180 likes | 446 Vues
TCA069D001 - . 2. Examining how to ensure the security of TETRA for Public Safety use. Identifying the key security features of TETRA and how these can be applied for Public Safety usePinpointing how encryption within TETRA can be most effective used for Public Safety applicationsExamining the ro
E N D
1. 1 TETRA @ Your Service The Security Mechanisms Designed into TETRA
Jeppe Jepsen
Motorola
2.
TCA069D001 - 2 Examining how to ensure the security of TETRA for Public Safety use Identifying the key security features of TETRA and how these can be applied for Public Safety use
Pinpointing how encryption within TETRA can be most effective used for Public Safety applications
Examining the role of user practices in ensuring security of TETRA systems
3.
TCA069D001 - 3 Why TetraSchengenPolice Corporation
4.
TCA069D001 - 4 TETRA is the only European interoperability standard for the digital trunked professional market place.
5.
TCA069D001 - 5 User Requirements TETRA was developed to address the unique integrated requirements of PMR and PAMR
Group and Broadcast Calls
Emergency Calls
Fast Access (<300 ms call set-up)
Direct Mode Operation (DMO)
Dispatch Operation
National Agency Encryption
Concurrent Voice + Data
Integrated Telephony
Scalable Infrastructure Presenter Notes
7 CLICKS
TETRA brings together mobile radio, mobile data, and mobile telephony, but the main unique aspect of TETRA is INTEGRATED SERVICES coupled with NETWORK SCALABILITY.
The unique services are:
- Multiple site, wide area all informed net for Group Calls and Broadcast Calls.
- Emergency Call - initiated by a simple button press, automatically alerting all users and the dispatcher in the initiators group. This facility will automatically drop the lowest priority call if the network is busy when an emergency call is initiated.
- Fast access (<300 ms call set-up) using a simple press to talk (PTT) switch for Group Calls and (preloaded) Terminal to Terminal calls
- Direct Mode Operation, which allows a group of terminal users to communicate in a local area independent of the network (more about this later)
- Support of end to end encryption meeting the requirements of national security organisations.
- Scalable Networks, from single site to nation-wide, matching a wide variety of user needs.Presenter Notes
7 CLICKS
TETRA brings together mobile radio, mobile data, and mobile telephony, but the main unique aspect of TETRA is INTEGRATED SERVICES coupled with NETWORK SCALABILITY.
The unique services are:
- Multiple site, wide area all informed net for Group Calls and Broadcast Calls.
- Emergency Call - initiated by a simple button press, automatically alerting all users and the dispatcher in the initiators group. This facility will automatically drop the lowest priority call if the network is busy when an emergency call is initiated.
- Fast access (<300 ms call set-up) using a simple press to talk (PTT) switch for Group Calls and (preloaded) Terminal to Terminal calls
- Direct Mode Operation, which allows a group of terminal users to communicate in a local area independent of the network (more about this later)
- Support of end to end encryption meeting the requirements of national security organisations.
- Scalable Networks, from single site to nation-wide, matching a wide variety of user needs.
6.
TCA069D001 - 6 Key security features of TETRA Security ?
Payload delivery security
Protection against traffic analysis, observance of user behavior
Protection against masquerading, replay, manipulation of data
What about denial of service, jamming, unauthorized use of resources
Authentication
Air Interface Encryption (AIE)
End to end Encryption
7.
TCA069D001 - 7
8.
TCA069D001 - 8 Authentication Authentication provides proof identity of all radios attempting use of the network.
A session key system from a central authentication centre allows key storage
Secret key need never be exposed
Authentication process derives air interface key (TETRA standard) As we have seen to run a class 3 system we require Authentication, but what is Authentication? Authentication provides proof of identity and takes the security of the system a step beyond that provided by simple registration. The basis of Authentication is that there is a shared secret between the two parties, in this case the subscriber and the SWiMi. The SWiMi sends a challenge based upon this secret to the subscriber and the subscriber sends a response. If the subscriber is who it claims to be, then the response will be the one expected by the SWiMi, therefore Authentication is complete.
