introduction to tetra security
DESCRIPTION
INTRODUCTION TO TETRA SECURITY. Brian Murgatroyd. Agenda. Why security is important in TETRA systems Overview of TETRA security features Authentication Air interface encryption Key Management Terminal Disabling End to End Encryption. Security Threats. - PowerPoint PPT PresentationTRANSCRIPT
TWC 2004 ViennaTWC 2004 Vienna 11
INTRODUCTION TO TETRA INTRODUCTION TO TETRA SECURITYSECURITY
Brian MurgatroydBrian Murgatroyd
TWC 2004 ViennaTWC 2004 Vienna 22
AgendaAgenda Why security is important in TETRA systemsWhy security is important in TETRA systems Overview of TETRA security featuresOverview of TETRA security features Authentication Authentication Air interface encryption Air interface encryption Key ManagementKey Management Terminal DisablingTerminal Disabling End to End EncryptionEnd to End Encryption
TWC 2004 ViennaTWC 2004 Vienna 33
Security ThreatsSecurity Threats What are the main threats to your system?What are the main threats to your system?
Confidentiality?Confidentiality?
Availability?Availability?
Integrity?Integrity?
TWC 2004 ViennaTWC 2004 Vienna 44
Message Related ThreatsMessage Related Threats interceptioninterception
– by hostile government agenciesby hostile government agencies ConfidentialityConfidentiality
eavesdropping eavesdropping – by hackers, criminals, terroristsby hackers, criminals, terrorists
masquerading masquerading – pretending to be legitimate userpretending to be legitimate user
manipulation of data.manipulation of data. IntegrityIntegrity– changing messageschanging messages
ReplayReplay
– recording messages and replaying them later recording messages and replaying them later
TWC 2004 ViennaTWC 2004 Vienna 55
User Related ThreatsUser Related Threats
traffic analysistraffic analysis ConfidentialityConfidentiality– getting intelligence from patterns of the traffic-frequency- message getting intelligence from patterns of the traffic-frequency- message
lengths-message typeslengths-message types
observability of user behaviour. observability of user behaviour. examining where the traffic is observed - times examining where the traffic is observed - times
of day-number of usersof day-number of users
TWC 2004 ViennaTWC 2004 Vienna 66
System Related ThreatsSystem Related Threats
denial of servicedenial of service AvailabilityAvailability
– preventing the system working by attempting topreventing the system working by attempting to use up capacityuse up capacity
jammingjamming AvailabilityAvailability
– Using RF energy to swamp receiver sitesUsing RF energy to swamp receiver sites
unauthorized use of resourcesunauthorized use of resources IntegrityIntegrity
– Illicit use of telephony, interrogation of secure databasesIllicit use of telephony, interrogation of secure databases
TWC 2004 ViennaTWC 2004 Vienna 77
Communications SecurityCommunications Security
Security is not just encryption!Security is not just encryption! Terminal AuthenticationTerminal Authentication User logon/AuthenticationUser logon/Authentication Stolen Terminal DisablingStolen Terminal Disabling Key Management with minimum overheadKey Management with minimum overhead All the network must be secure, particularly with a All the network must be secure, particularly with a
managed systemmanaged system
TWC 2004 ViennaTWC 2004 Vienna 88
TETRA Air Interface security functionsTETRA Air Interface security functions AuthenticationAuthentication
TETRA has strong mutual authentication requiring knowledge TETRA has strong mutual authentication requiring knowledge of unique secret keyof unique secret key
EncryptionEncryption– Dynamic key encryption (class 3)Dynamic key encryption (class 3)
Static key encryption (class2)Static key encryption (class2)
Terminal DisablingTerminal Disabling Secure temporary or permanent disableSecure temporary or permanent disable
Over the Air Re-keying (OTAR)Over the Air Re-keying (OTAR) for managing large populations without user overhead for managing large populations without user overhead
Aliasing/User logonAliasing/User logon To allow association of user to terminalTo allow association of user to terminal
TWC 2004 ViennaTWC 2004 Vienna 99
AuthenticationAuthentication
Used to ensure that terminal isUsed to ensure that terminal is genuine and genuine and
allowed on network.allowed on network.
Mutual authentication ensures that in addition to Mutual authentication ensures that in addition to
verifying the terminal, the SwMI can be trusted.verifying the terminal, the SwMI can be trusted.
Authentication requires both SwMI and terminal Authentication requires both SwMI and terminal
have proof of secret key.have proof of secret key.
Successful authentication permits further Successful authentication permits further
security related functions to be downloaded.security related functions to be downloaded.
