Presentation is loading. Please wait.

Presentation is loading. Please wait.

TETRA Experience 2006 Sao Paulo July 18th 2006.

Published bySamson Heath Modified over 8 years ago

Similar presentations

Presentation on theme: "TETRA Experience 2006 Sao Paulo July 18th 2006."— Presentation transcript:

1 TETRA Experience 2006 Sao Paulo July 18th 2006

2 TETRA Security Encryption and Management
Ramón Montañez

3 TETRA Experience - Brazil
Agenda Security threats TETRA security features Authentication Air interface Encryption End to End encryption Practical security measures July 18-19, 2006 TETRA Experience - Brazil

4 What we want to achieve with Security
Confidentiality No one can eavesdrop on what we are saying Integrity The information gets there completely intact Availability Communications are possible where and when they are needed Authenticity The people we are talking to are the right people The wrong people can’t try and join us July 18-19, 2006 TETRA Experience - Brazil

5 Threats to communication and the threats to security
Message related threats interception, eavesdropping, masquerading, replay, manipulation of data User related threats traffic analysis, observability of user behavior System related threats denial of service, jamming, unauthorized use of resources July 18-19, 2006 TETRA Experience - Brazil

6 TETRA Experience - Brazil
Network Security IT security is vital in TETRA networks Gateways are particularly vulnerable. Operating staff need vetting Firewalls required at access points to the network July 18-19, 2006 TETRA Experience - Brazil

7 Key Definitions of TETRA Security
Authentication - ensures only valid subscriber units have access to the system and subscribers will only try and access the authorized system Air Interface Encryption – protects all signaling, identity and traffic across the radio link End-to-End Encryption protects information as it passes through the system Base Station Infrastructure Dispatcher ????” 1. Authentication 2. Air Interface Encryption 3. End - to End Encryption XYZ” July 18-19, 2006 TETRA Experience - Brazil

8 TETRA Experience - Brazil
Authentication Used to ensure that terminal is genuine and allowed on network. Mutual authentication ensures that in addition to verifying the terminal, the SwMI can be trusted. Authentication requires both SwMI and terminal have proof of secret key. Successful authentication permits further security related functions to be downloaded. July 18-19, 2006 TETRA Experience - Brazil

9 TETRA Experience - Brazil
Authentication Authentication Center Challenge Session keys Calculated Response Switch Secret keys Mutual Challenge MS Calculated Response Authentication provides proof identity of all radios attempting use of the network Radio can authenticate the network in turn, protects against ‘fake base stations’ etc A session key system from a central authentication centre allows highly secure key storage Secret key need never be exposed Authentication process derives air interface key (TETRA standard) – automatic key changing! July 18-19, 2006 TETRA Experience - Brazil

10 Radio Security Provisioning And Key Storage
TETRA MoU SFPG Recommendation 01 provides a standardized format for importing authentication and other air interface encryption keys Use of Recommendation 01 files will allow multi vendor terminal supply Separation of logical key programming step from factory can allow all keys to be loaded in country Meets national security requirements SCK, GCK etc… Standardized format Imports key material from any vendor AuC TEI Factory TEI TETRA SwMI Key Programming K K, TEI July 18-19, 2006 TETRA Experience - Brazil

11 What is Air Interface Encryption?
First level encryption used to protect information over the Air Interface Typically software implementation Protects almost everything – speech, data, signaling, identities… Class Encryption OTAR Authentication 1 No No Optional 2 Static key Optional Optional 3 Dynamic key Mandatory Mandatory July 18-19, 2006 TETRA Experience - Brazil

12 The purpose of Air Interface Encryption
Network fixed links are considered difficult to intercept. Clear Air Interface! The air interface was considered vulnerable. Air Interface encryption was designed to make the air interface comparably as secure as the fixed line connection Air Interface Encryption Fixed Links Operational Information July 18-19, 2006 TETRA Experience - Brazil

13 Air Interface traffic keys
Four traffic keys are used in class 3 systems:- Derived cipher Key (DCK) derived from authentication process used for protecting uplink, one to one calls Common Cipher Key (CCK) protects downlink group calls and ITSI on initial registration Group Cipher Key (GCK) Provides crypto separation, combined with CCK Static Cipher Key (SCK) Used for protecting DMO and TMO fallback mode July 18-19, 2006 TETRA Experience - Brazil

14 Standard air interface algorithms
TEA1 and TEA4 General use including public safety TEA2 Europe public safety and military organizations only. TEA3 For use by public safety and military organizations outside of Europe. July 18-19, 2006 TETRA Experience - Brazil

15 Over The Air Re-keying (OTAR)
Populations of terminals tend to be large and spread over wide areas so the only practical way to change encryption keys is by OTAR This is done securely by using a derived cipher key or a session key to wrap the downloaded key The security functionality is transparent to the user as the network provider would normally be responsible for OTAR and management of AI keys July 18-19, 2006 TETRA Experience - Brazil

