Skip to content

Fortune Favors the Prepared

Semper Paratus, Semper Gumby

Menu
  • The Continuity Chronicles
  • Intelligence Reports
        • DAILY THREAT REPORT
        • DAILY THREAT REPORT – LITE
        • DAILY PREPAREDNESS BRIEF
        • Analytical Standards and Tradecraft
        • Acronym & Abbreviations Glossary
        • Source Registry
        • FLASH & SPECIAL REPORTS
        • Area-Specific Assessment Report
        • SOFT TARGET SECURITY BRIEF
        • THE HOUSEHOLD BRIEF
        • COMMS WATCH
        • FINANCE SECTOR
        • HEALTHCARE SECTOR
        • TRANSPORTATION & LOGISTICS SECTOR
        • AI, DATA CENTER & INFRASTRUCTURE REPORT
        • CONSTRUCTION & MANUFACTURING SECTOR
        • Water and Wastewater Security Report
        • Energy Sector Report
        • Strategic Intelligence Supplement
  • WATCH DESK
  • About
        • The Why
        • Vision and Mission
        • Services
          • Business Resiliency
        • Testimonials
        • Insider
        • Friends
          • Patriot Volunteer Examiner (VE) Team
          • Angery American
          • Signal Stuff
          • Forward Observer
  • Communications
        • Stump Knocker
          • SOI
          • STUMP KNOCKER DMR UPDATES
          • MMDVM Hotspot
        • Preparedness Communications
          • What Radio Should I Get for Preparedness?
            • What Radio to Buy?
              • What Radio to Buy? – video
              • Ham Radio on a Budget
              • Live – What Radio to Buy?
              • Portable Radio Kit
              • Mobile Communications
          • Emergency Communications Principles
          • Communications Options
          • Starter Radio Paths by Preparedness Scenario
          • How Communications Fail
          • HF Communications
            • SHTF HF Communications
            • Simple Antenna Builds for HF – video
            • NVIS in Amateur Radio
        • Amateur (HAM) Radio
          • Why Do I Need a Ham License?
            • How to Obtain Your Amateur Radio License
              • Amateur Radio Learning Resources
              • Finding a Ham Exam
                • HAM Exam Accommodation
              • Getting Into Ham Radio – Video
            • Are You Expired?
            • Why You Should Upgrade to a General Ham License
          • HAM Simplex Frequency Card
          • Analog versus Digital
          • Analog vs Digital Voice: A Preparedness-Focused Comparison
          • What are CTCSS and DCS
          • Programming Radios with Software
          • ARES, RACES, ACS and AUXCOMM
          • Ham Radio Beyond Line-of-Sight
            • Linked Analog Repeaters
            • EchoLink and IRLP
            • AllStarLink
            • Yaesu System Fusion & WIRES-X
            • D-STAR
            • Digital Mobile Radio (DMR)
            • P25 in Amateur Radio
            • NXDN in Amateur Radio
            • Amateur Radio Satellites (AMSAT)
            • The 60-Meter Band (5 MHz)
          • Meshtastic
          • HAM VoIP
        • Personal Radio Services
          • FCC Rules for Personal Radio Services
          • Family Radio Service (FRS)
          • General Mobile Radio Service (GMRS)
            • GMRS Repeaters
            • Getting a GMRS License
            • FRS / GMRS / MURS Frequency Card
          • Multi-Use Radio Service (MURS)
          • Citizen Band (CB) Radio
            • CB Frequency Card
        • Other Radio Services
          • Communications Continuity Programs and Capabilities
          • Marine Communications
        • Cell Sites and Their Services
          • When Cell Service Fails
          • Radio over LTE and Rapid Radios
            • LTE Radio Comparison
        • Satellite Communications
          • America’s Secret Eyes
          • The Commercial Eye
          • Seeing Through Everything (SAR)
            • Remote Area Emergency Communication Devices
            • Which Beacon Should You Carry?
          • Personal Satellite Communications
        • Wired Communications
          • MAG Phone System
          • TA-312/PT Field Telephone and SB-22/PT Switchboard
          • Understanding Telephone Wiring
          • The AT&T Long Lines Program
        • Communications Planning
          • Communications Plan Annex
            • Communications P.A.C.E.
            • Finding Information for Your Communications Plan
            • Area-Specific Assessment Report
          • Automatic Link Establishment (ALE)
