|
|
|
|
Phone USA NSA STU-III → STU-II/B → ← STU-I
Second generation secure telephone unit
The STU-II was the second generation
Secure Telephone Unit (STU)
introduced by the NSA in the 1980s.
It was the successor to the STU-I,
and replaced older systems like the extremely bulky KY-3.
The STU-II is also known as the KY-71 or TSEC/KY-71.
It uses an LPC/APC vocoder and the GCHQ/NSA-developed
SAVILLE encryption algorithm.
It came as a two-piece system.
In the 1990s, STU-II was replaced by the much smaller
STU-III
and for NATO by the STU-II/B (KY-71D).
|
STU-II was built by ITT, using Northern Telecom as a sub-contractor.
A complete terminal (endpoint) consisted of a large metal cabinet
with the electronics
(the actual KY-71) and a telephone-style desktop unit, known as the HYX-71,
that was used to control it (i.e. the user interface).
The image on the right shows the HYX-71 desktop unit, that was connected to
the KY-71 cabinet by means of a 9-way cable.
It's a fairly large desktop phone, with a special handset,
a regular numeric keypad, several
indicator LEDs and three extra MODE-buttons at the bottom.
|
|
|
Once a call had been established in CLEAR mode, the user had to press the
SEC-button
to 'go secure'.
As the STU-II uses the same LPC-10 vocoder as the later
STU-III, there is always a 10 to 15 second delay
before secure mode is activated. During this stage, the keys are exchanged.
In addition, it was also possible for the calling party to initiate a call
directly in encrypted mode.
Voice data was transferred at 2400 baud, resulting in a very synthetic sound.
Although speech was relatively clear, it was impossible to recognize the speaker
at the other end. Certain versions of the STU-II were able to use 9600 baud,
but given the rather poor quality of telephone lines, 2400 baud was used in
most cases. When in half-duplex secure mode (simplex), the user had to press the
so-called Push-To-Talk switch (PTT), inside the grip of the receiver, when speaking.
Key material was handled by a so-called Key Distribution Center (KDC), which
was NSA-operated. Alternatively, net keys could be transferred to the STU-II
by means of a KOI-18 or KYK-13
key transfer device.
Approximately 10,000 STU-II units were built [1].
Over the years, a number of STU-II compatible devices were introduced,
including the Dutch Spendex 40.
In the US, the STU-II was replaced in the
1990s by the much smaller, far cheaper and more capable
STU-III.
For use by the Army and for NATO, it was replaced by a special version
of the STU-III,
known as STU-II/B.
|
Although the STU-II was much smaller than its predecessor, the
STU-I,
it was still too large to be placed on a desktop. For this reason, the unit
was housed in a separate enclosure (KY-71), whilst special telephone sets were
used to operate it (HYX-71). The drawing below shows the basic setup of
the STU-II. The reason for the strange sloped design of the KY-71 case is
unknown.
The sloped front panel of the KY-71 holds a control panel that is used for
selecting the mode of operation and for loading the key variables. It also
has a 2-digit 7-segment display that shows the current state of the device
and a slot (at the bottom left) for the Crypto Ignition Key (CIK).
The right half of the control panel holds the 9-position MODE selector
and the INITIATE button. The latter is used to initiate a KEY-loading
operation or for selecting the appropriate key variable. During normal
operation, the MODE-selector is either set to KDC or NET. In KDC mode,
the unit relies on the presence of an external
Key Distribution Center that is called for activation of the keys.
This KDC is no longer in operation today.
At the far right are two slide-switches. The upper one
is used to set the data transfer speed of the terminal at 2400 baud (24)
or 9600 baud (96). The lower switch is used to select between
Half-duplex (HDX) and Full-duplex (FDX).
|
By using an (optional) expansion unit, the so-called J-BOX or Junction Box,
it was possible to connect up to five additional HYX-71 telephone sets to the
KY-71. The J-BOX consisted of a rectangular metal case with 7 sub-D
sockets (2 x 25-way and 5 x 15-way female sockets). It had no controls
or indicators and was usually built inside a 19" rack, together with the KY-71.
The image above shows the layout of the connector panel of the KY-71 J-BOX.
The 25-way socket at the left connects the J-BOX to the KY-71 terminal.
