Encryption keys and DMR repeaters

[Clats97]

Then they aren't using RAS.

I wouldn't know. I'm just passing on what I heard. I don't know much about this. Could have been RC4, that starts with an R and has 3 letters. As I said I dont actually know.

 

[Bowlieweekender]

For anyone using 128 bit encryption, I have a Python script that will generate a cryptographically strong key that involves 14 rounds of randomization, SHA-512, PBKDF2, HMAC, a 64 byte initial token, a 64 byte dynamic salt, and 1 million iterations. They come out strong, when I histogrammed over 100 outputs and the average was remarkable, perfect randomization even distribution, keystream isn't biased, now, should a public agency use this method to pick their keys? No they'll use a library that's a lot more sophisticated than Python. But I assure you these keys are Damn close.

I use them to encrypt my commercial DMR uses (volunteer for various things that use commercial radios) and for others who have a callsign, you could encrypt your transmissions on a DMR repeater as long as you publish the key beforehand. Canadian law says no SECRET key or cipher or method of obfuscation can be used, so it has been accepted that as long as you don't hide the keys, it's okay. Case in point? View the Ontario Canada brandmeister DMR radio reference page. You will see that one repeater went full out encryption, with I believe RAS keys (restricted access to system), and on the voice AES 256, and on the data DES 56. It's perfectly legal.

You can modify the script for different key lengths, bit size, you can mess around with other variables. But this is what I use primarily, as well as one that produces 16 keys, I use that cause my radios can hold 16 keys, so every month I rotate the keys and made a command that spits out not one but 16 keys that are all cryptographically strong. This is one of the outputs I just executed:68FECD3CFCDD9BA1499CAD1684690424.

Here's the script:


import secrets
from hashlib import pbkdf2_hmac

def generate_dynamic_salt(length=64):
return secrets.token_bytes(length)

def generate_key_fixed(token, secret_key, iterations=1000000, salt_length=64):
for _ in range(14):
dynamic_salt = generate_dynamic_salt(salt_length)
if isinstance(token, str):

token = bytes.fromhex(token)
token_bytes = token + secret_key
token = pbkdf2_hmac('sha512', token_bytes, dynamic_salt, iterations)
token = token.hex().upper()[:32]
return token

token = secrets.token_bytes(64)
secret_key = secrets.token_bytes(64)

strong_key = generate_key_fixed(token, secret_key)
print(strong_key)





There you go.Enjoy!

There's an app for that!

 

[Clats97]

There's an app for that!

OMG can you link me to it? I tried googling it but couldn't find it. What's it called?

 

[Bowlieweekender]

OMG can you link me to it? I tried googling it but couldn't find it. What's it called?

You'd have to be in the Russian military and in the Ratnik program to officially get a copy of that, which probably means you're invading Ukraine.

 

[kayn1n32008]

OMG can you link me to it? I tried googling it but couldn't find it. What's it called?

Random.org will generate random strings.

 

[Bowlieweekender]

I pulled a copy off a military site in Russia and it executes as intended. Unless your PC supports the Russian character set you'll just get a lot of ????? where the text should be, but from the translated screen capture I posted it is 100% obvious. Have your very best virus checker at the ready! If you want a Dropbox link then ping me.

 

[Clats97]

Random.org will generate random strings.

Not cryptographically useful ones. I can easily generate random strings. ChatGPT will do it.

But a cryptographically strong key needs to be pseudorandom or true random for it to be acceptable for critical use.

The algorithm I use uses PBKDF2, HMAC, SHA-512, 20 rounds of randomization with key expansion, initial addroundkey, subbytes, shiftrows, mixcolumns, 2nd addroundkey, in the final round subbytes, shiftrows, and addroundkey key. Then it needs a dynamic variable salt, padding, initial token, and iterations and an initialization vector. You also want input validation and exception handling.

Random.org does not do that. You need a cryptographically strong key.

 

[Clats97]

I pulled a copy off a military site in Russia and it executes as intended. Unless your PC supports the Russian character set you'll just get a lot of ????? where the text should be, but from the translated screen capture I posted it is 100% obvious. Have your very best virus checker at the ready! If you want a Dropbox link then ping me.

Ping? As in message? If so, done.

 

[dickie757]

In the case of the Toronto repeater, what is stopping users from using repeater with no encryption? I am still learning, and finding out that I have an absolute Motorola-ton of stuff to learn, but DMR encryption does not stop repeater access, right? The communication will be encrypted, so only those with cipher will hear the message. And, the messages without encryption will still be heard by all, including radios that use E talkgroups?

