[Cryptography] Mark XIIa Mode 5 IFF

John Denker jsd at av8n.com
Sun Mar 5 17:41:24 EST 2017


On 03/04/2017 11:39 PM, Rui Paulo wrote:

> Speaking of IFF, is the US/NATO developed mode 5 transponder a black
> box?  Is there anyone explaining the crypto behind it?
> 
> Long shot, I know.

Some interesting bits are explicitly known and/or easy to figure
out, even by someone (like me) who has no special knowledge.

Two crucial elements of the threat model are the active attacks,
namely exploitation and spoofing.

It is often emphatically alleged that IFF is a misnomer.  A positive
response indicates a friend, but foes are not explicitly identified,
and some subset of the friends might go unidentified.

However, that is only true /when IFF is working properly/.  Beware
that sometimes team A can exploit team B's IFF and thereby locate
and identify the foes of A.  For example, the British were able to
exploit the German FuG 25a during WWII.

To say almost the same thing in crypto terminology:  an IFF system
needs to worry about replay attacks.  A replay of the interrogation
pulse could result in exploitation;  a replay of the reply could
result in spoofing.

The zeroth-order WWII-era defense is to send a coded interrogation
pulse, based on a code that changes daily.  However, you still need
to worry about intra-day replay attacks.  The current Mark XIIa Mode
5 uses a very short-term key based on the time of day (in conjunction
with the longer-term key).

This by itself makes it difficult to replay the interrogation pulse.
The interrogation contains a nonce that makes it doubly difficult
to replay the reply.  That is, replies are not portable from one
interrogator to another.

Another wrinkle is that the pulses can encode GPS location info.
A pulse where the encoded info is inconsistent with the primary
radar fix is probably either an echo or a replay attack.

A major complication is that the pulses are rather short.  There
are not enough bits to do everything you might like to do using
standard crypto primitives.  I suspect there is some bespoke
crypto involved.

The following argument is not entirely convincing, but I will
mention it anyway, as a possible topic of discussion:
 -- If the bad guys can break into your IFF reply and read the
  current X,Y,Z position of your stealth aircraft, that is a
  very very bad thing.
 -- If they can only read it 40 hours later, that's bad but not
  quite so bad.  So maybe the crypto doesn't need to be absolutely,
  formally unbreakable.

There are also passive attacks.  The pulses in both directions can
be picked up by the adversary and subjected to direction-finding.
To alleviate (but not eliminate) this threat, spread spectrum is
used.  This is analogous to the CDMA (code-division multiple access)
used in cell phones, with one exception.  CDMA and the bar codes on
retail products are examples of non-secret coding that can be used
to illustrate the concept to laypersons.  Military spread spectrum
uses secret codewords.  If you don't know the code, the pulse will
look like random noise, and from far away you won't even recognize
it as a pulse.  Mark XIIa changes the codewords on a very short
timescale.

From not so far away the pulses will stand out above the background
noise.  There's not much anybody can do to prevent that.

Crypto has never fitted very well into the OSI layer model.  For
example, PGP misfits on top of layer 7 email, and IPsec misfits
slightly above and slightly below layer 3.  Meanwhile, spread
spectrum coding misfits somewhere around layer 2.

Of course the IFF system has nonces and message authenticators
on top of that, at higher layers.

  http://www.globalsecurity.org/military/library/budget/fy2014/dot-e/navy/2014mkxiiaiffmode5.pdf
  https://www.linkedin.com/pulse/everything-you-wanted-know-iff-mark-xii-were-afraid-ask-raman-sopory
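
An added illustration, not part of the original post and not the actual Mode 5 algorithm (which the post does not describe): a challenge-response sketch of the two replay defenses above, a short-term key derived from the time of day plus a long-term key, and a nonce that ties each reply to one interrogator. HMAC-SHA256, the 4-second slot, the 8-byte fields and the seen-nonce set are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os

SLOT_SECONDS = 4  # assumed rekey interval; the post says only "very short-term"

def slot_key(long_term_key: bytes, now: float) -> bytes:
    """Short-term key from the long-term key and the current time slot."""
    slot = int(now // SLOT_SECONDS).to_bytes(8, "big")
    return hmac.new(long_term_key, b"slot" + slot, hashlib.sha256).digest()

def tag(key: bytes, *parts: bytes) -> bytes:
    """Truncated MAC: short pulses leave room for only a few bytes."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()[:8]

def interrogate(long_term_key: bytes, now: float):
    """Interrogator: fresh nonce, authenticated under the current slot key."""
    nonce = os.urandom(8)
    return nonce, nonce + tag(slot_key(long_term_key, now), b"I", nonce)

def respond(long_term_key: bytes, now: float, interrogation: bytes, seen: set):
    """Transponder: answer only a fresh, authentic interrogation, else stay silent.

    Silence on a stale or forged pulse is what blocks exploitation.
    `seen` (assumed) rejects replays inside the same time slot.
    """
    nonce, mac = interrogation[:8], interrogation[8:]
    key = slot_key(long_term_key, now)
    if not hmac.compare_digest(mac, tag(key, b"I", nonce)) or nonce in seen:
        return None
    seen.add(nonce)
    return tag(key, b"R", nonce)

def verify_reply(long_term_key: bytes, now: float, nonce: bytes, reply) -> bool:
    """Interrogator: accept only a reply bound to its own nonce and time slot.

    A reply recorded from another interrogation fails here (spoofing defense).
    """
    if reply is None:
        return False
    expected = tag(slot_key(long_term_key, now), b"R", nonce)
    return hmac.compare_digest(reply, expected)
```

A fielded design would also have to tolerate clock skew across a slot boundary, which this sketch ignores.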


