SIST EN 300 175-7 V2.5.1:2013
Digital Enhanced Cordless Telecommunications (DECT) - Common Interface (CI) - Part 7: Security features
The present document is one of the parts of the specification of the Digital Enhanced Cordless Telecommunications (DECT) Common Interface (CI). The present document specifies the security architecture, the types of cryptographic algorithms required, the way in which they are to be used, and the requirements for integrating the security features provided by the architecture into the DECT CI. It also describes how the features can be managed and how they relate to certain DECT fixed systems and local network configurations. The security architecture is defined in terms of the security services which are to be supported at the CI, the mechanisms which are to be used to provide the services, and the cryptographic parameters, keys and processes which are associated with these mechanisms. The security processes specified in the present document are each based on one of three cryptographic algorithms:
- an authentication algorithm;
- a key stream generator for MAC layer encryption; and
- a key stream generator plus a Message Authentication Code generator for CCM authenticated encryption.

The architecture is, however, algorithm independent, and either the DECT standard algorithms, or appropriate proprietary algorithms, or indeed a combination of both can, in principle, be employed. The use of the employed algorithm is specified in the present document. Integration of the security features is specified in terms of the protocol elements and processes required at the Network (NWK) and Medium Access Control (MAC) layers of the CI. The relationship between the security features and various network elements is described in terms of where the security processes and management functions may be provided.

The present document does not address implementation issues. For instance, no attempt is made to specify whether the DSAA or DSAA2 should be implemented in the PP at manufacture, or whether the DSAA, DSAA2 or a proprietary authentication algorithm should be implemented in a detachable module. Similarly, the present document does not specify whether the DSC or DSC2 should be implemented in hardware in all PPs at manufacture, or whether special PPs should be manufactured with the DSC, DSC2 or proprietary ciphers built into them. The security architecture supports all these options, although the use of proprietary algorithms may limit roaming and the concurrent use of PPs in different environments.

Within the standard authentication algorithms, DSAA2, DSC2 and CCM are stronger than DSAA and DSC and provide superior protection. DSAA2 and DSC2 are based on AES [10] and were created in 2011. CCM is also based on AES [10] and was added to the standard in 2012.

The present document includes New Generation DECT, a further development of the DECT standard introducing wideband speech, improved data services, new slot types and other technical enhancements. The present document also includes DECT Ultra Low Energy (ULE), a low rate data technology based on DECT intended for M2M applications with ultra low power consumption.
Digital Enhanced Cordless Telecommunications (DECT) - Common Interface (CI) - Part 7: Security features
This document is one of the parts of the specification of the Common Interface (CI) for Digital Enhanced Cordless Telecommunications (DECT). This document specifies the security architecture, the types of cryptographic algorithms required and the way they are used, and the requirements for integrating the security features of the architecture into the DECT CI. It also describes how the features are managed and how they relate to certain DECT fixed systems and local network configurations. The security architecture is defined in terms of the security services supported by the Common Interface, the mechanisms of that interface that provide the services, and the cryptographic parameters, keys and processes associated with these mechanisms. The security processes specified in this document are based on three cryptographic algorithms:
- an authentication algorithm;
- a key stream generator for MAC layer encryption; and
- a key stream generator and a Message Authentication Code generator for CCM authenticated encryption.

The architecture is, however, algorithm independent, so in principle the DECT standard algorithms, appropriate proprietary algorithms, or a combination of both can be used. The use of the algorithm is specified in this document. Integration of the security features is specified in terms of the protocol elements and procedures required at the NWK and MAC layers of the Common Interface. The relationship between the security features and various network elements is described in terms of the locations where the security procedures and management functions will be provided.

This document does not address implementation issues. For example, this document contains no statement specifying whether DSAA or DSAA2 is implemented in the PP at manufacture, or whether DSAA, DSAA2 or a proprietary authentication algorithm is implemented in a detachable module. Likewise, this document does not specify whether DSC or DSC2 is implemented in the hardware of all PPs at manufacture, or whether special PPs are manufactured with DSC, DSC2 or proprietary ciphers built in. The security architecture supports all these options, although the use of proprietary algorithms may limit roaming and the concurrent use of PPs in different environments.

Within the standard authentication algorithms, DSAA2, DSC2 and CCM are stronger than DSAA and DSC and provide superior protection. DSAA2 and DSC2 are based on AES [10] and were created in 2011. CCM is also based on AES [10] and was added to the standard in 2012.

