SIST EN 300 396-6 V1.4.1:2010

European Standard (Telecommunications series)

Terrestrial Trunked Radio (TETRA);
Direct Mode Operation (DMO);
Part 6: Security
2 ETSI EN 300 396-6 V1.4.1 (2010-07)

Reference
REN/TETRA-06178
Keywords
air interface, data, DMO, security, speech,
TETRA
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2010.
All rights reserved.
TM TM TM TM
DECT , PLUGTESTS , UMTS , TIPHON , the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
TM
3GPP is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
LTE™ is a Trade Mark of ETSI currently being registered
for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI
3 ETSI EN 300 396-6 V1.4.1 (2010-07)
Contents
Intellectual Property Rights . 5
Foreword . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 7
3 Definitions and abbreviations . 7
3.1 Definitions . 7
3.2 Abbreviations . 8
4 DMO security class . 9
4.1 General . 9
4.2 DM-2-A . 10
4.3 DM-2-B . 10
4.4 DM-2-C . 10
5 DMO call procedures . 11
5.1 General . 11
5.1.1 Security profile . 11
5.1.2 Indication of security parameters . 11
5.2 Security class on call setup . 12
5.2.1 General . 12
5.2.2 Normal behaviour . 12
5.2.3 Exceptional behaviour . 12
5.2.3.1 Call-setup with presence check . 12
5.2.3.2 Call-setup without presence check . 12
5.2.3.3 Behaviour post call-setup . 12
5.3 Security class on call follow-on . 12
5.3.1 General . 12
5.3.2 Normal behaviour . 13
5.3.3 Exceptional behaviour . 13
6 Air interface authentication and key management mechanisms . 14
6.1 Authentication . 14
6.2 Repeater mode operation . 14
6.3 Gateway mode operation . 14
6.4 Air Interface (AI) key management mechanisms . 16
6.4.1 Key grouping . 16
6.4.2 Identification of cipher keys in signalling . 18
7 Enable and disable mechanism . 18
8 Air Interface (AI) encryption . 19
8.1 General principles. 19
8.2 Encryption mechanism . 19
8.2.1 Allocation of KSS to logical channels . 20
8.3 Application of KSS to specific PDUs. 20
8.3.1 Class DM-1 . 20
8.3.2 Class DM-2A . 21
8.3.2.1 DMAC-SYNC PDU encryption . 21
8.3.2.2 DMAC-DATA PDU encryption . 21
8.3.2.3 DMAC-FRAG PDU encryption . 21
8.3.2.4 DMAC-END PDU encryption . 22
8.3.2.5 DMAC-U-SIGNAL PDU encryption . 22
8.3.2.6 Traffic channel encryption . 22
8.3.3 Class DM-2B . 23
ETSI
4 ETSI EN 300 396-6 V1.4.1 (2010-07)
8.3.3.1 DMAC-SYNC PDU encryption . 23
8.3.3.2 DMAC-DATA PDU encryption . 23
8.3.3.3 DMAC-FRAG PDU encryption . 24
8.3.3.4 DMAC-END PDU encryption . 24
8.3.3.5 DMAC-U-SIGNAL PDU encryption . 24
8.3.3.6 Traffic channel encryption . 24
8.3.4 Class DM-2C . 24
8.3.4.1 DMAC-SYNC PDU encryption . 25
8.3.4.2 DMAC-DATA PDU encryption . 26
8.3.4.3 DMAC-FRAG PDU encryption . 26
8.3.4.4 DMAC-END PDU encryption . 26
8.3.4.5 DMAC-U-SIGNAL PDU encryption . 26
8.3.4.6 Traffic channel encryption . 27
8.4 Encryption of identities in repeater and gateway presence signal . 27
9 Encryption synchronization . 30
9.1 General . 30
9.1.1 Algorithm to establish frame number to increment TVP . 31
9.1.1.1 Master DM-MS operation . 31
9.1.1.2 Slave DM-MS operation . 31
9.2 TVP used for reception of normal bursts . 32
9.3 Synchronization of calls through a repeater . 32
9.3.1 Algorithm to establish frame number to increment TVP . 33
9.3.1.1 Master DM-MS operation . 33
9.3.1.2 Slave DM-MS operation . 33
9.4 Synchronization of calls through a gateway . 33
9.5 Synchronization of data calls where data is multi-slot interleaved . 34
9.5.1 Recovery of stolen frames from interleaved data . 35
Annex A (normative): Key Stream Generator (KSG) boundary conditions . 36
A.1 Overview . . 36
A.2 Use . 37
A.3 Interfaces to the algorithm . 37
A.3.1 ECK . 37
A.3.1.1 Use of ECK in class DM-2-A and DM-2-B . 37
A.3.1.2 Use of ECK in class DM-2-C . 38
A.3.2 Keystream. 38
A.3.3 Time Variant Parameter (TVP) . 38
Annex B (normative): Boundary conditions for cryptographic algorithm TB6 . 39
Annex C (informative): Encryption control in DM-MS . 40
C.1 General . 40
C.2 Service description and primitives . 40
C.2.1 DMCC-ENCRYPT primitive . 41
C.2.2 DMC-ENCRYPTION primitive . 43
C.3 Protocol functions . 44
Annex D (informative): Bibliography . 45
History . 46

ETSI
5 ETSI EN 300 396-6 V1.4.1 (2010-07)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This European Standard (Telecommunications series) has been produced by ETSI Technical Committee Terrestrial
Trunked Radio (TETRA).
The present document is part 6 of a multi-part deliverable covering Direct Mode Operation, as identified below:
Part 1: "General network design";
Part 2: "Radio aspects";
Part 3: "Mobile Station to Mobile Station (MS-MS) Air Interface (AI) protocol";
Part 4: "Type 1 repeater air interface";
Part 5: "Gateway air interface";
Part 6: "Security";
Part 7: "Type 2 repeater air interface";
Part 8: "Protocol Implementation Conformance Statement (PICS) proforma specification";
Part 10: "Managed Direct Mode Operation (M-DMO)".
NOTE: Parts 7, 8 and 10 of this multi-part deliverable is of status "historical" and will not be updated according
to this version of the standard.

