Secure Systems Trusted Interface Unit
Fiber Optic and AUI Trusted Interface Units
Note: Only organizations with active NSA COMSEC(1) accounts can purchase, handle, and use the Wang TIU and its keying material.

The Wang Trusted Interface Unit (TIU) is a high-performance 802.3/Ethernet local area network (LAN) data encryption product. It is capable of encrypting DTE device data frames up to 1518 bytes in length. The TIU's throughput depends on the size of the data frames. For large frame sizes, the throughput can exceed 1 million bits per second.

The TIU complies with NSA COMSEC Type I product requirements for:


(1) COMSEC is an acronym established by the U.S. National Security Agency (NSA) for "Communications Security", as defined under the NSA's Commercial COMSEC Endorsement Program.

The TIU enables you to attach RED DTE devices to a BLACK local area network or a wide area network. In this configuration, the TIU converts outbound plain text into encrypted data. It also converts encrypted data into inbound plain text. RED DTE and BLACK DTE devices can share use of the same BLACK network. The TIU can serve individual, clustered, or networked minicomputers, engineering workstations, personal computers, and other Ethernet-/802.3-compatible DTE devices. Local and remote devices served by TIUs can be in the same building, in different towns, or in different countries.

Secure Communications
As a Type 1 cryptographic device, the TIU supports

A network administrator assigns users and TIUs to a specific group and security level. TIUs maintain the integrity of their assigned security level by means of a unique (pairwise or shared) keying relationship.

Security Administration Control
As a cryptographic device requiring secure network administration methods prescribed by the U.S. Government, the TIU supports:

Industry Standard Protocols
As a device that employs industry-standard network protocols and physical-layer connectivity, the TIU supports the following protocols:

The TIU operates primarily in the data link and physical layers of an 802.3 or Ethernet LAN. Under user configuration control, the TIU can also operate in IP network layer mode. With this design, TIU operation is transparent to locally attached Wang and non-Wang DTE devices and LAN/WAN routers running IP at the network layer.

Configuration Flexibility
The RED device side of a TIU can accommodate one (standalone), several (clustered), or many (LAN-based) user devices. The BLACK network side of a TIU can accommodate an Ethernet-compliant transceiver, or an 802.3-compliant Medium Attachment Unit (MAU).

Note that the transceiver or MAU on the BLACK network side of a TIU can be part of a cable plant or integrated within the design of some other suitable connectivity device such as a multi-port repeater. Note also that host devices running a multilevel secure operating system and equipped with multiple Ethernet/802.3 communications ports can have some ports with, and some without, a locally attached TIU. The greater the number of DTE devices communicating through a TIU, the lower the cost per DTE device connection. You can decide on a TIU configuration that helps your organization to achieve specific goals for data security, system performance, and budget.

Ease of Use
The front panel of the TIU provides an uncomplicated interface that includes the following features:

SmartKeys and SmartLocks
For proper operation, each TIU requires Key Fill Devices (KFDs), that is, cryptographic SmartKeys. The SmartKey is a data storage device, packaged in a shape similar to an automobile key. The user inserts a SmartKey into its corresponding SmartLock receptacle, which, in turn, can read the stored contents of the SmartKey. SmartKeys enable the user to:

When you purchase TIUs, you specify the maximum number of units in your network. NSA supplies the necessary classified keying material for that network.

On-Site Keyfill Requirements
To load BLACK Key Fill Devices at your network site, you can use the Wang Key Manager Loader System (KMLS). The KMLS is not included with the TIU. You can purchase KMLS software and hardware components through your local Wang sales representative.

Dynamic Learning
The TIU is flexible in regard to the identity of the red hosts that the TIU protects. It can be configured in one of two ways: static or dynamic. When statically configured, the addresses of the red hosts are entered manually using the SmartKeys. LAN traffic originating from these hosts is encrypted and forwarded to the appropriate destination TIU. Traffic originating from any other source is blocked. In dynamic mode, the TIU "learns" the identity of its red host DTEs.
Static mode is suitable when access to the TIU is to be restricted to a selected group of DTEs. Dynamic mode is suitable when all connected red DTEs are to have access to the encryption services of the TIU.

Comprehensive Diagnostics
The TIU provides the following internal diagnostic test capabilities:

These tests reside permanently in TIU Programmable Read-Only Memory (PROM).

Additional Features
The Wang TIU provides the following additional design features:

Refer to the "Specifications" section for more detailed information on these features of the TIU.

You can order standard non-TEMPEST AUI cables, fiber optic cables, and blank unclassified SmartKeys for the TIU through your local Wang sales representative. Table 1 describes 16 kilobit (kb) or 64 kb SmartKey packages.

Each TIU requires a minimum of one 16 kb and two 64 kb Black Key Fill Device (BKFD) SmartKeys to place it into operation. Additional 64 kb BKFDs will be required for TIUs that are installed in large networks of 50 or more nodes. Wang Laboratories, Inc., recommends that you maintain at least one backup set of SmartKeys for each TIU.

Wang offers a Maintenance Plan M, which is a mail-in maintenance program that covers all repair material and labor costs for the TIU. You pay a fixed monthly contract fee that covers an unlimited number of return-for-repair incidents for a single TIU. The exception is TIU battery replacement, for which there is a fee. For any TIU not covered by Maintenance Plan M, you pay a flat fee for each return-for-repair incident. The fee covers all repair material and labor costs.