Fortezza

Last updated April 02, 2019

Fortezza is an information security system^[1] that uses the Fortezza Crypto Card, a PC Card-based security token.^[2] It was developed for the U.S. government's Clipper chip project and has been used by the U.S. Government in various applications.

Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. The information or data may take any form, e.g. electronic or physical. Information security's primary focus is the balanced protection of the confidentiality, integrity and availability of data while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a multi-step risk management process that identifies assets, threat sources, vulnerabilities, potential impacts, and possible controls, followed by assessment of the effectiveness of the risk management plan.

In computing, PC Card is a configuration for computer parallel communication peripheral interface, designed for laptop computers. Originally introduced as PCMCIA, the PC Card standard as well as its successors like CardBus were defined and developed by the Personal Computer Memory Card International Association (PCMCIA).

A security token is a physical device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something. Examples include a wireless keycard opening a locked door, or in the case of a customer trying to access their bank account online, the use of a bank-provided token can prove that the customer is who they claim to be.

Each individual who is authorized to see protected information is issued a Fortezza card that stores private keys and other data needed to gain access. It contains an NSA approved security microprocessor called Capstone (MYK-80) that implements the Skipjack encryption algorithm.

Capstone is the name of a United States government long-term project to develop cryptography standards for public and government use. Capstone was authorized by the Computer Security Act of 1987 and was driven by the NIST and the NSA; the project began in 1993. The initiative involved four standard algorithms: a data encryption algorithm called Skipjack, along with the Clipper chip that included the Skipjack algorithm, a digital signature algorithm, DSA, a hash function, SHA-1, and a key exchange protocol. Capstone's first implementation was in the Fortezza PCMCIA card. All Capstone components were designed to provide 80-bit security.

In cryptography, Skipjack is a block cipher—an algorithm for encryption—developed by the U.S. National Security Agency (NSA). Initially classified, it was originally intended for use in the controversial Clipper chip. Subsequently, the algorithm was declassified.

In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. Encryption does not itself prevent interference, but denies the intelligible content to a would-be interceptor. In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm – a cipher – generating ciphertext that can be read only if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients but not to unauthorized users.

The original Fortezza card (KOV-8) is a Type 2 product which means it cannot be used for classified information. The most widely used Type 1 encryption card is the KOV-12 Fortezza card which is used extensively for the Defense Message System (DMS). The KOV-12 is cleared up to TOP SECRET/SCI. A later version, called KOV-14 or Fortezza Plus, uses a Krypton microprocessor that implements stronger, Type 1 encryption and may be used for information classified up to TOP SECRET/SCI. It, in turn, is being replaced by the newer KSV-21 PC card with more modern algorithms and additional capabilities. The cards are interchangeable within the many types of equipment that support Fortezza and can be rekeyed and reprogrammed by the owners, making them easy to issue and reuse. This simplifies the process of rekeying equipment for crypto changes: instead of requiring an expensive fill device, a technician is able to put a new Fortezza card in the device's PCMCIA slot.

Classified information Material that a government body claims is sensitive information that requires protection of confidentiality, integrity, or availability

Classified information is material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance and need to know, and intentional mishandling of the material can incur criminal penalties. A formal security clearance is required to view or handle classified documents or to access classified data. The clearance process requires a satisfactory background investigation. Documents and other information must be properly marked "by the author" with one of several (hierarchical) levels of sensitivity—e.g. restricted, confidential, secret and top secret. The choice of level is based on an impact assessment; governments have their own criteria, which include how to determine the classification of an information asset, and rules on how to protect information classified at each level. This often includes security clearances for personnel handling the information. Although "classified information" refers to the formal categorization and marking of material by level of sensitivity, it has also developed a sense synonymous with "censored" in US English. A distinction is often made between formal security classification and privacy markings such as "commercial in confidence". Classifications can be used with additional keywords that give more detailed instructions on how data should be used or protected.

