22 June 2018

redefining T207 (CIS-14) checksums

T-207 (T-207, T-207 2M "VIKTORIA" - Soviet teletype encryption device) is a multiplexed two channels "system" that is used in several CIS waveforms. Since the lack of official documentation it's difficult to say much more about the T207: guys from radioscanner talk about "equipment" as a in-line ciphering device while ex DDR STASI archives refer to T207 as an "encryption algorithm".
CIS-14 (also known as as TORG 14) is a designation of a transmission mode: a full duplex system using FSK at several speeds (42.1Bd, 47.5Bd, 48Bd, 50Bd, 70.5Bd, 72Bd, 83.3Bd, 84.21Bd, 94.11Bd, 96Bd, 100Bd, 144Bd, 192Bd, 200Bd, 288Bd, ...) and shifts. Data of two independent data channels can be processed; they are in MTK-2 alphabet (Russian [Cyrillic] Third-shift ITA-2, sometimes also called "ITA-2 Cyrillic M2") thus have 5 bits per character, but are transmitted in 14-bit frames, each containing two characters.
As shown in figure 1, the data code words (A in the figure) of the two channels are amended with two leading "channel state" bits and then either word-interleaved (case B) or bit-interleaved (case C). Two parity bits are calculated over the complete 12-bit frame generated and expand it to the final 14-bit frame. The two bits indicating the channel state signify whether the channel contains traffic(bit = 0) or idle (bit = 1) sequences at the moment.
Fig. 1 - 14 bit frame (from R&S Manual of transmitting methods)
Additionally, a variant of CIS-14 has been observed using frames of 28 bits. As can be seen in figure 2, after having established the 14-bit frame(s) (B) form the datawords (A) as explained above, two of these frames are bit-interleaved (C) to the new28-bit frame.

Fig. 2 - 28 bit frame (from R&S Manual of transmitting methods)
Note that although T207 is "hardware" while CIS-14 is a transmission mode, I use T207 in this blog as an implicit reference to CIS-14.

software tools (download)
- The Octave script T207_detect.m  has been used for the check of T207/CIS-14 mode:
- The Octave script T207_detect_e.m also extracts the two world and bit interleaved channels:
(the two Octave scripts are coded by me and Christoph, you will need GNU Octave package [1] to run them)
- The software CIS14-C.exe (coded by cryptomaster) can be used to etract the two 5-bit channels from a 10-bit stream C-interleaved:

As said in a previous posts, T207 detection had to be manually spotted by processing the demodulated bitstream and checking if it matches the criteria described in this post in radioscanner forum: the Octave scripts are now improved and detects the presence of T207 checksums in a given bit stream and for each permutation of the checksum bits.  T207_detect scripts are very useful since encrypted CIS-14 messages have ACF=0 and anonymous demodulated streams, clear-text messages instead may be recognized as CIS-14 by the "solid" columns of the channel state bits.

I run the script against several waveforms and the results are very interesting.So far, I found two checksum modes termed "3" or [3120] and "20" or [0312]:

T207/CIS-14 verified waveforms (so far)
(note that some waveforms  can be coded with both the two checksums)

checksum mode 3 [3120]:
VFT 3x100Bd/1440, VFT 6x100Bd/120
FSK 50Bd/1000, FSK 100Bd/500 
F7B 100Bd/1000 (on one channel)

checksum mode 20 [0312]:
VFT 3x100Bd/1440, VFT 6x100Bd/120
FSK 50Bd/1000, FSK 96Bd/500, FSK 96Bd/1000
FSK 100Bd/500, FSK 100Bd/1000, FSK 100Bd/2000
F7B 96Bd/500 (on one channel), F7B 100Bd/1000 (on one channel) 


No comments:

Post a comment