MIL 188-220 Appendix D, standards for COMSEC transmissions

A recent post in radioscanner (my nickname is "ansanto" there), and some interesting discussions with a friend of mine, gave me the opportunity to study that signal and deepen the theme that is dealt with by MIL 188-220. In particular, the signal in question (courtesy by KarapuZ) concerns a transmission with link encryption provided by external COMSEC devices, in accordance with what is reported in the Appendix D of the cited standard, ie "transmission frame structure in either external and embedded COMSEC modes".

In short, in external COMSEC transmission frame the clear-text (not encrypted) part of the transmission frame is the "COMSEC Preamble", depicted below, which consists of the subfields: 
a. COMSEC Bit Synchronization
b. COMSEC Frame Synchronization
c. Message Indicator - MI or, better, Initialization Vector - IV (1)

The COMSEC Frame Synchronization subfield is used to provide a framing signal indicating the start of the encoded MI to the receiving station. This subfield is 465 bits long, consisting of 31 Phi-encoded bits. The Phi patterns are a method of redundantly encoding data bits. The logical data bits 1 and 0 are encoded as shown in figure. 

The Message Indicator subfield (MI) contains the COMSEC-provided MI, a stream of random bits that are redundantly encoded using Phi patterns.

Alternatively, in the embedded COMSEC transmission frame the clear-text part, depicted below, is composed of the following components:
a. Phasing
b. Frame synchronization (Standard Frame Sync or Robust Frame Sync)
c. Robust Frame Format (RCP only)
d. Message Indicator/ Initialization Vector
 

Back to the signal, it was heard by KarapuZ in the 33 MHz band and it is a GFSK modulation at a rate of 16000 Baud that can be easily processed using SA (Fig. 1).

Fig. 1

Once demodulated it turns out to be an encrypted transmission with the COMSEC Preamble that is easily identified  and consisting of the initial phasing part followed by two 15-bit encoded blocks: likely the encoded frame sync and Message Indicator (Fig. 2).

 

Fig. 2

Since 188-220 is based on the VINSON algorithm, the used encryption is presumably KY-57 and taking into account the band where it was listened... everything points to the SINCGARS radio (Single Channel Ground and Airborne Radio System) [1]. 

 

By the way, a dear friend of mine sent me a recording but once demodulated it uses 16 bits encoding patterns frames instead of 15 bits ones (Fig. 3). "I guess it is some modern crypto using a backwards compatibility mode, the clue is that it could be KY-99 that is the replacement for KY-57 in SINCGARS, but that point is unconfirmed. More signals and work will be necessary to clarify these points", my friend says. 

Fig.3

 

It is interesting to see how NATO KG-84 encryption relates to 188-220 Appendix D (Fig. 4).
KG-84 is similar to the emebedded COMSEC transmission frame, although the 64-bit pattern of KG-84 Standard Frame sync 

1111101111001110101100001011100011011010010001001100101010000001

is different from the patterns reported in Appendix D for Standard and Robust Frame sync. Moreover, the Message Indicator is not encoded using the Phi 15 bits, although it is redundantly encoded. That's probably ok since KG-84 is based on SAVILLE algorithm and 188-220 is VINSON based. Note as in some KG-84 "detectors" the Standard Frame sync is termed as "SYNC" and the MI data as "Initialization vectors".

Fig. 4 - NATO KG-84 encryption and 188-220 embedded COMSEC

 

The Turkish-Mil FSK, also using KG-84, deserves aside consideration (Fig. 5). Perhaps they encode the Mesage Indicator field using Golay and do not use redundant n-bit encoding, but it's only IMO. However "the encoding with Phi patterns is used for backward compatibility", 188-220 says.

Fig. 5 - Turkish-Mil FSK and 188-220 embedded COMSEC

(1) An Initialization Vector (IV) or starting variable (SV) is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process. An initialization vector has different security requirements than a key, so the IV usually does not need to be secret. However, in most cases, it is important that an initialization vector is never reused under the same key.[2] [3]

Please notice that just starting with this post I will use the term "Initialization Vector" to indicate the (repeated) pseudo-random sequence that is used to synch the receive crypto equipment. 

