Professional Documents
Culture Documents
Tetra E2E Smartcards Masterfile
Tetra E2E Smartcards Masterfile
Examensarbete
Jonas Olofsson
LiTH-ISY-EX--12/4559--SE
Linköping 2012
Jonas Olofsson
LiTH-ISY-EX--12/4559--SE
Sammanfattning
Abstract
TETRA is an open radio standard developed by ETSI. It is specifically designed for use by
government agencies, emergency services such as police forces, fire departments, and ambu-
lance, public safety networks, train radios, transport services, and the military. The TETRA
standard is used in the Swedish public safety net Rakel. Today the hand-held devices in
Rakel do not use a SIM card to hold the user identity. Instead, the terminal is personalised
by hard coding the user information in the terminal. As the users group grows a need for
SIM cards will probably emerge since it simplifies the handling of the users for the network
administrator, and allows the user to replace a broken terminal by simple moving his/her
SIM card to another terminal. This master thesis examines the TSIM standard and extracts
a specification of requirements, proposes a suitable software architecture, and partially im-
plements TSIM functionality on a smart card. The conclusion is that a TSIM application
can be integrated with an E2EE application but some modifications are needed compared to
only having the TSIM functionality in the smart card. The design and architecture described
in this master thesis can be used in systems that already use the SIM slot of the hand-held
devices for a smart card that extends the functionality of the terminal.
Nyckelord
Keywords smart card, TETRA, sim
Abstract
TETRA is an open radio standard developed by ETSI. It is specifically designed
for use by government agencies, emergency services such as police forces, fire
departments, and ambulance, public safety networks, train radios, transport ser-
vices, and the military. The TETRA standard is used in the Swedish public safety
net Rakel. Today the hand-held devices in Rakel do not use a SIM card to hold
the user identity. Instead, the terminal is personalised by hard coding the user
information in the terminal. As the users group grows a need for SIM cards will
probably emerge since it simplifies the handling of the users for the network ad-
ministrator, and allows the user to replace a broken terminal by simple moving
his/her SIM card to another terminal. This master thesis examines the TSIM stan-
dard and extracts a specification of requirements, proposes a suitable software
architecture, and partially implements TSIM functionality on a smart card. The
conclusion is that a TSIM application can be integrated with an E2EE application
but some modifications are needed compared to only having the TSIM functional-
ity in the smart card. The design and architecture described in this master thesis
can be used in systems that already use the SIM slot of the hand-held devices for
a smart card that extends the functionality of the terminal.
iii
Acknowledgments
I would like to thank Sectra Communications AB for giving me the opportunity
to carry out this master thesis. My supervisor at Sectra Jerry Falkcrona has been
a great help with both the technical questions about smart cards, the ETSI specifi-
cations and the content and structure of the report. I would also like to thank my
examiner and supervisor at Linköping University, Ola Dahl and Per Karlström,
for the help with the content and technical details about the report. Last but not
least, I would like to thank my opponent Mikael Rothin for good and constructive
criticisms.
v
Contents
1 Introduction 1
1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Goal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2.1 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Document Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.4 Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Background 7
2.1 TETRA – Terrestrial Trunked Radio . . . . . . . . . . . . . . . . . . 7
2.1.1 Rakel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 Smart Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2.1 SIM – Subscriber Identification Module . . . . . . . . . . . 11
2.3 Sectra TETRA E2EE . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3 Requirements 15
3.1 SIM Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.1.1 Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.1.2 Contacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.2 Electronic Signals and Transmission Protocols . . . . . . . . . . . . 17
3.2.1 States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.2.2 Baud Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.2.3 ATR - Answer To Reset . . . . . . . . . . . . . . . . . . . . . 17
3.2.3.1 PPS Procedure . . . . . . . . . . . . . . . . . . . . 18
3.2.3.2 Error Handling . . . . . . . . . . . . . . . . . . . . 18
3.3 File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.3.1 DF – Dedicated Files . . . . . . . . . . . . . . . . . . . . . . 19
3.3.2 EF – Elementary Files . . . . . . . . . . . . . . . . . . . . . . 19
3.3.2.1 Transparent EF . . . . . . . . . . . . . . . . . . . . 20
3.3.2.2 Linear Fixed EF . . . . . . . . . . . . . . . . . . . . 20
3.3.2.3 Key EF . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.3.2.4 Cyclic EF . . . . . . . . . . . . . . . . . . . . . . . 22
3.3.3 File Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.3.4 File IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
vii
viii CONTENTS
3.4 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.4.1 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.4.2 OTAR Cipher Key Distribution . . . . . . . . . . . . . . . . 25
3.4.3 File Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.5 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.5.1 Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.6 Contents of the EFs . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.7 Procedures over the ME/SIM interface . . . . . . . . . . . . . . . . 32
4 Architecture 35
4.1 File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.1.1 File Access Conditions . . . . . . . . . . . . . . . . . . . . . 36
4.2 System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
4.3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.4 Package Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
5 Design 41
5.1 File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.1.1 File Access Conditions . . . . . . . . . . . . . . . . . . . . . 43
5.1.2 File Commands . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.1.2.1 SELECT . . . . . . . . . . . . . . . . . . . . . . . . 44
5.1.2.2 READ BINARY . . . . . . . . . . . . . . . . . . . . 45
5.1.2.3 UPDATE BINARY . . . . . . . . . . . . . . . . . . 46
5.1.2.4 READ RECORD . . . . . . . . . . . . . . . . . . . 46
5.1.2.5 UPDATE RECORD . . . . . . . . . . . . . . . . . . 48
5.1.2.6 SEEK . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.1.2.7 INVALIDATE . . . . . . . . . . . . . . . . . . . . . 49
5.1.2.8 REHABILITATE . . . . . . . . . . . . . . . . . . . 50
5.2 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
5.2.1 GET RANDOM . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.2.2 TA11/TA12 Algorithm . . . . . . . . . . . . . . . . . . . . . 52
5.2.3 TA21/TA22 Algorithm . . . . . . . . . . . . . . . . . . . . . 53
5.2.4 TB4/TE Algorithm . . . . . . . . . . . . . . . . . . . . . . . 54
5.2.5 GET RESPONSE . . . . . . . . . . . . . . . . . . . . . . . . . 55
5.3 Package Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6 Verification 57
6.1 Requirement Verification . . . . . . . . . . . . . . . . . . . . . . . . 57
6.2 Unit Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.2.1 File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.2.2 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.3 Card Acceptance Test . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.3.1 File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.3.2 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.4 Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.4.1 Session Initialization . . . . . . . . . . . . . . . . . . . . . . 63
CONTENTS ix
7 Conclusions 65
7.1 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
7.2 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
7.3 Further Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Bibliography 67
x CONTENTS
Introduction
1
This master thesis evaluates the requirements for a Subscriber Identity Module
(SIM) application for the Terrestrial Trunked Radio (TETRA) standard and pro-
poses a design for implementing the SIM application on a smart card. This chap-
ter gives a background to the master thesis, the goals are described, and a list of
abbreviations used in the report is presented.