This document includes New Generation DECT, a further development of the DECT standard that introduces wideband speech, improved data services, new slot types and other technical enhancements. This document also includes DECT ULE (Ultra Low Energy), a low rate data technology based on DECT and intended for M2M use with ultra low power consumption.
General Information
- Status: Published
- Public Enquiry End Date: 31-Jul-2013
- Publication Date: 23-Sep-2013
- Technical Committee: MOC - Mobile Communications
- Current Stage: 6060 - National Implementation/Publication (Adopted Project)
- Start Date: 02-Sep-2013
- Due Date: 07-Nov-2013
- Completion Date: 24-Sep-2013
Overview
SIST EN 300 175-7 V2.5.1:2013 defines the security features of the Digital Enhanced Cordless Telecommunications (DECT) Common Interface (CI). It specifies the security architecture, the types of cryptographic algorithms required, how algorithms are to be used, cryptographic parameters, keying material and processes, and how these features are integrated into the CI at the Network (NWK) and Medium Access Control (MAC) layers. The document covers management and operational relationships with DECT fixed systems and local network configurations and includes provisions for New Generation DECT and DECT Ultra Low Energy (ULE).
Key topics and technical requirements
- Security architecture and services: Authentication (PT/FT/user), mutual authentication, data confidentiality and key management at the CI.
- Algorithm-independent design: The architecture supports standard DECT algorithms, proprietary algorithms, or combinations - with guidance on usage and interworking limitations (e.g., roaming).
- Cryptographic building blocks:
  - Authentication algorithms (DSAA, DSAA2)
  - Key stream generators for MAC-layer encryption (DSC, DSC2)
  - CCM authenticated encryption (AES-based) for combined confidentiality and integrity
- Stronger algorithm options: DSAA2, DSC2 and CCM (all AES-based) introduced to provide enhanced protection compared to legacy DSAA/DSC.
- Key types and derivation: Definitions and processes for Authentication Key (K), session keys (KS, KS'), Cipher Key (CK), Derived Cipher Key (DCK), Static Cipher Key (SCK), Default Cipher Key (DefCK), and related derivation/re-key procedures.
- Integration into CI protocols:
  - NWK layer procedures for key association, transfer and re-keying
  - MAC layer procedures for encryption, initialization vectors (IV), key stream synchronization, mode switching, and handover with uninterrupted ciphering
- Management and operational notes: Where authentication and ciphering functions may reside (network elements, detachable modules, PP devices) and the impact of proprietary algorithms on interoperability.
- Scope exclusions: The standard does not prescribe implementation choices (e.g., whether certain algorithms are embedded in hardware or detachable modules).
Practical applications and who uses this standard
- Device manufacturers (DECT handsets, base stations, PPs) - to implement CI-compliant security features.
- Firmware and protocol developers - to integrate NWK and MAC level encryption, authentication and CCM authenticated encryption.
- Network operators and service providers - to design secure DECT deployments, roaming policies and key management procedures.
- IoT/M2M solution designers - especially for ULE-based low-power applications requiring lightweight secure links.
- Security architects and integrators - for assessing interoperability, algorithm choices and operational security posture.
- Test labs and compliance bodies - for evaluating conformance to DECT CI security requirements.
Related standards and keywords
- Related: other parts of the EN 300 175 DECT Common Interface series and DECT system specifications.
- Keywords: DECT security, Common Interface (CI), authentication, encryption, CCM, DSAA2, DSC2, AES, key management, MAC layer, NWK layer, New Generation DECT, DECT ULE, M2M, IoT.
ETSI EN 300 175-7 V2.5.0 (2013-04) - Digital Enhanced Cordless Telecommunications (DECT); Common Interface (CI); Part 7: Security features
ETSI EN 300 175-7 V2.5.1 (2013-08) - Digital Enhanced Cordless Telecommunications (DECT); Common Interface (CI); Part 7: Security features
Frequently Asked Questions
SIST EN 300 175-7 V2.5.1:2013 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Digital Enhanced Cordless Telecommunications (DECT) - Common Interface (CI) - Part 7: Security features".
SIST EN 300 175-7 V2.5.1:2013 is classified under the following ICS (International Classification for Standards) categories: 33.070.30 - Digital Enhanced Cordless Telecommunications (DECT). The ICS classification helps identify the subject area and facilitates finding related standards.
