28 October 1997
The DOE Crypto Equipment Guide is published as an information source and guideline for DOE and DOE contractors in selecting or using crypto equipment. This guide contains general information about NSA approved cryptographic devices that are currently available through the Commercial COMSEC Equipment Program (CCEP) or by direct purchase from NSA. Contractors for DOE must have a properly executed Controlled Cryptographic Item agreement with NSA. This guide is not intended to be a complete source of information but rather a summary. The information herein is only in sufficient detail to familiarize the reader with the basic capabilities of the equipment. Please note that the purchase and use of any product identified as "embeddable" requires prior DOE headquarters approval. A Memorandum of Agreement (MOA) with NSA must be properly executed in cases where a DOE or DOE contractor/supplier proposes to use embedded products for classified operations.
Technical information and points of contact are available from Sharon L. Shank of the Architecture, Standards and Engineering Group, Office of Information Management, at Sharon.Shank@hq.doe.gov or by telephone at (301) 903-3047.
CANEWARE is a host-to-host network encryption system designed to provide multi-level security on a packet switched network. It is compatible with Secure Data Network System (SDNS) standards and is transparent to network operations. The CANEWARE system consists of a CANEWARE Front End (CFE) unit, a CANEWARE Control Processor (CCP) unit, and an Auxiliary Vector Management System (AVMS). The AVMS augments the SDNS Electronic Key Management System (EKMS) Mandatory Access Control (MAC) information by distributing additional security attributes. The EKMS information and additional security attributes from the AVMS, along with Discretionary Access Controls (DAC) from the CCP, are used by the CFEs to enforce access controls to the network. The CFE also provides data encryption on communication links. A CFE is required at each network point. The CCP is used to provide DAC information to the CFEs. DAC information is used by the CFE to limit access to each host based on need-to-know information provided by the host to the CCP. A single CCP can control up to 5000 CFEs, which is the maximum number for a single domain. Up to 1000 domains can be supported by the CANEWARE system.
CANEWARE is capable of encrypting and decrypting at throughput rates from 1200 bps to 750 kbps full duplex and supports I/O rates up to the T1 rate (1.544 Mbps). It supports standard protocols such as GOSIP X.25, DDN X.25 and CCITT 1984 X.25. The standard KSD-64A is used for loading configuration information and initial keying material. It also serves as a crypto ignition key for the CFE. A multi-level security host encryption system functions on X.25, IEEE 802.3, and Ethernet packet switched networks.
The CANEWARE system is approved for use at all classification levels. The development program is complete. Production requirements are currently being established. The approximate cost is $19,500.
The Motorola Network Encryption System (NES) provides encryption security to local area networks (LANs) and wide area networks (WANs). The NES is designed for system high data encryption and can accommodate multiple security communities through network partitioning into separate domains. It provides data confidentiality, data integrity, peer identification and authentication, and mandatory/discretionary access control services. The NES is configured at start up by a configuration disk created by the product server. A product server can be any IBM compatible personal computer. Each product server is capable of serving a maximum of 2000 NES platforms. The configuration disk created by the product server contains application software, discretionary access control (DAC) tables, static routing tables and other configuration information. This information is used to control access to the network protected by a NES platform. The NES can provide secure connections between 802.3/Ethernet and other 802.2/Ethernet networks with a speed up to 1.3 Mbps (half duplex, 1400 byte packets) or 320 packets per second (64 byte packets).
Key distribution can be provided from the Electronic Key Management System (EKMS), or the NES may be physically keyed using a KSD-64A. Up to 250 Traffic Encryption Keys (TEKs) can be supported at one time by the NES. A security battery allows key retention when primary power to the NES is interrupted.
DOE users should contact HR-433 if NES is being considered for any application. The authorized vendor for NES is Motorola Government Electronics Gr., 8201 E. McDowell Road, Scottsdale, AZ 85252-1417. Additional information may be obtained by accessing their web site, http://www.mot.com/GSS/SSTG/ged/iso/nes.html.
