NSA encryption systems
Encyclopedia
The National Security Agency
took over responsibility for all U.S. Government encryption
systems when it was formed in 1952. The technical details of most NSA-approved systems are still classified
, but much more about its early systems has become known and its most modern systems share at least some features with commercial products.
Rotor machine
s from the 1940s and 1950s were mechanical marvels. The first generation electronic systems were quirky devices with cantankerous punched card
readers for loading keys
and failure-prone, tricky-to-maintain vacuum tube
circuitry. Late 20th century systems are just black boxes, often literally. In fact they are called blackers in NSA parlance because they convert classified signals (red) into unclassified signals (black). They typically have electrical connector
s for the red signals, the black signals, electrical power, and a port for loading keys. Controls can be limited to selecting between key fill
, normal operation and diagnostic modes and an all important zeroize
button that erases classified information including keys and perhaps the encryption algorithms. 21st century systems often contain all the sensitive cryptographic functions on a single, tamper-resistant integrated circuit that supports multiple algorithms and allows over-the-air or network rekeying, so that a single hand-held field radio
can interoperate with most current NSA cryptosystems.http://www.rfcomm.harris.com/products/tactical-radio-communications/an-prc-152.pdf
in NSA jargon):
predecessors and used rotor machines derived from the SIGABA
design for most high level encryption; for example, the KL-7
. Key distribution involved distribution of paper key lists that described the rotor arrangements, to be changed each day (the cryptoperiod
) at midnight, GMT. The highest level traffic was sent using one-time tape systems, including the British 5-UCO
, that required vast amounts of paper tape keying material.
s and transformer logic. Algorithms appear to be based on linear feedback shift register
s, perhaps with some non-linear elements thrown in to make them more difficult to cryptanalyze. Keys were loaded by placing a punched card
in a locked reader on the front panel. The cryptoperiod was still usually one day. These systems were introduced in the late 1960s and stayed in use until the mid-1980s. They required a great deal of care and maintenance, but were not vulnerable to EMP. The discovery of the Walker spy ring provided an impetus for their retirement, along with remaining first generation systems.
s and likely used stronger algorithms. They were smaller and more reliable. Field maintenance was often limited to running a diagnostic mode and replacing a complete bad unit with a spare, the defective box being sent to a depot for repair. Keys were loaded through a connector on the front panel. NSA adopted the same type of connector that the military used for field radio handsets as its fill connector. Keys were initially distributed as strips of punched paper tape
that could be pulled through a hand held reader (KOI-18
) connected to the fill port. Other, portable electronic fill device
s (KYK-13
, etc.) were available as well.
s, such as the KSD-64
crypto ignition key (CIK) were introduced. Secret splitting technology allows encryptors and CIKs to be treated as unclassified when they were separated. Later the Fortezza
card, originally introduced as part of the controversial Clipper chip
proposal, were employed as tokens. Cryptoperiods were much longer, at least as far as the user was concerned. Users of secure telephones like the STU-III
only have to call a special phone number once a year to have their encryption updated. Public key methods (FIREFLY
) were introduced for electronic key management (EKMS
). Keys can now be generated by individual commands instead of coming from NSA by courier. A common handheld fill device (the AN/CYZ-10
) was introduced to replace the plethora of devices used to load keys on the many third generation systems that were still widely used. Encryption support was provided for commercial standards such as Ethernet
, IP
(originally developed by DOD's
ARPA), and optical fiber multiplexing. Classified networks, such as SIPRNet
(Secret Internet Protocol Router Network) and JWICS (Joint Worldwide Intelligence Communications System), were built using commercial Internet
technology with secure communications links between "enclaves" where classified data was processed. Care had to be taken to ensure that there were no insecure connections between the classified networks and the public Internet
.
algorithm for classified use "in NSA approved systems" suggests that, in the future, NSA may use more non-classified algorithms. The KG-245A and KG-250 use both classified and unclassified algorithms. The NSA Information Assurance Directorate is leading the Department of Defense Cryptographic Modernization Program
, an effort to transform and modernize Information Assurance capabilities for the 21st century. It has three phases:
NSA has helped develop several major standards for secure communication: the Future Narrow Band Digital Terminal (FNBDT) for voice communications, High Assurance Internet Protocol Interoperability Encryption- Interoperability Specification (HAIPE
) for computer networking and Suite B encryption algorithms.
, written messages (known as record traffic) were encrypted off line on special, and highly secret, rotor machine
s and then transmitted in five letter code groups using Morse code
or teletypewriter
circuits, to be decrypted off-line by similar machines at the other end. The SIGABA
rotor machine, developed during this era continued to be used until the mid-1950s, when it was replaced by the KL-7
, which had more rotors.
The KW-26
ROMULUS was a second generation encryption system in wide use that could be inserted into teletypewriter circuits so traffic was encrypted and decrypted automatically. It used electronic shift registers
instead of rotors and became very popular (for a COMSEC device of its era), with over 14,000 units produced. It was replaced in the 1980s by the more compact KG-84
, which in turn was superseded by the KG-84-interoperable KIV-7
.
. The Navy also needs to maintain traffic security, so it has radio stations constantly broadcasting a stream of coded messages. During and after World War II, Navy ships copied these fleet broadcasts and used specialized call sign
encryption devices to figure out which messages were intended for them. The messages would then be decoded off line using SIGABA
or KL-7
equipment.