16 End to end encryption in TETRA
ETSI Project TETRA provides standardized support for end to end Encryption ETSI EN contains specific end to end specification Ensures TETRA provides a standard alternative to proprietary offerings and technologies Ensures compatibility between infrastructures and terminals Many organizations want their own algorithm Confidence in strength Better control over distribution TETRA MoU – Security and fraud Protection Group (SFPG) Provides detailed recommendation on how to implement end to end encryption in TETRA The result – Standardization and compatibility, with choice of algorithm A big strength of TETRA July 18-19, 2006 TETRA Experience - Brazil

17 Standard end to end encryption algorithms
There are no ‘standard’ algorithms defined by SFPG but: IDEA was defined as a good candidate 64 bit block cipher algorithm for use with TETRA and test data and an example implementation was produced AES128 (Rijndael) was defined as a good candidate 128 bit block cipher algorithm for use with TETRA and test data and an example implementation was produced Both algorithms have proved popular with public safety organizations and give a good level of security assurance to sensitive data July 18-19, 2006 TETRA Experience - Brazil

18 End To End Encryption ‘Standardization’
TETRA MoU SFPG Recommendation 02 Framework for end to end encryption Recommended synchronization method for speech calls Protocol for Over The Air Keying Sample implementations including algorithm mode and key encryption DOES NOT specify implementation – can be implemented with module, software, SIM card etc.. DOES NOT provide module interface specification July 18-19, 2006 TETRA Experience - Brazil

19 Related Recommendations
TETRA MoU SFPG Recommendation 01 Key transfer specification Currently being updated to include end to end encryption key import formats TETRA MoU SFPG Recommendation 07 Short data service encryption TETRA MoU SFPG Recommendation 08 Framework for dividing encryption functionality between a SIM (smartcard) and a radio No defined bit level interface (export control issue) TETRA MoU SFPG Recommendation 11 IP Packet data encryption Work in process Will provide a suitable means for high security packet data encryption, with commonality with voice encryption July 18-19, 2006 TETRA Experience - Brazil

20 Implementing TETRA security
TETRA security measures are by no means the complete picture How well they are implemented – and how the implementation is evaluated is critical The rest of the network – what else connects to TETRA – is equally important The operational process and procedures equally provide countermeasures to the threats Link Other Network Other Network TETRA Network Other Network Landline July 18-19, 2006 TETRA Experience - Brazil

21 Implementation considerations – Air Interface Encryption
AIE should provide security equivalent to the fixed network There are several issues of trust here Do I trust that the AIE has been implemented properly? Does AIE always operate (during registration, in fallback modes etc)? Do I trust the way that the network (or radio) stores keys? Do I trust the fixed network itself or can someone break in? A strong AIE implementation and an evaluated network can provide essential protection of information An untested implementation and network may need reinforcing, for example with end to end encryption July 18-19, 2006 TETRA Experience - Brazil

22 TETRA Experience - Brazil
Benefits of end to end encryption in combination with Air Interface encryption Air interface (AI) encryption alone and end to end encryption alone both have their limitations For most users AI security measures are completely adequate Where either the network is untrusted, or the data is extremely sensitive then end to end encryption may be used in addition as a overlay. Brings the benefit of encrypting addresses and signalling as well as user data across the Air Interface and confidentiality right across the network July 18-19, 2006 TETRA Experience - Brazil

23 Disabling of terminals
Vital to ensure the reduction of risk of threats to system by stolen and lost terminals Relies on the integrity of the users to report losses quickly and accurately. Disabling may be either temporary or permanent Disabling stops the terminal working as a radio and: Permanent disabling removes all keys including (k) Temporary disabling removes all traffic keys but allows ambience listening The network or application must be able to remember disable commands to terminals that are not live on the network at the time of the original command being sent. July 18-19, 2006 TETRA Experience - Brazil

24 Useful Recommendations
TETRA MoU SFPG Recommendation 03 – TETRA threat analysis Gives an idea of possible threats and countermeasures against a radio system TETRA MoU SFPG Recommendation 04 – Implementing TETRA security features Provides guidance on how to design and configure a TETRA system Both documents are restricted access requiring Non Disclosure Agreement with SFPG July 18-19, 2006 TETRA Experience - Brazil

25 Assuring your security solution
There are two important steps in assuring the security of the solution: Evaluation and Accreditation Evaluation of solutions should be by a trusted independent body Technical analysis of design and implementation Accreditation is the continual assessment of risks Assessment of threats vs. solutions Procedural and technical solutions Should be undertaken by end user representative and/or their government national security organization July 18-19, 2006 TETRA Experience - Brazil

