1、 ETSI EN 300 175-7 V2.6.1 (2015-07) Digital Enhanced Cordless Telecommunications (DECT); Common Interface (CI); Part 7: Security features EUROPEAN STANDARD ETSI ETSI EN 300 175-7 V2.6.1 (2015-07) 2 Reference REN/DECT-000304-7 Keywords authentication, DECT, IMT-2000, mobility, radio, security, TDD, T
2、DMA ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from
3、: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perce
4、ived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revis
5、ion or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportS
6、taff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorizatio
7、n of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2015. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Tr
8、ade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI EN 300 175-7 V2.6.1 (2015-07) 3 Contents Intellectual Property Rights 10g3Foreword . 10g3Modal verbs termin
9、ology 10g3Introduction 11g31 Scope 15g32 References 15g32.1 Normative references . 15g32.2 Informative references 16g33 Definitions and abbreviations . 17g33.1 Definitions 17g33.2 Abbreviations . 17g34 Security architecture . 19g34.1 Background 19g34.2 Security services . 20g34.2.1 Authentication of
10、 a PT 20g34.2.2 Authentication of an FT 20g34.2.3 Mutual authentication . 20g34.2.4 Data confidentiality. 20g34.2.5 User authentication . 20g34.3 Security mechanisms 20g34.3.0 General 20g34.3.1 Authentication of a PT (type 1 procedure) 21g34.3.2 Authentication of an FT (type 1 procedure) 22g34.3.3 M
11、utual authentication . 23g34.3.4 Data confidentiality. 24g34.3.4.0 General 24g34.3.4.1 Derived Cipher Key (DCK) 24g34.3.4.2 Static Cipher Key (SCK) . 24g34.3.4.3 Default Cipher Key (DefCK) 24g34.3.5 User authentication . 25g34.3.6 Authentication of a PT (type 2 procedure) 25g34.3.7 Authentication of
12、 a FT (type 2 procedure) 28g34.4 Cryptographic parameters and keys . 30g34.4.1 Overview 30g34.4.2 Cryptographic parameters . 30g34.4.2.0 Description of parameters . 30g34.4.2.1 Provisions related to the generation of random numbers 33g34.4.3 Cryptographic keys . 33g34.4.3.0 General 33g34.4.3.1 Authe
13、ntication key K 33g34.4.3.2 Authentication session keys KS and KS . 34g34.4.3.3 Cipher key CK 34g34.5 Security processes 35g34.5.1 Overview 35g34.5.2 Derivation of authentication key, K 35g34.5.2.0 General 35g34.5.2.1 K is derived from UAK . 35g34.5.2.2 K is derived from AC 36g34.5.2.3 K is derived
14、from UAK and UPI . 36g34.5.3 Authentication processes 36g34.5.3.0 General 36g34.5.3.1 Processes for the derivation of KS and KS . 36g34.5.3.2 Processes for the derivation of DCK, RES1 and RES2 . 37g34.5.4 Key stream generation 37g3ETSI ETSI EN 300 175-7 V2.6.1 (2015-07) 4 4.5.5 CCM Authenticated Enc
15、ryption . 38g34.6 Combinations of security services 38g34.6.0 Service combinations and related considerations . 38g34.6.1 Combinations of security algorithms 39g34.6.1.0 General 39g34.6.1.1 Limitations related to capering algorithms 39g35 Algorithms for security processes 39g35.1 Background 39g35.1.
16、0 General 39g35.1.1 A algorithm . 40g35.1.1.0 A algorithm, general 40g35.1.1.1 A algorithm, DSAA based (A-DSAA) 40g35.1.1.2 A algorithm, DSAA2 based (A-DSAA2) 40g35.1.1.3 A algorithm, proprietary 41g35.2 Derivation of session authentication key(s) 41g35.2.1 A11 process 41g35.2.2 A21 process 42g35.3
17、Authentication and cipher key generation processes 42g35.3.1 A12 process 42g35.3.2 A22 process 43g35.4 CCM algorithm 44g36 Integration of security 44g36.1 Background 44g36.2 Association of keys and identities 44g36.2.1 Authentication key 44g36.2.1.0 General 44g36.2.1.1 K is derived from UAK . 44g36.
