Security

From MOTOTRBO

The Security set in a MOTOTRBO radio codeplug/configuration contains all the parameters relating to Basic Privacy, Enhanced Privacy, AES-256, Restricted Access to System, OTAP, OTAR and TLS-PSK Authentication.[1]

General

In general, the radio receives and decodes both unprotected and protected messages, regardless of the channel's privacy setting. By default, the radio always tries to unscramble or decrypt the message regardless of the channel's privacy setting. If a radio is never required to receive protected messages, then it should not be provisioned with keys, or it should be provisioned with a key that is different from the keys used elsewhere. Simply setting a channel to privacy-disabled does not stop the radio from receiving protected messages.

A radio receives a protected message correctly as long as it has the right key. Therefore, when one radio user on a privacy-enabled channel transmits, every radio, regardless of whether its channel is privacy-enabled or privacy-disabled, hears the transmission clearly if its provisioned Privacy Key is identical to that of the transmitting radio. A radio user receiving a protected transmission sees the green LED blinking rapidly. The receiving radio user should consider changing the privacy setting to match that of the call initiator when replying. With Basic Privacy, all radios use only one key, so if all radios are privacy capable, it is recommended that all radios are set to privacy enabled and equipped without the option for the radio user to toggle the privacy setting.

Since Basic Privacy does not cause any degradation in audio quality, or decrease in performance, there is no reason for the normal user to switch between non-privacy and privacy. Removing the option to toggle the setting from the radio user safeguards against any complicated privacy mismatch scenarios.

The General section contains two checkboxes:

  • Fixed Privacy Key Decryption determines how the radio handles the reception of protected (encrypted) calls while configured for privacy. If a radio receives a protected (encrypted) call, and the Fixed Privacy Key Decryption option is unchecked on the selected personality, and there is a matching key (with the same Key ID and Privacy Type) in its key lists, then it decodes the call. If there is no matching key, then it cannot decode the call. If a radio receives a protected (encrypted) call, and the Fixed Privacy Key Decryption option is checked on the selected personality, and the received key (as indicated by Key ID and Privacy Type) matches the key of the configured transmit key for the selected personality, then it decodes the call. If the received key does not match the configured transmit key for the selected personality, then it does not decode the call, even if there is a matching key in the key list. This feature has no effect on Basic privacy since only one key is used for both transmitting and receiving. If the receiving radio is configured with Privacy Type selected as None or the radio user disables privacy from the radio menu or a programmable button, and the Fixed Privacy Key Decryption is checked, then the radio transmits and receives unprotected (clear) calls and decodes protected calls if the received key matches any key in the key list.
  • Ignore Rx Clear Voice/Packet Data determines how the radio handles the reception of unprotected (clear) calls while configured for privacy. If a radio receives an unprotected (clear) call while configured for no privacy, then it decodes the call normally. If a radio receives an unprotected call while configured for Basic, Enhanced, or AES privacy, and the Ignore Rx Clear Voice or Packet Data option is unchecked on the selected personality, then it decodes the call normally. If a radio receives an unprotected call while configured for Basic, Enhanced, or AES privacy, and the Ignore Rx Clear Voice or Packet Data option is checked on the selected personality, then it does not decode the call. The Ignore Rx Clear Voice or Packet Data option per personality is not available if a radio is configured for Privacy Type selected as None. When the Ignore Rx Clear Voice or Packet Data option is enabled and the radio user disables privacy from the radio menu or a programmable button, the Ignore Rx Clear Voice or Packet Data option does not apply, and the radio decodes unprotected (clear) calls normally.
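The two checkboxes interact with the personality's Privacy Type, the radio user's privacy toggle and the contents of the key lists, and the resulting receive behaviour is easier to reason about as a decision function. The Python model below is an added example written for this page, not Motorola CPS or radio firmware code; it encodes the receive rules exactly as stated in the two bullets above, using constructed key IDs and assumed type names (`Privacy`, `Key`, `Personality`), and can be used to check a fleet's personalities for privacy-mismatch scenarios before radios are deployed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, Optional


class Privacy(Enum):
    NONE = "None"
    BASIC = "Basic"
    ENHANCED = "Enhanced"
    AES = "AES-256"


@dataclass(frozen=True)
class Key:
    """A provisioned key, identified by Privacy Type and Key ID.

    Basic Privacy has no Key ID; key_id stands in for its single key value."""
    privacy: Privacy
    key_id: int


@dataclass
class Personality:
    privacy: Privacy                        # Privacy Type selected for the channel/personality
    tx_key: Optional[Key] = None            # key assigned to this personality for transmit
    key_list: FrozenSet[Key] = field(default_factory=frozenset)  # every key in the radio's lists
    fixed_key_decryption: bool = False      # "Fixed Privacy Key Decryption" checkbox
    ignore_rx_clear: bool = False           # "Ignore Rx Clear Voice/Packet Data" checkbox
    user_privacy_on: bool = True            # False if the user disabled privacy via menu/button


def decodes(p: Personality, rx_key: Optional[Key]) -> bool:
    """Return True if the radio decodes an incoming call on this personality.

    rx_key is None for an unprotected (clear) call; otherwise it carries the
    Key ID and Privacy Type signalled by the protected call.
    """
    privacy_active = p.privacy is not Privacy.NONE and p.user_privacy_on

    if rx_key is None:
        # Clear call: dropped only when privacy is active and Ignore Rx Clear is checked.
        return not (privacy_active and p.ignore_rx_clear)

    in_list = rx_key in p.key_list
    if not privacy_active:
        # Privacy off (Type None, or toggled off by the user): still decrypts
        # if any key in the key list matches.
        return in_list
    if p.privacy is Privacy.BASIC or not p.fixed_key_decryption:
        # Basic Privacy uses one key for both directions, so the checkbox has no
        # effect; with the checkbox unchecked any listed key is accepted.
        return in_list
    # Fixed Privacy Key Decryption: only the personality's own transmit key is
    # accepted, even if another key in the list would match.
    return rx_key == p.tx_key


if __name__ == "__main__":
    # Constructed fleet: two Enhanced keys and one AES key provisioned.
    k1, k2, k7 = Key(Privacy.ENHANCED, 1), Key(Privacy.ENHANCED, 2), Key(Privacy.AES, 7)
    keys = frozenset({k1, k2, k7})
    strict = Personality(Privacy.ENHANCED, tx_key=k1, key_list=keys,
                         fixed_key_decryption=True, ignore_rx_clear=True)
    for call in (None, k1, k2, k7):
        print("strict personality decodes", call, "->", decodes(strict, call))
```

The model shows why the page recommends removing the user's privacy toggle: a personality with both boxes checked drops clear calls and calls on any key other than its own transmit key, yet the moment the user toggles privacy off it accepts clear calls and any listed key again, so the two radios in a conversation can silently end up with different receive rules.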

Privacy

The Privacy section allows the Privacy Type, Basic Privacy Key and Enhanced Privacy Keys to be set.

There are three choices for Privacy Type:

  • None means no privacy is used and all transmissions are sent clear.
  • Basic means the radio will use Basic Privacy for all transmissions.
  • Enhanced Privacy should be chosen if the radio will use either Enhanced Privacy or AES-256.

If Basic Privacy is chosen, the Basic Privacy Key field becomes available and allows the key value to be entered. Note that only one key value is supported per system. Also, this algorithm provides almost no security when compared to the other options.

Most MOTOTRBO radios support up to 32 Enhanced Privacy Keys (prior to M2024.01 it was 16). It is possible to assign one key to one or more channels or personalities and this will be used for transmissions. The radio will however use any of the keys in this list for reception. If no matching key is found, the incoming transmission will be ignored.

Symmetric

The Symmetrical Keys table with the Add Key popup.

The Symmetric section is only shown if the AES-256 CfS licence has been purchased and activated in the radio. This table contains the AES symmetrical keys. As with Enhanced Privacy, most MOTOTRBO radios support up to 32 Symmetrical Keys (prior to M2024.01 it was 16). It is possible to assign one key to one or more channels or personalities and this will be used for transmissions. The radio will however use any of the keys in this list for reception. If no matching key is found, the incoming transmission will be ignored.

Only the Key ID and Key Alias are shown. The key value is hidden and write-only. The radio, repeater, and MNIS in a MOTOTRBO system all require configuration in order for AES to work properly.

Enhanced Privacy is independent from the Symmetric keys configuration. AES does not interoperate with Enhanced Privacy although they can coexist on the same system and radio. However, only one privacy type and key may be used per channel/personality.

To support AES, the repeater codeplug must be configured with Enhanced Privacy Type since the repeater does not encrypt or decrypt any AES payload. The Enhanced privacy option allows the repeater to repeat the AES and Enhanced privacy encrypted audio and data bursts. For proper functioning of the repeater in a system with AES encrypted transmissions, the repeater must be running on firmware version R02.30.00 or later.[2]

Restricted Access to System

The Restricted Access to System (RAS) feature prevents unauthorized subscriber users from using the repeaters in the system to transmit to their targeted users or user groups. Additionally, RAS provides limited protection to prevent unauthorized radios from listening to any voice/data/CSBK transmissions from RAS-enabled repeaters. However, RAS is not a privacy feature, and if voice privacy is a concern, either AES-256 or Enhanced Privacy must be used.

The RAS key table contains all the keys the radio will use to access the system(s) it will be used on. One RAS key may be provisioned per channel/personality. Most radios support up to 16 RAS keys. The key must match the RAS key in the repeater in order for radio transmit or receive to work.[2]

Over the Air Programming

Over the Air Programming (OTAP) allows the codeplug in radios to be remotely updated, either using the RF channel (the radio system itself) or Wi-Fi. To prevent the radios from being tampered with, OTAP messages are protected with an OTAP key.

The OTAP key is write-only. It is known only to the radio (where it is stored in protected memory) and to the Radio Management Server, and it is used to authenticate the validity of write jobs. The repeater, MNIS or Control Station does not need this value to support OTAP. OTAP messages can also be encrypted using any of the Privacy mechanisms mentioned above (if enabled).

The OTAP key table contains all the keys needed for OTAP jobs. Generally, only one key will be used.[2]

TLS-PSK Authentication

The TLS-PSK table in CPS/RM.

When enabled (Security Mode is set to Enhanced), a radio or repeater allows its codeplug to be read or written only by an application that uses the TLS-PSK protocol, such as Radio Management. TLS-PSK is described in RFC4279 and RFC5246.[2]

This feature is only available in R2.10.5 onwards.[3][4]

The TLS-PSK based authentication used by Radio Management relies on a symmetric key shared between the device and the Device Programmer. Each device has a unique key, which is derived from a Master Key (MK) and added to the device through RM. The main advantage of using the MK is that authentication for all devices can be managed with one key only.

Radio Management (RM) retrieves a 128-bit key for each device using the specified Master Key (MK) and the ID of the device as per the algorithm described in FIPS PUB 198-1, and delivers the key and the ID of the Master Key to the device. The PSK ID/Alias is a 128-bit field in the codeplug consisting of up to 16 ASCII characters, while the PSK data is a 128-bit value.
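FIPS PUB 198-1 specifies HMAC, so the per-device key is a keyed MAC of the device ID under the Master Key. The following Python is an added example, not RM's or Motorola's code: the page states only that a 128-bit key is derived from the MK and the device ID with the FIPS 198-1 algorithm, so the choice of HMAC-SHA256, the 4-byte big-endian encoding of the device ID, the truncation to the first 16 bytes, and the names `derive_device_psk`, `verify_device_psk`, `psk_alias_ok` and `provision` are all assumptions made here. The key and alias values are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demonstration values; not keys or aliases from any real system.
DEMO_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DEMO_MASTER_KEY_ID = "MK-DEMO-01"   # assumed alias; the page allows up to 16 ASCII chars


def derive_device_psk(master_key: bytes, device_id: int, key_len: int = 16) -> bytes:
    """Derive a device-unique PSK from the Master Key and the device's ID.

    Assumed here (not stated on the page): HMAC-SHA256 as the FIPS 198-1 HMAC
    instance, the device ID encoded as 4 big-endian bytes, and truncation of
    the MAC to its first 128 bits. A real RM build may encode the ID differently.
    """
    if not 1 <= key_len <= hashlib.sha256().digest_size:
        raise ValueError("key_len must be between 1 and 32 bytes")
    if not 0 <= device_id < 2**32:
        raise ValueError("device_id must fit in 32 bits")
    tag = hmac.new(master_key, device_id.to_bytes(4, "big"), hashlib.sha256).digest()
    return tag[:key_len]


def verify_device_psk(master_key: bytes, device_id: int, candidate: bytes) -> bool:
    """Constant-time check that a stored PSK is the one the MK derives for this device."""
    expected = derive_device_psk(master_key, device_id, len(candidate))
    return hmac.compare_digest(expected, candidate)


def psk_alias_ok(alias: str) -> bool:
    """True if the alias fits the 128-bit ASCII PSK ID/Alias field described on the page."""
    return alias.isascii() and 0 < len(alias) <= 16


def provision(master_key: bytes, master_key_id: str, device_id: int) -> dict:
    """The pair RM delivers to a device: the Master Key's ID as PSK alias and the derived PSK."""
    if not psk_alias_ok(master_key_id):
        raise ValueError("PSK alias must be 1 to 16 ASCII characters")
    return {"psk_alias": master_key_id, "psk": derive_device_psk(master_key, device_id)}


if __name__ == "__main__":
    for dev in (1001, 1002):
        rec = provision(DEMO_MASTER_KEY, DEMO_MASTER_KEY_ID, dev)
        print(dev, rec["psk_alias"], rec["psk"].hex())
```

Two consequences of this construction matter operationally. Extracting one device's PSK does not reveal the Master Key or any other device's PSK, because HMAC is one-way in the key. Conversely, anyone holding the Master Key can regenerate every device's PSK from its ID alone, so the MK deserves the same handling as the AES traffic keys it ultimately protects access to, and the derivation is deterministic: reprovisioning a device under the same MK yields the same PSK, so revoking a device's access means changing the MK, not merely rewriting the device.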

Security Mode allows the technician programming a radio to set the security mode for the radio as either Standard or Enhanced.

Pre-Shared Key Value displays the Pre-Shared Key (PSK) value used for transport layer security pre-shared key (TLS-PSK) Authentication, and the Pre-Shared Key Alias drop-down allows the user to select the PSK Alias used for TLS-PSK Authentication.

Over the Air Rekeying

The OTAR table showing a single entry.

The Over the Air Rekeying (OTAR) section of the Security set is only visible when the OTAR CfS license has been purchased. It will not be listed in the feature flags table when not purchased. The CfS licence is only available to certain customers. Like AES-256, it is export controlled.

OTAR allows customers to make changes to their radios either on a scheduled basis or as needed in order to protect the security of their voice and data communications. Since these changes are delivered over-the-air, the system manager can distribute and manage AES-256 keys remotely, eliminating the time-consuming process of retrieving radios from the field and manually rekeying them individually.

In order to use OTAR, the system needs to be equipped with a Key Management Facility (KMF).

OTAR supports the following functionality in end user radios:

  • The KMF will poll a radio to determine whether it is within the coverage area of the system.
  • The KMF can erase a compromised radio’s encryption keys to protect the integrity of the network. When the radio is recovered, the radio can be re-enabled and securely restored to the network.
  • Radios that are turned off or out of range can be accounted for during the rekeying process. Once these radios get back into the system, they will be updated.
  • The radio user can initiate a rekeying request by OTAR, and the system will respond by delivering all appropriate encryption keys.

The Key Management Facility (KMF) is the heart of the OTAR system. The KMF simply replenishes the supply of keys when the inventory drops below a preset volume. The KMF allows the system manager to:

  • Implement their security plan
  • Generate and store encryption keys
  • Track radios containing certain keys
  • Distribute updated keys to radio users
  • Maintain the encryption keys in the system
  • Log, archive, and report events

An administrator and an operator are both needed to operate the KMF. The administrator sets security policy, organizes the radio fleet and its secure communications, and is responsible for generating and assigning encryption keys. The operator monitors the OTAR activities, generates reports, and performs regular database management.

MOTOTRBO radio and repeaters do not support a Key Variable Loader (KVL) like P25 and TETRA radios do.

The OTAR table contains the following values:

  • Traffic Encryption Key (TEK) Value is the Key Variable, a unique hexadecimal key used to encrypt and decrypt voice and data traffic.
  • The TEK Alias is an easy way to find this TEK while configuring the personality.
  • TEK ID is used to identify the TEK.
  • The TEK Common Key Reference (CKR) (a.k.a. Storage Location Number) refers to an encryption key slot in the radio. In cases where the key is associated with a specific talkgroup, the CKR can be used to designate the encrypted talkgroup.[5]

See Also

References

  1. MOTOTRBO CPS Help Text. Retrieved 01.03.2024.
  2. MOTOTRBO System Planner 68007024085-PA. Retrieved 05.03.2024.
  3. MOTOTRBO: TLS-PSK programming for added security. Retrieved 05.03.2024.
  4. P@$$w0rds ar3 g0!ng, well sort of. Retrieved 05.03.2024.
  5. The Need for Encryption on Public Safety Radio Systems. cisa.gov. Retrieved 05.03.2024.