Sepura Product Bulletin MOD-05-166
Overview of the Sepura Crypto Management Tools
© Sepura Limited 2006
Contents

INTRODUCTION ... 4
CRYPTO MANAGEMENT CENTRE FUNCTIONALITY ... 5
FEATURES ... 8
    Standards ... 8
    Encryption Algorithms Supported ... 8
    Use on various TETRA SwMIs ... 8
    Security of Crypto Management Centre ... 8
CMC USER INTERFACE ... 9
CMC IN OPERATION ... 10
LANGUAGE SUPPORT ... 12
CONFIGURATION FILE ... 13
    CMC Sizing ... 13
    Group or individual Addressing ... 13
    Message retry mechanism ... 13
END TO END ENCRYPTION KEYS ... 14
    Traffic Encryption Keys (TEK) ... 14
    Key Encryption Key (KEK) ... 14
    Signalling Encryption Key (SEK) ... 14
    Group Encryption Key (GEK) ... 14
SEPURA CRYPTO DELIVERY TOOL (CDT) ... 15
OPERATIONAL PROCEDURE ... 16
    Generation of the E2EE Data ... 16
    Provisioning the Crypto Delivery Tool (CDT) ... 16
    Programming the Terminals ... 17
RELATED INFORMATION ... 18
    Analysis Tool ... 18
    Data Leads ... 18
NOTICE ... 19
    Contact Details ... 19

14th July 2006 Company confidential
Page 2 of 19 © Sepura Limited 2005
INTRODUCTION
This document describes the Sepura Crypto Management Tools used for the generation, management and distribution of the End to End Encryption (E2EE) material. The Sepura tools are known as the Crypto Management Centre (CMC) and the Crypto Delivery Tool (CDT). Both tools follow the Recommendations of the TETRA MoU Security and Fraud Protection Group. The CMC allows the User to manage the End-to-End security functionality of their fleet of Sepura radio terminals from a central point with a minimum of skilled management time. The CMC brings the added benefit of electronic audit and the ability to quickly manage any security compromise by deleting the keys of lost or stolen terminals and by changing the keys of the remaining radio population. The document also describes a typical operational scenario by which the E2EE keys and associated parameters are generated and distributed into the Sepura handheld, covert and mobile terminals.
[Figure: The relationship between the Sepura Crypto Management Tools and radio terminals. The Sepura Crypto Management Centre (CMC) reaches the Sepura radio terminals by OTAK messaging and passes key files by file transfer to the Sepura Crypto Delivery Tool (CDT), which in turn programs the radio terminals over a data cable.]
CRYPTO MANAGEMENT CENTRE FUNCTIONALITY
The Crypto Management Centre (CMC) supports the following functional areas:
(i) Database of E2EE material. The CMC database allows the User to manage the following relationships:
    • Assignment of the unique Key Encryption Key (KEK) to each individual radio subscriber (ISSI).
    • Assignment of radio subscribers to the User Groups.
    • Assignment of Traffic keys (TEKs) to the Crypto Groups.
    • Association of Crypto Groups to User Groups.
This information is securely held within a database encrypted with the AES-128 algorithm. The encrypted database can be exported to an external storage media and for resilience Sepura recommend that this information should be regularly backed up. Certain fleet information, such as the individual (ISSI) and group (GSSI) TETRA identities of the radio subscribers, can be imported from the Sepura Radio Manager.
(ii) Generation of the Keys. The E2EE management Keys (the Key Encryption Key (KEK) and the Signalling Encryption Key (SEK)) and the Traffic Keys (TEKs) can be generated using the integrated FIPS 140-2 compliant random number generator. The length of the Traffic Key (stated in Bits) is subject to export control regulations and hence the CMC will be factory configured to support 128, 64 or 56 bit key lengths. The management keys (KEK and SEK) have a fixed length of 128 bits.
(iii) Import of externally generated Key material. Externally generated sealed and unsealed Crypto keys and associated fields can be imported from the appropriate security authorities in the SFPG Rec01 format with the appropriate Info code. E2EE Keys may also be manually entered via the CMC keyboard; however, this mechanism is only recommended for training purposes.
