SYSTEMS.
3.4.1 (U) Information Security.
(U) Cryptosystems provide security by preventing electronically transmitted information from falling into the hands of unauthorized persons. Machine cryptosystems and certain “one-time” cryptosystems are the most secure methods of protecting electronically transmitted information. Manual and auto-manual cryptosystems are used to protect electronically transmitted information only when machine systems are unavailable.
3.4.2 (U) Authentication Systems.
Authentication systems provide a defense against enemy intrusion into communications nets. These systems are also used to establish the authenticity of stations, communicators, or communications.
3.4.3 (U) Operations Security (OPSEC).
Properly used cryptosystems and authentication systems are necessary to maintain adequate OPSEC within a command.
3.4.4 (U) Approved Systems. The only cryptosystems and authentication systems approved for Army use are those systems as outlined below:
a. (U) Produced by the NSA and obtained through the procedures described within this chapter.
b. (U) Commercial Off-the-Shelf (COTS) Systems approved by the NSA/DA for local purchase under the Commercial COMSEC Endorsement Program (CCEP). See AR 710-2, Chapter 1.
c. (U) Electronic key generated and distributed using NSA-approved key generating systems.
3.4.5 (U) Selection and Use. For assistance in the selection and use of manual cryptosystems and authentication systems, contact CSLA. See Appendix F for POC information.
(1) (U) Users of each cryptosystem and authentication system will become familiar with the system’s capabilities and limitations, and have a thorough knowledge of the appropriate operating instructions.
(2) (U) Detailed operating instructions normally accompany each copy of manual systems. The NSA, in the cryptosystems Operating Instructions (KAO), Limited Maintenance Manuals (LMM) and Army Operator’s Technical Manuals I, publishes detailed instructions for each machine cryptosystem. An index of KAOs, LMMs and Army COMSEC Publications is listed in DA Pam 25-35.
3.5 CRYPTONETS.
3.5.1 (U) Cryptonet Elements. Establishing a cryptonet involves identifying those individuals and/or operating elements that must
TB 380-41
associated key. Cryptonet planning is conducted in conjunction with communications network planning to ensure compatibility and interoperability with joint organizations, as well as Army Commands. CONAUTHs will give consideration to the employment of electronic key and the implementation of electronic re-key procedures. When electronically generated key is not used, the CONAUTH must send written justification to the Service Authority explaining why they are requesting hard copy key. This will limit hard copy key products to the minimum essential for mission accomplishment.
3.5.2 (U) Types of Cryptonets. The CONAUTH must consider which type of cryptonet (for example, operational or contingency) will be most economical in terms of production, distribution, storage, and destruction costs. With the exception of irregularly superseded key (such as one-time pads), key for operational nets is re-supplied as directed by the CONAUTH. Irregularly superseded key is re-supplied upon request of the CONAUTH. Key will be used as follows:
a. (U) Operational Key. Operational key will be used for routine day-to-day operations.
b. (U) Contingency Key. Contingency key will be used for operations that occur infrequently (exercises less frequent than one each month). The use of operational key to secure infrequent operations is discouraged, except as explained in the following paragraph, because it will result in NEEDLESS and COSTLY destruction of unused key and it is manpower intensive.
c. (U) Use of Operational Key for Contingency Purposes. One or more editions of operational key may be identified for training/exercise use by the CONAUTH. The CONAUTH may also choose to change the status of an operational key to contingency for future use instead of cancellation when a net has been discontinued. Both of these actions must be coordinated with CSLA Key Management and the NSA. The CONAUTH may change the key back to an operational status at a future time, if required. The CONAUTH is responsible for advising all users and CSLA of disposition instructions of unused, cancelled, or superseded key.
3.5.3 (U) Cryptonet Size. The size of the cryptonet will be as small as operationally feasible for the types of organizations and cryptosystems requiring hard copy key. The CONAUTH will always determine the number of holders and copy count requirements for key.
3.5.4 (U) Cryptonet Expansion. All cryptonets established will consist of essential members only and have a key copy count sufficient to satisfy the secure communications requirement. Additional copies of key to be used for possible expansion of Army cryptonets will not be held by a CLSF unless directed by a higher headquarters that has received prior approval from the CONAUTH and the NSA.