Standards Content (Sample)
Draft ETSI EN 300 175-7 V2.5.0 (2013-04)
European Standard
Digital Enhanced Cordless Telecommunications (DECT);
Common Interface (CI);
Part 7: Security features
Reference: REN/DECT-000268-7
Keywords: authentication, DECT, IMT-2000, mobility, radio, security, TDD, TDMA
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
Individual copies of the present document can be downloaded from: http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2013.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights
Foreword
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Security architecture
4.1 Background
4.2 Security services
4.2.1 Authentication of a PT
4.2.2 Authentication of an FT
4.2.3 Mutual authentication
4.2.4 Data confidentiality
4.2.5 User authentication
4.3 Security mechanisms
4.3.1 Authentication of a PT (type 1 procedure)
4.3.2 Authentication of an FT (type 1 procedure)
4.3.3 Mutual authentication
4.3.4 Data confidentiality
4.3.4.1 Derived Cipher Key (DCK)
4.3.4.2 Static Cipher Key (SCK)
4.3.4.3 Default Cipher Key (DefCK)
4.3.5 User authentication
4.3.6 Authentication of a PT (type 2 procedure)
4.3.7 Authentication of a FT (type 2 procedure)
4.4 Cryptographic parameters and keys
4.4.1 Overview
4.4.2 Cryptographic parameters
4.4.2.1 Provisions related to the generation of random numbers
4.4.3 Cryptographic keys
4.4.3.1 Authentication key K
4.4.3.2 Authentication session keys KS and KS'
4.4.3.3 Cipher key CK
4.5 Security processes
4.5.1 Overview
4.5.2 Derivation of authentication key, K
4.5.2.1 K is derived from UAK
4.5.2.2 K is derived from AC
4.5.2.3 K is derived from UAK and UPI
4.5.3 Authentication processes
4.5.3.1 Processes for the derivation of KS and KS'
4.5.3.2 Processes for the derivation of DCK, RES1 and RES2
4.5.4 Key stream generation
4.5.5 CCM Authenticated Encryption
4.6 Combinations of security services
4.6.1 Combinations of security algorithms
4.6.1.1 Limitations related to capering algorithms
5 Algorithms for security processes
5.1 Background
5.1.1 A algorithm
5.1.1.1 A algorithm, DSAA based (A-DSAA)
5.1.1.2 A algorithm, DSAA2 based (A-DSAA2)
5.1.1.3 A algorithm, proprietary
5.2 Derivation of session authentication key(s)
5.2.1 A11 process
5.2.2 A21 process
5.3 Authentication and cipher key generation processes
5.3.1 A12 process
5.3.2 A22 process
5.4 CCM algorithm
6 Integration of security
6.1 Background
6.2 Association of keys and identities
6.2.1 Authentication key
6.2.1.1 K is derived from UAK
6.2.1.2 K derived from AC
6.2.1.3 K derived from UAK and UPI
6.2.2 Cipher keys
6.2.3 Cipher keys for CCM
6.2.3.1 Single use of the keys for CCM
6.3 NWK layer procedures
6.3.1 Background
6.3.2 Authentication exchanges
6.3.3 Authentication procedures
6.3.3.1 Authentication of a PT type 1 procedure
6.3.3.2 Authentication of an FT type 1 procedure
6.3.3.3 Authentication of a PT type 2 procedure
6.3.3.4 Authentication of an FT type 2 procedure
6.3.4 Transfer of Cipher Key, CK
6.3.5 Re-Keying
6.3.6 Encryption with Default Cipher Key
6.3.7 Transfer of Cipher Key CK for CCM
6.3.7.1 Transfer by Virtual Call setup CC procedure
6.3.7.2 Transfer using MM procedures for CCM re-keying and sequence reset
6.4 MAC layer procedures
6.4.1 Background
6.4.2 MAC layer field structure
6.4.3 Data to be encrypted
6.4.4 Encryption process
6.4.5 Initialization and synchronization of the encryption process
6.4.5.1 Construction of CK
6.4.5.2 The Initialization Vector (IV)
