3b crypto devices
Firefly Vector Set (FFVS)
-NSA developed -cooperative key generation scheme used for exchanging asymmetric key pairs -Diffie-Hellman key exchange
Asymmetric
-PUBLIC-KEY SYSTEM -uses two different keys: a public key and a private key -keys are generated at the same time, and data encrypted with one key can be decrypted with the other key
Symmetric
-SECRET-KEY cryptography -each side holds an identical copy of the key -very secure -able to achieve high encryption/decryption speeds using hi-tech crypto systems, significantly faster than public-key systems
Data Encryption Standard (DES)
-converts plaintext into ciphertext using a key that consists of 64 binary digits -of the 64 bits, 56 are randomly generated and used directly by the algorithm -the remaining 8 are used for error detection -uses 16 rounds of algorithm operations that mix the data and keys together -insecure and insufficient for classified use
Problems with the secret-key system
-copies of one key must be distributed to all sides to establish a mirror image -if a key is distributed through a non-secure communication channel, it may be compromised during transmission -if the key is discovered/intercepted by someone else, messages encrypted with any copy of that key can easily be decrypted -very sensitive to cryptanalysis
stream ciphers
-encrypt/decrypt each bit of data one at a time in a continuous stream of encrypted data -operate by combining a stream of pseudo-random digits (the key-stream) with the plaintext to generate ciphertext
Triple Data Encryption Standard (3DES)
-more secure -three-fold compound operation for encryption/decryption -encrypts the message with one key, the ciphertext is encrypted again with a second key, and the resulting ciphertext is encrypted yet again with a third key before the message is transmitted
KIV-7M (Link Encryptor)
-multi-purpose, programmable Type 1 (can encrypt TS) COMSEC link encryption and key management module that can interoperate with a wide variety of legacy encryption and key management modules as well as LEF -SYMMETRIC KEY SYSTEM -users must ensure the local end and distant end devices are using the same TEK
Diffie-Hellman key exchange
-one of the earliest -each party generates a public/private key pair and distributes the public key -after obtaining an authentic copy of each other's public keys, the parties can compute a shared secret offline -e.g. the shared secret can be used as the key for a symmetric cipher
One Time Pad
-one of the most secure types of encryption -a random string of digits is used as the key to encrypt your message, and that key is never used again
IP Encryption Devices
-operate at layer 3 -ensure secure network-centric connections over satellite, WAN, WiMax, broadband, dial-up, and wireless networks
Block Cipher
-operates by encrypting/decrypting one chunk of data at a time -most common symmetric algorithm
PKI allows you to conduct business electronically with the confidence that:
-the person identified as sending the transaction is the originator -the person receiving the transaction is the intended recipient -data integrity is not compromised -uses two-factor authentication
peer enclave communication on the PT side of a KG-175D when a client transmits data
1. goes through the PT (plain text) port
2. through the CT (cipher text) port, at which time the PT address is masked as it is encrypted and a new header is added that the TACLANE acquired from the peer enclave
3. a NIPR routed network
4. the Black side of the distant end TACLANE
5. the message is then decrypted as it goes to the PT side
6. when the receiving client obtains the message it is readable
Confidential and Secret info requires AES of
128-bit key lengths or higher
(Rijndael) ability to utilize
128-bit, 192-bit, and 256-bit key lengths
Top Secret requires AES
192 or 256-bit key length
(Symmetric) Specialized hardware systems utilize algorithms that fall into these two categories:
Block and Stream ciphers
how is the crypto key received?
from the CRO, KOAM, and the NSA; input into the equipment by the COMSEC authorized user using a common fill device
3 main algorithms block ciphers use to encode data
Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption Standard
what 'routing protocol' does the TACLANE use
IP routing using a form similar to static routing called PEER ENCLAVE ROUTES
To keep the keys secure while in transit, a _____ is used to encrypt the _____.
Key Encryption Key (KEK), Traffic Encryption Key (TEK)
Advanced Encryption Standard (AES)
The NIST AES selection team chose the new symmetric algorithm that commercial users and the government could use: RIJNDAEL and the RSA algorithm
AN/PYQ-10 Simple Key Loader (SKL)
NSA approved, ruggedized PDA capable of receiving, storing, and transferring key variables; can store up to 500k individual key variables
what is the most common software stream cipher in use
RC4. Secure Sockets Layer (SSL) uses RC4, which is used for its simplicity and speed in software.
1. IP encryption _____ from the local ____ is sent to the plain text side of the encryptor.
Red data, enclave
When the encryption device encrypts the data using the ____, the ____ data frame is no longer readable by a device on the ____ side, except by the other encryption device with the same _____ ____ and in use
TEK, red, black, TEK loaded
4. After the encryptor encrypts the traffic using the ____ it will add on an _____ so the data can be routed through the ____ along with the other unclassified data.
