Tait gear approved for use on GRN
Re: Tait gear approved for use on GRN
One last ps... and please don't take offence Matt!
I really get p*ssed off with IT geeks masquerading as radio communications experts. I see enough of them already & they totally miss the point of what radio communications is about- to communicate. If the system does this, and does this reliably & where the user needs it then it is doing its job. There are security experts suffering tunnel vision such that they only assess a network's performance by its security. Bollocks. That is just them trying to get on the gravy train... security IS important but it has to be commensurate to the risk. If all of the available funds are spent on enhancing security features such that issues such as coverage or capacity go unaddressed then the bad guys have won.
No offence Matt!
Cheers,
Richard
Re: Tait gear approved for use on GRN
Since this kerfuffle I've actually gone & done some more digging and now have the detail as to how authentication will work when implemented. There is an encrypted layer of security behind the ESN such that even if someone gets a radio (any brand), duplicates a valid ESN and network ID, the radio will still not get past the last layer of security. Depot tools will not help you...
vk2vkg wrote: Are you sure about that, have a look at some other boards and they say, all you need is a copy of Depot 7.0 which seems to be around the net.
ivahri wrote: Any form of security has limits. An ASK and authentication are intended to limit the ability of certain people to program stolen radios and use them to access the network. My agency's radios cannot be programmed, they can't even be read without an ASK & a password- which I know has not leaked.
Not saying or sharing any more information on this here as I am here to help the network and agencies become more secure, not to help those try to find a way around it... but this is going to happen (most likely) next year.
Cheers,
Richard
Re: Tait gear approved for use on GRN
It's easy. Get a copy of TIA.201.AACE and read it.
Telling people how it works won't help them get around it - the spec is designed properly and is watertight..
Re: Tait gear approved for use on GRN
Also worth noting - the spec has been around since 2005. The vendors just never bothered implementing it until now
Re: Tait gear approved for use on GRN
It's actually bloody simple how it works.
Every radio has a unique authentication encryption key. The infrastructure has an additional server called an AuC added to it. The AuC picks a random number, sends it to the radio, which then encrypts it with its secret authentication key. The result is sent back to the network, which then decrypts the number and compares it to what was sent originally. The algorithm used is AES-128 (good luck breaking that).
If the numbers match, the radio is authenticated. If it doesn't match, then it is not authenticated and can't affiliate.
It requires all agencies to have a keyloader, and every radio to be keyloaded with a unique authentication key. The keyloader syncs up to the AuC via VPN so that all the encryption keys are kept in sync.
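The exchange described in the post above, as an added Go example that is not part of the thread and is not taken from the standard: it models only the single-block AES-128 challenge and response as the post describes it, and shows why a radio presenting a valid ID without the matching key, or replaying an old response, is rejected. The `AuC` type, the unit ID `U1001` and both keys are constructed for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

type AuC struct{ keys, pending map[string][]byte } // unit ID -> AES-128 key / open challenge

// Challenge picks a fresh random 16-byte number for one authentication attempt.
func (a *AuC) Challenge(id string) []byte {
	a.pending[id] = make([]byte, aes.BlockSize)
	if _, err := rand.Read(a.pending[id]); err != nil {
		panic(fmt.Errorf("AuC has no randomness: %w", err))
	}
	return a.pending[id]
}

// Respond is the radio side: encrypt the challenge under the radio's own key.
func Respond(key, challenge []byte) []byte {
	out := make([]byte, aes.BlockSize)
	if blk, err := aes.NewCipher(key); err == nil && len(challenge) == aes.BlockSize {
		blk.Encrypt(out, challenge)
	}
	return out // stays all zeros if the key or challenge was unusable
}

// Verify consumes the challenge (so it cannot be reused), decrypts, and compares.
func (a *AuC) Verify(id string, resp []byte) bool {
	c, issued := a.pending[id]
	delete(a.pending, id)
	blk, err := aes.NewCipher(a.keys[id])
	if !issued || err != nil || len(resp) != aes.BlockSize {
		return false
	}
	got := make([]byte, aes.BlockSize)
	blk.Decrypt(got, resp)
	return subtle.ConstantTimeCompare(got, c) == 1
}

func main() {
	key := []byte("constructed-key1") // constructed 16-byte sample key and unit ID
	a := &AuC{keys: map[string][]byte{"U1001": key}, pending: map[string][]byte{}}
	old := Respond(key, a.Challenge("U1001"))
	fmt.Println("genuine radio:", a.Verify("U1001", old))
	fmt.Println("cloned ID, wrong key:", a.Verify("U1001", Respond([]byte("guessed-key-0000"), a.Challenge("U1001"))))
	a.Challenge("U1001")
	fmt.Println("replayed response:", a.Verify("U1001", old))
}
```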
Re: Tait gear approved for use on GRN
Matt,
I agree with everything you wrote right up to the last paragraph. That keyloader will be managed centrally, not by any agency. There is no reason for any agency to possess such a keyloader, or depot tool for that matter. The only changes any agency should be able to make is to the profile.
Cheers,
Richard
Re: Tait gear approved for use on GRN
Gotcha - and it's a good move too, the less keyloaders out there, the better (as NSW Police proved in spectacular fashion)
It makes sense because the radios only need to be loaded once when they are commissioned.
Re: Tait gear approved for use on GRN
Then it's an exercise in simple risk management. If the users are happy to accept the fact that unauthorised users can, without significant effort, gain access to the network, but are willing to accept this in light of the operational benefits that being on the network will bring, and believe the benefits will outweigh this risk, then there's no problem.
ivahri wrote: You really don't get it... the customers are happy. The network IS functioning as designed. You can carry on like a turkey here but all you will give yourself is an ulcer!