ETSI EN 300 175-7-2017 Digital Enhanced Cordless Telecommunications (DECT) Common Interface (CI) Part 7 Security features (V2 7 1).pdf

1、 ETSI EN 300 175-7 V2.7.1 (2017-11) Digital Enhanced Cordless Telecommunications (DECT); Common Interface (CI); Part 7: Security features EUROPEAN STANDARD ETSI ETSI EN 300 175-7 V2.7.1 (2017-11) 2 Reference REN/DECT-00307-7 Keywords authentication, DECT, IMT-2000, mobility, radio, security, TDD, TD

2、MA ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from:

3、 http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or percei

4、ved difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revisi

5、on or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/Commite

6、eSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written aut

7、horization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. ETSI 2017. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are trademarks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are trademarks of ETSI registered for the

8、 benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members. GSM and the GSM logo are trademarks registered and owned by the GSM Association. ETSI ETSI EN 300 175-7 V2.7.1 (2017-11) 3 Contents Intellectual Property Rights 10g3Foreword . 10

9、g3Modal verbs terminology 11g3Introduction 11g31 Scope 15g32 References 15g32.1 Normative references . 15g32.2 Informative references 16g33 Definitions and abbreviations . 17g33.1 Definitions 17g33.2 Abbreviations . 18g34 Security architecture . 20g34.1 Background 20g34.2 Security services . 20g34.2

10、.1 Authentication of a PT 20g34.2.2 Authentication of an FT 20g34.2.3 Mutual authentication . 20g34.2.4 Data confidentiality. 20g34.2.5 User authentication . 21g34.3 Security mechanisms 21g34.3.0 General 21g34.3.1 Authentication of a PT (type 1 procedure) 21g34.3.2 Authentication of an FT (type 1 pr

11、ocedure) 22g34.3.3 Mutual authentication . 24g34.3.4 Data confidentiality. 24g34.3.4.0 General 24g34.3.4.1 Derived Cipher Key (DCK) 24g34.3.4.2 Static Cipher Key (SCK) . 25g34.3.4.3 Default Cipher Key (DefCK) 25g34.3.5 User authentication . 25g34.3.6 Authentication of a PT (type 2 procedure) 25g34.3

12、.7 Authentication of a FT (type 2 procedure) 28g34.4 Cryptographic parameters and keys . 30g34.4.1 Overview 30g34.4.2 Cryptographic parameters . 30g34.4.2.0 Description of parameters . 30g34.4.2.1 Provisions related to the generation of random numbers 33g34.4.3 Cryptographic keys . 33g34.4.3.0 Gener

13、al 33g34.4.3.1 Authentication key K 33g34.4.3.2 Authentication session keys KS and KS . 34g34.4.3.3 Cipher key CK 35g34.5 Security processes 35g34.5.1 Overview 35g34.5.2 Derivation of authentication key, K 35g34.5.2.0 General 35g34.5.2.1 K is derived from UAK . 36g34.5.2.2 K is derived from AC 36g34

14、.5.2.3 K is derived from UAK and UPI . 36g34.5.3 Authentication processes 36g34.5.3.0 General 36g34.5.3.1 Processes for the derivation of KS and KS . 37g34.5.3.2 Processes for the derivation of DCK, RES1 and RES2 . 37g34.5.4 Key stream generation 38g3ETSI ETSI EN 300 175-7 V2.7.1 (2017-11) 4 4.5.5 C

15、CM Authenticated Encryption . 38g34.6 Combinations of security services 39g34.6.0 Service combinations and related considerations . 39g34.6.1 Combinations of security algorithms 40g34.6.1.0 General 40g34.6.1.1 Limitations related to capering algorithms 40g35 Algorithms for security processes 40g35.1

16、 Background 40g35.1.0 General 40g35.1.1 A algorithm . 40g35.1.1.0 A algorithm, general 40g35.1.1.1 A algorithm, DSAA based (A-DSAA) 41g35.1.1.2 A algorithm, DSAA2 based (A-DSAA2) 41g35.1.1.3 A algorithm, proprietary 42g35.2 Derivation of session authentication key(s) 42g35.2.1 A11 process 42g35.2.2