3.6 ESTABLISHMENT OF CRYPTONETS.
a. (U) Requests for Establishment of Cryptonets (Physical Key). Requests for establishing machine or auto-manual cryptonets (including requests for approved cryptosystems and authentication systems) will be submitted via message by the commander of the requesting activity. These requests, in the form of a memorandum or message, will be submitted to CSLA with the information addressees of the NSA, Y132 and the requestor’s next higher headquarters listed. For KG-84 key, provide this information to the NSA, ATTN: Y271 and Y132.
See Appendix F for POC addresses.
(1) (U) Requests for manual cryptosystems will be submitted to the action and information addressees listed in the preceding paragraph. This includes OPCODES, One-Time Pads (OTP), Authentication Systems, etc.
(2) (U) AKMS accounts will utilize the attributes in the LCMS. Refer to the LMD/KP Operators Manual.
b. (U) Standard Request Form. Requests for physical key will contain the following information, as appropriate. Message requests for classified key will be classified as CONFIDENTIAL due to the compilation of information. Request for UNCLASSIFIED key will be marked and handled as FOUO.
will be employed to the maximum extent feasible.
(a) (U) Indicate type of key required (KG-84C, KY-57/58, etc). If the request is for the Traffic Encryption Key (TEK) transition training tape, provide the number of months the tape will be required. The tape production will be scheduled for the requested period only.
(b) (U) If the request is for Key Encryption Key (KEK) tape, specify the reason for KEK tape instead of local generation of KEK (e.g., KG-83 is not available for generation of KEKs).
(2) (U) Designated CONAUTH. Include CONAUTH message address, a point-of-contact, e-mail address and telephone number.
(3) (U) Nature of Request. Indicate nature of request (i.e., new equipment or establishment of cryptonet).
(4) (U) Key Usage. Indicate key usage: National Emergency Operations (NEO), State Emergency support/Civil Action, etc. For machine or auto-manual cryptosystems, provide a brief statement describing the scenario under which the requested key is to be used. For manual cryptosystems, provide a detailed description of the requirement.
(5) (U) Classification. Indicate the classification of information to be encrypted (CONFIDENTIAL, SECRET, or TOP SECRET).
(6) (U) Number of Copies. Indicate the required number of editions and the total copy count per edition. Also, when requesting establishment of a cryptonet, indicate the canister configurations requested. See paragraph 4.8.1a and b for canister configuration.
(7) (U) COMSEC Account Numbers. Indicate the COMSEC account
(8) (U) Delivery Date. Indicate the Required Delivery Date (RDD). Normal production lead-time is 120 days from receipt of the request by the NSA.
(9) (U) Purpose of Operation. Include information (such as exercise name and dates or dates and length of the on-the-air test) to assist in identifying when the material will be used.
(a) (U) CSLA, the NSA (Y13), and the supporting CLSF (when applicable) will be notified when a newly established operational cryptonet (using regularly superseded key) has started operations. This notification allows the automatic re-supply of key to begin (see Figure 3-1).
(b) (U) CSLA and the NSA will also be notified each time an edition of any contingency key is implemented. Contingency key will only be re-supplied when the CONAUTH requests it.
(10) (U) Net Structure and Operation. Indicate net structure and operation, and state if cryptonet is point-to-point or netted.
(11) (U) Short Title. Indicate the Short Title of the key to be replaced, if applicable.
(12) (U) Quantity of Crypto-equipment. For machine cryptosystems, indicate the total quantity of crypto-equipment on-hand that will use the key requested.
(a) (U) If the crypto-equipment is not on-hand, show the equipment delivery date as established by the CSLA. If the delivery date is more than four months away, the key will not be requested. Also, if the communications equipment used in support of the crypto-equipment is not on-hand, and is not due to be delivered within four months, the key will not be requested.
(b) (U) For One-Time Tapes/Pads/Disks,
would consist of five editions, each edition consisting of one encipher and four decipher pads/tapes/disks).
Indicate type of circuit (full-duplex, half-duplex, etc.).
(13) (U) Emergency Reaction Force. Indicate if the unit is part of a Command Emergency Reaction Force.
