[This just arrived in the list inbox. I'm not exactly sure that it is
particularly interesting, accurate or informative, but unfortunately
because it arrived anonymously I'm not really in a position to ask for
an improved version. Anyway, I decided to forward it. --Perry]
---------- Forwarded message ----------
>Subject: Crypto Equipment Guide -- Part One of Two
>Date: Mon, 17 May 1999 16:01:59 -0500
CRYPTO EQUIPMENT GUIDE
----------------------------------------------------------------------------
----
This guide contains general information about NSA approved cryptographic
devices that are currently available through the Commercial COMSEC Equipment
Program (CCEP) or by direct purchase from NSA. Contractors for DOE must have a
properly executed Controlled Cryptographic Item agreement with NSA. This guide
is not intended to be a complete source of information but rather a summary.
The information herein is only in sufficient detail to familiarize the reader
with the basic capabilities of the equipment. Please note that the purchase and
use of any product identified as "embeddable" requires prior DOE headquarters
approval. A Memorandum of Agreement (MOA) with NSA must be properly executed in
cases where a DOE or DOE contractor/ supplier proposes to use embedded products
for classified operations.
NETWORK
EMBEDDED
OPTICAL
DATALINK
STU
OTHER
MISSI
----------------------------------------------------------------------------
----
Network Encryption Equipment
----------------------------------------------------------------------------
----
CANEWARE
NETWORK ENCRYPTION SYSTEM
WANG TRUSTED LAN INTERFACE UNIT
FASTLANE ATM ENCRYPTOR
----------------------------------------------------------------------------
----
CANEWARE
CANEWARE is a host-to-host network encryption system designed to provide
multi-level security on a packet switched network. It is compatible with Secure
Data Network System (SDNS) standards and is transparent to network operations.
The CANEWARE system consists of a CANEWARE Front End (CFE) unit, a CANEWARE
Control Processor (CCP) unit, and an Auxiliary Vector Management System (AVMS).
The AVMS augments the SDNS Electronic Key Management System (EKMS) Mandator
Access Control (MAC) information by distributing additional security
attributes. The EKMS information and additional security attributes from the
AVMS along with Discretionary Access Controls (DAC) from the CCP are used by
the CFEs to enforce access controls to the network. The CFE also provides data
encryption on communication links. A CFE is required at each network point. The
CCP is used to provide DAC information to the CFEs. DAC information is used by
the CFE to limit access to each host based on need-to-know information provided
by the host to the CCP. A single CCP can control up to 5000 CFEs, which is the
maximum number for a single domain. Up to 1000 domains can be supported by the
CANEWARE system.
CANEWARE is capable of encrypting and decrypting at through put rates from 1200
bps to 750 kbps full duplex and supports I/O rates up to the T1 rate (1.544
Mbps). It supports standard protocols such as GOSIP X.25, DDN X.25 and CCITT
1984 X.25. The standard KSD-64A is used for loading configuration information
and initial keying material. It also serves as a crypto ignition key for the
CFE. A multi-level security host encryption system functions on X.25, IEEE
802.3, and Ethernet packets switched networks.
The CANEWARE system is approved for use at all classification levels.. The
development program is complete. They are currently establishing production
requirements. The approximate cost is $19,500.
----------------------------------------------------------------------------
----
NETWORK ENCRYPTION SYSTEM
The Motorola Network Encryption System (NES) provides encryption security to
local area networks (LANs) and Wide Area Networks (WANs). The NES is designed
for system high data encryption and can accomodate multiple security
communities through network partitioning into separate domains. It provides
data confidentiality, data integrity, peer identification and authentication,
and mandatory/discretionary access control services. The NES is configured at
start up by a configuration disk created by the product server. A product
server can be any IBM compatible personal computer. Each product server is
capable of serving a maximum of 2000 NES platforms. The configuration disk
created by the product server contains application software, discretionary
access control (DAC) tables, static routing tables and other configuration
information. This information is used to control access to the network
protected by a NES platform. The NES can provide secure connections between
802.3/Ethernet and other 802.2/Ethernet networks with a speed up to 1.3 Mbps
(half duplex, 1400 byte packets) or 320 packets per second (64 byte packets).