There are some important points to note, first the secret is never transmitted outside of the Authentication Centre or the subscriber, session keys are used for the real time authentication. These keys are generated by the Authentication Centre and then distributed through the system to the appropriate Home Location Registers. Second the discussion has only looked at Authentication of the subscriber by the SWiMi, equally important in terms of security is the Authentication of the SWiMi by the subscriber. The subscriber can either turn an Authentication request by the SWiMi into a mutual Authentication, or independently request Authentication, for example prior to accepting a disable command. Finally the process of Authentication generates part of the Air Interface Encryption Keys, namely the Derived Cipher Key, or DCK.As we have seen to run a class 3 system we require Authentication, but what is Authentication? Authentication provides proof of identity and takes the security of the system a step beyond that provided by simple registration. The basis of Authentication is that there is a shared secret between the two parties, in this case the subscriber and the SWiMi. The SWiMi sends a challenge based upon this secret to the subscriber and the subscriber sends a response. If the subscriber is who it claims to be, then the response will be the one expected by the SWiMi, therefore Authentication is complete.
There are some important points to note, first the secret is never transmitted outside of the Authentication Centre or the subscriber, session keys are used for the real time authentication. These keys are generated by the Authentication Centre and then distributed through the system to the appropriate Home Location Registers. Second the discussion has only looked at Authentication of the subscriber by the SWiMi, equally important in terms of security is the Authentication of the SWiMi by the subscriber. The subscriber can either turn an Authentication request by the SWiMi into a mutual Authentication, or independently request Authentication, for example prior to accepting a disable command. Finally the process of Authentication generates part of the Air Interface Encryption Keys, namely the Derived Cipher Key, or DCK.
9.
TCA069D001 - 9 Tetra Authentication mapping to network elements We have looked generically how Authentication works, this slide shows how it will be implemented within a Dimetra system. Again for simplicity authentication of the subscriber only is shown. As you can see the real-time authentication is carried out by the Zone Controller.
The session key is generated in the Authentication Centre using a Random Seed and K. The information is passed to the Zone Controller, via the Zone Manager, which now has the capability of performing Authentication of the subscriber. The EBTS takes no active part in the Authentication process, however, once this is completed the Derived Cipher Key is passed down to the site for real time use. Authentication is completed if the subscriber result, RES1, matches the Zone Controller result XRES1. As mentioned earlier you can see that the secret key K is never exposed to any part of the system outside the Authentication Centre or subscriber.We have looked generically how Authentication works, this slide shows how it will be implemented within a Dimetra system. Again for simplicity authentication of the subscriber only is shown. As you can see the real-time authentication is carried out by the Zone Controller.
The session key is generated in the Authentication Centre using a Random Seed and K. The information is passed to the Zone Controller, via the Zone Manager, which now has the capability of performing Authentication of the subscriber. The EBTS takes no active part in the Authentication process, however, once this is completed the Derived Cipher Key is passed down to the site for real time use. Authentication is completed if the subscriber result, RES1, matches the Zone Controller result XRES1. As mentioned earlier you can see that the secret key K is never exposed to any part of the system outside the Authentication Centre or subscriber.
10.
TCA069D001 - 10 Authentication Centre security Level of AuC security is essential to meet security approval
Quantity of key material can raise protective marking level
Requires additional protection over standard database techniques to achieve approval
Good design of AuC can use hardware crypto with tamper proofing and active erase facility to protect keys
The Authentication Centre becomes one of the critical areas in the security of the system. This is the single point in the system where all the information needed to clone subscriber units is held. For an operator this can mean vast amounts of lost revenue, for a Government it can lead to a denial of service attack.
To overcome this the Authentication Centre within Dimetra is based upon the proven Key Management Facility (KMF). The storage techniques used within the KMF are ideally suited to protecting the information held within the Authentication Centre. A hardware based Crypto module, with tamper detection and response, is used to generate keys for use within the system and encrypt the data held within the Authentication Centre.