The next five sockets are used for connecting the additional
HYX-71 telephone sets. A complete multi-user setup looks like this:
The KY-71 can handle only one call at a time. Any incoming call is routed
to the handset that is picked up first. When a handset is dialling out,
the other handsets can not be used to place a call. In a multi-user setup,
the KY-71 can be used as a mini-PABX and calls can be placed between
the extensions by dialling their single-digit number. They can also be used
for conference calls.
|
The KY-71 introduces the concept of a so-called Crypto Ignition Key (CIK).
The CIK-71 is a rectangular module that should be inserted into a special slot
to the left of the control panel. It contains a small non-volatile memory
unit that is used to store the Key Encryption Key (KEK).
The image above shows an educated guess of what the STU-II CIK looked like.
It had a metal enclosure with a connector at the bottom. The metal tag at
the top contains the product ID (CIK-71) and the serial number. When loading
key variables into the KY-71, the keys are encrypted with a so-called
Key Encryption Key (KEK) that is randomly generated by the terminal. The
KEK is then stored inside the CIK. This way, the KY-71 and the CIK are paired.
When the CIK is removed, the key variables
inside the KY-71 become meaningless. Likewise, a bare CIK is useless on
any other KY-71 terminal and does not reveal any information about the
actual keys.
|
The KY-71 has a standard (5-pin or 6-pin) U-229 socket
for the connecting
of a key distribution device or key filler,
such as the KOI-18
or the KYK-13.
Each KY-71 can hold two key variables: a NET variable (VN),
for keys that are shared between multiple parties,
and a UNIQUE variable (VU).
|
Key variables for the STU-II were supplied on 8-level paper
tape and read into the device with a KOI-18
or a similar device.
The KOI-18 was connected to the FILL socket of the KY-71 by means of a short
cable and the MODE selector on the KY-71 was set to LOAD.
After pressing the INITIATE button,
the tape was slowly pulled through the key filler at a constant speed.
It was also possible to use a KYK-13 key filler.
In that case, the KOI-18 was used to load the key variables into the
KYK-13 and the KYK-13 was then used to load the keys into the KY-71.
|
|
|
The advantage of using a KYK-13
is that it can hold up to 6 different
keys in its internal memory. The image above shows how the KYK was used
to load keys into a KY-71 terminal [17]. The KYK-13 is mounted directly
to the FILL socket of the KY-71. After selecting the required key variable
compartment on the KYK-13, the INITIATE button of the KY-71 is pressed.
During key loading, the ALARM light should briefly flash.
Once the key is loaded, the display should show '01'.
|
In case of an imergency, the crypto variables that are stored
inside the KY-71 should be purged immediately by executing the
ZEROIZE procedure. This should also be done when the loaded keys
are no longer needed. Zeroizing is a 2-step operation.
Press the ZEROIZE knob and rotate it to the
ZEROIZE position. Then turn the knob back to NORMAL
in order to resume normal operation.
|
The history of the STU-II starts with the development of the earlier and
bigger STU-I device in the late 1960s and early 1970s,
after the NSA had recognised telephone communication as one of
the major security threats.
Initially it was tried to solve this issue by setting up
AUTOSEVOCOM, a secure version of the existing Defence Communication
System (DCS), called AUTOVON.
This system appeared to be too expensive
and too cumbersome and was abandoned in the late 1960s, after some
1850 terminals had been installed [2].
Problems with existing systems had shown that speech quality was too bad
on narrowband systems, and that it was difficult to distribute
cryptographic key material to the users. As a result, many users were still
using standard (plaintext) telephones.
In the late 1960s, the NSA defined the design goals for a digital Secure
Telephone Unit (STU) that would solve the existing problems.
The problem of voice quality was solved by using a revolutionary technique
called Linear Predictive Coding (LPC), which greatly improved voice quality
in narrowband systems. The key distribution problem was solved by introducing
the concept of the Key Distribution Center (KDC).
In the light of the Vietnam War, GCHQ
and the NSA had developed a highly secure
light-weight high-quality encryption algorithm, known as
SAVILLE,
for use in COMSEC devices such as VINSON KY-57
and KY-58.
The same SAVILLE encryption algorithm was used in STU family [4].
The first generation of the new system was called STU-I
and was technically successful in that it allowed secure voice communication
in full-duplex over standard (analogue) telephone lines, with a relatively
good speech quality.
Other design goals, such as the size of the unit and the price tag,
had failed. So immediately after the introduction of the
STU-I,
the NSA started development of the 2nd generation, known as STU-II,
which should be much smaller and more affordable.
|
Development of the STU-II took from 1977 to 1980, and the units were in
production from 1982 to 1986 [3]. By 1986, some 10,000 units had
been delivered to a range of (approved) users world-wide. At US$ 13,000
per unit, the STU-II was much cheaper than its predecessor the STU-I
(at US$ 35,000 per unit), but still way above the initial target price of US$ 5000.
