SIST ETS 300 175-7 E1:2005

SLOVENSKI STANDARD
SIST ETS 300 175-7 E1:2005
01-julij-2005
5DGLMVNDRSUHPDLQVLVWHPL5(6'LJLWDOQHL]EROMãDQHEUH]YUYLþQH
WHOHNRPXQLNDFLMH'(&76NXSQLYPHVQLN&,GHO9DUQRVWQHODVWQRVWL
Radio Equipment and Systemy (RES); Digital Enhanced Cordless Telecommunications
(DECT); Common Interface (CI); Part 7: Security features
Ta slovenski standard je istoveten z: ETS 300 175-7 Edition 1
ICS:
33.070.30 'LJLWDOQHL]EROMãDQH Digital Enhanced Cordless
EUH]YUYLþQHWHOHNRPXQLNDFLMH Telecommunications (DECT)
'(&7
SIST ETS 300 175-7 E1:2005 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST ETS 300 175-7 E1:2005

---------------------- Page: 2 ----------------------

SIST ETS 300 175-7 E1:2005
EUROPEAN ETS 300 175-7
TELECOMMUNICATION October 1992
STANDARD
Source: ETSI TC-RES Reference: DE/RES-3001-7
ICS: 33.060
DECT
Key words:
Radio Equipment and Systems (RES);
Digital European Cordless Telecommunications (DECT)
Common interface
Part 7: Security features
ETSI
European Telecommunications Standards Institute
ETSI Secretariat
F-06921 Sophia Antipolis CEDEX - FRANCE
Postal address:
650 Route des Lucioles - Sophia Antipolis - Valbonne - FRANCE
Office address:
c=fr, a=atlas, p=etsi, s=secretariat - secretariat@etsi.fr
X.400: Internet:
Tel.: +33 92 94 42 00 - Fax: +33 93 65 47 16
Copyright Notification: No part may be reproduced except as authorized by written permission. The copyright and the
foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 1992. All rights reserved.
New presentation - see History box

---------------------- Page: 3 ----------------------

SIST ETS 300 175-7 E1:2005
Page 2
ETS 300 175-7: October 1992
Whilst every care has been taken in the preparation and publication of this document, errors in content,
typographical or otherwise, may occur. If you have comments concerning its accuracy, please write to
"ETSI Editing and Committee Support Dept." at the address shown on the title page.

---------------------- Page: 4 ----------------------

SIST ETS 300 175-7 E1:2005
Page 3
ETS 300 175-7: October 1992
Contents
Foreword.9
Introduction .9
1 Scope.12
2 Normative references .12
3 Definitions and abbreviations.14
3.1 Definitions .14
3.2 Abbreviations .15
4 Security architecture .17
4.1 Background.17
4.2 Security services .17
4.2.1 Authentication of a PT.17
4.2.2 Authentication of an FT .17
4.2.3 Mutual authentication .18
4.2.4 Data confidentiality .18
4.2.5 User authentication .18
4.3 Security mechanisms .18
4.3.1 Authentication of a PT.18
4.3.2 Authentication of an FT .19
4.3.3 Mutual authentication .20
4.3.4 Data confidentiality .20
4.3.4.1 Derived Cipher Key (DCK).20
4.3.5 User authentication .21
4.4 Cryptographic parameters and keys.21
4.4.1 Overview .21
4.4.2 Cryptographic parameters.22
4.4.3 Cryptographic keys.23
4.4.3.1 Authentication key K.23
4.4.3.2 Authentication session keys KS and KS'.24
4.4.3.3 Cipher key CK .25
4.5 Security processes .25
4.5.1 Overview .25
4.5.2 Derivation of authentication key, K .25
4.5.2.1 K is derived from UAK . 26
4.5.2.2 K is derived from AC.26
4.5.2.3 K is derived from UAK and UPI .26
4.5.3 Authentication processes.26
4.5.3.1 Processes for the derivation of KS and KS'.26
4.5.3.2 Processes for the derivation of DCK, RES1 and RES2 .27
4.5.4 Key stream generation.27
4.6 Combinations of security services .28
5 Algorithms for security processes.28
5.1 Background.28
5.1.1 A algorithm.29
5.2 Derivation of session authentication key(s).29
5.2.1 A11 process. 29
5.2.2 A21 process. 29
5.3 Authentication and cipher key generation processes.30
5.3.1 A12 process. 30

