E F Johnson Company 2424140 User Manual

SECURE COMMUNICATION (ENCRYPTION)
Page 66 of 73
Figure 10-3   Encryption Parameter IDs
radios within the radio system. One of the main tasks of the KMF is to maintain a database of information contained in each radio. This information may include the following:
- TEKs (main Traffic Encryption Keys)
- KEKs (Key Encryption Keys) used to encrypt OTAR messages
- Keysets (groups of TEKs or KEKs)
- Crypto groups (groups of keysets)
- Cryptonets (groups of radios using the same keys)
- Individual and group Radio Set Identifiers (RSIs)
- List of probable lost or stolen radios
The KMF performs OTAR functions by exchanging Key Management Messages (KMMs) with the radios. Both the KMF and the radio can originate messages. Some functions performed by the KMF are as follows:
- Loading new keys
- Modifying keys
- Initiating keyset switch-overs
- Modifying keyset attributes
- Deleting one or more keys (to remove a radio from a cryptonet)
- Deleting all keys (zeroize) when a radio may be lost or compromised
- Determining if a radio is on the air and reading key information
- Changing individual and group RSIs
10.4.6  MESSAGE NUMBER PERIOD (MNP)
One of the parameters programmed in a radio utilizing OTAR is the Message Number Period (MNP). This parameter is programmed as described in Section 10.5.2. It is used to minimize the possibility of someone sending messages to “spoof” the system. The MNP is used as follows.
Every message sent out has a message number. The message number increments by one with each message sent. The MNP is the maximum difference allowed between messages. For example, if the MNP is set to 1000 and the last message number received by the radio differs by more than 1000 from the current message number, the current message is ignored. If the MNP is set to 65535, message numbers are ignored.
When determining this number, consider the likelihood of someone trying to spoof the system by retransmitting recorded messages and then adjust the MNP accordingly. The higher the risk, the smaller the MNP should be. A disadvantage of setting a low MNP is that the chance of blocking out intended messages becomes higher. In addition, traffic level and terrain contribute to lost messages and should also be considered when selecting this number.
A setting of 1000 is a good compromise because it blocks out genuinely old messages but is unlikely to affect anything intentionally sent out by the system (1000 messages sent to a single radio is not likely to occur in a system in less than a year with normal usage).
10.4.7  DEFINITIONS
Algorithm - Refers to the specific encryption standard (DES or AES) that is used to encrypt a message. Each standard uses different calculations to perform the encryption (see Section 10.1.2).
Algorithm ID (ALGID) - Identifies the algorithm (DES or AES) used to encrypt a message. This ID and the Key ID are transmitted with each message to uniquely identify the key being used.
Black - Refers to information that is encrypted. The opposite is “Red”, which refers to unencrypted information.
Common Key Encryption Key (CKEK) - This is a KEK common to a group of subscriber units which share the same encryption keys (are part of the same crypto group). These keys can be the DES or AES
[Figure 10-3 content recovered from the extracted layout: Crypto Group ID (4-bit, 0-15 / 0-F); Keyset ID (8-bit, 0-255 / 0-FF); SLN/CKR ID (16-bit, 0-65535 / 0-FFFF). The bit-field diagram itself is not reproduced here.]