(14) (U) Validation by Higher Headquarters. Include a statement to verify the higher headquarters has validated the need for the cryptonet.
c. (U) AKMS Accounts. AKMS accounts will send requests using the free form text directly through the message server. Refer to Chapter 6 of this TB for additional key issues pertaining to AKMS.
Free form text messages will adhere to the standard English rules of convention (e.g., spacing, punctuation, grammar). Failure to construct a legible message may result in the request being returned to the sender unfulfilled.
***CONFIDENTIAL***
01 02 081241Z FEB 03 RR RR CCCC AA ZYUW TTC-1 NO
FROM CDR PIRMASENS GE //5A0419//
TO DIRCSLA FT HUACHUCA AZ//SELCL-ID-KEY//
DIRNSA FT MEADE MD //Y132//
INFO NCTAMS LANT NORFOLK VA //159039
C O N F I D E N T I A L
SUBJECT: ESTABLISHMENT OF CRYPTONET (U)
A. (U) TB 380-41 PROCEDURES FOR SAFEGUARDING, ACCOUNTING, AND SUPPLY CONTROL OF COMSEC MATERIAL
1. (C) THIS PARAGRAPH IS CONFIDENTIAL DUE TO COMPILATION IAW CHAPTER 3, REFERENCE A. THIS ACTIVITY HAS A REQUIREMENT TO ESTABLISH A CRYPTONET USING APPROVED KEY.
A. (U) TYPE OF KEY: KG-84() OPERATIONAL OTAR KEY KEYTAPE, TENNLEY (KEY ENCRYPTION KEK WITH WEEKLY OTAR, QUARTERLY CRYPTOPERIOD, ANNUAL EDITION SUPERSESSION).
B. (U) CONAUTH: CDR PIRMASENS GE //5A0419//, DSTN/STU-III: XXXXX.
C. (U) NATURE OF REQUEST: NEW REQUIREMENT.
D. (U) KEY USAGE: OPERATIONAL.
E. (U) CLASS: TOP SECRET.
F. (U) COPY COUNT:
(1) NUMBER OF EDITIONS: 2.
(2) TOTAL COPY COUNT PER EDITION: 2.
(3) CANISTER CONFIGURATION: 16-1-16 (DIGRAPH GF).
G. (U) SHIP TO: CA 5A0419 1 CY CA 159039 1 CY.
H. (U) RDD: 24 APR 00
I. (U) PURPOSE OF OPERATION: MATERIAL WILL BE USED FOR GENSER DIRECT AUTODIN FULL TIME CIRCUIT BETWEEN CDR PIRMASENS AND NCTAMS LANT NORFOLK VA (CCSD 7D35).
J. (U) NET STRUCTURE/OPERATION: POINT-TO-POINT, FULL-TIME PIRMASENS CDR TO NORFOLK, VA. ACTIVATION SCHEDULED NLT 01 AUG 2000.
K. (U) SHORT TITLE REPLACED: NONE.
L. (U) KG-84() AUTHORIZED: CA 5A0419: AUTH 1 OH: 1, CA 159039: AUTH: 1 OH: 1
M. (U) THIS UNIT IS NOT PART OF A COMMAND EMERGENCY REACTION FORCE.
N. (C) KEY USAGE: TO BE USED BY ACTIVITIES MENTIONED IN SUBPARA 1 ON ITS DAY-TO-DAY MISSION.
2. ALL ADRS WILL BE NOTIFIED BY THE CONAUTH WHEN CRYPTONET IS IMPLEMENTED.
3. THIS REQUEST HAS BEEN COORDINATED AND APPROVED BY OUR NEXT HHQ, 5TH SIG CMD, ATTN: ASQK-S.
4. (U) POC IS MR. DENNIS HILLIARD, CONAUTH.
P. MICHAUD
CONAUTH, 5932
DERIVED FROM: TB 380-41
DECLASSIFY ON SOURCE MARKED OADR
DATE OF SOURCE: JUN 03
DON OWEN, MAJ, CDR
This is an example of a message request to establish a cryptonet. Content will vary according to local requirements. Classification is for example purposes only.