Manualshelf

Operating Manual

ManualsBrandsE F Johnson ManualsElectronics5100 ES Series VHF Radio
919293949596979899100
March 2008 5100 ES Models II/III Portable Radio Operating Manual 10-7
Secure Communication (Encryption)
10.4 Over-The-Air Rekeying (OTAR)
Over-The Air-Rekeying (OTAR) is the process of sending encryption keys and related key
management messages over-the-air to specific radios. The advantage of OTAR is that it
allows these keys to be quickly and conveniently updated when necessary. It is no longer
necessary to periodically travel to the radio location or bring the radio into a maintenance
facility to load new keys.
The actual OTAR rekeying functions are performed by a Key Management Facility
(KMF) that sends Key Management Messages (KMM) to the radios. These messages are
themselves encrypted using an encryption key. Radios must be OTAR-compatible and
programmed for OTAR for this type of rekeying to occur.
OTAR is available only on P25 conventional and trunked channels, and only to program
DES-OFB and AES keys. It is not used on SMARTNET/SmartZone channels.
10.4.1 Encryption Key Types
There are two types of keys used with OTAR:
TEK (Traffic Encryption Key) - The key used to encrypt voice and data traffic. All
radios using encryption must have at least one of these keys.
KEK (Key Encryption Key) - The key used to encrypt keys contained in OTAR Key
Management Messages (KMMs). All radios which use OTAR must contain at least one
of these keys. The KEK used to decrypt/encrypt keys in an OTAR message is defined
by the algorithm and key IDs transmitted in the decryption instructions field. A KEK
may be unique to a particular radio (UKEK) or common to a group of radios (CKEK).
10.4.2 Keysets
To simplify key management, OTAR divides the TEK keyspace into multiple sets.
Exactly one of these sets is said to be active at any given time, and only keys in the
currently active set will be selected for use when encrypting voice traffic. The 5300 radio
supports two such keysets, Keyset 1 and Keyset 2. The valid SLN range for Keyset 1 and
Keyset 2 is 1 through 4095. 5300 radios can be assigned up to 64 SLNs in this range. See
Figure 10.1.
Notice that if all radios in a cryptonet are using traffic keys from the same active keyset,
the keys contained in the inactive keyset of each radio can be replaced without disrupting
encrypted communications. Once the keys in the inactive keyset are replaced for every
radio in a given cryptonet, the radios can switch active keysets and start using the new
keys. After all radios are using the new keys, the keys in the previously used keyset can
then be replaced, and so on. It is the task of the Key Management Facility to coordinate
this key cycling activity.