Aroflex II →
Rapid offline encryption device
Aroflex was an electronic off-line cipher machine,
developed between 1976 and 1982
by Philips Usfa in Eindhoven (Netherlands)
and government organisations.
Aroflex is also known as UA-8116 and
BID/1100, and features a highly secure dedicated
A less-secure version was known as
In all, more than 4500 machines were produced.
The device consists of a
Siemens T-1000 teleprinter,
with a Crypto Module mounted at the bottom.
In the image on the right, the crypto unit is visible
as a low-profile black cabinet, with a red push-button and two
physical locks. One lock is used for the INSERT key whilst
the other one is for the SPECAT key (both inserted here).
The red push-button,
in between the keys, is the so-called
It should be pressed when security is compromised,
and ensures that all cryptographic keys are purged. It renders
the machine useless until new keys are loaded.
Aroflex was a highly automated encryption/decryption machine for
rapid, reliable and efficient off-line operation. It could also
be used as a stand-alone message tape preparation unit.
Some machines were equiped with appropriate interfaces to allow
them to be connected directly to the line.
could be operated at 50, 75 and 100 baud on-line,
and 100 baud off-line.
The NATO version of Aroflex
is crypto compatible with other NATO
such as RACE
It complies with the the symmetrical
The plaintext is converted into 5-letter groups, with 10 such
groups on each line. Aroflex can store upto 6 pages
(with 120 lines of 10 crypto groups each) in its internal RAM.
The name Aroflex is derived from Automatic Rapid
Offline Encryption Device.
In 1993, it was succeeded by
Aroflex II (T-1285/CA).
The diagram below provides an overview of the features of the Aroflex.
The machine is based on a standard
Siemens T-1000 teleprinter,
which is used here as an input/output device, and for
connection to the teleprinter line. The actual Crypto Module that was
added by Philips, is housed in the black tray at the bottom.
It is powered by, and interfaced directly to, the T-1000 circuitry.
The Crypto Module has only one switch – the red ZEROISE button –
that should be pressed in case of an emergency. It purges all keys
and renders the machine useless until new keys are loaded.
In addition there are two physical
locks that protect the cryptographic key compartments.
All other functions of the Crypto Module are controlled via the
function buttons above the keyboard.
The primary version of the machine is known as Aroflex. It was developed
especially for NATO and offers the highest possible security. This version
was marketed by Philips.
This is the same device as Aroflex, but with a lower security grade
and has a different cryptoheart.
It was intended for diplomatic traffic, and was marketed by Philips.
With the right means, it was possible to break this version.
This version the same as Beroflex, but intended for the civil market.
This version was marketed by Siemens as the T-1000/CA.
Like Beroflex, it is exploitable.
This is basically a Beroflex, but with enhanced security. It was made by
Philips, especially for Turkish diplomatic traffic. It was exploitable
with a special device.
This version was made expecially for China. It is basically a Beroflex,
but has the signature of an Aroflex. It was never taken into production.
Furthermore, there were numerous variants of some versions
(Aroflex, Beroflex and T-1000/CA). For example: each country received a
slightly different cryptographic algorithm for its diplomatic traffic.
This way, a country could not read the traffic from another country, even
when the keys were known. Within NATO, all members had access to the same
The differences are determined by the choice of
the mixer board
and the firmware
In addition to the variants, there were also a number of options, such
as line-connected mode (online), customer-unique key generators and
variations in operation. Such options were mostly software-based and
required swapping of some of the EPROMs on the
Some versions of the machine were readable 1 by the intelligence
services. This means that, with the appropriate amount of processing power,
the cipher could be broken. Generally speaking, all Aroflex models were
unreadable, which means they were secure. As far as we know, there
are no documentated cases of broken Aroflex traffic. In principle, all
Beroflex models were readable.
There were two basic types of cryptoheart:
Aroflex and Beroflex.
In the Aroflex one, the secure Philips
OQ4406 encryption chip is used.
But in the Beroflex cryptoheart, the
exploitable OQ4407 is used. The algorithm of
the latter is substantially weaker than that of the OQ4406 and could be broken
with the right means, exploiting redundancy in the encyphered
message preamble .
