SIST ETS 300 396-6:1999

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Terrestrial Trunked Radio (TETRA); Direct Mode Operation (DMO); Part 6: Security33.070.10Prizemni snopovni radio (TETRA)Terrestrial Trunked Radio (TETRA)33.020Telekomunikacije na splošnoTelecommunications in generalICS:Ta slovenski standard je istoveten z:ETS 300 396-6 Edition 13SIST ETS 300 396-6:1999en01-MXOLM-19993SIST ETS 300 396-6:1999SLOVENSKI
STANDARD
EUROPEANETS 300 396-6TELECOMMUNICATIONApril 1998STANDARDSource: TETRAReference: DE/RES-06007-6ICS:33.020Key words:Direct Mode, security, TETRATerrestrial Trunked Radio (TETRA);Direct Mode Operation (DMO);Part 6: SecurityETSIEuropean Telecommunications Standards InstituteETSI SecretariatPostal address: F-06921 Sophia Antipolis CEDEX - FRANCEOffice address: 650 Route des Lucioles - Sophia Antipolis - Valbonne - FRANCEInternet: secretariat@etsi.fr - http://www.etsi.fr - http://www.etsi.orgTel.: +33 4 92 94 42 00 - Fax: +33 4 93 65 47 16Copyright Notification: No part may be reproduced except as authorized by written permission. The copyright and theforegoing restriction extend to reproduction in all media.© European Telecommunications Standards Institute 1998. All rights reserved.SIST ETS 300 396-6:1999

Page 2ETS 300 396-6: April 1998Whilst every care has been taken in the preparation and publication of this document, errors in content,typographical or otherwise, may occur. If you have comments concerning its accuracy, please write to"ETSI Editing and Committee Support Dept." at the address shown on the title page.SIST ETS 300 396-6:1999

Page 3ETS 300 396-6: April 1998ContentsForeword.71Scope.92Normative references.93Definitions and abbreviations.103.1Definitions.103.2Abbreviations.114Operational Security.124.1Single-Hop Calls.124.2Multi-Hop Calls.134.3Call Synchronization.154.3.1Synchronization of calls through a repeater.154.3.2Synchronization of data calls where data is multi-slot interleaved.164.3.2.1Recovery of stolen frames from interleaved data.175Authentication Mechanisms.175.1Mobile to mobile operation.175.2Dual Watch Operation.175.3Gateway mode operation.176Air Interface (AI) encryption.196.1General principles.196.2Key Stream Generator (KSG).196.2.1KSG numbering and selection.196.3Encryption mechanism.206.3.1Interface parameters.206.3.1.1Time Variant Parameter (TVP).206.3.1.2Cipher Key.216.3.1.3Identification of cipher keys.216.3.2Data to be encrypted.216.3.2.1Encryption of MAC header elements.216.3.2.1.1DMAC-SYNC PDU encryption.236.3.2.1.2DMAC-DATA PDU encryption.246.3.2.2Traffic channel encryption control.246.4AI encryption protocol.246.4.1General.246.4.1.1Positioning of encryption process.256.4.2Service description and primitives.256.4.2.1DMCC-ENCRYPT primitive.276.4.2.2DMC-ENCRYPTION primitive.286.4.3Protocol Functions.287Air Interface (AI) key management mechanisms.297.1Key numbering and storage.297.2Over The Air Rekeying.297.3OTAR service description and primitives.307.3.1SCK transfer primitives.307.4OTAR SCK protocol functions.307.4.1OTAR protocol models.327.5OTAR Protocol MSCs.337.5.1Case 1: KU requests key from KH.337.5.2Case 2: KU requests key from KH acting as a relay for KSL.347.5.3Case 3: KH distributing SCK unsolicited.357.5.4Case 4: Error scenarios with SDS timeout from KU or KH.36SIST ETS 300 396-6:1999

