CKR/ASN/Multikey and keyloading
Moderator: Queue Moderator
- 
				wb4bsd
- Batboard $upporter
- Posts: 255
- Joined: Fri Mar 14, 2003 10:07 am
- What radios do you own?: XTS5000v, XTS3000v, XTS2500
CKR/ASN/Multikey and keyloading
I have an xts3000R with DES-XL/OFB.  My KVL is the KVL-3000+ loaded with des-xl and OFB.  
I can load my XTS from the ASN mode but not the Astro 25 mode. So i cant get xl or ofb into my radio because ASN is for DES only.
Now on the Astro Spectra's that i have, i MUST use the Astro 25 mode to load them, even though we dont use XL or OFB here and we are analog, not digi.
Can anyone help me figure out why i can load my astro portable from the astro mode?????
			
			
									
									I can load my XTS from the ASN mode but not the Astro 25 mode. So i cant get xl or ofb into my radio because ASN is for DES only.
Now on the Astro Spectra's that i have, i MUST use the Astro 25 mode to load them, even though we dont use XL or OFB here and we are analog, not digi.
Can anyone help me figure out why i can load my astro portable from the astro mode?????
Rusty
(I no longer have nextel. I now have an iPhone)
						(I no longer have nextel. I now have an iPhone)
Ok, I am having a brain fart here. What is the ASN mode?
From everything that I have used, if you are loading keys in, it shouldn't matter what mode you are in.
One thing that I have ran across is the secure screens in RSS/CPS. If you have certain things enabled/disabled it won't let you load the proper key(s).
An addition, certain options enabled/disabled in the personality screens may not let you do certain secure features (and is really annoying!)
For instance, I cannot set a conventional channel to TX Astro, RX mixed without the DES-XL checkbox enabled and greyed out. We use DVP-XL and the radio will not unmute.
			
			
									
									From everything that I have used, if you are loading keys in, it shouldn't matter what mode you are in.
One thing that I have ran across is the secure screens in RSS/CPS. If you have certain things enabled/disabled it won't let you load the proper key(s).
An addition, certain options enabled/disabled in the personality screens may not let you do certain secure features (and is really annoying!)
For instance, I cannot set a conventional channel to TX Astro, RX mixed without the DES-XL checkbox enabled and greyed out. We use DVP-XL and the radio will not unmute.
Lowband radio. The original and non-complicated wide area interoperable communications system

						
- 
				wb4bsd
- Batboard $upporter
- Posts: 255
- Joined: Fri Mar 14, 2003 10:07 am
- What radios do you own?: XTS5000v, XTS3000v, XTS2500
ASN = Advanced SECURENET
Its just odd that my Astro Sepctras that arent even flashed with CAI will not load up in ASN mode. I have to switch to Astro Mode to load them, but my xts is just the opposite.
And its my understanding that as long as the encryption is turned on in RSS/CPS the radio should accecpt all keys and then the algorythm be turned on on a personality by personality basis and not radio wide.
Did that make any sense??
			
			
									
									Its just odd that my Astro Sepctras that arent even flashed with CAI will not load up in ASN mode. I have to switch to Astro Mode to load them, but my xts is just the opposite.
And its my understanding that as long as the encryption is turned on in RSS/CPS the radio should accecpt all keys and then the algorythm be turned on on a personality by personality basis and not radio wide.
Did that make any sense??

Rusty
(I no longer have nextel. I now have an iPhone)
						(I no longer have nextel. I now have an iPhone)
I am at this moment pulling my hair out over similar secure issues.
Motorola does not document these things very well - or if they do have a document that completely explains secure - I have not found it.
One issue I found was that you could load a single key capable radio with the KVL3000 Plus in either ASN mode or Astro25 mode. When I tried to keyload a multi-key capable radio it would only take keys in Astro25 mode, not in ASN mode.
To fix that [with CPS] from the tree view go to:
Radio Configuration > Secure > Secure configuration > Multi-key options
You will see two boxes. By default there is check mark on the CKR Key Management box. You need to also check the other box: PID Key Management Mode.
CKR = Common Key Reference [an Astro25 term]
PID = Physical I D [an ASN term]
Between the PID's, the KID's, the LID's and the corresponding key locations and names in the radio [which are offset by one, i.e. key number one is physical key location zero] it becomes very confusing.
Add to that the issues with the fixed end. Some types of conversations [e.g. talkgroup] can be programmed in the Zone Manager to use a specific secure key [in the DIU's]
Other call types are HARD CODED to use specific physical key locations.
If anybody has completely mastered this let me know [are you looking for a job???]
			
