Results 1 to 24 of 24

Thread: Astro secure issues

  1. #1
    Join Date
    May 01, 2012
    Posts
    185
    Thanks
    14
    Thanked 15 Times in 12 Posts

    Default Astro secure issues

    I have spent most of the day trying to solve this issue. I have 3 Astro Soectra radios that have old style DES-XL modules. I can get the radios to work in analog DES or DES-XL , but I have tried every possible programming combination and the radios will not talk to one another in Astro mode secure I have tried clicking the DES-XL box and without, no change . I tried migrate from secure net and without that box not checked still no change, the radio just gives me a blinking RX light which means secure, but no usable audio, just the scrambled audio. Now I am wondering if the modules are too old to do Astro secure. Any ideas?


  2. #2
    Join Date
    May 16, 2012
    Location
    terra australis incognita
    Posts
    474
    Thanks
    0
    Thanked 5 Times in 4 Posts

    Default

    That's probably because you need DES-OFB for digital, DES-XL will not work on P25.

    Block ciphers such as DES require a whole block of uncorrupted data for any part of the block to be decrypted, because of all the error correction going on within P25 data it is not possible to use a pure block cipher.

    DES and AES (which are both block ciphers) can however be used on P25 if they are run in Output FeedBack mode (OFB), which generates a keystream, which can then be used to XOR the data stream in the same way a stream cipher (such as ADP) would.

    Basically, you're up for a UCM upgrade (or three) if you want to run P25 encrypted.
    Andrew

  3. #3
    Join Date
    Apr 29, 2012
    Posts
    65
    Thanks
    1
    Thanked 9 Times in 4 Posts

    Default

    * You don't need a UCM to use P25 encryption on an Astro radio, any Astro compatible crypto module can be used.
    * You can use the -XL encryption on P25. Its algo 0x9F.
    * I'm not sure what your going on about in regards to AES and DES and block sizes, IIRC they are 256 and 64 bits respectively. The point of OFB is so that the encrypted data is not encrypted with the same key for each block, but with a derived key. This is to prevent pattern analysis of the data.
    * DES-XL does not need OFB mode because it works on a counter system, Motorola anticipated its use in P25, so its fully supported by Motorola's implementation and some other implementations.
    * You are correct that OFB is better for P25 than say CFB or CBC modes. (For those wondering what the hell OFB, CBC and CFB are, see: http://en.wikipedia.org/wiki/Block_c...s_of_operation )


    Edit:
    As for the original issue, it might be a key ID issue. I dont have any codeplugs to look at to say how to fix this.

  4. #4
    Join Date
    Apr 09, 2012
    Location
    Australia
    Posts
    944
    Thanks
    297
    Thanked 694 Times in 258 Posts
    Country: Australia

    Default

    Yeah it will - DES-XL has P25 AlgID 0x9F.


    Quote Originally Posted by Bigfella237 View Post
    DES-XL will not work on P25.

  5. #5
    Join Date
    Apr 09, 2012
    Location
    Australia
    Posts
    944
    Thanks
    297
    Thanked 694 Times in 258 Posts
    Country: Australia

    Default

    Not quite. The purpose of OFB is that bit errors aren't propagated throughout the keystream. Its used in systems where there is the possibility of errors creeping in (such as an RF channel where theres potential for noise)

    Quote Originally Posted by kayfox View Post
    The point of OFB is so that the encrypted data is not encrypted with the same key for each block, but with a derived key. This is to prevent pattern analysis of the data.
    What you're actually thinking of is the MI (Initialisation vector) - thats what prevents pattern analysis and TMTO attacks.

  6. #6
    Join Date
    Apr 29, 2012
    Posts
    65
    Thanks
    1
    Thanked 9 Times in 4 Posts

    Default

    Quote Originally Posted by MattSR View Post
    Not quite. The purpose of OFB is that bit errors aren't propagated throughout the keystream. Its used in systems where there is the possibility of errors creeping in (such as an RF channel where theres potential for noise)
    Yeah, I was just going off what I could remember at the time and probably should have read the thing I linked and then rewrote it. Gimme some credit, its the weekend.

    Quote Originally Posted by MattSR View Post
    What you're actually thinking of is the MI (Initialisation vector) - thats what prevents pattern analysis and TMTO attacks.
    I was trying to differentiate it from ECB mode, which is not really all too secure: http://upload.wikimedia.org/wikipedi...f0/Tux_ecb.jpg

    At any rate, Im at the unfortunate disadvantage of not having really studied all the terms used in cryptography, which Im attempting to rectify.

