Brian Murgatroyd UK Home Office TETRA SECURITY Brian Murgatroyd UK Home Office
Agenda Why security is important in TETRA systems Overview of TETRA security features Authentication Air interface encryption Key Management Terminal Disabling Using SIM’s End to End Encryption The TETRA suite of documents define a standard for a digital trunked radio system. A fundamental feature and a key requirement from conception, has been the need to design-in security. The range of security features offered is capable of meeting the needs of many types of user, including the public safety community. TETRA has not been designed with just the public safety community in mind although their requirements exceed those of most users. .
What are the main threats to your system? Confidentiality? Security Threats What are the main threats to your system? Confidentiality? Availability? Integrity? Threats to communications systems are not just those caused by illicit eavesdropping but fall into three areas: Confidentiality: The ability of the system to keep user data and traffic secret. Availability: The continuance of the service reliably and without interruption. Integrity: The systems strength in ensuring user traffic and data is not altered
Message Related Threats interception by hostile government agencies eavesdropping by hackers, criminals, terrorists Confidentiality masquerading pretending to be legitimate user manipulation of data Integrity changing messages Replay recording messages and replaying them later These threats are related to the messages: the user traffic. Interception and eavesdropping may occur easily in systems without encryption and are a threat to confidentiality. Masquerading as a legitimate user may occur often if terminals can be cloned and the subscriber identity copied. Manipulation of data may occur if an intermediary can capture the message and change it, an example of this is replay where the message is recorded, stored and replayed over the system.
User Related Threats traffic analysis Confidentiality getting intelligence from patterns of the traffic-frequency- message lengths-message types observability of user behaviour Confidentiality examining where the traffic is observed - times of day-number of users User related threats differ from message related threats in that they do not attempt to decode messages and eavesdrop but gain intelligence from analyzing user traffic from its length, type of message and location.
System Related Threats denial of service Availability preventing the system working by attempting to use up capacity jamming Availability Using RF energy to swamp receiver sites unauthorized use of resources Integrity Illicit use of telephony, interrogation of secure databases This group of threats do not attack the user in any way but aim to stop the system working . Jamming is a good example where the user is denied service because the receivers are jammed by signals affecting the base station or terminal receivers. The other threats in this category involve unauthorised access to databases and changing their content so that for example user registration details are removed or changed.
TETRA Security features Authentication Air Interface encryption Temporary /permanent disabling Aliasing/User logon Ambience listening Discrete Listening Lawful Interception The threats shown in the earlier slides are countered in TETRA by the security features above. TETRA has been designed with security in mind and requires a large number of measures with which to protect against all the different threats.
Class Authentication Encryption Other 1 Optional None - Security Classes Class Authentication Encryption Other 1 Optional None - 2 Optional Static ESI 3 Mandatory Dynamic ESI Mobiles may support one, several or all security classes. A base station at any one time may support either: class 1 only class 2 only class 3 only class 3 and 1 Class 2 and 3 cannot be used at the same time at a base station. The security class of a base station is transmitted as part of the system information broadcast message. If the terminal supports the level of security in the broadcast it may attach to the base station but should be implemented not to attach if it cannot support it.
Used to ensure that terminal is genuine and allowed on network. Authentication Used to ensure that terminal is genuine and allowed on network. Mutual authentication ensures that in addition to verifying the terminal, the SwMI can be trusted. Authentication requires both SwMI and terminal have proof of secret key. Successful authentication permits further security related functions to be downloaded. Authentication is a very powerful security feature which is useful in different ways depending on the type of system. In public access systems authentication protects against spoof terminals from using the system Public safety systems need strong authentication to ensure that only bona fide terminals are allowed on the system and that systems may be trusted.
Authentication process Mobile Base station Authentication Centre K Random Seed (RS) K RS Rand TA11 KS Rand RS This slide illustrates the process for the authentication of a mobile unit by the infrastructure. The process is symmetric with both parties relying on their knowledge of a secret piece of information - the authentication key, k. Authentication is achieved when both parties are able demonstrate that they share the same secret information. Note that k is never transmitted. There are 3 ways of generating k in the mobile - PIN, UAK or PIN/UAK. UAK is by far the most common method used Authentication of the infrastructure by a terminal follows a similar process but different authentication algorithms are used. Authentication may be mutual. The decision to make the authentication mutual is made by the first party to be challenged. k is 128 bits in length Random No and Random Seed are each 80 bits in length Result is 32 bits in length TA12 TA12 TA11 KS (Session key) Expected Result Result Same?
