Introduction to TETRA Security

Slides:



Advertisements
Similar presentations
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Advertisements

Brian Murgatroyd UK Home Office
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Su Youn Lee, Su Mi Lee and Dong Hoon Lee Current Trends in Theory and Practice of Computer Science Baekseok College of Cultural Studies GSIS.
Lecture 1: Overview modified from slides of Lawrie Brown.
How secure are b Wireless Networks? By Ilian Emmons University of San Diego.
Security Encryption and Management
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
TWC 2005 Frankfurt 1 INTRODUCTION TO TETRA SECURITY Brian Murgatroyd UK Police IT Organization.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
The power of TETRA - Direct Mode Operation
1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.
Your Service The Security mechanisms designed into TETRA – a refresher
TETRA Security meeting needs of Military
Cryptography and Network Security
TETRA Security Security mechanisms in TETRA and how to ensure that the
TETRA Security Security mechanisms in TETRA and how to ensure that the
CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.
TWC 2003 Copenhagen1 INTRODUCTION TO TETRA SECURITY Brian Murgatroyd.
1 Chapter 1 – Background Computer Security T/ Tyseer Alsamany - Computer Security.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
Network Security Introduction
Fall 2006CS 395: Computer Security1 Key Management.
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture 1 Introduction Dr. nermin hamza 1. Aim of Course Overview Cryptography Symmetric and Asymmetric Key management Researches topics 2.
Network Security Confidentiality Using Symmetric Encryption Chapter 7.
Network security Presentation AFZAAL AHMAD ABDUL RAZAQ AHMAD SHAKIR MUHAMMD ADNAN WEB SECURITY, THREADS & SSL.
Cryptography and Network Security
CS457 Introduction to Information Security Systems
Chapter 5 Network Security Protocols in Practice Part I
Network Security Presented by: JAISURYA BANERJEA MBA, 2ND Semester.
Wireless Network PMIT- By-
Instructor Materials Chapter 6 Building a Home Network
VIRTUALIZATION & CLOUD COMPUTING
Instructor Materials Chapter 6: VLANs
Cryptography and Network Security
IT443 – Network Security Administration Instructor: Bo Sheng
Network Security.
Secure Sockets Layer (SSL)
BY GAWARE S.R. DEPT.OF COMP.SCI
Firewalls.
Information and Network Security
Name:Shivalila A H,Shima
Angelo Benvenuto Leonardo Finmeccanica.
Routing and Switching Essentials v6.0
Mumtaz Ali Rajput +92 – INFORMATION SECURITY – WEEK 2 Mumtaz Ali Rajput +92 – 301-
Chapter 3: Implementing VLAN Security
Network Security – Kerberos
Cryptography and Network Security
Security Of Wireless Sensor Networks
Chapter 2: Scaling VLANs
Net 323 D: Networks Protocols
Outline Using cryptography in networks IPSec SSL and TLS.
Chinese wall model in the internet Environment
ONLINE SECURE DATA SERVICE
Security of Wireless Sensor Networks
Mobile IP Outline Homework #4 Solutions Intro to mobile IP Operation
Introduction to Cryptography
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
WJEC GCSE Computer Science
Cryptography and Network Security
Security in Wide Area Networks
Security in Wireless Metropolitan Area Networks (802.16)
Security in Wireless Metropolitan Area Networks (802.16)
Presentation transcript:

Introduction to TETRA Security Brian Murgatroyd Chairman, TC TCCE (TETRA) former chairman TC TETRA WG6, TCCA SFPG

Agenda Why TETRA security is important Practical threats to TETRA systems TETRA Security objectives TETRA Air Interface Security mechanisms: Authentication Air interface encryption DMO Security Terminal disabling End to end encryption E2ee process E2ee Key management The TETRA standards define certain interfaces for a digital trunked radio system. A fundamental feature and a key requirement from conception, has been the need to design-in security. The range of security features offered is capable of meeting the needs of many types of user, including the public safety community. TETRA has not been designed with just the public safety community in mind although their requirements exceed those of most users. As well as the security features to be found in TETRA systems they must be designed with IT security in mind particularly where TETRA systems are designed with IP based infrastructures and are therefore vulnerable to attacks via system gateways etc. End to end encryption is also offered as a feature which allows users to be sure that their confidentiality is assured all the way through a system. .

