Implementing End-to-End Security in TETRA

1
Implementing End-to-End Security in TETRA

• Author Heikki Lavanti
• Instructor M.Sc Olli-Pekka Lahtinen
• Supervisor Professor Raimo Kantola

2
AGENDA

1. Introduction background for the thesis
2. Goals and methods of the thesis
3. TETRA
4. Smart card technology
5. Implementing E2EE in the NTS
6. Results of tests
7. Conclusions

3
Introduction background for the thesis

• Work was done at Nokia Networks Professional
  Mobile Radio business unit situated in Helsinki
• Background for the thesis is the need for a
  module that implements end-to-end encryption
  (E2EE) of circuit switched voice in the Nokia
  TETRA System (NTS)
• The module must also support (relatively) easy
  replacement of the algorithm
• E2EE is done between the end-user terminals, i.e.
  the network itself is unaware of the type of
  communication
• There is a network element called the Dispatcher
  WorkStation (DWS) that can monitor several calls
  at once and thus presents some special
  requirements for the module used for E2EE
• The thesis studied the applicability of smart
  cards as the E2EE module in the DWS

4
Goals and methods of the thesis

• Goals
• investigate how E2EE is implemented in the
  current NTS (especially the DWS)
• investigate if the implementation could make use
  of smart card technology and to this end
• study smart cards
• estimate requirements of E2EE
• analyze the suitability of smart cards
• Methods
• the suggested implementation was tested using
• calculations
• simulations

5
TETRA

• TErrestrial Trunked RAdio
• Professional mobile radio standard done by ETSI
• Advantages over PLMNs (e.g. GSM) include
• fast call set-up
• group communication
• security (e.g. AIE)
• Users (and customers) from the
• public sector (e.g. governments)
• called PSS (Public Safety and Security) networks
• private sector (e.g. gas companies)
• called PC (Professional Cellular) networks
• AIE offers a robust encryption scheme over the
  AI, but inside the SwMI, the user data is in
  clear format and susceptible to eavesdropping

AIE Air Interface Encryption SwMISwitching and
Management Infrastructure
6
Nokia TETRA SYSTEM (NTS)

• CDD Configuration and Data
  Distribution server
• DWS Dispatcher WorkStation
• DXT Digital eXchange for TETRA
• TBS TETRA Base Station
• TCS TETRA Connectivity Server

7
The DWS

• Has four variants
• DWSe1 uses an E1 connection
• DWSi uses an ISDN connection
• DWSr uses the air interface and TETRA packet
  data
• DWSx can use both E1 and ISDN supports E2EE
• The DWSx has a PCI card called the Xgear, which
  has a module called the GEM (General Encryption
  Module), which encrypts the data
• The GEM is controlled via a GEI (General
  Encryption Interface) ? the GEM can be any
  technology
• The thesis studied smart cards as the new GEM
  technology

8
Smart card technology

• A credit card- (or SIM card) sized plastic token
  with an embedded microchip (integrated circuit
  chip)
• Comprised of
• a plastic card
• micro controller
• interfaces
• application
• Provides
• Persistent, protected storage
• Memory capacity (4K - 160K is typical)
• Computational capability and processing power (a
  small CPU)
• Self-contained
• ? Doesnt need to depend on potentially
  vulnerable external resources

9
Smart card technology

• An important aspect of smart cards is the
  prevention of unauthorized users gaining access
  to information contained on the card
• The advantage smart cards have over magnetic
  stripe cards is that the smart card contains the
  computer chip which stores the password or PIN
• The password is not sent over a communication
  line to a computer system for verification, which
  can easily be tapped
• The most important part of a smart card is the
  software that provides the applications
• After a smart card is issued to the consumer,
  protection of the card will be mainly controlled
  by the application and the operating system
• Access of data has to be done through the logical
  file structure on the card

