Implementing End-to-End Security in TETRA
Author: Heikki Lavanti
Instructor: M.Sc Olli-Pekka Lahtinen
Supervisor: Professor Raimo Kantola
1
© NOKIA
Implementing End-to-end Security in TETRA.PPT / 01-02-2005 / HLa
AGENDA
1. Introduction & background for the thesis
2. Goals and methods of the thesis
3. TETRA
4. Smart card technology
5. Implementing E2EE in the NTS
6. Results of tests
7. Conclusions
Introduction & background for the thesis
• Work was done at Nokia Networks’ Professional Mobile Radio business unit
situated in Helsinki
• Background for the thesis is the need for a module that implements end-to-end encryption (E2EE) of circuit switched voice in the Nokia TETRA System
(NTS)
• The module must also support (relatively) easy replacement of the
algorithm
• E2EE is done between the end-user terminals, i.e. the network itself is
unaware of the type of communication
• There is a network element called the Dispatcher WorkStation (DWS) that
can monitor several calls at once and thus presents some special
requirements for the module used for E2EE
• The thesis studied the applicability of smart cards as the E2EE module in
the DWS
Goals and methods of the thesis
• Goals:
• investigate how E2EE is implemented in the current NTS (especially the
DWS)
• investigate if the implementation could make use of smart card
technology and to this end
• study smart cards
• estimate requirements of E2EE
• analyze the suitability of smart cards
• Methods:
• the suggested implementation was tested using
• calculations
• simulations
TETRA
• TErrestrial Trunked RAdio
• Professional mobile radio standard done by ETSI
• Advantages over PLMNs (e.g. GSM) include
• fast call set-up
• group communication
• security (e.g. AIE)
• Users (and customers) from the
• public sector (e.g. governments)
• called PSS (Public Safety and Security) networks
• private sector (e.g. gas companies)
• called PC (Professional Cellular) networks
• AIE offers a robust encryption scheme over the AI, but inside the SwMI, the
user data is in clear format and susceptible to eavesdropping
AIE = Air Interface Encryption
SwMI = Switching and Management Infrastructure
Nokia TETRA SYSTEM (NTS)
CDD – Configuration and Data Distribution server
DWS – Dispatcher WorkStation
DXT – Digital eXchange for TETRA
TBS – TETRA Base Station
TCS – TETRA Connectivity Server
The DWS
• Has four variants:
• DWSe1 – uses an E1 connection
• DWSi – uses an ISDN connection
• DWSr – uses the air interface and TETRA packet data
• DWSx – can use both E1 and ISDN + supports E2EE
• The DWSx has a PCI card called the
Xgear, which has a module called the
GEM (General Encryption Module),
which encrypts the data
• The GEM is controlled via a GEI
(General Encryption Interface) → the
GEM can be any technology
• The thesis studied smart cards as the
new GEM technology
Smart card technology
• A credit card- (or SIM card) sized plastic token with an embedded microchip
(integrated circuit chip)
• Comprised of
• a plastic card
• micro controller
• interfaces
• application
• Provides
• Persistent, protected storage
• Memory capacity (4K - 160K is typical)
• Computational capability and processing power (a small CPU)
• Self-contained
→ Doesn’t need to depend on potentially vulnerable external resources
Smart card technology
• An important aspect of smart cards is the prevention of unauthorized users
gaining access to information contained on the card
• The advantage smart cards have over magnetic stripe cards is that the
smart card contains the computer chip which stores the password or PIN
• The password is not sent over a communication line to a computer system
for verification, which can easily be tapped
• The most important part of a smart card is the software that provides
the applications
• After a smart card is issued to the consumer, protection of the card will be
mainly controlled by the application and the operating system
• Access of data has to be done through the logical file structure on the card
The ISO/IEC 7816
• Set of standards that define e.g. the physical layout and data transfer
methods of a smart card
• The protocol stack is divided into three layers according to the ISO OSI model:
Terminal            Smart card
Application Layer   Application Layer
Data Link Layer     Data Link Layer
Physical Layer      Physical Layer
The ISO/IEC 7816
• The ISO/IEC 7816 places several restrictions on smart card-terminal
communications:
• the physical layer has several performance degrading factors – e.g. 8
data bits are encapsulated inside 10 bits and communication is half-duplex
• there are several guard times as well to ensure that the terminal and
smart card have enough time to respond
• communication is defined as master-slave with the card always the
slave. ETSI has defined a CAT (Card Application Toolkit) to alleviate
this, but communication is still quite cumbersome
• The CAT commands are known as proactive commands
• The End-to-end Application Toolkit (EAT) is a subset of the CAT
TETRA & E2EE
• E2EE encrypts user data at the sender and decrypts it at the receiver → the
network is a transparent medium
• E2EE does not encrypt signaling, which is encrypted using AIE → E2EE
does not replace AIE but is an additional security feature
TETRA & E2EE
• TETRA uses an algebraic code-excited linear predictive (ACELP) codec for
speech compression
• In the TETRA codec, speech samples of 30 ms are used. This sample is
digitized to a speech frame of 137 bits. After the codec two subslots each
consisting of a speech frame are fitted into one TDMA timeslot
• Thus, one TETRA timeslot consists of 274 bits of data
• The DWS can monitor 16 group calls and communicate with one timeslot,
i.e. it has to be able to simultaneously decrypt 16 speech frames and
decrypt one speech frame
• New timeslots arrive with an interval of 32 ms. One Key Stream Operation
(KSO) would have to be done in 32 ms / 17 = 1.88 ms
Implementing E2EE in the NTS
• The following illustrates the Key Stream Operation (KSO) of a TETRA
terminal in E2EE
• The KSG takes as its input a key and the IV in the first round (or SV in
subsequent rounds)
• Next the KSG uses an algorithm to generate the KSS
• The KSS is XORed with the input
• The ciphertext is sent with the SV
• The receiver does the same
• The KSO is a flywheel
• the receiver can calculate the KSS without the SVs
• However, the SV is sent at regular intervals
IV = Initialization Vector
KSG = Key Stream Generator
KSS = Key Stream Segment
SV = Synchronization Vector
[Figure: KSO in a terminal. Labels: Plain text, Key, Key and synchronization data, Cipher text, Cipher text + Synch vector, KSO in reverse]
[Figure: synchronization between two terminals over the channel. Labels: Terminal, IV, Key, SV, KSG, KSS, XOR, Synch control, Synch frame, Frame stealing, Channel, Synch detect]
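The KSO and its flywheel synchronization described above, as an added example that is not part of the original slides. The KSG is an HMAC-SHA256 stand-in rather than the TETRA algorithm, and the SV update rule (increment by one per frame), the synch interval, the key and the sample frames are all assumptions.

```python
import hashlib
import hmac

FRAME_BITS = 137                      # ACELP speech frame size from the slides
FRAME_BYTES = (FRAME_BITS + 7) // 8   # 18 bytes; only the top bit of the last is used
SYNC_EVERY = 4                        # assumed: the SV accompanies every 4th frame

def ksg(key, sv):
    """Stand-in KSG (assumption): HMAC-SHA256 over the SV, cut to one 137-bit KSS."""
    mac = hmac.new(key, sv.to_bytes(8, "big"), hashlib.sha256).digest()
    kss = bytearray(mac[:FRAME_BYTES])
    kss[-1] &= 0x80                   # drop the 7 bits beyond bit 137
    return bytes(kss)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sender(key, iv, frames):
    """Yield (ciphertext, sv_or_None); the SV advances by one per frame (assumed rule)."""
    sv = iv
    for n, frame in enumerate(frames):
        yield xor(frame, ksg(key, sv)), (sv if n % SYNC_EVERY == 0 else None)
        sv += 1

def receiver(key, transmissions):
    """Decrypt a stream; frames seen before the first SV cannot be decrypted (None)."""
    sv, out = None, []
    for ciphertext, sync in transmissions:
        if sync is not None:
            sv = sync                 # (re)synchronize on a received SV
        if sv is None:
            out.append(None)          # not synchronized yet: frame is unusable
            continue
        out.append(xor(ciphertext, ksg(key, sv)))
        sv += 1                       # flywheel: the next SV is derived locally
    return out

def demo():
    key = bytes(range(16))            # constructed sample key
    frames = [bytes([n]) * 17 + b"\x80" for n in range(10)]  # constructed 137-bit frames
    sent = list(sender(key, iv=1000, frames=frames))
    full = receiver(key, sent)        # receiver present from the start of the call
    late = receiver(key, sent[2:])    # late entry: missed the IV and two frames
    return frames, sent, full, late
```

The late-entry receiver stays muted until the next SV arrives and then decrypts the following frames from its own flywheel, which is why the SV only has to be sent at intervals.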
Tests
• The requirements for the smart card’s I/O contact’s capacity were estimated
using calculations based on the DWS and the ISO 7816
• These were then compared to the figures given by Infineon, a large
manufacturer of smart cards
• Also, the KSG was simulated using a smart card controller simulator
provided by Infineon
• the OS was provided by Infineon
• the application used was a simple AES algorithm that took as its input
the lengths of the key and the SV
Results of tests
• The calculations showed that the requirement for the I/O contact is
approximately 435 kbit/s
• The Infineon SLE88 family of smart card controllers has a maximum rate
of 625 kbit/s → the I/O contact could manage the load
• The KSG would have to be able to generate one KSS in approximately 50 μs
• The simulated KSG needs 160 μs at 55 MHz to be able to generate the
KSS → clearly over the limit
Conclusions
• The I/O contact is fast enough to handle the requirements of E2EE in the DWS
• The application was not fast enough; there may be several reasons for this:
• The OS was a simple implementation and in no way optimized
• The application itself was written in C and not assembler, and was not optimized
• However, although the solution that makes use of only one smart card is not fast
enough, an implementation using 2 to 4 smart cards could probably be possible
• Next steps:
• The calculations done on the I/O contact should be verified using hardware tests
• The application and OS should be further developed in order to gain more
accurate results
• Also, alternatives to the smart card technology should be considered
• e.g. Field Programmable Gate Arrays
• All in all, smart card technology is continuously developing towards faster CPUs and
larger transfer rates and probably the performance bottlenecks will not exist in the
near future
Thank You!
Questions?