The Defense Message System or Defense Messaging System (DMS) is a deployment of secure electronic mail and directory services in the United States Department of Defense. DMS was intended to replace the AUTODIN network, and is based on implementations of the OSI X.400 mail, X.500 directory and X.509 public key certificates, with several extensions to meet the specific needs of military messaging.

The KOV-14 Fortezza Plus is a US National Security Agency-approved PC card which provides encryption functions and key storage to the Secure Terminal Equipment and other devices. It is a tamper-resistant module based on the Mykotronx Krypton chip, including all of the cryptographic functionality of the original Fortezza card plus the Type 1 algorithms/protocols BATON and Firefly, the SDNS signature algorithm, and the STU-III protocol. It was developed by Mykotronx as part of the NSA's MISSI program. As of 2008, the KOV-14 is beginning to be phased out and replaced by the backwards compatible KSV-21 PC card.

The Fortezza Plus card and its successors are used with NSA's Secure Terminal Equipment voice and data encryption systems that are replacing the STU-III. It is manufactured by the Mykotronx Corporation and by Spyrus. Each card costs about $240 and they are commonly used with card readers sold by Litronic Corporation.

Secure Terminal Equipment (STE) is the U.S. Government's current, encrypted telephone communications system for wired or "landline" communications. STE is designed to use ISDN telephone lines which offer higher speeds of up to 128 kbit/s and are all digital. The greater bandwidth allows higher quality voice and can also be utilized for data and fax transmission through a built-in RS-232 port. STE is intended to replace the older STU-III office system and the KY-68 tactical system. STE sets are backwards compatible with STU-III phones, but not with KY-68 sets.

STU-III is a family of secure telephones introduced in 1987 by the NSA for use by the United States government, its contractors, and its allies. STU-III desk units look much like typical office telephones, plug into a standard telephone wall jack and can make calls to any ordinary phone user. When a call is placed to another STU-III unit that is properly set up, one caller can ask the other to initiate secure transmission. They then press a button on their telephones and, after a 15-second delay, their call is encrypted to prevent eavesdropping. There are portable and militarized versions and most STU-IIIs contained an internal modem and RS-232 port for data and fax transmission. Vendors were AT&T, RCA and Motorola.

The Fortezza card has been used in government, military, and banking applications to protect sensitive data.^[3]

Related Research Articles

Communications security is the discipline of preventing unauthorized interceptors from accessing telecommunications in an intelligible form, while still delivering content to the intended recipients.

The U.S. National Security Agency (NSA) ranks cryptographic products or algorithms by a certification called product types. Product types are defined in the National Information Assurance Glossary which defines Type 1, 2, 3, and 4 products.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data sent over an internet protocol network. It is used in virtual private networks (VPNs).

In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm. For encryption algorithms, a key specifies the transformation of plaintext into ciphertext, and vice versa for decryption algorithms. Keys also specify transformations in other cryptographic algorithms, such as digital signature schemes and message authentication codes.

Articles related to cryptography include:

Key management refers to management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.

In cryptography, RC2 is a symmetric-key block cipher designed by Ron Rivest in 1987. "RC" stands for "Ron's Code" or "Rivest Cipher"; other ciphers designed by Rivest include RC4, RC5, and RC6.

There are a number of standards related to cryptography. Standard algorithms and protocols provide a focus for study; standards for popular applications attract a large amount of cryptanalysis.

The National Security Agency took over responsibility for all U.S. Government encryption systems when it was formed in 1952. The technical details of most NSA-approved systems are still classified, but much more about its early systems have become known and its most modern systems share at least some features with commercial products.

BATON is a Type 1 block cipher in use since at least 1995 by the United States government to secure classified information.

The vast majority of the National Security Agency's work on encryption is classified, but from time to time NSA participates in standards processes or otherwise publishes information about its cryptographic algorithms. The NSA has categorized encryption items into four product types, and algorithms into two suites. The following is a brief and incomplete summary of public knowledge about NSA algorithms and protocols.

