[DHS] Comments Requested on Nonstandard P25 Encryption CAP Document

[kb4cvn]

Comments Requested on Nonstandard P25 Encryption CAP Document

Comments Requested on Nonstandard P25 Encryption CAP Document
Tuesday, January 03, 2017


The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) Office for Interoperability and Compatibility (OIC) released a draft Project 25 (P25) Compliance Assessment Bulletin (CAB) to “to stop the practice of manufacturers providing subscriber units with a non-P25 standard encryption without also including P25 standard AES 256 encryption.”

The document said the P25 Compliance Assessment Program (CAP) advisory panel (AP) deliberated for many months concerning the widespread use and continued shipment of P25 subscriber unit equipment that includes non-P25 standard encryption without also including P25 advanced encryption standard (AES) 256 encryption.

P25 equipment with only non-P25 standard encryption has caused interoperability challenges in the field. When multiple agencies need to communicate securely as a group, every subscriber unit in the group must use the same encryption algorithm and key. Matching keys can be loaded into the subscriber units in a straightforward manner, but the same encryption algorithm must be present in each subscriber unit before keys can be loaded.

Most equipment submitted to the P25 CAP includes the AES 256 encryption algorithm as an optional feature. The P25 CAP suppliers’ declaration of compliance (SDoC) and summary test report (STR) documents indicate that encryption was an option when the approved equipment was tested, but public-safety agencies can use grant funds to purchase P25 CAP-approved equipment with or without the optional AES 256 encryption. P25 CAP AP has no intention of requiring AES 256 equipment for public safety. A problem occurs, however, when the P25 equipment manufacturer provides a non-P25 standard encryption algorithm with the equipment when the optional AES 256 encryption is not ordered.

The P25 CAP AP wants to stop the practice of manufacturers providing subscriber units with non-P25 standard encryption without also including P25 standard AES 256 encryption. The P25 CAP AP recommends that OIC consider the following acceptable — if a vendor ships a radio with no encryption, standard AES 256 encryption, or standard and nonstandard encryption.

The P25 CAP AP created a resolution recommending DHS OIC take clear actions to stop this practice and to ask that manufacturers provide a path for public-safety users to add AES 256 to fielded P25 subscriber units that are now only equipped with non-P25 standard encryption. Specifically, this action should be taken for equipment bought with federal grants and those equipment purchases intended to be P25 CAP Approved equipment.

The full CAB is at the below URL:
https://www.dhs.gov/sites/default/f..._CAB-Non-Standard-Feature-Way-Forward-508.pdf


The draft P25 CAP CAB on encryption requirements is available for public comment. Submit comments to p25cap@hq.dhs.gov by Jan. 22.

 

[Forts]

So... no ADP basically. Yet we are starting to see more vendors (like Harris) adding ADP/ARC4 compatibility to their products.

 

[mmckenna]

Good idea that came too late.

Seems like Mother M will just push to get ARC4 called a "standard". With others offering it now, it's not the issue it was a while back.

DHS shutting the barn door after the horses already got out. Still, good to have it in writing, if they actually follow through.

 

[ElroyJetson]

GOOD. Hard to believe I'm saying something good about anything DHS wants or does.

Government pushback on non-standard features is a good thing.

Every company sings The Interoperability Song but their feet are dancing the Proprietary Features To Lock you Into Our Products Dance.

That dance needs to be banned.

I can see this coming:

"New federal regulations prohibit the inclusion of features in communications equipment that are not specifically defined in the Project 25 standards, or that are vendor-specific, for any radio equipment that is or may be used in an interoperable mode of communications between local, state, and federal authorities.

The inclusion or usage of any features or technology in any such radio equipment which creates an operational incompatibility between radios of different types or from different vendors is specifically prohibited.

No federal grants or funding or assistance shall be provided which facilitates the purchase, usage, or maintenance of any equipment not compliant with this regulation.

Operators of public safety systems which contain such non-compliant equipment are directed to discontinue usage of the non-compliant features and take measures to have specification compliant encryption features added to said equipment where possible. Retirement of non-upgradable equipment is strongly recommended."

 

[gesucks]

This is not no ADP(nonStandard).
This no free ADP(nonstandard) with out free AES(Standard).
If you include nonstandard encryption you must also have standard AES256 as well to get a SDoc

 

[RFI-EMI-GUY]

Wow, Motorola can use this "fait accompli" to wrangle more radio sales. "Sorry Chief, the feds are saying you have to stop using those shiny new APX radios with ADP and buy shinier new APX radios with AES. Just sign here and we will be on our way"!

