Information that is owned by, produced for or by, or is subject to the control of the United States Government and supporting agencies.
Official Information
Official information and materials are broken down into what two broad categories?
Classified and Unclassified
Information that must be safeguarded in the interest of National Defense and that of our allies.
Classified Information.
What are three classification levels assigned by the NSA to classified information?
Top Secret, Secret, and Confidential
Information and material that is expected to cause exceptionally grave damage to the national security if it were to fall into the wrong hands.
Top Secret
Top Secret information requires what degree of protection?
The highest degree of protection.
Information and material that is expected to cause a serious level of damage to national security if revealed to our enemies.
Secret
Secret information requires what degree of protection?
A substantial degree of protection.
Information and material that is expected to cause "damage" or identifiable damage to national security if revealed to our enemies.
Confidential
Confidential information requires what degree of protection?
A less stringent degree of protection.
Information that can also be official information that requires a limited degree of control and protection.
Unclassified Information
Any information that requires minimum safeguards to prevent widespread distribution to the public.
For Official Use Only (FOUO) or Sensitive but Unclassified information (SBU)
What are two examples of unclassified FOUO information?
Privacy Act and Critical Information
Information the Air Force collects and maintains that is required to accomplish a mission and requires protection from unwarranted invasion to protect your privacy. Can include SSN, name, DOB, etc.
Privacy Act
Any unclassified information providing clues in regards to US and friendly forces' activities, capabilities, intentions, or limitations that an adversary might need to gain a military, diplomatic, or technological advantage.
Critical Information (CI)
Measures and controls taken to deny unauthorized persons information derived from information systems of the United States Government related to national security and to ensure the authenticity of such information systems.
Communications Security (COMSEC)
COMSEC has been subdivided into what four manageable security programs?
Transmission Security (TRANSEC)
Cryptographic Security (CRYPTOSEC)
Emission Security (EMSEC)
Physical Security
The component of COMSEC resulting from the application of measures designed to protect transmissions from interception and exploitation by means other than cryptanalysis, or complex code-breaking techniques used to reveal encrypted information.
TRANSEC
True or False: TRANSEC techniques are used to protect or secure transmitted classified or sensitive information.
False
What are examples of authorized TRANSEC methods?
Change radio frequencies
Cancel or alter communication patterns
Implement radio silence
Use frequency hopping systems
Use directional antennas
The component of COMSEC resulting from the provision and proper use of technically sound crypto systems.
CRYPTOSEC
Provides protective measures that will deny unauthorized personnel access to classified information and intelligence that might be derived from the interception and analysis of unintentionally emitted electrical signals from systems processing classified information.
EMSEC
The part of COMSEC that results from using all physical measures necessary to safeguard COMSEC material from access by unauthorized persons.
Physical Security
The transformation of ordinary text data (plaintext) into coded form (ciphertext) and then recovering the plaintext data from its ciphertext form.
Cryptography
Cryptography relies on what two basic components?
An algorithm and a Crypto-Key.
Turning ordinary data (plaintext) into a coded form (ciphertext).
Encryption
The authorized use of cryptographic systems to return encrypted information to its original, readable form.
Decryption
The mathematical function or formula used in encryption or decryption.
Algorithm
The parameter or numeric value used in encryption and decryption.
Crypto-Key
What is another name for the Crypto-Key?
key-variable
The act or science of deciphering a code or coded message without prior knowledge of the key.
Cryptanalysis
Points in the program where people break the security provided.
Vulnerabilities
Actual or perceived actions that may cause harm to information or equipment.
Threats
The organization that approves all cryptographic systems and techniques used by or on behalf of DOD activities to encrypt classified and certain sensitive information.
The National Security Agency (NSA)
The organization that approves all techniques and systems used to encrypt unclassified sensitive information.
The National Institute of Standards and Technology (NIST)
What are the two basic types of approved cryptographic systems?
Secret-Key and Public-Key systems
What is another name for Secret-Key system?
Symmetric cryptography
System of cryptography in which the key used by the receiver to decrypt the message must be a mirror image of the key that was used to encrypt the message by the transmitter.
Secret-Key System
What are the advantages of secret-key cryptography?
It allows for a very secure means of telecommunication and is approved by the NSA for classified use.
It has the ability to achieve high encryption/decryption speeds using hi-tech crypto systems, significantly faster than public-key systems.