CYPRIS was a cryptographic module developed by the Lockheed Martin Advanced Technology Laboratories. The device was designed to implement NSA encryption algorithms and had a similar intent to the AIM and Sierra crypto modules. However, the principal references date back to the late 1990s and it does not appear that the CYPRIS ever earned NSA's Type 1 certification, without which it could not be used to protect classified government traffic.

CYPRIS was designed to address the cryptographic requirements of military software radios and wireless systems. Designed under an NSA contract, CYPRIS was optimized to implement a variety of legacy COMSEC and TRANSEC algorithms while enabling field upgrades to new and emerging INFOSEC algorithms. CYPRIS contains a high performance RISC core, a reconfigurable hardware unit, and a suite of programmable and automatic system check features. Unprogrammed, CYPRIS is an unclassified, non CCI, exportable device; when programmed it assumes the classification of its software. Over 20 core cryptoalgorithms were developed on CYPRIS.

Fill device module used to load cryptographic keys into electronic encryption machines

A fill device or key loader is a module used to load cryptographic keys into electronic encryption machines. Fill devices are usually hand held and electronic ones are battery operated.

In computing, Network Security Services (NSS) comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. Previously tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License, NSS upgraded to GPL-compatible MPL 2.0 with release 3.14.

The KSV-21 Enhanced Crypto Card is a US National Security Agency-approved PC card that provides Type 1 encryption functions and key storage to the STE secure telephones and other devices.

Cryptography practice and study of techniques for secure communication in the presence of third parties

Cryptography or cryptology is the practice and study of techniques for secure communication in the presence of third parties called adversaries. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages; various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation are central to modern cryptography. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, electrical engineering, communication science, and physics. Applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

References

↑ Shirey, Robert (August 2007). "Definitions". Internet Security Glossary, Version 2. IETF. p. 133. doi: 10.17487/RFC4949 . RFC 4949. Retrieved February 16, 2012.
↑ "FIPS-140-1 Security and FORTEZZA Crypto Cards". Choosing Security Solutions That Use Public Key Technology. Microsoft. Retrieved February 16, 2012.
↑ John R. Vacca (May 1995). "NSA provides value-added crypto security - National Security Agency; Group Technology's Fortezza Crypto Card". Communications News. Nelson Publishing. Retrieved February 16, 2012.

"FORTEZZA crypto card". Jane's Military Communications. Jane's Information Group. Aug 10, 2009. Retrieved February 16, 2012.
Workstation Security Products Division (2 January 1997). "Basic Certification Requirements for FORTEZZA™ Applications". National Security Agency. Retrieved February 16, 2012.
"NSA provides value-added crypto security".
"Fortezza Crypto Card". Crypto Museum. Retrieved February 16, 2012.
Kenneth W. Dam and Herbert S. Lin, ed. (1996). "The Capstone/Fortezza Initiative". Cryptography's role in securing the information society. National Research Council. Washington, DC: National Academy Press. pp. 176–177. ISBN 978-0-309-05475-1 . Retrieved 16 February 2012.
Peter Gutmann (2004). "The Capstone/Fortezza Generator". Cryptographic security architecture: design and verification. New York: Springer. pp. 236–237. ISBN 978-0-387-95387-8 . Retrieved 16 February 2012.

International Standard Book Number Unique numeric book identifier

The International Standard Book Number (ISBN) is a numeric commercial book identifier which is intended to be unique. Publishers purchase ISBNs from an affiliate of the International ISBN Agency.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Shirey, Robert (August 2007). "Definitions". Internet Security Glossary, Version 2. IETF. p. 133. doi: 10.17487/RFC4949 . RFC 4949. Retrieved February 16, 2012.

[2] "FIPS-140-1 Security and FORTEZZA Crypto Cards". Choosing Security Solutions That Use Public Key Technology. Microsoft. Retrieved February 16, 2012.

[3] John R. Vacca (May 1995). "NSA provides value-added crypto security - National Security Agency; Group Technology's Fortezza Crypto Card". Communications News. Nelson Publishing. Retrieved February 16, 2012.