KLMS - Key Loading Management System

The system component Key Loading Management System (KLMS) is a key management system that enables flexible preparation of crypto material for various platforms and crypto hosts. KLMS is extendable to additional crypto hosts by using key header templates as well as to new platform types.

The system can provide both bulk and single-key preparation and comprises the high security embedded devices Key Processing Entity (KPE III) and Data Transfer Device (DTD II), as well as a robust laptop and a printer. Various Onboard Crypto Management Units (OCMUs) with different key safes can be supported on demand.

For key management services concerning generation, distribution, loading and Public Key Infrastructures (PKI) features please refer to our Cybels Key Management Centre Defence (Cybels KMC Defence) solutions.

© Thales

• Preparation of crypto material based on defined key header templates for dedicated crypto hosts delivered by the DTD II
• Bulk generation for various platforms equipped with an OCMU such as Automatic Crypto Variable Management Unit (ACVMU) for helicopters and Centralized Crypto Management Unit (CCMU) for aircrafts
• Bulk encryption capabilities for confidential transport of mission data structures to related platforms
• Secured hardware based crypto material storage
• Role based user management
• Mission based key management
• Crypto material lifetime limitation and revocation
• Audits and notifications
• Archiving and backup
• Flexible offline crypto material
• Modular software architecture in terms of core functions, user interface, editors
• Two-factor authentication based on passwords and KPE II Crypto Ignition Key (CIK) adaptable to new standards

• Imports crypto material from DTD or DVD
• Stores crypto material encrypted by KPE II
• Assigns validity to crypto material segments
• Assembles crypto key segments according to mission scenarios and checks their availability in KLMS
• Prepares crypto material segments with crypto host specific header data
• Exports prepared crypto material segments to DTD II for direct loading - single port loading, or for different OCMU types - bulk format
• Imports, views and archives, OCMU accountings or DTD II audits
• Security features such as role-based user access, audit of key operations and service updates
• Hardened platform in accordance with the basic protection catalogue of the German Federal Office for Information Security (BSI)

© Thales

Ports

• FILL port  for crypto hosts

• Power supply port with 12 Volt DC 150mA

• Power supply port with 9 Volt DC 150mA

• Optical control connector providing 1 Gbit/s LAN, LC-Connector

• Crypto Ignition Key (CIK) slot for removable user access token

Protocols

• DS-101 crypto material transfer, in accordance with EKMS 308 Rev F
• DS-102 Common Fill Device Interface (CFDI), in accordance with EKMS 308 Rev F
• RS-232 crypto host loading, in accordance with EKMS 603

Human-Machine Interface (HMI)

• Simplified status display
• Battery status indicator
• Keypad: 43 keys
• Display: 6 x 20 characters

*Exemplary for the KPE III and DTD II

© Thales

Classification

• NATO Cosmic Top Secret
• STRENG GEHEIM (German Federal Office for Information Security (BSI))

Accredited to

• TEMPEST: SDIP 27 Level A
• COMSEC: ZDv A-960/1, BSI-Grundschutz, IT-Grundschutzerweiterung Bundeswehr
• BSI-VSA-10420

Export limitations

• Controlled Cryptographic Item (CCI)

Operational security

• Removable user access token, Crypto Ignition Key (CIK)
• Role privileges for user, administrator and maintenance
• Enhanced security measures
• Tamper protection and detection
• Emergency erasure (zeroization)

*Exemplary for the KPE III and DTD II

• Crypto Material Generation (ESE)
• Crypto Material Distribution and Management (VESUV)
• Key Processing Entity (KPE III)
• Data Transfer Device (DTD II)
• Onboard Crypto Management Unit (OCMU)