What are the two categories of algorithms utilized by secret-key cryptography?
Block and Stream ciphers.
Symmetric algorithms that operate by encrypting/decrypting one chunk of data at a time. The most common type of symmetric algorithm.
Block ciphers
Symmetric algorithms that encrypt/decrypt varying lengths of data in a continuous stream instead of a fixed chunk one at a time.
Stream ciphers
A stream of pseudo-random digits that are combined with plaintext to generate ciphertext in stream ciphers.
key-stream
What is the key-stream determined by?
the crypto-key
What is the problem with secret-key systems?
The key must be distributed to all sides to establish a mirror image and if it is compromised, then messages encrypted with any copies of that key can easily be decrypted.
A publicly known block cipher cryptographic algorithm that converts plaintext into ciphertext using a key that consists of 64 binary digits.
It is considered unsecure and insufficient for classified use.
Data Encryption Standard (DES)
A block cipher secret-key algorithm that implements a three-fold compound operation for encryption/decryption.
Triple Data Encryption Standard (3DES)
A previously classified symmetric encryption/decryption block cipher algorithm developed by the U.S. Government that not only encrypts the message, but also the key to the encrypted message by means of a key combined from two escrowed keys, which is itself encrypted by a "family key."
- Widely used in Fortezza card technology for voice encryption systems.
- Consists of a 64-bit codebook using an 80-bit crypto-variable session key.
SKIPJACK
The National Institute of Standards and Technology (NIST) chose the new symmetric Advanced Encryption Standard (AES) on what basis?
A combination of security, performance, efficiency and ease of implementation.
What algorithm was chosen by NIST as the new symmetric block cipher AES and is the most popular in both the commercial and government sectors?
RIJNDAEL
What's another name for Public-Key Systems?
Asymmetric cryptographic systems
System of cryptography that uses two different keys (a public-key for encryption and the private-key for decryption).
Public-key system
What is the advantage of asymmetric key cryptography?
It uses keys that are so different that it would be possible to publicize one without danger of anyone being able to derive or compute the other.
What determines the strength of an encryption device?
The larger the key length, the more possible keys there will be to search through to break the code, and the information will be more secure.
Telecommunication encryption systems have been divided into what four general applications?
Data, Voice, Bulk, and Network
Encryption systems that secure data transmission to and from various types of terminal equipment, such as desktop computers, servers, teletypes, etc.
Data Encryption
What are some hardware devices approved by the NSA for data encryption?
KG-84, KG-84A, KG-84C, and KIV-7HS
KG-84 A and C can handle data at what levels of security?
All levels of security, they will assume the classification level equal to that of the keying material used.
The KIV-7HS can handle data at what levels of security?
The KIV-7HS can provide security protection up to TOP SECRET.
What are some encryption systems commonly used to secure classified voice transmissions?
KY-57, KY-58, KY-68, and the Secure Terminal Equipment (STE)
The KY-57 and KY-58 are approved by the NSA for voice encryption up to what security level?
TOP SECRET
The KY-68 is approved by the NSA for voice encryption up to what security level?
SECRET
The U.S. Government's current, encrypted telephone communications system for wired or "landline" communications.
Secure Terminal Equipment (STE)
What are bulk encryption systems also known as?
Trunk encryption devices (TEDs)
A high-speed pipeline of aggregated frequencies created by using a device called a multiplexer to combine multiple signals from various data and/or voice sources into one T1, T3, or optical link.
A trunk.
What are some examples of TEDs (bulk encryption systems)?
KG-194, KG-194A, KIV-19 and KG-175
KG-194 and KG-194A TEDs can secure bulk traffic up to what security level?
Top Secret
A miniaturized KG-194 that is functionally equivalent and interoperable with the KG-194 and KG-194A.
KIV-19 TED
Products that protect classified data while in transit over Internet Protocol (IP) networks.
Network encryption systems
What is the most common network encryption system used in our field?
The KG-250 IP Network Encryptor
The material and information that deals with COMSEC is handled and controlled to a very high level because it involves what controlled cryptographic items (CCI)?
Keying systems, code books, cryptographic operating instructions, and other materials used to military voice and data communication systems.
COMSEC authority has been locally delegated to what three management roles, which bear the responsibility of ensuring the integrity and proper application of the program?