18、2.1.2 K derived from AC 45g36.2.1.3 K derived from UAK and UPI 45g36.2.2 Cipher keys . 45g36.2.3 Cipher keys for CCM 46g36.2.3.0 General 46g36.2.3.1 Single use of the keys for CCM 46g36.2.3.2 Cipher keys for CCM encryption of C/L multicast channels 47g36.3 NWK layer procedures . 47g36.3.1 Background
19、 . 47g36.3.2 Authentication exchanges . 48g36.3.3 Authentication procedures 49g36.3.3.1 Authentication of a PT type 1 procedure . 49g36.3.3.2 Authentication of an FT type 1 procedure . 49g36.3.3.3 Authentication of a PT type 2 procedure . 50g36.3.3.4 Authentication of an FT type 2 procedure . 50g36.
20、3.4 Transfer of Cipher Key, CK 51g36.3.5 Re-Keying . 51g36.3.6 Encryption with Default Cipher Key 51g36.3.7 Transfer of Cipher Key CK for CCM . 51g36.3.7.0 General 51g36.3.7.1 Transfer by Virtual Call setup CC procedure 51g36.3.7.2 Transfer using MM procedures for CCM re-keying and sequence reset .
21、52g36.3.8 Transfer of Cipher Keys for CCM encryption of multicast channels . 52g36.3.8.1 General 52g36.3.8.2 Multicast encryption parameter assignation procedure, FT initiated 52g36.3.8.2.0 General 52g36.3.8.2.1 Transport of the security parameters . 53g36.3.8.2.2 coding 53g36.3.8.3 Multicast encryp
22、tion parameter retrieval procedure, PT initiated . 53g36.3.8.3.0 General 53g36.3.8.3.1 Transport of the security parameters . 54g36.3.8.3.2 coding 54g36.3.8.4 Error cases . 54g3ETSI ETSI EN 300 175-7 V2.6.1 (2015-07) 5 6.3.8.4.1 FT initiated parameter assignation procedure - PT reject 54g36.3.8.4.2
23、PT initiated parameter retrieval procedure - FT reject . 54g36.3.8.4.3 Coding of the MM-INFO-REJECT in the error cases . 54g36.4 MAC layer procedures . 55g36.4.1 Background . 55g36.4.2 MAC layer field structure . 55g36.4.3 Data to be encrypted . 56g36.4.4 Encryption process 57g36.4.5 Initialization
24、and synchronization of the encryption process 60g36.4.5.0 General 60g36.4.5.1 Construction of CK . 60g36.4.5.2 The Initialization Vector (IV) . 60g36.4.5.3 Generation of two Key Stream segments 60g36.4.6 Encryption mode control 61g36.4.6.1 Background . 61g36.4.6.2 MAC layer messages. 61g36.4.6.3 Pro
25、cedures for switching to encrypt mode 61g36.4.6.4 Procedures for switching to clear mode 66g36.4.6.5 Procedures for re-keying . 67g36.4.7 Handover of the encryption process . 68g36.4.7.0 General 68g36.4.7.1 Bearer handover, uninterrupted ciphering . 69g36.4.7.2 Connection handover, uninterrupted cip
26、hering . 69g36.4.7.3 External handover - handover with ciphering . 69g36.4.8 Modifications for half and long slot specifications (2-level modulation) . 70g36.4.8.1 Background . 70g36.4.8.2 MAC layer field structure . 70g36.4.8.3 Data to be encrypted 70g36.4.8.4 Encryption process 71g36.4.8.5 Initial
27、ization and synchronization of the encryption process 71g36.4.8.6 Encryption mode control . 71g36.4.8.7 Handover of the encryption process 71g36.4.9 Modifications for double slot specifications (2-level modulation) . 71g36.4.9.1 Background . 71g36.4.9.2 MAC layer field structure . 72g36.4.9.3 Data t
28、o be encrypted 72g36.4.9.4 Encryption process 73g36.4.9.5 Initialization and synchronization of the encryption process 74g36.4.9.6 Encryption mode control . 74g36.4.9.7 Handover of the encryption process 74g36.4.10 Modifications for multi-bearer specifications . 74g36.4.11 Modifications for 4-level,
29、 8-level, 16-level and 64-level modulation formats . 74g36.4.11.1 Background . 74g36.4.11.2 MAC layer field structure . 75g36.4.11.3 Data to be encrypted 75g36.4.11.4 Encryption process 75g36.4.11.4.0 General 75g36.4.11.4.1 Encryption process for the A-field and for the unprotected format . 75g36.4.