          • Understanding Communications Resiliency
        • Communications Resiliency Programs
          • ARES, RACES and ACS
          • Auxiliary Communications (AUXCOMM)
          • Military Auxiliary Radio System (MARS)
          • U.S. Coast Guard Auxiliary Communications
          • Civil Air Patrol Communications
          • The 60-Meter Band (5 MHz)
            • Understanding the 60-Meter Band
        • Government Communications Continuity Programs
          • Government Emergency Telecommunications Service (GETS) and Wireless Priority Service (WPS)
          • National Warning System (NAWAS)
          • National Interoperable Frequencies
          • The FEMA National Net (FNARS)
          • National Emergency Communications Network (NECN)
          • The SHARES Program
          • State Emergency Capability Using Radio Effectively (Operation SECURE)
          • The High Frequency Global Communications System (HFGCS)
          • Satellite Mutual Aid Radio Talkgroup (SMART)
          • The AT&T Long Lines Program
        • Communications & Emissions Discipline
          • Communications Security (COMSEC)
            • Book Cipher
            • One Time Pads (OTP)
              • Decrypting One Time Pad Message
              • One Time Pads (OTP) Live Video
              • One Time Pad Training
          • Cryptographic Security (CRYPTOSEC)
          • Transmission Security (TRANSEC)
          • Communications Transmission Discipline (TRANSDISC)
          • Emissions Control (EMCON)
          • Communications & Emissions Training Framework
        • DMR Programming
          • DMR Programming – Talk Groups
          • DMR Programming - Roaming
          • MMDVM and Yaesu System Fusion (YSF)
          • Encryption in DMR Radios
        • Digital Mobile Radio (DMR) Networks
          • WR3IRS Interstate DMR Network
            • South Central PA (SC PA)
            • North East PA (NE PA)
            • Washington-Baltimore (W-B)
            • West Central Florida (WCF)
          • Florida Digital Amateur Radio Network (F-DARN)
          • Southeast Florida DMR Repeater Network W2GGI
          • Virginia DMR (DMRVA)
          • NC PRN DMR Network
          • SC Hospital Emergency Amateur Radio Team (SCHEART)
          • HEARS – Hospital Emergency Amateur Radio System
          • New England Digital Emergency Communications Network (NEDECN)
        • Baofeng/BTECH Radios Quick Guide
          • Manually Programming a Baofeng Radio – Video
          • A User’s User Manual for Baofeng Radios
        • MESSAGES & REPORTS
          • Phonetics
          • Procedure Words (Prowords)
          • Date Time Group (DTG)
          • NTS Radiogram Form
            • ARL Numbered Radiograms
          • SALUTE, SPOT, and SALT Reports
          • ACE/LACE Reports
          • GOTWA Report
          • CASREP (Casualty Report) Format
          • MEDEVAC Request Report
          • Formatted Messages (downloads)
        • Communications Knowledge Library
          • Communications Resiliency
          • Radio Etiquette, Jargon, and Best Practices
          • AmRRON RESOURCES & REFERENCES
          • Anytone Programmable Keys
          • Phonetics
          • Amateur Radio Colorado
            • Colorado Linked Repeater Systems
        • COMMUNICATIONS REFERENCES
  • Planning
        • Family Emergency Plan – The Basics
          • Family Emergency Plan
            • Area-Specific Assessment Report
          • Why Every Family Needs an Emergency Plan
        • Family Contingency Binder
          • Family Contingency Binder MindMap
        • Triggers
          • Preparedness Conditions – PREP-CON
            • Preparedness Conditions (PREP-CON) MindMap
          • Space Weather
        • Family Emergency Plan Workbook
          • Family Emergency Plan Workbook - owner resources
            • Area-Specific Assessment Report
            • Family Emergency Planning Form
            • Communications Plan
              • P.A.C.E.
            • Emergency Evacuation
            • Emergency Food Supplies
            • Family Contingency Binder
            • Message Drops
            • Get Home Bag
            • Bug Out Bag & Bins
            • Miscellaneous
        • Household Recovery Workbook
          • Household Recovery Workbook Updates
          • Disaster Debris — What to Do at the Curb
          • Dealing With Grief
        • Next of Kin Workbook
          • Next of Kin Workbook Updates
