TETRA Security

The area of TETRA security is extensive, as it needs to provide different levels of security ranging from what is acceptable on commercial networks to what is acceptable on a national public safety network.  The security mechanisms in the standard are covered through Authentication, Air Interface Encryption (AIE) and End to End encryption. The threats to Confidentiality, Authenticity, Integrity, Availability as well as Accountability are covered with those three mechanisms.

The standard based services are constantly being expanded by a sub-group of the Association – Security and Fraud Prevention Group (SFPG).

Mutual Authentication is a service required to ensure that a TETRA system can control access to it and for a radio terminal to check if a network can be trusted. In TETRA, as in most other secure systems, authentication is the basis for much of overall network security and can also be used to ensure validated billing in public access systems, and can provide the foundation for a secure distribution channel for sensitive information such as other encryption keys.  The mutual authentication security mechanisms protect both Voice and Data services.

The TETRA standard supports four AIE TETRA Encryption Algorithms (TEAs), these being TEA1, TEA2, TEA3 and TEA 4.  There are differences in the intended use and the exportability of equipment containing these algorithms.  For example, TEA2 is intended for use by public safety users in Schengen and related European countries only; the others have wider applications ranging from general commercial use to public safety use in regions where TEA2 is not used. The main benefit of over the air encryption is that it protects all signalling and identities as well as user speech and data.  This provides an excellent level of protection from traffic analysis as well as from eavesdropping.  The encryption system is closely bound to the TETRA signalling protocols and the algorithms can (if desired) be implemented as software within radio terminals and base station equipment, instead of using encryption modules, which could consume space and increase cost. 

The TETRA standard also supports End to End encryption using a variety of encryption algorithms as deemed necessary by national security organisations.  The TETRA Association Security and Fraud Prevention Group has extended the work carried out in the TETRA standard to define a general framework for the incorporation of End to End encryption.  Recommended sample solutions have also been provided for the International Data Encryption Algorithm (IDEA) algorithm (IPR owned by Ascom) and the newer Advanced Encryption Standard (AES) algorithm (IPR free), which benefits from a larger cryptographic algorithm block size.  Custom and indigenous algorithms are also possible with End to End encryption, although these are not recommended for air interface encryption due to their need for integration in signalling protocols and availability of standard compliant terminals.

Besides these core security capabilities TETRA can also support a wide range of security management capabilities such as those used to control, manage and operate the individual security mechanisms in a network.  The most important of these is Encryption Key management, which is fully integrated in TETRA standard functions.  Even though security functions are integrated in a network this does not automatically imply that a network is fully secure. However, what is normally achieved is that the security risks are “condensed”, that is they are concentrated to specific elements in the network, which can be adequately controlled.

Overview of standard TETRA Cryptographic Algorithms and their rules for management and distribution 

TEA 2 licensing rules – Frequently Asked Questions