Does IFF-ing a bandit give away your own stealthiness in any way?


Posted
6 hours ago, GGTharos said:

 

It would look like this:  Clocks are reasonably precise onboard the aircraft.  They will be hacked on the ground and in the air they can be hacked still using GPS.   You don't have to imagine it, it's something that has been done for decades.  The methods, distribution of keys and other fun things have been figured out in terms of logistics as well a long time ago.

 

You don't have to imagine it, it's something that's simply done.

 

Any documentation supporting this? Would be great to find an answer to my questions I guess. I am very skeptical about taking "just trust me on this one" answers, not because of lack of trust or anything, but simply 'cause I prefer the "teach me how to fish" approach.

Cmptohocah=CMPTOHOCAH 😉

Posted
6 hours ago, Frederf said:

Mode 3/A can do ranging. It's a call and response just like TACAN. Speed of light, time, distance.

Ok this makes sense. So I guess all friendly transponders need to send an answer with uniform latency in order for the distance to be properly calculated.

 

6 hours ago, Frederf said:

 

The F-16 AIFF system for example makes no attempt to correlate FCR and transponder returns. Both are displayed on the same display simultaneously but it is the pilot's judgment which interrogations belong to which radar targets.

 


What does this look like from the pilot's perspective? Are the contacts positioned by their radial position? I am trying to visualize it, but can't really manage to do so. What does FCR stand for?

Cmptohocah=CMPTOHOCAH 😉

Posted (edited)

Yup, IFF gear is calibrated to respond with a universal delay which factors into the calculation.

 

Fire control radar (FCR) or simply the radar. It's a "B" scope which is common to air-to-air fighter radar displays in F-18, F-15, F-16, F-5, etc. Every horizontal position corresponds to an azimuth and every vertical position corresponds to a range. Thus the bottom edge of the screen represents all azimuth at zero range, i.e. the nose of your airplane is smeared out over the whole bottom line.

 

The IFF returns are displayed exactly the same as primary radar contacts positionally, azimuth and range. In a perfect world they would be displayed exactly on top of each other.

image.png

That's a B-52, just a plain normal radar contact, the white square and the little line below it showing that it has some positive radial velocity. He's directly ahead slightly less than 80nm range.

image.png

And that's after a M4 interrogation and reply. The green circle with the "4" in the middle is the IFF return. When DCS models it, all modes can be interrogated. The display would cycle M4, M3, M2, M1 symbols every second or so. You can pick what modes and codes you scan and target may respond to all, none, or some.

image.png

Now I've moved the radar aimed below the B-52 so primary radar can't see it (he's 30kft alt) and scanned again. The AIFF antennas are separate with a different pattern than the radar so it's possible to interrogate things the radar can't see (or radar is off).

 

The AIFF antennas and post-processing are not infinitely precise, especially above/below the nose but also left and right, and perfect overlay of IFF responses with radar targets should not be expected. Usually the symbols are at least touching but could have as much as 1-2 symbol size gaps separating them.

Edited by Frederf
  • Thanks 3
Posted
16 hours ago, Cmptohocah said:

Any documentation supporting this? Would be great to find an answer to my questions I guess. I am very skeptical about taking "just trust me on this one" answers, not because of lack of trust or anything, but simply 'cause I prefer the "teach me how to fish" approach.

 

Nope, you don't need to trust me on this one.  I have no direct links to share and no time to look for them right now, but you will certainly be able to find information to make the inference for this.

 

* Clocks are synced for coordinating attacks, and being precisely on time is a valued skill

* There are described or written procedures for changing the IFF keys every day.

 

So you may want to look into this sort of thing by searching for IFF key change procedures, aircraft clock sync and possibly the USAF PKI infrastructure.  The IFF key is crypto so it would fall under crypto distribution I believe.

Reminder: SAM = Speed Bump :D

I used to play flight sims like you, but then I took a slammer to the knee - Yoda

  • 2 weeks later...
Posted (edited)
On 9/22/2021 at 3:44 PM, GGTharos said:

So you may want to look into this sort of thing by searching for IFF key change procedures, aircraft clock sync and possibly the USAF PKI infrastructure.  The IFF key is crypto so it would fall under crypto distribution I believe.

Please be careful when using terms such as PKI, which stands for public key infrastructure. I firmly believe we are not talking about PKI here, but rather about some system based on preshared keys.

 

In general crypto systems are divided into 2 major groups:

- symmetric crypto systems, e.g. DES, 3DES, AES

- asymmetric crypto systems, e.g. RSA

 

Both have pros and cons, and are often combined (e.g. the https link here indicates TLS being used, with asymmetric keys being used to derive session keys for a symmetric algorithm which is actually used to encrypt the content).

 

Asymmetric systems typically eliminate the need to exchange the keying material, except for the common trust anchor. However, the main operating principle is to have 2 independent keys (a public one, which can be shared publicly and which others use to encrypt messages sent to you, and a private one, kept for yourself, which allows you to decrypt incoming messages), where it is assumed that it is computationally difficult to derive the private key from the public one. The problem with this is that these systems typically do not have a formal proof of correctness. E.g. in the case of RSA it was never proved that it is actually a safe algorithm. Practice has shown that there are keys considered vulnerable, where it is possible to calculate the private key with relative ease. Therefore it can be assumed that sooner or later someone will find (or has already found) the method to do this for just about any key pair. Obviously such knowledge will not be shared, for obvious reasons.

 

While this still works nicely for internet and banks (as balance of convenience vs security), it is totally unacceptable for the military purposes.

 

The only proved crypto system considered safe is the one-time pad (note quantum computing may change this in many ways), where you have to ensure that the keying material is fully random, that it is as long as the message itself, and that it is not reused with a different clear text. Clearly this complicates N-N communication, and while the crypto system may be safe, the keying material can be compromised.

 

Typically symmetric systems will be used with a key schedule providing the frequency at which the stored keys are applied (I am not talking about key distribution, but rather about key scheduling).

 

Furthermore, the need for N:N validation means that these keys are provided to all participants. Note that the same shared key can be used in the process called key diversification to have a different key for each pair in communication.

 

The following link gives some glimpse into the actual reality (I stopped at providing my own details to obtain the brochure):

 

https://www.thalesgroup.com/en/markets/defence-and-security/radio-communications/land-communications/IFF-Crypto-Components

 

You will notice a description of 3 devices:

1. Cryptographic Computer. I gather this device is what goes into the airplane. It is likely it also offers some key protection in case of attempts of key extraction

2. Electronic Transfer Device: basically used to transfer the already prepared keying material in "secure" out-of-band way

3. Key Generation System: I gather this is the central component of this crypto system. No. 2s are used to distribute keys to a number of No. 1s

 

Note about distribution: in reality it may not be possible to do this every day for various reasons (e.g. unit was cut off, links down/jammed, etc), therefore the system is likely based on generation of keys in advance for a given time.

 

Bottom line: every crypto system can be compromised one way or another. When this happens the remaining part is trivial.

Edited by okopanja
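The key scheduling and key diversification described in the post above, as an added example that is not part of the original post and is not the real IFF algorithm: HMAC-SHA256 stands in for the unspecified cipher, and the one-day period, the function names and the platform IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

PERIOD = timedelta(days=1)  # assumed validity period of each stored key

def generate_schedule(start, periods):
    """Key generation side: random keys prepared in advance, one per day."""
    return {(start + i * PERIOD).date().isoformat(): os.urandom(32)
            for i in range(periods)}

def key_for(schedule, now):
    """Key scheduling: the synchronised clock selects which stored key applies."""
    return schedule[now.date().isoformat()]

def diversify(period_key, id_a, id_b):
    """Key diversification: a distinct key per pair, derived from the shared key."""
    pair = b"|".join(sorted([id_a, id_b]))
    return hmac.new(period_key, b"pair-key|" + pair, hashlib.sha256).digest()

def respond(schedule, now, me, peer, challenge):
    """Transponder side: answer a random challenge under today's pair key."""
    pair_key = diversify(key_for(schedule, now), me, peer)
    return hmac.new(pair_key, challenge, hashlib.sha256).digest()

def verify(schedule, now, me, peer, challenge, reply):
    """Interrogator side: recompute the answer and compare in constant time."""
    return hmac.compare_digest(respond(schedule, now, me, peer, challenge), reply)

if __name__ == "__main__":
    start = datetime(2021, 9, 22, tzinfo=timezone.utc)   # constructed date
    schedule = generate_schedule(start, periods=7)       # a week loaded in advance
    challenge = os.urandom(16)
    reply = respond(schedule, start + timedelta(hours=5), b"VIPER-1", b"EAGLE-2", challenge)
    # Same day on both clocks: the reply verifies.
    print(verify(schedule, start + timedelta(hours=6), b"EAGLE-2", b"VIPER-1", challenge, reply))
    # Interrogator clock already on the next day's key: the same reply is rejected.
    print(verify(schedule, start + timedelta(days=1), b"EAGLE-2", b"VIPER-1", challenge, reply))
```

A reply only verifies when both sides hold the same stored key and agree on the current period, which is why clock sync and advance key loading both matter.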
Posted (edited)
On 9/21/2021 at 9:39 AM, Frederf said:

Civ ATC systems call the radar the primary and the transponder the secondary. The secondary surveillance radar is similar to a primary radar but it only works with transponders. Both primary and SSR get positional plots. Transponder can be resolved in both azimuth and range. At the moment of transponder reply the antenna is pointed in a direction = azimuth. Time round trip = range. Correlation is accomplished automatically or manually and works well on Mode A systems.

 

Mode C or S data is nice but not required.

Actually Primary and Secondary are different types of RADAR.

 

Primary is the traditional form of radar where the signal is bounced off the target. In your jet this is the RWS/TWS etc. In ATC this is known as a PSR (Primary Surveillance RADAR).

 

Secondary is the system that requires an active response, i.e. the interrogator and the transponder. In your jet this is the IFF. In ATC it is known as SSR (secondary surveillance RADAR). The SSR is the RADAR head, whereas the Transponder is the aircraft's component.

 

A surveillance RADAR is one that has a wide (normally 360deg) but relatively slow scan rate, and can be PSR or SSR (often with both colocated). An attack RADAR is a form of primary radar but often has a secondary interrogator added to use as IFF.

 

Azimuth for both types is gained from where the head is pointing when the reflection/response is received. 

Distance is gained for both as a calculation of the round trip time for the reflection/response. It is possible to spoof an increased distance with secondary by introducing a delay to the response time.

 

SSR does not normally return an altitude. Primary attack RADARs get altitude by using lobe interference and scan bars. PSR get altitude by the Mode 3C/S return.

 

Secondary/IFF modes are:

       1 and 2. Military use only. Numbers to be set will be in the ATO.

       3 ATC (both civil and military). 3A returns a four digit ID only. 3C returns a four digit ID plus barometric altitude. This is a pressure altitude and the SSR display needs to correct for QNH. 3C has been the standard for several decades.

       S ATC (both civil and military but mostly civil). Returns an aircraft ID and a lot of information from the aircraft FMS. This includes bank angle, autopilot settings, current altitude, IAS, TAS and a whole lot more...

       4 and 5. Military use only. Can be used for challenge and response by Anti Air weapon systems.

 

To answer the original question. SSR/IFF is transmitted on 1030MHz and the response is transmitted on 1090MHz so yes it can be detected. (Some militaries can vary these freqs.)

Edited by Ourorborus
  • Like 1
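The ranging and correlation discussed in this thread, as an added example that is not part of any post: range is computed from the round-trip time minus the fixed transponder delay, and each reply is checked against primary radar plots so that a delayed response shows up as a range mismatch. The 3 µs delay, the gate sizes, the function names and the sample plots are assumptions constructed for illustration.

```python
C_M_PER_US = 299.792458   # speed of light in metres per microsecond
NM = 1852.0               # metres per nautical mile
REPLY_DELAY_US = 3.0      # assumed calibrated transponder reply delay

def ssr_range_nm(round_trip_us, delay_us=REPLY_DELAY_US):
    """Range from interrogation-to-reply time after removing the fixed delay."""
    return (round_trip_us - delay_us) * C_M_PER_US / 2 / NM

def round_trip_us(range_nm, extra_delay_us=0.0):
    """Build a constructed sample: the reply time seen for a target at range_nm."""
    return 2 * range_nm * NM / C_M_PER_US + REPLY_DELAY_US + extra_delay_us

def correlate(primary, replies, az_gate_deg=3.0, rng_gate_nm=2.0):
    """Pair each secondary reply with the closest primary plot in the azimuth gate.

    primary: [(azimuth_deg, range_nm)], replies: [(azimuth_deg, round_trip_us)].
    Azimuths are B-scope angles off the nose, so no 360-degree wrap is handled.
    """
    results = []
    for az, rt_us in replies:
        rng = ssr_range_nm(rt_us)
        near = [p for p in primary if abs(p[0] - az) <= az_gate_deg]
        if not near:
            # Reply without a radar plot, e.g. radar aimed elsewhere or off.
            results.append({"az": az, "range_nm": rng, "status": "no_primary"})
            continue
        best = min(near, key=lambda p: abs(p[1] - rng))
        diff = rng - best[1]
        status = "correlated" if abs(diff) <= rng_gate_nm else "range_mismatch"
        results.append({"az": az, "range_nm": rng, "status": status, "diff_nm": diff})
    return results

if __name__ == "__main__":
    primary = [(0.0, 78.0), (-20.0, 40.0)]       # constructed radar plots
    replies = [
        (0.5, round_trip_us(78.0)),              # honest reply, overlays the plot
        (-19.0, round_trip_us(40.0, 100.0)),     # reply held back by 100 us
        (35.0, round_trip_us(55.0)),             # nothing on primary at this azimuth
    ]
    for row in correlate(primary, replies):
        print(row)
```

An added delay can only push the secondary range outward, so a reply sitting well beyond the primary plot on the same azimuth is the case worth flagging.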