The encryption for a DECT product is 64-bit. Below you will find an official Sennheiser memo regarding DECT security and encryption, as well as an extract from a paper written by ETSI (European Telecommunications Standards Institute) about DECT technology.
- Sennheiser memo
- ETSI extract
- The DECT Security Chain
- The Pairing Process
- Other Security Measures in DECT Devices
- Security Concerns and Countermeasures
The DECT security chain is made up of the three main processes:
Most DECT-enabled devices follow these processes. The DECT standard, however, does not define exactly how pairing data should be exchanged. The sections below detail the generic DECT processes, as well as the two common pairing methods used by headset manufacturers.
An overview of Validation and Pairing
In order for a DECT headset and base station to pair, they first need to validate each other with a matching 4-digit PIN code. An automatic process known as ‘easy pairing’ is used in most DECT headsets, enabling pairing to start without the user having to manually enter a PIN code.
When validation is complete, pairing can begin. This process is driven by an algorithm only available to DECT manufacturers, called the DECT Standard Authentication Algorithm (DSAA). The algorithm is executed simultaneously in the headset and base using the 4-digit PIN code and a random number stream. The results of the algorithm are exchanged and must match for successful pairing.
The Master Security Key – the key to keeping out DECT intruders
Another output of the DSAA algorithm is the Master Security Key (also known as the 128-bit UAK). The Master Security Key is used in all subsequent DECT security procedures. Since it could be used to compromise the security of a DECT communication system, it is critical to keep the Master Security Key protected from potential intruders.
Wireless pairing – a vulnerable area in the DECT security chain – in some DECT devices
It is a DECT requirement that the PIN code and Master Security Key are never exchanged ‘over the air’. However, some DECT devices transfer the data used to calculate the Master Security Key wirelessly. This opens up the possibility of an attacker ‘sniffing’ the pairing data, using highly sophisticated equipment. With very deep and specialized knowledge about DECT encryption, the intruder could, in theory, calculate the Master Security Key and thereby compromise the security of the system.
Protected pairing – the key to security in Sennheiser DECT devices
Sennheiser DECT devices have a very high security level, due to the process required to pair a Sennheiser headset and base station.
Rather than transferring pairing data ‘over the air’, the charging terminals are used for data communication. This means that a Sennheiser headset needs to be physically docked in a Sennheiser base, in order for the registration and security bindings to be established. This makes it virtually impossible for a third party to ‘sniff’ or intercept the pairing data from a remote location.
Since the Master Security Key is stored on the devices and never transmitted over the air, this feature provides best in class security against any kind of unauthorized access.
Conference pairing – a unique Master Security Key in each headset ensures no misuse
In Sennheiser headsets, it is possible to establish a DECT conference with up to four headsets connected to one base. In this scenario, each headset will get its own unique Master Security Key. This ensures that the Master Security Key stored in a guest headset cannot be misused later on the conference base station.
Per Call Authentication
Every time a call is made, the base needs to ensure that the connected headset has been paired – and is therefore safe to communicate with. The base does this by sending a random number stream – also known as a ‘challenge’ – to the headset. The headset and base station then simultaneously run an authentication algorithm, using the random numbers and Master Security Key as input. The headset sends its ‘response’ back to the base station and if the calculation outputs match, the call can be placed. If not, the call is rejected. Another output of the “Per Call Authentication” process is the generation of a Session Encryption Key, which is further described in the “Encryption” section below.
The Per call authentication process flow:
It is the industry standard to authenticate headsets ‘over the air’ prior to each call. While this data can be ‘sniffed’ by an intruder, it is of little value without knowing the Master Security Key. In the case of Sennheiser devices, it would only be possible to retrieve the data used to calculate the Master Security Key with physical access, making it even more difficult, and virtually impossible, for intruders to attack.
Once a secure link is established between the headset and base, the units can communicate. To protect against passive eavesdropping, voice data is encrypted in both directions. A DECT standard encryption algorithm called DSC (with 64-bit encryption key) is used to encrypt voice data and call-related digital signaling. For an unauthorized user, the encrypted data would look like a meaningless stream of digital data.
The encryption process flow:
A new Session Encryption Key is produced for each call during the Per Call Authentication process (as described previously). As a result, an intruder cannot gain access to the Session Encryption Key without hacking into the pairing process. In the case of Sennheiser devices, this can only be done through a physical connection between headset and base, making the exchange of voice data extremely secure.
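The Per Call Authentication exchange and the per-call Session Encryption Key described above can be sketched as follows. This is an added example, not Sennheiser or ETSI code: HMAC-SHA256 stands in for the DSAA, and the class names, the 8-byte challenge and the 4-byte response are assumptions made for the illustration; only the 128-bit Master Security Key and the 64-bit session key sizes come from the text.

```python
import hashlib
import hmac
import secrets

def auth_outputs(uak: bytes, challenge: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the per-call algorithm: HMAC-SHA256, NOT the real DSAA.
    Returns (response sent over the air, 64-bit session key kept on the device)."""
    digest = hmac.new(uak, challenge, hashlib.sha256).digest()
    return digest[:4], digest[4:12]   # response length is an assumption

class Headset:
    def __init__(self, uak: bytes):
        self.uak, self.session_key = uak, None

    def answer(self, challenge: bytes) -> bytes:
        response, self.session_key = auth_outputs(self.uak, challenge)
        return response

class Base:
    def __init__(self, uak: bytes):
        self.uak, self.session_key, self._challenge = uak, None, None

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(8)   # fresh random numbers per call
        return self._challenge

    def verify(self, response: bytes) -> bool:
        challenge, self._challenge = self._challenge, None   # challenge is single use
        self.session_key = None
        if challenge is None:
            return False                     # no call setup in progress
        expected, key = auth_outputs(self.uak, challenge)
        if not hmac.compare_digest(expected, response):
            return False                     # outputs differ: call rejected
        self.session_key = key               # same key the headset derived
        return True

def place_call(base: Base, headset: Headset) -> bool:
    """One call setup: challenge out, response back, accept or reject."""
    return base.verify(headset.answer(base.new_challenge()))

if __name__ == "__main__":
    uak = secrets.token_bytes(16)            # constructed 128-bit Master Security Key
    base, paired, stranger = Base(uak), Headset(uak), Headset(secrets.token_bytes(16))
    print("paired headset accepted:", place_call(base, paired))
    print("session keys match:", base.session_key == paired.session_key)
    print("unpaired headset accepted:", place_call(base, stranger))
```

Only the challenge and the response cross the air interface; the Master Security Key and the session key are computed independently on each side, and a response recorded from an earlier call fails against the next call's fresh challenge.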
The security features described provide a very high security level against unauthorized access. The table below summarizes the main perceived threats and countermeasures.
* Standard DECT devices defined as those using ‘over the air’ pairing procedures