Presentation is loading. Please wait.

Presentation is loading. Please wait.

Military Cryptographic Systems Information Assurance Module 3

Published byAshlynn Williamson Modified over 9 years ago

Similar presentations

Presentation on theme: "Military Cryptographic Systems Information Assurance Module 3"— Presentation transcript:

1

2 Military Cryptographic Systems Information Assurance Module 3

3 Objectives Students will learn about commonly used military cryptographic systems (ie. KG-84, KIV-7, KIV-19, STE, KG-75), including data rates, connection and fill requirements, and practical applications. Provide an Overview of the DOD Cryptographic Modernization Initiative with Focus on the Army CM Program. Be able to describe the EKMS/AKMS Programs. At the conclusion of this block, students will be able to choose a cryptographic device to encrypt a link given the data rate, terminal equipment and transmission medium. They will be able to explain the CM, EKMS and AKMS Programs.

4 Outline Cryptographic Standards NSA Cryptographic Types
Black/Red Signals Military Cryptographic Equipment (Layers 1 – 3) Telephony Cryptographic Equipment Fill Devices Key Generators Cryptographic Modernization Program Electronic/Army Key Management Systems This next block we will discuss different types of cryptographic equipment and systems.

5 Cryptographic Standards (1 of 2)
National Security Agency (NSA) Secret and above Type 1 encryption required Classified Algorithms National Institute of Standards and Technology (NIST) Set standards for Sensitive traffic de facto standards organization for commercial businesses

6 Cryptographic Standards (2 of 2)
3. American National Standards Institute (ANSI) Cryptographic standards organization for the U.S. ANSI X9 series closely mirrors NIST’s Federal Information Processing Standard (FIPS) 4. International Organization of Standards (ISO) X.509 and Common Criteria

7 Approved Cryptosystems
for the US Army are either: Produced by NSA Commercial Off the Shelf Systems approved by NSA for local purchase Electronically generated and distributed using NSA approved key generating equipment and procedures IAW NAG 16

8 NSA Cryptographic Types
Products US government/military for Classified Info Only approved commercial users are defense contractors for US classified projects US government for sensitive info Requires US government agency sponsorship Algorithms Exportable only to US corporations abroad, and remain under the control of US citizen. Exportable to any country and/or organization, except those prohibited by the US government

9 Black/Red Signals Black/Cipher Text Red/Plain Text Router
Red patch panel KIV-7 Black patch panel CSU/DSU Red patch panel Black patch panel CSU/DSU Router KIV-7

10 Red/Black Installation (1 of 2)
Separation of 1 m b/w RED processor and: BLACK equipment BLACK wire lines that exit the inspectable space or are connected to an RF transmitter BLACK power lines Conductors that exit the inspectable space Separation of 5 cm b/w RED wire line and:

11 Red/Black Installation (2 of 2)
RED and BLACK wire lines will not use a common distribution vehicle unless the power lines exiting the space are equipped with powerline filters. Patch Panels Jack fields should have incompatible connectors to prevent inadvertent RED to BLACK patching Separate RED and BLACK by 1 m 1 m separation required b/w different classifications (i.e. SIPRNET and JWICS, SIPRNET and SECRET – Coalition) SCIFs require separate red and black ground

12 Cryptographic Equipment
Layer 1 (Physical) KG-84 KIV-7 KG-194 KIV-19 KG-95 KG-189 Layer 2 (Data link) KG-75 KG-175 (2 and 3) KIV-21 Layer 3 (Network) Network Encryption System (NES)

13 KG-84 KG-84A -- 256 kbps KG-84C -- 64 kbps
Military standard DS-101 fill plug Operates from 50 to Mbps asynchronous Process up to 32 Kbps using internal clock Built-in wireline modem

14 KIV-7 Four models Interoperable with KG-84 Serial Data Interfaces
KIV Kbps KIV-7HS Mbps KIV-7HSA/B Mbps Interoperable with KG-84 Serial Data Interfaces EIA-530, EIA-449, EIA-232 Removable CIK No internal strappings Optional Wireline Module for Tactical

15 KG-194 KG-94/94A/194/194A Operates from 9.6 kbps to 13 Mbps
Uses traditional or firefly key Two versions -- tactical and fixed plant

16 KIV-19 Operates from 9.6 kbps to 13 Mbps
Use traditional or firefly key Compatible with KG-194 Newest version KIV-19A

17 KG-95 DS3 encryptor Bulk Encryption Three models:
KG-95-1 operates from Mbs KG-95-2 operates only at DS-3 rate KG-95R two KG-95-2s together