6.4.5.3 Generation of two Key Stream segments
6.4.6 Encryption mode control
6.4.6.1 Background
6.4.6.2 MAC layer messages
6.4.6.3 Procedures for switching to encrypt mode
6.4.6.4 Procedures for switching to clear mode
6.4.6.5 Procedures for re-keying
6.4.7 Handover of the encryption process
6.4.7.1 Bearer handover, uninterrupted ciphering
6.4.7.2 Connection handover, uninterrupted ciphering
6.4.7.3 External handover - handover with ciphering
6.4.8 Modifications for half and long slot specifications (2-level modulation)
6.4.8.1 Background
6.4.8.2 MAC layer field structure
6.4.8.3 Data to be encrypted
6.4.8.4 Encryption process
6.4.8.5 Initialization and synchronization of the encryption process
6.4.8.6 Encryption mode control
6.4.8.7 Handover of the encryption process
6.4.9 Modifications for double slot specifications (2-level modulation)
6.4.9.1 Background
6.4.9.2 MAC layer field structure
6.4.9.3 Data to be encrypted
6.4.9.4 Encryption process
6.4.9.5 Initialization and synchronization of the encryption process
6.4.9.6 Encryption mode control
6.4.9.7 Handover of the encryption process
6.4.10 Modifications for multi-bearer specifications
6.4.11 Modifications for 4-level, 8-level, 16-level and 64-level modulation formats
6.4.11.1 Background
6.4.11.2 MAC layer field structure
6.4.11.3 Data to be encrypted
6.4.11.4 Encryption process
6.4.11.4.1 Encryption process for the A-field and for the unprotected format
6.4.11.4.2 Encryption process for the single subfield protected format
6.4.11.4.3 Encryption process for the multi-subfield protected format
6.4.11.4.4 Encryption process for the constant-size-subfield protected format
6.4.11.4.5 Encryption process for the encoded protected format (MAC service I_PX)
6.4.11.5 Initialization and synchronization of the encryption process
6.4.11.6 Encryption mode control
6.4.11.7 Handover of the encryption process
6.4.12 Procedures for CCM re-keying and sequence reset
6.5 Security attributes
6.5.1 Background
6.5.2 Authentication protocols
6.5.2.1 Authentication of a PT type 1 procedure
6.5.2.2 Authentication of an FT type 1 procedure
6.5.2.3 Authentication of a PT type 2 procedure
6.5.2.4 Authentication of an FT type 2 procedure
6.5.3 Confidentiality protocols
6.5.4 Access-rights protocols
6.5.5 Key numbering and storage
6.5.5.1 Authentication keys
6.5.5.2 Cipher keys
6.5.6 Key allocation
6.5.6.1 Introduction
6.5.6.2 UAK allocation (DSAA algorithm)
6.5.6.3 UAK allocation (DSAA2 algorithm)
6.6 DLC layer procedures
6.6.1 Background
6.6.2 CCM Authenticated Encryption
6.6.2.1 CCM operation
6.6.2.2 Key management
6.6.2.3 CCM Initialization Vector
6.6.2.3.1 CCM Initialization Vector: first byte
6.6.2.3.2 CCM Initialization Vector: bytes 8-11
6.6.2.3.3 CCM Initialization Vector: bytes 12
6.6.2.4 CCM Sequence Number
6.6.2.5 CCM Start and Stop
6.6.2.6 CCM Sequence resetting and re-keying
7 Use of security features
7.1 Background
7.2 Key management options
7.2.1 Overview of security parameters relevant for key management
7.2.2 Generation of authentication keys
7.2.3 Initial distribution and installation of keys
7.2.4 Use of keys within the fixed network
7.2.4.1 Use of keys within the fixed network: diagrams for authentication type 1 scenarios
7.2.4.2 Use of keys within the fixed network: diagrams for authentication type 2 scenarios
7.3 Confidentiality service with a Cordless Radio Fixed Part (CRFP)
7.3.1 General
7.3.2 CRFP initialization of PT cipher key
