Lesson Overview
Lesson 01 named the threats to our communications, and among them was the one a careful operator fears most: deception. An enemy who can imitate a friendly station can do far more harm than one who merely listens. A listener learns what we say; an imitator makes us act on what we never said. They can pass a false order, recall a section that should hold its ground, send a patrol into danger, or simply ask innocent-sounding questions until they have built a picture of our strength and our plans. This lesson teaches the discipline that defeats them: proving that a station is genuine before you trust it, and recognising the signs that a station is not.
The tool at the heart of this lesson is authentication: a short challenge-and-reply that a genuine station can answer and an imposter cannot. It costs seconds and it is fully lawful on amateur and licence-free radio, because it hides nothing; it only proves identity. Around it sits a set of habits (call-sign discipline, alertness to odd procedure, and a clear drill for the moment you suspect an intruder) that together make our net hard to fool. None of this requires gadgets. It requires attention and method, which is the spirit of the whole course.
This is the knowledge layer. Reading it will teach you what authentication is and how to recognise an imposter, but the skill is built by doing. Operating an authentication table on the net, challenging under time pressure, and running the intruder drill are practised and signed off in person and on airsoft milsim exercises, where radio is actually transmitted only by licensed members or on licence-free and low-power sets. By the end you will be able to explain why authentication matters and how a simple challenge-and-reply table works; decide when to challenge and when to authenticate before acting; recognise the signs of spoofing, intrusion, and deception; keep call-sign discipline that gives an enemy no readable pattern; and carry out the correct drill (do not comply, authenticate, report) when you suspect an intruder on the net.
Key Terms
- Authentication: the act of proving a station is genuine by a challenge it can answer and an imposter cannot; on lawful radio it confirms identity without hiding meaning.
- Challenge-and-reply: the method of authentication in which one station transmits a challenge (usually two letters) and the genuine station returns the matching reply read from a shared table.
- Authentication table: a sheet, held only by genuine stations and changed regularly, that gives the reply for every possible challenge; the shared secret that makes authentication work.
- Spoofing (intrusion): a hostile station imitating a friendly one, joining the net under a false call sign to inject false traffic or gather information.
- Deception: the wider effort to make us believe something untrue over the air, of which spoofing is one method.
- Imposter: the hostile operator pretending to be a friendly station.
- Challenge: the transmission, "AUTHENTICATE Charlie Foxtrot", that demands proof of identity.
- Reply (response): the answer the challenged station reads from the table; correct means genuine, wrong or absent means treat as hostile.
- Two-way (mutual) authentication: each station challenging the other, so both prove themselves; used when neither is sure of the other.
- Call-sign discipline: using call signs correctly and sparingly, and changing them when ordered, so the net gives an enemy no readable pattern of who is who.
- NCS (Net Control Station): the station that directs the net; often the one that challenges joiners and rules on a suspected intruder.
Why we authenticate, and why it is lawful
Radio is broadcast. Anyone with a receiver can hear our net, learn our call signs, and study how we speak. From that, a capable enemy can build a station that sounds exactly like one of ours: the right call sign, the right prowords, the right manner. Nothing about hearing a familiar call sign proves the station behind it is friendly. This is the gap authentication closes. A call sign says who a station claims to be; authentication makes it prove the claim.
It is worth being plain about what authentication is not. It is not encryption, and it does not hide the meaning of your message. That distinction matters because, as Lesson 04 sets out in full, amateur and licence-free radio licences forbid encryption or any code meant to obscure meaning. Authentication is lawful on those bearers precisely because it obscures nothing. The challenge "AUTHENTICATE Charlie Foxtrot" and the reply read back are spoken in clear; an eavesdropper hears every letter. What they cannot do is produce the correct reply, because they do not hold the table. Authentication proves identity without keeping any secret about the message, which is exactly why it is the comsec tool you can use freely on the open net.
The reason it works is the shared table. Genuine stations hold the same authentication table; the imposter does not. So a genuine station, asked any challenge, finds the matching reply in seconds, and the imposter is left guessing. The table is therefore protected like a key. It is issued only to genuine stations, kept secure, changed on a set schedule and immediately if it may have been lost or captured, and never read aloud or photographed. A table in the wrong hands lets the enemy authenticate as freely as we do, so its security is the security of the whole net.
How a simple authentication table works
The everyday method is a two-letter challenge-and-reply table. Picture a grid: every pair of letters, the challenge, maps to one reply. The challenger picks a pair, transmits it as the challenge, and the genuine station looks it up and transmits the matching reply. Because only genuine stations hold the grid, only they can answer.
TWO-LETTER AUTHENTICATION TABLE (extract, EXAMPLE ONLY)
Effective DTG 120600Z JUN 26 to 130600Z JUN 26

  CHALLENGE -> REPLY      CHALLENGE -> REPLY
  -------------------     -------------------
     A F    ->   T           C F    ->   R
     B K    ->   M           D Q    ->   E
     B R    ->   W           G H    ->   L
     C C    ->   P           J V    ->   X

Challenge is read as letters: "AUTHENTICATE Charlie Foxtrot"
Reply is the single matching letter: "I AUTHENTICATE Romeo"
Pick the challenge pair at random each time; never re-use one
on the same net. Table is changed daily and on any compromise.
Note three rules built into that extract. First, the table is in force only for a stated period and then replaced; a captured table is worthless once the schedule rolls over, and changing it daily is cheap insurance. Second, the challenger picks the challenge pair at random and does not re-use it on the same net, so an enemy who overhears one good exchange cannot replay it. Third, the figures shown are an example for teaching only; the real table is issued separately, held securely, and never printed in a lesson. Learn the method here; draw the live table from your signals plan.
The exchange on the air is short. To challenge, the proword is AUTHENTICATE followed by the challenge letters spoken phonetically. The genuine station answers with I AUTHENTICATE followed by the reply letter. If you want the other station to prove itself before you answer its question, you challenge first; if a station challenges you, you reply, and you may then challenge in return. That is all the procedure there is. Its power lies not in complexity but in the table behind it.
CHALLENGE-AND-REPLY EXCHANGE (a join request, authenticated)

UNKNOWN STN  "Hello CHARLIE TWO ZERO, this is CHARLIE TWO FIVE,
             request to join your net, OVER."

NCS          [does not yet trust the caller; challenges first]
             "CHARLIE TWO FIVE, this is CHARLIE TWO ZERO,
             AUTHENTICATE Charlie Foxtrot, OVER."

CHARLIE 25   [genuine: looks up C F in today's table = R]
             "CHARLIE TWO ZERO, this is CHARLIE TWO FIVE,
             I AUTHENTICATE Romeo, OVER."

NCS          [reply matches the table -> station is genuine]
             "CHARLIE TWO FIVE, this is CHARLIE TWO ZERO,
             ROGER, you are netted in, OUT."

--- but if the caller had answered with the WRONG letter,
    or with WAIT, or with silence (NOTHING HEARD), the NCS
    treats it as a suspected intruder: do not comply, report.
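The table rules and the exchange above, modelled in Python as an added illustration that is not part of the lesson or of any issued procedure. The `Challenger` class and its method names are hypothetical, the table is the lesson's EXAMPLE ONLY extract, and treating the effective period as inclusive at the start and exclusive at the end is an assumption.

```python
import secrets
from datetime import datetime, timezone

# Constructed for illustration: the lesson's EXAMPLE ONLY extract, never a live table.
EXAMPLE_TABLE = {"AF": "T", "BK": "M", "BR": "W", "CC": "P",
                 "CF": "R", "DQ": "E", "GH": "L", "JV": "X"}
# Effective DTG 120600Z JUN 26 to 130600Z JUN 26
VALID_FROM = datetime(2026, 6, 12, 6, 0, tzinfo=timezone.utc)
VALID_TO = datetime(2026, 6, 13, 6, 0, tzinfo=timezone.utc)

PHONETIC = dict(zip("ABCDEFGHIJKLMNOPQRSTUVWXYZ", (
    "Alfa Bravo Charlie Delta Echo Foxtrot Golf Hotel India Juliett Kilo Lima "
    "Mike November Oscar Papa Quebec Romeo Sierra Tango Uniform Victor Whiskey "
    "X-ray Yankee Zulu").split()))


def spoken_challenge(pair):
    """Challenge as transmitted: proword plus the pair read phonetically."""
    return "AUTHENTICATE " + " ".join(PHONETIC[c] for c in pair)


def spoken_reply(letter):
    """Reply as transmitted by the challenged station."""
    return "I AUTHENTICATE " + PHONETIC[letter]


class Challenger:
    """Challenging station, for example the NCS (hypothetical helper)."""

    def __init__(self, table, valid_from, valid_to):
        self.table = dict(table)
        self.valid_from, self.valid_to = valid_from, valid_to
        self.used = set()    # pairs already sent on this net
        self.pending = None  # challenge still awaiting its reply

    def issue(self, now):
        # Rule 1: the table is in force only for its stated period
        # (assumed here: start inclusive, end exclusive).
        if not self.valid_from <= now < self.valid_to:
            raise RuntimeError("table out of period: draw the current table")
        # Rule 2: random pick, never re-used, so an overheard
        # exchange cannot be replayed against a later challenge.
        unused = sorted(set(self.table) - self.used)
        if not unused:
            raise RuntimeError("all pairs used: change the table")
        self.pending = secrets.choice(unused)
        self.used.add(self.pending)
        return self.pending

    def rule(self, reply):
        """reply is the letter heard, or None for silence (NOTHING HEARD)."""
        if self.pending is None:
            raise RuntimeError("no challenge outstanding")
        pair, self.pending = self.pending, None  # one challenge, one ruling
        if reply is not None and reply.strip().upper() == self.table[pair]:
            return "GENUINE"
        return "SUSPECTED INTRUDER"  # wrong letter, WAIT, evasion or silence


if __name__ == "__main__":
    now = datetime(2026, 6, 12, 14, 0, tzinfo=timezone.utc)
    ncs = Challenger(EXAMPLE_TABLE, VALID_FROM, VALID_TO)
    pair = ncs.issue(now)
    print(spoken_challenge(pair) + ", OVER")
    letter = EXAMPLE_TABLE[pair]  # genuine station reads its own copy
    print(spoken_reply(letter) + ", OVER ->", ncs.rule(letter))
    ncs.issue(now)
    print("WAIT, table not to hand ->", ncs.rule("WAIT"))
```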
When to challenge and when to authenticate before acting
You do not authenticate every transmission; that would clog the net for no gain. You authenticate when identity matters, and a disciplined operator knows the moments that call for it. The simplest guide is this: challenge before you act on traffic that is important or unusual, and challenge any station whose identity you cannot otherwise trust.
Authenticate before acting on important or unusual traffic. If a station passes an order that moves people, changes the plan, recalls a section, sends a patrol somewhere new, stands the net down, or commits resources, prove the station before you obey. The more consequential the instruction, the more an enemy would gain by faking it, and so the more it must be authenticated. The same applies to anything out of the ordinary: an order that does not fit the plan you were briefed on, a sudden change with no explanation, a request for information you would not normally pass in clear. Unusual traffic is exactly what an imposter sends, so unusual traffic earns a challenge.
Authenticate a station whose identity is in doubt. Challenge any station joining the net, as the NCS did above. Challenge a station whose voice, manner, or procedure has changed in a way you cannot explain. Challenge when you are entering or resuming contact after a break and cannot be sure who holds the frequency now. And use two-way authentication, each station challenging the other, when neither side is sure of the other, for instance when two elements meet on the air for the first time. When in doubt, challenge; the seconds it costs are nothing against the cost of obeying an enemy.
There is one ironclad rule that turns this from advice into drill: never act on important or unusual traffic from an unauthenticated station. If a station will not authenticate, you do not comply, whatever it claims, however urgent it sounds, and however senior the appointment it names. Urgency and authority are exactly what an imposter will fake to rush you past your own discipline. The genuine station can always authenticate; the one that cannot is the one you must not trust.
Recognising spoofing, intrusion, and deception
Authentication is the test you apply on purpose. Alongside it you need the alertness that tells you when to apply it, the ability to notice that something about a station is wrong before you have even challenged. An intruder gives himself away in small ways, and a trained ear catches them.
Watch for a station that will not authenticate. This is the clearest sign of all. A genuine station can always answer the challenge; one that stalls, that says WAIT and never comes back, that gives a wrong letter, that claims its table is lost, or that talks over the challenge to avoid it, is to be treated as hostile until proven otherwise. An imposter's whole problem is that he cannot pass the test, so evasion of the test is itself the tell.
Watch for odd procedure. An operator trained on a different net, or improvising, betrays himself by getting our procedure subtly wrong: prowords used incorrectly or in the wrong order, "over and out" said together, call signs spoken in a form we do not use, a pace or phrasing that is not ours, hesitation where a real operator would be fluent, or over-eagerness where a real operator would be brief. None of these alone proves an intruder, but they raise your guard and tell you to challenge.
Watch for traffic that does not fit. Deception is content as well as voice. Be suspicious of an order that contradicts what you were briefed, a request to do something that makes no operational sense, a station fishing for information (exact numbers, names, locations, plans) that it has no need to know, or a message that conveniently serves an enemy's interest. Ask the simple question: who benefits if I believe this? Watch too for the impossible: a station reporting from a place it cannot be, or a second voice using a call sign you know is held by someone else on the net right now. When the traffic does not fit the picture, the station behind it may not be friendly.
IS THIS STATION GENUINE? - a decision flow

   Traffic arrives, or a station calls in
        |
        v
   Is it IMPORTANT or UNUSUAL, or is the identity in DOUBT?
        |
   NO --+-- routine, identity not in question
   |    |   -> handle normally, stay alert
   |   YES
   |    |
   |    v
   |   CHALLENGE: "AUTHENTICATE <two letters>, OVER"
   |    |
   |    +------------------+------------------+
   |    |                  |                  |
   |   REPLY CORRECT      REPLY WRONG        NO REPLY / evades /
   |   (matches table)    (or refuses)       "table lost" / WAIT
   |    |                  |                  |
   |    v                  v                  v
   |   GENUINE            SUSPECTED INTRUDER SUSPECTED INTRUDER
   |   -> proceed          |                  |
   |                       v                  v
   +-----------------> DO NOT COMPLY    --  AUTHENTICATE no further
                       with its traffic;    on its terms;
                       keep using yours;    REPORT to NCS / chain;
                                            note time + detail in the LOG.

When in doubt, CHALLENGE. The genuine station can always answer.
Call-sign discipline and avoiding readable patterns
An enemy listens long before he intrudes. Traffic analysis, met in Lesson 01, lets him learn our net from the outside: who our stations are, who talks to whom, who is clearly in charge, and when our traffic surges. The more readable our call-sign habits, the easier we make that study, and the easier we make it for him to imitate us convincingly later. Call-sign discipline denies him the pattern.
Use call signs correctly and sparingly. Identify your station as the procedure requires, no more. Idle chatter, repeated unnecessary calls, and naming individuals all add to the pattern an enemy is building. Use the appointment title or the assigned call sign, never personal names over the air; naming people hands the enemy a roster for free and, as Lesson 04 explains, brevity here is for protection, not for secrecy. The quieter and more uniform the net sounds, the less an analyst can pull from it.
Change call signs when ordered, and do not let your station become a fixed signature. A call sign held by the same operator, on the same schedule, talking to the same other stations, is a thread an enemy can follow and eventually impersonate. Signals plans therefore rotate call signs on a schedule; learn the new allocation, use it cleanly from the changeover time, and do not keep slipping back to the old one. Above all, avoid readable patterns of life on the net: the same station calling the same other station at the same time every day, a recognisable surge of traffic before every activity, one unmistakable voice that always speaks for the commander. These patterns tell an enemy what is about to happen and exactly whom to imitate, even though no secret was ever spoken. Discipline that varies timing, spreads traffic, and keeps the net uniform is the countermeasure, and it ties directly into the traffic-analysis work in Lesson 06 and the OPSEC and patterns-of-life work in Lesson 10.
What to do when you suspect an intruder
When the signs add up, or a station simply fails to authenticate, you follow a fixed drill. It is short on purpose, because the moment you suspect an intruder is the moment an imposter is trying to rush you. The drill is three steps, in order: do not comply, authenticate, report.
Do not comply. Take no action on the suspect station's traffic. Do not move, do not change the plan, do not send the requested information, do not stand down, do not do anything its message asks of you. This is the step that defeats the whole attack, because the imposter's aim is to make you act. Refusing to act on unauthenticated important traffic costs you nothing if the station turns out genuine, since a genuine station will authenticate in seconds and you can act then; but it saves you everything if the station is hostile. Hold your discipline against urgency and against named authority alike.
Authenticate. Challenge the station and put the question beyond doubt. A genuine station answers correctly and the matter is settled. A station that gives a wrong reply, refuses, evades, claims a lost table, or goes silent has identified itself as hostile. Do not let it draw you into long exchanges or feed it information while you probe; one clean challenge is enough. Do not authenticate to the enemy by passing him anything useful in the course of testing him.
Report. Tell the Net Control Station and your chain of command at once: an intruder is suspected on the net. Pass the time, the call sign used, what the station tried to do, and how it failed authentication, and write the same in the signals log. The report matters beyond your own station, because the NCS can warn every other station, the net can change call signs or frequency on the signals plan, and the chain can decide what the intrusion was probing for. Your one alert protects the whole net. Keep the report itself disciplined: brief, factual, and giving the enemy nothing further to learn. Then carry on under whatever instructions the NCS gives, ready to challenge again, because a force that authenticates by habit and reports without hesitation is a force an imposter cannot use.
In Practice: a recall that did not fit
Corporal Adesh leads a section providing communications cover for a community flood-relief exercise, working a licence-free low-power net under the call sign CHARLIE THREE ONE, with the Net Control Station as CHARLIE THREE ZERO. The afternoon has been routine: position checks, a logistics request, nothing unusual. Then a station calls.
"CHARLIE THREE ONE, this is CHARLIE THREE ZERO, recall your section to the assembly area immediately, the exercise is suspended, OVER."
It is the right call sign and the right manner, and it sounds urgent. But Adesh notices what does not fit. The voice is a shade quick and the phrasing is not quite how his NCS talks; and more to the point, a sudden suspension with no reason, ordering his section off ground they were briefed to hold, is exactly the kind of important and unusual traffic the course tells him to authenticate before he acts on. He does not move his section. He keys up and challenges.
"CHARLIE THREE ZERO, this is CHARLIE THREE ONE, AUTHENTICATE Bravo Romeo, OVER."
A pause. Then: "CHARLIE THREE ONE, this is CHARLIE THREE ZERO, WAIT, my authentication table is not to hand, just carry out the recall, OVER."
That is the answer of an imposter. A genuine NCS holds the table and answers in seconds; a station that cannot authenticate and presses him to comply anyway has failed the test. Adesh runs the drill. He does not comply: his section stays exactly where it was briefed to be. He does not authenticate to the intruder by passing him anything, and he does not argue on the air. He reports: shifting to the alternate contact in his PACE plan to reach the real NCS directly, he passes a short factual alert (the time, the call sign used, the false recall, and the failed challenge) and logs it. The real NCS, now warned, alerts the rest of the net and rolls the call signs early per the signals plan. One disciplined refusal kept a section in place and turned an intrusion into a logged, contained incident.
Check Your Understanding
- A station passes you what sounds like an urgent order to move, using a correct friendly call sign, but it cannot return the correct reply when you challenge it. What is the three-step drill you carry out, in order, and why must the first step be what it is?
- Authentication is lawful to use on amateur and licence-free radio, but encryption is not. Explain the difference that makes one lawful and the other not, and what authentication actually proves.
- Give two signs, other than a failed authentication, that should make you suspect a station is an intruder, and explain why each one is suspicious.
Reflection (write a short paragraph): Think of a time, on or off the air, when you acted on an instruction because of how urgent or how authoritative it sounded, before you had really confirmed where it came from. What would "do not comply, authenticate, report" have changed about how you handled it, and why is that discipline hardest to keep at exactly the moment it matters most?
Summary
- A call sign only states a claim of identity; authentication makes a station prove it. An enemy who imitates a friendly station can make us act on orders we never received, which is why proving identity matters more than recognising a familiar call sign.
- Authentication is challenge-and-reply from a shared table: only genuine stations hold the table, so only they can return the correct reply. It is fully lawful on amateur and licence-free radio because it proves identity without hiding any meaning, unlike encryption, which those licences forbid (developed in Lesson 04).
- Protect the table like a key: issued only to genuine stations, held securely, never read aloud or photographed, changed on schedule and on any compromise, with challenge pairs picked at random and not re-used.
- Authenticate when identity matters: before acting on important or unusual traffic, and whenever a station's identity is in doubt. Never act on important or unusual traffic from a station that will not authenticate, however urgent or senior it sounds.
- Recognise intrusion by the station that will not authenticate, by odd procedure (wrong prowords, unfamiliar phrasing, hesitation), and by traffic that does not fit (orders against the brief, fishing for information, a station that cannot be where it claims). Ask who benefits if you believe it.
- Keep call-sign discipline: correct and sparing use, no personal names, change call signs when ordered, and avoid readable patterns of timing, traffic surge, and voice that let an enemy study and later imitate the net.
- The intruder drill is do not comply, authenticate, report: refusing to act defeats the attack, one clean challenge settles identity, and a prompt factual report protects the whole net.
- Related study: Lesson 01 (the threat, including traffic analysis and deception) and Lesson 02 (emission control and the quiet net) of this course; Lesson 04 (Security Without Encryption) develops why discipline, not cryptography, secures our radio; Lesson 10 (Operational Security in the Information Age) extends patterns-of-life discipline. SIG 201 covers the underlying voice procedure and prowords; FLD 220 gives the signals awareness this builds on; PME 210 supports disciplined written orders and reports; and the net resilience here supports HCR 220 (Emergency Preparedness and Civil Resilience).
Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia