Electronic Key Management System
The Electronic Key Management System (EKMS) is a United States National Security Agency (NSA)-led program responsible for Communications Security (COMSEC) key management, accounting, and distribution. Specifically, EKMS generates and distributes electronic key material for all NSA encryption systems whose keys are loaded using standard fill devices, and directs the distribution of NSA-produced key material. Additionally, EKMS performs account registration, privilege management, ordering, distribution, and accounting to direct the management and distribution of physical COMSEC material for the services. The common EKMS components and standards facilitate interoperability and commonality among the armed services and civilian agencies. Key Management Infrastructure (KMI) replaces EKMS.


Reasons for development

The primary reason for the development of EKMS centers on the security and logistics problems that plagued the COMSEC Material Control System (CMCS) (see "The Communications Security Material System", DTIC, https://apps.dtic.mil/dtic/tr/fulltext/u2/a271771.pdf, archived September 16, 2012, accessed 2013-08-17), which replaced the Registered Publications System (RPS) in the 1970s. The CMCS was a very labor-intensive operation that had been stretched to capacity. The most serious, immediate concern was the human threat associated with access to and exploitation of paper key throughout its life cycle. The disclosure of the Walker spy ring was clear justification of this concern. Although eliminating the majority of paper keys greatly reduces this human threat, the long-term goal of EKMS, minimizing human access to keys, will not be realized until benign fill key is fully implemented. Benign fill permits electronic keying material to be distributed in encrypted form directly to the COMSEC device, so that no person in the distribution chain ever has access to the plaintext key itself. The need for joint interoperability led to the Defense Reorganization Act of 1986, under which the Joint Chiefs of Staff (JCS) tasked NSA, the Defense Information Systems Agency (DISA), and the Joint Tactical Command, Control and Communications Agency (JTC3A) to develop a Key Management Goal Architecture (KMGA). Subsequent difficulties in coordinating COMSEC distribution and support during joint military operations, e.g., Desert Storm, Urgent Fury, and Operation Just Cause, have further emphasized the need for a system capable of interoperability between the Services.


Central facility (Tier 0)

EKMS starts with the Central Facility (CF), run by NSA, which provides a broad range of capabilities to the Services and other government agencies. The CF, also referred to as Tier 0, is the foundation of EKMS. Traditional paper-based keys, and keys for Secure Telephone Unit – Third Generation (STU-III), Secure Terminal Equipment (STE), Future Narrowband Digital Terminal (FNBDT), Iridium, Secure Data Network System (SDNS), and other electronic key are managed from an underground building in Finksburg, Maryland, which is capable of the following:

* processing orders for both physical and electronic keys
* electronically generating and distributing keys
* generating key material for FIREFLY (an NSA algorithm)
* performing seed conversion and rekey
* maintaining compromise recovery and management of FIREFLY material
* support for over-the-air rekeying (OTAR)

The CF talks to other EKMS elements through a variety of media, communication devices, and networks, either through direct distance dialing using STU-III (data mode) or dedicated link access using KG-84 devices. During the transition to full electronic key, the 3.5-inch floppy disk and 9-track magnetic tape are also supported. A common user interface, the TCP/IP-based message service, is the primary method of communication with the CF. The message service permits EKMS elements to store EKMS messages, including messages that carry electronic key, for later retrieval by another EKMS element.


Tier 1

Under CMCS, each service maintained a central office of record (COR) that performed basic key and COMSEC management functions, such as key ordering, distribution, inventory control, etc. Under EKMS, each service operates its own key management system using EKMS Tier 1 software that supports physical and electronic key distribution, traditional electronic key generation, management of material distribution, ordering, and other related accounting and COR functions. Common Tier 1 is based on the U.S. Navy's key distribution system (NKDS) software developed by the Naval Research Laboratory and further developed by SAIC in San Diego.


Tier 2

EKMS Tier 2, the Local Management Device (LMD), is composed of a commercial off-the-shelf (COTS) personal computer (PC) running the Santa Cruz Operation's SCO UNIX operating system, and an NSA KOK-22A Key Processor (KP). The KP is a trusted component of EKMS. It performs cryptographic functions, including encryption and decryption functions for the account, as well as key generation and electronic signature operations. The KP is capable of secure field generation of traditional keys. Locally generated keys can be employed in crypto-net communications, transmission security (TRANSEC) applications, point-to-point circuits, and virtually anywhere that paper-based keys were used. Electronic keys can be downloaded directly to a fill device, such as the KYK-13, KYX-15, or the more modern AN/CYZ-10 Data Transfer Device (DTD), for further transfer (or fill) into the end cryptographic unit.


Tier 3

Tier 3 is the lowest tier of the EKMS architecture. It comprises the fill devices used to load keys into End Cryptographic Units (ECUs), such as the AN/CYZ-10 Data Transfer Device (DTD) and the AN/PYQ-10 Simple Key Loader (SKL), together with Key Management Entities (KMEs), also called Local Elements (LEs), that hold either hard-copy material only or STU-III/STE material only. Unlike LMD/KP Tier 2 accounts, Tier 3 entities never receive electronic key directly from a COR or from Tier 0.



External links


Central Facility web site

Link 16 Joint Key Management Plan, CJCSM 6520.01A, 2011