Practical Security threats in TETRA systems Confidentiality Eavesdropping interception of signalling and addresses for traffic analysis Integrity Replay attacks Masquerading as a legitimate user Availability Flooding the network with messages Jamming attacks via the IP network to switch off the functional boxes Natural disasters- fire, flood, earthquake Software defined radio module Message related threats Are concerned with the user traffic. Interception and eavesdropping may occur easily in systems without encryption and are a threat to confidentiality. Masquerading as a legitimate user may occur often if terminals can be cloned and the subscriber identity copied. Manipulation of data may occur if an intermediary can capture the message and change it, an example of this is replay where the message is recorded, stored and replayed over the system. There is a considerable threat from replaying messages that have been recorded off-air User related threats Differ from message related threats in that they do not attempt to decode messages and eavesdrop but gain intelligence from analyzing user traffic from its length, type of message and location. System related threats Do not attack the individual user in any way but aim to stop the system working . They include: denial of service, i.e. preventing the system working by attempting to use up capacity An example of this is jamming, using RF energy to swamp receiver sites. Attacks on the wider network which could affect large parts or all of it. Natural disasters, freak weather. Unauthorized use of resources Illicit use of telephony, interrogation of secure databases The other threats in this category involve unauthorised access to databases and changing their content so that for example user registration details are removed or changed. TETRA hacking Software defined radios are now widely available. The model pictured costs $25USD They can used with software downloaded from the internet which will decode TETRA and expose all the signalling. If there is no encryption in place then all the speech, short data and data messages are available.

What we want to achieve with security countermeasures Confidentiality –No one can eavesdrop on our speech, messaging and data communications –Signalling and addresses are protected􀂾 Authenticity –The people we are talking to are the right people –The wrong people can’t try and join us􀂾 Integrity –The information gets there completely and intact􀂾 Availability –Communications are possible where and when they are needed􀂾 Accountability (Non repudiation) –Whoever said something, can’t deny it later – Provide confidentiality of speech and data from eavesdropping Ensure users are protected against lost or stolen terminals Protection of user information Confidentiality of identity and call related information Protection from traffic analysis Protection of the network Fraud prevention Prevention of overload and denial of service attack Protection over the radio link, but also inside the network in the cases where this is needed Protection of user data

Layers of security Information Authentication Air interface encryption Proof of identity Air interface encryption Confidentiality at the radio link End to end encryption Confidentiality throughout the network Management functions Terminal disable Key management Attackers TETRA standards TC TETRA WG6 Two sources of information Recommend- SFPG ations In order to counter the threats discussed earlier TETRA has a range of security measures that will reduce or remove the major threats. Although confidentiality is very important and the air interface needs encrypting to protect against interception, it is equally important to ensure that only valid terminals are allowed on the network thorough the use of authentication and that stolen terminals can be securely disabled. The security functions must be automated as far as possible particularly with regard to changing encryption keys and over the air re-keying is widely used. These functions described above relate to communications security but it should be noted that there are also many vulnerabilities in the overall network which should be protected to avoid attacks in the IP network. There must be good protection applied to all gateways and network interfaces. These network security measures are out of scope for this presentation. Open standard information Advice on use, and technical specifications

Authentication Authentication provides proof of identity using a challenge response mechanism MS can authenticate to the SwMI SwMI can authenticate to the MS Mutual authentication provides both in same transaction The authentication key loaded to the MS is the secret which is proven The challenging party generates a random number and sends this to the challenged party The challenged party makes a calculation based on this number and on the secret key using standard TETRA algorithms The answer is sent back as proof of identity The key itself is never transmitted An encryption key (DCK) may be derived for use in air interface encryption in class 3 systems Authentication Centre Random Challenge Calculation MS Response Authentication is a very powerful security feature which is useful in different ways depending on the type of system. In public access systems authentication protects against spoof terminals from using the system Public safety systems need strong authentication to ensure that only bona fide terminals are allowed on the system and that systems may be trusted. Used to ensure that terminal is genuine and allowed on network. Mutual authentication ensures that in addition to verifying the terminal, the SwMI can be trusted. Authentication requires both SwMI and terminal have proof of secret key. Successful authentication permits further security related functions to be downloaded. Strong mutual authentication is used for proving the user/terminal is who he claims to be. Only allows legitimate terminals on the network Only allows the genuine network to be used by terminals

