MM23772, Rev. F

51
8.28 OPENSKY ENCRYPTION (P7200 ONLY)
In the OpenSky network, both data and voice use a 128-bit or 256-bit key encryption standard published
by the Federal Information Processing Service (FIPS), called Advanced Encryption Standard (AES). AES
is approved by the U.S. Department of Commerce for encryption of classified materials.
When encryption is enabled on the network, data is encrypted from the MDIS to the Mobile End System
(MES) (e.g., P7200 portable radio). This form of encryption provides airlink security.
Voice encryption is handled either automatically or manually. Automatic encryption is initiated through
the Unified Administration Server (UAS) for a specific talk group and requires nothing from the user.
Manual encryption is initiated by two or more radio users. Both methods of encryption are discussed in
the following sections.
When a user transmits encrypted voice, any listening users with different encryption keys
hear distorted voice and “No Access” appears in the radio display.

8.28.1 Automatic Encryption

For automatic encryption, a system administrator will select the talk group to be encrypted at the interface
to the UAS. Once the talk groups have been selected and identified as secure, credentials for key
generation are generated automatically by the system and provisioned to authorized users. This process
requires that authorized users login to the network and be authenticated. Encryption keys require no
manual handling and are never sent “in the clear” over any network interface or airlink.

8.28.1.1 Using Automatic Encryption

1. Locate the talk group that has been encrypted at the system administrator level.
2. “Pls Login” appears in the display (unless the keypad was used to log in).
3. Login normally by entering your User ID and Password.
If a user is engaged in a call on a talk group encrypted at the network administrator level, “Secure Call”
will appear in the bottom line of the dwell display if the user is logged in to that talk group.
If a secure call is in progress elsewhere and the user has not logged in, the bottom of the dwell display
will alternate between “No Access” and the alias of the radio that is currently engaged in the secure call.

8.28.2 Manual Encryption (P7270 Only)

Two or more users can manually encrypt a call, if enabled, without an established encrypted talk group. A
pre-determined “key or code” is required. Note that while a user is engaged in an encrypted call, users
within the talk group that are not encrypted can still make standard voice calls on that talk group. The
encrypted user can hear the standard unencrypted calls, but cannot respond while still manually
encrypted.
Manual key entry only affects the currently selected talk group. All available talk groups within the
current profile may be independently encrypted.
The key must be pre-determined by the users prior to making a manually encrypted call on
a talk group and is entered into the radio using the keypad. For 128 bit encryption, this key
is between 1 and 16 digits. For 256 bit encryption, this key is between 17 and 32 digits.