MPM-1000A Operator Manual
1000-7075 Rev E
15.2 Key Establishment
Modem NCW seed keys are provided by the Army Key Management System (AKMS),
or other authorized Government key generation facility.
At the seed key generating location (AKMS workstation), a random Message Seed Key
(MSK) is generated using a cryptographically strong randomizer. The MSK is
unclassified but sensitive, and therefore must be distributed to the Modem Terminals
using secure channels. An unclassified but sensitive TRANSEC Passphrase must also
be provided to the Modem Terminal operator. The TRANSEC Passphrase may be any
word or phrase consisting of at least ten but not more than 32 alphanumeric characters.
At the Modem Terminals, you enter the MSK along with the TRANSEC Passphrase.
MSKs may be manually entered into a network Terminal or received over-the-air using
the network OTAR protocol. If manually entered, the MSK may be loaded onto the
Modem control computer using the keyboard, a USB flash device, a CD-ROM or a
compatible key fill device.
Once loaded, the MSK and TRANSEC Passphrase are both applied to the Key
Derivation Function (KDF) defined in Linkabit document 1000-7124 to produce 32
operational TRANSEC keys, herein referred to as Message Encryption Keys (MEKs).
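The derivation step described above, sketched as an added example: this is not code from the manual and not the KDF defined in Linkabit document 1000-7124, which is not reproduced here. It substitutes HKDF-SHA256 (RFC 5869) as a stand-in; the 256-bit key size, the minimum seed length, the `MEK` label and the reading of "alphanumeric" as ASCII letters and digits are assumptions.

```python
import hashlib
import hmac
import re

MEK_COUNT = 32   # from the manual: the KDF produces 32 MEKs
MEK_LEN = 32     # assumption: 256-bit keys; the manual gives no key size
# Manual: 10 to 32 alphanumeric characters (assumed here to mean ASCII letters and digits).
PASSPHRASE_RE = re.compile(r"[A-Za-z0-9]{10,32}")


def validate_passphrase(passphrase: str) -> None:
    """Reject passphrases outside the manual's length and character rules."""
    if not PASSPHRASE_RE.fullmatch(passphrase):
        raise ValueError("passphrase must be 10-32 alphanumeric characters")


def derive_meks(msk: bytes, passphrase: str) -> list:
    """Stand-in derivation: HKDF-SHA256 with one expand step per key index."""
    validate_passphrase(passphrase)
    if len(msk) < 16:
        # Assumption: minimum seed length chosen for this sketch only.
        raise ValueError("seed key too short")
    # HKDF-Extract: the passphrase acts as salt, the MSK as input keying material.
    prk = hmac.new(passphrase.encode("ascii"), msk, hashlib.sha256).digest()
    meks = []
    for index in range(MEK_COUNT):
        info = b"MEK" + bytes([index])  # hypothetical per-key label
        # HKDF-Expand, first block only: MEK_LEN equals the SHA-256 output size.
        okm = hmac.new(prk, info + b"\x01", hashlib.sha256).digest()
        meks.append(okm[:MEK_LEN])
    return meks


if __name__ == "__main__":
    seed = bytes(range(32))  # constructed sample seed, not a real MSK
    keys = derive_meks(seed, "Constructed123")
    print(len(keys), "keys derived, all distinct:", len(set(keys)) == MEK_COUNT)
```

Both inputs feed every derived key, so a terminal holding the right MSK but the wrong passphrase ends up with 32 keys that match none of the network's.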
15.3 Access Control
The Modem employs the Secure Shell (SSH) cryptographic network security protocol to
communicate security-sensitive commands and parameters from the control computer
to the Modem Controller (MC) CCA within the Modem chassis. SSH is a client/server
protocol. In the Modem system, the SSH client resides in the control computer and the
SSH server resides in the MC, as shown in Figure 15-2, SSH Network Connection.
The NCW Message Seed Key and TRANSEC Passphrase are entered into the Modem
Terminal at the control computer. Both parameters are sensitive-but-unclassified and
are transported across the Ethernet link using the SSH protocol.
In addition to the two (2) keying parameters, the SSH connection transports the
following security-sensitive operator commands from the control computer to the
Modem:
MSK Notification Command
Over-The-Air Zeroize Command