Page 4ETS 300 396-6: April 19987.5.5Case 5: Error scenarios where KH provides no keys in response todemand.377.6PDU descriptions.377.6.1OTAR SCK Provide.387.6.2OTAR SCK Demand.387.6.3OTAR SCK Result.397.7PDU Information elements coding.397.7.1Address extension.397.7.2ITSI.397.7.3ITSI flag.407.7.4Mobile country code.407.7.5Mobile network code.407.7.6Number of SCKs provided.407.7.7Number of SCKs requested.417.7.8OTAR SCK sub-type.417.7.9Proprietary.417.7.10Provision result.417.7.11Random seed (OTAR).427.7.12SCK key and identifier.427.7.13SCK number.427.7.14SCK number and result.427.7.15SCK version number.437.7.16Sealed Key.437.7.17Session key (OTAR).437.7.18Short subscriber identity.438Secure Enable and Disable mechanism.438.1Overview.438.2General relationships.448.3Enable/Disable state transitions.458.4Mechanisms.458.4.1Disable of MS equipment.468.4.2Disable of MS subscription.468.4.3Disable an MS subscription and equipment.468.4.4Enable an MS equipment.468.4.5Enable an MS subscription.468.4.6Enable an MS equipment and subscription.468.5Enable/disable authentication mechanism.478.6Enable/Disable service description and primitives.478.6.1Enable/Disable primitives.478.7Enable - disable protocol.498.7.1General Case.498.7.2Enable-Disable protocol models.498.7.3Specific Protocol Exchanges.508.7.3.1Successful disabling of a target with mutualauthentication.518.7.3.2Successful enabling of a target with mutual authentication528.7.3.3Successful delivery of TEI with mutual authentication.548.7.3.4Rejection of ENDIS command.558.7.3.5Authentication failure during ENDIS exchange.568.7.4Protocol messages.578.7.4.1ENDIS COMMAND.578.7.4.2ENDIS AUTHENTICATE.578.7.4.3ENDIS COMMAND CONFIRM.578.7.4.4ENDIS RESULT.588.7.4.5ENDIS TEI PROVIDE.588.7.4.6ENDIS REJECT.588.7.5Information elements coding.598.7.5.1Address extension.598.7.5.2Authentication challenge.598.7.5.3Authentication response.598.7.5.4Authentication result.598.7.5.5Command.60SIST ETS 300 396-6:1999

Page 5ETS 300 396-6: April 19988.7.5.6Enable/Disable result.608.7.5.7ENDIS PDU type.608.7.5.8Equipment status.618.7.5.9ITSI.618.7.5.10Mobile country code.618.7.5.11Mobile network code.618.7.5.12Proprietary.618.7.5.13Random seed.628.7.5.14Reject reason.628.7.5.15Session key.628.7.5.16Short subscriber identity.628.7.5.17Subscription status.638.7.5.18TETRA equipment identity.639End-to-end encryption.639.1Introduction.639.2Voice encryption and decryption mechanism.639.2.1Protection against replay.649.3Data encryption mechanism.659.4Exchange of information between encryption units.659.4.1Synchronization of encryption units.659.4.2Encrypted information between encryption units.669.4.3Transmission.679.4.4Reception.699.4.5Stolen frame format.699.5Location of security components in the functional architecture.709.6End-to-end Key Management.72Annex A (normative):Protocol mapping between V+D and DMO for gateway operations.73A.1OTAR mapping.73A.1.1DM-GWAY requests provision of SCK(s) from SwMI on behalf of a DM-MS.73A.2Enable-Disable mapping.75A.2.1DM-GWAY acting as intermediary in Secure enable/disable procedure.75A.2.1.1Disable.75A.2.1.2Enable.77History.79SIST ETS 300 396-6:1999

Page 6ETS 300 396-6: April 1998Blank pageSIST ETS 300 396-6:1999

Page 7ETS 300 396-6: April 1998ForewordThis European Telecommunication Standard (ETS) has been produced by the Terrestrial Trunked Radio(TETRA) Project of the European Telecommunications Standards Institute (ETSI).This ETS is a multi-part standard and will consist of the following parts:Part 1:"General network design".Part 2:"Direct MS-MS Air Interface- Radio Aspects".Part 3:"Direct MS-MS Air Interface- Protocol".Part 4:"Repeater Mode Air Interface".Part 5:"Gateway Mode Air Interface".Part 6:"Security".Transposition datesDate of adoption of this ETS:3 April 1998Date of latest announcement of this ETS (doa):31 July 1998Date of latest publication of new National Standardor endorsement of this ETS (dop/e):31 January 1999Date of withdrawal of any conflicting National Standard (dow):31 January 1999SIST ETS 300 396-6:1999

