CDR XL family radios use Blowfish encryption and may be configured with keys of 8 to 448 bits.
CDR XL family radios encrypt packets in a cipher-block chaining (CBC) mode, using a randomly chosen initialization vector (IV). A hardware entropy source is used to select the next IV used, so unlike pseudo-random (PR) IVs, IV selection will not repeat periodically.
CDR XL family radios use a keyed-hash message authentication code (HMAC) to digitally "sign" each packet. The hashing function used is SHA-1, and the full 20 byte HMAC is appended to each encrypted packet. No HMAC truncation is performed and all 20 HMAC bytes are tested by the receiver to validate the packet's authenticity.
By default, the CDR XL family radios will discard all unencrypted packets received when encryption is enabled, but it is possible to disable this feature. All encrypted packets which can not be validated (i.e. sent with an incorrect HMAC or encrypted with a different key) are discarded, regardless of radio configuration.