Batboard

I was wondering if anyone has used the KVL to load DES Keys to radios other than Motorola radios. A customer has XTS 3K's that accept the encryption key just fine, but when that same key is loaded to their new Kenwood 5210's and they go to encryption mode, you get a Key failure message. Is there something different you have to do when creating the key?

The Kenwood gear is spec'd to work with the KVL3000. So as a guess, the Kenwoods need a KVL that meets the APCO P25 standard key loading interface spec and your KVL3000+ is likely to only be Flashed for the legacy ASN mode. You can upgrade you KVL3000+ through Motorola. The P25 mode is covered in the '3000+ manual.

Sounds good, but the only problem is when we create a new key on the kvl, it works ok. But when we use the old key the customer is currently using and send it to the kenwoods we get the key failure. The algorhythm is DES-OFB on the old key. We are trying to avoid having to create a new key for all the radios and then having to track down every radio in the county that uses that encryption key and reloading them since it would be a long painful process.

That now leads to the question is how often do you change your keys?

I guess this means that you don't know what the old key is?

In other words it's just what's already 'in' the KVL, otherwise you'd obviously just create a new key with the same key variable...

You didn’t comment on the key loading mode you're using for the Kenwood kit, ASN or P25?


BTW, as Bruce implied it is rather bad form to keep using the same key forever, it should be changed as a matter of routine. Two reasons:

(1) A radio set can get stolen or lost and not be reported for a while leaving your comms compromised and you don't know it! At least with routine changes you know your worst case exposure.

(2) You need to have a workable method of maintaining and updating key variables that you routinely test to cater for stolen or lost radios and for introducing new radios – the situation you have now.

If you are a large organization using secure radios you should really have a designated Crypto or Communications Security Officer whose job it is to manage these tasks.

Not sure how old the key is. This is a new customers existing KVL with the key they've had in it for who knows how long. They don't want to change keys since it involves numerous radios throughout the county.

Up to this point this sherriff's dept. has been completely dependant on another radio company for all their communications issues, including encryption management. It doesn't sound like they've ever changed keys.

I'm unsure if their old key is ASN or P25 but we want to have a key that their XTS's and Kenwoods will both work on, and talk to each other on so it sounds like at this point they will have to either have us or the other radio people they have been using create a new key for them.

I am in total agreement about changing keys often, and having their own commo officer that can do that stuff on their own. It was they way we managed things when I was commo in the military and it seemed to work a whole lot better, Not to mention that way you aren't completely dependant on some outside agency for your radios and radio security.

aircommunications wrote:I'm unsure if their old key is ASN or P25 but we want to have a key that their XTS's and Kenwoods will both work on, and talk to each other on so it sounds like at this point they will have to either have us or the other radio people they have been using create a new key for them.

ASN or P25 doesn't refer to the key itself, but rather the serial protocol used by the KVL to communicate with the radio. ASN is a proprietary Motorola protocol supported only by Motorola gear and one or two other manufacturers, and the P25 keyfill protocol is supported by all secure capable P25 radios. I'm not familiar with the KVL3000+, but I believe there's an option on the device to change which protocol it'll use to talk to the radio, providing it is flashed appropriately.

On their XTS radios in CPS, under the Multikey Options tab under Secure Configuration, do they have CKR Key Management and/or Migrate from Securenet selected?

I think you need to make a case to the head honcho that a key change is well overdue.