Annex A (informative): Security threats analysis
A.1 Introduction
A.2 Threat A - Impersonating a subscriber identity
A.3 Threat B - Illegal use of a handset (PP)
A.4 Threat C - Illegal use of a base station (FP)
A.5 Threat D - Impersonation of a base station (FP)
A.6 Threat E - Illegally obtaining user data and user related signalling information
A.7 Conclusions and comments
Annex B (informative): Security features and operating environments
B.1 Introduction
B.2 Definitions
B.3 Enrolment options
Annex C (informative): Reasons for not adopting public key techniques
Annex D (informative): Overview of security features
D.1 Introduction
D.2 Authentication of a PT
D.3 Authentication of an FT
D.4 Mutual authentication of a PT and an FT
D.4.1 Direct method
D.4.2 Indirect method 1
D.4.3 Indirect method 2
D.5 Data confidentiality
D.5.1 Cipher key derivation as part of authentication
D.5.2 Static cipher key
D.6 User authentication
D.7 Key management in case of roaming
D.7.1 Introduction
D.7.2 Use of actual authentication key K
D.7.3 Use of session keys
D.7.4 Use of precalculated sets
Annex E (informative): Limitations of DECT security
E.1 Introduction
E.2 Protocol reflection attacks
E.3 Static cipher key and short Initial Vector (IV)
E.4 General considerations regarding key management
E.5 Use of a predictable challenge in FT authentication
Annex F (informative): Security features related to target networks
F.1 Introduction
F.1.1 Notation and DECT reference model
F.1.2 Significance of security features and intended usage within DECT
F.1.3 Mechanism/algorithm and process requirements
F.2 PSTN reference configurations
F.2.1 Domestic telephone
F.2.2 PBX
F.2.3 Local loop
F.3 ISDN reference configurations
F.3.1 Terminal equipment
F.3.2 Network termination 2
F.3.3 Local loop
F.4 X.25 reference configuration
F.4.1 Data Terminal Equipment (DTE)
F.4.2 PAD equipment
F.5 GSM reference configuration
F.5.1 Base station substation
F.5.2 Mobile station
F.6 IEEE 802 reference configuration
F.6.1 Bridge
F.6.2 Gateway
F.7 Public access service reference configurations
F.7.1 Fixed public access service reference configuration
Annex G (informative): Compatibility of DECT and GSM authentication
G.1 Introduction
G.2 SIM and DAM functionality
G.3 Using an SIM for DECT authentication
G.4 Using a DAM for GSM authentication
Annex H (normative): DECT Standard Authentication Algorithm (DSAA)
Annex I (informative): Void
Annex J (normative): DECT Standard Cipher (DSC)
Annex K (normative): Clarifications, bit mappings and examples for DSAA and DSC
K.1 Ambiguities concerning the DSAA
K.2 Ambiguities concerning the DSC DECT-standard cipher
Annex L (normative): DECT Standard Authentication Algorithm #2 (DSAA2)
L.1 Introduction
L.2 Operation of the Authentication Algorithm
L.2.1 DSAA2-1
L.2.2 DSAA2-2
L.3 Test Sets
L.3.1 DSAA2-1
L.3.2 DSAA2-2
L.4 DSAA2 Examples
L.4.1 Subscription with Key Allocation
L.4.1.1 PP AC Authentication
L.4.1.2 FP AC Authentication
L.4.2 DCK Allocation through PP UAK Authentication
L.4.2.1 PP UAK Authentication
L.4.2.2 Derivation of 64 bit DCK for DSC
L.5 DCK to CK mapping
Annex M (normative): DECT Standard Cipher #2 (DSC2)
M.1 Introduction
M.2 Operation of the Cipher
M.3 Test Sets
M.4 DSC2 Test Set
M.5 Mapping of DECT values into AES-128 plaintext
Annex N (normative): CCM Authenticated Encryption
N.1 Introduction
N.1.1 Key management
N.2 Operation of the CCM encryption algorithm
...