Page 8ETS 300 396-6: April 1998Blank pageSIST ETS 300 396-6:1999

Page 9ETS 300 396-6: April 19981ScopeThis ETS defines the Terrestrial Trunked Radio system (TETRA) Direct Mode of operation. It specifies thebasic Air Interface (AI), the interworking between Direct Mode Groups via Repeaters, and interworkingwith the TETRA trunked system via Gateways. It also specifies the security aspects in TETRA DirectMode, and the intrinsic services that are supported in addition to the basic bearer and teleservices.This part describes the security mechanisms in TETRA Direct Mode. It provides mechanisms forconfidentiality of control signalling and user speech and data at the AI.-Clause 4 describes the general condition for which security of calls at the AI can be met. Thisintroduces conditions that all other clauses must follow.-Clause 5 describes authentication mechanisms for direct mode. The differences between peer-to-peer authentication mechanisms and client-server authentication mechanisms are covered by thisclause as are the principles of operation in gateway mode.-Clause 6 describes the confidentiality mechanisms using encryption on the AI, for circuit modespeech, circuit mode data, packet (short) data and control information. This clause then details theprotocol concerning control of encryption at the AI.-Clause 7 describes the key management mechanism, and includes a description of the OTARmechanism and protocol.-Clause 8 describes the enable/disable mechanism and includes a description of the protocol.-Clause 9 describes the mechanism to be used to support end-to-end encryption using synchronousstream cipher units for U-plane traffic by means of a frame stealing device for synchronization ofthe units.-Annex A defines the mapping of protocols in TETRA V+D Security to those of DMO Security foreach of OTAR and Enable/Disable.The use of AI encryption gives confidentiality protection against eavesdropping only. The addition of asynchronized time variant initialization value for the encryption algorithm gives a restrictive degree ofreplay protection.2Normative referencesThis ETS incorporates by dated and undated reference, provisions from other publications. Thesenormative references are cited at the appropriate places in the text and the publications are listedhereafter. For dated references, subsequent amendments to or revisions of any of these publicationsapply to this ETS only when incorporated in it by amendment or revision. For undated references the latestedition of the publication referred to applies.[1]ETS 300 392-2: "Radio Equipment and Systems (RES); Trans-EuropeanTrunked Radio (TETRA); Voice plus Data (V+D); Part 2: Air Interface (AI)".[2]ISO 7498-2: "Information processing systems - Open Systems Interconnection -Basic reference model - Part 2: Security Architecture".[3]ETS 300 396-1: "Radio Equipment and Systems (RES); Trans-EuropeanTrunked Radio (TETRA); Direct Mode; Part 1: General network design".[4]ETS 300 396-2: "Radio Equipment and Systems (RES); Trans-EuropeanTrunked Radio (TETRA); Direct Mode; Part 2: Direct MS-MS Air Interface -Radio Aspects".[5]ETS 300 392-7: "Radio Equipment and Systems (RES); Trans-EuropeanTrunked Radio (TETRA); Voice plus Data (V+D); Part 7: Security"SIST ETS 300 396-6:1999

Page 10ETS 300 396-6: April 1998[6]ETS 300 396-3: "Radio Equipment and Systems (RES); Trans-EuropeanTrunked Radio (TETRA); Direct Mode; Part 3: Direct MS-MS Air Interface -Protocol".[7]ETS 300 396-5: "Radio Equipment and Systems (RES); Trans-EuropeanTrunked Radio (TETRA); Speech codec for full-rate traffic channel Part 1:General description of speech functions".[8]ETS 300 392-1: "Radio Equipment and Systems (RES); Trans-EuropeanTrunked Radio (TETRA); Voice plus Data (V+D); Part 1: General networkdesign".[9]ETS 300 395-1: "Terrestrial Trunked Radio (TETRA); Speech CODEC for full-rate traffic channel; Part 1: General description of speech functions".3Definitions and abbreviations3.1DefinitionsFor the purposes of this ETS, the following definitions apply:Authentication Key (K): The primary secret, the knowledge of which has to be demonstrated forauthentication.cipher key: A value that is used to determine the transformation of plain text to cipher text in acryptographic algorithm.cipher text: The data produced through the use of encipherment. The semantic content of the resultingdata is not available (ISO 7498-2 [2]).decipherment: The reversal of a corresponding reversible encipherment (ISO 7498-2 [2]).encipherment: The cryptographic transformation of data to produce cipher text (ISO 7498-2 [2]).encryption state: Encryption on or off.end-to-end encryption: The encryption within or at the source end system, with the correspondingdecryption occurring only within or at the destination end system.flywheel: A mechanism to keep the KSG in the receiving terminal synchronized with the Key StreamGenerator (KSG) in the transmitting terminal in case synchronization data is not received correctly.Initialization Value (IV): A sequence of symbols that initializes the KSG inside the encryption unit.key stream: A pseudo random stream of symbols that is generated by a KSG for encipherment anddecipherment.Key Stream Generator (KSG): A cryptographic algorithm which produces a stream of binary digits whichcan be used for encipherment and decipherment. The initial state of the KSG is determined by theinitialization value.Key Stream Segment (KSS): A key stream of arbitrary length.Manipulation Flag (MF): Used to indicate that the Static Cipher Key SCK has been incorrectly recoveredin an OTAR exchange.plain text: The unencrypted source data. The semantic content is available.proprietary algorithm: An algorithm which is the intellectual property of a legal entity.SIST ETS 300 396-6:1999