The second generation KW-37
automated monitoring of the fleet broadcast by connecting in line between the radio receiver and a teleprinter
. It, in turn, was replaced by the more compact and reliable third generation KW-46.
s with KOV-17 circuit modules incorporated in new long-wave receivers, based on commercial VME
packaging. In 2004, the U.S. Air Force awarded contracts for the initial system development and demonstration (SDD) phase of a program to update these legacy generation systems used on aircraft.
many signals into wideband data streams that are transmitted over optical fiber
, coaxial cable
, microwave
relay, and communication satellites. These wide-band circuits require very fast encryption systems.
The WALBURN family (KG-81, KG-94/194, KG-94A/194A, KG-95) of equipment consists of high-speed bulk encryption devices used primarily for microwave trunks, high-speed land-line circuits, video teleconferencing, and T-1
satellite channels. Another example is the KG-189, which support SONET
optical standards up to 2.5 Gb/s.
Digital Data encryptors such as KG-84
family which includes the TSEC/KG-84
, TSEC/KG-84
A and TSEC/KG-82, TSEC/KG-84
A and TSEC/KG-84
C, also the KIV-7
.
technology) was pioneered during World War II with the 50-ton SIGSALY
, used to protect the very highest level communications. It did not become practical for widespread use until reasonable compact speech encoder
s became possible in the 1970s.
The operational complexity of secure voice played a role in the September 11, 2001 attacks
on the United States. According to the 911 Commission, an effective U.S. response was hindered by an inability to set up a secure phone link between the National Military Command Center and the Federal Aviation Administration
personnel who were dealing with the hijackings. See Communication during the September 11, 2001 attacks
.
communications. These have been used to secure the Secret Internet Protocol Router Network (SIPRNet
), among other uses.
.
National Security Agency
The National Security Agency/Central Security Service is a cryptologic intelligence agency of the United States Department of Defense responsible for the collection and analysis of foreign communications and foreign signals intelligence, as well as protecting U.S...
took over responsibility for all U.S. Government encryption
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
systems when it was formed in 1952. The technical details of most NSA-approved systems are still classified
Classified information in the United States
The United States government classification system is currently established under Executive Order 13526, the latest in a long series of executive orders on the topic. Issued by President Barack Obama in 2009, Executive Order 13526 replaced earlier executive orders on the topic and modified the...
, but much more about its early systems has become known and its most modern systems share at least some features with commercial products.
Rotor machine
Rotor machine
In cryptography, a rotor machine is an electro-mechanical device used for encrypting and decrypting secret messages. Rotor machines were the cryptographic state-of-the-art for a prominent period of history; they were in widespread use in the 1920s–1970s...
s from the 1940s and 1950s were mechanical marvels. The first generation electronic systems were quirky devices with cantankerous punched card
Punched card
A punched card, punch card, IBM card, or Hollerith card is a piece of stiff paper that contains digital information represented by the presence or absence of holes in predefined positions...
readers for loading keys
Key (cryptography)
In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa...
and failure-prone, tricky-to-maintain vacuum tube
Vacuum tube
In electronics, a vacuum tube, electron tube , or thermionic valve , reduced to simply "tube" or "valve" in everyday parlance, is a device that relies on the flow of electric current through a vacuum...
circuitry. Late 20th century systems are just black boxes, often literally. In fact they are called blackers in NSA parlance because they convert classified signals (red) into unclassified signals (black). They typically have electrical connector
Electrical connector
An electrical connector is an electro-mechanical device for joining electrical circuits as an interface using a mechanical assembly. The connection may be temporary, as for portable equipment, require a tool for assembly and removal, or serve as a permanent electrical joint between two wires or...
s for the red signals, the black signals, electrical power, and a port for loading keys. Controls can be limited to selecting between key fill
Fill device
A fill device is an electronic module used to load cryptographic keys into electronic encryption machines. Fill devices are usually hand held and battery operated....
, normal operation and diagnostic modes and an all important zeroize
Zeroisation
In cryptography, zeroisation is the practice of erasing sensitive parameters from a cryptographic module to prevent their disclosure if the equipment is captured. This is generally accomplished by altering or deleting the contents to prevent recovery of the data...
button that erases classified information including keys and perhaps the encryption algorithms. 21st century systems often contain all the sensitive cryptographic functions on a single, tamper-resistant integrated circuit that supports multiple algorithms and allows over-the-air or network rekeying, so that a single hand-held field radio
AN/PRC-152
The AN/PRC-152 Multiband Handheld Radio is a portable, compact, tactical software-defined combat-net radio manufactured by Harris Corporation. It is compliant without waivers to the Joint Tactical Radio System Software Communications Architecture...
can interoperate with most current NSA cryptosystems.http://www.rfcomm.harris.com/products/tactical-radio-communications/an-prc-152.pdf
Security factors
NSA has to deal with many factors in ensuring the security of communication and information (COMSEC and INFOSECInformation security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
in NSA jargon):
- ConfidentialityConfidentialityConfidentiality is an ethical principle associated with several professions . In ethics, and in law and alternative forms of legal resolution such as mediation, some types of communication between a person and one of these professionals are "privileged" and may not be discussed or divulged to...
and authenticationAuthenticationAuthentication is the act of confirming the truth of an attribute of a datum or entity...