			
									
									
						Motorola does not document these things very well - or if they do have a document that completely explains secure - I have not found it.
One issue I found was that you could load a single key capable radio with the KVL3000 Plus in either ASN mode or Astro25 mode. When I tried to keyload a multi-key capable radio it would only take keys in Astro25 mode, not in ASN mode.
To fix that [with CPS] from the tree view go to:
Radio Configuration > Secure > Secure configuration > Multi-key options
You will see two boxes. By default there is check mark on the CKR Key Management box. You need to also check the other box: PID Key Management Mode.
CKR = Common Key Reference [an Astro25 term]
PID = Physical I D [an ASN term]
Between the PID's, the KID's, the LID's and the corresponding key locations and names in the radio [which are offset by one, i.e. key number one is physical key location zero] it becomes very confusing.
Add to that the issues with the fixed end. Some types of conversations [e.g. talkgroup] can be programmed in the Zone Manager to use a specific secure key [in the DIU's]
Other call types are HARD CODED to use specific physical key locations.
If anybody has completely mastered this let me know [are you looking for a job???]
XMO: That was a brain block of mine today. I had to wrestle with the same thing, using two keys (one ea per town).
That was definatly not the most perfect way to do things, especially when you have 150 channels to deal with.
			
			
									
									That was definatly not the most perfect way to do things, especially when you have 150 channels to deal with.
Lowband radio. The original and non-complicated wide area interoperable communications system

						
..
even the KVL 3000 manual sucks.
nothing i have ever read explains the relationship between the keyloader "slots" and the multi-key / multi-encryption algorithm modules.
with OFB / XL, realize that these two use the same key - i.e. the same key can be used to transmit XL or OFB (and the same loader for that matter)
what i have NOT figured out is say you have a DVP-XL / DES-XL module.
how the hell do you make the distinction in the radio as to what keys / slots go to which algo.
confusing as hell. luckily, for my uses, we just use a single key for OFB and DES-XL... so we're lucky.
doug
			
			
									
									nothing i have ever read explains the relationship between the keyloader "slots" and the multi-key / multi-encryption algorithm modules.
with OFB / XL, realize that these two use the same key - i.e. the same key can be used to transmit XL or OFB (and the same loader for that matter)
what i have NOT figured out is say you have a DVP-XL / DES-XL module.
how the hell do you make the distinction in the radio as to what keys / slots go to which algo.
confusing as hell. luckily, for my uses, we just use a single key for OFB and DES-XL... so we're lucky.
doug
BRAVO MIKE JULIET ALPHA
"You can do whatever you want, there are just consequences..."
IF SOMEONE PM'S YOU - HAVE THE COURTESY TO REPLY.
						"You can do whatever you want, there are just consequences..."
IF SOMEONE PM'S YOU - HAVE THE COURTESY TO REPLY.
- 
				wb4bsd
- Batboard $upporter
- Posts: 255
- Joined: Fri Mar 14, 2003 10:07 am
- What radios do you own?: XTS5000v, XTS3000v, XTS2500
Doug,
Do you load the xl/ofb from the ASN mode or the Astro Mode on your KVL3000+? The engineers at the big M told me that my sabers must be loaded from the ASN mode and my astro spectra from the Astro 25 mode. But my xts will not talk to the KVL in the astro 25 mode. And the only algorythm available in ASN mode for me is DES. The astro 25 mode has the option of loading the radio with an XL key or an OFB key, but my radio will not talk to the loader.
M really needs to put out some more documentation on multikey and other hardware items (i.e. KVL3000+).
			
			
									
									Do you load the xl/ofb from the ASN mode or the Astro Mode on your KVL3000+? The engineers at the big M told me that my sabers must be loaded from the ASN mode and my astro spectra from the Astro 25 mode. But my xts will not talk to the KVL in the astro 25 mode. And the only algorythm available in ASN mode for me is DES. The astro 25 mode has the option of loading the radio with an XL key or an OFB key, but my radio will not talk to the loader.
M really needs to put out some more documentation on multikey and other hardware items (i.e. KVL3000+).
Rusty
(I no longer have nextel. I now have an iPhone)
						(I no longer have nextel. I now have an iPhone)
I have a lot of the same questions everyone here does, but I can add this:
My Astro Saber has very new host/DSP software, but an older DES-XL/DES-OFB module in it (EMC 2.12).
I have to load my radio with a KVL3000 using ASN mode. Because my encryption module is so old, if I try and enable CKR key mangement in the CPS, the radio will display "EMC TOO OLD" (or something to that effect), and encryption will not function. The "ASTRO 25" KVL mode should only keyload your radio if your radio is programmed to use CKR key management.
The only algorithim type available on my KVL3000 in ASN mode is DES, and it keyloads my DES-XL or DES-OFB keys just fine.
If your encryption module is new enough (not sure what the version needs to be), you should be able to set your XTS/Astro Saber to CKR key management in the CPS, and then load using the "ASTRO 25" KVL3000 mode.
If you are forced to use ASN/PID mode, you can still talk to encrypted radios that use CKR as long as the Key ID's match. In either mode (ASTRO 25 or ASN) on the KVL, you should be prompted for a KID in ASTRO 25 mode, or a LID in ASN mode, which is a four-digit hex number in either case. As long as you use the same number and same key data, a CKR radio should talk to a PID radio.
The KID/LID value is transmitted over the air during every DES-OFB transmission. The receiving radio looks at this value and checks to see if it has a match with any one of its keys. If so, it will decrypt the transmission. If no match is found, the radio will stay muted. Of course it is posssible to have two different keys with the same Key ID. In this case the radio will attempt to decrypt, but you would hear the "squawking" sound, and no intelligible audio. The KID/LID is basically how the radio can tell whether it should try to decrypt a transmission...
For DES-XL, I believe the process is similar, but the KID is transmitted with MDC1200, and only at the beginning of the transmission (if enabled in the RSS/CPS).
Below is my speculation on the uses/pros/cons of CKR and PID key managment (so some of it may be wrong or incomplete):
I believe CKR key managment is required for OTAR systems, and can be useful for people managing keys for large fleets of radios. With CKR, instead of the multikey radio having key slots numbered 1-16, the slots can have numbers of 1-4095 & 61440-65535. I think this would be useful for large fleets of secure radios, where hundreds of keys are in service, but each radio only needs a few keys.
Say a small group of radios used one encryption key, but needed that key changed every week via OTAR. The key manager would assign this group a CKR value, say 2000, and load the radios with a key and associated KID, say 6F2D. Every week, the OTAR system would rekey the radios. Before an OTAR exchange could take place, the radio would make sure it had a slot marked for the CKR 2000 key. If so, the OTAR system would send the new key and KID to the radio. So now the radio would have the new key and KID, say 24C2, in the CKR 2000 slot. Basically, the CKR value of 2000 stays the same, while the key and key ID change every week. If the radio wanted to request a rekey from the OTAR system, of course it wouldn't know what the new KID would be, so it would have to request using the CKR value.
I believe the above could also work without an OTAR system, as long as someone with a CKR (ASTRO 25) KVL rekeyed the radios every week. I believe the KVL 3000 will only keyload to matching CKR slot numbers, so the KVL operator couldn't accidently load the key for a different fleet/group into wrong radio.
The key "indexing" is still somewhat unclear to me. I believe it is used to separate the old keys from the new keys. One would still need to hold on to the old keys in a radio for a while, since the OTAR system can't rekey radios that are not turned on or in range of the system.
If you don't need to change your keys often, or need to use an OTAR system, you probably don't need to use CKR key management.
			