---------------------- Page: 5 ----------------------

SIST ETS 300 175-7 E1:2005
Page 4
ETS 300 175-7: October 1992
5.3.2 A22 process.30
6 Integration of security.31
6.1 Background.31
6.2 Association of keys and identities.31
6.2.1 Authentication key.31
6.2.1.1 K is derived from UAK .31
6.2.1.2 K derived from AC.31
6.2.1.3 K derived from UAK and UPI.32
6.2.2 Cipher keys.32
6.3 Network layer procedures .32
6.3.1 Background.32
6.3.2 Authentication exchanges .33
6.3.3 Authentication procedures .34
6.3.3.1 Authentication of a PT .34
6.3.3.2 Authentication of an FT.34
6.3.4 Transfer of Cipher Key, CK .34
6.4 MAC layer procedures .35
6.4.1 Background.35
6.4.2 MAC layer field structure.35
6.4.3 Data to be encrypted .36
6.4.4 Encryption process .36
6.4.5 Initialisation and synchronisation of the encryption process.39
6.4.6 Encryption mode control.39
6.4.6.1 Background .39
6.4.6.2 MAC layer messages .40
6.4.6.3 Procedures for switching to encrypt mode.40
6.4.6.4 Procedures for switching to clear mode .43
6.4.7 Handover of the encryption process .44
6.4.7.1 Bearer handover, uninterrupted ciphering .44
6.4.7.2 Connection handover, uninterrupted ciphering.44
6.4.7.3 External handover - handover with interrupted ciphering .45
6.4.8 Modifications for half slot specifications .45
6.4.8.1 Background .45
6.4.8.2 MAC layer field structure .45
6.4.8.3 Data to be encrypted.46
6.4.8.4 Encryption process.46
6.4.8.5 Initialisation and synchronisation of the encryption process.46
6.4.8.6 Encryption mode control .46
6.4.8.7 Handover of the encryption process.46
6.4.9 Modifications for double slot specifications.46
6.4.9.1 Background .46
6.4.9.2 MAC layer field structure .47
6.4.9.3 Data to be encrypted.47
6.4.9.4 Encryption process.47
6.4.9.5 Initialisation and synchronisation of the encryption process.48
6.4.9.6 Encryption mode control .48
6.4.9.7 Handover of the encryption process.48
6.4.10 Modifications for Multi-Bearer Specifications.48
6.5 Security attributes.49
6.5.1 Background.49
6.5.2 Authentication protocols .50
6.5.2.1 Authentication of a PT .51
6.5.2.2 Authentication of an FT.52
6.5.3 Confidentiality protocols .53
6.5.4 Access-rights protocols.55
6.5.5 Key numbering and storage.56
6.5.5.1 Authentication keys .56
6.5.5.2 Cipher keys .56
6.5.6 Key allocation.57

---------------------- Page: 6 ----------------------

SIST ETS 300 175-7 E1:2005
Page 5
ETS 300 175-7: October 1992
6.5.6.1 Introduction .57
6.5.6.2 UAK allocation .57
7 Use of security features.59
7.1 Background.59
7.2 Key management options.59
7.2.1 Overview of security parameters relevant for key management.59
7.2.2 Generation of authentication keys .60
7.2.3 Initial distribution and installation of keys.61
7.2.4 Use of keys within the fixed network.61
Annex A (informative): Security threats analysis .65
A.1 Introduction .65
A.2 Threat A - impersonating a subscriber identity.66
A.3 Threat B - illegal use of a handset (PP) .66
A.4 Threat C - illegal use of a base station (FP).67
A.5 Threat D - impersonation of a base station (FP).67
A.6 Threat E - illegally obtaining user data and user related signalling information.67
A.7 Conclusions and comments.68
Annex B (informative): Security features and operating environments.70
B.1 Introduction .70
B.2 Definitions . 70
B.3 Enrolment options.71
Annex C (informative): Reasons for not adopting public key techniques .72
Annex D (informative): Overview of security features.73
D.1 Introduction.73
D.2 Authentication of a PT.73
D.3 Authentication of an FT .73
D.4 Mutual authentication of a PT and an FT.74
D.4.1 Direct method .74
D.4.2 Indirect method 1 .74
D.4.3 Indirect method 2 .74
D.5 Data confidentiality .74
D.5.1 Cipher key derivation as part of authentication.74
D.5.2 Static cipher key .75
D.6 User authentication .75
D.7 Key management in case of roaming.75
D.7.1 Introduction.75
D.7.2 Use of actual authentication key K .76
D.7.3 Use of session keys .77

---------------------- Page: 7 ----------------------

SIST ETS 300 175-7 E1:2005
Page 6
ETS 300 175-7: October 1992
D.7.4 Use of precalculated sets.78
Annex E (informative): Limitations of DECT security.79
E.1 Introduction .79
E.2 Protocol reflection attacks .79
E.3 Static cipher key and short Initial Vector (IV).79
E.4 General considerations regarding key management.80
E.5 Use of a predictable challenge in FT authentication.80
Annex F (informative): Security features related to target networks.81
F.1 Introduction.81
F.1.1 Notation and DECT reference model .81
F.1.2 Significance of security features and intended usage within DECT .81
F.1.3 Mechanism/algorithm and process requirements .82
F.2 PSTN reference configurations.83
F.2.1 Domestic telephone .83
F.2.2 PBX.85
F.2.3 Local loop .87
F.3 ISDN reference configurations.88
F.3.1 Terminal equipment.88
F.3.2 Network termination 2 .90
F.3.3 Local loop .90
F.4 X.25 reference configuration .90
F.4.1 Data terminal equipment.90
F.4.2 PAD equipment.90
F.5 GSM reference configuration .91
F.5.1 Base station substation .91
F.5.2 Mobile Station .91
F.6 IEEE.802 reference configuration.91
F.6.1 Bridge.91
F.6.2 Gateway.91
F.7 Public access service reference configurations .91
F.7.1 Fixed public access service reference configuration.91
Annex G (informative): Compatibility of DECT and GSM authentication .93
G.1 Introduction.93
G.2 SIM and DAM functionality .93
G.3 Using an SIM for DECT authentication.94
G.4 Using a DAM for GSM authentication.94
Annex H (informative): DECT standard authentication algorithm .95
Annex I (informative): DECT standard cipher.96

