
Zeroizing trunking authentication keys in APX subscribers

Posted: Tue Oct 10, 2017 7:49 am
by motorola_otaku
Anyone know of a way to do this? Reloading a blank default codeplug won't do it, and the erase key options (menu-driven or purple+orange buttons on a portable) only zeroize traffic keys.

Re: Zeroizing trunking authentication keys in APX subscribers

Posted: Tue Oct 10, 2017 12:26 pm
by resqguy911
Use a KVL to zeroize, or uncheck both infinite UKEK retention and infinite key retention.

Re: Zeroizing trunking authentication keys in APX subscribers

Posted: Tue Oct 10, 2017 1:59 pm
by motorola_otaku
There is no zeroize option in Radio Authentication mode, and infinite key retention only applies to traffic keys.

I'm beginning to think it's not possible, at least not without depot-level trickery.

Re: Zeroizing trunking authentication keys in APX subscribers

Posted: Tue Oct 10, 2017 2:31 pm
by MattSR
It's strange that the KVL4000 doesn't have a delete option when in Authentication mode, as the P25 specs definitely have "Delete Authentication Command/Response" KMMs defined. The KMM has two options - delete all authentication keys or just the active key. There are KMM message IDs defined for Load Auth Key Command, Load Auth Key Response, Delete Auth Key Command, Delete Auth Key Response.

When I get a chance I'll see if this KMM actually works on a real radio and get back to you. Either way it is an oversight in the KVL4000's design, and the functionality should definitely be there.

Ref - Section 3.9.2.27 of TIA 102.AACD-A

Re: Zeroizing trunking authentication keys in APX subscribers

Posted: Sat Oct 14, 2017 12:20 pm
by chartofmaryland
Well, there are 2 options.

You can backdate the firmware to version 9 or 10, where after you turn power on and off to the radio about a dozen times the authentication key will be dropped automatically; it must have been a customer feature request.

Or you can overwrite with a useless key for the purpose of not having the key in the radio that was sent to the auth server.

Never heard a reason beyond wanting extra protection that would require zeroizing the auth key.

CoM

Re: Zeroizing trunking authentication keys in APX subscribers

Posted: Mon Oct 16, 2017 7:57 am
by motorola_otaku
chartofmaryland wrote: Never heard a reason beyond wanting extra protection that would require zeroizing the auth key.

In this particular instance it was to verify that the system was actually challenging subscribers for authentication after a 7.17 upgrade, but it could (will) become an issue when we start sending radios to surplus.

Re: Zeroizing trunking authentication keys in APX subscribers

Posted: Mon Oct 16, 2017 9:43 am
by chartofmaryland
Well, if that is what you were after:

We scheduled a service window and went from limited to restricted with the auth server, which then only allowed auth'ed radios to continue operating.

The same process of using a dummy key to overwrite current keys was used to confirm radios on and off the system while authentication only was enforced.

CoM

Re: Zeroizing trunking authentication keys in APX subscribers

Posted: Mon Oct 23, 2017 8:38 am
by motorola_otaku
We operate in restricted/forced full-time. We specifically wanted to see the difference in behavior and notification between a radio that had a mismatched key and a radio that had no key at all (there is no system notification for a radio attempting affiliation with no key, which was elevated to the infrastructure group.)

Re: Zeroizing trunking authentication keys in APX subscribers

Posted: Mon Oct 23, 2017 2:07 pm
by chartofmaryland
Afternoon Otaku,

Interesting, we experience SYS REG REFUSED when a new radio is programmed and attempting to affiliate while the system is restricted and no auth key is present but ID is turned on.

APX6000, APX8000 and APX7000, firmware 15.13 thru 16.23.

Now on XTS and XTL models I believe the radio just sits idle without any display notification.

Will check that in the coming days.

CoM

Re: Zeroizing trunking authentication keys in APX subscribers

Posted: Tue Oct 24, 2017 9:14 am
by motorola_otaku
Sorry, should've clarified... the radio will alert and display when authentication fails (if programmed to do so) but UEM will only generate a notification when a radio attempts authentication with a mismatched key, not with no key at all.