30、11.4.2 Encryption process for the single subfield protected format . 77g36.4.11.4.3 Encryption process for the multi-subfield protected format 78g36.4.11.4.4 Encryption process for the constant-size-subfield protected format 80g36.4.11.4.5 Encryption process for the encoded protected format (MAC ser
31、vice IPX) . 80g36.4.11.5 Initialization and synchronization of the encryption process 82g36.4.11.6 Encryption mode control . 82g36.4.11.7 Handover of the encryption process 82g36.4.12 Procedures for CCM re-keying and sequence reset 82g36.5 Security attributes . 82g36.5.1 Background . 82g36.5.2 Authe
32、ntication protocols . 83g36.5.2.0 General 83g36.5.2.1 Authentication of a PT type 1 procedure . 83g36.5.2.2 Authentication of an FT type 1 procedure . 84g3ETSI ETSI EN 300 175-7 V2.6.1 (2015-07) 6 6.5.2.3 Authentication of a PT type 2 procedure . 85g36.5.2.4 Authentication of an FT type 2 procedure
33、. 86g36.5.3 Confidentiality protocols 87g36.5.4 Access-rights protocols. 89g36.5.5 Key numbering and storage 89g36.5.5.0 General 89g36.5.5.1 Authentication keys . 89g36.5.5.2 Cipher keys . 90g36.5.6 Key allocation . 91g36.5.6.1 Introduction . 91g36.5.6.2 UAK allocation (DSAA algorithm) 91g36.5.6.3 U
34、AK allocation (DSAA2 algorithm) 92g36.6 DLC layer procedures 93g36.6.1 Background . 93g36.6.2 CCM Authenticated Encryption . 93g36.6.2.0 CCM overview 93g36.6.2.1 CCM operation 93g36.6.2.2 Key management . 94g36.6.2.3 CCM Initialization Vector . 94g36.6.2.3.0 CCM Initialization Vector: overview 94g36
35、.6.2.3.1 CCM Initialization Vector: first byte . 95g36.6.2.3.2 CCM Initialization Vector: bytes 8-11 95g36.6.2.3.3 CCM Initialization Vector: bytes 12 95g36.6.2.4 CCM Sequence Number . 95g36.6.2.5 CCM Start and Stop 96g36.6.2.6 CCM Sequence resetting and re-keying 96g36.6.2.7 CCM encryption for mult
36、icast channels 96g36.6.2.7.0 General 96g36.6.2.7.1 Applicable types of multicast channels and identifiers 96g36.6.2.7.2 Process for encryption of multicast channels 96g36.6.2.7.3 DLC service for encrypted multicast channels 96g36.6.2.7.4 Encryption key for multicast channels 97g36.6.2.7.5 CCM and DL
37、C sequence numbers 97g36.6.2.7.6 Initialization Vector for multicast channels . 97g36.6.2.7.7 Security provisions regarding the key . 98g36.6.2.8 CCM encryption for service channels . 98g36.6.2.8.0 General 98g36.6.2.8.1 Initialization Vector for service channels 99g37 Use of security features 99g37.
