BEST key derivation shall use the key derivation function (KDF) defined in TS 33.220, with input parameters as defined in clause 5 of the present document.
When deriving a KHSE from CK, IK and the serving network name when producing authentication vectors, and when the UE computes KHSE according to 5G AKA, the following parameters shall be used to form the input S to the KDF:
- FC = 0x63;
- P0 = serving network name;
- L0 = length of the serving network name (variable length as specified in TS 24.501);
- P1 = SQN ⊕ AK;
- L1 = length of SQN ⊕ AK (i.e. 0x00 0x06).
The XOR of the Sequence Number (SQN) and the Anonymity Key (AK) is sent to the UE as a part of the Authentication Token (AUTN), see TS 33.102. If AK is not used, AK shall be treated in accordance with TS 33.102, i.e. as 000…0.
The serving network name shall be constructed as specified in clause 6.1.1.4 of TS 33.501.
The input key KEY shall be equal to the concatenation CK || IK of CK and IK.
When deriving a KHSE from CK', IK' and the serving network name when producing authentication vectors, and when the UE computes KHSE according to EAP-AKA', the following parameters shall be used to form the input S to the KDF:
- FC = 0x64;
- P0 = serving network name;
- L0 = length of the serving network name (variable length as specified in TS 24.501);
- P1 = SQN ⊕ AK;
- L1 = length of SQN ⊕ AK (i.e. 0x00 0x06).
The XOR of the Sequence Number (SQN) and the Anonymity Key (AK) is sent to the UE as a part of the Authentication Token (AUTN), see TS 33.102. If AK is not used, AK shall be treated in accordance with TS 33.102, i.e. as 000…0.
The serving network name shall be constructed as specified in clause 6.1.1.4 of TS 33.501.
The input key KEY shall be equal to the concatenation CK' || IK' of CK' and IK'.
The HSE and UE shall derive the BEST UE-to-HSE keys and the Intermediate key, which are derived from CK and IK, KASME, KHSE, or the GBA / 5G GBA / AKMA / proprietary agreed key depending on the key agreement version selected. The following input string shall be used when the UE and the HSE derive the BEST UE-to-HSE user plane service keys KE2Menc and/or KE2Mint, or the Intermediate BEST key for usage in further key derivations for the UE-to-EAS user plane services or the key agreement services:
- FC = 0x60;
- P0 = HSE id if supplied, else NULL;
- L0 = length of HSE id (i.e. 0x00 0x03 if HSE id supplied, or 0x00 0x00 if not);
- P1 = SQN ⊕ AK;
- L1 = length of SQN ⊕ AK (i.e. 0x00 0x06);
- P2 = algorithm type distinguisher;
- L2 = length of algorithm type distinguisher (i.e. 0x00 0x01).
For UMTS key agreement, the input key shall be equal to the concatenation CK || IK of CK and IK.
For EPS key agreement, the input key shall be equal to KASME.
For 5G key agreement, the input key shall be equal to KHSE (see clause 5.1.0a).
For GBA and 5G GBA, the input key shall be equal to Ks_(int/ext)_NAF.
For AKMA, the input key shall be equal to KAF.
For proprietary key agreement, the proprietary key shall be used as the input key.
The Intermediate Key ID shall be set equal to SQN ⊕ AK.
The following input string shall be used when the UE and the HSE derive the enterprise specific pre-shared key KEAS_PSK from KIntermediate:
- FC = 0x61;
- P0 = Enterprise Application Server id;
- L0 = length of Enterprise Application Server id (i.e. 0x00 0x03).
The input key shall be KIntermediate, as derived in clause 5.1.1.
The following input string shall be used when the UE and the EAS derive the BEST user plane keys KE2Eenc or KE2Eint from KEAS_PSK:
- FC = 0x62;
- P0 = algorithm type distinguisher;
- L0 = length of algorithm type distinguisher (i.e. 0x00 0x01).
The input key shall be equal to the concatenation KEAS_E2E || KEnterprise of KEAS_PSK and KEnterprise.
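The following is an added example, not code from the specification, showing how the input strings above are assembled and fed to the TS 33.220 generic KDF (HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 || ...) for the 5G AKA chain CK, IK to KHSE (FC 0x63), to KIntermediate (FC 0x60) and on to KEAS_PSK (FC 0x61). All key, identifier and serving network name values are constructed samples, the algorithm type distinguisher value is a placeholder (its real encoding is not given in this clause), and the function names are the example's own.

```python
import hashlib
import hmac

def build_s(fc: int, *params: bytes) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 || ...; each Li is the 2-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of TS 33.220: HMAC-SHA-256(KEY, S), 256-bit output."""
    return hmac.new(key, build_s(fc, *params), hashlib.sha256).digest()

def k_hse_from_ck_ik(ck: bytes, ik: bytes, snn: bytes, sqn_xor_ak: bytes,
                     fc: int = 0x63) -> bytes:
    """FC 0x63 = 5G AKA, KEY = CK || IK; pass fc=0x64 with CK', IK' for EAP-AKA'."""
    if len(sqn_xor_ak) != 6:
        raise ValueError("SQN xor AK must be 6 octets (L1 = 0x00 0x06)")
    return kdf(ck + ik, fc, snn, sqn_xor_ak)

def best_ue_to_hse_key(input_key: bytes, hse_id, sqn_xor_ak: bytes,
                       alg_type: int) -> bytes:
    """FC 0x60: P0 = HSE id (3 octets) or NULL with L0 = 0x00 0x00, P1 = SQN xor AK,
    P2 = one-octet algorithm type distinguisher. Input key is KHSE for 5G key agreement."""
    p0 = b"" if hse_id is None else hse_id
    if p0 and len(p0) != 3:
        raise ValueError("HSE id must be 3 octets when supplied (L0 = 0x00 0x03)")
    return kdf(input_key, 0x60, p0, sqn_xor_ak, bytes([alg_type]))

def k_eas_psk(k_intermediate: bytes, eas_id: bytes) -> bytes:
    """FC 0x61: P0 = Enterprise Application Server id (3 octets), input key KIntermediate."""
    if len(eas_id) != 3:
        raise ValueError("EAS id must be 3 octets (L0 = 0x00 0x03)")
    return kdf(k_intermediate, 0x61, eas_id)

# Constructed sample inputs (not test vectors from any specification).
CK, IK = bytes(range(16)), bytes(range(16, 32))
SNN = b"5G:mnc012.mcc345.3gppnetwork.org"      # sample serving network name
SQN_XOR_AK = bytes.fromhex("0a0b0c0d0e0f")     # 6 octets, as carried in AUTN
HSE_ID, EAS_ID = bytes.fromhex("000101"), bytes.fromhex("000201")
ALG_TYPE_INTERMEDIATE = 0x00  # placeholder: distinguisher values are not in this clause

def derive_chain() -> dict:
    """5G AKA: CK, IK -> KHSE -> KIntermediate -> KEAS_PSK; Intermediate Key ID = SQN xor AK."""
    k_hse = k_hse_from_ck_ik(CK, IK, SNN, SQN_XOR_AK)
    k_int = best_ue_to_hse_key(k_hse, HSE_ID, SQN_XOR_AK, ALG_TYPE_INTERMEDIATE)
    return {"KHSE": k_hse, "KIntermediate": k_int, "IntermediateKeyID": SQN_XOR_AK,
            "KEAS_PSK": k_eas_psk(k_int, EAS_ID)}
```

Omitting the HSE id yields an empty P0 with L0 = 0x00 0x00, so the two parties must agree on whether the id was supplied or their keys will diverge silently.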