Click for homepage
USA
STU-III
Phone
  
RCA STU-III
Third generation secure telephone unit

GE/RCA STU-III/LCT is a third generation Secure Telephone Unit, introduced in 1987 by RCA 1 (later: GE) in the USA, and based on the STU-III standard, developed by the US National Security Agency (NSA) in 1986. It is interoperable with the STU-III terminals of the other manufacturers - Motorola and AT&T – and uses a KSD-64A for key distribution and as Crypto Ignition Key (CIK).

The RCA STU-III resembles a regular telephone set, but is about twice the size of a competing desktop set, making it the largest STU-III set on the market. It measures approx. 343 x 310 x 135 mm and weights 7264 grams (without
PSU
).

The device is an NSA Type 1 encryption product, which makes it suitable for use by the American Government for traffic at the highest level of classification. Speech is digitized with an
LPC-10E
or
CELP
vocoder, encrypted with a secret NSA algorithm and sent through a regular
POTS
analogue telephone line at 2400 or 4800 baud.
  
GE/RCA STU-III terminal with CIK installed

At the top right is a socket, or receptacle, for a KSD-64A key that is used as the Crypto Ignition Key (CIK). It has to be inserted and then turned 90° clockwise, before encrypted calls are possible. Once the keys are loaded, the CIK is paired with the terminal. Without the matching CIK, the keys inside the terminal have no meaning. Likewise, the CIK has no meaning when used with another STU-III terminal. In 2005, the GE/RCA STU-III was available for the modest price of USD 2200 [3].

When development of the STU-III was started in 1986, RCA was in the process of being taken over by General Electric. The unit show above was manufactured in 1990 and carries both the RCA and the GE logo. A new – smaller – model was later introduced under the GE brand. The GE/RCA STU-III was phased out over the course of 2009, along with all other STU-III terminals, with the last keys expiring on 31 December 2009. It was succeeded by the Secure Terminal Equipment (STE).

  1. RCA was later taken over by General Electric (GE), who kept selling the device under the RCA brandname, probably because of the international approval status of the device. The responsible GE business unit was later sold to Lockheed Martin, and eventually spun-off as L-3 Communications East.

RCA STU-III Front view GE/RCA STU-III terminal with CIK installed RCA STU-III seen from the rear left Rear view GE/RCA STU-III terminal (left) aside an AT&T STU-III CIK installed GE and RCA logos
A
×
A
1 / 8
RCA STU-III
A
2 / 8
Front view
A
3 / 8
GE/RCA STU-III terminal with CIK installed
A
4 / 8
RCA STU-III seen from the rear left
A
5 / 8
Rear view
A
6 / 8
GE/RCA STU-III terminal (left) aside an AT&T STU-III
A
7 / 8
CIK installed
A
8 / 8
GE and RCA logos

Features
The diagram below gives a quick overview of the controls and features of the GE/RCA STU-III terminal. At the left is a regular handset, which is connected to the RJ-10 socket at the left side. Below the handset is a speaker for handsfree operation. At the centre is a regular keypad with numbers (0-9) and the * and # buttons. Above the keypad are three buttons for selection of the desired MODE of operation. At the right are two memory banks for 10 direct-dial numbers each.


At the upper edge is the Liquid Crystal Display (LCD) for interaction with the user. At the top right is a receptacle for a physical black plastic KSD-64A key, which has a built-in 64Kb EEPROM. The key can be used for several applications, but its most common use is as Crypto Ignition Key (CIK).


All connections of the device are at the rear, as show in the diagram above. At the right is the DC INPUT socket for connection of the external power supply unit (PSU). To its left is an RJ-11 socket for connection to a regular 2-wire analogue public switched telephone network (PSTN), plus an RJ-11 socket for connection to a 4-wire military AUTOVON network. At the far left is a 25-pin female D-type socket with a V.24 data interface, also known as an RS-232 interface or serial port.

ZEROIZE
As with all high-end encryption products used by the goverment and the department of defense, the device can be ZEROIZED in case of an emergency. For this purpose, a momentary slide switch is present at the far left of the rear side, just behind the handset. Pushing this switch to the right (i.e. away from the side), purges all cryptographic keys. This can be done with or without the CIK installed. Once ZEROIZED, it can no longer be used for secure traffic, until new keys are loaded.

Multi-line extension
The RCA/STU-III could optionally be expanded with the so-called multi-line adapter shown in the image below, which allows up to five external regular analogue PSTN lines to be accessed. It has a bracket at its left side, which allows it to be affixed to the right side of the RCA/STU-III terminal.

