TETRA @ Your Service The Security mechanisms designed into TETRA – a refresher How do you ensure the solution is secure? “Jeppe” Jepsen Motorola

Threats to communication and the threats to security Message related threats interception, eavesdropping, masquerading, replay, manipulation of data User related threats traffic analysis, observability of user behaviour System related threats denial of service, jamming, unauthorized use of resources

Why Tetra Schengen Police Corporation

Key security features of TETRA Authentication Air Interface encryption End to end Encryption

Authentication Authentication Centre Session keys Switch 1 Switch 2 Challenge and response from Switch MS Authentication As we have seen to run a class 3 system we require Authentication, but what is Authentication? Authentication provides proof of identity and takes the security of the system a step beyond that provided by simple registration. The basis of Authentication is that there is a shared secret between the two parties, in this case the subscriber and the SWiMi. The SWiMi sends a challenge based upon this secret to the subscriber and the subscriber sends a response. If the subscriber is who it claims to be, then the response will be the one expected by the SWiMi, therefore Authentication is complete. There are some important points to note, first the secret is never transmitted outside of the Authentication Centre or the subscriber, session keys are used for the real time authentication. These keys are generated by the Authentication Centre and then distributed through the system to the appropriate Home Location Registers. Second the discussion has only looked at Authentication of the subscriber by the SWiMi, equally important in terms of security is the Authentication of the SWiMi by the subscriber. The subscriber can either turn an Authentication request by the SWiMi into a mutual Authentication, or independently request Authentication, for example prior to accepting a disable command. Finally the process of Authentication generates part of the Air Interface Encryption Keys, namely the Derived Cipher Key, or DCK. Authentication provides proof identity of all radio’s attempting use of the network. A session key system from a central authentication centre allows key storage Secret key need never be exposed Authentication process derives air interface key (TETRA standard)

What is Air Interface Encryption? First level encryption used to protect information over the Air Interface Typically software implementation AIE is System Wide 3 different Classes Class 1 No Encryption, can include Authentication Class 2 Static Cipher Key Encryption, can include Authentication Class 3 Dynamic Cipher Key Encryption Requires Authentication What is Air Interface Encryption? Well, it is the first level of protection over the air interface, it encrypts all voice and data, together with most of the signalling associated with TETRA calls. Examples of non-encrypted calls and signalling are: broadcast calls and initial registration. AIE is typically implemented in software, the protection level, as can be seen later, does not warrant the expense of a crypto module. AIE is defined as part of the TETRA standard and will be included in interoperability testing. One of the important things to note about AIE is that it is System wide and not under the control of the user. However,there are different conditions under which the system can operate and the standard takes account of this. There are three security classes under which the system can operate: Class 1, here there is no encryption, but there could be authentication. Class 2, encryption is on, but only Static Cipher Key is available, again authentication could be available. Finally there is Class 3, this is when Dynamic Encryption is being used and by definition Authentication has to be present. Typically Class 2 is used for fallback operation, for example when Authentication is not available, or if a site becomes isolated.

TETRA Air Interface Encryption Network fixed links are considered difficult to intercept. Clear Air Interface! The air interface was considered vulnerable. Air Interface encryption was designed to make the air interface as secure as the fixed line connection Air Interface Encryption Fixed Links Operational Information ANIMATED SLIDE So what is the point of Air Interface Encryption? Well the best way to describe this is to think of the following scenario. The TETRA information is available at the Air Interface and on the fixed links. (next slide). The fixed links have an inherent security associated with them. As an attacker I have to physically get access to a network and then determine the routing etc. Therefore there is a wall of a specific height I have to climb. (next slide). However, the Air Interface is still relatively vulnerable, the argument that it is digital and even TDMA is not valid for anything other than the extremely casual attack! (next slide) So Air Interface Encryption was designed to increase the security of the air interface to the same level as that inherently provided by the network. There is no point in making the Air Interface more protected than the network, otherwise the attack is moved to the now relatively vulnerable network. There is some talk about extending Air Interface Encryption to some point further down the network to give more protection. This gains nothing, effectively you are building one wall behind another, both of equal height, all this does is give the attacker a firmer base to stand upon when he climbs over!