The Authentication Centre also manages the Air Interface keys, SCK, CCK and GCK in much the same way as the traditional KMF does, distributing these to the relevant parts of the system. While there is the internal Key Generator available the Authentication Centre can also accept key material from an external source, using standard medium such as a CD.
The Authentication Centre becomes one of the critical areas in the security of the system. This is the single point in the system where all the information needed to clone subscriber units is held. For an operator this can mean vast amounts of lost revenue, for a Government it can lead to a denial of service attack.
To overcome this the Authentication Centre within Dimetra is based upon the proven Key Management Facility (KMF). The storage techniques used within the KMF are ideally suited to protecting the information held within the Authentication Centre. A hardware based Crypto module, with tamper detection and response, is used to generate keys for use within the system and encrypt the data held within the Authentication Centre.
The Authentication Centre also manages the Air Interface keys, SCK, CCK and GCK in much the same way as the traditional KMF does, distributing these to the relevant parts of the system. While there is the internal Key Generator available the Authentication Centre can also accept key material from an external source, using standard medium such as a CD.
11.
TCA069D001 - 11 What is Air Interface Encryption (AIE)? First level encryption used to protect information over the Air Interface
Typically software implementation
AIE is System Wide
3 different Classes
Class 1
No Encryption, can include Authentication
Class 2
Static Cipher Key Encryption, can include Authentication
Class 3
Dynamic Cipher Key Encryption
Requires Authentication What is Air Interface Encryption? Well, it is the first level of protection over the air interface, it encrypts all voice and data, together with most of the signalling associated with TETRA calls. Examples of non-encrypted calls and signalling are: broadcast calls and initial registration. AIE is typically implemented in software, the protection level, as can be seen later, does not warrant the expense of a crypto module.
AIE is defined as part of the TETRA standard and will be included in interoperability testing.
One of the important things to note about AIE is that it is System wide and not under the control of the user. However,there are different conditions under which the system can operate and the standard takes account of this. There are three security classes under which the system can operate: Class 1, here there is no encryption, but there could be authentication. Class 2, encryption is on, but only Static Cipher Key is available, again authentication could be available. Finally there is Class 3, this is when Dynamic Encryption is being used and by definition Authentication has to be present. Typically Class 2 is used for fallback operation, for example when Authentication is not available, or if a site becomes isolated.What is Air Interface Encryption? Well, it is the first level of protection over the air interface, it encrypts all voice and data, together with most of the signalling associated with TETRA calls. Examples of non-encrypted calls and signalling are: broadcast calls and initial registration. AIE is typically implemented in software, the protection level, as can be seen later, does not warrant the expense of a crypto module.
AIE is defined as part of the TETRA standard and will be included in interoperability testing.
One of the important things to note about AIE is that it is System wide and not under the control of the user. However,there are different conditions under which the system can operate and the standard takes account of this. There are three security classes under which the system can operate: Class 1, here there is no encryption, but there could be authentication. Class 2, encryption is on, but only Static Cipher Key is available, again authentication could be available. Finally there is Class 3, this is when Dynamic Encryption is being used and by definition Authentication has to be present. Typically Class 2 is used for fallback operation, for example when Authentication is not available, or if a site becomes isolated.
12.
TCA069D001 - 12 TETRA Air Interface Encryption ANIMATED SLIDE
So what is the point of Air Interface Encryption? Well the best way to describe this is to think of the following scenario. The TETRA information is available at the Air Interface and on the fixed links. (next slide).
The fixed links have an inherent security associated with them. As an attacker I have to physically get access to a network and then determine the routing etc. Therefore there is a wall of a specific height I have to climb. (next slide).
