Understanding TETRA Security


Brian Murgatroyd
TETRA Association, former chairman of the Security and Fraud Prevention Group (SFPG)
Warren Systems, Independent Security Consultant
brian@warrensystems.co.uk

Agenda
- What is communications security?
- Security threats to TETRA systems
- Overall system security measures
- TETRA security features: authentication, air interface encryption, terminal disabling, end-to-end encryption

What is Communications Security?
- Ensuring that threats to a communications system are sufficiently and appropriately reduced by technical, procedural and environmental countermeasures
- Proportionality is vital: only put in countermeasures for those threats that are deemed important for the business, otherwise costs may be prohibitive
- Requires detailed analysis of threats, vulnerabilities and risk, and a security management strategy

Security Threats
- Confidentiality: eavesdropping, interception of the radio path or of the network
- Availability: denial of service (jamming, switching off the network, natural disasters)
- Integrity: messages are delivered unchanged; only authorized terminals and users are allowed on the system

Overall TETRA Security Management Strategy
- Develop a security management strategy plan; generate a system security plan based on a threat and vulnerability assessment
- Undertake risk assessment and gap analysis
- Ensure network management and procedures are sufficient
- Provide technical security countermeasures to the radio system: authentication, air interface encryption, terminal disabling, end-to-end encryption

Network Security
- IT security is vital in TETRA networks
- Gateways are particularly vulnerable
- Firewalls are required at all access points to the network
- Network staff need vetting
- Users may need some degree of vetting

Main TETRA security countermeasures
- Authentication: ensures that only valid subscriber units have access to the system, and that subscribers will only try to access the authorized system
- Air Interface Encryption: protects all signalling, identity and traffic across the radio link
- Terminal disabling: ensures lost and stolen terminals are not a threat to network security
- End-to-End Encryption: protects user data all the way through the system with high levels of protection

TETRA security classes

Class   Encryption    OTAR        Authentication
1       No            No          Optional
2       Static key    Optional    Optional
3       Dynamic key   Mandatory   Mandatory

Authentication (diagram: authentication of a terminal by the network)
A unique secret key K is known only to the Authentication Centre and the MS.
- Authentication Centre: generates a random seed RS and computes the session key KS = TA11(K, RS); passes RS and KS to the switch, so the switch never holds K itself
- Switch: generates a random number RAND1 and computes the expected response XRES1 and the derived cipher key DCK1 = TA12(KS, RAND1); sends the challenge (RS, RAND1) to the MS via the base station
- MS: computes KS = TA11(K, RS), then RES1 and DCK1 = TA12(KS, RAND1); returns the response RES1
- Switch: compares RES1 with XRES1; on a match the MS is authenticated and both sides hold DCK1

Air interface encryption protection (diagram: MS, base station, infrastructure and dispatcher, showing where each mechanism applies)
1. Authentication: between the MS and the network
2. Air Interface Encryption: across the radio link between the MS and the base station
3. End-to-End Encryption: across the whole path through the infrastructure

Authentication
- Used to ensure that the terminal is genuine and allowed on the network
- Mutual authentication ensures that, in addition to verifying the terminal, the SwMI can be trusted
- Authentication requires that both the SwMI and the terminal have proof of the unique secret key
- Successful authentication permits further security-related functions to be downloaded
- Secret keys are provisioned securely in accordance with SFPG Recommendation 01
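The exchange on the authentication slides, written out as a runnable message flow. This is an added example by the editor, not code from the slides or from ETSI: the real TA11 and TA12 are proprietary and are not reproduced, so HMAC-SHA256 stand-ins with the same input/output shape take their place, and the field lengths, the class names (AuthenticationCentre, Switch, Terminal), the ITSI and the key bytes are constructed for the example. What the code does show faithfully is the division of knowledge the slide describes: K stays in the Authentication Centre, the switch receives only RS and KS and can issue as many fresh RAND1 challenges as it likes, and a captured RES1 is useless against the next challenge.

```python
"""
TETRA-style challenge-response authentication of a terminal (MS) by the network:
AuC -> switch: (RS, KS);  switch -> MS: (RS, RAND1);  MS -> switch: RES1.

ASSUMPTIONS (editor's illustration): TA11/TA12 are replaced by HMAC-SHA256
stand-ins of the same shape; field lengths, ITSIs and key bytes are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional


def ta11(k: bytes, rs: bytes) -> bytes:
    """Stand-in for TA11: session authentication key KS from K and random seed RS."""
    return hmac.new(k, b"TA11" + rs, hashlib.sha256).digest()


def ta12(ks: bytes, rand1: bytes) -> tuple[bytes, bytes]:
    """Stand-in for TA12: (RES1, DCK1) from KS and the challenge RAND1."""
    out = hmac.new(ks, b"TA12" + rand1, hashlib.sha256).digest()
    return out[:4], out[4:14]  # 4-byte response, 10-byte derived cipher key (illustrative sizes)


class AuthenticationCentre:
    """Holds the long-term secret key K of each terminal; K never leaves here."""

    def __init__(self) -> None:
        self._k: dict[str, bytes] = {}

    def provision(self, itsi: str, k: bytes) -> None:
        self._k[itsi] = k

    def session_material(self, itsi: str) -> tuple[bytes, bytes]:
        """Give the switch (RS, KS) so it can run challenges without ever seeing K."""
        rs = os.urandom(10)
        return rs, ta11(self._k[itsi], rs)


class Switch:
    """SwMI side: issues fresh RAND1 challenges and checks the responses."""

    def __init__(self, auc: AuthenticationCentre) -> None:
        self._auc = auc
        self._session: dict[str, tuple[bytes, bytes]] = {}  # itsi -> (RS, KS) from the AuC
        self._pending: dict[str, tuple[bytes, bytes]] = {}  # itsi -> (XRES1, DCK1) outstanding
        self.dck: dict[str, bytes] = {}                      # DCK in use per authenticated terminal

    def challenge(self, itsi: str) -> tuple[bytes, bytes]:
        if itsi not in self._session:
            self._session[itsi] = self._auc.session_material(itsi)
        rs, ks = self._session[itsi]
        rand1 = os.urandom(10)             # fresh for every challenge: this is what defeats replay
        self._pending[itsi] = ta12(ks, rand1)
        return rs, rand1

    def verify(self, itsi: str, res1: bytes) -> bool:
        if itsi not in self._pending:
            return False                   # no outstanding challenge for this terminal
        xres1, dck1 = self._pending.pop(itsi)
        if not hmac.compare_digest(res1, xres1):
            return False
        self.dck[itsi] = dck1              # both sides now share DCK1 for air interface encryption
        return True


class Terminal:
    def __init__(self, itsi: str, k: bytes) -> None:
        self.itsi = itsi
        self._k = k
        self.dck: Optional[bytes] = None

    def respond(self, rs: bytes, rand1: bytes) -> bytes:
        ks = ta11(self._k, rs)             # the MS recomputes KS from its own copy of K
        res1, self.dck = ta12(ks, rand1)
        return res1


def authenticate(switch: Switch, ms: Terminal) -> bool:
    """One full exchange: challenge, response, comparison of RES1 with XRES1."""
    rs, rand1 = switch.challenge(ms.itsi)
    res1 = ms.respond(rs, rand1)
    return switch.verify(ms.itsi, res1)


if __name__ == "__main__":
    auc = AuthenticationCentre()
    k = bytes(range(16))                   # constructed secret key for the example
    auc.provision("1234567", k)
    sw = Switch(auc)
    print("genuine terminal:", authenticate(sw, Terminal("1234567", k)))
    print("terminal with wrong K:", authenticate(sw, Terminal("1234567", bytes(16))))
```

The code covers only the direction the slide diagram draws (network authenticates terminal). The mutual authentication mentioned on the next slide adds the reverse direction, in which the terminal issues the random challenge and the SwMI has to answer from the same K-derived material; the structure is the same, with the roles of challenger and responder swapped.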

Air interface encryption
AI encryption protects voice, SDS and packet data payloads, and also:
- protects signalling
- encrypted registration protects identities and gives anonymity
- gives protection against replay attacks

Over The Air Re-keying (OTAR)
- Populations of terminals tend to be large, and the only practical way to change encryption keys frequently is by OTAR
- This is done securely by using a derived cipher key or a session key to wrap the downloaded traffic key
- The security functionality is transparent to the user, as the network provider would normally be responsible for OTAR and management of AI keys

Security Class 2 keys
- Static Cipher Keys (SCKs) are used as traffic keys in TMO
- Probably loaded manually into the network and terminals
- May also be loaded by OTAR, using session keys for wrapping
- Also used for protecting DMO

Class 3 air interface traffic keys
Three types of traffic keys are used in class 3 systems:
- Derived Cipher Key (DCK): derived from the authentication process and unique to each terminal; used for protecting the uplink and one-to-one calls
- Common Cipher Key (CCK): protects downlink group calls and the ITSI on initial registration
- Group Cipher Key (GCK): provides crypto separation, combined with the CCK; used on systems with multiple but operationally separate user groups

Disabling of terminals
- Vital to reduce the risk of threats to the system from stolen and lost terminals
- Relies on the integrity of the users to report losses quickly and accurately
- Disabling may be either temporary or permanent; disabling stops the terminal working as a radio, and:
  - permanent disabling removes all keys (including the secret key)
  - temporary disabling removes all traffic keys but allows ambience listening
- The network or application needs to be able to remember disable commands to terminals that are not live on the network at the time the original command is sent
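An added illustration, by the editor rather than from the slides or any vendor, of the two preceding slides together: the class 3 key set a terminal holds (DCK per terminal, CCK shared on the cell, GCK combined with CCK for crypto separation between organisations), what temporary versus permanent disabling removes from that set, and the network-side requirement to remember a disable command for a terminal that is not live and deliver it when the terminal next registers. The combination of GCK and CCK uses an HMAC stand-in, not TETRA's own combining algorithm; the class names, ITSIs and key bytes are constructed.

```python
"""
Class 3 terminal key store, temporary/permanent disabling, and deferred delivery
of disable commands by the SwMI.

ASSUMPTIONS (editor's illustration): modified_gck() is an HMAC stand-in for the
real GCK/CCK combination; names, ITSIs and key bytes are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def modified_gck(gck: bytes, cck: bytes) -> bytes:
    """Stand-in for combining GCK with CCK: each organisation gets its own group
    traffic key even though every terminal on the cell shares the same CCK."""
    return hmac.new(gck, b"MGCK" + cck, hashlib.sha256).digest()[:10]


@dataclass
class TerminalKeyStore:
    itsi: str
    k: Optional[bytes]             # long-term secret key, shared only with the AuC
    dck: Optional[bytes] = None    # derived cipher key: per terminal, from authentication
    cck: Optional[bytes] = None    # common cipher key: downlink group calls, ITSI at registration
    gck: Optional[bytes] = None    # group cipher key: separation between user organisations
    status: str = "enabled"

    def disable(self, permanent: bool) -> None:
        """Temporary: traffic keys go, K stays (the network can still authenticate
        the terminal, which is what ambience listening needs).  Permanent: K goes
        too, so the terminal can never authenticate again."""
        self.dck = self.cck = self.gck = None
        if permanent:
            self.k = None
            self.status = "permanently disabled"
        elif self.status != "permanently disabled":
            self.status = "temporarily disabled"

    def group_traffic_key(self) -> Optional[bytes]:
        if self.gck is None or self.cck is None:
            return None
        return modified_gck(self.gck, self.cck)


class SwMI:
    """Network side: tracks live terminals and stores disable commands for the
    ones that are not live, delivering them at the next registration attempt."""

    def __init__(self) -> None:
        self._live: dict[str, TerminalKeyStore] = {}
        self._pending: dict[str, bool] = {}   # itsi -> permanent?

    def register(self, ms: TerminalKeyStore) -> bool:
        if ms.itsi in self._pending:          # stored command is delivered before anything else
            ms.disable(permanent=self._pending.pop(ms.itsi))
            return False
        if ms.k is None or ms.status != "enabled":
            return False                      # cannot authenticate, or awaiting an enable command
        self._live[ms.itsi] = ms
        return True

    def deregister(self, itsi: str) -> None:
        self._live.pop(itsi, None)

    def disable(self, itsi: str, permanent: bool) -> str:
        ms = self._live.pop(itsi, None)
        if ms is not None:
            ms.disable(permanent)
            return "delivered"
        # Not live: remember the command.  A stored permanent disable is never
        # downgraded by a later temporary one.
        self._pending[itsi] = permanent or self._pending.get(itsi, False)
        return "stored"

    def cancel_pending(self, itsi: str) -> bool:
        """Withdraw a stored temporary disable (terminal found again).  A stored
        permanent disable is deliberately not withdrawable here."""
        if self._pending.get(itsi) is False:
            del self._pending[itsi]
            return True
        return False


if __name__ == "__main__":
    net = SwMI()
    lost = TerminalKeyStore("2003", k=bytes(range(16)), dck=b"d" * 10, cck=b"c" * 10, gck=b"g" * 10)
    print(net.disable("2003", permanent=True))   # "stored": terminal is switched off somewhere
    print(net.register(lost), lost.status)      # False permanently disabled
```

Re-enabling a temporarily disabled terminal (an enable command followed by fresh authentication and OTAR to rebuild its traffic keys) is left out; the point of the model is that K survives a temporary disable and does not survive a permanent one, and that a disable issued while the terminal is off the air is not lost.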

Standard air interface algorithms
- TEA1 and TEA4: generally exportable outside Europe; designed for non-public-safety use
- TEA2: only for use in Europe by public safety and military organizations; strictly export controlled
- TEA3: for use by public safety and military organizations where TEA2 is not allowed; strictly export controlled

End-to-end encryption (diagram: air interface security between MS and network; end-to-end security between MSs)
- Protects messages across an untrusted infrastructure
- Provides enhanced confidentiality over all parts of the network
- Protects voice services, SDS services and packet data services
- Key management is under the control of the user

Standard end-to-end encryption algorithms
There are no standard algorithms defined by SFPG, but:
- IDEA was defined as a good candidate 64-bit block cipher algorithm for use with TETRA, and test data and an example implementation were produced. However, IDEA requires a license to be purchased
- AES-128 was defined as a good candidate 128-bit block cipher algorithm for use with TETRA, and test data and an example implementation were produced. AES is license free and an extremely popular algorithm
- AES-256 has now been implemented by some terminal suppliers and gives a very high level of assurance for high levels of confidentiality protection

Benefits of end-to-end encryption in combination with air interface encryption
- Air interface (AI) encryption alone and end-to-end encryption alone both have their limitations
- For most users AI security measures are completely adequate
- Where either the network is untrusted or the data is extremely sensitive, end-to-end encryption may be used in addition as an overlay
- This brings the benefit of encrypting user addresses and signalling as well as user data across the air interface, and confidentiality of user data right across the network

Export control of crypto material
- All cryptographic material and terminals capable of encryption are subject to export control
- The authority has to be satisfied that the key length and algorithms used are allowed to be exported
- Guidance is given in the Wassenaar Arrangement (www.wassenaar.org), but the export control authority must be approached in all cases

Evaluation of security mechanisms
How can a system be judged secure?
- Evaluate threats and risks, independently if possible
- Ensure correct implementation of security on the network
- Talk to other customers about their systems
- Ensure mobile terminals have been evaluated
- Use standard encryption algorithms
- Regular audit and inspection

SFPG
Exists to define security aspects of TETRA in practical detail. Some important Recommendations:
- 01: specifies file formats when distributing keys
- 02: end-to-end encryption
- 04: implementing TETRA air interface security
- 06: management of long term keys
- 07: end-to-end encryption of SDS messages
- 11: end-to-end encryption of TETRA packet data