Design of a block cipher used in TETRA secure radio

Submitting Institution

Royal Holloway, University of London

Unit of Assessment

Mathematical Sciences

Summary Impact Type

Technological

Research Subject Area(s)

Information and Computing Sciences: Computation Theory and Mathematics, Data Format


Download original

PDF

Summary of the impact

Terrestrial Trunked Radio (TETRA) is a very well known, international specification for secure mobile radio and `walkie-talkie' communication, that is extensively used and relied upon by emergency and public safety services such as police, ambulance and fire services, as well as governmental and private bodies. The European Telecommunications Standards Institute (ETSI) began standardising TETRA in the 1990s and it is now widely used throughout the world. Foundations of its success include resilience and reliability, but security is a major feature, being underpinned by expert cryptographic design. In particular the authentication and key generation mechanisms in TETRA rely on a block cipher (HURDLE) which was designed by a team of cryptographers at Royal Holloway.

The work carried out at Royal Holloway underpins the integrity and security of TETRA safety- critical networks throughout the world to the present day. A secure design for emergency service communications minimises both the amount of disruption criminals can cause to service operations, and the amount of operational information such criminals can glean from eavesdropping, contributing to the safety and security of society as a whole as well as the economic benefits to manufacturers of TETRA-based equipment.

Underpinning research

A block cipher is an algorithm to efficiently realise a family of permutations of binary strings of a fixed length, these permutations being indexed by a (secret) key. The block cipher should be designed so that the permutations it realises behave as if they were randomly chosen to an observer not in possession of the key.

The underpinning research. HURDLE is a block cipher that was designed by a team of cryptographers at Royal Holloway: Matthew Dodd (PhD student; now an independent security consultant), Sean Murphy (lecturer; now Professor), Kenny Paterson (post-doctoral researcher; now Professor) and Fred Piper (Professor; now retired) [1]. This work was undertaken as part of a wider project to design and evaluate the security mechanisms of the TETRA standard. The project to standardise TETRA security was commissioned by ETSI-SAGE, the Security Algorithms Group of Experts at the European Telecommunications Standards Institute. The team at Royal Holloway designed the block cipher in 1996, and the specification was issued by ETSI-SAGE in January 1997 [1].

Quality. The design of a secure and efficient block cipher is a delicate process, which requires a combination of experience (in cipher design and cryptanalysis), technical precision and creativity. Any cipher to be used in a critical and large-scale project such as TETRA is expected to be world- leading in terms of its design and performance, and indeed cannot be allowed to fail in operational use.

The specification for HURDLE has been subject to a rigorous process of peer review by top experts in the area: the design was reviewed in detail by SAGE participants and contractors, including security experts from the mobile and wireless industries. These experts were drawn from the major companies of the time that were active in international standardisation, and included Alcatel, British Telecommunications, Deutsche Telecom, France Telecomm, KPN Research, Philips Electronics Eindhoven and Vodafone. This review process replaces, and is more rigorous than is usual for, the standard academic review process. The full specification for HURDLE and derivative TETRA Algorithms is available under an NDA to approved parties, but is otherwise confidential and so cannot be reviewed in the standard way. Attesting to the academic quality of the specification, The President of the IACR (the main international organisation concerned with cryptographic research), a consultant for industry, and a member of ISO standards committees for security technologies) writes [2]:

I would like to make two points: first, that good cipher specification is regarded as a significant research contribution in my field; second, that the review process for a key industrial cipher can be more demanding than the refereeing process for a top cryptography conference [...] A typical submission to a cryptography conference will be reviewed by 2 or 3 academics (members of the programme committee, or their nominees). It is very unlikely that a typical reviewer will spend more than half a day examining each paper. For the [...] TETRA ciphers above, the design will be reviewed by several teams (certainly more than 3), each team looking at the cipher for (as an absolute minimum) 2 days. The review procedure is therefore typically much longer than for a submission for an academic conference. Moreover, high-profile academics and highly-regarded industrial consultants are often the same people. This leads me to believe that the industrial review process is often more rigorous than for a top academic conference. I should mention a second, unofficial, 'reviewing' process of an industrial cipher takes place when the deployed cryptographic system is attacked by third parties. If the system remains resistant to real- world attacks, this gives further evidence of the quality of the cipher.