Key distribution can be provided from the Electornic Key Management System
(EKMS) or the NES may be physically keyed using a KSD-64A. Up to 250 Traffic
Encryption Keys (TEKs) can be supported at one time by the NES. A security
battery allows key retention when primary power to the NES is interrupted.
DOE users should contact HR-433 if NES is being considered for any application.
The authorized vendor for NES is Motorola Government Electronics Gr., 8201 E.
McDowell Road., Scottsdale, AZ 85252-1417. Additional information may be
obtained by accessing their web site,
http://www.mot.com/GSS/SSTG/ged/iso/nes.html".
----------------------------------------------------------------------------
----
WANG TRUSTED LAN INTERFACE UNIT (TIU-1)
The WANG Trusted LAN Interface Unit (TIU-1), which serves as an Ethernet (IEEE
802.3), is a data security device that encrypts LAN data traffic. The TIU-1
secures internetted and individual LANs because it implements Internet
Protocols (Ips). Internet Protocols will allow communications over wide area
networks (WANs) through Gateways. The TIU-1 can be used for single level system
high LAN encryption. The TIU-1 allows encryption of more than one host through
a single TIU-1. Encryption is accomplished at a data rate in excess of 200
packets per second full-duplex, (1500 byte packets). Keying is accompished
using a KOI-18 or a DS-102 signal converter.
This unit is used for LAN encryption (Ethernet, IEEE 802.3). It is approved for
use at all classification levels. The authorized vendor is Wang Laboratories,
Inc. The cost of a TIU with AUI interface is $19,995, fiber interface is
$12,995, key management software is $1,500 and hardware is $7,995.
----------------------------------------------------------------------------
----
FASTLANE ATM ENCRYPTOR
KG-75
FASTLANE is a high speed ATM encryptor for local and wide area network
multimedia applications (i.e., voice, video, data, and imagery). FASTLANE
supports permanent and switched virtual circuits, point-to-point and
point-to-multi-point, simplex and duplex connections. It provides
authentication and end-to-end protection of user information to the Top Secret/
Sensitive Compartmented Information. Security levels may be user selected for
each communications session. The FASTLANE encryptors may be nested, allowing
for the creation of cryptographically isolated networks to operate at different
security levels. FASTLANE may support an individual user, a multi-user computer
based group or a Local Area Network. Rekeying can be accomplished either
electronically or through traditional means.
It is approved for use at all classification levels. The limited capability
FASTLANE Release 1 (FR) system became available in June 1996. The full
capability FASTLANE Release 2 (FR) system will be available in September 1997.
Release 1 (FR1) can no longer be ordered. NSA is currently accepting orders for
Release 2 (FR2) with scheduled deliveries beginning in October 1997. DS-1
$25,000, DS-3 $26,000, OC-3 $28,000, and OC-12 Price is based on requirements.
The authorized vendor is GTE Goverment Systems Corporation, 77 "A" Street,
Needham, MA 02194-2892, phone: (410) 859-4060. Additional information on
FASTLANE may be obtained by accessing their web site
http://www.gte.com/Cando/Govt/Docs/Software/fastlane.html".
----------------------------------------------------------------------------
----
Embedded Encryption Equipment
----------------------------------------------------------------------------
----
FASCINATOR
KGB-69/69A
KGV-135
EMBEDDABLE MODULE
KIV-7 EMBEDDABLE MODULE
INDICTOR STANDARD EMBEDDABLE MODULE
CRYPTO ENGINE
----------------------------------------------------------------------------
----
FASCINATOR
The FASCINATOR is a line of embedded cryptographic devices that can be
installed in existing Motorola digital capable radio products and other
compatible radios. The proper installation of the FASCINATOR enables a radio to
be used for classified voice transmissions. The design provides for secure
voice communications, while maintaining a plain text capability. The
manufacturer produces the FASCINATOR as a product line of eight secure voice
modules capable of being direct plug-in replacements for the DES module. The
FASCINATOR devices are half duplex (12 kbps serial encryption devices that
operate in the synchronous mode) providing an operating range similar to plain
text. Installation of this device in compatible Motorola radios will require
the use of a Security Interface Box and a KOI-18 or KYK-13 for keying. Other
radio configuration may have different keying requirements.