18 KG-189 SONET Encryptor Operates at OC-3, OC-12 and OC-48
Type I encryption Firefly key DS-101/KSD-64

19 KG-75 (FASTLANE) ATM encryptor KG-75 - up to OC-12
KG-75A - up to OC-192 Supports up to 4094 simultaneous, cryptographically isolated ATM channels Supports DS1, DS3, OC3C and OC12C Supports PNNI 1.0, UNI 4.0 and SNMP Firefly and traditional key CYZ-10/DTD fill device

20 KG-175 (TACLANE) ATM Encryption -- 45 Mbps IP Encryption -- 7.2 Mbps
DS3 BNC connector 253 cryptographically isolated channels IP Encryption Mbps RJ-45 and AUI connector UNI 4.0 and SNMPv1 Firefly and traditional key Uses CYZ-10/DTD E-100 version provides IP encryption up to 100 Mbps

21 KIV-21 Converts black EIA-422, DB37 HDLC into red IEEE 802.3 ethernet
Replaces KIV-7/KG-84/KG-194 and CSU/DSU for a single site Throughput - 8 Kbps to 3 Mbps Frame relay

22 Network Encryption System (NES)
IP Encryption NES 4001 supports up to 3.4 Mbps NES 4001A throughput is 4.3 Mbps Required black and red IP addresses FIREFLY key distribution

23 NES - Virtual Private Network
permits traffic from one network to tunnel through another network of a dissimilar security classification

24 Telephony Equipment STU-III STE Omni Secure Cell Phones KY-68 FNBDT

25 STU-III and SDD Secure Data Device
Operate at 2.4 or 4.8 kbps code-excited line prediction (CELP) Data transmitted at 2.4, 4.8 and 9.6 kbps Supports the ITU-T standards V.26bit V.26ter V.32 KSD-64A

26 STE Replaces STU-III and KY-68 Key is Fortezza Plus (KOV-14)
Interoperable with: STU-III DNVT ISDN: NI-1, NI-2, 5ESS, DMS-100, DEFINITY Euro ISDN Network Interface ISDN S/T BRI – 1B+D or 2B+D – RJ-45 PSTN – RJ-11 TRI-TAC/MSE – 4 wire line modem EIA-232/530A Host Interface

27 Omni Secure Terminal provides Type-1 security for voice and data
Analog and Digital network FNBDT compliant Compatible with POTs and STU-III

28 Secure Cell Phones (1 of 2)
Motorola Cipher-Tac 2000 STU-III and STE compatible Type 1 analog cellular security sleeve slides between battery and phone to operate in secure mode Qualcomm Qsec 800 Secure voice and data (CMDA) Type 1 analog cellular security requires no add-on module

29 Secure Cell Phones (2 of 2)
General Dynamics Tri-band (GSM 900/1800/1900) Advanced Encryption Standard (AES) Clip-in security module Type 1 security Motorola Satellite Series 9505 satellite and cellular service type 1 end-to-end security Iridium security module attaches to it

30 KY-68 TRI-TAC and MSE Operates at 16/32 Kbps with CVSD (wideband)
Provides encryption of voice or data traffic on switched links to a circuit switch

31 Future Narrow Band Digital Terminal (FNBDT)
Designed primarily for low-bandwidth, error prone networks such as cell phones Secure global interoperability FNBDT is an open standard Satisfies both NATO and individual nation objectives Uses MELP and Forward Error Correction

32 Fill and Storage Devices
KYK-13 KOI-18 KYX-15 CYZ-10 KG-83 KGX-93 Fortezza Card KOV-14 KSD-64A

33 KYK-13 Receive, store and load key in electronic form
Can hold six 128 bit keys CCI is unclassified when empty -- takes on highest classification of key in memory

34 KOI-18 Used to read/transform paper key into electronic key
Can directly fill crypto equipment or load another fill device Unclassified No memory

35 KYX-15 Can store sixteen 128 bit keys
Unclassified when empty - takes on the highest classification of the key in memory Used to perform OTAR Can generate key locally when used with KG-84, KIV-7 or KY-68

36 AN/CYZ-10 Data Transfer Device (DTD) can emulate other fill devices
Receives, audits and transfers 128 bit keys with identification information CCI and is unclassified when empty or when the CIK is removed Referred to as an ANCD

37 Simple Key Loader (SKL)
Processor 32-bit Intel® XScale™ CPU (400 MHz) O/S Win CE.NET (4.1) RAM MB of SDRAM ROM 64 MB of Flash Memory Graphics 2-D Accelerator Size 7” x 3.5” x 1.8” Weight Approx 18 oz. 504 gms.