1.1 Background
SIM is a method to establish the identity of a subscriber and allow the operator
to set the appropriate user privileges in a mobile network. SIM cards are today
used in most types of mobile telephones and are mandatory according to the
Global System for Mobile Communications (GSM) standard. TETRA is an open
radio standard developed by the European Telecommunications Standards Insti-
tute (ETSI). TETRA systems today support the use of a SIM card and most mod-
ern TETRA terminals have a SIM slot. The SIM card functionality is currently not
supported by the terminals in the Swedish public safety net Rakel; Rakel is the
name of the TETRA network used by the Swedish emergency services. As TETRA
is spread to a larger user group in the community the SIM functionality can be
used to ease the handling of the subscribers for the network administrators.
1
2 1 Introduction
1.2 Goal
The goal with this master thesis is to examine the TETRA SIM (TSIM) standard,
extract a specification of requirements, propose a suitable software architecture,
and partially implement TSIM functionality on a smart card. The following work
packages have been identified:
• Analyse the standard for TSIM by ETSI and investigate unclear parts.
• Select the requirements and functions that shall be provided by a SIM card
for TETRA when the TSIM application shall coexist with an E2EE applica-
tion.
• Suggest a software architecture and a software design that are suitable for
the TSIM functionality on a smart card. The TSIM application and the ex-
isting E2EE application shall coexist on one smart card.
• Implement the TSIM functionality on a smart card and develop tests to ver-
ify the functionality. No physical terminal supporting the use of a SIM card
is available for verification, so the tests performed are the only verification
that the system works as intended.
1.2.1 Limitations
Due to licensing and the process of obtaining access to some algorithms used in
TETRA (for example the authentication algorithms), dummy algorithms are used
when the algorithm is not available. This simplification allows for testing of the
functionality but not of the actual compliance with a live network.
• Conclusions: The last chapter describes what was found during the master
thesis, thoughts about the findings, and future work.
1.4 Abbreviations 3
1.4 Abbreviations
APDU Application Protocol Data Unit
ATR Answer To Reset
CCK Common Cipher Key
CPU Central Processing Unit
DCK Derived Cipher Key
DCK1 Component one of the DCK
DCK2 Component two of the DCK
DF Dedicated File
DMO Direct-Mode Operation
E2EE End to End Encryption
EEPROM Electrically Erasable Programmable Read Only Memory
EF Elementary File
ETSI European Telecommunications Standards Institute, www.etsi.org
FIPS Federal Information Processing Standard
GCK Group Cipher Key
GSM Global System for Mobile Communications
HAL Hardware Abstraction Layer
IC Integrated Circuit
ICC Integrated Circuit Chip
IEC International Electrotechnical Commission
ISO International Organization for Standardization
ITSI Individual TETRA Subscriber Identity
K Encryption Key, a key used by the authentication process for
SwMI authentication
KE Key Encryption
KEK Key Encryption Key
KS Session Authentication Key
KS’ Session Authentication Key
ME Mobile Equipment
MF Master File
4 1 Introduction
7
8 2 Background
example, a police officer can use the TETRA terminal on the car as a gateway for
his hand-held device. A car terminal can operate at a higher e↵ect than a hand-
held device. So by using the car terminal as a relay, the operative can use his/her
hand-held device to communicate with the network even when the hand-held
device does not have network coverage. [18]
If two operatives wants to talk to each other using DMO, but are not in range of
each other or the network, a third terminal in between can be used as a repeater.
The third terminal then repeats the transmission between the operatives who
want to communicate with each other. In this way, a terminal can work as relay
for terminals that needs to communicate with each other. [18]
Figure 2.1: The car is connected via TMO with the TBS (1) and DMO with
the operative (2). In this configuration the car’s TETRA terminal works as a
gateway for the operative.
2.1.1 Rakel
Rakel is a TETRA network and is Sweden’s national communication system for
collaboration and leadership. The Swedish government owns Rakel’s infrastruc-
ture and the Swedish Civil Contingencies Agency (MSB) is responsible for the
expansion, operation, management, and development of Rakel as well as the mar-
keting and sales of subscriptions. Today Rakel covers 99,84 % of the Swedish
population and 95 % of the land area, excluding the mountain areas. The sys-
tem is built to work in the worst possible situation and all base stations have
additional power supplies, either in form of batteries or diesel generators. [1]
Rakel has been put in place to replace the earlier systems used by the emergency
services in Sweden and unite them under one communication system. The use
of a common communication system allows for easier collaboration between dif-
ferent emergency services as well as other public vital organizations, for example
power suppliers. [1]
are three di↵erent types of ICs used in smart cards: memory only, wired logic
and microcontroller. A short description of the di↵erent card types can be found
below: [12]
• Memory Only ICC cards: Memory only cards use an electronic magnetic
stripe. Compared to a magnetic card this gives the memory only cards a
higher bandwidth, bigger storage capacity and a faster read/write speed.