Page 11ETS 300 396-6: April 1998SCK-set: The collective term for the group of 32 SCK associated with each Individual TETRA SubscriberIdentity (ITSI).Sealed Static Cipher Key (SSCK): A static cipher key cryptographically sealed with a particular user'ssecret key. In this form the keys are distributed over the AI.spoofer: An entity attempting to obtain service from or interfere with the operation of the system byimpersonation of an authorized system user or system component.Static Cipher Key (SCK): A cipher key that is independent of any other key.synchronization value: A sequence of symbols that is transmitted to the receiving terminal tosynchronize the KSG in the receiving terminal with the KSG in the transmitting terminal.synchronous stream cipher: An encryption method in which a cipher text symbol completely representsthe corresponding plain text symbol. The encryption is based on a key stream that is independent of thecipher text. In order to synchronize the KSGs in the transmitting and the receiving terminal synchronizationdata is transmitted separately.TETRA algorithm: The mathematical description of a cryptographic process used for either of thesecurity processes authentication or encryption.time stamp: Is a sequence of symbols that represents the time of day.3.2AbbreviationsFor the purposes of this ETS, the following abbreviations apply.ACAuthentication CentreAIAir InterfaceC-PLANEControl-PLANECTCipher TextDLLData Link LayerDMDirect ModeDMCCDirect Mode Call ControlDMODirect Mode OperationEKSGEnd-to-end Key Stream GeneratorEKSSEnd-to-end Key Stream SegmentFFunctionFNFrame NumberHSCHalf-Slot ConditionHSIHalf-Slot ImportanceHSNHalf-Slot NumberHSSHalf-Slot StolenHSSEHalf-Slot Stolen by Encryption unitITSIIndividual TETRA Subscriber IdentityIVInitialization ValueKauthentication KeyKHKey HolderKSSession KeyKSGKey Stream GeneratorKSLKey SeaLerKSOSession Key OTARKSSKey Stream SegmentKUKey UserLLCLogical Link ControlMACMedium Access ControlMFManipulation FlagMNIMobile Network IdentityMSMobile StationMSCMessage Sequence ChartOTAROver The Air RekeyingPDUProtocol Data UnitSIST ETS 300 396-6:1999

Page 12ETS 300 396-6: April 1998PTPlain TextRANDRANDom challengeRESRESponseRSRandom SeedRSORandom Seed for OTARSession Key OTARSAP Service Access PointSCHSignalling CHannelSCH/FFull SCHSCH/HHalf SCHSCH/SSynchronization SCHSCKStatic Cipher KeySCK-VNSCK Version NumberSCKNStatic Cipher Key NumberSDSShort Data ServiceSDU Service Data UnitSHSIStolen Half-Slot IdentifierSSSynchronization StatusSSCKSealed Static Cipher KeySTCHSTolen CHannelSVSynchronization ValueSwMISwitching and Management InfrastructureTATETRA AlgorithmTCHTraffic CHannelTDMATime Division Media AccessTEITETRA Equipment IdentityTNTimeslot NumberTSITETRA Subscriber IdentityTVPTime Variant ParameterTxTransmitU-PLANEUser-PLANEV+DVoice + DataXRESeXpected RESponse4Operational SecurityThis clause describes the operational use of security features in TETRA Direct Mode Operation (DMO).For this clause a call is defined as the group of transmissions and changeovers that are bounded by initialcall setup and final call cleardown. Call pre-emption when successful may mark the start of a new call.NOTE:A DMO call may be considered as a series of unidirectional call transactions with eachnew call transaction having a new call master (the current transmitter).A new call master (i.e. call master for the current call transaction) should not be able to change theencryption parameters set at the start of the call. A call shall remain in the same encryption state in all calltransactions.In a standard direct mode call slot 1 of the TDMA structure shall be used by the transmitter fortransmission, and slot 3 of the TDMA structure shall be used by the transmitter to send or receive controlmessages. In frequency efficient operation the other 2 slots of the TDMA structure shall be used in likemanner.4.1Single-Hop CallsA DMO call is considered a single-hop call in the following cases:-MS to individual MS;-MS to group of MSs.A single hop call can only be made secure (encrypted) if the following conditions apply:-Source and Destination MS share SCK;-Source and Destination MS have common KSG.SIST ETS 300 396-6:1999

