Encrypted voice and data systems are well known. Many of these systems provide secure communication between two or more users by sharing one piece of information between the users, which permits only those users knowing it to properly decrypt the message. This piece of informatin is known as the encryption key variable, or key for short. Loading this key into the actual encryption device in the secure communication unit is a basic requirement that allows secure communication to occur. To retain security over a long period of time, the keys are changed periodically, typically weekly or monthly.
Loading new keys, called rekeying, can be done in various ways. Over-the-channel rekeying is achieved by transmitting the encrypted keys from a central keyloading site to the units in the subscriber group over a typical secure channel. Manual rekeying is accomplished by connecting a cable from a hand-held keyloading device (also called a key variable loader, or keyloader for short) to the secure unit and downloading the keys from the keyloader into the communication unit by pressing the appropriate buttons on the keyloader. Over-the-channel rekeying takes a few seconds, and the process involved in manual keyloading, including locating the unit, connecting the loader, etc., takes much longer.
It is evident that use of an over-the-channel rekeying system is a big time-saver and a security improvement when rekeying a large system. As systems grow larger, with thousands of subscriber units in one system, the need for multiple keys becomes evident. In secure RF trunked systems, such as the system described in U.S. Pat. No. 4,882,751, it is often likely that different groups within a large system require their own encryption key or keys, possibly to increase internal security or to minimize the number of times it is necessary to reload keys over a period of time.
In over-the-channel rekeying systems, a time exists when some communication units have the new set of keys and the remaining units from the same group have the old set of keys, preventing them from secure communication with each other. This happens because a communication unit must be powered-up and must be within the RF range of the system to be rekeyed. A rekeying method is needed that can rekey all communication units, especially if they were not powered-up or in the system's Rf range when the initial rekeying message occurred.
With the continually increasing size of systems and the growing need for system security, it is apparent that an approach to key management with an over-the-channel protocol that handles multiple keys is essential. This protocol must provide rekeying for all communication units, even if they were not powered-up or in the system's Rf range during the original rekeying time.