Encryption- CKR and keysets

This forum is dedicated to discussions pertaining specifically to the Motorola ASTRO line of radios (those that use VSELP/IMBE/AMBE), including using digital modulation, digital programming, FlashPort upgrades, etc. If you have general questions please use the General or Programming forums.

Moderator: Queue Moderator

k5rpd
Posts: 80
Joined: Wed Jul 28, 2004 8:41 pm

Encryption- CKR and keysets

Post by k5rpd »

I am trying to understand the different ways that CKR can be used in combination with KID in A25 mode and LID in ASN mode. I have read through the topics on CKR/KID/LID/PID etc. but still have a few questions.
Here's the situation:
The system is 700/800 P25 Digital trunked. MCC7500 consoles with multikey secure cards. There is NO KMF. Keyloading will be done to each radio and console with a KVL4000. The KVL4000 has ADP, AES256 and AES-GCM. We will be using AES256 on our local talkgroups, and ADP only for the local county talkgroup that has ADP already in place on their radios. Radios are APX mobiles and portables and XTL5k mobiles with multikey hardware kits.

I'm trying to understand if I can use the PID mode/slots to accomplish using two keysets in the users' radios. For example: for the first time period the users would use Keyset A and for the second time period the users would use Keyset B. During the second time period, the users' radios would be touched for maintenance and a new set of keys for Keyset A. When they rotate back to the new Keyset A, the radios would come in for maintenance and a new set of keys for Keyset B. This would continue ad infinitum...

I'm just not clear on how to accomplish such a thing or if it's possible. I know that Console/Trunking controller systems reference to the CKR and a certain AES256 TEK for that talkgroup. Can what I am envisioning happen by using the PID slots in conjunction with a Keyset menu item? By using the A25 mode KID that is associated with the CKR # and then referencing that KID to the associated LID that is loaded into the appropriate time period's keyset slot via ASN mode?

Yes, using the KMF and OTAR would be the solution but there is no funding for that currently. Yes, it would be easy to just stay with a single key and not rotate keys/keysets. Yes, the operations of a small town agency could be considered "not that critical to worry about encryption and all of the trouble."

Thoughts?
Thanks in advance!
JJ
xmo
Moderator
Posts: 2549
Joined: Fri Oct 12, 2001 4:00 pm

Re: Encryption- CKR and keysets

Post by xmo »

Even though you aren't planning on using the KMF, you can find some good information on keysets and so on in the manual which you can download from MOL.

[6871018P43-A]
IL02
New User
Posts: 1
Joined: Tue Sep 25, 2012 6:20 am

Re: Encryption- CKR and keysets

Post by IL02 »

Which key the console uses is configured via the system network management suite (ZCM, UCM, or URS depending on the vintage of your system release). The key (really, the CKR) is effectively strapped; the console may not choose another key to transmit with for a trunked talkgroup, unlike conventional operation. This applies even if the talkgroup is clear/secure selectable on the console.

The first question is, how many console positions will be affected by your key rotation schedule? If it is a small number in a single location, then arranging a few minutes of downtime on the secure talkgroups while you rekey should not be an issue. If they are many and/or spread out across a large geographical area, then you may have to look into other options.

The CKR reference for talkgroups can be changed in the NMC application, so you could load the "new" CKR into the MCC7500 and then change the reference, which would instruct the console to start using the new CKR. However, the change is not instantaneous and does require some time for the information to be received by the console operator position. In addition, a restart of the application may be required to effect that change.

From the subscriber perspective, if there is enough channel capacity you might be able to create two copies of each talkgroup, each set referencing a different CKR in the radio. Then, when it comes time to switch, users simply select the opposite set of talkgroups.