Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
1Activity
0 of .
Results for:
No results containing your search query
P. 1
Net Reconstruction in Traffic Analysis

Net Reconstruction in Traffic Analysis

Ratings: (0)|Views: 3|Likes:
Published by Ken Connor

More info:

Published by: Ken Connor on May 16, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

12/04/2013

pdf

text

original

 
DOCID
3838665
C O I ~ F l a E I ~ f 1 A L
NetReconstruction-ABasicStepinTrafficAnalysis
Byl
(b)
(3)
F.L'186-36
GOltjis8'H!itil
An
explanation,for
those
unfamiliarwith
the
subject,of
the
natureofnetreconstructionand
the
techniquesnormallyused
to
accomplishit.
Communicationsintelligence
is
possiblebecauseanyorganization,particularlyamilitaryorganizationinbattle,must
carryon
rapidcommunicationsinorder
to
achieveplanned,coordinated,andeffectiveaction.Moreoften
than
not,radio
is
used;sinceradio
is
susceptible
to
interception,disguisesbecomenecessarytoconcealthecontentof
the
messagetrafficandthestructureof
the
organization;Trafficanalysisutilizesallaspectsof
the
interceptedtraffictopene
trate
thesedisguises,
toattempt
reconstructionofthecommunicationsnetwork,
andto
ascertain
the
system
of
signaloperationsinuse.Moreover,when
the
messageportionof
the
trafficissodisguisedastodenytheintelligenceofitscontentstotheintercepting
party
for
an
interminableperiodoftime,
the
roleoftrafficanalysisbecomesevenmoreimportant.Indeed,trafficanalysisbecomestheonlysourceofcommunicationsintelligenceand,insomecases,maybe
the
onlysourceof
any
intelligence.Thisis
not
torestrict
the
importanceoftrafficanalysissolelytotrafficwithunreadablemessagecryptosystems.Whencryptanalysis
is
"yielding,"
the
trafficanalystusestheresultsofhis
studyto
guideinterceptactivities,
to
fill
theintelligencegapsleft
bythe
cryptanalyticresults,andtogiveassistance
tothe
cryptanalyst.Suchassistanceincludessearchingforisologs-messagesencryptedbydifferentmethods
but
having
the
sameplain
text
so
that
aknowledgeofonesystemfurnishesacribfor
the
other-but
consistsprincipallyinascertainingwhooriginatedamessage,"where"
it
originated,and"who"
is
receiving
it
"where."Withoutthisinformationevenacompletedecryptwouldbeoflimitedvalue
toan
intelligenceexpert.Reconstructionoftheenemycommunicationssystem
may
be
consideredasabasicstepintrafficanalysis.Specifically,suchreconstructionwillyieldvaluableorder-of-battleintelligence,exposing
the
disposition,intent,
and
capabilitiesof
the
hostileforces.
Of
course,
to
31
cmmSEWV,L
pprovedforReleaseby
NSA
on
06-16-2008,OIA
Case
#
51505
 
