Click for homepage
USA
NSA
Phone
  
STE →
  
Fortezza Crypto Card   KOV-8/12/14
NSA-approved PCMCIA Type 1 crypto card

Fortezza is a Hardware Security Module (HSM) that is implemented as a PCMCIA card. It was used as a plug-in unit for a variety of devices, such as the NSA's Secure Terminal Equipment (STE) and various PC applications. The primary application was for digital signatures and confidentiality in the US Defense Message System (DMS), the primary mail system of the US Department of Defense.

The initial Fortezza card contains the Capstone MYK-80 chip, an NSA-approved cryptographic processor that uses the Skipjack algorithm. It was developed for US Government's ill-fated Clipper Chip project and has been used in a variety of applications. The card is also known as KOV-8 and is classified as a Type 2 product, making it unsuitable for classified information.

It was followed by the KOV-12, which is a true Type 1 product that was cleared for use by the US Government up to the level of Top Secret. It was available in 2012 for approximately $240.
  

The image above shows a FORTEZZA-II (Plus) card, also known as KOV-14, which uses the later Mykotronx MYK-82 crypto processor. The version shown here was built by Spyrus (USA) around 1997, and was decommissioned in 2007. Fortessa Plus was used extensively for the Defense Messaging System (DMS), the primary mail system used by the US Department of Defense (DoD).

The Fortezza Card was introduced in 1993 [2] and was manufactured by Mykotronx and Spyrus [1]. After various improved versions, such as the Fortezza Plus, it was discontinued in 2007 [3]. It has since been succeeded by the KSV-21, which is backward compatible with the Fortezza cards and offers enhanced security. The KSV-21 is manufactured by SafeNet (formerly: Mykotronx). 1

  1. Now: Raytheon.

FORTEZZA-II Crypto Card (PCMCIA)
FORTEZZA-II Crypto Card
FORTEZZA-II Crypto Card, rear side.
FORTEZZA-II Crypto Card with storage wallet
The Fortezza Crypto Card stored in a protective black pouch
STE phone with Fortezza Crypto Card half-way in
Inserting the Fortezza Crypto Card in the STE
A
×
A
1 / 8
FORTEZZA-II Crypto Card (PCMCIA)
A
2 / 8
FORTEZZA-II Crypto Card
A
3 / 8
FORTEZZA-II Crypto Card, rear side.
A
4 / 8
FORTEZZA-II Crypto Card with storage wallet
A
5 / 8
The Fortezza Crypto Card stored in a protective black pouch
A
6 / 8
6 / 8
A
7 / 8
STE phone with Fortezza Crypto Card half-way in
A
8 / 8
Inserting the Fortezza Crypto Card in the STE

Personal Identification Number — PIN
The Fortezza card does not contain complete cryptographic algorithms. Instead, it should be seen as a toolbox that contains the necessary building blocks for cryptographic algoritms. When a card is ordered from the manufacturer, it is programmed in a accordance with the security clearence level of the buyer. The crypto card contains an on-board real time clock (RTC) which is powered by an internal battery in order to prevent date-spoofing. The battery lasts approx. 7 years after which the card needs to be replaced. In practice, the battery might last even longer.

Each card comes with its own unique Personal Identification Number (PIN), that needs to be entered by the user before the card can be used. The PIN can not be retrieved from the card as it is not stored on it. Entering a wrong PIN consecutively 9 times, disables the card permanently.


Fortezza Plus   KOV-14
A later version of the card was called Fortezza Plus or KOV-14. It is based on a Krypton MYK-82 microprocessor that contains building blocks for stronger Type 1 encryption algorithms such as the secret BATON. Like the KOV-12 it is suitable for classified information up to Top Secret. It is also known as FORTEZZA-II. The MYK-82 crypto chip contains an ARM7-TDMI RISC processor-core licenced by ARM Ltd (UK). It was developed by Mykotronx (USA) and manufactured by VLSI.

Fortezza Plus (KOV-14) was also used with the NSA's Secure Terminal Equipment (STE) for voice and data transmission. STE is the successor to the STU-III secure telephone. The Fortezza Plus card is inserted into a PCMCIA slot at the front of the phone and should be activated with a PIN.

The image on the right shows the crypto card half-way inserted into the PCMCIA slot at the front of the terminal. The card shown here was manufactured by Spyrus, the 2nd manufacturer of the cards. Spyrus discontinued its range of Fortezza products in 2007.
  

The Fortezza Plus card is now succeeded by the backward compatible KSV-21 Enhanced Crypto Card, which contains more modern cryptographic algorithms and offers additional capabilities [4]. It is manufactured by SafeNet (formerly known as Mykotronx).


PCMCIA
All Fortezza cards were implemented as a PCMCIA card. At the time, this was the most common standard for removable cards in a Personal Computer. Many portable PCs in the 1990s had one or more PCMCIA slots, and desktop computers could easily be equipped with an internal PCMCIA card holder. Because of their small size, PCMCIA cards were also suitable for stand-alone devices, such as crypto phones and other secure data products.

A similar solution was adopted by Crypto AG (Hagelin) in Switzerland. They developed the HCM-2000 Security Module that is used in many of their security products, including the HC-2203 crypto phone that is still available today. Please note that the HC-2000 is in no way compatible with the Fortezza crypto cards. The only similarity is the fact that they are both PCMCIA cards.

Over time, the PCMCIA standard has become less popular and was dropped by most PC vendors in favour of the more versatile and compact USB standard. As a gap-fill solution, PCMCIA card readers for USB were introduced by various manufacturers, such as the one show here.