			
									
									
						My Astro Saber has very new host/DSP software, but an older DES-XL/DES-OFB module in it (EMC 2.12).
I have to load my radio with a KVL3000 using ASN mode. Because my encryption module is so old, if I try and enable CKR key mangement in the CPS, the radio will display "EMC TOO OLD" (or something to that effect), and encryption will not function. The "ASTRO 25" KVL mode should only keyload your radio if your radio is programmed to use CKR key management.
The only algorithim type available on my KVL3000 in ASN mode is DES, and it keyloads my DES-XL or DES-OFB keys just fine.
If your encryption module is new enough (not sure what the version needs to be), you should be able to set your XTS/Astro Saber to CKR key management in the CPS, and then load using the "ASTRO 25" KVL3000 mode.
If you are forced to use ASN/PID mode, you can still talk to encrypted radios that use CKR as long as the Key ID's match. In either mode (ASTRO 25 or ASN) on the KVL, you should be prompted for a KID in ASTRO 25 mode, or a LID in ASN mode, which is a four-digit hex number in either case. As long as you use the same number and same key data, a CKR radio should talk to a PID radio.
The KID/LID value is transmitted over the air during every DES-OFB transmission. The receiving radio looks at this value and checks to see if it has a match with any one of its keys. If so, it will decrypt the transmission. If no match is found, the radio will stay muted. Of course it is posssible to have two different keys with the same Key ID. In this case the radio will attempt to decrypt, but you would hear the "squawking" sound, and no intelligible audio. The KID/LID is basically how the radio can tell whether it should try to decrypt a transmission...
For DES-XL, I believe the process is similar, but the KID is transmitted with MDC1200, and only at the beginning of the transmission (if enabled in the RSS/CPS).
Below is my speculation on the uses/pros/cons of CKR and PID key managment (so some of it may be wrong or incomplete):
I believe CKR key managment is required for OTAR systems, and can be useful for people managing keys for large fleets of radios. With CKR, instead of the multikey radio having key slots numbered 1-16, the slots can have numbers of 1-4095 & 61440-65535. I think this would be useful for large fleets of secure radios, where hundreds of keys are in service, but each radio only needs a few keys.
Say a small group of radios used one encryption key, but needed that key changed every week via OTAR. The key manager would assign this group a CKR value, say 2000, and load the radios with a key and associated KID, say 6F2D. Every week, the OTAR system would rekey the radios. Before an OTAR exchange could take place, the radio would make sure it had a slot marked for the CKR 2000 key. If so, the OTAR system would send the new key and KID to the radio. So now the radio would have the new key and KID, say 24C2, in the CKR 2000 slot. Basically, the CKR value of 2000 stays the same, while the key and key ID change every week. If the radio wanted to request a rekey from the OTAR system, of course it wouldn't know what the new KID would be, so it would have to request using the CKR value.
I believe the above could also work without an OTAR system, as long as someone with a CKR (ASTRO 25) KVL rekeyed the radios every week. I believe the KVL 3000 will only keyload to matching CKR slot numbers, so the KVL operator couldn't accidently load the key for a different fleet/group into wrong radio.
The key "indexing" is still somewhat unclear to me. I believe it is used to separate the old keys from the new keys. One would still need to hold on to the old keys in a radio for a while, since the OTAR system can't rekey radios that are not turned on or in range of the system.
If you don't need to change your keys often, or need to use an OTAR system, you probably don't need to use CKR key management.
..
not sure how much more i can contribute to this thread, but i will try.
i have a KVL 3000+ w/ DES.
i load all of my radios with ASN mode.
CKR (as indicated above) is really just a different way of indexing the keys in the radio as compared to PID (physical ID)
CKR is enabled/disabled IN THE RADIO CODEPLUG.
CKR (as indicated above) requires the loader to be in ASTRO25 mode.
rusty, you should be able to read your astro spectrsas, disable CKR Key Management in the codeplug - and load them in ASN mode.
you have no need to utilize CKR, as you do not utilize OTAR or (to my knowledge) multikey.
Physical ID (PID) IMHO relates more to the olden days of multikey saber/systems saber radios. in these radios, the encryption module actually had slots (up to 8 i think) for encryption keys.
Now you have LID (logical ID) - a 4 digit (as above) hex number associated with each key. Me being the inventive type, i always use LID 0001. No need to complicate things further in my single key environment. I do know that if you attempt to load a duplicate LID into a radio (regardless of slot) - the radio bonks at you with DUPLICATE LID on the display.
back to the question i posed earlier. In a radio with a dual mode module (there are actually Quad mode modules out there - DES, DVP, OFB and AES-256...god knows what those cost) : how in the hell do you determine what algo goes with which key slot?
obviously a radio with mutliple algo's will have "multikey" - even if it's just two keys - one for each algo.
i have always ASSumed that when the radio flashes:
KG1 - DES-OFB
KG2 - DES-XL
KG3 - NONE
that the key groups corresponded to the "slot" MINUS 1. This is due to the jackass firmware in the KVL's that have ALWAYS called the first slot ZERO.
dunno guys - maybe i am off on a tangent here... but this has more than one person stumped. there has to be a book that better describes this stuff... i am going to look tonight and see what i can come up with.
i know for a fact there was a good description in the T3011DX operators manual... but of course, that's ASN / PID - NOT CKR....and it goes even further with shadow keys for OTAR blah blah blah
now i have a headache.
doug
			
