COPYRIGHT 1995 (Not to be published without permission of the author).
Electronic distribution (non-profit) of this work is permitted as long as the work remains
unaltered. Seeded data present. Any copy of this work can be proven to be the work of the
author.
All proprietary and trademarked terms used below are the property of their respective owners, with
due credit given to the holder of the trademarked term.
Encryption of the human voice is a complex and intricate procedure that is accomplished
by one of two methods: analog or digital. The human voice, for the most part, occupies the
frequency range from about 100 Hz to 3 kHz, forming complex analog waveforms and patterns.
Analog speech encryption can be as simple as speech inversion, where the human voice is
"inverted", resulting in the radio traffic sounding like a popular Disney character, or quite complex,
with the voice split at about 1500 kHz, inverted at both ends, with the center carrier swept randomly
up and down several kHz from the center transmit frequency. Digital voice encryption requires that
the analog signal be sampled, digitized and encrypted, transmitted, and decrypted in real-time.
Since complex analog encryption is rather rare, our focus will be on digital encryption products
manufactured by Motorola, Inc.
Analog Encryption Types and Products
Since speech inversion is easily defeated (the Ramsey Electronics SS-70), most law
enforcement agencies have ceased using this encryption technique. I know of no federal agency
that has ever used analog encryption devices. These simple, low-cost devices are more suited to
the local police department, since all but the most serious scanner owner will not be able to
understand the radio traffic. One of the largest manufacturers of analog encryption devices, Midian
Electronics, offers a complete line of products from the simplest and smallest speech inversion
scrambler to a highly sophisticated "rolling-code" encryption device. Contact Midian Electronics at
1-800-MIDIANS for further information on their line of analog voice encryption products.
Motorola(TM) Encryption Protocols and Products
Although some analog Motorola encryption devices are still in use, including
simple speech inversion products, the majority of devices currently in use are of the digital variety.
All Motorola voice privacy protocols are referred to simply as "SECURENET", which is a general
term that Motorola uses to identify its digital encryption products. There are three different basic
encryption protocols, two of which have two distinct variations, for a total of five unique (and
non-compatible) encryption protocols. Each of the five protocols uses a field-inserted "key", which is
what makes the communications secure. The author is not a cryptographer, but it is simple
enough to understand that without the proper encryption "key" loaded into your radio, all that you
will hear is white noise, or static, when encrypted traffic is being passed between radios.
The Original Proprietary Encryption Algorithm, DVP
DVP, a term that Motorola coined for use with their initial entry into the digital voice
encryption product field, is a proprietary Motorola protocol that uses a self-synchronizing encryption
method known as cipher feedback. Depending on who you ask at Motorola, DVP actually has two different
meanings. DVP stands for Digital Voice Privacy or Digital Voice Protection: same encryption
protocol, different terminology. The basic DVP protocol is capable of 2.36 x 10^21 different "keys"
to ensure protection for your voice conversations.
Data Encryption Standard
In the middle 1970's, the federal government finally decided that they needed to
standardize all federal agencies on a common encryption protocol to protect sensitive, but
unclassified data. Several different schemes were submitted, but the one approved by the National
Bureau of Standards was a protocol that became the Data Encryption Standard, or DES. Broaden
your mind for just a minute and forget about radio traffic. There are several other forms of
communication and data that must be protected from prying eyes (and ears). IRS records, Federal
Banking data, etc. is not "classified" in the military sense, but does require protection nonetheless.
This Data Encryption Standard, once standardized, would allow all federal agencies to use the
same encryption protocol, allowing them to intercommunicate when and if the need should arise.
DES is capable of using 7.2 x 10^16 different key combinations and uses a self-synchronizing
method of encryption known as cipher feedback. Just remember, DES is not authorized to encrypt
communications or data that is classified in the interest of national security, but we'll get to that in
just a minute.
So, we just learned the two basic types of Motorola encryption, DES and DVP. In a
nutshell, DVP was designed to be used by anyone who needed protection from unauthorized
eavesdropping, including local government and businesses. DES, on the other hand, was
designed to be used only by the federal government. Availability of DES products was supposed to
have been severely restricted to federal government agencies and military personnel only, but a trip
to any large hamfest will always yield at least one person selling SECURENET products and
radios.
Variations of the Originals
After DVP and DES products gained acceptance and their use became widespread, a
glaring flaw became obvious. When using their radios in the encrypted mode, agents noticed that
their radios did not seem to transmit as far as they did when in the clear mode. In a flurry of
commotion and denial, Motorola quickly went back to the drawing board and found out that sure
enough, use of the original DVP and DES protocols did limit the range of the radio, sometimes as
much as 30%. In response to these complaints, two new variations of the original protocols were
introduced, each with the added acronym "XL", leaving us with four distinctly different encryption
protocols: DVP, DVP-XL, DES and DES-XL. The "XL" variations eliminate the range loss problem
and in the case of DVP-XL, the number of available "keys" is increased to 7.9 x 10^28. DVP-XL and
DES-XL both use a different type of encryption known as counter addressing. Just remember that
all radios must use the exact same type of encryption to inter-communicate in the secure mode
(DVP-DVP, DES-XL-DES-XL, etc).
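The two mode families named above, self-synchronizing cipher feedback and counter addressing, react differently to a corrupted channel bit and to a receiver that joins late. The following is an added example, not from the article or from Motorola: it uses a SHA-256-based toy keystream function, an assumed 64-bit shift register and constructed data in place of DES or DVP, and shows only the general behaviour of the two modes.

```python
import hashlib
import random

REG_BITS = 64                 # shift-register length (assumed for this sketch)
MASK = (1 << REG_BITS) - 1

def ks_bit(key: bytes, state: int) -> int:
    """One keystream bit from a keyed hash: a toy stand-in, not DES or DVP."""
    return hashlib.sha256(key + state.to_bytes(8, "big")).digest()[0] & 1

def cfb_encrypt(key, bits, reg=0):
    """1-bit cipher feedback: the register is fed with ciphertext bits."""
    out = []
    for p in bits:
        c = p ^ ks_bit(key, reg)
        out.append(c)
        reg = ((reg << 1) | c) & MASK
    return out

def cfb_decrypt(key, bits, reg=0):
    out = []
    for c in bits:
        out.append(c ^ ks_bit(key, reg))
        reg = ((reg << 1) | c) & MASK   # received bits drive the register
    return out

def ctr_crypt(key, bits, start=0):
    """Counter mode: keystream depends only on bit position (same op both ways)."""
    return [b ^ ks_bit(key, start + i) for i, b in enumerate(bits)]

def bad_bits(sent, got):
    return [i for i, (a, b) in enumerate(zip(sent, got)) if a != b]

def demo(flip=100):
    rng = random.Random(1995)
    key = b"constructed-demo-key"
    voice = [rng.getrandbits(1) for _ in range(400)]   # constructed "vocoder" bits
    cfb_ct = cfb_encrypt(key, voice)
    ctr_ct = ctr_crypt(key, voice)
    # Receiver joining with the wrong register contents (late entry).
    late = bad_bits(voice, cfb_decrypt(key, cfb_ct, reg=0xDEADBEEF))
    cfb_ct[flip] ^= 1                                  # one channel bit error
    ctr_ct[flip] ^= 1
    cfb_err = bad_bits(voice, cfb_decrypt(key, cfb_ct))
    ctr_err = bad_bits(voice, ctr_crypt(key, ctr_ct))
    return cfb_err, ctr_err, late

if __name__ == "__main__":
    cfb_err, ctr_err, late = demo()
    print("CFB errors:", len(cfb_err), "spanning", cfb_err[0], "to", cfb_err[-1])
    print("CTR errors:", ctr_err)
    print("late-entry errors end at bit", late[-1])
```

In cipher feedback the single flipped bit corrupts output until it has shifted out of the register, while a late receiver recovers on its own after one register length; in counter mode the error stays one bit wide, but the receiver must know the counter position.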
Digital Voice International
The fifth unique encryption protocol is known as DVI-XL, or Digital Voice International.
Since DES products require a munitions license to export from the U.S., DVI-XL allows other
countries to enjoy the same type of encryption as DES-XL, but with a reduced number of available
keys. DVI-XL is not common in the U.S., although it is quite common in countries such as England.
Key Variable Loader
If you've been reading the above thoroughly, you may be asking yourself "Well, how do you
get the "keys" into the radio?". Good question, so let's talk about it. The device used to load these
encryption "keys" into a radio is known as a "Keyloader", or in Motorola-speak, a "KVL", or Key
Variable Loader. This is a hand-held device that looks similar to a radio, but allows the operator
to insert the "keys" into the encryption devices of the individual radios. The KVL connects to the
interface port of the radio with a special cable. The individual actually
enters numbers (and letters, depending on the protocol) into the KVL to produce the "key" to your
radio traffic. The KVL transcribes your input of approximately 20 characters into the "key" that is
loaded into the radios. KVLs are capable of storing about 16 "keys" in non-volatile memory,
allowing radios to be loaded when desired. Since access to the KVL constitutes access to the
entire system, these devices are usually closely guarded at the radio shop. There are five different
KVLs, one each for DVP, DVP-XL, DES and DES-XL and a separate KVL for DVI-XL. Newer
loaders are made to support both DVP and DVP-XL and another to support DES and DES-XL
(Two protocols with one loader). It is rumored that there is a "super KVL" that will load any of the
four domestic encryption protocols, but the author has never seen one, and it is not listed in any
Motorola literature.
Enhanced Encryption Products
More recently, there have been solutions to nagging problems in some of the larger cities.
For example, let's say that you have to manage the entire Drug Enforcement Agency radio system
in the south Florida area, which is probably quite a large fleet of radios. You basically have two
choices, either you have one person whose only task is to keyload radios all day, or you issue each
office a KVL and allow them to do it themselves. As we spoke about earlier, if you increase the
number of KVLs, you increase the possibility that one will be lost or stolen, not to mention the fact
that KVLs are outrageously expensive ($3000+ each) to purchase. Enter OTAR, or Over-The-Air-
Rekeying. Quite simply, you have one dedicated computer, called a Key Management Controller,
or KMC, which centrally manages all of the encryption "keys". OTAR is available for any one of the
five available encryption methods as an add-on component. OTAR allows radios to have new
encryption keys loaded into them over the air, just as the name suggests. Encryption keys can also
be erased over the air in a process called "Key Zeroization". If a radio is lost or stolen, all of the
radios in the system except the lost or stolen one can be instantly re-keyed over the air. Also, let's
say that you are about to raid a clandestine drug laboratory and you accidentally remove your radio's
battery, thereby erasing the encryption key. No problem, the KMC can immediately download the
encryption key back into your radio before you bash down the front door! The KMC can also
download the available system keys into KVLs by phone lines so that encryption keys may be kept
locally should the radios be out of the range of the KMC when new keys are sent out. The other
part of Advanced SECURENET is "Multikey", which is the ability to store multiple encryption keys in
one radio. Most radios can only hold one encryption key at any one time. If you have two separate
groups who don't intercommunicate, multikey allows supervisors to have both encryption keys in
their radios and converse with both groups, but individuals in the separate groups cannot monitor
each other's conversations. Some radios, when equipped with Multikey, can have as many as 16
different encryption keys.
Future - Classified Radio Communications
As we previously mentioned, even with the high level of security offered by the Data
Encryption Standard, no classified traffic may be encrypted with DES. A new type of encryption,
known as Facinator, offers the government the ability to encrypt land-mobile and other radio traffic
up to the level of Top Secret. Facinator is a completely different algorithm whose details are still
classified. The U.S. Secret Service is reported to be using Facinator in their Motorola Saber UHF
radios for executive protection and security details.
Motorola's latest development, the "ASTRO"(TM) system, is capable of transmitting either
analog or digital voice, clear or secure, conventional or trunking. This system is currently being
installed in south Florida for the Florida Highway Patrol on 800 MHz trunking (without much
success, I might add). LAPD is also switching over to the Astro system and most reports received
so far indicate that the system works fine.
Radios
Digital voice encryption is not a cheap endeavor. There are several Motorola portable and
mobile radios that offer SECURENET as an option. Even a 15-year-old Motorola MX350S portable
radio that has DVP is about $350 used. These are 4-32 channel models that are quite large and
cumbersome, but incredibly durable. The most popular is the Saber(TM) portable radio. Although
still large and bulky, the Saber offers many options and is still the top-of-the-line portable radio.
The Saber comes in three different varieties, known as Saber I, II and III. Both SECURENET and
non-SECURENET radios are available. A Saber I has 12 channels and no display; a Saber II has
72 channels with three buttons and a display; a Saber III has 120 channels, a full keypad and a
display. Additionally, Saber II and III radios offer scan capabilities. A used Saber III with voice
encryption installed goes for about $800 on the used market. Not bad, considering that current list
price is over $3000! I cannot stress enough the importance of being extremely careful when you
purchase a used radio. Be careful, and be sure you get a receipt.
Repeaters and SECURENET Products
Using digital encryption does have its drawbacks. The common repeater, which consists
of an input frequency and output frequency, normally uses some sort of Continuous Tone Coded
Squelch System, or CTCSS, trademarked as Private Line(TM) (PL) by Motorola or
ChannelGuard(TM) by General Electric, to prevent unauthorized or inadvertent access to the
repeater. Well, to put it simply, you can't send a CTCSS tone with any form of digital encryption.
There are two ways around this shortcoming; either the repeater does not use a CTCSS tone,
which is called a transparent repeater, or a repeater such as the Motorola MSF5000(TM) is used.
The MSF5000 can be operated in the transparent mode, which allows both clear and secure
transmissions to be passed, or the repeater itself can be keyloaded with the same encryption key
as the radios, allowing only those transmissions with the proper encryption key to be re-transmitted.
It is commonly said that most open (no PL) repeaters will not pass digitally encrypted voice. This is
simply not true. The repeater will pass the digital signal, which actually has a narrower deviation
than regular FM voice, just fine. Whether or not the signal is still intact enough for decryption is the
big question.
Conclusion
It is clear that monitors will probably never be able to eavesdrop on digitally encrypted radio
traffic, but I hope that this short introduction to the many facets of encryption products available
helps you to better understand their use and operation. The fact remains, however, that it will be
many years before the home computer advances to a stage that scanner owners can decrypt a
secure radio transmission.
Note: Many of the terms used in the above article are trademarked by Motorola, Inc. including, but
not limited to: SECURENET, DVP, DVP-XL, MX-350S, MSF5000, Saber, OTAR, and PL.