Encryption and Patching?

[JethrowJohnson]

Hi all, I'm somewhat curious if some radios are made in a way that they have to be off secure if their TG is patched to another to allow interoperability?

The Washington County Sheriff's Office doesn't have any problem with this as far as I know. They use exclusive encryption but they never had any trouble patching to MARIETTA PD 1 (back when they were still UHF) or POST-84, and of course you could hear them if they were patched to either or both of those channels, but at the same time, all traffic including the units on the other channels were still encrypted on XSO84DISP.

But a few weeks ago, OSHP Post 84 units were sent up to Guernsey County to help Post 30, Guernsey County Sheriff's Office, and Cambridge PD with a manhunt after a suspect assaulted deputies and fled on foot after a traffic stop. CAMBRIDGE PD, XSO30DISP, POST-30 and POST-84 were all patched, but they had poor MARCS coverage in part of the location where it happened. But the Guernsey County dispatcher told all the deputies and Cambridge units that they needed to take their radios off secure so that everyone could hear each other. But the way I understood, encryption or not, everyone can hear everyone if two or more channels are patched. So does it matter? And how exactly is it possible for non-encrypted traffic to be passed along with encryption just because the patched TG is secured?

TIA

 

[kayn1n32008]

The best answer is:

It depends.

It depends on many factors:

What kind of console is being used to do patching?

How are the radios are configured for secure operation.

What is the radios secure configurpatchirelated to patching.

What brands of radios are being used by ALL parties involved in the patch?

There are just too many variables to give you an answer

 

[MTS2000des]

Secure patching from a console requires key management and setup in several places to work correctly and pass secure traffic with different keys, even with CCGW resources. I learned this the hard way last year. But as the previous poster said, without knowing how the FNE in question is setup, it's hard to say over the internet to give one a definitive answer.

 

[wa8pyr]

Hi all, I'm somewhat curious if some radios are made in a way that they have to be off secure if their TG is patched to another to allow interoperability?

The Washington County Sheriff's Office doesn't have any problem with this as far as I know. They use exclusive encryption but they never had any trouble patching to MARIETTA PD 1 (back when they were still UHF) or POST-84, and of course you could hear them if they were patched to either or both of those channels, but at the same time, all traffic including the units on the other channels were still encrypted on XSO84DISP.

But a few weeks ago, OSHP Post 84 units were sent up to Guernsey County to help Post 30, Guernsey County Sheriff's Office, and Cambridge PD with a manhunt after a suspect assaulted deputies and fled on foot after a traffic stop. CAMBRIDGE PD, XSO30DISP, POST-30 and POST-84 were all patched, but they had poor MARCS coverage in part of the location where it happened. But the Guernsey County dispatcher told all the deputies and Cambridge units that they needed to take their radios off secure so that everyone could hear each other. But the way I understood, encryption or not, everyone can hear everyone if two or more channels are patched. So does it matter? And how exactly is it possible for non-encrypted traffic to be passed along with encryption just because the patched TG is secured?

TIA

If Talkgroup A (encrypted) is patched to Talkgroup B (clear), the traffic from Talkgroup A will be in the clear on Talkgroup B, and vice-versa (Talkgroup B will be encrypted on the Talkgroup A side). Patching two encrypted talkgroups can introduce other problems, as the others have noted, if the fixed equipment isn't set up just right.

This is one of the reasons use of encryption during interoperability operations is frowned upon as it just introduces variables that you really don't want to deal with in a situation that's really fluid.

Ideally, they shouldn't have had anything patched in that situation; they should have been using one of the oodles of interoperability talkgroups available on MARCS for situations just such as that. Probably one of the on-scene commanders didn't even think of it and just said "patch A to B." This is where well-trained telecommunicators come into play; they can make recommendations to the OIC for these things and quickly resolve a lot of potential problems.

 

[JethrowJohnson]

Thank you all for all your responses. I think they did eventually switch to an interop channel because they found the suspect and were tracking him with a drone as ground units were moving in, and then it got quiet for a long time, and then a Post 84 unit made a traffic stop just as if nothing ever happened, but I had it on ID Search and still wasn't getting anything. So I thought maybe they switched to one of the federal interop channels since they were having trouble with MARCS.

 

[wa8pyr]

Thank you all for all your responses. I think they did eventually switch to an interop channel because they found the suspect and were tracking him with a drone as ground units were moving in, and then it got quiet for a long time, and then a Post 84 unit made a traffic stop just as if nothing ever happened, but I had it on ID Search and still wasn't getting anything. So I thought maybe they switched to one of the federal interop channels since they were having trouble with MARCS.

You wouldn't have heard anything on the interop talkgroup in Marietta if all the fun was happening up around Cambridge, unless someone was affiliated on that talkgroup to the Marietta tower site. The dispatcher at Post 84 was probably monitoring on the console, but that won't affiliate the talkgroup to the RF site.

They wouldn't have been using a federal interop channel; if the local OIC didn't think of a MARCS interop talkgroup, I seriously doubt he/she would think of a federal interop channel, which in any case are strictly limited to use in situations where Federal law enforcement is involved.

 

[kv6o]

At least on our Motorola system, if you patch 2 talkgroups, the default system key gets used. SO, you need to have the TG keys, as well as the default system keys loaded on radios and consoles if you're going to patch 2 encrypted TGs. YMMV.

 

[rescue161]

The system that I am a system admin for uses encryption, full time for every talkgroup. Our interop partners out in town do not. When we create patches from our side, our units remain encrypted on our side and the out in town agencies stay unencrypted. Once our encrypted traffic reaches the UAC at our interop suite, it is decrypted and the decrypted audio is passed to a radio that is programmed for the correct talkgroup on the out in town system. At that point, the transmission is decrypted and comms between agencies can occur.

 

[JethrowJohnson]

Okay. Sounds a lot like the setup they're using here.

 

[rescue161]

As long as system owners sit down and come up with a plan, anything is possible. No real need to share keys or decrypt traffic if things are set up correctly. We have also reached out and offered to set up the county radios on our system to allow them to OTAR from our KMF, so they can have their radios affiliate to our system, but they have not taken us up on that offer yet.

 

[N4DES]

At least on our Motorola system, if you patch 2 talkgroups, the default system key gets used. SO, you need to have the TG keys, as well as the default system keys loaded on radios and consoles if you're going to patch 2 encrypted TGs. YMMV.

It's not a "default key" as there is no such thing. It's called a Patch Key and is defined in CPS in the System folder and does need to be shared with all the users that have the ability to do encryption on the system. The same key (CKR) is also defined in Provisioning Manager to match what is in the radio for console patching.