			
									
									i have a KVL 3000+ w/ DES.
i load all of my radios with ASN mode.
CKR (as indicated above) is really just a different way of indexing the keys in the radio as compared to PID (physical ID)
CKR is enabled/disabled IN THE RADIO CODEPLUG.
CKR (as indicated above) requires the loader to be in ASTRO25 mode.
rusty, you should be able to read your astro spectrsas, disable CKR Key Management in the codeplug - and load them in ASN mode.
you have no need to utilize CKR, as you do not utilize OTAR or (to my knowledge) multikey.
Physical ID (PID) IMHO relates more to the olden days of multikey saber/systems saber radios. in these radios, the encryption module actually had slots (up to 8 i think) for encryption keys.
Now you have LID (logical ID) - a 4 digit (as above) hex number associated with each key. Me being the inventive type, i always use LID 0001. No need to complicate things further in my single key environment. I do know that if you attempt to load a duplicate LID into a radio (regardless of slot) - the radio bonks at you with DUPLICATE LID on the display.
back to the question i posed earlier. In a radio with a dual mode module (there are actually Quad mode modules out there - DES, DVP, OFB and AES-256...god knows what those cost) : how in the hell do you determine what algo goes with which key slot?
obviously a radio with mutliple algo's will have "multikey" - even if it's just two keys - one for each algo.
i have always ASSumed that when the radio flashes:
KG1 - DES-OFB
KG2 - DES-XL
KG3 - NONE
that the key groups corresponded to the "slot" MINUS 1. This is due to the jackass firmware in the KVL's that have ALWAYS called the first slot ZERO.
dunno guys - maybe i am off on a tangent here... but this has more than one person stumped. there has to be a book that better describes this stuff... i am going to look tonight and see what i can come up with.
i know for a fact there was a good description in the T3011DX operators manual... but of course, that's ASN / PID - NOT CKR....and it goes even further with shadow keys for OTAR blah blah blah
now i have a headache.
doug
BRAVO MIKE JULIET ALPHA
"You can do whatever you want, there are just consequences..."
IF SOMEONE PM'S YOU - HAVE THE COURTESY TO REPLY.
						"You can do whatever you want, there are just consequences..."
IF SOMEONE PM'S YOU - HAVE THE COURTESY TO REPLY.
There is one document that helps clarify some of these issues - 6881098E35 - unfortunately it is several years old and does not cover CKR.
First - let's touch on indexing. It is meant to help those agencies that re-key their radios regularly - but don't have OTAR.
Basically, indexing divides the physical storage locations in a radio [or a device like a DIU] into two equal sized groups. In a multi-key radio with 16 locations for example, you would have eight keys in each index. That allows you to use one index today and the other tomorrow [or this week / next week OR this month / next month - whatever rekey period you choose]
While using one index the other index can be re-keyed radio by radio and everbody can still talk.
____________________________________________________________
Now - as to CKR, I don't think you can start out with a CKR=2000 because as I understand it the whole point is 'Common Key Reference'. When you have your keyloader in Astro25 mode you can choose which key to load [by its CKR] but you don't get to choose which location in the radio that key gets loaded into as you do when the keyloader is in ASN mode. The KVL automatically loads CKR=0001 into the radio's first location, etc.
[edit - the above paragraph is not accurate! As posted later here by 515 - the CPS does not start the CKR numbers at 0001 - the user has a great deal of flexibility - what the keyloader does is match the CKR of the key you are loading to the CKR of a key in the radio so that unlike ASN mode you don't choose a physical location in the radio to put a key into when you keyload it. ] Read the later posts for further clarification.
_______________________________________________________________
The whole thing gets very confusing when you look at all the numbers. In Astro25 mode the keys use CKR numbers that are decimal starting at 1. The radio physical locations are decimal starting at zero. And the radio's default key names are decimal starting at one.
In ASN mode the traffic key locations apparently used to be in HEX starting at zero [according to 6881098E35] but my KVL 3000 plus seems to number them in decimal starting at zero. In either case the radio is the same as above but you can put any traffic key into any radio location.
Confused yet? I know my head hurts!
Here are a couple of things I found out that are significant [for us at least]
If you load one radio with your keyloader in ASN mode and another with your [or another] keyloader in Astro25 mode - the radios will talk IF the key data is the same AND the ASN LID is the same as the Astro25 KID.
Also, you can load one location in a multi-key radio with a keyloader in ASN mode and another location in the same radio can be loaded with the KVL in Astro25 mode.[assuming you have both CKR and PID enabled in the radio's codeplug]
What you can't have is duplicate KID's. Here is the problem. Suppose we have County A with 1000 single key radios they loaded in Astro 25 mode with CKR=0001 and KID=0001.
Now their neighbor County B puts in a system and not knowing any better they load their 1000 radios with Astro25 mode - different key data, but they also choose CKR=0001 and KID=0001.
Later their mutual SWAT teams execute an interoperability agreement [homeland defense]. They decide to share secure comm. They will pay to flash their radios to multi-key. The problem is - you can't take the County A KVL and put their key into location number two in County B's radios because they have the same KID!
Now if County A chose the use KID=A001 and County B chose to use KID=B001 - that would work, but if you did not think of it ahead of time - you would have to rekey all 1000 radios of one of the counties to eliminate the duplicate KID.
There are other issues related to this when you consider the interaction between the HARD CODED key selections in the Smartzone infrastructure vs. subscriber programming.
All of the above is based on using DES-OFB. AES and ADP will add two more cans of worms!
			