    As for the issue at hand:

    From that I see this is how it should be setup:
    Needs feature "Hardware Multikey"
    Secure Configuration -> General -> "XL Encryption" checked.
    Secure Hardware Multikey list needs to have all the entries in it.

    Your Conventional Personality needs "DES-XL Tx Default" checked, Im also assuming you have Secure Voice/Signal Type set to ASTRO.
    Secure II is where you set the key, remember the correlation you saw in the key list where key "1" is key 0 when loading it into slots, etc, IE: key 16 is F.
    Key strapping can be Select or Strapped, the difference here (based on my experience with the XTS5000) is strapped restricts changing the key from the key menu on the radio.

    Thats all I can see right away, I remember it being a little picky at the time.

  7. #7
    Join Date
    Dec 21, 2011
    Posts
    4,893
    Thanks
    4,951
    Thanked 8,393 Times in 2,317 Posts
    Country: Canada

    Default

    Quote Originally Posted by Bigfella237 View Post
    That's probably because you need DES-OFB for digital, DES-XL will not work on P25.
    Not to keep beating on you; you've been told LOL

    But I think your confusion on this one comes from the association of SecureNet CVSD (oldschool) and the DES-XL algorithm. The contention comes from the fact DES-OFB and AES-256 (OFB) are not compatible with the CVSD scheme. Sometimes, people think "DES-XL" means "SecureNet", which is not accurate.

    The following SecureNet CVSD algorithms will also work with P25:

    DES-XL
    DVP-XL
    DVI-XL
    DVI-SPFL (listed in ASTRO host firmware, but I've never seen a KVL with this algorithm. What Algo ID?)

    UCMs are only required for newer algorithms (AES-256, ADP) and CKR/ASTRO25 keyloading mode.

  8. #8
    Join Date
    Apr 09, 2012
    Location
    Australia
    Posts
    944
    Thanks
    297
    Thanked 694 Times in 258 Posts
    Country: Australia

    Default

    For those who are interested in old school digital encryption (think 1970's), this is a pearler of a description of CVSD --> http://www.datasheetcatalog.org/data...ML/mXxyzvw.pdf

  9. #9
    Join Date
    May 16, 2012
    Location
    terra australis incognita
    Posts
    474
    Thanks
    0
    Thanked 5 Times in 4 Posts

    Default

    Apologies for assuming that ASTRO radios used UCMs like the newer radios, I don't have anything that old myself.

    Quote Originally Posted by kayfox View Post
    * I'm not sure what your going on about in regards to AES and DES and block sizes, IIRC they are 256 and 64 bits respectively. ~
    I'm not sure what you're going on about in regard to block "sizes"? Who mentioned block sizes?

    It's taken me some time to find the document my information came from again, but looking at this PDF titled:

    Department of Computer & Information Science
    Technical Reports (CIS)
    University of Pennsylvania
    Year 2010
    Security Weaknesses in the APCOProject 25 Two-Way Radio System
    Sandy Clark
    Perry Metzger
    Zachary Wasserman
    Kevin Xu
    Matthew A. Blaze


    Specifically, see the last three paragraphs of page 6 to reference what I posted. The authors of this document I would have thought are about as expert in this field as you could ask for so I hope you can understand why I took them at their word! Apologies if I have interpreted this information incorrectly?
    Last edited by Bigfella237; Feb 18, 2013 at 12:48 PM.
    Andrew

  10. #10
    Join Date
    Apr 09, 2012
    Location
    Australia
    Posts
    944
    Thanks
    297
    Thanked 694 Times in 258 Posts
    Country: Australia

    Default

    Yep, what they said in those three paragraphs is exactly what I was saying here:-

    The purpose of OFB is that bit errors aren't propagated throughout the keystream. Its used in systems where there is the possibility of errors creeping in (such as an RF channel where theres potential for noise)
    I dont want to get into too much detail here because it will bore people, but the trick with OFB is that it doesn't encrypt the voice data directly. It encrypts an IV (MI) which is a random number that is transmitted in the clear in every HDU and LDU2 frame. This value is protected from errors by the encoding and interleaving in the frame. So, by ensuring that the MI/IV has enough FEC (Forward Error Correction) applied, then you can ensure that the keystream is valid. So the issue with having perfect data is negated. As long as the IV gets through without damage, then you can be assured that the encryption algorithm will do its job.

