KSD-64 A   PK-64KC
Key Storage Device

KSD-64 is a Key Storage Device (KSD) developed by/for the US National Security Agency (NSA) and manufactured by Datakey Electronics in Savage (Minnesota, USA), for use with electronic cryptographic equipment like the STU-III series of secure telephones. It is typically used as a Crypto Ignition Key (CIK) in key-splitting applications, but can also be used for other purposes.

The image on the right shows a typical KSD-64 key, which looks like a plastic toy key. Hidden inside the device is a custom-made parallel EEPROM with 64 Kbits of storage capacity. The 28 contacts of the EEPROM are located between the plastic teeth at either side of the key shaft.

Devices supporting the KSD have a so-called keyceptacle into which the key can be inserted. Once inserted, the key is activated by rotating it (90°) like a domestic key, until it clicks. In that position, the 28 contacts along the key shaft are connected to 28 contacts inside the keyceptacle.
  
KSD-64 Key Storage Device

When used as a CIK, the key contains a random number (generated internally by the phone when the keys are loaded) that is used to encrypt the actual cryptographic keys stored inside the phone. This way, a phone without its CIK, or a lost CIK on its own, is meaningless and will not reveal any information about the cryptographic keys. Only when the CIK is inserted into the phone it is paired to can the original keys be recovered and the phone be operated.
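A minimal model of the key split described above, added here as an illustration and not taken from the STU-III or any Datakey product. The wrapping method (XOR with a random value plus an HMAC-SHA256 pairing check), the `Terminal` class and the 32-byte key size are all assumptions, since the page does not describe the actual algorithm.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # assumed size; the page does not give key lengths


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Terminal:
    """Toy phone that keeps its keys only in CIK-wrapped form."""

    def __init__(self) -> None:
        self.wrapped = None  # what remains in the phone's own memory
        self.check = None    # lets the phone recognise its paired CIK

    def load_keys(self, traffic_key: bytes) -> bytes:
        """Wrap the key under a fresh random value; return that value,
        which is what would be written to the CIK."""
        if len(traffic_key) != KEY_LEN:
            raise ValueError("unexpected key length")
        cik_value = secrets.token_bytes(KEY_LEN)
        self.wrapped = xor(traffic_key, cik_value)
        self.check = hmac.new(cik_value, self.wrapped, hashlib.sha256).digest()
        return cik_value

    def insert_cik(self, cik_value: bytes) -> bytes:
        """Recover the key, but only with the CIK this phone was paired to."""
        if self.wrapped is None:
            raise RuntimeError("no keys loaded")
        tag = hmac.new(cik_value, self.wrapped, hashlib.sha256).digest()
        if len(cik_value) != KEY_LEN or not hmac.compare_digest(tag, self.check):
            raise PermissionError("CIK is not paired with this terminal")
        return xor(self.wrapped, cik_value)


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_LEN)       # constructed sample key
    phone, other = Terminal(), Terminal()
    cik, other_cik = phone.load_keys(key), other.load_keys(key)
    assert phone.insert_cik(cik) == key      # paired CIK unlocks the phone
    # Ignoring the check value, the wrapped blob fits any guessed key:
    guess = bytes(KEY_LEN)
    assert xor(phone.wrapped, xor(phone.wrapped, guess)) == guess
    try:
        phone.insert_cik(other_cik)          # CIK from another phone
    except PermissionError as exc:
        print("rejected:", exc)
```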

The KSD-64 was used for many years with the STU-III range of secure telephones and survived at least four US Presidents. One famous example of the use of a KSD-64 is a photograph of US President George W. Bush who makes a secure call immediately after the first attack on 9/11.

The image on the right shows a close-up from that image, in which he uses a Motorola SECTEL STU-III phone, with a KSD-64 installed in the phone. The white label indicates that this KSD-64 is used as a Crypto Ignition Key (CIK).

With the STU-III telephones phased out, the KSD-64 is no longer in production. It was replaced by the compatible PK-64KC, which has meanwhile been phased out as well (2014) [3]. The images below show a typical KSD-64A key, used with a Motorola SECTEL 2500 secure telephone. Other types of Key Storage Devices, also manufactured by Datakey, are used with later encryption devices, such as the KIV-7. Such KSDs generally contain a serial EEPROM with some intelligence.

KSD-64 Key Storage Device
A KSD-64 with a Motorola tag
Inserting the KSD-64 into a Motorola SECTEL phone
Turning it clockwise for security activation
The KSD-64 used as a FILL key for the Motorola SECTEL
PK-64KC Key Storage Device
PK-64KC with a Motorola Tag
KSD-64A and PK-64KC on a single key chain

Possible uses
The KSD-64A can be used for the following applications:

  • CIK - Crypto Ignition Key
  • FK - Fill Key
  • TAK - Terminal Activation Key
  • SAK - Security Activation Key
  • TAK - Traffic Activation Key
  • Master CIK
  • Simple firmware updates and patches
Interior
The x-ray image 1 below shows what is inside the KSD-64. At the centre is the actual EEPROM chip, which is wire-bonded to a leadframe, which itself is mounted onto a PCB with gold-plated contacts along both of its long sides. These contacts mate with the contacts in the keyceptacle.

The complete assembly (chip, leadframe and PCB) is cast in a durable chemical-resistant plastic key-shaped body, which can be carried on a keychain, just like a regular key. The structures of the silicon EEPROM chip itself are not visible, as the x-rays are absorbed by the rectangular part of the frame, onto which the chip is glued. In the close-up, however, the bonded wiring is clearly visible. Further x-ray images, including images of its replacement, the PK-64KC, are available below.

  1. Images made with Creative Electron TruView Prime.

KSD-64 interior
PK-64 KC interior
Close-up of the KSD-64
Close-up of the PK-64KC
Close-up of the chip inside the KSD-64
Close-up of the chip inside the PK-64KC

Replacement   PK-64KC
The KSD-64 has been superseded by the compatible PK-64KC, which is shown here, and more recently by the PKA-64KC. These devices have the same storage capacity as the earlier KSD-64 and fit the same keyceptacle.

The only visible difference is the smaller grip. The replacement keys are also manufactured by Datakey Electronics [A] and are fully compatible with the old KSD-64A.

PK-64KC Key Storage Device

Keyloader   PKS-703
The cryptographic key or other sensitive key material is loaded into the KSD-64 and PK-64 by means of a PKS-703 keyloader, connected to a PC with appropriate software. It can be used to clear a key, to write new data into a key, and to read (or clone) an existing KSD-64 key.

The PKS-703 consists of a small plastic box with a Keyceptacle for a KSD-64 key at the front. An internal 8051 microcontroller with a simple data protocol allows the key to be accessed from any computer with the appropriate software.

The image on the right shows a typical PKS-703 keyloader as part of a key distribution system. It can be placed on a desktop, beside or on top of a PC, and connects to the standard COM port (RS-232) by means of a 9-pin sub-D plug (DE9). An optional (heavy) metal cradle was available to prevent the interface from slipping off the desk.
  
PKS-703 Datakey keyloader (reader/writer)

The PKS-703 can write each byte of the 8 KB (64 Kbit) EEPROM inside the KSD-64 individually, or write the entire memory at once. There is no intelligence inside the KSD-64; it is just a plain Electrically Erasable Programmable Read Only Memory (EEPROM). Creating a valid cryptographic key for a certain purpose and/or security level is up to the software driving it, which commonly takes the form of some kind of Electronic Key Management System (EKMS).

Datakey PKS-703 keyloader
Entering a KSD-64
Key fully inserted
Rotate 90 degrees to activate
KSD-64 installed in the PKS-703 keyloader
PKS-703 Datakey keyloader (reader/writer)
Close-up of the Keyceptacle inside the PKS-703
Bare Keyceptacle

STU-III
The KSD-64 and KD-64 devices were typically used with the STU-III secure telephone units from various manufacturers, such as Motorola and AT&T (Lucent). They were also used for the Motorola SECTEL range of secure civil phones.

Motorola SECTEL 2500 with CIK

Motorola STU-III phones with Type 1 and Type 2 encryption
AT&T (later: Lucent) STU-III phones
Motorola SECTEL range of secure phones
GE/RCA STU-III third generation secure telephone unit

Other Key Storage Devices
The manufacturer of the KSD-64, Datakey Electronics, produces a wide range of different key storage devices, ranging from simple unique identifiers, to CryptoMemory storage devices.

Most keys are available in a variety of different enclosures and a choice of interfaces [1], such as the DK-series that was used with early versions of the KIV-7.


Video
In 2019, being short of spare KSD-64 keys, US crypto collector John McMaster started a project to duplicate the keys by means of 3D printing and alternative hardware. On 3 August 2019 he presented the intermediate results of his efforts in a 3½ minute video on YouTube.

Glossary
Below, some expressions and acronyms related to the KSD-64 are explained. For additional explanations, please refer to the Crypto Glossary.

CIK   Crypto Ignition Key
A physical token (usually an electronic device) used to store, transport and activate the cryptographic keys of electronic cipher machines. (Wikipedia)
FK   Fill Key
KC   Keyceptacle
Registered trademark of Datakey for a Key Receptacle.
SAK   Security Activation Key
TAK   Terminal Activation Key
Documentation
  A. Datakey Electronics, PK Series Datasheet
    Retrieved December 2010.
References
  1. Datakey Electronics, Memory available and standard form factors
    Retrieved December 2010.

  2. Datakey Electronics, Lowering the high cost of security - STU-III
    July 2006. Retrieved March 2013.

  3. Datakey Electronics, Parallel Keys End-of-Life (EOL) Notice
    Product Change Notice (PCN) 20141103. 14 November 2014.

  4. Paul Plitzuweit, A 30-Year Run for the Parallel Key Line
    Datakey Electronics website. 4 December 2014.
Crypto Museum. Created: Friday 03 December 2010. Last changed: Monday, 05 August 2019 - 06:54 CET.