most significant bits of the KDF output.

• FC = 0x31
• P0 = NONCE
• L0 = length of NONCE (i.e. 0x00 0x10)

The Kc' used in GERAN directly. When the access is over UTRAN, CK' CS||IK' CS shall be further derived from Kc' using the key conversion functions c4 and c5 defined in this specification.

This input string is used when there is a need to derive Kc 128 from CK and IK. The key Kc 128 is used as input to the GSM A5 and GEA ciphering algorithms which requires 128-bit keys. Kc 128 shall only be derived by the MS and the network when in UMTS security context. Kc 128 shall not be derived by the MS or the network when in GSM security context. This implies that GSM A5 using Kc 128 and GEA using Kc 128 can only be selected by the network (see TS 43.020) when the UE and network are in UMTS security context as there is otherwise no key which the ciphering algorithms can use.

• FC = 0x32

The Key input is the concatenation of CK and IK (i.e., CK || IK). No input parameters (Pi, Li) are used by this function. The KDF returns a 256-bit output, where the 128 most significant bits are identified with Kc 128 .

This input string is used for UMTS subscribers when there is a need to derive CK' PS || IK' PS from CK CS || IK CS during mapping the security contexts from UTRAN/GERAN to HSPA. The input parameter Key is the concatenation of CK CS || IK CS (which are 128 bits each), and the output is CK' PS ||IK' PS (which are 128 bits each).

• FC = 0x33
• P0 = NONCE MSC
• L0 = length of NONCE MSC (i.e. 0x00 0x10)

Further, the GPRS Kc' used in GERAN shall be derived from CK' PS||IK' PS using the key conversion function c3 defined in this specification.

This input string is used for GSM subscribers when there is a need to derive GPRS Kc' from the 64-bit Kc during mapping the security contexts from UTRAN/GERAN to HSPA. The input parameter Key is the concatenation of Kc || Kc || Kc || Kc || (which are 64 bits each), and the output Kc' is the 64 most significant bits of the KDF output.

• FC = 0x34
• P0 = NONCE MSC
• L0 = length of NONCE MSC (i.e. 0x00 0x10)

CK' PS || IK' PS shall be derived from GPRS Kc' using the key conversion functions c4 and c5 defined in this specification.