It has a thin wire that is connected to the PSTN socket of the terminal, and a thick cable with a standard wide multi-line connector that should be connected to the telephone wall socket. 1

By default, the STU-III is disconnected from the line, and a ringer circuit inside the adapter will signal an incoming call. At the same time, a lamp (inside the push-button) will indicate which line is ringing. By pressing the corresponding push-button, the STU-III is connected to that line, after which the handset should be lifted from the cradle to answer the incoming call.
  
Multiline extender attached to the right side

Once the call has ended, the handset is placed in the cradle again so that the line is disconnected. The frontmost button on the multiline adapter is then pressed to reset the device to its default state. For outgoing calls, the user selects the desired line, lifts the handset and dials the number.

15 second delay
A STU-III phone can be connected to any standard analog telephone line (
POTS
). A call is always initiated in non-secure mode. In order to go secure, both parties have to insert and activate their unique Crypto Ignition Key (CIK), after which one of the parties initiates the secure conversation by pressing the SECURE VOICE button. After a delay of 15 seconds, during which the internal modems are synchronised and the CODEC and KEYs are negotiated, secure traffic is possible.

The 10 to 15 second delay is typical for all STU-III phones and was considered a nuisance to the user. Furthermore, valuable intelligence is often given away in the clear voice conversation that takes place before secure mode is entered. The 10 second delay did not occur with the later STE.

Until today, there have been no reports of STU-III units being broken. That does not mean, however, that foreign intelligence services did not gather valuable information from intercepted lines, directly before and after the secure part of the conversation.

  1. Note that there is also a thin ground wire at the bottom, that should be connected to a screw at the bottom of the STU-III terminal.

Front view Rear view Inserting a CIK CIK installed CIK installed Ringer volume, SETUP button and ZEROIZE switch Thin wire connected to the PSTN socket ZEROIZE, SETUP-button and RINGER volume
Control panel of the RCA/STU-III Multiline adapter with cables Multiline adapter with mounting bracket Wide connector for multiline connection Cables at the rear of the multiline adapter Bottom view of the multiline adapter (note the ground wire and the ringer volume switch) RCA/STU-III with multiline extender Multiline extender attached to the right side
B
×
B
1 / 16
Front view
B
2 / 16
Rear view
B
3 / 16
Inserting a CIK
B
4 / 16
CIK installed
B
5 / 16
CIK installed
B
6 / 16
Ringer volume, SETUP button and ZEROIZE switch
B
7 / 16
Thin wire connected to the PSTN socket
B
8 / 16
ZEROIZE, SETUP-button and RINGER volume
B
9 / 16
Control panel of the RCA/STU-III
B
10 / 16
Multiline adapter with cables
B
11 / 16
Multiline adapter with mounting bracket
B
12 / 16
Wide connector for multiline connection
B
13 / 16
Cables at the rear of the multiline adapter
B
14 / 16
Bottom view of the multiline adapter (note the ground wire and the ringer volume switch)
B
15 / 16
RCA/STU-III with multiline extender
B
16 / 16
Multiline extender attached to the right side

Key storage device   KSD-64A
All key material is usually generated by an external
EKMS
and loaded into the STU-III by means of a so-called Key Storage Device (KSD), such as the KSD-64A or the later PK-64KC, manufactured by Datakey Inc. (USA). The KSD looks like a plastic toy key, and acts like the ignition key of a car.

The KSD is entered into a so-called keyceptacle at the top right of the RCA/STU-III unit, to the right of the display. Once inserted, it should be rotated 90° clockwise, in order to unlock the secure features of the phone.

The KSD can be used for a variety of purposes, such as: Crypto Ignition Key (CIK), Master CIK, FILL Key (FK), Terminal Activation Key (TAK), Security Activation Key (SAC) and Traffic Encryption Key (TEK).

 More about the KSD-64

  
Inserting a CIK

Interior
The GE/RCA STU-III is housed in a heavy die-cast aluminium enclosure, with several internal die-cast aluminium shieldings, and a plastic top case shell that holds the controls. The control panel can be removed by releasing three small screws at the rear and disconnecting a 50-way header.

The control panel of the device is the only part that is not TEMPEST shielded. In fact, it is not shielded at all. Although the wiring between the control panel and the main unit is extremely well filtered, the radiation from the control panel it­self might be exploitable by a malicious party.

