osmocomtetra
play

OsmocomTETRA Researching TETRA and its security Harald Welte - PowerPoint PPT Presentation

Nov 19, 2023 •184 likes •619 views

TETRA Introduction TETRA Technical Intro TETRA Data Services Osmocom TETRA OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org OpenBSC OsmocomBB hmw-consulting.de PHN2011, May 2011, Berlin/Germany

  1. TETRA Introduction TETRA Technical Intro TETRA Data Services Osmocom TETRA OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org OpenBSC OsmocomBB hmw-consulting.de PHN2011, May 2011, Berlin/Germany Harald Welte OsmocomTETRA

  2. TETRA Introduction TETRA Technical Intro TETRA Data Services Osmocom TETRA Outline TETRA Introduction 1 TETRA Technical Intro 2 TETRA Data Services 3 Osmocom TETRA 4 Harald Welte OsmocomTETRA

  3. TETRA Introduction TETRA Technical Intro TETRA Data Services Osmocom TETRA About the speaker Using + playing with Linux since 1994 Kernel / bootloader / driver / firmware development since 1999 IT security expert, focus on network protocol security Core developer of Linux packet filter netfilter/iptables Board-level Electrical Engineering Always looking for interesting protocols (RFID, DECT, GSM) Harald Welte OsmocomTETRA

  4. TETRA Introduction TETRA Technical Intro What is TETRA? TETRA Data Services Where is TETRA deployed? Osmocom TETRA Introducing TETRA TErrestrial Trunked RAdio Digital PMR (Professional Mobile Radio) standard Standardization Body ETSI started work in 1990 First specified in 1995, endorsed by EU Radiocomms Committee Commercial Vendors: Motorola, EADS/Nokia, Arteva/Simoco/Pye/Philips, Rohde & Schwarz Chinese vendors are expected to appear on the market soon Harald Welte OsmocomTETRA

  5. TETRA Introduction TETRA Technical Intro What is TETRA? TETRA Data Services Where is TETRA deployed? Osmocom TETRA TETRA vs GSM Longer range due to lower frequency (but not vs. GSM 410/450!) Higher spectral efficiency (4 speech channels in 25kHz vs. 16 speech channels in 270kHz) Specified to work at speeds above 400 km/h one-to-one, one-to-many and many-to-many (but: GSM-R ASCI) offers direct mode between handsets in case base station is out of range separate infrastructure from public networks (but: GSM-R) de-central fall-back, i.e. base stations switching local calls Harald Welte OsmocomTETRA

  6. TETRA Introduction TETRA Technical Intro What is TETRA? TETRA Data Services Where is TETRA deployed? Osmocom TETRA TETRA vs GSM Summary Most of the TETRA advantages could be achieved using GSM-R in a lower frequency band Local call switching can be implemented in GSM (think of OpenBSC) GSM requires modifications on the air interface for direct mode, but even in TETRA, direct mode is very different from trunked mode It seems, the industry rather re-invented an entirely different system to ensure the resulting equipment can be sold at multiples of the commercial-grade GSM equipment. Harald Welte OsmocomTETRA

  7. TETRA Introduction TETRA Technical Intro What is TETRA? TETRA Data Services Where is TETRA deployed? Osmocom TETRA TETRA deployments In 2009, TETRA was deployed in 114 countries (every continent except North America) Typical users: Police, Transportation, Army, Fire Service, Ambulance, Customs, Coast Guard But also: Private company networks (industrial plants) In Germany there are 63 registered networks (only 5 are BOS) Harald Welte OsmocomTETRA

  8. TETRA Introduction TETRA Technical Intro What is TETRA? TETRA Data Services Where is TETRA deployed? Osmocom TETRA TETRA deployments Follow TETRA Newsletter released by TETRA MoU organization Majority of recent deployments seems to be in Asia, specifically China. Examples typically include police, public transportation, airports, harbours, industrial plants Harald Welte OsmocomTETRA

  9. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA Frequencies European Emergency Services 380-383 MHz and 390-393 MHz 383-385 MHz and 393-395 MHz (optional) European Private/Commercial Systems 410-430 MHz 450-470 MHz Other Countries Depending on local regulatory requirements Harald Welte OsmocomTETRA

