PTP 670: 128-Bit and 256-Bit AES Encryption

Summary/Cause:

The PTP 670 supports optional encryption for data transmitted over the wireless link using a choice of three different encryption algorithms:

  • TLS RSA: The ODUs exchange RSA certificates to authenticate the remote unit and agree a randomly-generated master secret. The TLS RSA option supports unencrypted operation of the wireless link, or encryption with 128-bit or 256-bit AES. TLS RSA is not described in this article.
  • TLS PSK 128-bit: Both ends of the link are configured with the same 128-bit pre-shared key as a master secret. The wireless link is encrypted using 128-bit AES.
  • TLS PSK 256-bit: Both ends of the link are configured with the same 256-bit pre-shared key as a master secret. The wireless link is encrypted using 256-bit AES.

Solution:

The Advanced Encryption Standard (AES) is a symmetric encryption algorithm approved by U.S. Government organizations (and others) to protect sensitive information. The AES implementation in PTP 670 is approved to FIPS 197. The use of AES encryption in PTP 670 is controlled by the AES license and is enabled through the purchase of a capability upgrade.

An AES license key is required to set up AES on PTP 650/670 radios. The part numbers are:
PTP 650/670 128-bit AES Encryption – per ODU: C000065K018A
PTP 650/670 256-bit AES Encryption – per ODU: C000065K019A

Once you have purchased the required AES feature, you receive an entitlement ID from your point of purchase.
Enter that entitlement ID in the licensing portal, generate a license and apply the key to the radios as shown in the link below:

When the license is applied, the AES feature appears in the Installation > Software License Key page, and the option to configure AES encryption appears in the System > Configuration tab.

The new license key also changes the security settings: the critical security parameters (CSPs) are zeroized on reboot.

  • Once the unit has rebooted, it prompts for a new login/admin password for the unit.

  • After the license is applied, the Security tab features become available.
    Note: The dialog to set a new password is only provided from 670-03-60 onwards.

  • Click Continue to Security Wizard; the wizard window appears.

  • Select the security configuration options and click Next.

  • Generate a random Key of Keys and click Next.

  • The Key of Keys is generated separately on each unit and must be different at Master and Slave.

  • Generate a random Entropy Input and click Next.

  • The Entropy Input is generated separately on each unit and must be different at Master and Slave.

  • If you wish to use a security banner, select Yes; otherwise keep the default option "No". Click Next.

  • If you want the unit to display login information, select "Yes"; otherwise keep the default setting "No". Click Next.

  • Enter the port number for HTTPS, attach the TLS private key and the TLS public certificate, and click Next.

After downloading the file, extract it; the extras > certs folder contains the following four files:
example-169_254_1_1-cert-0001.der
example-169_254_1_1-key-0001.der
example-169_254_1_2-cert-0002.der
example-169_254_1_2-key-0002.der

Note: These are example certificates for testing only, they should not be used in a real network.

  • The files ending with 0001 are for the first unit (Master) and the files ending with 0002 are for the second unit (Slave).

  • Select the Encryption Algorithm (TLS RSA, TLS PSK 128-bit or TLS PSK 256-bit) and click Next.

  • Generate a random Wireless Pre-shared Key and click Next.

  • The Wireless Pre-shared Key must be the same at Master and Slave. Copy the key from the first unit and enter exactly the same value on the other unit. The key is the shared secret protecting the link: do not leave it lying in a plain-text file once both units are configured.

  • Enter the HTTP and Telnet settings and click Next.

Note: Do not disable HTTP until HTTPS access has been tested, or you may lock yourself out of the unit's management interface.

  • Confirm the security configuration and reboot.
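The wizard steps above boil down to a few rules: the Key of Keys and Entropy Input are generated independently on each ODU, the Wireless Pre-shared Key is generated once and must be identical on both, and the PSK must be the right size for the selected algorithm. The following helper, which is an added example and not Cambium code, generates keys from the OS CSPRNG and checks a Master/Slave pair against those rules before the values are typed into the units. It assumes keys are handled as hex strings (32 hex characters for 128 bits, 64 for 256 bits); the 512-bit size used for the sample Entropy Input is likewise an assumption, not a figure from this article. The fingerprint lets two operators confirm they entered the same PSK without reading the key itself over the phone.

```python
"""PSK sanity checks for a PTP 670 TLS PSK link (added example, not Cambium code).

Assumptions not stated in the article:
  * keys are entered as hex strings: 32 hex chars = 128-bit, 64 hex chars = 256-bit
  * the sample Entropy Input below is 512 bits (any size works for the checks)
"""
import hashlib
import secrets

# Wizard "Encryption Algorithm" choice -> PSK size in bits
KEY_BITS = {"TLS PSK 128-bit": 128, "TLS PSK 256-bit": 256}


def generate_key(bits):
    """Return a fresh random key of `bits` bits as lowercase hex.

    `secrets` draws from the OS CSPRNG; never use random.random() for keys.
    """
    if bits % 8:
        raise ValueError("key size must be a whole number of bytes")
    return secrets.token_hex(bits // 8)


def validate_key(key_hex, bits):
    """True if `key_hex` is well-formed hex of the right length and not
    degenerate (all bytes identical), which would indicate a placeholder
    rather than a generated key."""
    if len(key_hex) != bits // 4:
        return False
    try:
        raw = bytes.fromhex(key_hex)
    except ValueError:
        return False
    return len(set(raw)) > 1


def fingerprint(key_hex):
    """Short SHA-256 fingerprint of the key, safe to compare out of band."""
    return hashlib.sha256(bytes.fromhex(key_hex.lower())).hexdigest()[:16]


def check_link_config(master, slave, algorithm):
    """Return a list of problems (empty if the pair is consistent).

    `master` and `slave` are dicts with 'key_of_keys', 'entropy' and 'psk'
    exactly as they will be entered into each unit's Security Wizard.
    """
    bits = KEY_BITS[algorithm]
    problems = []
    # Per-unit secrets: each ODU generates its own, so they must differ.
    for field in ("key_of_keys", "entropy"):
        if master[field].lower() == slave[field].lower():
            problems.append(f"{field} reused on both units")
    # Shared secret: valid for the algorithm and identical at both ends.
    for unit, cfg in (("master", master), ("slave", slave)):
        if not validate_key(cfg["psk"], bits):
            problems.append(f"{unit} psk is not a valid {bits}-bit hex key")
    if master["psk"].lower() != slave["psk"].lower():
        problems.append("psk differs between master and slave; link will not form")
    return problems


if __name__ == "__main__":
    # Constructed sample: a correctly prepared TLS PSK 256-bit pair.
    master = {"key_of_keys": generate_key(128),
              "entropy": generate_key(512),
              "psk": generate_key(256)}
    slave = {"key_of_keys": generate_key(128),
             "entropy": generate_key(512),
             "psk": master["psk"]}
    print("problems:", check_link_config(master, slave, "TLS PSK 256-bit"))
    print("psk fingerprint (compare on both ends):", fingerprint(master["psk"]))
```

Run it once per link before configuring the second unit; an empty problem list plus matching fingerprints on both ends means the PSK step was done correctly, and a "reused on both units" entry means someone copied the Key of Keys or Entropy Input across instead of generating it on each ODU.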

The wireless encryption settings (algorithm and pre-shared key) must match at both ends, as must the RF parameters, for the link to form. After a normal reboot, the unit should be accessible within 90 seconds. If the configuration is correct and there is no RF interference, the link should form within 2 to 5 minutes.