However, the Air Interface is still relatively vulnerable, the argument that it is digital and even TDMA is not valid for anything other than the extremely casual attack! (next slide)
So Air Interface Encryption was designed to increase the security of the air interface to the same level as that inherently provided by the network. There is no point in making the Air Interface more protected than the network, otherwise the attack is moved to the now relatively vulnerable network. There is some talk about extending Air Interface Encryption to some point further down the network to give more protection. This gains nothing, effectively you are building one wall behind another, both of equal height, all this does is give the attacker a firmer base to stand upon when he climbs over!ANIMATED SLIDE
So what is the point of Air Interface Encryption? Well the best way to describe this is to think of the following scenario. The TETRA information is available at the Air Interface and on the fixed links. (next slide).
The fixed links have an inherent security associated with them. As an attacker I have to physically get access to a network and then determine the routing etc. Therefore there is a wall of a specific height I have to climb. (next slide).
However, the Air Interface is still relatively vulnerable, the argument that it is digital and even TDMA is not valid for anything other than the extremely casual attack! (next slide)
So Air Interface Encryption was designed to increase the security of the air interface to the same level as that inherently provided by the network. There is no point in making the Air Interface more protected than the network, otherwise the attack is moved to the now relatively vulnerable network. There is some talk about extending Air Interface Encryption to some point further down the network to give more protection. This gains nothing, effectively you are building one wall behind another, both of equal height, all this does is give the attacker a firmer base to stand upon when he climbs over!
13.
TCA069D001 - 13 Dimetra Air Interface Encryption Full Implementation of AIE
Authentication
Static Cipher Key
Common Cipher Key
Derived Cipher Key
Group Cipher Key
Modified Group Cipher Key
TEA 1, 2, 3 and TEA 4 algorithms
Authentication Centre
High grade key storage
Key Management
Key Loader
So, that is TETRA Air Interface Encryption, what about our product Dimetra. As you can see we will have the complete package, including a key mangement system, although as stated this will be phased in over a period of time.
The phased approach comes about for several reasons, two of which are worth noting. The first is that TETRA is still a relatively new technology from a commercial development point of view, compared to APCO 25 it is several years behind. Therefore not all the features can be implemented at once, apart from the sheer development effort, there is the much more practical issue of ensuring that systems work reliably and meet the specification, allowing for interoperability among manufacturers. Equally important is the fact that the security section of the standard is not completely finalised, the Public Enquiry has been completed and the final version of the standard is being written.So, that is TETRA Air Interface Encryption, what about our product Dimetra. As you can see we will have the complete package, including a key mangement system, although as stated this will be phased in over a period of time.
The phased approach comes about for several reasons, two of which are worth noting. The first is that TETRA is still a relatively new technology from a commercial development point of view, compared to APCO 25 it is several years behind. Therefore not all the features can be implemented at once, apart from the sheer development effort, there is the much more practical issue of ensuring that systems work reliably and meet the specification, allowing for interoperability among manufacturers. Equally important is the fact that the security section of the standard is not completely finalised, the Public Enquiry has been completed and the final version of the standard is being written.
14.
TCA069D001 - 14 Air Interface Encryption - the Keys ANIMATED SLIDE
As you have probably realised Air Interface Encryption is somewhat more complicated than the traditional encryption we have been used to in Mobile Radio systems. Lets go through the keys one by one and visually see how they are used. (next slide)
First we have a simple DMO scenario, in effect this is very similar to our traditional one, we have a selection of subscribers all using the same symmetric key, in this case a Static Cipher Key. Different DMO groups could use different keys, again similar to our existing systems. (next slide)
Next let's look at the case where we have a conversation taking place through a repeater. Once again the users are using a Static Cipher Key, but this time it would be fixed for all groups as this is the system fall-back key.(next slide)
Now we move to a more normal mode of operation. There is a complete infrastructure available, including an Authentication Centre. In this case the subscribers communicate to the base-site using their unique Derived Cipher Keys or DCK. The base-site talks to the subscribers using its Common Cipher Key or CCK. Therefore from site A all downlink communications will be encrypted with CCKA. Therefore any repeated audio is decrypted and encrypted again at the base-site. If the group call is across several sites then the audio link through the infrastructure is clear. (next slide). For an individual call, DCK is used for both the up and the down link.