- making sure messages cannot be read by unauthorized people and that they cannot be forged (nonrepudiation). Little is publicly known about the algorithms NSA has developed for protecting classified informationClassified information in the United StatesThe United States government classification system is currently established under Executive Order 13526, the latest in a long series of executive orders on the topic. Issued by President Barack Obama in 2009, Executive Order 13526 replaced earlier executive orders on the topic and modified the...
, what NSA calls Type 1Type 1 encryptionIn cryptography, a Type 1 product is a device or system certified by the National Security Agency for use in cryptographically securing classified U.S...
algorithms. In 2003, for the first time in its history, NSA approved two published algorithms, SkipjackSkipjack (cipher)In cryptography, Skipjack is a block cipher—an algorithm for encryption—developed by the U.S. National Security Agency . Initially classified, it was originally intended for use in the controversial Clipper chip...
and AESAdvanced Encryption StandardAdvanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
for Type 1 use in NSA approved systems. - Traffic flow security - making sure an adversary cannot obtain information from traffic analysisTraffic analysisTraffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and...
, often accomplished by link encryptionLink encryptionLink encryption is an approach to communications security that encrypts and decrypts all traffic at each end of a communications line . It contrasts with end-to-end encryption where messages are encrypted by the sender at the point of origin and only decrypted by the intended receiver...
. - Key managementKey managementKey management is the provisions made in a cryptography system design that are related to generation, exchange, storage, safeguarding, use, vetting, and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.Key management concerns...
- getting keys securely to thousands of crypto boxes in the field, perhaps the most challenging part of any encryption system. One NSA goal is benign fill (technology for distributing keys in a way that the humans never have access to plaintext key). - Investigative access - making sure encrypted communications are accessible to the U.S. Government. While few would argue with the need for the government to access its own internal communications, the NSA Clipper chipClipper chipThe Clipper chip was a chipset that was developed and promoted by the U.S. National Security Agency as an encryption device to be adopted by telecommunications companies for voice transmission...
proposal to extend this key escrowKey escrowKey escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys...
requirement to public use of cryptography was highly controversial. - TEMPESTTEMPESTTEMPEST is a codename referring to investigations and studies of compromising emission . Compromising emanations are defined as unintentional intelligence-bearing signals which, if intercepted and analyzed, may disclose the information transmitted, received, handled, or otherwise processed by any...
- protecting plaintextPlaintextIn cryptography, plaintext is information a sender wishes to transmit to a receiver. Cleartext is often used as a synonym. Before the computer era, plaintext most commonly meant message text in the language of the communicating parties....
from compromise by electronic, acoustic or other emanations. - Tamper resistanceTamper resistanceTamper resistance is resistance to tampering by either the normal users of a product, package, or system or others with physical access to it. There are many reasons for employing tamper resistance....
, tamper-evidentTamper-evidentTamper-evident describes a device or process that makes unauthorized access to the protected object easily detected. Seals, markings or other techniques may be tamper indicating.-Tampering:...
, self-destructSelf-destructA self-destruct is a mechanism which causes a device to destroy itself under a predefined set of circumstances.Self-destruct mechanisms are also found on devices and systems where malfunction could endanger large numbers of people...
- ensuring security even if encryption systems are physically accessed without authorization or are captured. - Meeting military specifications for size, weight, power consumption, MTBF and ruggedness to fit in mobile platforms.
- Electromagnetic pulseElectromagnetic pulseAn electromagnetic pulse is a burst of electromagnetic radiation. The abrupt pulse of electromagnetic radiation usually results from certain types of high energy explosions, especially a nuclear explosion, or from a suddenly fluctuating magnetic field...
hardening - protecting against nuclear explosionNuclear explosionA nuclear explosion occurs as a result of the rapid release of energy from an intentionally high-speed nuclear reaction. The driving reaction may be nuclear fission, nuclear fusion or a multistage cascading combination of the two, though to date all fusion based weapons have used a fission device...
effects, particularly electromagnetic pulseElectromagnetic pulseAn electromagnetic pulse is a burst of electromagnetic radiation. The abrupt pulse of electromagnetic radiation usually results from certain types of high energy explosions, especially a nuclear explosion, or from a suddenly fluctuating magnetic field...
. - Ensuring compatibility with military and commercial communication standards.
- Controlling cost - making sure encryption is affordable so units that need it have it. There are many costs beyond the initial purchase price, including the manpower to operate and maintain the systems and to ensure their security and the cost of key distribution.
- Enabling secure communication with NATO, allied and coalition forces without compromising secret methods.
Five generations of NSA encryption
The large number of encryption systems that NSA has developed in its half century of operation can be grouped into five generations (decades given are very approximate):First generation: electromechanical
First generation NSA systems were introduced in the 1950s and were built on the legacy of NSA's World War IIWorld War II
World War II, or the Second World War , was a global conflict lasting from 1939 to 1945, involving most of the world's nations—including all of the great powers—eventually forming two opposing military alliances: the Allies and the Axis...
predecessors and used rotor machines derived from the SIGABA
SIGABA
In the history of cryptography, the ECM Mark II was a cipher machine used by the United States for message encryption from World War II until the 1950s...
design for most high level encryption; for example, the KL-7
KL-7
The TSEC/KL-7, code named ADONIS and POLLUX, was an off-line non-reciprocal rotor encryption machine. The KL-7 had eight rotors to encrypt the text, seven of which moved in a complex pattern, controlled by notched rings. The non-moving rotor was in fourth from the left of the stack. The encrypted...