26 Maximizing cost effectiveness
Evaluation can be extremely expensive – how to get best value for money? Establish the requirements in advance as far as they are known – security is always a changing requirement! Look for suppliers with track record and reputation Look for validations of an equivalent solution elsewhere Consider expert help on processes and procedures July 18-19, 2006 TETRA Experience - Brazil

27 What security level do you want?
TETRA Class 1 TETRA Class 2 TETRA Class 3 TETRA w/ E2E algorithm on Smart Card TETRA w/ E2E SW algorithm in radio TETRA w/ E2E hardware solution TETRA your Service July 18-19, 2006 TETRA Experience - Brazil

28 TETRA Experience - Brazil
Thank You July 18-19, 2006 TETRA Experience - Brazil 18

29 TETRA Experience 2006 Sao Paulo July 18th 2006

30 TETRA Data Services & Applications
Ole Arrhenius TETRA Experience Sao Paulo,

31 Contents Basic data services in TETRA The concern about data speed
TETRA data applications, examples Wireless Application Protocol, WAP Towards higher data speeds Conclusions

32 Basic data services in TETRA
4 channels Status messages efficient, real time Short Data Service, SDS text messaging + application platform IP packet data advanced applications, opens the world of Intranet and Internet connectivity Circuit mode data for specialized applications, rarely used 1 2 36 kbits/s gross bit rate 3 4 Carrier

33 Status messages Data sent as 16 bit numeric values
32768 values free for use, the rest reserved for system use Converted into text in the receiving terminal or workstation Fast and efficient Easy to use Sent over control channel, do not load traffic channels

34 Short Data Service Four SDS-types specified by TETRA standard: SDS-1, SDS-2, SDS-3 and SDS-4 TL SDS-1, -2 and -3 are fixed length (16, 32, 64 bits) SDS-4 TL is variable length (max 1278 bits). Protocol identifier defines how SDS-4 is used, most typical use is text messaging (140/160 chars) and AVL Data sent over control channel or traffic channel (simultaneous voice and data) Text entry using the keypad of the phone, single device for voice and data Hello, I will be back in the ioffice in 15 minutes. I will call you then. John OK MM05 11:28 p12553: VIPs arriving in 5 minutes at gate 23, prepare security and transport. OK

35 IP-packet data Similar to the GPRS service in GSM networks
Enables advanced data applications Enables Intranet and Internet connectivity Excellent application platform Uses traffic channel, single slot or multiple time slots

36 TETRA data services enable a wide range of applications
Database access Image communications Intranet/internet access Reporting , calendar Workforce management CC&C system integration File transmission Information push, alarm distribution Information pull Control and monitoring, telemetry

37 TETRA fullfils 95% of daily data needs
Fundamental daily services 95% TETRA GPRS EDGE 3G Data speed < 28 kbps < 40kbps < 160kbps < 1Mbps Multimedia services Text, images Text, images, video Internet/intranet access Yes Complementing non-critical services 5% Complementary wireless data services can be used to complement non-critical data services, if necessary

38 The concern of data speed
Single slot IP packet data provides approximately 3 … 4 kbps payload Multislot data increases performance but has side effects Increased power consumption in handsets Decreases voice capacity Robust basic data services more important than extreme speeds especially in public safety Majority of daily data services consist of low data volume database queries in the range of 0.5 … 10 kB per transaction Smart applications are more important than the raw data speed, bloated applications will eat available bandwidth, no matter how much bandwidth is available

39 The concern of data speed, example
Optimized for handportable radio’s screen 7 kB Original photo image taken with a digital camera. Original size is 1600x1200 and file size 1MByte Pixel size of a TETRA handheld terminal typically 100 x 130 pixels Compression and optimization for 100x130 pixel screen shrinks the 1MByte image into 7 kilobytes 100 x 130 x 16 (colour) = 26 kBytes With further optimisation and compression from 26 kB to 7 kB

40 Example of an integrated, smart application
Police field command application using AVL, on-board databases, status messaging, text messages and IP packet data Minimizes over-the-air data, yet very graphics intensive and informative

41 On screen AVL map with touch screen action buttons …

42 ZOOM + ZOOM -- F9 MOB F1 Show F2 Report/His F3 Status F4 Maps/AVL
F5 Messages F6 Equipment F7 Forms/En POKE/K1 F8 Setup 812 Free On the way 813 At scene Transport ZOOM + Not in car 811 ZOOM -- Car chase 814 Off-duty F9 MOB

43 Send only the necessary information over the air
Keep high volume, ‘static’ data (maps, images, floorplans of buildings) in onboard databases Update static data at the station using fixed LAN or WLAN Over the air information is typically low volume: Location information Status of field units Text messaging Compressed images