    Block ciphers usually operate on the data itself, but in this case, the IV is encrypted, and then that creates a keystream that is the XORed with the voice data. Error correction is a side issue.

    A block cipher operating in OFB mode is essentially a stream cipher. You keep encrypting the output with the same key and you end up with a stream of pseudorandom data.

    Quote Originally Posted by Bigfella237 View Post
    The authors of this document I would have thought are about as expert in this field as you could ask for
    Kinda. The detailed cryptanalysis of P25 was done in OP25 before the UPenn guys had published their findings. In fact, they openly admitted that they didn't bother to look at the inner workings of the crypto algorithm in their DEFCON talk last year, and my understanding is that was because this area of research was already covered by the OP25 project. These guys are academics looking for original areas or research to publish papers on.



    Last edited by MattSR; Feb 18, 2013 at 12:52 PM.

  11. #11
    Join Date
    May 01, 2012
    Posts
    185
    Thanks
    14
    Thanked 15 Times in 12 Posts

    Default

    Thanks you for all the background, it's all very interesting. I havn't delved this deeply into Securenet since my days at Mother M many years ago. I am going to post the model number of the DES-XL module and a code plug from an Astro Saber. I thought I had tried all possible combinations, but will accept any help offered. Fortunately I don't have to narrow band my equipment (T Band channel) so I can continue to use the multikey DES repeater I have . Eventually though I would like to have P-25 in my radios for a future upgrade.

  12. #12
    Join Date
    Feb 18, 2013
    Location
    CLASSIFIED
    Posts
    39
    Thanks
    20
    Thanked 2 Times in 2 Posts
    Country: United States

    Default

    The older NTN1153D modules will work quite well with ASTRO P25. You have to set the mode/personality for ASTRO TX and ASTRO RX or Mixed Mode RX. In fact, if you have a Mixed Mode RX setting, Secure transmit defaults to ASTRO TX. Both radios need to be XL enabled or have Non-XL TX to work properly, I believe. (They can be either so long as they match) There were older EMCs that had problems, I think, trying to talk ASTRO. Or they didn't like certain HOST F/W revisions. But the 1153Ds in my AS IIIs play just fine with late R7 HOST. EMC rev is R01.00 in both. Make sure the encryption settings match for each radio. Securenet does NOT synchronize keys over the air by Key ID where ASTRO will. Make sure the same key (if these are multikey radios) is selected.

    I'll have to read one of my AS IIIs & examine the settings.

  13. #13
    Alpha's Avatar
    Alpha is offline T S - Moderator
    CS Forums $upporter
    Join Date
    Feb 12, 2012
    Location
    Directly above the center of the earth.
    Posts
    2,780
    Thanks
    1,235
    Thanked 1,531 Times in 738 Posts
    Country: Christmas Island

    Default

    Quote Originally Posted by grandnational View Post
    But the 1153Ds in my AS IIIs play just fine with late R7 HOST. EMC rev is R01.00 in both. Make sure the encryption settings match for each radio. Securenet does NOT synchronize keys over the air by Key ID where ASTRO will. Make sure the same key (if these are multikey radios) is selected.
    A minor correction - the Key ID auto-switch does work on SecureNet as well as ASTRO, it's accomplished via MDC. You have to enable it the same way you have to in the ASTRO config screens. Enabling TX Key ID allows the transmitting radio to send LID's (the key ID number, entered in the KVL when the key is created), and enabling RX Key ID allows the receiving unit to auto-switch to one with a matching LID. The only notable exception is if the LID is 0000, the the RX won't auto-switch, there was a thread here discussing this recently.

    The bit about using Rev 1.0 EMC's instead of later rev UCM's (Rev 2 and higher) is true, they will work fine IF you turn off CKR and the "Migrate from SecureNet" features, otherwise the radio will come up with an "OLD EMC" error message and secure will not function. The "CKR" box may be greyed out in the CPS, you have to turn OFF "ASTRO OTAR" in order to un-grey (enable) the check-box and allowing you to then turn off CKR.

    Finally, the receiving radio will auto-switch to -XL or not automatically, but that is only selectable with SecureNet, and you can only select that on the transmitting radio, there is no selection for the receiver to use one or the other, as I said it auto-switches.

