SLN/CKR, Key management in large fleets/networks

This forum is dedicated to discussions pertaining specifically to the Motorola ASTRO line of radios (those that use VSELP/IMBE/AMBE), including using digital modulation, digital programming, FlashPort upgrades, etc. If you have general questions please use the General or Programming forums.

Moderator: Queue Moderator

Post Reply
User avatar
sethcwilliams
Posts: 57
Joined: Wed May 14, 2008 3:25 am
What radios do you own?: Moto, Harris, GD, Raytheon

SLN/CKR, Key management in large fleets/networks

Post by sethcwilliams »

At the suggestion (appropriately I think) of one of our admins, I'm creating a new thread to continue a conversation that had gone waaaaay off topic. OP's problem had been resolved, but the topic carried on digging deeper into key management. Here's the original text as it pertains to this topic in it's current form:
radioinstl wrote:Not to hijack the tread, but to add on to it since someone will ask sooner or later and since we are seeing more and more non Motorola radio with DES and AES out there.

ASN mode = Motorola's own mode for loading radios
PID - Physical ID management - 3011xX and KVL-3000 or KVL3000+ ASN mode - ("slot 0, 1, 2....") - (L.I.D. FFFF, key data ABC123.........)
ASTRO mode = P25 Keyload mode. This is standard for all radios that are P25 of any brand
CKR - Common Key Reference management - KVL-3000 and KVL-3000+ ASTRO25 mode - (CKR00001, CKR00002,......) - (K.I.D. FFFF, key data ABC123......)

CKR (Motorola) = SLN ( P25 standard name)

MattSR wrote:radioinstl wrote:
CKR (Motorola) = SLN ( P25 standard name)

This isn't strictly true either but its close. A CKR is the 12 least significant bits of the true P25 SLN which is a 16 bit number that contains with info thats not within the scope of this thread..

sethcwilliams wrote:To break down MattSR's post a little further, here's a quote from the thread I linked to earlier:

515 wrote:
I believe CKR key managment is required for OTAR systems, and can be useful for people managing keys for large fleets of radios. With CKR, instead of the multikey radio having key slots numbered 1-16, the slots can have numbers of 1-4095 & 61440-65535. I think this would be useful for large fleets of secure radios, where hundreds of keys are in service, but each radio only needs a few keys.


And here's the math:

CKR - 12 LSB (least significant bits) - 111111111111 binary = 4095 decimal or 1-4095
SLN - 16 bits - 1111111111111111 binary = 65535 decimal or 61440-65535

You'll notice that the bottom and top end of SLN (61440-65535) are 4095 apart.

(SLAP IN THE FACE) I'm back on topic.....
Wazzzzz..... glad you worked it out!

MattSR wrote:Bonus points to anyone that can explain what the 4 most significant bits of the SLN are used for...

sethcwilliams wrote:This is a complete guess, I'm not running OTAR so I have no practical knowledge. Only what I've read and experimented with.

Looks like SLN and CKR are interchangeable terms in practical application. There are two identifier ranges, 1-4095 and 61440-65535. 1-4095, 12 bit binary, is used to catalog TEKs (traffic encryption keys used to encrypt the payload). 61440-65535, 16 bit binary, is used to catalog KEKs (key encryption keys used to encrypt the key exchange during rekey operation). I assume that the first four bits of the 16 bit identifier are always on (1's) which is why the range starts at 61440 (= 1111000000000000 binary). Reaching even further into la-la land, that may be done to denote the difference and pair the TEKs with the KEKs that secure them during the key transfer. The first four bits always on, the last 12 varying along with the TEK identifier used (TEK 1 with KEK 61441, TEK 4095 with KEK 65535). // EDIT - 22MAY09 1039Z // OR, just adding a HEX "F" in front of the TEK identifier to denote the KEK would be another way to describe it. // EDIT - 22MAY09 1039Z // Am I close, or just crazy?

radioinstl wrote:And here's the math:

CKR - 12 LSB (least significant bits) - 111111111111 binary = 4095 decimal or 1-4095
SLN - 16 bits - 1111111111111111 binary = 65535 decimal or 61440-65535

You'll notice that the bottom and top end of SLN (61440-65535) are 4095 apart.

I do not belive this is correct per the P25 standard. Does anyone have any documentation to back up the above?

