Encryption keys and DMR repeaters

[Clats97]

For anyone using 128 bit encryption, I have a Python script that will generate a cryptographically strong key that involves 14 rounds of randomization, SHA-512, PBKDF2, HMAC, a 64 byte initial token, a 64 byte dynamic salt, and 1 million iterations. They come out strong, when I histogrammed over 100 outputs and the average was remarkable, perfect randomization even distribution, keystream isn't biased, now, should a public agency use this method to pick their keys? No they'll use a library that's a lot more sophisticated than Python. But I assure you these keys are Damn close.

I use them to encrypt my commercial DMR uses (volunteer for various things that use commercial radios) and for others who have a callsign, you could encrypt your transmissions on a DMR repeater as long as you publish the key beforehand. Canadian law says no SECRET key or cipher or method of obfuscation can be used, so it has been accepted that as long as you don't hide the keys, it's okay. Case in point? View the Ontario Canada brandmeister DMR radio reference page. You will see that one repeater went full out encryption, with I believe RAS keys (restricted access to system), and on the voice AES 256, and on the data DES 56. It's perfectly legal.

You can modify the script for different key lengths, bit size, you can mess around with other variables. But this is what I use primarily, as well as one that produces 16 keys, I use that cause my radios can hold 16 keys, so every month I rotate the keys and made a command that spits out not one but 16 keys that are all cryptographically strong. This is one of the outputs I just executed:68FECD3CFCDD9BA1499CAD1684690424.

Here's the script:


import secrets
from hashlib import pbkdf2_hmac

def generate_dynamic_salt(length=64):
return secrets.token_bytes(length)

def generate_key_fixed(token, secret_key, iterations=1000000, salt_length=64):
for _ in range(14):
dynamic_salt = generate_dynamic_salt(salt_length)
if isinstance(token, str):

token = bytes.fromhex(token)
token_bytes = token + secret_key
token = pbkdf2_hmac('sha512', token_bytes, dynamic_salt, iterations)
token = token.hex().upper()[:32]
return token

token = secrets.token_bytes(64)
secret_key = secrets.token_bytes(64)

strong_key = generate_key_fixed(token, secret_key)
print(strong_key)





There you go.Enjoy!

 

[AB5ID]

Define "published"

 

[Clats97]

Define "published"

Not secret & publically available.

 

[AB5ID]

Not secret & publically available.

Specifically, where would you publish your key?

 

[RaleighGuy]

Not secret & publically available.

If it is "Not secret & publically [sic] available" how does encryption protect the traffic? That's kind of like saying it is protected from anyone who doesn't have a radio or the internet.

 

[mikewazowski]

View the Ontario Canada brandmeister DMR radio reference page. You will see that one repeater went full out encryption, with I believe RAS keys (restricted access to system), and on the voice AES 256, and on the data DES 56. It's perfectly legal.

Got a link to that page?

 

[Clats97]

Specifically, where would you publish your key?

It has to be on something accessible to others, so a blog, website, Facebook, Twitter, or the forums here would be sufficient.

 

[Clats97]

If it is "Not secret & publically [sic] available" how does encryption protect the traffic? That's kind of like saying it is protected from anyone who doesn't have a radio or the internet.

Well, you have to have a radio compatible with the encryption algorithm you're using, which narrows the pool down, but also, because most hams don't scour the internet looking for encryption keys then trying to intercept an encrypted transmission with the key, not really gonna happen. The person would have to know the Rx and TX freq, the colour code, slot, talkgroup, etc. So sure, a public encryption key isn't as secure as a secret one, but the letter of the law requires you to publish it otherwise its considered secret and therefore illegal. You gotta work within the framework that's there 🤷 it's better than nothing

 

[Clats97]

Got a link to that page?

Yeah here's a screenshot and a link

Link: DMR-MARC Ontario Amateur Repeater Network Trunking System, Multiple Locations, Multi-State

Screenshot attached.

 

[RaleighGuy]

Got a link to that page?

Communications with Radio Apparatus in the Amateur Radio Service​

[SOR/2000-78, s. 8]

47 A person who operates radio apparatus in the amateur radio service may only

• (a) communicate with a radio station that operates in the amateur radio service;
• (b) use a code or cipher that is not secret; and
• (c) be engaged in communication that does not include the transmission of
  • (i) music,
  • (ii) commercially recorded material,
  • (iii) programming that originates from a broadcasting undertaking, or
  • (iv) radiocommunications in support of industrial, business or professional activities.

Radiocommunication Regulations

Federal laws of Canada

laws-lois.justice.gc.ca

This is really vague, are they talking about a PL code or actual encryption.

 

[Clats97]

Communications with Radio Apparatus in the Amateur Radio Service​

[SOR/2000-78, s. 8]

47 A person who operates radio apparatus in the amateur radio service may only

• (a) communicate with a radio station that operates in the amateur radio service;
• (b) use a code or cipher that is not secret; and
• (c) be engaged in communication that does not include the transmission of
  • (i) music,
  • (ii) commercially recorded material,
  • (iii) programming that originates from a broadcasting undertaking, or
  • (iv) radiocommunications in support of industrial, business or professional activities.