        • METT-TC: Decision Discipline
          • METT-TC - tactical planning
        • Planning Your Preps
          • Charity in Planning
        • Mutual Assistance Group
          • Mutual Assistance Group Workbook
            • MAG Workbook Forms & Updates
          • Mutual Assistance Groups (MAGs): Skills, Vetting, and Building Real Resilience
          • Mutual Assistance Group (MAG): Recruitment Code of Conduct
          • MAG: Private Vetting & Intake Process
          • Compartmentalization in Mutual Assistance Groups (MAGs)
          • Resiliency Index
          • Continuity of Government & Application to MAGs
  • Threat Assessment
        • Personal Preparedness Assessment Workbook
          • Personal Preparedness Assessment Report
          • Personal Preparedness Assessment Workbook - owner resources
        • Readiness Conditions for Preparedness
          • PREP-CON - Preparedness Conditions
          • COMCON – Communications Readiness Condition
          • WX-CON Weather Conditions
          • SWX-CON Space Weather Condition
          • CONCON – Civilian Continuity Conditions
        • Readiness Conditions – Hierarchy and Relationships
          • LERTCON – Alert Condition
          • DEFCON – Defense Readiness Condition
          • COGCON - Continuity of Government
          • INFOCON – Information Operations Condition
          • FPCON – Force Protection Condition
          • EMERCON – Emergency Condition
          • CYBERCON – Cyber Readiness Conditions
          • CPCON – Cyberspace Protection Condition
          • WATCHCON – Watch Condition
          • SIPRNet – Secret Internet Protocol Router Network
          • REDCON – Readiness Condition
          • NC3CON – Nuclear Command, Control, and Communications
        • Readiness Conditions in The Conspiracy Chronicles
          • CERCON – Cerberus Readiness Condition
          • COMCON – Communications Readiness Condition
          • C-OPS – CERBERUS Operational Status Conditions
          • CONCON – Civilian Continuity Conditions
        • Being Prepared for Civil Unrest
          • Civil Unrest – Area Intelligence
          • Civil Unrest – Be Prepared
          • Civil Unrest – Defense
          • Civil Unrest – Defense (part 2)
        • Staying Informed Before, During and After Emergencies
          • Weather Awareness
            • Weather Event Codes
            • Weather Radio Comparison
        • Cascade Analysis & Infrastructure
          • Cascade Effects
          • Community Lifelines
          • Area Intelligence
          • Area-Specific Assessment Report
          • National Power Grid
        • Near Earth Object / End of Life Event (ELE)
  • Intelligence
        • ANALYSIS, TRADECRAFT & REPORTING
          • Analytical Standards and Tradecraft
          • Analytical Tradecraft: A Guide to OSINT Analysis
            • OSINT Analysis Study & Reference Guide
          • Understanding Intelligence Analysis Tools
            • Understanding Analysis of Competing Hypotheses (ACH)
            • Understanding MDCOA
            • Understanding OAKOC
        • Operations Security (OPSEC)
          • OPSEC for Teens
          • OPSEC for Kids
          • The Gray Man
          • OPSEC: Don't Become the Target
          • Counterintelligence Tradecraft for the Prepared
        • Community Intelligence
          • Area Intelligence – Now!
            • Area-Specific Assessment Report
          • Community SITREP
          • Radio Traffic Situational Analysis During Emergencies
          • SALUTE, SPOT, and SALT Reports
        • ELECTRONIC THREAT & SURVEILLANCE
          • Staying Informed Before, During and After Emergencies
          • Integrated Public Alert and Warning System (IPAWS)
          • Communications Continuity Programs and Capabilities
          • Short Wave Scanning
          • Seeing Through Everything (SAR)
            • Which Beacon Should You Carry?
          • Wireless Recon Devices
        • The Architecture of Intelligence
        • Intelligence Gathering & Analysis
        • INTELLIGENCE DISCIPLINES
          • Communications Intelligence (COMINT)
          • Electronic Intelligence (ELINT)
          • Tactical Electronic Intelligence (TACELINT)
          • Signals Intelligence (SIGINT) – the basics (2020)
          • Signals Intelligence – Information Gathering Basics (2022)
          • Signals Intelligence (SIGINT)
          • Technical & Infrastructure Intelligence (TECHINT)
