From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001
From: Harald Welte <laforge@gnumonks.org>
Date: Sun, 25 Oct 2015 21:00:20 +0100
Subject: import of old now defunct presentation slides svn repo

---
 .../tetra-eh2011/500px-Pi-by-4-QPSK_Gray_Coded.png | Bin 0 -> 25520 bytes
 2011/tetra-eh2011/osmocom-tetra.pdf                | Bin 0 -> 733438 bytes
 2011/tetra-eh2011/osmocom-tetra.snm                |   0
 2011/tetra-eh2011/osmocom-tetra.tex                | 607 +++++++++++++++++++++
 2011/tetra-eh2011/osmocom_tetra.png                | Bin 0 -> 34610 bytes
 2011/tetra-eh2011/tetra_encryption.png             | Bin 0 -> 20782 bytes
 2011/tetra-eh2011/tetra_hh_secure.png              | Bin 0 -> 171183 bytes
 2011/tetra-eh2011/tetra_keys_algos.png             | Bin 0 -> 43205 bytes
 2011/tetra-eh2011/tetra_mac_llc.png                | Bin 0 -> 20376 bytes
 2011/tetra-eh2011/tetra_mutual_auth.png            | Bin 0 -> 41322 bytes
 2011/tetra-eh2011/tetra_protocol_stack.png         | Bin 0 -> 51134 bytes
 11 files changed, 607 insertions(+)
 create mode 100644 2011/tetra-eh2011/500px-Pi-by-4-QPSK_Gray_Coded.png
 create mode 100644 2011/tetra-eh2011/osmocom-tetra.pdf
 create mode 100644 2011/tetra-eh2011/osmocom-tetra.snm
 create mode 100644 2011/tetra-eh2011/osmocom-tetra.tex
 create mode 100644 2011/tetra-eh2011/osmocom_tetra.png
 create mode 100644 2011/tetra-eh2011/tetra_encryption.png
 create mode 100644 2011/tetra-eh2011/tetra_hh_secure.png
 create mode 100644 2011/tetra-eh2011/tetra_keys_algos.png
 create mode 100644 2011/tetra-eh2011/tetra_mac_llc.png
 create mode 100644 2011/tetra-eh2011/tetra_mutual_auth.png
 create mode 100644 2011/tetra-eh2011/tetra_protocol_stack.png

(limited to '2011/tetra-eh2011')

diff --git a/2011/tetra-eh2011/500px-Pi-by-4-QPSK_Gray_Coded.png b/2011/tetra-eh2011/500px-Pi-by-4-QPSK_Gray_Coded.png
new file mode 100644
index 0000000..7fb80c8
Binary files /dev/null and b/2011/tetra-eh2011/500px-Pi-by-4-QPSK_Gray_Coded.png differ
diff --git a/2011/tetra-eh2011/osmocom-tetra.pdf b/2011/tetra-eh2011/osmocom-tetra.pdf
new file mode 100644
index 0000000..927cc61
Binary files /dev/null and b/2011/tetra-eh2011/osmocom-tetra.pdf differ
diff --git a/2011/tetra-eh2011/osmocom-tetra.snm b/2011/tetra-eh2011/osmocom-tetra.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2011/tetra-eh2011/osmocom-tetra.tex b/2011/tetra-eh2011/osmocom-tetra.tex
new file mode 100644
index 0000000..9ad0650
--- /dev/null
+++ b/2011/tetra-eh2011/osmocom-tetra.tex
@@ -0,0 +1,607 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+  \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice. 
+
+
+\mode<presentation>
+{
+  \usetheme{Warsaw}
+  % or ...
+
+  \setbeamercovered{transparent}
+  % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{OsmocomTETRA}
+
+\subtitle
+{Researching TETRA and its security}
+
+\author{Harald Welte}
+
+\institute
+{gnumonks.org\\gpl-violations.org\\OpenBSC\\OsmocomBB\\hmw-consulting.de}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[easterhegg 2011] % (optional, should be abbreviation of conference name)
+{EH2011, April 2011, Hamburg/Germany}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+%   yourself) who are reading the slides online
+
+\subject{Communications Security}
+% This is only inserted into the PDF information catalog. Can be left
+% out. 
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+%  \begin{frame}<beamer>{Outline}
+%    \tableofcontents[currentsection,currentsubsection]
+%  \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command: 
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+  \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+  \tableofcontents[hideallsubsections]
+  % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution: 
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+%   15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+%   are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+%   enough. Leave out details, even if it means being less precise than
+%   you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+%   just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+	\item Using + playing with Linux since 1994
+	\item Kernel / bootloader / driver / firmware development since 1999
+	\item IT security expert, focus on network protocol security
+	\item Core developer of Linux packet filter netfilter/iptables
+	\item Board-level Electrical Engineering
+	\item Always looking for interesting protocols (RFID, DECT, GSM)
+\end{itemize}
+\end{frame}
+
+\section{TETRA Introduction}
+
+\subsection{What is TETRA?}
+
+\begin{frame}{Introducing TETRA}
+TErrestrial Trunked RAdio
+\begin{itemize}
+	\item Digital PMR (Professional Mobile Radio) standard
+	\item Standardization Body ETSI started work in 1990
+	\item First specified in 1995, endorsed by EU Radiocomms Committee
+	\item Commercial Vendors: Motorola, EADS/Nokia, Arteva/Simoco/Pye/Philips, Rohde \& Schwarz
+	\item Chinese vendors are expected to appear on the market soon
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA vs GSM}
+\begin{itemize}
+	\item Longer range due to lower frequency (but not vs. GSM 410/450!)
+	\item Higher spectral efficiency (4 speech channels in 25kHz vs. 16 speech channels in 270kHz)
+	\item Specified to work at speeds above 400 km/h
+	\item one-to-one, one-to-many and many-to-many (but: GSM-R ASCI)
+	\item offers direct mode between handsets in case base station is out of range
+	\item separate infrastructure from public networks (but: GSM-R)
+	\item de-central fall-back, i.e. base stations switching local calls
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA vs GSM}
+Summary
+\begin{itemize}
+	\item Most of the TETRA advantages could be achieved using GSM-R in a lower frequency band
+	\item Local call switching can be implemented in GSM (think of OpenBSC)
+	\item GSM requires modifications on the air interface for direct mode, but even in TETRA, direct mode is {\em very} different from trunked mode
+\end{itemize}
+It seems, the industry rather re-invented an entirely different system to ensure
+the resulting equipment can be sold at multiples of the commercial-grade GSM
+equipment.
+\end{frame}
+
+
+\subsection{Where is TETRA deployed?}
+
+\begin{frame}{TETRA deployments}
+\begin{itemize}
+	\item In 2009, TETRA was deployed in 114 countries (every continent except North America)
+	\item Typical users: Police, Transportation, Army, Fire Service, Ambulance, Customs, Coast Guard
+	\item But also: Private company networks (industrial plants)
+	\item In Germany there are 63 registered networks (only 5 are BOS)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA deployments}
+\begin{itemize}
+	\item Follow TETRA Newsletter released by TETRA MoU organization
+	\item Majority of recent deployments seems to be in Asia, specifically China.
+	\item Examples typically include police, public transportation, airports, harbours, industrial plants
+\end{itemize}
+\end{frame}
+
+\section{TETRA Technical Intro}
+
+\subsection{TETRA Air Interface}
+
+\begin{frame}{TETRA Frequencies}
+\begin{itemize}
+	\item European Emergency Services
+	\begin{itemize}
+		\item 380-383 MHz and 390-393 MHz
+		\item 383-385 MHz and 393-395 MHz (optional)
+	\end{itemize}
+	\item European Private/Commercial Systems
+	\begin{itemize}
+		\item 410-430 MHz
+		\item 450-470 MHz
+	\end{itemize}
+	\item Other Countries
+	\begin{itemize}
+		\item Depending on local regulatory requirements
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Frequency plan}
+\begin{itemize}
+	\item Single TETRA carrier normally 25kHz wide, no guard bands
+	\item Channel grid can align on 6.25, 12.5 and 25kHz offset
+	\item This allows seamless migration / co-existence with analog FM PMR in same band
+	\item Uplink/Downlink spacing can depend on band, typically 10MHz
+	\item Advanced TETRA-2 modes can operate at 50, 75 or 100kHz bandwidth
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Modulation}
+\begin{itemize}
+	\item pi/4 DQPSK (Differential Quaternary Phase Shift Keying)
+	\item 2 bits per symbol
+	\item Phase {\em difference} encodes information
+	\item 8 phase constellations, 4 possible transitions
+	\item Requires very linear amplifier as it is not constant envelope
+	\item Used within TETRA at 36 kbits/sec (18 kSymbols/sec)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Modulation}{pi/4 DQPSK (8 constellations, 4 transitions)}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=55mm]{500px-Pi-by-4-QPSK_Gray_Coded.png}
+\end{figure}
+Source: Wikipedia / User:Splash
+\end{frame}
+
+\begin{frame}{TETRA TDMA Frame structure}
+\begin{itemize}
+	\item Each time-slot contains 510 bits (GSM: 156)
+	\item TDMA frame with 4 time-slots (GSM: 8)
+	\item Duration of TDMA frame: 56.67 ms (GSM: FIXME)
+	\item Multiframe: 18 TDMA frames (GSM: 26/51)
+	\item Hyperframe: 60 Multiframes (GSM: FIXME)
+\end{itemize}
+\end{frame}
+
+\subsection{TETRA Protocol Stack}
+
+\begin{frame}{TETRA Protocol Stack}
+\begin{itemize}
+	\item The TETRA protocol stack is more complex than GSM
+	\item Shared Stacking: PHY/lowerMAC/upperMAC/LLC
+	\item Above LLC there is MLE (resembles GSM RR), on top:
+	\begin{itemize}
+		\item MM (Mobility Management)
+		\item CMCE (Circuit Mode Control Entity)
+		\item CONS (Connection Oriented Service)
+		\item CNLS (Connectionless Service)
+	\end{itemize}
+	\item Call Control, Supplementary services on top of CMCE
+	\item Packet data on top of CNLS and CONS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Protocol Stack}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=80mm]{tetra_mac_llc.png}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{TETRA Protocol Stack}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=80mm]{tetra_protocol_stack.png}
+\end{figure}
+\end{frame}
+
+\subsection{TETRA Security}
+
+\begin{frame}{TETRA Security}
+\begin{itemize}
+	\item Once again all security features optional, like in GSM
+	\item Security features include
+	\begin{itemize}
+		\item Authentication
+		\item Air interface encryption
+		\item End-to-End encryption
+		\item Over-the-air re-keying (OTAR)
+		\item Remote locking of stolen devices
+	\end{itemize}
+	\item Not all handsets support all features
+	\item Key material can be stored in handset flash or in SIM
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Authentication}
+\begin{itemize}
+	\item Authentication messages part of Mobility Management (MM)
+	\item Based on secret User Authentication Key (UAK) in SIM, generating Authentication key K by use of Algorithms TB1, TB2 or TB3
+	\item Supports three modes
+	\begin{itemize}
+		\item Authentication of user by infrastructure (TA11, TA12)
+		\item Authentication of infrastructure by user (TA21, TA22)
+		\item Mutual authentication (four-pass, TA11, TA12, TA21, TA22)
+	\end{itemize}
+	
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Authentication}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=60mm]{tetra_mutual_auth.png}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{TETRA Air Interface Encryption}
+\begin{itemize}
+	\item Like GSM: Encrypts only the air interface, not the core network
+	\item Unlike GSM: Not between L1 and L0 but inside the upper MAC layer
+	\begin{itemize}
+		\item Thus, no idle frames with known plaintext
+		\item Thus, no redundant information due to FEC before crypto
+	\end{itemize}
+	\item Encryption happens with different keys (SCK, DCK, CCK, GCK, MGCK)
+	\item IV is concatenation of hyperframe, multiframe, frame and slot number
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{TETRA Air Interface Encryption}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=100mm]{tetra_encryption.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{TETRA Encryption Keys}
+\begin{itemize}
+	\item SCK (Static Cipher Key)
+	\begin{itemize}
+		\item pre-shared key, used in networks without authentication
+		\item up to 32 possible keys, selected by SYSINFO.
+	\end{itemize}
+	\item DCK (Derived Cipher Key)
+	\begin{itemize}
+		\item Generated by authentication procedure (like GSM A3/A8)
+		\item different for each user
+	\end{itemize}
+	\item CCK (Common Cipher Key)
+	\begin{itemize}
+		\item  Generated by infrastructure and distributed to MS through DCK-encrypted connection using OTAR
+		\item Used for group calls within one location area
+	\end{itemize}
+	\item GCK (Group Cipher Key)
+	\begin{itemize}
+		\item Generated by infrastructure and distributed to MS through DCK-encrypted connection using OTAR
+		\item Used for specific protected groups
+	\end{itemize}
+	\item MGCK (Modified GCK)
+	\begin{itemize}
+		\item GCK modified by CCK
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Encryption Algorithms}
+There are 4 specified TETRA Encryption Algorithms (TEA):
+\begin{description}[TEA4]
+	\item[TEA1] generally available, original algorithm, relaxed export
+	\item[TEA2] for public safety users in Schengen + EU countries
+	\item[TEA3] for public safety users elsewhere
+	\item[TEA4] generally available, reflects relaxed 1998 Wassenaar arrangement
+\end{description}
+It is assumed that at least original ciphers are 80-bit stream ciphers.
+None of them have ever leaked publicly!
+\end{frame}
+
+\begin{frame}{TETRA Air Interface Encryption}{Keys and Algorithms}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=75mm]{tetra_keys_algos.png}
+\end{figure}
+\end{frame}
+
+\subsection{TETRA Security Conclusions}
+
+\begin{frame}{Is it really secure?}
+Given all those security features, is TETRA really secure?
+\begin{itemize}
+	\item much better than GSM
+	\item however, all security again optional
+	\item security of a given network depends on its configuration
+	\item reality is sad: Government networks secure, private networks insecure
+	\item vendors to blame
+	\begin{itemize}
+		\item 200 EUR cost increase in handset for crypto
+		\item authentication center in core network very expensive
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Case Study: tetra-hamburg.de}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=50mm]{tetra_hh_secure.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Case Study: tetra-hamburg.de}
+\begin{itemize}
+	\item public tetra network available for paying users (like cellular carrier)
+	\item by DFP TETRA Hamburg Ges. fuer Digitalfunk mbH 
+	\item website claims it is secure against eavesdropping {\em because it is digital}
+	\item the network does not use any form ef TEA encryption
+	\item all signalling, voice, SDS and packet data transferred in plaintext
+	\item digital radio receiver + protocol decoder sufficient for eavesdropping
+\end{itemize}
+\end{frame}
+
+\section{TETRA Data Services}
+
+\subsection{Short Data Service}
+\begin{frame}{SDS - Short Data Service}
+\begin{itemize}
+	\item SDS can be compared with GSM/UMTS SMS
+	\item short messages of up to 140 bytes length
+	\item everything like GSM, but not 100\% identical
+\end{itemize}
+\end{frame}
+
+\subsection{Packet Data Service}
+\begin{frame}{TETRA SNDCP - Packte Data}
+\begin{itemize}
+	\item SNDCP (Sub-Network Dependent Convergence Protocol)
+	\item facilitates packet switched services like IPv4 over TETRA
+	\item leverages the GPRS network architecture and protocols
+	\item PDP Context to APN (like GPRS)
+	\item very slow unless both base station and handset support QAM modulation
+\end{itemize}
+\end{frame}
+
+
+\section{Osmocom TETRA}
+
+\begin{frame}{Osmocom TETRA Demodulator}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=90mm]{osmocom_tetra.png}
+\end{figure}
+\end{frame}
+
+\subsection{Demodulator}
+
+\begin{frame}{Osmocom TETRA Demodulator}
+\begin{itemize}
+	\item 1:1 code re-use from APCO-25 Software receiver project
+	\item Hierarchical block fully based on gnuradio blocks
+	\begin{itemize}
+		\item Root-raised cosine filter
+		\item M-PSK receiver block
+		\item Costas Loop for carrier tracking
+		\item Muller\&Muller synchronizer
+		\item output: Float value between -3 and 3 in units of pi/4
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{Lower MAC and PHY}
+
+\begin{frame}{Osmocom TETRA PHY}
+The burst synchronizer ({\tt tetra\_burst\_sync.c})
+\begin{itemize}
+	\item First acquires the Sync Burst training sequence by correlation
+	\item Later locks on Normal Burst (NB) training sequences
+	\item Splits actual payload sections out of training sequences, 
+\end{itemize}
+The burst generator ({\tt tetra\_burst.c})
+\begin{itemize}
+	\item puts together various bursts such as NB, SB and others
+	\item calculates phase alignment bits
+	\item used to test receiver code
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Osmocom TETRA lower MAC}{Receive Side}
+\begin{itemize}
+	\item Receives bursts from PHY layer
+	\item Applies the following operations depending on burst type
+	\begin{itemize}
+		\item De-scrambling
+		\item De-Interleaving
+		\item De-Puncturing (RCPC code)
+		\item Viterbi decoder (RCPC code)
+		\item Compute + Verify CRC-16
+	\end{itemize}
+	\item Recover TETRA Time (frame number) from SYNC burst
+	\item Hands decoded payload data to upper MAC
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Osmocom TETRA lower MAC}{Transmit Side}
+\begin{itemize}
+	\item Receives payload from upper MAC
+	\item Applies the following operations depending on burst type
+	\begin{itemize}
+		\item Append tail bits
+		\item Compute CRC-16
+		\item Convolutional encoder (RCPC code)
+		\item Puncturing (RCPC code)
+		\item Interleaving
+		\item Scrambling
+	\end{itemize}
+	\item Hands decoded payload data to PHY
+\end{itemize}
+Tx is currently only used in testing the Rx code
+\end{frame}
+
+\begin{frame}{Osmocom TETRA upper MAC}
+\begin{itemize}
+	\item Rx-only
+	\item Not a complete implementation, just to decode SYSINFO, ACCESS-ASSIGN and (more and more) other bits.
+	\item Mainly a proof-of-concept to ensure PHY and lower MAC work
+\end{itemize}
+\end{frame}
+
+\subsection{wireshark integration}
+
+\begin{frame}{Osmocom TETRA via GSMTAP}
+\begin{itemize}
+	\item The GSMTAP pseudo-header has been extended for TETRA
+	\item Change is backward-compatible with existing GSMTAP
+	\item current version of libosmocore supports extended GSMTAP
+	\item OsmocomTETRA {\tt tetra-rx} contains GSMTAP output support
+\end{itemize}
+\end{frame}
+
+\begin{frame}{wireshark TETRA integration}
+\begin{itemize}
+	\item TETRA messages are unaligned bit-fields, full of variable-length and optional parts
+	\item Writing manual decoding/encoding routines is tiresome and error-prone
+	\item Beijing Institute of Technology has developed wireshark dissectors based on describing TETRA messages as ASN.1 PER (described in IEEE paper)
+	\item We contacted them and they were willing to release their code under GNU GPL
+	\item Zecke has extended it with GSMTAP support it has been included in wireshark mainline
+\end{itemize}
+\end{frame}
+
+\subsection{TETRA transmit code}
+
+\begin{frame}{Transmitting TETRA}
+\begin{itemize}
+	\item The lower MAC and PHY code exists and is proven
+	\item OP25 project contains modulator for pi/4 DQPSK
+	\item Combining the two should render simplistic TETRA transmitter
+	\item Sending continuous sequence of BSCH in SB and BNCH in NB comprises valid beacon and should allow handsets to lock on the signal
+	\item So far no time to experiment with it
+	\item Could be first step in SDR TETRA Base Station
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Thanks}
+Thanks to
+\begin{itemize}
+	\item Dieter Spaar for discovering the APCO25 demodulator and his work on speech decoding
+	\item Sylvain Munaut for implementing our own Viterbi decoder
+	\item Holger Freyther for his work on CRC, Shortened Reed-Muller and wireshark
+	\item horiz0n for providing sample captures of TETRA radio traffic
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Further Reading}
+\begin{itemize}
+	\item \url{http://tetra.osmocm.org/}
+	\item \url{http://www.tetramou.com/}
+	\item \url{http://www.etsi.org/website/Technologies/TETRA.aspx}
+	\item \url{http://www.tetramou.com/uploadedFiles/About\_TETRA/TETRA\%20Security\%20pdf.pdf}
+	\item \url{http://www.tetrawatch.net/}
+	\item {\em Digital Mobile Communications and the TETRA System} by John Dunlop, Demessie Girma, James Irvine - Wiley
+\end{itemize}
+\end{frame}
+
+
+\end{document}
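Review bot: The first link in the Further Reading frame is `\url{http://tetra.osmocm.org/}`, which drops the second "o" of osmocom and so points readers at a different domain than the one the slides are presumably meant to reference; it should read `\url{http://tetra.osmocom.org/}`. On the lower MAC Transmit Side frame the last item says `Hands decoded payload data to PHY`, but every step listed above it is an encoding step, so `Hands encoded payload data to PHY` looks intended. The TDMA frame structure frame still has two `GSM: FIXME` placeholders, and `ef TEA encryption` and `Packte Data` are typos for `of` and `Packet`. On the Encryption Algorithms frame, the closing lines would be clearer with a short caveat such as `Unpublished algorithms: key length and strength cannot be independently verified`, since the slide itself says the 80-bit figure is only assumed.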
diff --git a/2011/tetra-eh2011/osmocom_tetra.png b/2011/tetra-eh2011/osmocom_tetra.png
new file mode 100644
index 0000000..918dee5
Binary files /dev/null and b/2011/tetra-eh2011/osmocom_tetra.png differ
diff --git a/2011/tetra-eh2011/tetra_encryption.png b/2011/tetra-eh2011/tetra_encryption.png
new file mode 100644
index 0000000..bd50366
Binary files /dev/null and b/2011/tetra-eh2011/tetra_encryption.png differ
diff --git a/2011/tetra-eh2011/tetra_hh_secure.png b/2011/tetra-eh2011/tetra_hh_secure.png
new file mode 100644
index 0000000..0059e23
Binary files /dev/null and b/2011/tetra-eh2011/tetra_hh_secure.png differ
diff --git a/2011/tetra-eh2011/tetra_keys_algos.png b/2011/tetra-eh2011/tetra_keys_algos.png
new file mode 100644
index 0000000..9fdd51b
Binary files /dev/null and b/2011/tetra-eh2011/tetra_keys_algos.png differ
diff --git a/2011/tetra-eh2011/tetra_mac_llc.png b/2011/tetra-eh2011/tetra_mac_llc.png
new file mode 100644
index 0000000..cf99a84
Binary files /dev/null and b/2011/tetra-eh2011/tetra_mac_llc.png differ
diff --git a/2011/tetra-eh2011/tetra_mutual_auth.png b/2011/tetra-eh2011/tetra_mutual_auth.png
new file mode 100644
index 0000000..db0e35b
Binary files /dev/null and b/2011/tetra-eh2011/tetra_mutual_auth.png differ
diff --git a/2011/tetra-eh2011/tetra_protocol_stack.png b/2011/tetra-eh2011/tetra_protocol_stack.png
new file mode 100644
index 0000000..2044853
Binary files /dev/null and b/2011/tetra-eh2011/tetra_protocol_stack.png differ
-- 
cgit v1.2.3