Authentication Generate RS K known only to AuC and MS Authentication Centre (AuC) K RS TA11 KS K RS KS (Session key) RS (Random seed) Generate RAND1 TA11 KS RAND1 RS, RAND1 KS RAND1 RES1 TA12 DCK Only available in Class 3 systems. Used to ensure that terminal is genuine and allowed on network. Mutual authentication ensures that in addition to verifying the terminal, the SwMI can be trusted. Authentication requires both SwMI and terminal have proof of secret key. Successful authentication permits further security related functions to be downloaded. Strong mutual authentication used for proving the user/terminal is who he claims to be. Only allows legitimate terminals on the network Only allows the genuine network to be used by terminals Uses Challenge- Response mechanism based on a unique secret key K stored in the terminal and in the Authentication Centre (AuC) All MS’s must be properly authenticated prior to being granted access to the network One of the outputs is the Derived Cipher Key used for Air Interface Encryption The session key is generated in the Authentication Centre using a Random Seed and K. The information is passed to the network, which now has the capability of performing Authentication of the subscriber.. Authentication is completed if the subscriber result, RES1, matches the Zone Controller result XRES1. The secret key K is never exposed to any part of the system outside the Authentication Centre or subscriber. TA12 Base station XRES1 DCK1 RES1 DCK1 Call Controller Compare RES1 and XRES1

Interoperable Authentication To enable terminals from multiple manufacturers to use the same SwMI, an interoperable means of loading authentication keys is essential SFPG Recommendation 01 – TETRA Key Distribution A standardised, multi vendor means of delivering keys to an infrastructure Mechanisms and file formats for all key types, authentication and encryption Standardised model Factory TEI Standardised format Imports key material from any vendor AuC TETRA SwMI TEI K, TEI K SCK, GCK etc… from national security authority Key Programming Key programming can take place in MS factory, or locally with appropriate tools

Air Interface Encryption Air Interface Encryption protects: Speech and data traffic Signalling and identities Certain broadcast information can be encrypted Initial registration can be encrypted Encrypted over the air interface, not inside the network Intention: to make the air interface as secure as the network Applies to all types of carrier - TETRA 1 and TEDS There are three classes of encryption: Class 1 (Clear – no encryption) Class 2 (Encryption with Static Cipher Key) Class 3 (Encryption using dynamic keys) Protection of user data Protection against traffic and network analysis Encrypted over the air Encrypted over the air Clear inside the network

Air Interface Encryption keys Class 3 Four air interface keys can be used:- Derived Cipher Key (DCK) Protect all individually addressed transmissions Changed every time the MS authenticates Common Cipher Key (CCK) Protects downlink group calls and identities Downloaded using Over The Air Rekeying (OTAR) following DCK establishment Changed frequently (daily) Group Cipher Key (GCK) Provides crypto separation for groups Combined with CCK to make MGCK Can be downloaded by OTAR, or manually loaded GCK changed less often – but MGCK changes whenever CCK changes Static Cipher Key (SCK) One key protects all Simple networks and fallback use in TMO DMO All keys are numbered – so that the BS can tell the MS which key to use, without revealing the key CCK CCK (M)GCK1 DCK Dynamic keys Class 3 (M)GCK2 Class 2 Class 2 Static keys SCK SCK SCK

Air interface encryption process Synchronisation provided by TETRA slot and frame numbering system - Changes every timeslot - 23 day repeat length - Protects against replay 3 4 1 2 17 5 18 60 32768 Stream cipher: suitable for radio systems Initialisation Vector (synchronisation) Root encryption key DCK, CCK, SCK, MGCK modified by: Location Area Scrambling Code Carrier number Thus the actual key used is different on every carrier frequency on every site Allows much wider use of the same root key across multiple sites Reduces the amount of signalling needed on cell change –and risk of failure, need to revert to clear etc. Strengthens the overall security of the system Key Algorithm keystream bits 1,1,0,1,0... 1,0,1,1,0... 0,1,1,0,0... Encrypt/ decrypt Process encrypts and decrypts one bit at a time. Optimum solution if bit errors occur in transmission one corrupted encrypted bit only results in one corrupted decrypted bit TETRA supports a number of encryption algorithms to cater for different markets: These algorithms have been designed by ETSI SAGE to provide strong encryption Proprietary algorithms can also be used. Initialization Vector - IV for synchronizing the encryption engine for air interface encryption is derived from a number of system parameters: slot number 2bits - VI(0,1) frame number (= 4 slots) 5 bits - IV(2,…6) multiframe number (= 18 frames) 6 bits - IV(7,…12) hyperframe number (= 60 multiframes) 15 bits- IV(13,…27) Direction of transmission 1 bit - IV(28) IV is transmitted as part of SYNC & SYSINFO (alternate with CCK-id/SCK-VN) ECK is a combination of traffic key, colour code, carrier number, location area

