28 September 2020

S-4538/110A transmissions using (unid) 256-bit IV encryption

While monitoring the 6 MHz band looking for the 48KBd "monster", I ran into some STANAG-4538 "circuit mode service" transmissions on 6898 KHz/USB using the 110A Serial Tone in 2400bps/S mode as traffic waveform: likely US Military.  The bitstream after 110A removal (Figure 1) clearly shows the use of encrypted frames which are characterized by 256-bit length Initialization Vectors (IVs), the underlying data-link protocol is then blacked.

Fig. 1 - demodulated bitstream

The transmission frames structure (Figure 2) is very interesting and - in some way - it reminds the embedded COMSEC frame structure as per MIL-STD 188-110D App.D; in this case (the recorded samples) the COMSEC preamble should consist of five components:

a) 192-bit string of alternating ones and zeros (bit-sync/phasing?)

b) 226-bit sequence (frame sync?)

c) 8 x 256-bit (32 bytes) Initialization Vectors (a same IV is repeated eight times)

d) 350-bit string of alternating ones and zeros (bit-sync/phasing?)

e) 150-bit sequence (frame sync?)

Encrypted data block follows, ended by the 40-bit sequence: 0000010010110110010110100101101100100000 (probably acting as EOM).

Fig. 2 - transmission frame structure

Interestingly, the sequences b) and e) have a period length of 60 bits and each sequence may be descrambled by the polynomial x^3+x^2+x+1.

About the initialization vectors (Figure 3), it's to notice that a 16-bit segment (positions 113-128, as if they consist of two 128-bit blocks) has the same value in all the four vectors, but it could be just a mere coincidence and thus futher samples are needed.  Anyway, it's the first time I meet 256-bit length initialization vectors: since their size is as large as the block size of the chiper in use (or as large as the encryption key) it is probably a 256-bit encryption system. In this regard, I only know about "HC-256", a software stream cipher for embedded systems which generates keystream from a 256-bit secret key and a 256-bit initialization vector [1], but this is still speculative.
Since 110A was using a data rate of 2400 bps, the time needed to send a complete IV sequence (2048 bits long) is about 853 msec. 

Fig. 3 - four initialization vectors

Recordings were made thanks to KC9FFV Marco who run a KiwiSDR at Forney, TX USA [2].

[1] https://www.ecrypt.eu.org/stream/ciphers/hc256/hc256.pdf
[2] http://marcocam.selfip.com:8073/

21 September 2020

48 KBaud OQPSK unid wideband transmissions

This post originates from an email from my friend KE9NS Darrin who noticed  a strange transmission around 6.8 MHz with an occupied bandwidth of about 48 KHz. According to his reports, the signal seems to start somewhere between 0000 and 0100 UTC, likely ON until sun rise. Interestingly, the signal tends to move around the band slightly probably trying to find an open slot in the band. Indeed, some breaks were observed and Darrin just noted that when it shut down for a break there was a STANAG 4285 signal within its 48 KHz passband: it must have realized and moved to an open spot.
Darrin kindly sent me his IQ recordings for analysys since it's impossible for me to get such samples using remote KiwiSDRs.

The waveform has a speed of 48000 Baud and occupies a band of about 48 KHz: as shown in Figure 1, the spectrum width, equal to the manipulation speed and the presence of the third line in the 4th power, lead to think to the Offset QPSK (OQPSK) modulation.

Fig. 1
Although GMSK and OQPSK have a lot in common, some further clues in favor of OQPSK come from the phase plane (Figs. 2a, 2b): OQPSK looks like GMSK with BT < 0.25 (the lower the BT index, the more it's similar to OQPSK).

Fig. 2a - OQPSK phase plane

Fig. 2b - syntesized OQPSK signal
Similar results were obtained from the analysis of CIS-1280 waveform (Figure 3).
Fig. 3 - CIS-1280 OQPSK waveform

OQPSK is a constant-envelope modulation that has no 180-deg phase shifts and, therefore, has a much higher spectral containment than non-offset QPSK when transmitted over band-limited nonlinear channels. To further bandlimit an OQPSK signal, Shaped OQPSK (SOQPSK) was introduced and its initial version was referred to as MIL-STD SOQPSK after it was adopted as part of a military standard. 
Since OQPSK is like a GMSK with a small index, it is possible to do some demodulation attempts using the "FSK3 method" introduced by guys from radioscanner.ru [1]. In this regard, I also tried that FSK3 method by demodulating the 48 KBaud signal on three FSK levels (Figure 4) and then appropriately converting the ternary symbols through a small program written with Octave. It is difficult to establish the accuracy of the final bitstream, anyway the links to download the intermediate FSK3 file are below: everyone can try the demodulation by following the method described and post their comments and the obtained bitstreams.

Fig. 4 - FSK3 demodulation

Back to the 48 KBaud signal, it's always very strong, likely a very powerful transmitter. Quoting Darrin "Its a long shot but, the company that was supposedly trying to transmit stock trades via HF radio has a radio tower located in a town near to me. Supposedly they have a huge antenna array in Elburn, IL and transmit 20kw with an ERP of 808kw (very big stacked curtain log-periodic antennas) pointed 48deg and a special FCC license. It turns out, that antenna array is pointed directly towards my home in Bartlett, IL". We also thought of 188-110D App.D (per STANAG-5069) tests but such a waveform is not indicated.

https://yadi.sk/d/J76M1y-l-u42Sg (wav file) 
https://yadi.sk/d/_3o-UTVKEQpKNw (FSK3 demod)

[1] http://www.radioscanner.ru/forum/topic43183.html#msg865791

11 September 2020

110-220Bd/330 FSK, TMS-430/TC-535 (Swiss Army)