Moving on to the final set of keys, Group Cipher Keys or GCK. Group Cipher keys are used for the downlink communication instead of the CCK. This provides added security on a shared system by allowing different user groups to have their own unique key.
Looking at the diagram you will see that GCK does not exist, however there is a MGCK. This is the Modified Group Cipher Key, this is the Group Cipher Key modified with the site Common Cipher Key. This allows the GCK to be a long term key as it is never used in its raw state. Another facet of this is that users in the same group, but at different sites will have different MGCKs.
A couple of final points to note about the keys, SCKs, CCK and GCK are managed keys, while DCK is not, it is a by product of the Authentication process.ANIMATED SLIDE
As you have probably realised Air Interface Encryption is somewhat more complicated than the traditional encryption we have been used to in Mobile Radio systems. Lets go through the keys one by one and visually see how they are used. (next slide)
First we have a simple DMO scenario, in effect this is very similar to our traditional one, we have a selection of subscribers all using the same symmetric key, in this case a Static Cipher Key. Different DMO groups could use different keys, again similar to our existing systems. (next slide)
Next let's look at the case where we have a conversation taking place through a repeater. Once again the users are using a Static Cipher Key, but this time it would be fixed for all groups as this is the system fall-back key.(next slide)
Now we move to a more normal mode of operation. There is a complete infrastructure available, including an Authentication Centre. In this case the subscribers communicate to the base-site using their unique Derived Cipher Keys or DCK. The base-site talks to the subscribers using its Common Cipher Key or CCK. Therefore from site A all downlink communications will be encrypted with CCKA. Therefore any repeated audio is decrypted and encrypted again at the base-site. If the group call is across several sites then the audio link through the infrastructure is clear. (next slide). For an individual call, DCK is used for both the up and the down link.
Moving on to the final set of keys, Group Cipher Keys or GCK. Group Cipher keys are used for the downlink communication instead of the CCK. This provides added security on a shared system by allowing different user groups to have their own unique key.
Looking at the diagram you will see that GCK does not exist, however there is a MGCK. This is the Modified Group Cipher Key, this is the Group Cipher Key modified with the site Common Cipher Key. This allows the GCK to be a long term key as it is never used in its raw state. Another facet of this is that users in the same group, but at different sites will have different MGCKs.
A couple of final points to note about the keys, SCKs, CCK and GCK are managed keys, while DCK is not, it is a by product of the Authentication process.
15.
TCA069D001 - 15 The importance of Air Interface encryption Many threats other than eavesdropping
traffic analysis, observance of user behaviour
Strong authentication
AI protects control channel messages as well as voice and data payloads
encrypted registration protects ITSIs
End to end encryption if used alone is much weaker (it only protects the payload)
16.
TCA069D001 - 16 What does Tetra provide within End-to-End encryption End to end encryption uses more secure implementations
End to end encryption uses larger keys
End to end encryption uses longer synchronisation vectors
We have spent some time talking about Air Interface Encryption and Authentication and I would like to turn our attention to End-to-End Encryption.
End-to-End Encryption is used for more secure communications, the concept here is that the encryption is done at the traffic source and the decryption only takes place at the receiving point. There is no intermediate decryption/encryption taking place within the system. Air Interface Encryption is clearly not End-to-End because the message is decrypted at the Base Site and then encrypted again, with a different key, before being transmitted out to other users. Even if I take the decryption/encryption process further back along the network I would not have End-to-End. Within a TETRA system End-to-End is even more important for these security conscious users as they are probably not the owners of the system and are likely to be sharing it with other organisations.
Because of the additional security, End-to-End is usually implemented differently to Air Interface Encryption i.e. it is hardware based rather than software. Being hardware based allows for the inclusion of Tamper Detection and response, providing that extra security for the key information. A dedicated processor is available, adding to the security as well as allowing greater processing power for the handling of encryption and associated functionality.
