Transcript TWC04_07_Brian_Murgatroyd

INTRODUCTION TO TETRA
SECURITY
Brian Murgatroyd
TWC 2004 Vienna
1
Agenda







Why security is important in TETRA systems
Overview of TETRA security features
Authentication
Air interface encryption
Key Management
Terminal Disabling
End to End Encryption
TWC 2004 Vienna
2
Security Threats
 What are the main threats to your system?
 Confidentiality?
 Availability?
 Integrity?
TWC 2004 Vienna
3
Message Related Threats
 interception
– by hostile government agencies
Confidentiality
 eavesdropping
– by hackers, criminals, terrorists
 masquerading
– pretending to be legitimate user
 manipulation of data.
Integrity
– changing messages
 Replay
– recording messages and replaying them later
TWC 2004 Vienna
4
User Related Threats
 traffic analysis
Confidentiality
– getting intelligence from patterns of the traffic-frequency- message
lengths-message types
 observability of user behaviour.
examining where the traffic is observed - times of daynumber of users
TWC 2004 Vienna
5
System Related Threats
 denial of service
Availability
– preventing the system working by attempting to use up capacity
 jamming
Availability
– Using RF energy to swamp receiver sites
 unauthorized use of resources
Integrity
– Illicit use of telephony, interrogation of secure databases
TWC 2004 Vienna
6
Communications Security






Security is not just encryption!
Terminal Authentication
User logon/Authentication
Stolen Terminal Disabling
Key Management with minimum overhead
All the network must be secure, particularly with a
managed system
TWC 2004 Vienna
7
TETRA Air Interface security functions
 Authentication
 TETRA has strong mutual authentication requiring knowledge
of unique secret key
 Encryption
– Dynamic key encryption (class 3)
 Static key encryption (class2)
 Terminal Disabling
 Secure temporary or permanent disable
 Over the Air Re-keying (OTAR)
 for managing large populations without user overhead
 Aliasing/User logon
 To allow association of user to terminal
TWC 2004 Vienna
8
Authentication
 Used to ensure that terminal is genuine and
allowed on network.
 Mutual authentication ensures that in addition to
verifying the terminal, the SwMI can be trusted.
 Authentication requires both SwMI and terminal
have proof of secret key.
 Successful authentication permits further
security related functions to be downloaded.
TWC 2004 Vienna
9
User authentication (aliasing)







Second layer of security
Ensures the user is associated with terminal
User logon to network aliasing server
log on with Radio User Identity and PIN
Very limited functionality allowed prior to log on
Log on/off not associated with terminal registration
Could be used as access control for applications
as well as to the Radio system
TWC 2004 Vienna
10
Authentication
MS
EBTS
Switch
Service Request
False BTS