The image on the right shows the inside of the control panel. At the bottom left is the pre-assembled keypad. At the top is the EPSON LCD display. At the right is the speaker and – towards the rear – the hook switch and a small PCB with extra controls that are accessible from the rear.
  
Control panel interior

The large black 50-way connector at the left, connects the control panel to the main unit. The remainder of the set consists of a die-cast aluminium chassis, with two large PCBs: one fitted at the top and one fitted at the bottom, each TEMPEST shielded by an aluminium die-cast shell.

The bottom of the device acts as the shield for the bottom PCB. After removing the bottom case shell, this
PCB
becomes visible, as shown in the image on the right. The nicely compartmented design, consists of several sub-circuits: the PSU at the right, the telephone interface at the rear, with the A/D converter (digitizer) in front of it.

At the front left corner is the speech coder and decoder (CODEC), which supports the
LPC-10E
and
CELP
standards. It is built around a TMS320 digital signal processor (DSP), which had just been released by Texas Instruments (TI) [4]. 1
  
Telephone board fitted at the bottom of the chassis

Note that this part of the device does not handle the actual encryption. It only handles the speech circuits and provides the necessary voltages for the rest of the device. The board has a large 34-way header at the rear right corner, by which it is connected to the main board at the other side.

At the center of the board is a small rectangular space that accomodates a backup battery, which can be installed via a small lid at the bottom of the unit. The battery is used for retaining the keys in the device's internal CMOS RAM. Pressing the ZEROIZE button at the rear of the control panel, has the same effect as cutting the battery.

The top side of the black chassis holds the main
PCB
, which is shielded by another large die-cast aluminium shell that is held in place by a large number of bolts, two of which are hidden below the key receptacle (which must be removed first).
  
Main board with crypto-logic on daughter card

The key receptacle is connected to the main board by means of a 30-way ribbon cable header that should be disconnected. After removing the shield, the main board becomes visible, as shown in the image above. It consists of a large PCB, with a smaller daughter card fitted on top.

The larger
PCB
is the main board that holds various microcontrollers. It is connected to the telephone board at the bottom side of the chassis, by means of a 34-way ribbon cable in the rear left corner. This cable carries the necessary voltages for the digital circuits, plus the digital lines to the telephone interface.

The main board also holds a TI TMS320 DSP, similar to the one on the telephone board, which is probably used as the other half of the
LPC-10
CODEC. One half is usually the speech analyser, whilst the other half forms a speech synthesizer.
  
LPC-10 CODEC with TMS320 digital signal processor (DSP)

The rest of the board holds a microcontroller for handling the user interface (i.e. the display and the keypad), and two further microcontrollers for handling the input/output data streams. It also holds a V.24 synchronous/asynchronous serial RS232 port, which is available at the rear (DATA). At the centre of the board is a so-called TAMPER-switch that is activated by a spring inside the die-cast shell. It ensures that the cryptographic keys are purged when the unit is disassembled. 2

The actual encryption and decryption is handled by a separate PCB that is fitted as a smaller card on top of the main board. It is the secret part of the phone, and carries a red CCI label to indicate that this part is a controlled cryptographic item.

The board carries various 8051 microcontrollers, several 16 x 16 bit multipliers and CMOS RAM, and also holds the secret NSA Type 1 encryption algorithm, part of which is implemented in the special custom chip shown in the image on the right. The chip is marked as CCI and carries a manufacturing date code of week 37 of 1989.
  
Controlled Cryptographic Item (CCI) chip

By implementing the cryptographic encoder/decoder as a separate daughter card, it was possible to swap it for a less secure Type 2, Type 3 or Type 4 variant, so that the device could be sold to (controlled) customers outside of the US Government. The device is extremely well-built, and it is hard to imagine that it could be manufactured for an end-user price of USD 2200, even in 1990.

  1. It is also possible that the TMS320 DSP on the telephone board was used for the implementation of the MODEM, and that the
    LPC-10
    and
    CELP
    features were handled by another TMS320 on the main board.
  2. The TAMPER-switch basically cuts the power from the backup battery to the CMOS RAM.

