MOTOTRBO: Setting up AES

***UPDATED 30.04.18***


MOTOTRBO offers three types of privacy mechanisms – Basic, Enhanced, and Advanced Encryption Standard (AES). Basic Privacy utilizes an 8-bit XOR algorithm and therefore may not be interoperable with other vendors' privacy offerings.

Enhanced Privacy uses the well-known Alleged RC4 algorithm. The key length is 40 bits.
Enhanced Privacy should inter-operate with other vendors' encryption, provided they use the same algorithm and key length.

AES is a specification for the encryption of electronic data, established by the US National Institute of Standards and Technology. Additionally, the DMR Association has defined a specific method by which AES can be used for DMR voice encryption. MOTOTRBO supports AES Payload Encryption with a 256-bit shared encryption key length, as defined in the DMR Association standard.

The main difference between Basic and Enhanced Privacy is that Enhanced Privacy provides a higher level of protection and supports multiple keys in a radio, compared to one key in the case of Basic Privacy. AES has a higher level of protection when compared to Enhanced Privacy. Like Enhanced Privacy, AES supports multiple keys in a radio.

These three privacy mechanisms are not interoperable with each other. Basic and Enhanced Privacy mechanisms cannot operate in a radio at the same time. Similarly, AES can only coexist with Enhanced Privacy.

Also, it is not possible for Basic Privacy to coexist with Enhanced Privacy. But, it is possible for Enhanced Privacy to coexist with AES on a repeater. In direct mode, all the radios which communicate with each other on the same talkgroup must use the same privacy mode.

No configuration is required in the repeater to support AES, other than setting the Privacy to Enhanced. The repeater does not encrypt or decrypt any encrypted payload; this is done in the radio or MNIS.

AES and Symmetric Key options are visible in the CPS only if the AES feature is purchased. The part number for the AES Licence is HKVN4241A. The radios and MNIS instances in a system require configuration for AES. In the CPS and MNIS Configuration Tool, the Symmetric Keys are listed in the Security page under AES.

Setting the Privacy to None or Enhanced is independent from the Symmetric Keys configuration. Basic Privacy does not work with AES so if it's selected, the radio/MNIS bypasses AES for any transmissions, even if Symmetric Keys are present. 
The firmware needs to be R02.30.00 or later and the AES Licence needs to be purchased.
The radio allows the privacy type selection of None or Enhanced to be configured with or without Symmetric Keys. Only one privacy type is allowed on each radio channel. Radios allow up to 16 different Symmetric Keys to be configured. Each Symmetric Key can be up to 256 bits in length.

The Enhanced Privacy option allows the repeater to repeat the AES and Enhanced Privacy encrypted audio and data bursts. For proper functioning of the repeater in a system with AES encrypted transmissions, the repeater must be running on firmware version R02.30.00 or later.

A radio can be configured with both Enhanced Privacy keys and Symmetric Keys. The radio can receive audio and data calls encrypted with AES or Enhanced Privacy keys, from any talkgroup in the RX Group List that is tied to a personality, as long as the same key and privacy type of the transmitting radio is selected in the personality.
The AES key range is from 1 to FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE

Although key management is not a feature of MOTOTRBO, Radio Management can be used to pre-configure and manage the Symmetric Keys. AES uses the Symmetric Keys as encryption keys. The MNIS requires Symmetric Keys configuration for AES encryption. MNIS allows up to 255 Symmetric Keys.
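
An added example, not from the original post or from Motorola: a Python helper that generates Symmetric Keys with a CSPRNG and audits a key list against the limits stated above (key range, 16 keys per radio, 255 per MNIS). The key IDs, the function names and the `POLICY_MIN_BITS` threshold are assumptions for illustration.

```python
import re
import secrets

# Limits taken from this page.
KEY_MIN = 1
KEY_MAX = int("F" * 63 + "E", 16)   # page's upper bound, read as 64 hex digits
MAX_KEYS = {"radio": 16, "mnis": 255}
# Assumption (local policy, not a MOTOTRBO rule): flag keys with fewer
# significant bits than this, since a short value forfeits most of the keyspace.
POLICY_MIN_BITS = 192
HEX_KEY = re.compile(r"[0-9A-Fa-f]{1,64}")


def generate_key():
    """Return a CSPRNG key as 64 upper-case hex digits inside the valid range."""
    while True:
        value = secrets.randbits(256)
        if KEY_MIN <= value <= KEY_MAX:   # rejects only 0 and all-F
            return f"{value:064X}"


def audit_keys(keys, device="radio"):
    """Audit a {key_id: hex_string} mapping; return [(key_id, problem), ...]."""
    problems = []
    if len(keys) > MAX_KEYS[device]:
        problems.append((None, f"more than {MAX_KEYS[device]} keys for {device}"))
    seen = {}
    for key_id, text in keys.items():
        if not HEX_KEY.fullmatch(text):
            problems.append((key_id, "not a hex string of 1 to 64 digits"))
            continue
        value = int(text, 16)
        if not KEY_MIN <= value <= KEY_MAX:
            problems.append((key_id, "outside the allowed key range"))
        elif value.bit_length() < POLICY_MIN_BITS:
            problems.append((key_id, "shorter than policy minimum"))
        if value in seen:
            problems.append((key_id, f"duplicate of key {seen[value]}"))
        seen.setdefault(value, key_id)
    return problems


if __name__ == "__main__":
    # Constructed sample key list; none of these values come from a real system.
    sample = {1: generate_key(), 2: "1", 3: "F" * 64, 4: "0", 5: "1"}
    for key_id, problem in audit_keys(sample):
        print(key_id, problem)
```
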

The key drop-down in an AES enabled radio.

25 comments:

  1. As I can to understand, encryption - the MOTOTRBO radio, and never option board feature?
    Can the encryption be feature of option board in appliance with DMR standard?


    1. I'm not sure I understand your question. Are you asking whether it is possible to have the option board handle the encryption, rather than the radio?

  2. Is Mototrbo and Hytera interoperable by using AES 256 encryption ?

    1. I don't think Hytera does AES256 - only 128 bit.

    2. I had a look and some Hytera radios do AES256 and will work with MOTOTRBO radios. What is not clear is which (Hytera) models and which firmware packages - not all of them seem to support this, apparently.

  3. Dear Mr.Wayne,

    Can AES 256 be OTARed, and if yes, what are the requirements? Thanks for your support.

    1. Yes, the key in a radio can be updated over the air by OTAP and Radio Management.

    2. The only requirements are: Radio Management setup and AES in the radio.

  4. Is this EID (AES-256) easily purchased from MOL, will they sell it to the public? I have heard there are issues with buying this option.

    1. In EMEA at least, unless you are on one of the antiterrorist or the country isn't under embargo/sanction, then you can purchase this. I don't know about North America though.

    2. I have heard that in Canada it is next to impossible.

    3. Sorry, I have no knowledge of how this works in North America. My suggestion would be to contact a local dealer via the SUPPORT link above.

  5. Hi Wayne,

    I was wondering if you could assist me.
    We run a radio net through a shared repeater. All of our radios are on Enhanced Privacy, but we still hear the other users in clear even though we are transmitting Enhanced Privacy.
    Is there a setting that we can apply to only receive our own Enhanced Privacy transmissions, or does MOTOTRBO not cater for this?
    Thanks in advance for the help !
    Nick

    1. A radio which has Enhanced Privacy enabled will un-mute to calls on the same Talkgroup which are clear. Currently the way to avoid this, is to put the encrypted radios/calls on another Talkgroup.

  6. Hi friend can you help me? Some frequencies here use Basic Privacy (BP) How can I find out the 255 keys so that I can test one by one and see which is the correct key on a frequency that releases the audio from the transmission? I have a Motorola DGM6100 + radio and I do not know how to discover this basic privacy key. Can you help me? Thank you very much.

    1. Contact the owner of the system.

  7. Good morning Wayne,

    Can a 256 bit AES enabled radio inter-operate with a 128 bit AES radio? i.e. be a 128 bit AES radio when it needs to be, and a 256 bit AES radio at other times?

    1. The DMR standard does not allow for that since the frame structure would be different if 128 bit or 256 bit encryption was used.

    2. Thank you for that, Wayne. Have a great day.

  8. Hi!

    I have installed AES on three radios (EMEA, DP4801e and SL4010e, latest 15.5 CPS and firmware), so far it works fine.

    Just one thing is annoying, each channel with AES enabled defaults to AES. However I would like to have this as additional feature, to turn it on on demand, as not all radios in the net have AES. When I disable it by the menu (or the assigned key), the channel keeps this setting, and AES remains off. However reprogramming the radio reverts this setting. Also it does not work to disable AES manually on the affected channels, read the radio and write it again, to have this setting in the codeplug file. No way :(

    Do I miss something, or is this behavior intended?

    Ralph.

    1. That seems odd. Without exact details it’s hard to say. Maybe this is something for your Dealer/Distributor to investigate — see https://cwh050.blogspot.de/p/support.html.

    2. Ah, well, our dealers and distributors hardly know what AES is, and I don't expect being taken seriously there :) Really a pity that Mother Moto is as tight as an oyster to the normal small customers. But I will dig a bit around and pull some wires...

    3. I checked and my observations differ from what you are seeing. This is why I've asked you to involve your Distributor/Reseller as some investigation is needed. It is their responsibility to provide the support you need.

      I am not Motorola technical support, so your Distributor/Reseller needs to "Nägel mit Köpfen machen" and help you. If you're not satisfied with their response, please share the details with me so I can "Feuer unterm Ar$ch machen".

    4. My contact form is located at http://bit.ly/2FUvbaB