TWC 2004 ViennaTWC 2004 Vienna 1010
User authentication (aliasing)User authentication (aliasing) Second layer of securitySecond layer of security Ensures the user is associated with terminalEnsures the user is associated with terminal User logon to network aliasing serverUser logon to network aliasing server log on with Radio User Identity and PINlog on with Radio User Identity and PIN Very limited functionality allowed prior to log onVery limited functionality allowed prior to log on Log on/off not associated with terminal registrationLog on/off not associated with terminal registration Could be used as access control for applications Could be used as access control for applications
as well as to the Radio systemas well as to the Radio system
TWC 2004 ViennaTWC 2004 Vienna 1111
AuthenticationAuthentication
Strong mutual authentication used for proving the user/terminal is who he Strong mutual authentication used for proving the user/terminal is who he claims to be.claims to be.
Only allows legitimate terminals on the networkOnly allows legitimate terminals on the network Only allows the genuine network to be used by terminalsOnly allows the genuine network to be used by terminals Uses Challenge- Response mechanism based on a unique secret key K Uses Challenge- Response mechanism based on a unique secret key K
stored in the stored in the terminalterminal and in the Authentication Centre (AuC) and in the Authentication Centre (AuC) All MS’s must be properly authenticated prior to being granted access to the All MS’s must be properly authenticated prior to being granted access to the
networknetwork One of the outputs is the DOne of the outputs is the Derived erived CCipher ipher KKey used for Air Interface Encryptioney used for Air Interface Encryption
SwitchMSEBTS
Service RequestFalse BTS
TWC 2004 ViennaTWC 2004 Vienna 1212
TTETRA Authentication mapping to ETRA Authentication mapping to network elementsnetwork elements
Authentication Centre (AuC)
CallController
TA11
K RS
KS
Generate RS
KS (Session key)RS (Random seed)
TA12
KS RAND1
XRES1 DCK1
Generate RAND1
Compare RES1 and XRES1
TA11
TA12
K RS
KS RAND1
RES1 DCK1
RS, RAND1
RES1
EBTS
DCK
K known only to AuC and MS
TWC 2004 ViennaTWC 2004 Vienna 1313
Encryption ProcessEncryption Process
Clear data inClear data in Encrypted data out Encrypted data out
Key Stream Generator (TEA[x])
Initialisation Vector (IV)
A BCDE F G H y 4 M v # Q t q c
Traffic Key (X)CK
Key Stream Segments
Combining algorithm (TB5)
I
CN
LA
CC
TWC 2004 ViennaTWC 2004 Vienna 1414
Air Interface traffic keysAir Interface traffic keys
Four traffic keys are used in class 3 systems:-Four traffic keys are used in class 3 systems:- Derived cipher Key (DCK)Derived cipher Key (DCK)
– derived from authentication process used for protecting uplink, one to one derived from authentication process used for protecting uplink, one to one
callscalls Common Cipher Key(CCK)Common Cipher Key(CCK)
– protects downlink group calls and ITSI on initial registrationprotects downlink group calls and ITSI on initial registration
Group Cipher Key(GCK)Group Cipher Key(GCK)– Provides crypto separation, combined with CCKProvides crypto separation, combined with CCK
Static Cipher Key(SCKStatic Cipher Key(SCK))– Used for protecting DMO and TMO fallback modeUsed for protecting DMO and TMO fallback mode
TWC 2004 ViennaTWC 2004 Vienna 1515
DMO SecurityDMO Security
Implicit AuthenticationStatic Cipher keysNo disabling
TWC 2004 ViennaTWC 2004 Vienna 1616
TMO SCK OTAR schemeTMO SCK OTAR scheme
DMO SCKs must be distributed when terminals are operating in DMO SCKs must be distributed when terminals are operating in TMO.TMO.
In normal circumstances, terminals should return to TMO In normal circumstances, terminals should return to TMO coverage within a key lifetimecoverage within a key lifetime
A typical DMO SCK lifetime may be between 2 weeks and 6 A typical DMO SCK lifetime may be between 2 weeks and 6 monthsmonths
Key Management Centre
TETRA Infrastructure
TWC 2004 ViennaTWC 2004 Vienna 1717
Group OTARGroup OTAR OTAR to individuals is inefficient if same keys going OTAR to individuals is inefficient if same keys going
to many terminalsto many terminals Need to download to groups rather than individual Need to download to groups rather than individual
terminals to save system capacityterminals to save system capacity Requirement for many different sets of keys in large Requirement for many different sets of keys in large
multi-user network-GCKs and DMO SCKsmulti-user network-GCKs and DMO SCKs Ensure that the right terminal gets the right keysEnsure that the right terminal gets the right keys
TWC 2004 ViennaTWC 2004 Vienna 1818
Key Overlap scheme used for DMO SCKsKey Overlap scheme used for DMO SCKs
The scheme uses Past, Present and Future versions of an SCK.The scheme uses Past, Present and Future versions of an SCK. System RulesSystem Rules
– Terminals may only transmit on their Present version of the key.Terminals may only transmit on their Present version of the key.– Terminals may receive on any of the three versions of the key.Terminals may receive on any of the three versions of the key.