          • Electronic Counter-Surveillance
          • Open-Source Intelligence (OSINT)
            • How to Conduct a Daily Threat Analysis Using OSINT
          • Measurement and Signature Intelligence (MASINT)
          • Electronic Surveillance (ES)
          • Overhead Imagery & Geospatial Intelligence (IMINT / GEOINT)
        • INTELLIGENCE REFERENCES
  • Medical
        • Medical Training
          • Patient Assessment & Casualty Management
            • MARCH-PAWS Rapid Assessment
              • MARCH-PAWS TRAINING CURRICULUM
            • DCAP-BTLS – Secondary Trauma Assessment
            • SAMPLE + OPQRST Secondary Assessment
              • Medical History as a Preparedness Skill
            • START Triage
            • MEDEVAC Request Report
            • Patient Assessment – Documentation
              • Patient Care Report Forms
              • CASREP (Casualty Report) Format
        • Medical Kits
          • Individual First Aid Kit (IFAK)
          • BooBoo and IFAK Kits Video
          • BooBoo & IFAK Kit Mind Map
          • Large Kit - video
        • Medical Myths
          • Medical Myths – Tampons
          • Medical Myths – Ingested Poisoning
        • MEDICAL REFERENCES
  • Transportation
    • Transportation Plan B
    • Improvised Transportation
    • Preparedness For Winter Travel
  • Animals
    • Preparedness for Pets
  • Food
        • Why You Should Start a Food Storage Plan
        • Food Storage Quick Start
        • Buying in Bulk
        • Inventory Tracking
        • FOOD PRESERVATION RESOURCES
  • Water
    • Water From Air
  • Power
        • Power Grid
        • UPS
        • The Data Center Next Door
  • Bags etc.
        • Bug Out versus Get Home Bags
        • Get Home Bag – Contents
          • Get Home Bag – video
          • Get Home and Bug Out Bags - video from live 2-10
  • Navigation & Signalling
        • Practitioners Guide to GPS
          • Quick Instruction Sets
        • Emergency Signaling
        • Covert Signals
        • Which Emergency Beacon Should You Carry?
        • Sketched Strip Map
  • References
        • PLANNING & OPERATIONS
        • SECURITY OPERATIONS
        • INTELLIGENCE
        • CRYPTOLOGY
        • COMMUNICATIONS
        • REPORTING FORMATS
        • GENERAL/MISC
        • MEDICAL
        • FOOD PRESERVATION
        • CRITICAL INFRASTRUCTURE
        • SURVIVAL MANUALS
        • OPSEC
        • COUNTER INSURGENCY & CIVIL DISTURBANCE
        • EMP / CME
        • Training
          • Training Videos
          • One Time Pad (OTP) Exercises
            • 45662
            • 222135ZDEC22
  • Blog
    • Boomer
      • Day 1 – The Journey Home
      • Day 2 – First Day in the New Home
      • Day 3 – More Training
      • Day 4 – Dad Goes Back to Work
      • Day 5 – A Day at Home with More Training with Dad (Boomer’s version)
      • Day 6 – More Training with Dad at Home
      • Day 7 – Dad Goes Back to Work, Boring Day
    • Mountain Readiness Fallout Workshops
    • Mapping DMR Repeaters
    • COMMUNICATIONS RESILIENCY
    • Getting The Message Through
    • What are you preparing for?
    • Never Let an Opportunity Go To Waste
    • Cascade Effects and the Perfect Storm
    • DO NOT REPLY
    • Space Weather Warning
    • Good, and Sad, News
    • Necessity vs. Luxury
    • Don’t Put off Until Tomorrow
    • No Plan Survives First Contact
    • Threat and Hazard Identification and Risk Assessment (THIRA)
    • Live – What Radio to Buy?
    • Big Daddy Unlimited Affiliate
    • Food – Tue 16th 7pm MST
    • Live from 2021-2-3
    • Live 2021-01-26
    • FLASH SALE
    • Live 2021-01-11
    • What Is Freedom?
    • Preparedness for Pets
    • What If The Lights Go Out?
    • Hoarding or Prepping?
    • Why Do I Need a Ham License?
    • How Bad is the SolarWinds Orion Issue?
    • How To Begin Prepping
    • Members Only Live Videos
    • Live 11/24
    • Ham Radio VoIP Phone
    • Training Calendar
    • A Chat (with some whisky)
    • Blog 2020 11 02
    • Live with Charlie Hogwood
    • EARTH EX 2020
    • A Live with Angery American
    • Have You Woken Up Yet?
    • BUG OUT READY
    • The Gray Man
    • Area Intelligence – Now!
    • Being Prepared for Civil Unrest
    • It Depends
    • The Art of Being Prepared – The New Prepper
    • Get Home versus Bug Out Bags
    • Why You Need an IFAK AND Training
  • Training Curriculum
  • Shop
  • Contact
    • Mailing List
  • Media and Press
Menu