			
													First - let's touch on indexing. It is meant to help those agencies that re-key their radios regularly - but don't have OTAR.
Basically, indexing divides the physical storage locations in a radio [or a device like a DIU] into two equal sized groups. In a multi-key radio with 16 locations for example, you would have eight keys in each index. That allows you to use one index today and the other tomorrow [or this week / next week OR this month / next month - whatever rekey period you choose]
While using one index the other index can be re-keyed radio by radio and everbody can still talk.
____________________________________________________________
Now - as to CKR, I don't think you can start out with a CKR=2000 because as I understand it the whole point is 'Common Key Reference'. When you have your keyloader in Astro25 mode you can choose which key to load [by its CKR] but you don't get to choose which location in the radio that key gets loaded into as you do when the keyloader is in ASN mode. The KVL automatically loads CKR=0001 into the radio's first location, etc.
[edit - the above paragraph is not accurate! As posted later here by 515 - the CPS does not start the CKR numbers at 0001 - the user has a great deal of flexibility - what the keyloader does is match the CKR of the key you are loading to the CKR of a key in the radio so that unlike ASN mode you don't choose a physical location in the radio to put a key into when you keyload it. ] Read the later posts for further clarification.
_______________________________________________________________
The whole thing gets very confusing when you look at all the numbers. In Astro25 mode the keys use CKR numbers that are decimal starting at 1. The radio physical locations are decimal starting at zero. And the radio's default key names are decimal starting at one.
In ASN mode the traffic key locations apparently used to be in HEX starting at zero [according to 6881098E35] but my KVL 3000 plus seems to number them in decimal starting at zero. In either case the radio is the same as above but you can put any traffic key into any radio location.
Confused yet? I know my head hurts!
Here are a couple of things I found out that are significant [for us at least]
If you load one radio with your keyloader in ASN mode and another with your [or another] keyloader in Astro25 mode - the radios will talk IF the key data is the same AND the ASN LID is the same as the Astro25 KID.
Also, you can load one location in a multi-key radio with a keyloader in ASN mode and another location in the same radio can be loaded with the KVL in Astro25 mode.[assuming you have both CKR and PID enabled in the radio's codeplug]
What you can't have is duplicate KID's. Here is the problem. Suppose we have County A with 1000 single key radios they loaded in Astro 25 mode with CKR=0001 and KID=0001.
Now their neighbor County B puts in a system and not knowing any better they load their 1000 radios with Astro25 mode - different key data, but they also choose CKR=0001 and KID=0001.
Later their mutual SWAT teams execute an interoperability agreement [homeland defense]. They decide to share secure comm. They will pay to flash their radios to multi-key. The problem is - you can't take the County A KVL and put their key into location number two in County B's radios because they have the same KID!
Now if County A chose the use KID=A001 and County B chose to use KID=B001 - that would work, but if you did not think of it ahead of time - you would have to rekey all 1000 radios of one of the counties to eliminate the duplicate KID.
There are other issues related to this when you consider the interaction between the HARD CODED key selections in the Smartzone infrastructure vs. subscriber programming.
All of the above is based on using DES-OFB. AES and ADP will add two more cans of worms!
					Last edited by xmo on Thu Oct 21, 2004 7:33 am, edited 1 time in total.
									
