Static Cipher Key Encryption (Class 2)
The radio supports static AIE using a set of up to 32 static cipher keys (SCK) shared by the SwMI and all authorized
radios. The radio then determines which static keys to use based on the SCK Number (SCKN) and SCK version
number (SCK-VN) broadcast by the SwMI.
A radio can be configured to support static key encryption. In that case it identifies itself during registration as a
Security Class 2 radio and attempts to negotiate Security Class 2 encryption. Each radio then uses either the TEA1 or
the TEA2 (TEA3 for Asia and Pacific) Key Stream Generator (KSG) algorithm. Each radio contains only one of
those algorithms in its software.
When Security Class 2 Encryption has been negotiated, encrypted PDUs are encrypted using SCK.
In DMO, the system manager may choose the SCK and the key may be distributed from the TMO SwMI using the
OTAR mechanism or provided manually using KVL.
Derived Cipher Key and Common Cipher Keys Encryption (Class 3)
DCK/CCK are required to prevent over-exposure of key material. Existing encryption systems use Static Cipher Keys
(SCK), where one key is used for all radios and all calls. Key material is often exposed, and changing an SCK
requires programming all radios and base stations.
DCK is used for individually addressed TM-SDUs (Service Data Units). DCK/CCK encryption provides a Derived
Cipher Key (DCK) for uplink (from the radio to the BTS) communication and a Common Cipher Key (CCK) for
downlink (from the BTS to the radios) group communication. The DCK is derived from either the one-way or the
mutual authentication process, and the CCK is received during registration.
Radios supporting dynamic key encryption identify themselves to the system as Class 3 radios during registration
and attempt to negotiate Class 3 encryption. A Class 3 radio supports group addressed signaling and group call traffic
encryption using CCKs, as well as encryption of uplink and downlink individually addressed signaling messages and
individual call traffic (private or phone) using its DCKs. The radios support Over-the-Air-Rekeying (OTAR) of the
CCK by the system.
A clear radio can set up calls to and receive calls from encrypted radios. The system informs the encrypted radios that
the call is with a clear radio and they switch to clear operation. Class 2 and 3 radios can only act as described if they
are allowed to operate in a lower class.
Group Cipher Keys Encryption (Class 3G)
For Security Class 3G, the system allows group addressed signaling and dedicated group call traffic encryption
using GCKs to cryptographically isolate talkgroups. The downlink signaling is encrypted using an MGCK that is
cryptographically derived from the CCK associated with the serving cell and the GCK associated with a given
talkgroup. The SwMI does not change GCK and CCK simultaneously. Whenever a GCK change occurs, CCK
changes are frozen for that time period.
The DCK is derived from either the one-way or the mutual authentication process and the CCK is received during
registration, whereas the GCK is received through the OTAR mechanism only.
The radio supports over-the-air and manual provisioning of key associations that link a GCK to one or more TMO
talkgroups, and manual provisioning of KAG to one or more DMO talkgroups.
The system can let the operator group contiguous ranges of TMO SSIs. This applies where every talkgroup
within the address range is assigned the same GCK association. These ranges, referred to
as Key Association Ranges (KAR), are used to convey the TMO talkgroup and GCK relationships to the relevant
SwMI and radios responsible for GCK functions.
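An added example, not taken from this manual or from any radio or SwMI software: a Python audit of a Key Association Range table that rejects overlapping ranges and lists the talkgroups that fall outside every KAR. The range values, GCK labels and function names are constructed for illustration, and the fallback to the CCK alone for a talkgroup with no GCK association is an assumption the text above does not state.

```python
from bisect import bisect_right
from typing import NamedTuple, Optional


class KAR(NamedTuple):
    first_ssi: int  # lowest talkgroup SSI in the range (inclusive)
    last_ssi: int   # highest talkgroup SSI in the range (inclusive)
    gck_id: int     # hypothetical label for the GCK association


def validate(kars):
    """Return the KARs sorted by first_ssi; reject inverted or overlapping ranges."""
    ordered = sorted(kars)
    for i, k in enumerate(ordered):
        if k.first_ssi > k.last_ssi:
            raise ValueError(f"inverted range: {k}")
        if i and ordered[i - 1].last_ssi >= k.first_ssi:
            raise ValueError(f"overlapping ranges: {ordered[i - 1]} and {k}")
    return ordered


def gck_for(ordered, ssi) -> Optional[int]:
    """Binary-search the validated ranges for the one containing ssi."""
    i = bisect_right([k.first_ssi for k in ordered], ssi) - 1
    if i >= 0 and ordered[i].last_ssi >= ssi:
        return ordered[i].gck_id
    return None


def downlink_group_key(ordered, ssi) -> str:
    """Name the key that protects downlink group signaling for a talkgroup."""
    gck = gck_for(ordered, ssi)
    # Assumption: without a GCK association only the cell-wide CCK applies.
    return f"MGCK(CCK, GCK#{gck})" if gck is not None else "CCK"


def unisolated(ordered, talkgroups):
    """Talkgroups outside every KAR, i.e. not cryptographically isolated."""
    return [t for t in talkgroups if gck_for(ordered, t) is None]


# Constructed sample data, not values from a real network.
SAMPLE_KARS = [KAR(1000, 1099, 1), KAR(2000, 2049, 2), KAR(1100, 1199, 3)]
SAMPLE_TALKGROUPS = [1005, 1100, 1500, 2049, 2050]

if __name__ == "__main__":
    kars = validate(SAMPLE_KARS)
    for tg in SAMPLE_TALKGROUPS:
        print(tg, downlink_group_key(kars, tg))
    print("not isolated by a GCK:", unisolated(kars, SAMPLE_TALKGROUPS))
```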
Over-the-Air-Rekeying
TETRA systems support GCK encryption for specific talkgroups:
• Group Over-the-Air-Rekeying (OTAR) of GCK.