Decoding Encryption with Permission...

How secure is DES for radio traffic? - NOT text documents.


Total voters: 97

WayneH

Forums Veteran
Super Moderator
Joined
Dec 16, 2000
Messages
7,553
Reaction score
86
Location
Your master site
RainbowSix said:
Where would one find software and/or equipment to even start to try to decode the data stream and so on???

R6
You would have to write the code. You would need an oscilloscope at the minimum for equipment.

I know there are people on here capable of taking on the project (starting, finishing is something else) but I think that's like 1-2% of this community.
 

JnglMassiv

Member
Joined
Mar 2, 2004
Messages
856
Reaction score
0
Location
Chicago / 016
The way I see it, the problem can be broken down as follows:
1. Digitize the audio. (fairly trivial..data slice & dice)
2. Run audio thru a yet-unnamed (and probably un-invented) application to brute force DES key attempts.
3. Test audio from brute attacks for proper decoding.

Clearly, 2 & 3 are the meat of the issue. Even if you had a piece of software that quickly ran through every key possibility, it would be difficult for the computer/software to know it had a match. I've long argued that there must be a PL-like tone injected into the audio prior to encoding so that the receiving radio 'knows' that the decode was successful. Otherwise, two secure radios with different keys would unmute and play hash every time its counterpart transmitted.

It's definitely an easier said than done project. I'd say your radios are safe, Scott.
 

SCPD

QRT
Joined
Feb 24, 2001
Messages
0
Reaction score
106
Location
Virginia
I think everyone here is missing a key component of Scott's challenge. I think Motorola's DES encrypted audio is actually VSELP compressed audio with DES encryption applied to the VSELP bits. Anyone serious about this would first need to create something that can handle plain VSELP first.

Scott ... this has nothing to do with the actual challenge you've put forth, but would you post a recording of a plain (no DES or XL or whatever) digitally encoded (but not encrypted) transmission? This would of course be discriminator audio.

From a decoding perspective - the DES sample you posted looks good. For those wondering ... the signal is a two level trapezoid or "pulse" waveform at 12000 baud (yes, that's twelve-thousand). It's definitely not ProVoice or Astro 25.

The VSELP task sounds like a nice summer project. :)

-rick
 

mancow

Member
Database Admin
Joined
Feb 19, 2003
Messages
6,933
Reaction score
1,091
Location
N.E. Kansas
VSELP?

All my documents say it's CVSD (Continuously Variable Slope Delta modulation). The waveform generator is a device that produces a steadily increasing or decreasing voltage at a known rate. The 0 or 1 data bit tells it to produce a negative or positive output. If the incoming digital stream is a steady 0101010 there is no output at all.


Or, at least that's how I read it.
 

SCPD

QRT
Joined
Feb 24, 2001
Messages
0
Reaction score
106
Location
Virginia
CVSD ... I haven't seen that format since ... ugh ... 1989 (in telecom, not radio). I had no idea Motorola was using this here.

At 12000 bits per second ... a 3000 Hz tone would look like 011001100. This must have terrible high frequency response. If that's the case (CVSD) ... then a full quieting silent pause would provide you with known text for a brute force attack.

Okay ... but I'd still like a clear VSELP sample!

;)

-rick
 
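The two posts above describe CVSD from both ends: a voltage that ramps up or down one fixed amount per bit, alternating bits producing no output, and a 3000 Hz tone at 12000 bits/s collapsing into a pattern like 011001100. The following is an added example, not code from this thread or from any Motorola product, of a textbook CVSD encoder and decoder that shares one integrator model between the two sides. The slope constants (`STEP_MIN`, `STEP_MAX`, `STEP_GROW`, `STEP_DECAY`) and the three-bit companding rule are assumed illustrative values; the only figure taken from the thread is the 12000 bit/s rate. Running it shows why the format is said to have terrible high-frequency response: a 300 Hz tone reconstructs cleanly, a 3000 Hz tone at four bits per cycle barely moves the integrator, and silence encodes as a steady 0101... stream.

```python
"""Textbook CVSD (continuously variable slope delta) codec.

Added example with constructed parameters; not Motorola's implementation.
Encoder and decoder share one integrator: each bit says whether the
reconstructed voltage ramps up or down for one bit period, and three
identical bits in a row make the ramp steeper (syllabic companding).
"""
import math

BIT_RATE = 12000       # bits per second, the rate discussed in the thread
STEP_MIN = 0.01        # assumed: gentlest slope, in full-scale units per bit
STEP_MAX = 0.5         # assumed: steepest slope
STEP_GROW = 0.02       # assumed: slope increase after three equal bits
STEP_DECAY = 0.95      # assumed: slope relaxation factor otherwise


class CvsdIntegrator:
    """State shared by encoder and decoder: estimate, slope, last three bits."""

    def __init__(self):
        self.estimate = 0.0
        self.step = STEP_MIN
        self.history = []

    def update(self, bit):
        """Advance the integrator one bit period and return the new estimate."""
        self.history = (self.history + [bit])[-3:]
        if len(self.history) == 3 and len(set(self.history)) == 1:
            # three identical bits: the input is outrunning us, steepen the ramp
            self.step = min(STEP_MAX, self.step + STEP_GROW)
        else:
            # bits are toggling: we are hovering around the input, relax the ramp
            self.step = max(STEP_MIN, self.step * STEP_DECAY)
        self.estimate += self.step if bit else -self.step
        self.estimate = max(-1.0, min(1.0, self.estimate))   # clamp to full scale
        return self.estimate


def cvsd_encode(samples):
    """Emit 1 when the input is above the running estimate, else 0."""
    state = CvsdIntegrator()
    bits = []
    for s in samples:
        bit = 1 if s > state.estimate else 0
        bits.append(bit)
        state.update(bit)
    return bits


def cvsd_decode(bits):
    """Replay the same integrator from the bit stream alone."""
    state = CvsdIntegrator()
    return [state.update(b) for b in bits]


def tone(freq_hz, seconds, amplitude=0.5, rate=BIT_RATE):
    """Constructed test input: a sine sampled once per bit period."""
    n = int(seconds * rate)
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / rate) for i in range(n)]


def snr_db(original, reconstructed):
    """Signal-to-error ratio of a decode against the original samples."""
    sig = sum(x * x for x in original)
    err = sum((x - y) ** 2 for x, y in zip(original, reconstructed))
    return 10 * math.log10(sig / err) if err else float("inf")


if __name__ == "__main__":
    for f in (300, 3000):
        t = tone(f, 0.1)
        print(f, "Hz tone: SNR", round(snr_db(t, cvsd_decode(cvsd_encode(t))), 1), "dB")
    print("silence encodes as", cvsd_encode([0.0] * 8))
```

The encoder never sends a sample value, only the sign of its own tracking error, which is why the decoder needs nothing but the bit stream and the same slope rules. That is also why a long stretch of silence is so recognisable in the raw bits: the integrator hunts around zero and emits 0101... indefinitely.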

mancow

Member
Database Admin
Joined
Feb 19, 2003
Messages
6,933
Reaction score
1,091
Location
N.E. Kansas
Yeah, it has some pretty terrible frequency response. The -XL format is even worse. It sounds like frying bacon in the background.
 

10-95

Member
Joined
Dec 19, 2002
Messages
1
Reaction score
0
I think the answer to the question depends on who's actually doing the cracking of the DES.
I think certain sectors of the government can crack DES within 10-40 minutes.
But, anyway, I thought I'd post this link to the Wiki for DES, I thought it was nicely done..

http://en.wikipedia.org/wiki/Data_Encryption_Standard
 

N_Jay

Guest
RainbowSix said:
Where would one find software and/or equipment to even start to try to decode the data stream and so on???

R6


LOL, in the DSP of a secure radio.

In a modulation test set.

I can think of a few other places.
 

N_Jay

Guest
rfmobile said:
I think everyone here is missing a key component of Scott's challenge. I think Motorola's DES encrypted audio is actually VSELP compressed audio with DES encryption applied to the VSELP bits. Anyone serious about this would first need to create something that can handle plain VSELP first.

Scott ... this has nothing to do with the actual challenge you've put forth, but would you post a recording of a plain (no DES or XL or whatever) digitally encoded (but not encrypted) transmission? This would of course be discriminator audio.

From a decoding perspective - the DES sample you posted looks good. For those wondering ... the signal is a two level trapezoid or "pulse" waveform at 12000 baud (yes, that's twelve-thousand). It's definitely not ProVoice or Astro 25.

The VSELP task sounds like a nice summer project. :)

-rick

Hit to all.

Old DVP/DES is CVSD encoded voice, and I think it is 11 kbps FSK.
I think they did a 4 level at 5.5 baud for simulcast (FRED).

But I am no expert on this stuff, as I have not been to secure school in a long time.
 

mancow

Member
Database Admin
Joined
Feb 19, 2003
Messages
6,933
Reaction score
1,091
Location
N.E. Kansas
It is 12 kbps for regular old securenet.

I have a Key Variable Loader service manual. I can try to dig out some details if that will turn anyone on.

The funny thing is it took almost two whole pages just to get the files posted for download. How the hell are we going to actually decrypt it? :lol:


All I know is that the feds must not be too worried. I had the opportunity to see the radio in a local FBI car a couple years back. They were still using a trunk mount Syntor X with an HHCH setup to the front and of course an ASN type crypto box. I suppose it could have been some uber cool type 1 hybrid in there but from what I've gathered many of these old setups are plain old DES-XL. They are still using it to this day in my area. Only one repeater carries P25 CAI traffic.
 

Grog

Completely Banned for the Greater Good
Banned
Joined
Dec 19, 2002
Messages
2,959
Reaction score
7
Location
West of Charlotte NC
wayne_h said:
I know there are people on here capable of taking on the project (starting, finishing is something else) but I think that's like 1-2% of this community.

Some days we're lucky if 1-2% can spell every word in their post correctly :D



mancow said:
All I know is that the feds must not be too worried. I had the opportunity to see the radio in a local FBI car a couple years back. They were still using a trunk mount Syntor X with an HHCH setup to the front and of course an ASN type crypto box. I suppose it could have been some uber cool type 1 hybrid in there but from what I've gathered many of these old setups are plain old DES-XL. They are still using it to this day in my area. Only one repeater carries P25 CAI traffic.

Good to see they are not more secure than my junker $30 sabers :lol:
 

SCPD

QRT
Joined
Feb 24, 2001
Messages
0
Reaction score
106
Location
Virginia
Scott;

Here's your MP3 file rendered as a 12 kilobit stream. Each bit in the attached file corresponds to one bit in the stream. I'm too lazy to perform the delta-modulation. I played the MP3 twice while capturing the resulting bit stream so ... if you were to convert this file to audio ... you should hear the same phrase or sound repeated twice.

Are you sure this data is encrypted? I see a sequence of alternating 1's and 0's at the very end of the transmission. If that's silence ... this transmission was sent in the clear.

Note - I named the file "SecureNet.DAT.zip" to make the vBulletin forum happy. It didn't like a file ending in "DAT". Remove the ZIP from the file name. It's a plain binary file (32 bit words in little endian format) - but not zip compressed. Most significant bit of each word was sent first.

-rick
 

Attachments

  • SecureNet.DAT.ZIP (67.1 KB · Views: 119)

N_Jay

Guest
rfmobile said:
Scott;

Here's your MP3 file rendered as a 12 kilobit stream. Each bit in the attached file corresponds to one bit in the stream. I'm too lazy to perform the delta-modulation. I played the MP3 twice while capturing the resulting bit stream so ... if you were to convert this file to audio ... you should hear the same phrase or sound repeated twice.

Are you sure this data is encrypted? I see a sequence of alternating 1's and 0's at the very end of the transmission. If that's silence ... this transmission was sent in the clear.

Note - I named the file "SecureNet.DAT.zip" to make the vBulletin forum happy. It didn't like a file ending in "DAT". Remove the ZIP from the file name. It's a plain binary file (32 bit words in little endian format) - but not zip compressed. Most significant bit of each word was sent first.

-rick

He might just lose the scanner if he sent it with a zero key.
 

rescue161

KE4FHH
Database Admin
Joined
Jun 5, 2002
Messages
3,709
Reaction score
679
Location
Hubert, NC
I can assure you that the transmission is encrypted and it is not a zero key.
 

mancow

Member
Database Admin
Joined
Feb 19, 2003
Messages
6,933
Reaction score
1,091
Location
N.E. Kansas
The alternating 0s and 1s are the end of transmission tone that tells the radio to close the audio path.
 

WayneH

Forums Veteran
Super Moderator
Joined
Dec 16, 2000
Messages
7,553
Reaction score
86
Location
Your master site
Grog said:
Some days we're lucky if 1-2% can spell every word in their post correctly :D
What Grog is hinting at is he can do this in less than one week but he doesn't want to show off. Let's see you work your magic Grog! I'm rooting for ya even though Rick has a head start on you now.
 

cabfeegig

Member
Joined
Oct 22, 2006
Messages
62
Reaction score
0
Location
Clearwater, Fl
Sorry to be a pain here, but this whole thread is ridiculous. The theory of encryption is based on the effort to break it exceeding realistic efforts. I think this thread supports this already.
 

rescue161

KE4FHH
Database Admin
Joined
Jun 5, 2002
Messages
3,709
Reaction score
679
Location
Hubert, NC
cabfeegig said:
Sorry to be a pain here, but this whole thread is ridiculous. The theory of encryption is based on the effort to break it exceeding realistic efforts. I think this thread supports this already.

So you think it'll take longer than a week... Man, I knew I should have put that in the pole.
 

cabfeegig

Member
Joined
Oct 22, 2006
Messages
62
Reaction score
0
Location
Clearwater, Fl
Not sure what "POLL" means, but given unlimited resources in theory most crypto can be broken. The idea is the length of time to do so would exceed the value of the data that was encrypted.
 