COM-03 COMSEC Lesson 3

COM-03 — Lesson 3 of 5

Cryptographic Security Fundamentals

Why procedure, not math, decides most real-world crypto failures

Where this fits: This lesson covers CRYPTOSEC at the level every operator should know. A full course dedicated to cryptographic security in depth — COM-09, Cryptographic Security (CRYPTOSEC) — covers this domain the way COM-06 covers Authentication and COM-07 covers One-Time Pads: as a dedicated deep dive on a domain this course only introduces.

Lesson Objectives

  • State the core principles of cryptographic security (CRYPTOSEC)
  • Explain the Enigma case as a lesson in procedural failure, not mathematical failure
  • Describe modern voice encryption standards at a conceptual level
  • Identify where One-Time Pads, book ciphers, and steganography fit — and where to go for depth
  • Evaluate common commercial messaging apps and cellular PTT radios honestly against the four COMSEC domains

Part A — Core Principles

Cryptanalysis exploits people as often as math

Cryptanalysis — the practice of breaking codes — exploits mathematical weaknesses in an algorithm, but far more often it exploits human and procedural failures around that algorithm. Three principles cover most of what goes wrong in the field:

  • The longer a key is used, the more vulnerable it becomes. Every use gives an analyst another data point. Keys are meant to be rotated, not adopted permanently.
  • Poor implementation defeats strong algorithms. A mathematically unbreakable cipher used incorrectly is not unbreakable in practice. The algorithm is only as strong as the discipline applied around it.
  • Reuse is catastrophic in manual systems. Manual ciphers such as one-time pads depend entirely on never reusing key material. Reuse does not weaken the system a little — it can break it completely.

Part B — The Enigma Lesson

A historical case study in procedural collapse

German Enigma machines changed their keys daily and were, mathematically, an extremely difficult system to break through pure cryptanalysis alone in the time available. What actually enabled sustained Allied exploitation was not a mathematical shortcut against the algorithm — it was a series of human and procedural failures in how the machine was actually used. Two specific failures are worth knowing in detail, because they are exactly the kind of thing this course exists to prevent.

Predictable message keys: the “Cillies”

Each Enigma message opened with a three-letter message key that was supposed to be chosen at random by the operator. In practice, many operators took shortcuts under time pressure — typing keyboard patterns, or personal initials, instead of genuinely random letters. Codebreakers at Bletchley Park came to call these predictable keys “cillies,” reportedly after one operator was found repeatedly using his girlfriend’s initials instead of a random letter group. Once analysts noticed an operator’s habit, that operator’s daily key setting was no longer a secret at all — it was a guess with a very high chance of being correct, and it gave codebreakers a foothold into that day’s traffic.

Predictable content: cribs from weather reports and sign-offs

The second failure was on the content side, not the key side. German message traffic was formulaic enough that Bletchley Park could often guess a fragment of the plaintext in advance — a technique called a “crib.” Routine weather reports used standardized wording and were transmitted at predictable times, so the word for “weather” could often be expected near the start of a message. Many messages also closed with the same sign-off, “Heil Hitler.” Neither of these facts broke the Enigma algorithm itself — but knowing that a specific word almost certainly appeared somewhere in a specific message let codebreakers work backward from a known plaintext-ciphertext pairing, dramatically narrowing the machine settings the Bombe had to search.

This history is dramatized in the 2014 film The Imitation Game. The film takes real dramatic license with several plot details, but the underlying cryptographic facts — predictable operator habits creating “cillies,” and predictable message content creating cribs — are genuine, documented weaknesses that Bletchley Park exploited.

Further reading: For the fuller institutional history behind Bletchley Park — how the Government Code & Cypher School fit into the founding of MI5 and MI6, the Special Operations Executive, and the wartime spy network that later seeded the American intelligence community — see MI5, MI6, Bletchley Park & Camp X, Part 1 of the Architecture of Intelligence series.