			
									
						- 
				wb4bsd
- Batboard $upporter
- Posts: 255
- Joined: Fri Mar 14, 2003 10:07 am
- What radios do you own?: XTS5000v, XTS3000v, XTS2500
As confusing as all this is, there is some very usefull data in this post.  Is there anyway we can add this to the "STICKY" list in this forum????????????  Please???
Also, I have email my Area Mot Field service Eng to ask if he can provide me with some more data on all of this. If i get anything i will certainly post it. I am hoping he sends me a pdf with all the documentation on it.
			
			
									
									Also, I have email my Area Mot Field service Eng to ask if he can provide me with some more data on all of this. If i get anything i will certainly post it. I am hoping he sends me a pdf with all the documentation on it.
Rusty
(I no longer have nextel. I now have an iPhone)
						(I no longer have nextel. I now have an iPhone)
I agree, a lot of useful information to be found in this thread. I shall make it sticky. Any further info can be added to this thread to make it even better.wb4bsd wrote:As confusing as all this is, there is some very usefull data in this post. Is there anyway we can add this to the "STICKY" list in this forum???????????? Please???
Todd
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.
Welcome to the /\/\achine.
						Welcome to the /\/\achine.
Of course I can't try this, since my radio's module doesn't support CKR, but I figured you would enter the CKR numbers you want to use in the CPS "Secure Hardware Multikey Table":Now - as to CKR, I don't think you can start out with a CKR=2000 because as I understand it the whole point is 'Common Key Reference'. When you have your keyloader in Astro25 mode you can choose which key to load [by its CKR] but you don't get to choose which location in the radio that key gets loaded into as you do when the keyloader is in ASN mode. The KVL automatically loads CKR=0001 into the radio's first location, etc.
My CPS let me put any number between 1-4095 in the CKR blanks. Although the KVL3000 states CKRs 61440-65535 are also valid, they won't work in the XTS/Astro Saber CPS. Maybe those values are reserved for infrastructure or something...
If I were to program my radio with the above table, I would then have to create keys with those CKRs in the KVL3000. If I don't create those exact CKR numbers, I don't think the KVL won't load any keys to this radio.
I would think this is how you can have a large fleet of encrypted radios, and you would assign a CKR value to each sub-group, like a talkgroup on a trunked system. You could easily change the key data very often with an OTAR system, so the KID/LID would then change every time as well, which would be a real pain if you had to keep track of your whole fleet's keys using only KID/LID. To my understanding, the point of CKR is to allow the person in charge of key management to really only have to worry about what CKR value is assigned to what sub-group, which stays the same no matter how often the key data is changed via OTAR or manual rekeying.
The CKR values are not transmitted over the air during a regular DES-OFB transmission. The CKR values only apply to exchanges between the radio and the OTAR system or KVL. The KID/LID is transmitted over the air, so that how the radios can pick the right key out of their 16 key list. And as long as you are using indexing, the old key from a regularly scheduled key data change could still be in the radio, and used when needed to communicate with a radio that hasn't been rekeyed yet.
For most people who don't use OTAR or have your radios rekeyed regularly as part of a large fleet, PID/ASN mode should work just fine. My only advice is to use a "random" LID, so the chances of another user appearing on your channel using the same LID but different key data are very slim.
"...My CPS let me put any number between 1-4095 in the CKR blanks..."
___________________________________________________________
It certainly does - and if I had been able to clear my head of the confusion of all these other issues - I might have gone back to the CPS and seen that.
We just started programming our test radios with CKR0001 and I never got back to experimenting with it. I think it would be safe to say that the CKR you program in the KVL must match a CKR in the radio or you won't be able to do a keyload.
I may go back and edit some of the information I previously posted so someone won't read that far and miss the later corrections posted by 515.
You are right - the CKR is an administrative / management tool and is only used between the keyloader [or OTAR] and the target device. As we are learning how all these features work the capabilities become more clear. Your suggestions on fleet / key management are definitely valuable.
I would still say that the KID / LID issue needs to be addressed in a logical manner. For example, if you were in a State like Iowa that numbers their Counties, you could use the County number as part of your KID / LID. e.g. Polk County = 77, hence the number one key there would be 7701, Woodbury = 97, hence their number one key = 9701.
Another possibility, if you have no potential secure neighbors, would be to use a number that reflects your rekey periods, e.g 0401 = the number one key for this year, or 2701 = the number one key for the 27th week, or 0101 = the number one key for January.
These complexities really point out the importance of the System Administrator and key management in modern systems. Planning and documentation - mandatory!
Hopefully the sharing of information in this thread will help us to all understand the subject better!
			
