14-Sep-15 Mod 6-HO-2 FA24 TSEC Military Cryptographic Systems Information Assurance Module 3.
-
Upload
ashlynn-williamson -
Category
Documents
-
view
222 -
download
4
Transcript of 14-Sep-15 Mod 6-HO-2 FA24 TSEC Military Cryptographic Systems Information Assurance Module 3.
Apr 19, 2023 Mod 6-HO-3FA24 TSEC
ObjectivesStudents will learn about commonly used military
cryptographic systems (ie. KG-84, KIV-7, KIV-19, STE, KG-75), including data rates, connection and fill requirements, and practical applications.
Provide an Overview of the DOD Cryptographic Modernization Initiative with Focus on the Army CM Program.
Be able to describe the EKMS/AKMS Programs.At the conclusion of this block, students will be able
to choose a cryptographic device to encrypt a link given the data rate, terminal equipment and transmission medium.
They will be able to explain the CM, EKMS and AKMS Programs.
Apr 19, 2023 Mod 6-HO-4FA24 TSEC
Outline• Cryptographic Standards• NSA Cryptographic Types• Black/Red Signals• Military Cryptographic Equipment
(Layers 1 – 3) • Telephony Cryptographic Equipment• Fill Devices• Key Generators• Cryptographic Modernization Program• Electronic/Army Key Management
Systems
Apr 19, 2023 Mod 6-HO-5FA24 TSEC
Cryptographic Standards (1 of 2)
1. National Security Agency (NSA)– Secret and above– Type 1 encryption required– Classified Algorithms
2. National Institute of Standards and Technology (NIST)– Set standards for Sensitive traffic– de facto standards organization for
commercial businesses
Apr 19, 2023 Mod 6-HO-6FA24 TSEC
Cryptographic Standards(2 of 2)
3. American National Standards Institute (ANSI)
– Cryptographic standards organization for the U.S.
– ANSI X9 series closely mirrors NIST’s Federal Information Processing Standard (FIPS)
4. International Organization of Standards (ISO)
– X.509 and Common Criteria
Apr 19, 2023 Mod 6-HO-7FA24 TSEC
Approved Cryptosystems
for the US Army are either:1. Produced by NSA
2. Commercial Off the Shelf Systems approved by NSA for local purchase
3. Electronically generated and distributed using NSA approved key generating equipment and procedures IAW NAG 16
Apr 19, 2023 Mod 6-HO-8FA24 TSEC
NSA Cryptographic Types1. Products
– US government/military for Classified Info– Only approved commercial users are defense
contractors for US classified projects2. Products
– US government for sensitive info– Requires US government agency sponsorship
3. Algorithms– Exportable only to US corporations abroad, and
remain under the control of US citizen. 4. Algorithms
– Exportable to any country and/or organization, except those prohibited by the US government
Apr 19, 2023 Mod 6-HO-9FA24 TSEC
Black/Red Signals
Red/Plain Text Black/Cipher Text
Router
Router
Red patch panel
Red patch panel
Black patch panel
Black patch panel
KIV-7
KIV-7
CSU/DSU
CSU/DSU
Apr 19, 2023 Mod 6-HO-10FA24 TSEC
Red/Black Installation (1 of 2)• Separation of 1 m b/w RED processor and:
– BLACK equipment– BLACK wire lines that exit the inspectable
space or are connected to an RF transmitter– BLACK power lines– Conductors that exit the inspectable space
• Separation of 5 cm b/w RED wire line and: – BLACK wire lines that exit the inspectable
space or are connected to an RF transmitter– BLACK power lines
Apr 19, 2023 Mod 6-HO-11FA24 TSEC
Red/Black Installation (2 of 2)
• RED and BLACK wire lines will not use a common distribution vehicle unless the power lines exiting the space are equipped with powerline filters.
