Veranstaltung

17:35
-
18:15

Tag 3

TETRA Algorithm set B - Can glue mend the burst?

aufgezeichnet

Security

In August 2023, we published the TETRA:BURST vulnerabilities - the result of the first public in-depth security analysis of TETRA (Terrestrial Trunked Radio): a European standard for trunked radio globally used by government agencies, police, military, and critical infrastructure. Authentication and encryption within TETRA were handled by proprietary cryptographic cipher-suites, which had remained secret for over two decades through restrictive NDAs until our reverse-engineering and publication. This talk is not TETRA:BURST, but dives into the latest TETRA revision introduced in 2022. Most notably, it contains a new suite of cryptographic ciphers. Of course the cipher available for critical infrastructure and civilian use (TEA7) is intentionally crippled, and of course these ciphers were to be kept secret, but this decision was overruled due to public backlash following our publication last year. In this talk we will present a practical attack on the TEA7 cipher, which while taking a 192-bit key, only offers 56 bits of security. Furthermore, we point out improvements and shortcomings of the new standard, and present an update on TEA3 cryptanalysis, where we previously found a suspicious feature, and draw a parallel with its successor TEA6. All in all, in this short and relatively crypto-forward talk, we assess with all-new material whether the new TETRA standard is fit for its intended purpose. This crucial technology seeks to once again take a very central role in our society for decades to come, and its cryptographic resilience is of fundamental importance - for emergency networks, but possibly even more for our critical infrastructure and associated processes.

The new authentication suite (TAA2, as opposed to the old TAA1) features longer keys and completely new cryptographic primitives. The new Air Interface Encryption algorithms (TEA set B) consist of three new ciphers, for differing target audiences. TEA5 is intended for European emergency networks, and is the successor of TEA2. TEA6 is intended for friendly extra-european emergency and military networks, and replaces TEA3. Lastly, TEA7 is the only one available for use by critical infrastructure and other civil applications, and replaces TEA1.

Initially, ETSI envisaged to keep the new algorithms secret again, once more eliminating the possibility of public scrutiny. However, following our publication, a promise was made to release the algorithms to the public for inspection. Additionally, a statement was made that TEA7 has a reduced effective strength of 56 bits. As mentioned, this algorithm is the successor to TEA1, which has an effective strength of only 32 bits, in a time where 40 bits was the maximum for freely exportable crypto.

In TETRA:BURST, we presented several vulnerabilities found in the old standard. Obviously, the backdoored TEA1 algorithm is now replaced by a new cipher, and we will dive into how this works, how it can be attacked, and what the practical implications will be. Second, we previously presented a method of decrypting and injecting traffic on all network types, even those using the stronger TEA2 and TEA3 algorithms. This relies on the lack of cryptographic integrity guarantees on message - something that is still unaddressed. We discuss how this leads to issues. Lastly, TETRA:BURST described a way of decrypting the pseudonymized identities of TETRA users (first demonstrated at the 37C3), allowing for a powerful intelligence capability. We will discuss how the new standard seeks to resolve this issue.

Lastly, we previously recommended caution regarding TEA3, due to a suspicious feature in its design. While no full attack will be presented, progress in its cryptanalysis was made, which we will discuss during the talk. And, there is an interesting parallel to be drawn between the suspicious quirk in TEA3 and the design of its successor, TEA6.