  10. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA Frequency plan Single TETRA carrier normally 25kHz wide, no guard bands Channel grid can align on 6.25, 12.5 and 25kHz offset This allows seamless migration / co-existence with analog FM PMR in same band Uplink/Downlink spacing can depend on band, typically 10MHz Advanced TETRA-2 modes can operate at 50, 75 or 100kHz bandwidth Harald Welte OsmocomTETRA

  11. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA Modulation pi/4 DQPSK (Differential Quaternary Phase Shift Keying) 2 bits per symbol Phase difference encodes information 8 phase constellations, 4 possible transitions Requires very linear amplifier as it is not constant envelope Used within TETRA at 36 kbits/sec (18 kSymbols/sec) Harald Welte OsmocomTETRA

  12. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA Modulation pi/4 DQPSK (8 constellations, 4 transitions) Source: Wikipedia / User:Splash Harald Welte OsmocomTETRA

  13. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA TDMA Frame structure Each time-slot contains 510 bits (GSM: 156) TDMA frame with 4 time-slots (GSM: 8) Duration of TDMA frame: 56.67 ms (GSM: 4.6 ms) Multiframe: 18 TDMA frames (GSM: 26/51) Hyperframe: 60 Multiframes (GSM: 2715648) Harald Welte OsmocomTETRA

  14. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA Protocol Stack The TETRA protocol stack is more complex than GSM Shared Stacking: PHY/lowerMAC/upperMAC/LLC Above LLC there is MLE (resembles GSM RR), on top: MM (Mobility Management) CMCE (Circuit Mode Control Entity) CONS (Connection Oriented Service) CNLS (Connectionless Service) Call Control, Supplementary services on top of CMCE Packet data on top of CNLS and CONS Harald Welte OsmocomTETRA

  15. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA Protocol Stack Harald Welte OsmocomTETRA

  16. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA Protocol Stack Harald Welte OsmocomTETRA

  17. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA Security Once again all security features optional, like in GSM Security features include Authentication Air interface encryption End-to-End encryption Over-the-air re-keying (OTAR) Remote locking of stolen devices Not all handsets support all features Key material can be stored in handset flash or in SIM Harald Welte OsmocomTETRA

  18. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA Authentication Authentication messages part of Mobility Management (MM) Based on secret User Authentication Key (UAK) in SIM, generating Authentication key K by use of Algorithms TB1, TB2 or TB3 Supports three modes Authentication of user by infrastructure (TA11, TA12) Authentication of infrastructure by user (TA21, TA22) Mutual authentication (four-pass, TA11, TA12, TA21, TA22) Harald Welte OsmocomTETRA

  19. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA Authentication Harald Welte OsmocomTETRA

  20. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA Air Interface Encryption Like GSM: Encrypts only the air interface, not the core network Unlike GSM: Not between L1 and L0 but inside the upper MAC layer Thus, no idle frames with known plaintext Thus, no redundant information due to FEC before crypto Encryption happens with different keys (SCK, DCK, CCK, GCK, MGCK) IV is concatenation of hyperframe, multiframe, frame and slot number Harald Welte OsmocomTETRA

  21. TETRA Introduction TETRA Air Interface TETRA Technical Intro TETRA Protocol Stack TETRA Data Services TETRA Security Osmocom TETRA TETRA Security Conclusions TETRA Air Interface Encryption Harald Welte OsmocomTETRA

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org

OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org

TETRA Introduction TETRA Technical Intro TETRA Data Services Osmocom TETRA OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org OpenBSC OsmocomBB hmw-consulting.de EH2011, April 2011,

693 views • 40 slides
OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org

OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org

TETRA Introduction TETRA Technical Intro Osmocom TETRA OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org OpenBSC OsmocomBB hmw-consulting.de SRLabs, January 2011, Berlin/Germany Harald Welte

462 views • 33 slides
Digital Transmission through the Additive White Gaussian Noise Channel ELEN 3024 - Communication

Digital Transmission through the Additive White Gaussian Noise Channel ELEN 3024 - Communication

Digital Transmission through the Additive White Gaussian Noise Channel ELEN 3024 - Communication Fundamentals School of Electrical and Information Engineering, University of the Witwatersrand July 15, 2013 Digital Transmission Through the AWGN

286 views • 16 slides
Outline Introduction. Paper: Design of GFSK Demodulator. Dong Han, Yuanjin Zheng. An

Outline Introduction. Paper: Design of GFSK Demodulator. Dong Han, Yuanjin Zheng. An

