Presentation is loading. Please wait.

Presentation is loading. Please wait.

TETRA Security meeting needs of Military

Published bySherman Mosley Modified over 9 years ago

Similar presentations

Presentation on theme: "TETRA Security meeting needs of Military"— Presentation transcript:

1 TETRA Security meeting needs of Military
Security mechanisms in TETRA and how to ensure that the solution is secure… ”Jeppe” Jepsen Motorola

2 What we want to achieve with Security
Confidentiality No one can eavesdrop on what we are saying Authenticity The people we are talking to are the right people The wrong people can’t try and join us Integrity The information gets there completely intact Availability Communications are possible where and when they are needed Accountability (Non repudiation) Whoever said something, can’t deny it later

3 Threats to communication and the threats to security
Message related threats interception, eavesdropping, masquerading, replay, manipulation of data User related threats traffic analysis, observability of user behavior System related threats denial of service, jamming, unauthorized use of resources

4 Key Functions of TETRA Security
TETRA has several security features allowing most customers security needs to be met in a cost efficient way. Authentication - ensures only valid subscriber units have access to the system and subscribers will only try and access the authorized system Base Station Infrastructure Dispatcher ????” 1. Authentication 2. Air Interface Encryption 3. End - to End Encryption XYZ” Air Interface Encryption – protects all signalling, identity and traffic across the radio link End-to-End Encryption - protects information as it passes through the system

5 Authentication Authentication Centre Challenge Session keys Calculated Response Switch Secret keys Mutual Challenge MS Calculated Response Authentication provides proof identity of all radios attempting use of the network Radio can authenticate the network in turn, protects against ‘fake base stations’ etc A session key system from a central authentication centre allows highly secure key storage Secret key need never be exposed Authentication process derives air interface key (TETRA standard) – automatic key changing!

6 Radio Security Provisioning And Key Storage
TETRA MoU SFPG Recommendation 01 provides a standardised format for importing authentication and other air interface encryption keys Use of Recommendation 01 files will allow multi vendor terminal supply Separation of logical key programming step from factory can allow all keys to be loaded in country Meets national security requirements SCK, GCK etc… from national security authority Standardised format Imports key material from any vendor AuC TEI Factory TEI TETRA SwMI Key Programming K K, TEI

7 What is Air Interface Encryption?
First level encryption used to protect information over the Air Interface Typically software implementation Protects almost everything – speech, data, signalling, identities… 3 different Classes Class 1 No Encryption, can include Authentication Class 2 Static Cipher Key Encryption, can include Authentication Class 3 Dynamic Cipher Key Encryption Individual Derived Cipher Key Common Cipher Key Group Cipher Key Requires Authentication Includes over the air key management protocols Allows seamless key management

8 The purpose of Air Interface Encryption
Network fixed links are considered difficult to intercept. Clear Air Interface! The air interface was considered vulnerable. Air Interface encryption was designed to make the air interface as secure as the fixed line connection Air Interface Encryption Fixed Links Operational Information ANIMATED SLIDE So what is the point of Air Interface Encryption? Well the best way to describe this is to think of the following scenario. The TETRA information is available at the Air Interface and on the fixed links. (next slide). The fixed links have an inherent security associated with them. As an attacker I have to physically get access to a network and then determine the routing etc. Therefore there is a wall of a specific height I have to climb. (next slide). However, the Air Interface is still relatively vulnerable, the argument that it is digital and even TDMA is not valid for anything other than the extremely casual attack! (next slide) So Air Interface Encryption was designed to increase the security of the air interface to the same level as that inherently provided by the network. There is no point in making the Air Interface more protected than the network, otherwise the attack is moved to the now relatively vulnerable network. There is some talk about extending Air Interface Encryption to some point further down the network to give more protection. This gains nothing, effectively you are building one wall behind another, both of equal height, all this does is give the attacker a firmer base to stand upon when he climbs over!

9 Important properties of Air Interface encryption
Many threats other than eavesdropping traffic analysis, observance of user behaviour AIE protects control channel messages and identities as well as voice and data payloads End to end encryption - if used alone - is insufficient (it only protects the voice payload) Continuous authentication Encryption key generated from authentication process Encrypted registration protects ITSIs even at switch on Security classes can be changed in operation – essential for fallback measures if authentication cannot operate

10 End to end encryption in TETRA
ETSI Project TETRA provides standardised support for end to end Encryption ETSI EN contains specific end to end specification Ensures TETRA provides a standard alternative to proprietary offerings and technologies Ensures compatibility between infrastructures and terminals Many organisations want their own algorithm Confidence in strength Better control over distribution TETRA MoU – Security and fraud Protection Group Provides detailed recommendation on how to implement end to end encryption in TETRA The result – Standardisation and compatibility, with choice of algorithm A big strength of TETRA

11 End To End Encryption ‘Standardisation’
TETRA MoU SFPG Recommendation 02 Framework for end to end encryption Recommended synchronisation method for speech calls Protocol for Over The Air Keying Sample implementations including algorithm mode and key encryption for IDEA, but AES128 is now preferred DOES NOT specify implementation – can be implemented with module, software, SIM card etc.. DOES NOT provide module interface specification