Physical capture of code material and captured machines mattered too, but neither of the failures above required capturing anything. Both were purely procedural: an operator taking a shortcut under pressure, and a communications culture predictable enough to write down in advance. Once those procedural habits were understood, the cryptographic advantage collapsed, regardless of how sound the underlying machine was.

Lesson: Crypto is only as strong as its procedures. A message key is only random if it is actually random — not convenient, not memorable, not personal. This is the single most important idea in this lesson, and it applies as directly to a preparedness group’s radio net as it did to a wartime cipher machine. If your group ever adopts a keyed cryptosystem, the operator who picks “easy to remember” keys is doing exactly what the Enigma operator did with his girlfriend’s initials.


Part C — Modern Voice Encryption

What “secure” typically means today

Modern secure voice systems generally rely on the Advanced Encryption Standard (AES). AES is described in Federal Information Processing Standard (FIPS) 197, and FIPS 140-2 governs how AES is actually applied to cryptographic modules in radio systems — the algorithm and its implementation are governed by two separate standards. AES became effective as a federal government standard on May 26, 2002, after NIST found it compliant with FIPS security requirements and the Secretary of Commerce approved it.

AES replaced the older Data Encryption Standard (DES), and the timeline matters: DES, developed in 1977, was first cracked by the Electronic Frontier Foundation in 1997 in 84 days, then cracked again faster in 1998 and twice more in 1999. NIST withdrew its endorsement of DES for secure federal communications after May 2005, and AES became required for all federal agency communications systems beyond May 2007. FIPS 140-2 requires all federal agencies to use AES encryption, and under the Cybersecurity Enhancement Act of 2014, any state or local agency that wants to interoperate on a federal Land Mobile Radio (LMR) system must also have AES on their subscriber units.

Many agencies and organizations have transitioned from DES-based to P25 AES-based systems, which has left a surplus of older encrypted radios and key-loading devices on secondary markets, including legacy platforms and certain key loader device series. These older systems typically require dedicated encryption modules, licensing, and programming software, and remain line-of-sight limited without repeater infrastructure — and improper key handling or a programming error can silently break interoperability without any obvious warning.

Key rotation in practice

The baseline agency policy across most government users is to rotate encryption keys every 30 days, with some agencies rotating more frequently depending on their own risk posture — this is the same “assume lost equals compromised” and rotation-schedule discipline from Lesson 2, applied to a specific cadence. Historically, the practical obstacle to frequent rotation was physical: every radio in a fleet had to be connected to a key loader by hand. Modern radio systems remove that obstacle with Over-The-Air Rekeying (OTAR), which pushes new keys to every subscriber radio remotely through the network itself, and Over-The-Air Programming (OTAP), which does the same for full radio reprogramming. Between them, an agency can now rotate keys on schedule — or immediately after a loss — without physically touching every radio in the field.

Further reading — CISA/SAFECOM encryption guidance: the Cybersecurity and Infrastructure Security Agency (CISA), through the Federal Partnership for Interoperable Communications (FPIC) and SAFECOM/NCSWIC, publishes the standing reference set on LMR encryption for public safety. Organized by function:

  • Foundational/overview: The Who, What, When, Where, How, and Why of Encryption in P25 Public Safety Land Mobile Radio Systems (May 2023) — the current comprehensive guide, consolidating three earlier 2016 documents into one; Considerations for Encryption in Public Safety Radio Systems and its companion fact sheet, Determining the Need for Encryption in Public Safety Radios; Guidelines for Encryption in Land Mobile Radio Systems: Determining What Encryption Method to Use for Public Safety Radios.
  • Key management specifics: Operational Best Practices for Encryption Key Management (Aug 2020), the detailed how-to on obtaining, distributing, and managing crypto keys, referencing FIPS PUB-197 and the TIA-102.AAAD-B Block Encryption Protocol; the Encryption Key Management Fact Sheet (2020), the shorter version covering the National Law Enforcement Communications Center’s role and the AES-256 recommendation.
  • Algorithm transition: The Transition to Advanced Encryption Standard White Paper, covering DES vulnerabilities, the AES transition, and CJIS Policy and PCII Program context.
  • Link-layer security: Link Layer Authentication (LLA) and Link Layer Encryption (LLE): Are You Really Secure? (2022), distinguishing LLA from LLE, plus companion short explainer videos.
  • Cybersecurity/risk context: Cyber Risks to Land Mobile Radio — First Edition (2022); Communications Security — Protecting Critical Information, Personnel, and Operations.

