Communications security

Last updated April 20, 2024

Communications security is the discipline of preventing unauthorized interceptors from accessing telecommunications ^[1] in an intelligible form, while still delivering content to the intended recipients.

In the North Atlantic Treaty Organization culture, including United States Department of Defense culture, it is often referred to by the abbreviation COMSEC. The field includes cryptographic security, transmission security, emissions security and physical security of COMSEC equipment and associated keying material.

COMSEC is used to protect both classified and unclassified traffic on military communications networks, including voice, video, and data. It is used for both analog and digital applications, and both wired and wireless links.

Voice over secure internet protocol VOSIP has become the de facto standard for securing voice communication, replacing the need for Secure Terminal Equipment (STE) in much of NATO, including the U.S.A. USCENTCOM moved entirely to VOSIP in 2008.^[2]

Specialties

Cryptographic security: The component of communications security that results from the provision of technically sound cryptosystems and their proper use. This includes ensuring message confidentiality and authenticity.
Emission security (EMSEC): The protection resulting from all measures taken to deny unauthorized persons information of value that might be derived from communications systems and cryptographic equipment intercepts and the interception and analysis of compromising emanations from cryptographic equipment, information systems, and telecommunications systems.^[1]
Transmission security (TRANSEC): The component of communications security that results from the application of measures designed to protect transmissions from interception and exploitation by means other than cryptanalysis (e.g. frequency hopping and spread spectrum).
Physical security: The component of communications security that results from all physical measures necessary to safeguard classified equipment, material, and documents from access thereto or observation thereof by unauthorized persons.

Related terms

AKMS – the Army Key Management System
AEK – Algorithmic Encryption Key
CT3 – Common Tier 3
CCI – Controlled Cryptographic Item - equipment which contains COMSEC embedded devices
ACES – Automated Communications Engineering Software
DTD – Data Transfer Device
ICOM – Integrated COMSEC, e.g. a radio with built in encryption
TEK – Traffic Encryption Key
TED – Trunk Encryption Device such as the WALBURN/KG family
KEK – Key Encryption Key
KPK – Key production key
OWK – Over the Wire Key
OTAR – Over the Air Rekeying
LCMS – Local COMSEC Management Software
KYK-13 – Electronic Transfer Device
KOI-18 – Tape Reader General Purpose
KYX-15 – Electronic Transfer Device
KG-30 – family of COMSEC equipment
TSEC – Telecommunications Security (sometimes referred to in error transmission security or TRANSEC)
SOI – Signal operating instructions
SKL – Simple Key Loader
TPI – Two person integrity
STU-III – (obsolete secure phone, replaced by STE)
STE – Secure Terminal Equipment (secure phone)

Types of COMSEC equipment:

Crypto equipment: Any equipment that embodies cryptographic logic or performs one or more cryptographic functions (key generation, encryption, and authentication).
Crypto-ancillary equipment: Equipment designed specifically to facilitate efficient or reliable operation of crypto-equipment, without performing cryptographic functions itself.^[3]
Crypto-production equipment: Equipment used to produce or load keying material
Authentication equipment:

DoD Electronic Key Management System

The Electronic Key Management System (EKMS) is a United States Department of Defense (DoD) key management, COMSEC material distribution, and logistics support system. The National Security Agency (NSA) established the EKMS program to supply electronic key to COMSEC devices in securely and timely manner, and to provide COMSEC managers with an automated system capable of ordering, generation, production, distribution, storage, security accounting, and access control.

The Army's platform in the four-tiered EKMS, AKMS, automates frequency management and COMSEC management operations. It eliminates paper keying material, hardcopy Signal operating instructions (SOI) and saves the time and resources required for courier distribution. It has 4 components:

LCMS provides automation for the detailed accounting required for every COMSEC account, and electronic key generation and distribution capability.
ACES is the frequency management portion of AKMS. ACES has been designated by the Military Communications Electronics Board as the joint standard for use by all services in development of frequency management and crypto-net planning.
CT3 with DTD software is in a fielded, ruggedized hand-held device that handles, views, stores, and loads SOI, Key, and electronic protection data. DTD provides an improved net-control device to automate crypto-net control operations for communications networks employing electronically keyed COMSEC equipment.
SKL is a hand-held PDA that handles, views, stores, and loads SOI, Key, and electronic protection data.