The cryptograms produced by the T-1000/CA machines,
typically exhibit bias in the enciphered message preamble, an unnecessary
shortcoming by design. This was certainly known by the intelligence agencies
of other (friendly) countries. It would typically involve solving a set of
binary equations, an exponentially large number of times, a task that was
not trivial at the time .
In 1977, under the direction of Vice Admiral Frits Kruimink, and with help from
Philips Research (NatLab), the Dutch Naval Intelligence Service (MARID)
developed a special chip that was capable of solving the binary equations
approx. 2500 × faster than a regular computer, by using parallel processing.
It allowed them to break the
cryptologic of the T-1000/CA (Beroflex) in minutes rather than
It typically took around 30 minutes to break a message .
The special chip was placed inside a (confidential) special purpose device,
that was supplied to a number of partner intelligence organisations,
including the United States and the members of the
the UK, Sweden, Denmark, Germany, France and the Netherlands.
It allowed them to monitor the diplomatic traffic of several
non-NATO countries for many years.
The Turkish Foreign Office
After Aroflex had been fielded to all NATO countries — around 1983 —
the Turkish Government wanted to use the same machines for its
Foreign Office — in particular for communication with its embassies —
as a replacement for its vulnerable SAGEM CPPM systems.
This was not allowed, as Aroflex was a NATO-only machine, so the
Siemens T-1000/CA civil version was
offered as an alternative. The Turks rejected it as they probably knew (or
guessed) that it was weaker.
The CIA asked
Siemens – which marketed the
T-1000/CA – to create a special
version for Türkiye that was stronger (but still exploitable), but Siemens
declined as they had no control over the cryptologic — that was Philips'
CIA then turned to Philips and
Dutch intelligence, who agreed to cooperate.
A special variant of T-1000/CA (Beroflex) was made,
that had the signature of a real Aroflex, but was in reality just
as weak as any other T-1000/CA (Beroflex).
The Turkish machines were fielded from mid-1988 onwards.
Although they could not be
exploited with the special purpose device,
the increased computing power of the late 1980s allowed it to be
solved by other means, as a result of which they were
fully readable .
CIA arranged that this information was kept from
the German intelligence service BND, probably to 'punish' them for
not cooperating with their earlier request. For the remainder of the
Cold War, the German cipher authority
unable to ready the Turkish diplomatic traffic .
In this context, readable means that the cipher can be broken with
the right means. Also known as friendly or exploitable. In
contrast: a cipher that can not be broken, is known as unreadable,
unfriendly or secure.
The basic version of Aroflex was developed especially for NATO,
as a replacement for the ageing American
It was introduced in 1982, and offers the highest level of security.
It was regarded as unbrekable.
The core cryptographic alogorithm is housed in a so-called cryptoheart
that contains custom chips that had been developed by Philips especially
for this purpose. A genuine Aroflex cryptoheart
has a single 16-pin
DIL connector at the edge, by which it is connected to the
Beroflex is basically an Aroflex with reduced security. It features
the same basic hardware, but has a different cryptoheart and mixer
board. A Beroflex cryptoheart can be recognised by the two
16-pin DIL connectors at the edge of the card, whereas a real
Aroflex cryptoheart has one.
The interior of the cryptoheart are different – it uses a different
type of chip – but this is invisible to the naked eye, as the cryptoheart
is cast in a strong two-component substance.
T-1000/CA is the civil version of Aroflex. It has a Beroflex cryptoheart
with matching mixer board, and suitable firmware in EPROMs.
This version was marketed exclusively by Siemens in München (Germany).
It was approved for export.
With the right means – a special chip that was made by Philips –
this version was readable.
The name T-1000/CA is derived from the name of the
on which it is built,
suffixed by 'Cryptographic Application' (CA).
Around mid-1988, Türkiye started using a special version of the machine
for its diplomatic traffic. Although they wanted a genuine Aroflex,
this was refused, as Aroflex was for NATO only.
The only option was Beroflex, but Beroflex was readable. At the request
of the US intelligence services (CIA,
NSA), Philips then made a special
variant of the Beroflex cryptoheart that could not be broken by other
To read the Turkish traffic, a special device was needed.
In 1989 the Chinese became interested, and wanted to order Aroflex
machines from Philips. But Aroflex was NATO-only, so Philips offered
them a Beroflex variant, which was demonstrated to them at the
Philips offices in Hong Kong.
