
Thread: EFJ Encryption vs. Motorola

  1. #1
    Join Date
    Jan 06, 2013
    Location
    Noblesville, IN
    Posts
    31
    Thanks
    27
    Thanked 6 Times in 4 Posts
    Country: United States

    Default EFJ Encryption vs. Motorola

    While working to implement Motorola subs on an EFJ System, I've run into a stumbling block and I'm looking for confirmation of my findings and maybe even a workaround that I've missed.

    The EFJ System has two keys, each using a different algo. From what I've been able to see by examining an EFJ subscriber, they are able to enable both hardware/software encryption at the same time. Such a configuration option allows for duplication of the SLN/CKR, which presents issues for integrating a Motorola subscriber. Of course they are using SLN/CKR 1.

    Thus far, I've not been able to discover the logic used to determine what keys are used where. It seems that even inside an agency, there is a random mix of the two algos. So it's not like LE uses one algo and EMS/Fire uses another.

    So in order for a Moto sub to use both keys, the only option would be to appeal to the vendor/administrator to reconsider their key model, which we all know how that will end......


  2. #2
    Join Date
    Feb 04, 2012
    Posts
    1,823
    Thanks
    142
    Thanked 535 Times in 252 Posts

    Default

    First you will need to verify the algos are compatible. If they are not, then you're finished. If they are, then you need the KID/ALGO/KEY information. The rest is just programming. It won't matter if the user is using hardware or software based encryption. As far as the system is concerned it's the same thing, like using a mobile or a portable; the system doesn't care what the source is.

  3. #3
    Join Date
    Feb 04, 2012
    Posts
    1,823
    Thanks
    142
    Thanked 535 Times in 252 Posts

    Default

    CKR is just the position of the KID/Key in the radio's list of keys.

  4. #4
    Join Date
    Jan 06, 2013
    Location
    Noblesville, IN
    Posts
    31
    Thanks
    27
    Thanked 6 Times in 4 Posts
    Country: United States

    Default

    Understood. The algos are ADP/DES. Where I'm stuck is how to configure/keyload both an ADP key and a DES key on a Motorola (with a properly equipped UCM/MACE of course) both with a CKR of 1.

    It seems the EFJ subs don't have a problem here since I can enable software and hardware encryption on a per channel basis and each key can have a CKR of 1 (different key sets as I believe they call it).

  6. #6
    Join Date
    Jul 08, 2013
    Location
    Florida
    Posts
    218
    Thanks
    87
    Thanked 318 Times in 107 Posts
    Country: United States

    Default

    Quote Originally Posted by wdatkinson View Post
    Understood. The algos are ADP/DES. Where I'm stuck is how to configure/keyload both an ADP key and a DES key on a Motorola (with a properly equipped UCM/MACE of course) both with a CKR of 1.

    It seems the EFJ subs don't have a problem here since I can enable software and hardware encryption on a per channel basis and each key can have a CKR of 1 (different key sets as I believe they call it).
    The SLN (P25 standard term) or CKR (Motorola proprietary term) is just the slot the algorithm id / key id / key variable combination lives in. The SLN/CKR is not transmitted over the air and is there so you can have multiple keys with the same key id. Only the algorithm id and key id are transmitted over the air.

    You can set up:

    sln: 0x05, algid: 0xAA (ADP), keyid: 0x??, key variable: xxxx
    sln: 0x06, algid: 0x81 (DES-OFB), keyid: 0x??, key variable: yyyy

  7. #7
    Join Date
    Jul 08, 2013
    Location
    Florida
    Posts
    218
    Thanks
    87
    Thanked 318 Times in 107 Posts
    Country: United States

    Default

    Quote Originally Posted by wdatkinson View Post
    The EFJ System has two keys, each using a different algo. From what I've been able to see by examining an EFJ subscriber, they are able to enable both hardware/software encryption at the same time. Such a configuration option allows for duplication of the SLN/CKR, which presents issues for integrating a Motorola subscriber. Of course they are using SLN/CKR 1.

    Thus far, I've not been able to discover the logic used to determine what keys are used where. It seems that even inside an agency, there is a random mix of the two algos. So it's not like LE uses one algo and EMS/Fire uses another.

    So in order for a Moto sub to use both keys, the only option would be to appeal to the vendor/administrator to reconsider their key model, which we all know how that will end......
    Wait, are they using two different algorithms on the same channel, and it is just based on the luck of the draw either the ADP or DES key is used? And the EFJ radio is trying both keysets, the one in the software and the one in the hardware and using the one that works?

  8. #8
    Join Date
    Jul 08, 2013
    Location
    Florida
    Posts
    218
    Thanks
    87
    Thanked 318 Times in 107 Posts
    Country: United States

    Default

    Quote Originally Posted by duggerd View Post
    sln: 0x05, algid: 0xAA (ADP), keyid: 0x??, key variable: xxxx
    sln: 0x06, algid: 0x81 (DES-OFB), keyid: 0x??, key variable: yyyy
    Actually don't use SLN/CKR values 1 to 20 (0x01 to 0x14) - they are reserved (see appendix A):

    https://www.dhs.gov/sites/default/fi...20Draft508.pdf

  9. #9
    Join Date
    Jan 06, 2013
    Location
    Noblesville, IN
    Posts
    31
    Thanks
    27
    Thanked 6 Times in 4 Posts
    Country: United States

    Default

    They aren't using multiple algos per channel. Each channel is strapped with either ADP or DES and then selected at the TG level in Armada.

    Thank you for the additional information. For some reason I was under the impression that SLN/CKR needed to be unique. I'll look in the EFJ sub that I have and see what the KID is set to for each key and if I'm thinking correctly, I can then copy those values in my Motorola sub.

  10. #10
    Join Date
    Jul 08, 2013
    Location
    Florida
    Posts
    218
    Thanks
    87
    Thanked 318 Times in 107 Posts
    Country: United States

    Default

    Quote Originally Posted by wdatkinson View Post
    They aren't using multiple algos per channel. Each channel is strapped with either ADP or DES and then selected at the TG level in Armada.
    Ah, good - I am less horrified then.

    Quote Originally Posted by wdatkinson View Post
    Thank you for the additional information. For some reason I was under the impression that SLN/CKR needed to be unique. I'll look in the EFJ sub that I have and see what the KID is set to for each key and if I'm thinking correctly, I can then copy those values in my Motorola sub.
    Nope, SLN/CKR values only need to be unique within the radio (assuming one cryptographic system like hardware encryption or software encryption). The meanings of SLN and CKR, if you don't know, are:

    SLN = Storage Location Number

    CKR = Common Key Reference

    Also disclaimer that both ADP (RC4, 40 bit) and DES-OFB (56 bit) have been broken in practice and should not be relied upon anymore for security. In fact the DES portion of the P25 standard has been withdrawn (ADP/RC4 was never part of the P25 standard). It is strongly suggested that only AES-256 is used now.

  11. #11
    Join Date
    Feb 04, 2012
    Posts
    1,823
    Thanks
    142
    Thanked 535 Times in 252 Posts

    Default

    I'll have to try a KID of 1234 ADP and a KID of 1234 AES (hardware UCM) and see what happens. I suspect duggerd is 100% correct: the Moto radios will look at both the KID and the algo ID before attempting decode. I'll post the results soonish.

  12. #12
    Join Date
    Jan 06, 2013
    Location
    Noblesville, IN
    Posts
    31
    Thanks
    27
    Thanked 6 Times in 4 Posts
    Country: United States

    Default

    I still have a KID conflict for ADP with another system/agency in my KVL. I edited that key and moved it to a new KID (had to re-enter the key, thank goodness I'm not dealing with AES). After that, I entered in new/unique SLN/CKRs and used KID #1 for both of the new keys. After editing my CP and adding the keys as well as strapping the appropriate channels, I set about keyloading. This is where things get a bit odd.

    When I keyload, I get the normal high/low tone from the KVL, however, my APX7k emitted a single low tone and displayed KEY/ALG. But, going into my manual key selection, it appears to have loaded the keys. So I'm not quite sure what I have at this point. Unfortunately I'm out of range of the system I need to test with.

  13. #13
    Join Date
    Feb 04, 2012
    Posts
    1,823
    Thanks
    142
    Thanked 535 Times in 252 Posts

    Default

    Test results. Moto APX looks at both the KID and ALGO. I was able to test both algos using the same KID. I'm not sure how an ASTRO25 will work doing the same thing.

  14. #14
    Join Date
    Jul 08, 2013
    Location
    Florida
    Posts
    218
    Thanks
    87
    Thanked 318 Times in 107 Posts
    Country: United States

    Default

    Quote Originally Posted by wdatkinson View Post
    I still have a KID conflict for ADP with another system/agency in my KVL. I edited that key and moved it to a new KID (had to re-enter the key, thank goodness I'm not dealing with AES). After that, I entered in new/unique SLN/CKRs and used KID #1 for both of the new keys. After editing my CP and adding the keys as well as strapping the appropriate channels, I set about keyloading. This is where things get a bit odd.
    You shouldn't have key id conflicts at all; within the radio and keyloader you can have:

    sln: 0x40, algid 0x84, keyid 0x01, and keyvar: xxxx

    and

    sln: 0x41, algid 0x84, keyid 0x01, and keyvar: xxxx (same as sln 0x40)

    Also the algorithm id and key id are checked before decrypting, so that has to match what the transmitter is sending.

    Quote Originally Posted by wdatkinson View Post
    When I keyload, I get the normal high/low tone from the KVL, however, my APX7k emitted a single low tone and displayed KEY/ALG. But, going into my manual key selection, it appears to have loaded the keys. So I'm not quite sure what I have at this point. Unfortunately I'm out of range of the system I need to test with.
    Uh, I haven't encountered that before... I can't find reference to 'KEY/ALG' in the APX BSM/DSM/user manuals, or KVL manuals...

    Do you get a keyfail tone when you have that key active?

  15. #15
    Join Date
    Jul 08, 2013
    Location
    Florida
    Posts
    218
    Thanks
    87
    Thanked 318 Times in 107 Posts
    Country: United States

    Default

    Quote Originally Posted by duggerd View Post
    Uh, I haven't encountered that before... I can't find reference to 'KEY/ALG' in the APX BSM/DSM/user manuals, or KVL manuals...

    Do you get a keyfail tone when you have that key active?
    Disregard that, that message is when a duplicated SLN/KID is loaded.

  16. #16
    Join Date
    Apr 09, 2012
    Location
    Australia
    Posts
    853
    Thanks
    186
    Thanked 463 Times in 198 Posts
    Country: Australia

    Default

    Quote Originally Posted by duggerd View Post
    I can't find reference to 'KEY/ALG' in the APX BSM/DSM/user manuals, or KVL manuals...
    That error occurs if you try to load a duplicated KID/AlgID pair into a different SLN.

    The reason is that on Rx, the radio sees the KID and AlgID over the air and automatically picks the matching key. So what is it supposed to do if you have two keys that match that KID/AlgID pair? The radio doesn’t know which one is the intended key, so the solution to this problem was to enforce unique KID/AlgID pairs.

  17. #17
    Join Date
    Jul 08, 2013
    Location
    Florida
    Posts
    218
    Thanks
    87
    Thanked 318 Times in 107 Posts
    Country: United States

    Default

    Quote Originally Posted by MattSR View Post
    That error occurs if you try to load a duplicated KID/AlgID pair into a different SLN.

    The reason is that on Rx, the radio sees the KID and AlgID over the air and automatically picks the matching key. So what is it supposed to do if you have two keys that match that KID/AlgID pair? The radio doesn’t know which one is the intended key, so the solution to this problem was to enforce unique KID/AlgID pairs.
    You are absolutely correct. My mind and fingers were out of sync when I wrote this:

    Quote Originally Posted by duggerd View Post
    sln: 0x40, algid 0x84, keyid 0x01, and keyvar: xxxx

    and

    sln: 0x41, algid 0x84, keyid 0x01, and keyvar: xxxx (same as sln 0x40)
    I still had my mind on the original post with ADP and DES (different algorithm IDs).

    Also the error message is not 'KEY/ALG' but 'KeyID/AlgoID' (didn't recognize it at first).

  18. #18
    Join Date
    Aug 06, 2012
    Location
    Ontario, Canada
    Posts
    668
    Thanks
    117
    Thanked 193 Times in 98 Posts
    Country: Canada

    Default

    Harris works in a similar way as the EFJ. I can load an ARC4 key and a DES key with the same KID into my XG-75 and it works fine. Mother Moto has decided however not to let us do that... (at least in Astro/25 series radios).

  19. #19
    Join Date
    Apr 09, 2012
    Location
    Australia
    Posts
    853
    Thanks
    186
    Thanked 463 Times in 198 Posts
    Country: Australia

    Default

    Quote Originally Posted by Forts View Post
    Harris works in a similar way as the EFJ. I can load an ARC4 key and a DES key with the same KID into my XG-75 and it works fine. Mother Moto has decided however not to let us do that... (at least in Astro/25 series radios).
    That is strange - I can't understand why they have done that...

  20. #20
    Join Date
    Apr 09, 2012
    Location
    Australia
    Posts
    853
    Thanks
    186
    Thanked 463 Times in 198 Posts
    Country: Australia

    Default

    OK, so I just tested this out: Motorola will let you load a DES key and an ADP key with the same KeyID (or any other algos - as long as they are different).

    The radio does bonk "DUPLICATE LID" at you as a warning, but both keys will still be loaded and will work.

    It's just a warning, not an error as such.
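
The lookup rule discussed in posts #6, #16 and #20, as an added Python model that is not part of the original thread and not any vendor's firmware: keys are stored per SLN, receive-side selection uses only the (AlgID, KeyID) pair sent over the air, a repeated pair in a second SLN is rejected, and a repeated KeyID under a different algorithm loads with a warning. The names `KeyStore`, `KeySlot`, `load` and `select_rx` are hypothetical, and the key bytes are constructed all-zero placeholders.

```python
from dataclasses import dataclass

ALGID_ADP = 0xAA       # algorithm IDs as quoted in the thread
ALGID_DES_OFB = 0x81


class DuplicatePairError(ValueError):
    """Same (AlgID, KeyID) pair offered for a second SLN."""


@dataclass(frozen=True)
class KeySlot:
    sln: int      # storage slot, local to the radio, never sent over the air
    algid: int    # sent over the air
    keyid: int    # sent over the air
    key: bytes    # key variable (constructed placeholder in this example)


class KeyStore:
    def __init__(self):
        self._by_sln = {}    # sln -> KeySlot
        self._by_pair = {}   # (algid, keyid) -> sln, the receive-side index

    def load(self, slot):
        """Store a key; return warnings, raise on an ambiguous pair."""
        pair = (slot.algid, slot.keyid)
        owner = self._by_pair.get(pair)
        if owner is not None and owner != slot.sln:
            raise DuplicatePairError(
                f"AlgID 0x{slot.algid:02X}/KeyID 0x{slot.keyid:04X} "
                f"already in SLN 0x{owner:02X}")
        old = self._by_sln.get(slot.sln)
        if old is not None:                      # reloading an occupied slot
            del self._by_pair[(old.algid, old.keyid)]
        # Same KeyID under another algorithm is still unambiguous on receive.
        warnings = [f"KeyID 0x{slot.keyid:04X} also used with AlgID 0x{a:02X}"
                    for (a, k) in self._by_pair if k == slot.keyid]
        self._by_sln[slot.sln] = slot
        self._by_pair[pair] = slot.sln
        return warnings

    def select_rx(self, algid, keyid):
        """Pick the key for a received call from its over-the-air identifiers."""
        sln = self._by_pair.get((algid, keyid))
        return None if sln is None else self._by_sln[sln]


if __name__ == "__main__":
    store = KeyStore()
    store.load(KeySlot(0x40, ALGID_ADP, 0x0001, bytes(5)))
    print(store.load(KeySlot(0x41, ALGID_DES_OFB, 0x0001, bytes(8))))
    print(store.select_rx(ALGID_DES_OFB, 0x0001))
```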

  21. #21
    Join Date
    Sep 18, 2018
    Location
    Roanoke, Indiana
    Posts
    9
    Thanks
    3
    Thanked 2 Times in 2 Posts
    Country: United States

    Default

    wdatkinson,

    We ran into this a few months ago. On hardware encryption (DES). EFJ uses a different K.I.D. range. So if EFJ uses a KID of 1, Motorola radios would use KID 2?
    For some unknown reason ADP is not affected using the same KID?

    Give this a try?

  22. The Following User Says Thank You to WB9VLE For This Useful Post:

    wdatkinson (Apr 15, 2019)

  23. #22
    Join Date
    Feb 04, 2012
    Posts
    1,823
    Thanks
    142
    Thanked 535 Times in 252 Posts

    Default

    Might be in EFJ code someone may have made a math error. Happens a lot when converting from hex to decimal etc. Hex treats 00 as a number; decimal treats it as a placeholder. If the code writer didn't take that into consideration, the value could be out by 1.