38 Fortezza Card (1 of 2) Used with DMS to encrypt/decrypt
1.5 MBs processing rate Tamper proof/ultrasonically welded Exportable with State Department approval Includes RISC based processor Spyrus Grouptech Mykotronx

39 Fortezza Card (2 of 2) Provides Cryptographic Functions
Public Key Exchange Message Encryption Digital Signature Hashing Timestamp Password Certificate Algorithms used KEA, Skipjack, DSA, SHA-1 Key Exchange Algorithm Digital Signature Algorithm

40 KOV-14 (Fortezza Plus) Special PCMCIA card - provides encryption and other security services Used to enable STE Classified to level of keying material Unclassified when separated from STE Stays with COMSEC Material Control System (CMCS) until destroyed With operational key – classified With seed key -- unclassified

41 KSD-64A Contains electronic fill info for STU-III
May contain classified operational key or unclassified seed key Can operate in three modes

42 KSD-64A Modes Operational Key
Load STU-III to make direct secure calls to other STU-IIIs Fill Device Seed Key Load STU-III to electronically obtain its operational key during a rekey phone call Crypto Ignition Key (CIK) Stores an electronic "password." CIK is used in STU-III that shares this password to unlock the terminal's secure transmission features

43 Key Generators KG-83 KGX-93 LMD/KP (KOK-22)

44 KG-83 TRI-TAC and stand alone applications
Generates 128 bit TEK up to Top Secret Compatible with most COMSEC equipment that accepts 128 bit keys Requires initial/annual certification

45 KGX-93 MSE and TRI-TAC switches Generates 128 bit key up to Top Secret
Can also store key Requires initial/annual certification

46 Local Management Device/Key Processor (LMD/KP)
128 bit key Key Processor KOK-22A Key Generation Local key generation, distribution, auditing and reconciliation Access to ACCOR Tier 2 of EKMS Can load 1000 keys at once

47 Cryptographic Modernization Program
Replacement of DOD’s aging Cryptographic Equipment Inventory to meet Current and Objective Capability Needs. Intent is to achieve more robust security, network adaptability (Network-Centric) and performance enhanced equipment solutions.

48 Background (1 of 2) FY 99/00 MCEB and NSA Studies Concluded:
Technologically Obsolete years old Cannot Support Network-Centric Architectures Inventory Becoming Logistically Unsupportable Feb 01 ASD(C3I) Arthur Money memo directs: Road Map for Crypto Systems Upgrade/Replacement/Retirement Services Procure Modernized Crypto in FY03-09 POM

49 Background (2 of 2) Sep 02 JRB
9 Crypto Systems as near term Modernization efforts Approved Joint Forces Command as CRD Sponsor Directed Joint Staffing of CM MNS and Completion of CM Implementation Plan Nov 03 SIGCEN BG Hicks, signed the Charter establishing the CM ICT ICT process serves to shorten the requirements determination event of the acquisition process by employing the team approach to requirements determination.

50 Existing Deficiencies
Equipment Obsolescence Incompatibilities with new architectures/technologies Interoperability/Releasability problems Restrictions on key management pose major challenges Affects ability to support dynamic communications Lack of programmability/flexibility Incompatibility with modernized DOD KMI Lack direct interfaces Cryptographic equipment shortages Readiness and surge capabilities affected

51 Cryptographic Inventory Posture
Unsupportable within 10 years Supportable beyond 10 years 2% 2% Unsupportable within 5 years 15% 43% 38% Currently Unsupportable Programmed Replacements Current inventory 1.2 Million Items (Sources: ISSP Database, ATAV, MYNSN, UIT, CMCS) Programmed Replacements JTRS, WIN-T, FCS and Other Major Programs.

52 Threat Continuing trends reflect significantly increased risks of C4ISR, IT, and weapons systems to attacks on cryptography Increases in computing power Increasing reliance upon COTS systems Service/Allied/Coalition use Availability of Electronic Warfare Systems Widespread distribution of Computer Network Attack (CNA) and Computer Network Exploitation (CNE) Tools

53 CM Concept Leverage Latest Technology
Develop Multi-Functional Components that Replace Entire Families of Crypto Equipment NSA Partnership with Services on Program Development NSA will: - Retain Crypto Certification Approval - Fund Services for Program Development R&D Services will: - Program Funding for Procurement and Fielding - Conduct Program Development Process - Develop Equipment Shortage/Supportability Lists - Prepare Fielding and Transition Plans