Key Management Over The Air Rekeying (OTAR) is an essential management tool Keys must be replaced at frequent intervals DCK and CCK change are ‘built in’ to protocols SCK and GCKs require separate OTAR mechanism OTAR can be sent individually or to a group Group transmission can be much more efficient on large systems Keys can be encrypted with individual or group key encryption keys MSs respond randomly to transmissions that change their state, to prevent overload on the uplink following an OTAR transmission Group Session Key for OTAR (GSKO) Session Key for OTAR (KSO), or GSKO In any system with a large and geographically distributed terminals the use of OTAR is essential for efficiency. OTAR to individuals is inefficient if same keys going to many terminals Need to download to groups rather than individual terminals to save system capacity Requirement for many different sets of keys in large multi-user network-GCKs and DMO SCKs .DMO SCKs must be distributed when terminals are operating in TMO. In normal circumstances, terminals should return to TMO coverage within a key lifetime

DMO Security Encryption using Static Cipher Keys (Class 2) There is no other common shared secret Gateway identities can also be optionally encrypted SCKs can either be provided manually or by OTAR in TMO MS also needs key associations – which tell the MS which key to use with which group SCKs also encrypt DMO path to gateways and repeaters SCK Numbers (SCKN – 32 possible) used to identify key in use Implicit authentication by use of encryption key No disabling End to end encryption possible Transparent operation through gateways and repeaters SCK There is no explicit authentication in DMO and the best that can be done is to rely on the terminals having the same SCK (implicit authentication). CCKs and DCKs cannot be used as they rely on the authentication process For the same reason there is no disabling in DMO as the risk of allowing a terminals even with the correct key to stun another is not safe if that terminal has been stolen.

Key Overlap scheme used for DMO SCKs Transmit MS 1 v27: Past v28: Present v29: Future MS 2 v28: Past v29: Present v30: Future Past Present Future Receive It is essential that changing keys does not lead to loss of communications The scheme uses Past, Present and Future versions of an SCK. System Rules Terminals may only transmit on their Present version of the key. Terminals may receive on any of the three versions of the key. This scheme allows a one key period overlap. Key overlap schemes must ensure that terminals that have re-keyed can talk to those that have not and that those who have not re-keyed can also speak to those units that have. A three edition scheme is shown above. This gives a one period overlap forwards and backwards and therefore allows terminals that have been out of TMO coverage to communicate. If OTAR is used for SCKs then return to TMO will trigger a download of new SCK editions upon registration and authentication to the network. The system must be arranged so that users can only transmit on the ”present” edition of key but can receive also on the “past” or “future” editions. SCKs are divided into 3* sets of 10*Key Association Groups (KAGs) to allow all SCKs to be changed in this way Each communication group can be associated with a KAG Terminals can hold multiple sets of SCKs for use on different networks

Disabling of terminals Vital to ensure the reduction of risk of threats to system by stolen and lost terminals Relies on the integrity of the users to report losses quickly and accurately. Subscription and/or equipment can be disabled, if terminal has separate SIM card Command sent over the air: terminal can require a minimum security state, e.g. authentication, encryption Disabling may be either temporary or permanent Temporary disabling leaves terminal apparently dead, but able to roam around the network Therefore, keeps necessary short term keys, but deletes long term keys – DMO SCK, GCK, GSKO Temporary disabled terminal can be recovered over the air (enabled) Permanent disabling deletes all keys (including k) and user information, and requires manual recovery The system must be protected against lost or stolen terminals being used by unauthorized persons. It is likely that in large systems a considerable number of terminals will be lost every year. In public safety systems it is vital that users report that they have lost their terminals quickly so that their subscription can be removed from the system and the terminal can no longer register on the TETRA network. Removing subscription is only partly satisfactory in that it still allows the terminals to be used in DMO and repeated attempts may be made to register thereby reducing capacity on that base site. Terminals may be disabled either temporarily or permanently which prevents them operating until they are re-enabled.

RED (sensitive) information only present at the end points End to end encryption Protects messages across an untrusted infrastructure Also can operate in DMO Provides enhanced confidentiality Standardised in SFPG (Recommendation 02) Solutions for Voice, Short Data and Packet Data Voice and SDS solutions apply in TETRA domain May need to consider protection beyond this, or use TETRA information formats for message external to the network Packet data solution applies to TETRA 1 and TEDS (or any other IP network – such as LTE) Protection can extend throughout connected IP networks Only protects the user payload (confidentiality protection) Needs an additional synchronization vector Requires a transparent network - no transcoding - All the bits encrypted at the transmitting end must be decrypted at the receiver Will not work outside the TETRA domain Key Management in User Domain No need to trust network provider Frequent transmission of synchronization vector needed to ensure good late entry capability but as frame stealing is used this may impact slightly on voice quality. RED (sensitive) information only present at the end points Transmissions remain encrypted across network

