Encryption Key Types; Keysets; Crypto Groups; Key Management Facility - E.F. Johnson Company 4100 SERIES Operating Manual

Digital/analog portable radio

necessary. It is no longer necessary to periodically
travel to the radio location or bring the radio into a
maintenance facility to load new keys.

The actual OTAR rekeying functions are
performed by a Key Management Facility (KMF) that
sends Key Management Messages (KMM) to the
radios. These messages are themselves encrypted
using a unique key. Radios must be OTAR-compatible
and programmed for OTAR for this type of rekeying to
occur.

Currently, OTAR is available only on P25
conventional channels, and only to program DES-OFB and
AES keys (future programming on P25 trunked channels
is planned). It is not used on SMARTNET/SmartZone
channels or to load DES/DES-XL keys.

10.4.2 ENCRYPTION KEY TYPES

There are two types of keys used with OTAR:

TEK (Traffic Encryption Key) - The key used to
encrypt voice and data traffic. All radios using encryption
must have at least one of these keys. TEK is also
the name for the keys used without OTAR.

KEK (Key Encryption Key) - The key used to
encrypt keys contained in OTAR Key Management
Messages (KMMs). All radios which use OTAR must
contain at least one of these keys. The KEK used to
decrypt/encrypt keys in an OTAR message is defined
by the algorithm and key IDs transmitted in the
decryption instructions field. A KEK may be unique to
a particular radio (UKEK) or common to a group of
radios (CKEK).

10.4.3 KEYSETS

To simplify key management, a number of keys
may be grouped together in a keyset. A keyset is
simply a set of one or more keys of the same type
(either TEK or KEK). Keysets are identified by Keyset
IDs, and the upper four bits of this ID specify the
crypto group (see next section).

The KEK keyset is considered always active and
is ID 255. Two TEK keysets are normally used;
one is always active and the other inactive. This allows
the inactive keyset to be replaced without interrupting
operation. One is Keyset ID 1 and the other Keyset ID
2. With EFJohnson radios, each keyset can contain up
to 128 keys, but fewer than 16 are normally used for
optimum keying efficiency and because only up to 16
can be selected by the radio.

The active keyset is usually selected by the Key
Management Facility. It can also be selected by the
keyloader function of the EFJohnson SMA
(Subscriber Management Assistant) or by the user if
the Change Keyset option switch or menu parameter is
programmed. Automatic keyset changeovers are not
supported by EFJohnson radios. In the SLN mode (see
Section 10.2.3), two TEK keysets can be used if
desired even if OTAR is not used.

A diagram of a keyset is shown in Figure 10-2.
Some information may be optional as shown. The
41xx portable does not support or use the Update Item
and Time/Date parameters.
[Figure 10-2 Keyset Diagram. Fields shown: 16-Bit Keyset ID, Algorithm ID, Update Item (Opt), Time/Date (Opt), Keyset Name (Opt), Key 1, Key 2, Key 4096]

10.4.4 CRYPTO GROUPS

A crypto group contains up to 16 keysets of the
same type of key, either TEK or KEK (see Section
10.4.2). However, only two keysets are typically used
as just described. Crypto groups are used to help
manage keys, such as when a radio uses keys with
different active times or multiple algorithms.
Currently, only one crypto group is supported, and it is
always ID 0. As shown in Figure 10-3, the crypto
group ID is the upper four bits of both the SLN and
Keyset IDs.
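
The ID layout and limits from Sections 10.4.3 and 10.4.4 can be checked mechanically before a keyset plan is loaded. The following is an added example, not part of the manual or of any EFJohnson tool; the dict fields and the treatment of the lower 12 bits as the keyset number within the crypto group are assumptions.

```python
# Added example: lint a keyset plan against the limits in Sections 10.4.3-10.4.4.
# The dict fields (id, type, key_count, active) are a hypothetical layout.
KEK_KEYSET_ID = 255            # the KEK keyset, always active
TEK_KEYSET_IDS = (1, 2)        # the two TEK keysets normally used
SUPPORTED_CRYPTO_GROUPS = {0}  # only crypto group 0 is currently supported
MAX_KEYS_PER_KEYSET = 128      # EFJohnson per-keyset limit
MAX_SELECTABLE_KEYS = 16       # keys the radio can actually select


def split_keyset_id(keyset_id):
    """Split a 16-bit Keyset ID into (crypto group, remaining 12 bits)."""
    if not 0 <= keyset_id <= 0xFFFF:
        raise ValueError(f"Keyset ID {keyset_id} does not fit in 16 bits")
    return keyset_id >> 12, keyset_id & 0x0FFF


def lint_keysets(keysets):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, active_teks, tek_seen = [], 0, False
    for ks in keysets:
        ksid, n = ks["id"], ks["key_count"]
        group, _ = split_keyset_id(ksid)
        if group not in SUPPORTED_CRYPTO_GROUPS:
            findings.append(f"keyset {ksid}: crypto group {group} not supported")
        if ks["type"] == "KEK":
            if ksid != KEK_KEYSET_ID or not ks["active"]:
                findings.append(f"keyset {ksid}: KEK keyset must be ID 255 and active")
        elif ks["type"] == "TEK":
            tek_seen = True
            active_teks += bool(ks["active"])
            if ksid not in TEK_KEYSET_IDS:
                findings.append(f"keyset {ksid}: TEK keysets are normally ID 1 and 2")
        else:
            findings.append(f"keyset {ksid}: unknown key type {ks['type']!r}")
        if not 1 <= n <= MAX_KEYS_PER_KEYSET:
            findings.append(f"keyset {ksid}: {n} keys, allowed range is 1-128")
        elif n > MAX_SELECTABLE_KEYS:
            findings.append(f"keyset {ksid}: {n} keys, radio can select only 16")
    if tek_seen and active_teks != 1:
        findings.append(f"{active_teks} active TEK keysets, expected exactly 1")
    return findings


# Constructed sample plan: keyset 4098 (0x1002) sits in crypto group 1.
SAMPLE_PLAN = [
    {"id": 255, "type": "KEK", "key_count": 2, "active": True},
    {"id": 1, "type": "TEK", "key_count": 8, "active": True},
    {"id": 0x1002, "type": "TEK", "key_count": 20, "active": True},
]
```

Calling `lint_keysets(SAMPLE_PLAN)` reports the unsupported crypto group, the unusual TEK keyset ID, the oversized keyset and the second active TEK keyset.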

10.4.5 KEY MANAGEMENT FACILITY

The Key Management Facility (KMF) provides
key management and OTAR functions to applicable