54 CM Core Capabilities Programmable/Reprogrammable Algorithms
Capable of Receiving an Algorithm Scalable Components Embedded Modules (Whenever Possible) EKMS/KMI Compliant/Capable Network-Centric Functionality Assured control of DOD networks Interoperability Physical - Form and Fit

55 Priority Nine Systems PROGRAM SERVICE LEAD UTILIZATION
IFF Mode V Navy AVN/GND-Air/Water Craft KG-30 (NC2) Air Force Joint Interface KI-22 (Air Force Only) Air Force N/A KG-40 (LINK 11) Navy ADA/Joint Interface CTIC/CDH Air Force Integrated Modules KG-94 (Family) NSA Trunk Encryptors NES (INE) NSA Inline Network Encryptors STU III Replacement NSA Secure Voice/Data KY-68/78 Army Tactical DSVT

56 EKMS and AKMS EKMS Architecture and Concepts
AKMS Description and Operational Concepts Doctrinal Impacts Roles/Responsibilities Issues

57 Electronic Key Mgt System
DOD initiative to modernize management/distribution of COMSEC to support the warfighter and non-military government users. Replaces slow cumbersome paper and manpower intensive processes of management and distribution of COMSEC material. Increase security of key management processes Increase responsiveness to user needs Provide for interoperability

58 EKMS Tier Levels 0. National Security Agency (NSA)
Central Office of Record (COR) LCMS COMSEC User Accounts Common Fill Devices

59 EKMS Operations CF COR COR AKMS EKMS ID ACCOUNT EKMS ID ACCOUNT
TIER 0: POLICIES, MODERN KEY COR COR TIER 1: COR, RA, PCM,OPM AKMS TIER 2: ACCOUNTS EKMS ID ACCOUNT EKMS ID ACCOUNT EKMS ID LOCAL ELEMENT EKMS ID LOCAL ELEMENT LOCAL ELEMENT NO SUBACCOUNTS ONLY ACCOUNTS AND LOCAL ELEMENTS LOCAL ELEMENT LOCAL ELEMENT TIER 3: DTD/SKL (HAND RECEIPT HOLDERS)

60 National Security Agency (NSA)
Tier 0 – NSA Central Facility Provides for production, management, and distribution of specialized electronic cryptographic key and associated materials. MODEM key National Security Agency (NSA)

61 Tier 1 - Central Office of Record
CORs are focal points for production, management, auditing, and distribution of Service-Unique electronic cryptographic key and materials Supports joint operations at theater and strategic levels Act as alternates to the other in cases of degraded operations, activity, and geographic location Major functional areas: Central Office of Record (COR) Registration Authority (RA) Privilege Certificate Manager (PCM) Ordering Privilege Manager (OPM)

62 Extension Tier 1 EXTENSION TIER 1
COR – Ft. Huachuca COR – Kelly AFB EXTENSION TIER 1 - Facilities replicate Tier 1 - Does not provide COR capability for users Installed geographically CONUS/OCONUS in area containing concentrations of accounts

63 Tier 2 – LCMS User Accounts
Represents individual EKMS user accounts Developed by NSA Used by all services Individual service policies and procedures AKMS – Army Tier 2 outlines Army policies and procedures

64 AKMS Replaces slow, cumbersome paper and manpower intensive processes
Provides a reliable, responsive and secure system Implements an electronic key strategy w/in the Army Provides Tier 0 and Tier 1 electronic interoperability Provides COMSEC and communications planning capabilities Provides real time key generation and distribution To make AKMS work as a system, all three components (LCMS, ACES, DTD) are required

65 LCMS Workstation NSA and Army produced and distributed
Automated account management Local key generation, distribution, auditing, reconciliation Access to CF and COR

66 ACES Workstation Army produced and distributed
Designed for Cryptonet planning and management Includes SOI/ EP planning and management Employs ACES-specific application functions

67 Fill Device Receive, distribute, store, and manage key
Receive, transfer, and display SOI Perform Audit DTD SKL

68 ACES Scenario U.S. MILITARY IS NEEDED SOMEWHERE S-3 ACES ACES OPERATOR
COMMUNICATIONS PLAN PLAN DATA KEY REQUIREMENTS SHORT TITLE INFORMATION LCMS OPERATOR (TIER 2) KEYS DISTRIBUTED AS NEEDED DTD/SKL (TIER 3)

69 Doctrinal Impacts Accounts no longer manual
Acclaims no longer in effect Sub-accounts no longer authorized Key produced locally and distribution process streamlined Electronic key transfer increased; physical key transfer decreased Modern key ordering incorporated to mainstream

