Jump to content
  • 0

AES 256 Encryption

Wrvq441

Asked by Wrvq441,

 Share

Question

Wrvq441 Enthusiast

Wrvq441

Posted
Posted

Hello everyone, and yes, I am aware that it is not legal to encrypt on GMRS, but I realize that we have much more than GMRS operators on this forum, and I’m a technology geek that likes to know how things work.

So my question basically requires a yes/no answer if you leave all of the legalities out.

If you and someone else has AES 256 Encryption installed with the same key, and can communicate back and forth on simplex; could you also communicate through a regular repeater, or would something be lost? Would it take a special repeater to relay the encryption?

Thanks in advance!

12 answers to this question

Recommended Posts

  • 0
WRKC935 Mentor

WRKC935

Posted
Posted

Yeah, the only analog (WIDE BAND ONLY) encryptions that were available were DVP and DES OFB.

Those would work through SOME analog repeaters and not in others.  There was a 'SecureNet' encryption that Motorola had back in the day but your getting WAY back.

To run AES (any version) you are gonna need a few things. 

First is radios that support that encryption algorithm.  Then you will need a way to put keys in the radios (a keyloader or some hardware tool that will load keys)

Radios will of course need to have the same keys in both of them to make it work.  And range is reduced when running secure because the error correction works better with plain P25 and the added encryption will require a lower BER (Bit Error Rate) to function correctly and not pixelate.

I run secure on a number of radios.  I will not get into where these are run, but I have equipment that supports DES and AES on VHF, UHF and 900 Mhz. 

 

  • 0
WRKC935 Mentor

WRKC935

Posted
Posted
5 hours ago, Lscott said:

The Anytone D878 and D578 claim to do AES256 bit. They don't require a keyloader either.

https://www.anytone.net/video/products-detail-935076

1501737926_D878AESEncryption.thumb.jpg.f99fe4d01501876e6df7b6103c7d541a.jpg

That right there is frankly terrifying.  There are standards and requirements for encryption to keep it secure.  At least for P25 equipment.  One of which is the fact you can't see the key other than when it's typed into a key loader.  Once it's in there, it can't be read by others.   And it's never fully displayed on the key loader beyond that.  From what you are showing me here, someone could take one of these radios and read it and have the key.  In any compliant radio, if you open the radio and attempt to access the UCM (crypto module) the module dumps the keys in it.  The backup battery for the memory actually gets grounded through the cover that protects the module.  Removing the cover disconnected the battery from the module and the memory gets erased.  Again, this is a P25 standard, DMR standards are not gonna be that high.

There are a number of other standards and requirements for securing the keys in a compliant encrypted radio.  It seems that this radio doesn't meet any of those requirements.  But I am thinking these radios are DMR and not P25.  I have not messed with AES on DMR.  The MOTOTRBO radios in the US I don't believe are available with AES encryption.  I know there are some that have it, but the ones I know of had it hacked into the radio .  It is available in other countries however.

All that being said.  I would question if the Anytone radio does any sort of analog encryption AES or otherwise or if it's JUST for DMR specifically.  Both DMR and P25 are both digital formats that a data stream gets transmitted and not analog audio.  Both have added parity and other information in the data stream beyond the audio intelligence.  

But I also remember that DVP and DES OFB in analog would significantly decrease range because there was no error correction on it at all due to there not being any overhead data stream being transmitted for error correction to take place.  And those were significantly less secure and complex than AES referring to the complexity of the key and the algorithm.  It did require a full quieting signal and any interference on the frequency in use would stop the ability of the receiving radio to decrypt the signal.

But being able to read out a radio and see the encryption key in that radio almost completely defeats the purpose of having encryption to begin with. 

I guess I should preface this with the fact I keep my encryption info and key loader in a vault located in my gun safe.  So it's stored in a vault within a vault.  The paper documents that have my keys written down on them are in the same place.  While I do have keys that are shared outside my equipment with others, I load those radios and key loaders for those that have them and I don't share MY personal key with anyone.  All my gear is multikey and the stuff I have in my inventory get keyed with a number of keys including my personal key that only exists in my radios.  Do I have a specific reason to take it that far?  Not really, other than personal OPSEC. But I can do it that way and the 'family key' isn't loaded on any gear that someone outside the family would have access to.  But when I switch to channels that are strapped secure and say something on those channels, I have little doubt that no one else hears what is said. 

 

  • 0
Lscott Grand Master

Lscott

Posted
Posted
46 minutes ago, WRKC935 said:

That right there is frankly terrifying.  There are standards and requirements for encryption to keep it secure.  At least for P25 equipment.  One of which is the fact you can't see the key other than when it's typed into a key loader.  Once it's in there, it can't be read by others.   And it's never fully displayed on the key loader beyond that.  From what you are showing me here, someone could take one of these radios and read it and have the key.  In any compliant radio, if you open the radio and attempt to access the UCM (crypto module) the module dumps the keys in it.  The backup battery for the memory actually gets grounded through the cover that protects the module.  Removing the cover disconnected the battery from the module and the memory gets erased.  Again, this is a P25 standard, DMR standards are not gonna be that high.