The image on the right shows the Argus 2600 that was manufactured around 2002 by SSP Litronic. It was approved for use in combination with the Fortezza card and provided an alegant solution for current PCs and laptops without the need to replace the cards and/or the software.
  

In combination with a personal computer, the Fortezza card was used for high-speed authentication, secure mail, CD-ROM encryption, fax encryption, data encryption, etc. It was supported by a range of operating systems and computers, including DOS, Windows, SCO UNIX, Sun OS, Solaris, HP UX and Macintosh [6].

Spyrus, one of the manufacturers of the Fortezza card, later integrated the functionality of the Fortezza Plus into their LYNKS Series II Hardware Security Modules (HSM), together with a range of other crypto algorithms. They also developed an all-USB version of the Fortezza, which was no larger than the avarage memory stick. It contained all the functionality of the original Fortezza Plus card, whithout the need to add an internal or external PCMCIA interface to the PC. All Spyrus Fortezza products were discontinued in 2007 [3].

Fortezza II/FIPS 140-1 cards were used with:

  • US Defense Message System (DMS)
  • Microsoft Outlook
  • Lotus Notes
Interior
FORTEZZA cards were developed by Mykotronx and were manufactured by both Mykotronx and competitor Spyrus. The latter discontinued its FORTEZZA product range in 2007. The cards were implemented as a compact PCMCIA card, which contained only a few chips and a real-time clock.

The image on the right shows the Krypton Crypto Chip (MYK-82). It is an Application Specific Integrated Circuit (ASIC) which contains the cryptographic 'toolbox' plus an ARM processor core [5]. It was developed by Mykotronx and manufactured in 1997 by VLSI.

The main processor is driven by a small 20 MHz crystal that is mounted in a cut-out space of the PCB (right). The small chip to the right of the main processor is a DALLAS 1302 real-time clock. It is driven by a tiny 32 kHz crystal with is mounted to the right of the main 20 MHz crystal.
  

The entire card contains just 5 chips. Besides the main processor and the RTC, there are two RAM chips, giving a total of 64KB om memory, and a ROM which contains the firmware (software). At the rear of the board is the 3V flat-pack Lithium battery with its 7-year life span. The battery is used to power the Dallas real-time clock and prevents data-spoofing.

Opening the card
The opened Fortezza card
Front view of the PCB inside the PCMCIA card, showing the 5 chips.
Rear view of the PCB, showing the 3V Lithium battery with a life-span of 7 years.
MYK-82 Krypton Crypto Processor, developed by Mykotronx.
Close-up of the crystals and the RTC
Close-up of the RTC
Memory
B
×
B
1 / 8
Opening the card
B
2 / 8
The opened Fortezza card
B
3 / 8
Front view of the PCB inside the PCMCIA card, showing the 5 chips.
B
4 / 8
Rear view of the PCB, showing the 3V Lithium battery with a life-span of 7 years.
B
5 / 8
MYK-82 Krypton Crypto Processor, developed by Mykotronx.
B
6 / 8
Close-up of the crystals and the RTC
B
7 / 8
Close-up of the RTC
B
8 / 8
Memory

Features
  • Hardware-based cryptography
  • Tamper evident case
  • Industry standard cryptography
  • Advanced power management
  • On-card Real Time Clock (RTC)
  • FPGA for field firmware upgrades
  • WHQL XP certified cryptographic features
  • SKIPJACK encryption algorithm
  • Generate and load initialisation vectors (IV)
  • Hardware-based random number generator (RNG)
  • NIST SHA-1 hash codes (FIPS Pub 180-1)
  • NIST DSA signatures (FIPS Pub 186)
  • Set cryptographic mode (for temporary algorithm and mode switching)
  • Load, retrieve and delete certificates
  • Generate, use and delete data encryption keys
  • Set algorithms and modes associated with each user
  • Save and restore hash, encryption/decryption cryptographic states
  • Generate, load, install and extract public/private keys - DSA, KEA
  • Wrap and unwrap keys - SKIPJACK
  • Card management functions
  • Card configuration, status, cryptographic state
  • List keys and certificate registers status
  • Check and change user and administrator (4-12 byte) PINs
  • Initialize, reset and zeroize the card
Acknowlegements
  • Fortezza® is a Registered Trademark of the National Security Agency (NSA).
  • LYNKS® is a Registered Trademark of Spyrus Inc. (USA).
  • Powerdex is a Registered Trademarkt of Gould Electronics, Inc.
  • BATON is an NSA Type 1 cryptographic algorithm
References
  1. Wikipedia, Fortezza
    Retrieved September 2011.

  2. Spyrus, Continued Support for FORTEZZA HSMs 1
    Announcement of Fortezza II as part of its 10 years continued support.
    Spyris website, 14 November 2005.

  3. Spyrus, End of Life for SPYRUS FORTEZZA Crypto Cards
    Spyrus announces end-of-life (EOL) support for Fortezza Suite of Services.
    Spyrus website, 2 April 2007.

  4. SafeNet, Enhanced Crypto Card
    SafeNet website, brief description of the Enhanced Crypto Card.

  5. Secons Ltd., ARM-Development.com, ARM Devices
    Overview of processors containing ARM processor cores.
    Secons Ltd. 2006-2007. Retrieved February 2012.

  6. Jane's Military Communications, Fortezza Crypto Card
    Jane's Information Group, 10 August 2009.
  1. Page no longer available from the original website in 2018.

Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Friday 02 September 2011. Last changed: Wednesday, 24 August 2022 - 20:13 CET.
Click for homepage