44 More examples of applications using TETRA data services

45 Automatic Vehicle/Person Location, AVL / APL
Integrated GPS in new terminals Position of every unit in real time Location shown on GIS at Command and control room TETRA SDS or TETRA IP can be used to deliver location information New ETSI LIP standard for compact SDS location information, 76 bits instead of about 200 bits

46 Image communication ”One picture paints thousand words”
TETRA IP one slot packet data is sufficient for image transmission Image compression technologies reduce data volumes for fast transmission, e.g. JPEG2000 Retrieve images from a database (pull) Send images from command and control centre (push) Increases efficiency and officer safety

47 Wireless Application Protocol (WAP)
Specified to create a global protocol to work across differing wireless network technologies WAP offers bearer independence Allows applications developed to work across TETRA and GSM and GPRS Optimised for the constraints of handheld devices WAP Server Application Portal 2. Locate 3. Mail 4. Report 5. Search Link Menu TETRA

48 What about the future ?

49 TETRA High Speed Data TETRA high speed data is part of TETRA 2 standardization TETRA HSD will complement the current TETRA services with higher data speeds User experience comparable to GPRS/EDGE Very spectrum-efficient Adapts its speed (modulation) when necessary

50 Development continues
Next … TETRA High Speed Data Evolution Java Multi-slot packet data Situation awareness Integrated GPS Colours Advanced location applications Image communication Time

51 Summary TETRA provides a rich set of basic and advanced data services
Data applications complement TETRA voice services IP over TETRA is a solid and robust platform for data applications Accessing data from the field opens totally new opportunities for public safety and other user segments Data speed in TETRA IP cover the majority of current needs

52 TETRA Experience 2006 Sao Paulo July 18th 2006

Download ppt "TETRA Experience 2006 Sao Paulo July 18th 2006."

Similar presentations

Voice and Data Encryption over mobile networks July 2012 IN-NOVA TECNOLOGIC IN-ARG SA www.in-arg.com MESH VOIP.

Voice and Data Encryption over mobile networks July 2012 IN-NOVA TECNOLOGIC IN-ARG SA MESH VOIP.
Brian Murgatroyd UK Home Office

Brian Murgatroyd UK Home Office
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
TETRA - Direct Mode Operation

TETRA - Direct Mode Operation
TETRA Congress Warsaw, 13.-14.6.2006 TETRA Data Services & Applications Hannu Vilppunen Warsaw June 2006 Presented by Risto Toikkanen.

TETRA Congress Warsaw, TETRA Data Services & Applications Hannu Vilppunen Warsaw June 2006 Presented by Risto Toikkanen.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Su Youn Lee, Su Mi Lee and Dong Hoon Lee 2007.1.24 Current Trends in Theory and Practice of Computer Science Baekseok College of Cultural Studies GSIS.

Su Youn Lee, Su Mi Lee and Dong Hoon Lee Current Trends in Theory and Practice of Computer Science Baekseok College of Cultural Studies GSIS.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Copyright 2005-2009: Hi Tech Criminal Justice, Raymond E. Foster Police Technology Police Technology Chapter Four Police Technology Networks.

Copyright : Hi Tech Criminal Justice, Raymond E. Foster Police Technology Police Technology Chapter Four Police Technology Networks.
TETRA Inter System Interface (ISI)

TETRA Inter System Interface (ISI)
Telefónica Móviles España GPRS (General Packet Radio Service)

Telefónica Móviles España GPRS (General Packet Radio Service)
How secure are 802.11b Wireless Networks? By Ilian Emmons University of San Diego.

How secure are b Wireless Networks? By Ilian Emmons University of San Diego.
Security Encryption and Management

Security Encryption and Management
Doc.: IEEE 802.11-04/0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.

Doc.: IEEE /0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.
© GPRShelp 2004 An Introduction To GPRS. © GPRShelp 2004 Contents What is GPRS? GPRS Applications GPRS Myths GPRS Services Email – the killer application.

© GPRShelp 2004 An Introduction To GPRS. © GPRShelp 2004 Contents What is GPRS? GPRS Applications GPRS Myths GPRS Services – the killer application.
TWC 2005 Frankfurt 1 INTRODUCTION TO TETRA SECURITY Brian Murgatroyd UK Police IT Organization.

TWC 2005 Frankfurt 1 INTRODUCTION TO TETRA SECURITY Brian Murgatroyd UK Police IT Organization.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
I-mode Revolutionary Wireless Internet Technology Marc Lisevich Bryan Kwan Jay Hoang.

I-mode Revolutionary Wireless Internet Technology Marc Lisevich Bryan Kwan Jay Hoang.
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
Definitions, Concepts and Applications of TETRA Hannu Villpunen Nokia 14.11.2001.

Definitions, Concepts and Applications of TETRA Hannu Villpunen Nokia

Similar presentations

Ads by Google