Deriving DCK from mutual authentication Result 1 RAND1 KS DCK1 DCK RAND2 DCK2 The authentication algorithm in the base station used for authenticating a mobile generates a cipher key - DCK1 as well as Result,. A similar algorithm used by a mobile when authenticating the infrastructure produces another cipher key - DCK2. If the infrastructure is authenticating a mobile, DCK1 will be produced and DCK2 will be set to 0. If the mobile is authenticating the infrastructure, DCK2 will be produced and DCK1 will be set to 0. If mutual authentication is required, DCK will be a result of combining DCK1 and DCK2. DCK is be used for protecting voice, data and signalling. KS’ Result 2
Four traffic keys are used in class 3 systems:- Air Interface keys Four traffic keys are used in class 3 systems:- Derived cipher Key (DCK) derived from authentication process used for protecting uplink, one to one calls Common Cipher Key(CCK) protect downlink group calls and ITSI on initial registration Group Cipher Key(GCK) Provides crypto separation, combined with CCK Static Cipher Key(SCK) Used for protecting DMO and TMO fallback mode DCK is used wherever possible as it is the most secure. It only has a life equivalent to the authentication period (perhaps 24 hours) and is unique to the terminal. It should always be used for the uplink(MS-BS) link. It cannot be used for downlink group calls(because all MS’s have a different DCK) The CCK is used primarily for protecting downlink group calls. It may also be used for protecting ITSI’s on initial registration (as long as the stored CCK is still valid. CCK will probably be a short life key (up to one week) The GCK is used to enable crypto separation between groups. It is used in conjunction with CCK. It tends to have a longer life than CCK. The traffic key is called MGCK (modified GCK) The SCK is used as the traffic key in Class 2 systems. In Class 3 systems it is used for protecting DMO transmissions and may be used as a fallback key in TMO in case BS’s lose contact with the SwMI.
Over the Air Re-Keying (OTAR) KSO (GSKO) DCK GCK SCK CCK BS SCK CCK GCK AI Keys are transferred securely (encrypted) using TETRA’s Over The Air Re-keying mechanism (OTAR) Class 3 systems use DCK as the sealing key for CCK SCKs and GCKs use KSO as the sealing key - a key derived using k Recent revisions to the TETRA standard include Group Sealing Key for OTAR(GSKO)used to minimize overheads by providing a broadcast function for distributing keys to user groups Key sizes: DCK1/DCK2/DCK, CCK, GCK, MGCK, SCK all 80 bits GSKO is 96 bits MS DCK KSO (GSKO) CCK MGCK SCK
Key Stream Generator (TEA[x]) Encryption Process Key Stream Generator (TEA[x]) Traffic Key Key Stream Initialisation Vector (IV) TETRA supports a number of encryption algorithms to cater for different markets: TEA1 for Europe (non public safety) TEA2 for Europe (public safety) TEA3 for outside Europe (public safety) TEA4 for outside Europe (non public safety) Proprietary algorithms can also be used. Initialisation Vector - IV for synchronizing the encryption engine for air interface encryption is derived from a number of system parameters: slot number 2bits - VI(0,1) frame number (= 4 slots) 5 bits - IV(2,…6) multiframe number (= 18 frames) 6 bits - IV(7,…12) hyperframe number (= 60 multiframes) 15 bits- IV(13,…27) Direction of transmission 1 bit - IV(28) IV is transmitted as part of SYNC & SYSINFO (alternate with CCK-id/SCK-VN) Clear data in Encrypted data out A B C D E F G H I y 4 M v # Q t q c Modulo 2 addition (XOR)
Disabling of terminals Vital to ensure the reduction of risk of threats to system by stolen and lost terminals Relies on the integrity of the users to report losses quickly and accurately. May be achieved by removing subscription and/or disabling terminal Disabling may be either temporary or permanent Permanent disabling removes all keys including (k) Temporary disabling removes all traffic keys but allows ambience listening The system must be protected against lost or stolen terminals being used by unauthorized persons. It is likely that in large systems a considerable number of terminals will be lost every year. In public safety systems it is vital that users report that they have lost their terminals quickly so that their subscription can be removed form the system and the terminal cannot register. Removing subscription is only partly satisfactory in that it still allows the terminals to be used in DMO and repeated attempts may be made to register thereby reducing capacity on that base site. Terminals may be disabled either temporarily or permanently which prevents them operating until they are enabled.
