Product Code Database
Digital Mobile Radio ( DMR) is a digital radio standard for voice and data transmission in non-public Radio network. It was created by the European Telecommunications Standards Institute (ETSI), and is designed to be low-cost and easy to use. DMR, along with P25 phase II and NXDN are the main competitor technologies in achieving 6.25 kHz equivalent bandwidth using the proprietary AMBE+2 vocoder. DMR and P25 II both use two-slot TDMA in a 12.5 kHz channel, while NXDN uses discrete 6.25 kHz channels using frequency division and TETRA uses a four-slot TDMA in a 25 kHz channel.
DMR was designed with three tiers. DMR tiers I (Unlicensed) and II (Conventional Licensed) were first published in 2005, and DMR III (Trunked version) was published in 2012, with manufacturers producing products within a few years of each publication.
The primary goal of the standard is to specify a digital system with low complexity, low cost and interoperability across brands, so radio communications purchasers are not locked into a proprietary solution.
The DMR standard operates within the existing 12.5 kHz channel spacing used in land mobile frequency bands globally, but achieves two voice channels through two-slot TDMA technology built around a 30 ms structure. The modulation is 4-state FSK, which creates four possible symbols over the air at a rate of 4,800 symbols/s, corresponding to 9,600 bit/s. After overhead, forward error correction, and splitting into two channels, there is 2,450 bit/s left for a single voice channel using DMR, compared to 4,400 bit/s using P25 and 64,000 bit/s with traditional telephone circuits.
The standards are still (as of late 2015) under development with revisions being made regularly as more systems are deployed and improvements are discovered. DMR association press release Oct 27 2015 stating revision to standard It is very likely that further refinements will be made to the standard, which will necessitate firmware upgrades to terminals and infrastructure in the future to take advantage of these new improvements, with potential incompatibility issues arising if this is not done.
DMR covers the RF range 30 MHz to 1 GHz.
There are DMR implementations, (as of early 2016), that operate as low as 66 MHz (within the European Union, in 'Lo-Band VHF' 66–88 MHz.)
Note that a licence free allocation is not present at this frequency outside of Europe, which means that PMR446 radios including DMR Tier I radios can only be used legally in other countries once an appropriate radio licence is obtained by the operator.
Some DMR radios sold by Chinese manufacturers (most notably Baofeng) have been mis-labelled as DMR Tier I. A DMR Tier I radio would only use the PMR446 licence–free frequencies, and would have a maximum transmitted power of 0.5 watts as required by law for all PMR446 radios.
Although the DMR standard allows Tier I DMR radios to use continuous transmission mode, all known Tier I radios currently use TDMA, the same as Tier II. This is probably due to the 40% battery savings that come with transmitting only half the time instead of continuously.
The standard allows DMR manufacturers to implement additional features on top of the standards which has led to practical non-interoperability issues between brands, in contravention to the DMR MOU.
The DMRA now manages an interoperable voice and data encryption scheme for DMR. 40 Bit ARC4, 64 bit DES, 128 and 256 bit AES options are defined. These encryption schemes are interoperable between manufacturers and support voice call late entry, multiple keys, and with no discernible degradation of voice quality.
Some DMR encryption algorithms have been released, such as PC4, released in 2015 with source code available. PC4 is a block cipher specifically designed for DMR radio communication systems, using 253 rounds and a key size from 8 bits to 2112 bits. The block size is 49 bits, which is equal to the size of an AMBE+ DMR voice frame.
A firmware that implements PC4 encryption is available for the Tytera MD-380 and MD-390 radios.
In Motorola Basic Encryption, AMBE frames are encrypted by simple XOR using one of 255 possible static keys.
The Basic mode from other manufacturers offers 10-, 32-, or 64-character keys to produce a 882-bit fixed string of random characters that is combined via XOR with AMBE frames. The entire superframe, rather than each individual AMBE frame, is XORed with this longer static key. A superframe contains 18 AMBE frames, i.e. 882 bits, and it is these 882 bits that will be encrypted with this 882-bit fixed string.
PC4 encryption mode encrypts an entire 49-bit frame in ECB mode. A single bit that differs makes the entire encrypted block completely different.
For the Enhanced (ARC4) or Advanced (AES) mode, each complete superframe is also encrypted with a 32-bit IV (initialization vector). As a result, the encryption is no longer fixed for the same key, but changes with each superframe, improving security.
In the DMR standard does not leave any room to store this IV, so the IV (with the addition of an error-correcting code, for a total of 72 bits) replaces 4 low-order bits in each 49-bit AMBE frame. These 4 bits are therefore lost, degrading the voice quality, which is not the case with fixed ciphers in Basic mode. The 72-bit encoded IV is thus spread across all 18 AMBE frames in the superframe.
RC4 encryption is a stream cipher that must use an IV (Initialization_vector) each time it performs encryption. The size of this IV should be large enough so that there is no repetition of this IV during the entire use of the same key.
RC4 weak IV encryption has already been compromised in the WEP Wi-Fi encryption system because the IV size was too short (24 bits).
Motorola has opted to use a slightly longer IV size (32-bit) but not that much longer than the WEP's 24-bit IV. Motorola calls this IV the MI (Message Indicator).
Motorola's official explanation for this short IV is that the DMR standard was not originally intended for encryption and that they had to use bits from voice frames to put the IV into it. To avoid degrading the voice too much, only 32 bits can be inserted.
According to the author of the DSD-FME software, a DMR specialist, this claim is false because there is the possibility of creating custom DMR frames. Such a frame could therefore have contained a large IV (128 bits for example).
Some users discovered that Anytone radios (such as the Anytone 878) using ARC4, had the IV constant (0x12345678) at the beginning of each transmission. This flaw was fixed in AnyTone D878UVII firmware update V3.03 (2023-12-18).: 5. Modify the firmware to make the AES encryption have a variable Vector(IV) instead of fixed "12345678".
The Motorola ARC4 DMRA should by design provide at least 4 billion different IVs, so there should be 4 billion superframes with a different IV (2^32-bits possible IVs).
But one user discovered that Motorola uses a non-primitive LFSR for the ARC4 to generate the IVs. Instead of 4 billion different IVs, there are only 294,903 different IVs. So instead of a 32-bit IV, you get an 18-bit IV, which is much shorter than the 24-bit WEP Wi-Fi IV.
It doesn't seem conceivable that it was a mistake on Motorola's part to have used a non-primitive IV in its standard, so the mistake seems to be intentional. It may be a backdoor.
If such a backdoor has been introduced in the ARC4 DMRA standard, one can wonder about the security of the AES256 DMRA standard, although no backdoor has been made public at the moment.
According to cryptologist Eric Filiol, it is likely that all exported products with a key length of more than 56 bits have a backdoor, as this is a legal requirement due to the Wassenaar Arrangement.
|
|
