INTRODUCTION TO TETRA SECURITY Brian Murgatroyd TWC 2003 Copenhagen Agenda • Why security is important in TETRA systems • Overview of TETRA security features • Authentication • Air.
Download
Report
Transcript INTRODUCTION TO TETRA SECURITY Brian Murgatroyd TWC 2003 Copenhagen Agenda • Why security is important in TETRA systems • Overview of TETRA security features • Authentication • Air.
INTRODUCTION TO TETRA
SECURITY
Brian Murgatroyd
TWC 2003 Copenhagen
1
Agenda
• Why security is important in TETRA
systems
• Overview of TETRA security features
• Authentication
• Air interface encryption
• Key Management
• Terminal Disabling
• End to End Encryption
TWC 2003 Copenhagen
2
Security Threats
• What are the main threats to your
system?
• Confidentiality?
• Availability?
• Integrity?
TWC 2003 Copenhagen
3
Message Related Threats
• interception
Confidentiality
– by hostile government agencies
• eavesdropping
– by hackers, criminals, terrorists
• masquerading
– pretending to be legitimate user
• manipulation of data.
Integrity
– changing messages
• Replay
– recording messages and replaying them later
TWC 2003 Copenhagen
4
User Related Threats
• traffic analysis
Confidentiality
– getting intelligence from patterns of the traffic-frequencymessage lengths-message types
• observability of user behaviour. Confidentiality
– examining where the traffic is observed - times of day-number
of users
TWC 2003 Copenhagen
5
System Related Threats
• denial of service
Availability
– preventing the system working by attempting to use up capacity
• jamming
Availability
– Using RF energy to swamp receiver sites
• unauthorized use of resources
Integrity
– Illicit use of telephony, interrogation of secure databases
TWC 2003 Copenhagen
6
TETRA Air Interface security functions
• Authentication
• TETRA has strong mutual authentication requiring knowledge
of secret key
• Encryption
– Dynamic key encryption (class 3)
• Static key encryption (class2)
• Terminal Disabling
• Secure temporary or permanent disable
• Over the Air Re-keying (OTAR)
• for managing large populations without user overhead
• Aliasing/User logon
• To allow association of user to terminal
TWC 2003 Copenhagen
7
User authentication (aliasing)
•
•
•
•
•
•
•
Second layer of security
Ensures the user is associated with terminal
User logon to network aliasing server
log on with Radio User Identity and PIN
Very limited functionality allowed prior to log on
Log on/off not associated with terminal registration
Could be used as access control for applications as
well as to the Radio system
TWC 2003 Copenhagen
8
Security Classes
Class
1
2
3
Authentication Encryption
Optional
Optional
Mandatory
None
Static
Dynamic
TWC 2003 Copenhagen
Other
ESI
ESI
9
Authentication
• Used to ensure that terminal is genuine and
allowed on network.
• Mutual authentication ensures that in addition
to verifying the terminal, the SwMI can be
trusted.
• Authentication requires both SwMI and
terminal have proof of secret key.
• Successful authentication permits further
security related functions to be downloaded.
TWC 2003 Copenhagen
10
Authentication process
Mobile
Base station
Authentication Centre
K
K
TA11
KS
TA12
RS
Rand
Rand
TA12
RS
TA11
Expected Result
Result
Random
Seed (RS)
KS
(Session key)
Same?
TWC 2003 Copenhagen
11
Deriving DCK from mutual authentication
Infrastructure-MS
authentication
DCK1
TB4
MS-Infrastructure
authentication
DCK
DCK2
TWC 2003 Copenhagen
12
Encryption Process
Traffic Key
Key Stream Generator
(TEA[x])
CN
LA
Combining
algorithm (TB5)
Key Stream Segments
CC
Initialisation
Vector (IV)
Clear data in
Encrypted data out
A BCDE F G H I
y 4M v# Qt q c
Modulo 2 addition (XOR)
TWC 2003 Copenhagen
13
Air Interface traffic keys
• Four traffic keys are used in class 3 systems:• Derived cipher Key (DCK)
– derived from authentication process used for protecting uplink, one to
one calls
• Common Cipher Key(CCK)
– protects downlink group calls and ITSI on initial registration
• Group Cipher Key(GCK)
– Provides crypto separation, combined with CCK
• Static Cipher Key(SCK)
– Used for protecting DMO and TMO fallback mode
TWC 2003 Copenhagen
14
DMO Security
Implicit Authentication
Static Cipher keys
No disabling
TWC 2003 Copenhagen
15
TMO SCK OTAR scheme
TETRA Infrastructure
Key Management
Centre
•
•
•
DMO SCKs must be distributed when terminals are operating in
TMO.
In normal circumstances, terminals should return to TMO
coverage within a key lifetime
A typical DMO SCK lifetime may be between 2 weeks and 6
months
TWC 2003 Copenhagen
16
Key Overlap scheme used for DMO
SCKs
Past
•
•
•
Transmit
Present
Receive
Future
The scheme uses Past, Present and Future versions of an SCK.
System Rules
– Terminals may only transmit on their Present version of the key.
– Terminals may receive on any of the three versions of the key.
This scheme allows a one key period overlap.
TWC 2003 Copenhagen
17
Disabling of terminals
• Vital to ensure the reduction of risk of threats
to system by stolen and lost terminals
• Relies on the integrity of the users to report
losses quickly and accurately.
• May be achieved by removing subscription
and/or disabling terminal
• Disabling may be either temporary or
permanent
• Permanent disabling removes all keys
including (k)
• Temporary disabling removes all traffic keys
but allows ambience listening
TWC 2003 Copenhagen
18
End to end encryption
MS
Network
Air interface security between MS and network
End-to-end security between MS’s
MS
• Protects messages
across an untrusted
infrastructure
• Provides enhanced
confidentiality
• Voice and SDS
services
• IP data services (soon)
TWC 2003 Copenhagen
19
End to end encryption features
• Additional synchronization carried in
stolen half frames
• Standard algorithms available or
national solutions
• Key Management in User Domain
TWC 2003 Copenhagen
20
Limitations of End to End Encryption
• Only protects the user payload (confidentiality
protection)
• Requires a transparent network - no transcoding-All
the bits encrypted at the transmitting end must be
decrypted at the receiver
• Will not work outside the TETRA domain
• frequent transmission of synchronization vector
needs to ensure good late entry capability but as
frame stealing is used this may impact slightly on
voice quality.
TWC 2003 Copenhagen
21
End to end keys
• Traffic encryption key(TEK). Three editions
used in terminal to give key overlap.
• Group Key encryption key(GEK) used to
protection TEKs during OTAR.
• Unique KEK(long life) used to protect GEKs
during OTAR.
• Signalling Encryption Keys (SEK) used
optionally for control traffic
TWC 2003 Copenhagen
22
Benefits of end to end encryption with
Air Interface encryption
• Air interface (AI) encryption alone and end to end
encryption alone both have their limitations
• For most users AI security measures are
completely adequate
• Where either the network is untrusted, or the data
is extremely sensitive then end to end encryption
may be used in addition
• Brings the benefit of encrypting addresses and
signalling as well as user data across the Air
Interface and confidentiality right across the
network
TWC 2003 Copenhagen
23
Conclusions
• Security functions built in from the
start!
• User friendly and transparent key
management.
• Air interface encryption protects
control traffic, IDs as well as voice and
user traffic.
• Key management comes without user
overhead because of OTAR.
TWC 2003 Copenhagen
24