[sci.military] "Identify-Friend-or-Foe" questions

denbeste@BBN.COM (Steven Den Beste) (12/23/89)

From: Steven Den Beste <denbeste@BBN.COM>


I would appreciate it if someone would post a description of how the "IFF"
system works. Every way I can think of that it could work provides a way for an
enemy to abuse the system. For instance, in a jet with such
a system:

1. IFF broadcasts its signature continuously. In that case an enemy missile
	could home in on the broadcast.

2. IFF answers with its signature whenever someone else broadcasts a query.
	A missile could be equipped with a query-broadcaster and then
	home in on the answer.

3. A missile refuses to hit an enemy target because it identifies itself as
	friendly, even though it isn't.

#1 and #2 are particularly a problem because Electronic Counter Measures can't
be used to prevent this without nullifying the IFF system entirely. (That is,
if a friendly system can use IFF to abort an attack, an enemy system can
equally use it to complete an attack.)

There were rumors after the Falklands war that HMS Sheffield didn't try to
stop the incoming Exocet because IFF had identified it as friendly (French).
This was denied, and then the whole subject was hushed up. I still wonder about
this.


Steven C. Den Beste     denbeste@spdcc.com
                        harvard!spdcc!denbeste

THE ACCOUNT FROM WHICH THIS WAS POSTED (denbeste@bbn.com) IS GOING AWAY
ON 12/29/89.  USE THE ADDRESS GIVEN ABOVE FOR ALL MAIL, EFFECTIVE IMMEDIATELY.

terryr@ogicse.ogc.edu (Terry Rooker) (12/27/89)

From: terryr@ogicse.ogc.edu (Terry Rooker)
In article <12566@cbnews.ATT.COM> denbeste@BBN.COM (Steven Den Beste) writes:
>
>
>I would appreciate it if someone would post a description of how the "IFF"
>system works. Every way I can think of that it could work provides a way for an
>enemy to abuse the system. For instance, in a jet with such
>a system:
>
>2. IFF answers with its signature whenever someone else broadcasts a query.
>	A missile could be equipped with a query-broadcaster and then
>	home in on the answer.
>
This is the method used by current systems.  You are right about an
enemy interrogating the IFF to determine your position.  You hear
about an "unofficial" policy that all IFF will be turned off in a
shooting war for just this reason.  At least the operators sincerely
wish that the IFF will be turned off.  I believe that in operations
over Vietnam, the US aircraft turned their IFF off.  In some studies
of pilot workload, it seems that pilots ignore IFF anyway because they
already have too much information to process.  Considering all of
this, the question is why spend all that money on something that
people don't want to use?

-- 
Terry Rooker
terryr@cse.ogi.edu

sampson@attctc.Dallas.TX.US (Steve Sampson) (12/27/89)

From: sampson@attctc.Dallas.TX.US (Steve Sampson)



> I would appreciate it if someone would post a description of how the "IFF"
> system works. Every way I can think of that it could work provides a way for an
> enemy to abuse the system. For instance, in a jet with such
> a system:
>
> 1. IFF broadcasts its signature continuously. In that case an enemy missile
>        could home in on the broadcast.

You're confusing IFF with SIF (Selective Identification Feature).  IFF is not
used 360 deg in war or even peacetime for that matter.  It is used only on a
particular azimuth.  The operator must aim his Stinger or hook a computer track
or push a button when the sweep gets near a radar target.  "Full Scan" is an
option, but you better be overwhelmed when you use it.  For the reasons you
outlined above.  Even "Full Scan" only works for one scan.  An aircraft only
replies when interrogated.

> 2. IFF answers with its signature whenever someone else broadcasts a query.
>        A missile could be equipped with a query-broadcaster and then
>        home in on the answer.

The subject is classified.

> 3. A missile refuses to hit an enemy target because it identifies itself as
>        friendly, even though it isn't.

Would the military contractors give us a system that didn't work :-)  Actually
I don't think missiles are that intelligent.  They merely are guided or track
on some feature.  The operator decides to abort.  With the speed of missiles
though - there's not much chance of this.

> #1 and #2 are particularly a problem because Electronic Counter Measures can't
> be used to prevent this without nullifying the IFF system entirely. (That is,
> if a friendly system can use IFF to abort an attack, an enemy system can
> equally use it to complete an attack.)

If I was going to start a war I'd be jamming the piss out of the IFF frequency.
Say, send a data train of random alternating ones-n-zeros. IFF is a tool, the
bottom line is anything airborne in "my" area better be on the Frag or it dies.
This explains why a lot of body bags come home marked "friendly fire".  If you
don't understand the rules, you better not get airborne.

> There were rumors after the Falklands war that HMS Sheffield didn't try to
> stop the incoming Exocet because IFF had identified it as friendly (French).
> This was denied, and then the whole subject was hushed up. I still wonder about
> this.

I've seen Exocets flying in the Gulf and never have seen them reply to IFF or
SIF, also, identification isn't confirmed with a squawk.  IFF is a crypto
secure system.  How would the Argentines know what the current code was?
The British weren't equipped to handle incoming Exocets so they tried to kill
targets before they got close enough to launch.  You might comment on what the
Sheffield had for defense systems for Exocets (either enroute or terminal)?
I saw an interesting video that showed most battles at or below 500 feet in the
Falklands.  My only comment would be - if the launch vehicle got close enough
to launch an Exocet, someone already screwed up, and the Argentines scored a
tactical victory.

s32822l@kaira.hut.fi (Ari J. Joki (OH6DJ)) (01/04/90)

From: s32822l@kaira.hut.fi (Ari J. Joki (OH6DJ))
In article <12598@cbnews.ATT.COM> sampson@attctc.Dallas.TX.US (Steve Sampson) writes:
>
>> 2. IFF answers with its signature whenever someone else broadcasts a query.
>>        A missile could be equipped with a query-broadcaster and then
>>        home in on the answer.
>
>The subject is classified.
>
(Several paragraphs deleted)
>
>...  IFF is a crypto secure system.  ...
>

This is to say that in a crisis situation the military is going to switch 
from the present system outlined above to a system where queries and responses
have some kind of cryptographic authentication. At least that is how I read
it and how I'd do it.

Yours, AJJ.

denbeste@spdcc.com (Steven Den Beste) (01/05/90)

From: denbeste@spdcc.com (Steven Den Beste)

In article <12758@cbnews.ATT.COM> s32822l@kaira.hut.fi (Ari J. Joki (OH6DJ)) writes:
>
>
Various people have said, starting with yours truly:
>>>        A missile could be equipped with a query-broadcaster and then
>>>        home in on the answer.
>>
>>The subject is classified.
>>
>
>This is to say that in a crisis situation the military is going to switch 
>from the present system outlined above to a system where queries and responses
>have some kind of cryptographic authentication. At least that is how I read
>it and how I'd do it.
>

The problem with this is that it wouldn't work for long. Whatever the
query is could be taped (since queries will be getting broadcast
constantly) and fed to the missile. Encryption of the query
is meaningless unless it uses some sort of running-time algorithm (so
that a legal query changes from minute to minute, or something like
that). Then your logistics problems get really messy: What happens if
everyone's clocks aren't synchronized?

There is a level of complexity of the system above which it becomes
useless because of reliability and maintenance problems - and a level
of complexity below which the system isn't secure.  Unfortunately,
these appear to overlap so that the middle ground has it both
unreliable and insecure.

davidb@inmet.inmet.com (01/08/90)

From: davidb@inmet.inmet.com


Taping an IFF sequence between ground and air is not sufficient.  The
theoretical algorithm (I talk from a cryptological point of view; the
extent of the implementation of this scheme is beyond my knowledge.
It may be classified) is as follows.  A random sequence of bits is
beamed from ground.  Air encrypts this and beams it back; the ground
encrypts and compares.  Identification as friend occurs if the
sequences are identical.  It is this sequence that is the root of the
"known plaintext" attack against encryption systems.

For recording to work, the broadcast would have to have been seen
previously, and the response recorded, by the ``unfriendly'' bird.

major@beaver.cs.washington.edu (Mike Schmitt) (01/08/90)

From: ssc-vax!shuksan!major@beaver.cs.washington.edu (Mike Schmitt)

In article <12758@cbnews.ATT.COM>, s32822l@kaira.hut.fi (Ari J. Joki (OH6DJ)):
> From: s32822l@kaira.hut.fi (Ari J. Joki (OH6DJ))

  "IFF" is an old term.  It's interchangeable with SIF (Selective 
  Identification Feature).  A more accurate term today would be 
  "Identification of Some Friends".   I don't believe any current "Foe"
  carry an IFF/SIF system - nor would they be 'squawking' any if they 
  had.  All commercial aircraft, I believe, do have an IFF/SIF system.
  Friendly Military Aircraft have their own - but may not want to 'squawk'
  during 'hostilities'.  

  So, since 'bad guys' don't, and good guys won't, and commercial may or
  may not - hence it really becomes "Identification of Some Friends".


  mms

erc@khijol.UUCP (Edwin R. Carp) (01/09/90)

From: erc@khijol.UUCP (Edwin R. Carp)

In article <12758@cbnews.ATT.COM> s32822l@kaira.hut.fi (Ari J. Joki (OH6DJ)) writes:
>
>This is to say that in a crisis situation the military is going to switch 
>from the present system outlined above to a system where queries and responses
>have some kind of cryptographic authentication. At least that is how I read
>it and how I'd do it.

But what would prevent an enemy from sending out a query, then if it got a
response that it couldn't decrypt, using that to home in on a ship and zap
it?  Unless a friendly wouldn't respond unless the query was encrypted - but
that would cause problems, too, wouldn't it?
-- 
Ed Carp			N7EKG/5 (28.3-28.5)	uunet!cs.utexas.edu!khijol!erc
Austin, Texas		(512) 832-5884		"Good tea.  Nice house." - Worf
***   Did you know that Barbie Benton PLAYS THE PIANO??  Quite well, too!   ***

denbeste@spdcc.com (Steven Den Beste) (01/10/90)

From: denbeste@spdcc.com (Steven Den Beste)


I've gone through this in private with someone, and apparently everyone
has misunderstood my question, so I'd like to go through it in public.

I am not contending that an enemy SAM could easily make itself look
friendly (and therefore be ignored by the jet) by simple recording.

In the book "The Threat: Inside the Soviet Military Machine" (much
recommended, by the way) Andrew Cockburn describes how a U.S. SAM was
tested against a drone in front of several congresspersons. The test
was quite successful. Of course, what the congresspersons were NOT told
was that the drone carried a radio transponder, and the missiles homed
in on that. Needless to say, this made the success rate much higher
than if the drone was trying to evade, or if the SAMs had to find it on their
own.

From an operational point of view, a jet's IFF-receiver is precisely
such a transponder. Whenever it receives a challenge, it answers. If a
SAM can figure out how to send a challenge, it can then home in on the
jet's answer. It doesn't know what the answer means, and it doesn't
care. At the lowest level, it is just a radio beacon towards which
the missile can aim.

The jet will, of course, also challenge the missile and it won't get
the correct answer back. The jet will, therefore, correctly identify the
missile as a foe, and try to evade, destroy or confuse the missile
through a legion of interesting techniques. But if the missile can
record a valid challenge, no matter from where it came and whatever it
means and keep sending it, then the jet will keep answering and the
missile can home in on the answer.

Anything which prevents the jet from answering also risks having the
jet fail to answer a missile which IS friendly. Thus long tailpipes or
dropped flares or ECM radar fuzz have no important effect on this
missile, since it is only homing in on the IFF answer, which it can
locate even though it doesn't understand it and can't decipher it.

I've come up with three ways the system could be made to work, and none
of them is practical:

1. All friendly units have a time-of-day clock with a fast tick-rate
(no more than a few seconds per tick) which are very closely
synchronized. Part of a legal challenge contains the time-of-day. Any
challenge which contains the wrong time-of-day is ignored. Thus, by the
time the missile has taped the challenge and repeated it back, the
challenge is already obsolete. Since the missile doesn't actually know
the enciphering algorithm, it cannot synthesize its own non-obsolete
challenges.
   Just how do you make sure that all the friendly time-of-day clocks
are synchronized within a fraction of a second? I don't see how this
could be done in practice.

2. A legal challenge contains the type of unit from which the challenge
was received. When avionics on a jet receives a challenge, it makes an
independent identification of the type of unit, and if the challenge
makes no sense from that type of unit, then it is ignored. In other
words, a missile broadcasting a jet-challenge must be an enemy.
   My private correspondent said that this might be possible by
monitoring the kind of forward radar the unit was using, since this
seems to vary substantially by kind of unit. It seems to me that all
this means is that the enemy who designs this SAM must figure out how
to broadcast a jet-like radar signature (even though it isn't actually
using radar to find its target - remember, it is ONLY homing in on the IFF
response).
   This becomes an arms-race, where the jet-building side tries to get
smarter and smarter about identifying bogies and the SAM-building side
tries to get cagier and cagier about looking like a friendly jet.

3. A sequence number is used theater-wide and is included as part of
the challenge. Once any unit in the theater uses a challenge with a
given sequence number, that sequence-number never gets used again by
anyone. Perhaps this could be made to work if every individual IFF has its own
range of use-once-and-never-use-again numbers. (Good thing numbers are cheap!
We're going to need a lot of them!) In that case, seeing a message which uses
a number that has been used before, or is in the jet's own number range,
would be ignored.
   Again I think this is a logistics nightmare. It also requires all the IFF
systems to contain enormous memories to store which sequence numbers they've
seen before.


   So my point is this: As long as one of our jets has IFF onboard and
operating, there should be a relatively unsubtle way that a SAM can home in on
that IFF system so as to destroy said jet. The jet's IFF will correctly identify
the SAM as a foe, but this is irrelevant. (Except that it means the pilot can
try somehow to evade the thing.)

   I'm hoping that there is some other approach besides the ones I've dreamed
up which overcome this problem. Would anyone care to take a crack at explaining
it to me?
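
[Added example, not part of the original post and not a description of any fielded IFF system: schemes 1 and 3 above combined in a transponder that stays silent unless an interrogation is authentic, recent and unseen. HMAC-SHA-256, the 8-byte message layout, the 5-second window and every name here are assumptions made for illustration; the key is constructed.]

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"    # constructed sample key, not a real one
TAG_LEN = 8                      # truncated MAC length in bytes (assumption)
WINDOW = 5                       # clock skew tolerated, in seconds (assumption)
BODY = struct.Struct(">HIH")     # unit id, time-of-day tick, per-unit counter


def make_challenge(key, unit_id, now, counter):
    """Interrogator side: body plus a MAC only key holders can compute."""
    body = BODY.pack(unit_id, now, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Transponder:
    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.seen = set()        # (unit_id, tick, counter) heard inside the window

    def handle(self, challenge, now):
        """Return 'reply', or the reason the transponder stays silent."""
        if len(challenge) != BODY.size + TAG_LEN:
            return "silent:malformed"
        body, tag = challenge[:BODY.size], challenge[BODY.size:]
        expect = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return "silent:bad-tag"
        unit_id, tick, counter = BODY.unpack(body)
        # Anything older than the window is rejected as stale anyway, so the
        # replay memory only has to cover the window, not the whole campaign.
        self.seen = {s for s in self.seen if s[1] >= now - self.window}
        if abs(now - tick) > self.window:
            return "silent:stale"
        if (unit_id, tick, counter) in self.seen:
            return "silent:replay"
        self.seen.add((unit_id, tick, counter))
        return "reply"


def demo():
    tp = Transponder(KEY)
    taped = make_challenge(KEY, unit_id=7, now=1000, counter=1)
    out = [tp.handle(taped, now=1001)]             # genuine, first hearing
    out.append(tp.handle(taped, now=1002))         # same bytes repeated at once
    out.append(tp.handle(taped, now=1010))         # same bytes repeated later
    forged = make_challenge(b"wrong-key", 7, 1010, 2)
    out.append(tp.handle(forged, now=1010))        # sender without the key
    fast = make_challenge(KEY, 8, 1013, 1)         # friendly clock 3 s fast
    out.append(tp.handle(fast, now=1010))
    slow = make_challenge(KEY, 9, 1001, 1)         # friendly clock 9 s slow
    out.append(tp.handle(slow, now=1010))          # the cost of a tight window
    return out, len(tp.seen)


if __name__ == "__main__":
    print(demo())
```

[The replay memory is local to one transponder, so the window length is also how long a recorded interrogation stays acceptable to a transponder that has not yet heard it; a tighter window shortens that period at the price of more friendly interrogations rejected for clock skew.]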

terryr@ogicse.ogc.edu (Terry Rooker) (01/10/90)

From: terryr@ogicse.ogc.edu (Terry Rooker)
In article <12931@cbnews.ATT.COM> erc@khijol.UUCP (Edwin R. Carp) writes:
>
[stuff deleted about IFF]

>But what would prevent an enemy from sending out a query, then if it got a
>response that it couldn't decrypt, using that to home in on a ship and zap
>it?  Unless a friendly wouldn't respond unless the query was encrypted - but
>that would cause problems, too, wouldn't it?

This is exactly why many are not too crazy about turning on IFF during
a shooting war.  It is also why aircrews turned IFF off over North
Vietnam.

-- 
Terry Rooker
terryr@cse.ogi.edu

duncan@rti.rti.org (Stephen Duncan) (01/11/90)

From: rti.uucp!duncan@rti.rti.org (Stephen Duncan)

In article <12972@cbnews.ATT.COM> denbeste@spdcc.com (Steven Den Beste) writes:
>
>From: denbeste@spdcc.com (Steven Den Beste)
>
> [ . . . ]
>
>   So my point is this: As long as one of our jets has IFF onboard and
>operating, there should be a relatively unsubtle way that a SAM can home in
>on that IFF system so as to destroy said jet. The jet's IFF will correctly
>identify the SAM as a foe, but this is irrelevant. (Except that it means the
>pilot can try somehow to evade the thing.)
>
>   I'm hoping that there is some other approach besides the ones I've
>dreamed up which overcome this problem. Would anyone care to take a crack
>at explaining it to me?

How heavy and expensive is an IFF?  If neither is very great, then just
attach some to flares and eject them.  This should confuse any missile.
If there are codes one doesn't want recovered in the IFF, then attaching
a bomblet to it should suffice, in case the missile malfunctions.
This would work particularly well if the plane turned off its IFF
momentarily.  The missile would never know the difference.  Add a radar
reflector, and the flare/IFF could fool radar and IR that the missile might
use as secondary sensors.

Steve Duncan
duncan@rti.rti.org

tek@CS.UCLA.EDU (Ted Kim (Random Dude)) (01/11/90)

From: tek@CS.UCLA.EDU (Ted Kim (Random Dude))

In article <12972@cbnews.ATT.COM> denbeste@spdcc.com (Steven Den Beste) writes:
> ...
>
>   So my point is this: As long as one of our jets has IFF onboard and
>operating, there should be a relatively unsubtle way that a SAM can home in on
>that IFF system so as to destroy said jet. 
>
> ...

I will leave the theory discussion to others, but here is a summary of
some current IFF standards.

The current NATO IFF standard is Mk 10 (or Mk 10A). It is the standard
interrogate-response type setup. The response can be in one of a few
modes (civil/military/combined). In the military mode, the response
can include additional (encrypted) verification information. This type
of system has precisely the problem you mention. An enemy can send a
legal challenge and use the response (whether he understands it or
not) to track the target. Mk 10A expands the set of identifiers.

The US standard is Mk 12. The change here is that the interrogator
must send a coded sequence to get the transponder to respond. So, in
principle, unless the enemy knows the code, it can't use our
transponders to track our forces. (I don't know the nature of the code
and how keys and sequence numbers are distributed.) The Europeans did
not want to accept this standard due to cost.

A few years ago, the NATO IFF working group is said to have come up
with some new system which has the equivalent of Mk 12 capabilities in
it, though I don't know when systems using the new standard will come
out. Also the new standard allows interrogation in certain radar bands
also. In principle, this allows one to modify your radar to send IFF
interrogations (and not buy another transmitter). The response comes
back on the Mk 10 response frequency (backwards compatibility). So you
still have to buy a separate receiver.

-ted

Ted Kim                           
UCLA Computer Science Department  Internet: tek@penzance.cs.ucla.edu
3804C Boelter Hall                UUCP:    ...!{uunet|ucbvax}!cs.ucla.edu!tek
Los Angeles, CA 90024		  Phone:   (213) 206-8696

grue@lance.hss.bu.oz (Frobozz) (01/12/90)

From: grue@lance.hss.bu.oz (Frobozz)
In article <12822@cbnews.ATT.COM> denbeste@spdcc.com (Steven Den Beste) writes:
>>This is to say that in a crisis situation the military is going to switch 
>>from the present system outlined above to a system where queries and responses
>>have some kind of cryptographic authentication. At least that is how I read
>>it and how I'd do it.
>>
>
>The problem with this is that it wouldn't work for long. Whatever the
>query is could be taped (since queries will be getting broadcast
>constantly) and fed to the missile. Encryption of the query
>is meaningless unless it uses some sort of running-time algorithm (so
>that a legal query changes from minute to minute, or something like
>that). Then your logistics problems get really messy: What happens if
>everyone's clocks aren't synchronized?
>
>There is a level of complexity of the system above which it becomes
>useless because of reliability and maintenance problems - and a level
>of complexity below which the system isn't secure.  Unfortunately,
>these appear to overlap so that the middle ground has it both
>unreliable and insecure.


I don't know how the real system works but I can suggest one that might be
workable: you base the system on a query reply sequence but the query
contains a randomly generated piece of information and the reply must contain
a function of the information.
If the reply isn't correct (i.e. the wrong function was used), then whatever
was queried is unfriendly.
If the reply is correct then assume it is friendly.


Taping a query won't have any effect. Just because I sent a query to something
doesn't mean that the thing assumes I am a friend.  It must query me to find
that out.  Taping a reply won't be of any use either since the reply is only
valid for the specific query that created it.  Maintaining a table of
query/reply pairs will also be of no use since the random piece of information
may be as large as desired (50 bits -> 1,000,000,000,000,000 lines in the
table) and no table could be that large.   This system does require that the
mapping function be unknown and hard to deduce.

If multiple query/counter-query/response sequences are allowed then a system
such as the above can be made reasonably secure.  I suspect that a long exchange
of messages would be impossible in reality.



							Paul Dale
seeya
SNIF

Language Centre              internet    : grue@lance.hss.bu.oz{.au}
Bond University              JANET       : grue%lance.hss.bu.oz@uk.ac.ukc
Gold Coast, Qld 4229         ARPA, bitnet: grue%lance.hss.bu.oz.au@uunet.uu.net
Australia                    UUCP        : ..!uunet!munnari!lance.hss.bu.oz!grue
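
[Added example, not part of any post in this thread and not a description of any fielded IFF system: the random-challenge scheme described by davidb and by Paul Dale above, showing that a recorded reply fails against a fresh challenge. HMAC-SHA-256 stands in for the unspecified "encrypt" / "function" step; the key and all names are constructed for illustration.]

```python
import hashlib
import hmac
import secrets

CHALLENGE_BITS = 50                  # challenge size used in the post above
KEY = b"constructed-shared-key"      # constructed sample key


def respond(key, challenge):
    """Transponder side: keyed function of the challenge (HMAC is an assumption)."""
    msg = challenge.to_bytes((CHALLENGE_BITS + 7) // 8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Interrogator:
    def __init__(self, key):
        self.key = key
        self.pending = None

    def new_challenge(self):
        self.pending = secrets.randbits(CHALLENGE_BITS)
        return self.pending

    def verify(self, reply):
        """Recompute the expected reply and compare; each challenge is single use."""
        if self.pending is None:
            return False
        expected = respond(self.key, self.pending)
        self.pending = None
        return hmac.compare_digest(reply, expected)


def replay_hit_probability(recorded_pairs, bits=CHALLENGE_BITS):
    """Chance that one fresh random challenge is already in a table of recordings."""
    return min(1.0, recorded_pairs / 2 ** bits)


def demo():
    ground = Interrogator(KEY)
    c1 = ground.new_challenge()
    taped = respond(KEY, c1)                  # genuine reply, recorded off the air
    friend_ok = ground.verify(taped)          # accepted for the challenge it answers

    c2 = ground.new_challenge()
    while c2 == c1:                           # keep the demonstration deterministic
        c2 = ground.new_challenge()
    replay_ok = ground.verify(taped)          # recorded reply against a new challenge

    c3 = ground.new_challenge()
    wrong_key_ok = ground.verify(respond(b"some-other-key", c3))
    return friend_ok, replay_ok, wrong_key_ok


if __name__ == "__main__":
    print(demo(), replay_hit_probability(10 ** 6))
```

[This authenticates the reply to the interrogator only; the transponder here still answers every challenge it hears, which is the separate problem raised earlier in the thread.]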