There are 16 Crypto-groups each with 4096 SLN's
Crypto-Group 0 SLN 1-4095
Crypto-Group 1 SLN 4096-8191
Crypto-Group 2 SLN 8192-12287
Crypto-Group 3 SLN 12288-16383
Crypto-Group 4 SLN 16384-20479
Crypto-Group 5 SLN 20480-24575
Crypto-Group 6 SLN 24576-28671
Crypto-Group 7 SLN 28672-32767
Crypto-Group 8 SLN 32768-36863
Crypto-Group 9 SLN 36864-40959
Crypto-Group A SLN 40960-45055
Crypto-Group B SLN 45056-49151
Crypto-Group C SLN 49152-53247
Crypto-Group D SLN 53248-57343
Crypto-Group E SLN 57344-61439
Crypto-Group F SLN 61440-65535

Now Motorola has always used Crypto-group 1 for TEKs and Crypto-group F (16) for KEKs but you are not limited to those 2 groups

sethcwilliams wrote:Good call, brother. Like I said, I'm just guessing. What you just wrote is a few chapters more than I knew before I read it. (that's not saying much ) So those first four bits do change, and they're there to identify crypto groups?

wowbagger wrote:Well, at the protocol level, it works like this:

During the Header Data unit (which is sent once at the start of the call), and in the Logical Data Unit 2 (which is one of the frame types that carries voice data) the transmitter sends the data needed to track encryption. Among the data transmitted are the algorithm ID and the key ID to be used.

The receiver is supposed to use that <ALGID/KEYID> pair to locate the encryption key for that algorithm, and use that to decode the data.

The ALGID is an 8 bit value, the KEYID is a 16 bit value. So in theory the system can use up to 65536 keys for EACH algorithm supported by the radio. However, whether a given radio can handle the same KID for different ALGIDs is up in the air.

MattSR wrote:Wowbagger wrote:
However, whether a given radio can handle the same KID for different ALGIDs is up in the air.

Motorolas dont seem to have a problem with this

MattSR wrote:My sincerest apologies to the original poster for dragging this way off topic, but here is the original Motorola document that explains the relationship between crypto groups, keysets and SLNs.

If you have a bit of nous you will see how CKR fits in and how its different to a SLN.

http://priorartdatabase.com/IPCOM/000008997/

sethcwilliams wrote:My apologies as well, Wazzzz.... If we keep this up, the Admin/Mod team may have to rename the thread.

MattSR, the more digging around I do, I'm starting to think Radioinstl was right in the first place. I ended up on the National Institute of Standards and Technologies and a few other .gov sites, most of them referring to various FIPS standards. Even some of Motorola's own documentation states that SLN and CKR are interchangeable terms. The document you linked to earlier was published in 1999, and only references 12 bits total (4 for the crypto-group, 8 for the keyset ID) even when referring to the APCO 25 standard. Is it possible that APCO25 had a revision between then and now that extended what we now know as SLN/CKR to 16 bits total (4 crypto-group, 12 keyset ID)? Thanks for making me study up, man!

akardam wrote:I'd suggest you guys start a specific CKR/SLN thread, post this info (and anything else you might have), and continue the discussion there. We'll leave this thread as is so that context is preserved, and since the OP's issue has been solved, this thread will be closed.

I hope somebody has some more info to add. The more questions I ask, the more questions I end up having..... which isn't a bad thing.
Semper Fi,
BONZ

Not a Motorola Guy, but I play one throughout the week....
radioinstl
Posts: 354
Joined: Tue Feb 11, 2003 1:07 pm
What radios do you own?: Liberty MBITR APX7000 75000

Re: SLN/CKR, Key management in large fleets/networks

Post by radioinstl »

Is it possible that APCO25 had a revision between then and now that extended what we now know as SLN/CKR to 16 bits total (4 crypto-group, 12 keyset ID)?

I will check at work tomorrow, one of our engineers is the new chairman of the TIA encryption committee.
MattSR
Posts: 770
Joined: Mon Apr 21, 2003 10:00 pm

Re: SLN/CKR, Key management in large fleets/networks

Post by MattSR »

Hi mods,

Can I make a suggestion that since this thread purely relates to P25, that it be moved to the ASTRO forums please :)

regards,
Matt
User avatar
alex
Administrator
Posts: 5761
Joined: Mon Sep 03, 2001 4:00 pm

Re: SLN/CKR, Key management in large fleets/networks

Post by alex »

Done.
The Radio Information Board: http://www.radioinfoboard.com
Your source for information on: Harris/Ma-Comm/EFJ/RELM/Kenwood/ICOM/Thales, equipment.
MattSR
Posts: 770
Joined: Mon Apr 21, 2003 10:00 pm

Re: SLN/CKR, Key management in large fleets/networks

Post by MattSR »

Is it possible that APCO25 had a revision between then and now that extended what we now know as SLN/CKR to 16 bits total (4 crypto-group, 12 keyset ID)?
I've done some homework - It appears to have always been 16 bits. Motorola just decided to hide the 4 MSB's, and in turn defined Crypto Group 1 for TEKs and CG 16 for KEKs to take some of the brain work out of it. Motorolas help file from the ASTRO25 CPS confirms that CKR is only 12 bits wide - but the SLN field when transmitted over the air is definitely 16 bits.
CPS Help wrote:CKR Number - Minimum = 00001 Maximum = 04095
Cheers,
Matt
Post Reply

Return to “Legacy Batboard Motorola ASTRO (VSELP/IMBE/AMBE) Equipment Forum”