(iv) Management of the E2E Key Lifecycle. Both Automatic and Manual update of Keys and Crypto Group Associations are supported by the CMC. The time period for Key update is user selectable in units of days, months or a specific Day within a month. The CMC operator may also initiate an immediate key download to a radio terminal or User Group, perhaps for a special operation. The OTAK download process is acknowledged and the CMC is aware of the percentage of the radio terminals which have successfully downloaded the new keys. This figure is also used at the key changeover point, e.g. more than 80% of the terminals must have received the download before the new key is activated.
(v) Over The Air Key Management (OTAK) using SDS messaging. The CMC sends SDS based OTAK messages either via a direct connection to the TETRA Network or wirelessly via the data port of a Sepura terminal. The OTAK message structure is defined in section 8.7 of SFPG Rec 02 (edition 4) and the message types are described in the points below.
    • Response to a Power Up or Registration message from a radio terminal: the CMC searches the database and downloads any keys and associations as required.
    • Download of the Signalling Key (SEK) and Traffic Key (TEK) to the radio terminal.
    • Association_Set message and response to the Association_Ack message.
    • Activation of the Traffic Keys.
    • Deletion of both individual and groups of Traffic Keys.
    • Stun and Kill, including response to the MS generated Stun_Kill_Ack which indicates that the User has locally disabled the radio terminal.
Sepura radio terminals exchange individual E2EE Key management messages with a defined CMC (the individual identity (ISSI) of the CMC must be pre-configured in the terminal(s)). Receipt of a message from an unknown CMC will be considered invalid by the radio terminal. All OTAK messages are protected by encryption with the Signalling Encryption Key (SEK) (apart from the message delivering the SEK) and all keys within OTAK messages are protected by encryption with the Key Encryption Key (KEK).
(vi) Export Key material to the Sepura Crypto Delivery Tool. The CMC is able to compile and export files containing the encryption Keys and Cryptogroup associations to the Sepura Crypto Delivery Tool (CDT).
(vii) Event Logging. For audit purposes every Event is logged and archived on a daily basis, with a new folder produced every month. Event logs are time stamped and read only. Reports are provided (1) indicating when each radio terminal contacted the CMC and its key currency, and (2) listing all actions undertaken by CMC Users and Super Users. The reports are available to an Administrator level User only and may be exported in .csv and .txt file formats.
FEATURES
STANDARDS
The CMC conforms fully to SFPG Recommendation 02 (Edition 4).
ENCRYPTION ALGORITHMS SUPPORTED
Initially the CMC will support the AES-128 algorithm; however, it is expected that other algorithms will become available in future software releases. Export control regulations will determine which algorithms may be supplied and also the permitted length of the Traffic Keys (stated in Bits). For UK and Western European operations, 128 bit keys will typically be used; however, 56 and 64 bit keys are also supported.
USE ON VARIOUS TETRA SWMIS
The CMC will typically interface to the Short Data Service router of the TETRA SwMI. It is intended that the CMC will operate on the TETRA systems of different manufacturers, assuming that appropriate interface details are made available to Sepura. This solution is aimed at the E2EE management of larger fleets of Users. As an alternative, the CMC will also support the transmission and reception of SDS based OTAK messages via the PEI interface of a dedicated Sepura mobile radio terminal. This solution is aimed at the E2EE Key management of smaller fleets of Users.
SECURITY OF CRYPTO MANAGEMENT CENTRE
Sepura recommend that the CMC operates on a machine dedicated to Crypto Management and physically located in a secure environment. The CMC protects the E2EE Key material by storing the Keys in a database which is encrypted using a Master Key. The CMC is responsible for the generation, application and change of the Master Key used by the encrypted database. The encrypted database may be saved and backed up onto external storage media. To import this to another CMC machine, the Master Key must also be loaded.
CMC USER INTERFACE
The tasks and permissions of the CMC are distributed across 3 levels. Each level has access control and a CMC User must enter a valid alphanumeric Password (at least 9 characters in length) to gain access to specific tasks and when moving between the levels. The 3 categories of User are (1) the Administrator, (2) the Super User and (3) the Key Delivery User.
    • Administrator: The Administrator has access to all User functions and can create Super User accounts. E2EE Key Management is a continuous process and hence the CMC can be set to execute its core Key Management tasks even if no one is logged on. Administrator level permission is needed to exit the program. The three methods of Key generation may be enabled or disabled according to local security rules in the Administrator level set up.
    • Super User: The Super User is permitted to set up and delete Key Delivery User accounts, perform a KILL terminal function, change the subscriber membership of the different User Groups, define the periodicity of key change and manually load a new database Master Key.
