SIST ETS 300 175-7 E2:2005

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.QHRadio Equipment and Systems (RES); Digital Enhanced Cordless Telecommunications (DECT); Common Interface (CI); Part 7: Security features33.070.30'(&7Digital Enhanced Cordless Telecommunications (DECT)ICS:Ta slovenski standard je istoveten z:ETS 300 175-7 Edition 2SIST ETS 300 175-7 E2:2005en01-julij-2005SIST ETS 300 175-7 E2:2005SLOVENSKI
STANDARD



SIST ETS 300 175-7 E2:2005



EUROPEANETS 300 175-7TELECOMMUNICATIONSeptember 1996STANDARDSecond EditionSource: ETSI TC-RESReference: RE/RES-03027-7ICS:33.060. 33.060.50Key words:DECT, radio, securityRadio Equipment and Systems (RES);Digital Enhanced Cordless Telecommunications (DECT);Common Interface (CI);Part 7: Security featuresETSIEuropean Telecommunications Standards InstituteETSI SecretariatPostal address: F-06921 Sophia Antipolis CEDEX - FRANCEOffice address: 650 Route des Lucioles - Sophia Antipolis - Valbonne - FRANCEX.400: c=fr, a=atlas, p=etsi, s=secretariat - Internet: secretariat@etsi.frTel.: +33 92 94 42 00 - Fax: +33 93 65 47 16Copyright Notification: No part may be reproduced except as authorized by written permission. The copyright and theforegoing restriction extend to reproduction in all media.© European Telecommunications Standards Institute 1996. All rights reserved.SIST ETS 300 175-7 E2:2005



Page 2ETS 300 175-7: September 1996Whilst every care has been taken in the preparation and publication of this document, errors in content,typographical or otherwise, may occur. If you have comments concerning its accuracy, please write to"ETSI Editing and Committee Support Dept." at the address shown on the title page.SIST ETS 300 175-7 E2:2005



Page 3ETS 300 175-7: September 1996ContentsForeword.9Introduction.101Scope.132Normative references.133Definitions and abbreviations.143.1Definitions.143.2Abbreviations.164Security architecture.174.1Background.174.2Security services.174.2.1Authentication of a PT.174.2.2Authentication of an FT.174.2.3Mutual authentication.174.2.4Data confidentiality.174.2.5User authentication.174.3Security mechanisms.184.3.1Authentication of a PT.184.3.2Authentication of an FT.194.3.3Mutual authentication.204.3.4Data confidentiality.204.3.4.1Derived Cipher Key (DCK).204.3.4.2 Static Cipher Key (SCK).214.3.5User authentication.214.4Cryptographic parameters and keys.214.4.1Overview.214.4.2Cryptographic parameters.224.4.3Cryptographic keys.234.4.3.1Authentication key K.234.4.3.2Authentication session keys KS and KS'.244.4.3.3Cipher key CK.254.5Security processes.254.5.1Overview.254.5.2Derivation of authentication key, K.264.5.2.1K is derived from UAK.264.5.2.2K is derived from AC.264.5.2.3K is derived from UAK and UPI.264.5.3Authentication processes.264.5.3.1Processes for the derivation of KS and KS'.274.5.3.2Processes for the derivation of DCK, RES1 and RES2.274.5.4Key stream generation.274.6Combinations of security services.285Algorithms for security processes.295.1Background.295.1.1A algorithm.295.2Derivation of session authentication key(s).295.2.1A11 process.295.2.2A21 process.305.3Authentication and cipher key generation processes.30SIST ETS 300 175-7 E2:2005



Page 4ETS 300 175-7: September 19965.3.1A12 process.305.3.2A22 process.316Integration of security.316.1Background.316.2Association of keys and identities.316.2.1Authentication key.316.2.1.1K is derived from UAK.316.2.1.2K derived from AC.326.2.1.3K derived from UAK and UPI.326.2.2Cipher keys.326.3NWK layer procedures.336.3.1Background.336.3.2Authentication exchanges.336.3.3Authentication procedures.356.3.3.1Authentication of a PT.356.3.3.2Authentication of an FT.356.3.4Transfer of Cipher Key, CK.356.4MAC layer procedures.356.4.1Background.356.4.2MAC layer field structure.366.4.3Data to be encrypted.376.4.4Encryption process.376.4.5Initialisation and synchronisation of the encryption process.406.4.6Encryption mode control.416.4.6.1Background.416.4.6.2MAC layer messages.416.4.6.3Procedures for switching to encrypt mode.416.4.6.4Procedures for switching to clear mode.446.4.7Handover of the encryption process.456.4.7.1Bearer handover, uninterrupted ciphering.456.4.7.2Connection handover, uninterrupted ciphering.456.4.7.3External handover - handover with ciphering.466.4.8Modifications for half slot specifications.466.4.8.1Background.466.4.8.2MAC layer field structure.466.4.8.3Data to be encrypted.476.4.8.4Encryption process.476.4.8.5Initialisation and synchronisation of the encryption process.476.4.8.6Encryption mode control.476.4.8.7Handover of the encryption process.476.4.9Modifications for double slot specifications.476.4.9.1Background.476.4.9.2MAC layer field structure.486.4.9.3Data to be encrypted.486.4.9.4Encryption process.486.4.9.5Initialisation and synchronisation of the encryption process.496.4.9.6Encryption mode control.496.4.9.7Handover of the encryption process.496.4.10Modifications for multi-bearer specifications.506.5Security attributes.506.5.1Background.506.5.2Authentication protocols.526.5.2.1Authentication of a PT.526.5.2.2Authentication of an FT.536.5.3Confidentiality protocols.546.5.4Access-rights protocols.566.5.5Key numbering and storage.576.5.5.1Authentication keys.576.5.5.2Cipher keys.58SIST ETS 300 175-7 E2:2005



