Linking Protection

In response to concerns about the security of ALE systems against spoofing, a technique called linking protection (LP) was developed to frustrate unauthorized attempts to interact with ALE systems, either by establishing unauthorized links or interfering with the establishment of legitimate links. Note that LP does not address jamming or similar techniques, which are best countered by TRANSEC, nor is it intended to replace the COMSEC function of traffic protection. LP protects the linking function, including related addressing and control information.

4.6.1 Requirements

The approach chosen for LP is to authenticate ALE transmissions before they are accepted for action. A cryptographic technique was desired because it would provide strong authentication. The following requirements were agreed to guide the design of the LP technique:

• Transparent to ALE protocols . The first requirement was that the linking protection mechanism be completely transparent to the ALE protocols, so that it could be added modularly to any system that implements ALE. This means that the tones, timing, redundancy, interleaving, FEC, and protocols must be identical for the protected and unprotected modes of operation. In particular, linking protection could not require the transmission of any additional bits for synchronization or similar purposes.

• Self-synchronizing. Because a principal need for linking protection is in denying an adversary the ability to establish unauthorized links, the linking protection mechanism must be effective when radios are scanning; this is when links are normally established. The mechanism must therefore be self-synchronizing so that radios arriving on-channel after the start of a transmission can acquire crypto sync and begin checking for transmissions addressed to them.

• Minimum impact on scanning dwell time. Unauthorized transmissions should ideally cause a

scanning receiver to pause no longer than normal on a channel carrying deceptive signaling. Thus, a scanning receiver must be able to gauge the authenticity of received transmissions in the time usually required for word sync.

• 24-bit block operation. The basic unit of ALE transmissions is a 24-bit ALE word. The linking protection mechanism therefore needed to map 24-bit words into 24-bit words that can be transmitted immediately. Likewise, when a 24-bit word is received, the LP mechanism needs to be able to decrypt that word immediately, without a need to receive more bits. This is necessary for word sync acquisition.

• Channel- and time-varying. The ciphertext produced from identical plaintext must vary from channel to channel at any time instant, and must also vary periodically on the same channel, so that protected stations are minimally affected by tape recorder attacks.

• Moderate computational requirements. The computational complexity of the LP scheme needed to be implementable within the power and timing constraints of 1990 field radios.

• Unclassified algorithm. An unclassified cryptographic algorithm was desired for at least some applications of LP, so that a protected radio would not require the physical security needed for high-grade COMSEC devices.

4.6.2 LP Technique

The technique chosen for HF LP was time- and frequency-dependent encryption of ALE words using a 24-bit block algorithm. This provides authentication at the receiver because only a network member can produce an encrypted ALE word that will decrypt correctly.

The time of day (TOD) and operating frequency are incorporated into the encryption process through a seed that is used by LP algorithms in similar fashion to the cryptographic key. The standard seed format (see Figure 4.10) contains the following fields:

• Date: 4 bits for the month and 5 bits for the day of the month;

• Protection Interval (PI): 11 bits for minutes since midnight, 6 bits for seconds in the current minute;

• Word: a count of ALE words encrypted during this PI (see below);

• Frequency: the nominal frequency carrying the protected transmission, in binary-coded decimal (BCD). The digits range from hundreds of MHz down to hundreds of Hz.

An important consideration in TOD-based cryptography is that the network must be synchronized to roughly the same time quantization as is used in encryption. For example, if stations in the network are synchronized to within one second of each other, we should use TOD quantized to one second for encryption. Then, when a station receives a protected transmission, it is known that the TOD at the sender is within one second of the TOD at the receiver. The receiver would therefore need to try decrypting the transmission using the following TOD values:

• Receiver’s current TOD;

• Receiver’s current TOD + 1 s (the transmitter could be ahead);

• Receiver’s current TOD – 1 s (the transmitter could be behind).

If the TOD quantization used in encryption was instead 100 ms, the receiver would need to try 21 TOD values in 100 ms steps from its TOD – 1 s through its TOD + 1 s.

The time quantization used in LP is termed the protection interval (PI). The PI field in the seed contains the current time in minutes and seconds since midnight, quantized by the protection interval in use in the network. For example, if the protection interval is 2 seconds, then the PI seconds field will always be an even number.

Protection intervals are always at least one second in duration, so multiple ALE words will be encrypted in each PI. The security of the LP technique requires that a different seed be used for each ALE word;

therefore, we have a word number field in the seed that is incremented for each succeeding word in a PI.

The word field is reset to 0 at the start of the each PI.

Once a receiver is synchronized with the LP process in a transmission, the sequence of word numbers is easily followed. However, when a receiver first arrives on a channel carrying a protected scanning call, what word number should the receiver assume was used by the transmitter? To avoid the need to try a large range of word numbers, a special technique is used during the scanning call: the transmitter simply alternates between word 0 and word 1. If the receiver successfully decrypts a received word using word number 0, the next word must use word 1.

Figure 4.10 Linking protection seed.

4.6.3 Application Levels and Algorithms

Recognizing that users may desire different combinations of cost, overhead, and security for their applications of LP, a range of standard application levels was defined. Every level is able to interoperate with less protected levels when so directed by an operator. Table 4.6 defines the PI duration (synchronization requirement) and the type of cryptographic algorithm used in each application level.

Note that application level 0 (commonly abbreviated AL-0) is unprotected ALE.