  14. #14
    Join Date
    Jun 08, 2012
    Location
    Old Continent
    Posts
    145
    Thanks
    315
    Thanked 31 Times in 16 Posts
    Country: Switzerland

    Default

    A bit off-topic: I wonder if its possible to upgrade older Astro Saber ECM's to the last version?
    Got some very old modules that won't work with newer host /firmware versions.
    Thanks!

  15. #15
    Join Date
    Dec 21, 2011
    Posts
    4,893
    Thanks
    4,951
    Thanked 8,393 Times in 2,317 Posts
    Country: Canada

    Default

    Quote Originally Posted by SwissMoto View Post
    A bit off-topic: I wonder if its possible to upgrade older Astro Saber ECM's to the last version?
    Got some very old modules that won't work with newer host /firmware versions.
    Thanks!
    The R01.xx and R02.xx series modules are not upgradable. Only R03.xx ones are, and I believe those are done through the KVL3000 Plus with appropriate PCMCIA upgrade card. I have never seen the card, however.

    Personally, I have reworked R03.xx UCMs by manually manipulating the flash ROM with newer firmware and algorithms. Motorola does not sell/support them any longer, so they're fair game.

  16. #16
    Join Date
    Jun 08, 2012
    Location
    Old Continent
    Posts
    145
    Thanks
    315
    Thanked 31 Times in 16 Posts
    Country: Switzerland

    Default

    Thanks for this info, Mars! My Astro Saber ECM's unfortunately are R01.00.
    In case you would be willing to part with a couple of these newer UCM's please let me know
    Looking for DES-XL / DES-OFB / AES 256.

  17. #17
    Join Date
    Dec 21, 2011
    Posts
    4,893
    Thanks
    4,951
    Thanked 8,393 Times in 2,317 Posts
    Country: Canada

    Default

    Quote Originally Posted by SwissMoto View Post
    Thanks for this info, Mars! My Astro Saber ECM's unfortunately are R01.00.
    In case you would be willing to part with a couple of these newer UCM's please let me know
    Looking for DES-XL / DES-OFB / AES 256.
    I will check inventory and let you know over the weekend.

  18. #18
    Alpha's Avatar
    Alpha is offline T S - Moderator
    CS Forums $upporter
    Join Date
    Feb 12, 2012
    Location
    Directly above the center of the earth.
    Posts
    2,780
    Thanks
    1,235
    Thanked 1,531 Times in 738 Posts
    Country: Christmas Island

    Default

    Quote Originally Posted by SwissMoto View Post
    Thanks for this info, Mars! My Astro Saber ECM's unfortunately are R01.00.
    In case you would be willing to part with a couple of these newer UCM's please let me know
    Looking for DES-XL / DES-OFB / AES 256.
    Just to re-iterate, those old EMC's work fine with the later firmware, but you have to turn off CKR to use them or the radio will say "OLD EMC" on power-up. In order to turn off CKR you have to turn off ASTRO OTAR first. Then you can use the old 1.00 EMC's with the latest firmware.

  19. #19
    standardmissile No Longer Registered

    Default

    Be wary of the DES-XL modules for anything other than SecureNet CVSD. In my experience, intertwining them with others users on APCO-25 who do not have that algo option can be a royal pain in the kiester. I have always been blessed with the fact that we have DES-XL mandatory in equipment that still supports DES at all, even if OFB is what is used.

    That said, I do experience a sense of nostalgia for how CVSD sounds like the old Nam/1980s era NESTOR/VINSON COMSEC gear. So much that I am working to get the local FCC enforcement office to issue an official statement allowing SecureNet on Ham freqs, similar to DMR/TRBO/APCO so that some local entities might have a reasonable deterrent against having to listen to kids with pirate gear screw with us every night.

  20. #20
    Join Date
    Jan 05, 2013
    Location
    Planet Vulcan
    Posts
    189
    Thanks
    133
    Thanked 102 Times in 49 Posts

    Default

    Quote Originally Posted by standardmissile View Post
    Be wary of the DES-XL modules for anything other than SecureNet CVSD. In my experience, intertwining them with others users on APCO-25 who do not have that algo option can be a royal pain in the kiester. I have always been blessed with the fact that we have DES-XL mandatory in equipment that still supports DES at all, even if OFB is what is used.
    It is also a major pain on a mixed-mode 3600 system. Had an issue with a self maintained user who re-programmed all of his secure radios and clicked the XL check box thinking it would be "better". Well I loaded his key into the DIU, strapped the key to the correct slot in the tg record and then spent hours trying to find out why the audio would not pass through the DIU to the Gold Elite consoles, not knowing that he checked the XL box initally. My radio with OFB worked correctly but none of his did. He felt about 3 inches tall when I told him that he needed to reprogram all of his subs and the reason why. Well he took the easy route and told the narc officers that if they needed to talk to dispatch they needed to go to a clear channel.

