SAVILLE
NSA Type 1 cryptographic algorithm

SAVILLE is a cryptographic algorithm that is widely used by the US Army and by NATO in high-level encryption devices. It was developed by the NSA, probably in the late 1960s, and is categorized as an NSA Type 1 encryption product. It is mainly used for voice encryption in military equipment, such as the KY-57, KY-68 and KY-99.

The cryptographic keys for devices using SAVILLE were generally transferred with a universal key fill device, such as the KYK-13. The algorithm itself is secret and is often implemented in NSA-developed microchips such as Crypris, Windster and Indictor (SAVILLE I). Below is a technical description that sheds some light on SAVILLE without revealing the actual algorithm itself [4].
The following SAVILLE-based devices are described in detail on this website:
 
Wide-band KY-57, digital KY-68, narrow-band KY-99, Philips SP-40, Philips SP-50

 
The SAVILLE Cryptographic Algorithm  
Contribution by a former cryptographer [4]

The SAVILLE cryptographic algorithm (these were called crypto logics in the old days) is a stream cipher algorithm widely used in cryptographic equipment of NATO and NATO countries. SAVILLE is an NSA development and its origin probably dates back to the end of the 1960s or the beginning of the 1970s, considering the early implementations in devices such as the US VINSON (KY-57) and the UK Lamberton (BID 250).

This note serves to shed some light on the characteristics of this cipher. It should be clear, however, that no secret information is revealed. Rather, information was used from old unclassified documents and websites (many of which are no longer available on the web today).
 
Stream Cipher
SAVILLE is a stream cipher. More precisely, it is a bit-stream cipher and not a block cipher in some stream cipher mode, like OFB or CFB. SAVILLE has two modes of use:
 
  1. Autonomous mode
    One mode is the autonomous mode, denoted by KAK (Key Auto Key, comparable to OFB), where it behaves as an autonomous finite state machine generating a pseudo-random key stream.

  2. Autoclave mode
    A second mode is the autoclave mode, denoted by CTAK (Cipher Text Auto Key, comparable to CFB), in which there is a dependency on the cipher text.

As with most OFB (KAK) stream ciphers, SAVILLE lacks a driving function that guarantees a large minimum period of the key stream; hence, there is a probability of the cipher being in a short cycle. Means exist, however, to check and prevent this short cycling.
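
As an added illustration (not from the original page, and not SAVILLE, whose logic is secret), the short-cycle risk can be measured on a toy autonomous state machine with Brent's cycle-finding algorithm. The 16-bit state, the SHA-256-based `step()` function, the key and the IVs are all constructed assumptions; the means actually used in SAVILLE equipment are not described here.

```python
# Toy model only: SAVILLE itself is secret. step() is a constructed nonlinear
# state update with no driving function, so nothing guarantees a long period.
import hashlib

BITS = 16                   # deliberately tiny state so cycles can be measured
MASK = (1 << BITS) - 1

def step(key: bytes, state: int) -> int:
    """Autonomous update: shift in one bit that depends on the whole state."""
    data = key + state.to_bytes(BITS // 8, "big")
    bit = hashlib.sha256(data).digest()[0] & 1
    return ((state << 1) | bit) & MASK

def brent(key: bytes, iv: int):
    """Return (tail, period): steps before the cycle is entered, and its length."""
    power = period = 1
    tortoise, hare = iv, step(key, iv)
    while tortoise != hare:                 # phase 1: find the period
        if power == period:
            tortoise, power, period = hare, power * 2, 0
        hare = step(key, hare)
        period += 1
    tortoise = hare = iv
    for _ in range(period):                 # put the hare 'period' steps ahead
        hare = step(key, hare)
    tail = 0
    while tortoise != hare:                 # phase 2: walk both until they meet
        tortoise, hare = step(key, tortoise), step(key, hare)
        tail += 1
    return tail, period

def nth_state(key: bytes, iv: int, n: int) -> int:
    """State reached after n steps from iv (used to check the result)."""
    for _ in range(n):
        iv = step(key, iv)
    return iv

def survey(key=b"constructed-key", ivs=(0x0001, 0x1234, 0xBEEF, 0xFFFF)):
    """Tail and period for a few constructed IVs; compare with 2**BITS states."""
    return {iv: brent(key, iv) for iv in ivs}

if __name__ == "__main__":
    for iv, (tail, period) in survey().items():
        print(f"IV {iv:#06x}: tail {tail}, period {period} of {1 << BITS} states")
```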
 
Structure
SAVILLE is based on a nonlinear finite state machine that has an internal cycle of iterations. This accounts for its low performance in many implementations, for example in Motorola's Advanced Infosec Machine (AIM), where SAVILLE is basically a software implementation running at 3% of the performance of a standard block cipher.

SAVILLE uses a secret key with a length of 120 bits. In those days, key loading devices such as the KYK-13, KOI-18 and KYX-15 were used. From the documentation of these devices, one can conclude that an eight-bit error-detecting code was used to protect keys against bit errors and device malfunctions, and therefore the key length was given as 128 bits.

An Initial Vector (IV) also has to be loaded to achieve cryptographic synchronisation, even though the CTAK mode is self-synchronising; the CTAK mode also gives rise to error extension. The finite state machine can be operated in 4 different configurations, the so-called Rules of Motion, for various cryptographic purposes.
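
The behaviour of the two modes under a transmission error and a wrong IV, as an added example that is not part of the original page and does not implement SAVILLE (the 32-bit register, the SHA-256-based `f()` and all sample values are constructed assumptions). It shows KAK passing a single bit error through unchanged but never recovering from a wrong IV, while CTAK extends the error over one register length and then resynchronises by itself.

```python
# Toy model only: SAVILLE itself is secret. f() is a constructed keyed
# nonlinear function standing in for an unknown crypto logic.
import hashlib

N = 32                      # register length in bits (assumed for the toy)
MASK = (1 << N) - 1

def f(key: bytes, reg: int) -> int:
    """One key-stream bit derived from the key and the register contents."""
    return hashlib.sha256(key + reg.to_bytes(N // 8, "big")).digest()[0] & 1

def run(key, iv, bits, mode, decrypt=False):
    """'KAK' feeds the key stream back; 'CTAK' feeds the cipher text back."""
    reg, out = iv, []
    for b in bits:
        k = f(key, reg)
        o = b ^ k
        if mode == "KAK":
            fb = k                      # autonomous: independent of the data
        else:
            fb = b if decrypt else o    # always the cipher text bit
        out.append(o)
        reg = ((reg << 1) | fb) & MASK
    return out

def errors(a, b):
    """Positions at which two bit lists differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def demo():
    key, iv = b"constructed-key", 0x12345678        # constructed sample values
    plain = [(i * i // 3) & 1 for i in range(200)]  # constructed sample bits
    res = {}
    for mode in ("KAK", "CTAK"):
        ct = run(key, iv, plain, mode)
        hit = ct.copy()
        hit[50] ^= 1                                # one bit error in transit
        res[mode, "bit error"] = errors(plain, run(key, iv, hit, mode, True))
        # receiver starts from the wrong IV (loss of synchronisation)
        res[mode, "wrong IV"] = errors(plain, run(key, 0, ct, mode, True))
    return res

if __name__ == "__main__":
    for case, errs in demo().items():
        print(case, "->", len(errs), "bad bits, last at", max(errs, default=None))
```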
 
Philips Usfa BV
In the early 1980s, Philips Usfa in Eindhoven (Netherlands) received a first description of SAVILLE, because it was developing its Spendex-40 and Spendex-50 narrow-band and wide-band secure voice equipment. Unlike before with Aroflex, which used a crypto logic designed by Philips Usfa, this time it was decided to implement an existing and already approved NATO crypto logic.
 
Clearly, this had a number of advantages. First of all, interoperability with existing NATO equipment like STU II and VINSON. Secondly, it was anticipated that the NATO approval by SECAN would take much less time, as the crypto logic would not have to be evaluated.

Rumour had it in those days that there was a third reason. By implementing SAVILLE in a new national development, the NLNCSA would automatically receive all baseline documentation regarding the crypto logic, which would otherwise not be obvious at all.
  
Philips-developed custom crypto chip inside the Spendex 50.

Still, to Philips Usfa and its cryptography-aware employees it seemed quite peculiar that cryptographic equipment using a foreign, NSA-developed crypto logic was used to protect top secret information. SAVILLE was implemented in hardware, more precisely in circuits comprising a custom gate array and standard integrated circuits, by Philips Usfa in the first half of the 1980s.
 
Glossary

CFB   Cipher Feedback
A block cipher mode that enhances ECB mode by chaining together blocks of cipher text it produces, and operating on plaintext segments of variable length, less than or equal to the block length.

CTAK   Cipher Text Auto-Key
Cryptographic logic that uses previous cipher text to generate a key stream. (Deprecated terminology, superseded by CFB)

ECB   Electronic Codebook
A block cipher mode in which a plaintext block is used directly as input to the encryption algorithm and the resultant output block is used directly as cipher text.

KAK   Key-auto-key
Cryptographic logic using a previous key to produce a key. (Deprecated terminology, superseded by OFB)

NATO   North Atlantic Treaty Organization

NLNCSA   Netherlands National Communications Security Agency
Dutch: Nationaal Bureau voor de Verbindingsbeveiliging.

OFB   Output feedback
A block cipher mode that modifies ECB mode to operate on plaintext segments of variable length less than or equal to the block length.

SECAN   Military Committee Communications Security & Evaluation Agency (Washington)

References
  1. Wikipedia, SAVILLE

  2. L-3 Communications, unityCP leaflet
    Custom ASIC, High Performance Fixed and Programmable Crypto Engine.
    Cleared by DoD for public release under 05-S-1912 on 18 August 2005.
    Communication Systems East. 2 pages, April 2011.

  3. REDCOM, HDX-C Secure Converged Network module
    Retrieved from REDCOM website, December 2011.

  4. Anonymous source
    Interview with former cryptographer at Crypto Museum, December 2011.

© Copyright 2009-2011, Paul Reuvers & Marc Simons. Last changed: Tue, 10 Jan 2012, 08:30:47