Encryption keys and DMR repeaters

[mikewazowski]

That’s the best thing about system fusion and d-star no scanners can listen in on the conversations

But a $10 dongle will with free software.

 

[dickie757]

The Hash got a bit too salted

 

[KevinC]

And sure there aren't scanners that support dstar, but you can use SDRs to decode it with specialized software.

My IC-R30 supports D-STAR.

 

[Scannerboy1999]

Not to many people know how to use dsd and you can’t take a computer every where’s with them like on a run or walk like you can a scanner and the receiver are to expensive for most people like there is a receiver that can descamble nxdn 15 bit digital scrambler but it’s to expensive for most people with today economy

 

[Scannerboy1999]

And a lot of people don’t know how to setup dsd and sdr receiver to get them working right scanner are way more easy for people to setup that’s where fusion and d-star gives you a little privacy with them but not like encryption cause there will never be a scanner or sdr that can decrypt encrypted communications ones digital communications goes encrypted it’s gone forever

 

[Clats97]

I thought is was 14 rounds and 1 million iterations?

It was. I changed the script to make it more secure. Here it is, analyze it or run it and you will find the following:

1. PBKDF2
2. HMAC
3. SHA-512
4. 128 byte initial token
5. 128 byte dynamic variable salt
6. 2M iterations
7. 20 rounds of randomization
8. Input validation
9. Exception handling

import secrets
from hashlib import pbkdf2_hmac, sha512

def generate_dynamic_salt(length=128):
return secrets.token_bytes(length)

def hash_with_sha512(data):
hasher = sha512()
hasher.update(data)
return hasher.digest()

def validate_key_generation_inputs(token, secret_key, iterations, salt_length, rounds):
if not isinstance(token, (bytes, str)):
raise TypeError("Token must be bytes or a hexadecimal string.")
if not isinstance(secret_key, bytes):
raise TypeError("Secret key must be bytes.")
if not isinstance(iterations, int) or iterations < 1:
raise ValueError("Iterations must be a positive integer.")
if not isinstance(salt_length, int) or salt_length < 1:
raise ValueError("Salt length must be a positive integer.")
if not isinstance(rounds, int) or rounds < 1:
raise ValueError("Rounds must be a positive integer.")

def generate_strong_key(token, secret_key, iterations=2000000, salt_length=128, rounds=20):
validate_key_generation_inputs(token, secret_key, iterations, salt_length, rounds)
for _ in range(16):
for _ in range(rounds):
dynamic_salt = generate_dynamic_salt(salt_length)
if isinstance(token, str):
token = bytes.fromhex(token)
token_bytes = hash_with_sha512(token + secret_key)
token = pbkdf2_hmac('sha512', token_bytes, dynamic_salt, iterations)
yield token.hex().upper()[:32]

def main():
try:
token = secrets.token_bytes(128)
secret_key = secrets.token_bytes(128)
for i, key in enumerate(generate_strong_key(token, secret_key), 1):
print(f"AES-128 Bit Key {i}: {key}")
except Exception as e:
print(f"An error occurred: {e}")

if __name__ == "__main__":
main()

 

[Clats97]

And a lot of people don’t know how to setup dsd and sdr receiver to get them working right scanner are way more easy for people to setup that’s where fusion and d-star gives you a little privacy with them but not like encryption cause there will never be a scanner or sdr that can decrypt encrypted communications ones digital communications goes encrypted it’s gone forever

Yup, but there are some agencies that respect the principle of open government and operate in the clear, or use partial encryption. I am in talks with the ministry to prevent PSRN from going fully encrypted. I know the contract is signed and sealed and already in the works, but the system administrators can easily NOT apply the encryption. My suggestion is to have only one encrypted channel per talkgroup, only to be used if nessecary. 90% of the traffic doesn't need to be encrypted. Dispatch channels, primary and secondary channels, and tactical channels should all be in the clear. Investigative channels I do understand the need for encryption there. But you do not need to encrypt everything.

 

[KevinC]

It was. I changed the script to make it more secure. Here it is, analyze it or run it and you will find the following:

1. PBKDF2
2. HMAC
3. SHA-512
4. 128 byte initial token
5. 128 byte dynamic variable salt
6. 2M iterations
7. 20 rounds of randomization
8. Input validation
9. Exception handling

import secrets
from hashlib import pbkdf2_hmac, sha512

def generate_dynamic_salt(length=128):
return secrets.token_bytes(length)

def hash_with_sha512(data):
hasher = sha512()
hasher.update(data)
return hasher.digest()

def validate_key_generation_inputs(token, secret_key, iterations, salt_length, rounds):
if not isinstance(token, (bytes, str)):
raise TypeError("Token must be bytes or a hexadecimal string.")
if not isinstance(secret_key, bytes):
raise TypeError("Secret key must be bytes.")
if not isinstance(iterations, int) or iterations < 1:
raise ValueError("Iterations must be a positive integer.")
if not isinstance(salt_length, int) or salt_length < 1:
raise ValueError("Salt length must be a positive integer.")
if not isinstance(rounds, int) or rounds < 1:
raise ValueError("Rounds must be a positive integer.")

def generate_strong_key(token, secret_key, iterations=2000000, salt_length=128, rounds=20):
validate_key_generation_inputs(token, secret_key, iterations, salt_length, rounds)
for _ in range(16):
for _ in range(rounds):
dynamic_salt = generate_dynamic_salt(salt_length)
if isinstance(token, str):
token = bytes.fromhex(token)
token_bytes = hash_with_sha512(token + secret_key)
token = pbkdf2_hmac('sha512', token_bytes, dynamic_salt, iterations)
yield token.hex().upper()[:32]

def main():
try:
token = secrets.token_bytes(128)
secret_key = secrets.token_bytes(128)
for i, key in enumerate(generate_strong_key(token, secret_key), 1):
print(f"AES-128 Bit Key {i}: {key}")
except Exception as e:
print(f"An error occurred: {e}")

if __name__ == "__main__":
main()

Thanks, but I don't use any radios that support AES-128.

 

[Clats97]

Thanks, but I don't use any radios that support AES-128.

Whys that?

 

[KevinC]

Whys that?

Because I use professional radios and none of them (as far as I know) support AES-128. It's either some form of DES or AES-256 or RC4/ADP.

 

[Scannerboy1999]

Everything is going to be encrypted one day and scanners and sdr will be a thing of the past

 

[hrh17]

Tait DMR radios support the following encryption
ARC4
Des
AES128
AES256

 

[Clats97]

Because I use professional radios and none of them (as far as I know) support AES-128. It's either some form of DES or AES-256 or RC4/ADP.

Oh wow they don't have all bit sizes for AES? Do you know what that is? 128 bit is more resistant to side channel attacks than 256 is. There are benefits to shorter keys, you don't always need 256.

My radios support 40 bit RC4 and 128 bit AES

 

[Clats97]

Tait DMR radios support the following encryption
ARC4
Des
AES128
AES256

Nice

 

[Clats97]

The Hash got a bit too salted

Lool

 

[kayn1n32008]

They may not wish to talk to you or listen to you, but they could never stop people wigging in - how ham radio is supposed to work.

See, some of us don't want nosey busy bodies worming their way in and gossiping about our business. Encryption stops that.