30 March 2020

few comments on the secured 50-75Bd/850 FSK transmissions

Just to spend a bit of time during this ugly period, I thought I'd take a look at the naval BRASS systems (1) that use the 50Bd/850 and 75Bd/850 (STANAG-4481F) FSK waveforms as well as the crypto devices that are used in those transmissions.
A necessary introduction concerns the use of the terms KG-84 and KW-46: they do not necessarily mean that those devices are physically deployed ashore or aboard. Rather than the equipment, these names must be understood as referring to the "algorithms" in use since, with few exceptions, many of those devices are now obsolete and no longer used. The algorithms are actually emulated by interoperable and more compact devices such as, for example, the KIV-7M Programmable Multi-Channel Encryptor, which can be used for communicating with the older KG-84/KIV-7 family of devices. So, I talk about:

- KG-84: when the presence of the 64-bit frame sync followed by the 128-bit message indicator is detected;

- KW-46: when the presence of the Fibonacci bits generated by the polynomial x^31 + x^3 + 1 is detected (KW-46T uses that M-sequence to sync the KW-46R receive devices).

Using KiwiSDRs located in various parts of the world, and with some lists of logs from UDXF friends, I spent some days browsing the HF spectrum, recording and analyzing as many 50-75Bd/850 FSK transmissions as possible (so far I have come up to 51 different FSK channels), and logging the results into a spreadsheet. By the way, I added the "false 75Bd" frequencies (see this post) to the group of the 50Bd FSK.
Although the "working" list of frequencies is certainly not complete, one fact appears to emerge quite clearly: all the 50Bd/850 FSK transmissions use KW-46 encryption while all the 75Bd/850 FSK use KG-84/KIV-7 encryption!

Fig. 1
(French Navy 50Bd/850 FSK is a separate discussion: they use a 21-bit period stream consisting of frames which are delimited by two LFSR markers M1 M2 generated by the polynomials x^6+x^5+1 and x^7+x^6+1 and a logical "1" value bit; these transmissions were not considered here).

Given that KW-46 is used to secure the fleet broadcasts and KG-84 is used to secure Point-To-Point (PTP) circuits and multi-station nets [1], it follows that 50Bd/850 FSK is used for broadcast.
As for the 75Bd/850 FSK transmissions, they consist of a continuous flow of short/long messages; thus, since by their nature PTP and MRL (2) transmissions are sporadic and short-lived, 75Bd/850 FSK is used for "some type of broadcast" for those unspecified multi-station nets. In this regard, note that some stations may operate simultaneously with the two waveforms, for example NPN Lualualei (Hawaii, US), which has been heard on 9075 KHz (75Bd) and 9112 KHz (50Bd), thus serving two different purposes at the same time (Fig. 2).

Fig. 2
It should also be noted that different baud rates and encryption devices were used for GENSER (General Service) traffic and for CRITICOMM (operational intelligence) traffic, but that information is from old non-classified documents from 50 years ago.
It's not clear to me what "multi-station net" stands for, nor whether it still refers to naval communications (it could also be that 75Bd just repeats the 50Bd broadcast). The FSK hunt continues...

(1) BRASS (Broadcast and Ship to Shore) is an approach used by Navies, particularly in NATO countries, to communicate between Ships and Shore using HF Radio. The core of a BRASS service is a continuous HF broadcast going out to multiple ships and on several frequencies (typically four or five) to allow ships to select a frequency that works.

(2) The BRASS service makes use of three types of point to point link:
- Ship to Shore. A special link that supports message flow from a ship to shore and request to re-send missing or corrupt messages. Frequency Assignment Broadcast (FAB) is used to allow ships to share a pool of HF frequencies for ship to shore communication.
- Ship to Ship: to support direct communications between ships.
- Maritime Rear Link (MRL). A link between selected ships (usually "Command Afloat") and shore, supporting message flow in both directions.

15 March 2020

Again about the STANAG-4481F transmissions from NRTF Niscemi

(cryptomaster, I56578. KarapuZ)

STANAG-4481F on 18370 KHz from NPN US Navy, Guam
This is an update and just some remarks to a previous post which I reference for background. All frequencies are CF (tuning + 2k).

1) the signal

Discussing the signal together, my friend cryptomaster suspected that a 50 bps data flow is transmitted using a device which is designed to transmit only at a speed of 75 bps: it could be correct. The ratio 75/50 is equal to 1.5, thus each "original" bit is repeated 1.5 times. The bit editors work with an integer number of bits (they can't represent half a bit), thus the 1.5-bit view is possible only by aggregating two consecutive frames and then getting an integer number of 3 consecutive bits (i.e. 1.5 x 2): hence the 3-bit structure that we see (it's the same as the async 5N1.5 framing, which is represented as a 15-bit pattern, i.e. 7.5 x 2). Therefore the bits of the stream are allocated as follows:

An S-4481F transmission lasting 10 seconds produces 750 bits that can be arranged into a 3 x 250 bits pattern; by removing one column we get 2 x 250 = 500 bits that just match a 50bps transmission of the same duration (10 seconds).
But what about the M-sequence generated by the polynomial x^31+x^3+1? Notice that the Wagner(13,12) coding, which is used for example in STANAG-5065, replaces each second Fibonacci bit with the parity bit: well, the new Fibonacci sequence bits (half of the original ones!) still belong to the same polynomial x^31+x^3+1 (see this post).
Indeed, filtering out the replicated third bits from a 75bps demodulated stream from NSY Niscemi and resizing the resulting stream into a 7-bit pattern, it turns out that we get a usual KW-46 encrypted 7-bit stream (Fig. 1).

Fig. 1
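The polynomial check behind the KW-46 criterion in the 30 March post, applied to the 3-bit structure and to the every-second-bit property discussed above, as an added example that is not part of the original post. It assumes a bare sync sequence with no interleaved traffic bits, the tap relation s[n] ^ s[n+3] ^ s[n+31] = 0, and an a,b,b layout for each 3-bit group; all function names are hypothetical.

```python
# Added example: parity-check test for the x^31 + x^3 + 1 sync sequence.
# Assumptions (not from the original post): a bare sequence without traffic
# bits, the relation s[n] ^ s[n+3] ^ s[n+31] = 0, and the a,b,b layout.

SEED = 0x6B8B4567  # constructed, arbitrary non-zero 31-bit start state


def m_sequence(length, seed=SEED):
    """Bits satisfying s[n+31] = s[n+3] ^ s[n] (polynomial x^31 + x^3 + 1)."""
    s = [(seed >> i) & 1 for i in range(31)]
    while len(s) < length:
        s.append(s[-28] ^ s[-31])
    return s[:length]


def poly_fit(bits):
    """Fraction of positions where the three tapped bits XOR to zero."""
    checks = [bits[n] ^ bits[n + 3] ^ bits[n + 31] for n in range(len(bits) - 31)]
    return checks.count(0) / len(checks)


def to_75bps(bits50):
    """Model of 50 bps data clocked at 75 bps: each bit pair a,b sent as a,b,b."""
    out = []
    for a, b in zip(bits50[0::2], bits50[1::2]):
        out += [a, b, b]
    return out


def drop_replica(bits75, column=2):
    """Arrange the stream in 3 columns and delete one, keeping 2 of every 3 bits."""
    return [b for i, b in enumerate(bits75) if i % 3 != column]


def demo():
    src = m_sequence(500)            # 10 s at 50 bps
    tx = to_75bps(src)               # 10 s at 75 bps, 750 bits
    rx = drop_replica(tx)            # back to 500 bits
    half = m_sequence(2000)[0::2]    # every second bit of a longer run
    # A fit of 1.0 means every check passes; an unrelated stream sits near 0.5.
    return len(tx), len(rx), rx == src, poly_fit(tx), poly_fit(rx), poly_fit(half)


if __name__ == "__main__":
    print(demo())
```

Which column holds the replica depends on the sampling phase of the recording, so on a real capture each of the three columns should be tried in turn.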
In the light of the above, I analyzed the signals again in order to verify what we hypothesized and found above. I compared a signal from NSY Niscemi recorded on 6383 KHz (3-bit pattern S-4481F) and another one from NAU Isabela 12120 KHz (plain S-4481F) by using the modified quadrature amplitude detector of SA software: you can evaluate the different results (Fig. 2).

Fig. 2
Even more interesting: all the signals from Niscemi show the extra harmonics EXCEPT the signal on 6942 KHz, which is correctly modulated (Fig. 3) and coincidentally does not have the 3-bit pattern (Fig. 8).

Fig. 3
Then I selected the 50 Hz clock from the NSY signal and subsequently demodulated it by using the synch'ed FSK demodulator: the test was successful and replicated the same results that I found using the theory and manipulating the bitstreams (Fig. 4). So, 50 bps seems to be the right working speed.

If our analysis is correct and we are right, it seems that they use the 75 bps STANAG-4481F waveform to send 50 bps streams (?!). We do not know the reason but probably you can do this. In synchronous transmissions the DTE usually provides the transmit clock to the modem, but perhaps they could use a modem - e.g. like the Harris RF-5710A - which can recover the clock automatically from the incoming transmit data (transmit clock set to "DATA" or in "recovery mode").

As proved, decoding those signals using standard modes, or changing the speeds to 50 bps, unfortunately does not work: the only successful way is to sync the FSK demodulator to the 50 Hz clock of the signals. Since we are talking about shore-to-ship broadcast, I wonder how the receiving ships may manage these transmissions.

2) the source

(monitoring was carried out according to a list of frequencies from logs and in any case not 24/7)

a) Using remote KiwiSDRs, and with the help of my friend Mike "mco", I checked several S-4481F transmissions from AJE Barford St.John, NAU Isabela, NPG Dixon, NPM Lualualei, NPN Guam, NSY Niscemi, and NSS Davidsonville but - so far - only those from NSY and AJE exhibit the odd 3-bit pattern we are talking about. Despite many attempts, I have still not heard S-4481F transmissions from Totsuka and San Diego and I'm not aware of such transmissions from Diego Garcia (50Bd/850 only?) or any other station.
Below the current list of the successful frequencies:

5120.5 NSY
6383.0 NSY
7545.5 NSY
8145.0 NSY, AJE
8204.5 NSY

Note that most of the time the NSY frequencies are logged as "NSY Sigonella": well, NAVCOMTELSTA (U.S. NAVAL COMPUTER AND TELECOMMUNICATIONS STATION) Sicily, located in Naval Air Station Sigonella, manages the Naval Radio Transmitter Facility Niscemi, housing LF/HF transmitters [1][2]. Same story about AJE Barford St.John, which is probably sometimes reported as Croughton, nearby (6 miles distant) [3][4].

b) Interestingly, 8145 KHz is shared by NSY and AJE; often I have been able to see simultaneous broadcasts with the same contents (Figs 5,6).

The modified AM detector shows the same results as the ones of Fig. 3:

Fig. 7

 c) According to the Tx sites (NSY in Italy and AJE in UK) this type of traffic is beamed only by some European stations. 

d) As said above, I also spotted an S-4481F transmission on 6942 KHz that DF points to southern Sicily, thus it's again NSY. However, this signal does not have the expected 3-bit structure although it's contemporaneous with another S-4481F transmission beamed from NSY on 6383 KHz (Figs 8,9). So, it seems that most of the 3-bit structured signals come from NSY, but not all those coming from NSY have that feature. I have still not heard S-4481F transmissions on the other NSY frequencies 10974 and 15018 KHz.