National transposition dates
Date of adoption of this EN: 15 June 2010
Date of latest announcement of this EN (doa): 30 September 2010
Date of latest publication of new National Standard
or endorsement of this EN (dop/e): 31 March 2011
Date of withdrawal of any conflicting National Standard (dow): 31 March 2011

ETSI
6 ETSI EN 300 396-6 V1.4.1 (2010-07)
1 Scope
The present document defines the Terrestrial Trunked Radio system (TETRA) Direct Mode of operation. It specifies the
basic Air Interface (AI), the interworking between Direct Mode Groups via Repeaters and interworking with the
TETRA Trunked system via Gateways. It also specifies the security aspects in TETRA Direct Mode and the intrinsic
services that are supported in addition to the basic bearer and teleservices.
The present document describes the security mechanisms in TETRA Direct Mode. It provides mechanisms for
confidentiality of control signalling and user speech and data at the AI. It also provided some implicit authentication as
a member of a group by knowledge of a shared secret encryption key.
The use of AI encryption gives both confidentiality protection against eavesdropping, and some implicit authentication.
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are necessary for the application of the present document.
[1] ETSI EN 300 392-2: "Terrestrial Trunked Radio (TETRA); Voice plus Data (V+D); Part 2: Air
Interface (AI)".
[2] ISO 7498-2: "Information processing systems - Open Systems Interconnection - Basic Reference
Model - Part 2: Security Architecture".
[3] ETSI EN 300 396-2: "Terrestrial Trunked Radio (TETRA); Technical requirements for Direct
Mode Operation (DMO); Part 2: Radio aspects".
[4] ETSI EN 300 392-7: "Terrestrial Trunked Radio (TETRA); Voice plus Data (V+D);
Part 7: Security".
[5] ETSI EN 300 396-3: "Terrestrial Trunked Radio (TETRA); Technical requirements for Direct
Mode Operation (DMO); Part 3: Mobile Station to Mobile Station (MS-MS) Air Interface (AI)
protocol".
[6] ETSI TS 100 392-15: "Terrestrial Trunked Radio (TETRA); Voice plus Data (V+D);
Part 15: TETRA frequency bands, duplex spacings and channel numbering".
[7] ETSI EN 302 109: "Terrestrial Trunked Radio (TETRA); Security; Synchronization mechanism
for end-to-end encryption".
[8] ETSI EN 300 396-5: "Terrestrial Trunked Radio (TETRA); Technical requirements for Direct
Mode Operation (DMO); Part 5: Gateway air interface".
[9] ETSI EN 300 396-4: "Terrestrial Trunked Radio (TETRA); Technical requirements for Direct
Mode Operation (DMO); Part 4: Type 1 repeater air interface".
ETSI
7 ETSI EN 300 396-6 V1.4.1 (2010-07)
2.2 Informative references
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
Not applicable.
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
air interface encryption state: status of encryption in a call (on or off)
call transaction: all of the functions associated with a complete unidirectional transmission of information during a call
NOTE: A call is made up of one or more call transactions. In a simplex call these call transactions are sequential.
(See EN 300 396-3 [5]).
carrier number: integer, N, used in TETRA to represent the frequency of the RF carrier
NOTE: See TS 100 392-15 [6].
cipher key: value that is used to determine the transformation of plain text to cipher text in a cryptographic algorithm
cipher text: data produced through the use of encipherment
NOTE: The semantic content of the resulting data is not available (ISO 7498-2 [2]).
decipherment: reversal of a corresponding reversible encipherment
NOTE: See ISO 7498-2 [2].
Direct Mode Operation (DMO): mode of simplex operation where mobile subscriber radio units may communicate
using radio frequencies which may be monitored by, but which are outside the control of, the TETRA TMO network
NOTE: DM operation is performed without intervention of any base station. (See EN 300 396-3 [5]).
DMO-net: number of DMO MSs communicating together and using common cryptographic parameters
encipherment: cryptographic transformation of data to produce cipher text
NOTE: See ISO 7498-2 [2].
encryption cipher key: cipher key used as input to the KSG, derived from an address specific cipher key and randomly
varied per channel using algorithm TB6
end-to-end encryption: encryption within or at the source end system, with the corresponding decryption occurring
only within or at the destination end system
explicit authentication: transaction initiated and completed specifically to demonstrate knowledge of a shared secret
where the secret is not revealed
implicit authentication: authenticity demonstrated by proof of knowledge of a shared secret where that demonstration
is a by-product of another function
key stream: pseudo random stream of symbols that is generated by a KSG for encipherment and decipherment
Key Stream Generator (KSG): cryptographic algorithm which produces a stream of binary digits which can be used
for encipherment and decipherment
NOTE: The initial state of the KSG is determined by the initialization value.
ETSI
8 ETSI EN 300 396-6 V1.4.1 (2010-07)
Key Stream Segment (KSS): key stream of arbitrary length
plain text: unencrypted source data
NOTE: The semantic content is available.
proprietary algorithm: algorithm which is the intellectual property of a legal entity
SCK-set: collective term for the group of 32 SCKs associated with each Individual TETRA Subscriber Identity
SCK-subset: collection of SCKs from an SCK-set, with SCKNs in numerical sequence, where every SCK in the subset
is associated with one or more different GSSIs
NOTE: Multiple SCK subsets have corresponding SCKs associated with the same GSSIs.
Static Cipher Key (SCK): predetermined cipher key that may be used to provide confidentiality in class DM-2-A,
DM-2-B and DM-2-C systems with a corresponding algorithm
synchronization value: sequence of symbols that is transmitted to the receiving terminal to synchronize the KSG in the
receiving terminal with the KSG in the transmitting terminal
synchronous stream cipher: encryption method in which a cipher text symbol completely represents the
corresponding plain text symbol
NOTE: The encryption is based on a key stream that is independent of the cipher text. In order to synchronize the
KSGs in the transmitting and the receiving terminal synchronization data is transmitted separately.
TETRA algorithm: mathematical description of a cryptographic process used for either of the security processes
authentication or encryption
Trunked Mode Operation (TMO): operations of TETRA specified in EN 300 392-2 [1]
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ACK ACKnowledgement
AI Air Interface
CK Cypher Key
CN Carrier Number
DM Direct Mode
DMAC Direct Mode Media Access Control
DMC A layer 2 Service Access Point (DMC-SAP)
DMCC Direct Mode Call Control
DMO Direct Mode Operation
DSB Direct Mode Synchronisation Burst
ECK Encryption Cipher Key
EDSI Encrypted Direct-mode Short Identity
EDSI-URTC Encrypted DMO Short Identity-Usage Restriction Type Confidentiality
EUIV EDSI-URTC Initialisation Vector
FN Frame Number
GSSI Group Short Subscriber Identity
GTSI Group TETRA Subscriber Identity
KAG Key Association Group
KSG Key Stream Generator
KSS Key Stream Segment
MAC Medium Access Control
MDE Message Dependent Elements
MNI Mobile Network Identity
MS Mobile Station
OTAR Over The Air Rekeying
PDU Protocol Data Unit
PICS Protocol Implementation Conformance Statement
REP REPeater
ETSI
9 ETSI EN 300 396-6 V1.4.1 (2010-07)
RF Radio Frequency
SAP Service Access Point
SCH Signalling CHannel
SCH/F Full SCH
SCH/H Half SCH
SCH/S Synchronization SCH
SCK Static Cipher Key
SCKN Static Cipher Key Number
SCK-VN SCK-Version Number
SDS Short Data Service
SDU Service Data Unit
SSI Short Subscriber Identity
STCH STolen CHannel
SwMI Switching and Management Infrastructure
SYNC SYNChronization
TCH Traffic CHannel
TDMA Time Division Media Access
TMO Trunked Mode Operation
TN Timeslot Number
TVP Time Variant Parameter
U-PLANE User-PLANE
URT Usage Restriction Type
URTC Usage Restriction Type Confidentiality
V+D Voice + Data
XOR eXclusive OR
4 DMO security class
4.1 General
TETRA security is defined in terms of class. DMO security offers 4 classes defined in table 4.1.
NOTE: DMO offers equivalence to TMO security class 1 (no encryption enabled) and to TMO security class 2
(SCK encryption supported).
Table 4.1: Direct Mode security class
DMO security class Remark
DM-1 No encryption applied.
DM-2-A The DM-SDU and any related traffic is AI encrypted. Addresses are not encrypted.
DM-2-B The destination address (SSI), DM-SDU and any related traffic are AI encrypted.
DM-2-C In the DMAC-SYNC PDU, the PDU is encrypted from destination address element and
onwards except for source address type element, and any related traffic is AI encrypted. In the
DMAC-DATA PDU, the PDU is encrypted from the destination address type element and
onwards.
NOTE 1: Except in DMAC-DATA PDUs for class DM-2-C the destination and source address type elements are never
encrypted.
NOTE 2: DM-1 is considered the lowest level of security.
NOTE 3: DM-2-A through DM-2-B to DM-2-C provide progressively increased levels of security by encrypting more of
the signalling content.
The security class is identified in DMAC-SYNC PDUs by the AI encryption state element (see table 4.2).
ETSI
10 ETSI EN 300 396-6 V1.4.1 (2010-07)
Table 4.2: AI encryption state element encoding
Information element Length Value Class
Air Interface encryption state 2 00 DM-1
10 DM-2-A
11 DM-2-B
01 DM-2-C
On establishing a call the first master shall establish the security class of the call. The security class should be
maintained for the duration of the call.
4.2 DM-2-A
The purpose of security class DM-2-A is to provide confidentiality of user traffic and signalling in applications where it
is not necessary to hide the addressing information.
In addition security class DM-2-A allows calls to be made through a repeater where the repeater is not provided with
the capability to encrypt or decrypt messages by maintaining the layer 2 (MAC) elements of any signalling in clear.
Addresses identified by the Usage Restriction Type (URT) field in repeaters, gateways and combined
repeater-gateways, shall be in clear (i.e. the Encrypted DMO Short Identity-Usage Restriction Type Confidentiality
(EDSI-URTC) shall not apply).
4.3 DM-2-B
The purpose of security class DM-2-B is to provide confidentiality of user traffic and signalling.
Security class DM-2-B extends the confidentiality applied to signalling over that provided in class DM-2-A to encrypt
parts of the MAC header. The encryption allows repeater operation to be made without requiring the repeater to be able
to encrypt and decrypt transmissions unless it wishes to check the validity of the destination address. In class DM-2-B
because the source address is in clear, a pre-emptor can identify the pre-emption slots and hence the call can be
pre-empted even if the pre-emptor does not have the encryption key being used by the call master.
Addresses identified by the URT field in repeaters, gateways and combined repeater-gateways, should be encrypted
(i.e. EDSI-URTC should apply).
4.4 DM-2-C
The purpose of security class DM-2-C is to provide confidentiality of user traffic and signalling including all identities
other than those of repeaters and gateways.
In addition in class DM-2-C the bulk of the MAC header elements are encrypted. Where repeaters are used, the repeater
requires the ability to encrypt and decrypt all transmissions. In class DM-2-C calls can only be pre-empted by an MS
which has the SCK in use by the call master.
Addresses identified by the URT field in repeaters, gateways and combined repeater-gateways, should be encrypted
(i.e. EDSI-URTC should apply).
ETSI
11 ETSI EN 300 396-6 V1.4.1 (2010-07)
5 DMO call procedures
5.1 General
5.1.1 Security profile
An MS should maintain a security profile for each destination address. The security profile should contain at least the
following for each destination address:
• KSG, as identified by its KSG-identifier;
• current SCK, as identified by SCKN, for transmission;
• valid SCKs, as identified by SCKN, for reception;
• the preferred, and minimum, security class to be applied to calls for transmission;
• the minimum security class to be applied to calls for reception; and
• the minimum security class that a master will accept in a pre-emption request.
The preferred security class is the security class to be used for transmission when the MS is acting as a call master. The
minimum security class for transmission is the lowest security class that the MS shall use to transmit responses to other
signalling.
NOTE 1: Minimum may be the same as preferred.
NOTE 2: A default profile may be maintained in addition to a profile for specific addresses.
NOTE 3: A profile should exist for received individual calls (i.e. for calls where destination address is that of the
receiving MS).
NOTE 4: If the preferred security class to be applied to calls for transmission is DM-2-C the minimum security
class that a master will accept in a pre-emption request should be set to class DM-2-C MS.
5.1.2 Indication of security parameters
In call setup procedures the DMAC-SYNC PDU found in logical channel SCH/S shall contain the parameters required
to identify the security class of the call, the encryption algorithm and the identity of the key in use, in addition to the
current value of the Time Variant Parameter used to synchronize the encryption devices (see also annex A).
The DMAC-SYNC PDU is defined in clause 9 of EN 300 396-3 [5] and contains the security elements identified in
table 5.1.
Table 5.1: Security elements of DMAC-SYNC PDU contents in SCH/S
Information element Length Value Remark
Air interface encryption state 2 Security class (see note 1)
Time Variant Parameter 29 Any
Reserved 1 0 Default value is 0
KSG number 4
Encryption key number 5 Identifies SCKN (see note 2)
NOTE 1: If set to DM-1 the other security elements shall not be present.
NOTE 2: The encoding is such that 00000 indicates SCKN = 1, 11111 indicates SCKN = 32.
2 2
ETSI
12 ETSI EN 300 396-6 V1.4.1 (2010-07)
5.2 Security class on call setup
5.2.1 General
On establishing a call the first master shall establish the security class of the call by setting the Air Interface (AI)
encryption state element of DMAC-SYNC PDU using data contained in the master's security profile.
Once an SCK has been established for a call transaction the master shall make no changes to the ciphering parameters
(key, algorithm, class) within that call transaction.
The security class and algorithm should be maintained for the duration of the call. The key may be different in different
transactions because each MS may have a different definition of which SCKN is current.
5.2.2 Normal behaviour
On receipt of call setup the DM-MS shall extract the ciphering parameters from the DMAC-SYNC PDU. These
parameters shall be compared with the DM-MS's predefined security profile associated with the destination address.
If the parameters match the security profile (i.e. KSG-id identical, SCKN belongs to the KAG specified for the address,
security class is equal to or greater than the minimum required for the destination address) the call may be accepted
(i.e. speech or data path opened).
5.2.3 Exceptional behaviour
On receipt of call setup the slave DM-MS shall extract the ciphering parameters from the DMAC-SYNC PDU. These
