Efficient Group Key Agreement for Dynamic TETRA Networks

Su Youn Lee, Su Mi Lee and Dong Hoon Lee. Baekseok College of Cultural Studies; GSIS, Korea University. Current Trends in Theory and Practice of Computer Science, 2007.1.24.


  • Agenda
    - TETRA Networks
    - Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA)
      - Background and Motivation
      - Set up, Join and Leave Algorithms

  • TETRA Networks

    *

    What is TETRA?
    [Diagram labels: Mobile Radio, DECT, GSM, TETRA, Mobile Data, Mobile Telephony, UMTS]
    TErrestrial Trunked RAdio (TETRA) is a new digital transmission standard developed by ETSI, and it is becoming the system for public safety organisations.

    *

    What is TETRA? Architecture

    [Architecture diagram labels: Network Management, Line Dispatcher, IP gateway, Firewall, SwMI]

    *

    TETRA Security Mechanisms
    - End-to-End Encryption: securing the communication across a network, independent of the switching infrastructure.
    - Air Interface Encryption: securing the link between a handset and the network.
    - Key Management Center: controlled emission of keys, enabling decentralized authorisation and enforcing the high security level.

    *

    TETRA Security Mechanisms: Authentication

    - Authentication provides proof of identity of all MS in the TETRA network.
    - The AuC securely sends the session authentication key to Switch 1 and should store the secret key.
      - The secret key need never be exposed.
    - All MS and the AuC perform mutual authentication using the secret key K.
    [Diagram labels: MS, Authentication, Switch 1, Switch 2, Session authentication keys, Challenge and response from Switch, Authentication Centre (AuC), SwMI, K]

    *

    Authentication process
    [Diagram labels: K, Random Seed (RS), Mobile Station, SwMI, TA11, TA12, KS (Session authentication key), Rand, RES, XRES, DCK]

    *

    Air Interface Keys
    - Derived Cipher Key (DCK): derived from the authentication procedure.
    - Common Cipher Key (CCK): generated by the SwMI and distributed to all MS.
    - Group Cipher Key (GCK): linked to a specific closed MS group.
    - Static Cipher Key (SCK): a predetermined key.

    *

    Key Management Mechanism
    [Diagram: SwMI with MS1 to MS4 in Group call 1 and Group call 2. Labels: MS1 (K1, DCK1), MS2 (K2, DCK2), MS3 (K3, DCK3), MS4 (K4, DCK4); GCK=fn(K1) to GCK=fn(K4); CCK=fn(DCK1) to CCK=fn(DCK4); MGCK=fn(GCK, CCK)]

    *

    Over the Air Re-Keying (OTAR)
    [Diagram labels: SwMI, MS, AI, CCK, GCK, MGCK, DCK, KSO (GSKO)]
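
The challenge-response flow from the Authentication and Authentication process slides above (K and RS give KS, KS and Rand give RES/XRES and DCK), as an added example that is not part of the original presentation. TA11 and TA12 are not specified on the slides, so HMAC-SHA256 is used as an assumed stand-in; the class and function names and all field lengths are hypothetical.

```python
import hashlib
import hmac
import secrets

# TA11/TA12 are named on the slide but not specified there; HMAC-SHA256 is an
# assumed stand-in, and all lengths below are chosen for the example.
def ta11(k, rs):
    """Session authentication key KS from secret key K and random seed RS."""
    return hmac.new(k, b"TA11" + rs, hashlib.sha256).digest()[:16]

def ta12(ks, rand):
    """(RES or XRES, DCK) from KS and the challenge Rand."""
    out = hmac.new(ks, b"TA12" + rand, hashlib.sha256).digest()
    return out[:4], out[4:14]

class AuC:
    """Authentication Centre: the only network element that stores K."""
    def __init__(self):
        self._k = {}
    def provision(self, ms_id, k):
        self._k[ms_id] = k
    def session_material(self, ms_id):
        rs = secrets.token_bytes(10)
        return rs, ta11(self._k[ms_id], rs)   # K itself never leaves the AuC

class SwMI:
    """Switch side: sees RS and KS only, issues Rand, checks RES against XRES."""
    def __init__(self, auc):
        self.auc, self.pending = auc, {}
    def challenge(self, ms_id):
        rs, ks = self.auc.session_material(ms_id)
        rand = secrets.token_bytes(10)
        self.pending[ms_id] = ta12(ks, rand)   # (XRES, DCK)
        return rs, rand
    def verify(self, ms_id, res):
        xres, dck = self.pending.pop(ms_id)    # one attempt per challenge
        return dck if hmac.compare_digest(res, xres) else None

class MobileStation:
    def __init__(self, k):
        self.k, self.dck = k, None
    def respond(self, rs, rand):
        res, self.dck = ta12(ta11(self.k, rs), rand)
        return res

def authenticate(swmi, ms_id, ms):
    """Run one challenge-response; returns the SwMI's DCK or None on failure."""
    rs, rand = swmi.challenge(ms_id)
    return swmi.verify(ms_id, ms.respond(rs, rand))
```

On success both sides hold the same DCK without K or DCK crossing the air interface; a handset with the wrong K produces a RES that fails the constant-time comparison.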

  • Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA); - Background and Motivation

    *

    Background and Motivation: Group Key Agreement
    - MS communicate over a public, easily monitored network.
    - MS need to establish a common secret key (session key) to secure communication.
    [Diagram: Group Key Agreement Protocol, with each MS holding sk]

    *

    Background and Motivation: Authenticated Group Key Agreement (AGKA)
    - AGKA guarantees security against an active adversary who can modify, insert or remove messages.
    - To provide authentication, we can construct AGKA based on PW or signature.

    *

    Background and Motivation
    - In AGKA, there are two concerns with regard to efficiency: communication and computation efficiency.
    - Communication efficiency: the number and length of messages; few rounds.
    - Computation efficiency: the computation needed to complete the protocol; depends on the cryptographic algorithms.

    *

    Background and Motivation: AGKA for Dynamic TETRA networks
    - Provides Setup, Leave and Join algorithms.
    - In a Leave event, the removed MS does not know the new sk: Forward Secrecy.

    *

    Background and Motivation: AGKA for Dynamic TETRA networks
    - In a Join event, the joining MS does not know the previous sk: Backward Secrecy.

  • An Efficient Group Key Agreement for Dynamic TETRA Networks (AGKA); - Set up, Join and Leave Algorithms

    *

    An Efficient AGKA: Setup

    [Setup diagram; surviving labels: KEK1, SwMI]

    *

    An Efficient AGKA: Setup, Group Key Computation Process
    [Diagram; surviving label: KEK1]

    *

    An Efficient AGKA: Setup, Security
    - MS verifies the signature of SwMI.
    - Assume that the signature scheme is secure.
    - No signature can be used twice.
    - Only an MS that knows KEK can compute a group key.
    - An adversary cannot get any information about a group key from Z_{i-1,i}.
    - XOR encryption scheme.

    *

    An Efficient AGKA: Join Algo.

    [Join diagram; surviving labels: KEK1, SwMI, Joining MS5]

    *

    An Efficient AGKA: Join, Security
    - Backward Secrecy: the joining MS should not know a previous group key.
    - Our scheme provides Backward Secrecy.
    - All MS re-calculate the T value using a different session ID (I_j) per session.
    - Although MS5 knows all T values in the current session, MS5 cannot compute a previous group key.

    *

    An Efficient AGKA: Leave Algo.

    [Leave diagram; surviving labels: KEK1, SwMI]

    *

    An Efficient AGKA: Leave, Security
    - Forward Secrecy: the leaving MS should not know the current group key.
    - Our scheme provides Forward Secrecy.
    - The leaving MS3 knows all T values of the previous session.
    - All MS re-calculate the T value using a new session ID (I_l) per session.

    *

    An Efficient AGKA: Useful properties
    - Allows SwMI and MS to agree on a group key with low complexity.
    - Needs only XOR operations, dependent on the number of group MS.
    - Constructs a special AGKA scheme including join and leave algorithms.

    *

    AGKA: AGKA protocol, Security Theorem
    # of send, execute queries :

    *

    Questions? Comments? Thank you!