Page 13ETS 300 396-6: April 1998Call setup in DMO is a single pass operation with an allowed exception for individual calls to allow apresence check acknowledgement (2 pass call setup). All call parameters are contained in thesynchronization bursts which contain two data blocks of 60 bits and 124 bits respectively. The first datablock (logical channel SCH/S) shall contain the parameters for encryption. The second data block (logicalchannel SCH/H) shall contain the addressing data for the call (see ETS 300 396-3 [6], subclause 9.1.1).4.2Multi-Hop CallsDMO calls that pass through a repeater or gateway shall be considered multi-hop calls.A multi-hop call can only be made secure (encrypted) if one of the following apply (in addition to theconditions for single hop calls):- the Time Variant Parameter (TVP) used to synchronize the Key Stream Generator (KSG) isunaltered by the transmission;- intermediate terminations decrypt and re-encrypt the call on each side of the hop.Calls made through a layer-1 repeater shall not be considered by this ETS. The term repeater when usedin later clauses of this ETS shall refer to a layer-2 repeater.In the case of a call through a gateway to TETRA V+D the DMO call initiator shall be synchronized to thegateway.SIST ETS 300 396-6:1999

Page 14ETS 300 396-6: April 1998Layer 1Layer 2Layer 3Layer 1Layer 2Layer 3Layer 1Layer 1Mobile 1Mobile 2Layer 1Layer 2Layer 3Layer 1Layer 2Layer 3Layer 1Layer 2Layer 1Layer 2Mobile 1Mobile 2Layer 1Layer 2Layer 3Layer 1Layer 2Layer 3Layer 1Layer 2Layer 3Layer 1Layer 2Layer 3Mobile 1Mobile 2REPEATER - LAYER 1REPEATER - LAYER 2GATEWAYMobile 1 and Mobile 2 use same protocolMobile 1 and Mobile 2 use same protocolMobile 1 and Mobile 2 may use different protocolsmay store and forwardmay verify addressingCALL SETUPCALL SETUPCALL SETUP #1CALL SETUP #2may store and forwardmay verify addressingmay reject call setupAI EncryptionAI Encryption #1The Gateway:AI EncryptionAI EncryptionAI EncryptionAI Encryption #2AI Encryption #2AI EncryptionAI EncryptionFigure 1: Protocol stacks for multi-hop callsSIST ETS 300 396-6:1999

Page 15ETS 300 396-6: April 19984.3Call SynchronizationIn DMO there is no centralized synchronization master. Each call transaction has a rotating master-slaverelation, with the master-role being that of the current transmitter, and the slave-role being that of thecurrent receivers.In DMO the encryption synchronization shall apply only to the current call transaction. All slaves shall setthe values of Frame Number (FN), Timeslot Number (TN) and TVP from the first synchronization burstand increment each value as appropriate for the duration of the call transaction. (See ETS 300 396-2 [4],subclauses 9.3.2 and 9.3.3 for full definitions of FN and TN, and ETS 300 396-2 [4], subclause 7.3.2 fordefinitions of the incrementing of these counters.)NOTE 1:Call setup refers to the establishment of a single call transaction.The encryption state for all call transactions in the call shall be set by the first call master. The initial valueof TVP shall be chosen by the first call master. This initial TVP may be chosen randomly or may contain atime of day element to prevent replay. Each new transmitting party shall establish a new TVP, however theTVP sequence may be continuous over a set of call transactions.TVP shall be incremented on every timeslot with a cycle of 229 timeslots, except during call setup wherethe following exception shall apply:During call setup TVP shall not be incremented during the synchronization bursts but shall berepeated across each slot of the synchronization frames. TVP shall be first incremented on the firsttimeslot of the first frame following the synchronization burst as shown in figure 2.FN17FN18FN1FN2TN1TN2TN3TN4TN1TN2TN3TN4TN1TN2TN3TN4TN1TN2TN3TN4SynchronizationSynchronizationTrafficTVPSTVPSTVPSTVPSTVPSTVPSTVPSTVPSTVPS+1TVPS+2TVPS+3TVPS+4TVPS+5TVPS+6TVPS+7TVPS+8NOTE 1:TVPS is the value of TVP used in the synchronization bursts.NOTE 2:Normal traffic transmission slots are shown shaded.Figure 2: Incrementing of TVP after call setup synchronization bursts for DM-SETUPFor call setup with presence checking (DM-SETUP PRES) the above process shall be followed, whereTVP is incremented on the first traffic slot after completion of transmission of the DM-SETUP PRESmessages.NOTE 2:The foregoing scheme is common to all initial synchronization bursts of a calltransaction.TVP may contain a time of day element to prevent replay. This suggests that each mobile should maintaina real time clock reference. The specification of such a reference is not covered by this ETS.4.3.1Synchronization of calls through a repeaterCalls through a repeater may modify the normal synchronization burst pattern and repeat a receivedsynchronization burst (one timeslot) over a frame. Traffic shall follow in the first timeslot of the first framefollowing the synchronization frame. In the synchronization frame where the timeslot is replicated TVPshall not be incremented.SIST ETS 300 396-6:1999

