
Implementing End-to-End Security in TETRA


Presentation Transcript


  1. Implementing End-to-End Security in TETRA Author: Heikki Lavanti Instructor: M.Sc Olli-Pekka Lahtinen Supervisor: Professor Raimo Kantola

  2. AGENDA • Introduction & background for the thesis • Goals and methods of the thesis • TETRA • Smart card technology • Implementing E2EE in the NTS • Results of tests • Conclusions

  3. Introduction & background for the thesis • Work was done at Nokia Networks’ Professional Mobile Radio business unit situated in Helsinki • Background for the thesis is the need for a module that implements end-to-end encryption (E2EE) of circuit switched voice in the Nokia TETRA System (NTS) • The module must also support (relatively) easy replacement of the algorithm • E2EE is done between the end-user terminals, i.e. the network itself is unaware of the type of communication • There is a network element called the Dispatcher WorkStation (DWS) that can monitor several calls at once and thus presents some special requirements for the module used for E2EE • The thesis studied the applicability of smart cards as the E2EE module in the DWS

  4. Goals and methods of the thesis • Goals: • investigate how E2EE is implemented in the current NTS (especially the DWS) • investigate if the implementation could make use of smart card technology and to this end • study smart cards • estimate requirements of E2EE • analyze the suitability of smart cards • Methods: • the suggested implementation was tested using • calculations • simulations

  5. TETRA • TErrestrial Trunked RAdio • Professional mobile radio standard done by ETSI • Advantages over PLMNs (e.g. GSM) include • fast call set-up • group communication • security (e.g. AIE) • Users (and customers) from the • public sector (e.g. governments) • called PSS (Public Safety and Security) networks • private sector (e.g. gas companies) • called PC (Professional Cellular) networks • AIE offers a robust encryption scheme over the AI, but inside the SwMI, the user data is in clear format and susceptible to eavesdropping (AIE = Air Interface Encryption; SwMI = Switching and Management Infrastructure)

  6. Nokia TETRA System (NTS) • CDD – Configuration and Data Distribution server • DWS – Dispatcher WorkStation • DXT – Digital eXchange for TETRA • TBS – TETRA Base Station • TCS – TETRA Connectivity Server

  7. The DWS • Has four variants: • DWSe1 – uses an E1 connection • DWSi – uses an ISDN connection • DWSr – uses the air interface and TETRA packet data • DWSx – can use both E1 and ISDN + supports E2EE • The DWSx has a PCI card called the Xgear, which has a module called the GEM (General Encryption Module), which encrypts the data • The GEM is controlled via a GEI (General Encryption Interface) → the GEM can be any technology • The thesis studied smart cards as the new GEM technology

  8. Smart card technology • A credit card- (or SIM card) sized plastic token with an embedded microchip (integrated circuit chip) • Comprised of • a plastic card • micro controller • interfaces • application • Provides • Persistent, protected storage • Memory capacity (4K - 160K is typical) • Computational capability and processing power (a small CPU) • Self-contained → Doesn’t need to depend on potentially vulnerable external resources

  9. Smart card technology • An important aspect of smart cards is the prevention of unauthorized users gaining access to information contained on the card • The advantage smart cards have over magnetic stripe cards is that the smart card contains the computer chip which stores the password or PIN • The password is not sent over a communication line to a computer system for verification, which can easily be tapped • The most important part of a smart card is the software that provides the applications • After a smart card is issued to the consumer, protection of the card will be mainly controlled by the application and the operating system • Access of data has to be done through the logical file structure on the card

  10. The ISO/IEC 7816 • Set of standards that define e.g. the physical layout and data transfer methods of a smart card • The protocol stack is divided into three according to the ISO OSI model:

  11. The ISO/IEC 7816 • The ISO/IEC 7816 places several restrictions on smart card-terminal communications: • the physical layer has several performance degrading factors – e.g. 8 data bits are encapsulated inside 10 bits and communication is half-duplex • there are several guard times as well to ensure that the terminal and smart card have enough time to respond • communication is defined as master-slave with the card always the slave. ETSI has defined a CAT (Card Application Toolkit) to alleviate this, but communication is still quite cumbersome • The CAT commands are known as proactive commands • The End-to-end Application Toolkit (EAT) is a subset of the CAT

  12. TETRA & E2EE • E2EE encrypts user data at the sender and decrypts it at the receiver → the network is a transparent medium • E2EE does not encrypt signaling, which is encrypted using AIE → E2EE does not replace AIE but is an additional security feature

  13. TETRA & E2EE • TETRA uses an algebraic code-excited linear predictive (ACELP) codec for speech compression • In the TETRA codec, speech samples of 30 ms are used. Each sample is digitized to a speech frame of 137 bits. After the codec, two subslots, each consisting of a speech frame, are fitted into one TDMA timeslot • Thus, one TETRA timeslot consists of 274 bits of data • The DWS can monitor 16 group calls and communicate with one timeslot, i.e. it has to be able to simultaneously decrypt 16 speech frames and decrypt one speech frame • New timeslots arrive with an interval of 32 ms. One Key Stream Operation (KSO) would have to be done in 32 ms / 17 = 1.88 ms

  14. Implementing E2EE in the NTS • The following illustrates the Key Stream Operation (KSO) of a TETRA terminal in E2EE • The KSG takes as its input a key and the IV in the first round (or the SV in subsequent rounds) • Next, the KSG uses an algorithm to generate the KSS • The KSS is XORed with the input • The ciphertext is sent with the SV • The receiver does the same KSO in reverse • The KSO is a flywheel • the receiver can calculate the KSS without the SVs • However, the SV is sent at regular intervals

  15. Tests • The requirements for the smart card’s I/O contact’s capacity were estimated using calculations based on the DWS and the ISO 7816 • These were then compared to the figures given by Infineon, a large manufacturer of smart cards • Also, the KSG was simulated using a smart card controller simulator provided by Infineon • the OS was provided by Infineon • the application used was a simple AES algorithm that took as its input the lengths of the key and the SV

  16. Results of tests • The calculations showed that the requirement for the I/O contact is approximately 435 kbit/s • The Infineon SLE88 family of smart card controllers has a maximum rate of 625 kbit/s → the I/O contact could manage the load • The KSG would have to be able to generate one KSS in approximately 50 μs • The simulated KSG needs 160 μs at 55 MHz to be able to generate the KSS → clearly over the limit

  17. Conclusions • The I/O contact is fast enough to handle the requirements of E2EE in the DWS • The application was not fast enough; there may be several reasons for this: • The OS was a simple implementation and in no way optimized • The application itself was written in C and not assembler, and was not optimized • However, although the solution that makes use of only one smart card, an implementation of 2 to 4 smart cards could probably be possible • Next steps: • The calculations done on the I/O contact should be verified using hardware tests • The application and OS should be further developed in order to gain more accurate results • Also, alternatives to the smart card technology should be considered • e.g. Field Programmable Gate Arrays • All in all, smart card technology is continuously developing towards faster CPUs and larger transfer rates and probably the performance bottlenecks will not exist in the near future

  18. Thank You ! Questions ?
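
The flywheel Key Stream Operation of slides 13 and 14, as an added example that is not part of the original presentation or of the NTS code: the sender XORs each 274-bit timeslot with a KSS and attaches the SV only periodically, while the receiver free-runs between SVs and resynchronises when one arrives. Assumptions: HMAC-SHA256 stands in for the KSG algorithm (it is not a TETRA algorithm), and the SV update rule, the SV interval of 4 timeslots, the key and IV sizes and all names are hypothetical.

```python
import hashlib
import hmac

SLOT_BITS = 274                       # two 137-bit speech frames per timeslot
SLOT_BYTES = (SLOT_BITS + 7) // 8     # 35 bytes; only the top 2 bits of the last byte are used
PAD_MASK = (0xFF << (8 * SLOT_BYTES - SLOT_BITS)) & 0xFF
SV_INTERVAL = 4                       # assumed: the SV accompanies every 4th timeslot

def _prf(key, label, sv, length):
    """Stand-in KSG primitive (HMAC-SHA256 in counter mode); not a TETRA algorithm."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + sv + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]

class KeyStreamGenerator:
    def __init__(self, key, sv):
        self.key, self.sv = key, sv   # sv is the IV in the first round
    def next_kss(self):
        kss = bytearray(_prf(self.key, b"kss", self.sv, SLOT_BYTES))
        kss[-1] &= PAD_MASK           # keep exactly 274 key stream bits
        self.sv = _prf(self.key, b"sv", self.sv, len(self.sv))  # flywheel step
        return bytes(kss)

def kso(ksg, slot):
    """XOR one timeslot with the next KSS; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(slot, ksg.next_kss()))

def send(key, iv, slots):
    """Return (sv_or_None, ciphertext) per timeslot; the SV rides along periodically."""
    ksg, out = KeyStreamGenerator(key, iv), []
    for i, slot in enumerate(slots):
        sv = ksg.sv if i % SV_INTERVAL == 0 else None
        out.append((sv, kso(ksg, slot)))
    return out

def receive(key, stream):
    """Free-run between SVs; (re)synchronise whenever one arrives. None = not yet in sync."""
    ksg, plain = None, []
    for sv, ct in stream:
        if sv is not None:
            ksg = KeyStreamGenerator(key, sv)
        plain.append(kso(ksg, ct) if ksg else None)
    return plain

# Constructed sample input: 8 timeslots of 274 bits, a 128-bit key and a 64-bit IV.
KEY, IV = bytes(range(16)), bytes(8)
SLOTS = [bytes([i + 1]) * 34 + b"\x40" for i in range(8)]
```

Removing one element from the list returned by `send` models a lost timeslot: the receiver's KSS stays out of step until the next SV arrives, which is why the SV is still sent at regular intervals.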