    • Key Delivery User: The Key Delivery User is able to operate the CMC, perform a STUN terminal function, initiate an E2E key download to the selected terminals and run the audit analysis reports.
CMC IN OPERATION
[Figure: main CMC screen]
The figure above is the main CMC screen and is an example of the "look and feel" of the Sepura Crypto Management Tools. The User interface largely consists of Definition Windows and Event Windows. A Definition Window allows the CMC User to manage the membership of the various groupings such as User Groups and Crypto Groups. The User is typically able to select from lists and then "drag and drop" to populate the new grouping. An Event Window shows the progress of an E2EE event such as a Key Change. The Key Change window displays the number of days to the next key change, the number of radio terminals in each User Group that have received the new key and the remaining number of radio terminals that still require the new keys. The CMC is designed to operate with the minimum of user management.
The CMC can automatically change the keys of a User Group at intervals pre-determined by the CMC operator, or on the intervention of the CMC operator, e.g. after a compromise of a terminal. When an E2EE enabled terminal registers on the network, it sends an MS_Signal-Powerup SDS message to the KMC informing it that it is present. The CMC will then search its database to see if there are any outstanding actions relating to new key downloads, new key associations, deletion of key associations or Stun_Kill. If no action is required, the CMC logs the event and updates the database to show when the last contact was with this terminal. An acknowledgement is not sent to the terminal, to save system capacity. If action is required, the CMC will send the appropriate Key Management Messages to the terminal and update its database entry to show this. The CMC will retry sending the message a configurable number of times over a configurable time period.
LANGUAGE SUPPORT
The User interface is initially available in English and Dutch, with support for other languages added as the market demands.
CONFIGURATION FILE
The CMC contains a System Configuration file (controlled by Sepura) which defines the size of the subscriber database and other parameters, including a key used to protect the database storage of the Master Key, group or individually addressed messaging, the TETRA address of the CMC and the retry period of the OTAK messages.
CMC SIZING
The CMC may be sized according to the customer's needs, with the maximum number of subscribers set to 64000. The CMC can support up to 8192 User Groups and 4094 Crypto Groups (this number is defined in SFPG Rec. 02).
GROUP OR INDIVIDUAL ADDRESSING
Some TETRA SwMIs do not support Group addressed SDS messages, so the CMC can be factory configured to support individual OTAK messaging only, or individual and group messaging, as appropriate.
MESSAGE RETRY MECHANISM
The CMC will retry sending the OTAK message a configurable number of times over a configurable time period.
END TO END ENCRYPTION KEYS
To maintain security, different key types are used to encrypt the user traffic, protect the keys for OTAK and protect the SDS based key management messages.
TRAFFIC ENCRYPTION KEYS (TEK)
Traffic Keys (TEKs) are used to encrypt the user speech traffic. Three TEKs are held per Crypto Group (Past, Present and Future) to allow asynchronous key changing for groups which perhaps appear infrequently on the Trunked network. A terminal selects the Present Traffic key for transmission but is able to receive on any of the three Traffic key versions associated with the talk-group.
KEY ENCRYPTION KEY (KEK)
Each radio terminal has a unique Key Encryption Key (KEK), which is used to protect the individually addressed key management messages. The KEK is a long-life key and typically has a life of years, although this will depend upon the user security policy. The CMC maintains a database of all individual terminal identities (ISSIs) and their associated KEKs. The KEK must be manually loaded into each radio terminal. This is achieved by exporting a file of the KEK/ISSI pairs of a number of radio terminals into the Sepura Crypto Delivery Tool (CDT). The download to each radio terminal is logged by the CDT and, following completion of loading, the response file should be exported to the CMC to confirm that each association has been successfully made.
SIGNALLING ENCRYPTION KEY (SEK)
The SEK is used to encrypt the SDS based OTAK messages. There is one SEK in the CMC per User Group.
GROUP ENCRYPTION KEY (GEK)
The GEK is not supported by this release of the Crypto Management Tools.