TEK, unencrypted header, Black (unclassified) NIPR network
SKL can store classified key data up to
Top Secret
KG-175D (TACLANE)
Type 1 In-Line Network Encryptor (INE) optimized for both tactical and strategic environments -high speed, compact, mobile -TS/SCI -supports IP ops over standard commercial networks -rudimentary router functionality
although keys used by the US govt are secret, unclassified 3DES keys can be found in
a number of devices for commercial use, such as VPN apps for secure tunneling connections
what are asymmetric algorithms better suited for
achieving authentication, integrity, and non-repudiation, and supporting confidentiality through key management
all cryptographic systems utilize
an algorithm and a crypto-key
public key infrastructures (PKI)
binds public keys to entities, enables other entities to verify public key bindings, and provides the services needed for ongoing management of keys
how is the key-stream determined
by the crypto-key
enclave
can be a single computer or an entire routed SIPR network
peer enclave routes
configured with the addresses of the other (peer) TACLANE, either as a route of last resort or as a directed route to the destination network or subnet
TEK is a key that encrypts the __________, whereas the KEK is a key that is used for the encryption or decryption of ______.
data passing through the device, other keys
what are asymmetric algorithms poorly suited for
encrypting large messages because they are relatively slow
over the air re-key (OTAR)
ensuring keys are sent securely to remote locations is vital to the nation's security and war efforts
the TEKs are used to
exchange data between the peer In-Line Network Encryptors (2 IP encryptors)
KIV-7M has two _______.
independent link encryption channels -configurable RED and BLACK input/output (I/O) ports enable the KIV-7M to interface with a wide array of communications and networking equipment
a common fill device can transmit a ____ through the secure connection to another _____ at a remote location
key, common fill device
Network encryption systems enable war-fighters to ______ while sharing _____ throughout air, land, sea, space, and enterprises.
maintain their mobility, classified information
three types of rekeys depending on the type of destination
manual rekey (MK), automatic rekey (AK), manual cooperative key transfer (MK/RV)
Gateway of last resort
if there is no peer enclave to a distant TACLANE, two clients will still talk: the gateway of last resort usually has a peer enclave to the distant end TACLANE, or it will forward the data to another TACLANE that may have a peer enclave to the destination (it just takes longer)
Manual cooperative key transfer (MK/RV)
point-to-point passing of a key that may be stored for future use in a common fill device at a remote location -useful if the area between the two locations is hostile
RIJNDAEL is the most ______ in both the commercial and government sectors.
popular
automatic rekey (AK)
preferred method for point-to-multipoint rekey -used to update a network with multiple subscribers -primarily done from a master station or communications focal point (CFP)
manual rekey (MK)
preferred method for point-to-point rekey -used to update a remote station that has no users at the location -the main station uses its secure link to transmit and automatically install the proper key
To decrypt the 3DES
the process must be reversed in sequence using the same keys
serial encryption devices
provide a secure link in serial applications between a host and a remote user (point-to-point) or users (point-to-multipoint) -layer 2
common fill device (CFD)
receives, stores, and transfers key variables to End Cryptographic Units (ECUs)
3. The encryptor will be configured with a _____ to send the message packets to the other ____ or _____.
routing function, SIPR network or peer enclave
The Diffie-Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a _________ over an _____ channel. This key can then be used to encrypt subsequent communications using a _______.
shared secret key, unsecure, symmetric key cipher
2. The two sides of the encryptor are configured with _____ so that they can be ____ by the local routed network.
static addresses, discovered
PPK Pre Placed Key
a symmetric system, meaning it uses only one key to encrypt/decrypt information -encryption keys are pre-positioned in the cryptographic unit
If the distant end KIV-7 does not have the same TEK as the local KIV-7 (either because the key expired or was deleted)
then no traffic can be sent and OTAR cannot be accomplished
a unique ____ is generated, called the _____, and used for encryption/decryption
third key, FIREFLY-Generated Traffic Encryption Key
over the air rekeying
to update the keys stored in the KIV-7, someone has to load them from a common fill device, or the distant end must be updated using one of the 3 methods of OTAR
SIPR data is ____ through the ______ to the ______.
tunneled, NIPR network, peer enclave
over the air distribution (OTAD)
two-way secure transmission used to update or distribute a key to remote locations
Crypto Ignition Key (CIK)
used to lock and unlock access to the encrypted key database
advantage of asymmetric key cryptography
uses keys that are so different that it is possible to publicize one without danger of anyone being able to derive or compute the other; the private key cannot be determined from the public key