In addition the reader for a memory only card is cheaper than a magnetic
stripe card reader. One variant of the memory only card is the serial pro-
tected memory chip card. This card contains some hardwired data that can-
not be overwritten. This makes the card safer than the ordinary memory
only card.
• Wired Logic ICC cards: Wired logic cards contain a logic-based state ma-
chine to provide encryption and authenticated access to on-board memory.
The encrypted access to the memory is optional and supported by a file sys-
tem provided with the wired logic chip card. The file system and command
set of a wired logic chip card can only be reconfigured by redesigning the
logic of the IC. Wired logic chip cards can exist as both contact and contact-
less smart cards.
• Secure Microcontroller ICC cards: Microcontroller cards are the most com-
plex of the three types of cards. They contain a microcontroller, an OS and
a read/write memory. The microcontroller ICs have been designed to meet
di↵erent security targets, for example the Common Access Card IC criteria
by the American Department of Defence. The commonly used term "Smart
Card" often refers to this type of card. A secure microcontroller smart card
usually consists of:
– 8-bit to 32-bit CPU.
– ROM or flash memory that contains the chip’s OS and, optionally, ap-
plication software.
– RAM for temporary registers to store temporary data.
– Non-volatile memory used for storage of user data, for example EEPROM,
ferroelectric RAM or flash memory.
– Countermeasures against known and foreseen security threats, to achieve
Common Criteria or FIPS 140-2 certifications.
– Environmental sensors.
– At least one serial port for communication with a card reader.
– A random number generator.
– Timers
– Optional cryptography accelerator(s).
– Optional dedicated peripherals.
2.2 Smart Card 11
All of the above described cards exist in many di↵erent implementations on the
market today. [12]
To use a smart card, one must be able to communicate with them. There are two
primary types of smart card interfaces: contact and contactless. The di↵erent
card types are described below: [12]
• Contactless Smart Cards: The contactless smart card uses Radio Frequency
(RF) waves to communicate with a reader. The smart card must often be
close to the reader, generally within 10 centimetres.
The focus on the rest of this document will be on the contact version of the Secure
Microcontroller Integrated Circuit Chip (ICC) card. The reason is that this is
what a SIM usually is implemented as.
Figure 2.3: Micro SIM with mini SIM and full SIM brackets. Source:
http://en.wikipedia.org/wiki/File:Telia_micro_SIM_with_brackets.jpg
In TETRA, a special type of SIM standard called TSIM is used. It di↵ers from the
SIM used in GSM due to di↵erent needs in the networks. The TSIM standard has
been developed by ETSI and can be found at http://www.etsi.org/.
Even if the standard shall be followed, not all requirements in the standard will
be fulfilled during the master thesis. The reason for this is the limited time for
the master thesis, so focus will be put on the mandatory software requirements.
Some requirements regarding the physical characteristics of the smart card are
out of scope of this thesis because they cannot be a↵ected (for these requirements
see Section 3.1 and Section 3.2).
In addition to the TSIM requirements, the TSIM application must be able to co-
exist with the existing applications, in this case Sectras E2EE application.
ID Description M/O
A unique Mandatory (M) or
A requirement description
requirement id optional (O)
The requirements given as shown in Table 3.1 are the requirements to be eval-
uated during this master thesis. Requirements only described by the text are
identified as important for a final product, but not important for a test imple-
mentation. Either because they handle non software requirements or because
they depend on the implementation environment.
15
16 3 Requirements
3.1.1 Format
On the ID-1 card, the identification number defined by EFI CCI D (described in
Section 3.6) must be printed on the card. On the plug-in SIM card, only the
individual account identifier and the check digit of the IC card identification
must be printed. [6]
3.1.2 Contacts
The position of the contacts on the smart card can be seen in Figure 3.1.
The contacts in position C4 and C8 must not be supported by the smart card or
the ME in a SIM application. C6 is not allowed to be connected to anything in the
smart card if not used by another application. If these contacts are present and
not used by another application inside the smart card the terminal shall present
them to the smart card as ground or high impedance. [6]
When the device is turned o↵ normally, the SIM card shall be deactivated as
specified in ISO/IEC 7816-3 [17]. However, if the clock to the SIM card is stopped
the ME can deactivate the contacts in any order, but the supply voltage must
always be switched o↵ last. [6]
The contact pressure must be large enough to guarantee contact. The contact
shall be guaranteed even if vibrations occur. The contact pressure shall never be
greater than 0.5 N per contact. If the contact pressure is larger then this value,
the smart card can be damaged. [6]
3.2 Electronic Signals and Transmission Protocols 17
3.2.1 States
The SIM card can be in two di↵erent states while the power supply is on. [6]
• Operating State: The SIM is in this state when executing a command. Trans-
missions to and from the ME are also included.
• Idle State: The SIM is in this state at any other time. In this state, the
temporary memory shall be kept.
The SIM may also support a clock stop mode. Clock stop means that the ME is
allowed to switch o↵ the clock to the smart card. If the clock stop mode shall be
used, the ME has to wait 1860 clock cycles after receiving the last character of
the last request before switching o↵ the clock. Before the first command is issued
after the clock has been started, the ME has to wait at least 744 clock cycles. [6]
ID Description M/O
An ATR shall be presented by the SIM card
1 M
at the beginning of every session.
The ATR shall contain the information given
2 M
in TS 100 977 [7].
The information inside the ATR shall match
both the requirements for a TSIM
3 M
application and the existing Sectra
encryption functions.
Each file consists of a header and an optional body part. Operations on files can
be performed by commands sent from the ME to the smart card. The commands
"GET RESPONSE" and "STATUS" can extract the information stored in the header.
In the header, information about the structure and attributes of the file is stored.
This information is fixed during the personalization phase. In the body part of a
file the actual data is stored. [6]
Each file has a unique file ID. The file ID consists of two bytes. The first byte
identifies the file type and can be seen below: [6]
• "3F": MF
• "7F": First level DF
• "5F": Second level DF
• "2F": EF under the MF
• "6F": EF under the first level DF
3.3 File System 19
ID Description M/O
A file shall consist of a header and an
4 M
optional body part.
