Efficient Group Key Agreement for Dynamic TETRA Networks

Slides: 29
1
Efficient Group Key Agreement for Dynamic TETRA Networks
Current Trends in Theory and Practice of Computer Science
Su Youn Lee, Su Mi Lee and Dong Hoon Lee
2007.1.24
Baekseok College of Cultural Studies
GSIS, Korea University
2
Agenda
  • TETRA Networks
  • Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA)
    - Background and Motivation
    - Set up, Join and Leave Algorithms

3
TETRA Networks
4
What is TETRA?
  • TErrestrial Trunked RAdio (TETRA) is a new
    digital transmission standard developed by ETSI,
    and it is becoming the system for public safety
    organisations

[Figure: TETRA shown alongside GSM, UMTS and DECT, with the labels Mobile Radio, Mobile Data and Mobile Telephony.]
5
What is TETRA?
  • Architecture

[Figure: TETRA architecture, with the labels Network Management, Line Dispatcher, SwMI, IP gateway, Firewall.]
6
TETRA Security Mechanisms
  • Air Interface Encryption: securing the link between a handset and the network
  • Key Management Center: controlled emission of keys, enabling decentralized authorisation and enforcing the high security level
  • End-to-End Encryption: securing the communication across a network, independent of the switching infrastructure
7
TETRA Security Mechanisms
  • Authentication

[Figure: the SwMI contains the Authentication Centre (AuC), which holds k and supplies session authentication keys to Switch 1 and Switch 2; challenge and response from the switch for MS authentication.]

  • Authentication provides proof of identity of all MS
    in the TETRA network
  • The AuC securely sends the session authentication key to
    Switch 1 and should store the secret key.
    - The secret key need never be exposed
  • All MS and the AuC perform mutual authentication
    using the secret key K

8
Authentication process
[Figure: authentication process between the SwMI and the Mobile Station. Labels: K, Random Seed (RS), Rand, TA11, TA12, KS (session authentication key), DCK, XRES, RES; final check "RES ? XRES".]
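
The challenge-response on this slide, sketched as an added example (not code from the presentation): K and RS go through TA11 to give KS, and KS and Rand go through TA12 to give DCK and the response, which the SwMI side calls XRES and the MS calls RES. HMAC-SHA256 stands in for TA11 and TA12, and the byte lengths and the class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def ta11(k: bytes, rs: bytes) -> bytes:
    """K, RS -> KS. HMAC-SHA256 is a stand-in, not the real TA11."""
    return hmac.new(k, b"TA11" + rs, hashlib.sha256).digest()[:16]

def ta12(ks: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """KS, Rand -> (DCK, response). Stand-in, not the real TA12."""
    out = hmac.new(ks, b"TA12" + rand, hashlib.sha256).digest()
    return out[:10], out[10:14]  # lengths are illustrative

class AuC:
    """Only holder of K on the network side."""
    def __init__(self, k: bytes):
        self._k = k
    def session_material(self) -> tuple[bytes, bytes]:
        rs = secrets.token_bytes(10)
        return rs, ta11(self._k, rs)  # K itself never leaves the AuC

class Switch:
    """Receives (RS, KS) from the AuC and runs the challenge."""
    def __init__(self, rs: bytes, ks: bytes):
        self.rs, self.ks, self.xres, self.dck = rs, ks, None, None
    def challenge(self) -> tuple[bytes, bytes]:
        rand = secrets.token_bytes(10)
        self.dck, self.xres = ta12(self.ks, rand)
        return self.rs, rand
    def verify(self, res: bytes) -> bool:
        xres, self.xres = self.xres, None  # one answer per challenge
        return xres is not None and hmac.compare_digest(res, xres)

class MobileStation:
    def __init__(self, k: bytes):
        self._k, self.dck = k, None
    def respond(self, rs: bytes, rand: bytes) -> bytes:
        self.dck, res = ta12(ta11(self._k, rs), rand)
        return res

def authenticate(ms: MobileStation, auc: AuC) -> tuple[bool, bool]:
    """Returns (RES accepted, both sides hold the same DCK)."""
    switch = Switch(*auc.session_material())
    res = ms.respond(*switch.challenge())
    ok = switch.verify(res)
    return ok, ok and ms.dck == switch.dck

if __name__ == "__main__":
    k = secrets.token_bytes(16)  # constructed K shared by MS and AuC
    print(authenticate(MobileStation(k), AuC(k)))
```

The switch object only ever sees RS and KS, which is the point of the "secret key need never be exposed" bullet on the previous slide; `verify` compares in constant time and discards XRES after one use, so a replayed RES is rejected.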
9
Air Interface Keys
  • Derived Cipher Key (DCK)
    - derived from authentication procedure.
  • Common Cipher Key (CCK)
    - generated by the SwMI and distributed to all MS.
  • Group Cipher Key (GCK)
    - linked to a specific closed MS group.
  • Static Cipher Key (SCK)
    - is a predetermined key

10
Key Management Mechanism
[Figure: key management between the SwMI and MS1 to MS4. Labels: each MSi with Ki and DCKi; GCKfn(Ki) and CCKfn(DCKi) for i = 1 to 4; GCK, CCK; Group call1, Group call2; MGCKfn(GCK, CCK).]
11
Over the Air Re-Keying (OTAR)
[Figure: OTAR between the SwMI and the MS across the AI. Labels: KSO (GSKO), DCK, GCK, CCK, MGCK.]
12
Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA) - Background and Motivation
13
Background and Motivation
  • Group Key Agreement
    - MS communicating over a public, easily-monitored network
    - MS needs to establish a common secret key
      (session key) to secure communication
  • Group Key Agreement Protocol

[Figure: group members, each labelled sk.]
14
Background and Motivation
  • Authenticated Group Key Agreement (AGKA)
    - AGKA guarantees security against an active
      adversary who can modify, insert or remove
      messages
    - For providing authentication, we can construct
      AGKA based on PW or signature

15
Background and Motivation
  • In AGKA, there are two concerns with regard to
    efficiency: communication and computation
    efficiency
  • Communication Efficiency
    - the number and length of messages
    - few rounds
  • Computation Efficiency
    - needs to complete the protocol
    - depends on the cryptographic algorithms

16
Background and Motivation
  • AGKA for Dynamic TETRA networks
  • Provides Setup, Leave and Join Algorithms
  • In a Leave event, the removed MS does not know the new sk
  • Forward Secrecy

17
Background and Motivation
  • AGKA for Dynamic TETRA networks
  • In a Join event, the joining MS does not know the previous sk
  • Backward Secrecy

18
An Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA) - Set up, Join and Leave Algorithms
19
An Efficient AGKA
  • Setup

[Figure: Setup between the SwMI and MS1 to MS4, labelled with KEK1 to KEK4.]
20
An Efficient AGKA
  • Setup: Group Key Computation Process

[Figure: group key computation process; surviving label: KEK1.]
21
An Efficient AGKA
  • Setup
  • Security
  • The MS verifies the signature of the SwMI
  • Assume that the signature scheme is secure
  • No signature can be used twice
  • Only an MS that knows the KEK can compute a group key
  • An adversary cannot get any information about a
    group key from Z_{i-1,i}
  • XOR Encryption Scheme

22
An Efficient AGKA
  • Join Algo.

[Figure: Join between the SwMI and MS1 to MS5, labelled with KEK1 to KEK5; MS5 is the joining MS.]
23
An Efficient AGKA
  • Join
  • Security
  • Backward Secrecy
  • The joining MS should not know a previous group key
  • Our scheme provides Backward Secrecy
  • All MS recalculate the T value using a different
    session ID (I_j) per session
  • Although MS5 knows all T values in the current
    session, MS5 does not compute a previous group
    key.

24
An Efficient AGKA
  • Leave Algo.

[Figure: Leave between the SwMI and MS1, MS2 and MS4, labelled with KEK1, KEK2 and KEK4.]
25
An Efficient AGKA
  • Leave
  • Security
  • Forward Secrecy
  • The leaving MS should not know a current group key
  • Our scheme provides Forward Secrecy
  • The leaving MS3 knows all T values of the previous
    session
  • All MS recalculate the T value using a new session ID
    (I_l) per session

26
An Efficient AGKA
  • Useful properties
  • Allows the SwMI and MS to agree on a group key with low
    complexity
  • Needs only XOR operations, the number of which depends on
    the number of MS in the group
  • Constructs a special AGKA scheme including join
    and leave algorithms

27
AGKA
  • AGKA protocol
  • Security Theorem
  • of send, execute queries

28
Thank you !
  • Questions? Comments?
  • sylee_at_bcc.ac.kr.