European Standard
Digital Enhanced Cordless Telecommunications (DECT);
Common Interface (CI);
Part 7: Security features
2 ETSI EN 300 175-7 V2.5.1 (2013-08)
Reference
REN/DECT-000268-7
Keywords
authentication, DECT, IMT-2000, mobility, radio,
security, TDD, TDMA
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2013.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 9
Foreword . 9
Introduction . 10
1 Scope . 14
2 References . 14
2.1 Normative references . 15
2.2 Informative references . 15
3 Definitions and abbreviations . 16
3.1 Definitions . 16
3.2 Abbreviations . 16
4 Security architecture . 18
4.1 Background . 18
4.2 Security services . 19
4.2.1 Authentication of a PT . 19
4.2.2 Authentication of an FT . 19
4.2.3 Mutual authentication . 19
4.2.4 Data confidentiality. 19
4.2.5 User authentication . 19
4.3 Security mechanisms . 19
4.3.1 Authentication of a PT (type 1 procedure) . 20
4.3.2 Authentication of an FT (type 1 procedure) . 21
4.3.3 Mutual authentication . 22
4.3.4 Data confidentiality. 23
4.3.4.1 Derived Cipher Key (DCK) . 23
4.3.4.2 Static Cipher Key (SCK) . 23
4.3.4.3 Default Cipher Key (DefCK) . 23
4.3.5 User authentication . 24
4.3.6 Authentication of a PT (type 2 procedure) . 24
4.3.7 Authentication of a FT (type 2 procedure) . 27
4.4 Cryptographic parameters and keys . 29
4.4.1 Overview . 29
4.4.2 Cryptographic parameters . 29
4.4.2.1 Provisions related to the generation of random numbers . 32
4.4.3 Cryptographic keys . 32
4.4.3.1 Authentication key K . 32
4.4.3.2 Authentication session keys KS and KS' . 33
4.4.3.3 Cipher key CK . 34
4.5 Security processes . 34
4.5.1 Overview . 34
4.5.2 Derivation of authentication key, K . 34
4.5.2.1 K is derived from UAK . 34
4.5.2.2 K is derived from AC . 35
4.5.2.3 K is derived from UAK and UPI . 35
4.5.3 Authentication processes . 35
4.5.3.1 Processes for the derivation of KS and KS' . 35
4.5.3.2 Processes for the derivation of DCK, RES1 and RES2 . 36
4.5.4 Key stream generation . 37
4.5.5 CCM Authenticated Encryption . 37
4.6 Combinations of security services . 38
4.6.1 Combinations of security algorithms . 38
4.6.1.1 Limitations related to capering algorithms . 38
5 Algorithms for security processes . 39
5.1 Background . 39
5.1.1 A algorithm . 39
5.1.1.1 A algorithm, DSAA based (A-DSAA) . 39
5.1.1.2 A algorithm, DSAA2 based (A-DSAA2) . 39
5.1.1.3 A algorithm, proprietary . 40
5.2 Derivation of session authentication key(s) . 40
5.2.1 A11 process . 40
5.2.2 A21 process . 41
5.3 Authentication and cipher key generation processes . 42
5.3.1 A12 process . 42
5.3.2 A22 process . 42
5.4 CCM algorithm . 43
6 Integration of security . 43
6.1 Background . 43
6.2 Association of keys and identities . 43
6.2.1 Authentication key . 43
6.2.1.1 K is derived from UAK . 44
6.2.1.2 K derived from AC. 44
6.2.1.3 K derived from UAK and UPI . 44
6.2.2 Cipher keys . 44
6.2.3 Cipher keys for CCM . 45
6.2.3.1 Single use of the keys for CCM . 45
6.3 NWK layer procedures . 46
6.3.1 Background . 46
6.3.2 Authentication exchanges . 47
6.3.3 Authentication procedures . 48
6.3.3.1 Authentication of a PT type 1 procedure . 48
6.3.3.2 Authentication of an FT type 1 procedure . 48
6.3.3.3 Authentication of a PT type 2 procedure . 49
6.3.3.4 Authentication of an FT type 2 procedure . 49
6.3.4 Transfer of Cipher Key, CK. 50
6.3.5 Re-Keying . 50
6.3.6 Encryption with Default Cipher Key . 50
6.3.7 Transfer of Cipher Key CK for CCM . 50
6.3.7.1 Transfer by Virtual Call setup CC procedure . 50
6.3.7.2 Transfer using MM procedures for CCM re-keying and sequence reset . 51
6.4 MAC layer procedures . 51
6.4.1 Background . 51
6.4.2 MAC layer field structure . 51
6.4.3 Data to be encrypted . 52
6.4.4 Encryption process . 53
6.4.5 Initialization and synchronization of the encryption process . 56
6.4.5.1 Construction of CK . 56
6.4.5.2 The Initialization Vector (IV) . 56
6.4.5.3 Generation of two Key Stream segments . 56
6.4.6 Encryption mode control . 57
6.4.6.1 Background . 57
6.4.6.2 MAC layer messages. 57
6.4.6.3 Procedures for switching to encrypt mode . 57