parameters shall be compared with the DM-MS's predefined security profile associated with the destination address.
5.2.3.1 Call-setup with presence check
If the parameters do not match the security profile (i.e. KSG-id is not identical, or SCKN does not belong to the KAG
specified for the address, or security class is not equal to or greater than the minimum required for the destination
address) the slave should ignore or reject the call (i.e. speech or data path closed) with reason "security parameter
mismatch".
5.2.3.2 Call-setup without presence check
If the parameters do not match the security profile (i.e. KSG-id is not identical, or SCKN does not belong to the KAG
specified for the address, or security class is not equal to or greater than the minimum required for the destination
address), the slave should ignore the call (i.e. speech or data path closed).
5.2.3.3 Behaviour post call-setup
Once an SCK has been established for a call transaction the master shall make no changes to the ciphering parameters
(key, algorithm, class) within that call transaction. If the slave DM-MS perceives that such a change is being attempted
the slave DM-MS (receiver) shall ignore the change and maintain the original parameters for the remainder of that call
transaction.
5.3 Security class on call follow-on
5.3.1 General
The slave or idle DM-MS shall have a method of determining the minimum security class required by any subsequent
call transaction in the call as defined by the security profile (see clause 5.1.1).
If the follow on transaction is sent to the same address, the new call master shall select the SCKN from KAG associated
with that address that it considers to be the current key (which may be different to the SCKN used by the previous call
master).
ETSI
13 ETSI EN 300 396-6 V1.4.1 (2010-07)
If the slave or idle DM-MS sends any request to the master (e.g. pre-emption, changeover), it shall only use the SCKN
that it considers to be current in the associated KAG to cipher the request.
If a pre-emption request is received using a different class to that of the call being pre-empted, any response to the
pre-emption request shall be sent using the lower of the two security classes.
NOTE: A master may ignore a pre-emption request (without sending a response) if the security class used for the
pre-emption request is insufficient.
The master shall respond to any pre-emption request using the SCKN that it considers to be the current SCK for the
ongoing call (as indicated by the security profile for the ongoing call). This shall be the same SCKN that the master was
using for the call transaction prior to receiving the pre-emption request.
Any pre-emption request shall be sent in a manner that the current call master can understand.
5.3.2 Normal behaviour
When making an attempt to follow on a pre-existing call the new call master shall establish a new independent TVP.
On receipt of call setup the DM-MS shall extract the encryption parameters from the DMAC-SYNC PDU. These
parameters shall be compared with the predefined security profile associated with the destination address. If the
parameters match in full the call may be accepted (i.e. speech or data path opened).
5.3.3 Exceptional behaviour
On receipt of call setup the DM-MS shall extract the encryption parameters from the DMAC-SYNC PDU. These
parameters shall be compared with the predefined security profile associated with the destination address. If the
parameters do not match the security profile (i.e. KSG-id is not identical, SCKN does not belong the KAG specified for
the address, or security class is not equal to or greater than the minimum required for the destination address) the call
should be rejected (i.e. speech or data path shall be closed) with reason "security parameter mismatch" in call setup with
presence check acknowledgement or ignored where no presence check is used.
If the minimum security class required by any subsequent call transaction in the call is not attained the call shall be
rejected.
If the minimum security class required by the master to accept any pre-emption request is not attained, or the
parameters do not match in full the predefined security profile associated with the destination address of the call, the
pre-emption request shall be ignored or rejected. If a pre-emption request is received using a different class to that of the
call being pre-empted, the response to the pre-emption request should be sent using the lower of the two security
classes. An MS shall use only class 2C to attempt to pre-empt an ongoing class 2C call.
NOTE: A master may ignore a pre-emption request (without sending a response) if the security class used for the
pre-emption request is insufficient.
ETSI
14 ETSI EN 300 396-6 V1.4.1 (2010-07)
6 Air interface authentication and key management
mechanisms
6.1 Authentication
An explicit authentication protocol between mobile terminals in DMO is not provided. The fact that static cipher keys
are used (which are generated, controlled and distributed through the DMO system security management which may use
the TMO system or may be distributed by a fill gun) provides an implicit authentication between mobile stations as
belonging to the same DMO net when successful communication takes place.
In dual-watch mode a DM-MS shall be a valid member of the TETRA TMO network for its TMO operation and when
operating in TMO shall operate in accordance with the security class of that network using the procedures defined in
EN 300 392-7 [4].
In dual-watch mode a DM-MS operating in DMO shall operate in accordance with the procedures defined in the present
document.
6.2 Repeater mode operation
A repeater shall not modify the security class of a call. A repeater shall not modify the KSG-id and SCK applied to the
call.
NOTE 1: The DPRES-SYNC signal is not mandatory on a free channel. Where DPRES-SYNC is not broadcast on
a free channel there needs to be a prior arrangement to identify the channel, location and other parameters
normally present in DPRES-SYNC.
NOTE 2: The DPRES-SYNC signal is sent in clear. Therefore it may be preferable for users who operate in class
DM-2-C (or class DM-2-B) to obtain their authorization to use the repeater by prior arrangement so that
the repeater does not broadcast their addresses in the DPRES-SYNC signal.
6.3 Gateway mode operation
Calls established through a gateway (i.e. DM-GATE or DM-REP/GATE) shall be considered as multi-hop calls and as
such shall use a tandem call setup protocol (i.e. DMO to GATE, GATE to TMO).
In gateway mode the gateway shall be a valid member of the TETRA TMO network and shall operate in accordance
with the security class of that network using the procedures defined in EN 300 392-7 [4].
The gateway presence signal (see EN 300 396-5 [8], clauses 13.4.6.2 and 14.1.2) shall indicate the encryption state
(encryption applied or clear operation) of the TMO system using the "gateway encryption state on SwMI" information
element defined in table 6.1. DMO systems interoperating with TMO systems should use the same encryption state.
EXAMPLE: If TMO encryption state is on, the DMO terminal should communicate in class DM-2-A or
DM-2-B or DM-2-C.
Table 6.1: Gateway encryption state on SwMI information element encoding
Information element Length Value Remark
Gateway encryption state on SwMI 1 0 The link to the SwMI is not encrypted (Gateway
operating in class 1).
1 The link to the SwMI is encrypted (Gateway operating in
class 2 or 3).
NOTE 1: The value of the element shall follow the encryption state of the link to the SwMI.
NOTE 2: There is no relationship between DMO and TMO encryption states.

Class 2 TMO systems interworking with DMO systems operating in encrypted mode should not use the same SCK on
the TMO side of the gateway as is used on the DMO-net.
ETSI
15 ETSI EN 300 396-6 V1.4.1 (2010-07)
The gateway shall be considered as having two synchronized protocol stacks with the TMO network acting as the
synchronization master for the call (see figure 6.1).
NOTE 1: The TVP in DMO used for synchronization remains independent of the frame numbering used in TMO.
DMO Protocol DMO Protocol TMO Protocol TMO Protocol

CALL SETUP #2
CALL SETUP #1
Layer 3 Layer 3 Layer 3 Layer 3
TMO Encryption
DMO Encryption TMO Encryption
DMO Encryption
Layer 2 Layer 2 Layer 2 Layer 2
Layer 1 Layer 1 Layer 1 Layer 1
DM Mobile
GATEWAY TMO SwMI
Figure 6.1: TETRA DMO to TETRA TMO gateway
On initial call setup from a DMO-net to a TMO-net the keys in use are as shown in figure 6.2.
...

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Terrestrial Trunked Radio (TETRA) - Direct Mode Operation (DMO) - Part 6: Security33.070.10Prizemni snopovni radio (TETRA)Terrestrial Trunked Radio (TETRA)ICS:Ta slovenski standard je istoveten z:EN 300 396-6 Version 1.4.1SIST EN 300 396-6 V1.4.1:2010en01-oktober-2010SIST EN 300 396-6 V1.4.1:2010SLOVENSKI
STANDARD
ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 2
Reference REN/TETRA-06178 Keywords air interface, data, DMO, security, speech, TETRA ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00
Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88
Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2010. All rights reserved.
DECTTM, PLUGTESTSTM, UMTSTM, TIPHONTM, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. LTE™ is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association. SIST EN 300 396-6 V1.4.1:2010

ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 3 Contents Intellectual Property Rights . 5 Foreword . 5 1 Scope . 6 2 References . 6 2.1 Normative references . 6 2.2 Informative references . 7 3 Definitions and abbreviations . 7 3.1 Definitions . 7 3.2 Abbreviations . 8 4 DMO security class . 9 4.1 General . 9 4.2 DM-2-A . 10 4.3 DM-2-B . 10 4.4 DM-2-C . 10 5 DMO call procedures . 11 5.1 General . 11 5.1.1 Security profile . 11 5.1.2 Indication of security parameters . 11 5.2 Security class on call setup . 12 5.2.1 General . 12 5.2.2 Normal behaviour . 12 5.2.3 Exceptional behaviour . 12 5.2.3.1 Call-setup with presence check . 12 5.2.3.2 Call-setup without presence check . 12 5.2.3.3 Behaviour post call-setup . 12 5.3 Security class on call follow-on . 12 5.3.1 General . 12 5.3.2 Normal behaviour . 13 5.3.3 Exceptional behaviour . 13 6 Air interface authentication and key management mechanisms . 14 6.1 Authentication . 14 6.2 Repeater mode operation . 14 6.3 Gateway mode operation . 14 6.4 Air Interface (AI) key management mechanisms . 16 6.4.1 Key grouping . 16 6.4.2 Identification of cipher keys in signalling . 18 7 Enable and disable mechanism . 18 8 Air Interface (AI) encryption . 19 8.1 General principles. 19 8.2 Encryption mechanism . 19 8.2.1 Allocation of KSS to logical channels . 20 8.3 Application of KSS to specific PDUs. 20 8.3.1 Class DM-1 . 20 8.3.2 Class DM-2A . 21 8.3.2.1 DMAC-SYNC PDU encryption . 21 8.3.2.2 DMAC-DATA PDU encryption . 21 8.3.2.3 DMAC-FRAG PDU encryption . 21 8.3.2.4 DMAC-END PDU encryption . 22 8.3.2.5 DMAC-U-SIGNAL PDU encryption . 22 8.3.2.6 Traffic channel encryption . 22 8.3.3 Class DM-2B . 23 SIST EN 300 396-6 V1.4.1:2010

ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 4 8.3.3.1 DMAC-SYNC PDU encryption . 23 8.3.3.2 DMAC-DATA PDU encryption . 23 8.3.3.3 DMAC-FRAG PDU encryption . 24 8.3.3.4 DMAC-END PDU encryption . 24 8.3.3.5 DMAC-U-SIGNAL PDU encryption . 24 8.3.3.6 Traffic channel encryption . 24 8.3.4 Class DM-2C . 24 8.3.4.1 DMAC-SYNC PDU encryption . 25 8.3.4.2 DMAC-DATA PDU encryption . 26 8.3.4.3 DMAC-FRAG PDU encryption . 26 8.3.4.4 DMAC-END PDU encryption . 26 8.3.4.5 DMAC-U-SIGNAL PDU encryption . 26 8.3.4.6 Traffic channel encryption . 27 8.4 Encryption of identities in repeater and gateway presence signal . 27 9 Encryption synchronization . 30 9.1 General . 30 9.1.1 Algorithm to establish frame number to increment TVP . 31 9.1.1.1 Master DM-MS operation . 31 9.1.1.2 Slave DM-MS operation . 31 9.2 TVP used for reception of normal bursts . 32 9.3 Synchronization of calls through a repeater . 32 9.3.1 Algorithm to establish frame number to increment TVP . 33 9.3.1.1 Master DM-MS operation . 33 9.3.1.2 Slave DM-MS operation . 33 9.4 Synchronization of calls through a gateway . 33 9.5 Synchronization of data calls where data is multi-slot interleaved . 34 9.5.1 Recovery of stolen frames from interleaved data . 35 Annex A (normative): Key Stream Generator (KSG) boundary conditions . 36 A.1 Overview . 36 A.2 Use . 37 A.3 Interfaces to the algorithm . 37 A.3.1 ECK . 37 A.3.1.1 Use of ECK in class DM-2-A and DM-2-B . 37 A.3.1.2 Use of ECK in class DM-2-C . 38 A.3.2 Keystream. 38 A.3.3 Time Variant Parameter (TVP) . 38 Annex B (normative): Boundary conditions for cryptographic algorithm TB6 . 39 Annex C (informative): Encryption control in DM-MS . 40 C.1 General . 40 C.2 Service description and primitives . 40 C.2.1 DMCC-ENCRYPT primitive . 41 C.2.2 DMC-ENCRYPTION primitive . 43 C.3 Protocol functions . 44 Annex D (informative): Bibliography . 45 History . 46
ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 5 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This European Standard (Telecommunications series) has been produced by ETSI Technical Committee Terrestrial Trunked Radio (TETRA). The present document is part 6 of a multi-part deliverable covering Direct Mode Operation, as identified below: Part 1: "General network design"; Part 2: "Radio aspects"; Part 3: "Mobile Station to Mobile Station (MS-MS) Air Interface (AI) protocol"; Part 4: "Type 1 repeater air interface"; Part 5: "Gateway air interface"; Part 6: "Security"; Part 7: "Type 2 repeater air interface"; Part 8: "Protocol Implementation Conformance Statement (PICS) proforma specification"; Part 10: "Managed Direct Mode Operation (M-DMO)". NOTE: Parts 7, 8 and 10 of this multi-part deliverable is of status "historical" and will not be updated according to this version of the standard.
National transposition dates Date of adoption of this EN: 15 June 2010 Date of latest announcement of this EN (doa): 30 September 2010 Date of latest publication of new National Standard or endorsement of this EN (dop/e):
31 March 2011 Date of withdrawal of any conflicting National Standard (dow): 31 March 2011
ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 6 1 Scope The present document defines the Terrestrial Trunked Radio system (TETRA) Direct Mode of operation. It specifies the basic Air Interface (AI), the interworking between Direct Mode Groups via Repeaters and interworking with the TETRA Trunked system via Gateways. It also specifies the security aspects in TETRA Direct Mode and the intrinsic services that are supported in addition to the basic bearer and teleservices. The present document describes the security mechanisms in TETRA Direct Mode. It provides mechanisms for confidentiality of control signalling and user speech and data at the AI. It also provided some implicit authentication as a member of a group by knowledge of a shared secret encryption key. The use of AI encryption gives both confidentiality protection against eavesdropping, and some implicit authentication.
2 References References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are necessary for the application of the present document. [1] ETSI EN 300 392-2: "Terrestrial Trunked Radio (TETRA); Voice plus Data (V+D); Part 2: Air Interface (AI)". [2] ISO 7498-2: "Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture". [3] ETSI EN 300 396-2: "Terrestrial Trunked Radio (TETRA); Technical requirements for Direct Mode Operation (DMO); Part 2: Radio aspects". [4] ETSI EN 300 392-7: "Terrestrial Trunked Radio (TETRA); Voice plus Data (V+D); Part 7: Security". [5] ETSI EN 300 396-3: "Terrestrial Trunked Radio (TETRA); Technical requirements for Direct Mode Operation (DMO); Part 3: Mobile Station to Mobile Station (MS-MS) Air Interface (AI) protocol". [6] ETSI TS 100 392-15: "Terrestrial Trunked Radio (TETRA); Voice plus Data (V+D); Part 15: TETRA frequency bands, duplex spacings and channel numbering". [7] ETSI EN 302 109: "Terrestrial Trunked Radio (TETRA); Security; Synchronization mechanism for end-to-end encryption". [8] ETSI EN 300 396-5: "Terrestrial Trunked Radio (TETRA); Technical requirements for Direct Mode Operation (DMO); Part 5: Gateway air interface". [9] ETSI EN 300 396-4: "Terrestrial Trunked Radio (TETRA); Technical requirements for Direct Mode Operation (DMO); Part 4: Type 1 repeater air interface". SIST EN 300 396-6 V1.4.1:2010

ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 7 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. Not applicable. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: air interface encryption state: status of encryption in a call (on or off) call transaction: all of the functions associated with a complete unidirectional transmission of information during a call NOTE: A call is made up of one or more call transactions. In a simplex call these call transactions are sequential. (See EN 300 396-3 [5]). carrier number: integer, N, used in TETRA to represent the frequency of the RF carrier
NOTE: See TS 100 392-15 [6]. cipher key: value that is used to determine the transformation of plain text to cipher text in a cryptographic algorithm cipher text: data produced through the use of encipherment NOTE: The semantic content of the resulting data is not available (ISO 7498-2 [2]). decipherment: reversal of a corresponding reversible encipherment
NOTE: See ISO 7498-2 [2]. Direct Mode Operation (DMO): mode of simplex operation where mobile subscriber radio units may communicate using radio frequencies which may be monitored by, but which are outside the control of, the TETRA TMO network NOTE: DM operation is performed without intervention of any base station. (See EN 300 396-3 [5]). DMO-net: number of DMO MSs communicating together and using common cryptographic parameters encipherment: cryptographic transformation of data to produce cipher text NOTE: See ISO 7498-2 [2]. encryption cipher key: cipher key used as input to the KSG, derived from an address specific cipher key and randomly varied per channel using algorithm TB6 end-to-end encryption: encryption within or at the source end system, with the corresponding decryption occurring only within or at the destination end system explicit authentication: transaction initiated and completed specifically to demonstrate knowledge of a shared secret where the secret is not revealed implicit authentication: authenticity demonstrated by proof of knowledge of a shared secret where that demonstration is a by-product of another function key stream: pseudo random stream of symbols that is generated by a KSG for encipherment and decipherment Key Stream Generator (KSG): cryptographic algorithm which produces a stream of binary digits which can be used for encipherment and decipherment NOTE: The initial state of the KSG is determined by the initialization value.
ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 8 Key Stream Segment (KSS): key stream of arbitrary length plain text: unencrypted source data NOTE: The semantic content is available. proprietary algorithm: algorithm which is the intellectual property of a legal entity SCK-set: collective term for the group of 32 SCKs associated with each Individual TETRA Subscriber Identity SCK-subset: collection of SCKs from an SCK-set, with SCKNs in numerical sequence, where every SCK in the subset is associated with one or more different GSSIs NOTE: Multiple SCK subsets have corresponding SCKs associated with the same GSSIs. Static Cipher Key (SCK): predetermined cipher key that may be used to provide confidentiality in class DM-2-A, DM-2-B and DM-2-C systems with a corresponding algorithm synchronization value: sequence of symbols that is transmitted to the receiving terminal to synchronize the KSG in the receiving terminal with the KSG in the transmitting terminal synchronous stream cipher: encryption method in which a cipher text symbol completely represents the corresponding plain text symbol NOTE: The encryption is based on a key stream that is independent of the cipher text. In order to synchronize the KSGs in the transmitting and the receiving terminal synchronization data is transmitted separately. TETRA algorithm: mathematical description of a cryptographic process used for either of the security processes authentication or encryption Trunked Mode Operation (TMO): operations of TETRA specified in EN 300 392-2 [1] 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: ACK ACKnowledgement AI Air Interface CK Cypher Key CN Carrier Number DM Direct Mode DMAC Direct Mode Media Access Control DMC A layer 2 Service Access Point (DMC-SAP) DMCC Direct Mode Call Control DMO Direct Mode Operation DSB Direct Mode Synchronisation Burst ECK Encryption Cipher Key EDSI Encrypted Direct-mode Short Identity EDSI-URTC Encrypted DMO Short Identity-Usage Restriction Type Confidentiality EUIV EDSI-URTC Initialisation Vector FN Frame Number GSSI Group Short Subscriber Identity GTSI Group TETRA Subscriber Identity KAG Key Association Group KSG Key Stream Generator KSS Key Stream Segment MAC Medium Access Control MDE Message Dependent Elements MNI Mobile Network Identity MS Mobile Station OTAR Over The Air Rekeying PDU Protocol Data Unit PICS Protocol Implementation Conformance Statement REP REPeater SIST EN 300 396-6 V1.4.1:2010

ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 9 RF Radio Frequency SAP Service Access Point SCH Signalling CHannel SCH/F Full SCH SCH/H Half SCH SCH/S Synchronization SCH SCK Static Cipher Key SCKN Static Cipher Key Number SCK-VN SCK-Version Number SDS Short Data Service SDU Service Data Unit SSI Short Subscriber Identity STCH STolen CHannel SwMI Switching and Management Infrastructure SYNC SYNChronization TCH Traffic CHannel TDMA Time Division Media Access TMO Trunked Mode Operation TN Timeslot Number TVP Time Variant Parameter U-PLANE User-PLANE URT Usage Restriction Type URTC Usage Restriction Type Confidentiality V+D Voice + Data XOR eXclusive OR 4 DMO security class 4.1 General TETRA security is defined in terms of class. DMO security offers 4 classes defined in table 4.1. NOTE: DMO offers equivalence to TMO security class 1 (no encryption enabled) and to TMO security class 2 (SCK encryption supported).
Table 4.1: Direct Mode security class DMO security class Remark DM-1 No encryption applied. DM-2-A The DM-SDU and any related traffic is AI encrypted. Addresses are not encrypted. DM-2-B The destination address (SSI), DM-SDU and any related traffic are AI encrypted. DM-2-C In the DMAC-SYNC PDU, the PDU is encrypted from destination address element and onwards except for source address type element, and any related traffic is AI encrypted. In the DMAC-DATA PDU, the PDU is encrypted from the destination address type element and onwards. NOTE 1: Except in DMAC-DATA PDUs for class DM-2-C the destination and source address type elements are never encrypted. NOTE 2: DM-1 is considered the lowest level of security.
NOTE 3: DM-2-A through DM-2-B to DM-2-C provide progressively increased levels of security by encrypting more of the signalling content.
The security class is identified in DMAC-SYNC PDUs by the AI encryption state element (see table 4.2). SIST EN 300 396-6 V1.4.1:2010

ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 10 Table 4.2: AI encryption state element encoding Information element Length Value Class Air Interface encryption state 2 002 DM-1
102 DM-2-A
112 DM-2-B
012 DM-2-C
On establishing a call the first master shall establish the security class of the call. The security class should be maintained for the duration of the call. 4.2 DM-2-A The purpose of security class DM-2-A is to provide confidentiality of user traffic and signalling in applications where it is not necessary to hide the addressing information.
In addition security class DM-2-A allows calls to be made through a repeater where the repeater is not provided with the capability to encrypt or decrypt messages by maintaining the layer 2 (MAC) elements of any signalling in clear. Addresses identified by the Usage Restriction Type (URT) field in repeaters, gateways and combined repeater-gateways, shall be in clear (i.e. the Encrypted DMO Short Identity-Usage Restriction Type Confidentiality (EDSI-URTC) shall not apply). 4.3 DM-2-B The purpose of security class DM-2-B is to provide confidentiality of user traffic and signalling.
Security class DM-2-B extends the confidentiality applied to signalling over that provided in class DM-2-A to encrypt parts of the MAC header. The encryption allows repeater operation to be made without requiring the repeater to be able to encrypt and decrypt transmissions unless it wishes to check the validity of the destination address. In class DM-2-B because the source address is in clear, a pre-emptor can identify the pre-emption slots and hence the call can be pre-empted even if the pre-emptor does not have the encryption key being used by the call master. Addresses identified by the URT field in repeaters, gateways and combined repeater-gateways, should be encrypted (i.e. EDSI-URTC should apply). 4.4 DM-2-C The purpose of security class DM-2-C is to provide confidentiality of user traffic and signalling including all identities other than those of repeaters and gateways. In addition in class DM-2-C the bulk of the MAC header elements are encrypted. Where repeaters are used, the repeater requires the ability to encrypt and decrypt all transmissions. In class DM-2-C calls can only be pre-empted by an MS which has the SCK in use by the call master. Addresses identified by the URT field in repeaters, gateways and combined repeater-gateways, should be encrypted (i.e. EDSI-URTC should apply). SIST EN 300 396-6 V1.4.1:2010

ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 11 5 DMO call procedures 5.1 General 5.1.1 Security profile An MS should maintain a security profile for each destination address. The security profile should contain at least the following for each destination address:
• KSG, as identified by its KSG-identifier; • current SCK, as identified by SCKN, for transmission;
• valid SCKs, as identified by SCKN, for reception; • the preferred, and minimum, security class to be applied to calls for transmission; • the minimum security class to be applied to calls for reception; and • the minimum security class that a master will accept in a pre-emption request. The preferred security class is the security class to be used for transmission when the MS is acting as a call master. The minimum security class for transmission is the lowest security class that the MS shall use to transmit responses to other signalling. NOTE 1: Minimum may be the same as preferred. NOTE 2: A default profile may be maintained in addition to a profile for specific addresses. NOTE 3: A profile should exist for received individual calls (i.e. for calls where destination address is that of the receiving MS). NOTE 4: If the preferred security class to be applied to calls for transmission is DM-2-C the minimum security class that a master will accept in a pre-emption request should be set to class DM-2-C MS. 5.1.2 Indication of security parameters In call setup procedures the DMAC-SYNC PDU found in logical channel SCH/S shall contain the parameters required to identify the security class of the call, the encryption algorithm and the identity of the key in use, in addition to the current value of the Time Variant Parameter used to synchronize the encryption devices (see also annex A). The DMAC-SYNC PDU is defined in clause 9 of EN 300 396-3 [5] and contains the security elements identified in table 5.1. Table 5.1: Security elements of DMAC-SYNC PDU contents in SCH/S Information element Length Value Remark Air interface encryption state 2
Security class (see note 1) Time Variant Parameter 29 Any
Reserved 1 0 Default value is 0 KSG number 4
Encryption key number 5
Identifies SCKN (see note 2) NOTE 1: If set to DM-1 the other security elements shall not be present. NOTE 2: The encoding is such that 000002 indicates SCKN = 1, 111112 indicates SCKN = 32.
ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 12 5.2 Security class on call setup 5.2.1 General On establishing a call the first master shall establish the security class of the call by setting the Air Interface (AI) encryption state element of DMAC-SYNC PDU using data contained in the master's security profile. Once an SCK has been established for a call transaction the master shall make no changes to the ciphering parameters (key, algorithm, class) within that call transaction. The security class and algorithm should be maintained for the duration of the call. The key may be different in different transactions because each MS may have a different definition of which SCKN is current. 5.2.2 Normal behaviour On receipt of call setup the DM-MS shall extract the ciphering parameters from the DMAC-SYNC PDU. These parameters shall be compared with the DM-MS's predefined security profile associated with the destination address.
If the parameters match the security profile (i.e. KSG-id identical, SCKN belongs to the KAG specified for the address, security class is equal to or greater than the minimum required for the destination address) the call may be accepted (i.e. speech or data path opened). 5.2.3 Exceptional behaviour On receipt of call setup the slave DM-MS shall extract the ciphering parameters from the DMAC-SYNC PDU. These parameters shall be compared with the DM-MS's predefined security profile associated with the destination address. 5.2.3.1 Call-setup with presence check If the parameters do not match the security profile (i.e. KSG-id is not identical, or SCKN does not belong to the KAG specified for the address, or security class is not equal to or greater than the minimum required for the destination address) the slave should ignore or reject the call (i.e. speech or data path closed) with reason "security parameter mismatch".
5.2.3.2 Call-setup without presence check If the parameters do not match the security profile (i.e. KSG-id is not identical, or SCKN does not belong to the KAG specified for the address, or security class is not equal to or greater than the minimum required for the destination address), the slave should ignore the call (i.e. speech or data path closed). 5.2.3.3 Behaviour post call-setup Once an SCK has been established for a call transaction the master shall make no changes to the ciphering parameters (key, algorithm, class) within that call transaction. If the slave DM-MS perceives that such a change is being attempted the slave DM-MS (receiver) shall ignore the change and maintain the original parameters for the remainder of that call transaction. 5.3 Security class on call follow-on 5.3.1 General The slave or idle DM-MS shall have a method of determining the minimum security class required by any subsequent call transaction in the call as defined by the security profile (see clause 5.1.1). If the follow on transaction is sent to the same address, the new call master shall select the SCKN from KAG associated with that address that it considers to be the current key (which may be different to the SCKN used by the previous call master). SIST EN 300 396-6 V1.4.1:2010

ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 13 If the slave or idle DM-MS sends any request to the master (e.g. pre-emption, changeover), it shall only use the SCKN that it considers to be current in the associated KAG to cipher the request. If a pre-emption request is received using a different class to that of the call being pre-empted, any response to the pre-emption request shall be sent using the lower of the two security classes. NOTE: A master may ignore a pre-emption request (without sending a response) if the security class used for the pre-emption request is insufficient. The master shall respond to any pre-emption request using the SCKN that it considers to be the current SCK for the ongoing call (as indicated by the security profile for the ongoing call). This shall be the same SCKN that the master was using for the call transaction prior to receiving the pre-emption request. Any pre-emption request shall be sent in a manner that the current call master can understand. 5.3.2 Normal behaviour When making an attempt to follow on a pre-existing call the new call master shall establish a new independent TVP. On receipt of call setup the DM-MS shall extract the encryption parameters from the DMAC-SYNC PDU. These parameters shall be compared with the predefined security profile associated with the destination address. If the parameters match in full the call may be accepted (i.e. speech or data path opened). 5.3.3 Exceptional behaviour On receipt of call setup the DM-MS shall extract the encryption parameters from the DMAC-SYNC PDU. These parameters shall be compared with the predefined security profile associated with the destination address. If the parameters do not match the security profile (i.e. KSG-id is not identical, SCKN does not belong the KAG specified for the address, or security class is not equal to or greater than the minimum required for the destination address) the call should be rejected (i.e. speech or data path shall be closed) with reason "security parameter mismatch" in call setup with presence check acknowledgement or ignored where no presence check is used. If the minimum security class required by any subsequent call transaction in the call is not attained the call shall be rejected.
If the minimum security class required by the master to accept any pre-emption request is not attained, or the parameters do not match in full the predefined security profile associated with the destination address of the call, the pre-emption request shall be ignored or rejected. If a pre-emption request is received using a different class to that of the call being pre-empted, the response to the pre-emption request should be sent using the lower of the two security classes. An MS shall use only class 2C to attempt to pre-empt an ongoing class 2C call. NOTE: A master may ignore a pre-emption request (without sending a response) if the security class used for the pre-emption request is insufficient. SIST EN 300 396-6 V1.4.1:2010

ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 14 6 Air interface authentication and key management mechanisms 6.1 Authentication An explicit authentication protocol between mobile terminals in DMO is not provided. The fact that static cipher keys are used (which are generated, controlled and distributed through the DMO system security management which may use the TMO system or may be distributed by a fill gun) provides an implicit authentication between mobile stations as belonging to the same DMO net when successful communication takes place. In dual-watch mode a DM-MS shall be a valid member of the TETRA TMO network for its TMO operation and when operating in TMO shall operate in accordance with the security class of that network using the procedures defined in EN 300 392-7 [4]. In dual-watch mode a DM-MS operating in DMO shall operate in accordance with the procedures defined in the present document. 6.2 Repeater mode operation A repeater shall not modify the security class of a call. A repeater shall not modify the KSG-id and SCK applied to the call. NOTE 1: The DPRES-SYNC signal is not mandatory on a free channel. Where DPRES-SYNC is not broadcast on a free channel there needs to be a prior arrangement to identify the channel, location and other parameters normally present in DPRES-SYNC. NOTE 2: The DPRES-SYNC signal is sent in clear. Therefore it may be preferable for users who operate in class DM-2-C (or class DM-2-B) to obtain their authorization to use the repeater by prior arrangement so that the repeater does not broadcast their addresses in the DPRES-SYNC signal. 6.3 Gateway mode operation Calls established through a gateway (i.e. DM-GATE or DM-REP/GATE) shall be considered as multi-hop calls and as such shall use a tandem call setup protocol (i.e. DMO to GATE, GATE to TMO). In gateway mode the gateway shall be a valid member of the TETRA TMO network and shall operate in accordance with the security class of that network using the procedures defined in EN 300 392-7 [4]. The gateway presence signal (see EN 300 396-5 [8], clauses 13.4.6.2 and 14.1.2) shall indicate the encryption state (encryption applied or clear operation) of the TMO system using the "gateway encryption state on SwMI" information element defined in table 6.1. DMO systems interoperating with TMO systems should use the same encryption state.
EXAMPLE: If TMO encryption state is on, the DMO terminal should communicate in class DM-2-A or
DM-2-B or DM-2-C. Table 6.1: Gateway encryption state on SwMI information element encoding Information element Length Value Remark Gateway encryption state on SwMI 1 02 The link to the SwMI is not encrypted (Gateway operating in class 1).
12 The link to the SwMI is encrypted (Gateway operating in class 2 or 3). NOTE 1: The value of the element shall follow the encryption state of the link to the SwMI. NOTE 2: There is no relationship between DMO and TMO encryption states.
Class 2 TMO systems interworking with DMO systems operating in encrypted mode should not use the same SCK on the TMO side of the gateway as is used on the DMO-net. SIST EN 300 396-6 V1.4.1:2010

ETSI ETSI EN 300 396-6 V1.4.1 (2010-07) 15 The gateway shall be considered as having two synchronized protocol stacks with the TMO network acting as the synchronization master for the call (see figure 6.1). NOTE 1: The TVP in DMO used for synchronization remains independent of the frame numbering used in TMO.
DMO Protocol Layer 1 Layer 2 Layer 3 Layer 1 Layer 2 Layer 3 Layer 1 Layer 2 Layer 3 Layer 1 Layer 2 Layer 3 DM Mobile TMO SwMI GATEWAY CALL SETUP #1 CALL SETUP #2 TMO Protocol DMO Protocol TMO Protocol DMO Encryption DMO Encryption TMO Encryption TMO Encryption
Figure 6.1: TETRA DMO to TETRA TMO gateway On initial call setup from a DMO-net to a TMO-net the keys in use are as shown in figure 6.2.
Gateway DMO-Class 2, SCK TMO-Class 2, SCK on uplink and downlink
TMO-Class 3, DCK on uplink, DCK/CCK/MGCK on downlink
Figure 6.2: Gateway initial key allocations Throughout an encrypted call (which may include the call setup phase) each layer 2 (i.e. the DMO-protocol layer 2 and the TMO-protocol layer 2) shall decrypt incoming messages and encrypt outgoing messages. This may impose some delay on the end-to-end link. The present document shall not describe methods for correcting this delay. If the DM-MS is a party t
...