There are a number of other standards and requirements for securing the keys in a compliant encrypted radio.  It seems that this radio doesn't meet any of those requirements.  But I am thinking these radios are DMR and not P25.  I have not messed with AES on DMR.  The MOTOTRBO radios in the US I don't believe are available with AES encryption.  I know there are some that have it, but the ones I know of had it hacked into the radio .  It is available in other countries however.

All that being said.  I would question if the Anytone radio does any sort of analog encryption AES or otherwise or if it's JUST for DMR specifically.  Both DMR and P25 are both digital formats that a data stream gets transmitted and not analog audio.  Both have added parity and other information in the data stream beyond the audio intelligence.  

But I also remember that DVP and DES OFB in analog would significantly decrease range because there was no error correction on it at all due to there not being any overhead data stream being transmitted for error correction to take place.  And those were significantly less secure and complex than AES referring to the complexity of the key and the algorithm.  It did require a full quieting signal and any interference on the frequency in use would stop the ability of the receiving radio to decrypt the signal.

But being able to read out a radio and see the encryption key in that radio almost completely defeats the purpose of having encryption to begin with. 

I guess I should preface this with the fact I keep my encryption info and key loader in a vault located in my gun safe.  So it's stored in a vault within a vault.  The paper documents that have my keys written down on them are in the same place.  While I do have keys that are shared outside my equipment with others, I load those radios and key loaders for those that have them and I don't share MY personal key with anyone.  All my gear is multikey and the stuff I have in my inventory get keyed with a number of keys including my personal key that only exists in my radios.  Do I have a specific reason to take it that far?  Not really, other than personal OPSEC. But I can do it that way and the 'family key' isn't loaded on any gear that someone outside the family would have access to.  But when I switch to channels that are strapped secure and say something on those channels, I have little doubt that no one else hears what is said. 

 

I have no doubt you're shocked! The latest version of the radio's CPS no longer allows you to read the radio to get the keys. Of course that does nothing to protect the secrecy of the keys before that point.

I have a bunch of Kenwood commercial radios that can use encryption. The encryption, if you can really call it that, is a simple bit scrambler's for the digital part and voice inversion for the analog. The NXDN radios do have a a form of encryption built in, it's part of the  "standard" for that mode, a 15 bit scrambler. For a more robust encryption an optional board is installed that can do AES and or DES. there is a port on the back a user can open to install it. That board has to meet a bunch of requirements. See attached file. This more like what you would expect.

To load the keys it seems you need a separate keyloader, or a special bit of software to load the keys and a hardware dongle to let the keyloader software to run. This one is for the older version of the module.

https://kenwoodcommunications.co.uk/acc/software/firmware/KPG-151AE/

I found your comments about the reliability of encrypted communications interesting. I never gave any thought to the idea it could be any different. Do you have any links to more info on that?

 

NX-300 Option Port.JPG

Kenwood Secure Cryptographic Module.pdf

  • 0
SteveShannon Grand Master

SteveShannon

Posted
Posted
2 hours ago, WRKC935 said:

That right there is frankly terrifying.  There are standards and requirements for encryption to keep it secure.  At least for P25 equipment.  One of which is the fact you can't see the key other than when it's typed into a key loader.  Once it's in there, it can't be read by others.   And it's never fully displayed on the key loader beyond that.  From what you are showing me here, someone could take one of these radios and read it and have the key.  In any compliant radio, if you open the radio and attempt to access the UCM (crypto module) the module dumps the keys in it.  The backup battery for the memory actually gets grounded through the cover that protects the module.  Removing the cover disconnected the battery from the module and the memory gets erased.  Again, this is a P25 standard, DMR standards are not gonna be that high.

There are a number of other standards and requirements for securing the keys in a compliant encrypted radio.  It seems that this radio doesn't meet any of those requirements.  But I am thinking these radios are DMR and not P25.  I have not messed with AES on DMR.  The MOTOTRBO radios in the US I don't believe are available with AES encryption.  I know there are some that have it, but the ones I know of had it hacked into the radio .  It is available in other countries however.

All that being said.  I would question if the Anytone radio does any sort of analog encryption AES or otherwise or if it's JUST for DMR specifically.  Both DMR and P25 are both digital formats that a data stream gets transmitted and not analog audio.  Both have added parity and other information in the data stream beyond the audio intelligence.  

But I also remember that DVP and DES OFB in analog would significantly decrease range because there was no error correction on it at all due to there not being any overhead data stream being transmitted for error correction to take place.  And those were significantly less secure and complex than AES referring to the complexity of the key and the algorithm.  It did require a full quieting signal and any interference on the frequency in use would stop the ability of the receiving radio to decrypt the signal.

