Transcript 7_TWC03_Intro_to_security

INTRODUCTION TO TETRA
SECURITY
Brian Murgatroyd
TWC 2003 Copenhagen
1
Agenda
•
•
•
•
•
•
•
Why security is important inT
E
T
RAsystems
Overview of T
E
T
RAsecurity features
A
uthentication
A
ir interface encryption
Key Management
T
erminal Disabling
E
nd toEndEncryption
TWC 2003 Copenhagen
2
Security Threats
• What are the main threats to your
system?
• Confidentiality?
• A
vailability?
• Integrity?
TWC 2003 Copenhagen
3
Message Related Threats
• interception
Confidentiality
– by hostile government agencies
• eavesdropping
– by hackers, criminals, terrorists
• masquerading
– pretending to be legitimate user
• manipulation of data.
Integrity
– changing messages
• Replay
– recording messages and replaying them later
TWC 2003 Copenhagen
4
User Related Threats
• traffic analysis
Confidentiality
– getting intelligence from patterns of the traffic-frequencymessage lengths-message types
• observability of user behaviour. Confidentiality
– examining where the traffic is observed - times of day-number
of users
TWC 2003 Copenhagen
5
System Related Threats
• denial of service
A
vailability
– preventing the system working by attempting to use up capacity
• jamming
A
vailability
– Using RF energy to swamp receiver sites
• unauthorized use of resources
Integrity
– Illicit use of telephony, interrogation of secure databases
TWC 2003 Copenhagen
6
TETRA Air Interface security functions
• A
uthentication
• TETRA has strong mutual authentication requiring knowledge
of secret key
• E
ncryption
– Dynamic key encryption (class 3)
• Static key encryption (class2)
• T
erminal Disabling
• Secure temporary or permanent disable
• Over theAir Re-keying (OT
A
R)
• for managing large populations without user overhead
• A
liasing/U
ser logon
• To allow association of user to terminal
TWC 2003 Copenhagen
7
User authentication (aliasing)
•
•
•
•
•
•
•
Second layer of security
E
nsures the user is associated with terminal
U
ser logon to network aliasing server
log on with RadioUser Identity and PIN
Very limited functionality allowed prior to log on
Log on/off not associated with terminal registration
Could be used as access control for applications as
well as to the Radio system
TWC 2003 Copenhagen
8
Security Classes
Class
1
2
3
A
uthentication
Encryption
Other
Optional
Optional
Mandatory
None
Static
Dynamic
E
SI
E
SI
TWC 2003 Copenhagen
9
Authentication
• U
sed to ensure that terminal is genuine and
allowed on network.
• Mutual authentication ensures that in addition
to verifying the terminal, the SwMI can be
trusted.
• A
uthentication requires both SwMI and terminal
have proof of secret key.
• Successful authentication permits further
security related functions to be downloaded.
TWC 2003 Copenhagen
10
Authentication process
Mobile
Base station
Authentication Centre
K
K
TA11
KS
TA12
RS
Rand
Rand
TA12
RS
TA11
Expected Result
Result
Random
Seed (RS)
KS
(Session key)
Same?
TWC 2003 Copenhagen
11
Deriving DCK from mutual authentication
Infrastructure-MS
authentication
DCK1
TB4
MS-Infrastructure
authentication
DCK
DCK2
TWC 2003 Copenhagen
12
Encryption Process
Traffic Key
Key Stream Generator
(TEA[x])
CN
LA
Combining
algorithm (TB5)
Key Stream Segments
CC
Initialisation
Vector (IV)
Clear data in
Encrypted data out
A BCDE F G H I
y 4M v# Qt q c
Modulo 2 addition (XOR)
TWC 2003 Copenhagen
13
Air Interface traffic keys
• Four traffic keys are used in class 3 systems:• Derived cipher Key (DCK)
– derived from authentication process used for protecting uplink, one to
one calls
• Common Cipher Key(CCK)
– protects downlink group calls and ITSI on initial registration
• Group Cipher Key(GCK)
– Provides crypto separation, combined with CCK
• Static Cipher Key(SCK)
– Used for protecting DMO and TMO fallback mode
TWC 2003 Copenhagen
14
DMO Security
Implicit Authentication
Static Cipher keys
No disabling
TWC 2003 Copenhagen
15
TMO SCK OTAR scheme
TETRA Infrastructure
Key Management
Centre
•
•
•
DMO SCKs must be distributed when terminals are operating
inTMO.
In normal circumstances, terminals should return toTMO
coverage within a key lifetime
Atypical DMO SCK lifetime may be between 2 weeks and 6
months
TWC 2003 Copenhagen
16
Key Overlap scheme used for DMO
SCKs
Past
•
•
•
Transmit
Present
Receive
Future
T
he scheme uses Past, Present and Future versions of an SCK.
System Rules
– Terminals may only transmit on their Present version of the key.
– Terminals may receive on any of the three versions of the key.
T
his scheme allows a one key period overlap.
TWC 2003 Copenhagen
17
Disabling of terminals
• Vital to ensure the reduction of risk of threats
to system by stolen and lost terminals
• Relies on the integrity of the users to report
losses quickly and accurately.
• May be achieved by removing subscription
and/or disabling terminal
• Disabling may be either temporary or
permanent
• Permanent disabling removes all keys
including (k)
• T
emporary disabling removes all traffic keys
but allows ambience listening
TWC 2003 Copenhagen
18
End to end encryption
MS
Network
Air interface security between MS and network
End-to-end security between MS’s
MS
• Protects messages
across an untrusted
infrastructure
• Provides enhanced
confidentiality
• Voice and SDS
services
• IP data services (soon)
TWC 2003 Copenhagen
19
End to end encryption features
• A
dditional synchronization carried in
stolen half frames
• Standard algorithms available or
national solutions
• Key Management inUser Domain
TWC 2003 Copenhagen
20
Limitations of End to End Encryption
• Only protects the user payload (confidentiality
protection)
• Requires a transparent network - no transcoding-All
the bits encrypted at the transmitting end must be
decrypted at the receiver
• Will not work outside theT
E
T
RAdomain
• frequent transmission of synchronization vector
needs to ensure good late entry capability but as
frame stealing is used this may impact slightly on
voice quality.
TWC 2003 Copenhagen
21
End to end keys
• T
raffic encryption key(T
E
K).Three editions used in
terminal to give key overlap.
• Group Key encryption key(GEK) used to
protectionT
E
Ks during OT
A
R.
• U
nique KEK(long life) used to protect GEKs during
OT
A
R.
• SignallingEncryption Keys (SEK) used optionally
for control traffic
TWC 2003 Copenhagen
22
Benefits of end to end encryption with
Air Interface encryption
• A
ir interface (AI) encryption alone and end to end
encryption alone both have their limitations
• For most usersAI security measures are completely
adequate
• Where either the network is untrusted, or the data
is extremely sensitive then end to end encryption
may be used in addition
• Brings the benefit of encrypting addresses and
signalling as well as user data across theAir
Interface and confidentiality right across the
network
TWC 2003 Copenhagen
23
Conclusions
• Security functions built in from the
start!
• U
ser friendly and transparent key
management.
• A
ir interface encryption protects control
traffic, IDs as well as voice and user
traffic.
• Key management comes without user
overhead because of OT
A
R.
TWC 2003 Copenhagen
24