. Key distribution involved distribution of paper key lists that described the rotor arrangements, to be changed each day (the cryptoperiod
Cryptoperiod
A cryptoperiod is the time span during which a specific cryptographic key is authorized for use. Common government guidelines range from 1 to 3 years for asymmetric cryptography, and 1 day to 7 days for symmetric cipher traffic keys....
) at midnight, GMT. The highest level traffic was sent using one-time tape systems, including the British 5-UCO
5-UCO
The 5-UCO was an on-line one-time tape Vernam cipher encryption system developed by the UK during World War II for use on teleprinter circuits. During the 1950s, it was used by the UK and US for liaison on cryptanalysis....
, that required vast amounts of paper tape keying material.
Second generation: vacuum tubes
Second generation systems (1970s) were all electronic designs based on vacuum tubeVacuum tube
In electronics, a vacuum tube, electron tube , or thermionic valve , reduced to simply "tube" or "valve" in everyday parlance, is a device that relies on the flow of electric current through a vacuum...
s and transformer logic. Algorithms appear to be based on linear feedback shift register
Linear feedback shift register
A linear feedback shift register is a shift register whose input bit is a linear function of its previous state.The most commonly used linear function of single bits is XOR...
s, perhaps with some non-linear elements thrown in to make them more difficult to cryptanalyze. Keys were loaded by placing a punched card
Punched card
A punched card, punch card, IBM card, or Hollerith card is a piece of stiff paper that contains digital information represented by the presence or absence of holes in predefined positions...
in a locked reader on the front panel. The cryptoperiod was still usually one day. These systems were introduced in the late 1960s and stayed in use until the mid-1980s. They required a great deal of care and maintenance, but were not vulnerable to EMP. The discovery of the Walker spy ring provided an impetus for their retirement, along with remaining first generation systems.
Third generation: integrated circuits
Third generation systems (1980s) were transistorized and based on integrated circuitIntegrated circuit
An integrated circuit or monolithic integrated circuit is an electronic circuit manufactured by the patterned diffusion of trace elements into the surface of a thin substrate of semiconductor material...
s and likely used stronger algorithms. They were smaller and more reliable. Field maintenance was often limited to running a diagnostic mode and replacing a complete bad unit with a spare, the defective box being sent to a depot for repair. Keys were loaded through a connector on the front panel. NSA adopted the same type of connector that the military used for field radio handsets as its fill connector. Keys were initially distributed as strips of punched paper tape
Punched tape
Punched tape or paper tape is an obsolete form of data storage, consisting of a long strip of paper in which holes are punched to store data...
that could be pulled through a hand held reader (KOI-18
KOI-18
The KOI-18 is a hand-held paper tape reader developed by the U.S. National Security Agency as a fill device for loading cryptographic keys, or "crypto variables," into security devices, such as encryption systems. It can read 8-level paper or PET tape, which is manually pulled through the reader...
) connected to the fill port. Other, portable electronic fill device
Fill device
A fill device is an electronic module used to load cryptographic keys into electronic encryption machines. Fill devices are usually hand held and battery operated....
s (KYK-13
KYK-13
The KYK-13 Electronic Transfer Device is a common fill device designed by the United States National Security Agency for the transfer and loading of cryptographic keys with their corresponding check word....
, etc.) were available as well.
Fourth generation: electronic key distribution
Fourth generation systems (1990s) use more commercial packaging and electronic key distribution. Integrated circuit technology allowed backward compatibility with third generation systems. Security tokenSecurity token
A security token may be a physical device that an authorized user of computer services is given to ease authentication...
s, such as the KSD-64
KSD-64
The KSD-64[A] Crypto Ignition Key is an NSA-developed EEPROM chip packed in a plastic case that looks like a toy key. The model number is due to its storage capacity — 64 kB , enough to store multiple encryption keys...
crypto ignition key (CIK) were introduced. Secret splitting technology allows encryptors and CIKs to be treated as unclassified when they were separated. Later the Fortezza
Fortezza
Fortezza is an information security system based on a PC Card security token. Each individual who is authorized to see protected information is issued a Fortezza card that stores private keys and other data needed to gain access...
card, originally introduced as part of the controversial Clipper chip
Clipper chip
The Clipper chip was a chipset that was developed and promoted by the U.S. National Security Agency as an encryption device to be adopted by telecommunications companies for voice transmission...
proposal, were employed as tokens. Cryptoperiods were much longer, at least as far as the user was concerned. Users of secure telephones like the STU-III
STU-III
STU-III is a family of secure telephones introduced in 1987 by the NSA for use by the United States government, its contractors, and its allies. STU-III desk units look much like typical office telephones, plug into a standard telephone wall jack and can make calls to any ordinary phone user...
only have to call a special phone number once a year to have their encryption updated. Public key methods (FIREFLY
Firefly
Lampyridae is a family of insects in the beetle order Coleoptera. They are winged beetles, and commonly called fireflies or lightning bugs for their conspicuous crepuscular use of bioluminescence to attract mates or prey. Fireflies produce a "cold light", with no infrared or ultraviolet frequencies...
) were introduced for electronic key management (EKMS
EKMS
The Electronic Key Management System system is a United States National Security Agency led program responsible for Communications Security key management, accounting and distribution...
