Presentation on theme: "Brian Murgatroyd UK Home Office"— Presentation transcript:
1 TETRA SECURITY
Brian Murgatroyd, UK Home Office

2 Agenda
- Why security is important in TETRA systems
- Overview of TETRA security features
- Authentication
- Air interface encryption
- Key Management
- Terminal Disabling
- Using SIMs
- End to End Encryption

The TETRA suite of documents defines a standard for a digital trunked radio system. A fundamental feature, and a key requirement from conception, has been the need to design in security. The range of security features offered is capable of meeting the needs of many types of user, including the public safety community. TETRA has not been designed with just the public safety community in mind, although their requirements exceed those of most users.

3 Security Threats
What are the main threats to your system?
- Confidentiality?
- Availability?
- Integrity?

Threats to communications systems are not just those caused by illicit eavesdropping but fall into three areas:
Confidentiality: the ability of the system to keep user data and traffic secret.
Availability: the continuance of the service reliably and without interruption.
Integrity: the system's strength in ensuring user traffic and data is not altered.

4 Message Related Threats
- interception: by hostile government agencies
- eavesdropping: by hackers, criminals, terrorists (Confidentiality)
- masquerading: pretending to be legitimate user
- manipulation of data: changing messages (Integrity)
- replay: recording messages and replaying them later

These threats are related to the messages: the user traffic. Interception and eavesdropping may occur easily in systems without encryption and are a threat to confidentiality. Masquerading as a legitimate user may occur often if terminals can be cloned and the subscriber identity copied. Manipulation of data may occur if an intermediary can capture the message and change it; an example of this is replay, where the message is recorded, stored and replayed over the system.

5 User Related Threats
- traffic analysis (Confidentiality): getting intelligence from patterns of the traffic
  - frequency
  - message lengths
  - message types
- observability of user behaviour (Confidentiality): examining where the traffic is observed
  - times of day
  - number of users

User related threats differ from message related threats in that they do not attempt to decode messages and eavesdrop, but gain intelligence from analyzing user traffic: its length, type of message and location.

6 System Related Threats
- denial of service (Availability): preventing the system working by attempting to use up capacity
- jamming (Availability): using RF energy to swamp receiver sites
- unauthorized use of resources (Integrity): illicit use of telephony, interrogation of secure databases

This group of threats does not attack the user in any way but aims to stop the system working. Jamming is a good example, where the user is denied service because the receivers are jammed by signals affecting the base station or terminal receivers. The other threats in this category involve unauthorised access to databases and changing their content so that, for example, user registration details are removed or changed.

7 TETRA Security features
- Authentication
- Air Interface encryption
- Temporary/permanent disabling
- Aliasing/User logon
- Ambience listening
- Discrete Listening
- Lawful Interception

The threats shown in the earlier slides are countered in TETRA by the security features above. TETRA has been designed with security in mind and requires a large number of measures with which to protect against all the different threats.

8 Security Classes

Class  Authentication  Encryption  Other
1      Optional        None        -
2      Optional        Static      ESI
3      Mandatory       Dynamic     ESI

Mobiles may support one, several or all security classes.
A base station at any one time may support either:
- class 1 only
- class 2 only
- class 3 only
- class 3 and 1
Class 2 and 3 cannot be used at the same time at a base station.

The security class of a base station is transmitted as part of the system information broadcast message. If the terminal supports the level of security in the broadcast it may attach to the base station, but it should be implemented so that it does not attach if it cannot support it.

9 Authentication
- Used to ensure that terminal is genuine and allowed on network.
- Mutual authentication ensures that, in addition to verifying the terminal, the SwMI can be trusted.
- Authentication requires both SwMI and terminal have proof of secret key.
- Successful authentication permits further security related functions to be downloaded.

Authentication is a very powerful security feature which is useful in different ways depending on the type of system. In public access systems authentication protects against spoof terminals using the system. Public safety systems need strong authentication to ensure that only bona fide terminals are allowed on the system and that systems may be trusted.

10 Authentication process
[Diagram: Mobile, Base station and Authentication Centre. Labels: K, Random Seed (RS), Rand, TA11, TA12, KS (session key), Expected Result, Result, "Same?"]

This slide illustrates the process for the authentication of a mobile unit by the infrastructure. The process is symmetric, with both parties relying on their knowledge of a secret piece of information - the authentication key, k. Authentication is achieved when both parties are able to demonstrate that they share the same secret information. Note that k is never transmitted.
There are 3 ways of generating k in the mobile - PIN, UAK or PIN/UAK. UAK is by far the most common method used.
Authentication of the infrastructure by a terminal follows a similar process but different authentication algorithms are used.
Authentication may be mutual. The decision to make the authentication mutual is made by the first party to be challenged.
k is 128 bits in length.
Random No and Random Seed are each 80 bits in length.
Result is 32 bits in length.

11 Deriving DCK from mutual authentication
[Diagram labels: Result 1, RAND1, KS, DCK1, DCK, RAND2, DCK2, KS', Result 2]

The authentication algorithm in the base station used for authenticating a mobile generates a cipher key, DCK1, as well as Result. A similar algorithm used by a mobile when authenticating the infrastructure produces another cipher key, DCK2.
If the infrastructure is authenticating a mobile, DCK1 will be produced and DCK2 will be set to 0.
If the mobile is authenticating the infrastructure, DCK2 will be produced and DCK1 will be set to 0.
If mutual authentication is required, DCK will be a result of combining DCK1 and DCK2.
DCK is used for protecting voice, data and signalling.
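
The challenge-response flow of slides 10 and 11, as an added example that is not part of the original presentation. The real TA11/TA12 algorithms and the DCK combining function are not given on the slides, so HMAC-SHA256 is used as a labelled stand-in; the 128-bit KS size and the names `prf`, `Mobile`, `authenticate` and `combine_dck` are assumptions. Field sizes for K, RS, RAND, Result and DCK follow the slides.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """Stand-in for the TETRA authentication algorithms (NOT the real ones)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:nbytes]

def ta11(k: bytes, rs: bytes) -> bytes:
    """Session key KS from K and the random seed RS (128-bit KS assumed)."""
    return prf(k, b"TA11", rs, 16)

def ta12(ks: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """32-bit Result and 80-bit DCK1 from KS and the challenge."""
    out = prf(ks, b"TA12", rand, 14)
    return out[:4], out[4:]

class Mobile:
    def __init__(self, k: bytes):
        self.k = k                      # 128-bit K, never transmitted
        self.dck1 = b""
    def respond(self, rand: bytes, rs: bytes) -> bytes:
        ks = ta11(self.k, rs)           # the mobile recomputes KS itself
        res, self.dck1 = ta12(ks, rand)
        return res

def authenticate(k_at_auc: bytes, mobile: Mobile) -> tuple[bool, bytes]:
    # Authentication centre: only RS and KS leave it, K stays inside.
    rs = secrets.token_bytes(10)        # 80-bit random seed
    ks = ta11(k_at_auc, rs)
    # Base station: 80-bit challenge and the expected result.
    rand = secrets.token_bytes(10)
    xres, dck1 = ta12(ks, rand)
    res = mobile.respond(rand, rs)      # over the air: RAND and RS out, Result back
    ok = hmac.compare_digest(res, xres) # the "Same?" box in the diagram
    return ok, (dck1 if ok else b"")

def combine_dck(dck1: bytes, dck2: bytes) -> bytes:
    """Stand-in combiner; for one-way authentication pass 10 zero bytes."""
    return prf(dck1 + dck2, b"DCK", b"", 10)
```

Both sides end up with the same DCK1 without K or KS ever crossing the air interface; a terminal holding a different K fails the comparison and gets no key.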

12 Air Interface keys
Four traffic keys are used in class 3 systems:
- Derived Cipher Key (DCK): derived from authentication process; used for protecting uplink, one to one calls
- Common Cipher Key (CCK): protects downlink group calls and ITSI on initial registration
- Group Cipher Key (GCK): provides crypto separation, combined with CCK
- Static Cipher Key (SCK): used for protecting DMO and TMO fallback mode

DCK is used wherever possible as it is the most secure. It only has a life equivalent to the authentication period (perhaps 24 hours) and is unique to the terminal. It should always be used for the uplink (MS-BS) link. It cannot be used for downlink group calls (because all MSs have a different DCK).
The CCK is used primarily for protecting downlink group calls. It may also be used for protecting ITSIs on initial registration (as long as the stored CCK is still valid). CCK will probably be a short life key (up to one week).
The GCK is used to enable crypto separation between groups. It is used in conjunction with CCK. It tends to have a longer life than CCK. The traffic key is called MGCK (modified GCK).
The SCK is used as the traffic key in Class 2 systems. In Class 3 systems it is used for protecting DMO transmissions and may be used as a fallback key in TMO in case BSs lose contact with the SwMI.

13 Over the Air Re-Keying (OTAR)
[Diagram: BS and MS either side of the AI; keys shown: KSO (GSKO), DCK, GCK, SCK, CCK, MGCK]

Keys are transferred securely (encrypted) using TETRA's Over The Air Re-keying mechanism (OTAR).
Class 3 systems use DCK as the sealing key for CCK.
SCKs and GCKs use KSO as the sealing key - a key derived using k.
Recent revisions to the TETRA standard include Group Sealing Key for OTAR (GSKO), used to minimize overheads by providing a broadcast function for distributing keys to user groups.
Key sizes: DCK1/DCK2/DCK, CCK, GCK, MGCK, SCK all 80 bits.
GSKO is 96 bits.

14 Encryption Process
[Diagram: Traffic Key and Initialisation Vector (IV) feed the Key Stream Generator (TEA[x]); the Key Stream is combined by modulo 2 addition (XOR) with "Clear data in" (ABCDEFGHI) to give "Encrypted data out" (y4Mv#Qtqc)]

TETRA supports a number of encryption algorithms to cater for different markets:
- TEA1 for Europe (non public safety)
- TEA2 for Europe (public safety)
- TEA3 for outside Europe (public safety)
- TEA4 for outside Europe (non public safety)
Proprietary algorithms can also be used.

Initialisation Vector: the IV for synchronizing the encryption engine for air interface encryption is derived from a number of system parameters:
- slot number: 2 bits - IV(0,1)
- frame number (= 4 slots): 5 bits - IV(2,…6)
- multiframe number (= 18 frames): 6 bits - IV(7,…12)
- hyperframe number (= 60 multiframes): 15 bits - IV(13,…27)
- direction of transmission: 1 bit - IV(28)
IV is transmitted as part of SYNC & SYSINFO (alternate with CCK-id/SCK-VN).
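
The IV layout and the XOR step from slide 14, as an added example that is not part of the original presentation. The TEA algorithms are not described on the slide, so SHAKE-256 stands in for the key stream generator; treating IV(0) as the least significant bit, passing already-encoded field values, and the names `pack_iv`, `unpack_iv`, `keystream` and `xor_crypt` are assumptions.

```python
import hashlib

# (name, width in bits) in the order the slide lists them, IV(0) first.
IV_FIELDS = [("slot", 2), ("frame", 5), ("multiframe", 6),
             ("hyperframe", 15), ("direction", 1)]

def pack_iv(**values: int) -> int:
    """Pack the five fields into a 29-bit IV; IV(0) is taken as the LSB."""
    iv, shift = 0, 0
    for name, width in IV_FIELDS:
        v = values[name]
        if not 0 <= v < (1 << width):
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        iv |= v << shift
        shift += width
    return iv

def unpack_iv(iv: int) -> dict:
    """Recover the field values a receiver would use to stay in sync."""
    out, shift = {}, 0
    for name, width in IV_FIELDS:
        out[name] = (iv >> shift) & ((1 << width) - 1)
        shift += width
    return out

def keystream(traffic_key: bytes, iv: int, n: int) -> bytes:
    """Stand-in key stream generator (SHAKE-256), NOT a TEA algorithm."""
    return hashlib.shake_256(traffic_key + iv.to_bytes(4, "big")).digest(n)

def xor_crypt(traffic_key: bytes, iv: int, data: bytes) -> bytes:
    """Modulo 2 addition of data and key stream; the same call decrypts."""
    ks = keystream(traffic_key, iv, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))
```

Because the direction bit is part of the IV, the same traffic key produces different key streams on uplink and downlink in the same slot.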

15 Disabling of terminals
- Vital to ensure the reduction of risk of threats to system by stolen and lost terminals
- Relies on the integrity of the users to report losses quickly and accurately.
- May be achieved by removing subscription and/or disabling terminal
- Disabling may be either temporary or permanent
- Permanent disabling removes all keys including (k)
- Temporary disabling removes all traffic keys but allows ambience listening

The system must be protected against lost or stolen terminals being used by unauthorized persons. It is likely that in large systems a considerable number of terminals will be lost every year.
In public safety systems it is vital that users report that they have lost their terminals quickly so that their subscription can be removed from the system and the terminal cannot register.
Removing subscription is only partly satisfactory in that it still allows the terminals to be used in DMO, and repeated attempts may be made to register, thereby reducing capacity on that base site.
Terminals may be disabled either temporarily or permanently, which prevents them operating until they are enabled.

16 Security and SIMs
- Many second generation terminals may use SIMs
- SIM contains all personalization information
- Secret key (k) and ITSI must be on SIM if complete SIM mobility required.
- Design must be able to prevent the secret key (k) and traffic keys being extracted
- May be possible to only have talkgroup and phonebook information on SIM (leave ITSI/K in terminal)

There is a problem if all personalization items are held on SIM. ITSI and K are paired together and therefore if ITSI is on the SIM so must K.
There is a security problem if red key material is allowed to pass from the terminal to the SIM or from SIM to terminals, because the interface is vulnerable to attack. Encrypting the interface is possible, but only by using an individual key, therefore negating mobility.
The TETRA MOU SFPG is looking at the possibility of only holding non security information on the SIM and relying on a secure user log-on to give access to talkgroups.

17 End to End Encryption
E2E encryption is supported by TETRA and is mainly of interest to specialist users, for example drug squads and the military, who have very demanding security requirements and for whom, unlike with AI encryption, the infrastructure cannot be trusted to protect their sensitive data.
E2E is only applied to the payload - voice and user data.
E2E encryption is normally used with AI encryption - i.e. voice and data is super encrypted over the air interface. TETRA signalling and user IDs remain protected to AI encryption standard.
To ensure the decrypting engine in the receiver maintains synchronism with the encrypting engine in the transmitter, a synchronization vector is sent periodically. TETRA provides a mechanism known as frame stealing to facilitate this.
E2E encryption implementation is described fully by the SFPG recommendation 02.
Sealed keys are distributed over the air interface using TETRA's SDS service, wrapped using a KEK. As some users may not be in range of the infrastructure when the keys are initially sent, the management proposals include the use of a regime that uses previous, current and future key sets. This improves the interoperability of remote units (e.g. specialist undercover units) who may not want or be able to operate within the infrastructure.
National security and export considerations often restrict enhanced grade encryption algorithms to a particular country. SFPG have however recommended a publicly available baseline algorithm (IDEA) for users who do not have the resources to develop their own solution.

18 End to end encryption features
- No need to trust infrastructure - no intermediate decoding.
- Additional synchronization carried in stolen half frames
- Standard algorithms available or national solutions
- Local Key Management Centres managed by User
- Keys received from national COMSEC authority (depending on National policy)

The Key Management Centre (KMC) will have to store the Unique Key Encryption Keys (KEKs), Group Key Encryption Keys (GEKs), Traffic Encryption Keys (TEKs) and User identities, and be capable of connection to the TETRA system via the SDS.
The KMC must be kept in a secure site and have strict access controls.

19 End to end keys
- Traffic encryption key (TEK). Three editions used in terminal to give key overlap.
- Group Key encryption key (GEK) used to protect TEKs during OTAR.
- Unique KEK (long life) used to protect GEKs during OTAR.
- Signalling Encryption Keys (SEK) used optionally for control traffic

TEKs are changed frequently - e.g. 28 days. Because of the likelihood of users not being able to change keys at the same time, an overlap system may be used such that the terminal may transmit only on his 'Present key' but may receive on his 'Past' or 'Future' keys.
GEKs are common to a user group, thereby allowing group SDS messages to be used in downloading TEKs.
GEKs need changing at longer intervals than TEKs, but to avoid manual re-keying they may be changed by protecting them with a unique KEK. GEKs must be changed individually.
Unique KEKs are stored very securely in the terminal and must be changed manually. They will probably have a long life.
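
The Past/Present/Future overlap described on slide 19, as an added example that is not part of the original presentation. It assumes each TEK edition carries a version number that the receiver can see; `TekSet`, `can_talk` and the sample keys in `KMC_KEYS` are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample keys, standing in for TEK editions issued by the KMC.
KMC_KEYS = {v: bytes([v]) * 16 for v in range(1, 8)}

@dataclass
class TekSet:
    """The three TEK editions held by one terminal."""
    present: int   # version number of the 'Present' key
    keys: dict     # version -> key, for present-1, present, present+1

    @classmethod
    def provision(cls, present: int, keystore: dict) -> "TekSet":
        wanted = (present - 1, present, present + 1)
        return cls(present, {v: keystore[v] for v in wanted if v in keystore})

    def tx_key(self) -> tuple:
        # Transmit only on the 'Present' key.
        return self.present, self.keys[self.present]

    def rx_key(self, version: int):
        # Receive on 'Past', 'Present' or 'Future'; any other edition is unknown.
        return self.keys.get(version)

def can_talk(a: TekSet, b: TekSet) -> bool:
    """True if each terminal can decrypt what the other transmits."""
    va, ka = a.tx_key()
    vb, kb = b.tx_key()
    return b.rx_key(va) == ka and a.rx_key(vb) == kb

# A unit that missed one key change still interoperates; two changes behind, it does not.
updated = TekSet.provision(4, KMC_KEYS)
one_behind = TekSet.provision(3, KMC_KEYS)
two_behind = TekSet.provision(2, KMC_KEYS)
```

With three editions the overlap tolerates exactly one missed change in either direction, which is the window a remote unit has to pick up new TEKs.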

20 Conclusions
- Security functions built in from the start!
- User friendly and transparent key management.
- Air interface encryption protects control traffic and IDs as well as voice and user traffic.
- Key management comes without user overhead because of OTAR.
- Well developed end to end encryption for users with very sensitive data to protect.

TETRA offers a range of security features which may be tailored to the particular system implementation.