Description
Over-The-Air Key Management (OTAK) is a standardized security procedure defined within 3GPP specifications for Terrestrial Trunked Radio (TETRA) systems. TETRA is a digital mobile radio standard widely used by public safety organizations, transportation services, and utilities for mission-critical voice and data communications. OTAK operates within the TETRA security architecture and specifically addresses the lifecycle management of the cryptographic keys used for air interface encryption (AIE) and end-to-end encryption (E2EE). Its core function is to deliver new or updated encryption keys securely from a Key Management Facility (KMF) to TETRA mobile stations (MS) or terminals without requiring physical access to the device.
The architecture involves several key entities: the Key Management Facility (KMF), the trusted authority that generates and distributes keys; the TETRA infrastructure, including base stations (TBS) and the switching and management infrastructure (SwMI); and the TETRA Mobile Station (MS). The KMF uses the existing TETRA signaling channels to transmit key management messages. These messages are themselves protected using keys already in place, or a hierarchy of such keys, so that new key material is never exposed in transit. In the typical case the KMF encrypts the new traffic encryption key (TEK) or group key under a key encryption key (KEK) that is already securely stored on the mobile station.
OTAK procedures are defined to handle various scenarios, including initial key provisioning, periodic key updates (rekeying) to limit key exposure, and emergency key revocation when a key is compromised. The protocol ensures that only authorized devices receive keys, typically by addressing messages with identifiers such as the TETRA Subscriber Identity (TSI) and group identifiers. The mobile station acknowledges successful delivery and activation of a new key back to the KMF, giving the KMF assurance that the rekeying actually completed. This over-the-air capability is crucial for large fleets of devices where manual key loading is impractical, enabling scalable and responsive security management for critical communication networks.
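The delivery flow described above (KEK-wrapped TEK addressed to one TSI, acknowledgement, revocation), as an added illustration that is not 3GPP or ETSI code. The page does not name TETRA's wrapping algorithms, so an HMAC-SHA256 keystream plus HMAC tag (encrypt-then-MAC) stands in for them; the message layout, 48-bit TSI packing and replay check are assumptions of this example.

```python
import hmac
import hashlib
import os
import struct

# Added illustration of the OTAK flow, not standard code. The real TETRA
# algorithms are not named on the page; HMAC-SHA256 stands in for them here.
DELIVER, REVOKE = 1, 2
HDR = struct.Struct(">B6sH8s")  # type | 48-bit TSI | key id | random nonce


def _keystream(kek: bytes, header: bytes, n: int) -> bytes:
    """Counter-mode keystream bound to the message header (stand-in PRF)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(kek, header + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def kmf_message(kek: bytes, tsi: int, key_id: int, mtype: int, tek: bytes = b"") -> bytes:
    """KMF side: build a DELIVER (TEK wrapped under the KEK) or REVOKE message for one TSI."""
    header = HDR.pack(mtype, tsi.to_bytes(6, "big"), key_id, os.urandom(8))
    body = bytes(a ^ b for a, b in zip(tek, _keystream(kek, header, len(tek))))
    tag = hmac.new(kek, header + body, hashlib.sha256).digest()[:16]
    return header + body + tag


class MobileStation:
    def __init__(self, tsi: int, kek: bytes):
        self.tsi, self.kek, self.keys, self.seen = tsi, kek, {}, set()

    def receive(self, msg: bytes):
        """MS side: verify the message, install or revoke the key, return the acknowledgement."""
        header, body, tag = msg[:HDR.size], msg[HDR.size:-16], msg[-16:]
        mtype, tsi, key_id, nonce = HDR.unpack(header)
        if int.from_bytes(tsi, "big") != self.tsi:
            return None  # not addressed to this MS: silently ignored
        expected = hmac.new(self.kek, header + body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected) or nonce in self.seen:
            return ("NACK", key_id)  # forged, tampered or replayed: keep current keys
        self.seen.add(nonce)
        if mtype == DELIVER:
            tek = bytes(a ^ b for a, b in zip(body, _keystream(self.kek, header, len(body))))
            self.keys[key_id] = tek
        elif mtype == REVOKE:
            self.keys.pop(key_id, None)
        else:
            return ("NACK", key_id)
        return ("ACK", key_id)
```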
Purpose & Motivation
OTAK was created to address the significant operational and security challenges of manual key management in large-scale, professional mobile radio systems like TETRA. Prior to OTAK, cryptographic keys were often loaded into radios via physical connections (e.g., key fill devices or cables), a process that is time-consuming, logistically difficult, and prone to error for organizations with hundreds or thousands of deployed devices. For public safety and critical infrastructure operators, the inability to quickly change encryption keys across an entire fleet represented a major security vulnerability, especially if a device was lost, stolen, or a key was suspected to be compromised.
The motivation for OTAK stems from the need for dynamic, remote security management that matches the operational tempo of modern critical communications. It solves the problem of maintaining cryptographic agility, that is, the ability to change encryption algorithms or keys rapidly in response to evolving threats. By enabling over-the-air updates, OTAK allows network operators to enforce security policies, perform regular key rotations to limit the impact of potential cryptanalysis, and promptly invalidate keys across the network during security incidents. This capability is foundational for maintaining the long-term confidentiality of sensitive communications in government, emergency services, and industrial applications that rely on TETRA technology.
Key Features
- Secure remote distribution of traffic encryption keys (TEKs) and group keys
- Utilizes a hierarchy of keys (e.g., KEKs) to protect the key delivery process
- Supports procedures for initial key provisioning, periodic rekeying, and emergency key revocation
- Operates over standard TETRA signaling channels without requiring dedicated data sessions
- Includes acknowledgment mechanisms from the mobile station to confirm key receipt and activation
- Integrates with TETRA's authentication and infrastructure security mechanisms
Evolution Across Releases
Initially standardized in 3GPP Release 15, OTAK provides a common over-the-air key management framework for TETRA systems. The specifications established the basic procedures, message formats, and security protocols for securely delivering encryption keys from a Key Management Facility to TETRA mobile stations, addressing the core need for remote key management in critical communications.
Defining Specifications
| Specification | Title |
|---|---|
| TS 23.283 | 3GPP TS 23.283 |
| TS 23.783 | 3GPP TS 23.783 |
| TS 24.883 | 3GPP TS 24.883 |