But the Chinese immediately recognised, from the signature of its
output, that this was not Aroflex, and pressed for the real deal.
Engineers at Philips then modified a Beroflex cryptoheart in such
a way that it appeared to be a real Aroflex.
More information will be revealed later.
In 1974, NATO wanted to replace the ageing American
TSEC/KL-7 cipher machine,
also known as AFSAM-7
and by the procedure names ADONIS and POLLUX.
Under the evaluation name CEROFF, several manufacturers were invited
to enter the bidding contest.
Aroflex was Philips' contribution.
Another entry was RACE
— later: KL-51 —
from the Norwegian manufacturer STK
When designing Aroflex, Philips chose to use an existing teletype
machine (telex) as its basis, and expand it with a cryptographic add-on.
After dismissing AEG
and PTI as possible partners in the project,
they finally settled for the
It was a modern telex machine which offered unparalleled expansion
The disadvantage of the T-1000
was the open construction, which caused unwanted emission of radio
signals (EMC). It took an enormous
effort by both Siemens
and Philips, to make the combined machine
The outcome of the NATO CEROFF bidding match was inconclusive and
ended in a remittance between Aroflex
and the Norwegian RACE.
NATO chose for a split-procurement and left it to
the end-user to decide what equipment to order.
As a result, Philips allowed RACE to use
the Aroflex algorithm, making the machines interoperable .
Eventually, Aroflex turned out to be the more popular machine in
Europe and Canada , whilst the more robust
RACE was adopted by the US.
During the Cold War, Aroflex, or actually the Siemens T-1000CA,
was researched extensively
by the Russian KGB
and the East-German
Ministerium für Staatssicherheit (MfS, Stasi).
In 1982 or 1983 they managed to get hold of a machine that had
mysteriously disappeared from a show.
In 1986/1987, Department XI of the Stasi
spent 30% of its capacity on targetting the machine.
They tried to exploit the machine's unwanted emanations
but were not successful .
Although they didn't manage to break the machine, they had a constant
supply of keylists from someone at NATO. It was the same person who had
supplied them with the ELCROTEL
keylists from 1972 onwards .
Although this means that the key was compromised,
it does not mean that the machine was compromised as well.
As far as we know, Aroflex was never broken.
This small unit was used by Philips and Siemens to quickly test
the voltages inside the Aroflex. The unit consists of a small PCB
that is potted in epoxy inside a black plastic enclosure, with
six red LEDs at one side.
Each LED represents a voltage or a signal.
The other side has a 16-pin header
that plugs into an internal socket.
The diagnostics unit was known by its National Stock Number
NSN 6625-12-179-5010. The Siemens designator was S22711-P105 GS1.
When unused, it was stored in a wooden box.
For a more comprehensive diagnosis, a large aluminium storage case with
a number of tools and spares was avilable.
The most important part of the kit, was the
special UA-8494/0x Aroflex Tester, shown in the image on the right.
It can be installed on the die-cast frame of the Aroflex Crypto Module,
and is connected to all circuit boards by means of short ribbon cables.
➤ More information
For maintenance and repair, a series of test tapes was available.
It allowed recurring tests, such as printing the alphabet or entering
a test key, to be automated.
To ensure that the tapes would not wear out after a while,
the were commonly made of mylar
rather than paper. The image on the
right shows examples of an original Aroflex test tapes.
Aroflex can store upto 26 keys:
A new key is easily entered and takes the following steps:
- 23 keys for 'ordinary' traffic.
- 2 SPECAT (Special Category) keys (see note below).
- 1 for encryption/decryption of the system indicators (i.e. the serial numbers of each key).
The two SPECAT keys can only be entered and/or used if the physical
SPECAT-key is entered in the rightmost lock and turned clockwise.
- Place the INSERT-key in the leftmost lock and turn it clockwise.
- Enter the number of the required key store (address).
- Enter (from key list): serial number of the key, keying variables and
- Remove the INSERT-key.
As an alternative to the above procedure, it was also possible to
enter the keys via a paper tape that was read by the built-in tape reader.
In addition, the crypto unit has a special connector through which
the keys can be entered using a 'key filler' or a 'key gun'.
