DMR Encryption Application Notes R1.2


Hytera DMR Conventional Series

Encryption Application Notes


Version: R1.2

Date: Oct 29, 2012

Copyright Information
Hytera is the trademark or registered trademark of Hytera Communications Co., Ltd. (the
Company) in PRC and/or other countries or areas. The Company retains the ownership of
its trademarks and product names. All other trademarks and/or product names that may
be used in this document are properties of their respective owners.
The product described in this document may include the Company's computer programs
stored in memory or other media. Laws in PRC and/or other countries or areas protect the
exclusive rights of the Company with respect to its computer programs. The purchase of
this product shall not be deemed to grant, either directly or by implication, any rights to the
purchaser regarding the Company's computer programs. Any of the Company's computer
programs may not be copied, modified, distributed, decompiled, or reverse-engineered in
any manner without the prior written consent of the Company.

Disclaimer
The Company endeavors to achieve the accuracy and completeness of this document,
but no warranty of accuracy or reliability is given. All the specifications and designs are
subject to change without notice due to continuous technology development. No part of
this document may be copied, modified, translated, or distributed in any manner without
our express written permission.

If you have any suggestions or would like to learn more details, please visit our website at:
http://www.hytera.com.

Revision History

Version   Date         Description                                    Remarks
R1.0      01-28-2011   Initial release
R1.1      05-25-2011   Modify content about basic encrypt
R1.2      10-29-2012   Add DMRA encryption and repeater encryption

Contents
1. Overview
1.1 Definition
1.2 Principle
1.2.1 Basic Encrypt
1.2.2 Full Encrypt
1.3 Version
1.4 Scope
2. Encryption and Communication
2.1 Application of Encryption
2.2 Transfer of Encrypted Data
3. Equipment Requirements
4. Configuration Guide
4.1 Terminal Configuration
4.1.1 Software Configuration
4.1.2 Terminal Menu Configuration
4.2 Repeater Configuration
4.2.1 Configuring the Customer Programming Software (CPS)
4.2.2 Repeater Interface Configuration
4.3 MultiKey Decrypt
4.3 Hardware Configuration
5. Instruction of Application
6. FAQ

1. Overview
1.1 Definition
This function provides end-to-end encryption for communication services (including voice
and data) on digital channels, allowing the target terminal to receive the voice and data
privately.

1.2 Principle
Hytera provides two encryption mechanisms, Basic Encrypt and Full Encrypt, both of which
employ a key accessible only to the parties involved in the call. Advanced encryption
(Full Encrypt) comes in two technologies: Hytera encryption and DMRA encryption. Hytera
encryption is named for Hytera's own encryption algorithm, and DMRA encryption is the DMR
standard encryption, which applies the technology specified by the DMR Association.
Basic encryption also uses an encryption technology developed by Hytera.

1.2.1 Basic Encrypt


The Basic Encrypt function can protect your voice or data against unintentional
eavesdropping. This mechanism has the following features:
1) You can configure the key type (40 bits, 128 bits or 256 bits) and key value freely.
2) It transforms the voice or data using a simple mathematical algorithm.
Basic encryption applies a simple mathematical manipulation, using the encryption key, to
the payload information (voice and text messages). It is not a full encryption method,
which would use a complex mathematical algorithm such as AES or ARC4 to encipher the
information.
Although the manipulation is simple, Basic Encrypt supports long keys (up to 256 bits),
which gives it superior basic encryption functionality because of the extensive number of
key combinations. This large number of key combinations by itself provides a sufficient
degree of protection for most customers who want to prevent eavesdropping.
Since no encryption parameter needs to be sent, the system access time for encrypted and
unencrypted voice is the same. See figure 1.2.1-1 for the basic encryption flow.

Figure 1.2.1-1 Basic Encryption Work Flow


* The key plays an important role in encryption. It is recommended to configure a unique
key that, once converted into a binary value, differs from every other key in at least
five bits; otherwise a warning will pop up.

1.2.2 Full Encrypt


The Full Encrypt function can provide enhanced protection for your communication
privacy by using a secure algorithm. This mechanism has the following features:
1) You can configure the key type (40 bits, 128 bits or 256 bits) and key value freely.
2) The 40-bit key adopts ARC4 to generate a key stream to convert the voice or data,
while the 128-bit or 256-bit key uses AES to convert the voice or data. Such keys provide
different key streams for each voice superframe or data packet, making it impossible for
attackers to decrypt by capturing over-the-air voice or data packets.
When the encryption key is generated through the algorithm, Hytera encryption applies
extra processing, while DMRA encryption generates the key directly. As a result, the two
technologies generate different keys even from the same key value.
In this mechanism, an extra header is required for sending the encryption parameters, and
it prolongs the system access time by approximately 60 ms. Additionally, the system late
entry time may also be prolonged due to encryption-related information embedded in the
voice superframe.
Hytera encryption defines its own way of embedding the encryption parameters into the
voice superframe, which is different from that of DMRA encryption.

See figure 1.2.2-1 for the Full encryption flow.

Figure 1.2.2-1 Full Encryption Work Flow


Because the processes and the ways of encryption differ, a radio using Hytera encryption
and a radio using DMRA encryption cannot communicate with each other.

1.3 Version
1) DMR conventional series software R2.0: Basic Encrypt available;
2) DMR conventional series software R2.5: Basic Encrypt available;
3) DMR conventional series software R3.0: Basic Encrypt and Full Encrypt available (you
can view key list and create new key in the menu).
4) DMR conventional series software R4.5: Add multi-key decrypt and repeater
encryption.
5) DMR conventional series R5.0: DMRA encryption added, complying with DMR
standard protocol.

1.4 Scope
These two mechanisms encrypt voice and data only, rather than other information
involved in supplementary services (Radio enable/Radio disable, Remote monitor, Radio
check and Alert call, etc).
In advanced encryption, radios encrypted by Hytera encryption and those by DMRA
encryption cannot communicate with each other.
You cannot check the encryption key from the radios or repeaters directly. Also, when you
check it through the CPS from the PC, you will only see 000 rather than the actual key.
The key acquired by reading the data cannot be written into the radios or repeater until it is
reset and edited.

2. Encryption and Communication


2.1 Application of Encryption
The terminal that receives the encrypted voice or data, no matter whether the encryption
function is enabled, always tries to decrypt the voice or data with the key and encryption
type defined for the current channel. Decryption will be achieved if the key and encryption
type match; however, if the voice or data is not encrypted, it will be output without
decryption.
Decryption may fail in situations below:
1) Both parties adopt the Basic Encrypt mechanism but different keys are employed. In this
case, the data cannot be transmitted and indistinct voice will be heard at the receiving
party.
2) Both parties adopt the Full Encrypt mechanism but different key IDs are employed. In this
case, the data cannot be transmitted and no voice will be heard at the receiving party.
3) Both parties adopt the Full Encrypt mechanism and the same key ID, but different key
values are employed (see Figure 4.1.1-1). In this case, the data cannot be transmitted
and indistinct voice will be heard at the receiving party.
4) Both parties adopt different encryption mechanisms. In this case, the data cannot be
transmitted and no voice will be heard at the receiving party.

2.2 Transfer of Encrypted Data


At present, there are three modes available for transferring encrypted data.
1) DM (Direct Mode)
Under this mode, the terminals communicate with each other directly over the air.

2) RM (Repeater Mode)
When the radio's data is transferred over the air, the repeater can monitor the data even
though it is encrypted. Moreover, the repeater can transmit encrypted voice signals.
You can play the received encrypted voice through the front panel and transmit the
encrypted voice via the PTT on this panel.

3) IP Multi-site Connect Mode


Under this mode, the encrypted data can be transferred via a repeater, an IP network or
over the air. Note that only end-to-end data encryption/decryption is supported.
Under the IP Multi-site Connect mode, the repeater and IP network are dedicated to data
transfer. Both the radios and the repeater can decrypt the received data and transmit the
encrypted data. See figure 2.2-1.

Figure 2.2-1 Encrypted Data Transfer under IP Multi-site Connect Mode

3. Equipment Requirements

At present, the encryption function is realized through software, requiring no extra
hardware.

4. Configuration Guide
4.1 Terminal Configuration
The encryption function can be enabled/disabled through the CPS (Customer
Programming Software), menu or programmed key, but the encryption type can only be
set via the CPS. If the terminal does not support such menu or programmed key, the
encryption function on the current channel cannot be changed.

4.1.1 Software Configuration


Configuring the encryption function via CPS takes three steps: Set the
common encryption parameters, Set the digital channel and Set the programmed key and
menu.
Set the common encryption parameters
Run the CPS, and go to DMR Services -> Encrypt. See figure 4.1.1-1.
1) Set Key Length: 10 characters (40 bits), 32 characters (128 bits) and 64 characters
(256 bits)
2) Add a Key: one terminal can support 30 keys in all.

Figure 4.1.1-1 Common Encryption Parameters


Keys that are defined through CPS cannot be read, edited or deleted through terminal
operation. Once a key is employed for a terminal, it can only be overwritten by a new one,
and it cannot be programmed via the remote control or air interface.

Set the digital channel


Go to Channel -> Digital Channel -> Encrypt. See figure 4.1.1-2.
1) Encrypt option: check it to enable the encryption function, or uncheck it to disable
the function (for transmitting party only).
2) Encrypt Type: select an encryption type between Basic Encrypt and Full Encrypt.
3) Encrypt Key: assign a key for the current channel.

Figure 4.1.1-2 Encryption Parameter Settings


These settings apply to a certain channel only. If they can also be edited through the
menu or programmed key of a terminal, the modification will be applied to the current
channel only. Even if the channel or zone is changed, these settings will be retained.
Please note that modification to a specific channel will not apply to other channels.

Set the programmed key and menu


1) Go to General Setting -> Buttons, and assign a certain key with Scramble/Encrypt
function. See figure 4.1.1-3. After the encryption function is configured to a key, you can
enable or disable it via the key directly.


Figure 4.1.1-3 Button Programming


2) Go to General Setting -> Menu -> Encrypt, and check the parameters shown below.
See figure 4.1.1-4. And then you can edit these parameters via the menu directly.

Figure 4.1.1-4 Menu Configuration


* For security reasons, the key information of a terminal cannot be written into another
terminal directly. However, there is a shortcut to apply a key to a number of desired
terminals. First, program one terminal via CPS, and save the settings as the template for
other terminals; then program other terminals according to this template.
* The Full Encrypt function is available for users authorized by Hytera only. To enable it,
click the Feature Check button. See figure 4.1.1-5.

Figure 4.1.1-5 Full Encrypt Access



4.1.2 Terminal Menu Configuration


If a key has been programmed for the current channel via CPS, you can
1) Use the programmed key to enable or disable the encryption function;
2) Use the menu to:
2.1) enable or disable the encryption function on the current channel;
2.2) change the key of the current channel;
2.3) add keys for the terminal. See figure 4.1.2-1.

Figure 4.1.2-1 Encryption Menu on Terminal


The settings made through the programmed key or menu will be saved.
In non-emergency status, the LCD displays an encryption icon for channels on which the
encryption is enabled. See figure 4.1.2-2. However, if this function is disabled, the icon will
not appear.

Figure 4.1.2-2 Encryption Icon on LCD


4.2 Repeater Configuration


The repeater can monitor the received voice signals. If the signals are encrypted, the
decryption feature must be enabled on the repeater to decrypt them. As with the encryption
setting for radios, the Encryption feature must be enabled before the repeater encrypts its
transmitted data; to decrypt the data, the encryption key must be configured via the
repeater menu.

4.2.1 Configuring the Customer Programming Software (CPS)


There are three steps to finish the digital encryption configuration via CPS: Set the
common encryption parameters, Set the corresponding encryption key and Set the menu
and the programmable keys.
Common Encryption Parameter Configuration
Configure the parameters via DMR Service -> Encrypt as shown in Figure 4.2.1-1.
1) Encrypt key length options: 40 bits, 128 bits, 256 bits.
2) A radio can save up to 30 encryption keys.

Figure 4.2.1-1 Common Encryption Parameters

Encryption: To enable the Encrypt feature, the Encrypt option must be checked.
Encrypt Key Length: In this box, 10 characters indicate 40 bits, 32 characters indicate 128
bits and 64 characters indicate 256 bits.
To set a key of any of these lengths, check the corresponding option in this box.
After the encryption key and the key length option are checked, you can configure the key
in the list:
Key ID: the unique value of a key, used to search for the key.
Key Alias: the name of a key for easier identification of it.
Key Length: This parameter allows you to define the encryption key length. The
length is corresponding to the Encrypt Key Length option you choose.
Key Value: the exact value of a key that you can edit. Its length is subject to the
Encrypt Key Length.
Add: Click this button to add a key into the list. The list can contain at least 1 key and
at most 30 keys.
Insert: Click this button to insert a new key in front of the chosen key in the list.
Delete: Click this button to delete the chosen key in the list.

The key defined for a radio via the CPS cannot be read, changed or deleted by users.
Once the key is programmed into a radio, it cannot be read via the CPS, but can be
overwritten by a new key. The Encrypt feature supports key handling via the CPS only,
not remotely or over the air.
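
Because a programmed key cannot be read back, the key-list rules stated in these notes (10, 32 or 64 characters per key, at most 30 keys, unique key IDs, and the section 1.2.1 recommendation that keys differ in at least five bits) have to be checked on the key plan before it is entered into the CPS. The following Python check is an added example, not Hytera code or CPS behaviour; it assumes key values are hexadecimal strings (inferred from 10 characters = 40 bits), compares only keys of equal length, and uses constructed sample keys.

```python
import string
from itertools import combinations

# Rules taken from these notes; the finding codes are names chosen for this example.
CHARS_TO_BITS = {10: 40, 32: 128, 64: 256}   # key length in characters -> bits
MAX_KEYS = 30                                # a key list holds 1 to 30 keys
MIN_DIFFERING_BITS = 5                       # section 1.2.1 recommendation


def differing_bits(a_hex, b_hex):
    """Count the bit positions in which two equal-length hex keys differ."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def audit_key_list(keys):
    """Audit a planned key list given as [(key_id, key_value_hex), ...].

    Returns a list of finding tuples; an empty list means no rule was violated.
    """
    findings = []
    if not 1 <= len(keys) <= MAX_KEYS:
        findings.append(("bad_list_size", len(keys)))

    seen_ids, usable = set(), []
    for key_id, value in keys:
        if key_id in seen_ids:
            findings.append(("duplicate_key_id", key_id))
        seen_ids.add(key_id)
        if len(value) not in CHARS_TO_BITS:
            findings.append(("bad_length", key_id, len(value)))
        elif not all(c in string.hexdigits for c in value):
            findings.append(("not_hex", key_id))
        else:
            usable.append((key_id, value))

    # Pairwise distance check; identical keys show up with a distance of 0.
    for (id_a, a), (id_b, b) in combinations(usable, 2):
        if len(a) == len(b):
            distance = differing_bits(a, b)
            if distance < MIN_DIFFERING_BITS:
                findings.append(("too_similar", id_a, id_b, distance))
    return findings


# Constructed sample key plan (not real keys).
SAMPLE_KEYS = [
    (1, "0123456789"),                        # 40-bit key
    (2, "0123456788"),                        # differs from key 1 in one bit
    (3, "FEDCBA9876"),                        # far from keys 1 and 2
    (4, "00112233445566778899AABBCCDDEEFF"),  # 128-bit key
    (5, "12345"),                             # wrong length
    (5, "0x23456789"),                        # reused ID, non-hex character
]

if __name__ == "__main__":
    for finding in audit_key_list(SAMPLE_KEYS):
        print(finding)
```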

Corresponding encryption key: to set the corresponding key for the channel.
Enter Channel -> Digital Channel -> Encrypt, as shown in Figure 4.2.1-2.
1) Encrypt: to decide whether the transmitted voice/data by the current channel is to be
encrypted. This option is applicable to the transmitting party only.
2) Encrypt Type: to select the encrypt type (Basic/Advanced).
3) Encrypt Key: to select an encryption key for the transmitting slot of the current channel.


Figure 4.2.1-2 Parameter Configuration for Encrypt


Slot 1 Encrypt: This option decides whether the transmitting slot of the current
channel will be encrypted. To encrypt the slot, you must check this option.
Slot 1 Encrypt Type: to select the encrypt type from Basic and Advanced for Slot 1.
Slot 1 Encrypt Key: to select a key from the defined key list for Slot 1. The key
is used to encrypt the services during transmission and to decrypt them when they
are received. Only when the two parties are using the same key can they
communicate with and read the messages from each other normally.
These parameters are set for a certain channel only. If the users configure the encryption
via the menu options or the CPS, only the selected channel will be defined. The
configuration will be retained even if the users switch to another channel or zone, and it
takes effect on the configured channel only.
Set the Menu and the Programmable Key.
1) Go to General Configuration -> Buttons, and assign a certain key with
Scramble/Encrypt function. See figure 4.2.1-3. The repeater can only enable the Encrypt
feature via the CPS and the programmable key rather than through the repeater's menu.


Figure 4.2.1-3 Programmable Key Configuration

4.2.2 Repeater Interface Configuration


The repeater can only configure Encrypt with the programmable key instead of via its
menu.

4.3 MultiKey Decrypt


MultiKey Decrypt is used to decrypt the voice and data received from different radios with
multiple keys defined in the list. Please note that a signal can only be decrypted with
the corresponding key. Upon receipt of encrypted voice or data, the radio will find a
key from the list to decrypt it. MultiKey Decrypt is significant for systems with strong
confidentiality.
MultiKey Decrypt configuration: To configure MultiKey Decrypt, you need to set the
key list and enable the MultiKey Decrypt feature. As the configuration for the repeater is
the same as that for radios, the repeater is taken as the example in the following
introduction.
Set the Key List:
Go to DMR Service -> Encrypt as shown in the following figure 4.3-1.


Figure 4.3-1 Set the Key list


After the encryption key and the key length option are checked, you can configure the key
in the list:
Add: Click this button to add a key into the list. The list can contain at least 1 key and
at most 30 keys.
Insert: Click this button to insert a new key in front of the chosen key in the list.
Delete: Click this button to delete the chosen key in the list.
You can edit the key ID, key alias and key value.


Enable the MultiKey Decrypt function


Go to Channel -> Digital Channel -> Encrypt, as shown in the following figure 4.3-2.

Figure 4.3-2 Multikey configuration


To enable this function, you must check the Encrypt option, select Advanced as the
Encrypt Type, and then check the MultiKey Decrypt option. The MultiKey Decrypt feature
is set per channel, so only a channel with this option checked can use the
MultiKey Decrypt feature.

4.3 Hardware Configuration


At present, there is no such configuration required.


5. Instruction of Application
As a tool for commanding and dispatching, the conventional wireless communication
system plays an important role in many fields. However, its security and reliability face
a great challenge due to poor privacy. Therefore, all kinds of important voice or data must
be transferred securely. In response to the security issue, Hytera has developed a unique
digital encryption function, which can secure the privacy of voice and data at two levels:
Basic Encrypt and Full Encrypt.
By applying ARC4 and AES, Full Encrypt is an ideal solution for communication security in
many areas such as government, public security, energy and transportation.


6. FAQ
6.1 Can both encryption mechanisms apply to one terminal?
Yes, but each channel supports one mechanism only.

6.2 How many key-length options are available?


We provide three options: 40 bits, 128 bits and 256 bits.

6.3 Can we use our own encryption devices?


At present, the encryption function is embedded in the DMR terminal, requiring no extra
device. In the future a port will be reserved for users to further develop such function.

6.4 What is the purpose of encryption?


This function provides end-to-end encryption for voice and data on digital channels, so as
to enhance the communication security.

6.5 Will encryption affect the communication coverage and voice
quality?
Not at all.

6.6 Will the encryption settings work for both parties operating on
the same channel?
Yes, but the Encrypt option applies to the transmitting party only, that is, if this option is
checked, the data to be transferred will be encrypted; otherwise, the data will not be
encrypted. See figure 4.1.1-2.


6.7 Can A Radio with Hytera Encryption and That with DMRA
Encryption Communicate with Each Other?
No, they cannot communicate with each other, because Hytera encryption and DMRA
encryption differ in how they generate the key and in how they embed and process the
encryption parameters. Advanced encryption provides two types of
protocols: Hytera encryption and DMRA encryption. Hytera encryption adopts an
encryption algorithm developed by Hytera itself, and DMRA encryption is the DMR standard
encryption.