). Keys can now be generated by individual commands instead of coming from NSA by courier. A common handheld fill device (the AN/CYZ-10
AN/CYZ-10
The AN/CYZ-10 Data Transfer Device, often called a Filler, Crazy 10, ANCD or DTD, is a United States National Security Agency-developed, portable, hand-held fill device, for securely receiving, storing, and transferring data between compatible cryptographic and communications equipment...
) was introduced to replace the plethora of devices used to load keys on the many third generation systems that were still widely used. Encryption support was provided for commercial standards such as Ethernet
Ethernet
Ethernet is a family of computer networking technologies for local area networks commercially introduced in 1980. Standardized in IEEE 802.3, Ethernet has largely replaced competing wired LAN technologies....
, IP
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
(originally developed by DOD's
United States Department of Defense
The United States Department of Defense is the U.S...
ARPA), and optical fiber multiplexing. Classified networks, such as SIPRNet
SIPRNet
The Secret Internet Protocol Router Network is "a system of interconnected computer networks used by the United States Department of Defense and the U.S. Department of State to transmit classified information by packet switching over the TCP/IP protocols in a 'completely secure' environment"...
(Secret Internet Protocol Router Network) and JWICS (Joint Worldwide Intelligence Communications System), were built using commercial Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
technology with secure communications links between "enclaves" where classified data was processed. Care had to be taken to ensure that there were no insecure connections between the classified networks and the public Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
.
Fifth generation: network-centric systems
In the twenty-first century, communication is increasingly based on computer networking. Encryption is just one aspect of protecting sensitive information on such systems, and far from the most challenging aspect. NSA's role will increasingly be to provide guidance to commercial firms designing systems for government use. HAIPE solutions are examples of this type of product (e.g., KG-245A and KG-250 ). Other agencies, particularly NIST, have taken on the role of supporting security for commercial and sensitive but unclassified applications. NSA's certification of the unclassified NIST-selected AESAdvanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
algorithm for classified use "in NSA approved systems" suggests that, in the future, NSA may use more non-classified algorithms. The KG-245A and KG-250 use both classified and unclassified algorithms. The NSA Information Assurance Directorate is leading the Department of Defense Cryptographic Modernization Program
Cryptographic Modernization Program
The Cryptographic Modernization Program is a Department of Defense directed, NSA Information Assurance Directorate led effort to transform and modernize Information Assurance capabilities for the 21st century...
, an effort to transform and modernize Information Assurance capabilities for the 21st century. It has three phases:
- Replacement- All at risk devices to be replaced.
- Modernization- Integrate modular programmable/embedded crypto solutions.
- Transformation- Be compliant to Global Information Grid/NetCentric requirements.
NSA has helped develop several major standards for secure communication: the Future Narrow Band Digital Terminal (FNBDT) for voice communications, High Assurance Internet Protocol Interoperability Encryption- Interoperability Specification (HAIPE
HAIPE
A HAIPE is a Type 1 encryption device that complies with the National Security Agency's HAIPE IS . The cryptography used is Suite A and Suite B, also specified by the NSA as part of the Cryptographic Modernization Program...
) for computer networking and Suite B encryption algorithms.
NSA encryption by type of application
The large number of encryption systems that NSA has developed can be grouped by application:Record traffic encryption
During World War IIWorld War II
World War II, or the Second World War , was a global conflict lasting from 1939 to 1945, involving most of the world's nations—including all of the great powers—eventually forming two opposing military alliances: the Allies and the Axis...
, written messages (known as record traffic) were encrypted off line on special, and highly secret, rotor machine
Rotor machine
In cryptography, a rotor machine is an electro-mechanical device used for encrypting and decrypting secret messages. Rotor machines were the cryptographic state-of-the-art for a prominent period of history; they were in widespread use in the 1920s–1970s...
s and then transmitted in five letter code groups using Morse code
Morse code
Morse code is a method of transmitting textual information as a series of on-off tones, lights, or clicks that can be directly understood by a skilled listener or observer without special equipment...
or teletypewriter
Teletype Corporation
The Teletype Corporation, a part of American Telephone and Telegraph Company's Western Electric manufacturing arm since 1930, came into being in 1928 when the Morkrum-Kleinschmidt Company changed its name to the name of its trademark equipment...
circuits, to be decrypted off-line by similar machines at the other end. The SIGABA
SIGABA
In the history of cryptography, the ECM Mark II was a cipher machine used by the United States for message encryption from World War II until the 1950s...
rotor machine, developed during this era continued to be used until the mid-1950s, when it was replaced by the KL-7
KL-7
The TSEC/KL-7, code named ADONIS and POLLUX, was an off-line non-reciprocal rotor encryption machine. The KL-7 had eight rotors to encrypt the text, seven of which moved in a complex pattern, controlled by notched rings. The non-moving rotor was in fourth from the left of the stack. The encrypted...
, which had more rotors.
The KW-26
KW-26
The TSEC/KW-26, code named ROMULUS, was an encryption system used by the U.S. Government and, later, by NATO countries. It was developed in the 1950s by the National Security Agency to secure fixed teleprinter circuits that operated 24 hours a day...
ROMULUS was a second generation encryption system in wide use that could be inserted into teletypewriter circuits so traffic was encrypted and decrypted automatically. It used electronic shift registers
Linear feedback shift register
A linear feedback shift register is a shift register whose input bit is a linear function of its previous state.The most commonly used linear function of single bits is XOR...
instead of rotors and became very popular (for a COMSEC device of its era), with over 14,000 units produced. It was replaced in the 1980s by the more compact KG-84
KG-84
The KG-84A and KG-84C are encryption devices developed by the U.S. National Security Agency to ensure secure transmission of digital data. The KG-84C is a Dedicated Loop Encryption Device , and both devices are General-Purpose Telegraph Encryption Equipment...