Each file under a DF shall have a unique file
5 M
ID.
The file ID shall consist of two bytes,
6 M
following the rules above.
ID Description M/O
A DF shall consist of a header but no body
7 M
part.
ID Description M/O
An EF shall consist of both a header and a
8 M
body part.
The transparent EF shall function as
9 M
described in Section 3.3.2.1.
The linear fixed EF shall function as
10 M
described in Section 3.3.2.2.
The key EF shall function as described in
11 O
Section 3.3.2.3.
The cyclic EF shall function as described in
12 M
Section 3.3.2.4.
3.3.2.1 Transparent EF
Linear Fixed EF consists of a sequence of records. All records have the same
length and the records are numbered from 1 to n. The header stores the record
length as well as the record length multiplied with the total number of records.
Figure 3.4 shows the structure of a Linear Fixed EF. A Linear Fixed EF cannot
keep more than 255 records and a record must not be greater than 255 bytes. [6]
The following list describes the di↵erent ways of accessing a record inside the EF
(if an action is aborted for some reason, the pointer shall keep the value that it
had before the action was started): [6]
• When the record pointer is not set, the first and last record can be accessed.
3.3 File System 21
• When the record pointer is set, one can perform actions on the current, next
and previous record (unless the pointer is set to the last or first record).
• Identify a record using pattern seek starting:
– Forward from the start of the file.
– Forward from the next record of which the pointer is set (if not the
pointer is set to the last record).
– Backwards from the end of the file.
– Backward from the previous record of which the pointer is set (if the
pointer is not set to the first record).
3.3.2.3 Key EF
A Key EF consists of a sequence of records of the same length. They are numbered
from 1 to n. The header stores the length of a record as well as a multiple of the
length and the number of records. The structure can be seen in Figure 3.5. To
access a Key EF, only absolute addressing can be used and the address is the
record number. One EF cannot store more than 255 records and the length of
a record cannot exceed 255 bytes. This is the same limitations as for the Linear
Fixed EF. [6]
3.3.2.4 Cyclic EF
Cyclic EF is used to store records in chronological order. The records are num-
bered from 1 to n where n is the oldest record. The structure can be seen in
Figure 3.6. The record numbers in a Cyclic EF are changing so that the newest
records always is record 1. A cyclic EF consists of a fixed number of records with
the same length. The last and the first records are linked together so that a cycle
is formed. [6]
In Section 5.1.2.4, di↵erent modes are described for accessing the Cyclic EF. When
updating a record the "PREVIOUS" mode shall be used, but when reading a
record the modes "NEXT", "PREVIOUS", "CURRENT", or "RECORD NUMBER"
can be used. The record pointer shall always point to the oldest record. If an
action is aborted, the record pointer shall not be changed. The same limitation
as for the above described EFs holds for the Cyclic EF as well, there can never be
more than 255 records in the EF and a record cannot exceed 255 bytes. [6]
In order to select an EF, the DF for that EF must first be selected. An example
of how files can be accessed can be seen in Table 3.6. The "Current Directory" is
always set when the MF or a DF is selected, and the "Current EF" is cleared once
a new "Current Directory" is set. The "Current EF" is set once an EF is selected.
The "Current EF" is always a child of the "Current Directory". [6]
Table 3.6: Allowed file selection for the example structure given in Fig-
ure 3.7.
ID Description M/O
A file shall only be selected according to the
13 M
rules given in EN 300 812-3 [6].
ID Description M/O
The reserved file IDs defined in EN 300
14 M
812-3 [6] shall be used.
3.4 Security
This section will only handle the security related TETRA features that are rele-
vant to the SIM. For other security aspects of TETRA see EN 300 392-7 [9] and
EN 300 396-6 [10].
The security of an MS is defined by a security class, see EN 300 392-7 [9] for
more information. Table 3.9 shows what the SIM needs to support in terms of
functions and key storage for di↵erent security classes.
3.4 Security 25
3.4.1 Authentication
The authentication process is built around a symmetric key. To read more about
symmetric keys see [4]. The key shall be shared between two parties that shall
be able to authenticate each other. The key must be kept secret from everyone
else. The two authentication parties shall prove to each other that they know the
shared key through the authentication process. The parties are the authentication
center of the SwMI and the MS. The MS is representing the user as defined by
the assigned Individual TETRA Subscriber Identity (ITSI). The SwMI can use a
base station for the authentication process. [9]
In the MS, the authentication key must be protected. A common way to do this is
to force the user of the MS to enter a Personal Identification Number (PIN) before
the authentication key can be used. [9]
ID Description M/O
A shared key shall be used for the
15 M
authentication process.
16 The authentication key shall be protected. M
The authentication key shall be protected by
17 O
a PIN.
The authentication process shall follow the
18 M
behaviour described in EN 300 392-7 [9].
ID Description M/O
It shall only be possible to access a file if its
19 M
access condition has been met.
3.5 Functions
A function is an operation that consists of a command being sent to the smart card
from the terminal. The command then triggers an operation inside the smart
card. The smart card then returns a response consisting of two status words
telling how the operation went and optional data. This section lists the available
commands.
The following functions are described in EN 300 812-3 V2.3.1 [6]:
• SELECT
• STATUS
• READ BINARY
• UPDATE BINARY
• READ RECORD
• UPDATE RECORD
• READ KEY
• SEEK
• VERIFY PIN
• CHANGE PIN
• DISABLE PIN
• ENABLE PIN
• UNBLOCK PIN
• INVALIDATE
• REHABILITATE
• TETRA Authentication Algorithms
– GET RANDOM
– TA11/TA12
– TA21/TA22
– TB4/TE
28 3 Requirements
• OTAR Algorithms
– TA32
– TA41/TA48
– TA41/TA52
– TA71/TE
– TB7/TA52
– TA41/TA92
– TB7/TA52
The requirements on the functions are shown in Table 3.13.
ID Description M/O
Functions handling files shall exist if the
20 M
corresponding file type exist.