Page 5ETS 300 175-7: September 19966.5.6Key allocation.596.5.6.1Introduction.596.5.6.2UAK allocation.597Use of security features.607.1Background.607.2Key management options.617.2.1Overview of security parameters relevant for key management.617.2.2Generation of authentication keys.627.2.3Initial distribution and installation of keys.627.2.4Use of keys within the fixed network.637.3Confidentiality service with a Cordless Radio Fixed Part (CRFP).677.3.1General.677.3.2CRFP initialization of PT cipher key.67Annex A (informative): Security threats analysis.68A.1Introduction.68A.2Threat A - impersonating a subscriber identity.69A.3Threat B - illegal use of a handset (PP).69A.4Threat C - illegal use of a base station (FP).70A.5Threat D - impersonation of a base station (FP).70A.6Threat E - illegally obtaining user data and user related signalling information.70A.7Conclusions and comments.72Annex B (informative):Security features and operating environments.73B.1Introduction.73B.2Definitions.73B.3Enrolment options.74Annex C (informative):Reasons for not adopting public key techniques.75Annex D (informative):Overview of security features.76D.1Introduction.76D.2Authentication of a PT.76D.3Authentication of an FT.77D.4Mutual authentication of a PT and an FT.77D.4.1Direct method.77D.4.2Indirect method 1.77D.4.3Indirect method 2.77D.5Data confidentiality.77D.5.1Cipher key derivation as part of authentication.78D.5.2Static cipher key.78D.6User authentication.78SIST ETS 300 175-7 E2:2005



Page 6ETS 300 175-7: September 1996D.7Key management in case of roaming.78D.7.1Introduction.78D.7.2Use of actual authentication key K.78D.7.3Use of session keys.79D.7.4Use of precalculated sets.81Annex E (informative):Limitations of DECT security.82E.1Introduction.82E.2Protocol reflection attacks.82E.3Static cipher key and short Initial Vector (IV).82E.4General considerations regarding key management.83E.5Use of a predictable challenge in FT authentication.83Annex F (informative):Security features related to target networks.84F.1Introduction.84F.1.1Notation and DECT reference model.84F.1.2Significance of security features and intended usage within DECT.84F.1.3Mechanism/algorithm and process requirements.85F.2PSTN reference configurations.86F.2.1Domestic telephone.86F.2.2PBX.88F.2.3Local loop.90F.3ISDN reference configurations.91F.3.1Terminal equipment.91F.3.2Network termination 2.93F.3.3Local loop.93F.4X.25 reference configuration.93F.4.1Data Terminal Equipment (DTE).93F.4.2PAD equipment.93F.5GSM reference configuration.94F.5.1Base station substation.94F.5.2Mobile Station.94F.6IEEE.802 reference configuration.94F.6.1Bridge.94F.6.2Gateway.94F.7Public access service reference configurations.94F.7.1Fixed public access service reference configuration.94Annex G (informative):Compatibility of DECT and GSM authentication.95G.1Introduction.95G.2SIM and DAM functionality.95G.3Using an SIM for DECT authentication.96G.4Using a DAM for GSM authentication.96SIST ETS 300 175-7 E2:2005



Page 7ETS 300 175-7: September 1996Annex H (informative):DECT standard authentication algorithm.97Annex J (informative):DECT standard cipher.98Annex K (informative):Bibliography.99History.100SIST ETS 300 175-7 E2:2005