6.4.6.4 Procedures for switching to clear mode . 62
6.4.6.5 Procedures for re-keying . 63
6.4.7 Handover of the encryption process . 64
6.4.7.1 Bearer handover, uninterrupted ciphering . 65
6.4.7.2 Connection handover, uninterrupted ciphering . 65
6.4.7.3 External handover - handover with ciphering . 65
6.4.8 Modifications for half and long slot specifications (2-level modulation) . 66
6.4.8.1 Background . 66
6.4.8.2 MAC layer field structure . 66
6.4.8.3 Data to be encrypted. 66
6.4.8.4 Encryption process . 67
6.4.8.5 Initialization and synchronization of the encryption process . 67
6.4.8.6 Encryption mode control . 67
6.4.8.7 Handover of the encryption process . 67
6.4.9 Modifications for double slot specifications (2-level modulation) . 67
6.4.9.1 Background . 67
6.4.9.2 MAC layer field structure . 68
6.4.9.3 Data to be encrypted. 68
6.4.9.4 Encryption process . 69
6.4.9.5 Initialization and synchronization of the encryption process . 70
6.4.9.6 Encryption mode control . 70
6.4.9.7 Handover of the encryption process . 70
6.4.10 Modifications for multi-bearer specifications . 70
6.4.11 Modifications for 4-level, 8-level, 16-level and 64-level modulation formats . 71
6.4.11.1 Background . 71
6.4.11.2 MAC layer field structure . 71
6.4.11.3 Data to be encrypted. 71
6.4.11.4 Encryption process . 71
6.4.11.4.1 Encryption process for the A-field and for the unprotected format . 72
6.4.11.4.2 Encryption process for the single subfield protected format . 73
6.4.11.4.3 Encryption process for the multi-subfield protected format . 74
6.4.11.4.4 Encryption process for the constant-size-subfield protected format . 76
6.4.11.4.5 Encryption process for the encoded protected format (MAC service I_PX) . 76
6.4.11.5 Initialization and synchronization of the encryption process . 78
6.4.11.6 Encryption mode control . 78
6.4.11.7 Handover of the encryption process . 78
6.4.12 Procedures for CCM re-keying and sequence reset . 78
6.5 Security attributes . 78
6.5.1 Background . 78
6.5.2 Authentication protocols . 79
6.5.2.1 Authentication of a PT type 1 procedure . 79
6.5.2.2 Authentication of an FT type 1 procedure . 80
6.5.2.3 Authentication of a PT type 2 procedure . 81
6.5.2.4 Authentication of an FT type 2 procedure . 82
6.5.3 Confidentiality protocols . 83
6.5.4 Access-rights protocols . 85
6.5.5 Key numbering and storage . 86
6.5.5.1 Authentication keys . 86
6.5.5.2 Cipher keys . 86
6.5.6 Key allocation . 87
6.5.6.1 Introduction . 87
6.5.6.2 UAK allocation (DSAA algorithm) . 88
6.5.6.3 UAK allocation (DSAA2 algorithm) . 89
6.6 DLC layer procedures . 89
6.6.1 Background . 89
6.6.2 CCM Authenticated Encryption . 90
6.6.2.1 CCM operation . 90
6.6.2.2 Key management . 90
6.6.2.3 CCM Initialization Vector . 91
6.6.2.3.1 CCM Initialization Vector: first byte . 91
6.6.2.3.2 CCM Initialization Vector: bytes 8-11 . 91
6.6.2.3.3 CCM Initialization Vector: bytes 12. 92
6.6.2.4 CCM Sequence Number . 92
6.6.2.5 CCM Start and Stop . 92
6.6.2.6 CCM Sequence resetting and re-keying . 93
7 Use of security features . 93
7.1 Background . 93
7.2 Key management options . 93
7.2.1 Overview of security parameters relevant for key management . 93
7.2.2 Generation of authentication keys . 94
7.2.3 Initial distribution and installation of keys . 95
7.2.4 Use of keys within the fixed network . 95
7.2.4.1 Use of keys within the fixed network: diagrams for authentication type 1 scenarios . 98
7.2.4.2 Use of keys within the fixed network: diagrams for authentication type 2 scenarios . 101
7.3 Confidentiality service with a Cordless Radio Fixed Part (CRFP). 103
7.3.1 General . 103
7.3.2 CRFP initialization of PT cipher key . 103
Annex A (informative): Security threats analysis . 104
A.1 Introduction . 104
A.2 Threat A - Impersonating a subscriber identity . 105
A.3 Threat B - Illegal use of a handset (PP) . 105
A.4 Threat C - Illegal use of a base station (FP) . 105
A.5 Threat D - Impersonation of a base station (FP) . 106
A.6 Threat E - Illegally obtaining user data and user related signalling information . 106
