From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 
From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- .../beyond_gpl_compliance.pdf | Bin 0 -> 781236 bytes .../beyond_gpl_compliance.tex | 309 ++++ .../linux_netfilter_singapore_entertainment.jpg | Bin 0 -> 640673 bytes 2011/bio.txt | 30 + 2011/cell_prot_int-ccc2011/Gsm_structures.pdf | Bin 0 -> 674555 bytes 2011/cell_prot_int-ccc2011/Gsm_structures.svg | 1531 ++++++++++++++++++++ .../UMTS_Network_Architecture.pdf | Bin 0 -> 48957 bytes .../UMTS_Network_Architecture.svg | 916 ++++++++++++ 2011/cell_prot_int-ccc2011/cell_prot_int.pdf | Bin 0 -> 1182405 bytes 2011/cell_prot_int-ccc2011/cell_prot_int.snm | 0 2011/cell_prot_int-ccc2011/cell_prot_int.tex | 501 +++++++ 2011/cell_prot_int-ccc2011/gprs_control_stack.pdf | Bin 0 -> 43802 bytes 2011/cell_prot_int-ccc2011/gprs_control_stack.svg | 1341 +++++++++++++++++ 2011/cell_prot_int-ccc2011/gprs_pdp_ctx_act.png | Bin 0 -> 15816 bytes 2011/cell_prot_int-ccc2011/gprs_ra_upd.png | Bin 0 -> 15954 bytes 2011/cell_prot_int-ccc2011/gprs_user_stack.pdf | Bin 0 -> 46016 bytes 2011/cell_prot_int-ccc2011/gprs_user_stack.svg | 1357 +++++++++++++++++ 2011/cell_prot_int-ccc2011/umts_ps_control.pdf | Bin 0 -> 70743 bytes 2011/cell_prot_int-ccc2011/umts_ps_control.svg | 1519 +++++++++++++++++++ 2011/cell_prot_int-ccc2011/umts_ps_user.pdf | Bin 0 -> 54123 bytes 2011/cell_prot_int-ccc2011/umts_ps_user.svg | 1497 +++++++++++++++++++ 2011/gpl_enforcement-kr2011/gpl_enforcement.pdf | Bin 0 -> 751886 bytes 2011/gpl_enforcement-kr2011/gpl_enforcement.snm | 0 2011/gpl_enforcement-kr2011/gpl_enforcement.tex | 245 ++++ .../linux_netfilter_singapore_entertainment.jpg | Bin 0 -> 640673 bytes 2011/gsm-ensa2011/NevadaTestSite.jpg | Bin 0 -> 2022846 bytes 2011/gsm-ensa2011/OBTSBM2010.jpg | Bin 0 -> 772751 bytes 2011/gsm-ensa2011/abstract.txt | 26 + 2011/gsm-ensa2011/bts_tree_full.jpg | Bin 0 -> 1512137 bytes 2011/gsm-ensa2011/c123_pcb.jpg | Bin 0 -> 684904 bytes 
2011/gsm-ensa2011/calypso-block.pdf | Bin 0 -> 14118 bytes 2011/gsm-ensa2011/gsm.pdf | Bin 0 -> 6393030 bytes 2011/gsm-ensa2011/gsm.snm | 0 2011/gsm-ensa2011/gsm.tex | 305 ++++ 2011/gsm-ensa2011/gsm.vrb | 13 + 2011/gsm-ensa2011/gsm_network.png | Bin 0 -> 57000 bytes 2011/gsm-ensa2011/openbsc_host.jpg | Bin 0 -> 706662 bytes 2011/gsm-ensa2011/osmosgsn.png | Bin 0 -> 26623 bytes 2011/gsm-ensa2011/part-security_research.tex | 141 ++ 2011/gsm-ensa2011/section-airprobe.tex | 33 + 2011/gsm-ensa2011/section-openbsc.tex | 208 +++ 2011/gsm-ensa2011/section-openbts.tex | 183 +++ 2011/gsm-ensa2011/section-osmocombb.tex | 296 ++++ 2011/gsm-ensa2011/section-wireshark.tex | 35 + .../500px-Pi-by-4-QPSK_Gray_Coded.png | Bin 0 -> 25520 bytes 2011/tetra-camp2011/osmocom-tetra.tex | 637 ++++++++ 2011/tetra-camp2011/osmocom_tetra.png | Bin 0 -> 34610 bytes .../tetra-eh2011/500px-Pi-by-4-QPSK_Gray_Coded.png | Bin 0 -> 25520 bytes 2011/tetra-eh2011/osmocom-tetra.pdf | Bin 0 -> 733438 bytes 2011/tetra-eh2011/osmocom-tetra.snm | 0 2011/tetra-eh2011/osmocom-tetra.tex | 607 ++++++++ 2011/tetra-eh2011/osmocom_tetra.png | Bin 0 -> 34610 bytes 2011/tetra-eh2011/tetra_encryption.png | Bin 0 -> 20782 bytes 2011/tetra-eh2011/tetra_hh_secure.png | Bin 0 -> 171183 bytes 2011/tetra-eh2011/tetra_keys_algos.png | Bin 0 -> 43205 bytes 2011/tetra-eh2011/tetra_mac_llc.png | Bin 0 -> 20376 bytes 2011/tetra-eh2011/tetra_mutual_auth.png | Bin 0 -> 41322 bytes 2011/tetra-eh2011/tetra_protocol_stack.png | Bin 0 -> 51134 bytes .../tetra-ph2011/500px-Pi-by-4-QPSK_Gray_Coded.png | Bin 0 -> 25520 bytes 2011/tetra-ph2011/osmocom-tetra.pdf | Bin 0 -> 755997 bytes 2011/tetra-ph2011/osmocom-tetra.snm | 0 2011/tetra-ph2011/osmocom-tetra.tex | 637 ++++++++ 2011/tetra-ph2011/osmocom_tetra.png | Bin 0 -> 34610 bytes 2011/tetra-ph2011/tetra_encryption.png | Bin 0 -> 20782 bytes 2011/tetra-ph2011/tetra_hh_secure.png | Bin 0 -> 171183 bytes 2011/tetra-ph2011/tetra_keys_algos.png | Bin 0 -> 43205 bytes 
2011/tetra-ph2011/tetra_mac_llc.png | Bin 0 -> 20376 bytes 2011/tetra-ph2011/tetra_mutual_auth.png | Bin 0 -> 41322 bytes 2011/tetra-ph2011/tetra_protocol_stack.png | Bin 0 -> 51134 bytes 2011/tetra-srlabs2011/osmocom-tetra.pdf | Bin 0 -> 454035 bytes 2011/tetra-srlabs2011/osmocom-tetra.snm | 0 2011/tetra-srlabs2011/osmocom-tetra.tex | 533 +++++++ 2011/tetra-srlabs2011/tetra_encryption.png | Bin 0 -> 20782 bytes 2011/tetra-srlabs2011/tetra_keys_algos.png | Bin 0 -> 43205 bytes 2011/tetra-srlabs2011/tetra_mac_llc.png | Bin 0 -> 20376 bytes 2011/tetra-srlabs2011/tetra_mutual_auth.png | Bin 0 -> 41322 bytes 2011/tetra-srlabs2011/tetra_protocol_stack.png | Bin 0 -> 51134 bytes 77 files changed, 12900 insertions(+) create mode 100644 2011/beyond_gpl_compliance-kr2011/beyond_gpl_compliance.pdf create mode 100644 2011/beyond_gpl_compliance-kr2011/beyond_gpl_compliance.tex create mode 100644 2011/beyond_gpl_compliance-kr2011/linux_netfilter_singapore_entertainment.jpg create mode 100644 2011/bio.txt create mode 100644 2011/cell_prot_int-ccc2011/Gsm_structures.pdf create mode 100644 2011/cell_prot_int-ccc2011/Gsm_structures.svg create mode 100644 2011/cell_prot_int-ccc2011/UMTS_Network_Architecture.pdf create mode 100644 2011/cell_prot_int-ccc2011/UMTS_Network_Architecture.svg create mode 100644 2011/cell_prot_int-ccc2011/cell_prot_int.pdf create mode 100644 2011/cell_prot_int-ccc2011/cell_prot_int.snm create mode 100644 2011/cell_prot_int-ccc2011/cell_prot_int.tex create mode 100644 2011/cell_prot_int-ccc2011/gprs_control_stack.pdf create mode 100644 2011/cell_prot_int-ccc2011/gprs_control_stack.svg create mode 100644 2011/cell_prot_int-ccc2011/gprs_pdp_ctx_act.png create mode 100644 2011/cell_prot_int-ccc2011/gprs_ra_upd.png create mode 100644 2011/cell_prot_int-ccc2011/gprs_user_stack.pdf create mode 100644 2011/cell_prot_int-ccc2011/gprs_user_stack.svg create mode 100644 2011/cell_prot_int-ccc2011/umts_ps_control.pdf create mode 100644 
2011/cell_prot_int-ccc2011/umts_ps_control.svg create mode 100644 2011/cell_prot_int-ccc2011/umts_ps_user.pdf create mode 100644 2011/cell_prot_int-ccc2011/umts_ps_user.svg create mode 100644 2011/gpl_enforcement-kr2011/gpl_enforcement.pdf create mode 100644 2011/gpl_enforcement-kr2011/gpl_enforcement.snm create mode 100644 2011/gpl_enforcement-kr2011/gpl_enforcement.tex create mode 100644 2011/gpl_enforcement-kr2011/linux_netfilter_singapore_entertainment.jpg create mode 100644 2011/gsm-ensa2011/NevadaTestSite.jpg create mode 100644 2011/gsm-ensa2011/OBTSBM2010.jpg create mode 100644 2011/gsm-ensa2011/abstract.txt create mode 100644 2011/gsm-ensa2011/bts_tree_full.jpg create mode 100644 2011/gsm-ensa2011/c123_pcb.jpg create mode 100644 2011/gsm-ensa2011/calypso-block.pdf create mode 100644 2011/gsm-ensa2011/gsm.pdf create mode 100644 2011/gsm-ensa2011/gsm.snm create mode 100644 2011/gsm-ensa2011/gsm.tex create mode 100644 2011/gsm-ensa2011/gsm.vrb create mode 100644 2011/gsm-ensa2011/gsm_network.png create mode 100644 2011/gsm-ensa2011/openbsc_host.jpg create mode 100644 2011/gsm-ensa2011/osmosgsn.png create mode 100644 2011/gsm-ensa2011/part-security_research.tex create mode 100644 2011/gsm-ensa2011/section-airprobe.tex create mode 100644 2011/gsm-ensa2011/section-openbsc.tex create mode 100644 2011/gsm-ensa2011/section-openbts.tex create mode 100644 2011/gsm-ensa2011/section-osmocombb.tex create mode 100644 2011/gsm-ensa2011/section-wireshark.tex create mode 100644 2011/tetra-camp2011/500px-Pi-by-4-QPSK_Gray_Coded.png create mode 100644 2011/tetra-camp2011/osmocom-tetra.tex create mode 100644 2011/tetra-camp2011/osmocom_tetra.png create mode 100644 2011/tetra-eh2011/500px-Pi-by-4-QPSK_Gray_Coded.png create mode 100644 2011/tetra-eh2011/osmocom-tetra.pdf create mode 100644 2011/tetra-eh2011/osmocom-tetra.snm create mode 100644 2011/tetra-eh2011/osmocom-tetra.tex create mode 100644 2011/tetra-eh2011/osmocom_tetra.png create mode 100644 
2011/tetra-eh2011/tetra_encryption.png create mode 100644 2011/tetra-eh2011/tetra_hh_secure.png create mode 100644 2011/tetra-eh2011/tetra_keys_algos.png create mode 100644 2011/tetra-eh2011/tetra_mac_llc.png create mode 100644 2011/tetra-eh2011/tetra_mutual_auth.png create mode 100644 2011/tetra-eh2011/tetra_protocol_stack.png create mode 100644 2011/tetra-ph2011/500px-Pi-by-4-QPSK_Gray_Coded.png create mode 100644 2011/tetra-ph2011/osmocom-tetra.pdf create mode 100644 2011/tetra-ph2011/osmocom-tetra.snm create mode 100644 2011/tetra-ph2011/osmocom-tetra.tex create mode 100644 2011/tetra-ph2011/osmocom_tetra.png create mode 100644 2011/tetra-ph2011/tetra_encryption.png create mode 100644 2011/tetra-ph2011/tetra_hh_secure.png create mode 100644 2011/tetra-ph2011/tetra_keys_algos.png create mode 100644 2011/tetra-ph2011/tetra_mac_llc.png create mode 100644 2011/tetra-ph2011/tetra_mutual_auth.png create mode 100644 2011/tetra-ph2011/tetra_protocol_stack.png create mode 100644 2011/tetra-srlabs2011/osmocom-tetra.pdf create mode 100644 2011/tetra-srlabs2011/osmocom-tetra.snm create mode 100644 2011/tetra-srlabs2011/osmocom-tetra.tex create mode 100644 2011/tetra-srlabs2011/tetra_encryption.png create mode 100644 2011/tetra-srlabs2011/tetra_keys_algos.png create mode 100644 2011/tetra-srlabs2011/tetra_mac_llc.png create mode 100644 2011/tetra-srlabs2011/tetra_mutual_auth.png create mode 100644 2011/tetra-srlabs2011/tetra_protocol_stack.png (limited to '2011') diff --git a/2011/beyond_gpl_compliance-kr2011/beyond_gpl_compliance.pdf b/2011/beyond_gpl_compliance-kr2011/beyond_gpl_compliance.pdf new file mode 100644 index 0000000..f10cf44 Binary files /dev/null and b/2011/beyond_gpl_compliance-kr2011/beyond_gpl_compliance.pdf differ diff --git a/2011/beyond_gpl_compliance-kr2011/beyond_gpl_compliance.tex b/2011/beyond_gpl_compliance-kr2011/beyond_gpl_compliance.tex new file mode 100644 index 0000000..9d61791 --- /dev/null 
+++ b/2011/beyond_gpl_compliance-kr2011/beyond_gpl_compliance.tex 
@@ -0,0 +1,309 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{Beyond Legal Compliance}
+
+\subtitle
+{Embracing the FOSS community}
+
+\author{Harald Welte}
+
+\institute
+{gpl-violations.org\\gnumonks.org\\hmw-consulting.de}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[2011 KFOSS CON] % (optional, should be abbreviation of conference name)
+{Korean FOSS confeerence, November 2011}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Embedded Linux}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+\item Programming computers since 1989
+\item Linux user + application developer since 1994
+\item Linux kernel development since 1999
+\item GNU GPL license enforcement since 2003
+\item IT security expert, network protocol security
+\item Board-level Electrical Engineering
+\item System-level Software for PPC, ARM, x86
+\item IANAL, but companies not complying with the license forced me to spend lots of time with legal issues
+\end{itemize}
+\end{frame}
+
+
+\section{Historical Development}
+
+\begin{frame}{Historical development}
+\begin{itemize}
+ \item 1970ies: Softare becomes copyrightable
+ \item 1980ies: GNU project, GPLv1
+ \item 1990ies: Linux kernel, GPLv2, servers
+ \item 2000s: Linux and FOSS is everywhere
+\end{itemize}
+\end{frame}
+
+\subsection{FOSS is everywhere}
+
+\begin{frame}{Linux and Free Software (FOSS) everywhere}
+\begin{figure}[h]
+\centering
+\includegraphics[width=100mm]{linux_netfilter_singapore_entertainment.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{More Linux - More License Violations}
+\begin{itemize}
+ \item Boom of Linux results in many {\em new companies} using it in products
+ \item Such Linux newbies do not have a history in the FOSS community
+ \item They also do not share the same culture, values and norms
+ \item They simply use Linux to reduce royalty cost for proprietary OS
+ \item They run into trouble (GPL violations)
+\end{itemize}
+\end{frame}
+
+\subsection{GPL enforcement}
+
+\begin{frame}{More License Violations - More Enforcement}
+\begin{itemize}
+ \item New Linux based products continue to enter the market
+ \item License compliance often very bad
+ \item Community is deeply upset about the violation of its rules
+ \item Often percieved as insult of the FOSS community culture
+ \item Lack of respect of corporations towards community
+ \item Legal enforcement is often the only possible way for community to educate corporations
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GPL enforcement}
+\begin{itemize}
+ \item Before 2003: Mostly Free Software Foundation
+ \item 2003-now: gpl-violations.org (Europe), ~ 200 cases
+ \item 2005-now: SFLC (United States)
+ \item publicly invisible enforcement
+ \begin{itemize}
+ \item e.g. MySQL (dual-licensing)
+ \item e.g. Asterisk (dual-licensing)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\section{Beyond minimal license compliance}
+
+\subsection{FOSS communities vs. license terms}
+
+\begin{frame}{FOSS community is technical, not legal}
+\begin{itemize}
+ \item FOSS is created by software developers working together in
+colalborative ways, often without any formal structure
+ \item Individuals, Universities as well as Corporations
+contribute their work
+ \item Cooperation in a culture of sharing
+ \item Even direct competitors like Intel and AMD cooperate in Linux
+development, because everyone needs it
+ \item FOSS communities are deeply technical. They hate company
+politics.
+ \item License is {\bf just} a last resort of protection against
+those who absolutely don't understand FOSS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Beyond pure legal compliance with licenses}
+\begin{itemize}
+ \item Compliance with the legal terms of the license is the
+absolute bare minimum that companies have to do
+ \item If you use FOSS in your products, please consider
+establishing a healthy relationship with the communities that drive
+development of this software
+ \item It is not a customer / supplier relationship!
+ \item The community expects you to participate in development
+\end{itemize}
+\end{frame}
+
+\subsection{Becoming part of the community}
+
+\begin{frame}{Why should you join?}
+Benefits to Embedded electronics companies
+\begin{itemize}
+ \item Larger number of engineers can help you improve your product
+ \begin{itemize}
+ \item optimize performance (battery, speed, ...)
+ \item fix more bugs than your in-house R\&D
+ \item have more ideas/innovation than all engineers combined inside your company!
+ \end{itemize}
+ \item Be recognized within the community as {\em somebody who understands}
+ \begin{itemize}
+ \item allows you to attract skilled developers from the FOSS world who would otherwise never consider working for you
+ \item makes you more attractive to most technical customer base of {\em early adopters}
+ \end{itemize}
+ \item Reduce cost of maintaining your code base
+\end{itemize}
+\end{frame}
+
+\begin{frame}{How to become part of the community}
+\begin{itemize}
+ \item Permit your engineers to engage in technical discussions on mailing lists
+ \item Submit your modifications to the respective upstream projects
+ \item Join technical conferences and discuss technical issues
+ \item Encourage the community to innovate and extend your products
+\end{itemize}
+\end{frame}
+
+\begin{frame}{When and how to release source code}
+\begin{itemize}
+ \item Legal requirement:
+ \begin{itemize}
+ \item You're used to release source code at the time product ships because the license forces you to
+ \end{itemize}
+ \item Community norm:
+ \begin{itemize}
+ \item Your engineers interact with the project maintainers during R\&D
+ \item Source code of your modifications undergoes review + inclusion in mainline
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Quality of the source code release}
+\begin{itemize}
+ \item Legal requirement / Reality:
+ \begin{itemize}
+ \item {\em complete and corresponding} source code
+ \item Often does not compile
+ \item Often contains proprietary kernel modules of questinable legality
+ \item Often provides no (simple) way of installing re-compiled program on the actual device
+ \end{itemize}
+ \item Community norm:
+ \begin{itemize}
+ \item {\em complete and corresponding} source code
+ \item no proprietary kernel modules that constrain e.g. updates to later kernels
+ \item complete utilities to install modified version of software on the device
+ \item maybe even some instructions on how to do so
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Summary}
+\begin{itemize}
+ \item Show respect for the FOSS development model based on
+mutual respect and understanding
+ \item Actively engage and discuss with the community
+ \item Don't try to cheat your way out of license compliance
+ \item Treat community as partner in development of your products
+ \item Don't treat them like your enemy (DRM, Tivo-ization)!
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Panel Discussion}
+\begin{itemize}
+ \item Thanks for your attention
+ \item We will now have a panel discussion on the subject of FOSS community interaction beyond license compliance
+ \item Contact me at \href{mailto:laforge@gpl-violations.org}{laforge@gpl-violations.org} with questions, feedback and comments
+\end{itemize}
+\end{frame}
+
+\end{document}
diff --git a/2011/beyond_gpl_compliance-kr2011/linux_netfilter_singapore_entertainment.jpg b/2011/beyond_gpl_compliance-kr2011/linux_netfilter_singapore_entertainment.jpg
new file mode 100644
index 0000000..91b839f
Binary files /dev/null and b/2011/beyond_gpl_compliance-kr2011/linux_netfilter_singapore_entertainment.jpg differ
diff --git a/2011/bio.txt b/2011/bio.txt
new file mode 100644
index 0000000..ff72b0e
--- /dev/null
+++ b/2011/bio.txt
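Review bot: Several spelling errors in the slide text survive the import: `{Korean FOSS confeerence, November 2011}` should read `{Korean FOSS conference, November 2011}`, `1970ies: Softare becomes copyrightable` should be `Software`, `Often percieved as insult` should be `perceived`, and `colalborative` and `questinable` appear in later frames. Since this is an archival import the deck can reasonably land as-is, but a small follow-up commit fixing these would keep the rendered PDF from carrying them forward. The "About the speaker" frame also states `Linux user + application developer since 1994` while `2011/bio.txt` in the same commit says "working with Free Software ... since 1995"; the two may describe different milestones, but it is worth confirming which year the author intends if the bio is meant to match the slides.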
@@ -0,0 +1,30 @@
+Harald Welte is a freelancer, consultant, enthusiast, freedom fighter and
+hacker who is working with Free Software (and particularly the Linux kernel)
+since 1995. His first major code contribution to the kernel was within the
+netfilter/iptables packet filter.
+
+He has started a number of other Free Software and Free Hardware projects,
+mainly related to RFID such as librfid, OpenMRTD, OpenBeacon, OpenPCD,
+OpenPICC. During 2006 and 2007 Harald became the co-founder of OpenMoko, where
+he served as Lead System Architect for the worlds first 100% Open Free Software
+based mobile phone.
+
+Aside from his technical contributions, Harald has been pioneering the legal
+enforcement of the GNU GPL license as part of his gpl-violations.org project.
+More than 150 inappropriate use of GPL licensed code by commercial companies
+have been resolved as part of this effort, both in court and out of court. He
+has received the 2007 "FSF Award for the Advancement of Free Software" and the
+"2008 Google/O'Reilly Open Source award: Defender of Rights".
+
+In 2008, Harald started to work on Free Software on the GSM protocol side, both
+for passive sniffing and protocol analysis, as well as an actual network-side
+GSM stack implementation called OpenBSC. In 2010, he expanded those
+efforts by creating OsmocomBB, a GSM teleophony-side baseband processor
+firmware and protocol stack. Other recent projects include
+OsmocomTETRA, a receive-only implementation of the ETSI TETRA radio
+interface.
+
+Harald is co-founder of sysmocom - systems for mobile communications
+GmbH, but continues to operate his technology consulting business
+hmw-consulting.de
+
diff --git a/2011/cell_prot_int-ccc2011/Gsm_structures.pdf b/2011/cell_prot_int-ccc2011/Gsm_structures.pdf
new file mode 100644
index 0000000..cc54575
Binary files /dev/null and b/2011/cell_prot_int-ccc2011/Gsm_structures.pdf differ
diff --git a/2011/cell_prot_int-ccc2011/Gsm_structures.svg b/2011/cell_prot_int-ccc2011/Gsm_structures.svg
new file mode 100644
index 0000000..331298c
--- /dev/null
+++ b/2011/cell_prot_int-ccc2011/Gsm_structures.svg
@@ -0,0 +1,1531 @@ + + + + GSM structure + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + GSM structure + 2009-12-09 + + + Kevin (tsaitgaist) Redon + + + key elements of the structure of a GSM network + + + + - terminal icons gnome (devices) the gnome icon package +- servers from http://openclipart.org/media/files/Anonymous/7274 + + + + + + + + Base Station Subsystem (BSS) + + Structure of a GSM network (key elements) + Network SubSystem (NSS) + + GPRS Core Network + + Mobile Station (MS) + + + + + + + + + + + + + + + R + Air + (Um) + A-bis + A + Gb + H/E etc + 
Gr/Gs + Gn + Gi + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PSTN + + + SS7 network + + + + GPRS backboneIP netwok + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Internet + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + # + 0 + * + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + BTS + BTS + BSC + PCU + MSC/VLR + SGSN + GGSN + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + HLR/AUC(EIR) + + MT/TE + TE + SIM(UICC) + + \ No newline at end of file diff --git a/2011/cell_prot_int-ccc2011/UMTS_Network_Architecture.pdf b/2011/cell_prot_int-ccc2011/UMTS_Network_Architecture.pdf new file mode 100644 index 0000000..38ce3d8 Binary files /dev/null and b/2011/cell_prot_int-ccc2011/UMTS_Network_Architecture.pdf differ 
diff --git a/2011/cell_prot_int-ccc2011/UMTS_Network_Architecture.svg b/2011/cell_prot_int-ccc2011/UMTS_Network_Architecture.svg new file mode 100644 index 0000000..4168c13 --- /dev/null +++ b/2011/cell_prot_int-ccc2011/UMTS_Network_Architecture.svg @@ -0,0 +1,916 @@ + + + + + UMTS Network Architecture + + + + image/svg+xml + + UMTS Network Architecture + https://secure.wikimedia.org/wikipedia/commons/wiki/File:UMTS_Network_Architecture.png + vector version of https://secure.wikimedia.org/wikipedia/commons/wiki/File:UMTS_Network_Architecture.png + 2010-04-14 + + + Kevin (tsaitgaist) Redon + + + + + + + + + + + + + + + + + + + + + + + + + + + + Services + Core Network + UTRAN + RNS + CBC + SGSN + MSC Server + MGW + RNC + RNC + NodeB + NodeB + NodeB + NodeB + NodeB + NodeB + NodeB + NodeB + NodeB + NodeB + NodeB + NodeB + NodeB + + + + + + + lur + + + + + + + + + + + lub + lub + + + + + + + + + lub + lub + + + + + + + + lu-BC + + + + + + + lu-PS + + + + + + + + lu-CS + + + + + + + lu-CS + + + + + + + RNS + Source:Wikipedia, User: tsaitgaist, CC-BY-SA + + diff --git a/2011/cell_prot_int-ccc2011/cell_prot_int.pdf b/2011/cell_prot_int-ccc2011/cell_prot_int.pdf new file mode 100644 index 0000000..f7e5b1c Binary files /dev/null and b/2011/cell_prot_int-ccc2011/cell_prot_int.pdf differ diff --git a/2011/cell_prot_int-ccc2011/cell_prot_int.snm b/2011/cell_prot_int-ccc2011/cell_prot_int.snm new file mode 100644 index 0000000..e69de29 diff --git a/2011/cell_prot_int-ccc2011/cell_prot_int.tex b/2011/cell_prot_int-ccc2011/cell_prot_int.tex new file mode 100644 index 0000000..2c329bb --- /dev/null +++ b/2011/cell_prot_int-ccc2011/cell_prot_int.tex 
@@ -0,0 +1,501 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% + \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{Cellular Protocols for Mobile Internet} + +\subtitle +{GPRS, EDGE, UMTS, HSPA demystified} + +\author{Harald Welte } + +\institute +{gnumonks.org\\OpenBSC\\OsmocomBB\\hmw-consulting.de\\sysmocom GmbH} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[28c3] % (optional, should be abbreviation of conference name) +{28C3, December 2011, Berlin/Germany} +% - Either use conference name or its abbreviation. 
+% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Communications} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About the speaker} +\begin{itemize} + \item Using + playing with Linux since 1994 + \item Kernel / bootloader / driver / firmware development since 1999 + \item IT security expert, focus on network protocol security + \item Former core developer of Linux packet filter netfilter/iptables + \item Board-level Electrical Engineering + \item Always looking for interesting protocols (RFID, DECT, GSM) + \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN +\end{itemize} +\end{frame} + +\section{Evolution of cellular networks} + +\subsection{GSM/GPRS/EDGE} + +\begin{frame}{GSM / CSD} +\begin{itemize} + \item GSM is the first digital cellular system, developed in 1980ies, first deployment 1990 + \item GSM is a pure circuit-switched technology, like POTS/ISDN in the land-line world + \item GSM offers CSD (circuit switched data) to provide similar service as analog modems in land-line telephone network + \item CSD offers data rates 2400 / 4800 / 9600 / 14400 bps + \item CSD still supported by a number of operators today +\end{itemize} +\end{frame} + +\begin{frame}{GSM / HSCSD} +\begin{itemize} + \item HSCSD is High-Speed CSD + \item HSCSD bundles up to four GSM time-slots to achieve 38.4/57.6kbps data speeds + \item very expensive in terms of network load (1 data session occupies 4 to 8 times the bandwidth of a phone call) + \item was popular for a very short time only, dead by now +\end{itemize} +\end{frame} + +\begin{frame}{GPRS} +\begin{itemize} + \item GPRS (General Packet Radio Servie) specified in 1990ies, first deployed 1999 + \item A separate, independent network to GSM, using same modulation/channeling and time-slot structure + \item Introduces lots of GPRS-specific equipment (CCU, PCU, SGSN, GGSN) to the network + \item packet-switched, not circuit switched + \item net band-width for IP around 56 to 114 kbits/sec + \item available virtually anywhere on the world except Japan/Korea +\end{itemize} +\end{frame} + +\begin{frame}{EDGE} 
+\begin{itemize} + \item Enhanced Data-rates for GSM evolution, EGPRS and ECSD + \item Actually, most people mean only EGPRS when they say EDGE + \item uses same channel/bandwidth/TDMA as GPRS + \item physical layer uses 8PSK modulation instead of GMSK + \item no real changes to any higher protocol layers + \item most phones support EGPRS up to 236 kbits/sec + \item available virtually anywhere on the world except Japan/Korea +\end{itemize} +\end{frame} + +\subsection{UMTS - 3G} + +\begin{frame}{UMTS} +\begin{itemize} + \item UMTS (Universal Mobile Telephony System) developed in 1996-1999 + \item First commercial deployments 2002 + \item 384 kbits/sec downlink, 128 kbits/sec uplink + \item entirely new system, not an evolution/extensions of GSM/GPRS/EDGE + \item Wideband CDMA (WCDMA) used as modulation technique + \item Supports CS (ciruit switched) and PS (packet switched) services + \item fixed part of the network heavily uses ATM over SONET/SDH +\end{itemize} +\end{frame} + +\begin{frame}{HSDPA} +\begin{itemize} + \item introduces new transport channel: HS-DSCH (High Speed Downlink Shared Channel) + \item added in UMTS Release >= 5 + \item uses new physical channels: HS-SCCH, HS-DPCCH, HS-PDSCH + \item adaptive modulation (QPSK, 16-QAM, 64-QAM) + \item 3.6 Mbits/sec downlink + \item Rel-5 also introduces 384 kbits/sec uplink +\end{itemize} +\end{frame} + +\begin{frame}{HSUPA} +\begin{itemize} + \item HSUPA (High Speed Uplink Packet Access) == EUL (Enhanced Uplink) + \item added in UMTS Releae >= 6 + \item similar techniques as for HSUPA but uplink + \item new physical channels: E-AGCH, E-RGCH, E-DPCH, E-HICH, E-DPCCH, E-DPDCH + \item Hybrid-ARQ to improve performance of re-transmissions + \item common use up to 5.76 Mbits/sec +\end{itemize} +\end{frame} + +\begin{frame}{HSPA+} +\begin{itemize} + \item HSPA+ == ESPA (Evolved High Speed Packet Access) + \item added in UMTS Release >= 7 + \item up to 84 Mbits/sec DL, up to 22Mbits/s UL + \item MIMO, QAM-64, 
combining two cells (dual-cell) + \item theoretical maximum at 186 Mbit/s + \item first deployments in 2008 +\end{itemize} +\end{frame} + + +\section{GSM / GPRS / EDGE} + +\subsection{Circuit Switched Data (CSD)} + +\begin{frame}{Circuit Switched Data} +\begin{itemize} + \item Not covered here, only historic relevance... +\end{itemize} +\end{frame} + +\subsection{GPRS Stacking and Layers} + +\begin{frame}{GSM / GPRS Network Structure} +\begin{figure}[h] + \centering + \includegraphics[width=95mm]{Gsm_structures.pdf} +\end{figure} +\end{frame} + +\begin{frame}{GPRS Control Plane Stacking} +\begin{figure}[h] + \centering + \includegraphics[width=115mm]{gprs_control_stack.pdf} +\end{figure} +\end{frame} + +\begin{frame}{GPRS User Plane Stacking} +\begin{figure}[h] + \centering + \includegraphics[width=115mm]{gprs_user_stack.pdf} +\end{figure} +\end{frame} + +\begin{frame}{GPRS Lower Layers} +\begin{itemize} + \item MAC (Medium Access Control), TS 44.060 + \item MAC layer immediately on top of PDTCH physical channel + \item RLC (Radio Lonk Control), also TS 44.060 + \item RLC layer on top of MAC layer + \item resource allocation always controlled by network + \item message encoding specified in CSN.1 (Concrete Syntax Notation) +\end{itemize} +\end{frame} + +\begin{frame}{GPRS Gb Layers} +\begin{itemize} + \item NS (Network Service) layer, TS 08.16 + \begin{itemize} + \item maintains (redundant) physical links on top of frame relay + \item fail-over and load-sharing over various links + \item NS originally used over FR (Frame Relay) + \item sometimes NS in FR in IP + \item later also NS-over-IP (NSIP) using UDP + \end{itemize} + \item BSSGP (Base Station Subsystem Gateway Protocol), TS 08.18 + \begin{itemize} + \item BVCI (BSSGP Virtual Connection Identifier) + \item maintains one BVC for each BTS in a BSS + \item maintains one additional BVC for each BSS (paging) + \item implements flow control (BSS, MS, PFC) + \item very inefficient due to large headers for every msg 
+ \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{GPRS LLC Layer} +\begin{itemize} + \item SNDCP (Sub-Network Dependent Convergence Protocol), TS 04.64 + \item LLC (Logical Link Control) established between SGSN and MS + \item supports acknowledged and unacknowledged mode + \item one SAPI for signalling (GMM, SM) + \item additional SAPIs available for user traffic in SNDCP + \item GEA encryption happens on LLC layer + \item Checksumming +\end{itemize} +\end{frame} + +\begin{frame}{GPRS SNDCP Layer} +\begin{itemize} + \item SNDCP (Sub-Network Dependent Convergence Protocol), TS 04.65 + \item general-purpose encapsulation for user packte data + \item intiially intended for X.25 and OSI protocols, also IP + \item today only used with IP payload + \item IP header compression, v.42bis payload compression + \item multiple streams (NSAPI) can exist over a LLC SAPI +\end{itemize} +\end{frame} + +\begin{frame}{GPRS Mobility Management} +\begin{itemize} + \item GMM (GPRS Mobility Management) corresponds to GSM MM + \item signalling directly on top of LLC, no SNDCP is used + \begin{itemize} + \item Routeing Area Update + \item GPRS Attach/Detach + \item Authentication (same as GSM A3/A8) + \item P-TMSI reallocation + \item Identification Procedure + \item SMS delivery via GPRS + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Example GRPS MM Procedure} +\begin{figure}[h] + \centering + \includegraphics[width=65mm]{gprs_ra_upd.png} +\end{figure} +\end{frame} + + +\begin{frame}{GPRS Session Management} +\begin{itemize} + \item SM (Session Management) maintains tunnels to external +packet data networks + \item each session is called a PDP Context + \item multiple PDP contexts can be active at any point in time + \item Address of tunnel broker (GGSN) called APN (access point name) + \item SSGN uses (private) DNS zones for resolving GGSN IP based on APN + \item SGSN maintains state, but actual establishment is handled via GTP-C by the GGSN + \item each PDP 
context has its APN, QoS, IPv4/IPv6 address, etc. +\end{itemize} +\end{frame} + +\begin{frame}{Example GRPS SM Procedure} +\begin{figure}[h] + \centering + \includegraphics[width=85mm]{gprs_pdp_ctx_act.png} +\end{figure} +\end{frame} + +\subsection{Core Network Protocols} + +\begin{frame}{GTP Protocol between SGSN and GGSN} +\begin{itemize} + \item GTP (GPRS Tunnelling Protocol), TS 29.060 + \item the only protocol specified over IP right from the beginning + \item GGSN can be an IP-only device, no SS7/SIGTRAN/E1/FR required + \item GTP-C for tunnel setup/teardown (SM procedures) + \item GTP-U for encapsulating actual user data + \item no authentication/encryption, intended to be used in private intra or inter-operator links only +\end{itemize} +\end{frame} + + +\section{UMTS / HSDPA / HSUPA} + +\subsection{UMTS Protocol Overview} + +\begin{frame}{UMTS PS Intro} +\begin{itemize} + \item Higher layers (GMM, SM) re-used from GPRS + \item SGSN and GGSN functional entities remain almost unchanged + \item Large differences in SGSN-RAN communication (RANAP instead of BSSGP/NS) + \item Anything below RANAP again quite different from GPRS +\end{itemize} +\end{frame} + +\begin{frame}{UMTS Network Architecture} +\begin{figure}[h] + \centering + \includegraphics[width=90mm]{UMTS_Network_Architecture.pdf} +\end{figure} +\end{frame} + +\begin{frame}{UMTS Control Plane Stacking} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{umts_ps_control.pdf} +\end{figure} +\end{frame} + +\begin{frame}{UMTS User Plane Stacking} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{umts_ps_user.pdf} +\end{figure} +\end{frame} + +\begin{frame}{UMTS RLC/MAC Layer} +\begin{itemize} + \item MAC specified in TS 25.321 + \item RLC specified in TS 25.322 + \item not in any formal syntax (uncommon in UMTS!) 
+ \item RLC level implements encryption, segmentation, retransmission +\end{itemize} +\end{frame} + +\begin{frame}{UMTS RRC Layer} +\begin{itemize} + \item RRC specified in TS 25.331 + \item completely new protocol, unlike GSM/GRPS RR + \item formally specified in ASN.1, uses PER + \begin{itemize} + \item measurement control + \item ciphering control + \item paging + \item radio bearer management + \item SYS\_INFO broadcast + \item integrity check + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{UMTS PDCP Layer} +\begin{itemize} + \item PDCP specified in TS 25.323 + \item corresponds to functionality of SNDCP in GPRS + \item handles user data payload and header compression + \item utilizes RFC 3095 (ROHC) and RFC 2507 (IP Hdr Comp) + \item between User IP and RLC +\end{itemize} +\end{frame} + +\subsection{UMTS network internal protocols} + +\begin{frame}{UMTS RANAP Layer} +\begin{itemize} + \item RANAP (Radio Access Network Application Part), TS 25.413 + \item signalling between SGSN and RAN (RNC) + \item formally specified in ASN.1, uses PER encoding + \item never visible to the user, only in back-haul network + \item Vodafone UK / Alcatel-Lucent Femtocells use RANAP! +\end{itemize} +\end{frame} + + +\begin{frame}{UMTS NBAP Layer} +\begin{itemize} + \item NBAP (NodeB Application Part), TS 25.443 + \item signalling between RNC and NodeB inside RAN + \item formally specified in ASN.1 + \item never visible to the user, only in back-haul network + \item is what you need to implment first to drive UMTS NodeBs from eBay ;) +\end{itemize} +\end{frame} + +\begin{frame}{UMTS GTP Layer between SGSN and GGSN} +\begin{itemize} + \item exactly the same as for GPRS + \item some new/extended information elements for e.g. 
3G QoS + \item GGSN doesn't need to change between 2G and 3G networks +\end{itemize} +\end{frame} + +\begin{frame}{HSPA+ related changes} +\begin{itemize} + \item SGSNs have become a bottleneck in modern data-driven cellular networks + \item SGSNs can be bought up to 40Gbps throughput, but most are smaller + \item think of 20,000 cells, each 3 sectors with 20Mbps+ each... + \item HSPA+ eNodeB contains small SGSN internally, user data directly passed to GGSN + \item this means segmentation, compression and encryption is no longer on a centralized node but done on the edge of the network +\end{itemize} +\end{frame} + +\begin{frame}{Thanks} +Thanks for your attention. I hope we have time for Q\&A. +\end{frame} + + +\end{document} diff --git a/2011/cell_prot_int-ccc2011/gprs_control_stack.pdf b/2011/cell_prot_int-ccc2011/gprs_control_stack.pdf new file mode 100644 index 0000000..1dbd26e Binary files /dev/null and b/2011/cell_prot_int-ccc2011/gprs_control_stack.pdf differ diff --git a/2011/cell_prot_int-ccc2011/gprs_control_stack.svg b/2011/cell_prot_int-ccc2011/gprs_control_stack.svg new file mode 100644 index 0000000..8622512 --- /dev/null +++ b/2011/cell_prot_int-ccc2011/gprs_control_stack.svg @@ -0,0 +1,1341 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + MAC + RLC + LLC + + LLC + + E1 + + + + + PhysicalLayer + + + + + + + Um + A-bis + Gb + Gc + MS + BTS+CCU + BSC+PCU + SGSN + GPRS Control Plane + + + FrameRelay + NS + + BSSGP + + + E1 + + PhysicalLayer + TRAUFraming + + + MAC + RLC + + + E1 + + + + E1 + FrameRelay + NS + + BSSGP + TRAUFraming + + + + GMM + SM + + + GMM + SM + + E1 + + SCCP + + TCAP + + MAP + + MTP3 + + MTP2 + HLR + + E1 + + SCCP + + TCAP + + MAP + + MTP3 + + MTP2 + + + + + 
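Review bot: The HSUPA frame compares HSUPA to itself (`\item similar techniques as for HSUPA but uplink`); the intended reference is presumably the preceding HSDPA frame, so the line should read `\item similar techniques as for HSDPA but uplink`. Several slide strings also carry typos that will appear verbatim in the rendered PDF: `Servie` (GPRS frame), `Lonk` (GPRS Lower Layers), `packte` and `intiially` (SNDCP frame), `Releae` (HSUPA frame), `ciruit` (UMTS frame), `implment` (NBAP frame), and `GRPS` in two frame titles and in the RRC frame. The same class of defect occurs later in this commit in gpl_enforcement.tex (`Softare`, `engange`) and abstract.txt (`telephon`, `liek`).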
diff --git a/2011/cell_prot_int-ccc2011/gprs_pdp_ctx_act.png b/2011/cell_prot_int-ccc2011/gprs_pdp_ctx_act.png new file mode 100644 index 0000000..46a7cb0 Binary files /dev/null and b/2011/cell_prot_int-ccc2011/gprs_pdp_ctx_act.png differ diff --git a/2011/cell_prot_int-ccc2011/gprs_ra_upd.png b/2011/cell_prot_int-ccc2011/gprs_ra_upd.png new file mode 100644 index 0000000..3877d30 Binary files /dev/null and b/2011/cell_prot_int-ccc2011/gprs_ra_upd.png differ diff --git a/2011/cell_prot_int-ccc2011/gprs_user_stack.pdf b/2011/cell_prot_int-ccc2011/gprs_user_stack.pdf new file mode 100644 index 0000000..c9a280c Binary files /dev/null and b/2011/cell_prot_int-ccc2011/gprs_user_stack.pdf differ diff --git a/2011/cell_prot_int-ccc2011/gprs_user_stack.svg b/2011/cell_prot_int-ccc2011/gprs_user_stack.svg new file mode 100644 index 0000000..6b702a2 --- /dev/null +++ b/2011/cell_prot_int-ccc2011/gprs_user_stack.svg @@ -0,0 +1,1357 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + MAC + RLC + LLC + + LLC + + E1 + + + IP + Ethernet + + GTP-U + + + IP + Ethernet + + GTP-U + + + + + + PhysicalLayer + + + + + + + Um + A-bis + Gb + Gn + MS + BTS+CCU + BSC+PCU + SGSN + GGSN + GPRS User Plane + + + FrameRelay + NS + + BSSGP + + + E1 + + PhysicalLayer + TRAUFraming + + + MAC + RLC + + + E1 + + + + E1 + FrameRelay + NS + + BSSGP + TRAUFraming + + + UDP + + UDP + SNDCP + + SNDCP + + + + IP + + + + IP + + + + + TCP + + + + TCP + + + + HTTP + + + + HTTP + + + + + + + diff --git a/2011/cell_prot_int-ccc2011/umts_ps_control.pdf b/2011/cell_prot_int-ccc2011/umts_ps_control.pdf new file mode 100644 index 0000000..ae1ef74 Binary files /dev/null and b/2011/cell_prot_int-ccc2011/umts_ps_control.pdf differ 
diff --git a/2011/cell_prot_int-ccc2011/umts_ps_control.svg b/2011/cell_prot_int-ccc2011/umts_ps_control.svg new file mode 100644 index 0000000..0e24f88 --- /dev/null +++ b/2011/cell_prot_int-ccc2011/umts_ps_control.svg @@ -0,0 +1,1519 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + Iub-FP + + + + + + + MAC + RLC + RRC + GMM + SM + + + + + MAC + RLC + RRC + + + + GMM + SM + + + + RANAP + + + + RANAP + + + + + + + + ATM + SAR + CPCS + SSCOP + SSCF/UNI + + Iub-FP + + + + + + ATM + SAR + CPCS + SSCOP + SSCF NNI + + + + + + SCCP + MTP3b + M3UA + SCTP + IP + + + + + + + + ATM + SAR + CPCS + SSCOP + SSCF NNI + + + + + + SCCP + MTP3b + M3UA + SCTP + IP + + + + UDP + IP + Ethernet + + + GTP-C + + + + UDP + IP + Ethernet + + GTP-C + + + + + + + PhysicalLayer + + + + + + + ATM + SAR + CPCS + SSCOP + SSCF/UNI + + PhysicalLayer + + TransportChannels + + TransportChannels + + + + + + + Uu + Iub + Iu-ps + Gn + MT + NodeB + RNC + SGSN + GGSN + UMTS Packet Switched Control Plane + + diff --git a/2011/cell_prot_int-ccc2011/umts_ps_user.pdf b/2011/cell_prot_int-ccc2011/umts_ps_user.pdf new file mode 100644 index 0000000..78a195f Binary files /dev/null and b/2011/cell_prot_int-ccc2011/umts_ps_user.pdf differ diff --git a/2011/cell_prot_int-ccc2011/umts_ps_user.svg b/2011/cell_prot_int-ccc2011/umts_ps_user.svg new file mode 100644 index 0000000..eb8eacf --- /dev/null +++ b/2011/cell_prot_int-ccc2011/umts_ps_user.svg 
@@ -0,0 +1,1497 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + Iub-FP + + + + MAC + RLC + PDCP + + + + MAC + RLC + PDCP + + Iu-FP + + Iu-FP + + ATM + + Iub-FP + + + + ATM + SAR + CPCS + + + + ATM + SAR + CPCS + + + IP + Ethernet + + + IP + Ethernet + + + + + + PhysicalLayer + + + + ATM + CPS + SSSAR + + PhysicalLayer + TransportChannels + + TransportChannels + + + + + + + Uu + Iub + Iu-ps + Gn + MT + NodeB + RNC + SGSN + GGSN + UMTS Packet Switched User Plane + + + IP + + + + GTP-U + + GTP-U + + + GTP-U + + GTP-U + + + + CPS + SSSAR + + + UDP + UDP + + IP + + UDP + + IP + + UDP + + + IP + + + + + TCP + + + + TCP + + + + HTTP + + + + HTTP + + + + + diff --git a/2011/gpl_enforcement-kr2011/gpl_enforcement.pdf b/2011/gpl_enforcement-kr2011/gpl_enforcement.pdf new file mode 100644 index 0000000..533c648 Binary files /dev/null and b/2011/gpl_enforcement-kr2011/gpl_enforcement.pdf differ diff --git a/2011/gpl_enforcement-kr2011/gpl_enforcement.snm b/2011/gpl_enforcement-kr2011/gpl_enforcement.snm new file mode 100644 index 0000000..e69de29 diff --git a/2011/gpl_enforcement-kr2011/gpl_enforcement.tex b/2011/gpl_enforcement-kr2011/gpl_enforcement.tex new file mode 100644 index 0000000..0170796 --- /dev/null +++ b/2011/gpl_enforcement-kr2011/gpl_enforcement.tex 
@@ -0,0 +1,245 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{GNU GPL License Compliance} + +\subtitle +{Current issues and Outlook} + +\author{Harald Welte} + +\institute +{gpl-violations.org\\gnumonks.org\\hmw-consulting.de} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[September 2011] % (optional, should be abbreviation of conference name) +{September 2011} +% - Either use conference name or its abbreviation. +% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Embedded Linux} +% This is only inserted into the PDF information catalog. Can be left +% out. 
+ + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About the speaker} +\begin{itemize} +\item Linux user since 1994 +\item Linux kernel development since 1999 +\item GNU GPL license enforcement since 2003 +\item IT security expert, network protocol security +\item Board-level Electrical Engineering +\item System-level Software for PPC, ARM, x86 +\item IANAL, but companies not complying with the license forced me to spend lots of time with legal issues +\end{itemize} +\end{frame} + + +\section{What happened so far} + +\subsection{Historical development} + +\begin{frame}{Historical development} +\begin{itemize} + \item 1970ies: Softare becomes copyrightable + \item 1980ies: GNU project, GPLv1 + \item 1990ies: Linux kernel, GPLv2, servers + \item 2000s: Linux and FOSS is everywhere +\end{itemize} +\end{frame} + +\subsection{FOSS is everywhere} + +\begin{frame}{Linux and Free Software (FOSS) everywhere} +\begin{figure}[h] +\centering +\includegraphics[width=100mm]{linux_netfilter_singapore_entertainment.jpg} +\end{figure} +\end{frame} + +\subsection{GPL enforcement} + +\begin{frame}{GPL enforcement} +\begin{itemize} + \item Before 2003: Mostly Free Software Foundation + \item 2003-now: gpl-violations.org (Europe), ~ 200 cases + \item 2008-now: SFLC (United States) + \item publicly invisible enforcement + \begin{itemize} + \item e.g. MySQL (dual-licensing) + \item e.g. Asterisk (dual-licensing) + \end{itemize} +\end{itemize} +\end{frame} + +\section{Fewer blatant violations} + +\begin{frame}{Fewer blatant GPL violations} +In recent years, +\begin{itemize} + \item most companies understand they have to care about compliance + \item most products ship with written offer, license text + \item some form of source code is provided +\end{itemize} +so where's the problem? 
+\end{frame} + +\begin{frame}{Problem with current source code offers} +The problem is: +\begin{itemize} + \item source code is often incorrect + \item source code is often incomplete + \item source code is often missing for firmware updates +\end{itemize} +\end{frame} + +\begin{frame}{The License is a tool, not an end in itself!} +\begin{itemize} + \item GPL created by demand from Engineers, not Lawyers + \item Idea: Protect freedom of code and users + \item Community based, collaborative development + \item Industry should think about how they engange with the +community in a productive way, {\em beyond mere license compliance} +\end{itemize} +\end{frame} + +\section{New interesting legal case in Germany} +\begin{frame}{New interesting legal case in Germany} +\begin{itemize} + \item DSL router vendor (AVM) is using GPL code (Linux kernel, etc.) + \item 3rd party company (Cybits) is creating additional software to be +installed onto the DSL router + \begin{itemize} + \item Only GPL licensed components are modified + \end{itemize} + \item AVM sues Cybits over {\em modification of its firmware} + \item gpl-violations.org intervenes on defendant's side +\end{itemize} +\end{frame} + +\begin{frame}{AVM ./. Cybits} +Significance of this {\em AVM ./. Cybits} case +\begin{itemize} + \item GPL was created to enable and encourage innovation + \item Innovation can not be restricted to vendor + \item Everyone (customer, 3rd parties, ...) have right to make and distribute modified versions + \item Levels the playing field, encourages competition, prevents monopolies + \item Homebrew 3rd party firmware projects like OpenWRT, Cyanogenmod are widely used +\end{itemize} +\end{frame} + +\section{Outlook} + +\begin{frame}{Outlook} + \begin{itemize} + \item + Blatant GPL violations in embedded devices are declining, but are likely to continue due to lack of skill or negligence. 
+ \item + We'll see more {\em derivative works} types of GPL violations, and we'll see actual legal enforcement and precedent in this area over the next years. + \item + Stronger copyright protection demanded by content industry will also mean stronger protection for FOSS licenses. Imagine GPL enforcement with {\em three strikes} law in France ?!? + \end{itemize} +\end{frame} + +\end{document} diff --git a/2011/gpl_enforcement-kr2011/linux_netfilter_singapore_entertainment.jpg b/2011/gpl_enforcement-kr2011/linux_netfilter_singapore_entertainment.jpg new file mode 100644 index 0000000..91b839f Binary files /dev/null and b/2011/gpl_enforcement-kr2011/linux_netfilter_singapore_entertainment.jpg differ diff --git a/2011/gsm-ensa2011/NevadaTestSite.jpg b/2011/gsm-ensa2011/NevadaTestSite.jpg new file mode 100644 index 0000000..aa3a627 Binary files /dev/null and b/2011/gsm-ensa2011/NevadaTestSite.jpg differ diff --git a/2011/gsm-ensa2011/OBTSBM2010.jpg b/2011/gsm-ensa2011/OBTSBM2010.jpg new file mode 100644 index 0000000..7759978 Binary files /dev/null and b/2011/gsm-ensa2011/OBTSBM2010.jpg differ diff --git a/2011/gsm-ensa2011/abstract.txt b/2011/gsm-ensa2011/abstract.txt new file mode 100644 index 0000000..2a3542c --- /dev/null +++ b/2011/gsm-ensa2011/abstract.txt 
@@ -0,0 +1,26 @@
+Free Software for GSM networks
+
+During its 25 year history, Free Software has ventured in many areas of
+computing, such as TCP/IP networks, Internet servers, personal computers,
+laptops, desktop computers, embedded devices, and so on.
+
+However, there are other areas of computing that - until very recently - have
+not yet seen any Free Software. One prime example is cellular telephony
+networks. More than 3 billion subscribers use GSM cellular phones around the
+world. All components in the public GSM networks are proprietary
+both on the network side and on the telephon side.
+
+The cellular networks consist of components like base stations, telephone
+switches, all running proprietary software.
+
+The cellular phones - even those running Free Software based operating systems
+liek Android - have a separate computer called "baseband processor" that
+interacts with the GSM network and runs proprietary software.
+
+Since 2009, projects like OpenBTS, OpenBSC and OsmocomBB have been created to
+change this. They all implement components of a GSM network as Free Software.
+
+Harald Welte is the founder of OpenBSC and OsmocomBB. He will discuss the
+proprietary nature of the GSM world, the progress of Free Software in GSM
+and how the GSM related Free Software projects can be used in research
+and production.
diff --git a/2011/gsm-ensa2011/bts_tree_full.jpg b/2011/gsm-ensa2011/bts_tree_full.jpg
new file mode 100644
index 0000000..6b5c5e8
Binary files /dev/null and b/2011/gsm-ensa2011/bts_tree_full.jpg differ
diff --git a/2011/gsm-ensa2011/c123_pcb.jpg b/2011/gsm-ensa2011/c123_pcb.jpg
new file mode 100644
index 0000000..a9f24fc
Binary files /dev/null and b/2011/gsm-ensa2011/c123_pcb.jpg differ
diff --git a/2011/gsm-ensa2011/calypso-block.pdf b/2011/gsm-ensa2011/calypso-block.pdf
new file mode 100644
index 0000000..27f8be8
Binary files /dev/null and b/2011/gsm-ensa2011/calypso-block.pdf differ
diff --git a/2011/gsm-ensa2011/gsm.pdf b/2011/gsm-ensa2011/gsm.pdf
new file mode 100644
index 0000000..bb403ee
Binary files /dev/null and b/2011/gsm-ensa2011/gsm.pdf differ
diff --git a/2011/gsm-ensa2011/gsm.snm b/2011/gsm-ensa2011/gsm.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2011/gsm-ensa2011/gsm.tex b/2011/gsm-ensa2011/gsm.tex
new file mode 100644
index 0000000..746611f
--- /dev/null
+++ b/2011/gsm-ensa2011/gsm.tex
@@ -0,0 +1,305 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% + \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +\usepackage{subfigure} +\usepackage{hyperref} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{Free Software for GSM cellular telephony} + +\subtitle +{OpenBSC, OsmoSGSN, OpenGGSN, OsmocomBB} + +\author{Harald Welte} + +\institute +{gnumonks.org\\gpl-violations.org\\osmocom.org\\airprobe.org\\hmw-consulting.de} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. 
+ +\date[ENSA 2011] % (optional, should be abbreviation of conference name) +{ENSA, May 2011, Tetouan/Morocco} +% - Either use conference name or its abbreviation. +% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{GSM Security} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. 
Everybody will be happy with that. + +\begin{frame}{About the speaker} +\begin{itemize} + \item Using + playing with GNU/Linux since 1994 + \item Kernel / bootloader / driver / firmware development since 1999 + \item IT security expert, focus on network protocol security + \item Core developer of Linux packet filter netfilter/iptables + \item Trained as Electrical Engineer + \item Always looking for interesting protocols (RFID, DECT, GSM) +\end{itemize} +\end{frame} + +\begin{frame}{Success of Free Software}{depending on area of computing} +\begin{itemize} + \item Free Software has proven to be successful in many areas of +computing + \begin{itemize} + \item Operating Systems (GNU/Linux) + \item Internet Servers (Apache, Sendmail, Exim, Cyrus, +...) + \item Desktop Computers (gnome, KDE, Firefox, LibreOffice, ...) + \item Mobile Devices + \item Embedded network devices (Router, Firewall, NAT, WiFi-AP) + \end{itemize} + \item There are more areas to computing that people tend to +forget. Examples in the communications area: + \begin{itemize} + \item Cellular telephony networks (GSM, 3G, LTE) + \item Professional Mobile Radio (TETRA, TETRAPOL) + \item Cordless telephones (DECT) + \end{itemize} +\end{itemize} +\end{frame} + +\include{part-security_research} + +\begin{frame}{Security analysis of GSM}{The bootstrapping process} +\begin{itemize} + \item Start to read GSM specs (> 1000 PDF documents!) 
+ \item Gradually grow knowledge about the protocols + \item Obtain actual GSM network equipment (BTS) + \item Try to get actual protocol traces as examples + \item Start a complete protocol stack implementation from scratch + \item Finally, go and play with GSM protocol security +\end{itemize} +\end{frame} + +\subsection{The GSM network} + +\begin{frame}{The GSM network} + \begin{figure}[h] + \centering + \includegraphics[width=100mm]{gsm_network.png} + \end{figure} +\end{frame} + +\begin{frame}{GSM network components} + \begin{itemize} + \item The BSS (Base Station Subsystem) + \begin{itemize} + \item MS (Mobile Station): Your phone + \item BTS (Base Transceiver Station): The {\em cell tower} + \item BSC (Base Station Controller): Controlling up to hundreds of BTS + \end{itemize} + \item The NSS (Network Sub System) + \begin{itemize} + \item MSC (Mobile Switching Center): The central switch + \item HLR (Home Location Register): Database of subscribers + \item AUC (Authentication Center): Database of authentication keys + \item VLR (Visitor Location Register): For roaming users + \item EIR (Equipment Identity Register): To block stolen phones + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame}{GSM network interfaces} + \begin{itemize} + \item Um: Interface between MS and BTS + \begin{itemize} + \item the only interface that is specified over radio + \end{itemize} + \item A-bis: Interface between BTS and BSC + \item A: Interface between BSC and MSC + \item B: Interface between MSC and other MSC + \end{itemize} + GSM networks are a prime example of an asymmetric distributed network, + very different from the end-to-end transparent IP network. +\end{frame} + + +\subsection{The GSM protocols} + +\begin{frame}{GSM network protocols}{On the Um interface} + \begin{itemize} + \item Layer 1: Radio Layer, TS 04.04 + \item Layer 2: LAPDm, TS 04.06 + \item Layer 3: Radio Resource, Mobility Management, Call Control: TS 04.08 + \item Layer 4+: for USSD, SMS, LCS, ... 
+ \end{itemize} +\end{frame} + +\begin{frame}{GSM network protocols}{On the A-bis interface} + \begin{itemize} + \item Layer 1: Typically E1 line, TS 08.54 + \item Layer 2: A variant of ISDN LAPD with fixed TEI's, TS 08.56 + \item Layer 3: OML (Organization and Maintenance Layer, TS 12.21) + \item Layer 3: RSL (Radio Signalling Link, TS 08.58) + \item Layer 4+: transparent messages that are sent to the MS via Um + \end{itemize} +\end{frame} + +\include{section-openbsc} + +\include{section-osmocombb} + +\include{section-openbts} +\include{section-airprobe} +\include{section-wireshark} + +%\section{Summary} +%\subsection{What we've learned} + +\begin{frame}{Summary}{What we've learned} +\begin{itemize} + \item The GSM industry is making security analysis very difficult + \item It is well-known that the security level of the GSM stacks is very low + \item We now have multiple solutions for sending arbitrary protocol data + \begin{itemize} + \item From a rogue network to phones (OpenBSC, OpenBTS) + \item From a FOSS controlled phone to the network (OsmocomBB) + \item From an A-bis proxy to the network or the phones + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{Where we go from here} + +\begin{frame}{TODO}{Where we go from here} +\begin{itemize} + \item The tools for fuzzing mobile phone protocol stacks are available + \item It is up to the security community to make use of those tools (!) + \item Don't you too think that TCP/IP security is boring? 
+ \item Join the GSM protocol security research projects + \item Boldly go where no (free) man has gone before +\end{itemize} +\end{frame} + +\begin{frame}{Current Areas of Work / Future plans} +\begin{itemize} + \item UMTS(3G) support for NodeB and femtocells + \item SS7 / MAP integration (Erlang and C) + \item Playing with SIM Toolkit from the operator side + \item Playing with MMS + \item More exploration of RRLP + SUPL +\end{itemize} +\end{frame} + +%\subsection{Further Reading} + +\begin{frame}{Further Reading} +\begin{itemize} + \item \url{http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf} + \item \url{http://bb.osmocom.org/} + \item \url{http://openbsc.osmocom.org/} + \item \url{http://openbts.sourceforge.net/} + \item \url{http://airprobe.org/} +\end{itemize} +\end{frame} + +\end{document} diff --git a/2011/gsm-ensa2011/gsm.vrb b/2011/gsm-ensa2011/gsm.vrb new file mode 100644 index 0000000..d917a88 --- /dev/null +++ b/2011/gsm-ensa2011/gsm.vrb @@ -0,0 +1,13 @@ +\frametitle {OpenBTS USRP Clocking}\framesubtitle {Kalibrator Example} +\begin{block}{Example of running {\tt kal}} +\begin{lstlisting} +[openBTS@openBTS kal-0.2]# ./kal -f 946600000 -u +USRP side: B +FPGA clock: 52000000 +Decimation: 192 +Antenna: RX2 +Sample rate: 270833.343750 +average [min, max] (range, stddev) -2197.789062 [-2431, -1843] (588, 146.761444) +\end{lstlisting} +\end{block} +The value {\bf -2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp} diff --git a/2011/gsm-ensa2011/gsm_network.png b/2011/gsm-ensa2011/gsm_network.png new file mode 100644 index 0000000..c5f6399 Binary files /dev/null and b/2011/gsm-ensa2011/gsm_network.png differ diff --git a/2011/gsm-ensa2011/openbsc_host.jpg b/2011/gsm-ensa2011/openbsc_host.jpg new file mode 100644 index 0000000..10c575d Binary files /dev/null and b/2011/gsm-ensa2011/openbsc_host.jpg differ 
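Review bot: The frame titled "Security analysis of GSM / The bootstrapping process" in gsm.tex duplicates the frame of the same title at the end of part-security_research.tex, which gsm.tex already pulls in a few lines earlier via `\include{part-security_research}`, so the deck shows that slide twice with slightly different bullets. Keeping only the part-security_research.tex version (it carries the extra OpenBSC/OpenBTS sub-items) and dropping the copy in gsm.tex would avoid the repeat. Separately, `\mode` appears on the line before `{` with no `<presentation>` argument and the Tantau copyright line has lost its address; this looks like angle-bracket text stripped during extraction rather than a defect in the committed file, but it is worth confirming against the repository since a bare `\mode` will not compile. The gsm.vrb and gsm.snm files added alongside are beamer build artifacts and would normally be left out of version control.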
diff --git a/2011/gsm-ensa2011/osmosgsn.png b/2011/gsm-ensa2011/osmosgsn.png
new file mode 100644
index 0000000..f1dbc85
Binary files /dev/null and b/2011/gsm-ensa2011/osmosgsn.png differ
diff --git a/2011/gsm-ensa2011/part-security_research.tex b/2011/gsm-ensa2011/part-security_research.tex
new file mode 100644
index 0000000..676a4f5
--- /dev/null
+++ b/2011/gsm-ensa2011/part-security_research.tex
@@ -0,0 +1,141 @@ +%\part{Security Research} +\section{Researching GSM/3G security} +%\begin{frame}{Part 3 -- Researching GSM/3G security} +%\tableofcontents +% You might wish to add the option [pausesections] +%\end{frame} + +%\subsection{An interesting observation} + +\begin{frame}{Free specs / Free implementations} +\begin{itemize} + \item Observation + \begin{itemize} + \item Both GSM/3G and TCP/IP protocol specs are publicly available + \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny + \item GSM networks are as widely deployed as the Internet + \item Yet, GSM/3G protocols receive no such scrutiny! + \end{itemize} + \item There are reasons for that: + \begin{itemize} + \item GSM industry is extremely closed (and closed-minded) + \item Only about 4 proprietary protocol stack implementations + \item GSM chip set makers never release any hardware documentation + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{The closed GSM industry} + +\begin{frame}{The closed GSM industry}{Handset manufacturing side} +\begin{itemize} + \item Only very few companies build GSM/3.5G baseband chips today + \begin{itemize} + \item Those companies buy the operating system kernel and the protocol stack from third parties + \end{itemize} + \item Only very few handset makers are large enough to become a customer + \begin{itemize} + \item Even they only get limited access to hardware documentation + \item Even they never really get access to the firmware source + \end{itemize} +\end{itemize} +\end{frame} + +%\subsection{The closed GSM industry -- Network side} + +\begin{frame}{The closed GSM industry}{Network manufacturing side} +\begin{itemize} + \item Only very few companies build GSM network equipment + \begin{itemize} + \item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei + \item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment + \end{itemize} 
+ \item Only operators buy equipment from them + \item Since the quantities are low, the prices are extremely high + \begin{itemize} + \item e.g. for a BTS, easily 10-40k EUR + \item minimal network using standard components definitely in the 100,000s of EUR range + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Operator side} +From my experience with Operators (prove me wrong!) +\begin{itemize} + \item Operators are mainly finance + marketing today + \item Many operators outsources + \begin{itemize} + \item Network servicing / deployment, even planning + \item Other aspects of business like Billing + \end{itemize} + \item Operator just knows the closed equipment as shipped by manufacturer + \item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance +\end{itemize} +\end{frame} + +\subsection{Security implications} + +\begin{frame}{The closed GSM industry}{Security implications} +The security implications of the closed GSM industry are: +\begin{itemize} + \item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers + \item No independent research on protocol-level security + \begin{itemize} + \item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis) + \item Or on application level (e.g. mobile malware) + \end{itemize} + \item No free software protocol implementations + \begin{itemize} + \item which are key for making more people learn about the protocols + \item which enable quick prototyping/testing by modifying existing code + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Security analysis of GSM}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} + \item On the handset side? 
+ \begin{itemize} + \item Difficult since GSM firmware and protocol stacks are closed and proprietary + \item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too + \item Known attempts + \begin{itemize} + \item The TSM30 project as part of the THC GSM project + \item MADos, an alternative OS for Nokia DTC3 phones + \end{itemize} + \item none of those projects successful so far + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Security analysis of GSM}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} + \item On the network side? + \begin{itemize} + \item Difficult since equipment is not easily available and normally extremely expensive + \item However, network is very modular and has many standardized/documented interfaces + \item Thus, if equipment is available, much easier/faster progress + \item Also, using SDR (software defined radio) approach, special-purpose / closed hardware can be avoided + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Security analysis of GSM}{The bootstrapping process} +\begin{itemize} + \item Read GSM specs day and night (> 1000 PDF documents) + \item Gradually grow knowledge about the protocols + \begin{itemize} + \item OpenBSC: Obtain actual GSM network equipment (BTS) + \item OpenBTS: Develop SDR based GSM Um Layer 1 + \end{itemize} + \item Try to get actual protocol traces as examples + \item Start a complete protocol stack implementation from scratch + \item Finally, go and play with GSM protocol security +\end{itemize} +\end{frame} + + diff --git a/2011/gsm-ensa2011/section-airprobe.tex b/2011/gsm-ensa2011/section-airprobe.tex new file mode 100644 index 0000000..526e317 --- /dev/null +++ b/2011/gsm-ensa2011/section-airprobe.tex 
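Review bot: `\item Many operators outsources` in the "Operator side" frame should read `\item Many operators outsource`. In the "Known attempts" list, `MADos, an alternative OS for Nokia DTC3 phones` is presumably meant to name the Nokia DCT3 chipset generation, so `DCT3` looks like the intended spelling; worth confirming before changing it.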
@@ -0,0 +1,33 @@
+\subsection{airprobe}
+
+\begin{frame}{Open Source GSM Tools: Airprobe}
+\begin{itemize}
+ \item {\em airprobe} is a collection of Um protocol analyzer tools using the USRP software defined radio
+ \item A number of different Um receiver implementations
+ \begin{description}[gsm-receiver]
+ \item[gssm] One of the two early Um receiver implementations (M\&M clock recovery)
+ \item[gsmsp] The other early Um receiver implementation
+ \item[gsm-tvoid] For a long time the Um receiver with best performance
+ \item[gsm-receiver] The latest generation of Um receiver
+ \end{description}
+ \item Today, gsm-receiver seems to be the most popular choice
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Open Source GSM Tools: Airprobe}
+\begin{itemize}
+ \item Some other airprobe tools
+ \begin{description}[viterbi\_gen]
+ \item[gsmdecode] A standalone text-mode Um L2 frame parser
+ \item[wireshark] Dissector code for feeding Um frames into wireshark
+ \item[gsmstack] An unfinished more modular implementation of a Rx-only L1
+ \item[viterbi\_gen] Generate C++ implementations of a viterbi decoder
+ \end{description}
+ \item Still under development, no user friendly solution
+ \begin{itemize}
+ \item gsmtap frame format needs to be added as clean wireshark interface
+ \item receivers need automatic frequency scanning
+ \item full solution needs proper UI
+ \end{itemize}
+\end{itemize}
+\end{frame}
diff --git a/2011/gsm-ensa2011/section-openbsc.tex b/2011/gsm-ensa2011/section-openbsc.tex
new file mode 100644
index 0000000..3095cd9
--- /dev/null
+++ b/2011/gsm-ensa2011/section-openbsc.tex
@@ -0,0 +1,208 @@ +\section{OpenBSC} + +\subsection{OpenBSC Introduction} + +\begin{frame}{OpenBSC software} +OpenBSC is a Open Source implementation of (not only) the BSC features +of a GSM network. +\begin{itemize} + \item Support A-bis interface over E1 and IP + \item Support for BTS vendor/model is modular, currently Siemens BS-11 and ip.access nanoBTS + \item Multiple BTS models/vendors can be mixed! + \item Can work as a {\em pure BSC} or as a full {\em network in a box} + \item Supports mobility management, authentication, intra-BSC hand-over, SMS, voice calls (FR/EFR/AMR) + \item GPRS + EDGE support if combined with OsmoSGSN and OpenGGSN +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC} +\begin{itemize} + \item Supports Siemens BS-11 BTS (E1) and ip.access nanoBTS (IP based) + \item Has classic 2G signalling, voice and SMS support + \item Implements various GSM protocols like + \begin{itemize} + \item A-bis RSL (TS 08.58) and OML (TS 12.21) + \item TS 04.08 Radio Resource, Mobility Management, Call Control + \item TS 04.11 Short Message Service + \end{itemize} + \item Telnet console with Cisco-style interface +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC software architecture} +\begin{itemize} + \item Implemented in pure C, similarities to Linux kernel + \begin{itemize} + \item Linked List handling, Timer API, coding style + \end{itemize} + \item Single-threaded event-loop / state machine design + \item Telnet based command line interface {\em Cisco-style} + \item Input driver abstraction (mISDN, Abis-over-IP) +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC: GSM network protocols}{The A-bis interface} + \begin{description}[Layer 4+] + \item[Layer 1] Typically E1 line, TS 08.54 + \item[Layer 2] A variant of ISDN LAPD with fixed TEI's, TS 08.56 + \item[Layer 3] OML (Organization and Maintenance Layer, TS 12.21) + \item[Layer 3] RSL (Radio Signalling Link, TS 08.58) + \item[Layer 4+] transparent messages that are sent to the MS via Um + 
\end{description} +\end{frame} + +\begin{frame}{OpenBSC: How it all started} +\begin{itemize} + \item In 2006, I bought a Siemens BS-11 microBTS on eBay + \begin{itemize} + \item This is GSM900 BTS with 2 TRX at 2W output power (each) + \item A 48kg monster with attached antenna + \item 200W power consumption, passive cooling + \item E1 physical interface + \end{itemize} + \item I didn't have much time at the time (day job at Openmoko) + \item Started to read up on GSM specs whenever I could + \item Bought a HFC-E1 based PCI E1 controller, has mISDN kernel support + \item Found somebody in the GSM industry who provided protocol traces +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC: Timeline} +\begin{itemize} + \item November 2008: I started the development of OpenBSC + \item December 2008: we did a first demo at 25C3 + \item January 2009: we had full voice call support + \item Q1/2009: Add support for ip.access nanoBTS + \item June 2009: I started with actual security related stuff + \item August 2009: We had the first field test with 2BTS and > 860 phones + \item Q1/2010: The first 25 OpenBSC instances running in a commercial network +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC: Field Test at HAR2009} +\begin{figure}[h] +\subfigure{\includegraphics[width=5cm]{bts_tree_full.jpg}} +\subfigure{\includegraphics[width=5cm]{openbsc_host.jpg}} +\end{figure} +\end{frame} + + +\subsection{OpenBSC Network In The Box} + +\begin{frame}{OpenBSC in NITB mode}{Network In a Box Mode} +The {\tt osmo-nitb} program +\begin{itemize} + \item implements the A-bis interface towards any number of BTS + \item provides most typical features of a GSM network in one software + \item no need for MSC, AuC, HLR, VLR, EIR, ... 
+ \begin{itemize} + \item HLR/VLR as SQLite3 table + \item Authentication + Ciphering support + \item GSM voice calls, MO/MT SMS + \item Hand-over between all BTS + \item Multiple Location Areas within one BSC + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC NITB features} +OpenBSC NITB features +\begin{itemize} + \item Run a small GSM network with 1-n BTS and OpenBSC + \item No need for MSC/HLR/AUC/... + \item No need for your own SIM cards (unless crypto/auth rqd) + \item Establish signalling and voice channels + \item Make incoming and outgoing voice calls between phones + \item Send/receive SMS between phones + \item Connect to ISDN PBX or public ISDN via Linux Call Router +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC in NITB mode}{Network In a Box Mode} +The {\tt osmo-nitb} program +\begin{itemize} + \item does not implement any other GSM interfaces apart from A-bis + \item no SS7 / TCAP / MAP based protocols + \item no integration (roaming) with existing traditional GSM networks + \item wired telephony interfacing with ISDN PBX {\tt lcr} (Linux Call Router) + \item Has been tested with up to 800 subscribers on 5 BTS + \item Intended for R\&D use or private PBX systems +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC LCR integration}{Interfacing with wired telephony} +OpenBSC (NITB mode) can be linked into Linux Call Router ({\tt lcr}) +\begin{itemize} + \item OpenBSC is compiled as libbsc.a + \item libbsc.a includes full OpenBSC NITB mod code + \item linking the library into {\tt lcr} results in GSM {\em line interfaces} to become available inside {\tt lcr} + \item OpenBSC no longer takes care of call control, but simply hands everything off to {\tt lcr} + \item Dialling plan, etc. 
is now configure in {\tt lcr} like for any other wired phones +\end{itemize} +\end{frame} + +\subsection{OpenBSC BSC-only mode} + +\begin{frame}{OpenBSC in BSC-only mode} +The {\tt osmo-bsc} program +\begin{itemize} + \item behaves like a classic GSM BSC + \item uses SCCP-Lite (ip.access multipex) to any SoftMSC like ADC + \item used in production/commercial deployments (~ 75 BSCs) + \item mainly intended to replace proprietary BSC in traditional GSM networks +\end{itemize} +\end{frame} + +%\begin{frame}{OpenBSC} +% Demonstration +%\end{frame} + +\subsection{OpenBSC GPRS support} + +\begin{frame}{GPRS and OpenBSC} +\begin{itemize} + \item The BSC doesn't really do anything related to GPRS + \item GPRS implemented in separate SGSN and GGSN nodes + \item GPRS uses its own Gb interface to RAN, independent of A-bis + \item OpenBSC can configure the nanoBTS for GPRS+EDGE support via OML + \item Actual SGSN and GGSN implemented as OsmoSGSN and OpenGGSN programs +\end{itemize} +\end{frame} + +\begin{frame}{OsmoSGSN} +The Osmocom SGSN program implements +\begin{itemize} + \item basic/minimal SGSN functionality + \item the Gb interface (NS/BSSGP/LLC/SNDCP) + \item mobility management, session management +\end{itemize} +It's a work in progress, many missing features +\begin{itemize} + \item no HLR integration yet + \item no paging coordination with MSC/BSC + \item no encryption support yet +\end{itemize} +\end{frame} + +\begin{frame}{OpenGGSN} +\begin{itemize} + \item GPL licensed Linux program implementing GGSN node + \item Implements GTP-U protocol between SGSN and GGSN + \item User-configurable range/pool of IPv4 addresses for MS + \item Uses {\tt tun} device for terminating IP tunnel from MS + \item provides GTP implementation as libgtp + \item Experimental patches for IPv6 support +\end{itemize} +\end{frame} + +%\begin{frame}{OpenBSC + OpenGGSN + OsmoSGSN} +% Demonstration +%\end{frame} + +\begin{frame}{OpenBSC and OsmoSGSN based network} +\begin{figure}[h] 
+\includegraphics[width=10cm]{osmosgsn.png} +\end{figure} +\end{frame} + +% FIXME: include slide showing full OpenBSC+OsmoSGSN+OpenGGSN network diff --git a/2011/gsm-ensa2011/section-openbts.tex b/2011/gsm-ensa2011/section-openbts.tex new file mode 100644 index 0000000..9c04222 --- /dev/null +++ b/2011/gsm-ensa2011/section-openbts.tex 
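Review bot: Two wording slips in the slide text of section-openbsc.tex: `uses SCCP-Lite (ip.access multipex) to any SoftMSC like ADC` should read `multiplex`, and in the LCR integration frame `is now configure in {\tt lcr} like for any other wired phones` should read `is now configured in {\tt lcr} like for any other wired phone`. The closing `% FIXME` comment already records the missing full-network slide, so that gap is tracked.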
@@ -0,0 +1,183 @@
+\section{OpenBTS, airprobe and wireshark}
+
+\subsection{OpenBTS Introduction}
+
+\begin{frame}{What is OpenBTS?}
+\begin{itemize}
+ \item is {\em NOT} a BTS in the typical GSM sense
+ \item is better described as a GSM-Um to SIP gateway
+ \item implements the GSM Um (air interface) as SDR
+ \item uses the USRP hardware as RF interface
+ \item does not implement any of BSC, MSC, HLR, etc.
+ \item bridges the GSM Layer3 protocol onto SIP
+ \item uses SIP switch (like Asterisk) for switching calls + SMS
+ \item is developed as C++ program and runs on Linux + MacOS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{What is OpenBTS?}
+\begin{itemize}
+ \item Open implementation of Um L1 \& L2, an all-software BTS.
+ \item L1/L2 design based on an object-oriented dataflow approach.
+ \item Includes L3 RR functions normally found in BSC.
+ \item Uses SIP PBX for MM and CC functions, eliminating the conventional GSM network. L3 is like an ISDN/SIP gateway.
+ \item Intended for use in low-cost and rapidly-deployed communications networks, but can be used for experiments (including by Chris Paget at Def Con).
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS Hardware}
+OpenBTS supports the following SDR hardware
+\begin{itemize}
+ \item Ettus USRP(1) with two RFX 900 or RFX 1800 daughter boards
+ \begin{itemize}
+ \item Modification for external clock input recommended
+ \item External 52 MHz precision clock recommended
+ \end{itemize}
+ \item Kestrel Signal Processing / Range Networks custom radio
+ \item Close Haul Communications / GAPfiller (work in progress)
+ \item Ported to other radios by other clients
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OpenBTS History + Tests}
+\begin{itemize}
+ \item Started work in August 2007, first call in January 2008, first SMS in December 2008.
+ \item First public release in September 2008, assigned to FSF in October 2008.
+ \item Tested 3-sector system with 10,000-20,000 handsets at September 2009 Burning Man event in Nevada.
+ \item Tested 2-sector system with 40,000 handsets at September 2010 Burning Man event in Nevada.
+ \item Release 2.5 is about 13k lines of C++.
+ \item Part of GNU Radio project, distributed under GPLv3 (>= 2.6: AGPLv3)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS Software Architecture}
+\begin{itemize}
+ \item {\tt Transceiver} program
+ \begin{itemize}
+ \item SDR processing for Layer 0
+ \item BTS-side GSM Um Layer 1 implementation
+ \item sends GSM burst data via UDP socket
+ \end{itemize}
+ \item {\tt OpenBTS} program
+ \begin{itemize}
+ \item GSM Um Layer 2 (04.06) + 3 (04.08) implementation
+ \item SIP UA implementation
+ \item GSM Layer 3 CC to SIP bridge implementation
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS GSM <-> SIP mapping}
+\begin{itemize}
+ \item Location Updates mapped to SIP registration
+ \begin{itemize}
+ \item Use IMSI as SIP user name
+ \end{itemize}
+ \item Call Control mapped to SIP transactions
+ \begin{itemize}
+ \item relatively straight-forward
+ \end{itemize}
+ \item GSM Traffic Channels mapped to RTP channels
+ \begin{itemize}
+ \item No transcoding inside OpenBTS, FR/EFR messages are simply relayed
+ \end{itemize}
+ \item SMS mapped to SIP messaging according to RFC 3428
+ \begin{itemize}
+ \item A separate {\tt smqueue} daemon implements store+forward
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+%\subsection{Clocking}
+
+\begin{frame}{OpenBTS USRP Clocking}{Clock Stability}
+\begin{itemize}
+ \item USRP has regular XO (Crystal Oscillator) with 20ppm accuracy
+ \item GSM requires 20ppb carrier clock accuracy
+ \item possible solutions
+ \begin{itemize}
+ \item use external VCTCXO clocking module
+ \item use external OCXO clocking module
+ \item use a software calibration program comparing USRP XO with real GSM BTS carrier clocks
+ \end{itemize}
+ \item due to clock multiplication, absolute
error in GSM1800 is higher than in GSM900
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OpenBTS USRP Clocking}{64 MHz vs. 52 MHz clock}
+\begin{itemize}
+ \item The USRP master clock is 64 Mhz
+ \item In GSM, all clocks are derived from 13 MHz
+ \item Thus, a poly-phase re-sampler is part of SDR software
+ \item Alternative: use 52 MHz (13 MHz * 4) external clock
+ \item OpenBTS has two transceiver programs, one for each 64 MHz and 52 MHz
+ \begin{itemize}
+ \item Make sure to never use the wrong transceiver for your clock!
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS USRP Clocking}{Software Calibration}
+Basic idea: Use real GSM cell as clock source
+\begin{itemize}
+ \item Implemented by the {\em Kalibrator} ({\tt kal}) program
+ \item Acquire the FCCH burst of a real GSM cell
+ \item Measure the clock difference between USRP XO and that cell
+ \item Use the computed error as offset to USRP up/downconverter
+ \item However, temperature and other drift will make clocks go out of sync over time
+ \item Can only be used if a real-world GSM network is within range
+\end{itemize}
+\end{frame}
+
+%\begin{frame}[fragile]{OpenBTS USRP Clocking}{Kalibrator Example}
+%\begin{block}{Example of running {\tt kal}}
+%\begin{lstlisting}
+%[openBTS@openBTS kal-0.2]# ./kal -f 946600000 -u
+%USRP side: B
+%FPGA clock: 52000000
+%Decimation: 192
+%Antenna: RX2
+%Sample rate: 270833.343750
+%average [min, max] (range, stddev) -2197.789062 [-2431, -1843] (588, 146.761444)
+%\end{lstlisting}
+%\end{block}
+%The value {\bf -2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp}
+%\end{frame}
+
+\begin{frame}{OpenBTS -- ``Nevada Test Site'' \& 21m Mast}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=85mm]{NevadaTestSite.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Burning Man 2010 Tower Base}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=85mm]{OBTSBM2010.jpg}
+\end{figure}
+\end{frame}
+
+%\begin{frame}{OpenBTS}
+%
Demonstration
+%\end{frame}
+
+\begin{frame}{OpenMS}
+\begin{itemize}
+ \item Subscriber side stack based on OpenBTS.
+ \item Called MS, but just a BTS stack with data flows reversed and a different RR control logic.
+ \item Behavior is more like a passive interceptor that can also transmit.
+ \item Release 1.0 supports non-hopping multi-ARFCN networks.
+ \item Most L3 control logic provided by the end user.
+ \item A platform for
+ \begin{itemize}
+ \item passive interceptors
+ \item custom subscriber-side applications
+ \item environment analysis
+ \item intelligent jamming
+ \end{itemize}
+ \item NOT Open Source
+\end{itemize}
+\end{frame}
diff --git a/2011/gsm-ensa2011/section-osmocombb.tex b/2011/gsm-ensa2011/section-osmocombb.tex
new file mode 100644
index 0000000..a8f4cd1
--- /dev/null
+++ b/2011/gsm-ensa2011/section-osmocombb.tex
@@ -0,0 +1,296 @@
+\section{OsmocomBB Project}
+
+\begin{frame}{A GSM phone baseband processor}
+\begin{itemize}
+ \item GSM protocol stack always runs in a so-called baseband processor (BP)
+ \item What is the baseband processor
+ \begin{itemize}
+ \item Typically ARM7 (2G/2.5G phones) or ARM9 (3G/3.5G phones)
+ \begin{itemize}
+ \item Runs some RTOS (often Nucleus, sometimes L4)
+ \item No memory protection between tasks
+ \end{itemize}
+ \item Some kind of DSP, model depends on vendor
+ \begin{itemize}
+ \item Runs the digital signal processing for the RF Layer 1
+ \item Has hardware peripherals for A5 encryption
+ \end{itemize}
+ \end{itemize}
+ \item The software stack on the baseband processor
+ \begin{itemize}
+ \item is written in C and assembly
+ \item lacks any modern security features (stack protection, non-executable pages, address space randomization, ..)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{A GSM Baseband Chipset}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=100mm]{calypso-block.pdf}
+ \end{figure}
+ \url{http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf}
+\end{frame}
+
+\begin{frame}{Requirements for GSM security analysis}
+What do we need for protocol-level security analysis?
+\begin{itemize}
+ \item A GSM MS-side baseband chipset under our control
+ \item A Layer1 that we can use to generate arbitrary L1 frames
+ \item A Layer2 protocol implementation that we can use + modify
+ \item A Layer3 protocol implementation that we can use + modify
+\end{itemize}
+None of those components existed, so we need to create them!
+\end{frame}
+
+\begin{frame}{A GSM baseband under our control}
+The two different DIY approaches
+\begin{itemize}
+ \item Build something using generic components (DSP, CPU, ADC, FPGA)
+ \begin{itemize}
+ \item No reverse engineering required
+ \item A lot of work in hardware design + debugging
+ \item Hardware will be low-quantity and thus expensive
+ \end{itemize}
+ \item Build something using existing baseband chipset
+ \begin{itemize}
+ \item Reverse engineering or leaked documents required
+ \item Less work on the 'Layer 0'
+ \item Still, custom hardware in low quantity
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{A GSM baseband under our control}
+Alternative 'lazy' approach
+\begin{itemize}
+ \item Re-purpose existing mobile phone
+ \begin{itemize}
+ \item Hardware is known to be working
+ \item No prototyping, hardware revisions, etc.
+ \item Reverse engineering required
+ \item Hardware drivers need to be written
+ \item But: More time to focus on the actual job: Protocol software
+ \end{itemize}
+ \item Searching for suitable phones
+ \begin{itemize}
+ \item As cheap as possible
+ \item Readily available: Many people can play with it
+ \item As old/simple as possible to keep complexity low
+ \item Baseband chipset with lots of leaked information
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Baseband chips with leaked information}
+\begin{itemize}
+ \item Texas Instruments Calypso
+ \begin{itemize}
+ \item DBB Documentation on cryptome.org and other sites
+ \item ABB Documentation on Chinese phone developer websites
+ \item Source code of GSM stack / drivers was on sf.net (tsm30 project)
+ \item End of life, no new phones with Calypso since about 2008
+ \item No cryptographic checks in bootloader
+ \end{itemize}
+ \item Mediatek MT622x chipsets
+ \begin{itemize}
+ \item Lots of Documentation on Chinese sites
+ \item SDK with binary-only GSM stack libraries on Chinese sites
+ \item 95 million produced/sold in Q1/2010
+
\end{itemize}
+\end{itemize}
+Initial choice: TI Calypso (GSM stack source available)
+\end{frame}
+
+
+\subsection{OsmocomBB Introduction}
+
+\begin{frame}{OsmocomBB Introduction}
+\begin{itemize}
+ \item Project was started only in January 2010 (9 months ago!)
+ \item Implementing a GSM baseband software from scratch
+ \item This includes
+ \begin{itemize}
+ \item GSM MS-side protocol stack from Layer 1 through Layer 3
+ \item Hardware drivers for GSM Baseband chipset
+ \item Simple User Interface on the phone itself
+ \item Verbose User Interface on the PC
+ \end{itemize}
+ \item Note about the strange project name
+ \begin{itemize}
+ \item Osmocom = Open Source MObile COMmunication
+ \item BB = Base Band
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Software Architecture}
+\begin{itemize}
+ \item Reuse code from OpenBSC where possible (libosmocore)
+ \begin{itemize}
+ \item We build libosmocore both for phone firmware and PC
+ \end{itemize}
+ \item Initially run as little software in the phone
+ \begin{itemize}
+ \item Debugging code on your host PC is so much easier
+ \item You have much more screen real-estate
+ \item Hardware drivers and Layer1 run in the phone
+ \item Layer2, 3 and actual phone application / MMI on PC
+ \item Later, L2 and L3 can me moved to the phone
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Software Interfaces}
+\begin{itemize}
+ \item Interface between Layer1 and Layer2 called L1CTL
+ \begin{itemize}
+ \item Fully custom protocol as there is no standard
+ \item Implemented as message based protocol over Sercomm/HDLC/RS232
+ \end{itemize}
+ \item Interface between Layer2 and Layer3 called RSLms
+ \begin{itemize}
+ \item In the GSM network, Um Layer2 terminates at the BTS but is controlled by the BSC
+ \item Reuse this GSM 08.58 Radio Signalling Link
+ \item Extend it where needed for the MS case
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{OsmocomBB Software}
+
+\begin{frame}{OsmocomBB Target Firmware}
+\begin{itemize}
+ \item Firmware includes software like
+ \begin{itemize}
+ \item Drivers for the Ti Calypso Digital Baseband (DBB)
+ \item Drivers for the Ti Iota TWL3025 Analog Baseband (ABB)
+ \item Drivers for the Ti Rita TRF6151 RF Transceiver
+ \item Drivers for the LCD/LCM of a number of phones
+ \item CFI flash driver for NOR flash
+ \item GSM Layer1 synchronous/asynchronous part
+ \item Sercomm - A HDLC based multiplexer for the RS232 to host PC
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Host Software}
+\begin{itemize}
+ \item Current working name: layer23
+ \item Includes
+ \begin{itemize}
+ \item Layer 1 Control (L1CTL) protocol API
+ \item GSM Layer2 implementation (LAPDm)
+ \item GSM Layer3 implementation (RR/MM/CC)
+ \item GSM Cell (re)selection
+ \item SIM Card emulation
+ \item Supports various 'apps' depending on purpose
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{OsmocomBB Hardware Support}
+
+\begin{frame}{OsmocomBB Supported Hardware}
+\begin{itemize}
+ \item Baseband Chipsets
+ \begin{itemize}
+ \item TI Calypso/Iota/Rita
+ \item Some early research being done on Mediatek (MTK) MT622x
+ \end{itemize}
+ \item Actual Phones
+ \begin{itemize}
+ \item Compal/Motorola C11x, C12x, C13x, C14x and C15x models
+ \item Most development/testing on C123 and C155
+ \item GSM modem part of Openmoko Neo1973 and Freerunner
+ \end{itemize}
+ \item All those phones are simple feature phones built on a ARM7TDMI based DBB
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The Motorola/Compal C123}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=100mm]{c123_pcb.jpg}
+ \end{figure}
+\end{frame}
+
+
+\subsection{OsmocomBB Project Status}
+
+\begin{frame}{OsmocomBB Project Status: Working}
+\begin{itemize}
+ \item Hardware Drivers for Calypso/Iota/Rita very complete
+ \item Drivers for Audio/Voice signal path
+ \item Layer1
+ \begin{itemize}
+ \item Power measurements
+ \item
Carrier/bit/TDMA synchronization
+ \item Receive and transmit of normal bursts on SDCCH
+ \item Transmit of RACH bursts
+ \item Automatic Rx gain control (AGC)
+ \item Frequency Hopping
+ \end{itemize}
+ \item Layer2 UI/SABM/UA frames and ABM mode
+ \item Layer3 Messages for RR / MM / CC
+ \item Cell (re)selection according GSM 03.22
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Project Status: Working (2/2)}
+OsmocomBB can now do GSM Voice calls (since 08/2010)
+\begin{itemize}
+ \item Very Early Assignment + Late Assignment
+ \item A3/A8 Authentication of SIM
+ \item A5/1 + A5/2 Encryption
+ \item Full Rate (FR) and Enhanced Full Rate (EFR) codec
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Project Status: Not working}
+\begin{itemize}
+ \item Layer1
+ \begin{itemize}
+ \item Automatic Tx power control (APC)
+ \item Neighbor Cell Measurements (WIP)
+ \item In-call hand-over to other cells (WIP)
+ \end{itemize}
+ \item Actual UI on the phone
+ \item Circuit Switched Data (CSD) calls
+ \item GPRS (packet data)
+ \item No Type Approval for the stack!
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Project Status: Executive Summary}
+\begin{itemize}
+ \item We can establish control/signalling channels to both hopping and non-hopping GSM cells
+ \begin{itemize}
+ \item Control over synthesizer means we can even go to GSM-R band
+ \end{itemize}
+ \item We can send arbitrary data on those control channels
+ \begin{itemize}
+ \item RR messages to BSC
+ \item MM/CC messages to MSC
+ \item SMS messages to MSC/SMSC
+ \end{itemize}
+ \item TCH (Traffic Channel) support for voice calls
+ \begin{itemize}
+ \item Has been used on real networks for 30+ minute calls!
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB use cases}
+OsmocomBB can be used today for
+\begin{itemize}
+ \item practical lab exercises in education on any level of GSM,
+from the radio modem through the protocol stack
+ \item applied research in GSM protocols and GSM security
+ \item penetration testing of GSM operator equipment
+ \item measurement and exploration of real operator networks
+\end{itemize}
+With (your?) help, we can turn it into an actual mobile phone for
+regular users, i.e. bringing the freedom of Free Software into one of
+the most closed areas of computing.
+\end{frame}
diff --git a/2011/gsm-ensa2011/section-wireshark.tex b/2011/gsm-ensa2011/section-wireshark.tex
new file mode 100644
index 0000000..a3ee9c6
--- /dev/null
+++ b/2011/gsm-ensa2011/section-wireshark.tex
@@ -0,0 +1,35 @@
+\subsection{wireshark Protocol Analyzer}
+
+\begin{frame}{The wireshark protocol analyzer}
+\begin{itemize}
+ \item Software protocol analyzer for plethora of protocols
+ \item Portable, works on most flavors of Unix and Windows
+ \item Decode, display, search and filter packets with configurable level of detail
+ \item Over 1000 protocol decoders
+ \item Over 86000 display filters
+ \item Live capturing from many different network media
+ \item Import files from other capture programs
+ \item Used to be called ethereal, but is now called wireshark
+\item \url{http://www.wireshark.org/}
+\item \url{http://www.wireshark.org/download/docs/user-guide-a4.pdf}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The wireshark protocol analyzer}
+GSM protocol dissectors in wireshark
+\begin{itemize}
+ \item TCP/IP (transport layer for Abis/IP)
+ \item E1 Layer 2 (LAPD)
+ \item GSM Um Layer 2 (LAPDm)
+ \item GSM Layer 3 (RR, MM, CC)
+ \item A-bis Layer 3 (RSL)
+ \begin{itemize}
+ \item A-bis OML for Siemens and ip.access in OpenBSC git
+ \end{itemize}
+ \item GSMTAP pseudo-header (airprobe, OpenBTS, OsmocomBB)
+\end{itemize}
+\end{frame}
+
+%\begin{frame}{The wireshark protocol analyzer}
+% Demonstration
+%\end{frame}
diff --git a/2011/tetra-camp2011/500px-Pi-by-4-QPSK_Gray_Coded.png b/2011/tetra-camp2011/500px-Pi-by-4-QPSK_Gray_Coded.png
new file mode 100644
index 0000000..7fb80c8
Binary files /dev/null and b/2011/tetra-camp2011/500px-Pi-by-4-QPSK_Gray_Coded.png differ
diff --git a/2011/tetra-camp2011/osmocom-tetra.tex b/2011/tetra-camp2011/osmocom-tetra.tex
new file mode 100644
index 0000000..0bef072
--- /dev/null
+++ b/2011/tetra-camp2011/osmocom-tetra.tex
@@ -0,0 +1,637 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+ \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{OsmocomTETRA}
+
+\subtitle
+{Applied research on TETRA security}
+
+\author{Harald Welte}
+
+\institute
+{gnumonks.org\\gpl-violations.org\\OpenBSC\\OsmocomBB\\hmw-consulting.de}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[CCC Camp 2011] % (optional, should be abbreviation of conference name)
+{CCCamp2011, August 2011, Berlin/Germany}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Communications Security}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents[hideallsubsections]
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+ \item Using + playing with Linux since 1994
+ \item Kernel / bootloader / driver / firmware development since 1999
+ \item IT security expert, focus on network protocol security
+ \item Core developer of Linux packet filter netfilter/iptables
+ \item Board-level Electrical Engineering
+ \item Always looking for interesting protocols (RFID, DECT, GSM)
+\end{itemize}
+\end{frame}
+
+\section{TETRA Introduction}
+
+\subsection{What is TETRA?}
+
+\begin{frame}{Introducing TETRA}
+TErrestrial Trunked RAdio
+\begin{itemize}
+ \item Digital PMR (Professional Mobile Radio) standard
+ \item Standardization Body ETSI started work in 1990
+ \item First specified in 1995, endorsed by EU Radiocomms Committee
+ \item Commercial Vendors: Motorola, EADS/Nokia, Arteva/Simoco/Pye/Philips, Rohde \& Schwarz
+ \item Chinese vendors are expected to appear on the market soon
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA vs GSM}
+\begin{itemize}
+ \item Longer range due to lower frequency (but not vs. GSM 410/450!)
+ \item Higher spectral efficiency (4 speech channels in 25kHz vs. 16 speech channels in 270kHz)
+ \item Specified to work at speeds above 400 km/h
+ \item one-to-one, one-to-many and many-to-many (but: GSM-R ASCI)
+ \item offers direct mode between handsets in case base station is out of range
+ \item separate infrastructure from public networks (but: GSM-R)
+ \item de-central fall-back, i.e.
base stations switching local calls
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA vs GSM}
+Summary
+\begin{itemize}
+ \item Most of the TETRA advantages could be achieved using GSM-R in a lower frequency band
+ \item Local call switching can be implemented in GSM (think of OpenBSC)
+ \item GSM requires modifications on the air interface for direct mode, but even in TETRA, direct mode is {\em very} different from trunked mode
+\end{itemize}
+It seems, the industry rather re-invented an entirely different system to ensure
+the resulting equipment can be sold at multiples of the commercial-grade GSM
+equipment.
+\end{frame}
+
+
+\subsection{Where is TETRA deployed?}
+
+\begin{frame}{TETRA deployments}
+\begin{itemize}
+ \item In 2009, TETRA was deployed in 114 countries (every continent except North America)
+ \item Typical users: Police, Transportation, Army, Fire Service, Ambulance, Customs, Coast Guard
+ \item But also: Private company networks (industrial plants)
+ \item In Germany there are 63 registered networks (only 5 are BOS)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA deployments}
+\begin{itemize}
+ \item Follow TETRA Newsletter released by TETRA MoU organization
+ \item Majority of recent deployments seems to be in Asia, specifically China.
+ \item Examples typically include police, public transportation, airports, harbours, industrial plants
+\end{itemize}
+\end{frame}
+
+\section{TETRA Technical Intro}
+
+\subsection{TETRA Air Interface}
+
+\begin{frame}{TETRA Frequencies}
+\begin{itemize}
+ \item European Emergency Services
+ \begin{itemize}
+ \item 380-383 MHz and 390-393 MHz
+ \item 383-385 MHz and 393-395 MHz (optional)
+ \end{itemize}
+ \item European Private/Commercial Systems
+ \begin{itemize}
+ \item 410-430 MHz
+ \item 450-470 MHz
+ \end{itemize}
+ \item Other Countries
+ \begin{itemize}
+ \item Depending on local regulatory requirements
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Frequency plan}
+\begin{itemize}
+ \item Single TETRA carrier normally 25kHz wide, no guard bands
+ \item Channel grid can align on 6.25, 12.5 and 25kHz offset
+ \item This allows seamless migration / co-existence with analog FM PMR in same band
+ \item Uplink/Downlink spacing can depend on band, typically 10MHz
+ \item Advanced TETRA-2 modes can operate at 50, 75 or 100kHz bandwidth
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Modulation}
+\begin{itemize}
+ \item pi/4 DQPSK (Differential Quaternary Phase Shift Keying)
+ \item 2 bits per symbol
+ \item Phase {\em difference} encodes information
+ \item 8 phase constellations, 4 possible transitions
+ \item Requires very linear amplifier as it is not constant envelope
+ \item Used within TETRA at 36 kbits/sec (18 kSymbols/sec)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Modulation}{pi/4 DQPSK (8 constellations, 4 transitions)}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=55mm]{500px-Pi-by-4-QPSK_Gray_Coded.png}
+\end{figure}
+Source: Wikipedia / User:Splash
+\end{frame}
+
+\begin{frame}{TETRA TDMA Frame structure}
+\begin{itemize}
+ \item Each time-slot contains 510 bits (GSM: 156)
+ \item TDMA frame with 4 time-slots (GSM: 8)
+ \item Duration of TDMA frame: 56.67 ms (GSM: 4.6 ms)
+ \item Multiframe: 18 TDMA frames
(GSM: 26/51)
+ \item Hyperframe: 60 Multiframes (GSM: 2715648)
+\end{itemize}
+\end{frame}
+
+\subsection{TETRA Protocol Stack}
+
+\begin{frame}{TETRA Protocol Stack}
+\begin{itemize}
+ \item The TETRA protocol stack is more complex than GSM
+ \item Shared Stacking: PHY/lowerMAC/upperMAC/LLC
+ \item Above LLC there is MLE (resembles GSM RR), on top:
+ \begin{itemize}
+ \item MM (Mobility Management)
+ \item CMCE (Circuit Mode Control Entity)
+ \item CONS (Connection Oriented Service)
+ \item CNLS (Connectionless Service)
+ \end{itemize}
+ \item Call Control, Supplementary services on top of CMCE
+ \item Packet data on top of CNLS and CONS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Protocol Stack}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=80mm]{tetra_mac_llc.png}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{TETRA Protocol Stack}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=80mm]{tetra_protocol_stack.png}
+\end{figure}
+\end{frame}
+
+\subsection{TETRA Security}
+
+\begin{frame}{TETRA Security}
+\begin{itemize}
+ \item Once again all security features optional, like in GSM
+ \item Security features include
+ \begin{itemize}
+ \item Authentication
+ \item Air interface encryption
+ \item End-to-End encryption
+ \item Over-the-air re-keying (OTAR)
+ \item Remote locking of stolen devices
+ \end{itemize}
+ \item Not all handsets support all features
+ \item Key material can be stored in handset flash or in SIM
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Authentication}
+\begin{itemize}
+ \item Authentication messages part of Mobility Management (MM)
+ \item Based on secret User Authentication Key (UAK) in SIM, generating Authentication key K by use of Algorithms TB1, TB2 or TB3
+ \item Supports three modes
+ \begin{itemize}
+ \item Authentication of user by infrastructure (TA11, TA12)
+ \item Authentication of infrastructure by user (TA21, TA22)
+ \item Mutual authentication (four-pass, TA11, TA12, TA21, TA22)
+ \end{itemize}
+
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Authentication}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=60mm]{tetra_mutual_auth.png}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{TETRA Air Interface Encryption}
+\begin{itemize}
+ \item Like GSM: Encrypts only the air interface, not the core network
+ \item Unlike GSM: Not between L1 and L0 but inside the upper MAC layer
+ \begin{itemize}
+ \item Thus, no idle frames with known plaintext
+ \item Thus, no redundant information due to FEC before crypto
+ \end{itemize}
+ \item Encryption happens with different keys (SCK, DCK, CCK, GCK, MGCK)
+ \item IV is concatenation of hyperframe, multiframe, frame and slot number
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{TETRA Air Interface Encryption}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=100mm]{tetra_encryption.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{TETRA Encryption Keys}
+\begin{itemize}
+ \item SCK (Static Cipher Key)
+ \begin{itemize}
+ \item pre-shared key, used in networks without authentication
+ \item up to 32 possible keys, selected by SYSINFO.
+ \end{itemize}
+ \item DCK (Derived Cipher Key)
+ \begin{itemize}
+ \item Generated by authentication procedure (like GSM A3/A8)
+ \item different for each user
+ \end{itemize}
+ \item CCK (Common Cipher Key)
+ \begin{itemize}
+ \item Generated by infrastructure and distributed to MS through DCK-encrypted connection using OTAR
+ \item Used for group calls within one location area
+ \end{itemize}
+ \item GCK (Group Cipher Key)
+ \begin{itemize}
+ \item Generated by infrastructure and distributed to MS through DCK-encrypted connection using OTAR
+ \item Used for specific protected groups
+ \end{itemize}
+ \item MGCK (Modified GCK)
+ \begin{itemize}
+ \item GCK modified by CCK
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Encryption Algorithms}
+There are 4 specified TETRA Encryption Algorithms (TEA):
+\begin{description}[TEA4]
+ \item[TEA1] generally available, original algorithm, relaxed export
+ \item[TEA2] for public safety users in Schengen + EU countries
+ \item[TEA3] for public safety users elsewhere
+ \item[TEA4] generally available, reflects relaxed 1998 Wassenaar arrangement
+\end{description}
+It is assumed that at least original ciphers are 80-bit stream ciphers.
+None of them have ever leaked publicly!
+\end{frame}
+
+\begin{frame}{TETRA Air Interface Encryption}{Keys and Algorithms}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=75mm]{tetra_keys_algos.png}
+\end{figure}
+\end{frame}
+
+\subsection{TETRA Security Conclusions}
+
+\begin{frame}{Is it really secure?}
+Given all those security features, is TETRA really secure?
+\begin{itemize}
+ \item much better than GSM
+ \item however, all security again optional
+ \item security of a given network depends on its configuration
+ \item reality is sad: Government networks secure, private networks insecure
+ \item vendors to blame
+ \begin{itemize}
+ \item 200 EUR cost increase in handset for crypto
+ \item authentication center in core network very expensive
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Case Study: tetra-hamburg.de}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=50mm]{tetra_hh_secure.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Case Study: tetra-hamburg.de}
+\begin{itemize}
+ \item public tetra network available for paying users (like cellular carrier)
+ \item by DFP TETRA Hamburg Ges. fuer Digitalfunk mbH
+ \item website claims it is secure against eavesdropping {\em because it is digital}
+ \item the network does not use any form of TEA encryption
+ \item all signalling, voice, SDS and packet data transferred in plaintext
+ \item digital radio receiver + protocol decoder sufficient for eavesdropping
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Case Study: BVG - Berlin subway}
+\begin{itemize}
+ \item private TETRA network for Berlin subway system (BVG)
+ \item incompatible with bus and tram radio (TETRAPOL) of BVG
+ \item almost no publicly available information, except some 2 press releases when they made big equipment purchasing deals
+ \item the network does not use any form of TEA encryption
+ \item all signalling and voice data transferred in plaintext
+ \item digital radio receiver + protocol decoder sufficient for eavesdropping
+\end{itemize}
+\end{frame}
+
+\section{TETRA Data Services}
+
+\subsection{Short Data Service}
+\begin{frame}{SDS - Short Data Service}
+\begin{itemize}
+ \item SDS can be compared with GSM/UMTS SMS
+ \item short messages of up to 140 bytes length
+ \item everything like GSM, but not 100\% identical
+\end{itemize}
+\end{frame}
+
+\subsection{Packet Data
Service} +\begin{frame}{TETRA SNDCP - Packet Data} +\begin{itemize} + \item SNDCP (Sub-Network Dependent Convergence Protocol) + \item facilitates packet switched services like IPv4 over TETRA + \item leverages the GPRS network architecture and protocols + \item PDP Context to APN (like GPRS) + \item very slow unless both base station and handset support QAM modulation +\end{itemize} +\end{frame} + + +\section{Osmocom TETRA} + +\begin{frame}{Osmocom TETRA Demodulator} +\begin{figure}[h] + \centering + \includegraphics[width=90mm]{osmocom_tetra.png} +\end{figure} +\end{frame} + +\subsection{Demodulator} + +\begin{frame}{Osmocom TETRA Demodulator} +\begin{itemize} + \item 1:1 code re-use from APCO-25 Software receiver project + \item Hierarchical block fully based on gnuradio blocks + \begin{itemize} + \item Root-raised cosine filter + \item M-PSK receiver block + \item Costas Loop for carrier tracking + \item Muller\&Muller synchronizer + \item output: Float value between -3 and 3 in units of pi/4 + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{Lower MAC and PHY} + +\begin{frame}{Osmocom TETRA PHY} +The burst synchronizer ({\tt tetra\_burst\_sync.c}) +\begin{itemize} + \item First acquires the Sync Burst training sequence by correlation + \item Later locks on Normal Burst (NB) training sequences + \item Splits actual payload sections out of training sequences, +\end{itemize} +The burst generator ({\tt tetra\_burst.c}) +\begin{itemize} + \item puts together various bursts such as NB, SB and others + \item calculates phase alignment bits + \item used to test receiver code +\end{itemize} +\end{frame} + +\begin{frame}{Osmocom TETRA lower MAC}{Receive Side} +\begin{itemize} + \item Receives bursts from PHY layer + \item Applies the following operations depending on burst type + \begin{itemize} + \item De-scrambling + \item De-Interleaving + \item De-Puncturing (RCPC code) + \item Viterbi decoder (RCPC code) + \item Compute + Verify CRC-16 + \end{itemize} + 
\item Recover TETRA Time (frame number) from SYNC burst + \item Hands decoded payload data to upper MAC +\end{itemize} +\end{frame} + +\begin{frame}{Osmocom TETRA lower MAC}{Transmit Side} +\begin{itemize} + \item Receives payload from upper MAC + \item Applies the following operations depending on burst type + \begin{itemize} + \item Append tail bits + \item Compute CRC-16 + \item Convolutional encoder (RCPC code) + \item Puncturing (RCPC code) + \item Interleaving + \item Scrambling + \end{itemize} + \item Hands decoded payload data to PHY +\end{itemize} +Tx is currently only used in testing the Rx code +\end{frame} + +\begin{frame}{Osmocom TETRA upper MAC} +\begin{itemize} + \item Rx-only + \item Not a complete implementation, just to decode SYSINFO, ACCESS-ASSIGN and (more and more) other bits. + \item Mainly a proof-of-concept to ensure PHY and lower MAC work +\end{itemize} +\end{frame} + +\begin{frame}{Osmocom TETRA LLC} +\begin{itemize} + \item Rx-only + \item gathers and de-fragments LLC fragments of MAC PDUs + \item offers them to higher layer protocols like MM, CMCE, SNDCP + \item Mainly a proof-of-concept implementation, nothing fancy +\end{itemize} +\end{frame} + +\begin{frame}{Osmocom TETRA speech frame export} +\begin{itemize} + \item Not in the public git repository yet + \item simply identifies and dumps speech frames to a file + \item data still needs to be de-compressed + \item luckily, ETSI specs come with C reference code for the +speech codec, so we can generate raw PCM files that we can play back +\end{itemize} +\end{frame} + +\subsection{wireshark integration} + +\begin{frame}{Osmocom TETRA via GSMTAP} +\begin{itemize} + \item The GSMTAP pseudo-header has been extended for TETRA + \item Change is backward-compatible with existing GSMTAP + \item current version of libosmocore supports extended GSMTAP + \item OsmocomTETRA {\tt tetra-rx} contains GSMTAP output support +\end{itemize} +\end{frame} + +\begin{frame}{wireshark TETRA integration} 
+\begin{itemize} + \item TETRA messages are unaligned bit-fields, full of variable-length and optional parts + \item Writing manual decoding/encoding routines is tiresome and error-prone + \item Beijing Institute of Technology has developed wireshark dissectors based on describing TETRA messages as ASN.1 PER (described in IEEE paper) + \item We contacted them and they were willing to release their code under GNU GPL + \item Zecke has extended it with GSMTAP support it has been included in wireshark mainline +\end{itemize} +\end{frame} + +\subsection{TETRA transmit code} + +\begin{frame}{Transmitting TETRA} +\begin{itemize} + \item The lower MAC and PHY code exists and is proven + \item OP25 project contains modulator for pi/4 DQPSK + \item Combining the two should render simplistic TETRA transmitter + \item Sending continuous sequence of BSCH in SB and BNCH in NB comprises valid beacon and should allow handsets to lock on the signal + \item So far no time to experiment with it + \item Could be first step in SDR TETRA Base Station +\end{itemize} +\end{frame} + +\begin{frame}{Thanks} +Thanks to +\begin{itemize} + \item Dieter Spaar for discovering the APCO25 demodulator and his work on speech decoding + \item Sylvain Munaut for implementing our own Viterbi decoder + \item Holger Freyther for his work on CRC, Shortened Reed-Muller and wireshark + \item horiz0n for providing sample captures of TETRA radio traffic +\end{itemize} +\end{frame} + + +\begin{frame}{Further Reading} +\begin{itemize} + \item \url{http://tetra.osmocm.org/} + \item \url{http://www.tetramou.com/} + \item \url{http://www.etsi.org/website/Technologies/TETRA.aspx} + \item \url{http://www.tetramou.com/uploadedFiles/About\_TETRA/TETRA\%20Security\%20pdf.pdf} + \item \url{http://www.tetrawatch.net/} + \item {\em Digital Mobile Communications and the TETRA System} by John Dunlop, Demessie Girma, James Irvine - Wiley +\end{itemize} +\end{frame} + + +\end{document} 
diff --git a/2011/tetra-camp2011/osmocom_tetra.png b/2011/tetra-camp2011/osmocom_tetra.png new file mode 100644 index 0000000..918dee5 Binary files /dev/null and b/2011/tetra-camp2011/osmocom_tetra.png differ diff --git a/2011/tetra-eh2011/500px-Pi-by-4-QPSK_Gray_Coded.png b/2011/tetra-eh2011/500px-Pi-by-4-QPSK_Gray_Coded.png new file mode 100644 index 0000000..7fb80c8 Binary files /dev/null and b/2011/tetra-eh2011/500px-Pi-by-4-QPSK_Gray_Coded.png differ diff --git a/2011/tetra-eh2011/osmocom-tetra.pdf b/2011/tetra-eh2011/osmocom-tetra.pdf new file mode 100644 index 0000000..927cc61 Binary files /dev/null and b/2011/tetra-eh2011/osmocom-tetra.pdf differ diff --git a/2011/tetra-eh2011/osmocom-tetra.snm b/2011/tetra-eh2011/osmocom-tetra.snm new file mode 100644 index 0000000..e69de29 diff --git a/2011/tetra-eh2011/osmocom-tetra.tex b/2011/tetra-eh2011/osmocom-tetra.tex new file mode 100644 index 0000000..9ad0650 --- /dev/null +++ b/2011/tetra-eh2011/osmocom-tetra.tex 
@@ -0,0 +1,607 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% + \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{OsmocomTETRA} + +\subtitle +{Researching TETRA and its security} + +\author{Harald Welte} + +\institute +{gnumonks.org\\gpl-violations.org\\OpenBSC\\OsmocomBB\\hmw-consulting.de} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[easterhegg 2011] % (optional, should be abbreviation of conference name) +{EH2011, April 2011, Hamburg/Germany} +% - Either use conference name or its abbreviation. 
+% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Communications Security} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About the speaker} +\begin{itemize} + \item Using + playing with Linux since 1994 + \item Kernel / bootloader / driver / firmware development since 1999 + \item IT security expert, focus on network protocol security + \item Core developer of Linux packet filter netfilter/iptables + \item Board-level Electrical Engineering + \item Always looking for interesting protocols (RFID, DECT, GSM) +\end{itemize} +\end{frame} + +\section{TETRA Introduction} + +\subsection{What is TETRA?} + +\begin{frame}{Introducing TETRA} +TErrestrial Trunked RAdio +\begin{itemize} + \item Digital PMR (Professional Mobile Radio) standard + \item Standardization Body ETSI started work in 1990 + \item First specified in 1995, endorsed by EU Radiocomms Committee + \item Commercial Vendors: Motorola, EADS/Nokia, Arteva/Simoco/Pye/Philips, Rohde \& Schwarz + \item Chinese vendors are expected to appear on the market soon +\end{itemize} +\end{frame} + +\begin{frame}{TETRA vs GSM} +\begin{itemize} + \item Longer range due to lower frequency (but not vs. GSM 410/450!) + \item Higher spectral efficiency (4 speech channels in 25kHz vs. 16 speech channels in 270kHz) + \item Specified to work at speeds above 400 km/h + \item one-to-one, one-to-many and many-to-many (but: GSM-R ASCI) + \item offers direct mode between handsets in case base station is out of range + \item separate infrastructure from public networks (but: GSM-R) + \item de-central fall-back, i.e. 
base stations switching local calls +\end{itemize} +\end{frame} + +\begin{frame}{TETRA vs GSM} +Summary +\begin{itemize} + \item Most of the TETRA advantages could be achieved using GSM-R in a lower frequency band + \item Local call switching can be implemented in GSM (think of OpenBSC) + \item GSM requires modifications on the air interface for direct mode, but even in TETRA, direct mode is {\em very} different from trunked mode +\end{itemize} +It seems, the industry rather re-invented an entirely different system to ensure +the resulting equipment can be sold at multiples of the commercial-grade GSM +equipment. +\end{frame} + + +\subsection{Where is TETRA deployed?} + +\begin{frame}{TETRA deployments} +\begin{itemize} + \item In 2009, TETRA was deployed in 114 countries (every continent except North America) + \item Typical users: Police, Transportation, Army, Fire Service, Ambulance, Customs, Coast Guard + \item But also: Private company networks (industrial plants) + \item In Germany there are 63 registered networks (only 5 are BOS) +\end{itemize} +\end{frame} + +\begin{frame}{TETRA deployments} +\begin{itemize} + \item Follow TETRA Newsletter released by TETRA MoU organization + \item Majority of recent deployments seems to be in Asia, specifically China. 
+ \item Examples typically include police, public transportation, airports, harbours, industrial plants +\end{itemize} +\end{frame} + +\section{TETRA Technical Intro} + +\subsection{TETRA Air Interface} + +\begin{frame}{TETRA Frequencies} +\begin{itemize} + \item European Emergency Services + \begin{itemize} + \item 380-383 MHz and 390-393 MHz + \item 383-385 MHz and 393-395 MHz (optional) + \end{itemize} + \item European Private/Commercial Systems + \begin{itemize} + \item 410-430 MHz + \item 450-470 MHz + \end{itemize} + \item Other Countries + \begin{itemize} + \item Depending on local regulatory requirements + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{TETRA Frequency plan} +\begin{itemize} + \item Single TETRA carrier normally 25kHz wide, no guard bands + \item Channel grid can align on 6.25, 12.5 and 25kHz offset + \item This allows seamless migration / co-existence with analog FM PMR in same band + \item Uplink/Downlink spacing can depend on band, typically 10MHz + \item Advanced TETRA-2 modes can operate at 50, 75 or 100kHz bandwidth +\end{itemize} +\end{frame} + +\begin{frame}{TETRA Modulation} +\begin{itemize} + \item pi/4 DQPSK (Differential Quaternary Phase Shift Keying) + \item 2 bits per symbol + \item Phase {\em difference} encodes information + \item 8 phase constellations, 4 possible transitions + \item Requires very linear amplifier as it is not constant envelope + \item Used within TETRA at 36 kbits/sec (18 kSymbols/sec) +\end{itemize} +\end{frame} + +\begin{frame}{TETRA Modulation}{pi/4 DQPSK (8 constellations, 4 transitions)} +\begin{figure}[h] + \centering + \includegraphics[width=55mm]{500px-Pi-by-4-QPSK_Gray_Coded.png} +\end{figure} +Source: Wikipedia / User:Splash +\end{frame} + +\begin{frame}{TETRA TDMA Frame structure} +\begin{itemize} + \item Each time-slot contains 510 bits (GSM: 156) + \item TDMA frame with 4 time-slots (GSM: 8) + \item Duration of TDMA frame: 56.67 ms (GSM: FIXME) + \item Multiframe: 18 TDMA frames 
(GSM: 26/51) + \item Hyperframe: 60 Multiframes (GSM: FIXME) +\end{itemize} +\end{frame} + +\subsection{TETRA Protocol Stack} + +\begin{frame}{TETRA Protocol Stack} +\begin{itemize} + \item The TETRA protocol stack is more complex than GSM + \item Shared Stacking: PHY/lowerMAC/upperMAC/LLC + \item Above LLC there is MLE (resembles GSM RR), on top: + \begin{itemize} + \item MM (Mobility Management) + \item CMCE (Circuit Mode Control Entity) + \item CONS (Connection Oriented Service) + \item CNLS (Connectionless Service) + \end{itemize} + \item Call Control, Supplementary services on top of CMCE + \item Packet data on top of CNLS and CONS +\end{itemize} +\end{frame} + +\begin{frame}{TETRA Protocol Stack} +\begin{figure}[h] + \centering + \includegraphics[width=80mm]{tetra_mac_llc.png} +\end{figure} +\end{frame} + + +\begin{frame}{TETRA Protocol Stack} +\begin{figure}[h] + \centering + \includegraphics[width=80mm]{tetra_protocol_stack.png} +\end{figure} +\end{frame} + +\subsection{TETRA Security} + +\begin{frame}{TETRA Security} +\begin{itemize} + \item Once again all security features optional, like in GSM + \item Security features include + \begin{itemize} + \item Authentication + \item Air interface encryption + \item End-to-End encryption + \item Over-the-air re-keying (OTAR) + \item Remote locking of stolen devices + \end{itemize} + \item Not all handsets support all features + \item Key material can be stored in handset flash or in SIM +\end{itemize} +\end{frame} + +\begin{frame}{TETRA Authentication} +\begin{itemize} + \item Authentication messages part of Mobility Management (MM) + \item Based on secret User Authentication Key (UAK) in SIM, generating Authentication key K by use of Algorithms TB1, TB2 or TB3 + \item Supports three modes + \begin{itemize} + \item Authentication of user by infrastructure (TA11, TA12) + \item Authentication of infrastructure by user (TA21, TA22) + \item Mutual authentication (four-pass, TA11, TA12, TA21, TA22) + \end{itemize} + 
+\end{itemize} +\end{frame} + +\begin{frame}{TETRA Authentication} +\begin{figure}[h] + \centering + \includegraphics[width=60mm]{tetra_mutual_auth.png} +\end{figure} +\end{frame} + + +\begin{frame}{TETRA Air Interface Encryption} +\begin{itemize} + \item Like GSM: Encrypts only the air interface, not the core network + \item Unlike GSM: Not between L1 and L0 but inside the upper MAC layer + \begin{itemize} + \item Thus, no idle frames with known plaintext + \item Thus, no redundant information due to FEC before crypto + \end{itemize} + \item Encryption happens with different keys (SCK, DCK, CCK, GCK, MGCK) + \item IV is concatenation of hyperframe, multiframe, frame and slot number +\end{itemize} +\end{frame} + + +\begin{frame}{TETRA Air Interface Encryption} +\begin{figure}[h] + \centering + \includegraphics[width=100mm]{tetra_encryption.png} +\end{figure} +\end{frame} + +\begin{frame}{TETRA Encryption Keys} +\begin{itemize} + \item SCK (Static Cipher Key) + \begin{itemize} + \item pre-shared key, used in networks without authentication + \item up to 32 possible keys, selected by SYSINFO. 
+ \end{itemize} + \item DCK (Derived Cipher Key) + \begin{itemize} + \item Generated by authentication procedure (like GSM A3/A8) + \item different for each user + \end{itemize} + \item CCK (Common Cipher Key) + \begin{itemize} + \item Generated by infrastructure and distributed to MS through DCK-encrypted connection using OTAR + \item Used for group calls within one location area + \end{itemize} + \item GCK (Group Cipher Key) + \begin{itemize} + \item Generated by infrastructure and distributed to MS through DCK-encrypted connection using OTAR + \item Used for specific protected groups + \end{itemize} + \item MGCK (Modified GCK) + \begin{itemize} + \item GCK modified by CCK + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{TETRA Encryption Algorithms} +There are 4 specified TETRA Encryption Algorithms (TEA): +\begin{description}[TEA4] + \item[TEA1] generally available, original algorithm, relaxed export + \item[TEA2] for public safety users in Schengen + EU countries + \item[TEA3] for public safety users elsewhere + \item[TEA4] generally available, reflects relaxed 1998 Wassenaar arrangement +\end{description} +It is assumed that at least original ciphers are 80-bit stream ciphers. +None of them have ever leaked publicly! +\end{frame} + +\begin{frame}{TETRA Air Interface Encryption}{Keys and Algorithms} +\begin{figure}[h] + \centering + \includegraphics[width=75mm]{tetra_keys_algos.png} +\end{figure} +\end{frame} + +\subsection{TETRA Security Conclusions} + +\begin{frame}{Is it really secure?} +Given all those security features, is TETRA really secure? 
+\begin{itemize} + \item much better than GSM + \item however, all security again optional + \item security of a given network depends on its configuration + \item reality is sad: Government networks secure, private networks insecure + \item vendors to blame + \begin{itemize} + \item 200 EUR cost increase in handset for crypto + \item authentication center in core network very expensive + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Case Study: tetra-hamburg.de} +\begin{figure}[h] + \centering + \includegraphics[width=50mm]{tetra_hh_secure.png} +\end{figure} +\end{frame} + +\begin{frame}{Case Study: tetra-hamburg.de} +\begin{itemize} + \item public tetra network available for paying users (like cellular carrier) + \item by DFP TETRA Hamburg Ges. fuer Digitalfunk mbH + \item website claims it is secure against eavesdropping {\em because it is digital} + \item the network does not use any form ef TEA encryption + \item all signalling, voice, SDS and packet data transferred in plaintext + \item digital radio receiver + protocol decoder sufficient for eavesdropping +\end{itemize} +\end{frame} + +\section{TETRA Data Services} + +\subsection{Short Data Service} +\begin{frame}{SDS - Short Data Service} +\begin{itemize} + \item SDS can be compared with GSM/UMTS SMS + \item short messages of up to 140 bytes length + \item everything like GSM, but not 100\% identical +\end{itemize} +\end{frame} + +\subsection{Packet Data Service} +\begin{frame}{TETRA SNDCP - Packte Data} +\begin{itemize} + \item SNDCP (Sub-Network Dependent Convergence Protocol) + \item facilitates packet switched services like IPv4 over TETRA + \item leverages the GPRS network architecture and protocols + \item PDP Context to APN (like GPRS) + \item very slow unless both base station and handset support QAM modulation +\end{itemize} +\end{frame} + + +\section{Osmocom TETRA} + +\begin{frame}{Osmocom TETRA Demodulator} +\begin{figure}[h] + \centering + 
\includegraphics[width=90mm]{osmocom_tetra.png} +\end{figure} +\end{frame} + +\subsection{Demodulator} + +\begin{frame}{Osmocom TETRA Demodulator} +\begin{itemize} + \item 1:1 code re-use from APCO-25 Software receiver project + \item Hierarchical block fully based on gnuradio blocks + \begin{itemize} + \item Root-raised cosine filter + \item M-PSK receiver block + \item Costas Loop for carrier tracking + \item Muller\&Muller synchronizer + \item output: Float value between -3 and 3 in units of pi/4 + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{Lower MAC and PHY} + +\begin{frame}{Osmocom TETRA PHY} +The burst synchronizer ({\tt tetra\_burst\_sync.c}) +\begin{itemize} + \item First acquires the Sync Burst training sequence by correlation + \item Later locks on Normal Burst (NB) training sequences + \item Splits actual payload sections out of training sequences, +\end{itemize} +The burst generator ({\tt tetra\_burst.c}) +\begin{itemize} + \item puts together various bursts such as NB, SB and others + \item calculates phase alignment bits + \item used to test receiver code +\end{itemize} +\end{frame} + +\begin{frame}{Osmocom TETRA lower MAC}{Receive Side} +\begin{itemize} + \item Receives bursts from PHY layer + \item Applies the following operations depending on burst type + \begin{itemize} + \item De-scrambling + \item De-Interleaving + \item De-Puncturing (RCPC code) + \item Viterbi decoder (RCPC code) + \item Compute + Verify CRC-16 + \end{itemize} + \item Recover TETRA Time (frame number) from SYNC burst + \item Hands decoded payload data to upper MAC +\end{itemize} +\end{frame} + +\begin{frame}{Osmocom TETRA lower MAC}{Transmit Side} +\begin{itemize} + \item Receives payload from upper MAC + \item Applies the following operations depending on burst type + \begin{itemize} + \item Append tail bits + \item Compute CRC-16 + \item Convolutional encoder (RCPC code) + \item Puncturing (RCPC code) + \item Interleaving + \item Scrambling + \end{itemize} + 
\item Hands decoded payload data to PHY +\end{itemize} +Tx is currently only used in testing the Rx code +\end{frame} + +\begin{frame}{Osmocom TETRA upper MAC} +\begin{itemize} + \item Rx-only + \item Not a complete implementation, just to decode SYSINFO, ACCESS-ASSIGN and (more and more) other bits. + \item Mainly a proof-of-concept to ensure PHY and lower MAC work +\end{itemize} +\end{frame} + +\subsection{wireshark integration} + +\begin{frame}{Osmocom TETRA via GSMTAP} +\begin{itemize} + \item The GSMTAP pseudo-header has been extended for TETRA + \item Change is backward-compatible with existing GSMTAP + \item current version of libosmocore supports extended GSMTAP + \item OsmocomTETRA {\tt tetra-rx} contains GSMTAP output support +\end{itemize} +\end{frame} + +\begin{frame}{wireshark TETRA integration} +\begin{itemize} + \item TETRA messages are unaligned bit-fields, full of variable-length and optional parts + \item Writing manual decoding/encoding routines is tiresome and error-prone + \item Beijing Institute of Technology has developed wireshark dissectors based on describing TETRA messages as ASN.1 PER (described in IEEE paper) + \item We contacted them and they were willing to release their code under GNU GPL + \item Zecke has extended it with GSMTAP support it has been included in wireshark mainline +\end{itemize} +\end{frame} + +\subsection{TETRA transmit code} + +\begin{frame}{Transmitting TETRA} +\begin{itemize} + \item The lower MAC and PHY code exists and is proven + \item OP25 project contains modulator for pi/4 DQPSK + \item Combining the two should render simplistic TETRA transmitter + \item Sending continuous sequence of BSCH in SB and BNCH in NB comprises valid beacon and should allow handsets to lock on the signal + \item So far no time to experiment with it + \item Could be first step in SDR TETRA Base Station +\end{itemize} +\end{frame} + +\begin{frame}{Thanks} +Thanks to +\begin{itemize} + \item Dieter Spaar for discovering the APCO25 
demodulator and his work on speech decoding + \item Sylvain Munaut for implementing our own Viterbi decoder + \item Holger Freyther for his work on CRC, Shortened Reed-Muller and wireshark + \item horiz0n for providing sample captures of TETRA radio traffic +\end{itemize} +\end{frame} + + +\begin{frame}{Further Reading} +\begin{itemize} + \item \url{http://tetra.osmocm.org/} + \item \url{http://www.tetramou.com/} + \item \url{http://www.etsi.org/website/Technologies/TETRA.aspx} + \item \url{http://www.tetramou.com/uploadedFiles/About\_TETRA/TETRA\%20Security\%20pdf.pdf} + \item \url{http://www.tetrawatch.net/} + \item {\em Digital Mobile Communications and the TETRA System} by John Dunlop, Demessie Girma, James Irvine - Wiley +\end{itemize} +\end{frame} + + +\end{document} diff --git a/2011/tetra-eh2011/osmocom_tetra.png b/2011/tetra-eh2011/osmocom_tetra.png new file mode 100644 index 0000000..918dee5 Binary files /dev/null and b/2011/tetra-eh2011/osmocom_tetra.png differ diff --git a/2011/tetra-eh2011/tetra_encryption.png b/2011/tetra-eh2011/tetra_encryption.png new file mode 100644 index 0000000..bd50366 Binary files /dev/null and b/2011/tetra-eh2011/tetra_encryption.png differ diff --git a/2011/tetra-eh2011/tetra_hh_secure.png b/2011/tetra-eh2011/tetra_hh_secure.png new file mode 100644 index 0000000..0059e23 Binary files /dev/null and b/2011/tetra-eh2011/tetra_hh_secure.png differ diff --git a/2011/tetra-eh2011/tetra_keys_algos.png b/2011/tetra-eh2011/tetra_keys_algos.png new file mode 100644 index 0000000..9fdd51b Binary files /dev/null and b/2011/tetra-eh2011/tetra_keys_algos.png differ diff --git a/2011/tetra-eh2011/tetra_mac_llc.png b/2011/tetra-eh2011/tetra_mac_llc.png new file mode 100644 index 0000000..cf99a84 Binary files /dev/null and b/2011/tetra-eh2011/tetra_mac_llc.png differ 
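Review bot: Two typos in the new deck will render verbatim into the PDF: `the network does not use any form ef TEA encryption` on the tetra-hamburg.de case-study frame should read `form of`, and the frame title `TETRA SNDCP - Packte Data` should read `Packet Data`; the sibling deck earlier in this commit already spells both correctly. The Further Reading entry `\url{http://tetra.osmocm.org/}` looks like it is missing an `o` in `osmocom` — confirm against the project domain before fixing. The TDMA frame-structure frame still carries two `(GSM: FIXME)` placeholders, which will appear as-is on the slide; either fill in the values or drop the parentheticals.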
diff --git a/2011/tetra-eh2011/tetra_mutual_auth.png b/2011/tetra-eh2011/tetra_mutual_auth.png new file mode 100644 index 0000000..db0e35b Binary files /dev/null and b/2011/tetra-eh2011/tetra_mutual_auth.png differ diff --git a/2011/tetra-eh2011/tetra_protocol_stack.png b/2011/tetra-eh2011/tetra_protocol_stack.png new file mode 100644 index 0000000..2044853 Binary files /dev/null and b/2011/tetra-eh2011/tetra_protocol_stack.png differ diff --git a/2011/tetra-ph2011/500px-Pi-by-4-QPSK_Gray_Coded.png b/2011/tetra-ph2011/500px-Pi-by-4-QPSK_Gray_Coded.png new file mode 100644 index 0000000..7fb80c8 Binary files /dev/null and b/2011/tetra-ph2011/500px-Pi-by-4-QPSK_Gray_Coded.png differ diff --git a/2011/tetra-ph2011/osmocom-tetra.pdf b/2011/tetra-ph2011/osmocom-tetra.pdf new file mode 100644 index 0000000..c079891 Binary files /dev/null and b/2011/tetra-ph2011/osmocom-tetra.pdf differ diff --git a/2011/tetra-ph2011/osmocom-tetra.snm b/2011/tetra-ph2011/osmocom-tetra.snm new file mode 100644 index 0000000..e69de29 diff --git a/2011/tetra-ph2011/osmocom-tetra.tex b/2011/tetra-ph2011/osmocom-tetra.tex new file mode 100644 index 0000000..0bef072 --- /dev/null +++ b/2011/tetra-ph2011/osmocom-tetra.tex 
@@ -0,0 +1,637 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+ \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{OsmocomTETRA}
+
+\subtitle
+{Applied research on TETRA security}
+
+\author{Harald Welte}
+
+\institute
+{gnumonks.org\\gpl-violations.org\\OpenBSC\\OsmocomBB\\hmw-consulting.de}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[CCC Camp 2011] % (optional, should be abbreviation of conference name)
+{CCCamp2011, August 2011, Berlin/Germany}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Communications Security}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents[hideallsubsections]
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+ \item Using + playing with Linux since 1994
+ \item Kernel / bootloader / driver / firmware development since 1999
+ \item IT security expert, focus on network protocol security
+ \item Core developer of Linux packet filter netfilter/iptables
+ \item Board-level Electrical Engineering
+ \item Always looking for interesting protocols (RFID, DECT, GSM)
+\end{itemize}
+\end{frame}
+
+\section{TETRA Introduction}
+
+\subsection{What is TETRA?}
+
+\begin{frame}{Introducing TETRA}
+TErrestrial Trunked RAdio
+\begin{itemize}
+ \item Digital PMR (Professional Mobile Radio) standard
+ \item Standardization Body ETSI started work in 1990
+ \item First specified in 1995, endorsed by EU Radiocomms Committee
+ \item Commercial Vendors: Motorola, EADS/Nokia, Arteva/Simoco/Pye/Philips, Rohde \& Schwarz
+ \item Chinese vendors are expected to appear on the market soon
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA vs GSM}
+\begin{itemize}
+ \item Longer range due to lower frequency (but not vs. GSM 410/450!)
+ \item Higher spectral efficiency (4 speech channels in 25kHz vs. 16 speech channels in 270kHz)
+ \item Specified to work at speeds above 400 km/h
+ \item one-to-one, one-to-many and many-to-many (but: GSM-R ASCI)
+ \item offers direct mode between handsets in case base station is out of range
+ \item separate infrastructure from public networks (but: GSM-R)
+ \item de-central fall-back, i.e. base stations switching local calls
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA vs GSM}
+Summary
+\begin{itemize}
+ \item Most of the TETRA advantages could be achieved using GSM-R in a lower frequency band
+ \item Local call switching can be implemented in GSM (think of OpenBSC)
+ \item GSM requires modifications on the air interface for direct mode, but even in TETRA, direct mode is {\em very} different from trunked mode
+\end{itemize}
+It seems, the industry rather re-invented an entirely different system to ensure
+the resulting equipment can be sold at multiples of the commercial-grade GSM
+equipment.
+\end{frame}
+
+
+\subsection{Where is TETRA deployed?}
+
+\begin{frame}{TETRA deployments}
+\begin{itemize}
+ \item In 2009, TETRA was deployed in 114 countries (every continent except North America)
+ \item Typical users: Police, Transportation, Army, Fire Service, Ambulance, Customs, Coast Guard
+ \item But also: Private company networks (industrial plants)
+ \item In Germany there are 63 registered networks (only 5 are BOS)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA deployments}
+\begin{itemize}
+ \item Follow TETRA Newsletter released by TETRA MoU organization
+ \item Majority of recent deployments seems to be in Asia, specifically China.
+ \item Examples typically include police, public transportation, airports, harbours, industrial plants
+\end{itemize}
+\end{frame}
+
+\section{TETRA Technical Intro}
+
+\subsection{TETRA Air Interface}
+
+\begin{frame}{TETRA Frequencies}
+\begin{itemize}
+ \item European Emergency Services
+ \begin{itemize}
+ \item 380-383 MHz and 390-393 MHz
+ \item 383-385 MHz and 393-395 MHz (optional)
+ \end{itemize}
+ \item European Private/Commercial Systems
+ \begin{itemize}
+ \item 410-430 MHz
+ \item 450-470 MHz
+ \end{itemize}
+ \item Other Countries
+ \begin{itemize}
+ \item Depending on local regulatory requirements
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Frequency plan}
+\begin{itemize}
+ \item Single TETRA carrier normally 25kHz wide, no guard bands
+ \item Channel grid can align on 6.25, 12.5 and 25kHz offset
+ \item This allows seamless migration / co-existence with analog FM PMR in same band
+ \item Uplink/Downlink spacing can depend on band, typically 10MHz
+ \item Advanced TETRA-2 modes can operate at 50, 75 or 100kHz bandwidth
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Modulation}
+\begin{itemize}
+ \item pi/4 DQPSK (Differential Quaternary Phase Shift Keying)
+ \item 2 bits per symbol
+ \item Phase {\em difference} encodes information
+ \item 8 phase constellations, 4 possible transitions
+ \item Requires very linear amplifier as it is not constant envelope
+ \item Used within TETRA at 36 kbits/sec (18 kSymbols/sec)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Modulation}{pi/4 DQPSK (8 constellations, 4 transitions)}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=55mm]{500px-Pi-by-4-QPSK_Gray_Coded.png}
+\end{figure}
+Source: Wikipedia / User:Splash
+\end{frame}
+
+\begin{frame}{TETRA TDMA Frame structure}
+\begin{itemize}
+ \item Each time-slot contains 510 bits (GSM: 156)
+ \item TDMA frame with 4 time-slots (GSM: 8)
+ \item Duration of TDMA frame: 56.67 ms (GSM: 4.6 ms)
+ \item Multiframe: 18 TDMA frames (GSM: 26/51)
+ \item Hyperframe: 60 Multiframes (GSM: 2715648)
+\end{itemize}
+\end{frame}
+
+\subsection{TETRA Protocol Stack}
+
+\begin{frame}{TETRA Protocol Stack}
+\begin{itemize}
+ \item The TETRA protocol stack is more complex than GSM
+ \item Shared Stacking: PHY/lowerMAC/upperMAC/LLC
+ \item Above LLC there is MLE (resembles GSM RR), on top:
+ \begin{itemize}
+ \item MM (Mobility Management)
+ \item CMCE (Circuit Mode Control Entity)
+ \item CONS (Connection Oriented Service)
+ \item CNLS (Connectionless Service)
+ \end{itemize}
+ \item Call Control, Supplementary services on top of CMCE
+ \item Packet data on top of CNLS and CONS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Protocol Stack}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=80mm]{tetra_mac_llc.png}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{TETRA Protocol Stack}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=80mm]{tetra_protocol_stack.png}
+\end{figure}
+\end{frame}
+
+\subsection{TETRA Security}
+
+\begin{frame}{TETRA Security}
+\begin{itemize}
+ \item Once again all security features optional, like in GSM
+ \item Security features include
+ \begin{itemize}
+ \item Authentication
+ \item Air interface encryption
+ \item End-to-End encryption
+ \item Over-the-air re-keying (OTAR)
+ \item Remote locking of stolen devices
+ \end{itemize}
+ \item Not all handsets support all features
+ \item Key material can be stored in handset flash or in SIM
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Authentication}
+\begin{itemize}
+ \item Authentication messages part of Mobility Management (MM)
+ \item Based on secret User Authentication Key (UAK) in SIM, generating Authentication key K by use of Algorithms TB1, TB2 or TB3
+ \item Supports three modes
+ \begin{itemize}
+ \item Authentication of user by infrastructure (TA11, TA12)
+ \item Authentication of infrastructure by user (TA21, TA22)
+ \item Mutual authentication (four-pass, TA11, TA12, TA21, TA22)
+ \end{itemize}
+ 
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Authentication}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=60mm]{tetra_mutual_auth.png}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{TETRA Air Interface Encryption}
+\begin{itemize}
+ \item Like GSM: Encrypts only the air interface, not the core network
+ \item Unlike GSM: Not between L1 and L0 but inside the upper MAC layer
+ \begin{itemize}
+ \item Thus, no idle frames with known plaintext
+ \item Thus, no redundant information due to FEC before crypto
+ \end{itemize}
+ \item Encryption happens with different keys (SCK, DCK, CCK, GCK, MGCK)
+ \item IV is concatenation of hyperframe, multiframe, frame and slot number
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{TETRA Air Interface Encryption}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=100mm]{tetra_encryption.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{TETRA Encryption Keys}
+\begin{itemize}
+ \item SCK (Static Cipher Key)
+ \begin{itemize}
+ \item pre-shared key, used in networks without authentication
+ \item up to 32 possible keys, selected by SYSINFO.
+ \end{itemize}
+ \item DCK (Derived Cipher Key)
+ \begin{itemize}
+ \item Generated by authentication procedure (like GSM A3/A8)
+ \item different for each user
+ \end{itemize}
+ \item CCK (Common Cipher Key)
+ \begin{itemize}
+ \item Generated by infrastructure and distributed to MS through DCK-encrypted connection using OTAR
+ \item Used for group calls within one location area
+ \end{itemize}
+ \item GCK (Group Cipher Key)
+ \begin{itemize}
+ \item Generated by infrastructure and distributed to MS through DCK-encrypted connection using OTAR
+ \item Used for specific protected groups
+ \end{itemize}
+ \item MGCK (Modified GCK)
+ \begin{itemize}
+ \item GCK modified by CCK
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Encryption Algorithms}
+There are 4 specified TETRA Encryption Algorithms (TEA):
+\begin{description}[TEA4]
+ \item[TEA1] generally available, original algorithm, relaxed export
+ \item[TEA2] for public safety users in Schengen + EU countries
+ \item[TEA3] for public safety users elsewhere
+ \item[TEA4] generally available, reflects relaxed 1998 Wassenaar arrangement
+\end{description}
+It is assumed that at least original ciphers are 80-bit stream ciphers.
+None of them have ever leaked publicly!
+\end{frame}
+
+\begin{frame}{TETRA Air Interface Encryption}{Keys and Algorithms}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=75mm]{tetra_keys_algos.png}
+\end{figure}
+\end{frame}
+
+\subsection{TETRA Security Conclusions}
+
+\begin{frame}{Is it really secure?}
+Given all those security features, is TETRA really secure?
+\begin{itemize}
+ \item much better than GSM
+ \item however, all security again optional
+ \item security of a given network depends on its configuration
+ \item reality is sad: Government networks secure, private networks insecure
+ \item vendors to blame
+ \begin{itemize}
+ \item 200 EUR cost increase in handset for crypto
+ \item authentication center in core network very expensive
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Case Study: tetra-hamburg.de}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=50mm]{tetra_hh_secure.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Case Study: tetra-hamburg.de}
+\begin{itemize}
+ \item public tetra network available for paying users (like cellular carrier)
+ \item by DFP TETRA Hamburg Ges. fuer Digitalfunk mbH
+ \item website claims it is secure against eavesdropping {\em because it is digital}
+ \item the network does not use any form of TEA encryption
+ \item all signalling, voice, SDS and packet data transferred in plaintext
+ \item digital radio receiver + protocol decoder sufficient for eavesdropping
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Case Study: BVG - Berlin subway}
+\begin{itemize}
+ \item private TETRA network for Berlin subway system (BVG)
+ \item incompatible with bus and tram radio (TETRAPOL) of BVG
+ \item almost no publicly available information, except some 2 press releases when they made big equipment purchasing deals
+ \item the network does not use any form of TEA encryption
+ \item all signalling and voice data transferred in plaintext
+ \item digital radio receiver + protocol decoder sufficient for eavesdropping
+\end{itemize}
+\end{frame}
+
+\section{TETRA Data Services}
+
+\subsection{Short Data Service}
+\begin{frame}{SDS - Short Data Service}
+\begin{itemize}
+ \item SDS can be compared with GSM/UMTS SMS
+ \item short messages of up to 140 bytes length
+ \item everything like GSM, but not 100\% identical
+\end{itemize}
+\end{frame}
+
+\subsection{Packet Data Service}
+\begin{frame}{TETRA SNDCP - Packet Data}
+\begin{itemize}
+ \item SNDCP (Sub-Network Dependent Convergence Protocol)
+ \item facilitates packet switched services like IPv4 over TETRA
+ \item leverages the GPRS network architecture and protocols
+ \item PDP Context to APN (like GPRS)
+ \item very slow unless both base station and handset support QAM modulation
+\end{itemize}
+\end{frame}
+
+
+\section{Osmocom TETRA}
+
+\begin{frame}{Osmocom TETRA Demodulator}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=90mm]{osmocom_tetra.png}
+\end{figure}
+\end{frame}
+
+\subsection{Demodulator}
+
+\begin{frame}{Osmocom TETRA Demodulator}
+\begin{itemize}
+ \item 1:1 code re-use from APCO-25 Software receiver project
+ \item Hierarchical block fully based on gnuradio blocks
+ \begin{itemize}
+ \item Root-raised cosine filter
+ \item M-PSK receiver block
+ \item Costas Loop for carrier tracking
+ \item Muller\&Muller synchronizer
+ \item output: Float value between -3 and 3 in units of pi/4
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{Lower MAC and PHY}
+
+\begin{frame}{Osmocom TETRA PHY}
+The burst synchronizer ({\tt tetra\_burst\_sync.c})
+\begin{itemize}
+ \item First acquires the Sync Burst training sequence by correlation
+ \item Later locks on Normal Burst (NB) training sequences
+ \item Splits actual payload sections out of training sequences,
+\end{itemize}
+The burst generator ({\tt tetra\_burst.c})
+\begin{itemize}
+ \item puts together various bursts such as NB, SB and others
+ \item calculates phase alignment bits
+ \item used to test receiver code
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Osmocom TETRA lower MAC}{Receive Side}
+\begin{itemize}
+ \item Receives bursts from PHY layer
+ \item Applies the following operations depending on burst type
+ \begin{itemize}
+ \item De-scrambling
+ \item De-Interleaving
+ \item De-Puncturing (RCPC code)
+ \item Viterbi decoder (RCPC code)
+ \item Compute + Verify CRC-16
+ \end{itemize}
+ \item Recover TETRA Time (frame number) from SYNC burst
+ \item Hands decoded payload data to upper MAC
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Osmocom TETRA lower MAC}{Transmit Side}
+\begin{itemize}
+ \item Receives payload from upper MAC
+ \item Applies the following operations depending on burst type
+ \begin{itemize}
+ \item Append tail bits
+ \item Compute CRC-16
+ \item Convolutional encoder (RCPC code)
+ \item Puncturing (RCPC code)
+ \item Interleaving
+ \item Scrambling
+ \end{itemize}
+ \item Hands decoded payload data to PHY
+\end{itemize}
+Tx is currently only used in testing the Rx code
+\end{frame}
+
+\begin{frame}{Osmocom TETRA upper MAC}
+\begin{itemize}
+ \item Rx-only
+ \item Not a complete implementation, just to decode SYSINFO, ACCESS-ASSIGN and (more and more) other bits.
+ \item Mainly a proof-of-concept to ensure PHY and lower MAC work
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Osmocom TETRA LLC}
+\begin{itemize}
+ \item Rx-only
+ \item gathers and de-fragments LLC fragments of MAC PDUs
+ \item offers them to higher layer protocols like MM, CMCE, SNDCP
+ \item Mainly a proof-of-concept implementation, nothing fancy
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Osmocom TETRA speech frame export}
+\begin{itemize}
+ \item Not in the public git repository yet
+ \item simply identifies and dumps speech frames to a file
+ \item data still needs to be de-compressed
+ \item luckily, ETSI specs come with C reference code for the
+speech codec, so we can generate raw PCM files that we can play back
+\end{itemize}
+\end{frame}
+
+\subsection{wireshark integration}
+
+\begin{frame}{Osmocom TETRA via GSMTAP}
+\begin{itemize}
+ \item The GSMTAP pseudo-header has been extended for TETRA
+ \item Change is backward-compatible with existing GSMTAP
+ \item current version of libosmocore supports extended GSMTAP
+ \item OsmocomTETRA {\tt tetra-rx} contains GSMTAP output support
+\end{itemize}
+\end{frame}
+
+\begin{frame}{wireshark TETRA integration}
+\begin{itemize}
+ \item TETRA messages are unaligned bit-fields, full of variable-length and optional parts
+ \item Writing manual decoding/encoding routines is tiresome and error-prone
+ \item Beijing Institute of Technology has developed wireshark dissectors based on describing TETRA messages as ASN.1 PER (described in IEEE paper)
+ \item We contacted them and they were willing to release their code under GNU GPL
+ \item Zecke has extended it with GSMTAP support it has been included in wireshark mainline
+\end{itemize}
+\end{frame}
+
+\subsection{TETRA transmit code}
+
+\begin{frame}{Transmitting TETRA}
+\begin{itemize}
+ \item The lower MAC and PHY code exists and is proven
+ \item OP25 project contains modulator for pi/4 DQPSK
+ \item Combining the two should render simplistic TETRA transmitter
+ \item Sending continuous sequence of BSCH in SB and BNCH in NB comprises valid beacon and should allow handsets to lock on the signal
+ \item So far no time to experiment with it
+ \item Could be first step in SDR TETRA Base Station
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Thanks}
+Thanks to
+\begin{itemize}
+ \item Dieter Spaar for discovering the APCO25 demodulator and his work on speech decoding
+ \item Sylvain Munaut for implementing our own Viterbi decoder
+ \item Holger Freyther for his work on CRC, Shortened Reed-Muller and wireshark
+ \item horiz0n for providing sample captures of TETRA radio traffic
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Further Reading}
+\begin{itemize}
+ \item \url{http://tetra.osmocm.org/}
+ \item \url{http://www.tetramou.com/}
+ \item \url{http://www.etsi.org/website/Technologies/TETRA.aspx}
+ \item \url{http://www.tetramou.com/uploadedFiles/About\_TETRA/TETRA\%20Security\%20pdf.pdf}
+ \item \url{http://www.tetrawatch.net/}
+ \item {\em Digital Mobile Communications and the TETRA System} by John Dunlop, Demessie Girma, James Irvine - Wiley
+\end{itemize}
+\end{frame}
+
+
+\end{document}
diff --git a/2011/tetra-ph2011/osmocom_tetra.png b/2011/tetra-ph2011/osmocom_tetra.png
new file mode 100644
index 0000000..918dee5
Binary files /dev/null and b/2011/tetra-ph2011/osmocom_tetra.png differ
diff --git a/2011/tetra-ph2011/tetra_encryption.png b/2011/tetra-ph2011/tetra_encryption.png
new file mode 100644
index 0000000..bd50366
Binary files /dev/null and b/2011/tetra-ph2011/tetra_encryption.png differ
diff --git a/2011/tetra-ph2011/tetra_hh_secure.png b/2011/tetra-ph2011/tetra_hh_secure.png
new file mode 100644
index 0000000..0059e23
Binary files /dev/null and b/2011/tetra-ph2011/tetra_hh_secure.png differ
diff --git a/2011/tetra-ph2011/tetra_keys_algos.png b/2011/tetra-ph2011/tetra_keys_algos.png
new file mode 100644
index 0000000..9fdd51b
Binary files /dev/null and b/2011/tetra-ph2011/tetra_keys_algos.png differ
diff --git a/2011/tetra-ph2011/tetra_mac_llc.png b/2011/tetra-ph2011/tetra_mac_llc.png
new file mode 100644
index 0000000..cf99a84
Binary files /dev/null and b/2011/tetra-ph2011/tetra_mac_llc.png differ
diff --git a/2011/tetra-ph2011/tetra_mutual_auth.png b/2011/tetra-ph2011/tetra_mutual_auth.png
new file mode 100644
index 0000000..db0e35b
Binary files /dev/null and b/2011/tetra-ph2011/tetra_mutual_auth.png differ
diff --git a/2011/tetra-ph2011/tetra_protocol_stack.png b/2011/tetra-ph2011/tetra_protocol_stack.png
new file mode 100644
index 0000000..2044853
Binary files /dev/null and b/2011/tetra-ph2011/tetra_protocol_stack.png differ
diff --git a/2011/tetra-srlabs2011/osmocom-tetra.pdf b/2011/tetra-srlabs2011/osmocom-tetra.pdf
new file mode 100644
index 0000000..758db21
Binary files /dev/null and b/2011/tetra-srlabs2011/osmocom-tetra.pdf differ
diff --git a/2011/tetra-srlabs2011/osmocom-tetra.snm b/2011/tetra-srlabs2011/osmocom-tetra.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2011/tetra-srlabs2011/osmocom-tetra.tex b/2011/tetra-srlabs2011/osmocom-tetra.tex
new file mode 100644
index 0000000..5ef384e
--- /dev/null
+++ b/2011/tetra-srlabs2011/osmocom-tetra.tex
@@ -0,0 +1,533 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+ \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{OsmocomTETRA}
+
+\subtitle
+{Researching TETRA and its security}
+
+\author{Harald Welte}
+
+\institute
+{gnumonks.org\\gpl-violations.org\\OpenBSC\\OsmocomBB\\hmw-consulting.de}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[SRLabs 2011] % (optional, should be abbreviation of conference name)
+{SRLabs, January 2011, Berlin/Germany}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Communications Security}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents[hideallsubsections]
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+ \item Using + playing with Linux since 1994
+ \item Kernel / bootloader / driver / firmware development since 1999
+ \item IT security expert, focus on network protocol security
+ \item Core developer of Linux packet filter netfilter/iptables
+ \item Board-level Electrical Engineering
+ \item Always looking for interesting protocols (RFID, DECT, GSM)
+\end{itemize}
+\end{frame}
+
+\section{TETRA Introduction}
+
+\subsection{What is TETRA?}
+
+\begin{frame}{Introducing TETRA}
+TErrestrial Trunked RAdio
+\begin{itemize}
+ \item Digital PMR (Professional Mobile Radio) standard
+ \item Standardization Body ETSI started work in 1990
+ \item First specified in 1995, endorsed by EU Radiocomms Committee
+ \item Commercial Vendors: Motorola, EADS/Nokia, Arteva/Simoco/Pye/Philips, Rohde \& Schwarz
+ \item Chinese vendors are expected to appear on the market soon
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA vs GSM}
+\begin{itemize}
+ \item Longer range due to lower frequency (but not vs. GSM 410/450!)
+ \item Higher spectral efficiency (4 speech channels in 25kHz vs. 16 speech channels in 270kHz)
+ \item Specified to work at speeds above 400 km/h
+ \item one-to-one, one-to-many and many-to-many (but: GSM-R ASCI)
+ \item offers direct mode between handsets in case base station is out of range
+ \item separate infrastructure from public networks (but: GSM-R)
+ \item de-central fall-back, i.e. base stations switching local calls
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA vs GSM}
+Summary
+\begin{itemize}
+ \item Most of the TETRA advantages could be achieved using GSM-R in a lower frequency band
+ \item Local call switching can be implemented in GSM (think of OpenBSC)
+ \item GSM requires modifications on the air interface for direct mode, but even in TETRA, direct mode is {\em very} different from trunked mode
+\end{itemize}
+It seems, the industry rather re-invented an entirely different system to ensure
+the resulting equipment can be sold at multiples of the commercial-grade GSM
+equipment.
+\end{frame}
+
+
+\subsection{Where is TETRA deployed?}
+
+\begin{frame}{TETRA deployments}
+\begin{itemize}
+ \item In 2009, TETRA was deployed in 114 countries (every continent except North America)
+ \item Typical users: Police, Transportation, Army, Fire Service, Ambulance, Customs, Coast Guard
+ \item But also: Private company networks (industrial plants)
+ \item In Germany there are 63 registered networks (only 5 are BOS)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA deployments}
+\begin{itemize}
+ \item Follow TETRA Newsletter released by TETRA MoU organization
+ \item Majority of recent deployments seems to be in Asia, specifically China.
+\end{itemize}
+\end{frame}
+
+\section{TETRA Technical Intro}
+
+\subsection{TETRA Air Interface}
+
+\begin{frame}{TETRA Frequencies}
+\begin{itemize}
+ \item European Emergency Services
+ \begin{itemize}
+ \item 380-383 MHz and 390-393 MHz
+ \item 383-385 MHz and 393-395 MHz (optional)
+ \end{itemize}
+ \item European Private/Commercial Systems
+ \begin{itemize}
+ \item 410-430 MHz
+ \item 450-470 MHz
+ \end{itemize}
+ \item Other Countries
+ \begin{itemize}
+ \item Depending on local regulatory requirements
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Frequency plan}
+\begin{itemize}
+ \item Single TETRA carrier normally 25kHz wide, no guard bands
+ \item Channel grid can align on 6.25, 12.5 and 25kHz offset
+ \item This allows seamless migration / co-existence with analog FM PMR in same band
+ \item Uplink/Downlink spacing can depend on band, typically 10MHz
+ \item Advanced TETRA-2 modes can operate at 50, 75 or 100kHz bandwidth
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Modulation}
+\begin{itemize}
+ \item pi/4 DQPSK (Differential Quaternary Phase Shift Keying)
+ \item 2 bits per symbol
+ \item Phase {\em difference} encodes information
+ \item 8 phase constellations, 4 possible transitions
+ \item Requires very linear amplifier as it is not constant envelope
+ \item Used within TETRA at 36 kbits/sec (18 kSymbols/sec)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA TDMA Frame structure}
+\begin{itemize}
+ \item Each time-slot contains 510 bits (GSM: 156)
+ \item TDMA frame with 4 time-slots (GSM: 8)
+ \item Duration of TDMA frame: 56.67 ms (GSM: FIXME)
+ \item Multiframe: 18 TDMA frames (GSM: 26/51)
+ \item Hyperframe: 60 Multiframes (GSM: FIXME)
+\end{itemize}
+\end{frame}
+
+\subsection{TETRA Protocol Stack}
+
+\begin{frame}{TETRA Protocol Stack}
+\begin{itemize}
+ \item The TETRA protocol stack is more complex than GSM
+ \item Shared Stacking: PHY/lowerMAC/upperMAC/LLC
+ \item Above LLC there is MLE (resembles GSM RR), on top:
+ \begin{itemize}
+ \item MM (Mobility Management)
+ \item CMCE (Circuit Mode Control Entity)
+ \item CONS (Connection Oriented Service)
+ \item CNLS (Connectionless Service)
+ \end{itemize}
+ \item Call Control, Supplementary services on top of CMCE
+ \item Packet data on top of CNLS and CONS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Protocol Stack}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=80mm]{tetra_mac_llc.png}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{TETRA Protocol Stack}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=80mm]{tetra_protocol_stack.png}
+\end{figure}
+\end{frame}
+
+\subsection{TETRA Security}
+
+\begin{frame}{TETRA Security}
+\begin{itemize}
+ \item Once again all security features optional, like in GSM
+ \item Security features include
+ \begin{itemize}
+ \item Authentication
+ \item Air interface encryption
+ \item End-to-End encryption
+ \item Over-the-air re-keying (OTAR)
+ \item Remote locking of stolen devices
+ \end{itemize}
+ \item Not all handsets support all features
+ \item Key material can be stored in handset flash or in SIM
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Authentication}
+\begin{itemize}
+ \item Authentication messages part of Mobility Management (MM)
+ \item Based on secret User Authentication Key (UAK) in SIM, generating Authentication key K by use of Algorithms TB1, TB2 or TB3
+ \item Supports three modes
+ \begin{itemize}
+ \item Authentication of user by infrastructure (TA11, TA12)
+ \item Authentication of infrastructure by user (TA21, TA22)
+ \item Mutual authentication (four-pass, TA11, TA12, TA21, TA22)
+ \end{itemize}
+
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Authentication}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=60mm]{tetra_mutual_auth.png}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{TETRA Air Interface Encryption}
+\begin{itemize}
+ \item Like GSM: Encrypts only the air interface, not the core network
+ \item Unlike GSM: Not between L1 and L0 but inside the upper MAC layer
+ \begin{itemize}
+ \item Thus, no idle frames with known plaintext
+ \item Thus, no redundant information due to FEC before crypto
+ \end{itemize}
+ \item Encryption happens with different keys (SCK, DCK, CCK, GCK, MGCK)
+ \item IV is concatenation of hyperframe, multiframe, frame and slot number
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{TETRA Air Interface Encryption}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=100mm]{tetra_encryption.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{TETRA Encryption Keys}
+\begin{itemize}
+ \item SCK (Static Cipher Key)
+ \begin{itemize}
+ \item pre-shared key, used in networks without authentication
+ \item up to 32 possible keys, selected by SYSINFO.
+ \end{itemize}
+ \item DCK (Derived Cipher Key)
+ \begin{itemize}
+ \item Generated by authentication procedure (like GSM A3/A8)
+ \item different for each user
+ \end{itemize}
+ \item CCK (Common Cipher Key)
+ \begin{itemize}
+ \item Generated by infrastructure and distributed to MS through DCK-encrypted connection using OTAR
+ \item Used for group calls within one location area
+ \end{itemize}
+ \item GCK (Group Cipher Key)
+ \begin{itemize}
+ \item Generated by infrastructure and distributed to MS through DCK-encrypted connection using OTAR
+ \item Used for specific protected groups
+ \end{itemize}
+ \item MGCK (Modified GCK)
+ \begin{itemize}
+ \item GCK modified by CCK
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TETRA Encryption Algorithms}
+There are 4 specified TETRA Encryption Algorithms (TEA):
+\begin{description}[TEA4]
+ \item[TEA1] generally available, original algorithm, relaxed export
+ \item[TEA2] for public safety users in Schengen + EU countries
+ \item[TEA3] for public safety users elsewhere
+ \item[TEA4] generally available, reflects relaxed 1998 Wassenaar arrangement
+\end{description}
+It is assumed that at least original ciphers are 80-bit stream ciphers.
+None of them have ever leaked publicly!
+\end{frame}
+
+\begin{frame}{TETRA Air Interface Encryption}{Keys and Algorithms}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=75mm]{tetra_keys_algos.png}
+\end{figure}
+\end{frame}
+
+\section{Osmocom TETRA}
+
+\subsection{Demodulator}
+
+\begin{frame}{Osmocom TETRA Demodulator}
+\begin{itemize}
+ \item 1:1 code re-use from APCO-25 Software receiver project
+ \item Hierarchical block fully based on gnuradio blocks
+ \begin{itemize}
+ \item Root-raised cosine filter
+ \item M-PSK receiver block
+ \item Costas Loop for carrier tracking
+ \item Muller\&Muller synchronizer
+ \item output: Float value between -3 and 3 in units of pi/4
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{Lower MAC and PHY}
+
+\begin{frame}{Osmocom TETRA PHY}
+The burst synchronizer ({\tt tetra\_burst\_sync.c})
+\begin{itemize}
+ \item First acquires the Sync Burst training sequence by correlation
+ \item Later locks on Normal Burst (NB) training sequences
+ \item Splits actual payload sections out of training sequences,
+\end{itemize}
+The burst generator ({\tt tetra\_burst.c})
+\begin{itemize}
+ \item puts together various bursts such as NB, SB and others
+ \item calculates phase alignment bits
+ \item used to test receiver code
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Osmocom TETRA lower MAC}{Receive Side}
+\begin{itemize}
+ \item Receives bursts from PHY layer
+ \item Applies the following operations depending on burst type
+ \begin{itemize}
+ \item De-scrambling
+ \item De-Interleaving
+ \item De-Puncturing (RCPC code)
+ \item Viterbi decoder (RCPC code)
+ \item Compute + Verify CRC-16
+ \end{itemize}
+ \item Recover TETRA Time (frame number) from SYNC burst
+ \item Hands decoded payload data to upper MAC
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Osmocom TETRA lower MAC}{Transmit Side}
+\begin{itemize}
+ \item Receives payload from upper MAC
+ \item Applies the following operations depending on burst type
+ 
\begin{itemize} + \item Append tail bits + \item Compute CRC-16 + \item Convolutional encoder (RCPC code) + \item Puncturing (RCPC code) + \item Interleaving + \item Scrambling + \end{itemize} + \item Hands decoded payload data to PHY +\end{itemize} +Tx is currently only used in testing the Rx code +\end{frame} + +\begin{frame}{Osmocom TETRA upper MAC} +\begin{itemize} + \item Rx-only + \item Not a complete implementation, just to decode SYSINFO, ACCESS-ASSIGN and some other bits. + \item Mainly a proof-of-concept to ensure PHY and lower MAC work +\end{itemize} +\end{frame} + +\subsection{wireshark integration} + +\begin{frame}{Osmocom TETRA via GSMTAP} +\begin{itemize} + \item The GSMTAP pseudo-header has been extended for TETRA + \item Change is backward-compatible with existing GSMTAP + \item current version of libosmocore supports extended GSMTAP + \item OsmocomTETRA {\tt tetra-rx} contains GSMTAP output support +\end{itemize} +\end{frame} + +\begin{frame}{wireshark TETRA integration} +\begin{itemize} + \item TETRA messages are unaligned bit-fields, full of variable-length and optional parts + \item Writing manual decoding/encoding routines is tiresome and error-prone + \item Beijing Institute of Technology has developed wireshark dissectors based on describing TETRA messages as ASN.1 PER (described in IEEE paper) + \item We contacted them and they were willing to release their code under GNU GPL + \item Zecke has extended it with GSMTAP support and is in the process of submitting it to wireshark mainline +\end{itemize} +\end{frame} + +\subsection{TETRA transmit code} + +\begin{frame}{Transmitting TETRA} +\begin{itemize} + \item The lower MAC and PHY code exists and is proven + \item OP25 project contains modulator for pi/4 DQPSK + \item Combining the two should render simplistic TETRA transmitter + \item Sending continuous sequence of BSCH in SB and BNCH in NB comprises valid beacon and should allow handsets to lock on the signal + \item So far no time to 
experiment with it + \item Could be first step in SDR TETRA Base Station +\end{itemize} +\end{frame} + +\begin{frame}{Thanks} +Thanks to +\begin{itemize} + \item Dieter Spaar for discovering the APCO25 demodulator and his work on speech decoding + \item Sylvain Munaut for implementing our own Viterbi decoder + \item Holger Freyther for his work on CRC, Shortened Reed-Muller and wireshark + \item horiz0n for providing sample captures of TETRA radio traffic +\end{itemize} +\end{frame} + + +\begin{frame}{Further Reading} +\begin{itemize} + \item \url{http://tetra.osmocm.org/} + \item \url{http://www.tetramou.com/} + \item \url{http://www.etsi.org/website/Technologies/TETRA.aspx} + \item \url{http://www.tetramou.com/uploadedFiles/About\_TETRA/TETRA\%20Security\%20pdf.pdf} + \item \url{http://www.tetrawatch.net/} + \item {\em Digital Mobile Communications and the TETRA System} by John Dunlop, Demessie Girma, James Irvine - Wiley +\end{itemize} +\end{frame} + + +\end{document} diff --git a/2011/tetra-srlabs2011/tetra_encryption.png b/2011/tetra-srlabs2011/tetra_encryption.png new file mode 100644 index 0000000..bd50366 Binary files /dev/null and b/2011/tetra-srlabs2011/tetra_encryption.png differ diff --git a/2011/tetra-srlabs2011/tetra_keys_algos.png b/2011/tetra-srlabs2011/tetra_keys_algos.png new file mode 100644 index 0000000..9fdd51b Binary files /dev/null and b/2011/tetra-srlabs2011/tetra_keys_algos.png differ diff --git a/2011/tetra-srlabs2011/tetra_mac_llc.png b/2011/tetra-srlabs2011/tetra_mac_llc.png new file mode 100644 index 0000000..cf99a84 Binary files /dev/null and b/2011/tetra-srlabs2011/tetra_mac_llc.png differ diff --git a/2011/tetra-srlabs2011/tetra_mutual_auth.png b/2011/tetra-srlabs2011/tetra_mutual_auth.png new file mode 100644 index 0000000..db0e35b Binary files /dev/null and b/2011/tetra-srlabs2011/tetra_mutual_auth.png differ 
diff --git a/2011/tetra-srlabs2011/tetra_protocol_stack.png b/2011/tetra-srlabs2011/tetra_protocol_stack.png new file mode 100644 index 0000000..2044853 Binary files /dev/null and b/2011/tetra-srlabs2011/tetra_protocol_stack.png differ -- cgit v1.2.3