COMSEC Manager
COMSEC Responsible Officer (CRO)
Authorized User
Person who is usually the wing-level manager for the base COMSEC account and all COMSEC programs and materials on base as well as the local point of contact for all matters pertaining to COMSEC.
COMSEC Manager
The squadron or flight liaisons between the base COMSEC manager and authorized users.
COMSEC Responsible Officer (CRO)
What are some of the responsibilities of the CRO?
Administering the physical security procedures for his/her responsible sub-account.
Validating access to materials and training/certifying all authorized COMSEC users.
Ensuring that COMSEC users of his/her responsible sub-account have the materials (keys, manuals, equipment, etc.) needed to support mission requirements and that they are aware of all COMSEC policies and procedures in safeguarding, handling, and controlling the material.
Individual designated by the CRO to use COMSEC materials and equipment to perform his/her mission and who must safeguard these assets at all times.
COMSEC Authorized User
All questions the authorized user has regarding COMSEC policies and procedures, the safeguarding and handling of materials, and account discrepancies will be directed to whom?
The CRO
What three requirements must be verified and valid in order to be granted unrestricted (unescorted) access to areas containing COMSEC materials?
Need-to-Know
Proper Security Clearance
Proper Identification
What are two areas protected by physical security?
Controlled areas and restricted areas
Facilities containing military resources, which could be targets for theft, compromise, or destruction and to which entry must be limited in order to provide protection.
Controlled Areas
Any areas under military jurisdiction in which special security measures are employed to prevent unauthorized entry.
Restricted Areas
A restricted area, room, group of rooms, buildings, or installation where sensitive compartmented information (SCI) may be stored, used, discussed, and/or electronically processed.
Sensitive Compartmented Information Facility (SCIF)
Information that refers to protecting materials and information from unwanted access, sometimes known as a breach.
Safeguarding information
A government agency that has worked to establish standards for storage containers used to safeguard materials classified under each of the three classifications.
The General Services Administration (GSA)
Top Secret information can be stored in what class of vault?
Class "A" vault
Classification of material that must be stored in an area that is alarmed and under continuous surveillance by armed guards.
Top Secret
GSA safes and vaults securing Top Secret material must be equipped with a lock with what capability?
Dual-combo capability to ensure Two-Person Integrity
Secret material must be stored in a GSA-approved safe or what class of vault?
Class "B" vault (or Class "A" vault with TS)
What must any approved GSA container have attached to it?
A Standard Form 702, Security Container Check Sheet (SF 702)
What is the SF 702 (Standard Form 702, Security Container Check Sheet) used to record?
Who opened/closed the container
What time it was opened/closed
Who checked the container to ensure it was secured properly
How often are combinations changed for combination locks and how often for cipher locks?
Annually for combination locks
Monthly for cipher locks
When must combinations be changed immediately?
When:
a person who knows the combination no longer requires access to the container for any reason other than death.
a container certified as locked is found open.
the combination is compromised.
any repair work has been performed on the combination lock.
An access list should contain what information?
The names, social security numbers, and security clearances of only those personnel who have a sufficient need-to-know, therefore a need to access the area of information or material.
Who signs the authorized access list for an individual user's area?
The COMSEC manager or the CRO
The arrival and departure of all personnel not named on authorized access lists is recorded on what?
Visitor's Register Log or AF Form 1109
A system of storage and handling required when dealing with Top Secret information and material that is designed to prohibit individual access to certain COMSEC keying material.
Two-Person Integrity (TPI)
What are the three goals of COMSEC inventory?
Personnel should know what materials they have,
where those materials are, and
that the materials are properly protected and accounted for
Form used to record daily, shift, or local inventories of accountable COMSEC material.
AFCOMSEC Form 16
What are the four areas recorded on AFCOMSEC Form 16?
Short Title
Quantity
Edition
Registry/"Reg" Number
Used to identify the level of accountability of a particular COMSEC item.
Accounting Legend Codes (ALCs)
ALC material that must be inventoried every day the storage container is opened.
ALC-1
ALC material that is inventoried by short title and quantity rather than accounting control number.
ALC-2
ALC material that does not require inventory unless the local COMSEC Manager directs it.
ALC-4
ALC material that is reserved for Electronic Keys
ALC-6
When must you perform page checks of classified COMSEC publications?
Before initial issue to any aircrew
After a change or amendment
Prior to destruction
At the COMSEC manager's discretion
Who must ensure page checks of COMSEC publications are completed?
