THE JOURNAL OF CHINA UNIVERSITIES OF POSTS AND TELECOMMUNICATIONS

Vol.13, No.2, Jun.2006

Research on End-to-End Encryption of TETRA


ZHANG Zhi-hui1,2, YANG Yi-xian2
1. Beijing FORICH Software Technology Co., Ltd., Network Security Division, Beijing 100083, P. R. China;
2. Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, P. R. China

Abstract: The Terrestrial Trunked Radio (TETRA) system uses end-to-end encryption in addition to the air interface encryption to provide enhanced security. The TETRA system uses a synchronization technique known as frame stealing to provide synchronization of end-to-end encrypted data. However, the frame stealing process degrades the quality of video. This paper proposes an end-to-end encryption system with the frame stealing technique for voice and frame insertion for video. A block cipher in the output feedback mode is used to implement the end-to-end key stream generator. Moreover, in the Short Data Service (SDS) message encryption, a block cipher in the Cipher Block Chaining (CBC) mode is used to calculate the cryptographically secure checksum, which is sufficient to certify the integrity.
Key words: TETRA; end-to-end encryption; confidentiality; integrity
CLC number: TN918.1 Document code: A Article ID: 1005-8885(2006)02-0070-04

Received date: 2005-06-02
Foundation item: This project is supported by National Natural Science Foundation of China (60372094).

1 Introduction

TETRA is an ETSI-standardized digital radio operating system based on trunked mobile radio technology[1-3]. It is typically designed for the Professional Mobile Radio (PMR) market and includes systems, typically for Military and Public Safety organizations, as well as Public Access Mobile Radio Systems for public service[4-5]. In any radio system, the air interface is especially at risk, since it is vulnerable to undetectable interception. TETRA has built on the DECT[6-7] security and added features which are relevant for professional mobile radio users, such as end-to-end encryption, encryption for closed user groups, and secure enabling and disabling of mobile terminals[8]. Only the air interface security has been fully specified in the TETRA standard, and the definition of end-to-end security is left to the user. The TETRA MoU Security and Fraud Prevention Group (SFPG) has produced a series of recommendation documents which enable TETRA users to optimally customize the security requirements[9]. Air interface security protects data only between the terminals and the network. Within the network infrastructure, the data is transported unencrypted. Thus end-to-end and air interface security complement, and do not impede, each other. Neither of them can fulfill all security requirements independently[10-11]. This article provides an overview of end-to-end encryption of TETRA. An end-to-end encryption system based on IDEA is presented and analyzed. The encryption algorithms for voice mode and for SDS short messages are stream cipher generators. We use a block cipher in Output FeedBack (OFB) mode to achieve the end-to-end Key Stream Generator (EKSG). The frame stealing technique for voice and frame insertion for video are discussed. In SDS message encryption, a block cipher in CBC mode is used to calculate the cryptographically secure checksum, which is sufficient to test the integrity. IDEA is a symmetrical block cipher working with 128 bit keys.

2 End-to-End Voice Encryption

Fig. 1 shows a synchronization mechanism of the voice encryption and decryption based on the synchronous stream cipher principle. The transmitter and the receiver are symmetric and have common encryption units. The End-to-end Key Stream Generator[12-13] (EKSG) is where a block cipher in output feedback mode is used to encrypt data. In OFB mode the previous output of the encryption process is fed back as the input to the encryption process through a register. The plaintext is XORed with the output of the encryption process to obtain the cipher text, as shown in Fig. 2. The EKSG shall have two inputs, a cipher key and an initialization value. The initialization value should be a time variant parameter (e.g. a sequence number or a timestamp) used to initialize synchronization of the encryption units. The multiplexer shall replace a half slot of cipher text with a synchronization frame provided by the "Sync Frame" functional unit; this is frame stealing. The frame stealing process periodically replaces the contents of a half slot of data with synchronization information. The replaced portions of the data stream are lost. The TETRA speech codec is capable of tolerating some loss of data, which never greatly affects speech. Moreover, since speech frames are directly mapped on to the transmission time slots of the radio, the frame stealing strategy can be efficiently adopted for synchronization of end-to-end encrypted speech.

Fig. 1 Synchronization mechanism at the transmitter and the receiver


Fig. 2 Key stream generator based on IDEA

To provide a high level of security for traffic, end-to-end encryption is needed. The channels involved in mobile communication systems are very noisy and time varying. Communication over these channels results in errors in the received data and, consequently, loss of synchronization of the receiver to the incoming data stream. Loss of synchronization in a stream of encrypted data will result in an erroneously deciphered data stream. If the key stream K at the receiver loses synchronization to the incoming cipher text stream C, the corresponding decrypted data stream P at the receiver will be in error. Therefore, some means of providing synchronization at the receiver is required. Synchronization is provided by sending synchronization information to the receiver. The transmitter sends IV updates within a synchronization frame to the receiver to recover from loss of synchronization. The synchronization frame contains additional elements which allow the receiver to select the correct key and key algorithm. Two further elements, a timestamp and a cryptographic check sum, secure the integrity of the synchronization frame and prevent imposture through repetition (replay attacks). When a frame is received, the encryption synchronization unit detects the synchronization information, and changes the current key and the algorithm according to the received key number and the algorithm number, and the IV of the receiver decryption unit is updated according to the received IV.

IDEA is the symmetrical block cipher working with 128-bit keys. It was developed in 1991 at the Technical University of Zurich, and at present has no known weaknesses[14]. The key stream generator based on IDEA is shown in Fig. 2. An encryption speed of 177 Mb/s can be obtained using IDEA based on VLSI. In order to generate enough bits for a TETRA half-slot, IDEA is executed four times. The last 64 bits then serve as a possible Synchronization Vector (SV). The SV is part of a 119 bit long synchronization frame, which is transmitted between one and four times per second. Frame stealing makes it possible to transmit signaling data instead of user data, and is achieved by replacing half a timeslot of user data with signaling data.

3 End-to-End Video Encryption

The TETRA speech codec is capable of tolerating some loss of data, which causes no problems for speech, so the frame stealing strategy can be efficiently adopted for the synchronization of end-to-end encrypted speech. Unlike speech, video is coded in the host computer at the application layer. Thus, there is no direct mapping of video frames to the transmission time slots of the radio. This makes it difficult to determine the timing for stealing half slots to send synchronization frames. Therefore an alternative technique is required to provide synchronization to encrypted video streams. M. I. Samarakoon[15] proposed a technique termed frame insertion which is more appropriate for video transmission. In frame insertion, synchronization frames are inserted to the transmitted video streams
between successive video frames. Unlike frame stealing, there is no loss of data. However, to permit the insertion, the application has to reduce the data rate to maintain the same overall transmission rate. The receiver has to check whether the received frame is a synchronization frame by verifying the size of the received frame. The main problem with dropped packets is that the receiver does not know the size of a dropped packet, especially when packet lengths vary. The solution to this problem is to generate a fixed length key stream segment to encrypt the variable length data packets. The length of each of these key stream segments is independent of the data packet sizes and should be equal to an allowable or expected maximum data packet size. After encrypting each data packet whose size is less than the expected maximum, the excess portion of the key stream segment is discarded. The fly-wheeling technique[15] offers a method of recovering synchronization from dropped packets.

We also consider coding video cipher text in order to use the frame stealing technique for synchronization of end-to-end video encryption. After the video cipher text is generated with the EKSG, an amount of redundancy is inserted into the cipher text periodically. In the transmission process, the frame stealing mechanism makes it possible to transmit signaling data instead of the redundancy, and is achieved by replacing half a timeslot of the redundancy with signaling data. Thus, the frame stealing strategy can be efficiently adopted for speech and video encryption.

4 The SDS Encryption

Within TETRA, as in GSM, a short message service is also defined. In TETRA, it is called the short data service. Depending on the SDS type, an amount of bits from 16 to 2 048 can be transmitted. An SDS short data message is protected in such a way that its content remains confidential and its integrity can be checked on reception, as shown in Fig. 3. Data confidentiality is achieved through data encryption. The procedure is the same as that in end-to-end voice encryption. A CrypTographically Secure Checksum (CCSUM) and other control data (Enc. Ctrl. Data) comprise the synchronization vector[16]. It is not necessary to encrypt the SV elements, since they are not confidential. It is sufficient to be able to test their integrity, and the CCSUM makes this possible. As long as an attacker does not know the key used to calculate the checksum, he cannot change data in the SDS message or recalculate the CCSUM without being detected. A block cipher in CBC mode can be used to calculate the CCSUM. The SV delivers all necessary information so that the legitimate receiver can decode the data. The data in the Enc. Ctrl. Data element contain the IV, and tell the receiver the information to use.

Fig. 3 Construction of an encrypted SDS message

Even when an attacker cannot read the contents of a data packet, it can still be of interest to him which kind of data packet is concerned. To prevent an attacker from drawing any useful conclusions about the nature of a short data message, the original Protocol Identifier (PID) of the unencrypted SDS message (O-PID) is transmitted and replaced with a new protocol identifier (ES-PID). Logging the ES-PID is of no use to the attacker, since all it reveals is that an encrypted short data message is being sent.

Fig. 4 Flow chart of a receiver SDS process (boxes: Identify ES-PID; Analyze Enc. Ctrl. Data, get the control data for encryption; Calculate the CCSUM; SDS receive failed)

The receiver should decrypt the SDS data using the right cipher key and calculate the CCSUM. If the result is equal to the CCSUM received, the communication is successful, as shown in Fig. 4. When an SDS is received, the receiver checks whether the SDS is encrypted by verifying the ES-PID. If an encrypted SDS message is received, the current key and algorithm are changed according to the received key number and the algorithm number, and the IV of the receiver decryption unit is
updated according to the received IV. After the decryption process, the CCSUM of the decrypted SDS should be calculated. If the CCSUM is equal to the received one, the received SDS is valid.

5 Conclusions

An end-to-end voice encryption system based on a synchronization mechanism, frame stealing, is introduced. When the system is used to encrypt video, frame insertion is adopted. This technique has the advantage over the conventional frame stealing technique of not losing any data. But frame insertion will reduce the data rate, so how to code video effectively should be taken into account. An end-to-end SDS encryption system based on a block cipher is proposed. The procedure to achieve data confidentiality is the same as in end-to-end voice encryption. Data integrity is achieved through calculation of the CCSUM.

References:
[1] ETSI EN 300 392-1 V1.3.0, TETRA: general network design [EB/OL]. 2005-02-01. http://www.etsi.org.
[2] TETRA Security Mechanisms [EB/OL]. 2003-02-10. http://www.tetramou.com/files/tetra- security- mechanisms.ppt.
[3] Wireless Distributed Communication Systems [EB/OL]. 2004-05-10. http://www2.rfsworld.com/RFS Edition31 pdfs/WIXS- Introduction. 525-527.pdf.
[4] TETRA Security-An overview [EB/OL]. 2003-08-01. http://www.tetramou.com/resources/files/Tetra - secRl.pdf.
[5] SUI Ai-fen, WANG Jiao. Research and comparison of security mechanisms in GSM and IS-41 [J]. Journal of Chongqing Institute of Posts and Telecommunications (in Chinese), 2004, 16(1): 66-69.
[6] ETSI EN 300 175-7. V1.8.1, DECT Common Interface Security features [EB/OL]. 2004-11-10. http://www.etsi.org.
[7] LIN H, LEIN HARN. Authentication in wireless communications [C] // Proceedings of IEEE Global Telecommunications Conference: Vol 1, Nov 29 - Dec 2, 1993, Houston, TX, USA. Piscataway, NJ, USA: IEEE, 1993: 550-554.
[8] ETSI EN 300 392-7. TETRA: Security aspects, Version 2.2.1 [EB/OL]. 2004-09-01. http://www.etsi.org.
[9] TETRA MoU SFPG Recommendation 02 - End-to-End Encryption [EB/OL]. 2003-08-01. http://www.tetramou.com/MoU.
[10] ZHANG Zhi-hui, HU Bing, YANG Yi-xian. Research on encryption mechanism of TETRA [J]. Communications Technology, 2004(2): 118-120.
[11] ROELOFSEN G. Cryptographic algorithms in telecommunications systems [J]. Information Security Technical Report, 1999, 4(1): 29-37.
[12] ETSI EN 302 109. TETRA: Synchronization mechanism for end-to-end encryption, Version 1.1.1 [EB/OL]. 2003-06-15. http://www.etsi.org.
[13] Security for TETRA [EB/OL]. 2001-12-15. http://www.ascom.com/secsol/de/filel99161- 0 - tetra- security.pdf.
[14] SCHNEIER B. Applied cryptography: protocols, algorithms, and source code in C [M]. 2nd ed. New York, NY, USA: John Wiley & Sons Inc., 1996: 225-230.
[15] SAMARAKOON M I, HONARY B, RAYNE M. Encrypted video over TETRA [J]. IEE Colloquium Digest, 2000(7): 29-33.
[16] TETRA End-to-End Security [EB/OL]. 2003-10-25. http://www.ascom.com/secsol/de/file199164- 0 - tetra-e2e- article.pdf.

Biographies: ZHANG Zhi-hui, male, doctor of Beijing University of Posts and Telecommunications, R and D engineer of Beijing FORICH Software Technology Co., Ltd., interested in the research on information and network security, distributed system security.

YANG Yi-xian, male, Doctor of Beijing University of Posts and Telecommunications, Professor, Tutor of Doctor students, interested in the research on coding cryptology, information and network security, signal and information processing, etc.
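
Sections 2 and 4 describe an IDEA key stream generator in OFB mode, resynchronization of the receiver from a transmitted IV, and a CBC-mode checksum for SDS messages. The sketch below is an added example, not code from the paper: the function names, the all-zero starting register, the sample half-slots and the length prefix in the checksum are assumptions, and the key is the published IDEA test key.

```python
import struct
M = 0xFFFF
KEY = bytes.fromhex("00010002000300040005000600070008")  # published IDEA test key
SLOTS = [bytes([i]) * 32 for i in range(3)]  # constructed 256-bit plaintext half-slots

def mul(a, b):  # multiply mod 2^16 + 1; the word 0 stands for 2^16
    return (((a or 0x10000) * (b or 0x10000)) % 0x10001) & M

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def idea_subkeys(key):  # 52 subkeys: take 8 words, rotate the key left 25 bits, repeat
    k, sk = int.from_bytes(key, "big"), []
    while len(sk) < 52:
        sk += [(k >> (112 - 16 * i)) & M for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return sk[:52]

def idea_encrypt(block, sk):  # OFB and CBC-MAC use only the encrypt direction
    x1, x2, x3, x4 = struct.unpack(">4H", block)
    for r in range(0, 48, 6):
        x1, x2 = mul(x1, sk[r]), (x2 + sk[r + 1]) & M
        x3, x4 = (x3 + sk[r + 2]) & M, mul(x4, sk[r + 3])
        t = mul(x1 ^ x3, sk[r + 4])
        u = mul(((x2 ^ x4) + t) & M, sk[r + 5])
        t = (t + u) & M
        x1, x2, x3, x4 = x1 ^ u, x3 ^ u, x2 ^ t, x4 ^ t
    return struct.pack(">4H", mul(x1, sk[48]), (x3 + sk[49]) & M,
                       (x2 + sk[50]) & M, mul(x4, sk[51]))

def eksg_half_slot(sk, iv):  # OFB: each output is fed back as input; 4 runs = 256 bits
    blocks = [iv]
    for _ in range(4):
        blocks.append(idea_encrypt(blocks[-1], sk))
    return b"".join(blocks[1:]), blocks[-1]  # key stream, register for next half-slot

def ccsum(sk, msg):  # CBC-MAC; the 8-byte length prefix is this example's assumption
    data = len(msg).to_bytes(8, "big") + msg + bytes(-len(msg) % 8)
    mac = bytes(8)
    for i in range(0, len(data), 8):
        mac = idea_encrypt(xor(mac, data[i:i + 8]), sk)
    return mac

def lost_slot_demo(sk):  # receiver decrypted slot 0, missed slot 1, now gets slot 2
    ivs = [bytes(8)]  # constructed all-zero start; ivs[n] = register before slot n
    for _ in SLOTS:
        ivs.append(eksg_half_slot(sk, ivs[-1])[1])
    ct = xor(SLOTS[2], eksg_half_slot(sk, ivs[2])[0])
    return tuple(xor(ct, eksg_half_slot(sk, iv)[0]) for iv in (ivs[1], ivs[2]))
```

`lost_slot_demo` returns the half-slot decrypted with the stale register (garbage) and with the register reloaded from the synchronization frame (the original plaintext). Without the length prefix, CBC-MAC tags can be forged once message lengths vary, so a checksum over variable-length SDS payloads needs that binding or a CMAC-style construction.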
