Data management and encryption in a distributed computing system
US-2024305442-A1 · Sep 12, 2024 · US
US9871772B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9871772-B1 |
| Application number | US-201514660373-A |
| Country | US |
| Kind code | B1 |
| Filing date | Mar 17, 2015 |
| Priority date | Mar 17, 2015 |
| Publication date | Jan 16, 2018 |
| Grant date | Jan 16, 2018 |
Abstract
A system and method operate on a first electronic device and a second electronic device. The first device has a control system and a cryptographic communications module. The second device has a key generator, a user interface, and a cryptographic communications module. The second device generates a single-mission cryptographic key that is securely programmed into the first device, and the first device is deployed to a remote location. The user interface receives a command for controlling the first device. The second device encrypts the command according to the cryptographic key, and transmits the encrypted command to the first device. The first device authenticates the command, decrypts it, and passes the decrypted command to the control system. The first device may be actively guided ordnance, and the second device may be a control element for controlling the actively guided ordnance. The key may be automatically obfuscated upon mission completion or termination.
Claims
What is claimed is:

1. A system for managing encryption keys and secure communications for a mission for a remotely controlled device (RCD), wherein the remotely controlled device is stored unkeyed and is keyed at the time of deployment, the system comprising: a primary control element (PCE); a forward observer control element (FO); and a remotely controlled device (RCD), wherein: the primary control element (PCE) is configured to (a) obtain indicia from the remotely controlled device; (b) obtain an RCD public key associated with the remotely controlled device based on the indicia; (c) generate a first operational keyset including a first single-mission encryption key for the remotely controlled device; (d) encrypt at least a portion of the first operational keyset using the RCD public key to form an encrypted first operational keyset; (e) transmit the encrypted first operational keyset to the remotely controlled device over a key load interface; (f) generate a second operational keyset including a second single-mission encryption key for the remotely controlled device; (g) encrypt at least a portion of the second operational keyset using an FO public key associated with the FO and transmit such encrypted second operational keyset to the FO; and (h) encrypt at least a portion of the second operational keyset using the RCD public key associated with the RCD and transmit such encrypted second operational keyset to the RCD; (i) encrypt a first command for the remotely controlled device using a PCE in-use encryption key derived from the first single-mission encryption key; and (j) transmit the encrypted first command to the remotely controlled device along with an authentication tag over a first wireless communication link; the FO is configured to (a) receive the encrypted second operational keyset from the PCE; (b) decrypt the encrypted second operational keyset using an FO private key associated with the FO public key in order to obtain the second single-mission encryption key; and (c) encrypt a second command for the RCD using an FO in-use key derived from the second single-mission encryption key; and (d) transmit the encrypted second command to the RCD over a second wireless communication link; and the RCD includes said indicia and is configured to (a) receive the encrypted first operational keyset over the key load interface; (b) decrypt the encrypted first operational keyset using an RCD private key associated with the RCD public key in order to obtain the first single-mission encryption key; (c) receive the encrypted first command over the first wireless communication link; (d) authenticate the encrypted first command using the authentication tag and a pre-loaded hash key; and (e) decrypt the encrypted first command using a first RCD in-use encryption key derived from the obtained first single-mission encryption key; (f) receive the encrypted second operational keyset from the PCE; (g) decrypt the encrypted second operational keyset using the RCD private key associated with the RCD public key in order to obtain the second single-mission encryption key; (h) receive the encrypted second command from the FO over the second wireless communication link; and (i) decrypt the encrypted second command using a second RCD in-use key derived from the second single-mission encryption key.

2. A system according to claim 1, wherein the indicia includes an identifier of the RCD.

3. A system according to claim 1, wherein the indicia includes the public key associated with the RCD.

4. A system according to claim 1, wherein the indicia is placed on an outer surface of the RCD, and wherein the PCE includes an optical reader for reading the indicia from the outer surface of the RCD.

5. A system according to claim 1, wherein the indicia is included in a near-field readable device of the RCD, and wherein the PCE includes a near-field reader for reading the indicia from the near-field readable device of the RCD.

6. A system according to claim 1, wherein the PCE and the RCD are configured to respectively change the PCE in-use key and the RCD in-use key every N messages between the PCE and the RCD, where N is greater than or equal to one.

7. A system according to claim 6, wherein the PCE includes a message counter in messages sent by the PCE to the RCD, and wherein the PCE and the RCD are configured to respectively change the PCE in-use key and the RCD in-use key based on the message counter.

8. A system according to claim 1, wherein the RCD is configured to move at least a portion of the operational keysets from a non-volatile memory into a volatile memory and erase such portion from the non-volatile memory during the mission.

9. A system according to claim 1, wherein the PCE is further configured to digitally sign the encrypted first operational keyset transmitted to the remotely controlled device over the key load interface.

10. A system according to claim 1, wherein the PCE and the RCD include identical hardware cryptographic modules.

11. A system according to claim 10, wherein each cryptographic module comprises: at least one first microprocessor configured to encrypt data using a single-mission cryptographic key; a second microprocessor, configured to transmit and receive encrypted data using a public data communications medium; and a third microprocessor, coupled to the at least one first microprocessor and to the second microprocessor, the third microprocessor configured (a) to determine whether encrypted data received from the at least one first microprocessor are correctly encrypted, and if so, to provide these data to the second microprocessor for transmission, and (b) to determine whether a command received from the second microprocessor is authentic, and if so, to decrypt the received command using the single-mission cryptographic key.

12. A system according to claim 1, wherein the PCE is configured to perform a secure hand-off procedure to allow the FO to send the second command to the RCD.

13. A system according to claim 1, wherein the encrypted second command includes an indicator associated with the second operational keyset, the indicator allowing the RCD to select the second operational keyset from among a plurality of operational keysets for use in decrypting the encrypted second command.

14. A system according to claim 1, wherein the PCE, the FO, and the RCD include identical hardware cryptographic modules.

15. A system according to claim 14, wherein each cryptographic module comprises: at least one first microprocessor configured to encrypt data using a single-mission cryptographic key; a second microprocessor, configured to transmit and receive encrypted data using a public data communications medium; and a third microprocessor, coupled to the at least one first microprocessor and to the second microprocessor, the third microprocessor configured (a) to determine whether encrypted data received from the at least one first microprocessor are correctly encrypted, and if so, to provide these data to the second microprocessor for transmission, and (b) to determine whether a command received from the second microprocessor is authentic, and if so, to decrypt the received command using the single-mission cryptographic key.

16. A system according to claim 1, wherein the primary control element is configured for controlling multiple remotely controlled devices simultaneously including, for each remotely controlled device, (a) obtaining indicia from the remotely controlled device; (b) obtaining an RCD public key associated with the remotely controlled device based on the indicia; (c) generating
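The over-the-air part of claim 1 (PCE steps (i) and (j), RCD steps (c) to (e)) together with the per-message key change of claims 6 and 7, as an added illustration written for this page rather than code from the patent or its assignee. It assumes the single-mission key has already been loaded into the RCD over the key load interface (that public-key step is not shown), it uses an HMAC-SHA256 keystream as a stand-in for whatever cipher the hardware module actually runs, and the rotation interval, key bytes and commands are constructed sample values. The RCD checks the authentication tag with the pre-loaded hash key before it decrypts anything, derives the same in-use key as the PCE from the message counter, and the replay check and key zeroisation at end of mission are added design choices the claims do not spell out.

```python
"""Added example (not from the patent): mission-keyed command channel, PCE -> RCD.
Standard library only; the HMAC-SHA256 keystream is an assumed stand-in cipher."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

ROTATE_EVERY = 4  # N from claim 6: new in-use key every N messages (constructed value)
TAG_LEN = 32      # HMAC-SHA256 authentication tag length
HDR_LEN = 8       # 64-bit big-endian message counter carried in clear (claim 7)


def derive_in_use_key(mission_key: bytes, epoch: int) -> bytes:
    """In-use key for key epoch `epoch`, derived from the single-mission key.
    Both sides compute epoch = counter // ROTATE_EVERY, so they rotate in lockstep."""
    info = b"in-use-key" + struct.pack(">Q", epoch)
    return hmac.new(mission_key, info, hashlib.sha256).digest()


def _keystream(in_use_key: bytes, counter: int, length: int) -> bytes:
    """PRF keystream for one message; the counter makes it unique per message."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(in_use_key, struct.pack(">QQ", counter, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


class ControlElement:
    """PCE side: encrypt under the current in-use key (claim 1(i)), then send
    counter || ciphertext || tag (claim 1(j))."""

    def __init__(self, mission_key: bytes, hash_key: bytes):
        self.mission_key = bytearray(mission_key)
        self.hash_key = hash_key
        self.counter = 0

    def send(self, command: bytes) -> bytes:
        counter = self.counter
        self.counter += 1
        in_use = derive_in_use_key(bytes(self.mission_key), counter // ROTATE_EVERY)
        header = struct.pack(">Q", counter)
        body = _xor(command, _keystream(in_use, counter, len(command)))
        tag = hmac.new(self.hash_key, header + body, hashlib.sha256).digest()
        return header + body + tag


class RemoteDevice:
    """RCD side: authenticate with the pre-loaded hash key first (claim 1(d)),
    only then derive the in-use key and decrypt (claim 1(e))."""

    def __init__(self, mission_key: bytes, hash_key: bytes):
        self.mission_key = bytearray(mission_key)
        self.hash_key = hash_key
        self.last_counter = -1  # highest counter accepted so far (replay guard, added)

    def receive(self, message: bytes) -> Optional[bytes]:
        """Return the plaintext command for the control system, or None if rejected."""
        if len(message) < HDR_LEN + TAG_LEN:
            return None
        header, body, tag = message[:HDR_LEN], message[HDR_LEN:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.hash_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted: nothing reaches the control system
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:
            return None  # replayed or out-of-order message
        self.last_counter = counter
        in_use = derive_in_use_key(bytes(self.mission_key), counter // ROTATE_EVERY)
        return _xor(body, _keystream(in_use, counter, len(body)))

    def end_mission(self) -> None:
        """Mission complete or aborted: overwrite the key in place and stop accepting."""
        for i in range(len(self.mission_key)):
            self.mission_key[i] = 0
        self.last_counter = 2 ** 64  # every valid counter is now "stale"


if __name__ == "__main__":
    # Constructed demo keys; in the patent these arrive via the key load interface.
    mission_key, hash_key = secrets.token_bytes(32), secrets.token_bytes(32)
    pce, rcd = ControlElement(mission_key, hash_key), RemoteDevice(mission_key, hash_key)
    for i in range(6):  # counters 0..5 span two key epochs with ROTATE_EVERY = 4
        wire = pce.send(b"cmd%d" % i)
        print(i, i // ROTATE_EVERY, rcd.receive(wire))
    rcd.end_mission()
```

The ordering inside `receive` is the point claim 1 makes: the tag is verified with a key that was pre-loaded, separate from the mission key, before any decryption work is done, so a message that fails authentication never touches the in-use key or the control system.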
Classifications (CPC titles)

- wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for public-key encryption, H04L9/30)
- Applying verification of the received information (cryptographic mechanisms or cryptographic arrangements for data integrity or data verification, H04L9/32)
- using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for symmetric key encryption, H04L9/06)
- Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) (network architectures or network communication protocols for key distribution in a packet data network, H04L63/062)