SECURE COMMUNICATION (ENCRYPTION)
55
Figure 11-1 Key Selection Example
Keyset ID 2
Algorithm ID
Update Item (Opt)
Time/Date (Opt)
Keyset Name (Opt)
SLN 23
SLN 25
Keyset ID 1
Algorithm ID
Update Item (Opt)
Time/Date (Opt)
Keyset Name (Opt)
Key #21: Key ID 54
Storage Loc.
SLN 24
SLN 22
SLN 21
Number (CKR)
3
5
4
2
1
PID
Key #22: Key ID 65
Key #23: Key ID 67
Key #24: Key ID 69
Key #25: Key ID 73
Key #25: Key ID 90
Key #24: Key ID 91
Key #23: Key ID 99
Key #22: Key ID 98
Key #21: Key ID 94
Crypto Group A
Keyset A1
Keyset A2
Zone 1, Chan 2
Zone 2, Chan 4
Zone 2, Chan 5
Zone 3, Chan 1
Zone 3, Chan 2
11.1.5 FIPS AND NON-FIPS MODES
FIPS 140-2 is a Federal Information Processing
Standard for encrypted radios used by the Federal
Government. This standard specifies Federal security
requirements for cryptographic modules for a wide
range of applications and environments. All 5300
models are FIPS certified.
11.2 ENCRYPTION KEYS
11.2.1 INTRODUCTION
An encryption key is a cryptographic variable
that is required by the encryption algorithm to encrypt
and decrypt voice or data. To maintain system security,
these keys must be protected from disclosure and also
periodically replaced or updated.
With the AES and DES encryption used by
EFJohnson radios (see Section 11.1.2), the same
encryption key is used by both the encrypting
(sending) and decrypting (receiving) radio. AES
encryption keys are generated from a string of 64
hexadecimal characters, and DES keys are generated
from a string of 16 hexadecimal characters. Another
four hexadecimal characters are used to specify the
key ID. Multiple keys can be loaded into a radio using
OTAR or manual loading.
When an encrypted message is transmitted, the
encryption Algorithm ID (ALID) and key ID (KID)
are usually included in the message. This tells the
receiving radio which key and algorithm must be used
to decrypt the message.
If an attempt is made to transmit a secure
message without loading the corresponding key,
“KEYFAIL” is displayed. The message must then be
transmitted in the clear mode (this is possible only if
the channel is strapped to “switchable”) or the key
must be loaded.
11.2.2 KEY AND ALGORITHM IDS
Each encryption key is programmed with a Key
ID (also called Logical ID). This ID plus the algorithm
ID (ALGID) is transmitted in the message. The radio
receiving the message must have a key programmed
with the same IDs in order to decrypt it.
11.2.3 PID/SLN KEY MANAGEMENT MODES
NOTE: The term “SLN” from the Project 25 specifica-
tion is equivalent to “CKR” (Common Key Reference)
also used to define this parameter.
The channels, talk groups, and other calls that use
encryption are linked to a specific Physical ID (PID)
when the radio is programmed using the PCConfigure
programming software. For example, Zone 1, channel
1 could be programmed to select the key in PID 1 and
Zone 1, channel 2 could select the key in PID 3. The
PID ranges are 0-15 when the PID mode is selected,