10
The ISO/IEC 7816

• Set of standards that define e.g. the physical
  layout and data transfer methods of a smart card
• The protocol stack is divided into three
  according to the ISO OSI model

11
The ISO/IEC 7816

• The ISO/IEC 7816 places several restrictions to
  smart card-terminal communications
• the physical layer has several performance
  degrading factors e.g. 8 data bits are
  encapsulated inside 10 bits and communication is
  half-duplex
• there are several guard times as well to ensure
  that the terminal and smart card have enough time
  to respond
• communication is defined as master-slave with the
  card always the slave. ETSI has defined a CAT
  (Card Application Toolkit) to alleviate this, but
  communication is still quite cumbersome
• The CAT commands are known as proactive commands
• The End-to-end Application Toolkit (EAT) is a
  subset of the CAT

12
TETRA E2EE

• E2EE encrypts user data at the sender and
  decrypts it at the receiver ? the network is a
  transparent medium
• E2EE does not encrypt signaling, which is
  encrypted using AIE ? E2EE does not replace AIE
  but is an additional security feature

13
TETRA E2EE

• TETRA uses an algebraic code-exited linear
  predictive (ACELP) codec for speech compression
• In the TETRA codec, speech samples of 30 ms are
  used. This sample is digitized to a speech frame
  of 137 bits. After the codec two subslots each
  consisting of a speech frame are fitted into one
  TDMA timeslot
• Thus, one TETRA timeslot consists of 274 bits of
  data
• The DWS can monitor 16 group calls and
  communicate with one timeslot, i.e. it has to be
  able to simultaneously decrypt 16 speech frames
  and decrypt one speech frame
• New timeslots arrive with an interval of 32ms.
  One Key Stream Operation (KSO) would have to be
  done in 32ms/171.88ms

14
Implementing E2EE in the NTS

• The following illustrates the Key Stream
  Operation (KSO) of a TETRA terminal in E2EE
• The KSG takes as it input a key and the IV in the
  first round (or SV in subsequent rounds)
• Next the KSG uses an algorithm to generate the
  KSS
• The KSS is XORed with the input
• The ciphertext is sent with the SV
• The receiver does the same
• KSO in reverse
• The KSO is a flywheel
• the receiver can calculate
• the KSS without the SVs
• However, the SV is sent at
• regular intervals

15
Tests

• The requirements for the smart cards I/O
  contacts capacity were estimated using
  calculations based on the DWS and the ISO 7816
• These were then compared to the figures given by
  Infineon, a large manufacturer of smart cards
• Also, the KSG was simulated using a smart card
  controller simulator provided by Infineon
• the OS was provided by Infineon
• the application used was a simple AES algorithm
  that took as its input the lengths of the key and
  the SV

16
Results of tests

• The calculations showed that the requirements for
  the I/O contact is approximately 435 kbit/s
• The Infineon SLE88 family of smart card
  controllers have a maximum rate of 625 kbit/s ?
  the I/O contact could manage the load
• The KSG would have to be able to generate one KSS
  in approximately 50 µs
• The simulated KSG needs 160 µs at 55 MHz to be
  able to generate the KSS ? clearly over the limit

17
Conclusions

• The I/O contact is fast enough to handle the
  requirements of E2EE in the DWS
• The application was not fast enough, there may be
  several reasons for this
• The OS was a simple implementation and in no way
  optimized
• The application itself was written in C and not
  assembler, and was not optimized
• However, although the solution that makes use of
  only one smart card, an implementation of 2 to 4
  smart card could probably be possible
• Next steps
• The calculations done on the I/O contact should
  be verified using hardware tests
• The application and OS should be further
  developed in order to gain more accurate results
• Also, alternatives to the smart card technology
  should be considered
• e.g. Field Programmable Gate Arrays
• All in all, smart card technology is continuously
  developing towards faster CPUs and larger
  transfer rates and probably the performance
  bottlenecks will not exist in the near future

18
Thank You !

• Questions ?