Key Management Infrastructure (KMI) Program

KMI is intended to replace the legacy Electronic Key Management System to provide a means for securely ordering, generating, producing, distributing, managing, and auditing cryptographic products (e.g., asymmetric keys, symmetric keys, manual cryptographic systems, and cryptographic applications).^[4] This system is currently being fielded by Major Commands and variants will be required for non-DoD Agencies with a COMSEC Mission.^[5]

Related Research Articles

The U.S. National Security Agency (NSA) used to rank cryptographic products or algorithms by a certification called product types. Product types were defined in the National Information Assurance Glossary which used to define Type 1, 2, 3, and 4 products. The definitions of numeric type products have been removed from the government lexicon and are no longer used in government procurement efforts.

A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file, which, when processed through a cryptographic algorithm, can encode or decode cryptographic data. Based on the used method, the key can be different sizes and varieties, but in all cases, the strength of the encryption relies on the security of the key being maintained. A key's security strength is dependent on its algorithm, the size of the key, the generation of the key, and the process of key exchange.

A secure cryptoprocessor is a dedicated computer-on-a-chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike cryptographic processors that output decrypted data onto a bus in a secure environment, a secure cryptoprocessor does not output decrypted data or decrypted program instructions in an environment where security cannot always be maintained.

Articles related to cryptography include:

The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device that secured "voice and data messages" with a built-in backdoor that was intended to "allow Federal, State, and local law enforcement officials the ability to decode intercepted voice and data transmissions." It was intended to be adopted by telecommunications companies for voice transmission. Introduced in 1993, it was entirely defunct by 1996.

Key management refers to management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.

There are a number of standards related to cryptography. Standard algorithms and protocols provide a focus for study; standards for popular applications attract a large amount of cryptanalysis.

STU-III is a family of secure telephones introduced in 1987 by the NSA for use by the United States government, its contractors, and its allies. STU-III desk units look much like typical office telephones, plug into a standard telephone wall jack and can make calls to any ordinary phone user. When a call is placed to another STU-III unit that is properly set up, one caller can ask the other to initiate secure transmission. They then press a button on their telephones and, after a 15-second delay, their call is encrypted to prevent eavesdropping. There are portable and militarized versions and most STU-IIIs contained an internal modem and RS-232 port for data and fax transmission. Vendors were AT&T, RCA and Motorola.

The National Security Agency took over responsibility for all U.S. Government encryption systems when it was formed in 1952. The technical details of most NSA-approved systems are still classified, but much more about its early systems have become known and its most modern systems share at least some features with commercial products.

The Electronic Key Management System (EKMS) is a United States National Security Agency led program responsible for Communications Security (COMSEC) key management, accounting, and distribution. Specifically, EKMS generates and distributes electronic key material for all NSA encryption systems whose keys are loaded using standard fill devices, and directs the distribution of NSA produced key material. Additionally, EKMS performs account registration, privilege management, ordering, distribution, and accounting to direct the management and distribution of physical COMSEC material for the services. The common EKMS components and standards facilitate interoperability and commonality among the armed services and civilian agencies.

The Secure Communications Interoperability Protocol (SCIP) is a US standard for secure voice and data communication, for circuit-switched one-to-one connections, not packet-switched networks. SCIP derived from the US Government Future Narrowband Digital Terminal (FNBDT) project. SCIP supports a number of different modes, including national and multinational modes which employ different cryptography. Many nations and industries develop SCIP devices to support the multinational and national modes of SCIP.

The KSD-64[A] Crypto Ignition Key (CIK) is an NSA-developed EEPROM chip packed in a plastic case that looks like a toy key. The model number is due to its storage capacity — 64 kibibits, enough to store multiple encryption keys. Most frequently it was used in key-splitting applications: either the encryption device or the KSD-64 alone is worthless, but together they can be used to make encrypted connections. It was also used alone as a fill device for transfer of key material, as for the initial seed key loading of an STU-III secure phone.

This glossary lists types of keys as the term is used in cryptography, as opposed to door locks. Terms that are primarily used by the U.S. National Security Agency are marked (NSA). For classification of keys according to their usage see cryptographic key types.

CYPRIS was a cryptographic processor developed by the Lockheed Martin Advanced Technology Laboratories. The device was designed to implement NSA encryption algorithms and had a similar intent to the AIM and Sierra crypto modules. However, the principal references date back to the late 1990s and it does not appear that the CYPRIS ever earned NSA's Type 1 certification, without which it could not be used to protect classified government traffic.

Over-the-air rekeying (OTAR) refers to transmitting or updating encryption keys (rekeying) in secure information systems by conveying the keys via encrypted electronic communication channels. It is also referred to as over-the-air transfer (OTAT), or over-the-air distribution (OTAD), depending on the specific type, use, and transmission means of the key being changed. Although the acronym refers specifically to radio transmission, the technology is also employed via wire, cable, or optical fiber.