• Patch Panels– Jack fields should have incompatible connectors to
prevent inadvertent RED to BLACK patching– Separate RED and BLACK by 1 m
• 1 m separation required b/w different classifications (i.e. SIPRNET and JWICS, SIPRNET and SECRET – Coalition)
• SCIFs require separate red and black ground
Apr 19, 2023 Mod 6-HO-12FA24 TSEC
Cryptographic Equipment
Layer 1 (Physical)– KG-84– KIV-7– KG-194– KIV-19– KG-95– KG-189
Layer 2 (Data link)– KG-75– KG-175 (2 and 3)– KIV-21
Layer 3 (Network)– KG-175 (2 and 3) – Network Encryption
System (NES)
Apr 19, 2023 Mod 6-HO-13FA24 TSEC
KG-84• KG-84A -- 256 kbps• KG-84C -- 64 kbps• Military standard DS-101 fill plug• Operates from 50 to 9600 Mbps
asynchronous• Process up to 32 Kbps using
internal clock• Built-in wireline modem
Apr 19, 2023 Mod 6-HO-14FA24 TSEC
KIV-7• Four models
– KIV-7 512 Kbps– KIV-7HS 1.544 Mbps– KIV-7HSA/B 2.048 Mbps
• Interoperable with KG-84• Serial Data Interfaces
– EIA-530, EIA-449, EIA-232
• Removable CIK• No internal strappings• Optional Wireline Module for
Tactical
Apr 19, 2023 Mod 6-HO-15FA24 TSEC
KG-194• KG-94/94A/194/194A
• Operates from 9.6 kbps to 13 Mbps
• Uses traditional or firefly key
• Two versions -- tactical and fixed plant
Apr 19, 2023 Mod 6-HO-16FA24 TSEC
KIV-19
• Operates from 9.6 kbps to 13 Mbps
• Use traditional or firefly key
• Compatible with KG-194
• Newest version KIV-19A
Apr 19, 2023 Mod 6-HO-17FA24 TSEC
KG-95
• DS3 encryptor
• Bulk Encryption
• Three models:– KG-95-1 operates from 10-50 Mbs– KG-95-2 operates only at DS-3 rate– KG-95R two KG-95-2s together
Apr 19, 2023 Mod 6-HO-18FA24 TSEC
KG-189
• SONET Encryptor
• Operates at OC-3, OC-12 and OC-48
• Type I encryption
• Firefly key
• DS-101/KSD-64
Apr 19, 2023 Mod 6-HO-19FA24 TSEC
KG-75 (FASTLANE)• ATM encryptor• KG-75 - up to OC-12• KG-75A - up to OC-192• Supports up to 4094 simultaneous,
cryptographically isolated ATM channels• Supports DS1, DS3, OC3C and OC12C• Supports PNNI 1.0, UNI 4.0 and SNMP• Firefly and traditional key• CYZ-10/DTD fill device
Apr 19, 2023 Mod 6-HO-20FA24 TSEC
KG-175 (TACLANE)• ATM Encryption -- 45 Mbps
– DS3 BNC connector– 253 cryptographically isolated channels
• IP Encryption -- 7.2 Mbps– RJ-45 and AUI connector
• UNI 4.0 and SNMPv1• Firefly and traditional key• Uses CYZ-10/DTD• E-100 version provides IP encryption
up to 100 Mbps
Apr 19, 2023 Mod 6-HO-21FA24 TSEC
KIV-21• Converts black EIA-422, DB37 HDLC
into red IEEE 802.3 ethernet
• Replaces KIV-7/KG-84/KG-194 and CSU/DSU for a single site
• Throughput - 8 Kbps to 3 Mbps
• Frame relay
Apr 19, 2023 Mod 6-HO-22FA24 TSEC
Network Encryption System (NES)
• IP Encryption
• NES 4001 supports up to 3.4 Mbps
• NES 4001A throughput is 4.3 Mbps
• Required black and red IP addresses
• FIREFLY key distribution
Apr 19, 2023 Mod 6-HO-23FA24 TSEC
NES - Virtual Private Network
permits traffic from one network to tunnel through another network of a dissimilar security classification
Apr 19, 2023 Mod 6-HO-24FA24 TSEC
Telephony Equipment
• STU-III
• STE
• Omni
• Secure Cell Phones
• KY-68
• FNBDT
Apr 19, 2023 Mod 6-HO-25FA24 TSEC
