Spy radio
Burst encoders
• • • Donate • • •
   Click for homepage
Fortezza Crypto Card
NSA-approved PCMCIA card

Fortezza is a Hardware Security Module (HSM) that is implemented as a PCMCIA card. It was used as a plug-in unit for a variety of devices, such as the NSA's Secure Terminal Equipment (STE) and various PC applications. The primary application was for digital signatures and confidentiality in the US Defense Message System (DMS), the primary mail system of the US Department of Defense.

The initial Fortezza card contains the Capstone MYK-80 chip, an NSA-approved cryptographic processor that uses the Skipjack algorithm. It was developed for US Government's ill-fated Clipper Chip project and has been used in a variety of applications. The card is also known as KOV-8 and is classified as a Type 2 product, making it unsuitable for classified information.

The image on the right shows the FORTEZZA-II (Plus) card, which uses the later Mykotronx MYK-82 crypto processor. The version shown here was built by Spyrus (USA) around 1997.

The KOV-8 was followed by the KOV-12, which is a true Type 1 product that was cleared for use by the US Government up to the level of Top Secret. It was used extensively for the Defense Messaging System (DMS), the primary mail system used by the US Department of Defense (DoD). In 2012, the price of a single Fortezza Crypto Card was approx. $240.

The Fortezza Card was introduced in 1993 [2] and was manufactured by Mykotronx and Spyrus [1]. After various improved versions, such as the Fortezza Plus, it was discontinued in 2007 [3]. It has since been succeeded by the KSV-21, which is backwards compatible with the Fortezza cards and offers enhanced security. The KSV-21 is manufactured by SafeNet (formerly: Mykotronx).

FORTEZZA-II Crypto Card (PCMCIA) FORTEZZA-II Crypto Card FORTEZZA-II Crypto Card, rear side. FORTEZZA-II Crypto Card with storage wallet The Fortezza Crypto Card stored in a protective black pouch STE phone with Fortezza Crypto Card half-way in Inserting the Fortezza Crypto Card in the STE

Personal Identification Number
The Fortezza card does not contain complete cryptographic algorithms. Instead, it should be seen as a toolbox that contains the necessary building blocks for cryptographic algoritms. When a card is ordered from the manufacturer, it is programmed in a accordance with the security clearence level of the buyer. The crypto card contains an on-board real time clock (RTC) which is powered by an internal battery in order to prevent date-spoofing. The battery lasts approx. 7 years after which the card needs to be replaced. In practice, the battery might last even longer.

Each card comes with its own unique Personal Identification Number (PIN), that needs to be entered by the user before the card can be used. The PIN can not be retrieved from the card as it is not stored on it. Entering a wrong PIN consecutively 9 times, disables the card permanently.

Fortezza Plus
A later version of the card was called Fortezza Plus or KOV-14. It is based on a Krypton MYK-82 microprocessor that contains building blocks for stronger Type 1 encryption algorithms such as the secret BATON. Like the KOV-12 it is suitable for classified information up to Top Secret. It is also known as FORTEZZA-II. The MYK-82 crypto chip contains an ARM7-TDMI RISC processor-core licenced by ARM Ltd (UK). It was developed by Mykotronx (USA) and manufactured by VLSI.

Fortezza Plus (KOV-14) was also used with the NSA's Secure Terminal Equipment (STE) for voice and data transmission. STE is the successor to the STU-III secure telephone. The Fortezza Plus card is inserted into a PCMCIA slot at the front of the phone and should be activated with a PIN.

The image on the right shows the crypto card half-way inserted into the PCMCIA slot at the front of the terminal. The card shown here was manufactured by Spyrus, the 2nd manufacturer of the cards. Spyrus discontinued its range of Fortezza products in 2007.
STE phone with Fortezza Crypto Card. Click the image for more information.

The Fortezza Plus card is now succeeded by the backwards compatible KSV-21 Enhanced Crypto Card, which contains more modern cryptographic algorithms and offers additional capabilities [4]. It is manufactured by SafeNet (formerly known as Mykotronx).

All Fortezza cards were implemented as a PCMCIA card. At the time, this was the most common standard for removable cards in a Personal Computer. Many portable PCs in the 1990s had one or more PCMCIA slots, and desktop computers could easily be equipped with an internal PCMCIA card holder. Because of their small size, PCMCIA cards were also suitable for stand-alone devices, such as crypto phones and other secure data products.