			
									
									
						___________________________________________________________
It certainly does - and if I had been able to clear my head of the confusion of all these other issues - I might have gone back to the CPS and seen that.
We just started programming our test radios with CKR0001 and I never got back to experimenting with it. I think it would be safe to say that the CKR you program in the KVL must match a CKR in the radio or you won't be able to do a keyload.
I may go back and edit some of the information I previously posted so someone won't read that far and miss the later corrections posted by 515.
You are right - the CKR is an administrative / management tool and is only used between the keyloader [or OTAR] and the target device. As we are learning how all these features work the capabilities become more clear. Your suggestions on fleet / key management are definitely valuable.
I would still say that the KID / LID issue needs to be addressed in a logical manner. For example, if you were in a State like Iowa that numbers their Counties, you could use the County number as part of your KID / LID. e.g. Polk County = 77, hence the number one key there would be 7701, Woodbury = 97, hence their number one key = 9701.
Another possibility, if you have no potential secure neighbors, would be to use a number that reflects your rekey periods, e.g 0401 = the number one key for this year, or 2701 = the number one key for the 27th week, or 0101 = the number one key for January.
These complexities really point out the importance of the System Administrator and key management in modern systems. Planning and documentation - mandatory!
Hopefully the sharing of information in this thread will help us to all understand the subject better!
.
riddle me this.
in the saber/sys saber era, the secure module was physically different between single key and multi-key radios (i.e. they had different part numbers)
since the MTS 2000 came about, only single module sets were issued for each algorithm....until the astro saber/spectra multiple-algo modules were released.
now, it seems as though the radio Flash determines whether or not the radio is capable of multikey.
if your radio is flashed to support multikey (H868/W969 Multikey Operation), then you have the option in the software of making the appropriate entries to support multiple encryption keys... if not... then you don't.
interesting, since the flash now controls a hardware function... the encryption keys have always been stored physically on the secure hardware... but it's interesting that the ability for the radio to store multiple keys is controlled by the flash instead of the hardware...
obviously, there are some very old EMC's out there - i have seen EMC 1.00 des-xl modules installed in some gov't astro saber radios... it would be nice to see a revision history of the various EMC's - what was added/deleted with each "fix"
doug
			
			
									
									in the saber/sys saber era, the secure module was physically different between single key and multi-key radios (i.e. they had different part numbers)
since the MTS 2000 came about, only single module sets were issued for each algorithm....until the astro saber/spectra multiple-algo modules were released.
now, it seems as though the radio Flash determines whether or not the radio is capable of multikey.
if your radio is flashed to support multikey (H868/W969 Multikey Operation), then you have the option in the software of making the appropriate entries to support multiple encryption keys... if not... then you don't.
interesting, since the flash now controls a hardware function... the encryption keys have always been stored physically on the secure hardware... but it's interesting that the ability for the radio to store multiple keys is controlled by the flash instead of the hardware...
obviously, there are some very old EMC's out there - i have seen EMC 1.00 des-xl modules installed in some gov't astro saber radios... it would be nice to see a revision history of the various EMC's - what was added/deleted with each "fix"
doug
BRAVO MIKE JULIET ALPHA
"You can do whatever you want, there are just consequences..."
IF SOMEONE PM'S YOU - HAVE THE COURTESY TO REPLY.
						"You can do whatever you want, there are just consequences..."
IF SOMEONE PM'S YOU - HAVE THE COURTESY TO REPLY.
In addition, HOST/DSP seems to play a part. I had the latest HOST/DSP for a 512k radio, and EMC 0.6. It would allow multikey, but the same module in the same radio with DSP 8 now, will report EMC too old and no longer supports the CKR function.
			
			
									
									Lowband radio. The original and non-complicated wide area interoperable communications system

						
- sglass
- Batboard $upporter
- Posts: 2282
- Joined: Sat May 18, 2002 2:03 pm
- What radios do you own?: sonic screwdriver
Re: .
I've wondered about that lately. Now is it that way with all radios that have infinite key retention? If so, would it stand to reason that the radio itself is doing most of the work-not the module?batdude wrote: interesting, since the flash now controls a hardware function... the encryption keys have always been stored physically on the secure hardware... but it's interesting that the ability for the radio to store multiple keys is controlled by the flash instead of the hardware...
Seth
- sglass
- Batboard $upporter
- Posts: 2282
- Joined: Sat May 18, 2002 2:03 pm
- What radios do you own?: sonic screwdriver
Pj wrote:I have all my Astro's set for infinate retention. I took one out of a saber, put it in a spectra, and didn't need to reload the radio. Would have figured that it would have erased the key...but it didn't.
so the key writes to nonvolatile memory in the module?
now that is interesting
so it would stand to reason the enc board is capable if holding multiple keys, and the radio just chooses which to address?
- 
				wb4bsd
- Batboard $upporter
- Posts: 255
- Joined: Fri Mar 14, 2003 10:07 am
- What radios do you own?: XTS5000v, XTS3000v, XTS2500
Where does Software encryption come into all this.  It seems that in CPS if you setup the software encyrption you can enter your own key and varible, would this equate to an actual encryption key so you wouldnt need a KVL, or is software encryption something to do with OTAR and the Key Managment System?
			
