Plantronics’ CS500 series headsets were amongst the first products to gain DECT security certification.
10
STANDARDS, SECURITY AND CERTIFICATION FOCUS
Maintaining
security in the DECT
ecosystem
By: Anders Berggren, Ascom Wireless Solutions & Member of DECT Forum Board
The DECT Security Certification program has been a tremendous success since it was launched by the DECT Security Working Group. Trust in the DECT technology increased a lot, and remains very high. The certification program has been very important for some vertical markets, especially in the enterprise area, where some customers demand very high security. Certification has also been very useful as a way of promoting the certified products. Today, there is still work to do to implement Step B in the certification process, in what is a three step roadmap.
The DECT Security Certification program enables full members of the DECT Forum to obtain formal certification for their products to confirm that they are compliant with the security requirements of the DECT standard. After passing the certification program a vendor can promote its products by using the DECT Security logo, which is owned by the DECT Forum. So far, six DECT Forum members have certified 33 of their products through the certification program. First out was Plantronics in August 2013 with its DECT headsets, closely followed by Ascom with its handsets and base stations. The latest certification was achieved by SGW in July 2015. The complete list can be found at the DECT Forum site (DECT.org)
The move to improve security in the DECT standard started in 2009, following concerns raised by the market. A Security Working Group was created within the DECT Forum. This involved security experts from several companies, including deDECTed.org, as they set out to define the enhancements of the Standard. These security enhancements were defined in a three step roadmap, A to C, in order to address immediate, mid-term and long term concerns. The improvements in step A were ratified by ETSI during early 2010 and the improvement in step B was approved during 2012.
Promoting certification
The DECT forum board would like to encourage more manufacturers to participate in the certification program. Key values for
implementing DECT security and putting products through a DECT Security Certification are:
• A more secure product, bringing less risk of having a security problem and the resulting bad publicity.
• Beneficial promotion of the product using the Certificate and the DECT security logo
• Differentiation of the product.
A manufacturer who wants to certify one or several products can find information about the process under ‘downloads’ on the DECT Forums’ web site. In short, the process starts by submitting a request for certification to a Security Qualification Laboratory. The
laboratory performs the required tests and issues a test report. An assessment and notification is sent to the Security Qualification Body, who makes an Application for Certificate to the DECT forum. In turn, the DECT forum requests a license fee. After receiving the license fee a certification is issued by the DECT forum via the Security Qualification Body.
The security improvements were defined in three steps. Today the certification program covers step A, and some of the most important improvements are: Early encryption, Base station not open for registration for longer than 120 sec, Cipher key used by encryption engine is updated at least once per 60sec and then Evaluation of peer sides behavior regarding encryption and call release in case of suspicion behavior. The test equipment (the DA1220P), which is used by vendors and Security Qualification Laboratories, is available from Dosch&Amand.
Recently, some DECT Forum member companies have seen an increased interest from their customers regarding DECT security Step B. This contains an improved authentication algorithm called DECT Standard Authentication Algorithm 2 (DSAA2). The DSAAA2 specification is approved and can be implemented. The implementation should normally only require a firmware update of the product. For the time being, no approved certification equipment is available.
Finally there is Step C - DECT Standard Cypher 2 (DSC2) - which contains an improvement of the encryption algorithm. DSC2 will require support from the DECT chip.
DECT Today - The Success Story Continues · www.dect.org