12 Related Recommendations
TETRA MoU SFPG Recommendation 01 Key transfer specification Currently being updated to include end to end encryption key import formats TETRA MoU SFPG Recommendation 07 Short data service encryption Currently being updated to reflect larger algorithm block sizes, e.g. 128 bits for AES TETRA MoU SFPG Recommendation 08 Framework for dividing encryption functionality between a SIM (smartcard) and a radio No defined bit level interface (export control issue) TETRA MoU SFPG Recommendation 11 IP Packet data encryption Work in process Will provide a suitable means for high security packet data encryption, with commonality with voice encryption

13 Implementing TETRA security
TETRA security measures are by no means the complete picture How well they are implemented – and how the implementation is evaluated is critical The rest of the network – what else connects to TETRA – is equally important The operational process and procedures equally provide countermeasures to the threats Link Other Network Other Network TETRA Network Other Network Landline

14 Implementation considerations – Air Interface Encryption
AIE should provide security equivalent to the fixed network There are several issues of trust here Do I trust that the AIE has been implemented properly? Does AIE always operate (during registration, in fallback modes etc)? Do I trust the way that the network (or radio) stores keys? Do I trust the fixed network itself or can someone break in? A strong AIE implementation and an evaluated network can provide essential protection of information An untested implementation and network may need reinforcing, for example with end to end encryption

15 Useful Recommendations
TETRA MoU SFPG Recommendation 03 – TETRA threat analysis Gives an idea of possible threats and countermeasures against a radio system TETRA MoU SFPG Recommendation 04 – Implementing TETRA security features Provides guidance on how to design and configure a TETRA system Both documents are restricted access requiring Non Disclosure Agreement with SFPG

16 Assuring your security solution
There are two important steps in assuring the security of the solution: Evaluation and Accreditation Evaluation of solutions should be by a trusted independent body Technical analysis of design and implementation Accreditation is the continual assessment of risks Assessment of threats vs solutions Procedural and technical solutions Should be undertaken by end user representative

17 Maximising cost effectiveness
Evaluation can be extremely expensive – how to get best value for money? Establish the requirements in advance as far as they are known – security is always a changing requirement! Look for suppliers with track record and reputation Look for validations of an equivalent solution elsewhere Consider expert help on processes and procedures

18 Summary: The essentials of a secure system
A strong standard A good implementation Experienced supplier Trusted evaluation Continual assessment of threats and solutions Standard EVALUATED

19

20 Military Operational Requirements (MOR)
NATO C3 Board has approved the MOR from a policy point of view MOR has to be implemented in MOR covers the use of Mobile Communications for Support Elements of NATO Activities The MOR addresses the use of Mobile Communications, within a non-hostile environment, allowing interoperability with systems of other NATO Forces, PfP nations and civil organisations, ensuring an appropriate level of security

21 NC3A SET - 2 SHF SATCOM Terminal
13 meter antenna located in the dunes near Nc3A-NL connected to the SATIN lab typical of a large NATO SGT

22 Example 4: SET 12 (System parameters)
Diameter size of the dish 1.2 m Transmit Gain: 37 dBi G/T 13 dB/K Maximal EIRP 55 dBW Power: 100 W antenna tracking (open loop) controlled via a laptop (rs 232) transportable , 6 transit cases, total weight < 350 kg fast setup and teardown by 2 persons Datarate depends on link budget and allocated resource 128 kbps duplex between Set 2 and Set 12 in Denmark on NATO IV

23 TETRA Extension Demonstration
NATO IV (channel 4) RS 449 64/128 kbps Copenhagen : SET 12 NC3A-NL TETRA BS modem modem RS 449 interface (satcom boundary) TETRA Switch

24 What security level do you want?
TETRA Class 1 TETRA Class 2 TETRA Class 3 TETRA w/ E2E algoritm on Smart Card TETRA w/ E2E SW algorithm in radio TETRA w/ E2E hardware solution using AES128 TETRA w/ E2E hardware solution using own algorithm TETRA your Service

25 www.motorola.com/tetra Jeppe.Jepsen@Motorola.com
Thank You 18

Download ppt "TETRA Security meeting needs of Military"

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Voice and Data Encryption over mobile networks July 2012 IN-NOVA TECNOLOGIC IN-ARG SA www.in-arg.com MESH VOIP.

Voice and Data Encryption over mobile networks July 2012 IN-NOVA TECNOLOGIC IN-ARG SA MESH VOIP.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Brian Murgatroyd UK Home Office

Brian Murgatroyd UK Home Office
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Su Youn Lee, Su Mi Lee and Dong Hoon Lee 2007.1.24 Current Trends in Theory and Practice of Computer Science Baekseok College of Cultural Studies GSIS.

Su Youn Lee, Su Mi Lee and Dong Hoon Lee Current Trends in Theory and Practice of Computer Science Baekseok College of Cultural Studies GSIS.
TETRA Inter System Interface (ISI)

TETRA Inter System Interface (ISI)
Myagmar, Gupta UIUC 2001 1 3G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.

Myagmar, Gupta UIUC G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.
Security Encryption and Management

Security Encryption and Management
1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The Internet offers no inherent security services to its users; the data transmitted.

1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The Internet offers no inherent security services to its users; the data transmitted.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.

Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
TWC 2005 Frankfurt 1 INTRODUCTION TO TETRA SECURITY Brian Murgatroyd UK Police IT Organization.

TWC 2005 Frankfurt 1 INTRODUCTION TO TETRA SECURITY Brian Murgatroyd UK Police IT Organization.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Information Security of Embedded Systems 20.1.2010: Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.

Information Security of Embedded Systems : Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.
Information Security of Embedded Systems 3.2.2010: Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Similar presentations

Ads by Google