I56578, cryptomaster

This is the well-known Swiss Army 220Bd/330 FSK system consisting of the Telematik-Set 430 (TMS-430) [1] in combination with the cipher device TC-535 [2], the utilized HF transceiver is most likely the SE-430 [3]. This signal is commonly logged as "TMS-430", although TMS-430 is actually the DTE device, while the modem function is performed by TC-535 in conjunction wih SE-430.
These transmissions can be heard almost every day on 4495 KHz (CF) around 1800 UTC, a list of frequencies (apparently constant) at which this signal was noted is: 3502 4594 5182 and 5202 kHz; old logs also reports the 120Bd waveform. Recordings used in this analysis were made thanks to the Twente WebSDR and refer to the 4495 KHz channel. 
Looking carefully at the signal, it's possible to note short initial segments which are sent at the speed of 110Bd (Figure 1):
Fig. 1 - initial segment sent at 110Bd
This apparently oddity intrigued me and my friend cryptomaster and so we decided to study the demodulated streams in more detail. Since the TC-535 is directly connected to the HF transceiver, from the analysis of the stream it is possible to trace and verify the operating phases of the cipher. It's to be mentioned that, given the two speeds, the streams were obtained by demodulating the signal from time to time at 110 or 220 Baud depending on the bit segment that had to be studied; the demodulation speed used for a given figure is shown in its caption.
TC-535 Synchronization sequence (COMSEC preamble) consists of a PN (Pseudo Noise) sequence termed as "Synchronizing Template" sent at the speed of 220 Baud (Figure 2). In addition to synchronization, the PN sequence is also used for (encrypted) commands transmission.  Grouping the PN sequences into a single stream and analyzing it, turns out the presence of the polynomial x^7+x^3+1: likely this is just the 7-bit LFSR (indicated as C7 in the Control Unit circuit board) which generates the PN (pseudo noise) sequence.
Fig. 2 - the initial "sync template" sequence (demod speed: 220Bd)
The sync template is then followed by the  so-called "Additional Key" (AK): a time and key-dependent 64-bit block which is tree times repeated and sent in clear-text ASCII 8N2 at the speed of 110 Baud (Figure 3, in opposite polarity). The correct additional key information is obtained by majority decision from the three additional key blocks, which are identical under good transmission conditions, and mixed with the basic key to initialize the cipher generator at the receive TC-535 (thus the AK field may be termed as the Initialization Vector for TC-535).
Fig. 3 - the tree 64-bit Additional Key blocks (demod speed: 110Bd)

The sync phase (PN + AKs) is then followed by a 22-bit long alternating sequence of "0"s and "1"s  which separates AK blocks from encrypted data and allows the speed change to 220Bd (Figure 4).
Fig. 4 - 22-bit "01" sequence, also visible in Fig. 2, unless some bit in error (demod speed: 220Bd)

An optionally switchable FEC protection is built into the TC-535. If FEC is enabled, additional check bits are added to the data, which increase the data volume by a factor of 1.4 to 2.0 depending on the user code (Baudot/ASCII). In case of ASCII, the inserted check bits reduce the useful bit rate to half and consequently bit rate shall be increased by a factor of 2, thus the 220 Baud since the ASCII operational speed is 110 Baud. This clarifies the initial 110 Baud speed used to send the AK blocks (sent as async, clear-text, no FEC)! Note that the encrypted data are only transmitted in synchronous mode and returned asynchronously to the data sink.
The doubled data volume means that FEC encoder function is accomplished by a rate 1/2 convolutional coder (as indeed confirmed in [2], "Encryption method: Bitstream encryption"). Thus, the 220 Baud speed is a sign that FEC is activated and user data are ASCII coded. 
About the canche to trace a check matrix/polynomial in the streams, it should be noted that documentation says "The check bits are obtained from useful bits that have already been sent and added to the data to be sent before encryption", thus FEC encoding happens before the encryption process (!) and unfortunately there will be no interesting signs to look for in the streams. 
However, it can be noted that sometimes a single transmission carries more than one AK blocks (Figure 5), so we think that a single transmission may carry multiple messages/files, each preceded - most likely - by an appropriate an PN sequence.

Fig. 5 (demod speed: 220Bd)

TMS-430 (TelematikSet 430) consists of an NEMP-protected (protection against Nuclear ElectroMagnetic Pulses) device set in a large fiberglass box, consisting of: a notebook computer Toshiba 110CS, Pentium 100 MHz, VGA screen 11.3 inches, an Epson LX 300 matrix printer, two boot disks with DOS - based software.The (in the meantime no longer completely up-to-date) notebook is equipped with a hard drive, but is intended to be started from a boot floppy disk, if necessary any other commercially available IBM-compatible computer can be used. The messages to be transmitted can be recorded directly on the system, but usually a diskette is used to transfer the text message from the command post to the transmission office.
TC-535 (TeleCrypto 535) is more than "just" an encryption device since it also automatically controls the change of direction of the radio stations involved in the link. The most important features are the time and key-dependent initialization sequence, random filler text when in idle and the non-disruptive change of direction. The device is controlled via the TmS-430 keyboard.
As said, the utilized HF transceiver should be the SE-430. The complete communications system consists of a control unit (BE-430), usually connected to a encrypter, and a radioteletype machine. The signal is transferred over field telephone lines to the transmitter site, which can be installed at quite a long distance. The transmitter site equipment consists of the transmitter SE-430, it's power supply SG-430 and the automated antenna tuner AG-510/430.

Fig. 6 - TMS-430 (on the left) and TC-535 (source: Historisches Armeematerial Führungsunterstützung HAMFU)