ContentsGeneral Description DES DES was developed by the US government in 1977. It uses a 56 bit key, plus 8 parity bits, for a total key size of 64 bits. DES encryption is adequate


Contents

Definitions and Acronyms  1
General Description DES  1
  DES-CFB  1
General Description AES  2
Determining Radio Options  2
Determining FIPSCOM Version  2
Encrypted Channel Setup using NeoVision  3
  Key Setup  3
  P25 Digital  3
  Secure Analog (DES-CFB)  3
KVL Operations  4
  Equipment Required to Load Keys  4
  Loading Keys  3
OTAR Configuration  5
OTAR Operations  6
  Registration  6
  User Initiated Rekey  6
  KMF Initiated Rekey  6


BK Technologies

Definitions and Acronyms

The following acronyms are used in this document:

AES Advanced Encryption Standard

CKR Common Key Reference

DES Data Encryption Standard

FIPS Federal Information Processing Standards

KEK Key Encryption Key

KID Key Identifier

KMF Key Management Facility

KMM Key Management Message

KVL Key Variable Loader

MNP Message Number Period

OTAR Over The Air Rekeying

RSI Radio Set Identifier

SLN Storage Location Number

TEK Traffic Encryption Key

UKEK Unique Key Encryption Key

General Description DES

DES was developed by the US government in 1977. It uses a 56 bit key, plus 8 parity bits, for a total key size of 64 bits. DES encryption is adequate to protect against casual eavesdropping, but the 56 bit key is too weak to withstand sophisticated attacks. DES was withdrawn as a national standard in 2005. It is included in BK products for legacy compatibility reasons. A detailed description of DES can be found in FIPS publication 46-3.
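As an added illustration of the key layout described above (example code written for this edit, not taken from the BK manual or from FIPS 46-3), the following Python checks and repairs the odd-parity bit of each DES key byte and separates the 56 secret bits from the 8 parity bits; the sample keys are constructed.

```python
# Added example (not from the BK manual): DES key parity as specified in
# FIPS 46-3. A DES key is 8 bytes (64 bits); the low bit of each byte is an
# odd-parity bit, so only the high 7 bits of each byte, 56 bits in all, are
# secret. Parity lets a key loader detect a corrupted key but adds nothing
# to the key's strength, which is why a DES key offers only 56 bits.

DES_KEY_BYTES = 8


def byte_has_odd_parity(b: int) -> bool:
    """True if the byte contains an odd number of 1 bits."""
    return bin(b & 0xFF).count("1") % 2 == 1


def check_des_key_parity(key: bytes) -> list:
    """Indexes of key bytes with a wrong parity bit; empty if well formed."""
    if len(key) != DES_KEY_BYTES:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")
    return [i for i, b in enumerate(key) if not byte_has_odd_parity(b)]


def set_des_key_parity(key: bytes) -> bytes:
    """Rewrite the low bit of every byte so each byte has odd parity.
    The 56 secret key bits (high 7 bits of each byte) are left unchanged."""
    if len(key) != DES_KEY_BYTES:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")
    fixed = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        # Parity bit is 1 only when the 7 key bits hold an even number of ones.
        fixed.append(high7 | (1 if ones % 2 == 0 else 0))
    return bytes(fixed)


def extract_secret_key_bits(key: bytes) -> int:
    """Drop the parity bit of each byte and pack the 56 secret bits into an int."""
    if len(key) != DES_KEY_BYTES:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value  # always below 2**56, the real size of the DES key space


if __name__ == "__main__":
    # Constructed sample key: well formed (every byte has odd parity).
    good = bytes.fromhex("0123456789abcdef")
    # Same 56 secret bits, but the parity bit of the last byte is corrupted.
    bad = bytes.fromhex("0123456789abcdee")
    print(check_des_key_parity(good), check_des_key_parity(bad))          # [] [7]
    print(set_des_key_parity(bad) == good)                                 # True
    print(extract_secret_key_bits(bad) == extract_secret_key_bits(good))  # True
```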

DES-CFB

DES-CFB uses a Cipher Feedback implementation of DES to scramble analog FM channels. As with other DES implementations, this is not secure against a sophisticated attack, and so should not be used to transmit highly sensitive information.


Encryption Operator’s Manual

General Description AES

AES was selected by the US government in 2001 as a formal replacement for the now obsolete DES encryption algorithm. It can use 128, 192, or 256 bit keys. The Project 25 implementation uses 256 bit keys for voice and data encryption, and 128 bit keys for radio and network authentication. AES implementations in BK radios are formally certified to comply with the Level 1 security standards defined in FIPS publication 140-2 (Security Requirements for Cryptographic Modules). A detailed description of AES can be found in FIPS publication 197.

Determining Radio Options

A radio’s current installed options can be viewed using the NeoVision radio editor (KAA0732). In NeoVision, select Radio Options from the Tools menu.

Determining FIPSCOM Version

Use the radio keypad to select the Versions option under the radio menu (the Versions menu option must be enabled in the radio configuration). Use the up/down arrow keys to scroll to Fipscom Application: to see the 4 byte Fipscom date code.


Encrypted Channel Setup using NeoVision

Key Setup

To make a key available for transmitting on a secure channel, its SLN must be entered in the Key table found under the Global/Common/Keys tab. An Alias can optionally be entered to label the key for reference purposes.

Under the Keys tab there are check boxes to select Finite (unchecked) or Infinite (checked) key retention. Infinite keys are stored in non-volatile memory and will persist if power is removed from the radio. Finite keys are stored in volatile memory and will be erased if power is removed from the radio. Using Finite keys increases key security should an encrypted radio fall into unauthorized hands, but Finite keys run the risk of erasure should power be accidentally lost to the radio. When using Finite keys, set the Soft Power Down Timer under the Global/Common/General tab to a large positive value to prevent key erasure when the radio power switch is turned off.

P25 Digital

To set up an encrypted digital channel, set the Encryption parameter of the channel to Selectable or Secure. If Selectable, make sure that one of the radio buttons or menu items is set to Tx Secure. Set the Key field to reference a key in the P25 Encryption key list. Note that this parameter only applies to transmitted messages; received messages will be decrypted using the key referenced by the KID embedded in the message.

Secure Analog (DES-CFB)

To set up an encrypted analog channel, check the DES-CFB box and set the Encryption parameter of the channel to Selectable or Secure. If Selectable, make sure that one of the radio buttons or menu items is set to Tx Secure. Set the Key field to reference a key in the P25 Encryption key list. The selected key must be DES or DES-XL; analog encryption with AES is not supported. This key will be used for both Tx encryption and Rx decryption.


KVL Operations

A KVL can be used to manually manage keys and encryption parameters on the radio. For OTAR systems a KVL is required to initialize the UKEKs in the radio. The KVL must be attached to the radio with a KVL Interface Cable and the radio must be powered on. From this point, all keyloading operations are controlled from the KVL keypad or touchpad.

Equipment Required to Load Keys

• One KNG P150/P400 portable radio with option KZA0577 (encryption module). The radio should be flashed with firmware version 5.1.0 or later.
• A Motorola KVL 3000+ or KVL 4000 keyloader.
• An appropriate Motorola data cable and gender bender to connect it to the KVL data port.
• One KAA0587A keyloader interface cable.
• One KAA0710 programming adapter and one USB cable.

Loading Keys (as referenced from the KVL User’s Manual)

1. On the KVL main screen, select Load Keys & groups → Load Keys & groups.
2. Connect the target device to the KVL using an appropriate key load cable (KAA0587A).
3. Select the key you want to load by dragging the slider to the right.
4. Select another key to load, or tap Done.
5. Tap Done to return to the KVL main screen.

(See the KVL User’s Manual for more information.)


OTAR Configuration

For a radio to operate on an OTAR network, the KMF operator will need to create a Radio Record for that radio. The radio will then need to be configured with the appropriate IDs and encryption keys so it can operate on the network. Use NeoVision and a KVL to set up the radios as follows:

• P25 Unit ID: Under the System/Conventional/General tab. This is used to identify the radio to the network. The network will reject registration attempts with a Unit ID it does not recognize. If a specific Unit ID is not provided, use the Individual RSI value in this field.
• Data Parameters: Under the System/Conventional/Data/OTAR tab. The Confirmed Data parameters control how long to wait for a response before resending a data packet, and how many times to retry before giving up. These parameters should be set to values recommended by the KMF operator.
• OTAR Parameters: Under the System/Conventional/Data/OTAR tab. The OTAR Enable box must be checked. The Rekey Request Timeout parameter sets the amount of time before the radio reports the failure of an incomplete user initiated rekey request. Note that even after the radio reports a rekey failure, the radio will still respond to KMMs sent by the KMF, so setting this value too low may cause the radio to report a rekey failure even when the rekey was successful.
• Identifiers: The Individual RSI, KMF RSI, and MNP can be loaded using a KVL or NeoVision under the Global/Common/Keys tab.
• UKEKs: These keys are loaded into the KVL by the KMF operator, and are then loaded into the radio from the KVL. There should be one UKEK for each key algorithm type used (AES, DES, etc.).
• Channel Setup: To communicate with the KMF over a radio network it is necessary to have one or more digital channels set up. Under Zone/Channel set Tx and Rx modes to digital, and set the frequencies and NACs to the appropriate values for the network. Check the OTAR/Data Enable box.
• Miscellaneous Settings: If user initiated rekey is a desired feature, then a radio button or menu selection will need to be configured for Rekey Request. This can be done under the Global/Conventional/Menus or Global/Conventional/Buttons tab.

The main purpose of OTAR is to acquire TEKs for secure Voice/Data communication. See the Encrypted Channel Setup section for information on setting up secure channels.


OTAR Operations

Registration

The radio will automatically attempt to register with the network when it is set to an OTAR enabled channel. If the registration fails the radio will retry every 3 minutes. Successful registration is required before any rekey can be performed. A successfully registered radio will transmit a deregister message when it is powered off or the channel is changed.

User Initiated Rekey

The user can initiate a rekey by pressing the rekey button or selecting Rekey from the radio menu. The radio will prompt the user with a “Rekey Now?” message. Press the YES button to initiate the rekey request. If the radio is not registered, or is on a non-OTAR channel, the radio will display “Rekey Failed. Not Registered.”

The user will see the radio’s status LED flash red and green as it interacts with the network. The radio will beep each time a message is successfully processed. The radio will display “Rekey Complete” when all KMMs have been processed. If the rekey is not completed before the timeout period is reached, the radio will buzz and a Rekey Failed message will be displayed. If the radio is unable to unwrap (decrypt) the received keys using the provisioned UKEKs, a Check KEK error will be displayed.

KMF Initiated Rekey

The KMF may initiate a rekey to a specified radio. From the user’s standpoint this will appear the same as a radio initiated rekey, except the radio will never time out.