introduction to tetra security

TWC 2004 ViennaTWC 2004 Vienna 11

INTRODUCTION TO TETRA INTRODUCTION TO TETRA SECURITYSECURITY

Brian MurgatroydBrian Murgatroyd


AgendaAgenda Why security is important in TETRA systemsWhy security is important in TETRA systems Overview of TETRA security featuresOverview of TETRA security features Authentication Authentication Air interface encryption Air interface encryption Key ManagementKey Management Terminal DisablingTerminal Disabling End to End EncryptionEnd to End Encryption


Security ThreatsSecurity Threats What are the main threats to your system?What are the main threats to your system?

Confidentiality?Confidentiality?

Availability?Availability?

Integrity?Integrity?


Message Related ThreatsMessage Related Threats interceptioninterception

– by hostile government agenciesby hostile government agencies ConfidentialityConfidentiality

eavesdropping eavesdropping – by hackers, criminals, terroristsby hackers, criminals, terrorists

masquerading masquerading – pretending to be legitimate userpretending to be legitimate user

manipulation of data.manipulation of data. IntegrityIntegrity– changing messageschanging messages

ReplayReplay

– recording messages and replaying them later recording messages and replaying them later


User Related ThreatsUser Related Threats

traffic analysistraffic analysis ConfidentialityConfidentiality– getting intelligence from patterns of the traffic-frequency- message getting intelligence from patterns of the traffic-frequency- message

lengths-message typeslengths-message types

observability of user behaviour. observability of user behaviour. examining where the traffic is observed - times examining where the traffic is observed - times

of day-number of usersof day-number of users


System Related ThreatsSystem Related Threats

denial of servicedenial of service AvailabilityAvailability

– preventing the system working by attempting topreventing the system working by attempting to use up capacityuse up capacity

jammingjamming AvailabilityAvailability

– Using RF energy to swamp receiver sitesUsing RF energy to swamp receiver sites

unauthorized use of resourcesunauthorized use of resources IntegrityIntegrity

– Illicit use of telephony, interrogation of secure databasesIllicit use of telephony, interrogation of secure databases


Communications SecurityCommunications Security

Security is not just encryption!Security is not just encryption! Terminal AuthenticationTerminal Authentication User logon/AuthenticationUser logon/Authentication Stolen Terminal DisablingStolen Terminal Disabling Key Management with minimum overheadKey Management with minimum overhead All the network must be secure, particularly with a All the network must be secure, particularly with a

managed systemmanaged system


TETRA Air Interface security functionsTETRA Air Interface security functions AuthenticationAuthentication

TETRA has strong mutual authentication requiring knowledge TETRA has strong mutual authentication requiring knowledge of unique secret keyof unique secret key

EncryptionEncryption– Dynamic key encryption (class 3)Dynamic key encryption (class 3)

Static key encryption (class2)Static key encryption (class2)

Terminal DisablingTerminal Disabling Secure temporary or permanent disableSecure temporary or permanent disable

Over the Air Re-keying (OTAR)Over the Air Re-keying (OTAR) for managing large populations without user overhead for managing large populations without user overhead

Aliasing/User logonAliasing/User logon To allow association of user to terminalTo allow association of user to terminal


AuthenticationAuthentication

Used to ensure that terminal isUsed to ensure that terminal is genuine and genuine and

allowed on network.allowed on network.

Mutual authentication ensures that in addition to Mutual authentication ensures that in addition to

verifying the terminal, the SwMI can be trusted.verifying the terminal, the SwMI can be trusted.

Authentication requires both SwMI and terminal Authentication requires both SwMI and terminal

have proof of secret key.have proof of secret key.

Successful authentication permits further Successful authentication permits further

security related functions to be downloaded.security related functions to be downloaded.


User authentication (aliasing)User authentication (aliasing) Second layer of securitySecond layer of security Ensures the user is associated with terminalEnsures the user is associated with terminal User logon to network aliasing serverUser logon to network aliasing server log on with Radio User Identity and PINlog on with Radio User Identity and PIN Very limited functionality allowed prior to log onVery limited functionality allowed prior to log on Log on/off not associated with terminal registrationLog on/off not associated with terminal registration Could be used as access control for applications Could be used as access control for applications

as well as to the Radio systemas well as to the Radio system


AuthenticationAuthentication

Strong mutual authentication used for proving the user/terminal is who he Strong mutual authentication used for proving the user/terminal is who he claims to be.claims to be.

