Fips Transec Module; Traffic Encryption And Decryption Keys And Key Generation - Comtech EF Data DMD1050TS Installation And Operation Manual

3.20

FIPS TRANSEC Module

The DMD1050TS FIPS Security Module provides bulk encryption and decryption of traffic over
the satellite that conforms to Security Level 2 as defined in FIPS PUB 140-2 using National
Institute of Standards and Technology (NIST) approved 256-bit Advanced Encryption Standard
(AES) encryption. Bulk Encryption includes all data coming from the baseband user ports
(baseband serial port, overhead channel port and the embedded channel). Bulk Decryption
decrypts all of the data coming from the baseband demodulator going to the baseband user ports
and the embedded channel. Bulk Encryption and Bulk Decryption are supported by independent
AES engines, AES keys and counters.
3.20.1

Traffic Encryption and Decryption Keys and Key Generation

The AES key and the initial counter value of the counter are negotiated using the key negotiation
algorithm and messages. The resulting key and initial counter value are then loaded into the AES
engine.
3.20.1.1 Key Agreement
The Encryption application has the responsibility for negotiating the TEKs used on the link. To
accomplish this, the Encryption application utilizes Initiator and Responder roles. The initiator
starts the key agreement protocol with the goal of negotiating a TEK used to encrypt the data
transmitted on the link by the initiator. The responding end responds to the messages in the key
agreement protocol, using the Traffic Decryption Key (TDK) to decrypt the data received on the
link. The Initiator is synonymous with Transmitter (modulator) of a link while Responder is
synonymous with Receiver (demodulator) of the same link.
Theory of Operation
DMD1050TS Satellite Modem Board
3–39
Revision 1
MN-DMD1050TS