Dimetra Air Interface Encryption Full Implementation of AIE Authentication Static Cipher Key Common Cipher Key Derived Cipher Key Group Cipher Key Modified Group Cipher Key TEA 1, 2, 3 and TEA 4 algorithms Authentication Centre Key Management Centre Key Loader for key distribution So, that is TETRA Air Interface Encryption, what about our product Dimetra. As you can see we will have the complete package, including a key mangement system, although as stated this will be phased in over a period of time. The phased approach comes about for several reasons, two of which are worth noting. The first is that TETRA is still a relatively new technology from a commercial development point of view, compared to APCO 25 it is several years behind. Therefore not all the features can be implemented at once, apart from the sheer development effort, there is the much more practical issue of ensuring that systems work reliably and meet the specification, allowing for interoperability among manufacturers. Equally important is the fact that the security section of the standard is not completely finalised, the Public Enquiry has been completed and the final version of the standard is being written.

Air Interface Encryption - the Keys DCK1 DCK2 MS2 MS1 A Clear audio Dispatcher 1 MS3 DCK3 B MS4 Group 1 MGCKB MS5 MGCKC C Infrastructure MS8 MS9 SCK ANIMATED SLIDE As you have probably realised Air Interface Encryption is somewhat more complicated than the traditional encryption we have been used to in Mobile Radio systems. Let’s go through the keys one by one and visually see how they are used. (next slide) First we have a simple DMO scenario, in effect this is very similar to our traditional one, we have a selection of subscribers all using the same symmetric key, in this case a Static Cipher Key. Different DMO groups could use different keys, again similar to our existing systems. (next slide) Next let's look at the case where we have a conversation taking place through a repeater. Once again the users are using a Static Cipher Key, but this time it would be fixed for all groups as this is the system fall-back key.(next slide) Now we move to a more normal mode of operation. There is a complete infrastructure available, including an Authentication Centre. In this case the subscribers communicate to the base-site using their unique Derived Cipher Keys or DCK. The base-site talks to the subscribers using it’s Common Cipher Key or CCK. Therefore from site A all downlink communications will be encrypted with CCKA. Therefore any repeated audio is decrypted and encrypted again at the base-site. If the group call is across several sites then the audio link through the infrastructure is clear. (next slide). For an individual call, DCK is used for both the up and the down link. Moving on to the final set of keys, Group Cipher Keys or GCK. Group Cipher keys are used for the downlink communication instead of the CCK. This provides added security on a shared system by allowing different user groups to have their own unique key. Looking at the diagram you will see that GCK does not exist, however there is a MGCK. This is the Modified Group Cipher Key, this is the Group Cipher Key modified with the site Common Cipher Key. This allows the GCK to be a long term key as it is never used in it’s raw state. Another facet of this is that users in the same group, but at different sites will have different MGCK’s. A couple of final points to note about the keys, SCK’s, CCK’ and GCK’ are managed keys, while DCK is not, it is a by product of the Authentication process. MS6 MS7 SCK SCK, CCK and MGCK controlled by System Owner DCK Generated through Authentication Process

The importance of Air Interface encryption Many threats other than eavesdropping traffic analysis, observance of user behaviour Strong authentication AI protects control channel messages as well as voice and data payloads encrypted registration protects ITSIs End to end encryption if used alone is much weaker (it only protects the payload)