21 All PIN functions shall exist. M
The invalidate and rehabilitate function
22 O
shall exist.
23 The authentication functions shall exist. M
24 The OTAR functions shall exist. O
3.5.1 Mapping
Functions are mapped onto Application Protocol Data Units (APDUs) and are
then used by the transmission protocol. An APDU can be a command APDU or
a response APDU. Figure 3.8 shows a command APDU and Figure 3.9 shows a
response APDU. [6]
More about the specific combinations and codes that shall be used can be found
in Section 4.2 and ETSI EN 300 812-3 [6].
More information about file types and what the EFs contain can be found in ETSI
EN 300 812-3 [6].
32 3 Requirements
ID Description M/O
The mandatory EFs given in Table 3.14 shall
25 M
exist.
The optional EFs given in Table 3.14 shall
26 O
exist.
Procedure Mode
General Procedures
Reading an EF ME
Updating an EF ME
Invalidating an EF ME
SIM Management Procedures
SIM initialization ME
TETRA session initialization ME
TETRA session termination ME
Language preference request ME
Administrative information request ME
SIM service table request ME
SIM phase request ME
SIM presence detection ME
PIN Related Procedures
PIN verification MMI
PIN value substitution MMI
PIN disabling MMI
PIN enabling MMI
PIN unblocking MMI
TETRA Security Related Procedures
TETRA algorithms computation NET
TETRA key computation NET
ITSI request NET
ITSI disabling NET
Location Information NET
Broadcast network information NET
3.7 Procedures over the ME/SIM interface 33
Figure 4.1: The file structure showing the DF that is used by the TSIM ap-
plication.
35
36 4 Architecture
The fields in the command APDU have the following meaning: [6]
• CLA: The class of instruction, "A0" for the selected application.
• INS: The instruction code for the specific command.
• P1, P2: Parameters for the instruction, specific use for each instruction.
• Lc: The length of the data in the command APDU.
• DATA: The data that is sent together with the command.
• Le: The expected length of the response, if "00" 256 bytes can be received.
4.2 System Commands 37
The response APDU is shown in Figure 4.3. The fields in the response APDU
have the following meaning: [6]
• DATA: The response data.
• SW1, SW2: Status words to indicate a successful or unsuccessful command,
see Table 4.1.
Table 4.1 shows the coding of the status words SW1 and SW2 that are used with
the response APDU.
Table 4.1: The coding of the status words SW2 and SW1. [6]
SW2 Description
"00" No further information
"82" Security status not satisfied
"83" PIN blocked
"84" Referenced data invalidated
"86" Command not allowed
"89" Device driver inoperable
Table 4.2: The coding of the status word SW2 when SW1 = "69". [6]
SW2 Description
"80" Incorrect parameter in data field
"81" Function code not supported
"82" File not found
"83" Record not found
"86" Incorrect parameter in P1 of P2
"88" Referenced data not found
Table 4.3: The coding of the status word SW2 when SW1 = "6A". [6]
4.3 Authentication 39
4.3 Authentication
Figure 4.4 shows an overview of a mutual authentication between the SIM and
the SwMI. In this process the algorithms TA11, TA12, TA21, TA22, and TB4 are
performed in the SIM on the MS side.
The variables produced during the authentication process are specified in ETSI
EN 300 392-7 [9] and the dimensions are shown in Table 4.4. These dimensions
shall be kept to guarantee compatibility with the standard.
Figure 4.4: Mutual authentication between the SIM and SwMI. [9]
The packages are divided into two groups, application packages and card/devel-
opment packages.
The card/development packages include the Hardware Abstraction Layer (HAL)
package and the Security Layer Package. These packages are parts of the smart
card and the development environment. They handle the on chip security and
the calls to the di↵erent parts of the smart card. These packages can only be
accessed by the OS Package. To use any of the functions that are accessed through
either the HAL packge or the Security Layer Package, the function call must pass
through the OS Package.
The OS Package does not contain an OS, it is just a name for the package con-
taining the functions to be used when using the functionality in the HAL and
Security Layer Packages.
The application packages are described in Section 5.3.
5
Design
This chapter presents the design of the system. The design shall comply with the
architecture described in Chapter 4. The design shall be testable, to provide a
way to verify the requirements given in Chapter 3. The verification is described
in Chapter 6.
Requirements 1 to 3 are covered by the existing ATR in the smart card. For
more information about how the ATR shall be built, see ETSI TS 100 977 [7]
and ISO/IEC 7816-3 [17].
The same situation holds for requirement 21, since the smart card application
has support for two levels of PIN, and the functions VERIFY PIN, CHANGE PIN,
DISABLE PIN, ENABLE PIN and UNBLOCK PIN. For more information about
the PIN see ETSI EN 300 812-3 [6].
41
42 5 Design
Table 5.1: The file structure, shows the hierarchy and the file identifiers.
More information about the content of the files and how the bytes are coded
can be found in ETSI EN 300 812-3 [6]. T = Transparent EF, LF = Linear
fixed EF, C = Cyclic EF. [6]
Table 5.2: The read and update conditions for the files that shall be imple-
mented. [6]
Table 5.3: The command APDU for SELECT, P1 and P2 values depends on
how the SELECT command shall be used see ETSI TS 102 224 [11]. [11]
Description Tag
File descriptor "82"
File identifier "83"
Proprietary information (only for MF) "A5"
Life cycle status integer "8A"
"8B", "8C"
Security attribute
or "AB"
PIN status template DO "C6"
Table 5.5: The order of the response data when SELECT is used on an MF or
a DF. [11]
Description Tag
File descriptor "82"
File identifier "83"
Proprietary information (only for MF) "8A"
Life cycle status integer "8A"
"8B", "8C"
Security attribute
or "AB"
File size "80"
Table 5.6: The order of the response data when SELECT is used on an EF.
[11]
The command reads one complete record in the current linear fixed or cyclic EF.