All of this context points to the two ciphers that Royal Holloway are putting forward as being clearly of 2 star or higher research quality, as defined above.

In his letter of support, President of the IACR gives more detailed evidence of the high esteem the community gives to research of this type.

The President of the IACR makes the point above that resistance to real-world attacks is a measure of quality.

There is no evidence that HURDLE has been broken, despite being widely deployed in security- critical applications for many years. The former Chair of ETSI SAGE (Security Algorithms Group of Experts) and Chair of ETSI Project TETRA WG 6 (the TETRA security group) when the TETRA standard was created. He writes [1]:

The security of TETRA was state-of-the-art, and I believe it is has stood up very well to developments over the past 15 years. I am not aware of any successful attacks on the security of TETRA.

The Chief Executive of the TETRA+ Association, a trade association to support TETRA which counts over 150 operators, manufacturers and other interested parties as members. He writes [3] of TETRA:

As far as I am aware there have not been any reports of this security being breached ever and it continues to be deployed in existing and new implementations around the world. I am pleased to give credit for this remarkable achievement to Royal Holloway, University of London who designed the algorithms that provide this security.

Context. The design of HURDLE forms part of a strong tradition of the study of cryptology in the School that continues to the present day. Royal Holloway is designated as an Academic Centre of Excellence in Cyber Security Research (2012-) and hosts a Centre for Doctoral Training in Cyber Security (2013-); and our expertise in cryptography (as part of an interdisciplinary group spanning mathematics and computer science) contributes significantly to this. Highlights of work completed over the history of the group include the invention of key distribution schemes (Mitchell-Piper), the cryptanalysis of FEAL (the first use of differential cryptanalysis; Murphy), the algebraic framework for the cryptanalysis of AES (Cid-Murphy-Robshaw), pairing-based cryptography (Galbraith-McKee), ID-based cryptography (Paterson), key predistribution for Wireless Sensor Networks (Blackburn-Martin-Ng), codes for copyright protection (Blackburn-Ng) and group-based cryptography (Blackburn-Cid). Consultancy in the field of information security is regularly carried out, including the design and cryptanalysis of ciphers and work with new digital mobile telephony standards. Blackburn, Cid, Martin, McKee, Murphy, Ng and Paterson are current academic staff who have published cryptography papers and/or undertaken cryptographic consultancy within the current REF period.

References to the research

ETSI/SAGE Specification, `Specification of the HURDLE-II Algorithm', European Telecommunications Standards Institute, 20 January 1997. Available under an appropriate NDA.

Details of the impact

What is the link between the research and the benefit? HURDLE is the cryptographic primitive that underpins authentication and key derivation in TETRA [1]. Authentication allows two mobile devices, or a base station and a mobile device, to confirm that each is a valid party in the network. Key derivation allows the generation of secret keys (such as session keys) used in communication protocols from longer-term secret key material. The TETRA standard [4] specifies authentication and key derivation operations in terms of TETRA Algorithms (denoted TAn in [4], where n is an integer). HURDLE is the cryptographic component in all the TETRA Algorithms in [4].

