Scribd Logo
Upload

Welcome to Scribd!

  • 6 Security Tetra

    Uploaded by

    Ricardo Agustín Solalinde
    145 views20 pages
    TETRA segurity slides

    Original Title

    6 Security tetra

    Copyright

    © © All Rights Reserved

    Available Formats

    PPS, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    TETRA segurity slides

    Copyright:

    © All Rights Reserved
    Download as PPS, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    145 views20 pages

    6 Security Tetra

    Uploaded by

    Ricardo Agustín Solalinde
    TETRA segurity slides

    Copyright:

    © All Rights Reserved
    Download as PPS, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 20

    TETRA SECURITY

    Brian Murgatroyd
    UK Home Office

    Agenda
    Why security is important in TETRA systems
    Overview of TETRA security features
    Authentication
    Air interface encryption
    Key Management
    Terminal Disabling
    Using SIMs
    End to End Encryption

    Security Threats
    What are the main threats to your system?
    Confidentiality?
    Availability?
    Integrity?

    Message Related Threats


    interception
    by hostile government agencies

    eavesdropping

    by hackers, criminals, terrorists

    Confidentiality
    masquerading

    pretending to be legitimate user

    manipulation of data
    changing messages

    Replay

    Integrity

    recording messages and replaying them later

    User Related Threats

    traffic analysis

    Confidentiality
    getting intelligence from patterns of the traffic-frequencymessage lengths-message types

    observability of user behaviour

    Confidentiality
    examining where the traffic is observed - times of day-number
    of users

    System Related Threats


    denial of service

    Availability

    preventing the system working by attempting to use up


    capacity

    jamming

    Availability

    Using RF energy to swamp receiver sites

    unauthorized use of resources

    Integrity

    Illicit use of telephony, interrogation of secure databases

    TETRA Security features


    Authentication
    Air Interface encryption
    Temporary /permanent disabling
    Aliasing/User logon
    Ambience listening
    Discrete Listening
    Lawful Interception

    Security Classes

    Class Authentication

    Encryption

    1 Optional None 2 Optional Static ESI


    3 Mandatory
    Dynamic ESI

    Other

    Authentication
    Used to ensure that terminal is genuine and
    allowed on network.
    Mutual authentication ensures that in
    addition to verifying the terminal, the SwMI
    can be trusted.
    Authentication requires both SwMI and
    terminal have proof of secret key.
    Successful authentication permits further
    security related functions to be
    downloaded.

    Authentication process
    Mobile
    Base station
    Centre
    K

    Authentication

    Random
    Seed (RS)

    TA11
    KS

    TA12

    Result

    RS
    Rand

    Rand
    TA12

    RS
    TA11

    Expected Result
    Same?

    KS
    (Session key)

    Deriving DCK from mutual authentication


    RAND1

    Result 1

    KS
    DCK1
    DCK
    RAND2

    DCK2

    KS
    Result 2

    Air Interface keys


    Four traffic keys are used in class 3
    systems:Derived cipher Key (DCK)

    derived from authentication process used for protecting


    uplink, one to one calls

    Common Cipher Key(CCK)

    protect downlink group calls and ITSI on initial


    registration

    Group Cipher Key(GCK)

    Provides crypto separation, combined with CCK

    Static Cipher Key(SCK)

    Used for protecting DMO and TMO fallback mode

    Over the Air Re-Keying (OTAR)


    KSO
    (GSKO)

    DCK
    GCK

    CCK

    SCK

    BS
    CCK

    GCK

    SCK

    AI
    MS

    DCK

    KSO
    (GSKO)
    CCK

    MGCK

    SCK

    Encryption Process

    Traffic
    Key
    Initialisation
    Vector (IV)
    Clear data in
    A BC D E F G H I

    Key Stream Generator


    (TEA[x])
    Key Stream

    Encrypted data out


    y 4M v# Qt q c
    Modulo 2 addition (XOR)

    Disabling of terminals
    Vital to ensure the reduction of risk of
    threats to system by stolen and lost
    terminals
    Relies on the integrity of the users to report
    losses quickly and accurately.
    May be achieved by removing subscription
    and/or disabling terminal
    Disabling may be either temporary or
    permanent
    Permanent disabling removes all keys
    including (k)
    Temporary disabling removes all traffic keys
    but allows ambience listening

    Security and SIMs


    Many second generation terminals may use
    SIMs
    SIM contains all personalization information
    Secret key(k) and ITSI must be on SIM if
    complete SIM mobility required.
    Design must be able to prevent the secret
    key (k) and traffic keys being extracted
    May be possible to only have talkgroup and
    phonebook information on SIM (leave ITSI/K
    in terminal)

    End to End Encryption

    End to end encryption features


    No need to trust infrastructure- no
    intermediate decoding.
    Additional synchronization carried in stolen
    half frames
    Standard algorithms available or national
    solutions
    Local Key Management Centres managed
    by User
    Keys received from national COMSEC

    End to end keys


    Traffic encryption key(TEK). Three editions
    used in terminal to give key overlap.
    Group Key encryption key(GEK) used to
    protection TEKs during OTAR.
    Unique KEK(long life) used to protect GEKs
    during OTAR.
    Signalling Encryption Keys (SEK) used
    optionally for control traffic

    Conclusions
    Security functions built in from the start!
    User friendly and transparent key
    management.
    Air interface encryption protects control
    traffic, IDs as well as voice and user traffic.
    Key management comes without user
    overhead because of OTAR.
    Well developed end to end encryption for
    users with very sensitive data to protect.

    You might also like