
AUTOMATED KEY MANAGEMENT TO FACILITATE SECURE KEY DISTRIBUTION

IP.com Disclosure Number: IPCOM000004642D
Original Publication Date: 2001-Mar-13
Included in the Prior Art Database: 2001-Mar-13
Document File: 1 page(s) / 7K

Publishing Venue

Motorola

Related People

Walter F.C. Anderson: AUTHOR

Abstract

AUTOMATED KEY MANAGEMENT TO FACILITATE SECURE KEY DISTRIBUTION

This text was extracted from an RTF document.
This is the abbreviated version, containing approximately 68% of the total text.

AUTOMATED KEY MANAGEMENT TO FACILITATE SECURE KEY DISTRIBUTION

by Walter F.C. Anderson and Mark Conrad Gonsalves

In Over The Air Rekeying (OTAR) or similar key distribution systems, encryption keys and related parameters are managed and distributed to encryption-capable devices via a Key Management Facility (KMF). The distribution of the key material and other encryption attributes is performed in an encrypted manner because of the sensitivity of the data in the payload.

Typically, messages containing encryption attributes must be encrypted by a Traffic Encryption Key (TEK), and messages containing actual encryption key material must be both "inner layer" encrypted by a Key Encryption Key (KEK) and "outer layer" encrypted by a TEK. Further, key distribution messages also typically require a Message Authentication Code (MAC) to be included in the payload, which is generated using a TEK. This methodology is required by both the APCO Project 25 OTAR Standard and the emerging European Tetra Standards.

In order to deliver useful key distribution messages, the KMF must therefore utilize both TEKs and KEKs known by the receiving target units. OTAR systems typically provide the capability to broadcast OTAR messages to a group of targets, thus requiring the KMF to utilize one or more TEKs and KEKs known to all or some members of the target group. Because OTAR systems exist in order to deliver new encryption keys and encryption attributes to target units and to remove old keys and attributes, the problem of reliably and efficiently selecting a TEK and KEK known to the target or group of targets is not trivial for the KMF.

Existing systems, such as the implementation of APCO Project 25 OTAR in Astro System Release R3.1, are capable of assigning and managing a unique KEK (UKEK) for each OTARable unit in the KMF's database and a common KEK (CKEK) for each target group; these UKEKs and CKEKs are used in the "inner layer" encryption of key distribution messages. However, for TEKs used in the "outer layer" of key distribution messaging, the current implementation selects one of the TEKs that has been assigned to a unit or group for use during voice and data communications under normal operating conditions. This approach has several drawbacks that require special handling when voice and data TEKs are to be erased during the OTAR operation, and when the TEK that is to be replaced during the operation is selected as the TEK for use in encrypting the key distribution messaging.

This paper proposes an automated methodology for avoiding these drawbacks. In this method, the KMF manages a UKEK for each unit and automatically creates and manages a CKEK for each target group in the KMF's database in a manner consistent with the current implementation; however, the KMF also automatically creates and manages a unique TEK (UTEK) for each unit and a common TEK (CTEK) for each group, and it is thes...
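The following added example (not part of the disclosure, and not Motorola's KMF code) models the two points made above: the KEK inner layer / TEK outer layer / TEK-keyed MAC structure of a key distribution message, and the outer-layer TEK selection problem, contrasting reuse of a voice/data TEK with a dedicated UTEK. The cipher is a constructed stand-in, and the unit record, its field names and the key values are assumed.

```python
import hashlib
import hmac

# Constructed stand-in for the OTAR cipher: a SHA-256 keystream XORed onto the
# data. It is symmetric, so the same call decrypts. Only the KEK/TEK/MAC
# layering is meant to follow the disclosure, not the cipher itself.
def toy_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + len(stream).to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def build_key_message(kek: bytes, tek: bytes, nonce: bytes, key_material: bytes) -> bytes:
    """KMF side: inner layer under the KEK, outer layer under the TEK, MAC under the TEK."""
    inner = toy_crypt(kek, b"inner" + nonce, key_material)
    outer = toy_crypt(tek, b"outer" + nonce, inner)
    mac = hmac.new(tek, nonce + outer, hashlib.sha256).digest()[:8]
    return nonce + outer + mac

def open_key_message(kek: bytes, tek: bytes, msg: bytes):
    """Unit side: verify the MAC with the TEK it holds, then peel both layers.
    Returns None when the MAC fails, i.e. the unit does not hold the TEK the KMF chose."""
    nonce, outer, mac = msg[:8], msg[8:-8], msg[-8:]
    expect = hmac.new(tek, nonce + outer, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(mac, expect):
        return None
    return toy_crypt(kek, b"inner" + nonce, toy_crypt(tek, b"outer" + nonce, outer))

# Hypothetical unit record as a KMF database might hold it (field names assumed).
UNIT = {
    "ukek": b"ukek-for-unit-42",
    "utek": b"utek-for-unit-42",  # dedicated OTAR TEK, as in the proposed method
    "voice_data_teks": {"TEK1": b"voice-tek-1", "TEK2": b"voice-tek-2"},
}

def select_outer_tek(unit: dict, keys_being_replaced: set, use_dedicated: bool):
    """Current approach: reuse a voice/data TEK, which fails (None) when every such
    TEK is being erased or replaced by this operation. Proposed: always use the UTEK."""
    if use_dedicated:
        return unit["utek"]
    for name, tek in unit["voice_data_teks"].items():
        if name not in keys_being_replaced:
            return tek
    return None
```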