Only allows legitimate terminals on the networkOnly allows legitimate terminals on the network Only allows the genuine network to be used by terminalsOnly allows the genuine network to be used by terminals Uses Challenge- Response mechanism based on a unique secret key K Uses Challenge- Response mechanism based on a unique secret key K

stored in the stored in the terminalterminal and in the Authentication Centre (AuC) and in the Authentication Centre (AuC) All MS’s must be properly authenticated prior to being granted access to the All MS’s must be properly authenticated prior to being granted access to the

networknetwork One of the outputs is the DOne of the outputs is the Derived erived CCipher ipher KKey used for Air Interface Encryptioney used for Air Interface Encryption

SwitchMSEBTS

Service RequestFalse BTS


TTETRA Authentication mapping to ETRA Authentication mapping to network elementsnetwork elements

Authentication Centre (AuC)

CallController

TA11

K RS

KS

Generate RS

KS (Session key)RS (Random seed)

TA12

KS RAND1

XRES1 DCK1

Generate RAND1

Compare RES1 and XRES1

TA11

TA12

K RS

KS RAND1

RES1 DCK1

RS, RAND1

RES1

EBTS

DCK

K known only to AuC and MS


Encryption ProcessEncryption Process

Clear data inClear data in Encrypted data out Encrypted data out

Key Stream Generator (TEA[x])

Initialisation Vector (IV)

A BCDE F G H y 4 M v # Q t q c

Traffic Key (X)CK

Key Stream Segments

Combining algorithm (TB5)

I

CN

LA

CC


Air Interface traffic keysAir Interface traffic keys

Four traffic keys are used in class 3 systems:-Four traffic keys are used in class 3 systems:- Derived cipher Key (DCK)Derived cipher Key (DCK)

– derived from authentication process used for protecting uplink, one to one derived from authentication process used for protecting uplink, one to one

callscalls Common Cipher Key(CCK)Common Cipher Key(CCK)

– protects downlink group calls and ITSI on initial registrationprotects downlink group calls and ITSI on initial registration

Group Cipher Key(GCK)Group Cipher Key(GCK)– Provides crypto separation, combined with CCKProvides crypto separation, combined with CCK

Static Cipher Key(SCKStatic Cipher Key(SCK))– Used for protecting DMO and TMO fallback modeUsed for protecting DMO and TMO fallback mode


DMO SecurityDMO Security

Implicit AuthenticationStatic Cipher keysNo disabling


TMO SCK OTAR schemeTMO SCK OTAR scheme

DMO SCKs must be distributed when terminals are operating in DMO SCKs must be distributed when terminals are operating in TMO.TMO.

In normal circumstances, terminals should return to TMO In normal circumstances, terminals should return to TMO coverage within a key lifetimecoverage within a key lifetime

A typical DMO SCK lifetime may be between 2 weeks and 6 A typical DMO SCK lifetime may be between 2 weeks and 6 monthsmonths

Key Management Centre

TETRA Infrastructure


Group OTARGroup OTAR OTAR to individuals is inefficient if same keys going OTAR to individuals is inefficient if same keys going

to many terminalsto many terminals Need to download to groups rather than individual Need to download to groups rather than individual

terminals to save system capacityterminals to save system capacity Requirement for many different sets of keys in large Requirement for many different sets of keys in large

multi-user network-GCKs and DMO SCKsmulti-user network-GCKs and DMO SCKs Ensure that the right terminal gets the right keysEnsure that the right terminal gets the right keys


Key Overlap scheme used for DMO SCKsKey Overlap scheme used for DMO SCKs

The scheme uses Past, Present and Future versions of an SCK.The scheme uses Past, Present and Future versions of an SCK. System RulesSystem Rules

– Terminals may only transmit on their Present version of the key.Terminals may only transmit on their Present version of the key.– Terminals may receive on any of the three versions of the key.Terminals may receive on any of the three versions of the key.