This scheme allows a one key period overlap.This scheme allows a one key period overlap.
Past Present Future
Receive
Transmit
TWC 2004 ViennaTWC 2004 Vienna 1919
Disabling of terminalsDisabling of terminals
Vital to ensure the reduction of risk of threats to system by Vital to ensure the reduction of risk of threats to system by stolen and lost terminalsstolen and lost terminals
Relies on the integrity of the users to report losses quickly Relies on the integrity of the users to report losses quickly and accurately.and accurately.
May be achieved by removing subscription and/or May be achieved by removing subscription and/or disabling terminaldisabling terminal
Disabling may be either temporary or permanentDisabling may be either temporary or permanent Permanent disabling removes all keys including (k)Permanent disabling removes all keys including (k) Temporary disabling removes all traffic keys but allows Temporary disabling removes all traffic keys but allows
ambience listeningambience listening
TWC 2004 ViennaTWC 2004 Vienna 2020
End to end encryptionEnd to end encryption
End-to-end security between MS’s
Network MS
Air interface security between MS and network
MS
Protects messages across Protects messages across an untrusted infrastructurean untrusted infrastructure
Provides enhanced Provides enhanced confidentialityconfidentiality
Voice and SDS servicesVoice and SDS services IP data services (soon)IP data services (soon)
TWC 2004 ViennaTWC 2004 Vienna 2121
Features of End to End EncryptionFeatures of End to End Encryption Only protects the user payload (confidentiality protection)Only protects the user payload (confidentiality protection) Needs an additional synchronization vectorNeeds an additional synchronization vector Requires a transparent network - no transcoding-All the bits encrypted Requires a transparent network - no transcoding-All the bits encrypted
at the transmitting end must be decrypted at the receiverat the transmitting end must be decrypted at the receiver Will not work outside the TETRA domainWill not work outside the TETRA domain Key Management in User DomainKey Management in User Domain No need to trust network providerNo need to trust network provider frequent transmission of synchronization vector needed to ensure good frequent transmission of synchronization vector needed to ensure good
late entry capability but as frame stealing is used this may impact late entry capability but as frame stealing is used this may impact slightly on voice quality.slightly on voice quality.
TWC 2004 ViennaTWC 2004 Vienna 2222
End to end keysEnd to end keys
Traffic encryption key(TEK). Three editions used Traffic encryption key(TEK). Three editions used in terminal to give key overlap.in terminal to give key overlap.
Group Key encryption key(GEK) used to Group Key encryption key(GEK) used to protection TEKs during OTAR.protection TEKs during OTAR.
Unique KEK(long life) used to protect GEKs Unique KEK(long life) used to protect GEKs during OTAR. during OTAR.
Signalling Encryption Keys (SEK) used Signalling Encryption Keys (SEK) used optionally for control trafficoptionally for control traffic
TWC 2004 ViennaTWC 2004 Vienna 2323
E2e Key ManagementE2e Key Management
Key Management System, GEK (y)
Terminal:UKEK (x), GEK (y)
[TEK]GEK(y)
[GEK(y)]UKEK (x)
TWC 2004 ViennaTWC 2004 Vienna 2424
Benefits of end to end encryption with Air Benefits of end to end encryption with Air Interface encryptionInterface encryption
Air interface (AI) encryption alone and end to end encryption alone Air interface (AI) encryption alone and end to end encryption alone both have their limitationsboth have their limitations
For most users AI security measures are completely adequateFor most users AI security measures are completely adequate Where either the network is untrusted, or the data is extremely Where either the network is untrusted, or the data is extremely
sensitive then end to end encryption may be used in additionsensitive then end to end encryption may be used in addition Brings the benefit of encrypting addresses and signalling as well as Brings the benefit of encrypting addresses and signalling as well as
user data across the Air Interface and confidentiality right across the user data across the Air Interface and confidentiality right across the networknetwork
TWC 2004 ViennaTWC 2004 Vienna 2525
ConclusionsConclusions
Security functions built in from the start!Security functions built in from the start! User friendly and transparent key User friendly and transparent key
management.management. Air interface encryption protects, control Air interface encryption protects, control
traffic, IDs as well as voice and user traffic, IDs as well as voice and user traffic.traffic.
Key management comes without user Key management comes without user overhead because of OTAR.overhead because of OTAR.