  21. #21
    standardmissile No Longer Registered

    Default

    Ohhh man...... How quickly was his butt marched into the line of fire w/o backup? I'd bet my next paycheck that if he had to call in an 11-99 after that kind of dips**t remark, other than for a cop killer like Dorner, that not to many would want to help him out from either Vice or Narco.

    I almost forgot how much of a pain in the arse that XL check box was. I remember having ticked that thing accidentally and having one radio just refuse to talk to anyone else. I was tearing out my hair (or trying since its too short to grab onto) for a month trying to figure out why that one ASaber would not talk to any of the other units properly when switched to tactical. However that was many moons ago, and luckily I don't have to deal with SecureNet anymore other than for my own amusement.

  22. #22
    standardmissile No Longer Registered

    Default

    Also some eye candy for you guys regarding the Astro Saber, and that Toy of Toys, that Batlabs bragged about knowing of, NSN and all...


    WebFLIS - Public Search-AstroSaberVHF.pdf

    WebFLIS - Public Search-AstroSaberVHF-headset.pdf

  23. #23
    Alpha's Avatar
    Alpha is offline T S - Moderator
    CS Forums $upporter
    Join Date
    Feb 12, 2012
    Location
    Directly above the center of the earth.
    Posts
    2,780
    Thanks
    1,235
    Thanked 1,531 Times in 738 Posts
    Country: Christmas Island

    Default

    My head nearly exploded from all the acronyms! For all us civilians out there, what does all that gibberish mean? I'm sure it's a real thigh-slapper if you can grok all the mil-speak in it...

  24. #24
    standardmissile No Longer Registered

    Default

    To transcribe and then translate the Defense Logistics Agency's jargan/acronyms into the "Civillian" English dialect. The First one describes the Astro Saber "National Stock Number" or NSN. This is the successor to the "Federal Stock Number" that was used during the Cold War to the late 1980s to early 1990s, that allows all items to be accounted for in the DoD, by Manufacturer, country of origin, contract number, Item type, branch being used by, and specific details of how it is being used.

    The first page describes Motorola's contract to issue Astro Saber II VHF portables to the DoD from 1992-1995. It also states that the items are no longer in "active" inventory meaning that they are mothballed or removed to be properly disposed of. Another indicator states that they are to be 'De-milled" likeley due to the FACCINATOR/PADSTONE algos that were used by the USMC EDACS combat net, deployed in support of the former MARSOG (Marine Special Operations Group). We have all heard the rumors, and since it's mostly obsolete due to the 01-01-2013 LMR FCC mandate and the migration to AES/Blowfish/Serpet baesed ciphers, I can elaborate a bit more than even just a few years ago. Other descriptors on the page are for precious metals, contractor info, price tags, and other DLA garbage to probably just F**K with any GAO accountant whom might have to audit the contract at any given point in time.

    The second page gives a lot more details, some of which are meaninless. However this page actually links the headsets that attach to the early 2000s Modular Integrated Communications Helmet, the successor to the 1980s M88 PASGT, and predecessor to the current ACH (Army Combat Helmet) to the Astro Sabers/legacy Sabers. Those MICH helmets were initially fielded by Tier 1 and 2 US Army SPECOPS units (DELTA, Green Berets, Rangers, 150th SOAR, CRBN shock units, DIA TDYers), as well as other premier Special Forces/Black Ops units of other branches (MARSOG, DEVGRU, RED HORSE, AFSS, BLUE LIGHT, Ect.), before being handed down to regular units in 2005, whom finally transitioned to the ACH/LWH in 2007/8. That data shows that the headsets were procured for the USMC in 2002 by the DLA, and are in "active" inventory. Meaning that they are still on the books and being used on a regular/semi-regular basis, my guess is as instructional aids or for the legendary OPFOR at the NTC/RED FLAG Exercises.

    I hope that this can lend to some credibility on my part, and may help remove the red tag beside my forum handle. If you have any other questions please ask, as I hate seeing some of the BS that people spew on these wonderful little gems of the past.