Strong mutual authentication used for proving the user/terminal is who he
claims to be.
Only allows legitimate terminals on the network
Only allows the genuine network to be used by terminals
Uses Challenge- Response mechanism based on a unique secret key K
stored in the terminal and in the Authentication Centre (AuC)
All MS’s must be properly authenticated prior to being granted access to the
network
One of the outputs is the Derived Cipher Key used for Air Interface Encryption
TWC 2004 Vienna
11
TETRA Authentication mapping to
network elements
Authentication Centre (AuC)
K known only to
AuC and MS
Generate RS
K
RS
TA11
KS
K
RS
KS (Session key)
RS (Random seed)
TA11
Generate RAND1
KS
RAND1
RS, RAND1
KS
RAND1
RES1
Call
Controller
DCK
EBTS
TA12
RES1
TA12
XRES1
DCK1
DCK1
Compare RES1 and
XRES1
TWC 2004 Vienna
12
Encryption Process
Traffic Key
(X)CK
Key Stream Generator
(TEA[x])
CN
LA
Combining
algorithm (TB5)
Key Stream Segments
CC
Initialisation
Vector (IV)
A BCDE F G H I
Clear data in
y 4M v# Qt q c
Encrypted data out
TWC 2004 Vienna
13
Air Interface traffic keys
 Four traffic keys are used in class 3 systems: Derived cipher Key (DCK)
– derived from authentication process used for protecting uplink, one
to one calls
 Common Cipher Key(CCK)
– protects downlink group calls and ITSI on initial registration
 Group Cipher Key(GCK)
– Provides crypto separation, combined with CCK
 Static Cipher Key(SCK)
– Used for protecting DMO and TMO fallback mode
TWC 2004 Vienna
14
DMO Security
Implicit Authentication
Static Cipher keys
No disabling
TWC 2004 Vienna
15
TMO SCK OTAR scheme
TETRA Infrastructure
Key Management
Centre
 DMO SCKs must be distributed when terminals are operating in
TMO.
 In normal circumstances, terminals should return to TMO
coverage within a key lifetime
 A typical DMO SCK lifetime may be between 2 weeks and 6
months
TWC 2004 Vienna
16
Group OTAR
 OTAR to individuals is inefficient if same keys going
to many terminals
 Need to download to groups rather than individual
terminals to save system capacity
 Requirement for many different sets of keys in large
multi-user network-GCKs and DMO SCKs
 Ensure that the right terminal gets the right keys
TWC 2004 Vienna
17
Key Overlap scheme used for DMO SCKs
Past
Transmit
Present
Receive
Future
 The scheme uses Past, Present and Future versions of an SCK.
 System Rules
– Terminals may only transmit on their Present version of the key.
– Terminals may receive on any of the three versions of the key.
 This scheme allows a one key period overlap.
TWC 2004 Vienna
18
Disabling of terminals
 Vital to ensure the reduction of risk of threats to system by
stolen and lost terminals
 Relies on the integrity of the users to report losses quickly
and accurately.
 May be achieved by removing subscription and/or
disabling terminal
 Disabling may be either temporary or permanent
 Permanent disabling removes all keys including (k)
 Temporary disabling removes all traffic keys but allows
ambience listening
TWC 2004 Vienna
19
End to end encryption
MS
Network
MS
 Protects messages across
an untrusted infrastructure
 Provides enhanced
confidentiality
 Voice and SDS services
 IP data services (soon)
Air interface security between MS and network
End-to-end security between MS’s
TWC 2004 Vienna
20
Features of End to End Encryption
 Only protects the user payload (confidentiality protection)
 Needs an additional synchronization vector
 Requires a transparent network - no transcoding-All the bits encrypted
at the transmitting end must be decrypted at the receiver
 Will not work outside the TETRA domain
 Key Management in User Domain
 No need to trust network provider
 frequent transmission of synchronization vector needed to ensure good
late entry capability but as frame stealing is used this may impact
slightly on voice quality.
TWC 2004 Vienna
21
End to end keys
 Traffic encryption key(TEK). Three editions used
in terminal to give key overlap.
 Group Key encryption key(GEK) used to
protection TEKs during OTAR.
 Unique KEK(long life) used to protect GEKs
during OTAR.
 Signalling Encryption Keys (SEK) used
optionally for control traffic
TWC 2004 Vienna
22
E2e Key Management
Key Management System,
GEK (y)
[TEK]GEK(y)
[GEK(y)]UKEK (x)
Terminal:UKEK (x),
GEK (y)
TWC 2004 Vienna
23
Benefits of end to end encryption with Air
Interface encryption
 Air interface (AI) encryption alone and end to end encryption alone
both have their limitations
 For most users AI security measures are completely adequate
 Where either the network is untrusted, or the data is extremely
sensitive then end to end encryption may be used in addition
 Brings the benefit of encrypting addresses and signalling as well as
user data across the Air Interface and confidentiality right across the
network
TWC 2004 Vienna
24
Conclusions
 Security functions built in from the start!
 User friendly and transparent key
management.
 Air interface encryption protects, control
traffic, IDs as well as voice and user
traffic.
 Key management comes without user
overhead because of OTAR.
TWC 2004 Vienna
25