70 Roles/Responsibilities
CIO/G-6: EKMS/AKMS oversight; IA system integrator G-2: COMSEC Policy G-8: Program Funding PEO C3T: Responsible PEO; DAA PM TRCS: PM for LCMS, ACES, and DTD, under PM WIN-T CSLA: Primary service authority role; primary Tier 1 segment (COR); EKMS subject matter experts and support to IA directorate CECOM: Tier 1 software support activity; Tier 2 life-cycle support (minus SW) SIGCEN: AKMS requirements and operational concepts; sustainment training

71 IA Directorate (DCD) Role
Provides EKMS/AKMS oversight Provides representation to: KMI Committee (KMI EC) Joint Key Management Infrastructure Working Group EKMS Transition Team (ETT) Tier 1 System Management Board (TSMB) Other working groups and boards Chairs AKM Infrastructure Working Group (AKMIWG) Facilitates exchange of info/coordination among Army Orgs (G-8, G-2, CIO/G-6, SIGCEN, CSLA, PM WIN-T)

72 E/AKMS Issues Simple Key Loader (SKL) Testing
Tier 1 & Tier 2 phase 4 certification and accreditation Software Support Activity (SSA) merging of EKMS, KMI, and COMSEC modernization programs ACES Fielding

Download ppt "Military Cryptographic Systems Information Assurance Module 3"

Similar presentations

Chapter 5 Voice Communication Concepts and Technology.

Chapter 5 Voice Communication Concepts and Technology.
Networking at Home the Office and Globe

Networking at Home the Office and Globe
Networking at Home and Abroad

Networking at Home and Abroad
Data and Computer Communications Eighth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 10 – Circuit Switching and Packet Switching.

Data and Computer Communications Eighth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 10 – Circuit Switching and Packet Switching.
Simple Key Loader (SKL) Army Fielding Strategy SYSTEM OVERVIEW.

Simple Key Loader (SKL) Army Fielding Strategy SYSTEM OVERVIEW.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Circuit Switching Blocking occurs when the network is unable to connect to stations because all possible paths between them are already in use. Non-blocking.

Circuit Switching Blocking occurs when the network is unable to connect to stations because all possible paths between them are already in use. Non-blocking.
IST 201 Chapter 5. LAN Technologies Ethernet – most widely used technology in LANS In 1970, developed and implemented by: Digital Intel Xerox IEEE 802.3.

IST 201 Chapter 5. LAN Technologies Ethernet – most widely used technology in LANS In 1970, developed and implemented by: Digital Intel Xerox IEEE
(part 4).  Gateways  A gateway is responsible for translating information from one format to another and can run at any layer of the OSI model, depending.

(part 4).  Gateways  A gateway is responsible for translating information from one format to another and can run at any layer of the OSI model, depending.
1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.

1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.
Week 1 Things you want to know. Week 1 This is a series of things you want to know as you walk away from the course. What elements make up a communication.

Week 1 Things you want to know. Week 1 This is a series of things you want to know as you walk away from the course. What elements make up a communication.
Module 2.2: ADSL, ISDN, SONET

Module 2.2: ADSL, ISDN, SONET
DAKNET Presented By: rreema.

DAKNET Presented By: rreema.
SAMEER NETAM RAHUL GUPTA PAWAN KUMAR SINGH ONKAR BAGHEL OM PANKAJ EKKA Submitted By:

SAMEER NETAM RAHUL GUPTA PAWAN KUMAR SINGH ONKAR BAGHEL OM PANKAJ EKKA Submitted By:
4/11/40 page 1 Department of Computer Engineering, Kasetsart University 204325 Introduction to Computer Communications and Networks CONSYL Computer and.

4/11/40 page 1 Department of Computer Engineering, Kasetsart University Introduction to Computer Communications and Networks CONSYL Computer and.
Selecting a WAN Technology Lecture 4: WAN Devices &Technology.

Selecting a WAN Technology Lecture 4: WAN Devices &Technology.
Lecture 9 Modems and Access Devices. Overview Computers are connected to telephone lines through the use of modems –modems: are connecting devices between.

Lecture 9 Modems and Access Devices. Overview Computers are connected to telephone lines through the use of modems –modems: are connecting devices between.
Section Eight: Communication Security (COMSEC) Note: All classified markings contained within this presentation are for.

Section Eight: Communication Security (COMSEC) Note: All classified markings contained within this presentation are for.
Networking Technologies

Networking Technologies
Module 1 WANs and Routers.

Module 1 WANs and Routers.

Similar presentations

Ads by Google