(1)
Carthage
to
theCarthaginianSupremeHQinItaly.
(2)
CarthaginianSupreme
HQ
in
Italyto
armiesandinfantrydivisions.
(3)
Infantrydivisionsdowntoregiments.
(4)
Communicationsamongorbetweeninfantrydivisions.
(5)
CarthaginianSupremeHQin
Italy
(orArmyHQ)
to
artillerydivisions.
(6)
Communicationsamongorbetweeninfantryandartillerydivisions.
(7)
Communicationsservingthelogisticcommand,possiblyfromCarthaginianSupremeHQin
Italyto
regionallogisticcommandsand/orfromsuchregionalcommandstoarmies,infantryand/orartillerydivisionswithinsuchregions.ToattackthisMorsephase
of
theproblem,thefollowingexternalfeatures
of
CMEFI
trafficarestudied:
a.
Circular
Messages:
Messagesdestinedfortwoormoredifferentrecipients,encryptedinakeywhichtheyholdincommon.Usually,circularmessagespassfromsuperior
to
subordinate.
b.
Isowgs:
Cryptograms
in
which
the
plaintext
is
identicalornearlyidenticalwith
that
of
amessageencrypted
in
anothersystem,key,code,etc.
c.
Schedules:
Times
fixed
beforehandduringwhichlinks,groups,ornetsoperate.These
may
beconstantormay
be
set
by
one-timeprearrangement,thetime
of
eachperiodbeingannounced
at
theend
of
theonebefore.
d.
CQ
Schedule:
Themethodbywhichacontroltransmitsa
m e s ~ g e
toalloutstations
of
aradionetsimultaneously
at
apredetermmedtime.Duringa
CQ
schedule,outstationsanswer,requestservicing,andreceiptforthetransmittedmessageormessages.
e.
StationSerialNumbers(N
R's):Referencenumbersassigned
by
astationinserialorder
to
allmessages
that
it
transmits.
f.
CaU-upOrders:
Afixedsequence
of
sets
of
signals.Thesesets
of
signalsareemployed
by
aradiostationtoestablishcontactwithotherstationsand
to
prepareforthetransmission
of
traffic.
g.
Relay
Messages:
Relays,forthepurpose
of
thisdiscussion,aremessagesrequiringmorethanonetransmissiontoeffectproperdelivery,
but
carryingthe
original
enciphermentin
all
t r a ~ s ­
missionsandusuallybearingamessage
NR
fromthe
NR
seriesestablishedbetweentheoriginatorandtheaddressee.
h.Procedure
Signs:
Oneormorelettersorcharacters,orboth,
used
to
facilitatecommunication
by
conveying,inacondensedstand
ard
form,certainfrequently
used
orders,instructions,requests,
~
3 8 ' j ' E ¥ l ; ~ g R U C T l O N
acb.ievetheseresuits,
cammunicationscontinuity'
mustbemaintained
at
alltimes,
but
forthepurpose
of
thisdiscussion,letusassume
that
thishasbeendone.
Net
reconstructioncanbeillustratedbestbyapurelyfancifulexample;therefore,letus,theRomans,projectthecampaigns
of
Hannibalin
Italy
duringtheSecondPunicWarsintotheTwentiethCenturyand
attempt
to
reconstructandidentifyhiscommunications.Abody
of
traffic,interceptedfromanumber
of
interceptsitessouth
of
Rome,hasbeententativelyisolatedandidentifiedasthecommunicationsservingtheCarthaginianMilitaryExpeditionaryForcein
Italy
(CMEFI).
Thisgeneralidentificationhasbeenmade
by
associatingthecharacteristics
of
the
CMEFI
withthoseofknownCarthaginianmilitarycommunicationspreviouslyinterceptedbymeansofgeneralsearchmissions.However,beyond
this
tentativeidentification,littleisknown,fromthestand-point
of
COMINT,
of
the
CMEFI
order-of-battle,thelogisticstructuresupportingit,ortheintentions
of
Hannibalinthecampaignssuretofollow.Ithasbeenascertained
that
thisbody
of
traffic
is
composedofthefollowing:
Low-levelradiotelephone
(Voice):
Exploitablecryptanalyticallyorsentintheclear,thisvoicetrafficcontainsbasictacticalintelligenceconcerningtheactivities
of
Carthaginianinfantryunitsfromplatoon
to
regiment
size.
Voice/Morse:
Exploitablecryptanalyticallyorsentintheclear,thisvoice/Morsetrafficconsists
of
voicetransmissionsinterspersedwithmessagessentbymeansofmanuallykeyedMorse.ThistrafficcontainstacticalintelligenceconcerningCarthaginianartilleryunitsfromdivisiondown.
Morse:
Thistraffic
is,
asyet,unexploitablecryptanalyticallyandnoplaintexthasbeenintercepted.
It
is
believed
to
containintelligencestrategicinnature.Noothertype
of
signalcommunications,suchasradioprinter,hasbeeninterceptedorisknown
to
exist.LetusconcernourselveswithMorsecommunications.Onthebasis
of
whatisknownaboutCarthaginianlow-levelradiotelephoneandvoice/Morse,
we
mayassume,
by
theprocess
of
elimination,
that
Morsecommunicationsservethefollowing:
,
In
trafficanalysis,communicationscontinuitymay
be
definedas
the
equationof
callsigns,
frequencies,schedules,andothervariableelementsassignedtoagivenradiostation,
link,
or
net
beforeandafterachange.Foradetailedexplanation
see
I
1··ChatterPattems:'NS4
..
r ~ " " ; c a l J o u r n a l ,
Vol
II,
No.4,
pp.
63
and64.
.
...
····················1
__
CmlflQHlllAb
~ e e l ~ f I B E l o 4 T l " ' L
32
33
COUfIBEl04ltAL
 
