Managing the Radio | 205
Aprisa SRi User Manual 1.1.0
Controls
The ‘Save’ button saves the Key Encryption Key settings to the radio. If the Security Level is set to Strong
(see page 210), this button will be grayed out.
The ‘Load From USB’ button loads the Key Encryption Key settings from the USB flash drive. If a USB flash
drive is not detected, this button will be grayed out.
The ‘Copy To USB’ button copies the Key Encryption Key settings to a file called ‘asrkek.txt’ on the USB
flash drive. This settings file can be used to load into other radios. If a USB flash drive is not detected or
the Security Level is set to Strong (see page 210), this button will not be shown.
Key Encryption Key Summary
The security of over-the-air-rekeying depends on a truly random Key Encryption Key. This is why the use of
a Raw Hexadecimal key is recommended: a plain text phrase based on known spelling and grammar
constructs is not very random. The default Key Encryption Key is provided only to allow testing of the
security mechanism and is not intended for operational use. Using the default Key Encryption Key
undermines the security of the AES payload encryption because an attacker using the default Key Encryption
Key would immediately recover the AES payload key after the first over-the-air-rekeying event.
When the Security Level is set to Strong, various protections are applied to the Key Encryption Key setting
to prevent tampering. In addition, the Key Encryption Key Type, Key Encryption Key Size, and the Key
Encryption Key itself are all loaded from a customer-prepared USB key. This is a one-way operation to
prevent key recovery from radios. While the ability to save a Key Encryption Key to USB exists in Standard
Security Level, the Strong Security Level Key Encryption Key is not compromised because the Strong Key
Encryption Key is not the same as the Standard Security Level Key Encryption Key.
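
The following is an added example, not part of the manual or of the vendor's software: one way to produce a Raw Hexadecimal key from a cryptographic random source and to screen a candidate key for the weaknesses the summary above describes (a typed phrase, a default key, a repeated pattern). The function names, the key sizes of 128, 192 and 256 bits, and the screening heuristics are assumptions; the format of ‘asrkek.txt’ is not described on this page, so the example does not write that file.

```python
import secrets
import string

# Assumption: AES key sizes in bits. The sizes a radio accepts are set by its
# Key Encryption Key Size option and are not listed on this page.
ASSUMED_SIZES = (128, 192, 256)
PRINTABLE = set(string.printable.encode())


def generate_kek(bits=256):
    """Return a raw hexadecimal key drawn from the operating system CSPRNG."""
    if bits not in ASSUMED_SIZES:
        raise ValueError(f"unsupported key size: {bits}")
    return secrets.token_hex(bits // 8).upper()


def kek_problems(hex_key, bits=256, known_bad=()):
    """Return the reasons a candidate raw hex key should not be deployed."""
    try:
        raw = bytes.fromhex(hex_key)
    except ValueError:
        return ["not valid hexadecimal"]
    problems = []
    if len(raw) * 8 != bits:
        problems.append(f"key is {len(raw) * 8} bits, expected {bits}")
    # known_bad holds keys that must never go into service, such as the
    # vendor default (its value is not on this page, so the caller supplies it).
    if raw in {bytes.fromhex(k) for k in known_bad}:
        problems.append("matches a known or default key")
    # A phrase typed in as hex decodes to bytes that are all printable text.
    if raw and all(b in PRINTABLE for b in raw):
        problems.append("decodes to printable text")
    # Random bytes rarely repeat; half or fewer distinct values means a pattern.
    if len(set(raw)) <= len(raw) // 2:
        problems.append("few distinct byte values")
    return problems


if __name__ == "__main__":
    key = generate_kek(256)
    print(key, kek_problems(key) or "no problems found")
```

An empty result from kek_problems means only that none of these specific weaknesses was found; it does not measure how random the key is, which depends on the source that produced it.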