ETSI TR 102 512 V1.1.1 (2006-08) Technical Report: Terrestrial Trunked Radio (TETRA); Security; Security requirements analysis for modulation enhancements ...
certain value associated to the occurrence likelihood of a particular threat is explained as follows:
These attack factors are summed (i.e. Elapsed time + Expertise + Knowledge of TOE + Window of opportunity + Equipment) to give an overall vulnerability rating as shown in table 2. The vulnerability rating is then mapped to the occurrence likelihood as shown in table 3.
The impact of a threat is also estimated with values from "1" to "3". The meaning of a certain value associated to the impact is explained as follows:
1 for "low impact": the concerned party (asset) is not harmed very strongly; the possible damage is low.
2 for "medium impact": the threat addresses the interests of providers/subscribers and cannot be neglected.
3 for "high impact": a basis of business is threatened and severe damage might occur in this context.
The product of occurrence likelihood and impact value gives the risk, which serves as a measure of the risk that the concerned management function is compromised. The result is classified into the following three categories:
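The following is an added example and not part of ETSI TR 102 512: a small model of the TVRA risk chain described above (five attack factors summed into a vulnerability rating, the rating mapped to an occurrence likelihood, likelihood multiplied by impact, and the product classified). The per-factor scores, the rating-to-likelihood mapping and the class thresholds are assumed stand-ins for the report's tables 2 and 3, which this page does not reproduce; the two scored cases at the bottom are constructed for illustration.

```python
# Added example (not from ETSI TR 102 512): a model of the TVRA risk computation.
# The factor scores, the rating-to-likelihood mapping and the risk class
# thresholds below are ASSUMED stand-ins for the report's tables 2 and 3.
from dataclasses import dataclass

# Assumed per-factor scores: a higher score means the attack is harder to mount.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=3 months": 10, ">3 months": 17}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6}
KNOWLEDGE_OF_TOE = {"public": 0, "restricted": 3, "sensitive": 7}
WINDOW_OF_OPPORTUNITY = {"unnecessary": 0, "easy": 1, "moderate": 4, "difficult": 12}
EQUIPMENT = {"standard": 0, "specialised": 4, "bespoke": 7}

LIKELIHOOD_NAMES = {1: "unlikely", 2: "possible", 3: "likely"}
IMPACT_NAMES = {1: "low", 2: "medium", 3: "high"}


@dataclass(frozen=True)
class AttackFactors:
    elapsed_time: str
    expertise: str
    knowledge_of_toe: str
    window_of_opportunity: str
    equipment: str

    def vulnerability_rating(self) -> int:
        """Elapsed time + Expertise + Knowledge of TOE + Window of opportunity + Equipment."""
        return (ELAPSED_TIME[self.elapsed_time]
                + EXPERTISE[self.expertise]
                + KNOWLEDGE_OF_TOE[self.knowledge_of_toe]
                + WINDOW_OF_OPPORTUNITY[self.window_of_opportunity]
                + EQUIPMENT[self.equipment])


def occurrence_likelihood(rating: int) -> int:
    """Assumed stand-in for table 3: a low rating (cheap attack) maps to 'likely'."""
    if rating < 0:
        raise ValueError("vulnerability rating cannot be negative")
    if rating <= 9:
        return 3
    if rating <= 19:
        return 2
    return 1


def risk_value(likelihood: int, impact: int) -> int:
    """Risk = occurrence likelihood x impact, both on the 1..3 scale."""
    if likelihood not in (1, 2, 3) or impact not in (1, 2, 3):
        raise ValueError("likelihood and impact must be 1, 2 or 3")
    return likelihood * impact


def risk_class(value: int) -> str:
    """Assumed thresholds for the three categories (minor / major / critical)."""
    if value <= 2:
        return "minor"
    if value <= 4:
        return "major"
    return "critical"


def assess(factors: AttackFactors, impact: int) -> dict:
    """Run the whole chain and keep every intermediate value for the assessment record."""
    rating = factors.vulnerability_rating()
    likelihood = occurrence_likelihood(rating)
    value = risk_value(likelihood, impact)
    return {
        "vulnerability_rating": rating,
        "likelihood": likelihood,
        "likelihood_name": LIKELIHOOD_NAMES[likelihood],
        "impact": impact,
        "impact_name": IMPACT_NAMES[impact],
        "risk": value,
        "risk_class": risk_class(value),
    }


if __name__ == "__main__":
    # Constructed scoring (illustration only): an attack needing little time, modest
    # skill, public knowledge, an easy window and standard equipment, medium impact.
    easy_case = AttackFactors("<=1 day", "proficient", "public", "easy", "standard")
    print(assess(easy_case, impact=2))
    # Constructed contrast: months of work, experts, sensitive knowledge, bespoke kit.
    hard_case = AttackFactors(">3 months", "expert", "sensitive", "difficult", "bespoke")
    print(assess(hard_case, impact=3))
```

Keeping the intermediate values in the returned record matters in practice: a reviewer of the TVRA needs to see which factor drove the rating, not just the final class.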
6.2 TETRA system under evaluation
The TETRA system considered for evaluation has a very small set of open interfaces as shown in figure 3.
6.3 TETRA use cases (security scenarios)
6.3.1 Point to point communication within single TETRA SwMI
A call made using ITSI as the source and destination address.
6.3.2 Point to multipoint communication within single TETRA SwMI
A call made using ITSI as source address and GTSI as destination address.
6.3.3 Broadcast communication within single TETRA SwMI
A call made with the reserved broadcast address as destination address.
6.3.4 Point to point communication within multiple TETRA SwMIs
A call made using ITSI as the source and destination address, utilising the ISI as the communications (media and signaling) link between SwMIs.
6.3.5 Point to multipoint communication within multiple TETRA SwMIs
A call made using ITSI as the source and GTSI as the destination address, utilising the ISI as the communications (media and signaling) link between SwMIs.
6.3.6 Broadcast communication within multiple TETRA SwMIs
A call made with the reserved broadcast address as destination address, utilising the ISI as the communications (media and signaling) link between SwMIs.
6.4 Overview of existing TETRA security measures
6.4.1 Security analysis and recommendation
The analysis presented as design input for TETRA in ETR 086-3 and the ongoing development of EN 300 392-7 has offered a set of security solutions to counter those threats identified in the referred documents.
The current countermeasures defined in EN 300 392-7 and the ongoing work of the TETRA MoU SFPG group address the risks present at the Air Interface and the risks involved in deploying the mechanisms defined, to ensure that best practice is maintained.
6.4.2 Air interface capabilities
Security profiles or classes
TETRA security is defined in terms of class (see EN 300 392-7). Each class has associated features that are mandatory or optional and are summarized in table 6.
Authentication
All authentication services in TETRA release 1 are enabled by the secret key relationship of the root key K to ITSI and support the following services:
• mutual authentication (where the decision to make the authentication mutual is made by the challenged party).
The authentication protocol is of the challenge-response format described in ISO/IEC 9798-2, with the random variable being provided by random numbers.
Over the air key management support
Keys may be provided for one or more of the encryption services over the air in TETRA. In each case both individual and group distribution is defined. The former uses a key sealing service using K as the root key. The latter uses a group sealing key which may itself be distributed by the former method.
In addition, for class 3 systems the core key CCK is provided over the air. The Derived Cipher Key (DCK) is derived during the authentication process. The Common Cipher Key (CCK) is sealed with the DCK resulting from authentication and transmitted in sealed form over the air.
Encryption
The encryption service in TETRA offers confidentiality of traffic, both voice and data, and some protection of the signaling.
The Encrypted Short Identity (ESI) mechanism provides a means of protection of identities transmitted over the air interface. The mechanism applies only to those networks with air interface encryption applied (class 2 and class 3 systems). When encrypted signaling is used the ESI is sent instead of the true identity.
Over the Air enable and disable
The enable/disable capability in TETRA (sometimes referred to as "stun 'n' kill") allows a malfunctioning or stolen terminal to be either temporarily or permanently prevented from operation. In the former case the terminal can be re-enabled over the air, whereas in the latter case reinstating operation requires a visit to a service centre.
TAA1
TAA1 is the authentication and key management algorithm set defined by SAGE in accordance with the algorithm specifications given in EN 300 392-7 and the rules of management given in TR 101 052.
An independent analysis of the TEAx algorithms, carried out to determine the impact of requesting a longer key stream segment from the TEAx algorithms, identified no security or cryptanalysis concerns in the definition of any of the TEAx algorithms. The analysis is available on request from the ETSI TETRA WG6 chair.
The conclusion of the study is that there is no change in the level of risk to loss of confidentiality for encrypted air interface traffic when moving from the existing TETRA to the modified air interface being standardized in TETRA.
TEA1
For use in the region specified in the rules of procedure for TEA1.
TEA2
For use in the region specified in the rules of procedure for TEA2.
TEA3
For use in regions specified in the rules of procedure for TEA3.
TEA4
For use in regions specified in the rules of procedure for TEA4.
Overview
The Peripheral Equipment Interface is defined in EN 300 392-5 and allows for a split of the TETRA terminal into two separate devices connected using the PEI at reference point RT: Terminal Equipment type 2 (TE2); and a Mobile Termination type 2 (MT2).
The equipment that may act as TE2 includes PCs and PDAs as well as specialist data equipment (including sensors).
The existing scope of PEI restricts MT2 to being a TETRA Trunked Mode equipment, and further restricts PEI to a single point to point connection.
With respect to data services, the TETRA PEI will be used for the following:
• transmission and reception of packet data (including setting of packet data parameters);
• transmission and reception of circuit data (including setting of circuit data parameters);
• transmission and reception of short data (including setting of short data parameters).
In addition to data services the TETRA PEI may be used for the following:
• set-up and control of speech calls (including setting of speech call parameters);
• access to general information of MT2 and network;
• access to user applications located in MT2.
The TETRA PEI includes components which are not required by all the functions listed above; therefore, depending on the functionality that an MT2 supports, not all aspects of the PEI need to be implemented.
TETRA PEI has been designed to fulfil the following key requirements:
• a standard physical interface, widely adopted in the Information Technology (IT) world;
• broad compatibility with other wireless data systems;
• access to the full range of MT2 functionality (TE applications may use profiles to restrict functionality).
The adoption of standard physical interfaces may allow a number of standard PC connectivity arrangements to be used, and the security models of these should be considered. The range of physical interfaces includes:
The purpose of PEI is to enable control; therefore only the call set up, maintenance and clear down signaling for speech calls is sent on the PEI, and voice packets are never sent over the PEI (voice packets go directly from the MT codec to the TMD-SAP). However, it is noted that circuit mode data may be sent over the PEI.
Objectives
The objectives of PEI are to enable remote control of MT2 and thus to allow expanded functionality within TE2.
The security objective to be met by PEI is to ensure that the remote TE2 presents the same risk to the TETRA user and TETRA SwMI as if the TE and MT were collocated.
Any unprotected PEI may allow access to any of the three service categories.
The following key differences are noted:
• TNP1 commands can be sent in parallel with ongoing packet data services.
• AT commands can only be sent in the command state.
The primary assumption in PEI is that the connection is between two trusted pieces of equipment (TE and MT) and there is no authentication or authorization. It is further assumed that the connection is wired using a short non-radiating cable (within the constraints set for V.24 and V.28 in ITU-T).
Where the physical connection does not comply with clause 5 of EN 300 392-5 and instead adopts wireless modes, the MT, and all capabilities open to TNP1 and the AT command set, are open to attack. To counter this, Bluetooth should not be set to discoverable mode.
Summary of unwanted incidents
The following unwanted incidents may arise when PEI is exploited:
• harvesting of data on the SIM (this is currently restricted to the PSTN phonebook and some local configuration data); and
• remote invocation of packet data connections.
6.5.2 ISI
The ISI provides the technical links between two TETRA networks that have agreed to allow intercommunication. The form of physical link used for the ISI is not specified. There are two specifications for the transmission of TETRA speech that may apply on the ISI (TS 100 392-3-6 and TS 100 392-3-7) which will allow support of encrypted speech across the ISI.
Details of the ISI are currently insufficient to permit a full TVRA to be carried out, but the general assumption that the end-points are trusted while the linking network is itself untrusted may be applied. In this way the general assumptions and TVRA models for use of untrusted networks apply.
6.5.3 IP
The use of Internet Protocol in TETRA is possible but not explicitly protected other than by the existing radio interface mechanisms and by the explicit TETRA identity authentication. The bulk of air interface protocols for establishment of an IP connection in TETRA share a common root with those of GPRS and 3GPP in the use of PDP-context activation and deactivation, and the use of IPsec in the TETRA environment is able to share the profiles being developed both in 3GPP for 3rd generation cellular and wireless access, and in TISPAN for IP access.
NOTE: Work in progress in ETSI and with the IPv6 forum towards a suite of interoperability and conformance tests for IPv6 covering the capabilities of IPsec in addition to the core and mobility capabilities of IPv6 may be used as the basis of a formal TETRA IPsec profile.
6.5.4 Application level security
All applications in TETRA are assumed to exist within the trusted TETRA SwMI space and are therefore considered out of scope for this TVRA (within the trusted zone).
There are a number of solutions for security within applications, but the selection of countermeasures and identification of risk cannot be generalized. The use of tools such as Digital Rights Management and Kerberos-like models of distributed secure access control may be usefully reviewed in the application context.
7 Identification of requirements for countermeasures
7.1 Overview
Countermeasures should be applied to those vulnerability/asset relationships where the risk is significant (i.e. where the risk identified in clause 6 is critical or major). Countermeasures can take a number of forms:
• Redesign to eliminate the weakness (as with no weakness there is no threat-weakness pair hence no vulnerability).
• New assets offering specific protection for specific vulnerabilities.
NOTE 1: Any new asset introduced to the system has to be assessed for vulnerabilities and any concurrent risk identified.
NOTE 2: A single asset performing as a countermeasure may reduce the risk associated with many vulnerabilities and assets.
7.2 TETRA air interface modifications
The major areas in TETRA where additional risk is to be encountered, and that lie within the scope of TETRA to provide countermeasures for, are the ISI and the PEI. In both cases ongoing work in both TETRA and the TETRA MoU SFPG is addressing these areas. For those areas outside of TETRA's immediate control, such as application level security and IP security, the TETRA MoU SFPG is addressing the principal areas of risk and the appropriate countermeasures to be applied. This work, allied with ongoing best practice in the market and in particular the trends in 3GPP and TISPAN for use of IPsec, should be followed and applied where appropriate.
One of the biggest changes arising from the update of the TETRA air interface is the greater data carrying capacity, and as such there are requirements to modify the KSS length output from the KSG (see the clause on the TEAx algorithms above) to support confidentiality of both π/8-D8PSK and QAM modulation. One further consequence of the greater data carrying capacity is that there will be a greater likelihood of PDU association in π/8-D8PSK and QAM channels. Changes have been developed in WG6 to provide for additional precautions in the case of QAM modulation to avoid KSS repeat where PDU association occurs.
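The following added example (not from the report, and not a model of the real TETRA KSG or of the WG6 changes) shows why a repeated KSS under PDU association is a confidentiality problem and what the precaution achieves. The KSG is an assumed stand-in (HMAC-SHA256 in counter mode); "PDU association" is taken here to mean several PDUs carried in the payload of one frame; the PDU contents are constructed. Two IV rules are compared: one keyed only by frame number, so associated PDUs share a KSS, and one that also counts PDUs within the frame. A small checker flags any repeated KSS segment in a frame.

```python
# Added example (not from ETSI TR 102 512 / EN 300 392-7). The KSG below is an
# ASSUMED stand-in (HMAC-SHA256 in counter mode); the real TETRA KSG, the TEAx
# algorithms and the WG6 precautions are not modelled.
import hashlib
import hmac


def ksg(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy key stream generator: expands (key, IV) into `length` bytes of KSS."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def iv_per_frame(frame_number: int, pdu_index: int) -> bytes:
    """Naive IV rule: frame number only, so every PDU in a frame gets the same KSS."""
    return frame_number.to_bytes(4, "big")


def iv_per_pdu(frame_number: int, pdu_index: int) -> bytes:
    """IV rule that also counts PDUs within the frame: each PDU gets a distinct KSS."""
    return frame_number.to_bytes(4, "big") + pdu_index.to_bytes(2, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, frame_number: int, pdus: list, iv_rule) -> list:
    """Encrypt the PDUs associated in one frame; returns (kss, ciphertext) per PDU."""
    result = []
    for index, pdu in enumerate(pdus):
        kss = ksg(key, iv_rule(frame_number, index), len(pdu))
        result.append((kss, xor(pdu, kss)))
    return result


def kss_segments_repeat(encrypted: list) -> bool:
    """Defender-side check: is any KSS segment (or a prefix of it) used twice?"""
    segments = [kss for kss, _ in encrypted]
    for i in range(len(segments)):
        for j in range(i + 1, len(segments)):
            n = min(len(segments[i]), len(segments[j]))
            if n and segments[i][:n] == segments[j][:n]:
                return True
    return False


def plaintext_relation_exposed(pdus: list, encrypted: list) -> bool:
    """If the KSS repeats, c1 ^ c2 == p1 ^ p2: the key stream cancels and the
    relation between the two plaintexts is visible without any key."""
    (_, c1), (_, c2) = encrypted[0], encrypted[1]
    n = min(len(c1), len(c2))
    return xor(c1[:n], c2[:n]) == xor(pdus[0][:n], pdus[1][:n])


# Constructed sample traffic: two PDUs associated in the same frame.
SAMPLE_KEY = bytes(range(16))
SAMPLE_PDUS = [b"status: unit 7 at gate 3", b"status: unit 9 at gate 1"]

if __name__ == "__main__":
    naive = encrypt_frame(SAMPLE_KEY, 42, SAMPLE_PDUS, iv_per_frame)
    fixed = encrypt_frame(SAMPLE_KEY, 42, SAMPLE_PDUS, iv_per_pdu)
    print("naive: repeat =", kss_segments_repeat(naive),
          "exposed =", plaintext_relation_exposed(SAMPLE_PDUS, naive))
    print("fixed: repeat =", kss_segments_repeat(fixed),
          "exposed =", plaintext_relation_exposed(SAMPLE_PDUS, fixed))
```

The check in `kss_segments_repeat` is the kind of invariant a test bench for a new modulation mode should assert over every frame it generates: it needs no knowledge of the cipher, only of the KSS segments handed to the encryptor.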
7.2.1 Outline of modifications to TETRA air interface security
The TETRA air interface security specification has been progressively updated during the period of development of the present document. The main changes are summarised in the table below, which refers to the specific Change Requests to be incorporated.
Table 7: Outline CRs updating TETRA Air interface security in response to ongoing TVRA work