 

[ElroyJetson]

"Operators of public safety systems which contain such non-compliant equipment are directed to discontinue usage of the non-compliant features and take measures to have specification compliant encryption features added to said equipment where possible. Retirement of non-upgradable equipment is strongly recommended."

That clause would cover that scenario. If only it were real.

 

[slicerwizard]

So... no ADP basically. Yet we are starting to see more vendors (like Harris) adding ADP/ARC4 compatibility to their products.

Exactly. The other vendors can add ADP to their firmware and problem solved. There's nothing special about ARC4 or the LFSR used to generate the MIs. If Motorola doesn't like it, too bad.

 

[NavyBOFH]

With that, they should include that radios built/sold after a specific date (or whatever rule they can deem valid) should be upgraded to include AES if capable.

I can see right now as others said, Motorola and others going to these customers and saying 1) you need new radios or 2) Well you need AES now - and we can upgrade them - for $500 a unit (IIRC that was around the price of adding AES to an APX).

DHS needs to protect their wallets with this and see that they're going to open the floodgates for further price gouging to customers which will eventually come out of their wallet.

 

[prcguy]

I hope DHS simply stops purchasing from or dealing with companies that don't comply. Ya wanna sell me a radio? It better do what I want and not you want to dump on me.
prcguy

 

[Hooligan]

The blame should lay with the public safety agency that either didn't recognize a need for secure interoperability or was negligent in not knowing that ADP isn't the same as AES-256. It's not the fault of Motorola, no matter how much you whiners want to cry about them.

 

[mmckenna]

It's not the fault of Motorola, no matter how much you whiners want to cry about them.

I'd mostly agree with you, however Motorola sales has a long history of selling radios to agencies with misleading or shadowy tactics. Had it happen to me, but I knew more than the sales guy did.

Motorola has a lot of issues. They do make good radios (mostly) but their sales and marketing is what's going to kill them.

 

[kb4cvn]

GOOD. Hard to believe I'm saying something good about anything DHS wants or does.

Government pushback on non-standard features is a good thing.

Every company sings The Interoperability Song but their feet are dancing the Proprietary Features To Lock you Into Our Products Dance.

That dance needs to be banned.

My humble 2¢ worth on this topic of standard vs. proprietary and interop communications:

Standards are just that, a single common point of reference everyone can agree on, and use.
Interop communications? Hell yes. Keep it standard and use AES-256.
Avoid “side roads” of single source encryption.

But, on the flip side, YES keep all your interop comms standard, but when you are in your own private sandbox. You are free to do whatever the heck you want. Standard is always the preferred solution though. Going to some wackadoodle encryption algorithm may be cool, but is it really worth it? Especially at taxpayer expense?

 

[kb4cvn]

I'd mostly agree with you, however Motorola sales has a long history of selling radios to agencies with misleading or shadowy tactics. Had it happen to me, but I knew more than the sales guy did.

Motorola has a lot of issues. They do make good radios (mostly) but their sales and marketing is what's going to kill them.

Motorola's radios and engineering is as good as anyone's.
It is their management and sales staff's which have the "Dorsal Fin", and predatory business practices.

 

[Hooligan]

I'd mostly agree with you, however Motorola sales has a long history of selling radios to agencies with misleading or shadowy tactics. Had it happen to me, but I knew more than the sales guy did.

Motorola has a lot of issues. They do make good radios (mostly) but their sales and marketing is what's going to kill them.

Tru dat -- I too go back to the era where LEAs would say "What do you mean it's not secure -- we use 'Private Line' mode!"

But the long history you mention is something that should be well-known to the agencies who are responsible for the radio systems, & thus have a duty to perform due diligence.

 

[RFI-EMI-GUY]

The blame should lay with the public safety agency that either didn't recognize a need for secure interoperability or was negligent in not knowing that ADP isn't the same as AES-256. It's not the fault of Motorola, no matter how much you whiners want to cry about them.

Partly the blame are agencies who don't take the time and minor expense to hire a truly vendor neutral Consultant to do a needs analysis and draft specs. The other problem is with agencies whose inner politics have them ignoring Consultant's recommendations.

Sent from my SM-T350 using Tapatalk