peter@Cayman.COM (Peter Schmidt) (01/11/90)
Disclaimer: I have no knowledge of how IFF actually works outside of some survey articles and such. I am not connected to the military or any defense contractor. Mileage may vary.

My chief reference for this is: Popek, Gerald J. and Charles S. Kline, "Encryption and Secure Computer Networks", Computing Surveys, Vol. 11, No. 4, ACM, December, 1979.

The problem of IFF is fundamentally no different from the problem of secure communication on open networks. In both cases, a way must be provided for parties to mutually identify and talk to each other in the face of: traffic recording, disruption, introduction of spurious messages, and retransmission of previously transmitted valid messages.

In the case of IFF, traffic recording is a problem when squawks are used for things like intelligence (counting hostiles) or for guiding attacks more directly (i.e. as beacons). Disruption is of course always a problem in the age of ECM. Both of these need to be addressed by technology in the form of hardware and communication protocols which are hard to intercept, resistant to jamming, etc. (and I hope the current IFF schemes do adequately address these problems!).

However, and more interestingly, the second two problems need to be addressed algorithmically through the authentication method used. The authentication method chosen needs to be able to disregard both spurious squawks, and any retransmitted proper ones. In their paper, Popek and Kline show how this can be done using public-key encryption.

Public-key encryption makes use of a class of algorithms with a nice property: the key used to encrypt the data is different from the one used to decrypt the data, and it "is impractical to derive" one from the other (meaning that the only known ways involve looooong periods of Cray Y-MP activity - if you pick a long enough key, 32 bits, say, it is not hard to prove that every proton in the universe acting as a Cray for 10 billion years would be unable to crack the key; it is rumored the DES key is 17 bits long because any longer and the NSA wouldn't be able to buy enough supercomputers to break it. 1/2 :-).

Let us suppose we have two IFF stations, a Stinger operator (A) and an AH-58D (B), say. The authentication as friendlies would proceed as follows (cribbed almost verbatim from Popek and Kline, p. 339):

Here is an outline of a simple, general authentication sequence between stations A and B. At the end of the sequence A has reliably identified itself to B. A similar sequence is needed for B to identify itself to A. Typically, (as in IFF) one expects to interleave the messages of both authentication sequences.

Assume that in the authentication sequence A uses a secret key associated with itself. The reliability of the authentication depends only on the security of that key. Assume that B holds A's matching key (as well as the matching keys for all other stations to which B might talk - in practice, different keys might be assigned only to classes of stations, SAM, fighter, bomber, etc.).

1) B squawks to A, in clear, a random, unique data item, in this case the current time of day as known to B.
2) A encrypts the received time of day [this gets around the necessity of synchronization of clocks - the random number can be derived any way you like, actually] using its authentication key and sends the result in a squawk to B.
3) B decrypts A's authentication method, using A's matched key, and compares it with the time of day which B had sent.
If they match, then B is satisfied that A was the originator of the message.

This simple protocol exposes neither A nor B if the encryption algorithm is strong, since it should not be possible for a hostile to be able to deduce the key from the encoded time of day. This is true even if he knows the cleartext time of day. Further, since the authentication message changes rapidly, recording an old message and retransmitting is not effective. (end quote)

I hope this establishes that it is possible to reliably determine if someone is a friend. Use of this method will prevent hostiles from pretending to be friendly. Note, however, that it can't guarantee that someone is *not* a friend. If A's antenna gets shot off halfway through his reply, that doesn't make him an enemy. Additions to this scheme would need to be developed to deal with Den Beste constant-challenge-broadcasting missiles (maybe just not answering the second challenge from an unauthenticated source).

I'll leave it to others with experience to go into how key assignment should be done to minimize the risks when keys get captured, what the doctrine should be for handling unsuccessful IFF exchanges, etc, since this message is long enough.

Regards -- Peter
--
Cayman Systems Inc.  | peter@cayman.com
26 Landsdowne St.    | ...harvard!mit-nc!winter!pschmidt
Cambridge, MA 02139  | (617) 494-1999
                     | -- Speaking for myself.
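
The three-step exchange described in the post, as an added example that is not part of the original message or of Popek and Kline's paper. It assumes a random nonce as the challenge, SHA-256 hashing of the challenge, and unpadded textbook RSA over two constructed Mersenne primes as a stand-in for the matched keys; `Interrogator`, `respond` and `demo` are hypothetical names.

```python
import hashlib
import secrets

# Toy key pair from two Mersenne primes, constructed for this example.
# Unpadded textbook RSA with a short modulus: message flow only, not for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # B holds (N, E), A's "matching key"
D = pow(E, -1, (P - 1) * (Q - 1))        # A's secret authentication key


def _digest(challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


class Interrogator:
    """Station B: issues challenges and checks replies with A's matching key."""

    def __init__(self, n: int, e: int):
        self.n, self.e = n, e
        self.pending = set()             # challenges sent and not yet answered

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)      # step 1: random, unique item, in clear
        self.pending.add(c)
        return c

    def verify(self, challenge: bytes, reply: int) -> bool:
        if challenge not in self.pending:
            return False                 # never issued, or already answered
        self.pending.discard(challenge)  # one reply per challenge
        # step 3: undo A's transformation with the matching key and compare
        return pow(reply, self.e, self.n) == _digest(challenge)


def respond(challenge: bytes, d: int = D, n: int = N) -> int:
    """Station A, step 2: transform the received challenge with the secret key."""
    return pow(_digest(challenge), d, n)


def demo() -> dict:
    b = Interrogator(N, E)
    c1 = b.challenge()
    r1 = respond(c1)                     # anyone listening can record (c1, r1)
    genuine = b.verify(c1, r1)
    replayed = b.verify(b.challenge(), r1)   # old reply sent for a new challenge
    spurious = b.verify(b.challenge(), secrets.randbelow(N))  # made without D
    reused = b.verify(c1, r1)            # c1 was consumed, so the pair is dead
    return {"genuine": genuine, "replayed": replayed,
            "spurious": spurious, "reused": reused}
```

Only the reply computed with A's secret key for the challenge currently outstanding is accepted; the recorded reply fails against a fresh challenge, which is the replay resistance the quoted passage relies on.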