, which in turn was superseded by the KG-84-interoperable KIV-7
KIV-7
The KIV-7 is a National Security Agency Type-1, single-channel encryptor originally designed in the mid 1990s by AlliedSignal Corporation to meet the demand for secure data communications from personal computers , workstations, and FAXs...
.
Fleet broadcast
U.S. Navy ships traditionally avoid using their radios to prevent adversaries from locating them by direction findingDirection finding
Direction finding refers to the establishment of the direction from which a received signal was transmitted. This can refer to radio or other forms of wireless communication...
. The Navy also needs to maintain traffic security, so it has radio stations constantly broadcasting a stream of coded messages. During and after World War II, Navy ships copied these fleet broadcasts and used specialized call sign
Call sign
In broadcasting and radio communications, a call sign is a unique designation for a transmitting station. In North America they are used as names for broadcasting stations...
encryption devices to figure out which messages were intended for them. The messages would then be decoded off line using SIGABA
SIGABA
In the history of cryptography, the ECM Mark II was a cipher machine used by the United States for message encryption from World War II until the 1950s...
or KL-7
KL-7
The TSEC/KL-7, code named ADONIS and POLLUX, was an off-line non-reciprocal rotor encryption machine. The KL-7 had eight rotors to encrypt the text, seven of which moved in a complex pattern, controlled by notched rings. The non-moving rotor was in fourth from the left of the stack. The encrypted...
equipment.
The second generation KW-37
KW-37
The KW-37, code named JASON, was an encryption system developed In the 1950s by the U.S. National Security Agency to protect fleet broadcasts of the U.S. Navy. Naval doctrine calls for warships at sea to maintain radio silence to the maximum extent possible to prevent ships from being located by...
automated monitoring of the fleet broadcast by connecting in line between the radio receiver and a teleprinter
Teleprinter
A teleprinter is a electromechanical typewriter that can be used to communicate typed messages from point to point and point to multipoint over a variety of communication channels that range from a simple electrical connection, such as a pair of wires, to the use of radio and microwave as the...
. It, in turn, was replaced by the more compact and reliable third generation KW-46.
Strategic forces
NSA has no graver responsibility than protecting the command and control systems for nuclear forces. The KG-3X series is used in the U.S. government's Minimum Essential Emergency Communications Network and the Fixed Submarine Broadcast System used for transmission of emergency action messages for nuclear and national command and control of U.S. strategic forces. The Navy is replacing the KG-38 used in nuclear submarineNuclear submarine
A nuclear submarine is a submarine powered by a nuclear reactor . The performance advantages of nuclear submarines over "conventional" submarines are considerable: nuclear propulsion, being completely independent of air, frees the submarine from the need to surface frequently, as is necessary for...
s with KOV-17 circuit modules incorporated in new long-wave receivers, based on commercial VME
VMEbus
VMEbus is a computer bus standard, originally developed for the Motorola 68000 line of CPUs, but later widely used for many applications and standardized by the IEC as ANSI/IEEE 1014-1987. It is physically based on Eurocard sizes, mechanicals and connectors , but uses its own signalling system,...
packaging. In 2004, the U.S. Air Force awarded contracts for the initial system development and demonstration (SDD) phase of a program to update these legacy generation systems used on aircraft.
Trunk encryption
Modern communication systems multiplexMultiplexing
The multiplexed signal is transmitted over a communication channel, which may be a physical transmission medium. The multiplexing divides the capacity of the low-level communication channel into several higher-level logical channels, one for each message signal or data stream to be transferred...
many signals into wideband data streams that are transmitted over optical fiber
Optical fiber
An optical fiber is a flexible, transparent fiber made of a pure glass not much wider than a human hair. It functions as a waveguide, or "light pipe", to transmit light between the two ends of the fiber. The field of applied science and engineering concerned with the design and application of...
, coaxial cable
Coaxial cable
Coaxial cable, or coax, has an inner conductor surrounded by a flexible, tubular insulating layer, surrounded by a tubular conducting shield. The term coaxial comes from the inner conductor and the outer shield sharing the same geometric axis...
, microwave
Microwave
Microwaves, a subset of radio waves, have wavelengths ranging from as long as one meter to as short as one millimeter, or equivalently, with frequencies between 300 MHz and 300 GHz. This broad definition includes both UHF and EHF , and various sources use different boundaries...
relay, and communication satellites. These wide-band circuits require very fast encryption systems.
The WALBURN family (KG-81, KG-94/194, KG-94A/194A, KG-95) of equipment consists of high-speed bulk encryption devices used primarily for microwave trunks, high-speed land-line circuits, video teleconferencing, and T-1
Digital Signal 1
Digital signal 1 is a T-carrier signaling scheme devised by Bell Labs. DS1 is a widely used standard in telecommunications in North America and Japan to transmit voice and data between devices. E1 is used in place of T1 outside North America, Japan, and South Korea...
satellite channels. Another example is the KG-189, which support SONET
Sonet
Sonet may refer to:* Sonet Records, European record label* Synchronous optical networking * Saab Sonett...
optical standards up to 2.5 Gb/s.