17、A21 process 42g35.3 Authentication and cipher key generation processes 43g35.3.1 A12 process 43g35.3.2 A22 process 44g35.4 CCM algorithm 44g36 Integration of security 45g36.1 Background 45g36.2 Association of keys and identities 45g36.2.1 Authentication key 45g36.2.1.0 General 45g36.2.1.1 K is deriv

18、ed from UAK . 45g36.2.1.2 K derived from AC 45g36.2.1.3 K derived from UAK and UPI 46g36.2.2 Cipher keys . 46g36.2.3 Cipher keys for CCM 46g36.2.3.0 General 46g36.2.3.1 Single use of the keys for CCM 47g36.2.3.2 Cipher keys for CCM encryption of C/L multicast channels 48g36.3 NWK layer procedures .

19、48g36.3.1 Background . 48g36.3.2 Authentication exchanges . 48g36.3.3 Authentication procedures 50g36.3.3.1 Authentication of a PT type 1 procedure . 50g36.3.3.2 Authentication of an FT type 1 procedure . 50g36.3.3.3 Authentication of a PT type 2 procedure . 51g36.3.3.4 Authentication of an FT type

20、2 procedure . 51g36.3.4 Transfer of Cipher Key, CK 52g36.3.5 Re-Keying . 52g36.3.6 Encryption with Default Cipher Key 52g36.3.7 Transfer of Cipher Key CK for CCM . 52g36.3.7.0 General 52g36.3.7.1 Transfer by Virtual Call setup CC procedure 52g36.3.7.2 Transfer using MM procedures for CCM re-keying a

21、nd sequence reset . 53g36.3.8 Transfer of Cipher Keys for CCM encryption of multicast channels . 53g36.3.8.1 General 53g36.3.8.2 Multicast encryption parameter assignation procedure, FT initiated 53g36.3.8.2.0 General 53g36.3.8.2.1 Transport of the security parameters . 54g36.3.8.2.2 coding 54g36.3.

22、8.3 Multicast encryption parameter retrieval procedure, PT initiated . 54g36.3.8.3.0 General 54g36.3.8.3.1 Transport of the security parameters . 55g36.3.8.3.2 coding 55g36.3.8.4 Error cases . 55g3ETSI ETSI EN 300 175-7 V2.7.1 (2017-11) 5 6.3.8.4.1 FT initiated parameter assignation procedure - PT r

23、eject 55g36.3.8.4.2 PT initiated parameter retrieval procedure - FT reject . 55g36.3.8.4.3 Coding of the MM-INFO-REJECT in the error cases . 56g36.3.9 Transfer of Cipher Keys to Wireless Relay Stations (WRS) 56g36.3.9.1 General 56g36.3.9.2 Security considerations . 56g36.3.9.3 Indication of cipher k

24、ey FT initiated procedure 56g36.3.9.4 Cipher key retrieval procedure. PT initiated . 57g36.3.9.5 Error cases . 59g36.3.9.5.1 PT initiated cipher key retrieval procedure - FT reject 59g36.4 MAC layer procedures . 60g36.4.1 Background . 60g36.4.2 MAC layer field structure . 60g36.4.3 Data to be encryp

25、ted . 62g36.4.4 Encryption process 62g36.4.5 Initialization and synchronization of the encryption process 65g36.4.5.0 General 65g36.4.5.1 Construction of CK . 65g36.4.5.2 The Initialization Vector (IV) . 65g36.4.5.3 Generation of two Key Stream segments 65g36.4.6 Encryption mode control 66g36.4.6.1

26、Background . 66g36.4.6.2 MAC layer messages. 66g36.4.6.3 Procedures for switching to encrypt mode 66g36.4.6.3.1 General 66g36.4.6.3.2 PT procedure for switching from clear to encrypt mode with a DCK . 67g36.4.6.3.3 FT procedure for switching from clear to encrypt mode with a DCK . 67g36.4.6.3.4 PT p

27、rocedure for switching from clear to encrypt mode with a Default Cipher Key (DefCK) . 68g36.4.6.3.5 Error handling - poor link 70g36.4.6.4 Procedures for switching to clear mode 72g36.4.6.5 Procedures for re-keying . 73g36.4.6.5.1 Re-keying to a DCK 73g36.4.6.5.2 Re-keying to a DefCK . 74g36.4.6.5.3