Nick Meacher, the author of this course, was directly involved in drafting two of the documents referenced above: Considerations for Encryption in Public Safety Radio Systems and Guidelines for Encryption in Land Mobile Radio Systems: Determining What Encryption Method to Use for Public Safety Radios.


Part D — Where OTP, Book Ciphers, and Steganography Fit

A preview, not the full course

Three additional methods deserve a brief mention here, each with its own dedicated depth elsewhere in the curriculum or worth knowing conceptually:

Method Core idea Where it fits
One-Time Pad (OTP) When used correctly — truly random keys, key length at least equal to message length, never reused, destroyed immediately after use — OTP encryption is provably unbreakable. Violating any single rule collapses the security entirely. Full course: COM-07, One-Time Pads
Book ciphers Rely on two identical books and pre-agreed indexing rules. Offer plausible deniability and require no obvious crypto material, but are vulnerable to modern computational analysis and known-plaintext attacks, and produce a large amount of ciphertext for a small message. Covered conceptually here; useful mainly in low-threat, covert-in-plain-sight scenarios
Steganography Hiding a message inside an ordinary-looking media file rather than encrypting it. Not encryption by itself — best used after encryption, as a way to conceal that a protected message exists at all. Covered conceptually here; a covert digital delivery tool, not a standalone protection method

The rule that ties all three together is the same one from Part A: whatever the method, it is only as strong as the discipline applied around it.

Field reference: the same Brevity Cards for OTP set used for brevity codes in Lesson 4 also includes a bonus checkerboard, encryption/decryption instructions, and an OTP conversion grid for pairing with the full One-Time Pad course, COM-07.


Part E — Commercial Messaging Apps and Cellular PTT in a COMSEC Context

What your phone already does, evaluated honestly

Most groups already use a phone-based app for day-to-day coordination alongside radio. Every one of these tools sits entirely on the CRYPTOSEC side of the four domains from Lesson 1 — none of them provide TRANSEC, EMSEC, or continuity when cellular and internet infrastructure are down. Evaluate each honestly rather than trusting a marketing claim of “encrypted.”

Platform Content encryption Metadata / context exposure COMSEC notes
Signal True end-to-end by default (Signal Protocol, open-source, independently audited) for all messages, calls, and groups Minimal — Sealed Sender hides sender identity from Signal’s own servers; subpoena history shows almost nothing is retained Best-in-class CRYPTOSEC of this group. Requires a phone number to register, and both parties must be on Signal
Session True end-to-end (Signal-derived protocol) Best of this group — no phone number or email, onion-routed through a decentralized node network, no central log of who talks to whom Public “Communities” are not end-to-end. Smaller audit history and user base than Signal
Telegram Not end-to-end by default. Ordinary “Cloud Chats” are encrypted only client-to-server; true end-to-end exists solely in opt-in “Secret Chats” (one-on-one only, unavailable on desktop) Weak — retains IP address, device details, and phone number Treat default Telegram chats as readable by the provider. Custom protocol has drawn cryptographer criticism for lacking Signal’s audit history
WhatsApp True end-to-end for message content (runs the Signal Protocol) by default Weak — owned by Meta, which collects contact, timing, and frequency metadata explicitly outside the encryption guarantee Protects what is said, not who is talking to whom or how often. Cloud backups require a separate opt-in for full encryption
Zello Depends entirely on tier. Free “Friends & Family” open/public channels are not encrypted at all; paid “Zello Work” channels are encrypted (RSA key exchange plus AES) Weak on open channels, which are public by design A free-tier open channel is functionally a public broadcast. Know which tier and which setting you are actually using before treating it as private
PoC radios (cellular push-to-talk, e.g. Motorola WAVE, ESChat, Kodiak) AES-256 is common on modern devices, sometimes referencing FIPS validation Weak — many devices ship with built-in GPS/location tracking as a core feature, plus vendor-retained cloud server logs Encryption is hop-to-hop through the vendor’s cloud server, not end-to-end — the provider has a technical decryption point in the middle. Most platforms are proprietary and do not interoperate with each other without a dedicated gateway

What “PoC” means: Push-to-Talk over Cellular turns a smartphone or purpose-built device into a walkie-talkie using cellular data instead of RF spectrum. Some are carrier-based (tied to one cellular provider, such as AT&T Enhanced PTT or Verizon PTT Plus); others are carrier-agnostic “over-the-top” services that run on any carrier’s data network (such as Motorola WAVE PTX or ESChat). Both flavors depend entirely on commercial cellular coverage — if the towers are down, a PoC radio is no more useful than a phone with no signal. The basic path every transmission takes is Radio → Cellular Network → PoC Server → Cellular Network → Radio — that PoC Server in the middle is exactly the point where a vendor’s cloud infrastructure has a technical opportunity to decrypt and process the call, discussed further below.

