Unit 1b Flashcards

1
Q

INTRODUCTION

A
  • The practice of encryption ensures messages, be it voice or data, are transmitted and received by only the intended parties.
  • The goal of Communications Security (COMSEC) is to ensure information pertaining to national security stays out of the wrong hands.
2
Q

COMMUNICATIONS SECURITY (COMSEC)

A
  • COMSEC is a Cybersecurity discipline identified in AFI 17-130 Cybersecurity Program Management with the purpose of implementing appropriate measures to protect all Air Force Information System (IS) resources and sensitive or classified information.
  • COMSEC ensures the employment of measures and controls taken to deny unauthorized personnel information derived from ISs of the United States Government related to national security, and to ensure the authenticity of such ISs. Encrypting information is one method of protecting it from adversaries.
  • Applying security measures (e.g. cryptographic solutions, transmission security, and emission security) to communications and information systems related to classified or sensitive government information prevents the possibility of loss, which could adversely affect national security interests. It also includes applying physical security measures to COMSEC information or materials.
3
Q

The National Security Agency (NSA)

A
  • The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both signals intelligence (SIGINT) and cybersecurity.
  • The NSA is tasked with preventing foreign adversaries from gaining access to classified national security information.
  • Formed in 1952, the National Security Agency (NSA) took over responsibility for all U.S. Government encryption systems. Nowadays, all military encryption is standardized under NSA guidance.
4
Q

Classifying Crypto

A
  • The NSA ranks cryptographic products or algorithms by a certification called product types. Each product type requires a key of the corresponding type at the appropriate level to encrypt the information. The CNSSI No. 4009 National Information Assurance Glossary defines the Type 1, 2, 3, and 4 products.
  • Type 1: For encrypting and decrypting classified and sensitive national security information.
  • Type 2: For encrypting or decrypting sensitive national security information.
  • Type 3: For encrypting or decrypting unclassified sensitive U.S. Government or commercial information, and to protect systems requiring protection mechanisms consistent with standard commercial practices.
  • Type 4: For unevaluated commercial cryptographic equipment that is neither NSA- nor NIST-certified for any Government usage. These products may contain vendor-proprietary algorithms, algorithms registered by NIST, or algorithms registered by NIST and published in a Federal Information Processing Standard (FIPS).
5
Q

(P.2) Classifying Crypto

A
  • Classifications of encryption-device types are further broken down into two releasable categories:
  • Suite A: (Confidential through Top Secret) A specific set of classified cryptographic algorithms used for the protection of some categories of restricted mission critical information.
  • Suite B: (Confidential through Secret) A specific set of cryptographic algorithms suitable for protecting both classified and unclassified national security systems and information throughout the US government and to support interoperability with allies and coalition partners.
6
Q

Cryptography

A
  • Cryptography is the art and science of making and breaking codes and ciphers.
  • NSA/CSS is responsible for creating the systems that protect U.S. communications and for analyzing systems and communications used by foreign powers.
  • Making a code or cipher system is called cryptography. Those who try to “break” a cryptosystem are practicing cryptanalysis.
  • Encryption is the process of converting information to a disguised form in order to send it across a potentially unsafe channel.
  • Decryption is the reverse process, providing a means of revealing the information.
  • Strong encryption techniques protect sensitive, valuable information against organized criminals, malicious hackers, or spies from a foreign military power.
  • With the advent of the information age, the value of cryptography in everyday life, for example in privacy, trust, electronic payments, and access control, has become evident.
7
Q

Encryption Methods

A
  • In cryptographic terminology, plaintext is the un-encoded or unsecured message; ciphertext is the encrypted message.
  • Encryption encodes a message in a way that hides its contents from outsiders.
  • Decryption is the process of retrieving the plaintext from the ciphertext.
8
Q

Data Encryption

A
  • Encryption and decryption methods make use of a key and a coding algorithm (aka scheme), so that decryption can only be performed by someone possessing the proper key.
  • Modern encryption schemes utilize the concepts of symmetric-keys and public-keys (aka. asymmetric keys).
  • Symmetric Key: In symmetric-key schemes, the encryption and decryption keys are the same. Communicating parties must have the same key in order to achieve secure communication.
  • Public Key: In public-key encryption schemes, the encryption key is published for anyone to use and encrypt messages. However, only the receiving party has access to the decryption key that enables messages to be read.
9
Q