Radiocommunication Regulations

Federal laws of Canada

laws-lois.justice.gc.ca

This is really vague, are they talking about a PL code or actual encryption.

A PL tone is not a cipher. It says "code or cipher" and the term "code" based on common law is generally accepted to mean "the method of transforming a message to keep it secret".

So very clearly referring to encryption, as they mentioned both code and cipher, and we all know what a cipher is. You can't argue that a cipher isn't encryption.

 

[iowajm780]

Encryption with private keys should be allowed here in the U.S on amateur radio. Should get rid of the old fogeys who want to interrupt good conversations with garbage talk.

 

[Clats97]

Also

Communications with Radio Apparatus in the Amateur Radio Service​

[SOR/2000-78, s. 8]

47 A person who operates radio apparatus in the amateur radio service may only

• (a) communicate with a radio station that operates in the amateur radio service;
• (b) use a code or cipher that is not secret; and
• (c) be engaged in communication that does not include the transmission of
  • (i) music,
  • (ii) commercially recorded material,
  • (iii) programming that originates from a broadcasting undertaking, or
  • (iv) radiocommunications in support of industrial, business or professional activities.

Radiocommunication Regulations

Federal laws of Canada

laws-lois.justice.gc.ca

This is really vague, are they talking about a PL code or actual encryption.

Also, here's a direct quote:

"In Canada, from what Industry Canada (now called ISED) has said, it is legal to use encryption on the amateur frequencies as long as you use a key that is published."

 

[Clats97]

Encryption with private keys should be allowed here in the U.S on amateur radio. Should get rid of the old fogeys who want to interrupt good conversations with garbage talk.

I agree. Also a lot of people forget that the US isn't the only country in the world, lol.

 

[RaleighGuy]

Also

Also, here's a direct quote:

"In Canada, from what Industry Canada (now called ISED) has said, it is legal to use encryption on the amateur frequencies as long as you use a key that is published."

I posted that in support of you and not to argue with you, I wasn't disagreeing with you I simply added my opinion it seemed vague, but clearly is allowed.

 

[MTS2000des]

In the US, the other option to get rid of Bowelturds and unwanted/unauthorized users is RAS. Granted, you will be limited to MSI subscribers, but no RAS key no kerchunk for you! Completely legal under part 97, listen to voice traffic all day long on scanner or Chinaturd DMR radio, just can't use someone else' equipment without the key. They can cry and whine to the FCC, it's no different than using PL or DTMFs to limit access, which is the purpose, not to "obscure the meaning of transmissions" but rather to Restrict Access to System!

 

[Clats97]

I posted that in support of you and not to argue with you, I wasn't disagreeing with you I simply added my opinion it seemed vague, but clearly is allowed.

Nooo I'm sorry mate my intention wasn't to come off as defensive!! Just replying to the best of my ability and trying to provide as much useful info as possible because some people can't wrap their head around encrypted amateur radio, but in Canada it's a real thing. There's just very little caselaw on the specific issue of the interpretation of the relevant statutes. So you are right, it's vague, and needs an overhaul. Like a lot of things... Lol... I don't see this changing anytime soon, and even if it WAS illegal, I guarantee ISED won't be using their resources to track down people using radios to talk in private when we do it on cellphones every day and the government uses radio encryption themselves so what's sauce for the goose is sauce for the gander

 

[kayn1n32008]

View the Ontario Canada brandmeister DMR radio reference page. You will see that one repeater went full out encryption, with I believe RAS keys (restricted access to system), and on the voice AES 256, and on the data DES 56. It's perfectly legal.

Motorola does not offer DES encryption for their DMR offerings.

While they may be using RAS, they would only be able to use AES encryption on their local talk groups.

AFIAK the software brandmeister uses, does not support ARC4/AES256.

Unless they are using some sort of interface to decrypt/encrypt networked comms from/to the network, if they transmit encrypted, then those encrypted comms would go out over the network.

The repeater itself does not have any way to encrypt/decrypt. It only applies error correction before the voice and data is passed to the network.


This raises some interesting technical questions if ALL comms, both local and networked talk groups are encrypted on the Toronto repeater.

 

[Clats97]

Motorola does not offer DES encryption for their DMR offerings.

While they may be using RAS, they would only be able to use AES encryption on their local talk groups.

AFIAK the software brandmeister uses, does not support ARC4/AES256.

Unless they are using some sort of interface to decrypt/encrypt networked comms from/to the network, if they transmit encrypted, then those encrypted comms would go out over the network.

The repeater itself does not have any way to encrypt/decrypt. It only applies error correction before the voice and data is passed to the network.


This raises some interesting technical questions if ALL comms, both local and networked talk groups are encrypted on the Toronto repeater.

It's not a Motorola repeater.

 

[KevinC]

It's not a Motorola repeater.

Then they aren't using RAS.