Although the STU-II was about half the size of the STU-I, it still wouldn't
fit on a desktop and was commonly installed in large cabinet similar to the
one used with the STU-I. The image on the right shows a photograph [9] of an
STU-II unit that is on display at the NCM [10].
It is currently unknown whether any complete STU-II units (apart from
the handset) have survived.
|
|
|
The STU-II was in operation during the Reagan Administration (1981-1989) [12]
and was used on several occasions (see below).
Being keen on secure communications, President Reagan strongly supported
the wide-spread use the STU-II, and in 1982 Deputy Secretary of Defense Frank
Carlucci, decided to buy 5,000 STU-II sets and allocated US$ 120 million
for the program [13].
In 1982, at an evaluation meeting at the DoD/DARPA [7], Joel Feldman of
MIT Lincoln Laboratory demonstrated a single board LPC coder that was
built around three NEC µPD7720 first-generation DSP chips.
Around the same time, Philips Usfa
in the Netherlands, introduced the
STU-II compatible Spendex 40 unit,
that had a
nearly identical implementation
of the LPC vocoder.
This proved that it was possible to implement the entire STU-II system
as a desktop unit, and convinced the director of the NSA to initiate
the development of the STU-III
[3].
|
From an anonymous contributor we received the following two instruction
videos about the use of the STU-II [16][17]. They were issued in 1984 by
the NSA and are marked For Official Use Only.
|
The above video is titled 'Using your STU-II'
[16] and contains
a brief introduction in the various components of the STU-II
and its use. It shows how to enter the Crypto Ignition Key (CIK),
how to place a call in initial clear or initial secure
mode, and how to connect multiple telephone sets.
|
For the more technically minded, the above video,
titled 'STU-II rekeying'
[17] shows how keys were entered
into the KY-71 by means of KOI-18
or KYK-13 key fill device.
It also shows how the keys, distributed on punched paper tape,
could be transferred from a KOI-18 to a KYK-13.
|
Whenever an American president is travelling or is on holidays, he
needs to be able to speak with his advisors and staff at the
White House and the Pentagon within seconds whenever emergency strikes.
A the time of the STU-II, it would be installed in a room in the
vicinity of the president.
|
In 1983, the Caribbean Island of Grenada with its 91,000 population,
lost its revolutionary government to a bloody military coup.
Grenada is a former UK colony that became independent in 1974.
As it is located south of the United States (and east of Cuba),
the Organization of American States (OAS) asked the US to intervene.
The US started planning Operation Urgent Fury on 22 October 1983
and started the invasion of Grenada just a few days later on 25 October
1983 [14].
Around the time of the coup, US President Ronald Reagan was staying
at the Augusta National Golf Course in
Georgia (US). As the invasion would take place less than three days
later, it was important to have secure conversations with the Pentagon.
The image above shows former US President Ronald Reagan at the
Eisenhower Cabin at the Augusta National Golf Course where, late
in the evening of 22 October 1983, he uses a STU-II.
Please note that the telephone set on the table aside him is just the
terminal; the actual STU-II itself is located in the adjacent room [15].
The image above is taken around the same time as the previous one.
It shows National Security Advisor Bud McFairlane (left), Secretary
of State George Schultz (center) and President Ronald Reagan (right)
in the Eisenhower Cabin at the Augusta National Golf Course in
Georgia (US) on the evening of 22 October 1983. The STU-II is still
visible on the table at the right of the image [13].
|
As we do not have a complete STU-II in our collection (terminal and mainframe),
we are unable to show its interior. It is known however that it is built around
a Quintrel processor that handles the modem and the
LPC-10 CODEC.
The device contains three crypto engines — two encryptors and one decryptor —
one of which is handled by the Quintrel processor as well [18].
|
Shortly after the development of the STU-II had been completed (1980),
Dutch Defense contractor Philips Usfa started
development of a STU-II compatible crypto phone that would fit on a desktop
whilst meeting the (TEMPEST) requirements of the Department of Defence (DoD)
and NATO.
|
The new unit was called Spendex 40
and was introduced around 1983, shortly after the STU-II had gone into
production. Although relatively large and heavy, the Spendex 40
was much smaller than the STU-II and was a truely portable device.
