twc 2003 copenhagen1 introduction to tetra security brian murgatroyd
TRANSCRIPT
TWC 2003 Copenhagen 1
INTRODUCTION TO TETRA INTRODUCTION TO TETRA SECURITYSECURITY
Brian MurgatroydBrian Murgatroyd
TWC 2003 Copenhagen 2
Agenda
• Why security is important in TETRA systems• Overview of TETRA security features• Authentication • Air interface encryption • Key Management• Terminal Disabling• End to End Encryption
TWC 2003 Copenhagen 3
Security Threats• What are the main threats to your system?
• Confidentiality?
• Availability?
• Integrity?
TWC 2003 Copenhagen 4
Message Related Threats
• interception Confidentiality
– by hostile government agencies
• eavesdropping– by hackers, criminals, terrorists
• masquerading – pretending to be legitimate user
• manipulation of data. Integrity– changing messages
• Replay
– recording messages and replaying them later
TWC 2003 Copenhagen 5
User Related Threats
• traffic analysis Confidentiality– getting intelligence from patterns of the traffic-frequency-
message lengths-message types
• observability of user behaviour. Confidentiality– examining where the traffic is observed - times of day-number
of users
TWC 2003 Copenhagen 6
System Related Threats
• denial of service Availability
– preventing the system working by attempting to use up capacity
• jamming Availability
– Using RF energy to swamp receiver sites
• unauthorized use of resources Integrity
– Illicit use of telephony, interrogation of secure databases
TWC 2003 Copenhagen 7
TETRA Air Interface security functions
• Authentication• TETRA has strong mutual authentication requiring knowledge
of secret key
• Encryption– Dynamic key encryption (class 3)
• Static key encryption (class2)
• Terminal Disabling• Secure temporary or permanent disable
• Over the Air Re-keying (OTAR)• for managing large populations without user overhead
• Aliasing/User logon• To allow association of user to terminal
TWC 2003 Copenhagen 8
User authentication (aliasing)
• Second layer of security• Ensures the user is associated with terminal• User logon to network aliasing server• log on with Radio User Identity and PIN• Very limited functionality allowed prior to log on• Log on/off not associated with terminal registration• Could be used as access control for applications as well
as to the Radio system
TWC 2003 Copenhagen 9
Security Classes
Class Authentication Encryption Other
1 Optional None -
2 Optional Static ESI3 Mandatory Dynamic ESI
TWC 2003 Copenhagen 10
Authentication
• Used to ensure that terminal is genuine and
allowed on network.
• Mutual authentication ensures that in addition to verifying the terminal, the SwMI can be trusted.
• Authentication requires both SwMI and terminal have proof of secret key.
• Successful authentication permits further security related functions to be downloaded.
TWC 2003 Copenhagen 11
Authentication processMobileMobile Base stationBase station Authentication Authentication CentreCentre
K Random Seed (RS)
RS
KS
Rand
Expected Result
K
RS
Rand
Result
TA11
TA12TA12
TA11
KS
(Session key)
Same?
TWC 2003 Copenhagen 12
Deriving DCK from mutual authentication
DCK2
DCK1
DCK
Infrastructure-MS authentication
MS-Infrastructure authentication
TB4
TWC 2003 Copenhagen 13
Encryption Process
Clear data inClear data in Encrypted data out Encrypted data out
Key Stream Generator (TEA[x])
Modulo 2 addition (XOR)
Initialisation Vector (IV)
A BCDE F G H y 4 M v # Q t q c
Traffic Key
Key Stream Segments
Combining algorithm (TB5)
I
CN
LA
CC
TWC 2003 Copenhagen 14
Air Interface traffic keys
• Four traffic keys are used in class 3 systems:-• Derived cipher Key (DCK)
– derived from authentication process used for protecting uplink, one to
one calls • Common Cipher Key(CCK)
– protects downlink group calls and ITSI on initial registration
• Group Cipher Key(GCK)– Provides crypto separation, combined with CCK
• Static Cipher Key(SCK)– Used for protecting DMO and TMO fallback mode
TWC 2003 Copenhagen 15
DMO Security
Implicit AuthenticationStatic Cipher keysNo disabling
TWC 2003 Copenhagen 16
TMO SCK OTAR scheme
• DMO SCKs must be distributed when terminals are operating in TMO.• In normal circumstances, terminals should return to TMO coverage
within a key lifetime• A typical DMO SCK lifetime may be between 2 weeks and 6 months
Key Management Centre
TETRA Infrastructure
TWC 2003 Copenhagen 17
Key Overlap scheme used for DMO SCKs
• The scheme uses Past, Present and Future versions of an SCK.• System Rules
– Terminals may only transmit on their Present version of the key.– Terminals may receive on any of the three versions of the key.
• This scheme allows a one key period overlap.
Past Present Future
Receive
Transmit
TWC 2003 Copenhagen 18
Disabling of terminals
• Vital to ensure the reduction of risk of threats to system by stolen and lost terminals
• Relies on the integrity of the users to report losses quickly and accurately.
• May be achieved by removing subscription and/or disabling terminal
• Disabling may be either temporary or permanent• Permanent disabling removes all keys including (k)• Temporary disabling removes all traffic keys but
allows ambience listening
TWC 2003 Copenhagen 19
End to end encryption
End-to-end security between MS’s
Network MS
Air interface security between MS and network
MS
• Protects messages across an untrusted infrastructure
• Provides enhanced confidentiality
• Voice and SDS services• IP data services (soon)
TWC 2003 Copenhagen 20
End to end encryption features
• Additional synchronization carried in stolen half frames
• Standard algorithms available or national solutions
• Key Management in User Domain
TWC 2003 Copenhagen 21
Limitations of End to End Encryption
• Only protects the user payload (confidentiality protection)
• Requires a transparent network - no transcoding-All the bits encrypted at the transmitting end must be decrypted at the receiver
• Will not work outside the TETRA domain• frequent transmission of synchronization vector needs
to ensure good late entry capability but as frame stealing is used this may impact slightly on voice quality.
TWC 2003 Copenhagen 22
End to end keys
• Traffic encryption key(TEK). Three editions used in terminal to give key overlap.
• Group Key encryption key(GEK) used to protection TEKs during OTAR.
• Unique KEK(long life) used to protect GEKs during OTAR.
• Signalling Encryption Keys (SEK) used optionally for control traffic
TWC 2003 Copenhagen 23
Benefits of end to end encryption with Air Interface encryption• Air interface (AI) encryption alone and end to end
encryption alone both have their limitations• For most users AI security measures are completely
adequate• Where either the network is untrusted, or the data is
extremely sensitive then end to end encryption may be used in addition
• Brings the benefit of encrypting addresses and signalling as well as user data across the Air Interface and confidentiality right across the network
TWC 2003 Copenhagen 24
Conclusions• Security functions built in from the start!
• User friendly and transparent key management.
• Air interface encryption protects control traffic, IDs as well as voice and user traffic.
• Key management comes without user overhead because of OTAR.