[1] http://www.cryptomuseum.com/radio/sincgars/

[2] https://en.wikipedia.org/wiki/Initialization_vector

[3] https://en.wikipedia.org/.../Initialization_vector_(IV)

 

STANAG-4481 PSK

STANAG-4481 PSK (4481-P) is basically a STANAG-4285 sub-mode which adopts fixed 300 bps data-rate and long interleaving. As well as 4285, 4481-P is mostly used in  NATO Naval broadcast  due to its repeated preamble  for which it's easy to maintain sync during long transmissions. 

In the heard transmission, spotted on 8322.2 KHz/USB, it's interesting to note the presence of the 64-bit KG84 sync pattern into the demodulated bitstream (Fig. 2)

Fig. 1

Fig. 2

unid FSK 150Bd/250 with KG-84 encryption

I copied this FSK modem on 06252.2 KHz (cf) on 7 December morning, carrying several messages with a very good signal strength here in JN52 (about 70 dB). The modem use a frequency shift of 250 Hertz and a modulation speed of  150 bps (Figs 1,2).

Fig. 1

Fig. 2

The most interesting thing is that the initial part of the messages contains the 64-bit sync pattern which is typical of KG-84 encryption

1111101111001110101100001011100011011010010001001100101010000001

followed by the 2 x 64 bit initialization vectors (each vector is repeated four times), as shown in Figs. 3,4:

Fig. 3

Fig. 4

The presence of KG-84 leads to think to a NATO country as source, surely - since the signal strength - the site of transmitter is very close to my antenna (center Italy), most likely in the Mediterranean area. 

https://yadi.sk/d/tSWCjgbB32gfUb 

Turkish Mil, FSK 300Bd/400Hz KG-84C

Weak signal heard on 5115.5 KHz, central frequency, at 0549 UTC. Analysis with SA reveals an FSK signal running at 300Bd and 400 Hz shift.

fig. 1

fig. 2

Once demodulated, the presence of the KG-84C 64-bit sync pattern (fig. 3)  leads to think about a NATO partner Nation: looking at precedent posts,  most likely the signal belongs to the Turkish  FSK waveforms.

 

fig. 3

https://yadi.sk/d/QXv7FXiYxdbjH

Turkish Mil, FSK 600Bd/400Hz & 1200Bd/800Hz KG-84C

weak signal heard on 10551.0 KHz/USB  0805z, variant of the more frequent 600Bd/400 reported here.

The low quality of my recordings does not allow its demodulation and then further investigations to check the presence of KG-84 encryption, anyway generally used in this kind of signals (FSK, both 600 and 1200 Baud speed). KarapuZ provided me a better quality recording so it was pretty easy to verify the KG-84 "flag"

KG-84 evidences

I tried out to look at some signals that use KG-84 encryption (based on Saville algorithm) in order to identify its footprint inside them and differences (if any), specifically: the two NATO widely used waveforms STANAG-4285 and STANAG-4481-FSK, one of the STANAG-4285 variants (this one possibly a Croatian version) and the FSK 600Bd/400Hz by Turkish Military. Since only four waveforms, this does not claim to be a complete view, rather it will be updated as soon as I'll get other such encrypted signals.

 -

Given a signal, as previously seen, the existence of  KG-84 encryption can be detected by its well-known 64-bit sync pattern that is inserted at the beginning of each session/message and followed by the encryption initialization:

 1111101111001110101100001011100011011010010001001100101010000001

In order to highlight the sync pattern we need to work with bitstream files, also known as ASCII-bits file, containing only the binary symbols 0 and 1 and provided by decoders such as k500 or Sorcerer (in the picture belows). This because - for example - the PSK-8 demodulated output from signals analyzers such SA, provide on-the-air symbols that still contains extra-symbols due to FEC and they should de-scrambled, de-interleaved and converted from HEX values to binary. 
The bitstream analysis is performed using a bit flow processor and editor.