It is shown in the image on the right.
Spendex 40 was available in a 2-wire and 4-wire version,
and introduced the concept of the CIK (Crypto Ignition Key),
a large blob connected at the front, that was used to protect the crypto
keys stored inside the device. Keys were loaded by means of a standard
fill device (e.g. KYK-13).
|
|
|
By special arrangement with the NSA, Philips was one of the
first companies to be allowed to implement the highly secret
SAVILLE algorithm
in their own custom-designed
crypto chip, the OQ4430. This enabled
Philips to sell the Spendex 40 to the Dutch Government and to NATO.
Philips had managed to implement a much smaller version of the LPC-10 vocoder,
by building it around three NEC µPD7720 first-generation DSP chips,
nearly identical to the LPC implementation of MIT Lincoln Laboratory
that was demonstrated to the director of the NSA on 3 June 1982 [7].
According to eye-witnesses at Philips Usfa in the early 1980s,
visiting NSA inspectors were very suprised by the higher speech quality
and the much smaller size, compared to the STU-II [8].
➤ More about the Spendex 40
|
In the light of a bi-lateral agreement between the USA and NATO,
some European countries were allowed to develop their own STU-II compatible
devices.
Following the Philips Spendex 40
in the early 1980s, Siemens
developed the Elcrovox 1/4 in the late 1980s.
The initial version implemented SAVILLE in firmware, but was turned
down by the NSA who insisted on a hardware implementation.
Siemens then developed a dedicated SAVILLE chip.
➤ More about the Elcrovox 1/4
|
|
|
Shortly after development of the STU-II was finished (1980), Joel Feldman
demonstrated a single-board implementation of the LPC vocoder at a DoD/DARPA
meeting on 3 June 1982 [7]. The new vocoder was based around three NEC
µPD7720 first-generation DSP chips and was developed at the Lincoln Laboratory
at MIT. It proved that a much smaller implementation of the LPC vocoder
was possible and that DSP-technology offered improved speech quality
at the same time.
|
Around the same time, engineers at Philips Usfa
(Netherlands) had already implemented a nearly
identical LPC vocoder in the STU-II compatible
Spendex 40 (see above)
which was much smaller and had improved speech quality as well [8].
These experiences proved that is was possible to create a single-unit STU
device that would fit on a desktop. In 1984 development was started
of the next generation STU-III devices that would be
even smaller.
Production of the STU-III started in 1987 and lasted well into the 2000s.
Most units were built by Motorola
(e.g. SECTEL).
|
|
|
In the early 1990s, the NSA introduced the STU-II/B.
It was built by Motorola and was intended to
replace all STU-II compatible devices, including the STU-II itself and the
Philips Spendex 40.
The design was based on the new STU-III hardware,
but for historical reasons the designator STU-II/B was used for the Army.
This was probably done to allow a smooth transition from the original STU-II.
The most significant difference with the STU-III,
was the presence of a standard U-229 socket
at the rear of the device, allowing a key filler,
such as the KYK-13, to be connected.
➤ More about the STU-II/B
|
Compared to a standard DTMF telephone set, the STU-I terminal has
an extra row of keys to the right of the usual keys. These keys
were provided for compatibility with the AUTOVON (and later: IVSN)
non-secure telephone network used world-wide by the Department
of Defence (DoD) [11].
|
AUTOVON (Automatic Voice Network) was a military phone system that was
designed in the US in 1963 to survive nuclear attacks.
It allowed non-secure voice calls with precedence (piority override).
In the late 1960s, the DoD started the roll-out of a secure version
of AUTOVON, called AUTOSEVOCOM, but this project was cancelled
a few years later due to problems and high cost.
The STU-I allowed secure
calls over the non-secure AUTOVON network.
Later crypto phones, like the STU-II,
the STU-II/B
and the Spendex-40,
featured the same AUTOVON compatibility.
|
|
|
IVSN was the Initial Voice Switched Network developed by NATO
in the mid-1970s for unclassified voice calls. It was designed to replace
the cumersome and expensive AUTOSEVOCOM network. Starting with 4 switches in
Europe in 1980, the system grew to 24 switches at the peak of its use in the
mid-1980s. The blue telephone set shown above was used with this network.
When IVSN was officially closed down on 30 November 2005 it still consisted
of 18 switches, some of which were still in use in 2011 [11].
IVSN had four levels of priority override:
|
FO Flash override F Flash I Immediate P Priority
|
The four extra keys generate DTMF-signals in the rarely used
1633Hz column. On some later keyboards, these keys are sometimes called
A, B, C and D.
