SECURE COMMUNICATION (ENCRYPTION)
Black -
Refers to information that is encrypted. The
opposite is “Red” which refers to unencrypted
information.
Common Key Encryption Key (CKEK) -
This is a
KEK common to a group of subscriber units which
share the same encryption keys (are part of same
crypto group). These keys can be the DES or AES
type. The use of a common key allows the subscriber
units to be rekeyed by the KMF using one Key
Management Message. Refer to “KEK” for more
information.
Common Key Reference (CKR) Group -
Same as
Storage Location Number (SLN).
Crypto Group -
A group of up to 16 keysets
containing the same type of keys (either TEK or
KEK). Although a crypto group can contain up to 16
keysets, only two are normally used. Only one keyset
in a crypto group is active at a time. EFJohnson radios
currently support only one crypto group.
Cryptographic Variable -
The variable used by a
cryptographic algorithm to encrypt a message. Also
called a “key”.
Currency -
Relates to the need for key updates. If a
subscriber unit is current, it does not require a key
update at the current time. If it is not current, the KMF
has new keys for that subscriber unit or CKR group that
have not been sent or have been sent but not
acknowledged.
Group Rekeying -
The process of changing the keys
in several subscriber units with a single message
addressed to the group rather than changing each
subscriber unit separately. This addressing is done
using a group RSI. Group rekeying reduces system
overhead and makes rekeying more efficient.
Subscriber units in the same group must be
programmed with a common KEK (CKEK) and use
the same TEKs.
Key -
A variable used by a cryptographic algorithm to
encrypt voice or data. Also called “Cryptographic
Variable”.
Key Encryption Key (KEK) -
A key used to encrypt
keys contained in Key Management Messages
(KMMs) during OTAR. These messages may themselves
be encrypted by the currently active TEK.
These keys can be the AES or DES type. There are
KEKs unique to a subscriber unit (UKEK) and
common to a group (CKEK). The other type of key is
the Traffic Encryption Key (TEK) used to encrypt
voice and data messages.
Key ID -
This is a 16-bit (four hex digit) numeric identifier
from 1-65535 for an encryption key which
allows the key to be identified without revealing the
actual key variable. This ID and the Algorithm ID
uniquely identify a key within the KMF or subscriber
unit. Therefore, two keys can have the same ID if they
have different algorithm IDs and vice versa. The Key
ID and Algorithm ID are usually transmitted with a
message to identify the key that must be used to
decrypt it. Key ID 0 is not used with OTAR.
Key Management Facility (KMF) -
The equipment
and software which provide OTAR and related key
management services to the subscriber units.
Key Management Message (KMM) -
These are the
messages composed by the KMF to send encryption
information to subscriber units via the keyloader or
OTAR. KMMs are themselves encrypted using two
layers of encryption: inner and outer. The inner layer
of encryption uses the KEK and the outer layer uses the
TEK. At this layer, the KMMs are also included in a
Common Air Interface (CAI) message which adds
another layer of addressing. In addition, a Message
Authentication Code (MAC) is used.
Keyset -
A group of keys of the same type (KEK or
TEK) that are managed as a single entity (they can be
updated, deleted, and rekeyed with a single
command).
Keyset Changeover -
The process used to switch a
subscriber unit to another keyset so that the unused
keyset can be replaced without interrupting encrypted
communication.
Key Loader -
Any type of device used to load encryption
keys into a radio. With OTAR, this device must be
used to provide the initial key loading of a subscriber
unit so that it contains the basic keys needed for
OTAR by the KMF. If OTAR is not utilized, it is always
used to load encryption keys. All keys stored in the