5 June 2023

Harris Citadel II secured transmissions, 12/32-byte IVs

Continuing to monitor and analyze the receivable signals around the 7 MHz band, I am increasingly convinced that Harris Citadel II is the encryption algorithm used for these transmissions. In the analysis of the bitstreams published in the previous post [1], I spotted patterns that look like 32-byte Initialization Vectors: the 256 bits are split into two 128-bit parts, each repeated three times, sent just after the Citadel sync sequence and prepended to the ciphertext (Figure 1).

Fig. 1 - 32-byte (256-bit) IV

This type of encrypted transmission occurs when the STANAG-4538 circuit mode service is used; in the packet mode service (LDL/HDL protocols), although Citadel is also used there, the bitstreams do not show any repeating pattern: my guess is that in that case the Citadel I algorithm is being used.
That said, I took care to catch and record only the circuit mode transmissions, still within the same portion of the HF band. Bitstream analysis turned out to be very useful, especially for the transmissions recorded on 6769.5 and 6772.5 kHz/USB: in these transmissions the Initialization Vector (IV) used is 12 bytes (96 bits) long and is repeated three times (Figure 2). This is really interesting, since I would have expected to see a 32-byte IV as in other similar recordings.

Fig. 2 - 12-byte (96-bit) IVs after removal of the initial sync sequences

I have verified this characteristic in all the transmissions recorded on that frequency; Figure 2 lists only a few for brevity.

Fig. 3

So far, I've observed the following format (related to S-4538 circuit mode services):

16 bytes start/sync sequence 0x1E561E561E561E001A5D1A5D1A5D1A5D (Citadel)
12 bytes IV (repeated 3 times) - OR - 32 bytes IV (2×128-bit parts, each repeated 3 times)
ciphertext
...
8 bytes end sequence 0x1E561E561E561E08 (Citadel)
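As an added illustration (not part of the original post), a small Python parser for the frame layout above: it checks the Citadel sync and end sequences and decides between the 12-byte and 32-byte IV layouts from the repetition pattern. The frame bytes it is fed are constructed for the test, not taken from a recording, and nothing about the Citadel II cipher itself is modelled.

```python
# Parser for the observed S-4538 circuit-mode frame layout (added example).
SYNC = bytes.fromhex("1E561E561E561E001A5D1A5D1A5D1A5D")  # 16-byte start sequence from the post
END = bytes.fromhex("1E561E561E561E08")                   # 8-byte end sequence from the post


def _repeated(buf, size, times=3):
    """Return the leading `size`-byte unit if buf starts with it `times` times, else None."""
    unit = buf[:size]
    if len(buf) >= size * times and buf[:size * times] == unit * times:
        return unit
    return None


def parse_citadel_frame(frame):
    """Split a frame into IV and ciphertext according to the two observed IV layouts.

    The 32-byte layout (two 16-byte halves, each sent 3 times = 96 bytes) is tried
    first because it constrains more bytes, then the 12-byte layout (12 x 3 = 36 bytes).
    A frame with no repeated-IV pattern raises ValueError (e.g. packet-mode traffic).
    """
    if not frame.startswith(SYNC):
        raise ValueError("no Citadel sync sequence")
    if not frame.endswith(END):
        raise ValueError("no Citadel end sequence")
    body = frame[len(SYNC):len(frame) - len(END)]
    half1 = _repeated(body, 16)
    half2 = _repeated(body[48:], 16) if half1 is not None else None
    if half1 is not None and half2 is not None:
        return {"iv_len": 32, "iv": half1 + half2, "ciphertext": body[96:]}
    iv = _repeated(body, 12)
    if iv is not None:
        return {"iv_len": 12, "iv": iv, "ciphertext": body[36:]}
    raise ValueError("no repeated-IV pattern (Citadel I or non-circuit mode?)")


def build_frame(iv, ciphertext):
    """Constructed helper: lay out a frame as described in the post (not a real capture)."""
    if len(iv) == 12:
        body = iv * 3
    elif len(iv) == 32:
        body = iv[:16] * 3 + iv[16:] * 3
    else:
        raise ValueError("IV must be 12 or 32 bytes")
    return SYNC + body + ciphertext + END


if __name__ == "__main__":
    # Constructed sample values, chosen only to exercise both layouts.
    sample_ct = bytes([0xAA]) * 20
    for sample_iv in (bytes(range(1, 13)), bytes(range(32))):
        print(parse_citadel_frame(build_frame(sample_iv, sample_ct)))
```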

The different lengths of the Initialization Vectors used (12 and 32 bytes) suggest that the Citadel II algorithm (if that is what this is) can be configured for different block cipher modes with different block lengths; moreover, it is backward compatible with its predecessor Citadel I, given the coexistence of circuit/packet modes within the same logical link (see the comment in the previous post). Anyway, different configurations of the algorithm on different frequencies make me think of field tests: indeed, war theaters are formidable test-beds not only for weapons but also for milcomm technologies, new waveforms and COMSEC.

The little information I could find by googling the web seems to confirm my guess, even if I still have no confirmation: "The Citadel II algorithm can be operated using any block cipher traffic mode [...] include Cipher Feedback mode (CFB), Counter Mode and Self Synchronizing Cipher Feedback Mode (SSCFB). The 256-bit Citadel II algorithm provides a configuration that is interoperable with current Citadel I-based applications and a configuration that is fully disclosable" [2]. Note that although Citadel I and II are referred to as algorithms, they are actually ASICs (Application-Specific Integrated Circuits), i.e. algorithms rendered in hardware, which are embedded, for example, in Harris Falcon II and Falcon III family radios.

It is still not clear to me why the (presumed) Citadel II encryption is not used in packet mode transmissions, i.e. in the LDL/HDL protocols: I don't think it is due to problems acquiring the IVs, since at the upper layer surely sits a data link protocol like S-5066, which is able to reassemble the received packets.

Obviously, as said, this is just my speculation and comments are welcome: further recordings and a bit of luck may help...

https://disk.yandex.com/d/2ceYFGyy0LWdJA

[1] https://i56578-swl.blogspot.com/2023/05/harris-citadel-ii-secured-traffic.html
[2] https://www.researchgate.net/...