The WANG Trusted LAN Interface Unit (TIU-1), which serves as an Ethernet (IEEE 802.3) interface, is a data security device that encrypts LAN data traffic. The TIU-1 secures internetted and individual LANs because it implements Internet Protocols (IPs). Internet Protocols allow communications over wide area networks (WANs) through gateways. The TIU-1 can be used for single level system high LAN encryption. More than one host can be encrypted through a single TIU-1. Encryption is accomplished at a data rate in excess of 200 packets per second full duplex (1500 byte packets). Keying is accomplished using a KOI-18 or a DS-102 signal converter.
This unit is used for LAN encryption (Ethernet, IEEE 802.3). It is approved for use at all classification levels. The authorized vendor is Wang Laboratories, Inc. The cost of a TIU with AUI interface is $19,995, fiber interface is $12,995, key management software is $1,500 and hardware is $7,995.
FASTLANE is a high speed ATM encryptor for local and wide area network multimedia applications (i.e., voice, video, data, and imagery). FASTLANE supports permanent and switched virtual circuits, point-to-point and point-to-multipoint, simplex and duplex connections. It provides authentication and end-to-end protection of user information up to the Top Secret/Sensitive Compartmented Information level. Security levels may be user selected for each communications session. The FASTLANE encryptors may be nested, allowing for the creation of cryptographically isolated networks that operate at different security levels. FASTLANE may support an individual user, a multi-user computer based group or a local area network. Rekeying can be accomplished either electronically or through traditional means.
It is approved for use at all classification levels. The limited capability FASTLANE Release 1 (FR1) system became available in June 1996. The full capability FASTLANE Release 2 (FR2) system will be available in September 1997.
Release 1 (FR1) can no longer be ordered. NSA is currently accepting orders for Release 2 (FR2) with scheduled deliveries beginning in October 1997. Prices: DS-1 $25,000, DS-3 $26,000, OC-3 $28,000; the OC-12 price is based on requirements.
The authorized vendor is GTE Government Systems Corporation, 77 "A" Street, Needham, MA 02194-2892, phone: (410) 859-4060. Additional information on FASTLANE may be obtained by accessing their web site, http://www.gte.com/Cando/Govt/Docs/Software/fastlane.html.
The FASCINATOR is a line of embedded cryptographic devices that can be installed in existing Motorola digital capable radio products and other compatible radios. The proper installation of the FASCINATOR enables a radio to be used for classified voice transmissions. The design provides for secure voice communications while maintaining a plain text capability. The manufacturer produces the FASCINATOR as a product line of eight secure voice modules capable of being direct plug-in replacements for the DES module. The FASCINATOR devices are half duplex 12 kbps serial encryption devices that operate in synchronous mode, providing an operating range similar to plain text. Installation of this device in compatible Motorola radios will require the use of a Security Interface Box and a KOI-18 or KYK-13 for keying. Other radio configurations may have different keying requirements.
The FASCINATOR can be used for non-tactical communication nets. It is approved for use at all classification levels. The MCX-100, NX 300, Portable Repeater, SABER, SPECTRA, SYNTOR X-9000, SYNTOR X-9000 E, Console Interface Unit, and SPECTRA Mobile SVMS have been endorsed. This product is available from Motorola, Inc. The price ranges from $495 for hand-held units to $1200 for portable repeaters.
The KGV-69/69A is an embeddable COMSEC chip developed at NSA. It is designed to be a "bare bones" encryptor for use in very high risk applications. The single-chip design contains the encryption algorithm, appropriate controls, alarm, and I/O circuitry suitable for drop-in solutions to secure data requirements. The KGV-69/69A will encrypt and decrypt serial data up to 50 Mbps.
The KGV-69/69A is approved up to Top Secret data with special configuration required. This equipment is available in limited quantities through the NSA program management office. It is intended for special applications.
The KGV-135 is a high-speed, general purpose encryptor/decryptor under development at Motorola. It is the solution for tactical and space users who need wide-band data encryption embedded into high performance systems. The KGV-135 is an upgrade of the KG-135. It has increased bandwidth and COMSEC operating modes in a compact multi-chip module. The KGV-135 operates at speeds of 2 Kbps to 700 Mbps and uses standard interface logic levels and key protocols.
The KGV-135 may be used in tactical military ground, aircraft, or space applications. The approximate cost is $8,000. Additional information may be obtained by accessing their web site, http://www.mot.com/GSS/SSTG/ged/iso/kgv135.html.
