DART - LMR Key Management 101
- Patriotic Rat

- Jun 17
Before jumping into LMR Key Management, we have to go over some acronyms and terminology. Familiarizing yourself with the following list will greatly aid your understanding of how LMR Key Management works.
KVL - A Key Variable Loader (KVL) is used to generate, store and load/transfer keys. More about KVLs will be discussed in DART - LMR Key Management 201.
KMF - A Key Management Facility (KMF) is a server that manages keys for agencies and/or groups by generating and storing keys and by updating devices, either by transferring keys to a KVL or through OTAR. More about KMFs will be discussed in DART - LMR Key Management 301.
OTAR - Over the Air Rekeying (OTAR) is used to update devices remotely "Over the Air."
OTEK - Over the Ethernet Keying (OTEK) is used to update devices remotely "Over the Ethernet."
CKR - A Common Key Reference (CKR) is a known reference ID for a radio net or talkgroup that stores a shared Keyset, a pair of Keys used for encrypting and decrypting traffic. (This is not the same as a KID.)
Keyset - A Keyset contains a pair of Keys (Active Key and Inactive Key).
Key - An encryption key.
KID - The Key Identification (KID) is a 4-digit number that is assigned to the key for identification.
CKEK - A Common Key Encryption Key (CKEK) is a special key assigned to a group of radios to encrypt the traffic between the KMF and the radios, securing the transfer of keys for OTAR and OTEK operations. This is a common key shared across multiple devices, typically used in Conventional systems.
UKEK - A Unique Key Encryption Key (UKEK) is a special key assigned to a single device to encrypt the traffic between the KMF and the device, securing the transfer of keys for OTAR and OTEK operations. This is a unique key that should only be paired to a single device, typically used in Trunking systems.
KLK - A Key Loss Key (KLK) is an optional redundant key for encrypting the transfer of keys for OTAR and OTEK operations. If enabled, it is automatically generated by a KMF after a successful update to a device.
Store and Forward - The proper process to provision radios in a KMF. The device profile is assigned to a KVL, and the keys assigned to the device are stored temporarily in the KVL until the KVL loads the keys to the desired device. The KVL then stores the transaction until it is once again connected to the KMF and the profile is updated as provisioned. This process can be bypassed by "Marking" the device as "Provisioned" in the KMF and performing an OTAR or OTEK update to the device, as long as the device contains the CKEK or UKEK.
Update Keys - A process to update the device's CKRs with updated Keys in the Keysets from a KMF.
Perform Keyset Changeover - A process to change the Keysets in the CKRs from Active to Inactive and vice versa.
Infinite Key Retention - A setting in radios to infinitely retain traffic encryption key data after removing the radio from its power source.
Infinite UKEK Retention - A setting in radios to infinitely retain the UKEK data after removing the radio from its power source. All traffic keys will be lost when power is removed. (My preferred setting, as the UKEK can be automatically generated and easily changed per device, versus changing traffic keys for all devices.)







