Restricted Access to System

From MOTOTRBO

The Restricted Access to System (RAS) feature prevents unauthorized radios from accessing a repeater or system. It also prevents unauthorized radio users from intercepting voice or data transmissions. The unauthorized radio could be a MOTOTRBO radio or any other DMR radio.

It does not, however, provide protection from deliberate interception using bespoke surveillance equipment, and it is not a form of encryption. If voice privacy is a concern, Basic Privacy, Enhanced Privacy or AES-256 should be used.

RAS works by manipulating the header CRC bits and is a proprietary feature only available on MOTOTRBO radios and systems. It supports all existing ADP interfaces and is supported in all MOTOTRBO system configurations except Capacity Max (which has its own method of access control).

This feature provides two methods to prevent a subscriber from accessing the system:

  • RAS Key Authentication
  • Radio ID Range Check

These two methods are independent of each other and may be enabled/disabled separately or together. When used together, they provide a robust and flexible way to control the subscribers’ access to the system.[1]

Key Authentication

RAS table in the radio codeplug

In this method, both the repeater and subscriber are configured with a secret Restricted Access to System (RAS) key through CPS/RM.

When a subscriber transmits, the subscriber uses its configured RAS key to encode the bursts. When a repeater receives the bursts, the repeater also uses its configured RAS key to decode the bursts. If the RAS keys in the subscriber and repeater are the same, the repeater decodes and repeats the bursts successfully. However, if the subscriber does not have a RAS key or its RAS key does not match the one configured in the repeater, the decoding process in the repeater fails, and the transmission is blocked at the repeater. Therefore, the bursts from the unauthorized subscriber are not repeated and cannot reach the targeted user or user group.

RAS selection in the channel of the radio
RAS settings in a MOTOTRBO repeater

This method is secure and difficult to break or circumvent, because the RAS ID length ranges from 6 to 24 characters. The algorithm is very robust. However, this method requires CPS configurations in the subscriber’s codeplug, resulting in more time and extra effort when changes have to be made to a fleet of radios.

The RAS key authorization is enabled by default. The following table shows the default settings for RAS configuration in a repeater and a subscriber:

Default RAS Configuration

| RAS Configuration | Default Setting |
|---|---|
| In a repeater all RAS configuration is performed in the ‘Security’ section and therefore applies to all channels in the repeater. | Authentication = Enabled; Authentication Key Alias = Default; Authentication Key = 000000 |
| In a subscriber, most RAS configuration is performed in the ‘Security’ section. | Authentication Key Alias = Default; Authentication Key = 000000 |
| In a subscriber the enablement of RAS is on a per channel basis. | RAS Alias = Default (in a channel) |

The following are several scenarios when adding these RAS key authentication enabled repeaters/radios into an existing system:

  • If cloning is utilized on the device, there are no new configuration steps when deploying into an existing system utilizing RAS or an existing system not utilizing RAS.
  • If cloning is not utilized and the existing system is RAS disabled, the RAS enabled repeaters/radios need to be RAS disabled using the CPS/RM tool, before they can be used in the system.
  • If cloning is not utilized and the existing system is RAS enabled with a customer chosen RAS key, the RAS enabled repeaters/radios (with the default RAS key) need to be re-programmed with the customer chosen RAS key using the CPS/RM tool.

Radio ID Range Check

In this method, up to 64 radio ID ranges can be provisioned in the repeaters. Each of these radio ID ranges may be configured as allowed or left as unconfigured. If the radio ID is within any of the allowed radio ID ranges when the repeater receives a transmission from a subscriber, the repeater repeats it normally. However, if the subscriber’s radio ID is not within any of the allowed radio ID ranges, the repeater blocks the transmission. Hence, transmissions from unauthorized subscribers are not repeated and cannot reach the targeted user or user group.

This method only requires configurations in the repeaters. Therefore, it is very easy to make changes quickly. However, an unauthorized user may analyze the radio transmission over-the-air, or use other means to guess some allowed radio IDs and create clones of authorized IDs, thus gaining access to use the repeater.
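The following added example (not from MOTOTRBO documentation or tooling) audits a fleet inventory against the rules in the Key Authentication and Radio ID Range Check sections: default key still in place, key length, key mismatch with the repeater, and radio IDs outside the allowed ranges. The dictionary field names and the sample inventory are constructed for illustration and are not a CPS/RM export format.

```python
# Added example: field names are hypothetical, not a CPS/RM export format.
DEFAULT_KEY = "000000"   # factory default Authentication Key (see table above)
MAX_ID_RANGES = 64       # repeater limit on provisioned radio ID ranges


def audit_fleet(repeater, radios):
    """Return (device, finding) tuples for RAS settings that weaken or break access."""
    findings = []
    auth_on = repeater["auth_enabled"]
    key = repeater.get("key", "")
    ranges = repeater.get("allowed_id_ranges", [])

    if auth_on and key == DEFAULT_KEY:
        findings.append(("repeater", "default-key"))
    if auth_on and not 6 <= len(key) <= 24:
        findings.append(("repeater", "key-length"))
    if len(ranges) > MAX_ID_RANGES:
        findings.append(("repeater", "too-many-id-ranges"))
    if not auth_on and ranges:
        # ID range check alone: IDs can be observed over the air and cloned.
        findings.append(("repeater", "id-range-check-only"))

    for radio in radios:
        name = radio["name"]
        radio_key = radio.get("key")          # None = RAS disabled on the channel
        if auth_on and radio_key != key:
            findings.append((name, "key-mismatch"))          # repeater blocks it
        elif not auth_on and radio_key is not None:
            findings.append((name, "ras-must-be-disabled"))  # non-RAS system
        if ranges and not any(lo <= radio["radio_id"] <= hi for lo, hi in ranges):
            findings.append((name, "id-not-allowed"))        # repeater blocks it
    return findings


# Constructed sample inventory.
SAMPLE_REPEATER = {
    "auth_enabled": True,
    "key": "000000",
    "allowed_id_ranges": [(1000, 1999), (5000, 5099)],
}
SAMPLE_RADIOS = [
    {"name": "radio-A", "radio_id": 1001, "key": "000000"},
    {"name": "radio-B", "radio_id": 1002, "key": "Fleet7Key"},
    {"name": "radio-C", "radio_id": 3000, "key": None},
]

if __name__ == "__main__":
    for device, finding in audit_fleet(SAMPLE_REPEATER, SAMPLE_RADIOS):
        print(f"{device}: {finding}")
```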

References

  1. MOTOTRBO System Planner 68007024085-PA