Understanding Encryption

Status
Not open for further replies.

wnxc912

Member
Joined
Dec 1, 2014
Messages
5
Location
Northeastern, Pa.
Hello All-

I was wondering if anybody could give me a little bit more understanding about digital encryption among users. I basically understand that encrypted channels are "scrambled" or unintelligible with other users "off" the network. So my question is, if one county is operating with encryption and the need for assistance from outside that county (mutual aid) is requested, will the mutual aid be able to switch their digital radios to the requesting county and automatically be on the encrypted network? Thanks in advance for any insight.
 

buddrousa

Member
Premium Subscriber
Joined
Jan 5, 2003
Messages
13,117
Location
Retired 40 Year Firefighter NW Tenn
It is very simple to either switch off the encryption or to have a second channel that links analog systems to the type of system that is being used. Like we did in the old cross-band repeater days, VHF to UHF; now it is done by using, say, a P25 digital radio to an analog radio as an interop channel.
 

rapidcharger

Member
Joined
Jun 13, 2012
Messages
2,382
Location
The land of broken calculators.
So my question is, if one county is operating with encryption and the need for assistance from outside that county (mutual aid) is requested, will the mutual aid be able to switch their digital radios to the requesting county and automatically be on the encrypted network? Thanks in advance for any insight.

In short, it's possible.
But the radios have to have the encryption key programmed in (just like a network router) as well as the other particulars to affiliate with any trunking system. And a lot of times they don't. They may use unencrypted mutual aid channels if there's ever a need to talk to neighboring agency responders directly.

Encryption can be enabled full time or it can be switched on or off momentarily by a switch on the radio. It all depends on how it's set up whether you will hear everything, hear some things or hear nothing.
 

ofd8001

Member
Premium Subscriber
Joined
Feb 6, 2004
Messages
8,169
Location
Louisville, KY
Encryption can be enabled full time or it can be switched on or off momentarily by a switch on the radio. It all depends on how it's set up whether you will hear everything, hear some things or hear nothing.

It isn't that simple, unfortunately. Some radios do have a "special" switch that turns encryption on and off. Other radios have a "multi purpose" concentric ring around the channel selection, that could be programmed to turn encryption on and off. Whether users remember it works that way is a story in itself.

Lastly, there are systems where users cannot turn encryption off by design.

Mutual aid using encrypted radios could be an issue, especially for channels dedicated for mutual aid, but infrequently used. Keeping up with encryption key programming is a challenge among different agencies.
 

SCPD

QRT
Joined
Feb 24, 2001
Messages
0
Location
Virginia
Like all said above. Depending on local politics and procedures and the system admin, radios can be strapped solid or have a pre-programmed, user-defined button or rotary switch to unstrap when needed or need be. Keep in mind, depending on the setup, the admin can program, say, an APX or XTS to have a secure/clear button, but in the programming the particular channel can be locked to strapped, and pushing the button would do nothing in any case. It's a mix depending on where you go and one admin's theory for easy user access and functions. Some may program a duplicate talkgroup or channel in clear mode and have the other duplicate strapped. Some choose to just program it up clear, and if a user or talkgroup needs secure comms they can be switched by button or rotary. Some systems can get over-the-air programming or assigning. In the event mutual aid occurs, this is where practical training comes in, but like said, saying or having the idea is totally different than it being done. Ideally some agencies outside can be over-the-air programmed or keyed during an incident just for the time needed. Where the clear/secure button or rotary or clear channel or group is not an option, the idea of the interop channels would fall into play. The set of mutual users and home county users would direct to a common tactical or interop channel all can comm on: VHF or UHF, 700 interops, etc. Patches can also be done by dispatch. An example is, I believe, Garden Grove, California and Orange County: they use non-national tones on interop freqs and are all strapped encrypted, and the user has no ability to shut it off. In the event mutual aid is needed, any unit calling in, dispatch can hear in the regional comm center, and a patch or link can be requested on interop with dual tones so outsiders can hear and reply to local units on interop channels. If it was a desired or required deal, the enc talkgroup or channel can be patched onto another in clear if they needed it in some places.
It just depends what agency it is, the policies, and the system admin, how they coordinate the setup and mutual aid. Forgot to mention, I have seen agencies where town A uses its own key on its channels and town B has its own also but doesn't share for various or whatever reasons, or police or sheriff etc., but have a localized joint interop channel or talkgroups with the same key loaded for secure comms, and if all fails, the national interops, which I believe last I knew were meant for clear comms. But that is one option if nobody shares another key: to have a common set for both agencies where all the traffic can go to on that particular incident.
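
The strapping and shared-key cases described in the posts above, worked through as an added example that is not part of any poster's message: it checks which channels a home-county radio and a mutual-aid radio can actually talk on. The channel names, key labels and the simplified two-way model (a mode works only if both radios can use it) are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Strap(Enum):
    CLEAR = "clear"    # strapped clear: user cannot go secure
    SECURE = "secure"  # strapped secure: user cannot go clear
    SELECT = "select"  # clear/secure button or rotary is live

@dataclass(frozen=True)
class Channel:
    strap: Strap
    key: Optional[str] = None  # label of the key used when secure

@dataclass
class Radio:
    channels: dict                 # channel name -> Channel
    keys: frozenset = frozenset()  # key labels actually loaded

    def modes(self, chan):
        """Modes usable on chan: "clear" and/or ("secure", key label)."""
        c = self.channels.get(chan)
        out = set()
        if c and c.strap in (Strap.CLEAR, Strap.SELECT):
            out.add("clear")
        if c and c.strap in (Strap.SECURE, Strap.SELECT) and c.key in self.keys:
            out.add(("secure", c.key))
        return out

def common_mode(a, b, chan):
    """Best mode both radios share on chan: secure, clear or none."""
    shared = a.modes(chan) & b.modes(chan)
    if shared - {"clear"}:
        return "secure"
    return "clear" if shared else "none"

def interop_plan(a, b):
    """Map each channel either radio carries to the mode the pair can use."""
    return {n: common_mode(a, b, n) for n in set(a.channels) | set(b.channels)}

# Constructed codeplugs; channel names and key labels are made up.
HOME = Radio({"A-DISPATCH": Channel(Strap.SECURE, "KEY-A"),
              "JOINT-TAC": Channel(Strap.SECURE, "KEY-JOINT"),
              "INTEROP-1": Channel(Strap.CLEAR)},
             frozenset({"KEY-A", "KEY-JOINT"}))
AID = Radio({"A-DISPATCH": Channel(Strap.SELECT, "KEY-A"),  # key never loaded
             "JOINT-TAC": Channel(Strap.SECURE, "KEY-JOINT"),
             "INTEROP-1": Channel(Strap.CLEAR)},
            frozenset({"KEY-JOINT"}))
print(interop_plan(HOME, AID))
```

The mutual-aid radio has the dispatch talkgroup programmed but not its key, so that channel comes out as "none" even though its own switch can go clear; the shared-key tactical channel and the clear interop channel are the ones that work.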
 

wnxc912

Member
Joined
Dec 1, 2014
Messages
5
Location
Northeastern, Pa.
Thank you for your information. Another question I have is, if you run encryption "full-time" are there additional maintenance costs to keep it in place? Or will it be an additional feature?
 

SCPD

QRT
Joined
Feb 24, 2001
Messages
0
Location
Virginia
Most radio equipment comes standard nowadays included with some form of encryption module or software defined, like Moto for cheap adds ADP boards, weak enc, basically scanner buster, or for an allotted amount or deal they have single boards, dual boards or tri boards etc.: ADP, DES, AES types depending on model etc. Some come pre-equipped at order with DES or AES. You'd have to get the keys loaded by a dealer or someone with the proper key loader. It really depends who the vendor is and what contract an agency signs into for purchases or the allotted equipment or chooses. One thing to add: ADP, software defined, can be programmed by the regular software, but if you're an agency it is not recommended, as the grants won't cover costs and it is a weak enc. But for basically busting scanners out or simple privacy it is handy, and if you don't use or plan to use grants on the system or equipment costs later. DES variances and AES are typical choices by law and fire. It really depends with costs how many you buy and what you exactly need with the handhelds and mobiles. A dealer can help out with actual numbers if given what you need. If you want fancy patching on systems etc., you'd need the proper console system that can decode and the equipment needed with it to patch frequencies or simulcast. Depending on what you need there are several. Repeater equipment too should be considered into play, but I've seen some skip that and use the typical Quantar on a Moto conv and have no issues, but I'd prefer to go the right way. If it's just a user with admin permission wanting to obtain his own equipment, say one radio, he could probably get a basic APX for a starting price, new OEM, around 4 grand with basic flash options. Of course a large agency can work contract deals, get things added or removed at no cost if the contract is agreed on and X amount of years etc. to get discounts. You'd also have to consider whether it is in-house installation or would a contractor be doing it, and the cost of them.
If it's Moto or Harris, usually it's also in the agency contract. It is hard to give an exact estimate unless an agency talks to different vendors, sees what they have to offer and asks: does it work with this or this, what are the additional costs etc. or discounts. I've seen small cities use in-house techs working for county or state or city maintaining radios or systems completely with no problems, bypassing a contractor like /\/\ doing it, but some TRS, or most, require Moto to be maintaining it. Conv is another story and can be in-house maintained easily with the in-house techs.
 

SCPD

QRT
Joined
Feb 24, 2001
Messages
0
Location
Virginia
Most, as if you're a gov entity. Not public Joe. Wanted to clear that out loud. A gov entity with a bargaining contract agreement can get enc included from the start. As for public Joe, there are models with Harris or Moto already equipped with a form of enc with included cost, or it would cost additional. It really depends on what radio you want, its features and what form of enc. With the cost questions, it'd be wise to talk to various vendors and see who offers the better deal. There are some that are fully interop with Motorola. Just make sure it's exactly what you need and that it'll work with town B or county B interop or use. Most are capable bc they do analog anyway, but if town A wants to monitor town B's setup and they are digital, they need to make sure they are purchasing equip to do just that and make sure they get the neighboring admin manager to allow use of TRS etc.
 

ofd8001

Member
Premium Subscriber
Joined
Feb 6, 2004
Messages
8,169
Location
Louisville, KY
Encryption is not cheap and it costs for each radio that is programmed to use it.

Encryption costs are all "up-front". It's all "pricey" to some degree or another.

Motorola has a thing called "ADP" or Advanced Digital Protection, which is Motorola exclusive. When our community migrated to a digital trunked radio system, Motorola offered this as a $10-15 option per radio. While that may sound reasonable, it locks folks into using Motorola radios. No other brand can be substituted later on.

The "Gold Standard" for encryption is "AES" or Advanced Encryption Standard. This is, more or less, a board that is inside a radio. This is an "open" thing, meaning it is usable by Motorola, Johnson and other radio manufacturers. It is a higher level of encryption.

AES is really costly - I'm thinking about $1,000 per radio. Usually you have to have a higher tier radio (most manufacturers offer three tiers of radios). So the cost is for the higher tier radio and the AES "board" for that radio.

Then a device called a "key-loader" which looks like a real big hand held calculator. This device loads the encryption key in the radio. Usually a system will have several, just in case one breaks down at the worst possible time. They ain't cheap either.

The only real "on-going" cost is the staff time involved in periodic re-keying of radios to ensure as much security as possible. Some systems have the ability to re-key radios via over the air programming. Others are set up to where hands have to be laid on the radio.
 

wnxc912

Member
Joined
Dec 1, 2014
Messages
5
Location
Northeastern, Pa.
So if you have 500 radios they each need re-keying periodically? And I'm guessing that's a maintenance fee that is extra or would that be covered under the vendor contract?
 

nlr009

Member
Feed Provider
Joined
Aug 28, 2014
Messages
9
Location
North Little Rock, Arkansas
Encryption

It doesn't have to be complex. We operate on a statewide P25 digital system with two conventional analog 800 MHz backup repeaters licensed to the city. All our department talk groups are strapped full time encrypted. All our city, county, and state interoperability talk groups and our conventional repeaters are strapped full time unencrypted. The user cannot change the encryption settings. As mentioned, AES is hardware inside the radio and is a P25 standard. ADP is software based and is proprietary to Motorola. All our new APX series radios have both ADP and AES capability.

We stream our primary dispatch talk group on Broadcastify with a 30 minute delay so the public and media have access.

The trunked radio system backbone is maintained by the state. Our radios and our repeaters are maintained by a local Motorola shop under a contract with the city. I don't know if there was an additional cost added to the contract to maintain our encryption. The police department is the only city department using encryption.
 

ofd8001

Member
Premium Subscriber
Joined
Feb 6, 2004
Messages
8,169
Location
Louisville, KY
So if you have 500 radios they each need re-keying periodically? And I'm guessing that's a maintenance fee that is extra or would that be covered under the vendor contract?

There is a school of thought that radio encryption keys be changed periodically as an added level of security. In reality it probably doesn't happen.

A system having that number of radios probably does its own re-keying by its own personnel. The system I am familiar with has probably close to 3,000 radios. There are several technicians in the radio shop and they do the key loading as needed.

Loading a key in a radio isn't that difficult if you have the right gizmo.

If it was done by a vendor, I'm sure a fee would be charged.
 

INDY72

Monitoring since 1982, using radios since 1991.
Premium Subscriber
Joined
Dec 18, 2002
Messages
14,899
Location
Indianapolis, IN
Ever heard of OTAR? Over The Air Rekeying. It makes switching keys fast, and an easy process. Alongside OTAP (Over The Air Programming), it is one of the greatest things in radio technology on the market. What used to take a lot of "touching" now takes only a few keypresses.
 