Encryption - Michigan · •AES (Advanced Encryption Standard) Federal grade encryption that can be loaded with Keyloader or software (in some radios). ADP encryption • “Free”

Encryption

Todd Velderman

MPSCS

Encryption history on the MPSCS

• 1996-2012 14 Keys added

February 11-14, 2020 2

• 2013-2020 83 Keys added

• ADP – 28 Keys• DES-OFB – 47 Keys• AES – 20 Keys• UKEK – 2 Keys

Total Keys – 97

Reasons for Encryption• To ensure transmissions are accessed only by

authorized personnel.

February 11-14, 2020 3

• Keep your traffic off scanners!

• To keep private and confidential information secure.

February 11-14, 2020 4

Reasons for not using Encryption• Do not use encryption if an agency is using

your talkgroups but does not have encryption in their radios.– Must use the lowest level of encryption to

maintain interoperability.

February 11-14, 2020 5

• Certain talkgroups can not be encrypted. County Com, certain event talkgroups, interop talkgroups.

Types of Encryption

• ADP (Advanced Digital Privacy)/ARC4 Low level software based encryption. Usually loaded in template but can be loaded with keyloader.

February 11-14, 2020 6

• DES-OFB (Digital Encryption Standard Output Feed Back) Mid Level encryption that is usually loaded with keyloader but can be loaded with software.

• AES (Advanced Encryption Standard) Federal grade encryption that can be loaded with Keyloader or software (in some radios).

ADP encryption• “Free” encryption that comes with all APX radios.

– May need to be removed for certain Federal grants

February 11-14, 2020 7

• Least secure of all encryption types.

• Not P25 Compliant

• Compatible with ARC4 encryption in other radios.• Basically only good for keeping radio traffic off scanners.

• Key can not be read from radio but can be seen in the template that was sent from the State.

• Not compatible with OTAR

DES-OFB Encryption• Mid tier encryption that is widely in use on the MPSCS.

February 11-14, 2020 8

• Was a P25 standard until May 2005

• Used in the event zones I and J (selectable)

• Needed to maintain compatibility with older radios.

AES Encryption• High tier encryption

February 11-14, 2020 9

• Not many agencies on the MPSCS use this

• Federal standard used by all federal agencies

• Currently the P25 standard

What makes up encryption

• Three different parts to encryption

• CKR (SLN)

• Key Data

• Key ID

February 11-14, 2020 10

CKR/SLN

• CKR – Common Key Reference

• SLN – Storage Location Number

February 11-14, 2020 11

• Used as a reference between the template in the

radio and the keyloader.

• Can be different between radios but needs to be

the same between the keyloader and template

when keyloading.

• Single key radios can have encryption but no CKR

Key Data• A string of digits that is saved on a keyloader and loaded into

the radios

February 11-14, 2020 12

• Can very in length from 10 characters to 64 characters depending on the type of algorithm that is used.

Key data as typed into keyloader

ADP – 0123456789

DES-OFB – 0123456789ABCDEF

AES -0123456789ABCDEF0123456789ABCDEF012345678

9ABCDEF0123456789ABCDEF

KEY ID’s• Four-digit code (hex) that is used to transmit what

key is used across the system.

February 11-14, 2020 13

• Must be the same in both transmitting and

receiving unit to decode traffic

• Can not have the same KID’s in the same

keyloader.

Examples of using encryption

February 11-14, 2020 14

CKR Key Data Key ID CKR Key Data Key ID

123 123456 0001 456 123456 0001

123 123456 0001 123 123456 0002

Transmit Receive

StrappingUsed to tell the radio how to transmit encryption.

February 11-14, 2020 15

• Clear – will only transmit clear traffic. Can not be changed to encrypted.

• Selectable – Can be selected for either clear or encrypted traffic. Changed with either a button or switch.

• Strapped – Will only transmit encrypted traffic. Can not be changed to clear.

Receiving Encrypted Traffic• Encryption is a transmit feature so

you can’t turn it on or off for receiving encrypted traffic. It must be turned on when you transmit.

• Most radios will decrypt encryption even if it is turned off**.

• Can see if the traffic is encrypted by the ᴓ on the display that will flash when receiving encrypted traffic.

February 11-14, 2020 16

KVL Keyloader

• A device that stores keys and manually loads them into a unit when encryption is needed.

February 11-14, 2020 17

• Can be used to keyload both Radios and Consoles

• Used for OTAR store and forward function

• Used to add encryption algorithm to radios

Adding encryption to radios• In older radios encryption was added by manually

installing an encryption module

February 11-14, 2020 18

• In newer radios encryption is added with a

software upgrade.

• Motorola APX radio need to be upgraded using a

KVL.

Software vs Hardware Keys• Software Keys

• Manually typed into the codeplug and then programmed into the radio.

• Must know the key data in order to load it and is less secure.

• Code may be seen in the codeplug in some radios.

February 11-14, 2020 19

• Hardware Keys• Must be loaded with a keyloader. • The key data is not known and more secure• In certain radios you can not have both hardware and

software keys at the same time. You must convert the software to a hardware key and load with a keyloader.

OTAR – Over the Air Rekeying

• Radios can be rekeyed thru the radio system without using a keyloader

February 11-14, 2020 20

• MPSCS has a KMF (Key Management Facility) located in a secure location that can be used to rekey radios over the system.

• Radios must be provision with the OTAR and Data options for it to work properly.

• Require a store and forward process using a KVL before the radios can use the OTAR function.

Single Key/ Multi Key• Single Key – Can have only one key in the

radio at a time. • You can have multiple algorithms (ADP, AES) but

only one key.

February 11-14, 2020 21

• Multi Key – Can have multiple keys from multiple algorithms.• OTAR radios come with multikey.

Supergroup Key (CKR 1)

• When a patch or multi select is created in the console a supergroup is created**. This allows multiple talkgroups that may have different encryption in them to be used as a single resource in the system. Because multiple keys may be used it uses a supergroup key instead. This key must also be loaded in the radios for the encryption to work.

February 11-14, 2020 22

Patch/Failsoft/Private Call Keys• This setting in the codeplug tells the radio what key to use

during certain events. Only one key can be selected for each event and is applied on a radio wide basis

February 11-14, 2020 23

• If you have the wrong key for the event then you will not be heard on the other end.

• There is no notification that you are using the wrong key.

How to get Encryption on the system

• Several things to consider when adding encryption to your radios.

– What level of encryption to use

– What talkgroups would use encryption

– What other agencies use your encrypted talkgroups.

– Contact MPSCS radio programming unit for setup.

• Coordinate existing keys

• Setup of new keys

• Template layout

• Key managementFebruary 11-14, 2020 24

Conclusion

• To maintain interoperability you must coordinate with all agencies that are using the talkgroups that are encrypted.

February 11-14, 2020 25

• It is possible to be too secure.

Questions?

February 11-14, 2020 26

Thank You!Todd Velderman

Office – 517-284-4096

Cell – 517-898-1879

[email protected]

February 11-14, 2020 27