Advanced Encryption Standard

A
  • One of the standards most used today is the symmetric-key algorithm Advanced Encryption Standard (AES), also known as “Rijndael”.
  • The U.S. Government adopted this standard in 2001, moving away from the former Data Encryption Standard (DES) and Triple Data Encryption Standard (3DES).
  • DES had been the standard since 1977, but when tested in 1997, the coding could easily be broken within a day. In 1998, 3DES was implemented, using a method that encrypted the message three times over.
  • While DES and 3DES would cipher using 56-bit encryption, AES proved to be a much-needed upgrade, providing encryption using three different key lengths: 128, 192, and 256 bits.
  • Confidential and Secret information requires AES with 128-bit key lengths or higher.
  • Top Secret requires AES with a 192- or 256-bit key length.
  • AES is the most popular encryption standard in both the commercial and government sectors today.
10
Q

High Assurance Internet Protocol Encryption

A
  • High Assurance Internet Protocol Encryption (HAIPE) provides a secure gateway that allows two enclaves to exchange data over an untrusted or lower-classification network, such as commercial internet.
  • HAIPE provides a tactical advantage to military radio communications by introducing the ability to establish secure mobile ad hoc networking (MANET) capabilities for users.
  • HAIPE is also being inserted into client devices that provide both wired and wireless capabilities.
11
Q

Secure Voice

A
  • Secure voice refers to the encryption of voice communications over a range of systems such as radio, telephone or internet protocol (IP).
  • From the introduction of voice encryption during World War II to today, encryption techniques have evolved drastically.
  • Digital technology has effectively replaced old analog methods of voice encryption. By using complex algorithms, voice encryption has become much more secure and efficient.
12
Q

Secure Communications Interoperability Protocol

A
  • The Secure Communications Interoperability Protocol (SCIP) is a standard for secure voice and data communication.
  • The protocol is platform-independent, meaning it makes no assumptions about the underlying hardware.
  • SCIP supports different modes of operation, including national (US) and multi-national modes with different types of encryptions.
  • SCIP can be used over a variety of communication systems, such as public switched telephone network (PSTN), Integrated Services Digital Network (ISDN), radio links, satellites, cellular phones and internet (Voice over IP, or VoIP).
  • The only requirement is a minimum bandwidth of 2400 Hz. Once a SCIP device connects to another SCIP device, they first negotiate the parameters and then choose the best possible mode of operation.
  • The Secure Terminal Equipment (STE) is an example of a SCIP-compatible system using ISDN and PSTN phone lines to provide secure voice and data transfer.
13
Q

Voice Over Internet Protocol

A
  • Voice over IP is a technology used to transmit voice communication over a data network using Internet Protocol.
  • Secure Voice over IP (SVoIP) is when secure phones are used to protect information sent over the VoIP network.
  • The vIPer Universal Secure Phone is an example of an SVoIP device, providing end-to-end encryption over commercial wired networks.
  • Voice over Secure IP (VoSIP) is the same as SVoIP in that they are technologies used to securely transmit voice communications, but with VoSIP, the security is provided by separate encryption devices in the network rather than the secure phones themselves.
14
Q

Trunk Encryption

A
  • Optical fiber, coaxial cable, microwave relay, and communication satellites transmit wideband data-stream signals that modern communication systems multiplex together. These wide-band circuits require very fast encryption systems.
  • Trunk encryption (aka bulk encryption) provides a secure connection for multiple users in a network by encrypting a multiplexed line, which combines multiple data and/or voice lines into a single output.
  • This type of encryption typically supports large amounts of data. The use of these devices allows for interoperability. The bulk-encryption method supports many end instruments within a network and is commonly placed on truncated circuits.
  • The KG-84 (Figure 1-12) originated in the early 1980s as a dedicated loop encryption device for digital data. Measuring 38 x 19.5 x 19 cm and weighing approximately 10 kg, the KG-84 (A/C) had a wide range of configuration options.
  • In asynchronous mode, it can handle data rates between 50 and 9600 baud. In synchronous mode, using the internal clock, it can handle data up to 32,000 baud, and with an external clock connected it can even go up to 64,000 baud.
  • Furthermore, the KG-84 is suitable for full-duplex, half-duplex and simplex communication. Over time, the device was replaced by the smaller, more versatile KIV-7 which contained an embedded KG-84 module.
15
Q

CRYPTOGRAPHIC EQUIPMENT

A
  • Encryption protects information by converting it into a code (encoding) before transmission, then reconverting the code into readable intelligence (decoding) after reception.
  • When an encryption device is correctly configured with the proper codes, it is considered “keyed.” The absence of the code renders the device useless, and it is then considered “un-keyed.”
  • A keyed encryption device assumes the same security classification as the key that is loaded into it.
  • Depending on the classification level, the device must be handled and secured in the same manner as other COMSEC items at that level.
  • Un-keyed encryption devices are classified differently. When the device is empty and free of codes, COMSEC hardware is categorized as a “controlled cryptographic item” (CCI), and it is considered UNCLASSIFIED.
16
Q

KG-175D

A

The KG-175D is a lightweight, ruggedized encryption device that is ideal for both tactical and strategic environments. It provides end-to-end encryption for IPv4/IPv6 networks such as NIPR/SIPR/VoIP/VoSIP using HAIPE keying, and provides 200 Mb/s throughput.