Page 16ETS 300 396-6: April 1998FN18FN1FN2FN3…TN1TN2TN3TN4TN1TN2TN3TN4TN1TN2TN3TN4TN1TN2TN3TN4…SynchronizationTrafficMaster to repeater…TVPSTVPSTVPSTVPS+1TVPS+2TVPS+3TVPS+4FN18FN1FN2FN3TN1TN2TN3TN4TN1TN2TN3TN4TN1TN2TN3TN4TN1TN2TN3TN4Repeater to SlaveSynchronizationSynchronizationTrafficTVPSTVPSTVPSTVPSTVPSTVPSTVPSTVPSTVPS+1TVPS+2TVPS+3TVPS+4NOTE 1:TVPS is the value of TVP used in the synchronization bursts.NOTE 2:The first traffic slot from the master is in the first slot of the first frame after the repeater hasfinished repeating the synchronization data (TN1 of FN3 in above example).NOTE 3:Normal traffic transmission slots are shown shaded.Figure 3: Incrementing of TVP across a repeaterFurther synchronization examples for calls through a repeater demonstrate the same principle. In call setup with a presence check traffic from the master to the repeater follows in the first slot of the first framefollowing receipt of the presence check and not as above in the first slot of the first frame after receivingthe repeated synchronization bursts.In the case where a PDU is fragmented the first part of the PDU is sent repeatedly in the synchronizationframes as above and the following MAC-FRAG and MAC-END PDUs are sent as per normal traffic.4.3.2Synchronization of data calls where data is multi-slot interleavedNOTE:The examples below assume that the data call is a single slot call transmitted ontimeslot 1 of each frame.In multi-slot interleaved calls the original traffic burst is expanded to cover 4 or 8 bursts (TCH/2.4,TCH/4.8). The interleaving follows encryption at the transmitter, and decryption follows de-interleaving atthe receiver.Transmitted TrafficT1T2T3T4T5T6T7T8Transmitted FrameFN1FN2FN3FN4FN5FN6FN7FN8Encryption TVP valueTVPS+1TVPS+5TVPS+9TVPS+13TVPS+17TVPS+21TVPS+25TVPS+29T1 (1 of 4)T1(2 of 4)T1 (3 of 4)T1 (4 of 4)T5 (1 of 4)T5 (2 of 4)T5 (3 of 4)T5 (4 of 4)InterleavingnullT2 (1 of 4)T2 (2 of 4)T2 (3 of 4)T2 (4 of 4)T6 (1 of 4)T6 (2 of 4)T6 (3 of 4)over 4 framesnullnullT3 (1 of 4)T3 (2 of 4)T3 (3 of 4)T3 (4 of 4)T7 (1 of 4)T7 (2 of 4)nullnullnullT4 (1 of 4)T4 (2 of 4)T4 (3 of 4)T4 (4 of 4)T8 (1 of 4)Recovered traffic frameT1T2T3T4T5Decryption TVP valueTVPS+1TVPS+5TVPS+9TVPS+13TVPS+17Actual TVP valueTVPS+13TVPS+17TVPS+21TVPS+25TVPS+29NOTE 1:TVPS is the value of TVP used in the synchronization bursts.NOTE 2:Actual TVP value is to be used for decryption of non-traffic bursts.Figure 4: Value of TVP to be used for TCH/4.8 or TCH/2.4 with interleaving depth of 4The actual TVP value is to be used by the receiver for the synchronization bursts and any bursts that arenot (interleaved) traffic. The value of TVP to be used in the receiver shall be "TVPA - 4*(interleavingdepth - 1)", where TVPA is the actual value of TVP.SIST ETS 300 396-6:1999

