• Effective immediately we will be deleting, without notice, any negative threads or posts that deal with the use of encryption and streaming of scanner audio.

    We've noticed a huge increase in rants and negative posts that revolve around agencies going to encryption due to the broadcasting of scanner audio on the internet. It's now worn out and continues to be the same recycled rants. These rants hijack the threads and derail the conversation. They no longer have a place anywhere on this forum other than in the designated threads in the Rants forum in the Tavern.

    If you violate these guidelines your post will be deleted without notice and an infraction will be issued. We are not against discussion of this issue. You just need to do it in the right place. For example:
    https://forums.radioreference.com/rants/224104-official-thread-live-audio-feeds-scanners-wait-encryption.html

Security Researchers Crack APCO P25 Encryption

Status
Not open for further replies.

kayn1n32008

Member
Joined
Sep 20, 2008
Messages
5,494
Location
In the 'patch
Wirelessly posted (Mozilla/5.0 (BlackBerry; U; BlackBerry 9780; en-US) AppleWebKit/534.8+ (KHTML, like Gecko) Version/6.0.0.600 Mobile Safari/534.8+)

*sigh* DES encryption, which has been around for YEARS... Pretty bland artical, lacking specific info. Was this done in real time? And how long does key recovery take?
 

N4DES

Member
Joined
Dec 19, 2002
Messages
2,141
And how long does key recovery take?


If I'm reading it correctly for DES:

A commodity 2.5GHz Intel Core i7 processor can easily compute one million
DES keys per second in software using the OpenSSL library. This is, however,
optimized for the case of encrypting the key with large volumes of traffic and not
key searching. A bit-sliced implementation carefully optimized for key searching
can reach in excess of twenty-eight million keys/second. Even so, DES is not
trivially defeated. Even at one hundred million keys per second it will take almost
twenty-three years to search the whole key space. It is possible to achieve much
better performance using dedicated hardware and many processors running in
parallel. In 1998 the EFF constructed an ASIC-based device that could search
the DES keyspace within 9 days at a cost of 250,000 US$ [8].


And for ADP:

In a single core of a dual-core Intel i7 processor the search will take, on average,
10.6 days.
 

drdiesel1

Member
Joined
Jul 5, 2007
Messages
140
Location
Terre Haute IN
In a single core of a dual-core Intel i7 processor the search will take, on average,
10.6 days.
And AMD just released a 16 Core chip! No real performance results yet but who knows.

Also, I wonder how often the keys are rotated? If it's once a month and only takes a day or so to crack might not be too bad.
 

N4DES

Member
Joined
Dec 19, 2002
Messages
2,141
The 10 days is only for ADP and not DES or AES. I don't think that ADP has taken off that much in popularity, not like DES, to acquire the tools or knowledge. And from what I have seen in CPS I don't think you can OTAR ADP as it is programmed into a CPS field most of the time.

Also the research is on the conventional side of the house. On a TRS, either a 3600 or APCO25, when you employ encryption the ability to make a clear call on a talk-group that is strapped for secure is impossible. And even using a different key will not allow the rogue user to be able to communicate with valid users as they will not be able to hear each other.

The paper is not all inclusive, especially where trunking systems are employed that create additional layers of protection. Conventional is very easy to manipulate and the more experienced technical users are well aware of it. The most important thing is that the end user devices are properly programmed and secure channels are strapped secure only. If a radio looses its keys it should be taken out of service and a loaner radio supplied unti it can be re-keyed by a keyloader or OTAR.
 

BLAH

Member
Joined
Jan 18, 2006
Messages
36
Location
LA area
In theory, What if a person who has access to and encrypted P25 xts3000 or 5000 radio. Cant the radio just be cloned, or the encryption code be seen via software and put in another radio ?????

Just a thought..
Dr. Blah :p
 

fineshot1

Member
Joined
Sep 17, 2004
Messages
2,478
Location
NJ USA (Republic of NJ)
In theory, What if a person who has access to and encrypted P25 xts3000 or 5000 radio. Cant the radio just be cloned, or the encryption code be seen via software and put in another radio ?????

Just a thought..
Dr. Blah :p
no - it does not work that way. you can not clone any motorola radio that has an
encryption key loaded into it and have the key moved to another radio. when you
clone this way the key is not viewable or readable in any way. you would still have
to key load the radio with a key loader you have cloned the codeplug to.
 

RKG

Member
Joined
May 23, 2005
Messages
1,081
In theory, What if a person who has access to and encrypted P25 xts3000 or 5000 radio. Cant the radio just be cloned, or the encryption code be seen via software and put in another radio ?????

Just a thought..
Dr. Blah :p
No.

1) Reading a radio with a computer different from the one that programmed it with an ADP key will not show the key. For that reason, it will also not clone the key to a different target radio.

2) Reading a radio that has a UCM will not show the key, and, since the UCM key is not part of the radio's codeplug, cloning does not reach it.
 

RKG

Member
Joined
May 23, 2005
Messages
1,081
no - it does not work that way. you can not clone any motorola radio that has an
encryption key loaded into it and have the key moved to another radio. when you
clone this way the key is not viewable or readable in any way. you would still have
to key load the radio with a key loader you have cloned the codeplug to.
Close, but: you can clone with the key so long as either (a) you are using the same computer that programmed the key into the source radio or (b) you know the key and type it into the source codeplug before the first clone.
 

b7spectra

EMS Dispatcher
Joined
Jul 8, 2002
Messages
3,140
Location
Cobb County, GA
I'm surprised the SAPS haven't chimmed in. As per the law, you can not LEGALLY unencrypt encrypted transmissions. Now that said, if I were to be able to nail one of those systems, do you really think I'm going to come here to RR and let everyone know that I have done it?

The media in Jacksonville has probably already started researching this one!
 

signal500

Member
Premium Subscriber
Joined
Jul 9, 2004
Messages
511
Location
Florida Panhandle
For what it's worth to this discussion, I know from experience that most highly secured facilities / agencies change encryption keys daily, most with OTAR - Over The Air Rekey / OTAT - Over The Air Transfer......
 

fineshot1

Member
Joined
Sep 17, 2004
Messages
2,478
Location
NJ USA (Republic of NJ)
Close, but: you can clone with the key so long as either (a) you are using the same computer that programmed the key into the source radio or (b) you know the key and type it into the source codeplug before the first clone.
You must be referring to ADP software encryption code entry as is done with the CPS.

DES & AES you use a KVL plus to program the enc codes not a computer.
 

fineshot1

Member
Joined
Sep 17, 2004
Messages
2,478
Location
NJ USA (Republic of NJ)
Some radios don't need a KVL to input DES keys, the Thales 25 for example can key load DES right from the regular radio programming software.
prcguy
In my response to "BLAH" I was only referring to the motorola radio equipment that he was referring to
in his post and not any another manufactures.
 

johnls7424

Member
Premium Subscriber
Joined
Jul 22, 2012
Messages
1,314
Location
Somewhere in NJ
They have mentioned in other article too where a person could interrupt p25 encryption on any level by blocking a users signal. Forcing such user to turn off encryption and speak in clear to be heard. An illegal and unlawful third party source with another compatibld radio when transmissions were made try to counter talk over them blocking the transmission all together.
 
Status
Not open for further replies.
Top