The FASCINATOR can be used for non-tactical communication nets. It is approved
for use at all classification levels. the MCX-100, NX 300, Portable Repeater,
SABER, SPECTRA, SYNTOR X-9000, SYNTO X-9000 E, Console Interface Unit, and
SPECTRA Mobile SVMS have been endorsed. This product is available from
Motorola, Inc. The price ranges from $495 for hand-held to $1200 for portable
repeaters.
----------------------------------------------------------------------------
----
KGV-69/69A
Embedded Key Generator Chip
The KGV-69/69A is an embeddable COMSEC chip developed at NSA. It is designed to
be a "bare bones" encryptor for use in very high risk applications. The
single-chip design contains the encryption algorithm, appropriate controls,
alarm, and I/O circuitry suitable for drop-in solutions to secure data
requirements. The KGV 69/69A will encrypt and decrypt serial data up to 50
Mbps.
The KGV-69/69A is approved up to Top Secret data with special configuration
required. This equipment is available in limited quantities through the NSA
program management office. It is intended for special applications.
----------------------------------------------------------------------------
----
KGV-135
The KGV-135 is a high-speed, general purpose encryptor/decryptor under
development at Motorola. It is the solution for tactical and space users who
need wide-band data encryption embedded into high performance systems. The
KGV-135 is an upgrade of the KG-135. It has increased bandwidth and COMSEC
operating modes in a compact multi-chip module. The KGV-135 operates at speeds
of 2 Kbps to 700 Mbps and uses standard interface logic levels and key
protocols.
The KGV-135 may be used in tactical military ground, aircraft, or space. The
approximate cost is $8,000. Additional information may be obtained by accessing
their web site, http://www.mot.com/GSS/SSTG/ged/iso/kgv135.html.
----------------------------------------------------------------------------
----
WINDSTER STANDARD EMBEDDABLE MODULE
WINDSTER consists of a PC board containing several custom LSIs and discrete
devices. This module incorporates the SAVILLE I and PADSTONE algorithms to
provide security for classified traffic. It also contains the CORDOBA algorithm
which provides security for sensitive unclassified traffic. The CORDOBA
provides interoperability with many inventory SAVILLE-based equipment. WINDSTER
is a 500 Kbps full/half duplex embeddable COMSEC module used to secure digital
voice or data traffic. It provides cryptographic interoperable traffic
operation with KY-57/58, E-DRZ, KYV-2, KYV-5, KG-84, RAILMAN, INDICTOR, and
STU-III. It also provides re-key operations interoperable with the KY-57/58,
KYV-5, INDICTOR, and RAILMAN equipment.
This embeddable module may be used with various voice/data equipment such as
mobile or desk top telephones, modems, or man-pack radios. It is approved for
use at all classification levels. The authorized vendor is Harris, RF
Communications. The approximate cost is $2700 each for quantities of 1 to 249
and $1600 each for quantities over 250.
------------------------------------------------------------------------------
EMBEDDABLE KG-84 COMSEC MODULE
KIV-7
The KIV-7 is a compact, embeddable, COMSEC device that encrypts classified and
sensitive national security data transmissions. The KIV-7 secures data
communication links among users of personal computers (PCs), workstations, and
facsimile equipment. Utilizing the NSA WINDSTER key generator, the KIV-7 is
interoperable with the KG-84, KG-84A and KG-84C equipment in both the secure
data and Over-The-Air-Rekey (OTAR) modes. It is similar to a universal
half-height disk drive in design. This allows it to be embedded in desk top
PCs, or it can be installed in a specially designed multi-unit rack. Standard
EIA-530 and RS-232 data interfaces simplify system integration. An integrated
remote control interface permits the management of up to 31 remote units from a
single KIV-7 via an independent secure link. The KIV-7 is available in a high
speed version called the KIV-7HS. The KIV-7HS incorporates the WINDSTER T1
module. Data transmission for the KIV-7 lists rates up to 228 Kbps. The KIV-7HS
lists rates up to 1.544 Mbps. The KIV-7 accepts electronic key from the Data
Transfer Device, KYK-13 or KOI-18. It has a battery for loading key without
primary power and retaining key when primary power is interrupted.
