P25 encryption – Codan Radio P25 Training Guide User Manual


TRAINING GUIDE | P25 RADIO SYSTEMS

Chapter 3: P25 Technical Information

Page 40

P25 ENCRYPTION

P25 Encryption applies to both trunking and conventional systems, as well as voice messages and
data packets. The IMBE™ vocoder produces a digital bit stream for voice messages that is relatively
easy to encrypt. Major advantages of the P25 encryption design are that encryption does not affect
speech intelligibility nor does it affect the system’s usable range. Both of these advantages are major
improvements over encryption previously used in analog systems.

Encryption requires that both the transmitting and the receiving devices have an encryption key, and
this key must be the same in each unit. This may be done using a Key Loader. Most P25 subscriber
equipment is optionally available with the capability of storing and using multiple keys. That is, a unit
could use one key for one group of users and use a separate key for another group of users. System
management of keys may be done in a Key Management Facility, or KMF.

In the U.S. there are four general “types” of encryption algorithms. Type 1 is for U.S. classified material
(national security), Type 2 is for general U.S. federal interagency security, Type 3 is interoperable
interagency security between U.S. Federal, State and Local agencies, and Type 4 is for proprietary
solutions (exportable as determined by each vendor and the U.S. State Department). The CAI supports
use of any of the four types of encryption algorithms. P25 documents currently standardize two different
Type 3 encryption processes. One encryption process is the U.S. Data Encryption Standard, or DES
algorithm, which uses 64-bit Output Feedback mode and is denoted as DES-OFB. Another encryption
process is the Advanced Encryption Standard (AES), which uses a 256-bit key.

P25 also includes a standardized Over The Air Rekeying (OTAR) function. OTAR is a way to greatly
increase the utility of encryption systems by allowing transfer of encryption keys via radio. This remote
rekey ability, controlled from a Key Management Facility, or KMF, means that radios no longer have to
be physically touched in order to install a new or replacement key into a radio. OTAR signaling is sent
as Packet Data Units over the Common Air Interface.

Optionally, multiple encryption keys can be stored in P25 radio equipment. In order to identify the keys,
they are stored with an associated label called a Key Identifier or KID. The type of algorithm to be used
with the key is identified by an Algorithm ID or ALGID.

To be able to decrypt messages, the receiver decryption module software must be in the same
state as the transmitter encryption module software. The CAI provides space for up to 72 bits of this
synchronization information in the Message Indicator (MI) vector at the beginning of the message (in
the header), and periodically during the message in the LDU2 portion of the voice superframe.
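The following is an added illustration, not code from the training guide or from Codan: it models the OFB keystream chain seeded by the 72-bit MI, the per-superframe re-sending of ALGID/KID/MI described above, and key selection by (ALGID, KID) from the radio's keystore. The block function is a stand-in (truncated SHA-256) for the real AES-256 block cipher, and the rule for advancing the MI between superframes is a simplifying assumption.

```python
import hashlib

BLOCK = 16   # 128-bit block, as in AES
MI_LEN = 9   # 72-bit Message Indicator (MI)

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the AES-256 block function (assumption: truncated SHA-256 with the
    # key prefixed). Only the OFB chaining around it is what this example shows.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def ofb_keystream(key: bytes, mi: bytes, n: int) -> bytes:
    # OFB: the MI seeds the chain and each output block is re-encrypted to get the next.
    # Plaintext never enters the chain, so the keystream depends only on (key, MI):
    # a receiver holding the same key and MI is in the same state as the transmitter.
    state, ks = mi.ljust(BLOCK, b"\x00"), b""
    while len(ks) < n:
        state = block_encrypt(key, state)
        ks += state
    return ks[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def transmit(keystore, algid, kid, mi, superframes):
    """Emit one (ALGID, KID, MI, ciphertext) tuple per voice superframe, mimicking
    the header and LDU2 carrying the sync information. Assumption: the next MI is
    taken from the tail of the current keystream rather than the real P25 rule."""
    key, frames = keystore[(algid, kid)], []
    for pt in superframes:
        ks = ofb_keystream(key, mi, len(pt) + MI_LEN)
        frames.append((algid, kid, mi, xor(pt, ks[:len(pt)])))
        mi = ks[len(pt):]            # MI for the next superframe
    return frames

def receive(keystore, frames, start_at=0):
    """Decrypt from frame index start_at onward. A late joiner (start_at > 0) still
    recovers because every superframe re-carries ALGID/KID/MI. A (ALGID, KID) pair
    that is not loaded in this radio yields None for that frame."""
    out = []
    for algid, kid, mi, ct in frames[start_at:]:
        key = keystore.get((algid, kid))
        if key is None:
            out.append(None)         # key not loaded in this radio
            continue
        out.append(xor(ct, ofb_keystream(key, mi, len(ct))))
    return out
```

Because OFB only XORs the keystream onto the data, a corrupted ciphertext byte corrupts only the same byte of recovered voice, which is why a single bit error over the air does not garble the rest of the frame.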

AES and DES-OFB encryption solutions were tested and verified by an accredited National Institute of
Science and Technology (NIST) laboratory as compliant with the security requirements of the Federal
Information Processing Standard (FIPS).