STU-III and SDD• Secure Data Device • Operate at 2.4 or 4.8 kbps code-excited line prediction (CELP)• Data transmitted at 2.4, 4.8 and 9.6 kbps• Supports the ITU-T standards
– V.26bit– V.26ter– V.32
• KSD-64A
Apr 19, 2023 Mod 6-HO-26FA24 TSEC
STE• Replaces STU-III and KY-68• Key is Fortezza Plus (KOV-14)• Interoperable with:
– STU-III– DNVT – ISDN: NI-1, NI-2, 5ESS, DMS-100, DEFINITY– Euro ISDN
• Network Interface– ISDN S/T BRI – 1B+D or 2B+D – RJ-45– PSTN – RJ-11– TRI-TAC/MSE – 4 wire line modem– EIA-232/530A
• Host Interface– EIA-232/530A
Apr 19, 2023 Mod 6-HO-27FA24 TSEC
Omni• Secure Terminal provides Type-1
security for voice and data
• Analog and Digital network
• FNBDT compliant
• Compatible with POTs
and STU-III
Apr 19, 2023 Mod 6-HO-28FA24 TSEC
Secure Cell Phones (1 of 2)Motorola Cipher-Tac 2000
• STU-III and STE compatible
• Type 1 analog cellular security
• sleeve slides between battery and phone to operate in secure mode
Qualcomm Qsec 800
• Secure voice and data (CMDA)
• Type 1 analog cellular security
• requires no add-on module
Apr 19, 2023 Mod 6-HO-29FA24 TSEC
Secure Cell Phones (2 of 2)General Dynamics
• Tri-band (GSM 900/1800/1900)
• Advanced Encryption Standard (AES)
• Clip-in security module
• Type 1 security
Motorola Satellite Series 9505
• satellite and cellular service
• type 1 end-to-end security
• Iridium security module attaches to it
Apr 19, 2023 Mod 6-HO-30FA24 TSEC
KY-68
• TRI-TAC and MSE
• Operates at 16/32 Kbps with CVSD (wideband)
• Provides encryption of voice or data traffic on switched links to a circuit switch
Apr 19, 2023 Mod 6-HO-31FA24 TSEC
Future Narrow Band Digital Terminal (FNBDT)
• Designed primarily for low-bandwidth, error prone networks such as cell phones
• Secure global interoperability• FNBDT is an open standard• Satisfies both NATO and individual nation
objectives• Uses MELP and Forward Error Correction
Apr 19, 2023 Mod 6-HO-32FA24 TSEC
Fill and Storage Devices• KYK-13• KOI-18• KYX-15• CYZ-10• KG-83• KGX-93• Fortezza Card• KOV-14• KSD-64A
Apr 19, 2023 Mod 6-HO-33FA24 TSEC
KYK-13
• Receive, store and load key in electronic form
• Can hold six 128 bit keys
• CCI is unclassified when empty -- takes on highest classification of key in memory
Apr 19, 2023 Mod 6-HO-34FA24 TSEC
KOI-18• Used to read/transform paper key into
electronic key
• Can directly fill crypto equipment or load another fill device
• Unclassified
• No memory
Apr 19, 2023 Mod 6-HO-35FA24 TSEC
KYX-15• Can store sixteen 128 bit keys
• Unclassified when empty - takes on the highest classification of the key in memory
• Used to perform OTAR
• Can generate key locally when used with KG-84, KIV-7 or KY-68
Apr 19, 2023 Mod 6-HO-36FA24 TSEC
• Data Transfer Device (DTD) can emulate other fill devices
• Receives, audits and transfers 128 bit keys with identification information
• CCI and is unclassified when empty or when the CIK is removed
• Referred to as an ANCD
AN/CYZ-10
Apr 19, 2023 Mod 6-HO-37FA24 TSEC
Simple Key Loader (SKL)Processor 32-bit Intel® XScale™ CPU (400 MHz)
O/S Win CE.NET (4.1)
RAM 128 MB of SDRAM
ROM 64 MB of Flash Memory
Graphics 2-D Accelerator
Size 7” x 3.5” x 1.8”
Weight Approx 18 oz. 504 gms.