But being able to read out a radio and see the encryption key in that radio almost completely defeats the purpose of having encryption to begin with. 

I guess I should preface this with the fact I keep my encryption info and key loader in a vault located in my gun safe.  So it's stored in a vault within a vault.  The paper documents that have my keys written down on them are in the same place.  While I do have keys that are shared outside my equipment with others, I load those radios and key loaders for those that have them and I don't share MY personal key with anyone.  All my gear is multikey and the stuff I have in my inventory get keyed with a number of keys including my personal key that only exists in my radios.  Do I have a specific reason to take it that far?  Not really, other than personal OPSEC. But I can do it that way and the 'family key' isn't loaded on any gear that someone outside the family would have access to.  But when I switch to channels that are strapped secure and say something on those channels, I have little doubt that no one else hears what is said. 

 

Except that you have now announced in an online forum where you store your keys.  If you want to delete that part of your post, I’ll edit this post.

  • 0
WRKC935 Mentor

WRKC935

Posted
Posted
2 hours ago, Sshannon said:

Except that you have now announced in an online forum where you store your keys.  If you want to delete that part of your post, I’ll edit this post.

If they are motivated enough to break into the safe, and then the vault in the safe and steal the info or the keyloader, I will know about it of course and have to rekey anyway.

The reason for all that is simple. I have my keys and the keys for others there as well.  And like I said, it's a little overkill, but the safes are in place for other reasons.  And besides that, I don't keep ALL my firearm's in the safe at all times.  Ohio is now a Castle Doctrine state and there are other security measures in place to access the gun vault that would alert me within seconds of a breach of the perimeter, structure and room the vault is located.  Figuring that the outer vault is a 2 hour T n T (torch and Tool) rated enclosure I don't worry a lot about it.  

I had a buddy that got called about his front door being open on his house by the Sheriff years ago that had some of the same hardware I have.  He told them the firearms in that safe due to the caliber exceeded the ratings for standard body armor (300 WinMag and above).  They established a perimeter and brought in the SWAT team to clear the house.  Turns out it was nothing.  The door didn't latch that morning and the wind just blew it open.  This was determined after the fact by reviewing the video of the door. 

Of course newer systems have motion recognition and email alerting with pictures inform the system owners of these types of things in almost real time.  Some of those systems are now open source and freely downloadable and require inexpensive IP camera's to setup.  They are also smart enough to segregate area's within the overall view of the camera (create an active perimeter) so a camera pointed in the front yard doesn't trip when a car on the road doesn't trip an alert but a car in the driveway or other motion in the active perimeter will trip an alarm and send an email to me. 

And that's stuff you can just go download and install on a spare computer and build a network of 'cheap' camera's with.  If you get into the high end stuff, and the pricey camera's they will do LPR (license plate recognition) facial recognition and can be integrated with access control, physical alarm systems, phone, radio and cloud based monitoring and alerting so the video and photographic evidence of an event is elsewhere and not delete-able.  I don't go THAT far, but I do have dual DVR's (digital video recorders) with one being off site at a remote location that see's everything the other one does and sends the same emails.     Since Motorola decided to get into the access control and video surveillance business, I got the nod to be the guy at my office to learn all this crap.  And of course learning it means doing it somewhere.  Sort of a hands on training. When you are sitting in meetings and your phone beeps when Amazon drops a package on your door step with a photo from your video system it happened, they figured I would be the guy to learn the product.  I just haven't convinced them to let me borrow the  facial rec camera's yet. :)

  • 0
Lscott Grand Master

Lscott

Posted
Posted
1 hour ago, WRKC935 said:

When you are sitting in meetings and your phone beeps when Amazon drops a package on your door step with a photo from your video system it happened, they figured I would be the guy to learn the product.  I just haven't convinced them to let me borrow the  facial rec camera's yet.

Nothing like getting a high-resolution photo of the porch pirate giving your camera the thumbs-up as they run off with your Amazon delivery. 

  • 0
WRKC935 Mentor

WRKC935

Posted
Posted
On 2/27/2023 at 9:16 AM, Wrvq441 said:

Thank you everyone.

So much for my request for a “Yes/No” answer. ?

OK, to simplify it

Simplex. Yes it will work but it's questionable if it's legal or not.

Repeater. NO would require it to be DMR and not analog, which isn't legal on GMRS so the repeaters SHOULDN'T exist.  But if they did yes it would work.

Ham frequencies, not legal either.

 

  • 0
gortex2 Veteran

gortex2

Posted
Posted
1 hour ago, WRKC935 said:

 

Simplex. Yes it will work but it's questionable if it's legal or not.

Repeater. NO would require it to be DMR and not analog, which isn't legal on GMRS so the repeaters SHOULDN'T exist.  But if they did yes it would work.

 

Simplex in digital mode yes. No encryption in Analog (p25/DMR)

P25 repeater will also carry encryption. 

None of this applies to GMRS channels. 

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to question listing
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use and Guidelines.

  I accept