28、 FT Indication of re-keying to a DefCK . 75g36.4.6.6 Insertion of WAIT . 76g36.4.7 Handover of the encryption process . 77g36.4.7.0 General 77g36.4.7.1 Bearer handover, uninterrupted ciphering . 77g36.4.7.2 Connection handover, uninterrupted ciphering . 77g36.4.7.3 External handover - handover with

29、ciphering . 78g36.4.8 Modifications for half and long slot specifications (2-level modulation) . 78g36.4.8.1 Background . 78g36.4.8.2 MAC layer field structure . 78g36.4.8.3 Data to be encrypted 79g36.4.8.4 Encryption process 79g36.4.8.5 Initialization and synchronization of the encryption process 8

30、0g36.4.8.6 Encryption mode control . 80g36.4.8.7 Handover of the encryption process 80g36.4.9 Modifications for double slot specifications (2-level modulation) . 80g36.4.9.1 Background . 80g36.4.9.2 MAC layer field structure . 80g36.4.9.3 Data to be encrypted 81g36.4.9.4 Encryption process 81g36.4.9

31、.5 Initialization and synchronization of the encryption process 82g36.4.9.6 Encryption mode control . 82g36.4.9.7 Handover of the encryption process 82g36.4.10 Modifications for multi-bearer specifications . 83g36.4.11 Modifications for 4-level, 8-level, 16-level and 64-level modulation formats . 83

32、g36.4.11.1 Background . 83g36.4.11.2 MAC layer field structure . 83g36.4.11.3 Data to be encrypted 83g36.4.11.4 Encryption process 84g3ETSI ETSI EN 300 175-7 V2.7.1 (2017-11) 6 6.4.11.4.0 General 84g36.4.11.4.1 Encryption process for the A-field and for the unprotected format . 84g36.4.11.4.2 Encryp

33、tion process for the single subfield protected format . 85g36.4.11.4.3 Encryption process for the multi-subfield protected format 86g36.4.11.4.4 Encryption process for the constant-size-subfield protected format 88g36.4.11.4.5 Encryption process for the encoded protected format (MAC service IPX) . 8

34、8g36.4.11.5 Initialization and synchronization of the encryption process 90g36.4.11.6 Encryption mode control . 90g36.4.11.7 Handover of the encryption process 90g36.4.12 Procedures for CCM re-keying and sequence reset 90g36.5 Security attributes . 90g36.5.1 Background . 90g36.5.2 Authentication pro

35、tocols . 91g36.5.2.0 General 91g36.5.2.1 Authentication of a PT type 1 procedure . 91g36.5.2.2 Authentication of an FT type 1 procedure . 92g36.5.2.3 Authentication of a PT type 2 procedure . 93g36.5.2.4 Authentication of an FT type 2 procedure . 94g36.5.3 Confidentiality protocols 95g36.5.4 Access-

36、rights protocols. 97g36.5.5 Key numbering and storage 98g36.5.5.0 General 98g36.5.5.1 Authentication keys . 98g36.5.5.2 Cipher keys . 98g36.5.6 Key allocation . 99g36.5.6.1 Introduction . 99g36.5.6.2 UAK allocation (DSAA algorithm) 100g36.5.6.3 UAK allocation (DSAA2 algorithm) 101g36.6 DLC layer pro

37、cedures 101g36.6.1 Background . 101g36.6.2 CCM Authenticated Encryption . 102g36.6.2.0 CCM overview 102g36.6.2.1 CCM operation 102g36.6.2.2 Key management . 103g36.6.2.3 CCM Initialization Vector . 103g36.6.2.3.0 CCM Initialization Vector: overview 103g36.6.2.3.1 CCM Initialization Vector: first byt

38、e . 103g36.6.2.3.2 CCM Initialization Vector: bytes 8-11 104g36.6.2.3.3 CCM Initialization Vector: bytes 12 104g36.6.2.4 CCM Sequence Number . 104g36.6.2.5 CCM Start and Stop 105g36.6.2.6 CCM Sequence resetting and re-keying 105g36.6.2.7 CCM encryption for multicast channels 105g36.6.2.7.0 General 1