WINDSTER consists of a PC board containing several custom LSIs and discrete devices. This module incorporates the SAVILLE I and PADSTONE algorithms to provide security for classified traffic. It also contains the CORDOBA algorithm, which provides security for sensitive unclassified traffic. CORDOBA provides interoperability with much of the SAVILLE-based equipment in inventory. WINDSTER is a 500 Kbps full/half duplex embeddable COMSEC module used to secure digital voice or data traffic. It provides cryptographically interoperable traffic operation with KY-57/58, E-DRZ, KYV-2, KYV-5, KG-84, RAILMAN, INDICTOR, and STU-III. It also provides re-key operations interoperable with the KY-57/58, KYV-5, INDICTOR, and RAILMAN equipment.
This embeddable module may be used with various voice/data equipment such as mobile or desktop telephones, modems, or man-pack radios. It is approved for use at all classification levels. The authorized vendor is Harris, RF Communications. The approximate cost is $2700 each for quantities of 1 to 249 and $1600 each for quantities over 250.
The KIV-7 is a compact, embeddable COMSEC device that encrypts classified and sensitive national security data transmissions. The KIV-7 secures data communication links among users of personal computers (PCs), workstations, and facsimile equipment. Utilizing the NSA WINDSTER key generator, the KIV-7 is interoperable with the KG-84, KG-84A and KG-84C equipment in both the secure data and Over-The-Air-Rekey (OTAR) modes. It is similar to a universal half-height disk drive in design. This allows it to be embedded in desktop PCs, or it can be installed in a specially designed multi-unit rack. Standard EIA-530 and RS-232 data interfaces simplify system integration. An integrated remote control interface permits the management of up to 31 remote units from a single KIV-7 via an independent secure link. The KIV-7 is available in a high speed version called the KIV-7HS. The KIV-7HS incorporates the WINDSTER T1 module. The KIV-7 supports data rates up to 228 Kbps; the KIV-7HS supports rates up to 1.544 Mbps. The KIV-7 accepts electronic key from the Data Transfer Device, KYK-13 or KOI-18. It has a battery for loading key without primary power and for retaining key when primary power is interrupted.
The KIV-7 may be used on point-to-point, netted and broadcast data link applications. It is approved for use at all classification levels. The authorized vendor is Allied Signal Aerospace Company. The cost for a KIV-7 is $3,542.35, KIV-7HS is $3960 (Qty. 1-3000), KIV-7HS is $3632 (Qty. 3001-7000) and KIV-7HS Upgrade is $1433.
INDICTOR is a half duplex embeddable COMSEC device used to secure digital voice or data traffic. It consists of a single custom CMOS LLSI chip. The INDICTOR module incorporates the SAVILLE I and PADSTONE algorithms. It also contains the CORDOBA algorithm, which provides security for sensitive but unclassified traffic. INDICTOR is cryptographically interoperable with the KY-57/58, KYV-2, KYV-5, KG-84, WINDSTER, and STU-III. It is presently being embedded into the SUNBURST II and PRC-112 radios and several other items of tactical equipment. INDICTOR also provides "receive-only" re-key operations interoperable with KY-57/58, KYV-5, WINDSTER, and RAILMAN equipment. It operates at speeds up to 1 Mbps.
This embeddable module may be used with voice/data equipment, such as mobile telephones, modems, and/or hand-held radios. It is approved for use at all classification levels. The authorized vendor is Motorola, Government Equipment Corporation. Allow 8 to 10 weeks for delivery. The cost is $250 each (Qty. 1-100) (full compliance with Mil-Spec 80-83) and $180 each any quantities over 100.
The Crypto Engine is a self-contained, redundant cryptographic module designed to be integrated into devices as an alternative to box and board-level cryptographic devices. This module consists of two chips, an algorithm data path chip and a control processor chip, combined in a common carrier. The chip design provides an encryption/decryption rate of 20 Mbps half duplex using a 12 MHz clock.
The Crypto Engine may be used in digital link encryption, telecommunications, microwave, fiber optics, voice and video transmission, LAN and embedded computer applications. It is approved for use at all classification levels. The authorized vendor is Tracor Aerospace, Inc. The cost is not available at this time.