Click for homepage
ETSI
TETRA
TAA
TEA
  
TEA2 →
← TEA
  
TEA1
TETRA Encryption Algorithm 1

TEA1, short for TETRA Encryption Algorithm 1, 1 is a stream cipher associated with Terrestrial Trunked Radio (TETRA), a European standard for public and emergency services, standardized by the European Telecommunications Standards Institute (ETSI). Part of the TEA suite of encryption algorithms, it is intended for commercial use and restricted export. It is very similar to the TEA2 algorithm, but has a significantly reduced key length that makes it practically exploitable [1].

The algorithm was developed in 1996/97 at Philips Crypto BV in Eindhoven (Netherlands) as a consultancy job for ETSI-SAGE. As the algorithm is secret, it has never been submitted for peer-review or in-depth security analysis. Instead it was evaluated by other ETSI-SAGE members before being submitted as a formal ETSI standard. All members of the TEA family, use an 80-bit key, but in the case of TEA1 it is effectively reduced to 32 bits, which makes it vulnerable to a brute-force attack. According to one of the developers, this was mandatory to get the algorithm approved for export. It was part of the ETSI specification and was clearly visible in the code [3].

  1. Not to be confused with Tiny Encryption Algorithm.  Wikipedia

Compromise   TETRA:BURST
In July 2023, Dutch cyber security firm Midnight Blue publicly disclosed the reduced key length and identified it as an intentional backdoor. As part of their research program TETRA:BURST they had reverse-engineered the source code of a commercially available TETRA radio, and were able to isolate the algorithm, after which it could be analysed [2]. In addition, they demonstrated the weakness in a real life hack. In the event, it took approx. one minute on a commercial laptop to break the key, after which all past and future traffic (on the same key) could be read instantly.



Structure
Key reduction
The diagram below shows how the initial 80-bit key (K) is reduced to a 32-bit key (K'). The 80-bit key consists of 10 bytes and is loaded into registers K0 to K9. It is then shifted left 10 times, one byte at a time. On each shift, the output byte is mixed with the output from the key register (K'), fed through an S-box lookup table (S) and shifted into the key register (K'). In itself this is a genuine operation, but as the K' register is just 32 bits wide, the remaining 48 bits are lost.

Reduction of the key length from 80 to 32 bits. Note that all elements are bytes rather than bits.
TEA1 key compression function


Stream cipher
The diagram below shows the structure of the TEA1 key stream generator which consists of two parts: a 64-bit state register (R) and an 32-bit key register (K'). The state register (R) is initialised with the Initialisation Vector (IV), whilst the key registeris derived from the original key (K'). The key register is basically a Linear Feedback Shift Register (LFSR) with an S-box lookup table (S). It is only fed with data from itself and produces a key-dependent output, independent from the IV.

General structure of the TEA1 stream cipher. Note that all elements are bytes rather than bits.
Structure of the TEA1 stream cipher

The state register (R) is also a Linear Feedback Shift Register (LFSR) that produces the output key stream byte at the top left (R0). It consists of two parts (R0-R3 and R4-R7) with an XOR inbetween. F1 is a non-linear function that takes two input bytes (R5, R6) and produces one output byte that is mixed in the middle of the state register (R3-R4). F2 is also a non-linear function that takes two input bytes (R1, R2) and produces one output byte that is mixed with the feedback loop. (B) is a simple bit permutation of which the output is also mixed with the feedback loop.

For a more detailed description of the cipher, please refer to the paper 'All cops are broadcasting: TETRA under scrutiny' by Carlo Meijer, Wouter Bokslag and Jos Wetzels, published in August 2023 in relation to the TETRA:BURST vulnerability disclosures [4].

 Read the paper
 More about TETRA:BURST


Source code
As part of the TETRA:BURST project, Midnight Blue researchers managed to extract and reverse-engineer the firmware from an operational TETRA radio, and construct an equivalent of the code in the C programming language. This source code is now available to researchers [II]. The source code snippet below shows the implementation of the key reduction function.

     int32_t tea1_init_key_register(const uint8_t *lpKey) {
         int32_t dwResult = 0;
         for (int i = 0; i < 10; i++) {
             dwResult = (dwResult << 8) |
             g_abTea1Sbox[((dwResult >> 24) ^ lpKey[i] ^ dwResult) & 0xff];
         }
         return dwResult;
     }
     
    
The key consists of 80 bits, which is equal to 10 bytes. In the above code, the 10 bytes are processed one at a time, and then shifted into the result (
dwResult
) register. However, as the
dwResult
register is only 32 bits wide, the first 48 bits are shifted out and the key consists of the last 32 bits only, which is trivially short for a brute-force attack.

 Download the full source code


Publications
  1. Carlo Meijer, Wouter Bokslag and Jos Wetzels,
    All cops are broadcasting: TETRA under scrutiny

    Paper submitted to Crypto Museum. 9 August 2023.

  2. Full source code of TAA1, TEA1, TEA2 and TEA3 algorithms in C
    Reverse-engineered and used for analysis and real life tests.
    Midnight Blue, 9 August 2023.

  3. All Cops Are Broadcasting, Breaking TETRA after decades in the shadows
    Presentation by Jos Wetzels, Carlo Meijer and Wouter Bokslag at Black Hat 2023.
    Midnight Blue, 9 August 2023
References
  1. Wikipedia, Terrestrial Trunked Radio
    Visited 27 July 2023.

  2. TETRA:BURST
    Midnight Blue, 24 July 2023.
     More

  3. Cees Jansen, TEA co-developer at Philips Crypto BV
    Personal correspondence. Crypto Museum, July 2023.

  4. Carlo Meijer, Wouter Bokslag and Jos Wetzels,
    All cops are broadcasting: TETRA under scrutiny

    Paper submitted to Crypto Museum. 9 August 2023.
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Wednesday 09 August 2023. Last changed: Saturday, 12 August 2023 - 14:01 CET.
Click for homepage