|
|
|
|
|
|
The device is housed in a green rugged die-cast aluminium enclosure that
measures 280 x 215 x 88 mm and weights 2.7 kg.
All connections and controls are at the front panel, with a hinged
keypad covering the Liquid Crystal Display (LCD).
The device is available in a number of variants, such as a base station,
a handset and as an embeddable module, and could be modified for a wide variety
of military HF transceivers. The device shown here is the base station
variant, which in this case is suitable for connection to the
Transworld RT-7000 HF transceiver.
|
|
|
|
DSP-9000 units were typically used in South-American countries, but also in
(neutral) Austria.
In 2007, 2009 and 2013 it was announced that Afganistan's military had
placed large orders
for DSP-9000 equipment for its radio networks. The order consisted of
handsets and implant boards, that would be supplied
through Datron World Communications Inc., which also supplied the radio
equipment itself to the Afgan forces [1][2].
The DSP-9000 was still available for sale in 2022 [1].
|
 |
The image below provides an overview of the controls and connections at
the front panel of the DSP-9000. At the top left is a regular US/NATO
receptacle for connection of a handset, headset or other type of
microphone/speaker combination. To its right is a 19-pin receptacle that
carries the red and black interfaces plus the interface for an (optional)
remove control unit. It should be connected to the external military
transceiver, which in this case was a Transworld RF-7000.
At the right are two rotary MODE selectors. The upper one acts as the power
switch. It has four positions and selects between PLAIN, Secure (CIPH) and
Command (CMD) modes. The other one has three positions, one of which (SYNC)
is momentary. It is used to synchronise the equipment at the beginning of a transmission. At the centre are the Liquid Crystal Display (LCD), which can
be covered by a hinged 24-button keypad. To the left of the LCD is a 9-pin
D-sub socket for connection of a key loader. Above the socket is an LED
indicator for the audio level.
|
DSP-9000 Base Base station (shown here) DSP-9000 HS Handset DSP-9000 Implant board
|
TCC is particularly vague about the
exact technology it uses for securing speech.
In the brochure it is
claimed that the device features an
Enhanced Domain Transform (EDT) algorithm, controlled by
a highly non-linear digital key stream generator [A].
Each group of devices has a fixed internal System Key,
which is different for each customer. In addition,
TCC also offers tools for algorithm customisation, suggesting
that the customer has some control over the algorithm.
Unfortunately, the manufacturer does not explain what EDT is
and gives no details about the key generator.
Although the device is digitally controlled — the key stream is
generated digitally, and processing is done in the digital domain —
the nature of the device is analogue. Voice data
is digitised and then transformed using three different
DSP-based techniques, after which it is converted back to the analogue domain (audio).
The resulting signal has the same 3 kHz bandwidth as the orginal voice signal
which means that it can be transmitted over existing
narrow-band radio channels.
The 6 patent applications listed at the
back of the device are not
very helpful either. They all refer to older techniques of which it is
doubtful that they are used in the DSP-9000.
Furthermore, one of them (3,691,414) is clearly a misprint as it refers
to an unrelated subject.
The last one is from 1981 and describes
a two-dimensional scrambler that operates in the
frequency and time domain (F/T).
This technology is also used by
other manufacturers and is known to
be vulnerable.
As with any voice scrambler,
the fact that the keystream is highly non-linear
and that digital processing techniques are used in the scrambling
process, doesn't mean that it is secure.
|
PLEASE HELP —
If anyone has further information about the processing techniques and/or the
key generator used in the DSP-9000, we would be delighted to hear from you.
We would also like to know whether (and if so, how) this device has been broken.
➤ Contact us
The interior of the device can be accessed by loosening the four long bolts
at the corners of the rear panel, after which the case shell can be removed.
This reveals the interior, which consists of a front panel and one or two
printed circuit boards (PCBs) that are plugged into the front panel.
It is currently unknown whether the second board is mission or optional
(e.g. for duplex operation).
