First of all the following terms are defined:
frame: a binary sequence, for example arising from an iteration of a cryptographic module, of length Sframe (Sframe>1 bit);
block: a group of n consecutive frames, with n≧1;
super-frame: a group formed of p consecutive blocks, with p≧1;
encrypted data stream: a succession of super-frames.
The terms frame, block and super-frame defined above within the context of an application stream between remote terminal equipments do not prejudge the underlying structuring of the streams by the transmission bearer service: a super-frame, or a block or a frame, sent by an application may for example correspond to an unsegmented packet transmitted in the transport layer.
A difficulty created by the implementation of secure communications is that receivers in the equipment must be synchronized or resynchronized sufficiently rapidly with an encrypted data stream. The specifications of the known cryptographic suites consider only a single assumption about the frequency of the cryptographic synchronizations, dimensioned around time constants associated with a given underlying network. This is problematic for an end-to-end encrypted data stream whose terminal equipments operate in dissimilar networks. For example, for a point-to-point communication or for a teleconference, the terminal communication equipments may be diverse: a first terminal equipment may be bound to a wired network, a second terminal equipment may be situated in a cell of a cellular radiocommunication network for mobiles, a third terminal equipment is a satellite communication terminal, and a fourth terminal equipment is an HF radio apparatus operating with frequency shifts.
Transmission of an encrypted data stream between fixed terminal equipments of a wired network whose communication service is reliable requires essentially only slow cryptographic synchronization.
Transmission of an encrypted data stream via a network, certain segments of which cater for non-reliable transmissions, for example radio transmissions, may lead certain receivers not to receive the entire cryptographic synchronization information necessary for processing the encrypted data stream or may lead certain receivers to lose the necessary synchronism between the decryption and the reception of frames of the encrypted data stream. A method of fast resynchronization is then necessary.
Fast synchronization is also necessary when a terminal equipment of the communication requires an intercell transfer (or “handover”) or an announced cell reselection, that is to say when the encrypted data stream changes transmission channel, thereby temporarily interrupting reception and causing the terminal equipment to lose cryptographic synchronism.
Fast synchronization is also necessary when a terminal equipment wishing to participate in an encrypted communication already begun between other terminal equipments requires late entry into the communication.
Furthermore, fast synchronization is useful when the encrypted data stream received continuously by a receiver for a given communication has undergone upstream a pre-emption of a sender by a sender of higher priority.
The measurement of the speed of cryptographic synchronization and the limitations of the prior art are presented hereinafter.
There exist various modes of cryptographic synchronization, some of which require the explicit transmission of parameters of a cryptographic state word so as to initialize the decryption process. Some of these modes, such as the OFB (Output FeedBack mode) and CTR (CounTeR mode) modes, are for example described in the American publication from the National Institute of Standards and Technology “NIST Special Publication 800-38A 2001 Edition, Recommendation for Block Cipher Modes of Operation—Methods and Techniques”. The transmitted parameters of the cryptographic state word define a synchronization management word SY.
In the prior art, the synchronization management word is typically transmitted in association with each super-frame of an encrypted data stream.
Two known association procedures are recalled below.
In the first association procedure, the bandwidth BSY necessary for transmitting the frame containing the synchronization management word is sampled by frame stealing from the bandwidth BT of the stream of encrypted traffic frames. The necessary total bandwidth, expressed in bit/s, is then B=BT. The first association procedure by frame stealing is described in the standard ETSI EN 302 109 V1.1.1, “Terrestrial Trunked Radio (TETRA); Security; Synchronization mechanism for end-to-end encryption” June 2003, pages 1-17.
In the second association procedure, the bandwidth BSY necessary for transmitting the synchronization management word can be complementary to the bandwidth BT necessary for transmitting the stream of encrypted traffic frames. Two logical channels are then defined: a traffic channel for the encrypted frames and a signaling channel associated with the traffic channel for the frames containing the synchronization management word. The necessary total bandwidth is then B=BSY+BT. The second procedure is described in international patent application WO 2004/014019.
Let SSY be the size of the synchronization word SY expressed in bits, determined consistently with the choice of the encryption flow chart, of the mode of synchronization and of a crypto-period. This size does not depend directly on the structuring of the stream into frames, blocks and super-frames.
According to a first assumption, the synchronization management word has a size SSY less than or equal to the size of a traffic frame.
The stream actually transmitted according to the first association procedure consists of a series of super-frames of dimension 1. Each of these super-frames is formed of a single block (p=1) comprising a synchronization frame containing the synchronization management word of the super-frame and n−1 frames of encrypted traffic data. The first traffic frame is stolen and replaced with the synchronization frame and is therefore not transmitted.
The stream actually transmitted according to the second association procedure consists of a series of super-frames of dimension 2. Each of these super-frames is formed of a single block (p=1) comprising for example in the signaling channel a synchronization frame containing the synchronization management word of the super-frame and in the associated traffic channel n frames of encrypted traffic data.
According to a second assumption, the synchronization management word of the super-frame has a size SSY greater than or equal to the size Sframe of a frame. Without restricting the generality of this assumption, the synchronization management word must be transmitted in identifiable frames separable from the traffic frames of the encrypted data stream, the converse case being overcome by segmenting the frames of the encrypted data stream into as many ad-hoc frames. According to a simple example, it is assumed that SSY=p×Sframe and the synchronization management word results from the concatenation of p synchronization frames for a given super-frame.
The stream actually transmitted according to the first association procedure then consists of a series of super-frames. Each of these super-frames is formed of p blocks of dimension 1 each comprising a respective synchronization frame followed by n−1 traffic frames, the synchronization frames respectively in the p blocks of the super-frame and concatenated in the order in which they are sent constituting the synchronization management word replacing p traffic frames.
The stream actually transmitted according to the second association procedure still consists of a series of super-frames. Each of these super-frames is formed of a single block (p=1) of dimension 2 which comprises in the signaling channel the synchronization management word followed in the traffic channel by n traffic frames.
Thus, according to the prior art, whatever the assumption regarding the size SSY of the synchronization management word and the first or the second association procedure, cryptographic synchronization is possible approximately after each occurrence of a super-frame, once the synchronization management word is known. This leads approximately to an inter-synchronization period equal to Tsync=(n p Sframe)/B.
The measurement of the speed Tsync of cryptographic synchronization for a real example highlights the limitations of the prior art: with B=2400 bit/s, Sframe=54 bits, n=24, p=3, we obtain Tsync=1.62 s; with B=2400 bit/s, Sframe=54 bits, n=24, p=4, we obtain Tsync=2.16 s.
These values of inter-synchronization period Tsync are satisfactory for a point-to-point communication in a telephone network with slow call setup, of the order of a few seconds. They are nevertheless incompatible with fast synchronization time constants, typically of the order of 0.3 to 1 second at the maximum, necessary in radiocommunication networks for mobiles implementing functions for intercell transfer, late entry or pre-emption. They are furthermore much greater than the typical duration of a phoneme in a speech signal which is encrypted into the encrypted data stream. These values of inter-synchronization period Tsync are thus incompatible with the needs of interoperable secure communications simultaneously involving user terminal equipment through dissimilar networks. The requirement for fast synchronization can be illustrated by a multi-user secure teleconference involving equipments such as a user terminal of an ISDN or IP wired network, a mobile terminal of a GSM or UMTS cellular radiocommunication network and/or a mobile terminal of a PMR professional mobile radiocommunication network.
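The following model of the first association procedure (frame stealing, with SSY=p×Sframe) is an added example, not part of the original text. It reproduces the Tsync figures above and shows what late entry or a lost synchronization frame costs a receiver. The function names, the `start` and `lost` parameters, and the rule that a receiver needs all p synchronization frames of the same super-frame are assumptions of this sketch.

```python
from fractions import Fraction


def sync_times(n, p, sframe, b, superframes, start=0, lost=()):
    """Times (s) at which a receiver holds a complete synchronization word SY.

    First association procedure (frame stealing): each block of n frames
    opens with one synchronization frame, and the p synchronization frames
    of one super-frame, concatenated in sending order, form SY.
    start: index of the first frame the receiver hears (late entry).
    lost:  indices of frames destroyed on the bearer (constructed input).
    """
    frame_time = Fraction(sframe, b)      # seconds per frame at B bit/s
    lost = set(lost)
    times = []
    for sf in range(superframes):
        base = sf * n * p                 # first frame of this super-frame
        sy_frames = [base + blk * n for blk in range(p)]
        # Assumption: SY is usable only if all p of its frames were received.
        if all(i >= start and i not in lost for i in sy_frames):
            times.append((sy_frames[-1] + 1) * frame_time)
    return times


def acquisition_delay(n, p, sframe, b, start=0, lost=()):
    """Delay (s) from entry at frame `start` to the first usable SY."""
    lost = set(lost)
    # Each lost frame spoils at most one super-frame, so this horizon suffices.
    horizon = start // (n * p) + 3 + len(lost)
    first = sync_times(n, p, sframe, b, horizon, start, lost)[0]
    return first - start * Fraction(sframe, b)


if __name__ == "__main__":
    for p in (3, 4):                      # the two cases measured in the text
        t = sync_times(24, p, 54, 2400, 3)
        print(f"p={p}: Tsync={float(t[1] - t[0])} s,",
              f"late entry one frame in: {float(acquisition_delay(24, p, 54, 2400, 1))} s")
    # Constructed loss: the second synchronization frame (index 24) is destroyed.
    print("loss of frame 24:", float(acquisition_delay(24, 3, 54, 2400, 0, [24])), "s")
```

Under this model a receiver that enters one frame after a super-frame has started waits 2.7 s with p=3, longer than the inter-synchronization period itself, because it must discard the partial word and collect the whole of the next one.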
A synchronization method is moreover known, described in European patent application 1209844, which adds extra synchronization frames in the encrypted data stream. The addition of these extra synchronization frames modifies the bandwidth initially necessary for the encrypted data stream and does not satisfy a requirement for fast synchronization in an optimized manner. Furthermore, this synchronization method destroys the synchronism of the encrypted data stream and therefore the prior slow synchronization, thereby requiring that all the receivers process the extra synchronization frames and thus constituting an interoperability limitation on security. Consequently, this method is inappropriate for ensuring a fast synchronization coexisting with a pre-existing slow synchronization, from which it profits.