A.7 Conclusions and comments . 107
Annex B (informative): Security features and operating environments . 109
B.1 Introduction . 109
B.2 Definitions . 109
B.3 Enrolment options . 109
Annex C (informative): Reasons for not adopting public key techniques . 111
Annex D (informative): Overview of security features . 112
D.1 Introduction . 112
D.2 Authentication of a PT . 112
D.3 Authentication of an FT . 113
D.4 Mutual authentication of a PT and an FT . 113
D.4.1 Direct method . 113
D.4.2 Indirect method 1. 113
D.4.3 Indirect method 2. 113
D.5 Data confidentiality . 113
D.5.1 Cipher key derivation as part of authentication . 114
D.5.2 Static cipher key . 114
D.6 User authentication . 114
D.7 Key management in case of roaming . 114
D.7.1 Introduction . 114
D.7.2 Use of actual authentication key K . 114
D.7.3 Use of session keys. 115
D.7.4 Use of precalculated sets . 115
Annex E (informative): Limitations of DECT security . 116
E.1 Introduction . 116
E.2 Protocol reflection attacks . 116
E.3 Static cipher key and short Initial Vector (IV) . 116
E.4 General considerations regarding key management . 117
E.5 Use of a predictable challenge in FT authentication . 117
Annex F (informative): Security features related to target networks . 118
F.1 Introduction . 118
F.1.1 Notation and DECT reference model . 118
F.1.2 Significance of security features and intended usage within DECT. 118
F.1.3 Mechanism/algorithm and process requirements . 119
F.2 PSTN reference configurations . 120
F.2.1 Domestic telephone . 120
F.2.2 PBX . 121
F.2.3 Local loop . 123
F.3 ISDN reference configurations . 124
F.3.1 Terminal equipment . 124
F.3.2 Network termination 2 . 125
F.3.3 Local loop . 125
F.4 X.25 reference configuration . 125
F.4.1 Data Terminal Equipment (DTE) . 125
F.4.2 PAD equipment . 126
F.5 GSM reference configuration . 126
F.5.1 Base station substation . 126
F.5.2 Mobile station . 126
F.6 IEEE 802 reference configuration . 126
F.6.1 Bridge . 126
F.6.2 Gateway . 126
F.7 Public access service reference configurations . 127
F.7.1 Fixed public access service reference configuration . 127
Annex G (informative): Compatibility of DECT and GSM authentication . 128
G.1 Introduction . 128
G.2 SIM and DAM functionality . 128
G.3 Using an SIM for DECT authentication . 129
G.4 Using a DAM for GSM authentication . 129
Annex H (normative): DECT Standard Authentication Algorithm (DSAA) . 130
Annex I (informative): Void . 131
Annex J (normative): DECT Standard Cipher (DSC) . 132
Annex K (normative): Clarifications, bit mappings and examples for DSAA and DSC . 133
K.1 Ambiguities concerning the DSAA . 133
K.2 Ambiguities concerning the DSC DECT-standard cipher . 134
Annex L (normative): DECT Standard Authentication Algorithm #2 (DSAA2) . 136
L.1 Introduction . 136
L.2 Operation of the Authentication Algorithm . 136
L.2.1 DSAA2-1 . 136
L.2.2 DSAA2-2 . 137
L.3 Test Sets . 138
L.3.1 DSAA2-1 . 138
L.3.2 DSAA2-2 . 141
L.4 DSAA2 Examples . 144
L.4.1 Subscription with Key Allocation . 144
L.4.1.1 PP AC Authentication . 145
L.4.1.2 FP AC Authentication . 146
L.4.2 DCK Allocation through PP UAK Authentication . 146
L.4.2.1 PP UAK Authentication . 146
L.4.2.2 Derivation of 64 bit DCK for DSC . 147
L.5 DCK to CK mapping . 147
Annex M (normative): DECT Standard Cipher #2 (DSC2) . 148
M.1 Introduction . 148
M.2 Operation of the Cipher . 148
M.3 Test Sets . 149
M.4 DSC2 Test Set . 151
M.5 Mapping of DECT values into AES-128 plaintext . 153
Annex N (normative): CCM Authenticated Encryption . 154
N.1 Introduction . 154
N.1.1 Key management . 154
N.2 Operation of the CCM encryption algorithm . 154
N.2.1 Description of the CCM algor
...
SLOVENIAN STANDARD
1 October 2013
Digital Enhanced Cordless Telecommunications (DECT) - Common Interface (CI) - Part 7: Security features
This Slovenian standard is identical to: EN 300 175-7 Version 2.5.1
ICS:
33.070.30 Digital Enhanced Cordless Telecommunications (DECT)
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

