Apr 19, 2023 Mod 6-HO-38FA24 TSEC
Fortezza Card (1 of 2)
• Used with DMS to encrypt/decrypt• 1.5 MBs processing rate• Tamper proof/ultrasonically welded• Exportable with State Department approval• Includes RISC based processor
Apr 19, 2023 Mod 6-HO-39FA24 TSEC
Fortezza Card (2 of 2)
• Provides Cryptographic Functions– Public Key Exchange– Message Encryption– Digital Signature– Hashing– Timestamp– Password– Certificate
• Algorithms used– KEA, Skipjack, DSA, SHA-1
Apr 19, 2023 Mod 6-HO-40FA24 TSEC
KOV-14 (Fortezza Plus)• Special PCMCIA card - provides encryption and
other security services• Used to enable STE• Classified to level of keying material• Unclassified when separated from STE• Stays with COMSEC Material Control System
(CMCS) until destroyed• With operational key – classified• With seed key -- unclassified
Apr 19, 2023 Mod 6-HO-41FA24 TSEC
KSD-64A• Contains electronic fill info for STU-III• May contain classified operational key or
unclassified seed key• Can operate in three modes
Apr 19, 2023 Mod 6-HO-42FA24 TSEC
KSD-64A Modes1. Operational Key
– Load STU-III to make direct secure calls to other STU-IIIs
– Fill Device2. Seed Key
– Load STU-III to electronically obtain its operational key during a rekey phone call
– Fill Device3. Crypto Ignition Key (CIK)
– Stores an electronic "password." – CIK is used in STU-III that shares this password to
unlock the terminal's secure transmission features
Apr 19, 2023 Mod 6-HO-44FA24 TSEC
KG-83
• TRI-TAC and stand alone applications
• Generates 128 bit TEK up to Top Secret
• Compatible with most COMSEC equipment that accepts 128 bit keys
• Requires initial/annual certification
Apr 19, 2023 Mod 6-HO-45FA24 TSEC
KGX-93
• MSE and TRI-TAC switches• Generates 128 bit key up to
Top Secret• Can also store key• Requires initial/annual
certification
Apr 19, 2023 Mod 6-HO-46FA24 TSEC
Local Management Device/Key Processor (LMD/KP)
• 128 bit key• Key Processor
– KOK-22A– Key Generation
• Local key generation, distribution, auditing and reconciliation
• Access to ACCOR• Tier 2 of EKMS• Can load 1000 keys at once
Apr 19, 2023 Mod 6-HO-47FA24 TSEC
• Replacement of DOD’s aging Cryptographic Equipment Inventory to meet Current and Objective Capability Needs. • Intent is to achieve more robust security, network adaptability (Network-Centric) and performance enhanced equipment solutions.
Cryptographic Modernization Program
Apr 19, 2023 Mod 6-HO-48FA24 TSEC
Background (1 of 2)
FY 99/00 MCEB and NSA Studies Concluded:
•Technologically Obsolete 20-30 years old
•Cannot Support Network-Centric Architectures
• Inventory Becoming Logistically Unsupportable
Feb 01 ASD(C3I) Arthur Money memo directs:
•Road Map for Crypto Systems Upgrade/Replacement/Retirement
•Services Procure Modernized Crypto in FY03-09 POM
Apr 19, 2023 Mod 6-HO-49FA24 TSEC
Background (2 of 2)Sep 02 JRB
• 9 Crypto Systems as near term Modernization efforts
• Approved Joint Forces Command as CRD Sponsor
• Directed Joint Staffing of CM MNS and Completion of CM Implementation Plan
Nov 03 SIGCEN
• BG Hicks, signed the Charter establishing the CM ICT
• ICT process serves to shorten the requirements determination event of the acquisition process by employing the team approach to requirements determination.
Apr 19, 2023 Mod 6-HO-50FA24 TSEC
Existing Deficiencies• Equipment Obsolescence• Incompatibilities with new architectures/technologies • Interoperability/Releasability problems
• Restrictions on key management pose major challenges
• Affects ability to support dynamic communications
• Lack of programmability/flexibility • Incompatibility with modernized DOD KMI
• Lack direct interfaces • Cryptographic equipment shortages
• Readiness and surge capabilities affected
Apr 19, 2023 Mod 6-HO-51FA24 TSEC
38%
43%
Programmed Replacements
2%
15%
2%
Unsupportable within 10 years
Supportable beyond 10 years
Unsupportable within 5 years
Current inventory 1.2 Million Items (Sources: ISSP Database, ATAV, MYNSN, UIT, CMCS)
Programmed Replacements JTRS, WIN-T, FCS and Other Major Programs.
