30 May 2018


Finally a useful and fast tool to check the presence of T207 encoding in FSK bitstreams. The tool T207_test runs on Octave, a programming language for scientific computing, and was originally - and roughly - coded by me and then optimized and speeded-up by Christoph:

The script builds a n x 14 test matrix and for each row computes the number of "1" bits in the first 12 columns; then check if the 13-14 bits value is the one expected according to the table below. Since the 2-bit 'checksum' can occur everywhere within the 14-bit frame, the stream is shifted up to 14 times building a new test matrix at each shift. The script counts the success checks for each test matrix and display the results. The better test matrix is also plotted along the frame start offset (ie after how many shifts).

25 May 2018

NATO naval broadcast and KW-46 encryption

This post follows up and completes the one of Christoph where he noticed the presence of LFSR delimited 7-bit frames in STANAG-4285 payloads using GNU Octave scripts.
Given that: 

1) the HF waveform STANAG-4285 is largely used for NATO naval broadcasts;

2) the markers consist of the bits of pseudo-random sequence generated by the polynomial x^31+x^3+1, as specified by STANAG-5630 and already seen in FSK 50Bd/850;

3) those bits (termed "Fibonacci bits") are used by KW-46 cryptographic equipment to provide  synchronization; 

we can assume that NATO naval broadcasts are secured with KW-46 encryption (code name Vallor). 

We analyzed several STANAG-4285 transmissions in both 600L and 1200L sub-modes picked up in well-known frequencies belonging to British, Danish, Dutch, French, German, Norwegian and Spanish Navy as (frequency USB/S4285 sub-mode):
and in all we verified the presence of the Fibonacci bits.

STANAG-4285 bitstreams after deinterleaving and convolutional decoding
Fibonacci bits (before descrambling) 

By the way, NATO naval broadcast consists of a continuous coded stream of data which is typically be transmitted over multiple HF frequencies at the same time, providing an uninterrupted data flow from shore to ships. In the absence of messages to be transmitted, "jam" messages (pseduo-random chars) is injected into the data stream.

28 May update
NATO RATT (4481-F) 75Bd/850, same story as above, ie:
"taps" 1000000000000000000000000000100 = polynomial x^31+x^3+1 = KW-46 encryption. 
This stream has been processed using Octave scripts and Christoph's C++ code.


23 May 2018

French Navy Broadcast, FSK 50Bd/850

Following the previous post, I decided to analyze the French FSK 50Bd/850 in order to replicate the results obtained by my friend Christoph Mayer in his blog: happy to say that the results coincide.

French-Ny FSK 50Bd/850 has a characteristic 21-bit period and, in a way similar to STANAG-5065, two/three sub-frames which are delimited by the bits of two LFSR markers M1 M2 and a logical "1" value bit (1-bit). The sequences for the two markers are generated by the LFSRs described by the polynomials x^6+x^5+1 and x^7+x^6+1.
Since the missing of an initial sync in the recording, the 1-bit can occur in any position within the 21-bit frame therefore markers' positions are reported as relative to the 1-bit. A possible more significative layout shows 2 possible sub-frames (5 and 13 bits length).

Obviously, the length of the markers' patterns match the length of the respective generator polynomials.

One of such transmissions  heard on 8516.8/usb (offset + 2000Hz) has DF'ed to "La Regine" (Saissac), callsign of the station is FUG

22 May 2018

Exploring FSK 50Bd/850 transmissions for STANAG-5065 and KW-46 encryption

Although STANAG-5065 indicates the standards required for naval LF shore-to-ship broadcast with KW-46 encryption devices [1], some implementations of this standards can also be found in HF waveforms such as the FSK 50Bd/850. I came up with the idea to depeen after reading an interesting Christoph Mayer' post .

Quoting STANAG-5065 Annex A, BASEBAND PROCESSING [2]: 
"Encryption and decryption sall be provided by KW-46 interoperable cryptographic equipment operating in the 6.0 Stepped Digital mode. Encryption by the KW-46 equipment sall be coded in the 7-0 unit SART-TOP ITA2 alphabet. Encryption by the KW-46 equipment will result in bits 1 through 6 being encrypted and bit 7 (STOP) being replaced with an unencrypted and deterministic Fibonacci bit", where "Fibonacci bits = Deterministic unencrypted bits used by the KW-46 interoperable cryptographic equipment to provide synchronization defined by the polynomial x^31+x^3+1."