STANAG-4481P (STANAG-4285 300bps/L)
 

pic. 1 - NATO STANAG-4481P

in this case the sync is followed by a 512 bits group consisting of two 64 bits sequences repeated 4 times: the two 64 bits sequences form the 128 bits key, k500 call them as "inizialization vectors" and are clearly indicated in its output as two strings each of 32 HEX characters. As far as I can see, both the sync and the key are inserted at the beginning of the session and are not re-inserted or repeated so that the message can not be deciphered in case of late entry.

STANAG-4481F (FSK 75Bd/850)

pic. 2 - NATO STANAG-4481-FSK

since the same operating environment (NATO), STANAG-4481-FSK adopts the same structure as in 4285. It is worth noting in pic. 3 that the 64-bit sync patterns produce ~850ms ACF spikes visible in the initial part of the signal.

pic. 3 - 850ms ACF spikes due to key insertion

STANAG-4285 variant

pic. 4 a STANAG-4285 variant

although it's compatible with NATO S-4285, this waveform (the user is suggested to be Croatian) does not provide KG-84 encryption (coud not find the sync pattersn) but rather a sort of linear encryption taht is not detected by the standard S-4285 decoders such as k500 and Sorcerer.

Turkish FSK 600Bd/400Hz

pic. 5 - the Turkish FSK/600/400

for what concerns KG-84 encryption, this waveform exhibits an interesting peculiarity: the sync pattern is not followed by the 512-bits key block as seen in NATO 4285 and 4481 implementations. I do not know if the  128 bits immediately following the syncr are indeed the key or else the key is obscured to standard decoders. 

As expected, since this trasmission consists of 7 blocks, the sync is repeated  7 times each 3954 bits exactly: since the apparently lack of the key I don't know if the transmission carries seven distinct messages or if the repetion is an help in case of late entry (so the messages are the same?).

pic. 6 - the seven resolvers

It's quite useless and waste of space and bandwidth to list here concepts and images that are easily found on the web about KG-84, below just few links:

https://en.wikipedia.org/wiki/KG-84 

https://www.ia.nato.int/niapc/Product/Elcrodat-4-2_124

http://www.jproc.ca/crypto/kg84.html

http://www.cryptomuseum.com/crypto/usa/kyk13/index.htm

Thanks to my friend KarapuZ for pointing me this argument and his stimolous to deepen.

Turkish Mil, FSK 600Bd/400Hz KG-84C

Although the signal is weak, you could easily find its basic parameters as in pictures 1 and 2. The signal has been heard on 07932.5 KHz (cf) around 0744z and also analyzed here by radioscanner.ru friends.

pic.1

pic. 2

This signal use cipher NATO KG-84, it can be identified by the 64-bit sequence in each session (the KG-84 frame sync)

1111101111001110101100001011100011011010010001001100101010000001

highlighted in pic. 3

pic.3

The KG-84A and KG-84C are encryption devices developed by the U.S. National Security Agency (NSA) to ensure secure transmission of digital data. The KG-84C is a Dedicated Loop Encryption Device (DLED), and both devices are General-Purpose Telegraph Encryption Equipment (GPTEE). The KG-84A is primarily used for point-to-point encrypted communications via landline, microwave, and satellite systems. The KG-84C is an outgrowth of the U.S. Navy high frequency (HF) communications program and supports these needs. The KG-84A and KG-84C are devices that operate in simplex, half-duplex, or full-duplex modes. The KG-84C contains all of the KG-84 and KG-84A modes, plus a variable update counter, improved HF performance, synchronous out-of-sync detection, asynchronous cipher text, plain text, bypass, and European TELEX protocol. 

Compared to the KG-84A, the KG-84C had some interesting extras. It has a variable update counter,

improved HF performance, out-of-sync detection (when in synchronous mode), asynchronous ciphertext, plaintext bypass, and the European Telex protocol. When used with a suitable digital telephone unit, the KG-84 could also be used for secure voice transmissions. Data could be handled by the KG-84 in asynchronous mode at rates between 50 and 9600 baud. In synchronous mode, it could even go up to 32,000 baud (or even 64,000 baud when used in combination with an external clock). 

https://en.wikipedia.org/wiki/KG-84

https://www.ia.nato.int/niapc/Product/Elcrodat-4-2_124