Features of End to End Encryption Protects the user payload, not signalling Uses an additional synchronisation vector, which is carried in voice stream so that bandwidth of end to end encrypted speech is the same as unencrypted speech Intelligent frame stealing algorithms cause negligible speech quality impact Network must be transparent to voice No interruption of audio, or variations in transport time, as this would affect synchronisation Network has no control over the encryption system Packet data solution is based on IPSEC and is completely transparent to other IP networks Works over any IP network – TETRA1, TEDS, LTE, .... Key Management can be in User Domain Uses SDS to carry Key Management Messages – key management system can be located anywhere that offers a Short Data connection to the SwMI No need to trust network provider for key management Over The Air Key management (OTAK) service fully specified Encrypted inside the network Encrypted over the air

Key management for end to end encryption Key Management for end to end encryption is in the user domain. This is especially important where there is a third party service provider. The methodology uses SDS to deliver keys and other key management commands to the terminals. The key management messages are encrypted by a signalling encryption key and therefore the network cannot decrypt any of the key management message. Some systems will support group SDS messaging and in this case there may be some advantage in sending group key management messages, particularly if there is a large terminal fleet. Traffic keys TEKS) are changed frequently. Because of the likelihood of users not being able to change keys at the same time an overlap system may be used such that the terminal may transmit only on his ‘Present key’ but may receive on his ‘Past’ or ‘Future’ keys. GEKs are common to a user group thereby allowing group SDS messages to be used in downloading TEKs. GEKS need changing at longer intervals then TEKs but to avoid manual re-keying they may be changed by protecting them with a unique KEK. GEKs must be changed individually. Unique KEKs are stored very securely in the terminal and must be changed manually. They are associated with the terminal ISSI at the KMC and then loaded to the terminal They will probably have a long life.

End to end keys Key Encryption Key (KEK) Traffic Encryption Key (TEK). Root key used for OTAK – must be manually loaded Encrypts keys when sent by OTAK to individual user Traffic Encryption Key (TEK). Three (or more) versions used in terminal to give key overlap. (as used for DMO SCK for Air Interface Encryption) Can be loaded by OTAK Group key Encryption Key (GEK) Can be used to encrypt keys if sent by OTAK to a group of users Signalling Encryption Keys (SEK) Used for key management message encryption Message Key TEK KEK (or GEK) SEK

Benefits and limitations of end to end encryption in combination with Air Interface encryption Air interface (AI) encryption alone and end to end encryption alone both have their limitations For most users, AI security measures are completely adequate but: Where either the network is untrusted, or the data is extremely sensitive then end to end encryption may be used in addition to AI encryption Using e2ee encryption alone leaves the possibility of replay attacks and the signalling and addresses would be exposed Brings the benefit of encrypting addresses and signalling as well as user data across the Air Interface and confidentiality right across the network E2ee terminals are generally more expensive than AI terminals and require a separate key management system which should be located in the user domain and not by the service provider

Standards and Recommendations TETRA Security Standard EN300392-7 (TETRA V+D Security) EN300396-6 (TETRA DMO Security) EN302109 (End to end synchronisation) SFPG Recommendations 01 – TETRA Key Distribution 02 – End to End Encryption 03 – (Permanent Document) – TETRA Threat analysis 04 – Use of TETRA Security Features 05 – Secure Cross border TETRA operation (about to be published) 06 – Use of Long Life Cipher Keys 07 – End to End Encrypted Short Data Service 08 – Use of SIM card for End to End Encryption 09 – Physical Security of TETRA terminals 11 – End to End Encryption of Packet Data 12 – Use of Java in TETRA terminals All are periodically updated TETRA standards downloadable from ETSI www.etsi.org/standards SFPG Recommendations available on request to TCCA members from SFPG@TandCCA.com

Summary TETRA is highly secure – probably the most secure of any published open standard radio technology Excellent defence against threats found in many different user environments Security functions apply uniformly across TETRA 1 and TEDS Air interface encryption protects control, network information, IDs as well as voice and user data. End to end encryption provides another layer of security which may allow many different agencies on a public safety system Air interface key management comes without user overhead because of OTAR Standards and Recommendations are continually being developed to maintain the security necessary in a TETRA system Work on securing the next generation of broadband systems is well underway.

Any Questions? More questions may be answered later: please send an email to warren.systems@clara.net or SFPG@TandCCA.com This is also the address from which to request SFPG Recommendations