Encryption keys and DMR repeaters

mikewazowski · Dec 23, 2023

Scannerboy1999 said:
That’s the best thing about system fusion and d-star no scanners can listen in on the conversations

But a $10 dongle will with free software.

dickie757 · Dec 23, 2023

The Hash got a bit too salted

KevinC · Dec 23, 2023

Clats97 said:
And sure there aren't scanners that support dstar, but you can use SDRs to decode it with specialized software.

My IC-R30 supports D-STAR.

Scannerboy1999 · Dec 23, 2023

Not to many people know how to use dsd and you can’t take a computer every where’s with them like on a run or walk like you can a scanner and the receiver are to expensive for most people like there is a receiver that can descamble nxdn 15 bit digital scrambler but it’s to expensive for most people with today economy

Scannerboy1999 · Dec 23, 2023

And a lot of people don’t know how to setup dsd and sdr receiver to get them working right scanner are way more easy for people to setup that’s where fusion and d-star gives you a little privacy with them but not like encryption cause there will never be a scanner or sdr that can decrypt encrypted communications ones digital communications goes encrypted it’s gone forever

Clats97 · Dec 23, 2023

KevinC said:
I thought is was 14 rounds and 1 million iterations?

It was. I changed the script to make it more secure. Here it is, analyze it or run it and you will find the following:

1. PBKDF2
2. HMAC
3. SHA-512
4. 128 byte initial token
5. 128 byte dynamic variable salt
6. 2M iterations
7. 20 rounds of randomization
8. Input validation
9. Exception handling

import secrets
from hashlib import pbkdf2_hmac, sha512

def generate_dynamic_salt(length=128):
return secrets.token_bytes(length)

def hash_with_sha512(data):
hasher = sha512()
hasher.update(data)
return hasher.digest()

def validate_key_generation_inputs(token, secret_key, iterations, salt_length, rounds):
if not isinstance(token, (bytes, str)):
raise TypeError("Token must be bytes or a hexadecimal string.")
if not isinstance(secret_key, bytes):
raise TypeError("Secret key must be bytes.")
if not isinstance(iterations, int) or iterations < 1:
raise ValueError("Iterations must be a positive integer.")
if not isinstance(salt_length, int) or salt_length < 1:
raise ValueError("Salt length must be a positive integer.")
if not isinstance(rounds, int) or rounds < 1:
raise ValueError("Rounds must be a positive integer.")

def generate_strong_key(token, secret_key, iterations=2000000, salt_length=128, rounds=20):
validate_key_generation_inputs(token, secret_key, iterations, salt_length, rounds)
for _ in range(16):
for _ in range(rounds):
dynamic_salt = generate_dynamic_salt(salt_length)
if isinstance(token, str):
token = bytes.fromhex(token)
token_bytes = hash_with_sha512(token + secret_key)
token = pbkdf2_hmac('sha512', token_bytes, dynamic_salt, iterations)
yield token.hex().upper()[:32]

def main():
try:
token = secrets.token_bytes(128)
secret_key = secrets.token_bytes(128)
for i, key in enumerate(generate_strong_key(token, secret_key), 1):
print(f"AES-128 Bit Key {i}: {key}")
except Exception as e:
print(f"An error occurred: {e}")

if __name__ == "__main__":
main()

Clats97 · Dec 23, 2023

Scannerboy1999 said:
And a lot of people don’t know how to setup dsd and sdr receiver to get them working right scanner are way more easy for people to setup that’s where fusion and d-star gives you a little privacy with them but not like encryption cause there will never be a scanner or sdr that can decrypt encrypted communications ones digital communications goes encrypted it’s gone forever

Yup, but there are some agencies that respect the principle of open government and operate in the clear, or use partial encryption. I am in talks with the ministry to prevent PSRN from going fully encrypted. I know the contract is signed and sealed and already in the works, but the system administrators can easily NOT apply the encryption. My suggestion is to have only one encrypted channel per talkgroup, only to be used if nessecary. 90% of the traffic doesn't need to be encrypted. Dispatch channels, primary and secondary channels, and tactical channels should all be in the clear. Investigative channels I do understand the need for encryption there. But you do not need to encrypt everything.