Special 24-bit cryptographic block algorithms were developed for LP. The unclassified LATTICE algorithm [8] was designed for efficient software implementation in 1990-era microcontrollers. It was eventually approved for export. The Type II and Type I algorithms are more tightly controlled, and are implemented in special hardware modules. The Type I module requires COMSEC-level physical security, and so is rarely used.

4.6.4 Time Synchronization

Synchronizing station time bases across a network is simple if every radio has access to GPS time.

However, when HF radio is intended for backup beyond-line-of-sight communications when satellites have been disabled, it is necessary to provide organic means to synchronize an HF network, without recourse to GPS. Therefore, a suite of time exchange protocols was developed for HF networks that use LP. (Recall that unprotected networks are asynchronous and do not require synchronized time bases.)

4.6.4.1 Time Quality

The concept of a time uncertainty window is fundamental in time distribution for linking protection. It measures the amount of uncertainty in a time source; for example, how far that timebase may have drifted from coordinated universal time (UTC). The size of a time uncertainty window at a station is determined by the accuracy and precision with which that timebase was last set, plus a term that grows with time at a rate determined by the stability of that time base.

Table 4.6 Link Protection Application Levels uncertainty window grows at a rate of 72 ms per hour.

Now, assume that this station sends time to another station 3 hours after its clock was last set. The time uncertainty window has grown to 236 ms, so the station receiving time will need to start its time uncertainty window at this size, plus any additional timing uncertainty that arises in the time transfer. Unless we know the propagation delay over the HF channel, we should add 70 ms of uncertainty for skywave propagation. If there is 100 ms of processing time uncertainty at the distant station, the total time uncertainty window at that distant station will start at 236 + 70 + 100 = 406 ms.

Instead of using a lot of bits to report the time uncertainty window at a time source, the time exchange CMD instead quantizes uncertainty into 8 levels of time quality. The upper bounds on time uncertainty for each time quality level are listed in Table 4.7.

Reworking our example, the time source would report that its time is quality 3, and the receiving station will start its time uncertainty window at 500 + 70 + 100 = 670 ms.

The time uncertainty window concept is useful in computing how often a station must resynchronize its timebase to stay synchronized within the PI duration of its network. Continuing with our example, the station that received time over the air starts its time uncertainty window at 670 ms. If its timebase stability is ±10 ppm, how long can it go before it needs to request an update to maintain AL-2 synchronization? The maximum time uncertainty for AL-2 is 2000 ms, so our station must request an update after (2000 – 670) / 72 = 18 hours.

4.6.4.2 Time Service Protocols

A range of time delivery protocols is specified in Appendix B of MIL-STD-188-141 [5], covering several situations:

network, a protected time exchange handshake can be used to deliver time securely, relying upon the cryptographic protection afforded by the LP algorithm.

• A station that is not synchronized cannot use a protected handshake, but can instead send an unprotected request for time. This request includes a random nonce to help authenticate the response.

A time server responds to an unprotected request with the correct time, its time quality, and an authentication word. The authentication word is produced by encrypting the nonce using the network key and the reported time. If the requester validates this authentication word, the time response is probably authentic.

• Protected and unprotected (but authenticated) time broadcasts are also defined.

4.6.4.3 Time Iteration Protocol

It is possible to measure the propagation delay on the HF channel, and so remove this element of time uncertainty from the time delivery process. This is accomplished by exchanging delta time reports, which contain the differences between measured and reported timestamps. Using these, stations obtain samples of the offset between their respective local times plus residual randomness. The iteration continues until the resulting time uncertainty is reduced to an acceptable window [9]. This protocol has not been standardized.

References

[1] Teters, L. R., J. L. Lloyd, G. W. Haydon, and D. L. Lucas, “Estimating the Performance of Telecommunication Systems Using the Ionospheric Transmission Channel–Ionospheric Communications Analysis and Prediction Program User’s Manual,” Report NTIA 83-127, National Telecommunication and Information Administration, Boulder, CO, 1983.

[2] Reagan, R., National Security Decision Directive Number 97, “National Security Telecommunications Policy,” The White House, Washington, DC, June 13, 1983.

[3] Harrison, G., “Functional Analysis of Link Establishment in Automated HF Systems,” Working Paper 86 W00015, MITRE Corporation, McLean, VA, December 1985.

[4] Federal Standard 1045, Telecommunications: HF Radio Automatic Link Establishment, General Services Administration, January 24, 1990

[5] MIL-STD-188-141A, Interoperability and Performance Standards for Medium and High Frequency Radio , September 15, 1988. (This version has been superseded by MIL-STD-188-141C, dated 25 July 2011.) [6] Johnson, E. E., “An Efficient Golay Codec for MIL-STD-188-141A and FED-STD-1045,” Technical Report

NMSU-ECE-91-001, NMSU, February 1991.

[7] Johnson, E. E., “Addition of a 49th Bit to the MITRE HF ALE Waveform,” Technical Report PRC-EEJ-88-002, NMSU, March 1988.

[8] Johnson, E. E., “A 24-Bit Encryption Algorithm for Linking Protection,” Technical Report NMSU-ECE-89-027 (Restricted Distribution), 1989. (Also available as “USAISEC Technical Report ASQB-OSO-S-TR-92-04.”)

[9] Johnson, E. E., “Time Iteration Protocol for TOD Clock Synchronization,” NMSU, 1992.

1. Signal loss is detected either by the radio or by the Golay decoder.

CHAPTER 5