Digital Data encryptors such as KG-84
KG-84
The KG-84A and KG-84C are encryption devices developed by the U.S. National Security Agency to ensure secure transmission of digital data. The KG-84C is a Dedicated Loop Encryption Device , and both devices are General-Purpose Telegraph Encryption Equipment...
family which includes the TSEC/KG-84
KG-84
The KG-84A and KG-84C are encryption devices developed by the U.S. National Security Agency to ensure secure transmission of digital data. The KG-84C is a Dedicated Loop Encryption Device , and both devices are General-Purpose Telegraph Encryption Equipment...
, TSEC/KG-84
KG-84
The KG-84A and KG-84C are encryption devices developed by the U.S. National Security Agency to ensure secure transmission of digital data. The KG-84C is a Dedicated Loop Encryption Device , and both devices are General-Purpose Telegraph Encryption Equipment...
A and TSEC/KG-82, TSEC/KG-84
KG-84
The KG-84A and KG-84C are encryption devices developed by the U.S. National Security Agency to ensure secure transmission of digital data. The KG-84C is a Dedicated Loop Encryption Device , and both devices are General-Purpose Telegraph Encryption Equipment...
A and TSEC/KG-84
KG-84
The KG-84A and KG-84C are encryption devices developed by the U.S. National Security Agency to ensure secure transmission of digital data. The KG-84C is a Dedicated Loop Encryption Device , and both devices are General-Purpose Telegraph Encryption Equipment...
C, also the KIV-7
KIV-7
The KIV-7 is a National Security Agency Type-1, single-channel encryptor originally designed in the mid 1990s by AlliedSignal Corporation to meet the demand for secure data communications from personal computers , workstations, and FAXs...
.
Voice encryption
True voice encryption (as opposed to less secure scramblerScrambler
In telecommunications, a scrambler is a device that transposes or inverts signals or otherwise encodes a message at the transmitter to make the message unintelligible at a receiver not equipped with an appropriately set descrambling device...
technology) was pioneered during World War II with the 50-ton SIGSALY
SIGSALY
In cryptography, SIGSALY was a secure speech system used in World War II for the highest-level Allied communications....
, used to protect the very highest level communications. It did not become practical for widespread use until reasonable compact speech encoder
Speech encoding
Speech coding is the application of data compression of digital audio signals containing speech. Speech coding uses speech-specific parameter estimation using audio signal processing techniques to model the speech signal, combined with generic data compression algorithms to represent the resulting...
s became possible in the 1970s.
- STU I and STU II - These systems were expensive and cumbersome and were generally limited to the highest levels of command
- STU-IIISTU-IIISTU-III is a family of secure telephones introduced in 1987 by the NSA for use by the United States government, its contractors, and its allies. STU-III desk units look much like typical office telephones, plug into a standard telephone wall jack and can make calls to any ordinary phone user...
- These telephone sets operated over ordinary telephone lines and featured the use of security tokens and public key cryptography, making them much more user friendly. They were very popular as a result. Used since the 1980s, this device is rapidly being phased out, and will no longer be supported in the near future. - 1910 Terminal - Made by a multiple of manufacturers, this device is mostly used as a secure modem. Like the STU-III, new technology has largely eclipsed this device, and it is no longer widely used.
- Secure Terminal EquipmentSecure Terminal EquipmentSecure Terminal Equipment is the U.S. Government's current , encrypted telephone communications system for wired or "landline" communications. STE is designed to use ISDN telephone lines which offer higher speeds of up to 128k bits per second and are all digital...
(STE) - This system is intended to replace STU-III. It uses wide-bandwidth voice transmitted over ISDNIntegrated Services Digital NetworkIntegrated Services Digital Network is a set of communications standards for simultaneous digital transmission of voice, video, data, and other network services over the traditional circuits of the public switched telephone network...
lines. It can communicate with STU-III phones and can be upgraded for FNBDT compatibility. - Sectéra Secure ModuleSectéra Secure ModuleSectéra is a family of secure voice and data communications products made by General Dynamics C4 Systems which are approved by the United States National Security Agency...
- A module that connects to the back of a commercial off the shelf cellular phone. It uses AES or SCIP for encryption. - OMNIOMNI (SCIP)The OMNI adds Type 1 secure voice and secure data to any standard analog telephone or modem connected computer. SCIP signalling allows interoperability with other SCIP devices such as the Secure Terminal Equipment phone...
- The OMNI terminal, made by L3 Communications, is another replacement for STU-IIIs. This device uses the FNBDT key and is used to securely send voice and data over the PSTN and ISDN communication systems. - Secure Iridium - The US Government got a real bargain when it rescued the bankrupt Iridium commercial mobile phone venture. NSA helped add encryption to the Iridium phones.
- KY-57KY-57The Speech Security Equipment , TSEC/KY-57, is a portable, tactical cryptographic device in the VINSON family, designed to provide voice encryption for a range of military communication devices such as radio or telephone....