For information about the
Siemens T-1000 teleprinter,
please refer to the section on
telegraphy equipment (telex),
elsewhere on this website. The following is about the
Aroflex Crypto Module, which is bolted to the
bottom of the basic T-1000 teleprinter, by means of eight hex bolts.
Put the Aroflex machine on its left side.
Loosen the hex bolts (do not removed them), so that the hinged
Crypto Module can be lowered, as shown in the image on the right.
The Crypto Module consists of a die-cast aluminium frame
with two compartments and an unused square cut-out.
The small compartment
at the front left contains the key-locks,
the ZEROISE button, an indicator LED
and three DIN sockets. It is connected to the large
compartment at the rear, by means of a 16-way ribbon cable.
This compartment also holds the backup battery and a
The tamper switch is located at the front right corner of the compartment.
It is activated when the Crypto Module is lowered (as
shown in the image above) and causes any keys that are held in the machine's
RAM, to be purged — actually it cuts the power from the backup
battery to the RAM.
The large compartment at the rear, holds the actual encryptor. It consists
of 4 printed circuit boards (PCBs) plus a confidential cryptoheart.
At the left is the interface board,
part of which is for processing analogue
signals. It is connected to the T-1000.
At the right is the memory board,
which contains 8 EPROMs that
hold the firmware. The contents of the EPROMs are confidential.
At the centre is the mixer board.
It adds each letter from the plaintext
with a letter produced by the internal – pseudo – random number generator,
using modulo-2 addition, also known as XOR.
At the far end is the CPU board,
which is built around an 8080 microprocessor.
It is interfaced to the other boards by means of six short ribbon cables; two
for each of the other boards. These cables carry the 8-bit data bus and the
16-bit address bus of the
Intel 8080 microprocessor
At the centre of the Crypto Module, just in front of the mixer board,
is the actual cryptoheart,
or cryptologic. It contains several custom-made
chips that together form the cryptographic algorithm. Depending on the
version of the machine, the cryptoheart is connected to the mixer board
via one ribbon cable (Aroflex) or two (Beroflex).
The cryptoheart is in reality a PCB of which the chips have been cast
in a strong two-component substance, to hide them from prying eyes.
The cryptoheart of a genuine Aroflex contains 12 chips, eight of which
are of the type OQ-4406.
The cryptoheart of a Beroflex (and T-1000/CA) contains 10 chips,
eight of which are of the type OQ-4407.
The prefix 'OQ' indicates that these are custom-made chips for
internal Philips-use only. They were not available to other
customers. The two chips are pin-compatible, but the internal
circuits are completely different. The OQ4407 is exploitable,
whilst the OQ4406 is not.
But even with the OQ4407 in place (Beroflex), breaking was not
straightforward. The exploit was designed in such a way that it
was difficult to handle in software, but easier with
dedicated hardware. So, Philips developed another special chip
that was needed when breaking the cipher.
The functionality of the Aroflex machine, i.e. the firmware,
was contained in 8 Erasable Programmable Read-Only
Memory chips, or EPROMs, that are located on the memory board.
They are visible in the image on the right. The customer-specific
variant is also defined in these EPROMs.
The Crypto Module is powered directly by the T-1000 teleprinter,
via one of the ribbon cables
on the interface board. These ribbon
cables also pass data from the teleprinter to the encryptor and
vice versa. No other connections are needed. The T-1000 teleprinter
itself has a rather 'open' design. Due to the lack of shielding,
it was difficult to suppress unwanted emanations (TEMPEST).
As discussed in the previous section, there were two basic versions of
the cryptoheart — the part that contains the cryptographic algorithm in hardware.
Note that in some documents, this part is referred to as
or key generator.
As the contents of this unit are normally invisible — the cryptoheart is potted in
a strong cream substance — we have provided some x-ray images:
The Aroflex cryptoheart can be recognised by the single 16-pin
DIL socket at the upper edge. Via a short ribbon cable, this socket
is connected to the mixer board at the centre of the device.
Inside the potted section, are 12 integrated circuits (ICs).
The rightmost eight of these (the ones with the dark centre) 1
are the OQ4406.
At the time, this chip was assumed to be secure (unreadable).
This version of the cryptoheart is used in all NATO machines
and in some country-specific versions. It was also used in the
Aroflex machines of the Dutch police and of the German
intelligence service BND.
