Contents hide
1 MOTOROLA KVL6K E2EE Key Variable Loader
2 FAQs
3 CONNECTION INFORMATION
4 Key management
5 Secure solution
6 SPECIFICATION
7 DIMENSION
8 Documents / Resources
8.1 References
9 Related Posts

MOTOROLA-LOGO

MOTOROLA KVL6K E2EE Key Variable Loader

MOTOROLA-KVL6K-E2EE-Key-Variable-Loader-PRODUCT

FAQs

  • Q: Can KVL 4000 E2EE cables be used with the KVL6K E2EE?
    • A: No, KVL 4000 E2EE cables cannot be re-used with the KVL6K E2EE.
  • Q: What devices are compatible with the KVL6K E2EE?
    • A: A full list of compatible devices is provided on page 4 of the user manual.

CONNECTION INFORMATION

End-to-end encryption (E2EE) provides an extra layer of security across your DIMETRA™ system for voice, data, and location information: from end-point to end-point. This is in addition to Air-Interface Encryption between the base station and TETRA devices, and IPSec encryption between base stations and the DIMETRA core.

MOTOROLA-KVL6K-E2EE-Key-Variable-Loader-FIG-1 (1)

Air interface encryption and end-to-end encryption

MOTOROLA-KVL6K-E2EE-Key-Variable-Loader-FIG-1 (2)

KVL6K E2EE

  • The KVL6K E2EE is a Key Variable Loader (KVL) that provides secure generation, secure storage, secure transportation, and secure loading of keys to enable end-to-end encryption for DIMETRA TETRA infrastructure components and Motorola Solutions TETRA devices.1
  • The KVL6K E2EE consists of a USB Hardware Security Module (HSM) that provides secure storage and cryptographic operations and a KVL6K E2EE application that runs on a computer using the Microsoft® Windows® operating system.
  • The KVL6K E2EE application has an intuitive user interface and allows users to easily manage and load keys. The KVL6K E2EE builds on the capabilities of the KVL 40002 E2EE with a new look and feel improved usability and functionalities.

Key management

  • KVL6K E2EE provides a means for creating and transferring encryption keys to Motorola Solutions TETRA devices (mobiles and portables) and infrastructure. Encryption keys can be entered manually by a KVL user, autogenerated by the KVL’s HSM, or downloaded from a Key Management Facility (KMF) as part of the store-and-forward feature.
  • Automatic key loading of the end-to-end Encryption Key into Motorola Solutions TETRA devices is an option that helps to speed up the provisioning process. When a Motorola Solutions TETRA radio is connected to the KVL6K E2EE, the radio is detected automatically, and the key loading process starts.
  • The KVL6K E2EE provides the ability to define and load Primary Protection Keys to different infrastructure crypto modules, including the DIMETRA KMF’s CryptR, to secure their databases. It can also be used for crypto module settings configuration and firmware updates.
    • 1 A full list of compatible devices is listed on page 4.
    • 2 KVL 4000 E2EE cables cannot be re-used with the KVL6K E2EE.

Intuitive user interface

The KVL6K E2EE Windows application has an intuitive user interface and supports touchscreen devices, as well as both night and day modes. The application dashboard helps with day-to-day operations and enables fast and easy key maintenance. Different views including Talkgroups, Cryptogroups, and KMF-related operations, provide an additional level of information to make key management more efficient.

MOTOROLA-KVL6K-E2EE-Key-Variable-Loader-FIG-1 (3)

Secure solution

The security of keys is paramount. To help keep your keys secure and your DIMETRA TETRA systems protected, the KVL6K E2EE uses multiple security capabilities.

  • Physical USB HSM
    • The KVL6K E2EE allows the user to take advantage of using a standard “off-the-shelf” Windows device to run the KVL6K E2EE application while maintaining a high level of security. This is accomplished by utilizing a USB HSM designed to meet FIPS 140-3 level 3 hardware specifications to protect, store, and secure all sensitive key material and enable key transfer to the target devices. The USB HSM utilizes a secure boot so that only Motorola Solutions approved code can run on it, and has countermeasures like tamper protection built into the hardware to protect against exfiltration of data through probing of the HSM or from environmental attacks — such as extreme temperatures or over voltage.
  • Secure processing of key material
    • All the key material that the KVL6K E2EE creates, stores, and transfers to target devices and infrastructure during the provisioning process is secure and never visible to the application or user in an unencrypted form. (The only exception is when a user enters a key – after which the key can never be seen in unencrypted form again.) Only the USB HSM is able to decrypt key material, and only when connected to a target TETRA device that needs its E2EE key loaded.
  • Environment protection
    • The KVL6K E2EE uses the Microsoft Package Integrity Check feature in Windows, which enables Windows to run integrity checks on the entire contents of the host application package. This enables Windows to initiate a package remediation and repair workflow before launching the application if it detects a tampered or corrupted package.
  • Multi-layer key material protection
    • The KVL6K E2EE includes multi-layer key material protection. Each key used by the KVL6K E2EE is encrypted using the USB HSM before storing it.
    • In addition, the entire KVL6K E2EE keystore is encrypted by a key stored within the HSM, so the data remains protected while at rest.
  • Encrypted connection to USB HSM
    • The KVL6K E2EE provides an AES 256 encrypted USB connection between the USB HSM and the KVL6K E2EE application to keep data exchanged over the link secure.
  • Secure remote connection
    • Remote connection with the DIMETRA Key Management Facility is protected by a pre-shared key, which encrypts all transmitted key material. The KVL6K E2EE does not expose any endpoints, and a remote connection is only available on demand.
  • Authorization and security
    • Access to the KVL6K E2EE is secured by requiring Windows user authentication, possession of the USB HSM, and authentication to enable the USB HSM. Separate Administrator and Operator roles are available for users. Adopting roles enables users to have the appropriate authorization of key management activities, including authorization of firmware upgrades and critical parameter changes. In addition, having a mandatory password protects the KVL6K E2EE application, while user timeout automatically logs a user out of the application after a specified period of inactivity. The KVL6K E2EE also maintains an audit log of actions including managing and loading talk groups, store-and-forward operations, settings changes, or firmware management.

SPECIFICATION

MOTOROLA-KVL6K-E2EE-Key-Variable-Loader-FIG-1 (6) MOTOROLA-KVL6K-E2EE-Key-Variable-Loader-FIG-1 (7)

DIMENSION

MOTOROLA-KVL6K-E2EE-Key-Variable-Loader-FIG-1 (4) MOTOROLA-KVL6K-E2EE-Key-Variable-Loader-FIG-1 (5)To learn more, visit: www.motorolasolutions.com/tetrasecurity.

  • Motorola Solutions Ltd., Nova South, 160 Victoria Street, London, SW1E 5LB, United Kingdom
  • All specifications are subject to change without notice
  • MOTOROLA, MOTO, MOTOROLA SOLUTIONS, and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings, LLC, and are used under license.
  • All other trademarks are the property of their respective owners. ©2024 Motorola Solutions, Inc.
  • All rights reserved. 09-2024 [BG05]

Documents / Resources

MOTOROLA KVL6K E2EE Key Variable Loader [pdf] Owner's Manual
KVL6K, KVL6K E2EE Key Variable Loader, KVL6K E2EE, Key Variable Loader, Variable Loader, Loader

References

Related Posts

Leave a comment

Your email address will not be published. Required fields are marked *