Hytera Over The Air Encrypt & Scanners

Joined
Dec 31, 2005
Messages
1,693
Location
Island of OpenSky
#1
This is regarding the newer feature in Hytera firmware for certain DMR models called "Over the air encrypt". It scrambles the signalling frames to prevent interception of radio IDs and talk group information and is set in CPS (32 digit hexadecimal key).

Initial testing shows Motorola radios (and others) light up like they want to receive but nothing is displayed on the screen and nothing is heard.


DSD plays the voice frames just fine, but of course no RID or TG info is displayed.

Has anyone tested (or has the ability to test) Hytera OTA encryption vs a DMR capable scanner such as certain Whistler or Uniden models to see if it affects their ability to decode transmissions?

I understand if I wanted to enable voice protection I'd just toggle AES 256 on. Just curious if the signalling frame encryption alone has any effect on a scanner's ability to receive the transmission.

Remember hearing some had difficulty with RAS enabled systems and OTA Encrypt is similar, but appears more effective as it blocks more info.

Thanks!
 

teufler

Member
Premium Subscriber
Joined
Dec 19, 2002
Messages
2,347
Location
ST PETERS, MISSOURI
#2
ENCRYPT is encrypt and you should not hear any audio or understandable audio. I have had some luck listening into encrypted traffic, taking a wide guess that the users are using the default setting. I have no police traffic in my area using DMR but casinos, and I have heard some DMR traffic on Brandmeister. Usually late at night or early in the morning, that have been encrypted. Mostly just experimenters.
 
Joined
Jul 18, 2014
Messages
8,884
Location
PA
#3
ENCRYPT is encrypt and you should not hear any audio or understandable audio.
Not necessarily. It's the Hytera version of RAS. If the voice frames are not encrypted, then the voice content can still be decoded by a scanner, although the TG and UID and other info will not be available. Which is what is happening with DSD.

It's a pointless feature. If your transmission is sensitive enough to warrant encryption, the voice frames should be the first thing encrypted, not the last. Better yet, encrypt all frames, and then scanners get nothing but digital noise.
 
Joined
Jan 20, 2010
Messages
351
Location
Generally Central Florida
#4
"It's a pointless feature. If your transmission is sensitive enough to warrant encryption, the voice frames should be the first thing encrypted, not the last. Better yet, encrypt all frames, and then scanners get nothing but digital noise."

It's not pointless if you run the system and want to prevent a competitor from loading his radios on your stuff. This seems to be just like (operationally) Moto's Restricted Access to System. Since there isn't a central system "key", it's another way to protect your asset you sell time on.

If you have sensitive voice traffic, ENCRYPT, ENCRYPT, ENCRYPT. AES256 is the best way to go if you can pony up the $$$ for it. At least on Hytera, I'm not sure that Moto is offering that in DMR in NA yet.

 

WQLU507

Member
Premium Subscriber
Joined
Jan 6, 2009
Messages
38
Location
Charleston, SC
#5
I was trying to figure out a use case for this feature and MSS-Dave hit it on the head...operators of systems who lease space. No point in paying for encryption licenses on rental radios for taxis, delivery services and the like, but you also don't want people piggybacking on your system.

I don't think /\/\ is willing to enable AES256 in the US for TRBO. I think it's a P25 only feature for them. Have to keep milking those gov't contracts *eye roll*
 
Joined
Dec 31, 2005
Messages
1,693
Location
Island of OpenSky
#6
I was trying to figure out a use case for this feature and MSS-Dave hit it on the head...operators of systems who lease space. No point in paying for encryption licenses on rental radios for taxis, delivery services and the like, but you also don't want people piggybacking on your system.

I don't think /\/\ is willing to enable AES256 in the US for TRBO. I think it's a P25 only feature for them. Have to keep milking those gov't contracts *eye roll*

You could always throw one of the free voice privacy schemes (basic or arc4) in the radios.
Since Hytera basic gives up the key in the frames and ARC4 is only shades better I opted to pay for the advanced licenses for all the radios.

Still curious if the OTA signalling encryption alone messes with DMR scanners..

This is a neat feature.
 
Joined
Jul 18, 2014
Messages
8,884
Location
PA
#7
Still curious if the OTA signalling encryption alone messes with DMR scanners.
To some extent yes. A Uniden x36 can't be programmed as a trunked system, the individual frequencies have to be programmed as conventional DMR in order to receive traffic.
 
Joined
Oct 12, 2015
Messages
84
Location
Europe
#8
Still curious if the OTA signalling encryption alone messes with DMR scanners..

This is a neat feature.
I can do it for you.
That is weird that only the signalling part is encrypted. But I will have to test if you can have both at the same time (DMRA 40-bit arc4).
If someone has access to Hytera with AES it would be good to know if you can use AES to encrypt the voice part and Over the Air Encrypt to encrypt the signaling.
"Over the Air Encrypt

--------------------------------------------------------------------------------

This parameter allows you to set whether to enable the Over the Air Encrypt feature. With this feature enabled, the voice, data and signaling transmitted by the radio or repeater over the air interface are encrypted by using the key or encryption algorithm. The repeater can forward and the receiving radio can decrypt the voice, data and signaling only when the key value is correct. This prevents the unauthorized radio from occupying channel resources and interrupting communication.

At present, only signaling can be encrypted and decrypted."
That is from CPS v8.06.01.014
 
Joined
Sep 20, 2008
Messages
5,198
Location
In the 'patch
#9
It's a pointless feature. If your transmission is sensitive enough to warrant encryption, the voice frames should be the first thing encrypted, not the last. Better yet, encrypt all frames, and then scanners get nothing but digital noise.
Not pointless at all.

The OTA Encrypt keeps nosy scanner listeners from mapping your radio system and knowing which radios are using what talk-groups. AES 256 keeps those same listeners from knowing who is using your system.

OTA Encrypt, as others have said, keeps cheapskates from adding radios to your rental system without paying for those radios.
 
Joined
Dec 31, 2005
Messages
1,693
Location
Island of OpenSky
#10
I can do it for you.
That is weird that only the signalling part is encrypted. But I will have to test if you can have both at the same time (DMRA 40-bit arc4).
If someone has access to Hytera with AES it would be good to know if you can use AES to encrypt the voice part and Over the Air Encrypt to encrypt the signaling.


That is from CPS v8.06.01.014

Yes, you can use signalling and voice encryption at the same time. On the current radios in use, signalling encryption is forced while voice encryption is selectable.
 