Red/black concept



The red/black concept, sometimes called the red–black architecture or red/black engineering, refers to the careful segregation in cryptographic systems of signals that contain sensitive or classified plaintext information (red signals) from those that carry encrypted information, or ciphertext (black signals). Therefore, the red side is usually considered the internal side, and the black side the more public side, with often some sort of guard, firewall or data-diode between the two.

In NSA jargon, encryption devices are often called blackers, because they convert red signals to black. TEMPEST standards spelled out in Tempest/2-95 specify shielding or a minimum physical distance between wires or equipment carrying or processing red and black signals.

Different organizations have differing requirements for the separation of red and black fiber-optic cables.

Red/black terminology is also applied to cryptographic keys. Black keys have themselves been encrypted with a "key encryption key" (KEK) and are therefore benign. Red keys are not encrypted and must be treated as highly sensitive material.

Red/Gray/Black
The NSA's Commercial Solutions for Classified (CSfC) program, which uses two layers of independent, commercial off-the-shelf cryptographic products to protect classified information, includes a red/gray/black concept. In this extension of the red/black concept, the separated gray compartment handles data that has been encrypted only once, which happens at the red/gray boundary. The gray/black interface adds or removes a second layer of encryption.