Cryptography and Key Management

Etherstack provide a range of cryptographic solutions to support you with your secure communications needs

P25 Security Suite

The Etherstack P25 Security Suite unites our AES / DES P25 Encryption Engine with P25 Key Fill Device (KFD) support for complete P25 subscriber encryption. This provides well-defined interfaces for the encryption / decryption of P25 voice and data payload and OTAR messages. It supports the following FIPS 140-2 approved operational modes:

  • DES ECB
  • DES OFB
  • DES CBC
  • DES 1-bit CFB
  • AES-256 ECB
  • AES-256 OFB
  • AES-256 CBC

An optional P25 OTAR client that supports all mandatory and optional OTAR procedures (except for Public Key) is also available, allowing any subscriber using the suite to take full advantage of key updates over the all-IP core network or a third party infrastructure.

P25 Key Management Facility (KMF)

The Etherstack P25 Key Management Facility (KMF) integrates with the Etherstack all-IP Core Network as well as third-party soft-switched or traditional hard-switched network to support industry standard APCO P25 encryption.

The Key Management Facility provides AES and DES encryption keys to OTAR subscribers throughout the network including via portable, mobile, an Etherstack Console Engine, a gateway or a P25 Soft Radio – using the P25 OTAR standard.

The Etherstack P25 Security Suite accompanies the KMF software to provide it with encryption and key-fill services. The KMF is available either as a software solution that can be easily ported to an industrial Linux PC, or ready-deployed on an Etherstack FIPS 140-2 Cryptographic Module.

FIPS 140-2 Cryptographic Module

The Etherstack FIPS 140-2 Cryptographic Module is a single-board security device that implements APCO P25 encryption, decryption, key management and key storage services in conformance with FIPS140-2 standards. It can be used to provide FIPS 140-2 compliant encryption services to APCO P25 mobile, portable and base stations – or any other end point for voice or user data in a P25 network.

The module supports AES / DES P25 Encryption Engine plus P25 Key Fill Device (KFD) protocol support, P25 Over-The-Air-Rekeying (OTAR), New Link Layer Authentication (LLA) and P25 Key Management Facility (KMF).

The Etherstack Cryptographic module meets the Security Requirements for Cryptographic Modules standard from the National Institute of Standards and Technology (NIST). It has a dedicated 3-wire KFD interface, and includes a complete key storage and critical security material management function for TEK, KEK, UKEK, CKEK and KSK keys, with protection from unauthorized disclosure or modification.

P25 Security Dongle

The Etherstack P25 Security Suite is available on a FIPS 140-2 compliant USB dongle for fully portable, pluggable P25 AES / DES encryption. The Etherstack P25 USB Encryption Dongle includes full P25 OTAR compliant rekeying support and includes an IMBE Vocoder and audio input / output jacks to avoid routing unencrypted audio off the device.

The Etherstack P25 Soft Radio can also be deployed from mass storage on the device to allow portable secure communications from a laptop into a radio network.