The Beroflex cryptoheart can be recognised by the two
16-pin DIL sockets at the upper edge. It is connected to the
mixer board by means of two short ribbon cables, which implies
that the mixer board is different from the Aroflex one.
Inside the potted section are 10 ICs, the leftmost eight of
which (the dark ones) 1 are the OQ4407.
This is the exploitable version of the chip.
The Beroflex cryptoheart is used in machines that were listed in
internal Philips documents as 'Beroflex machines'.
It is also used in the civil
The cryptohearts of the Turkish and Chinese machines,
are also based on a (modified) Beroflex cryptoheart.
Note that the substrate of the special crypto chips can not be
penetrated by x-rays, which is why they are darker than the rest.
This was done to make it less easy to explore (and compare) their
In 2009 we discovered a series of black & white photographs that were
considered to have been lost when Philips Crypto BV
was dissolved in 2003. The pictures show detailed images of the various
assembly stages of the Aroflex. They were probably created for the
The image on the right shows an exploded view of the Aroflex' crypto
add-on. It consists of four PCBs and a crypto-unit. The narrow board
at the top left is the processor board. It contains an 8080 microprocessor
and connects to the other boards via 6 flat-cables with 16 lines each.
The three boards in the middle are (from top to bottom) the memory-board,
the mixer-board and the interface-board. The latter also contains the
switched-mode power supply unit. All the voltages needed for the electronics
are derived from a single 24V source inside the T-1000.
The small grey rectangle at the right is the crypto-module,
also known as the crypto-heart. It contains a number of custom chips
and was classified as confidential at the time.
All units are connected together by means of a series of short flatcables,
with plugs that fit into an IC socket.
Aroflex was not the only machine that took part in the NATO bidding
for CEROFF. In fact, the evaluation was inconclusive and listed both
Aroflex and the Norwegian RACE as winners.
As a result, Philips made the Aroflex algorithm available to
who subsequently implemented it in RACE. Although in practice Aroflex
was the real winner, with most machine sold, RACE was adopted by the
US as the KL-51.
➤ More information
For other NATO bidding races in 1976, known as MERCS
and CALL SIGN, Philips developed the portable and modular
Picoflex in co-operation with Telefunken.
It was crypto compatible with Aroflex and could be used
over standard PSTN telephone lines and via radio.
Picoflex was introduced in 1982, but only modest quantities were
built over the years.
➤ More information
The Siemens T-1000 teleprinter that was used as the basis for the
Aroflex design, was arguably one of the most popular and flexible
teleprinters ever. Compared to contemporary competitors, it was
relatively compact and service-friendly. Furthermore, it had provision
for using it as an input/output (I/O) device for other systems.
Apart from Aroflex, it was used as the basis for:
In 1983, shortly after the introduction of the Aroflex,
allowed Crypto AG (Hagelin)
in Switzerland to use the
as the basis for their new cipher machine,
Like with Aroflex, the cipher unit is added as a black tray
at the bottom. It is not compatible with Aroflex however.
At that time, Crypto AG was jointly owned
by the CIA
and the machine was aimed at diplomatic users .
➤ More information
Around 1984, the small German company
TeleSecurity Timmann (TST),
came up with a simpler solution that did not require a cipher unit to
be bolted to the bottom of the T-1000 telex.
TST used an adapted version of its
universal encryptor TST-9669,
to replace the Leitungs-Anpassungs-Teil board
(LAT or line adapter) inside the T-1000 teleprinter .
At the time, TST
was under control of the German BND
The device is not compatible with Aroflex.
➤ More information
Customer versions and variants
To keep track of the various (incompatible) Aroflex and T-1000/CA
versions and variants,
Philips used a complex scheme of model numbers, version designators and
internal 12NC numbers. Generally speaking, most Aroflex machines were identified
as model UA-8116, and the version designator (e.g. '/02') denoted the
actual variant and, hence, the crypto-logic. In addition, some machine
were given a completely different model number.
These models are currently known:
Cryptologic (cryptoheart). A = Aroflex, B = Beroflex, C = Chinaflex, T = Türkiye.
Special Aroflex variant for the Dutch Police. Not compatible with
the NATO version.