Currently Unsupportable
Cryptographic Inventory Posture
Apr 19, 2023 Mod 6-HO-52FA24 TSEC
ThreatContinuing trends reflect significantly increased
risks of C4ISR, IT, and weapons systems to attacks on cryptography
• Increases in computing power
• Increasing reliance upon COTS systems
• Service/Allied/Coalition use
• Availability of Electronic Warfare Systems • Widespread distribution of Computer Network
Attack (CNA) and Computer Network Exploitation (CNE) Tools
Apr 19, 2023 Mod 6-HO-53FA24 TSEC
CM Concept• Leverage Latest Technology
• Develop Multi-Functional Components that Replace Entire Families of Crypto Equipment
• NSA Partnership with Services on Program Development
NSA will:
- Retain Crypto Certification Approval
- Fund Services for Program Development R&D
Services will:
- Program Funding for Procurement and Fielding
- Conduct Program Development Process
- Develop Equipment Shortage/Supportability Lists
- Prepare Fielding and Transition Plans
Apr 19, 2023 Mod 6-HO-54FA24 TSEC
CM Core Capabilities• Programmable/Reprogrammable Algorithms
• Capable of Receiving an Algorithm
• Scalable Components
• Embedded Modules (Whenever Possible)
• EKMS/KMI Compliant/Capable
• Network-Centric Functionality
• Assured control of DOD networks
• Interoperability
• Physical - Form and Fit
Apr 19, 2023 Mod 6-HO-55FA24 TSEC
PROGRAM SERVICE LEAD UTILIZATION
IFF Mode V Navy AVN/GND-Air/Water Craft KG-30 (NC2) Air Force Joint Interface
KI-22 (Air Force Only) Air Force N/A
KG-40 (LINK 11) Navy ADA/Joint Interface
CTIC/CDH Air Force Integrated Modules
KG-94 (Family) NSA Trunk Encryptors
NES (INE) NSA Inline Network Encryptors
STU III Replacement NSA Secure Voice/Data
KY-68/78 Army Tactical DSVT
Priority Nine Systems
Apr 19, 2023 Mod 6-HO-56FA24 TSEC
• EKMS Architecture and Concepts• AKMS Description and Operational
Concepts• Doctrinal Impacts
• Roles/Responsibilities• Issues
EKMS and AKMS
Apr 19, 2023 Mod 6-HO-57FA24 TSEC
• DOD initiative to modernize management/distribution
of COMSEC to support the warfighter and non-military
government users.
• Replaces slow cumbersome paper and manpower
intensive processes of management and distribution of
COMSEC material.
• Increase security of key management processes
• Increase responsiveness to user needs
• Provide for interoperability
Electronic Key Mgt System
Apr 19, 2023 Mod 6-HO-58FA24 TSEC
0. National Security Agency (NSA)
1. Central Office of Record (COR)
2. LCMS COMSEC User Accounts
3. Common Fill Devices
EKMS Tier Levels
Apr 19, 2023 Mod 6-HO-59FA24 TSEC
LOCAL ELEMENT
LOCAL ELEMENT
EKMS ID
LOCAL ELEMENT
EKMS ID ACCOUNT
LOCAL ELEMENT
LOCAL ELEMENT
• NO SUBACCOUNTS
• ONLY ACCOUNTS AND LOCAL ELEMENTS
TIER 0: POLICIES, MODERN KEYCF
AKMSAKMS AKMSAKMS
CORCOR
EKMS ID ACCOUNT
EKMS ID
TIER 1: COR, RA, PCM,OPM
TIER 2: ACCOUNTS
TIER 3: DTD/SKL (HAND
RECEIPT HOLDERS)
EKMS Operations
Apr 19, 2023 Mod 6-HO-60FA24 TSEC
National Security Agency (NSA)
Provides for production, management, and distribution of specialized electronic cryptographic key and associated materials.