17
Q

KIV-7/M

A
  • The KIV-7/M provides traditional bulk encryption for non-IP-based systems, such as the Ground Multiband Terminal (GMT).
  • The KIV-7 family of embeddable KG-84 COMSEC modules are lightweight, compact cryptographic devices that provide NSA Type 1-certified protection for digital and voice communications.
  • It requires a Crypto Ignition Key (CIK), at least one Traffic Encryption Key (TEK) or fill and can support up to 10 fills. The CIK prevents unauthorized access and protects all internally stored keys. When unkeyed, or when the CIK is removed and not collocated, the KIV-7 is handled as an unclassified CCI. When keyed, it is handled at the classification level of the stored key.
  • The KIV-7M version adds network functionality to the list of features. It supports synchronous data rates up to 50 Mbps and is backwards compatible with all previous KIV-7 models. It is also interoperable with the KG-84, KG-194/A, and KIV-19.
18
Q

KY-99A

A
  • The KY-99A Advanced Narrowband Digital Voice Terminal (ANDVT) Miniaturized Terminal (MINTERM) is a lightweight, low-power, single-channel, half-duplex, narrowband/wideband/wireline terminal providing secure voice and data communications. The KY-99A is compatible with most other COMSEC systems. The unit holds up to six codes and can receive a fill from devices like the PYQ-10 or KIK-30, or via OTAR.
  • These devices are called external cryptographic equipment because their main purpose is to take an incoming non-secure (red) data signal and encrypt it into secure (black) data at the output. However, many radios in use today have embedded crypto modules inside the radio, so that external devices are not required.
19
Q

Fill Devices

A
  • A key transfer device (aka. fill device) is an electronic device used primarily by the military for the distribution of cryptographic variables such as Transmission Encryption Keys (TEK), a key used to encrypt messages, and Transmission Security Keys (TSK), used to secure the link by which the message will travel.
  • Fill devices often use a standard data protocol such as DS-101 or DS-102, both developed by the NSA, but some devices use proprietary protocols as well. Fill devices can store and transfer: TEKs, TSKs, GPS (Global Positioning System) data, IFF (Identification Friend or Foe) data, and software updates.
20
Q

PYQ-10

A
  • The AN/PYQ-10, otherwise known as the Simple Key Loader (SKL), is a ruggedized, portable, hand-held fill device for securely receiving, storing, and transferring data between compatible cryptographic and communications equipment. It provides all the functions of legacy fill equipment and incorporates new features that provide streamlined management of COMSEC keys.
  • The AN/PYQ-10 utilizes the Microsoft Windows CE.net operating system for a more user-friendly interface. The SKL is backward compatible with existing End Cryptographic Units (ECU) and forward compatible with future security equipment and systems.
21
Q

KIK-30

A

The KIK-30 Really Simple Key Loader (RASKL) is a user-friendly, ruggedized, handheld fill device approved by the NSA for the distribution of Type 1 cryptographic keys. It can store and transfer related communications security material, including control data (“load sets”) for frequency-hopping radios such as SINCGARS and Have Quick. It replaces legacy fill devices (e.g. the KIK-13), is small and lightweight, and can store up to 40 cryptographic keys. Almost all NSA devices can use the KIK-30.

22
Q

KVL

A

The Key Variable Loader (KVL) 3000 Plus (Figure 1-18) is a device for loading cryptographic material (key variables) into a series of Motorola brand two-way radios, commonly referred to as Land Mobile Radios (LMRs). The system uses a variety of cryptographic algorithms and is compatible with a variety of radios. The KVL generally uses a proprietary data protocol for transferring keys to the radio. Additionally, the device is equipped with a matrix display (bitmap), allowing icons and graphics to be displayed. It has the capability to store up to 1024 keys.

23
Q

SUMMARY

A

Knowing how to properly load and operate crypto equipment will be an important part of getting communications up and running whether you are maintaining a mission at home-station or deployed. These examples of voice, data, and trunk methods and equipment give a little more insight into what is becoming an integral part of the role you play in cyberspace support.