24 March 2021

async STANAG-4481F with KG-84/KIV-7 encryption (DHFCS)

updates: spotted on 6245.20, 8127.0, and 10272.0 KHz (all Cf)

We are used to seeing (and recognizing) KG-84/KIV-7 encryption in synchronous STANAG-4481F, but this time I ran across such encryption in async S-4481F (75Bd/850) transmissions heard on 8127.0 KHz (cf). The demodulated bitstream has the classic 5N1 framing (Baudot), from which you don't get much, at least until you have the chance to record the beginning of a new message, as shown in Figure 1 (monitoring gets on files).

Fig. 1 - 5N1 bitstream after demodulation

One way to get an idea of what you heard is obviously to remove the start/stop bits and then examine the resulting Baudot code; this is where experience helps. In fact, if you happen to see the words:
VMGTCNJ <line feed>
BH
we are facing a message secured by KG-84/KIV-7 devices. Notice that, because of the added framing bits, your decoders (such as K500 or Sorcerer) won't detect the typical KG-84 sync pattern. The classic approach is to examine the message headers after removing the start/stop bits and reshaping to a 64-bit period (Figure 2).

Fig. 2 - analysis of the message headers
 
The first two lines are a short idle state (RYRYRYRY...)
0101010101010101010101010101010101010101010101010101010101010101
0101010101010101010101010101010101010101010101010101010101010101
 
The third line is the well-known 64-bit sync pattern used by KG-84/KIV-7 devices
1111101111001110101100001011100011011010010001001100101010000001
(just the Baudot chars VMGTCNJ <line feed> BH)
 
The following 128-bit Initialization Vector is split into two 64-bit groups, 0x118A4DBCD0FA80BE and 0x01AC4C5F065D8517, each repeated twice (lines 4,5 and 6,7). That's another interesting feature of these transmissions: indeed, the two 64-bit groups forming the initialization vector are usually repeated four times (the same behavior was noted in 2815.0 KHz transmissions, 75Bd/850 from UK MoD).
1000100001010001101100100011110100001011010111110000000101111101
1000100001010001101100100011110100001011010111110000000101111101
1000000000110101001100101111101001100000101110101010000111101000
1000000000110101001100101111101001100000101110101010000111101000
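
The header analysis described above, as an added example that is not part of the original post: it strips the 5N1 start/stop bits, locates the 64-bit sync pattern and reads the following 64-bit rows as IV groups. The capture is constructed from the bit rows printed on this page (with 13 RY idle pairs in front), and the function names are assumptions of this example.

```python
# Added example: SYNC and IV rows are the ones printed in the post;
# the framed capture is constructed from them, not a real recording.
ITA2 = ("<NUL> E <LF> A <SP> S I U <CR> D R J N F C K "
        "T Z L W H Y P Q O B G <FIGS> M X V <LTRS>").split()
SYNC = "1111101111001110101100001011100011011010010001001100101010000001"
IV_A = "1000100001010001101100100011110100001011010111110000000101111101"
IV_B = "1000000000110101001100101111101001100000101110101010000111101000"

def frame_5n1(bits):
    """Wrap every 5 data bits in a start bit (0) and a stop bit (1)."""
    return "".join("0" + bits[i:i+5] + "1" for i in range(0, len(bits), 5))

def strip_5n1(stream):
    """Remove start/stop bits, rejecting frames that break 5N1 framing."""
    out = []
    for i in range(0, len(stream) - 6, 7):
        frame = stream[i:i+7]
        if frame[0] != "0" or frame[6] != "1":
            raise ValueError(f"framing error at bit {i}")
        out.append(frame[1:6])
    return "".join(out)

def baudot(bits):
    """Decode 5-bit groups; the first received bit is bit 1 (least significant)."""
    return [ITA2[int(bits[i:i+5][::-1], 2)] for i in range(0, len(bits) - 4, 5)]

def to_hex(row):
    """64-bit row to hex, each byte read LSB first (matches the post's hex values)."""
    return "0x" + "".join(f"{int(row[i:i+8][::-1], 2):02X}" for i in range(0, 64, 8))

def parse_header(stream):
    """Return (sync offset, Baudot view of the sync, IV groups with repeat counts)."""
    data = strip_5n1(stream)
    pos = data.find(SYNC)
    if pos < 0:
        raise ValueError("KG-84 sync pattern not found")
    rows = [data[i:i+64] for i in range(pos + 64, len(data) - 63, 64)]
    groups = []
    for row in rows:  # collapse consecutive repeated 64-bit rows
        if groups and groups[-1][0] == to_hex(row):
            groups[-1][1] += 1
        else:
            groups.append([to_hex(row), 1])
    return pos, baudot(SYNC), groups

CAPTURE = frame_5n1("0101010101" * 13 + SYNC + IV_A * 2 + IV_B * 2)  # constructed

if __name__ == "__main__":
    print(parse_header(CAPTURE))
```

Read as Baudot, the sync row comes out as LTRS, VMGTCNJ, line feed, BH, line feed, with four leftover bits, which is why the pattern only becomes recognizable once the framing bits are gone.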

Direction finding tests indicate north UK as the probable transmitter location; more precisely, I think it's the DHFCS (UK MoD) Tx station located in Crimond (Aberdeenshire, Scotland): operations are remotely managed by Forest Moor net center. As a further clue, it should be noted that the DHFCS ALE callsign "XSS" has been heard many times on 8125.0 KHz/USB, i.e. on the tuning frequency of the S-4481F transmissions (cf - 2000Hz).

Fig. 3 - TDoA runs point to DHFCS site of Crimond

From what I have been able to see these days, the transmissions take place only in the morning (never heard after 1300Z); I don't know if they are training transmissions or scheduled broadcasts.

 

Fig. 4 - DHFCS Crimond, former RNAS Rattray (HMS Merganser) (1)

(1) photo on the left by flickr  https://www.flickr.com/photos/53277566@N06/36701528042/

22nd March update
same on 10272.0 KHz (cf)
