SECURE COMMUNICATION (ENCRYPTION)
58
11.4 OTAR (OVER-THE-AIR REKEYING)
11.4.1 INTRODUCTION
OTAR stands for “Over-The Air-Rekeying”. This
is the process of sending encryption keys and related
key management messages over-the-air to specific
radios. The advantage of OTAR is that it allows these
keys to be quickly and conveniently updated when
necessary. It is no longer necessary to periodically
travel to the radio location or bring the radio into a
maintenance facility to load new keys.
The actual OTAR rekeying functions are
performed by a Key Management Facility (KMF) that
sends Key Management Messages (KMM) to the
radios. These messages are themselves encrypted
using a unique key. Radios must be OTAR-compatible
and programmed for OTAR for this type of rekeying to
occur.
Currently, OTAR is available only on P25
conventional channels, and only to program DES-OFB
keys (future programming on P25 trunked channels
and of AES keys is planned). It is not used on
SMARTNET/SmartZone channels or to load DES/
DES-XL keys.
11.4.2 ENCRYPTION KEY TYPES
There are two types of keys used with OTAR:
TEK (Traffic Encryption Key) -
The key used to
encrypt voice and data traffic. All radios using encryp-
tion must have at least one of these keys. This is also
another name for the keys used without OTAR.
KEK (Key Encryption Key) -
The key used to
encrypt keys contained in OTAR Key Management
Messages (KMMs). All radios which use OTAR must
contain at least one of these keys. The KEK used to
decrypt/encrypt keys in an OTAR message is defined
by the algorithm and key IDs transmitted in the
decryption instructions field. A KEK may be unique to
a particular radio (UKEK) or common to a group of
radios (CKEK).
11.4.3 KEYSETS
To simplify key management, a number of keys
may be grouped together in a keyset. A keyset is
simply a set of one or more keys of the same type
(either TEK or KEK). Keysets are identified by Keyset
IDs, and the upper four bits of this ID specify the
crypto group (see next section).
The KEK keyset is considered always active and
is ID 255. Two TEK keysets are normally used, and
one is always active and the other inactive. This allows
the inactive keyset to be replaced without interrupting
operation. One is Keyset ID 1 and the other Keyset ID
2. With EFJohnson radios, each keyset can contain up
to 128 keys, but less than 16 are normally used for
optimum keying efficiency and because only up to 16
can be selected by the radio.
The active keyset is usually selected by the Key
Management Facility. It can also be selected by the
EFJohnson SMA keyloader or by the user if the
KY
CHG
option switch is programmed. Automatic keyset
changeovers are not supported by EFJohnson radios.
In the SLN mode (see Section 11.2.3), two TEK
keysets can be used if desired even if OTAR is not
used.
A diagram of a keyset is shown in Figure 11-2.
Some information may be optional as shown. The
5300 mobile does not support or use the Update Item
and Time/Date parameters.
Figure 11-2 Keyset Diagram
11.4.4 CRYPTO GROUPS
A crypto group contains up to 16 keysets of the
same type of key, either TEK or KEK (see Section
11.4.2). However, only two keysets are typically used
as just described. Crypto groups are used to help
manage keys such as when a radio uses keys with
different active times or multiple algorithms.
16-Bit Keyset ID
Algorithm ID
Update Item (Opt)
Time/Date (Opt)
Keyset Name (Opt)
Key 1
Key 2
Key 4096
(upper 4 bits are
Crypto Group)