Many second generation terminals may use SIMs Security and SIMs Many second generation terminals may use SIMs SIM contains all personalization information Secret key(k) and ITSI must be on SIM if complete SIM mobility required. Design must be able to prevent the secret key (k) and traffic keys being extracted May be possible to only have talkgroup and phonebook information on SIM (leave ITSI/K in terminal) There is a problem if all personalization items are held on SIM. ITSI and K are paired together and therefore if ITSI is on the SIM so must K. There is a security problem if red key material is allowed to pass from the terminal to the SIM or from SIM to terminals because the interface is vulnerable to attack. Encrypting the interface is possible but only by using an individual key therefore negating mobility. The TETRA MOU SFPG is looking at the possibility of only holding non security information on the SIM and relying on a secure user log-on to give access to talkgroups.
End to End Encryption E2E encryption is supported by TETRA and is mainly of interest to specialist users, for example drug squads and the military, who have very demanding security requirements and unlike with AI encryption the infrastructure cannot be trusted to protect their sensitive data.. E2E is only applied to the payload - voice and user data. E2E encryption is normally used with AI encryption - i.e. voice and data is super encrypted over the air interface. TETRA signalling and user IDs remains protected to AI encryption standard. To ensure the decrypting engine in the receiver maintains synchronism with the encrypting engine in the transmitter, a synchronization vector is sent periodically. TETRA provides a mechanism known as frame stealing to facilitates this. E2E encryption implementation is described fully by the SFPG recommendation 02 Sealed keys are distributed over the air interface using TETRA’s SDS service, wrapped using a KEK. As some users may not be in range of the infrastructure when the keys are initially sent, the management proposals include the use of a regime that uses previous, current and future key sets. This improve the interoperability of remote units (e.g. specialist undercover units) who may not want or be able to operate within the infrastructure. National security and export considerations often restrict enhanced grade encryption algorithms to a particular country. SFPG have however recommended a publicly available baseline algorithm (IDEA) for users who do not have the resources to develop their own solution.
End to end encryption features No need to trust infrastructure- no intermediate decoding. Additional synchronization carried in stolen half frames Standard algorithms available or national solutions Local Key Management Centres managed by User Keys received from national COMSEC authority (depending on National policy) The Key Management Centre (KMC) will have to store the Unique Key Encryption Keys(KEKs), Group Key Encryption Keys(GEKS), Traffic Encryption Keys(TEKs) and User identities and be capable of connection to the TETRA system via the SDS. The KMC must be kept in a secure site and have strict access controls.
Group Key encryption key(GEK) used to protection TEKs during OTAR. End to end keys Traffic encryption key(TEK). Three editions used in terminal to give key overlap. Group Key encryption key(GEK) used to protection TEKs during OTAR. Unique KEK(long life) used to protect GEKs during OTAR. Signalling Encryption Keys (SEK) used optionally for control traffic TEKS are changed frequently -e.g. 28 days. Because of the likelihood of users not being able to change keys at the same time an overlap system may be used such that the terminal may transmit only on his ‘Present key’ but may receive on his ‘Past’ or ‘Future’ keys. GEKs are common to a user group thereby allowing group SDS messages to be used in downloading TEKs. GEKS need changing at longer intervals then TEKs but to avoid manual re-keying they may be changed by protecting them with a unique KEK. GEKs must be changed individually. Unique KEKs are stored very securely in the terminal and must be changed manually. They will probably have a long life.
Security functions built in from the start! Conclusions Security functions built in from the start! User friendly and transparent key management. Air interface encryption protects control traffic, IDs as well as voice and user traffic. Key management comes without user overhead because of OTAR. Well developed end to end encryption for users with very sensitive data to protect. TETRA offers a range of security features which may be tailored to the particular system implementation.