 

[dickie757]

Also, found this:

DMR FAQ - VA3XPR

1. What is DMR? DMR, which is short for Digital Mobile Radio, is a published standard for digital vo

va3xpr.net

Specifically Q 17.

I dont have an opinion on the law or E on non commercial freqs, just interesting topic.

 

[Clats97]

In the case of the Toronto repeater, what is stopping users from using repeater with no encryption? I am still learning, and finding out that I have an absolute Motorola-ton of stuff to learn, but DMR encryption does not stop repeater access, right? The communication will be encrypted, so only those with cipher will hear the message. And, the messages without encryption will still be heard by all, including radios that use E talkgroups?

well, i was told it has RAS, but another commentor said that if its a hytera, it cant have RAS because its a moto proprietary feature. so obviously, hytera has their own version of it. plus, the frequency isnt public you gotta ask the right person for the freq, colour code, slot, and tgs

 

[alcahuete]

plus, the frequency isnt public you gotta ask the right person for the freq, colour code, slot, and tgs

None of that is difficult to find. A scanner or SDR will very easily tell you that information.

 

[kayn1n32008]

Also, found this:

DMR FAQ - VA3XPR

1. What is DMR? DMR, which is short for Digital Mobile Radio, is a published standard for digital vo

va3xpr.net

Specifically Q 17.

I dont have an opinion on the law or E on non commercial freqs, just interesting topic.

Tye answer to Q17 is catagorically wrong in Canada. There are some caveats, but encryption is legal in Canada.

 

[Scannerboy1999]

I wish they would let us use encryption on dmr in the USA

 

[paulears]

I suppose the whole purpose of amateur radio is the premise that strangers can communicate. As soon as you need or want encryption, you may as well licence a non-amateur system. private ham groups have always been an annoyance since I started. They may not wish to talk to you or listen to you, but they could never stop people wigging in - how ham radio is supposed to work.

 

[Clats97]

I suppose the whole purpose of amateur radio is the premise that strangers can communicate. As soon as you need or want encryption, you may as well licence a non-amateur system. private ham groups have always been an annoyance since I started. They may not wish to talk to you or listen to you, but they could never stop people wigging in - how ham radio is supposed to work.

Yeah, I get that. One of the principles of ham radio is openness. However, I am mostly a commercial user, so it's different. But I understand the desire for Ham users to have restrictions or encryption, as there are pirate hams that disrupt and interfere, and there's a magical feeling when you know others except intended recipients cannot hear you, lol.

 

[Scannerboy1999]

Make the keys public on a website but they check and make sure your a ham radio operator before you get access to the website to get the encryption key and make it all rc4 cause all dmr radio have rc4 encryption and make it one key for all radios and change it every month

 

[Scannerboy1999]

That’s the best thing about system fusion and d-star no scanners can listen in on the conversations

 

[Clats97]

Make the keys public on a website but they check and make sure your a ham radio operator before you get access to the website to get the encryption key and make it all rc4 cause all dmr radio have rc4 encryption and make it one key for all radios and change it every month

I know. My radios have 40 bit RC4 and 128 bit AES. There's really no reason to use RC4 if you can use AES. The only benefit is when you create the keys, RC4 is a stream cipher and is VERY fast, I can generate 16 keys (max amount of keys the radio will hold) in less than 5 seconds, with AES it takes over 10 minutes be cause it's a symmetric block cipher. My Python script utilizes PBKDF2, HMAC, SHA-512, 20 rounds of randomization, 128 byte initial token, 128 byte dynamic variable salt, and 2 million iterations with input validation and exception handling. I do have RC4 keys loaded in the radio, but they won't be used.

And sure there aren't scanners that support dstar, but you can use SDRs to decode it with specialized software.

 

[KevinC]

I know. My radios have 40 bit RC4 and 128 bit AES. There's really no reason to use RC4 if you can use AES. The only benefit is when you create the keys, RC4 is a stream cipher and is VERY fast, I can generate 16 keys (max amount of keys the radio will hold) in less than 5 seconds, with AES it takes over 10 minutes be cause it's a symmetric block cipher. My Python script utilizes PBKDF2, HMAC, SHA-512, 20 rounds of randomization, 128 byte initial token, 128 byte dynamic variable salt, and 2 million iterations with input validation and exception handling. I do have RC4 keys loaded in the radio, but they won't be used.

And sure there aren't scanners that support dstar, but you can use SDRs to decode it with specialized software.

I thought is was 14 rounds and 1 million iterations?

For anyone using 128 bit encryption, I have a Python script that will generate a cryptographically strong key that involves 14 rounds of randomization, SHA-512, PBKDF2, HMAC, a 64 byte initial token, a 64 byte dynamic salt, and 1 million iterations