COI<lfleW:F1,A,L
NR
2314
GP
150
A2B
31M1014M30
BT,
whichmeans,"Thisisthe314thcircularmessage(sentthismonth);
it
contains150groups,hasa
Routine
(A2B)
precedence,andwasfiledfortransmission
at
mymessagecenteron
31
October
at
1430.".
(Note:
BT
means
"break"
orend-of-preambleandtheMisusedasaseparator).Afterreceipt
and
acknowledgmentofthismessage,eachofthefouroutstationsreencryptsandtransmits
it
to
its
outstations,maintainingtheoriginal
NR
inaddition
to
itsown
NR
series.Eachofthesefouroutstations,incommunicatingwithitssubordinatestations,becomesineffectacontrolofitsownnet(andas
part
of
that
net
hasadifferentcallsign).
As
control
it
maychoosetoretransmitthecircularmessagereceivedeithertoeachofitssubordinatestationsseparately,or,
by
meansofaseparateschedule,toallofitsoutstationssimultaneously.Letusassume
the
StandingSignalInstructionscallforapoint-to-pointtransmission.Thereencryptedandretransmittedmessagewouldbcarthetypicalpreamble,
NR
32/2314
GP
150
A2B
31MIO
16M15
HAN
BT,
whichmeans,"This
is
the32ndmessagesenttothisparticularstationonthisday.
It
wasreceivedasacircularmessage
NR
2314(the314th
sent
thismonth);
it
contains150groups,hasa
Routine
(A2B)
precedence,wasreceived
at
my
messagecenteron
31
October
at
1615,havingbeenrelayedfromCarthaginianSupreme
HQ
in
Italy
(asexpressed
by
thetrigraph
HAN)."
Previousanalysishasrevealed
that
Stations
Band
Chavethreeoutstationseach,StationDhassix,andStationEhastwo.Thus,thecloseassociation
and
relativesubordinationamongthesefivenets,whichpreviouslyseemedunrelated,
may
now
be
assumed.
As
illustratedin
the
exampleabove,thisassumption
is
basedon:
(1)
Theusageofcircularmessages,suchas
NR
2314fromStationAretransmittedeventuallytoOutstation1;
(2)
theincidenceofisologs
(i.
e.,
NR
2314isthesamemessage
text
as
NR
32/2314althoughthelatterhasbeenre-encrypted,andretransmittedtoOutstation1);
(3)
analysisoftheschedulesused
by
StationA(thescheduleswereintermeshedand
no
conflictswereevident);
(4)
thetimedifferences
(1430
fromStationAand1615fromtherecipienttohisoutstation);
(5)
theuse
of
NR's:afour-digit
NR
forcircularmessages
by
Station
A,
aone-up
NR
forpoint-to-pointtransmissions,andasplitNR,32/2314,fortheretransmittedcircularmessage;
(6)
the
peculiar
Al
group
AAAAA
.
(b)(
3)
P;L.·8
6:::36
OUTSTATIONS
CQ
StationAtoBCDESchedule
0600
0700080009001000120013001400150016001800190020002100Duringthese
CQ
schedules
at
1000
and
1600,themessagetrafficbearsthepeculiar
Al
(orfirsttextual)groupof
AAAAA
andusesaunique
NR
pattern
(2000
series),whereaspoint-to-pointcommunicationsutilizea"one-up"(1,2,3,4""etc)daily
NR
series
to
eachoutstationfromControl.Forexample:thecallsignforStationAon
31
Octoberhasbeenidentifiedas
PXLA.
Thecallsignsfortheoutstationson
31
Octoberhavebeenidentifiedas:OutstationB:
BPMC
OutstationC:
DGRD
Outstation
D:
SNTC
Outstation
E:
MCPL
Acircularmessagepassedduringoneofthesetwoschedulesbearsthetypicalpreamble,Thus,forthesetwo
CQ
scheduleson
31
October,thecall-upis,
BPMC
DGRD
SNTC
MCPL
DE
PXLA.
'See
L.D.Callimahos,
"Introductionto
TrafficAnalysis,"
NSA
TechnicalJournal,
Vol.
III,No.2,
p.
6.
~
3 8 ~ E r ~ ~ ~ R U C T I O N
andiniormationreiated
to
communications.
2
Proceduresignsarenormallyfoundinchatterbetweenoperatorsandarenotconsideredasmessages.
i.
CaUsigns:
Groupsofletters,numbers,orboth,servingasameansofidentificationforatelecommunicationsstation(orstations)whenstationsareestablishingandmaintainingcontactwitheachother.
It
is
ob,;erved
that
astation(StationA),located
by
meansofdirectionfinding(D/F)
in
theFlorencearea,sendscircularmessages
to
fouroutstationstwicedailyon
CQ
schedules.This
is
ascertained
by
meansofscheduleanalysis,call-ups,andmessagepreambles.Ascheduleanalysisreveals
that
StationAmaintainsstrictpoint-topointcontactwitheach
of
itsfouroutstationsinadefinitecall-uporderasfollows:
...
CONFleENlll'lL
3435
eOtm9EtHIAL

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->