A clear radio can set up calls to and receive calls from encrypted radios. The system informs the encrypted radios that
the call is with a clear radio and they switch to clear operation. Class 2 and 3 radios can only act as described if they
are allowed to operate in a lower class.
Group Cipher Keys Encryption (Class 3G)
For Security Class 3G, the system allows encryption of group-addressed signaling and dedicated group call traffic
using GCKs to cryptographically isolate talkgroups. The downlink signaling is encrypted using the MGCK, which is
cryptographically derived from the CCK associated with the serving cell and the GCK associated with a given
talkgroup. The SwMI does not change GCK and CCK simultaneously. Whenever a GCK change occurs, CCK
changes are frozen for that period.
The DCK is derived from either the one-way or the mutual authentication process, and the CCK is received during
registration, whereas the GCK is received through the OTAR mechanism only.
The radio supports over-the-air and manual provisioning of key associations that link a GCK to one or more TMO
talkgroups, and manual provisioning of KAG to one or more DMO talkgroups.
The system can allow the operator to group contiguous ranges of TMO SSIs. This applies where
every talkgroup residing within the address range is assigned the same GCK association. These ranges, referred to
as Key Association Ranges (KAR), are used to convey the TMO talkgroup and GCK relationships to the relevant
SwMI and radios responsible for GCK functions.
Over-the-Air-Rekeying
TETRA systems support GCK encryption for specific talkgroups:
• Group Over-the-Air-Rekeying (OTAR) of GCK.
• Group OTAR of fallback TM-SCK.
• Group OTAR of DM-SCK, including management of the cryptographic schedule of DM-SCKs.
The group OTAR mechanisms require the use of the group session key for OTAR (GSKO). The GSKO is delivered to
the radio only by using individual OTAR and the session key for OTAR (KSO).
For systems utilizing group OTAR, the fundamental system operation (with respect to SCK/GCK OTAR) relies
on the sites' regular transmissions. In other words, the sites regularly broadcast information about which
security class and associated keys are in use. The sites transmit future versions of the respective keys to groups of
radios belonging to the same cryptographic management group (CMG). The radios acquire the keys before the SwMI
activates them. Then the air interface encryption service uses the keys. The sites also broadcast the current key that is
in use, which can be sent to the radio on request using the OTAR mechanism.
Note: When a radio has not received a new key before activation by the SwMI, the radio requests the
missing keys.
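The following is an added example, not taken from this manual: a Python model of the radio-side bookkeeping described above, in which Key Association Ranges resolve a talkgroup SSI to its GCK, future key versions are stored before activation, and a site broadcast naming a version the radio lacks results in a key request. The class and method names are hypothetical, the SSIs, GCK numbers and key bytes are constructed, and no TETRA PDUs or cryptographic algorithms are implemented.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class KeyAssociationRange:
    first_ssi: int    # first TMO talkgroup SSI in the contiguous range
    last_ssi: int     # last SSI, inclusive
    gck_number: int   # GCK association shared by the whole range

@dataclass
class RadioKeyStore:
    kars: list
    keys: dict = field(default_factory=dict)    # gck_number -> {version: key}
    active: dict = field(default_factory=dict)  # gck_number -> version in use

    def gck_for_talkgroup(self, ssi):
        """Resolve a talkgroup SSI to its GCK association through the KARs."""
        for kar in self.kars:
            if kar.first_ssi <= ssi <= kar.last_ssi:
                return kar.gck_number
        return None  # no association: talkgroup is not GCK-isolated

    def on_otar_key(self, gck_number, version, key):
        """Store a key version delivered by OTAR, possibly before activation."""
        self.keys.setdefault(gck_number, {})[version] = key

    def on_site_broadcast(self, gck_number, version_in_use):
        """Handle the site's announcement of the key version now in use."""
        if version_in_use in self.keys.get(gck_number, {}):
            self.active[gck_number] = version_in_use  # seamless switch
            return ("use", gck_number, version_in_use)
        # Key was activated before this radio received it: ask for it.
        return ("request", gck_number, version_in_use)

    def key_for_call(self, ssi):
        """Return the active GCK for a talkgroup call, or None if unavailable."""
        gck = self.gck_for_talkgroup(ssi)
        version = self.active.get(gck)
        return self.keys.get(gck, {}).get(version)

def demo():
    # Constructed sample data: SSIs, GCK numbers and key bytes are made up.
    store = RadioKeyStore([KeyAssociationRange(1000, 1099, 1),
                           KeyAssociationRange(2000, 2049, 2)])
    store.on_otar_key(1, 5, b"constructed-gck1-v5")
    log = [store.on_site_broadcast(1, 5)]            # key present: use it
    store.on_otar_key(1, 6, b"constructed-gck1-v6")  # future version arrives early
    log.append(store.on_site_broadcast(2, 3))        # never received: request
    log.append(store.on_site_broadcast(1, 6))        # stored future key activated
    return store, log
```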
Some systems adopt only individual OTAR methods for delivery of SCK and GCK to the radio. In such cases GSKO
is not used. Some systems employ a mix of individual and group OTAR methods. The radio supports the full complement
of functionality required to support the superset of different SwMI behaviors, for example:
• Individual OTAR (using KSO) of SCK and GCK.
• Group OTAR (using GSKO) of SCK and GCK.
• Individual OTAR (using KSO) of GSKO.
• Secure DMO Key Management (via SwMI).
• Crypto Management Group.
• Storage of 10 KAG (equivalent to 30 DM-SCK).
• Storage of 16 GCK (includes current/future versions).
• Storage of 2 TM-SCK.
• Storage of Group Association attribute per Talkgroup.
• GCK Air Interface Encryption.
• Seamless key changes of GCK.