KevinC · Dec 23, 2023

Clats97 said:
It was. I changed the script to make it more secure. Here it is, analyze it or run it and you will find the following:

1. PBKDF2
2. HMAC
3. SHA-512
4. 128 byte initial token
5. 128 byte dynamic variable salt
6. 2M iterations
7. 20 rounds of randomization
8. Input validation
9. Exception handling

import secrets
from hashlib import pbkdf2_hmac, sha512

def generate_dynamic_salt(length=128):
return secrets.token_bytes(length)

def hash_with_sha512(data):
hasher = sha512()
hasher.update(data)
return hasher.digest()

def validate_key_generation_inputs(token, secret_key, iterations, salt_length, rounds):
if not isinstance(token, (bytes, str)):
raise TypeError("Token must be bytes or a hexadecimal string.")
if not isinstance(secret_key, bytes):
raise TypeError("Secret key must be bytes.")
if not isinstance(iterations, int) or iterations < 1:
raise ValueError("Iterations must be a positive integer.")
if not isinstance(salt_length, int) or salt_length < 1:
raise ValueError("Salt length must be a positive integer.")
if not isinstance(rounds, int) or rounds < 1:
raise ValueError("Rounds must be a positive integer.")

def generate_strong_key(token, secret_key, iterations=2000000, salt_length=128, rounds=20):
validate_key_generation_inputs(token, secret_key, iterations, salt_length, rounds)
for _ in range(16):
for _ in range(rounds):
dynamic_salt = generate_dynamic_salt(salt_length)
if isinstance(token, str):
token = bytes.fromhex(token)
token_bytes = hash_with_sha512(token + secret_key)
token = pbkdf2_hmac('sha512', token_bytes, dynamic_salt, iterations)
yield token.hex().upper()[:32]

def main():
try:
token = secrets.token_bytes(128)
secret_key = secrets.token_bytes(128)
for i, key in enumerate(generate_strong_key(token, secret_key), 1):
print(f"AES-128 Bit Key {i}: {key}")
except Exception as e:
print(f"An error occurred: {e}")

if __name__ == "__main__":
main()

Thanks, but I don't use any radios that support AES-128.

Clats97 · Dec 23, 2023

KevinC said:
Thanks, but I don't use any radios that support AES-128.

Whys that?

KevinC · Dec 23, 2023

Clats97 said:
Whys that?

Because I use professional radios and none of them (as far as I know) support AES-128. It's either some form of DES or AES-256 or RC4/ADP.

Scannerboy1999 · Dec 23, 2023

Everything is going to be encrypted one day and scanners and sdr will be a thing of the past

hrh17 · Dec 24, 2023

Tait DMR radios support the following encryption
ARC4
Des
AES128
AES256

Clats97 · Dec 24, 2023

KevinC said:
Because I use professional radios and none of them (as far as I know) support AES-128. It's either some form of DES or AES-256 or RC4/ADP.

Oh wow they don't have all bit sizes for AES? Do you know what that is? 128 bit is more resistant to side channel attacks than 256 is. There are benefits to shorter keys, you don't always need 256.

My radios support 40 bit RC4 and 128 bit AES

Clats97 · Dec 24, 2023

hrh17 said:
Tait DMR radios support the following encryption
ARC4
Des
AES128
AES256

Nice

Clats97 · Dec 24, 2023

dickie757 said:
The Hash got a bit too salted

Lool

kayn1n32008 · Jan 7, 2024

paulears said:
They may not wish to talk to you or listen to you, but they could never stop people wigging in - how ham radio is supposed to work.

See, some of us don't want nosey busy bodies worming their way in and gossiping about our business. Encryption stops that.

Encryption keys and DMR repeaters

mikewazowski

Forums Manager/Global DB Admin

dickie757

Wired

KevinC

Other

Scannerboy1999

Member

Scannerboy1999

Member

Clats97

Member

Clats97

Member

KevinC

Other

Clats97

Member

KevinC

Other

Scannerboy1999

Member

hrh17

Member

Clats97

Member

Clats97

Member

Clats97

Member

kayn1n32008

ØÆSØ

Similar threads