Tier 0 – NSA Central Facility
MODEM key
Apr 19, 2023 Mod 6-HO-61FA24 TSEC
• CORs are focal points for production, management, auditing, and distribution of Service-Unique electronic cryptographic key and materials
• Supports joint operations at theater and strategic levels
• Act as alternates to the other in cases of degraded operations, activity, and geographic location
• Major functional areas:– Central Office of Record (COR)– Registration Authority (RA)– Privilege Certificate Manager (PCM)– Ordering Privilege Manager (OPM)
Tier 1 - Central Office of Record
Apr 19, 2023 Mod 6-HO-62FA24 TSEC
EXTENSION TIER 1
COR – Ft. Huachuca
- Facilities replicate Tier 1
- Does not provide COR capability for users
- Installed geographically CONUS/OCONUS
in area containing concentrations of accounts
COR – Kelly AFB
Extension Tier 1
Apr 19, 2023 Mod 6-HO-63FA24 TSEC
• Represents individual EKMS user accounts
• Developed by NSA
• Used by all services
• Individual service policies and procedures
• AKMS – Army Tier 2
outlines Army policies and
procedures
Tier 2 – LCMS User Accounts
Apr 19, 2023 Mod 6-HO-64FA24 TSEC
• Replaces slow, cumbersome paper and manpower intensive processes
• Provides a reliable, responsive and secure system• Implements an electronic key strategy w/in the Army• Provides Tier 0 and Tier 1 electronic interoperability• Provides COMSEC and communications planning
capabilities• Provides real time key generation and distribution• To make AKMS work as a system, all three
components (LCMS, ACES, DTD) are required
AKMS
Apr 19, 2023 Mod 6-HO-65FA24 TSEC
• NSA and Army produced and distributed
• Automated account management
• Local key generation, distribution, auditing, reconciliation
• Access to CF and COR
LCMS Workstation
Apr 19, 2023 Mod 6-HO-66FA24 TSEC
• Army produced and distributed
• Designed for Cryptonet planning and management
• Includes SOI/ EP planning and management
• Employs ACES-specific application functions
ACES Workstation
Apr 19, 2023 Mod 6-HO-67FA24 TSEC
• Receive, distribute, store,
and manage key
• Receive, transfer, and
display SOI
• Perform AuditSKL
DTD
Fill Device
Apr 19, 2023 Mod 6-HO-68FA24 TSEC
U.S. MILITARY IS NEEDED SOMEWHERE
COMMUNICATIONS PLAN
ACESOPERATOR
SHORT TITLE INFORMATION
KEY REQUIREMENTS
DTD/SKL(TIER 3)
PLAN
DA
TALCMSOPERATOR
(TIER 2)
S-3
KEYS DISTRIBUTED AS NEEDED
ACES
ACES Scenario
Apr 19, 2023 Mod 6-HO-69FA24 TSEC
• Accounts no longer manual• Acclaims no longer in effect• Sub-accounts no longer authorized• Key produced locally and distribution process
streamlined• Electronic key transfer increased; physical
key transfer decreased• Modern key ordering incorporated to
mainstream
Doctrinal Impacts
Apr 19, 2023 Mod 6-HO-70FA24 TSEC
• CIO/G-6: EKMS/AKMS oversight; IA system integrator
• G-2: COMSEC Policy• G-8: Program Funding• PEO C3T: Responsible PEO; DAA• PM TRCS: PM for LCMS, ACES, and DTD, under
PM WIN-T
• CSLA: Primary service authority role; primary Tier 1 segment (COR); EKMS subject matter experts and support to IA directorate
• CECOM: Tier 1 software support activity; Tier 2 life-cycle support (minus SW)
• SIGCEN: AKMS requirements and operational concepts; sustainment training
Roles/Responsibilities
Apr 19, 2023 Mod 6-HO-71FA24 TSEC
• Provides EKMS/AKMS oversight
• Provides representation to:– KMI Committee (KMI EC) – Joint Key Management Infrastructure Working
Group EKMS Transition Team (ETT)– Tier 1 System Management Board (TSMB)– Other working groups and boards
• Chairs AKM Infrastructure Working Group (AKMIWG)
• Facilitates exchange of info/coordination among Army Orgs (G-8, G-2, CIO/G-6, SIGCEN, CSLA, PM WIN-T)
IA Directorate (DCD) Role