Control panel Control panel interior Keypad and display wiring Speaker and hook-switch Microphone LCD Display Approval labels at the bottom of the device Die-cast aluminium bottom case shell
Telephone board fitted at the bottom of the chassis Telephone board Telephone interface and digitiser LPC-10 CODEC PSU Space for backup battery LPC-10 CODEC Power and telephone sockets
RCA STU-III interior after removing the control panel CIK receptacle Main board with crypto-logic on daughter card Main board CCI board (crypto logic) CCI board (crypto logic) Controlled Cryptographic Item (CCI) chip LPC-10 CODEC with TMS320 digital signal processor (DSP)
Tamper switch on the main board Tamper switch on the main board Bare keypad CIK receptacle (interior) Line selector - interior Line selector - interior
C
×
C
1 / 32
Control panel
C
2 / 32
Control panel interior
C
3 / 32
Keypad and display wiring
C
4 / 32
Speaker and hook-switch
C
5 / 32
Microphone
C
6 / 32
LCD Display
C
7 / 32
Approval labels at the bottom of the device
C
8 / 32
Die-cast aluminium bottom case shell
C
9 / 32
Telephone board fitted at the bottom of the chassis
C
10 / 32
Telephone board
C
11 / 32
Telephone interface and digitiser
C
12 / 32
LPC-10 CODEC
C
13 / 32
PSU
C
14 / 32
Space for backup battery
C
15 / 32
LPC-10 CODEC
C
16 / 32
Power and telephone sockets
C
17 / 32
RCA STU-III interior after removing the control panel
C
18 / 32
CIK receptacle
C
19 / 32
Main board with crypto-logic on daughter card
C
20 / 32
Main board
C
21 / 32
CCI board (crypto logic)
C
22 / 32
CCI board (crypto logic)
C
23 / 32
Controlled Cryptographic Item (CCI) chip
C
24 / 32
LPC-10 CODEC with TMS320 digital signal processor (DSP)
C
25 / 32
Tamper switch on the main board
C
26 / 32
Tamper switch on the main board
C
27 / 32
Bare keypad
C
28 / 32
CIK receptacle (interior)
C
29 / 32
Line selector - interior
C
30 / 32
Line selector - interior
C
31 / 32
31 / 32
C
32 / 32
32 / 32

Restoration
The GE/RCA STU-III featured on this page, was found on eBay. It had recently been (re)discovered in a former Cold War hideout in the US. The writings aside the quick-dial buttons, may reveal its former purpose. It came with an RCA multiline extension, but the original DC PSU was missing.

Although the item had been packed well, it got damaged in transit when it was shipped to the Netherlands, probably due to improper handling by the carrier. The large weight of the die-cast chassis and case shells, had caused two serious cracks in the yellow plastic control panel; one at the front corner, and a larger one at the rear.

Both cracks were repaired by firmly pressing the parts together, and then melting the plastic from the rear (i.e. the inside) with a soldering iron at 150°C. After repeating this process a number of times, the cracks are now practically invisible.
  
Crack at the front right corner

The front panel of the multiline adapter also had a crack and two of its mounting stubs were broken off. They were melted back in place with a soldering iron and reinforced with a strong 2-component adhesive. The crack was repaired with a soldering iron at 150°C, as described above.

Crack at the front right corner Crack at the rear right corner of the plastic upper case shell Control panel interior
D
×
D
1 / 3
Crack at the front right corner
D
2 / 3
Crack at the rear right corner of the plastic upper case shell
D
3 / 3
Control panel interior

Connections
PSU
At present, the original power supply unit for our RCA/STU-III is missing. The connections shown below have been assumed (by studing the PCB layout), but the voltages are currently unknown. Any help in this area will be much appreciated. Below is the pinout when looking into the socket.

  1. GND
  2. V-
  3. not connected
  4. V+ 
Designators
The GE/RCA STU-III is known under the following names and designators:

  • RCA STU-III/LCT
  • GE STU-III/LCT
  • GE/RCA STU-III
  • STU-III/LCT TYPE1/RCA-CCI-EC
  • NSN 5810-01-230-1486
  1. LCT = Low Cost Terminal.

Documentation
  1. Operational Guide for RCA/STU-III - WANTED
    RCA, General Electric. ON416007-1.
References
  1. Wikipedia, STU-III
    Retrieved, February 2019.

  2. STU-III Phase Out
    L3 Communication Systems-East.

  3. TSG, Approved Telephones
    TSG Standard 6, July 2005.

  4. Texas Instruments, TMS320 Second-Generation Digital Signal Processors
    May 1987. Revised November 1990. Retrieved May 2012.
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
Crypto Museum. Created: Saturday 10 February 2018. Last changed: Wednesday, 27 February 2019 - 10:53 CET.
Click for homepage