The function shall only be performed if the read access conditions are satisfied
(see Section 4.1.1). If the operation is unsuccessful, the record pointer shall not
be updated. The input and output are given below: [6]
Mode, record number (for absolute mode) and
• Input from ME:
the length of the record
CURRENT: The current record is read and the record pointer is kept.
ABSOLUTE: The record given by the record number is read, the record pointer
is not a↵ected.
NEXT: The record pointer is incremented and then the record is read. If the
record pointer has not been set, the first record shall be read.
PREVIOUS: The record pointer is decremented before the record is read. If the
record pointer has not been set, the last record shall be read.
The command APDU can be seen in Table 5.11. The response parameters can be
seen in Table 5.13.
Mode P1 P2
CURRENT "00" "04" and P1 set to "00"
ABSOLUTE "00" "02"
NEXT "00" "03"
PREVIOUS Record number "04"
Table 5.12: The P1 and P2 parameters for READ RECORD and UPDATE
RECORD depending on the mode of operation. [6]
5.1.2.6 SEEK
This function searches through the current linear fixed EF to find a record start-
ing with the given pattern and set the record pointer to point on that record.
The SEEK command can only be used when the read access is satisfied (see Sec-
tion 4.1.1). There are two types of SEEK: [6]
Type 1:
• Input from ME: Type and mode, pattern, length of the pattern
• Input from SIM: None
• Output to ME: None
Type 2:
• Input from ME: Type and mode, pattern, length of the pattern
• Input from SIM: None
• Output to ME: Status/Record number
Four modes are defined for SEEK:
5.1 File System 49
Type/Mode P2
Type 1, from the beginning forward "00"
Type 1, from the end and backward "01"
Type 1, from the next location and forward "02"
Type 1, from the previous record and backward "03"
Type 2, from the beginning forward "10"
Type 2, from the end and backward "11"
Type 2, from the next location and forward "12"
Type 2, from the previous record and backward "13"
5.1.2.7 INVALIDATE
This function is used to invalidate the current EF. The function shall only inval-
idate files if the invalidate access condition is satisfied (see Section 5.1.1). An
invalidated file shall not be available in the file system. The SELECT and REHA-
BILITATE commands are the only ones that can be used on an invalidated file.
The input and the output are: [6]
50 5 Design
5.1.2.8 REHABILITATE
This function rehabilitates the invalidated current EF. This function shall only be
performed if the rehabilitate access condition is satisfied (see Section 5.1.1). The
input and the output are: [6]
• Input from ME: None
• Input from SIM: None
• Output to ME: None
The command APDU can be seen in Table 5.21.
5.2 Authentication
The authentication procedure with the network can be divided into a set of com-
mands that the MS send to the SIM. These commands are described in the follow-
ing subsections. They shall only be accessible if a correct PIN has been presented
to the SIM. The APDUs for these commands are the same as described in Sec-
tion 5.1.2.
The access to the algorithms TA11, TA12, TA21, TA22 and TB4 is restricted. The
algorithms used in the functions below are therefore only dummy algorithms and
the only similarity with the real algorithms is the dimension of the variables. The
GET RANDOM function described in Section 5.2.1 is not a dummy algorithm
and can be used with a live system in a real network.
The use of dummy functions, having the correct variable dimension and thereby
the correct interface format, in test situations where the actual algorithm is not
tested. In a live system, the dummy algorithms will be replaced by algorithms
5.2 Authentication 51
integer carry = 0
/ / Add t h e b y t e s c o v e r e d by b o t h a r r a y s
f o r ( i = 0 ; ( i < minLength ) && ( i < sum . Length ) ; i ++)
sum [ i ] = termA [ i ] + termB [ i ] + c a r r y
c a r r y = C a l c u l a t e C a r r y ( c a r r y , termA [ i ] , termB [ i ] )
The dummy algorithm described by Algorithm 5.1 replaces the plus operator in
the equations in the subsections below. The only requirements on the dummy
algorithm described in Algorithm 5.1 was that it should somehow change the
data depending on the input.
As seen in Figure 4.4 the TA11 algorithm has K and RS as input and produces KS.
Inside the TA11 block the dummy algorithm described in (5.1) is performed.
The TA12 algorithm takes KS and RAND1 as input and produces RES1 and
DCK1. The dummy algorithm for producing RES1 can be seen in (5.2) and the
dummy algorithm for DCK1 can be seen in (5.3).
As seen in Figure 4.4, the TA21 algorithm has K and RS as input and produces KS’.
Inside the TA21 block, the dummy algorithm described in (5.4) is performed.
The TA22 algorithm takes KS’ and RAND2 as input and produces XRES2 and
DCK2. The operation for producing XRES2 can be seen in (5.5) and the operation
for DCK2 can be seen in (5.6).
As seen in Figure 4.4, the TB4 algorithm has DCK1 and DCK2 as input and pro-
duces DCK. Inside the TB4 block, the dummy algorithm described in (5.7) is
performed.
This chapter describes how the design in Chapter 5 and the architecture in Chap-
ter 4 are verified to see that the requirements in Chapter 3 are fulfilled. As stated
earlier, testing with a simulated terminal is the only way to verify that the system
works because it cannot yet be tested in a device connected to a real network.
Two di↵erent test methods are used for testing of functionality; unit testing (see
Section 6.2) and card acceptance tests with a real smart card connected to a PC,
simulating MEs from di↵erent manufacturers (see Section 6.3).
Unit testing is used to verify that the code works as expected before programming
the smart card. This makes it easier to debug the code, since once the code is
written to the smart card there is no way to step one line at a time. But the
unit tests cannot simulate the memory handling on the smart card. The MMU
behavior can only be tested correctly by running the code on a smart card.
Req.
Status Comment
no.
Already Fulfilled by the existing ATR in the smart card. Ver-
1 to 3
implemented ified by analyzing the code and the existing tests
57
58 6 Verification
Req.
Status Comment
no.