The recurring pattern: content encryption is common; metadata protection is rare; infrastructure independence is nearly nonexistent. Signal and Session are the only two in this table with strong metadata protection, and none of the six provide any communications capability at all without cellular or internet service. In a PACE plan, every tool on this table belongs in the Primary or Alternate tier — never Contingency or Emergency.

Further reading on how PoC radios actually work, their range, and where they fit in a layered communications plan: Radio over LTE (cellular), Book of Knowledge.


Knowledge Check

According to this lesson, what most often causes real-world cryptographic failures?

Knowledge Check

What do ‘cillies’ and weather-report cribs have in common as Enigma weaknesses?

Knowledge Check

What single rule violation is enough to collapse the security of a One-Time Pad?

Knowledge Check

Which of the following best describes steganography’s role relative to encryption?

Knowledge Check

How does encryption on a typical cellular PoC (Push-to-Talk over Cellular) radio differ from Signal’s end-to-end encryption?

Knowledge Check

What problem do OTAR (Over-The-Air Rekeying) and OTAP (Over-The-Air Programming) solve?

Related courses: COM-04 EMCON  •  COM-06 Authentication & Challenge/Reply  •  COM-07 One-Time Pads  •  COM-08 Dead Drop & Courier Protocols  •  COM-09 Cryptographic Security  •  SEC-02 OPSEC  •  INT-02 RTSA  •  INT-03 SALUTE & SPOT Reporting  •  PLN-04 PREP-CON  •  PLN-05 COMCON

← Lesson 2 Answer all questions to continue


Login with Patreon

Login with Patreon

Search Site

Products

  • Family Emergency Plan and Household Recovery Workbooks - Patreon Family Emergency Plan and Household Recovery Workbooks - Patreon $34.95
  • Bundle - Family Emergency Plan and Household Recovery Workbooks Bundle - Family Emergency Plan and Household Recovery Workbooks $46.95
  • Household Recovery Workbook Household Recovery Workbook $29.95
  • The Continuity Chronicles Seal Decal The Continuity Chronicles Seal Decal $5.00 Original price was: $5.00.$3.00Current price is: $3.00.
  • Family Emergency Plan Workbook - Patreon Family Emergency Plan Workbook - Patreon $19.95
  • Personal Preparedness Assessment Workbook - Patreon Personal Preparedness Assessment Workbook - Patreon $19.95
  • The Next of Kin Workbook - Patreon The Next of Kin Workbook - Patreon $23.95
  • Personal Preparedness Assessment Report Personal Preparedness Assessment Report $179.95
  • Bundle - Family Emergency Plan + Next of Kin Workbooks Bundle - Family Emergency Plan + Next of Kin Workbooks $49.95
  • The Next of Kin Workbook The Next of Kin Workbook $29.95
  • ASAR — 50 Mile Radius ASAR — 50 Mile Radius $139.95
  • ASAR 50-MILE + FEP WORKBOOK ASAR 50-MILE + FEP WORKBOOK $169.95
  • ASAR — 50 Mile Radius - Patreon ASAR — 50 Mile Radius - Patreon $39.95
  • Bundle - The Series Starter (Paperback) Bundle - The Series Starter (Paperback) $29.98
  • The Brush (Paperback) The Brush (Paperback) $15.99
  • The Meadow Protocol (Paperback) The Meadow Protocol (Paperback) $13.99
  • Cards (4x6) - Brevity Cards for OTP Cards (4x6) - Brevity Cards for OTP $24.95
  • Communications Card bundle (13 cards) Communications Card bundle (13 cards) $41.95
  • Personal Preparedness Assessment Workbook Personal Preparedness Assessment Workbook $24.95
  • Family Emergency Plan Workbook Family Emergency Plan Workbook $24.95

Product categories

Cart

©2026 Fortune Favors the Prepared | Built using WordPress and Responsive Blogily theme by Superb