39、05g36.6.2.7.1 Applicable types of multicast channels and identifiers 105g36.6.2.7.2 Process for encryption of multicast channels 105g36.6.2.7.3 DLC service for encrypted multicast channels 105g36.6.2.7.4 Encryption key for multicast channels 105g36.6.2.7.5 CCM and DLC sequence numbers 106g36.6.2.7.6

40、 Initialization Vector for multicast channels . 106g36.6.2.7.7 Security provisions regarding the key . 107g36.6.2.8 CCM encryption for service channels . 107g36.6.2.8.0 General 107g36.6.2.8.1 Initialization Vector for service channels 108g36.7 Security meta-procedures . 108g36.7.1 General 108g36.7.2

41、 Re-keying 108g36.7.2.1 Aim and strategy . 108g36.7.2.2 Re-keying procedure . 108g36.7.2.3 Re-keying procedure with Wireless Relay Stations (WRSs) 109g36.7.2.3.1 General 109g3ETSI ETSI EN 300 175-7 V2.7.1 (2017-11) 7 6.7.2.3.2 Key aging model 110g36.7.3 Early encryption 110g36.7.3.1 Aim and strategy

42、 . 110g36.7.3.2 The Default Cipher Keys (DefCK) . 110g36.7.3.3 The Default Cipher Key Index 111g36.7.3.4 Generation and refresh strategy. 111g36.7.3.5 Running the procedure 111g36.7.3.6 Security considerations . 111g37 Use of security features 112g37.1 Background 112g37.2 Key management options . 11

43、2g37.2.1 Overview of security parameters relevant for key management . 112g37.2.2 Generation of authentication keys 113g37.2.3 Initial distribution and installation of keys . 114g37.2.4 Use of keys within the fixed network . 115g37.2.4.0 Use of keys within the fixed network: general 115g37.2.4.1 Use

44、 of keys within the fixed network: diagrams for authentication type 1 scenarios . 117g37.2.4.2 Use of keys within the fixed network: diagrams for authentication type 2 scenarios . 120g37.3 Confidentiality service with a Cordless Radio Fixed Part (CRFP). 122g37.3.1 General 122g37.3.2 CRFP initializat

45、ion of PT cipher key 122g3Annex A (informative): Security threats analysis 123g3A.1 Introduction 123g3A.2 Threat A - Impersonating a subscriber identity 124g3A.3 Threat B - Illegal use of a handset (PP) 124g3A.4 Threat C - Illegal use of a base station (FP) . 124g3A.5 Threat D - Impersonation of a b

46、ase station (FP) 125g3A.6 Threat E - Illegally obtaining user data and user related signalling information . 125g3A.7 Conclusions and comments 126g3Annex B (informative): Security features and operating environments . 128g3B.1 Introduction 128g3B.2 Definitions 128g3B.3 Enrolment options 128g3Annex C

47、 (informative): Reasons for not adopting public key techniques . 130g3Annex D (informative): Overview of security features . 131g3D.1 Introduction 131g3D.2 Authentication of a PT . 131g3D.3 Authentication of an FT . 132g3D.4 Mutual authentication of a PT and an FT . 132g3D.4.0 General . 132g3D.4.1 D

48、irect method . 132g3D.4.2 Indirect method 1 132g3D.4.3 Indirect method 2 132g3D.5 Data confidentiality 132g3D.5.0 General . 132g3D.5.1 Cipher key derivation as part of authentication 133g3D.5.2 Static cipher key . 133g3D.6 User authentication . 133g3ETSI ETSI EN 300 175-7 V2.7.1 (2017-11) 8 D.7 Key

49、management in case of roaming . 133g3D.7.1 Introduction 133g3D.7.2 Use of actual authentication key K . 133g3D.7.3 Use of session keys. 134g3D.7.4 Use of precalculated sets 134g3Annex E (informative): Limitations of DECT security . 135g3E.1 Introduction 135g3E.2 Protocol reflection attacks 135g3E.3 Static cipher key and short Initial Vector (IV) . 135g3E.4 General considerations regarding key management . 136g3E.5 Use of a predictable challenge in FT authentication 136g3Annex F (informative): Security features related to target networks . 137g3F.1 Introduction 137g3F.1.0 Ge