Valid for:

N610

N670

N870

N870E

Embedded Integrator

Virtual Integrator

Introduction
  • The security aspects in the DECT standard have been improved after concerns were raised in the market since early 2009
  • The DECT Forum Security Working Group has worked closely with deDECTed.org, who were instrumental in raising the concerns and providing their expertise on the legacy security mechanisms
  • Security enhancements are being introduced in a step-wise manner to address immediate, mid-term and long-term concerns
  • Over the past years the DECT Forum has developed a certification program that is being launched at the annual DECT Conference
  • This presentation will provide an overview of the certification program and also touches upon the future steps in the DECT Security Roadmap

STEP A:

  • Improvement of the DECT standard to rectify a number of security weaknesses
  • Step A was ratified by ETSI early 2010

STEP B:

  • Software 2.53 or higher is needed
  • Improvement of the authentication algorithm
  • The improved algorithm is called DECT Standard Authentication Algorithm 2 (DSAA2) was published during 2012

STEP C:

  • Improvement of the encryption algorithm
  • The improved version is called DECT Standard Cypher 2 (DSC2)
  • Introduction time of Step C is not yet decided
SECURITY FEATURES – STEP A


Note: M = Mandatory, O = Optional

FeatureDECT GAPDECT SecurityWHAT DO THESE FEATURES MEAN?

Registration procedure and time limits for setting of a44 bit  

OMThe base station will not be kept “open for registration” for longer than 120 seconds

"Encryption activation FT initiated" (Base & Handset)

Note : all voice calls encrypted

OMThe base station and handset will support encryption activation, and the base will activate it for all
calls (including voice calls, List Access sessions, SUOTA/ Light data services, etc.)

On air key allocation (Base & Handset)

OMThe base station will create and allocate a (64 bit) authentication key (UAK) when the
handset is registered

Authentication of PP (Base & Handset)

OMThe base can authenticate the handset (utilizing its UAK), to ensure it is the genuine handset, and not
an intruder or an attempt to imitate the real handset.

Evaluation of peer sides behavior regarding encryption including

timeout values for triggering of call release

OM

If the peer behaves differently as expected, e.g. it doesn’t initiate encryption in a timely manner,
then the device will assume it is an attempt to breach security and the call will be dropped

Early encryption

OM

Guarantees encryption activation immediately after connection establishment, before any higher
layer protocol messages are exchanged (including Caller ID, dialed digits, etc.)

Procedure for re-keying with a new derived cipher key during a call

OM

The cipher key used by the encryption engine is updated at least once per 60 seconds, to foil any
attempt to crack the ciphering by brute-force techniques e.g. like super computing