Infinite Key Retention & Board Removal XTS5k

[newtomotorola]

Hi all

Just wondering if Infinite Key Retention is selected and the encryption board is removed and re seated to the keys dissapear ?

Cheers

[escomm]

yes they do

[newtomotorola]

fantastic for my purpose, however this concerns me, what if a somebody gets a hold of a radio ie police and puts that encryption board in their own bingo they have keys... not good

[escomm]

it's not a concern because the keys are wiped as soon as the board is removed

[newtomotorola]

oops sorry, misinterpreted your first reply

[N4DES]

I have to disagree....I have swapped secure boards with loaded keys from radio to radio a few times and didn't had to re-load it.
It was done within a minute with the 2 radios side by side and disassembled prior to moving it.

And the yes the Infinite Key Retention was checked.

[n7maq]

I have to disagree....I have swapped secure boards with loaded keys from radio to radio a few times and didn't had to re-load it.
It was done within a minute with the 2 radios side by side and disassembled prior to moving it.

And the yes the Infinite Key Retention was checked.

Were they UCM's? IIRC to get a FIPS certification they keys can not be retained if the UCM is pulled. I have tried it a few times on XTS5000's and it has never worked for me even if was just unplugged for two to three seconds. Now the older Astro encryption boards (not UCM's) may be different, I believe I have swapped them and had the key retained.


Jim

[N4DES]

Did it on a few XTS2500's that have DES/XL OFB boards in the past few months.
Don't know what to say, but I didn't have to remove the loader from the safe to re-key them after my techs swapped the boards.

So maybe the XTS2500 isn't FIPS certified?

[escomm]

Pretty sure Motorola has level 3 protection on their modules which means in order to be FIPS certified there has to be some zeroization circuitry that can detect attempts at tampering.

[MattSR]

FIPS mode is optional.

Enabling Key Loss Key Generation and IKR makes the modules non-FIPS compliant because it *does* allow you to remove the module without losing the keys.

IKR off = keys lost when board removed.

IKR on - keys retained when board removed.

I have done this on ASTRO Saber with a UCM (3.43) an XTS3000 (3.53) and XTS5000 (5.xx) boards.

[newtomotorola]

FIPS mode is optional.

Enabling Key Loss Key Generation and IKR makes the modules non-FIPS compliant because it *does* allow you to remove the module without losing the keys.

IKR off = keys lost when board removed.

IKR on - keys retained when board removed.

I have done this on ASTRO Saber with a UCM (3.43) an XTS3000 (3.53) and XTS5000 (5.xx) boards.

Wouldnt you loose your keys if you enabe these options, i know in the past when i enabled MDC OTAR my keys dissapeard and i had to re-key.

also does the Generate Key-Loss-Key uner the general tab / OTAR have to be enabled for this to work or just IKR ?

[MattSR]

KLK and IKR are independant - im just using KLK as another example of non-FIPS mode.

And yes you're correct, because the modules are FIPs certified, changing mode will dump keys (so dont expect to be able to activate IKR and not rekey)