Page 8ETS 300 175-7: September 1996Blank pageSIST ETS 300 175-7 E2:2005



Page 9ETS 300 175-7: September 1996ForewordThis second edition European Telecommunication Standard (ETS) has been produced by the RadioEquipment and Systems (RES) Technical Committee of the European Telecommunications StandardsInstitute (ETSI).Annexes A to K to this ETS are informative.The following cryptographic algorithms are subject to controlled distribution:a)DECT standard cryptographic algorithms;b)DECT standard cipher.These algorithms are distributed on an individual basis. Further information and details of the currentdistribution procedures can be obtained from the ETSI Secretariat at the address on the first page of thisETS.Further details of the DECT system may be found in the ETSI Technical Reports ETR 015, ETR 043 andETR 056.This ETS forms part 7 of a series of 9 laying down the arrangements for the Digital Enhanced CordlessTelecommunications (DECT) Common Interface (CI).Part 1:"Overview".Part 2"Physical layer (PHL)".Part 3"Medium Access Control (MAC) layer".Part 4"Data Link Control (DLC) layer".Part 5:"Network (NWK) layer".Part 6:"Identities and addressing".Part 7:"Security features".Part 8:"Speech coding and transmission".Part 9:"Public Access Profile (PAP)".Transposition datesDate of adoption of this ETS:6 September 1996Date of latest announcement of this ETS (doa):31 December 1996Date of latest publication of new National Standardor endorsement of this ETS (dop/e):30 June 1997Date of withdrawal of any conflicting National Standard (dow):30 June 1997SIST ETS 300 175-7 E2:2005



Page 10ETS 300 175-7: September 1996IntroductionThis ETS contains a detailed specification of the security features which may be provided by DECTsystems. An overview of the processes required to provide all the features detailed in this ETS ispresented in figure 1.The ETS consists of four main clauses (clauses 4 - 7), together with a number of informative and importantannexes (A - J). The purpose of this introduction is to briefly preview the contents of each of the mainclauses and the supporting annexes.Each of the main clauses starts with a description of its objectives and a summary of its contents. Clause 4is concerned with defining a security architecture for DECT. This architecture is defined in terms of thesecurity services which may be offered (subclause 4.2), the mechanisms which must be used to providethese services (subclause 4.3), the security parameters and keys required by the mechanisms (challenges,keys etc.), and which must be passed across the air interface or held within DECT Portable Parts (PPs),Fixed Parts (FPs) or other network entities (e.g. management centres) (subclause 4.4), the processeswhich are required to provide the security mechanisms (subclause 4.5), and the recommendedcombinations of services (subclause 4.6).Clause 5 is concerned with specifying how certain cryptographic algorithms are to be used for the securityprocesses. Two algorithms are required:-a key stream generator; and-an authentication algorithm.The key stream generator is only used for the encryption process, and this process is specified insubclause 4.4. The authentication algorithm may be used to derive authentication session keys and cipherkeys, and is the basis of the authentication process itself. The way in which the authentication algorithm isto be used to derive authentication session keys is specified in subclause 5.2. The way in which thealgorithm is to be used to provide the authentication process and derive cipher keys is specified insubclause 5.3.Neither the key stream generator nor the authentication algorithm are specified in this ETS. Only their inputand output parameters are defined. In principle, the security features may be provided by usingappropriate proprietary algorithms. The use of proprietary algorithms may, however, limit roaming in thepublic access service environment, as well as the use of PPs in different environments.For example, for performance reasons, the key stream generator will need to be implemented in hardwarein PPs and FPs. The use of proprietary generators will then limit the interoperability of systems providedby different manufacturers.Two standard algorithms have been specified. These are the DECT Standard Authentication Algorithm(DSAA, see annex H) and the DECT Standard Cipher (DSC, see annex I).Because of the confidential nature of the information contained in them, these annexes are not included inthis ETS. However, the algorithms will be made available to DECT equipment manufacturers. The DSAAmay also need to be made available to public access service operators who, in turn, may need to make itavailable to manufacturers of authentication modules.Clause 6 is concerned with integrating the security features into the DECT system. Four aspects ofintegration are considered. The first aspect is the association of user security parameters (in particular,authentication keys) with DECT identities. This is the subject of subclause 6.2. The second aspect ofintegration is the definition of the NWK layer protocol elements and message types needed for theexchange of authentication parameters across the air interface. This is dealt with in subclause 6.3. TheMAC layer procedures for the encryption of data passed over the air interface are the subject of subclause6.4. Finally, subclause 6.5 is concerned with security attributes which DECT systems may support, and theNWK layer messages needed to enable PPs and FPs to identify which security algorithms and keys will beused to provide the various security services.SIST ETS 300 175-7 E2:2005



Page 11ETS 300 175-7: September 1996Clause 7 is concerned with key management issues. Careful management of keys is fundamental to theeffective operation of a security system, and subclause 7.2 is intended to provide guidance on this subject.The subclause includes an explanation of how the DECT security features may be supported by differentkey management options.For example, schemes which allow authentication keys to be held in a central location within a publicaccess service network are described, as are schemes which allow authentication keys to be derivedlocally in public access service base stations. The subclause is very much less specific than the othersubclauses in this ETS. This is because the key management issues discussed are not an integral part ofthe CI. In the end it is up to network operators and service providers to decide how they are going tomanage their cryptographic keys. This ETS can at best provide some suggestions and guidelines.The main text is supplemented by a set of informative annexes. There are two types of annex. Those ofthe first type provide background information justifying the inclusion of a particular service, or the use of aparticular type of mechanism in the security features. Those of the second type provide guidance on theuse and management of
...