SEPURA CRYPTO DELIVERY TOOL (CDT)
The Crypto Delivery Tool (CDT) is a software application which runs on a standard desktop or laptop PC. The CDT is able to use the same PC as other Sepura programming tools such as the Radio Manager or SKMS. All E2EE material received from the CMC is stored in an encrypted database within the CDT. Once provisioned with E2EE information from the Sepura CMC, the Crypto Delivery Tool allows the User to securely and easily carry E2EE material between the various customer locations and program the material into the radio terminals. The tasks and permissions of the Crypto Delivery Tool are distributed across 3 levels. Each level has access control and a User must enter a valid Username and Password to gain access to specific tasks and move between the levels. The CDT supports three categories of User, as follows: (1) the Configuration User, (2) the Key Management User and (3) the Key Delivery User.
The Configuration User is able to:
    • Set the Usernames and Passwords.
    • Configure the default parameters.
The Key Management User is able to:
    • Import E2EE loading task files from the Crypto Management Centre (CMC).
    • Export E2EE loading response files to the CMC.
The Key Delivery User is able to:
    • Select the communication port.
    • Select the key delivery mode, which may be either Continuous or Confirmed.
Under Continuous Mode the E2EE material is automatically loaded once the radio terminal is connected to the CDT. Confirmed Mode requires the User to manually initiate the loading of E2EE data following display of the connected terminal's identity.
OPERATIONAL PROCEDURE
A typical operational procedure for E2EE material is as follows:
GENERATION OF THE E2EE DATA
The User logs onto the Crypto Management Centre as the Key Manager User and generates the required E2EE Key information using the onboard random number generator. This includes the generation of the Management keys (KEKs and SEKs) and the Traffic keys (TEKs). Once generated, the TEKs are each given a unique Identifier (the KEYID) and both the Key and the KeyId are protected by sealing with the KEK of the terminal which will eventually receive this key. The Key Manager User also defines the membership of the Crypto Groups by associating each Crypto Group with an individual radio User, a range of individual radio Users or a group of radio Users.
PROVISIONING THE CRYPTO DELIVERY TOOL (CDT)
The E2EE information and Crypto Group data is formed into a number of files. The Key Delivery User of the CMC is responsible for the selection and download of the appropriate file to a CDT. Typically the CDT receives the files when plugged into the CMC; however, once registered with the CMC, the CDT does not have to be directly connected to the CMC for the E2EE file to be transferred. The transfer of the E2EE file could take place via an external storage device such as a memory stick.
PROGRAMMING THE TERMINALS
E2EE terminals are programmed in the field by cable connection to the Crypto Delivery Tool. Please note that the tool programs one terminal at a time. When logged on as the Key Delivery User and following connection of a terminal, the Crypto Delivery Tool undertakes the following actions:
    • Reads the terminal's TETRA identity (ISSI) and E2EE capability parameters from the radio terminal.
    • Using the identity (ISSI), checks if there are any E2EE loading tasks pending.
    • If the E2EE tasks include loading a KEK then this is done first, as loading a KEK clears all traffic keys currently held on the radio terminal. The sealed KEK is unsealed just prior to its transfer to the radio terminal.
    • All related E2EE Traffic key data is sent to the radio terminal.
    • Any E2EE Crypto Group data is sent to the radio terminal.
    • All terminal acknowledgements to the E2EE loading messages are stored by the Crypto Delivery Tool. This file is exported back to the Crypto Management Centre and is used to track the E2EE material loaded in each terminal.
RELATED INFORMATION
ANALYSIS TOOL
A separate audit program is available (at an additional cost) which performs off-line analysis of the terminal usage patterns based upon the Event and Report logs compiled by the Crypto Management Centre.
DATA LEADS
The existing Data lead(s) are used to connect the Crypto Delivery Tool to the Sepura mobile, covert and handheld radios. These are Sepura part numbers 300-00065 and 400-00001 respectively.
NOTICE
All rights reserved. This document may not be reproduced in any form either in part or in whole without the prior written consent of Sepura Limited, nor may it be edited, duplicated or distributed using electronic systems. Company and product names mentioned in this document may be protected under copyright or patent laws. The information in this document is subject to change without notice and describes only the product defined in this document. This document is intended for the use of Sepura Limited’s customers and/or other parties only for the purposes of the agreement or arrangement under which this document is submitted, and no part of it may be reproduced or transmitted in any form or means without the prior written permission of Sepura Limited.
CONTACT DETAILS
Sepura Limited, Radio House, St Andrew's Road, Cambridge CB4 1GR, United Kingdom
Web: www.sepura.com
Tel: +44 (0)1223 876000
Fax: +44 (0)1223 879000