Efficient Group Key Agreement for Dynamic TETRA Networks

Current Trends in Theory and Practice of Computer Science
Efficient Group Key Agreement
for Dynamic TETRA Networks
Su Youn Lee, Su Mi Lee and Dong Hoon Lee
2007.1.24
Baekseok College of Cultural Studies
GSIS Korea University
Agenda
• TETRA Networks
• Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA)
  - Background and Motivation
  - Set up, Join and Leave Algorithms

TETRA Networks
What is TETRA?
• TErrestrial Trunked RAdio (TETRA) is a new digital transmission standard developed by ETSI, and it is becoming the system for public safety organisations.
[Figure: TETRA shown alongside GSM, DECT and UMTS; labels: Mobile Radio, Mobile Data, Mobile Telephony]

What is TETRA?
• Architecture
[Figure: TETRA architecture; labels: SwMI, Network Management, Line Dispatcher, Other TETRA network, Intranet / Internet, IP gateway, Firewall, PABX, PSTN, ISDN]

TETRA Security Mechanisms
• Air Interface Encryption: securing the link between a handset and the network.
• Key Management Center: controlled emission of keys, enabling decentralized authorisation and enforcing the high security level.
• End-to-End Encryption: securing the communication across a network, independent of the switching infrastructure.

TETRA Security Mechanisms
• Authentication
[Figure: authentication within the SwMI; labels: Authentication Centre (AuC), k, Session authentication keys, Switch 1, Switch 2, Challenge and response from Switch, MS]
• Authentication provides proof of identity of all MS in the TETRA network.
• The AuC securely sends the session authentication key to Switch 1 and should store the secret key.
  - The secret key need never be exposed.
• All MS and the AuC perform mutual authentication using the secret key K.

Authentication process
[Figure: authentication process between the Mobile Station and the SwMI; labels: K, Random Seed (RS), TA11, KS (Session authentication key), Rand, TA12, RES, XRES, DCK, RES ≠ XRES]

Air Interface Keys
• Derived Cipher Key (DCK): derived from authentication procedure.
• Common Cipher Key (CCK): generated by the SwMI and distributed to all MS.
• Group Cipher Key (GCK): linked to a specific closed MS group.
• Static Cipher Key (SCK): is a predetermined key.

Key Management Mechanism
[Figure: key management between the SwMI and MS1 to MS4, where each MS holds its own K and DCK (K1/DCK1 to K4/DCK4); labels: GCK = fn(K1), GCK = fn(K2), GCK = fn(K3), GCK = fn(K4); CCK = fn(DCK1), CCK = fn(DCK2); CCK' = fn(DCK3), CCK' = fn(DCK4); Group call 1, Group call 2; MGCK = fn(GCK, CCK); MGCK' = fn(GCK, CCK')]

Over the Air Re-Keying (OTAR)
[Figure: OTAR between the SwMI and the MS over the air interface (AI); labels: KSO (GSKO), DCK, GCK, CCK, MGCK]

Efficient Group Key Agreement for
Dynamic TETRA Networks (AGKA);
- Background and Motivation
Background and Motivation
• Group Key Agreement
− MS communicate over a public, easily monitored network
− MS need to establish a common secret key (session key) to secure communication
− Group Key Agreement Protocol
[Figure: group members sharing the same session key sk]

Background and Motivation
• Authenticated Group Key Agreement (AGKA)
− AGKA guarantees security against an active adversary who can modify, insert or remove messages
− For providing authentication, we can construct AGKA based on PW or signature
[Figure: adversary]

Background and Motivation
• In AGKA, there are two concerns with regard to efficiency: communication and computation efficiency
− Communication Efficiency
  • the number and length of messages
  • few rounds
− Computation Efficiency
  • the computation needed to complete the protocol
  • depends on the cryptographic algorithms

Background and Motivation
• AGKA for Dynamic TETRA networks
− Provides Setup, Leave and Join Algorithms
− In a Leave event, the removed MS does not know the new sk'
− Forward Secrecy
[Figure: after a leave, the remaining MS move from sk to sk'; the leaving MS is marked "sk' ?"]

Background and Motivation
• AGKA for Dynamic TETRA networks
− In a Join event, the joining MS does not know the previous sk
− Backward Secrecy
[Figure: after a join, the group moves from sk to sk'; the joining MS is marked "sk ?"]

An Efficient Group Key Agreement for
Dynamic TETRA Networks (AGKA);
- Set up, Join and Leave Algorithms
An Efficient AGKA
• Setup
Session ID: $I_0 = ID_1 \,\|\, ID_2 \,\|\, ID_3 \,\|\, ID_4$
Group members: MS1 (KEK1), MS2 (KEK2), MS3 (KEK3), MS4 (KEK4)
SwMI:
$T_1 = g_{KEK_1}(I_0)$, $T_2 = g_{KEK_2}(I_0)$, $T_3 = g_{KEK_3}(I_0)$, $T_4 = g_{KEK_4}(I_0)$
$Z_{4,1} = T_4 \oplus T_1$, $Z_{1,2} = T_1 \oplus T_2$, $Z_{2,3} = T_2 \oplus T_3$, $Z_{3,4} = T_3 \oplus T_4$
$\sigma_{4,1} = S_{sk_{ac}}(Z_{4,1} \,\|\, I_0)$, $\sigma_{1,2} = S_{sk_{ac}}(Z_{1,2} \,\|\, I_0)$, $\sigma_{2,3} = S_{sk_{ac}}(Z_{2,3} \,\|\, I_0)$, $\sigma_{3,4} = S_{sk_{ac}}(Z_{3,4} \,\|\, I_0)$
SwMI → MS: $Z_{i-1,i}$, $\sigma_{i-1,i}$
Each MS$_i$, holding KEK$_i$: $T_i = g_{KEK_i}(I_0)$ for $i = 1, \dots, 4$

An Efficient AGKA
• Setup: Group Key Computation Process
Each MS$_i$, holding KEK$_i$: $T_i = g_{KEK_i}(I_0)$ for $i = 1, \dots, 4$
verify $S_{sk_{ac}}(Z_{i-1,i} \,\|\, I_0) = \text{true}$
$Z_{1,2} \oplus T_1 = T_1 \oplus T_2 \oplus T_1 = T_2$
$Z_{2,3} \oplus T_2 = T_2 \oplus T_3 \oplus T_2 = T_3$
$Z_{3,4} \oplus T_3 = T_3 \oplus T_4 \oplus T_3 = T_4$
$Z_{4,1} \oplus T_4 = T_4 \oplus T_1 \oplus T_4 = T_1'$
check $T_1 \stackrel{?}{=} T_1'$
$sk_0 = H(T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, T_4)$

An Efficient AGKA
• Setup
− Security
  • MS verifies the signature of the SwMI
    - Assume that the signature scheme is secure
    - A signature cannot be used twice
  • Only an MS who knows KEK can compute a group key
    - An adversary cannot get any information about a group key from $Z_{i-1,i}$
    - XOR Encryption Scheme

An Efficient AGKA
• Join Algo.
Session ID: $I_j = ID_1 \,\|\, ID_2 \,\|\, ID_3 \,\|\, ID_4 \,\|\, ID_5$
Group members: MS1 (KEK1), MS2 (KEK2), MS3 (KEK3), MS4 (KEK4), MS5 (KEK5); joining MS: MS5
SwMI:
$T_1 = g_{KEK_1}(I_j)$, $T_2 = g_{KEK_2}(I_j)$, $T_3 = g_{KEK_3}(I_j)$, $T_4 = g_{KEK_4}(I_j)$, $T_5 = g_{KEK_5}(I_j)$
$Z_{5,1} = T_5 \oplus T_1$, $Z_{1,2} = T_1 \oplus T_2$, $Z_{2,3} = T_2 \oplus T_3$, $Z_{3,4} = T_3 \oplus T_4$, $Z_{4,5} = T_4 \oplus T_5$
$\sigma_{5,1} = S_{sk_{ac}}(Z_{5,1} \,\|\, I_j)$, $\sigma_{1,2} = S_{sk_{ac}}(Z_{1,2} \,\|\, I_j)$, $\sigma_{2,3} = S_{sk_{ac}}(Z_{2,3} \,\|\, I_j)$, $\sigma_{3,4} = S_{sk_{ac}}(Z_{3,4} \,\|\, I_j)$, $\sigma_{4,5} = S_{sk_{ac}}(Z_{4,5} \,\|\, I_j)$
SwMI → MS: $Z_{i-1,i}$, $\sigma_{i-1,i}$
Each MS$_i$, holding KEK$_i$ (as labelled on the slide): $T_i = g_{KEK_i}(I_1)$ for $i = 1, \dots, 5$

An Efficient AGKA
• Join
− Security
  • Backward Secrecy
    - The joining MS should not know a previous group key
  • Our scheme provides Backward Secrecy
    - All MS re-calculate the T value using a different session ID ($I_j$) per session
    - Although MS5 knows all T values in the current session, MS5 cannot compute a previous group key.

An Efficient AGKA
• Leave Algo.
Session ID: $I_l = ID_1 \,\|\, ID_2 \,\|\, ID_4$
Group members: MS1 (KEK1), MS2 (KEK2), MS4 (KEK4); leaving MS: MS3 (KEK3)
SwMI:
$T_1 = g_{KEK_1}(I_l)$, $T_2 = g_{KEK_2}(I_l)$, $T_4 = g_{KEK_4}(I_l)$
$Z_{4,1} = T_4 \oplus T_1$, $Z_{1,2} = T_1 \oplus T_2$, $Z_{2,4} = T_2 \oplus T_4$
$\sigma_{4,1} = S_{sk_{ac}}(Z_{4,1} \,\|\, I_l)$, $\sigma_{1,2} = S_{sk_{ac}}(Z_{1,2} \,\|\, I_l)$, $\sigma_{2,4} = S_{sk_{ac}}(Z_{2,4} \,\|\, I_l)$
SwMI → MS: $Z_{i-1,i}$, $\sigma_{i-1,i}$
Each remaining MS$_i$, holding KEK$_i$: $T_i = g_{KEK_i}(I_l)$ for $i = 1, 2, 4$

An Efficient AGKA
• Leave
− Security
  • Forward Secrecy
    - The leaving MS should not know the current group key
  • Our scheme provides Forward Secrecy
    - The leaving MS3 knows all T values of the previous session
    - All MS re-calculate the T value using a new session ID ($I_l$) per session

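An added example, not code from the slides: the Setup, Join and Leave sessions reduced to their XOR chain and group-key computation. HMAC-SHA256 as g, SHA-256 as H, the "|" separator in the session ID and the sample KEKs are assumptions, and the SwMI signature step is left out.

```python
import hashlib
import hmac

def g(kek, session_id):
    # T_i = g_KEK_i(I); HMAC-SHA256 stands in for the PRF g (assumption).
    return hmac.new(kek, session_id, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def swmi_broadcast(keks, ids):
    # SwMI side: I = ID_1 || ... || ID_n and Z_{i-1,i} = T_{i-1} XOR T_i.
    # The signature sigma_{i-1,i} over Z || I is omitted in this example.
    session_id = b"|".join(ids)  # "|" separator is an assumption
    t = [g(keks[m], session_id) for m in ids]
    # z[j] links member j-1 to member j; z[0] is the wrap-around Z_{n,1}.
    z = [xor(t[j - 1], t[j]) for j in range(len(ids))]
    return session_id, z

def ms_group_key(kek, pos, session_id, z):
    # MS side: walk the Z chain from our own T, recover every other T,
    # check that the chain closes on our own T, then hash all T values.
    n = len(z)
    t = {pos: g(kek, session_id)}
    cur = pos
    for _ in range(n):
        nxt = (cur + 1) % n
        recovered = xor(z[nxt], t[cur])  # Z_{cur,nxt} XOR T_cur = T_nxt
        if nxt != pos:
            t[nxt] = recovered
        elif not hmac.compare_digest(recovered, t[pos]):
            raise ValueError("T check failed: inconsistent Z chain")
        cur = nxt
    return hashlib.sha256(b"".join(t[j] for j in range(n))).digest()

def run_session(keks, ids):
    # Key derived by each listed member for the session defined by ids.
    session_id, z = swmi_broadcast(keks, ids)
    return {m: ms_group_key(keks[m], p, session_id, z)
            for p, m in enumerate(ids)}

# Constructed sample KEKs, not values from the slides.
KEKS = {b"MS%d" % i: hashlib.sha256(b"constructed-kek-%d" % i).digest()
        for i in range(1, 6)}

if __name__ == "__main__":
    sk0 = run_session(KEKS, [b"MS1", b"MS2", b"MS3", b"MS4"])
    sk_leave = run_session(KEKS, [b"MS1", b"MS2", b"MS4"])
    print(sk0[b"MS1"].hex(), sk_leave[b"MS1"].hex())
```

The closing T check only detects an inconsistent Z chain: a party with the wrong KEK passes it but derives a different key, and the authenticity of the Z values rests on the SwMI signature.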
An Efficient AGKA
• Useful properties
− Allows the SwMI and MS to agree on a group key with low complexity
− Needs only XOR operations, the number of which depends on the number of MS in the group
− Constructs a special AGKA scheme including join and leave algorithms

AGKA
• AGKA protocol
− Security Theorem
  • # of send, execute queries: $q_{ex}$, $q_s$
$$\mathrm{Adv}^{AGKA}_{p,A}(k,t) \le \mathrm{Adv}^{SS}_{S,A_f}(k,t) + n \cdot \mathrm{Adv}^{prf}_{g,A_g}(k,t)$$

Thank you !

Questions? Comments?
• sylee@bcc.ac.kr