Algemeine Elektricitäts Gesellschaft
Former German manufacturer of electronic equipment and components.
Started co-operation with Telefunken in 1967 and with Siemens in 1969,
trading as AEG Telefunken.
Cipher Equipment Rapid Off-Line
Code name of a NATO evaluation in 1974 to find a replacement for the ageing
KL-7 cipher machine. Examples of CEROFF compatible
equipment are Aroflex,
RACE (KL-51) and
North Atlantic Treaty Organization
Philips Telecommunicatie Industrie
Former Philips subsidary specializing in telecomminication solutions.
Rapid Automatic Cryptographic Equipment
Acronym used for the NATO KL-51 cipher machine that was used for
NATO CEROFF communication alongside the Philips Aroflex.
RACE was manufactured by
Standard Telefon og Kabelfabrik A/S
Supreme Headquarters Allied Powers Europe
Headquarters of the Allied Command Operations (ACO), one of NATO's
two strategic military commands.
General expression for deleting the cryptographic keys and other variables
from an encryption device in case of a compromise or seizure.
- Aroflex Brochure
Philips Usfa. April 1979. 4 pages.
- Aroflex Operating Instructions
Philips Usfa. 13929-E-0581. May 1981. 50 pages. Restricted.
- Aroflex Operating Instructions
AMSO-762(A). September 1987. 66 pages. NATO Confidential.
- Aroflex Crypto Equipment UA8116 series. Narrative Description Part 1: Text
13928-E-0381. March 1983. 33 pages. Confidential.
- Aroflex Illustrated Parts List
AMSM 765. August 1985. NATO Restricted.
- Aroflex Illustrated Parts List for Crypto Module UA-8486/02
Philips Usfa. January 1987. 56 pages. NATO Restricted.
- Algemene beschrijving Aroflex (Global description, Dutch)
Philips Usfa. Document 13813-N-1182. Date unknown. 10 pages.
- Aroflex Extended Functional Test
Shape Contract SHNMO 80-9017. November 1980. 41 pages. Restricted.
- Aroflex, Description of Key Generator
13928-E-0381. March 1981. 22 pages. Secret.
- Aroflex Key Generator description
Information for interfacing key generator UA-8485/00 as used in UA-8116/02 and UA-8116/06.
July 1982. 36 pages. NATO Confidential.
- Aroflex Key-Manufacturing Program UA-8510
Operating instructions. October 1981. Confidential.
- Goedkeuringsdocument AROFLEX
Approval document Aroflex (Dutch). Ongerubriceerd. 1
CM-303266. VBV 92002(A), Nummer 2.
- Philips Usfa BV, Aroflex promotional photograph
Crypto Museum Archive.
- Philips Usfa BV, Aroflex internal assembly photographs
Crypto Museum Archive.
- Jane's Military Communication 1986
- Philips Usfa, Internal Memo L/5636/AvdP/JG
23 August 1982, page 5.
- Museum pages of Canada's Foreign Service Communicators
RACE: Rapid Automatic Cryptographic Equipment
- Jörg Drobick, KGB and MfS research of the Siemens T-1000-CA ELCROTEL.
Website: Der SAS- und Chiffrierdienst (SCD). German. Retreived Augus 2011.
- Bode Wegman, Militäraufklärung der NVA, der Geheimdienst der NVA
ISBN 3-89574-580-4. p. 217-218.
- Combined Communication-Electronics Board, Tape Relay Procedures
ACP-127(G) Standard. November 1988.
- Helmut 'Jim' Meyer, HS0ZHK, My way to Ham - Radio and beyond
Website QRZ.COM. Personal correspondence.
- H.P. Kraan, Overzicht Aroflex
Aroflex Overview (Dutch).
Internal Memo UNB 20-23- 5180. 7 April 1986.
- Wikipedia, Intel 8080
Retrieved january 2020.
- Crypto Museum, Operation RUBICON
- Cees Jansen, Former Philips Cryptographer - Interview at Crypto Museum
- Huib Modderkolk, Nederland luisterde dankzij superchip jarenlang landen af
De Volkskrant, 20 February 2020.
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?|
© Crypto Museum. Created: Wednesday 05 August 2009. Last changed: Saturday, 04 June 2022 - 07:58 CET.