---------------------- Page: 8 ----------------------

SIST ETS 300 175-7 E1:2005
Page 7
ETS 300 175-7: October 1992
Annex J (informative): Bibliography.97
History.98

---------------------- Page: 9 ----------------------

SIST ETS 300 175-7 E1:2005
Page 8
ETS 300 175-7: October 1992
Blank page

---------------------- Page: 10 ----------------------

SIST ETS 300 175-7 E1:2005
Page 9
ETS 300 175-7: October 1992
Foreword
This European Telecommunication Standard (ETS) has been produced by the Radio Equipment and
Systems (RES) Technical Committee of the European Telecommunications Standards Institute (ETSI), and
was adopted, having passed through the ETSI standards approval procedure (Public Enquiry 23: 1991-09-
02 to 1991-12-27, Vote 22: 1992-05-25 to 1992-07-17).
Annexes A to J to this ETS are informative.
The following cryptographic algorithms are subject to controlled distribution:
a) DECT standard cryptographic algorithms;
b) DECT standard cipher.
These algorithms are distributed on an individual basis. Further information and details of the current
distribution procedures can be obtained from the ETSI Secretariat at the address on the first page of this
ETS.
Further details of the DECT system may be found in the ETSI Technical Reports ETR 015 [16], and ETR
043 [15], and also in draft ETSI Technical Report: "Digital European Cordless Telecommunications System
description document" [17].
Introduction
This ETS contains a detailed specification of the security features which may be provided by DECT
systems. An overview of the processes required to provide all the features detailed in this ETS is
presented in figure 1.
The ETS consists of four main Clauses (Clauses 4 - 7), together with a number of informative and
important Annexes (A - J). The purpose of this introduction is to briefly preview the contents of each of the
main Clauses and the supporting Annexes.
Each of the main Clauses starts with a description of its objectives and a summary of its contents. Clause
4 is concerned with defining a security architecture for DECT. This architecture is defined in terms of the
security services which may be offered (subclause 4.2), the mechanisms which must be used to provide
these services (subclause 4.3), the security parameters and keys required by the mechanisms (challenges,
keys etc.), and which must be passed across the air interface or held within DECT portable parts, fixed
parts or other network entities (e.g. management centres) (subclause 4.4), the processes which are
required to provide the security mechanisms (subclause 4.5), and the recommended combinations of
services (subclause 4.6).
Clause 3 is concerned with specifying how certain cryptographic algorithms are to be used for the security
processes. Two algorithms are required: a key stream generator and an authentication algorithm. The key
stream generator is only used for the encryption process, and this process is specified in subclause 4.4.
The authentication algorithm may be used to derive authentication session keys and cipher keys, and is the
basis of the authentication process itself. The way in which the authentication algorithm is to be used to
derive authentication session keys is specified in subclause 3.2. The way in which the algorithm is to be
used to provide the authentication process and derive cipher keys is specified in subclause 3.3.
Neither the key stream generator nor the authentication algorithm are specified in this ETS. Only their input
and output parameters are defined. In principle, the security features may be provided by using
appropriate proprietary algorithms. The use of proprietary algorithms may, however, limit roaming in the
public access service environment, as well as the use of PPs in different environments.
For example, for performance reasons, the key stream generator will need to be implemented in hardware
in portable and fixed parts. The use of proprietary generators will then limit the interoperability of systems
provided by different manufacturers. Two standard algorithms have been specified. These are the DECT
Standard Authentication Algorithm (DSAA, see Annex H) and the DECT Standard Cipher (DSC, see
Annex I).

---------------------- Page: 11 ----------------------

SIST ETS 300 175-7 E1:2005
Page 10
ETS 300 175-7: October 1992
Because of the confidential nature of the information contained in them, these documents are not submitted
for Public Enquiry. However, the algorithms will have to be made available to DECT equipment
manufacturers. The DSAA may also need to be made available to public access service operators who, in
turn, may need to make it available to manufacturers of authentication modules. Clause 4 is concerned with
integrating the security features into the DECT system. Four aspects of integration are considered. The
first aspect is the association of user security parameters (in particular, authentication keys) with
...