Who benefits? The TETRA mobile radio and `walkie-talkie' communication standard is tailored for use by the public safety sector (such as police, fire and ambulance services), government agencies and the military. It was first developed as a European standard in the late 1990s, but is now marketed worldwide for a wide variety of safety-critical applications. There are now more than 1400 TETRA contracts, and TETRA is in use in over 130 countries, with over 200,000 users in the UK alone [3,5,6]. For example, the police forces from the following European countries use TETRA: Austria, Belgium, Denmark, Estonia, Finland, Germany, Greece, Iceland, Ireland, Italy, the Netherlands, Norway, Portugal, Poland, Romania, Slovenia, Sweden and the U.K. The standard is used by a range of other organisations with safety-critical needs. UK examples include London Underground, airport services at Aberdeen, Birmingham, Glasgow, Heathrow and Manchester and the UK Highways Agency. The TETRA Industry Group [5] lists a selection of recent TETRA implementations, showing that new users continue to switch to the standard. Since 2008, there have been applications to airport services, bus and tram services, disaster relief, fire services, gas extraction, the military, mining, oil extraction, roadside assistance, train communications, and communications in underground/metro networks. A wide range of European countries have been involved, plus Australia, Brazil, Canada, China, Haiti, India, Jordan, Kazakhstan, Kuwait, Malaysia, Mexico, Pakistan, Qatar, Russia and Singapore. Beyond the systems themselves, society as a whole benefits from the provision of secure and efficient infrastructure that keeps many millions of citizens protected from crime and terrorism, and safe in cases of emergency.

How do they benefit? Authentication in TETRA is used to prevent cloned devices from becoming part of the network, and to prevent illegitimate parties from masquerading as base stations. Key derivation algorithms are an essential part of other security functions provided by the network; for example, an insecure key derivation algorithm could result in decryption of TETRA communications, thereby compromising the confidentiality of sensitive data.

Security is a major feature of TETRA; indeed, the Pocket Guide [7] produced by the TETRA Association lists Communications Security as its first benefit, with authentication and encryption (both dependent on HURDLE) specifically highlighted:

Communications security is a prerequisite for public safety agencies, and a critical requirement for the increasing number of commercial organisations that rely on TETRA.

TETRA builds on the inherent security strengths of digital technology. A key feature of TETRA is the protection of the radio connection between devices and radio sites through the application of advanced Air Interface Encryption techniques.

TETRA's security measures deliver the strongest levels of protection; ensuring the privacy of conversations and the secure transmission of sensitive data.

A potential security loophole in networks — devices — is also addressed. Authentication at the connection between device and network controls traffic to ensure that transmissions are from approved users. If a terminal is misplaced or stolen it can be immediately disabled, preventing unauthorised personnel listening to private conversations or viewing sensitive information.

It is of national importance for a country's security-critical services to have a radio network that is not vulnerable to eavesdropping and outside manipulation, made up of devices that cannot be cloned. The secure design of the HURDLE cipher has ensured the integrity and confidentiality of a growing number of safety-critical networks over the past 10 years, with consequent benefits to national security, to safety, and to the reliable operations of the systems they support.

Sources to corroborate the impact

[1] Supporting statement from the former Chair of ETSI SAGE (Security Algorithms Group of Experts) and Chair of ETSI Project TETRA WG 6 (the TETRA security group), 11 October 2013. Copy available on request. [Quality and authorship of underpinning research; link to impact.]

[2] Supporting statement from the President of the International Association of Cryptologic Research, 11 May 2013. Copy available on request. [Quality of underpinning research.]

[3] Supporting statement from the Chief Executive of the TETRA+ Critical Communications Association, October 2013. Copy available on request. [Authorship of research; link between research and impact; reach and significance of impact]

[4] ETSI EN 300 392-7 V2.1.1 (2001-02), Terrestrial Trunked Radio (TETRA); Voice plus Data (V+D); Part 7: Security, European Telecommunications Standards Institute, 2001. http://www.etsi.org. Copy available on request. [Link between research and impact]

[5] TETRA Industry Group fact sheet "TETRA Around the World" (copy available on request) and http://www.tetrahealth.info/worldIintro.htm Retrieved 9 October 2013. [Reach of impact.]

[6] TETRA Industry Group, FAQs — Who uses TETRA and Why? http://www.tetrahealth.info/pages/FAQs_WhoUses.html Retrieved 9 October 2013. [Reach and significance of impact.]

[7] The TETRA Pocket Guide. http://pocketguide.tetra-association.com/english/ Retrieved May 2012. [Reach and significance of impact.]