The board is built around a Motorola DSP56001 digital signal processor (DSP)
with 8KB of static RAM (SRAM) and firmware in three EPROMs. In addition
there is a custom chip made by Actel, which is actually a one-time programmable
(OTP) Field Programmable Gate Array (FPGA). The unit is controlled by a
Z80 microprocessor with 32KB SRAM and firmware in a single
EPROM. As timing is critical, a highly accurate 4 MHz temperature
compensated crystal oscillator (TCXO) is present.
The cryptographic keys for the internal key generator, and several other
parameters are kept in SRAM memory and are retained by a lithium battery
that is located at one of the corners of the board (the part with the yellow
label). Next to this backup battery is a so-called tamper switch,
which ensures that the keys are purged as soon as the case is opened.
|
|
At present we are unable to test this device as we have insufficient information
about the connections at the front panel. Furthermore, we do not know
whether or not a second PCB is required in the upper
slot of the front panel PCB.
Any further information would be appreciated.
|
1992 First development of DSP-9000 1993 Introduction of DSP-9000 line 2007 Embedded in radio equipment for Afgan forces 2009 $10 million order for Afgan forces 2013 Order for DSP-9000 equipment for Afgan forces
|
|
The DSP-9000 has a standard 6-pin socket, located at the top left of the
front panel, for connection of a handset or headset. It is wired to the
American U-229 standard.
|
- GND
- Speaker
- PTT
- Microphone
- Unused
- Unknown
|
|
|
Also at the left of the front panel is a 19-pin receptacle for connection
of the radio equipment. It contains the wiring for the red interface
(unencrypted) and the black interface (encrypted). This receptacle also
allows the connection of a remote control unit.
The wiring is currently unknown.
|
|
To the left of the display, behind the hinged keyboard, is a 9-pin female
DE-9S receptacle for connection of a
proprietary key fill device. The wiring of this connector is currently unknown.
|
Device Voice scrambler Model DSP-9000 Manufacturer TCC Years 1992 - 2022+ Country USA Users Argentina, Austria, Afganistan Scrambling Enhanced Domain Transform (EDT) Response 200 - 2800 Hz (400 to 2500 Hz minimum) Key types Local key, Network key, System key, Initialization Vector (IV) Key space 1.54 1099 (~ 329 bits) Including IV 1.01 10104 (~ 346 bits) Key storage Two EEPROM banks of 400 keys each Key fill SmartModule Reference TCXO crystal oscillator Data mode 1200 baud Sync In-band frequency shift keying (FSK) 74-bit sync burst Temperature -20°C to +60°C Storage -40°C to +85°C
|
Local keys EEPROM Network key EEPROM System key EPROM IV Generated automatically at each PTT-press
|
|
|
Enhanced Domain Transform
EDT
|
|
|
- Cryptographically controlled
- Three distinct DSP-based audio manipulations
- Retains 3 kHz bandwidth
|
- US Patent 3,610,828, Privacy Communication System
Alfred L. Girard for TCC. Filed 23 May 1967.
- US Patent 3,691,464, Asynchronous swept frequency communication system 1
David S. Dayton for TCC. Filed 25 November 1968.
- US Patent 3,723,878, Voice Privacy Device
Charles K. Miller for TCC. Filed 30 July 1970.
- US Patent 4,195,202, Voice privacy system with amplitude masking
Arnold M. McCalmont for TCC. Filed 3 January 1978.
- US Patent 4,276,652, Secure communication system with improved frequency-hopping arrangement
Arnold M. McCalmont for TCC. Filed 2 October 1978.
- US Patent 4,392,021, Secure facsimile transmission system using time-delay modulation
Matthew W. Slate for TCC. Filed 28 July 1980.
- US Patent 4,433,211, Privacy communication system employing time/frequency transformation
Arnold M. McCalmont for TCC. Filed 4 November 1981.
|
-
On the rear of the device,
this patent is listed as 3,691,414
but this is probably a misprint as it refers to a Siemens patent for
a stepper motor.
|
|
|
|
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Thursday 04 August 2022. Last changed: Monday, 06 March 2023 - 09:01 CET.
|
|
|
|
|