A similar solution was adopted by Crypto AG (Hagelin) in Switzerland. They developed the HCM-2000 Security Module that is used in many of their security products, including the HC-2203 crypto phone that is still available today. Please note that the HC-2000 is in no way compatible with the Fortezza crypto cards. The only similarity is the fact that they are both PCMCIA cards.

Over time, the PCMCIA standard has become less popular and was dropped by most PC vendors in favour of the more versatile and compact USB standard. As a gap-fill solution, PCMCIA card readers for USB were introduced by various manufacturers, such as the one show here.

The image on the right shows the Argus 2600 that was manufactured around 2002 by SSP Litronic. It was approved for use in combination with the Fortezza card and provided an alegant solution for current PCs and laptops without the need to replace the cards and/or the software.

In combination with a personal computer, the Fortezza card was used for high-speed authentication, secure mail, CD-ROM encryption, fax encryption, data encryption, etc. It was supported by a range of operating systems and computers, including DOS, Windows, SCO UNIX, Sun OS, Solaris, HP UX and Macintosh [6].

Spyrus, one of the manufacturers of the Fortezza card, later integrated the functionality of the Fortezza Plus into their LYNKS Series II Hardware Security Modules (HSM), together with a range of other crypto algorithms. They also developed an all-USB version of the Fortezza, which was no larger than the avarage memory stick. It contained all the functionality of the original Fortezza Plus card, whithout the need to add an internal or external PCMCIA interface to the PC. All Spyrus Fortezza products were discontinued in 2007 [3].

Fortezza II/FIPS 140-1 cards were used with:

  • US Defense Message System (DMS)
  • Microsoft Outlook
  • Lotus Notes
FORTEZZA cards were developed by Mykotronx and were manufactured by both Mykotronx and competitor Spyrus. The latter discontinued its FORTEZZA product range in 2007. The cards were implemented as a compact PCMCIA card, which contained only a few chips and a real-time clock.

The image on the right shows the Krypton Crypto Chip (MYK-82). It is an Application Specific Integrated Circuit (ASIC) which contains the cryptographic 'toolbox' plus an ARM processor core [5]. It was developed by Mykotronx and manufactured in 1997 by VLSI.

The main processor is driven by a small 20 MHz crystal that is mounted in a cut-out space of the PCB (right). The small chip to the right of the main processor is a DALLAS 1302 real-time clock. It is driven by a tiny 32 kHz crystal with is mounted to the right of the main 20 MHz crystal.
MYK-82 Krypton Crypto Processor, developed by Mykotronx.

The entire card contains just 5 chips. Apart from te main processor and the RTC, there are two RAM chips, giving a total of 64KB om memory, and a ROM which contains the firmware (software). At the rear of the board is the 3V flat-pack Lithium battery with its 7-year life span. The battery is used to power the Dallas real-time clock and prevents data-spoofing.

Opening the card The opened Fortezza card Front view of the PCB inside the PCMCIA card, showing the 5 chips. Rear view of the PCB, showing the 3V Lithium battery with a life-span of 7 years. MYK-82 Krypton Crypto Processor, developed by Mykotronx. Close-up of the crystals and the RTC Close-up of the RTC Memory

  1. Wikipedia, Fortezza
    Retrieved September 2011.

  2. Spyrus, Continued Support for FORTEZZA HSMs
    Announcement of Fortezza II as part of its 10 years continued support.
    Spyris website, 14 November 2005.

  3. Spyrus, End of Life for SPYRUS FORTEZZA Crypto Cards
    Spyrus announces end-of-life (EOL) support for Fortezza Suite of Services.
    Spyrus website, 2 April 2007.

  4. SafeNet, Enhanced Crypto Card
    SafeNet website, brief description of the Enhanced Crypto Card.

  5. Secons Ltd., ARM-Development.com, ARM Devices
    Overview of processors containing ARM processor cores.
    Secons Ltd. 2006-2007. Retrieved February 2012.

  6. Jane's Military Communications, Fortezza Crypto Card
    Jane's Information Group, 10 August 2009.
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
Crypto Museum. Created: Friday 02 September 2011. Last changed: Saturday, 26 November 2016 - 17:48 CET.
Click for homepage