Page 17ETS 300 396-6: April 1998Transmission across frame 18 shall be treated as shown in figure 5:Transmitted TrafficT15T16T17Synch.T18T19T20T21Transmitted FrameFN15FN16FN17FN18FN1FN2FN3FN4Encryption TVP valueTVPStartTVPStart+4TVPStart+8TVPStart+12TVPStart+16TVPStart+20TVPStart+24TVPStart+28T15 (1 of 4)T15 (2 of 4)T15 (3 of 4)T15 (4 of 4)T19 (1 of 4)T19 (2 of 4)T19 (3 of 4)InterleavingT12 (4 of 4)T16 (1 of 4)T16 (2 of 4)T16 (3 of 4)T16 (4 of 4)T20 (1 of 4)T20 (2 of 4)over 4 framesT13 (3 of 4)T13 (4 of 4)T17 (1 of 4)T17 (2 of 4)T17 (3 of 4)T17 (4 of 4)T21 (1 of 4)T14 (2 of 4)T14 (3 of 4)T14 (4 of 4)T18 (1 of 4)T18 (2 of 4)T18 (3 of 4)T18 (4 of 4)Recovered traffic frameT12T13T14Synch.T15T16T17T18Decryption TVP valueTVPStart+12TVPStartTVPStart+4TVPStart+8TVPStart+16Actual TVP valueTVPStartTVPStart+4TVPStart+8TVPStart+12TVPStart+16TVPStart+20TVPStart+24TVPStart+28NOTE:TVPStart is the value of TVP used in the first traffic frame in this example.Figure 5: Treatment of TVP for TCH/4.8 or TCH/2.4 with interleaving depth of 4 at frame 18For traffic frames starting, but not fully received, before frame 18, the value of TVP to be used forencryption shall be "TVPA - 4*(interleaving depth - 1) - 4", where TVPA is the actual value of TVP.4.3.2.1Recovery of stolen frames from interleaved dataIf the stolen frame has been stolen from the C-plane it shall not be treated as if it were interleaved andshall therefore be decrypted with the "actual" value of TVP for immediate delivery to the C-plane.If the stolen frame has been stolen from circuit mode data in the U-plane it shall be treated as interleavedand shall follow the same rules as for data traffic.NOTE:Speech and full rate data transmissions are not subject to multi-slot interleaving (seeETS 300 396-3 [6]).5Authentication Mechanisms5.1Mobile to mobile operation.An explicit authentication protocol between mobile terminals in DMO shall not be provided. The fact thatstatic cipher keys are used (which are generated, controlled and distributed through the DMO systemsecurity management) provides an implicit authentication between mobile stations as belonging to thesame DMO net when successful communication takes place.5.2Dual Watch OperationIn dual-watch mode a DM-MS shall be a valid member of the TETRA V+D network and may authenticateto that network using the procedures defined in ETS 300 392-7 [5], clause 4.5.3Gateway mode operation.Calls established through a gateway shall be considered as multi-hop calls and as such shall use a multi-pass call setup protocol.For secure calls the gateway shall authenticate itself to the TETRA V+D network. Details of authenticationprocedures are contained in ETS 300 392-7 [5], clause 4.The gateway shall be considered as having two synchronized protocol stacks with the V+D network actingas the synchronization master for the call (see figure 6).SIST ETS 300 396-6:1999

Page 18ETS 300 396-6: April 1998Layer 1Layer 2Layer 3Layer 1Layer 2Layer 3Layer 1Layer 2Layer 3Layer 1Layer 2Layer 3DM MobileV+D SwMIGATEWAYCALL SETUP #1CALL SETUP #2DMO ProtocolV+D ProtocolDMO ProtocolV+D ProtocolDMO EncryptionDMO EncryptionV+D EncryptionV+D EncryptionFigure 6: TETRA DMO to TETRA V+D GatewayThe gateway shall be registered and authenticated to the SwMI. Therefore the SwMI shall recognize thegateway as a valid addressee (the gateway shall have an ITSI). After successful registration the gatewayshall be able to communicate with the TETRA SwMI using AI encryption as defined in ETS 300 392-7 [5],clause 6. On initial call setup the keys in use are as shown in figure 7.DMOV+DGateway BoundarySCKorUplink and DownlinkDCK on Uplink and DownlinkDCK on Uplink and MGCK on DownlinkFigure 7: Gateway Initial Key allocationsThroughout an encrypted call (which may include the call setup phase) each layer 2 (i.e. the DMO-protocollayer 2 and the V+D-protocol layer 2) shall decrypt incoming messages and encrypt outgoing messages.This may impose some delay on the end-to-end link. This part of the ETS shall not describe methods forcorrecting this delay.If the DM-MS is a party to a group call with some members of the group being on the TETRA V+D modenetwork there may be a delay for any call transaction through the gateway. This part of the ETS shall notdescribe methods for correcting this delay.SIST ETS 300 396-6:1999