The COMSEC manager and CRO
How must you complete page checks?
Consulting the list of Effective & Sensitive Pages page or the document cover.
Checking that each page is exactly as described
Recording the check on the Record of Page Checks page or, if the publication has no Record of Page Checks page, on the Record of Amendments page or front cover
Annotate the date, signature, and command of the person making the check
Where do you record a page check?
On the Record of Page Checks page
The Record of Amendments page (if no Record of Page Checks page)
The front cover
What are the guidelines for making amendments of COMSEC material?
A first person must add the new pages, check the removed pages against the amendment instructions to make sure that only the obsolete pages are removed, and record the changes on the Record of Amendments page in the basic document.
A second person must check the pages of the basic document against the current list of effective pages and record the check on the Record of Page Checks page in the basic document.
What form is commonly used as a destruction certificate of COMSEC material?
(SF 153) Standard Form 153, COMSEC Destruction Report
How many people must be present before destroying COMSEC material?
Two; the individual performing the destruction and the witness
The date at which COMSEC material becomes outdated (or superseded)
The supersession date
Destruction that occurs when material is destroyed without proper authority or is destroyed before the supersession date.
Premature Destruction
Destruction that occurs when material is destroyed completely by accident.
Inadvertent Destruction
What are the three conditions of destruction that take place?
Normal, precautionary, and emergency
Destruction that occurs when classified material no longer serves a useful purpose.
Routine Destruction
What are approved methods for routine destruction for Paper COMSEC Aids?
Burning, (crosscut) shredding, and pulverizing/pulping
What are approved methods for routine destruction for non-paper COMSEC Aids?
burning, pulverizing or chopping, and chemical alteration
Destruction that is performed any time there is imminent danger of classified material being compromised when attack by an enemy force is probable.
Precautionary Destruction
Term referring to actions planned for use during various scenarios (for example, fire, evacuation, and destruction)
Emergency Action Plans (EAPs)
Classified COMSEC material to destroy in an emergency should be separated into what three categories?
Keying Material, COMSEC Documents, and Cryptographic Equipment
What are the emergency destruction priorities for keying material?
All superseded keying material will be destroyed first and then any current keying material.
What are the emergency destruction priorities for COMSEC documents?
Maintenance manuals will be destroyed first, then any other classified documents, and classified COMSEC files will be destroyed last.
What are the emergency destruction priorities for cryptographic equipment?
First destroy critical elements of the cryptographic equipment and if time permits, destroy specific cryptographic elements.
What are two methods of emergency destruction which are not suitable for routine destruction?
Sodium nitrate and thermite-incendiary devices
Determines protective measures that will deny unauthorized personnel access to classified information and intelligence that might be derived from the interception and analysis of unintentionally emitted electrical signals from systems processing classified information.
EMSEC
Unintentional intelligence-bearing signals which, if intercepted and analyzed, may disclose the information transmitted, received, handled, or otherwise processed by any information-processing equipment.
Compromising emanations
A codename referring to investigations and studies of compromising emission (CE)
TEMPEST
What is the goal of TEMPEST?
To hinder an opponent's capability to collect information about the internal data flow of communications equipment.
What is the purpose of Red/Black separation?
It requires that electrical and electronic components, equipment, and systems processing plain text information (RED) be kept separate from those that process encrypted information (BLACK).
How far should Red and Black equipment be separated?
At least 3 feet
How far should Black voice equipment be separated from Red equipment?
At least 6 feet
What is the goal of EMSEC and the RED/BLACK concept?
To control compromising emanations and protect against Electromagnetic Pulse/High-altitude Electromagnetic Pulse (EMP/HEMP) by using proper grounding, bonding, and shielding methods as well as filtering and isolation techniques to create physical, electrical and electromagnetic barriers around equipment, aircraft and facilities.
What agency must approve modifications to CCI?
The NSA
What are unauthorized (non-approved) modifications to CCI considered?
Tampering
What is done to prevent unauthorized modifications in the case of corporate or government ciphering devices?
The equipment will normally be shipped right from the production line via courier directly to the customer who will then store it under lock-and-key.
What is done to prevent unauthorized modifications in the case of a military client?
The shipment goes right from the production line to a central COMSEC depot via a special courier, where it is checked out before being issued for use in the field.