(VINSON) - One of a series of systems for tactical voice encryption - HAVE QUICKHAVE QUICKHAVE QUICK is a frequency-hopping system used to protect military UHF radio traffic.Since the end of World War II, U.S. and Allied military aircraft have used AM radios in the 225–400 MHz UHF band for short range air-to-air and ground-to-air communications...
and SINCGARSSINCGARSSINCGARS is a Combat Net Radio currently used by U.S. and allied military forces. The radios, which handle voice and data communications, are designed to be reliable, secure and easily maintained...
use NSA-supplied sequence generators to provide secure frequency hopping - Future Narrowband Digital Terminal (FNBDT) - Now referred to as the "Secure Communications Interoperability Protocol" (SCIP), the FNBDT is a replacement for the wide-band STE, which uses narrow-bandwidth communications channels like cellular telephone circuits, rather than ISDN lines. The FNBDT/SCIP operates on the application layer of the ISO/OSI Reference ModelOSI modelThe Open Systems Interconnection model is a product of the Open Systems Interconnection effort at the International Organization for Standardization. It is a prescription of characterizing and standardizing the functions of a communications system in terms of abstraction layers. Similar...
, meaning that it can be used on top of different types of connections, regardless of the establishment method. It negotiates with the unit at the other end, much like a dial-up modemModemA modem is a device that modulates an analog carrier signal to encode digital information, and also demodulates such a carrier signal to decode the transmitted information. The goal is to produce a signal that can be transmitted easily and decoded to reproduce the original digital data...
.
The operational complexity of secure voice played a role in the September 11, 2001 attacks
September 11, 2001 attacks
The September 11 attacks The September 11 attacks The September 11 attacks (also referred to as September 11, September 11th or 9/119/11 is pronounced "nine eleven". The slash is not part of the pronunciation...
on the United States. According to the 911 Commission, an effective U.S. response was hindered by an inability to set up a secure phone link between the National Military Command Center and the Federal Aviation Administration
Federal Aviation Administration
The Federal Aviation Administration is the national aviation authority of the United States. An agency of the United States Department of Transportation, it has authority to regulate and oversee all aspects of civil aviation in the U.S...
personnel who were dealing with the hijackings. See Communication during the September 11, 2001 attacks
Communication during the September 11, 2001 attacks
Communication problems and successes played an important role in the September 11, 2001 attacks and their aftermath.-Attackers:The organizers of the September 11, 2001 attacks apparently planned and coordinated their mission in face to face meetings and used little or no electronic communication...
.
Internet
NSA has approved a variety of devices for securing Internet ProtocolInternet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
communications. These have been used to secure the Secret Internet Protocol Router Network (SIPRNet
SIPRNet
The Secret Internet Protocol Router Network is "a system of interconnected computer networks used by the United States Department of Defense and the U.S. Department of State to transmit classified information by packet switching over the TCP/IP protocols in a 'completely secure' environment"...
), among other uses.
Field authentication
NSA still supports simple paper encryption and authentication systems for field use such as DRYADDRYAD
The DRYAD Numeral Cipher/Authentication System is a simple, paper cryptographic system currently in use by the U.S. military for authentication and for encryption of short, numerical messages. Every unit with a radio is given a set of DRYAD code sheets. A single sheet is valid for a limited time...
.
Public systems
NSA has participated in the development of several encryption systems for public use. These include:- Suite B - a set of public key algorithm standards based on elliptic curve cryptographyElliptic curve cryptographyElliptic curve cryptography is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S...
. - Advanced Encryption StandardAdvanced Encryption StandardAdvanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
(AES) - an encryption algorithm, selected by NIST after a public competition. In 2003, NSA certified AES for Type 1Type 1 encryptionIn cryptography, a Type 1 product is a device or system certified by the National Security Agency for use in cryptographically securing classified U.S...
use in some NSA-approved systems. - Secure Hash AlgorithmSecure Hash AlgorithmThe Secure Hash Algorithm is one of a number of cryptographic hash functions published by the National Institute of Standards and Technology as a U.S. Federal Information Processing Standard :...
- a widely-used family of hash algorithmCryptographic hash functionA cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the hash value, such that an accidental or intentional change to the data will change the hash value...
s developed by NSA based on earlier designs by Ron RivestRon RivestRonald Linn Rivest is a cryptographer. He is the Andrew and Erna Viterbi Professor of Computer Science at MIT's Department of Electrical Engineering and Computer Science and a member of MIT's Computer Science and Artificial Intelligence Laboratory...
. - Digital Signature AlgorithmDigital Signature AlgorithmThe Digital Signature Algorithm is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology in August 1991 for use in their Digital Signature Standard , specified in FIPS 186, adopted in 1993. A minor...
- Data Encryption StandardData Encryption StandardThe Data Encryption Standard is a block cipher that uses shared secret encryption. It was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is...
(DES) - SkipjackSkipjack (cipher)In cryptography, Skipjack is a block cipher—an algorithm for encryption—developed by the U.S. National Security Agency . Initially classified, it was originally intended for use in the controversial Clipper chip...
- the cipher developed for Clipper and finally published in 1998. - Clipper chipClipper chipThe Clipper chip was a chipset that was developed and promoted by the U.S. National Security Agency as an encryption device to be adopted by telecommunications companies for voice transmission...
- a controversial failure that convinced NSA that it was advisable to stay out of the public arena. - Security-Enhanced LinuxSecurity-Enhanced LinuxSecurity-Enhanced Linux is a Linux feature that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux Security Modules in the Linux kernel...
- not strictly an encryption system, but a recognition that in the 21st century, operating systemOperating systemAn operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
improvements are more vital to information security than better cipherCipherIn cryptography, a cipher is an algorithm for performing encryption or decryption — a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. In non-technical usage, a “cipher” is the same thing as a “code”; however, the concepts...
s.