Paper presentation Ultra-Portable Devices Outline Introduction. Paper: Design of GFSK Demodulator. Dong Han, Yuanjin Zheng. An Ultra Low Power GFSK Demodulator for Wireless Body Area Network, Inst. Phase Domain ADC. of

295 views • 5 slides
tr

tr

tr r rtt s tt qrtr

342 views • 18 slides
Roadmap for Section 5.2. Memory Manager Features and Components Virtual Address Space Allocation

Roadmap for Section 5.2. Memory Manager Features and Components Virtual Address Space Allocation

Unit OS5: Memory Management 5.2. Windows Memory Management Fundamentals Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 5.2. Memory Manager Features and Components Virtual

709 views • 32 slides
Digital Modulation Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Digital Modulation Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Digital Modulation Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay August 19, 2013 1 / 21 Digital Modulation Definition The process of mapping a bit sequence to signals

689 views • 21 slides
Lecture 1 slides Singlecarrier Modulation System noises Multicarrier Modulation System PDF

Lecture 1 slides Singlecarrier Modulation System noises Multicarrier Modulation System PDF

Lecture 1 slides Singlecarrier Modulation System noises Multicarrier Modulation System PDF created with pdfFactory trial version www.pdffactory.com Fading: PDF created with pdfFactory trial version www.pdffactory.com

688 views • 7 slides
Introduction to computer networks What is a computer network? What are the benefits of

Introduction to computer networks What is a computer network? What are the benefits of

Introduction to computer networks What is a computer network? What are the benefits of using networks? What does LAN stand for? Where are LANs usually located? What is the difference between a wired LAN and a wireless LAN?

280 views • 6 slides
IC220 Gates Basic building blocks of logic Slide Set #A1: Digital Logic Combinational

IC220 Gates Basic building blocks of logic Slide Set #A1: Digital Logic Combinational

Appendix Goals Establish an understanding of the basics of logic design for future material IC220 Gates Basic building blocks of logic Slide Set #A1: Digital Logic Combinational Logic (Appendix A) Decoders, Multiplexors, PLAs

413 views • 6 slides
PFTD lst = ["a","b","c","a"] DeMorgans Law dex =

PFTD lst = ["a","b","c","a"] DeMorgans Law dex =

Compsci 101 Announcements DeMorgans Law, Short circuiting, APT-4 due Tuesday, Oct. 6 Images, Tuples Assign 3 due Thursday, Oct 8 Live Lecture Lab 5 on Friday Susan Rodger October 1, 2020 Exam 1 do not discuss until it is

235 views • 4 slides
Thursday, 19 November 2015 Questions about project and/or labs? Last time: Full adders; Karnaugh

Thursday, 19 November 2015 Questions about project and/or labs? Last time: Full adders; Karnaugh

Thursday, 19 November 2015 Questions about project and/or labs? Last time: Full adders; Karnaugh maps Today: Karnaugh maps again-- in-class exercise DeMorgans Law Karnaugh Maps Used to design circuits for up to four inputs. Alternate

584 views • 15 slides
Equivalences 1 Equivalence Definition (Equivalence) Two formulas F and G are (semantically)

Equivalences 1 Equivalence Definition (Equivalence) Two formulas F and G are (semantically)

Propositional Logic Equivalences 1 Equivalence Definition (Equivalence) Two formulas F and G are (semantically) equivalent if A ( F ) = A ( G ) for every assignment A that is suitable for both F and G . We write F G to denote that F and G

276 views • 12 slides
Non-Classical Logics Viorica Sofronie-Stokkermans E-mail: sofronie@uni-koblenz.de Winter

Non-Classical Logics Viorica Sofronie-Stokkermans E-mail: sofronie@uni-koblenz.de Winter

Non-Classical Logics Viorica Sofronie-Stokkermans E-mail: sofronie@uni-koblenz.de Winter Semester 2012/2013 1 Non-Classical Logics Alternatives to classical logic Extensions of classical logic 2 Non-Classical Logics Alternatives

695 views • 31 slides
Constraint Answer Set Programming without Grounding J. Arias 1 , 2 M. Carro 1 , 2 E. Salazar 3 K.

Constraint Answer Set Programming without Grounding J. Arias 1 , 2 M. Carro 1 , 2 E. Salazar 3 K.

