Zeroizing trunking authentication keys in APX subscribers

Covering the following Subscriber devices: APX1000/1500, APX3000, APX4000/4500, APX6000, APX6000XE, APX6500, APX7000, APX7000XE, APX7000L, APX7500, and APX8000.

motorola_otaku
Posts: 1854
Joined: Tue Jan 13, 2004 7:03 am

Zeroizing trunking authentication keys in APX subscribers

Post by motorola_otaku »

Anyone know of a way to do this? Reloading a blank default codeplug won't do it, and the erase key options (menu-driven or purple+orange buttons on a portable) only zeroize traffic keys.
resqguy911
Posts: 613
Joined: Sat Jun 26, 2004 3:35 pm

Re: Zeroizing trunking authentication keys in APX subscribers

Post by resqguy911 »

Use a KVL to zeroize, or uncheck both infinite UKEK retention and infinite key retention.
"TDMA = digital and same great taste, half the bits"
motorola_otaku
Posts: 1854
Joined: Tue Jan 13, 2004 7:03 am

Re: Zeroizing trunking authentication keys in APX subscribers

Post by motorola_otaku »

There is no zeroize option in Radio Authentication mode, and infinite key retention only applies to traffic keys.

I'm beginning to think it's not possible, at least not without depot-level trickery.
MattSR
Posts: 770
Joined: Mon Apr 21, 2003 10:00 pm

Re: Zeroizing trunking authentication keys in APX subscribers

Post by MattSR »

It's strange that the KVL4000 doesn't have a delete option when in Authentication mode, as the P25 specs definitely have "Delete Authentication Command/Response" KMMs defined. The KMM has two options - delete all authentication keys or just the active key. There are KMM message IDs defined for Load Auth Key Command, Load Auth Key Response, Delete Auth Key Command, Delete Auth Key Response.

When I get a chance I'll see if this KMM actually works on a real radio and get back to you. Either way it is an oversight in the KVL4000's design, and the functionality should definitely be there.

Ref - Section 3.9.2.27 of TIA 102.AACD-A
chartofmaryland
Batboard $upporter
Posts: 411
Joined: Sat Dec 28, 2002 11:25 pm
What radios do you own?: Alot

Re: Zeroizing trunking authentication keys in APX subscribers

Post by chartofmaryland »

Well there are 2 options

You can backdate the firmware to version 9 or 10, where after you turn power on and off to the radio about a dozen times the authentication key will be dropped automatically; it must have been a customer feature request.

Or you can overwrite with a useless key for the purpose of not having the key in the radio that was sent to the auth server.

Never heard a reason beyond wanting extra protection that would require zeroizing the auth key.

CoM
If the lights are out when you leave the station and then come on the second you key up, you know you have enough power.
motorola_otaku
Posts: 1854
Joined: Tue Jan 13, 2004 7:03 am

Re: Zeroizing trunking authentication keys in APX subscribers

Post by motorola_otaku »

chartofmaryland wrote: Never heard a reason beyond wanting extra protection that would require zeroizing the auth key.
In this particular instance it was to verify that the system was actually challenging subscribers for authentication after a 7.17 upgrade, but it could (will) become an issue when we start sending radios to surplus.
chartofmaryland
Batboard $upporter
Posts: 411
Joined: Sat Dec 28, 2002 11:25 pm
What radios do you own?: Alot

Re: Zeroizing trunking authentication keys in APX subscribers

Post by chartofmaryland »

Well if that is what you were after,

We scheduled a service window and went from limited to restricted with the auth server, which then only allowed auth’ed radios to continue operating.

The same process of using a dummy key to overwrite current keys was used to confirm radios on and off the system while authentication only was enforced.

CoM
If the lights are out when you leave the station and then come on the second you key up, you know you have enough power.
motorola_otaku
Posts: 1854
Joined: Tue Jan 13, 2004 7:03 am

Re: Zeroizing trunking authentication keys in APX subscribers

Post by motorola_otaku »

We operate in restricted/forced full-time. We specifically wanted to see the difference in behavior and notification between a radio that had a mismatched key and a radio that had no key at all (there is no system notification for a radio attempting affiliation with no key, which was elevated to the infrastructure group.)
chartofmaryland
Batboard $upporter
Posts: 411
Joined: Sat Dec 28, 2002 11:25 pm
What radios do you own?: Alot

Re: Zeroizing trunking authentication keys in APX subscribers

Post by chartofmaryland »

Afternoon Otaku,

Interesting, we experience SYS REG REFUSED when a new radio is programmed and attempting to affiliate while the system is restricted and no auth key is present but ID is turned on.

APX6000, APX8000 and APX7000 firmware 15.13 thru 16.23

Now on XTS and XTL models I believe the radio just sits idle without any display notification.

Will check that in the coming days

CoM
If the lights are out when you leave the station and then come on the second you key up, you know you have enough power.
motorola_otaku
Posts: 1854
Joined: Tue Jan 13, 2004 7:03 am

Re: Zeroizing trunking authentication keys in APX subscribers

Post by motorola_otaku »

Sorry, should've clarified... the radio will alert and display when authentication fails (if programmed to do so) but UEM will only generate a notification when a radio attempts authentication with a mismatched key, not with no key at all.