After a nuclear attack, it would be very difficult for government officials
to obtain a free telephone line, as nearly everyone would try to make a
phone call.
By pressing the letter P, the user would signal the switch
to appoint a free line by priority. Higher ranking officials were allowed
to press I (Immediate) to get a higher priority.
Military users were allowed to press F (Flash) in order to get a free
line nearly instantly.
It was thought that only the president and his circle were allowed to
use FO (Flash Override) to give them the highest possible priority.
Note that not all levels of priority were available to each subscriber;
it had to be assigned to specific nodes first.
➤ More about AUTOVON
|
Device Encrypted telephone Purpose Confidential diplomatic and military voice traffic Model STU-II Designator KY-71 Developer NSA Manufacturer ITT, Northern Telecom Development 1977-1980 Production 1982-1986 Predecessor STU-I Successor STU-III Vocoder LPC-10 Encryption SAVILLE Modes Bellfield KDC, Net, Multipoint Key length 128 bits Quantity 10,000 Price USD 13,000
|
KY-71 Main STU-II terminal HYX-71 STU-II telephone set CIK-71 Crypto Ignition Key J-BOX Optional connection box for additional telephone sets
|
- Wikipedia, STU-II
Retrieved June 2011.
- Thomas R. Johnson, American Cryptology during the Cold War, 1945-1989
NSA 1998. Series VI, Volume 5, Book III: Retrenchment and Reform, 1972-1980.
Chapter 17, The New Targets and Techniques. pp. 142-144. 1
- Robert M. Gray, Linear Predictive Coding and the Internet Protocol
A survey of LPC and a History of Realtime Digital Speech on Packet Networks
Stanford University, 2010. Retrieved November 2012.
- Crypto Museum, The SAVILLE Encryption Algorithm
Interview with a former cryptographer at Crypto Museum, December 2011.
- Wikipedia, LPC-10 Vocoder
FS-1015 standard. Retrieved July 2011.
- Robert M. Gray, California Coding: Early LPC Speech in Santa Barbara,
University of California, Santa Barbara, 9 August 2004. Retrieved July 2011.
- Department of Defence, DARPA, et al., Packet Speech Program Review Meeting
3 June 1982. Department of Defense, Defense Advanced Research Projects Agency.
Massachusets Institute of Technology, Lincoln Laboratory.
- Anonymous, NSA inspection of Spendex 40 at Philips Usfa
Interview at Crypto Museum, Eindhoven, June 2011.
- Wikipedia, Image of STU-II Secure Phone
US Government photograph, photographed by Austin Mills (via Wikipedia).
Retrieved November 2012.
- National Cryptologic Museum (NCM), Display of an STU-II terminal
Retrieved June 2011.
- Wikipedia, AUTOVON
Retrieved November 2012.
- Wikipedia, Ronald Reagan
40th President of the United States (1981-1989). Retrieved February 2013.
- Thomas R. Johnson, American Cryptology during the Cold War, 1945-1989
NSA 1999. Series VI, Volume 5, Book IV: Cryptologic Rebirth, 1981-1989.
Chapter 21, The Reagan Revolution. pp. 295-296. 2
- Wikipedia, Invasion of Grenada
Retrieved February 2013.
- Reagan Library, Photographs of Ronald Reagan before the Invasion of Grenada
2nd photograph by Corbis. Retrieved February 2013. 3
- Instruction video, Using your STU-II
TVC-927. NSA, 1984. 4
- Instruction video, STU-II Rekeying
TVC-1027. NSA, 1984. 4
- Electrospaces.net, President Reagan using a STU-II telephone
19 February 2013. Comment by JC.
|
|
|
-
Declassified and approved for relase by NSA on 9 July 2007. Retrieved November 2012
-
Declassified and approved for relase by NSA on 14 January 2011. Retrieved February 2013.
-
Photographs kindly supplied by Peter Koop from his excellent blog.
-
This video has been donated by an anonymous contributor. At the start of
the video a caption 'For official Use Only' is displayed, followed by the
message: 'Reproduction of this program in whole or in part is prohibited
without written approval of the originating agency.'. Nevertheless, the name
of the originating agency appears neither in the video, nor on the tape.
We have therefore not been able to seek approval.
|
|
|
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Sunday 09 December 2012. Last changed: Saturday, 21 September 2024 - 21:23 CET.
|
|
|
|
|