
INTRODUCTION TO TETRA SECURITY

Brian Murgatroyd

TWC 2003 Copenhagen

Agenda

Why security is important in TETRA systems


Overview of TETRA security features
Authentication
Air interface encryption
Key Management
Terminal Disabling
End to End Encryption


Security Threats

What are the main threats to your system?


Confidentiality?
Availability?
Integrity?


Message Related Threats

interception (Confidentiality)
by hostile government agencies

eavesdropping
by hackers, criminals, terrorists

masquerading
pretending to be legitimate user

manipulation of data (Integrity)
changing messages

replay
recording messages and replaying them later


User Related Threats

traffic analysis (Confidentiality)
getting intelligence from patterns of the traffic: frequency, message lengths, message types

observability of user behaviour (Confidentiality)
examining where the traffic is observed: times of day, number of users


System Related Threats

denial of service (Availability)
preventing the system working by attempting to use up capacity

jamming (Availability)
using RF energy to swamp receiver sites

unauthorized use of resources (Integrity)
illicit use of telephony, interrogation of secure databases


TETRA Air Interface security functions

Authentication
TETRA has strong mutual authentication requiring knowledge of secret key

Encryption
Dynamic key encryption (class 3)
Static key encryption (class 2)

Terminal Disabling
Secure temporary or permanent disable

Over the Air Re-keying (OTAR)
for managing large populations without user overhead

Aliasing/User logon
To allow association of user to terminal


User authentication (aliasing)

Second layer of security
Ensures the user is associated with terminal
User logon to network aliasing server
Log on with Radio User Identity and PIN
Very limited functionality allowed prior to log on
Log on/off not associated with terminal registration
Could be used as access control for applications as well as to the Radio system


Security Classes

Class   Authentication   Encryption   Other
1       Optional         None         -
2       Optional         Static       ESI
3       Mandatory        Dynamic      ESI


Authentication

Used to ensure that terminal is genuine and allowed on network.
Mutual authentication ensures that, in addition to verifying the terminal, the SwMI can be trusted.
Authentication requires that both SwMI and terminal have proof of secret key.
Successful authentication permits further security related functions to be downloaded.


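Authentication process

[Diagram: authentication exchange between Mobile, Base station and Authentication Centre. K and the Random Seed (RS) feed TA11 to give KS (Session key); Rand and KS feed TA12 to give Result at the mobile and Expected Result in the infrastructure; the two are compared (Same?).]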


Deriving DCK from mutual authentication

[Diagram: Infrastructure-MS authentication yields DCK1 and MS-Infrastructure authentication yields DCK2; TB4 combines DCK1 and DCK2 into DCK.]
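
The exchange on the two preceding slides, modelled end to end as an added example (not code from the presentation). HMAC-SHA256 stands in for the TA11, TA12 and TB4 algorithms, and the function names, byte lengths and the role-swapped second run are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def prf(key, label, data, n):
    # Assumption: HMAC-SHA256 stands in for the real TETRA algorithms.
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]

def session_key(k, rs, direction):
    # TA11 role: secret key K + Random Seed (RS) -> session key KS
    return prf(k, b"KS" + direction, rs, 16)

def response(ks, rand, direction):
    # TA12 role: KS + challenge Rand -> (Result, DCK part); lengths are illustrative
    out = prf(ks, b"RES" + direction, rand, 14)
    return out[:4], out[4:]

def one_way_auth(k_verifier, k_prover, direction):
    """One challenge-response run; K itself is never transmitted."""
    rs = secrets.token_bytes(10)                      # fresh random seed
    rand = secrets.token_bytes(10)                    # fresh challenge
    expected, dck_v = response(session_key(k_verifier, rs, direction), rand, direction)
    result, dck_p = response(session_key(k_prover, rs, direction), rand, direction)
    return hmac.compare_digest(result, expected), dck_v, dck_p   # "Same?"

def mutual_auth(k_swmi, k_ms):
    """Returns (ok, DCK at the MS, DCK at the SwMI)."""
    ok1, dck1_swmi, dck1_ms = one_way_auth(k_swmi, k_ms, b"1")  # SwMI verifies MS
    ok2, dck2_ms, dck2_swmi = one_way_auth(k_ms, k_swmi, b"2")  # MS verifies SwMI
    if not (ok1 and ok2):
        return False, None, None
    # TB4 role: combine DCK1 and DCK2 into DCK
    dck_ms = prf(dck1_ms + dck2_ms, b"TB4", b"", 10)
    dck_swmi = prf(dck1_swmi + dck2_swmi, b"TB4", b"", 10)
    return True, dck_ms, dck_swmi

if __name__ == "__main__":
    k = secrets.token_bytes(16)                       # constructed shared secret K
    print(mutual_auth(k, k))                          # genuine terminal
    print(mutual_auth(k, secrets.token_bytes(16)))    # terminal without the right K
```

Because RS and Rand are fresh on every run, a recorded Result cannot be replayed and each successful authentication yields a different DCK.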


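Encryption Process

[Diagram: the Traffic Key, CN, LA and CC feed the combining algorithm (TB5); together with the Initialisation Vector (IV), the Key Stream Generator (TEA[x]) produces Key Stream Segments, which are combined with the clear data in (A B C D E F G H I) by modulo 2 addition (XOR) to give the encrypted data out.]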

Air Interface traffic keys

Four traffic keys are used in class 3 systems:

Derived Cipher Key (DCK)
derived from authentication process, used for protecting uplink, one to one calls

Common Cipher Key (CCK)
protects downlink group calls and ITSI on initial registration

Group Cipher Key (GCK)
provides crypto separation, combined with CCK

Static Cipher Key (SCK)
used for protecting DMO and TMO fallback mode


DMO Security

Implicit Authentication
Static Cipher keys
No disabling


TMO SCK OTAR scheme

[Diagram: Key Management Centre and TETRA Infrastructure]

DMO SCKs must be distributed when terminals are operating in TMO.
In normal circumstances, terminals should return to TMO coverage within a key lifetime.
A typical DMO SCK lifetime may be between 2 weeks and 6 months.


Key Overlap scheme used for DMO SCKs

[Diagram: Past, Present and Future key versions; Transmit on Present; Receive on Past, Present and Future.]

The scheme uses Past, Present and Future versions of an SCK.

System Rules
Terminals may only transmit on their Present version of the key.
Terminals may receive on any of the three versions of the key.
This scheme allows a one key period overlap.
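
The transmit and receive rules above, applied to two terminals that roll over at different times (an added example, not from the presentation). The key values are constructed, an HMAC tag stands in for SCK encryption so that only key matching is modelled, and the Terminal class and link helper are hypothetical names.

```python
import hashlib
import hmac

def sck(version):
    # Constructed key material; a real SCK is issued by the Key Management Centre.
    return hashlib.sha256(b"constructed-sck-%d" % version).digest()[:10]

class Terminal:
    def __init__(self, present):
        self.present = present            # version number currently held as Present

    def keys(self):
        v = self.present
        return {"Past": sck(v - 1), "Present": sck(v), "Future": sck(v + 1)}

    def rollover(self):
        self.present += 1                 # Present becomes Past, Future becomes Present

    def transmit(self, payload):
        # Rule: transmit only on the Present version of the key
        tag = hmac.new(self.keys()["Present"], payload, hashlib.sha256).digest()
        return payload, tag

    def receive(self, frame):
        # Rule: receive on any of the three versions; report which one matched
        payload, tag = frame
        for slot, key in self.keys().items():
            candidate = hmac.new(key, payload, hashlib.sha256).digest()
            if hmac.compare_digest(tag, candidate):
                return slot
        return None                       # no held version matches: frame is unreadable

def link(a, b):
    """(slot b uses to receive a, slot a uses to receive b); None means no reception."""
    return b.receive(a.transmit(b"dmo call")), a.receive(b.transmit(b"dmo call"))

if __name__ == "__main__":
    a, b = Terminal(5), Terminal(5)
    print(link(a, b))                     # both on the same key period
    a.rollover()
    print(link(a, b))                     # one period apart: the overlap still works
    a.rollover()
    print(link(a, b))                     # two periods apart: no common usable key
```

A terminal that misses more than one key period has to return to TMO coverage for new SCKs before it can rejoin DMO calls.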


Disabling of terminals

Vital to ensure the reduction of risk of threats to system by stolen and lost terminals
Relies on the integrity of the users to report losses quickly and accurately.
May be achieved by removing subscription and/or disabling terminal
Disabling may be either temporary or permanent
Permanent disabling removes all keys including (k)
Temporary disabling removes all traffic keys but allows ambience listening


End to end encryption

[Diagram: MS, Network, MS. Air interface security between MS and network; end-to-end security between MSs.]

Protects messages across an untrusted infrastructure
Provides enhanced confidentiality
Voice and SDS services
IP data services (soon)


End to end encryption features

Additional synchronization carried in stolen half frames
Standard algorithms available or national solutions
Key Management in User Domain


Limitations of End to End Encryption

Only protects the user payload (confidentiality protection)
Requires a transparent network with no transcoding: all the bits encrypted at the transmitting end must be decrypted at the receiver
Will not work outside the TETRA domain
Frequent transmission of synchronization vector is needed to ensure good late entry capability, but as frame stealing is used this may impact slightly on voice quality.


End to end keys

Traffic Encryption Key (TEK). Three editions used in terminal to give key overlap.
Group Key Encryption Key (GEK) used to protect TEKs during OTAR.
Unique KEK (long life) used to protect GEKs during OTAR.
Signalling Encryption Keys (SEK) used optionally for control traffic


Benefits of end to end encryption with Air Interface encryption

Air interface (AI) encryption alone and end to end encryption alone both have their limitations
For most users AI security measures are completely adequate
Where either the network is untrusted, or the data is extremely sensitive, then end to end encryption may be used in addition
Brings the benefit of encrypting addresses and signalling as well as user data across the Air Interface and confidentiality right across the network


Conclusions

Security functions built in from the start!
User friendly and transparent key management.
Air interface encryption protects control traffic, IDs as well as voice and user traffic.
Key management comes without user overhead because of OTAR.
