**********************************************************************
DDN MGT Bulletin 69              DCA DDN Defense Communications System
16 Mar 90                        Published by: DDN Network Info Center
                                    (NIC@NIC.DDN.MIL)   (800) 235-3155

                        DEFENSE DATA NETWORK
                         MANAGEMENT BULLETIN

The DDN MANAGEMENT BULLETIN is distributed online by the DDN Network
Information Center under DCA contract as a means of communicating
official policy, procedures and other information of concern to
management personnel at DDN facilities. Back issues may be read
through the TACNEWS server ("@n" command at the TAC) or may be
obtained by FTP (or Kermit) from the NIC.DDN.MIL host [26.0.0.73]
using login="anonymous" and password="guest". The pathname for
bulletins is DDN-NEWS:DDN-MGT-BULLETIN-nn.TXT (where "nn" is the
bulletin number).
**********************************************************************

       Improved Key Management for DDN KG-84A Secured Circuits

1. The following information was transmitted to a wide variety of
addressees in a Military (AUTODIN) message form. To ensure widest
possible dissemination of the information, it is being distributed in
this DDN Management Bulletin as well.

2. The Defense Communications Agency (DCA) is constantly looking for
ways to improve the Defense Data Network (DDN) and reduce any burdens
on the Node Site Coordinators (NSCs) and the Host Administrators
(HAs). Since release of the Joint Staff mandate to provide encryption
devices on all our trunks and host access lines, we have been
extremely concerned with the current method of doing daily crypto key
changes or updates in the DDN networks. The existing procedures for
changing or updating the communications security (COMSEC) key are
burdensome, time consuming, and manpower intensive. The whole process
is underscored by the extensive circuit downtimes that are attributed
to key management. However, there are two relatively new ways of
doing key changes or updates that vastly improve on existing
procedures. One method uses Over-the-Air Rekey (OTAR) and the other
uses the DCA-procured Enhanced Fixed Plant Adapter (EFPA).

3. The first method takes advantage of recent National Security
Agency (NSA) changes to COMSEC key management doctrine and policy.
These changes permit additional keying options and provide new
procedures for performing daily key changes or updates. The doctrinal
changes take advantage of features in the KG-84A that permit
"Over-the-Air Rekey" or OTAR for short. OTAR has been applied in
other networks and tested at selected sites in the DDN. It has proven
to be effective and efficient. DCA supports and encourages the use of
OTAR on DDN circuits.

3. The second method of doing key management requires the
DCA-procured EFPA. DCA will select some Packet Switching Nodes (PSNs)
to install the DCA-procured EFPA in support of key update functions.
PSNs selected for EFPA installation will be contacted at a later date
and provided all the particulars. In the meantime, DCA recommends
OTAR implementation since it will not impact on site selection for
EFPA installation.

4. DCA will be providing you additional guidance and information
describing OTAR and on how to apply it on your DDN circuit. We must
emphasize the word "guidance" because COMSEC key management
responsibility and authority rests with the COMSEC Controlling
Authority (CCA) of the key. It is for this reason that we strongly
encourage all NSCs, HAs, and Remote TAC Custodians to contact their
local COMSEC Custodian (or provider of the key) to discuss all the
guidance and information that we are going to provide you. In some
instances, you will find that the COMSEC Custodian already knows
about OTAR.

5. Agency and Service Points of Contact (POCs) are:

   A. DCA - Mr. Carlos Castro, Code: DDOS, DSN: 356-5032,
      Comml: (703) 285-5032, email: CASTROC@IMO-UVAX.DCA.MIL;

   B. NSA - Mr. Joseph W. Maguire, Code: S13T,
      DSN/STU-III: 235-6098, Comml: (301) 688-6098;

   C. Navy - Mr. Charles L. Latimer, Code: COMNAVTELCOM/N322C,
      DSN: 292-0400, Comml: (202) 282-0400;

   D. Air Force - MSgt Gary H. Wigner, Code: AFCC/DSSC,
      DSN: 576-3451, Comml: (618) 256-3451.

   E. Army - CDRUSAISC/ASOP-OI, Fort Huachuca, AZ 85613-5300,
      DSN: 879-8084.