By analyzing the code, all files were verified to con-
sist of a header and a body when needed. Analysis
Code shows that all files has a unique file ID if they are
4 to 6
analysis placed under the same DF, the file ID consist of two
bytes, and are specified according to the rules given
in Section 3.3
Code Code analysis verifies that all DFs only consist of a
7
analysis header
Code analysis verifies that all EFs consist of both a
Code
8 header and a body. This is also verified by the tests
analysis
for each file type
Verified by testing the functions operating on the
9, 10
Tested files. The tests are described in Section 6.2.1 and
and 12
Section 6.3.1
Not The key EF is not implemented because no manda-
11
implemented tory file is of the key type
Files are verified that they can be selected. Not
enough tests are performed to verify that a file can-
13 Partly tested not be selected from the wrong location. Tests are
not performed to verify that a file cannot be selected
from all other DFs then the direct parent
Code
The file ID are verified by code analysis and the se-
14 analysis and
lection tests are described in Section 6.3.1
test
Code
15 to Verified by code analysis and by running the tests
analysis and
18 described in Section 6.2.2 and Section 6.3.2
tests
19 Tested Verified by the tests described in Section 6.3.2
Verified by checking which file types that exists, and
Analysis and then verifying that the corresponding functions are
20
tested available. The functions are verified in Section 6.2.1
and Section 6.3.1
This functionality already exists in the available
Already
21 smart card. The functionality is not explicitly tested
implemented
but the functions are used during other test cases
Verified by the tests described in Section 6.2.1 and
22 Tested
Section 6.3.1
Verified by the tests described in Section 6.2.2 and
23 Tested
Section 6.3.2
Not
24 The OTAR functionality is not implemented
implemented
6.2.2 Authentication
To verify that the authentication algorithms work as intended the algorithms
were called upon and the result was compared to the expected results given for
each algorithm.
GET RANDOM (Section 5.2.1) is tested by calling the function and reading out
the result RAND2. The result is then tested by Algorithm 6.1. The algorithm
takes an array of bytes and views the data as a matrix, 8 bits wide and length
high, and verifies that each column contains at least one ’0’ and one ’1’.
/ / Check t h e d a t a
f o r ( i = 0 ; i < l e n g t h ; i ++)
mask1 = mask1 | data [ i ] ;
mask2 = mask2 & data [ i ] ;
/ / Does t h e d a t a l o o k random ?
i f ( mask1 != " FF " ) && ( mask2 != " 00 " )
return f a l s e ;
else
return t r u e ;
TA11/TA12 (Section 5.2.2) is tested with the data given in Table 6.2 to verify that
the function works as expected. The result RES1 is returned from the command
and DCK1 is read from the internal storage.
6.2 Unit Test 61
Parameter Content
Input
RAND1 "11 22 33 44 55 66 77 88 99 AA"
RS "FF EE DD CC BB AA 99 88 77 66"
Output
RES1 "10 22 33 44"
DCK1 "10 22 33 44 55 66 77 88 99 AA"
Expected Output
RES1 "10 22 33 44"
DCK1 "10 22 33 44 55 66 77 88 99 AA"
Table 6.2: TA11/TA12 test data, the expected output is generated by running
Algorithm 5.1 by hand.
TA21/TA22 (Section 5.2.3) is tested with the data given in Table 6.3 to verify that
the function works as expected. The result XRES2 is returned from the command
and DCK2 is read from the internal storage.
Parameter Content
Input
RES2 "10 22 33 44"
RS "FF EE DD CC BB AA 99 88 77 66"
RAND2 "11 22 33 44 55 66 77 88 99 AA"
Output
XRES2 "10 22 33 44"
DCK2 "10 22 33 44 55 66 77 88 99 AA"
Expected Output
XRES2 "10 22 33 44"
DCK2 "10 22 33 44 55 66 77 88 99 AA"
Table 6.3: TA21/TA22 test data, the expected output is generated by running
Algorithm 5.1 by hand.
TB4/TE (Section 5.2.4) is tested with the data given in Table 6.4 to verify that the
function works as expected. The result, DCK, is returned from the command.
62 6 Verification
Parameter Content
Input
DCK1 "11 22 33 44 55 66 77 88 99 AA"
DCK2 "FF EE DD CC BB AA 99 88 77 66"
Output
DCK "10 22 33 44 55 66 77 88 99 AA"
Expected Output
DCK "10 22 33 44 55 66 77 88 99 AA"
Table 6.4: TB4/TE test data, the expected output is generated by running
Algorithm 5.1 by hand.
6.3.2 Authentication
To test GET RANDOM, the function is called 1000 times and the values are com-
pared to see that no values are equal. This way the function is proved to give dif-
ferent values. However it is not a proof that the values are random, but enough
for this implementation.
The input used to test TA11/TA12 is described in Table 6.5. In addition to the
input given in Table 6.5, randomly generated input is used as well. To verify that
6.4 Use Cases 63
Parameter Content
Test case 1
RAND1 "11 22 33 44 55 66 77 88 99 AA"
RS "FF EE DD CC BB AA 99 88 77 66"
Test case 2
RAND1 "FF FF FF FF FF FF FF FF FF FF"
RS "FF FF FF FF FF FF FF FF FF FF"
The input used for testing TA21/TA22 is described in Table 6.6. In addition to
the input given in Table 6.6, random input is used as well. To compare the result
the same method as described above for TA11/TA12 is used. When testing the
TA21/TA22 function, GET RANDOM must first be executed to get RAND2.
Parameter Content
Test case 1
RES2 "00 00 00 00"
RS "FF EE DD CC BB AA 99 88 77 66"
Test case 2
RES2 "00 00 00 00"
RS "FF FF FF FF FF FF FF FF FF FF"
When testing TB4/TE, only random input is used to TA11/TA12 and TA21/TA22.
Testing the TB4/TE function, one tests a complete mutual authentication.
7.1 Results
The TSIM standard from ETSI was analysed and a specification of requirements
was written. The requirements are described in Chapter 3. The goals in Sec-
tion 1.2 specify that unclear parts shall be investigated. One unclear part during
the master thesis was if the files for TSIM should be placed under a DF or if a ap-
plication DF should be used. The conclusion was that the files should be placed
in a DF as described in the report. The reason is that the files need to be accessible
from other applications.