The KIV-7 may be used on point-to-point, netted and broadcast data link
applications. It is approved for use at all classification levels. The
authorized vendor is Allied Signal Aerospace Company. The cost for a KIV-7 is
$3,542.35, KIV-7HS is $3960 (Qty. 1-3000), KIV-7HS is $3632 (Qty. 3001-7000)
and KIV-7HS Upgrade is $1433.
----------------------------------------------------------------------------
----
INDICTOR STANDARD EMBEDDABLE MODULE
INDICTOR is a half duplex embeddable COMSEC device used to secure digital voice
or data traffic. It consists of a single custom CMOS LLSI chip. The INDICTOR
module incorporates the SAVILLE I and PADSTONE algorithms. It also contains the
CORDOBA algorithm which provides security for sensitive but unclassified
traffic. INDICTOR is cryptographically interoperable with the KY-57/58, KYV-2,
KYV-5, KG-84, WINDSTER, and STU-III. It is presently being embedded into the
SUNBURST II and PRC-112 radios, and several other tactical equipment. INDICTOR
also provides "receive-only" re-key operations interoperable with KY-57/58,
KYV-5, WINDSTER, and RAILMAN equipment. It operates at speeds up to 1 Mbps.
This embeddable module may be used with voice/data equipment, such as mobile
telephones, modems, and/or hand-held radios. It is approved for use at all
classification levels. The authorized vendor is Motorola, Government Equipment
Corporation. Allow 8 to 10 weeks for delivery. The cost is $250 each (Qty.
1-100) (full compliance with Mil-Spec 80-83) and $180 each any quantities over
100.
----------------------------------------------------------------------------
----
CRYPTO ENGINE
The Crypto Engine is a self-contained, redundant cryptpgraphic module designed
to be integrated into devices as an alternative to box and board-level
cryptographic devices. This module consists of two chips, an algorithm data
path chip, and a control processor chip, combined in a common carrier. The chip
designed provides an encryption/decryption rate using a 12 Mhz clock of 20 Mbs
half duplex.
The Crypto Engine may be used with digital link encryption, telecommunications,
microwave, fiber optics, voice and video transmission, LAN and embedded
computer applications. It is approved for use at all classification levels. The
authorized vendor is Tractor Aerospace, Inc. The cost is not available at this
time.
----------------------------------------------------------------------------
----
Optical Encryption Equipment
----------------------------------------------------------------------------
----
KG-189
HIGH SPEED STRATEGIC TRUNK ENCRYPTOR
The KG-189 is the next generation of trunk encryptors designed to be compatible
with Synchronous Optical Network (SONET) standard interfaces. It provides
optical transport at both the RED and BLACK interfaces to communications
systems. The KG-189 program currently consists of models supporting two
standard SONET data rates. The OC-3 model operates at 155 Mb/s and the OC-12
model operates at 622 Mb/s. The development of a model supporting the SONET
OC-48 data rate of 2.5 Gigab/s has been terminated. The KG-189 is designed as a
single chassis with interchangeable cards allowing the KG-189 to upgrade from
OC-3 to OC-12 with minimal cost and no impact on installation. The KG-189
supports BENIGN fill capability, traditional key and remote loading of FIREFLY
vectors. It is approved for use at all classification levels.
Inital pre-qualification deliveries were scheduled for January, 1997.
Production of the KG-189 is scheduled to begin in March, 1997. The product was
developed by Motorola GSTG and Nortel. Production of the KG-189 is provided by
Motorola Sectel. The cost for the OC-3 model is $37,654, and the OC-12 model is
$62,664.
----------------------------------------------------------------------------
----
