Title: Efficient Group Key Agreement for Dynamic TETRA Networks
1. Efficient Group Key Agreement for Dynamic TETRA Networks
Current Trends in Theory and Practice of Computer Science
Su Youn Lee, Su Mi Lee and Dong Hoon Lee
2007.1.24
Baekseok College of Cultural Studies; GSIS, Korea University
2. Agenda
- TETRA Networks
- Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA)
  - Background and Motivation
  - Set up, Join and Leave Algorithms
3. TETRA Networks
4. What is TETRA?
- TErrestrial Trunked RAdio (TETRA) is a new digital transmission standard developed by ETSI, and it is becoming the system for public safety organisations
[Figure labels: TETRA; GSM; Mobile Radio; Mobile Data; UMTS; Mobile Telephony; DECT]
5. What is TETRA?
[Figure labels: Network Management; Line Dispatcher; SwMI; IP gateway, Firewall]
6. TETRA Security Mechanisms
- Air Interface Encryption: securing the link between a handset and the network
- Key Management Center: controlled emission of keys, enabling decentralized authorisation and enforcing the high security level
- End-to-End Encryption: securing the communication across a network, independent of the switching infrastructure
7. TETRA Security Mechanisms
[Figure: MS Authentication. Labels: SwMI; Authentication Centre (AuC); K; Session authentication keys; Switch 1; Switch 2; Challenge and response from Switch]
- Authentication provides proof of identity of all MS in the TETRA network
- The AuC securely sends the session authentication key to Switch 1 and should store the secret key
  - The secret key need never be exposed
- All MS and the AuC perform mutual authentication using the secret key K
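8. Authentication process
[Figure: authentication between SwMI and Mobile Station. Both sides hold K. The Random Seed (RS) and Rand are passed from the SwMI to the Mobile Station. On each side TA11 takes K and RS and outputs KS (session authentication key); TA12 takes KS and Rand and outputs DCK and XRES on the SwMI side, and DCK and RES on the Mobile Station side. The Mobile Station returns RES and the SwMI checks whether RES equals XRES.]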
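The challenge-response flow in the figure above, as an added example that is not part of the original slides. HMAC-SHA256 stands in for TA11 and TA12 (an assumption; the real algorithms are not given here), the class names and output lengths are constructed, and only the direction shown in the figure (the SwMI checks the MS) is modelled.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in primitive (assumption): HMAC-SHA256 replaces the TETRA algorithms.
    return hmac.new(key, label + data, hashlib.sha256).digest()

def ta11(k: bytes, rs: bytes) -> bytes:
    """Session authentication key KS from secret key K and random seed RS."""
    return prf(k, b"TA11", rs)

def ta12(ks: bytes, rand: bytes):
    """(response, DCK) from KS and the challenge Rand; 16 bytes each (constructed)."""
    out = prf(ks, b"TA12", rand)
    return out[:16], out[16:]

class AuC:
    """Holds the long-term keys; only RS and KS ever leave it, never K."""
    def __init__(self):
        self.keys = {}
    def session_key(self, ms_id: str):
        rs = secrets.token_bytes(10)
        return rs, ta11(self.keys[ms_id], rs)

class Switch:
    def __init__(self, auc: AuC):
        self.auc = auc
    def challenge(self, ms_id: str):
        rs, ks = self.auc.session_key(ms_id)
        rand = secrets.token_bytes(10)
        self.xres, self.dck = ta12(ks, rand)   # expected response and DCK
        return rs, rand
    def verify(self, res: bytes):
        # Constant-time comparison of RES against XRES; DCK is released only on a match.
        return self.dck if hmac.compare_digest(res, self.xres) else None

class MobileStation:
    def __init__(self, k: bytes):
        self.k = k
    def respond(self, rs: bytes, rand: bytes) -> bytes:
        res, self.dck = ta12(ta11(self.k, rs), rand)
        return res

def run_authentication(ms_key: bytes, enrolled_key: bytes) -> bool:
    """True when the switch accepts RES and both sides hold the same DCK."""
    auc = AuC()
    auc.keys["MS1"] = enrolled_key
    switch, ms = Switch(auc), MobileStation(ms_key)
    rs, rand = switch.challenge("MS1")
    dck = switch.verify(ms.respond(rs, rand))
    return dck is not None and dck == ms.dck
```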
9. Air Interface Keys
- Derived Cipher Key (DCK)
  - derived from the authentication procedure
- Common Cipher Key (CCK)
  - generated by the SwMI and distributed to all MS
- Group Cipher Key (GCK)
  - linked to a specific closed MS group
- Static Cipher Key (SCK)
  - is a predetermined key
10. Key Management Mechanism
[Figure: SwMI and four mobile stations, MS1 (K1, DCK1), MS2 (K2, DCK2), MS3 (K3, DCK3) and MS4 (K4, DCK4). Labels: GCK fn(K1), GCK fn(K2), GCK fn(K3), GCK fn(K4); CCK fn(DCK1), CCK fn(DCK2), CCK fn(DCK3), CCK fn(DCK4); GCK; CCK; MGCK fn(GCK, CCK); Group call 1; Group call 2]
11. Over the Air Re-Keying (OTAR)
[Figure: key exchange between SwMI and MS over the AI. Labels: KSO (GSKO); DCK; GCK; CCK; MGCK]
12. Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA) - Background and Motivation
13. Background and Motivation
- Group Key Agreement
  - MS communicating over a public, easily-monitored network
  - MS needs to establish a common secret key (session key) to secure communication
- Group Key Agreement Protocol
[Figure: four parties, each labelled sk]
14. Background and Motivation
- Authenticated Group Key Agreement (AGKA)
  - AGKA guarantees security against an active adversary who can modify, insert or remove messages
  - To provide authentication, we can construct AGKA based on a password (PW) or a signature
15. Background and Motivation
- In AGKA, there are two concerns with regard to efficiency: communication and computation efficiency
- Communication Efficiency
  - the number and length of messages
  - few rounds
- Computation Efficiency
  - the computation needed to complete the protocol
  - depends on the cryptographic algorithms
16. Background and Motivation
- AGKA for Dynamic TETRA networks
  - Provides Setup, Leave and Join Algorithms
  - In a Leave event, the removed MS does not know the new sk
    - Forward Secrecy
17. Background and Motivation
- AGKA for Dynamic TETRA networks
  - In a Join event, the joining MS does not know the previous sk
    - Backward Secrecy
18. An Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA) - Set up, Join and Leave Algorithms
19. An Efficient AGKA
[Figure labels: MS1 KEK1; MS2 KEK2; MS3 KEK3; MS4 KEK4; SwMI; KEK1]
20. An Efficient AGKA
- Setup: Group Key Computation Process
[Figure; surviving label: KEK1]
21. An Efficient AGKA
- Setup
  - Security
    - MS verifies the signature of the SwMI
      - Assume that the signature scheme is secure
      - No signature can be used twice
    - Only an MS who knows KEK can compute a group key
      - An adversary cannot get any information about a group key from Z_{i-1,i}
      - XOR Encryption Scheme
22. An Efficient AGKA
[Figure: Joining MS5. Labels: MS1 KEK1; MS2 KEK2; MS3 KEK3; MS4 KEK4; MS5 KEK5; SwMI; KEK1]
23. An Efficient AGKA
- Join
  - Security
    - Backward Secrecy
      - The joining MS should not know a previous group key
    - Our scheme provides Backward Secrecy
      - All MS re-calculate their T value using a different session ID (Ij) per session
      - Although MS5 knows all T values in the current session, MS5 cannot compute a previous group key
24. An Efficient AGKA
[Figure labels: MS1 KEK1; MS2 KEK2; MS4 KEK4; SwMI; KEK1]
25. An Efficient AGKA
- Leave
  - Security
    - Forward Secrecy
      - The leaving MS should not know a current group key
    - Our scheme provides Forward Secrecy
      - The leaving MS3 knows all T values of the previous session
      - All MS re-calculate their T value using a new session ID (Il) per session
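Why a fresh session ID gives the Join and Leave properties above, as an added sketch that is not the paper's protocol and not code from the slides. Assumptions: T_i is HMAC-SHA256 of the session ID under KEK_i, the SwMI publishes Z_{i-1,i} = T_{i-1} XOR T_i around the member ring, and sk is a hash over all T values; the SwMI signature is omitted and all keys are constructed.

```python
import hashlib
import hmac

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def t_value(kek: bytes, session_id: bytes) -> bytes:
    # Assumption: T_i = HMAC-SHA256(KEK_i, session ID); the slides give no formula.
    return hmac.new(kek, session_id, hashlib.sha256).digest()

def swmi_broadcast(keks: dict, session_id: bytes) -> dict:
    """SwMI side: Z[(prev, cur)] = T_prev XOR T_cur around the ring of members."""
    ids = sorted(keks)
    t = {i: t_value(keks[i], session_id) for i in ids}
    return {(ids[n - 1], i): xor(t[ids[n - 1]], t[i]) for n, i in enumerate(ids)}

def recover_t(my_id: int, my_kek: bytes, session_id: bytes, z: dict) -> dict:
    """MS side: start from the own T value and XOR along the ring to learn every T."""
    t = {my_id: t_value(my_kek, session_id)}
    succ = {prev: cur for prev, cur in z}
    cur = my_id
    while cur in succ and succ[cur] not in t:
        nxt = succ[cur]
        t[nxt] = xor(t[cur], z[(cur, nxt)])
        cur = nxt
    return t

def group_key(t: dict) -> bytes:
    # Assumption: sk = SHA-256 over all T values in member order.
    return hashlib.sha256(b"".join(t[i] for i in sorted(t))).digest()

def leave_demo():
    """MS3 leaves: returns (new keys per member, old key, whether a stale T still works)."""
    keks = {i: bytes([i]) * 16 for i in (1, 2, 3, 4)}      # constructed KEKs
    z_old = swmi_broadcast(keks, b"session-1")
    old_t = recover_t(3, keks[3], b"session-1", z_old)     # MS3 knew every old T
    remaining = {i: k for i, k in keks.items() if i != 3}
    z_new = swmi_broadcast(remaining, b"session-2")        # new session ID after Leave
    sk_new = {i: group_key(recover_t(i, k, b"session-2", z_new))
              for i, k in remaining.items()}
    # A stale T_2 from session 1 applied to the new Z_{2,4} does not yield the new T_4.
    stale_works = xor(old_t[2], z_new[(2, 4)]) == t_value(keks[4], b"session-2")
    return sk_new, group_key(old_t), stale_works
```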
26. An Efficient AGKA
- Useful properties
  - Allows SwMI and MS to agree on a group key with low complexity
  - Needs only XOR operations, dependent on the number of group MS
  - Constructs a special AGKA scheme including join and leave algorithms
27. AGKA
- AGKA protocol
- Security Theorem
- of send, execute queries
28. Thank you!