From the specification of requirements, a system design consisting of an archi-
tecture and a design was proposed. The system design describes how the TSIM
application should be implemented to fulfill the requirements from ETSI and at
the same time work together with the existing E2EE application. The architecture
is given in Chapter 4 and the design in Chapter 5.
From the system design, the TSIM application was implemented and tested. The
implementation consisted of all files given in the design, as well as all functions
given in the design that did not exist already. The tests were done as described
in Chapter 6. Important to notice about the verifications was that the system
was not tested together with a real network and/or terminal. The system was
only tested through a computer that simulated the behaviour of a terminal. The
reason was, as mentioned, that the terminals existing today in Rakel does not
support the use of a SIM card.
65
66 7 Conclusions
7.2 Conclusions
From the results described above, an important conclusion from this master the-
sis is that it is possible to combine an E2EE application and a TSIM application
on a smart card. This solution is not limited to an E2EE application. It should
be possible to integrate any application together with a TSIM application and
get a smart card with dual functionality. However, the TSIM is not implemented
as a separate application, instead the TSIM functions and files shall be accessi-
ble from the already existing application(s). The reason why this is done is that
the TSIM files and functions needs to be accessed continuously while the E2EE
application is running.
A simplification that has been made is that the authentication algorithms for the
authentication with the SwMI are replaced by dummy algorithms. This simplifi-
cation has been done because the access to the real algorithms is limited by ETSI
and is only handed to those operating in a real network. Even if this simplifica-
tion has been done, the variables and data sent to and from the command have
been kept according to the standard. So if the system shall be used only the
algorithms themselves need to be replaced.
All files implemented need to be filled up with the correct (operator dependent)
data. This is something that is not relevant for testing the functionality in a
simulated environment, if it shall be tested in a live network this data must be
correct. This stage is part of the smart card manufacturing and personalization.
67
68 Bibliography
[10] ETSI. EN 300 396-6 V1.4.1 (2010-07). European norm, ETSI, 2010. [online]
Available at: <http://www.etsi.org/> [Accessed 7 February 2012]. Cited on
pages 24 and 25.
[11] ETSI. TS 102 221 V10.0.0 (2011-12). Technical specification, ETSI, 2011.
[online] Available at: <http://www.etsi.org/> [Accessed 23 January 2012].
Cited on pages 44 and 45.
[12] Bill Holcombe. Government smart card handbook. Technical report, GSA
(U.S. General Service Administration), February 2004. [online] Available at:
<http://www.smartcardalliance.org/resources/pdf/smartcardhandbook.pdf>
[Accessed 26 January 2012]. Cited on pages 9, 10, and 11.
[13] M G Limaye. Software Testing. Tata McGraw-Hill, 2009. ISBN 978-0-07-
013990-9. Cited on pages 51 and 59.
[14] MSDN (Microsoft Developer Network). Unit Testing. [on-
line], 2012. Available at: <http://msdn.microsoft.com/en-
us/library/aa292197(v=vs.71).aspx> [Accessed 21 Mars 2012]. Cited
on page 59.
[15] Peter Nyman and Jerry Falkcrona. System Specification Tetra E2EE smart card.
System specification, February 17 2012. Y-SC-11.163.0.3. Note: Company
Confidential. Cited on page 13.
[16] Peter Nyman, Jerry Falkcrona, and Johan Hedström. Product description –
Tetra E2EE smart card v2.0 full feature. Product description, February 16
2012. SC-10.705.4.0. Note: Company Confidential. Cited on page 12.
[17] SS-ISO/IEC. 7816-3:2007 (2007-07-13). Swedish standard, SS-ISO/IEC,
2007. Cited on pages 16, 18, and 41.
[18] Wikipedia. Terrestrial Trunked Radio. [online], January 18 2012. Available at:
<http://en.wikipedia.org/wiki/TETRA> [Accessed 23 January 2012]. Cited
on pages 7 and 8.
Upphovsrätt
Detta dokument hålls tillgängligt på Internet — eller dess framtida ersättare —
under 25 år från publiceringsdatum under förutsättning att inga extraordinära
omständigheter uppstår.
Tillgång till dokumentet innebär tillstånd för var och en att läsa, ladda ner, skri-
va ut enstaka kopior för enskilt bruk och att använda det oförändrat för icke-
kommersiell forskning och för undervisning. Överföring av upphovsrätten vid
en senare tidpunkt kan inte upphäva detta tillstånd. All annan användning av
dokumentet kräver upphovsmannens medgivande. För att garantera äktheten,
säkerheten och tillgängligheten finns det lösningar av teknisk och administrativ
art.
Upphovsmannens ideella rätt innefattar rätt att bli nämnd som upphovsman i
den omfattning som god sed kräver vid användning av dokumentet på ovan be-
skrivna sätt samt skydd mot att dokumentet ändras eller presenteras i sådan form
eller i sådant sammanhang som är kränkande för upphovsmannens litterära eller
konstnärliga anseende eller egenart.
För ytterligare information om Linköping University Electronic Press se förlagets
hemsida http://www.ep.liu.se/
Copyright
The publishers will keep this document online on the Internet — or its possi-
ble replacement — for a period of 25 years from the date of publication barring
exceptional circumstances.
The online availability of the document implies a permanent permission for any-
one to read, to download, to print out single copies for his/her own use and to use
it unchanged for any non-commercial research and educational purpose. Subse-
quent transfers of copyright cannot revoke this permission. All other uses of the
document are conditional on the consent of the copyright owner. The publisher
has taken technical and administrative measures to assure authenticity, security
and accessibility.
According to intellectual property law the author has the right to be mentioned
when his/her work is accessed as described above and to be protected against
infringement.
For additional information about the Linköping University Electronic Press and
its procedures for publication and for assurance of document integrity, please
refer to its www home page: http://www.ep.liu.se/
© Jonas Olofsson