Jul 14, 2018 [ICLP-2018] Constraint Answer Set Programming without Grounding J. Arias 1 , 2 M. Carro 1 , 2 E. Salazar 3 K. Marple 3 G. Gupta 3 1 IMDEA Software Institute, 2 Universidad Polit ecnica de Madrid, 3 University of Texas at Dallas

778 views • 75 slides
CSE 140 Lecture 11 Standard Combinational Modules CK Cheng and Diba Mirza CSE Dept. UC San

CSE 140 Lecture 11 Standard Combinational Modules CK Cheng and Diba Mirza CSE Dept. UC San

CSE 140 Lecture 11 Standard Combinational Modules CK Cheng and Diba Mirza CSE Dept. UC San Diego 1 Part III - Standard Combinational Modules (Harris: 2.8, 5) Signal Transport Decoder: Decode address Encoder: Encode address

826 views • 47 slides
Gate Symbols OR NOR AND NAND INVERTER BUFFER Exercise :

Gate Symbols OR NOR AND NAND INVERTER BUFFER Exercise :

Combinational Logic Gate Symbols OR NOR AND NAND INVERTER BUFFER Exercise : show that the equivalent gates do the same function Decoder Multiple-input/multiple-output device. Inputs ( n ) are

87 views • 6 slides
CSSE132 Introduc0on to Computer Systems 11 : Basic computa.onal

CSSE132 Introduc0on to Computer Systems 11 : Basic computa.onal

CSSE132 Introduc0on to Computer Systems 11 : Basic computa.onal structures March 20, 2013 1 Today: Basic computa0onal structures Helpful structures

286 views • 24 slides
INF5470 Fall 2011 Lecture 5: Neuromorphic Communication Content The AER protocol Collision

INF5470 Fall 2011 Lecture 5: Neuromorphic Communication Content The AER protocol Collision

INF5470 Fall 2011 Lecture 5: Neuromorphic Communication Content The AER protocol Collision Handling Serial AER Weekly Questions Lecture 5: Neuromorphic Communication 2 Content The AER protocol Collision Handling Serial AER Weekly

567 views • 15 slides
Sidan 1 The Register File Zero ext . Branch 32 word (32 bit) registers. logic 0 A ALU

Sidan 1 The Register File Zero ext . Branch 32 word (32 bit) registers. logic 0 A ALU

Basic Building Blocks The Program Counter There is a special register inside the processor. Multiplexer Adder Demultiplexer Big enough to hold an instruction address (32 bits). Called the program counter (PC). + Computer

607 views • 5 slides
P ART II A RCHITECTURE MOOC on M4D 2013 Introduction What have we done ? A stack has

P ART II A RCHITECTURE MOOC on M4D 2013 Introduction What have we done ? A stack has

P ART II A RCHITECTURE MOOC on M4D 2013 Introduction What have we done ? A stack has been developed over which different web telephony applications can be developed Three applications have been developed Content Delivery

571 views • 19 slides
Design and Implementation of an object- oriented, secure TCP/IP Stack Hannes Mehnert, Andreas

Design and Implementation of an object- oriented, secure TCP/IP Stack Hannes Mehnert, Andreas

Design and Implementation of an object- oriented, secure TCP/IP Stack Hannes Mehnert, Andreas Bogk 23c3 27. December 2006 Overview Common software vulnerabilities Dylan Architecture of IP-Stack CVE sorted by bug class Software

447 views • 44 slides
CSCI 2570 Introduction to Nanocomputing Errors in Crossbars John E Savage Lecture Outline

CSCI 2570 Introduction to Nanocomputing Errors in Crossbars John E Savage Lecture Outline

CSCI 2570 Introduction to Nanocomputing Errors in Crossbars John E Savage Lecture Outline General Properties of nanoarrays NanoFabrics an early model for nanoarrays NanoPLAS A programmable architecture Coping with

520 views • 28 slides
University of Jordan Computer Engineering Department COURSE OUTLINE http://www.driyad.ucoz.net

University of Jordan Computer Engineering Department COURSE OUTLINE http://www.driyad.ucoz.net

Summer 2012 0907231 Digital Logic University of Jordan Computer Engineering Department COURSE OUTLINE http://www.driyad.ucoz.net I. Course Description 0907231 Digital Logic [3 Credit Hours] (engineering students sections) Number Systems and

455 views • 3 slides

More recommend