Standardised end to end in TETRA Many organisations want their own algorithm Confidence in strength Better control over distribution ETSI Project TETRA provides standardised support for end to end Encryption To give TETRA standard alternative to proprietary offerings and technologies TETRA MoU – Security and fraud Protection Group Provides detailed recommendation on how to implement end to end encryption in TETRA    Provides sample implementation using IDEA and AES128 One of the biggest issues when discussing End-to-End encryption in TETRA is the fact that there was no standard. This defeats the concept of open standards, buy from any manufacture, etc. as manufacturers will offer their own algorithms, at least those with the capability will. This is now being addressed and there will be at least one TETRA standard End-to-End algorithm that all manufacturers can offer in their systems. Apart from the algorithm, work is also ongoing in defining Key Management and some of the associated commands. While this works well for Commercial organisations, it does not necessarily fit the requirement of Governments and Military. These organisations may be looking for their own algorithm, possibly they already have one they want to use, or one will be developed. This does lead to a dilemma, while we have a product that is capable of accepting virtually any algorithm designed for this level of security, there are severe export controls on this type of technology. This does not prevent us discussing the concept of Home Country algorithms, but export licenses, primarily US, will need to be obtained before the details can be discussed.

Confidentiality Solutions – Air interface encryption Should provide security equivalent to the fixed network There are several issues of trust here Do I trust that the AIE has been implemented properly Do I trust the way that the network (or radio) stores keys Do I trust the fixed network itself A strong AIE implementation and an evaluated network can provide essential protection of information An untested implementation and network may need reinforcing, for example with end to end encryption

Processes for accreditation HANDLING PROCESSES Set Up Issues Getting from the Organization Chart to planning secure communications Getting the system setup properly Introducing new units and new secure communications groups Key Material Delivery Issues Getting the right encryption keys into the right radio Ensuring the security of key storage and distribution Accomplishing fast, efficient periodic rekeying Verifying readiness to communicate Avoiding interruptions of service Security Management Issues Dealing with compromised or lost units Integrating with key material distribution process Audit control, event archival, and maintaining rekeying history Controlling access to security management functions KEYLOAD PROCESS Protect National Security Key load in country of use Key load by security cleared nationals Remove keys from radios sent abroad for repair Key Load encrypted keys cannot be read while being programmed Customer Friendly Keys can be programmed “In Vehicle” (& away from secure area) Accurate Audit logs of key distribution “In Country” Key Generation Secure Storage CONNECTION PROCESSES Connected networks Security levels Assurance requirements Barriers Own operating procedures Virus protection PERSONNEL PROCESSES Ensure personnel are adequately cleared and trained Where do they live Criminal records Experience in secure environment Signed relevant agreements Procedures for security breaches REPORTING PROCESSES Stolen radio reporting Radio disabling procedures Radio key erasure procedures Intrusion detection reporting and response Attack detection and correlation …..and more.

Assuring your security solution Evaluation of solutions should be by a trusted independent body Who? Manufacturer? Vested interest Blindness to own weaknesses End user Do you have the skills?

Assuring your security solution Government Closest to own requirements and solutions Sets the rules as well as tests them Can lead to changing requirements as threats change Third party evaluation house Need to ensure you can trust them Proven capability, references, experience in the field Can have more bandwidth than government Typically evaluation of crypto solutions is undertaken by a government body, assurance of the rest of the network by a reputable company, but the accreditator has to be a member of the end user organisation Who else can be allowed to accept the risks?

And if you don’t have this capability? Look for suppliers with track record and reputation Look for validations of an equivalent solution elsewhere Get some expert help on processes and procedures

Finally….cost Evaluation can be extremely expensive – how to get best value for money? Stable requirements Understanding the context Strong implementations It can be cheaper to spend more putting in a strong solution than the evaluation cost of a cheap solution! Proof for small lock Proof for large lock

Does the government get good value? How much do you value national security? Do you understand the cost of security measures vs the cost of compromise? Can you afford to risk doing nothing?

Essentials of a secure system A strong standard A good implementation Experienced supplier Trusted evaluation Standard EVALUATED

Example accreditation issue Your microwave link passes over a university with an MSc course in security Switch Site University Cryptanalysis Department

Security and Fraud Prevention Group – a TETRA MoU body REC 02 – Framework for End to end Encryption and key Mangement REC 03 – TETRA Threat Analysis REC 04 – Implementation and use of TETRA Security Features

Thank You ? www.tetramou.com www.etsi.org www.motorola.com/tetra Jeppe.Jepsen@Motorola.com 18