Efficient Group Key Agreement for Dynamic TETRA Networks
Su Youn Lee, Su Mi Lee and Dong Hoon Lee
Baekseok College of Cultural Studies; GSIS, Korea University
Current Trends in Theory and Practice of Computer Science

Agenda
- TETRA Networks
- Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA)
  - Background and Motivation
  - Set up, Join and Leave Algorithms

TETRA Networks
4 What is TETRA?
TErrestrial Trunked RAdio (TETRA) is a new digital transmission standard developed by ETSI, and it is becoming the system for public safety organisations.
[Figure labels: Mobile Radio, Mobile Data, Mobile Telephony; DECT, GSM, TETRA, UMTS]

5 What is TETRA? Architecture
[Architecture diagram labels: SwMI; PABX, PSTN, ISDN; Intranet / Internet; Other TETRA network; Network Management; Line Dispatcher; IP gateway, Firewall]

6 TETRA Security Mechanisms
- End-to-End Encryption: securing the communication across a network, independent of the switching infrastructure
- Air Interface Encryption: securing the link between a handset and the network
- Key Management Center: controlled emission of keys, enabling decentralized authorisation and enforcing the high security level

7 TETRA Security Mechanisms: Authentication
- Authentication provides proof of identity of all MS in the TETRA network
- The AuC securely sends the session authentication key to Switch 1 and should store the secret key
  - The secret key need never be exposed
- All MS and the AuC perform mutual authentication using the secret key K
[Figure labels: MS; Authentication; Switch 1; Switch 2; Session authentication keys; Challenge and response from Switch; Authentication Centre (AuC); SwMI; K]

8 Authentication process
[Figure: authentication exchange between the SwMI and the Mobile Station. Labels: K; Random Seed (RS); TA11; KS (session authentication key); Rand; TA12; DCK; RES; XRES; RES ≠ XRES]
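
The exchange on slides 7 and 8, as an added example that is not from the original slides: the AuC keeps K and hands the switch only (RS, KS), the switch challenges with Rand, and the MS answers with RES, which is checked against XRES. Assumptions: HMAC-SHA256 stands in for TA11 and TA12 (the slides only name them), the class names, key sizes and sample keys are constructed, and only the direction in which the SwMI authenticates the MS is shown.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 stands in for TA11/TA12, which the slides only name.
def ta11(k, rs):
    """KS = TA11(K, RS): the session authentication key."""
    return hmac.new(k, b"TA11" + rs, hashlib.sha256).digest()[:16]

def ta12(ks, rand):
    """(RES, DCK) = TA12(KS, Rand); output sizes are illustrative."""
    out = hmac.new(ks, b"TA12" + rand, hashlib.sha256).digest()
    return out[:4], out[4:14]

class AuC:
    """Stores K per MS and releases only (RS, KS) to a switch."""
    def __init__(self, keys):
        self._keys = dict(keys)
    def session_key(self, ms_id):
        rs = secrets.token_bytes(10)
        return rs, ta11(self._keys[ms_id], rs)

class Switch:
    """SwMI switch: works from KS, never sees K."""
    def challenge(self, rs, ks):
        self._rand = secrets.token_bytes(10)
        self._xres, self._dck = ta12(ks, self._rand)
        return rs, self._rand
    def verify(self, res):
        # Constant-time RES == XRES check; DCK is released only on a match.
        return self._dck if hmac.compare_digest(res, self._xres) else None

class MobileStation:
    def __init__(self, k):
        self._k = k
    def respond(self, rs, rand):
        ks = ta11(self._k, rs)
        res, self.dck = ta12(ks, rand)
        return res

def authenticate(auc, ms_id, ms):
    """One exchange; returns the switch's DCK, or None when RES != XRES."""
    switch = Switch()
    rs, rand = switch.challenge(*auc.session_key(ms_id))
    return switch.verify(ms.respond(rs, rand))
```

Because RS and Rand are fresh for every exchange, a captured RES is useless for a later session, and a compromised switch exposes KS values but not K.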

9 Air Interface Keys
- Derived Cipher Key (DCK): derived from the authentication procedure
- Common Cipher Key (CCK): generated by the SwMI and distributed to all MS
- Group Cipher Key (GCK): linked to a specific closed MS group
- Static Cipher Key (SCK): a predetermined key

10 Key Management Mechanism
[Figure: SwMI and MS1 to MS4, with Group call 1 and Group call 2]
- MS1: K1, DCK 1; MS2: K2, DCK 2; MS3: K3, DCK 3; MS4: K4, DCK 4
- SwMI: K1, K2, K3, K4; DCK 1, DCK 2, DCK 3, DCK 4
- GCK = fn(K1), GCK = fn(K2), GCK = fn(K3), GCK = fn(K4)
- CCK = fn(DCK 1), CCK = fn(DCK 2), CCK' = fn(DCK 3), CCK' = fn(DCK 4)
- MGCK = fn(GCK, CCK), MGCK' = fn(GCK, CCK')

11 Over the Air Re-Keying (OTAR)
[Figure: OTAR between the SwMI and the MS. Labels: AI; CCK; GCK; MGCK; DCK; KSO (GSKO)]

Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA): Background and Motivation

13 Background and Motivation
Group Key Agreement
- MS communicate over a public, easily-monitored network
- MS need to establish a common secret key (session key) to secure communication
[Figure labels: Group Key Agreement Protocol; sk]

14 Background and Motivation
Authenticated Group Key Agreement (AGKA)
- AGKA guarantees security against an active adversary who can modify, insert or remove messages
- To provide authentication, we can construct AGKA based on PW or signature
[Figure label: adversary]

15 Background and Motivation
In AGKA, there are two concerns with regard to efficiency: communication and computation efficiency
- Communication Efficiency: the number and length of messages; few rounds
- Computation Efficiency: the computation needed to complete the protocol; depends on the cryptographic algorithms

16 Background and Motivation
AGKA for Dynamic TETRA networks
- Provides Setup, Leave and Join Algorithms
- In a Leave event, the removed MS does not know the new sk'
- Forward Secrecy

17 Background and Motivation
AGKA for Dynamic TETRA networks
- In a Join event, the joining MS does not know the previous sk
- Backward Secrecy

An Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA): Set up, Join and Leave Algorithms

19 An Efficient AGKA: Setup
[Figure: MS1 with KEK 1, MS2 with KEK 2, MS3 with KEK 3, MS4 with KEK 4; SwMI with KEK 1, KEK 2, KEK 3, KEK 4]

20 An Efficient AGKA: Setup, Group Key Computation Process
[Figure labels: KEK 1, KEK 2, KEK 3, KEK 4]

21 An Efficient AGKA: Setup, Security
- MS verifies the signature of the SwMI
- Assume that the signature scheme is secure
- No signature can be used twice
- Only an MS who knows KEK can compute a group key
- An adversary cannot get any information about a group key from Z_{i-1,i}
- XOR Encryption Scheme

22 An Efficient AGKA: Join Algo.
[Figure: MS1 with KEK 1, MS2 with KEK 2, MS3 with KEK 3, MS4 with KEK 4, joining MS5 with KEK 5; SwMI with KEK 1, KEK 2, KEK 3, KEK 4, KEK 5]

23 An Efficient AGKA: Join, Security
Backward Secrecy
- A joining MS should not know a previous group key
- Our scheme provides Backward Secrecy
- All MS re-calculate the T value using a different session ID (I_j) per session
- Although MS 5 knows all T values in the current session, MS 5 cannot compute a previous group key

24 An Efficient AGKA: Leave Algo.
[Figure: MS1 with KEK 1, MS2 with KEK 2, MS4 with KEK 4, leaving MS3 with KEK 3; SwMI with KEK 1, KEK 2, KEK 4]

25 An Efficient AGKA: Leave, Security
Forward Secrecy
- A leaving MS should not know a current group key
- Our scheme provides Forward Secrecy
- Leaving MS 3 knows all T values of the previous session
- All MS re-calculate the T value using a new session ID (I_l) per session

26 An Efficient AGKA: Useful properties
- Allows the SwMI and MS to agree on a group key with low complexity
- Needs only XOR operations, the number of which depends on the number of group MS
- Constructs a special AGKA scheme including join and leave algorithms

27 AGKA
AGKA protocol
- Security Theorem
# of send, execute queries :

28 Thank you! Questions? Comments?