Page 19ETS 300 396-6: April 19986Air Interface (AI) encryption6.1General principlesAI encryption shall provide confidentiality on the radio link between a DM-MS and either a single DM-MSor a group of DM-MSs.AI encryption operates by combining the output of a Key Stream Generator (KSG) with the contents ofmessages to be transmitted across the AI. Both control and traffic (speech or data) information can beencrypted. The encryption process shall take place in the upper Medium Access Control (MAC) layer ofthe TETRA protocol stack.NOTE:The encryption method described is a bit replacement type in which each bit of cleartext that is to be encrypted is replaced by a bit of cipher text to avoid error propagation.AI encryption shall be a separate function to the end-to-end encryption service described in clause 9.Information that has already been encrypted by the end-to-end service may be encrypted again by the AIencryption function. Where TETRA provides for clear or encrypted circuit mode services inETS 300 396-1 [3], subclause 7.2, these shall be independent of AI encryption; thus a service invokedwithout end-to-end encryption may still be encrypted over the AI.6.2Key Stream Generator (KSG)Encryption shall be realized using an encryption algorithm implemented in a KSG. The KSG shall form anintegral part of a DM-MS.NOTE:The KSG to be used in TETRA DMO can be the same as that used in TETRA V+D.(See ETS 300 392-7 [5], subclause 6.1.1).The KSG shall have two inputs, a Time Variant Parameter (TVP) and a cipher key. These parametersshall be as specified in subclause 6.3.1. The KSG shall produce one output as a sequence of key streambits referred to as a Key Stream Segment (KSS).A KSS of length n shall be produced to encrypt every timeslot. The bits of KSS are labelled KSS(0),…KSS(n-1), where KSS(0) is the first bit output from the generator. The bits in the KSS shall be used toencrypt or decrypt the data of the control or traffic field. The maximum value of n shall be 432, whichenables encryption of an unprotected data channel TCH/7.2.6.2.1KSG numbering and selectionThere shall be at least one TETRA standard algorithm. AI signalling shall identify which algorithm is in use(see table 1).The values 00002 to 01112 of KSG-id used in signalling shall be reserved for the TETRA standardalgorithms.Table 1: KSG Number element contentsInformation elementLengthValueRemarkKSG number400002TEA100012TEA200102
to 01112Other TETRA standard algorithms1xxx2Proprietary TETRA algorithmsThe TETRA standard algorithms shall only be available on a restricted basis from ETSI.SIST ETS 300 396-6:1999

Page 20ETS 300 396-6: April 19986.3Encryption mechanismThe key stream bits shall be modulo 2 added (XORed) with plain text bits in data, speech and controlchannels to obtain encrypted cipher text bits, with the exception of the MAC header bits and fill bits.KSS(0) shall be XORed with the first transmitted bit of the first DM-SDU, and so on.If the information in a slot has fewer bits than the length of KSS produced, the last unused bits of KSSshall be discarded. For example, if there are M information bits, KSS(0) to KSS(M-1) shall be utilized,KSS(M) to KSS(n-1) shall be discarded.In DMO the use of the TDMA framing structure is strictly enforced (see ETS 300 396-3 [6]subclause 4.3.1). There is no support for multi-slot communication and where a PDU is fragmented overmany slots the KSS is restarted on each slot as shown in figure 8.DM-SDUFN(n)MAC-H#1DM-SDU#1KSS#1FN(n+1)MAC-H#2DM-SDU#2KSS#2FN(n+2)MAC-H#3DM-SDU#3KSS#3NOTE 1:The example DM-SDU is fragmented over 3 slots by breaking it into DM-SDU#1, DM-SDU#2and DM-SDU#3NOTE 2:KSS#1 is used to encrypt DM-SDU#1, KSS#2 for DM-SDU#2, and KSS#3 for DM-SDU#3NOTE 3:Length of DM-SDU#1 = L#1. KSS#1(0,.,L#1-1) is used to encrypt DM-SDU#1. The remainderof KSS#1 is discarded (KSS#!(L#1, ., 431)). Similarly for fragments 2 and 3.Figure 8: Allocation of KSS to encrypt an example fragmented PDUThe physical nature of the TETRA AI is that each TDMA slot is broken into 2 half-slots. In all cases theKSS is split between those slots as follows:KSS(0, …, 215) shall be used to encrypt the first half slot;KSS(216, …, 431) shall be used to encrypt the second half slot.6.3.1Interface parameters6.3.1.1Time Variant Parameter (TVP)The TVP shall be used to initialize the KSG at the start of every timeslot. The TVP sh
...