Redes .1 Red de agua

2.7.1 Introduction

The Advanced Encryption Standard (AES) feature provides a method for securing the data traffic traveling across the radio link by encrypting the information.

The AES feature, and the associated procedures in this section, are applicable to MPT-GC systems mod- els, -E and -3TDM. These systems are available as factory-configured or field-upgrade to AES.

In cryptography, AES is a block cipher adopted as an encryption standard by the U.S. government. AES is one of the most popular algorithms used in symmetric key cryptography. The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information requires use of either the 192 or 256 key lengths. The Alcatel-Lucent AES solution uses the 256 key length.

For the 256 Key, 64, 4-bit HEX characters or 32, 8-bit ASCII keyboard text characters are used for the key. When upgrading the system with the STM-4 license file, please be aware that a new FPGA version is required.

The unit clocks data into the SONET/SDH interface, based on the exter- nal clock being received from the connected equipment. Therefore, when the SONET/SDH port is configured for OC-12/STM-4, the interface will still clock an OC-3/STM-1 signal over the link transparently, if connected.

By default, the AES capable units that are factory configured or upgraded have a matching default key active on both ends of the link.

The Link Quality voltage reading, which is used to determine the performance of the link, is fully functional, independent of AES configuration.

2.7.2 AES upgrade procedure

Upgrading your radio to AES involves obtaining an AES license and firmware from Alcatel-Lucent. Use the following steps to upgrade your radio to include AES.

1) Connect to the Web interface of both the High-Band and Low-Band units, and click on Tools, License.

2) Click the Request License button in the License Page.

3) Select Save from the File Download dialog box and save the lic_MAC00xxxx.ini file to a known location.

4) Email this file to Alcatel-Lucent after purchasing the AES upgrade.

5) Once the upgrade has been purchased, Alcatel-Lucent will email a license file and a .bit file (firmware/FPGA) that must be uploaded to the radio units. Save these files to a known location. Each file can be used for both units.

6) From the Web interface of each unit, select the Tools/Maintenance page. Under the Upload section, click Browse and locate the license file received from Alcatel-Lucent, then select Upload. A confirmation message is displayed upon successful upload.

7) Click Browse from the Upload section, locate the .bit file (firmware/FPGA), then click Upload. A confirmation message is displayed upon successful upload.

8) Restart the unit.

The unit can then be configured using the AES Setup page.

The unit’s firmware should not be upgraded until after the license file has been received and properly installed.

HTTPS does not have to be enabled (in the Configuration, IP Setup page) to enable and configure AES.

User Manual Overview 9500 MPR for ANSI and ETSI

3DB19025AAAA Issue 2

36/234

2.7.3 AES setup procedure

The AES function may either be supplied from the factory or as an upgrade.

1) AES should only be configured after proper installation has been completed, and an unen- crypted link has been established and validated. Confirm you are working with a fully opera- tional link.

2) Using a Web browser, connect to the Web interface of the local (near-end) unit and click on AES. The AES Setup page shown below appears:

3) Under the Set Key section, enter up to 32 ASCII text characters into the Key (ASCII) field, and then click the Set Key button. The ASCII characters will automatically be converted to hexa- decimal format. Alternatively, hexadecimal characters can be entered directly into the Key (Hex) field. After Set Key is clicked, the buttons become grayed out while the key is being saved to flash. This process can take up to 4 minutes.

Check the key closely before performing the Set Key operation. The key contents will not be displayed after performing the Set Key operation.

Click AES to refresh the page until the buttons are no longer grayed out. Do not hit the browser Refresh option to update the page. This will cause the key to re-save, and the buttons will continue to be grayed out.

Please be patient. It may take up to 4 minutes for the 256 key data to be written to the radio memory. The buttons on the AES page will be grayed out during this process.

4) Log into the remote (far-end) unit, being sure to enter the same key at both ends of the link, and perform the Set Key operation outlined in Step 3. Again, it can take up to 4 minutes for the key to be written to the flash memory.

5) Next, click the Activate Key button on the remote (far-end) unit first, and then the local (near- end) unit. This applies the key to the internal encryption hardware, but does not enable encryp- tion.

6) The Encryption menu is used to enable or disable encryption and is set to Enable by default. Verify that both the local (near-end) and remote (far-end) unit Encryption menus are set to Enable. If Disable is set, select Enable from the Encryption menu on the remote (far-end) unit, click the Set Encryption button, then perform the same on the local (near-end) unit.

On Protection systems, all four radios must have the same AES key con- figured. Otherwise, traffic will not flow over the link when switching to the standby unit.

If connectivity across the link cannot be established after enabling encryption, check the Packets Received field under the Radio section of the Radio Status page. If errors are displayed followed by the Check AES setup message, shown below, the keys are most likely mismatched and should be re-entered into both the local and remote units.

User Manual Overview 9500 MPR for ANSI and ETSI

3DB19025AAAA Issue 2

38/234