This scheme allows a one key period overlap.This scheme allows a one key period overlap.

Past Present Future

Receive

Transmit


Disabling of terminalsDisabling of terminals

Vital to ensure the reduction of risk of threats to system by Vital to ensure the reduction of risk of threats to system by stolen and lost terminalsstolen and lost terminals

Relies on the integrity of the users to report losses quickly Relies on the integrity of the users to report losses quickly and accurately.and accurately.

May be achieved by removing subscription and/or May be achieved by removing subscription and/or disabling terminaldisabling terminal

Disabling may be either temporary or permanentDisabling may be either temporary or permanent Permanent disabling removes all keys including (k)Permanent disabling removes all keys including (k) Temporary disabling removes all traffic keys but allows Temporary disabling removes all traffic keys but allows

ambience listeningambience listening


End to end encryptionEnd to end encryption

End-to-end security between MS’s

Network MS

Air interface security between MS and network

MS

Protects messages across Protects messages across an untrusted infrastructurean untrusted infrastructure

Provides enhanced Provides enhanced confidentialityconfidentiality

Voice and SDS servicesVoice and SDS services IP data services (soon)IP data services (soon)


Features of End to End EncryptionFeatures of End to End Encryption Only protects the user payload (confidentiality protection)Only protects the user payload (confidentiality protection) Needs an additional synchronization vectorNeeds an additional synchronization vector Requires a transparent network - no transcoding-All the bits encrypted Requires a transparent network - no transcoding-All the bits encrypted

at the transmitting end must be decrypted at the receiverat the transmitting end must be decrypted at the receiver Will not work outside the TETRA domainWill not work outside the TETRA domain Key Management in User DomainKey Management in User Domain No need to trust network providerNo need to trust network provider frequent transmission of synchronization vector needed to ensure good frequent transmission of synchronization vector needed to ensure good

late entry capability but as frame stealing is used this may impact late entry capability but as frame stealing is used this may impact slightly on voice quality.slightly on voice quality.


End to end keysEnd to end keys

Traffic encryption key(TEK). Three editions used Traffic encryption key(TEK). Three editions used in terminal to give key overlap.in terminal to give key overlap.

Group Key encryption key(GEK) used to Group Key encryption key(GEK) used to protection TEKs during OTAR.protection TEKs during OTAR.

Unique KEK(long life) used to protect GEKs Unique KEK(long life) used to protect GEKs during OTAR. during OTAR.

Signalling Encryption Keys (SEK) used Signalling Encryption Keys (SEK) used optionally for control trafficoptionally for control traffic


E2e Key ManagementE2e Key Management

Key Management System, GEK (y)

Terminal:UKEK (x), GEK (y)

[TEK]GEK(y)

[GEK(y)]UKEK (x)


Benefits of end to end encryption with Air Benefits of end to end encryption with Air Interface encryptionInterface encryption

Air interface (AI) encryption alone and end to end encryption alone Air interface (AI) encryption alone and end to end encryption alone both have their limitationsboth have their limitations

For most users AI security measures are completely adequateFor most users AI security measures are completely adequate Where either the network is untrusted, or the data is extremely Where either the network is untrusted, or the data is extremely

sensitive then end to end encryption may be used in additionsensitive then end to end encryption may be used in addition Brings the benefit of encrypting addresses and signalling as well as Brings the benefit of encrypting addresses and signalling as well as

user data across the Air Interface and confidentiality right across the user data across the Air Interface and confidentiality right across the networknetwork


ConclusionsConclusions

Security functions built in from the start!Security functions built in from the start! User friendly and transparent key User friendly and transparent key

management.management. Air interface encryption protects, control Air interface encryption protects, control

traffic, IDs as well as voice and user traffic, IDs as well as voice and user traffic.traffic.

Key management comes without user Key management comes without user overhead because of OTAR.overhead because of OTAR.

introduction to tetra security

Documents

successful authentication

terminal registrationcould

security related functions

viennaagendawhy security

genuine network

proof of secret key

air interface encryptiontwc

association of user