Part III: Army Key Management System

Army Communicator, Summer, 2006 by Allen Walton

Currently, electronic key management is provided by the Electronic Key Management System (EKMS), a Department of Defense initiative operated by the National Security Agency that was developed to enhance security and modernize the management and distribution of communications security (COMSEC) material. EKMS provides an integrated end-to-end key management, COMSEC material generation and distribution, and logistics support capability for the DoD and civil agencies. The EKMS is a distributed system developed and deployed in multiple tiers using a multi-phased approach. The Army's implementation of the EKMS is through the AKMS program.

AKMS Operational Requirements Document

A DA Form 2028 was submitted in July 2005 to clarify requirements for the AKMS to support benign fill and black key processing. The ORD was approved by the Army Requirements Oversight Council and is pending Joint Certification. The TSM office continues working with all the program managers to capture key management requirements and ensure that these requirements will be supported by AKMS, the planned Key Management Initiative, or both.

System Subcomponents:

Simple Key Loader

The AN/PYQ-10 SKL is a mission essential system that provides the Army communications network planner and end user with the means to handle, view, manage, store and load Signal Operating Instructions/Electronic Protection data, and COMSEC keys. The SKL replaces the AN/CYZ-10 within the AKMS. The SKL fielding is currently ongoing IAW the CY06 fielding schedule. The SKL is designed to complement the functionality of workstation products from ACES, LMD, and Key Processors.

Automated Communications Engineering Software

The PdM NETOPS-CF has completed the certification of the new ACES workstations with version 1.7 software. Approximately 520 workstations have been purchased and a fielding plan has been initiated. The PM is also developing ACES version 1.8 software which adds the following capabilities: Black Key Load, Word of the Day, Identification Friend or Foe, Key Tag Screen, GP Module Name, Simplify GP HMI, GP New Equipment Support, and Master Net List General Net Key Tags.

Local COMSEC Management Software

Since the last update, the Army has fielded 368 new workstations with LCMS version 4.0.3.2 software. LCMS software version 5.1 will be fielded when available but still needs to complete government testing (the Army will not field LCMS version 5.0 except to pilot accounts). The anticipated release date is late 2006. The new workstations support the following new applications:

* LCMS upgrades version 5.1

* Common User Application Software version 5.1

* Card Loader User Application Software

The LCMS version 5.1 software provides the following capabilities:

* Multi-User/Single accounts

* Increased account line item capacity for a Single User account

* Virtual Private Network Capability

* Incorporates Audit Reduction Analysis tool

The transition plan is to use LCMS pilot accounts to evaluate VPN and LCMS version 5.0. The Communications Security Logistics Activity (CSLA) will conduct a traffic analysis to determine the VPN/INE requirement for the long-term transition to version 5.1. CSLA will use the existing Authority to Operate and Defense Information Systems Agency authorization and documentation for connection to SIPRNET in support of the pilot study.

LCMS 5.1 will not be released without the simultaneous release of CUAS 5.1. CUAS 5.1 will be bundled (for distribution) with LCMS 5.1 but must be separately installed. Once LCMS 5.1 is released, there will be a yearly patch until the transition to KMI. No other versions are planned to be developed.

Key Management Infrastructure

The DoD Global Information Grid and Cryptographic Modernization will require that many End Cryptographic Units be able to autonomously request key updates or re-keying over Internet Protocol networks to support real-time operations, or receive software and crypto algorithm updates over those networks.

Future military systems will also require an infrastructure that can create and distribute many more keys than the EKMS infrastructure can handle. The technology of EKMS systems is at least two generations behind current technology, which makes it difficult and expensive to improve, or to implement new requirements. To overcome these capability gaps, EKMS/AKMS (LMD/KP) will begin a transition to the Department of Defense Key Management Infrastructure beginning in the FY 2008 timeframe. These two systems will co-exist as parallel systems with the actual transition from EKMS components to KMI components occurring beyond the FY 2008-2011 timeframe.

EKMS/AKMS also cannot support newer, more sophisticated security measures, such as the new signature and key exchange algorithms needed to support planned improvements in crypto algorithms. CI-2 is the first increment for KMI and is projected to begin deployment in late FY 2008 with a projected Full Operational Capability of May 2011.

In preparation for the migration from EKMS to KMI, NSA (I5) is hosting KMI transition meetings to help the user community map the transition from the EKMS to the future KMI system. The purpose of these meetings is to begin to validate roles and work toward joint agreement on consolidation of roles. After an overview of the effort, each Service group has worked independently to identify EKMS tasks and determine which KMI role would be responsible for performing each function. The hoped-for eventual outcome is to be able to combine roles where possible and to have identified capability gaps in the transition from EKMS to KMI. The final product is to be provided to a contractor to finalize the system.

Content provided in partnership with Thompson Gale