7-bit frame delimited by KW-46 sync bit
x x x x x x KW-46
1 2 3 4 5 6 7

The goal was to arrange the demodulated bits (courtesy of Christoph) into a 7-bit format stream and then process each column of the stream in order to find a descrambler polynomial - if any - that was the same as the one indicated in STANAG-5065 standard. As expected, only the bit-7 column can be successfully descrambled using the LFSR described by the polynomial x^31+x^3+1.

As seen,  STANAG-5065 and KW-46 can be meet also in HF secured naval broadcasts with the commonly used FSK waveform 50Bd/850Hz. For what concerns the users, such signals were recorded on 4905, 4985, 7455 and 16123 Khz (all CFs) using KiwiSDRs located at DF0KL and at Newport,OR: user is probably US Navy.

 [1] In the late 1980's, the KW-46 simplex cryptosystem was introduced in order to provide communications security (COMSEC) for naval broadcasts to naval fleets (Fleet Broadcast). Formally, this equipment is called "Fleet Broadcast Security Equipment, TSEC/KW-46". The  KW-46 consists of the KWT-46 transmitter and the KWR-46 receiver (code name Vallor).

[2] STANAG-5065 Annex A


16 May 2018

MIL 188-220 Appendix D, standards for COMSEC transmissions

A recent post in radioscanner (my nickname is "ansanto" there), and some interesting discussions with a friend of mine, gave me the opportunity to study that signal and deepen the theme that is dealt with by MIL 188-220. In particular, the signal in question (courtesy by KarapuZ) concerns a transmission with link encryption provided by external COMSEC devices, in accordance with what is reported in the Appendix D of the cited standard, ie "transmission frame structure in either external and embedded COMSEC modes".

In short, in external COMSEC transmission frame the clear-text (not encrypted) part of the transmission frame is the "COMSEC Preamble", depicted below, which consists of the subfields: 
a. COMSEC Bit Synchronization
b. COMSEC Frame Synchronization
c. Message Indicator - MI or, better, Initialization Vector - IV (1)

The COMSEC Frame Synchronization subfield is used to provide a framing signal indicating the start of the encoded MI to the receiving station. This subfield is 465 bits long, consisting of 31 Phi-encoded bits. The Phi patterns are a method of redundantly encoding data bits. The logical data bits 1 and 0 are encoded as shown in figure. 

The Message Indicator subfield (MI) contains the COMSEC-provided MI, a stream of random bits that are redundantly encoded using Phi patterns.

Alternatively, in the embedded COMSEC transmission frame the clear-text part, depicted below, is composed of the following components:
a. Phasing
b. Frame synchronization (Standard Frame Sync or Robust Frame Sync)
c. Robust Frame Format (RCP only)
d. Message Indicator/ Initialization Vector

Back to the signal, it was heard by KarapuZ in the 33 MHz band and it is a GFSK modulation at a rate of 16000 Baud that can be easily processed using SA (Fig. 1).

Fig. 1
Once demodulated it turns out to be an encrypted transmission with the COMSEC Preamble that is easily identified  and consisting of the initial phasing part followed by two 15-bit encoded blocks: likely the encoded frame sync and Message Indicator (Fig. 2).
Fig. 2

Since 188-220 is based on the VINSON algorithm, the used encryption is presumably KY-57 and taking into account the band where it was listened... everything points to the SINCGARS radio (Single Channel Ground and Airborne Radio System) [1]. 
By the way, a dear friend of mine sent me a recording but once demodulated it uses 16 bits encoding patterns frames instead of 15 bits ones (Fig. 3). "I guess it is some modern crypto using a backwards compatibility mode, the clue is that it could be KY-99 that is the replacement for KY-57 in SINCGARS, but that point is unconfirmed. More signals and work will be necessary to clarify these points", my friend says. 

It is interesting to see how NATO KG-84 encryption relates to 188-220 Appendix D (Fig. 4).
KG-84 is similar to the emebedded COMSEC transmission frame, although the 64-bit pattern of KG-84 Standard Frame sync 
is different from the patterns reported in Appendix D for Standard and Robust Frame sync. Moreover, the Message Indicator is not encoded using the Phi 15 bits, although it is redundantly encoded. That's probably ok since KG-84 is based on SAVILLE algorithm and 188-220 is VINSON based. Note as in some KG-84 "detectors" the Standard Frame sync is termed as "SYNC" and the MI data as "Initialization vectors".

