29 May 2023

Harris Citadel II secured traffic?

For some days now I have been spending some time monitoring the 6.8-7.1 MHz band, where several STANAG-4538 (3G-HF) signals can be received, among them also WHARQ wideband activity, the latter being waveforms developed by Harris (now L3Harris) [1]. Figure 1 is an example.


Fig. 1 - L3Harris WHARQ traffic [1]
 
What turned out to be very interesting are the S-4538 circuit mode services where MS-110A is used as the traffic waveform (Figure 2). Note also that sometimes the packet mode service follows; in the case of Figure 2 it uses the low-latency data link (LDL) protocol and the BW3-BW4 waveforms.

Fig. 2 - STANAG-4538 traffic using circuit mode and packet mode services

After demodulation of some MS-110A segments, the presence of the well-known sync sequence
1E 56 1E 56 1E 56 1E 00 1A 5D 1A 5D 1A 5D 1A 5D 
in all the segments indicates that the traffic is secured by the Harris Citadel cryptographic engine [2]; so far nothing new (Figure 3).

Fig. 3

What really surprised me is that once the sync sequence is removed (or the bitstream is reshaped to a 128-bit period), a 256-bit pattern, split in 2 parts each repeated 3 times, emerges from the bitstreams... never seen before in such secured transmissions!

74 04 9F 5C 72 1C 0F 51 CB EE 30 AA F6 01 ED 1A 54 F0 CE C2 DA 02 C8 CB 81 91 3C 8A C9 07 67 01
EE 82 FB 12 56 78 A1 2E 75 7F 21 39 26 24 A7 A8 F4 A6 CF CE 56 B0 E4 18 22 E2 F1 C0 1E 8E 17 DA
40 36 4B A6 74 6A 63 05 A5 E8 81 14 A7 65 25 73 43 26 17 13 0D AB 4C F0 90 8D 5B 5A AB A5 4C 9A

Fig. 4 - 256-bit patterns (2x128)

Even more interesting is the fact that the bitstream resulting from the demodulation of one of the BW3 bursts (the same 111-byte packet was sent several times), while indicating Citadel encryption, does not show those 2x128-bit patterns (Figure 5).

Fig. 5 - BW3 bitstream (8/128 bits period)
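The two observations above (a 2x128-bit pattern, each half repeated 3 times, that appears once the sync sequence is stripped from the MS-110A segments, and its absence in the BW3 packet) can be reproduced on a constructed bitstream. The following is an added example and not code from the original post: it takes the sync sequence and the first 256-bit pattern of Figure 4 from the post, builds two sample streams around them with random filler standing in for ciphertext (constructed here, not captured), strips the sync sequence, then reshapes the remainder into 128-bit rows at every possible phase and reports runs of consecutive identical rows. The stream layout (halves placed right after the sync, followed by filler) is an assumption for the sake of the demo, not the real frame structure.

```python
import random

# Sync sequence the post associates with Harris Citadel traffic (hex taken from the post)
CITADEL_SYNC = bytes.fromhex("1E561E561E561E001A5D1A5D1A5D1A5D")

# The two 128-bit halves of the first 256-bit pattern listed in the post (Fig. 4)
HALF_A = bytes.fromhex("74049F5C721C0F51CBEE30AAF601ED1A")
HALF_B = bytes.fromhex("54F0CEC2DA02C8CB81913C8AC9076701")


def strip_sync(stream: bytes, sync: bytes = CITADEL_SYNC) -> bytes:
    """Remove every byte-aligned occurrence of the sync sequence."""
    return stream.replace(sync, b"")


def repeated_runs(stream: bytes, block_bits: int = 128, min_repeats: int = 3):
    """Reshape the stream into block_bits rows at every phase 0..block-1 and
    return, for the phase with the most repeated rows, a list of
    (byte_offset, row_hex, repeat_count) for runs of identical consecutive rows."""
    block = block_bits // 8
    best = []
    for phase in range(block):
        body = stream[phase:]
        rows = [body[i:i + block] for i in range(0, len(body) - block + 1, block)]
        runs, i = [], 0
        while i < len(rows):
            j = i
            while j + 1 < len(rows) and rows[j + 1] == rows[i]:
                j += 1
            if j - i + 1 >= min_repeats:
                runs.append((phase + i * block, rows[i].hex().upper(), j - i + 1))
            i = j + 1
        if sum(r[2] for r in runs) > sum(r[2] for r in best):
            best = runs
    return best


def candidate_iv(stream: bytes, half_bits: int = 128, repeats: int = 3):
    """Return the concatenated hex of two adjacent repeated halves (the candidate
    2x128-bit IV of the post), or None if the pattern is not present."""
    runs = repeated_runs(strip_sync(stream), half_bits, repeats)
    if len(runs) != 2:
        return None
    (off1, hex1, n1), (off2, hex2, _n2) = runs
    if off2 != off1 + n1 * (half_bits // 8):  # halves must follow each other
        return None
    return hex1 + hex2


def build_circuit_mode_sample(seed: int = 7, filler_bytes: int = 48) -> bytes:
    """Constructed MS-110A-like stream: sync, HALF_A x3, HALF_B x3, random filler
    standing in for ciphertext, sync. Layout is an assumption of this demo."""
    rng = random.Random(seed)
    filler = bytes(rng.randrange(256) for _ in range(filler_bytes))
    return CITADEL_SYNC + HALF_A * 3 + HALF_B * 3 + filler + CITADEL_SYNC


def build_bw3_sample(seed: int = 7, payload_bytes: int = 111) -> bytes:
    """Constructed BW3-like packet: sync plus 111 random bytes, no repeated rows."""
    rng = random.Random(seed)
    payload = bytes(rng.randrange(256) for _ in range(payload_bytes))
    return CITADEL_SYNC + payload


if __name__ == "__main__":
    for name, sample in (("circuit mode", build_circuit_mode_sample()),
                         ("BW3 packet", build_bw3_sample())):
        print(name)
        for off, row, n in repeated_runs(strip_sync(sample)):
            print(f"  offset {off:4d}: {row} x{n}")
        print("  candidate IV:", candidate_iv(sample))
```

On the constructed circuit-mode stream the scan finds the two halves only at phase 0, each repeated 3 times and adjacent, so `candidate_iv` returns the 256-bit pattern; on the BW3-like packet no 128-bit row repeats and it returns None, which is the same contrast the post draws between Figures 4 and 5. Whether the real traffic places the halves directly after the sync sequence is not something the post establishes; on a real demodulated stream one would run `repeated_runs` without assuming a phase, which is why the function tries all of them.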

So: 

* since, for example, KG-84/KIV-7 use a 16-byte Initialization Vector which is sent in 2 parts of 64 bits, each repeated 4 times,
* given the presence of the well-known Citadel start/stop sequences,
* and since it does not look like an AES algorithm, the AES Initialization Vector being 16 bytes (one block) regardless of the key size (12 bytes for AES-GCM),

my guess is that we may be seeing 32-byte Initialization Vectors, sent in 2 parts of 128 bits each repeated 3 times, and that these transmissions could be secured by the 256-bit Harris Citadel II algorithm [3], which likely needs such IVs.
Obviously that's just my speculation; comments are welcome.

Monitoring was possible thanks to KiwiSDRs in Romania (YO8SGV - Dorohoi) and Russia (radiorubka - Tambov), so they must be using low power and NVIS techniques.

https://disk.yandex.com/d/B_dK5qiBJTnn3g

[1] https://i56578-swl.blogspot.com/search/label/WHARQ
[2] https://www.cryptomuseum.com/crypto/harris/citadel/index.htm
[3] https://www.cryptomuseum.com/crypto/harris/citadel2/index.htm
 

16 May 2023

yet another unid signal

A strange unid signal appeared last week on about 5458 kHz (1730Z) and 15200 kHz (1629-1700Z), both apparently using USB (Figure 1); the first was logged by cryptomaster and the other by Philby (Nicolas, from dxuti.fr), who kindly sent me their recordings.

Fig. 1

Although the type of emission is different (continuous and burst mode), some characteristics suggest that they are the same type of signal. Figure 2 shows that the continuous signal has a period of 71 ms consisting of six frames of 12 ms each.
 
Fig. 2 - periodicity and frame structure of the continuous-mode signal

Looking at the 15200 kHz recording, each burst lasts about 333.34 ms and is characterized by a 71.4 ms period, each period consisting of six frames of about 12 ms. Notice the different speeds of the header and the body (Figure 3).
 
Fig. 3 - periodicity and frame structure of the burst-mode signal

No idea about the purposes and the user, maybe a kind of alignment signal... I really don't know; at a glance, strings of "01"s... but I could be wrong: some unid signals emerge during these war times.
As for locating the Tx site, my friend Philby attempted a TDoA search which resulted in a site near Lake Urmia (Fig. 4): the lake is located between the provinces of East Azerbaijan and West Azerbaijan in Iran, west of the southern portion of the Caspian Sea. It's interesting to notice that near this location there is a combined Mil/Civ airfield hosting an IRIAF (Islamic Republic of Iran Air Force) composite helicopter/transport aircraft unit in support of the Urmia border regiment.
 
Fig. 4
Comments are always welcome.
 

12 May 2023

TADIRAN HF modem running in scrambler mode (2)

Fig. 1

Tadiran/Elbit HF modem, probably the HF-6000 model, running in COMSEC mode using FSK 125 Bd/300 Hz Digital Coded Squelch (DCS) and scrambled voice comms. The FSK segments (the DCS part) sent during the scrambled voice comms have a speed of 125 Bd and a 300 Hz shift, i.e. the same parameters as the initial F7B (apparently MFSK-4) waveform, and consist of a 160-bit period bitstream (Figure 2).

Fig. 2 - main DCS parameters

It's worth noting that the transmission was sent using LSB (Figure 3).

Fig. 3

https://disk.yandex.com/d/novPamUmQksXmg