<span class="mw-page-title-main">Fill device</span> Module used to load cryptographic keys into encryption machines

A fill device or key loader is a module used to load cryptographic keys into electronic encryption machines. Fill devices are usually hand held and electronic ones are battery operated.

The AN/PYQ-10 Simple Key Loader (SKL) is a ruggedized, portable, hand-held fill device, for securely receiving, storing, and transferring data between compatible cryptographic and communications equipment. The SKL was designed and built by Ralph Osterhout and then sold to Sierra Nevada Corporation, with software developed by Science Applications International Corporation (SAIC) under the auspices of the United States Army. It is intended to supplement and eventually replace the AN/CYZ-10 Data Transfer Device (DTD). The PYQ-10 provides all the functions currently resident in the CYZ-10 and incorporates new features that provide streamlined management of COMSEC key, Electronic Protection (EP) data, and Signal Operating Instructions (SOI). Cryptographic functions are performed by an embedded KOV-21 card developed by the National Security Agency (NSA). The AN/PYQ-10 supports both the DS-101 and DS-102 interfaces, as well as the KSD-64 Crypto Ignition Key. The SKL is backward-compatible with existing End Cryptographic Units (ECU) and forward-compatible with future security equipment and systems, including NSA's Key Management Infrastructure.

A cryptoperiod is the time span during which a specific cryptographic key is authorized for use. Common government guidelines range from 1 to 3 years for asymmetric cryptography, and 1 day to 7 days for symmetric cipher traffic keys.

Attempts, unofficially dubbed the "Crypto Wars", have been made by the United States (US) and allied governments to limit the public's and foreign nations' access to cryptography strong enough to thwart decryption by national intelligence agencies, especially the National Security Agency (NSA).

References

1 2 "AIR FORCE AIR INTELLIGENCE, SURVEILLANCE AND RECONNAISSANCE AGENCY INSTRUCTION 33-203" (PDF). The Air Force ISR Agency Tempest and Emission Security Program. Air Force Intelligence, Surveillance and Reconnaissance Agency. May 25, 2011. Archived from the original (PDF) on October 20, 2013. Retrieved October 3, 2015.
↑ USCENTCOM PL 117-02-1.
↑ INFOSEC-99
↑ "FY20 DOD PROGRAMS – Key Management Infrastructure (KMI)" (PDF). Retrieved 2023-08-21.
↑ "Archived copy" (PDF). Archived from the original (PDF) on 2016-09-17. Retrieved 2016-09-16.{{cite web}}: CS1 maint: archived copy as title (link)

External links

This article incorporates public domain material from Federal Standard 1037C. General Services Administration. Archived from the original on 2022-01-22. (in support of MIL-STD-188).
National Information Systems Security Glossary
This article incorporates public domain material from Dictionary of Military and Associated Terms . United States Department of Defense.
"INFORMATION SECURITY GUIDELINES FOR THE DEPLOYMENT OF DEPLOYABLE SWITCHED SYSTEMS" (PDF). Joint Staff. February 1, 2001. Archived from the original (PDF) on September 16, 2012.
"Communications Security (COMSEC) awareness training". U.S. ARMY SIGNAL CENTER AND FORT GORDON. April 17, 2000. Archived from the original on March 30, 2009.
https://web.archive.org/web/20121002192433/http://www.dtic.mil/whs/directives/corres/pdf/466002p.pdf
"Army Key Management Systems (AKMS)". Project Manager NETOPS Current Force. Archived from the original on September 30, 2010.
Cryptography machines

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[:0-1] 1 2 "AIR FORCE AIR INTELLIGENCE, SURVEILLANCE AND RECONNAISSANCE AGENCY INSTRUCTION 33-203" (PDF). The Air Force ISR Agency Tempest and Emission Security Program. Air Force Intelligence, Surveillance and Reconnaissance Agency. May 25, 2011. Archived from the original (PDF) on October 20, 2013. Retrieved October 3, 2015.

[2] USCENTCOM PL 117-02-1.

[3] INFOSEC-99

[4] "FY20 DOD PROGRAMS – Key Management Infrastructure (KMI)" (PDF). Retrieved 2023-08-21.

[5] "Archived copy" (PDF). Archived from the original (PDF) on 2016-09-17. Retrieved 2016-09-16.{{cite web}}: CS1 maint: archived copy as title (link)

[1]

[2]

[3]

[4]

[5]