End-to-End encryption tends to provide additional security through greater key lengths and longer Synchronisation Vectors, as you can see from the comparison on the slide, the number of keys available to a End-to-End algorithms as opposed to TEA 1 and TEA 2 is significantly larger. We have spent some time talking about Air Interface Encryption and Authentication and I would like to turn our attention to End-to-End Encryption.
End-to-End Encryption is used for more secure communications, the concept here is that the encryption is done at the traffic source and the decryption only takes place at the receiving point. There is no intermediate decryption/encryption taking place within the system. Air Interface Encryption is clearly not End-to-End because the message is decrypted at the Base Site and then encrypted again, with a different key, before being transmitted out to other users. Even if I take the decryption/encryption process further back along the network I would not have End-to-End. Within a TETRA system End-to-End is even more important for these security conscious users as they are probably not the owners of the system and are likely to be sharing it with other organisations.
Because of the additional security, End-to-End is usually implemented differently to Air Interface Encryption i.e. it is hardware based rather than software. Being hardware based allows for the inclusion of Tamper Detection and response, providing that extra security for the key information. A dedicated processor is available, adding to the security as well as allowing greater processing power for the handling of encryption and associated functionality.
End-to-End encryption tends to provide additional security through greater key lengths and longer Synchronisation Vectors, as you can see from the comparison on the slide, the number of keys available to a End-to-End algorithms as opposed to TEA 1 and TEA 2 is significantly larger.
17.
TCA069D001 - 17 Standardised end to end in TETRA Many organisations want their own algorithm
Confidence in strength
Better control over distribution
ETSI Project TETRA provides standardised support for end to end Encryption
To give TETRA standard alternative to proprietary offerings and technologies
TETRA MoU Security and fraud Protection Group
Provides detailed recommendation on how to implement end to end encryption in TETRA
Provides sample implementation using IDEA Algorithm One of the biggest issues when discussing End-to-End encryption in TETRA is the fact that there was no standard. This defeats the concept of open standards, buy from any manufacture, etc. as manufacturers will offer their own algorithms, at least those with the capability will. This is now being addressed and there will be at least one TETRA standard End-to-End algorithm that all manufacturers can offer in their systems. Apart from the algorithm, work is also ongoing in defining Key Management and some of the associated commands.
While this works well for Commercial organisations, it does not necessarily fit the requirement of Governments and Military. These organisations may be looking for their own algorithm, possibly they already have one they want to use, or one will be developed.
This does lead to a dilemma, while we have a product that is capable of accepting virtually any algorithm designed for this level of security, there are severe export controls on this type of technology. This does not prevent us discussing the concept of Home Country algorithms, but export licenses, primarily US, will need to be obtained before the details can be discussed. One of the biggest issues when discussing End-to-End encryption in TETRA is the fact that there was no standard. This defeats the concept of open standards, buy from any manufacture, etc. as manufacturers will offer their own algorithms, at least those with the capability will. This is now being addressed and there will be at least one TETRA standard End-to-End algorithm that all manufacturers can offer in their systems. Apart from the algorithm, work is also ongoing in defining Key Management and some of the associated commands.
While this works well for Commercial organisations, it does not necessarily fit the requirement of Governments and Military. These organisations may be looking for their own algorithm, possibly they already have one they want to use, or one will be developed.
This does lead to a dilemma, while we have a product that is capable of accepting virtually any algorithm designed for this level of security, there are severe export controls on this type of technology. This does not prevent us discussing the concept of Home Country algorithms, but export licenses, primarily US, will need to be obtained before the details can be discussed.
18.
TCA069D001 - 18 Summary
Message related threats
interception, eavesdropping, masquerading, replay, manipulation of data
User related threats
traffic analysis, observability of user behaviour
System related threats
denial of service, jamming, unauthorized use of resources