TRAKS: A Universal Key Management Scheme for ERTMS
Richard J. Thomas, Mihai Ordean, Tom Chothia and Joeri de Ruiter
Submitted to Annual Computer Security Applications Conference (ACSAC) 2017
This paper presents a new Key Management and Distribution Scheme for use in the European Rail Traffic Management System (ERTMS). Its aim is to simplify key management and improve cross-border operations through hierarchical partitioning. The current scheme used in ERTMS involves the creation and distribution of 3DES keys to train and trackside entities, which are then used as part of the Euro Radio Protocol to provide message authentication. This results in the distribution of tens of thousands of keys using portable media, a prohibitively high burden on management and resourcing. We present a symmetric key solution, TRAKS, which has the benefit of being backwards compatible with the current ERTMS standard and being post-quantum secure. This new scheme reduces the number of cryptographic keys in circulation, and maintains the current security model. We achieve this by dynamically deriving unique keys from a shared secret, i.e. the line secret, which is combined with IDs of trains, and of signalling equipment. In addition to providing better key management, our scheme also adds authentication to the location data provided by EuroBalises.
Summary of TRAKS
The current standards require a unique cryptographic key for every pair of devices in the rail network. This can require infrastructure managers and operators to manage tens of thousands of keys, with a significant manual overhead. This makes the scheme very difficult to run efficiently, creating a risk that out-of-date keys are used.
TRAKS makes it possible to manage these keys in a secure, efficient way. This replaces the tens of thousands of keys currently required with a master secret for each line, which can then be combined with the identifiers of the trains and train controllers to calculate unique, secure cryptographic keys for the devices to communicate, whenever needed. These line secrets only need to be installed once when a piece of equipment is first deployed.
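The following sketch illustrates the idea of deriving a per-pair key from one line secret and the two device identifiers. It is an added example, not code from the paper or the TRAKS authors: the PRF (truncated HMAC-SHA256), the two-step layout, the 4-byte ID encoding, the labels and all sample values are assumptions made here, and the output is cut to 24 bytes only to match the length of a three-key 3DES key.

```python
import hashlib
import hmac
from itertools import product

KEY_LEN = 24  # bytes: length of a three-key 3DES key (assumed target key size)


def prf(key: bytes, label: bytes) -> bytes:
    """Stand-in PRF: HMAC-SHA256 truncated to KEY_LEN (assumption, not the paper's PRF)."""
    return hmac.new(key, label, hashlib.sha256).digest()[:KEY_LEN]


def controller_key(line_secret: bytes, controller_id: int) -> bytes:
    """Intermediate value bound to one line and one train controller.
    Fixed-width ID encoding keeps distinct IDs from colliding after concatenation."""
    return prf(line_secret, b"controller:" + controller_id.to_bytes(4, "big"))


def pair_key(line_secret: bytes, controller_id: int, train_id: int) -> bytes:
    """Key for one (controller, train) pair, recomputed on demand from the IDs."""
    ctrl = controller_key(line_secret, controller_id)
    return prf(ctrl, b"train:" + train_id.to_bytes(4, "big"))


def demo():
    line_secret = bytes(range(32))          # constructed sample secret, not a real key
    controllers = [0x1001, 0x1002, 0x1003]  # constructed IDs
    trains = [0x2001, 0x2002]               # constructed IDs

    # One side derives the pair key in two steps, caching the controller value.
    trackside = {}
    for c in controllers:
        ctrl = controller_key(line_secret, c)
        for t in trains:
            trackside[(c, t)] = prf(ctrl, b"train:" + t.to_bytes(4, "big"))

    # The other side derives the same keys independently from the same inputs.
    onboard = {(c, t): pair_key(line_secret, c, t)
               for c, t in product(controllers, trains)}
    return trackside, onboard


if __name__ == "__main__":
    trackside, onboard = demo()
    print("both sides agree:", trackside == onboard)
    print("distinct pair keys:", len(set(trackside.values())), "from 1 line secret")
```

With three controllers and two trains, six distinct pair keys come from a single stored secret, where a per-pair scheme would need six keys generated and distributed individually.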
TRAKS is fully backwards compatible with the current standards, allowing infrastructure managers to replace the existing ERTMS protocol with TRAKS gradually, without any operational downtime. An accompanying mathematical proof is given which shows the scheme to be cryptographically secure against attackers.
TRAKS would also be secure against attackers who use quantum computers. The lifespan of installed rail equipment can be up to 30 years, and it is possible that quantum computers will become practical in this time. It is therefore important that any proposed rail control system is also secure against the kinds of attacks that quantum computers could enable, which would, for instance, break other popular protocols such as the widely used TLS protocol.
We worked extensively with the UK’s National Cyber Security Centre (NCSC), the Birmingham Centre for Rail Research and Education (BCRRE) and a number of train and infrastructure companies to start the process of making TRAKS an official standard for trains.
This paper was presented on Thursday, 7th December 2017 at Hilton Orlando Lake Buena Vista, United States of America.
- Slides: acsac_presentation.pdf
An executive summary of TRAKS, which presents our work at a higher, less technical level, is available here: traks-executive-summary.pdf
The paper is available here: traks_paper.pdf