Fig. 4 - NATO KG-84 encryption and 188-220 embedded COMSEC

The Turkish-Mil FSK, also using KG-84, deserves aside consideration (Fig. 5). Perhaps they encode the Mesage Indicator field using Golay and do not use redundant n-bit encoding, but it's only IMO. However "the encoding with Phi patterns is used for backward compatibility", 188-220 says.

Fig. 5 - Turkish-Mil FSK and 188-220 embedded COMSEC

(1) An Initialization Vector (IV) or starting variable (SV) is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process. An initialization vector has different security requirements than a key, so the IV usually does not need to be secret. However, in most cases, it is important that an initialization vector is never reused under the same key.[2] [3]
Please notice that just starting with this post I will use the term "Initialization Vector" to indicate the (repeated) pseudo-random sequence that is used to synch the receive crypto equipment. 

[1] http://www.cryptomuseum.com/radio/sincgars/

12 May 2018

unid PSK-8 bursts on 8040.0 & 11072.0 (all usb)

8040.0/usb 0755z 188-110A Serial, long sequence of 1200ms bursts (noise by adiacent Northwood HF-fax) bearing the same sequence


11072.0 CF PSK-8 2800Bd, two stations exchanging 700ms bursts. The waveform fas a period of 140 symbols, most likely 40 symbols are used for mini-probes and 100 symbols for data. Bursts start and end with a short 2500Hz tone.

7 May 2018

Telsy/Q-MAC MPSK 30+1 48.8Bd 60Hz
i56578, DF3LZ,KarapuZ

Radio-check bewteen voice callsigns GAMMA 130 and ROSTRO 530 (respectively It-GdF shore station and patrol-boat) followed by short MPSK blocks, most likely digital voice.  
The MPSK signal occupies a bandwidth of ~2280Hz and has a FSK-2 600Hz shift preamble lasting 150ms (Fig. 1). Except for the 1st block, the FSK preambles of the following 3 blocks are similar. The 30 tones are 60Hz spaced: in the lower group of 20 tones the π/4-DQPSK modulation at 48.8Bd is used; in the upper group of 10 tones, a mix of modulations (MFSK, DBPSK and π/4-DQPSK) at same 48,8Bd speed is used (Fig. 2).

Fig. 1
Fig. 2 - upper group of 10 tones (credits to KarapuZ)
The tone in between the two groups is modulated using DBPSK2 at 48.8Bd (same speed as above) and is used for for synch purposes. The 3 blocks have the same sequences transmitted in the sync channel (Fig. 3). 

Fig. 3

This signal is similar to the Q-MAC HF modem waveform reported by radioscanner, except for the presence of the FSK preamble (Fig. 4). Indeed, a DXer from UDXF suggested the  Telsy TCH01c  rather than Q-MAC modem. Quoting form Telsy documentation [1]: "The TCH01c – Telsy Crypto Handset – is a unique and sophisticated encryption unit, combining an encryption module, a vocoder and a modem in a single handset."  Well, in August 2009 Barrett Communications has announced its acquisition of Q-MAC Electronics:
and it's interesting to note that Barrett recommends the Telsy TCH01c crypto handset for some of their transceivers:
That said, perhaps Telsy embeds the modem in their handset using a Q-MAC/Barret EOM license? I emailed Telsy but I did not have any reply.
Fig. 4 - signal by radioscanner (upper) and the signal being analyzed

It's also interesting to note that the digital signal was preceded by the following comms:
GAMMA 160: let's have a try with a 'passage' in red, I'll take you
ROSTRO 530: yes go ahead, take me up
usually "red" stands for not encrypted transmissions so it seems that they used a clear-text transmission for the modem check.

2 May 2018

188-110C/D Appendix D, waveform Id 0 (ortogonal Walsh modulation)

9213.0/usb: 188-110C/D Appendix D waveform Id 0 (WID0) using ortogonal Walsh modulation in preamble section and in data blocks. The use of this waveform leads to think to poor channel conditions...

Symbols are scrambled to appear as PSK-8 on-air, symbol-rate 2400Bd.

audio recording (wav): https://yadi.sk/d/N9979JiT3VAbtW
binary stream after PSK-8 demodulation: https://yadi.sk/d/iwgDYrr73VAcCj