			
									
									Rusty
(I no longer have nextel. I now have an iPhone)
						(I no longer have nextel. I now have an iPhone)
I think software encryption only worked with older VSELP radios - I'm not 100% positive on that or not, but it's one of those options in "nick" flashes that I thought never worked.wb4bsd wrote:Where does Software encryption come into all this. It seems that in CPS if you setup the software encyrption you can enter your own key and varible, would this equate to an actual encryption key so you wouldnt need a KVL, or is software encryption something to do with OTAR and the Key Managment System?
-Alex
I think Alex is correct, the old 'Software Encryption' that is enabled in the "Chicago Flash" that Nick always used was apparently only supported in certain VSELP capable firmware.  It was never released for general sale.
There is a new version of the software encryption concept that is available now for general sale. It is called ADP [Advanced Digital Privacy]
			
			
									
									
						There is a new version of the software encryption concept that is available now for general sale. It is called ADP [Advanced Digital Privacy]
- 
				wb4bsd
- Batboard $upporter
- Posts: 255
- Joined: Fri Mar 14, 2003 10:07 am
- What radios do you own?: XTS5000v, XTS3000v, XTS2500
After speaking with the M engineers (man that was scary).  The informed me that even if a radio is loaded with DES from the ASN mode of a KVL3000+, the radio determines whether it operates in XL or OFB mode.  When CKR is activated in the codeplug, then the Astro 25 mode will work and is used for things such as multikey.
I am sure all this was said before but i wanted to confirm it.
Also, they advised that there is no literature out there with information on multikey or anything that goes into more detail. Trial and Error and experience is what they use to firgue this stuff out.
			
			
									
									I am sure all this was said before but i wanted to confirm it.
Also, they advised that there is no literature out there with information on multikey or anything that goes into more detail. Trial and Error and experience is what they use to firgue this stuff out.
Rusty
(I no longer have nextel. I now have an iPhone)
						(I no longer have nextel. I now have an iPhone)
Bringing a post back from the dead...
I have a few astro's with DES/DVP in them. I have access to a DES and DVP DX keyloader.
If I wanted two keys of 1, and one key of another, would I have to make 3 slots available in the multikey settings in rss/cps, or will 2 do it for each?
			
			
									
									I have a few astro's with DES/DVP in them. I have access to a DES and DVP DX keyloader.
If I wanted two keys of 1, and one key of another, would I have to make 3 slots available in the multikey settings in rss/cps, or will 2 do it for each?
Lowband radio. The original and non-complicated wide area interoperable communications system

						
If I have a customer with new XTS5000 radios, and a KVL3000+ with only ASN mode flashed into it, is there any way to keyload the 5000s? You cannot uncheck "CKR key management" in the 5000 like you can in the 3000. Will they require a flash upgrade to Astro25 mode for their KVL?
Todd
			
			
									
									Todd
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.
Welcome to the /\/\achine.
						Welcome to the /\/\achine.
From ye olde help file for Astro25 Portable:
PID Key Management Mode
(Secure Configuration, Multikey Options)
[x] Enables the use of Physical ID (PID) Key Management in the radio. This field is automatically enabled and becomes view-only when the MDC OTAR field is enabled. This feature applies on a radio wide basis.
[ ] When disabled, CKR Key Management is used solely by the radio during secure encrypted communications.
IMPORTANT NOTE:
When using the ASN mode (Advanced SecureNet) in the KVL 3000 or the KVL 3000 Plus key-loaders, encryption keys can only be loaded to the radio when PID Key Management has been enabled in the radio.
ACCESSED ONLY:
When the Secure Equipped field is enabled, and
when the Secure Type - Advanced Digital Privacy field is not enabled.
			
			
									
									
						PID Key Management Mode
(Secure Configuration, Multikey Options)
[x] Enables the use of Physical ID (PID) Key Management in the radio. This field is automatically enabled and becomes view-only when the MDC OTAR field is enabled. This feature applies on a radio wide basis.
[ ] When disabled, CKR Key Management is used solely by the radio during secure encrypted communications.
IMPORTANT NOTE:
When using the ASN mode (Advanced SecureNet) in the KVL 3000 or the KVL 3000 Plus key-loaders, encryption keys can only be loaded to the radio when PID Key Management has been enabled in the radio.
ACCESSED ONLY:
When the Secure Equipped field is enabled, and
when the Secure Type - Advanced Digital Privacy field is not enabled.
- radio-link
- Posts: 245
- Joined: Sun Mar 16, 2003 8:49 am
Re: CKR/ASN/Multikey and keyloading
About storage of keys and such: The FIPS certification defines a "crypto boarder". In this physical range all key handling and storage must be done, and all the en/decryption work. The UCMs and also the older hybrids physical appearance _is_ the crypto boarder. So it is clear, all the keys are stored inside the module. As memory has become cheap the UCMs just get told from the radio ow many keys they should store. The older hybrids really had physical differences, it was not just software like nowadays.
			
			
									
									regards - Ralph, dk5ras
--
Ralph A. Schmid http://www.bclog.de [email protected]
Tel./SMS +49-171-3631223
						--
Ralph A. Schmid http://www.bclog.de [email protected]
Tel./SMS +49-171-3631223
 
				