38、1 Background 99g37.2 Key management options . 100g37.2.1 Overview of security parameters relevant for key management . 100g37.2.2 Generation of authentication keys 101g37.2.3 Initial distribution and installation of keys . 101g37.2.4 Use of keys within the fixed network . 102g37.2.4.0 Use of keys wi
39、thin the fixed network: general 102g37.2.4.1 Use of keys within the fixed network: diagrams for authentication type 1 scenarios . 104g37.2.4.2 Use of keys within the fixed network: diagrams for authentication type 2 scenarios . 107g37.3 Confidentiality service with a Cordless Radio Fixed Part (CRFP)
40、. 109g37.3.1 General 109g37.3.2 CRFP initialization of PT cipher key 109g3Annex A (informative): Security threats analysis 110g3A.1 Introduction 110g3A.2 Threat A - Impersonating a subscriber identity 111g3A.3 Threat B - Illegal use of a handset (PP) 111g3A.4 Threat C - Illegal use of a base station
41、 (FP) . 111g3A.5 Threat D - Impersonation of a base station (FP) 111g3ETSI ETSI EN 300 175-7 V2.6.1 (2015-07) 7 A.6 Threat E - Illegally obtaining user data and user related signalling information . 112g3A.7 Conclusions and comments 113g3Annex B (informative): Security features and operating environ
42、ments . 114g3B.1 Introduction 114g3B.2 Definitions 114g3B.3 Enrolment options 114g3Annex C (informative): Reasons for not adopting public key techniques . 116g3Annex D (informative): Overview of security features . 117g3D.1 Introduction 117g3D.2 Authentication of a PT . 117g3D.3 Authentication of an
43、 FT . 117g3D.4 Mutual authentication of a PT and an FT . 118g3D.4.0 General . 118g3D.4.1 Direct method . 118g3D.4.2 Indirect method 1 118g3D.4.3 Indirect method 2 118g3D.5 Data confidentiality 118g3D.5.0 General . 118g3D.5.1 Cipher key derivation as part of authentication 118g3D.5.2 Static cipher ke
44、y . 119g3D.6 User authentication . 119g3D.7 Key management in case of roaming . 119g3D.7.1 Introduction 119g3D.7.2 Use of actual authentication key K . 119g3D.7.3 Use of session keys. 119g3D.7.4 Use of precalculated sets 119g3Annex E (informative): Limitations of DECT security . 120g3E.1 Introductio
45、n 120g3E.2 Protocol reflection attacks 120g3E.3 Static cipher key and short Initial Vector (IV) . 120g3E.4 General considerations regarding key management . 121g3E.5 Use of a predictable challenge in FT authentication 121g3Annex F (informative): Security features related to target networks . 122g3F.
46、1 Introduction 122g3F.1.0 General . 122g3F.1.1 Notation and DECT reference model . 122g3F.1.2 Significance of security features and intended usage within DECT. 122g3F.1.3 Mechanism/algorithm and process requirements . 123g3F.2 PSTN reference configurations 123g3F.2.1 Domestic telephone 123g3F.2.2 PB
47、X 125g3F.2.3 Local loop . 126g3F.3 ISDN reference configurations . 127g3F.3.1 Terminal equipment . 127g3F.3.2 Network termination 2 129g3ETSI ETSI EN 300 175-7 V2.6.1 (2015-07) 8 F.3.3 Local loop . 129g3F.4 X.25 reference configuration 129g3F.4.1 Data Terminal Equipment (DTE) . 129g3F.4.2 PAD equipm
48、ent 129g3F.5 GSM reference configuration . 129g3F.5.1 Base station substation . 129g3F.5.2 Mobile station . 130g3F.6 IEEE 802 reference configuration 130g3F.6.1 Bridge . 130g3F.6.2 Gateway 130g3F.7 Public access service reference configurations 130g3F.7.1 Fixed public access service reference config
49、uration 130g3Annex G (informative): Compatibility of DECT and GSM authentication 131g3G.1 Introduction 131g3G.2 SIM and DAM functionality 131g3G.3 Using an SIM for DECT authentication . 132g3G.4 Using a DAM for GSM authentication 132g3Annex H (normative): DECT Standard Authentication Algorithm (DSAA) 133g3Annex I (informative): Void . 134g3Annex J (normative): DECT Standard Cipher (DSC) . 135g3Annex K (normative): Clarifications, bit mappings and examples for DSAA and DSC . 136g3K.1 Ambiguities concerning the DSAA 136g3K.2 Ambiguities concerning the DSC DECT-standard cipher
