National Security Agency
The US National Security Agency (NSA) is the cryptologic intelligence
and security agency of the United States Government, based
in Fort Meade (Maryland, USA). The NSA is part of
the American Department of Defence (DoD), and is responsible
for the collection (interception) and analysis of foreign communications
and foreign signals intelligence (signals intelligence and cryptanalysis).
The NSA is also responsible for the protection of US government communications and information systems from evesdropping by similar agencies from other
As such, the NSA has (co) developed a range of
cryptographic algorithms and
Most of these products were initially developed for use by the US military
and the US government, but some have been made available to restricted
commercial users as well, often as commercial off-the-shelf (COTS) products,
via various suppliers.
As part of the NSA's Center for Cryptologic History, the agency has its
own museum, called the National Cryptologic Museum (NCM),
just outside the main gates. The NCM is open to the public,
and serves as the agency's principal public gateway.
Below is a non-exhaustive overview of the various types of
encryption products developed and/or endorsed by the NSA.
As most of the NSA's work is classified,
there may be omissions or errors.
The information below is based on publicly available information about NSA
products, algorithms and protocols. We also show the evolution of the
NSA encryption products, along with examples of devices that contain
NSA algorithms. Finally, we show cases in which the NSA has intervened
in order to weaken an existing algorithm.
If you find any omissions or mistakes,
please contact us.
The NSA headquarters in Fort Meade (Maryland, USA) 
The cryptologic history of the NSA is layed out in several (internal)
publications that have been written over the years by NSA historians.
In recent years, the NSA has (partly) declassified some of these
publications, in particular the ones regarding WWII, the Cold War
and some other events.
These documents are available for download from the
Depending on the required (and allowed) level of security, the NSA has
defined various Types of encryption. The lower the number, the
higher the security level. E.g. Type 1 products are for use by the US
government for top secret material .
The following Product Types are known:
- Classified or sensitive US Government information - TOP SECRET
This includes algorithms such as AES(256),
that are used in products like the
STU-III secure phone
and many military communication products, like the
Type 1 products are only used by the US Government, their contractors, and
federally sponsored non-US Government activities, in accordance with the
International Traffic in Arms Regulations (ITAR).
Type 1 algorithms are also used by NATO
and by the administrations of some NATO countries.
- National Security Information
Includes products like CORDOBA, KEA and
SKIPJACK used in equipment
like the Cypris cypto chip and the
Fortezza (Plus) crypto cards.
It may be used for unclassified national security information.
The equipment is unclassified, but the algorithms and keys are.
Type 2 products are subject to International Traffic in Arms Regulations
- Unclassified sensitive US Government or commercial information
Also known as Sensitive, But Unclassified (SBU); used on non-national
Approved (unclassified) algorithms include
Tripple DES 1 ,
DSA and SHA.
A good example of a Type 3 product is the
CVAS III secure phone.
- Unevaluated commercial cryptographic equipment; not for government usage
The algorithms have been registered with
but are not
Federal Information Processing Standard (FIPS).
They may not be used for classified information.
DES has meanwhile been withdrawn as an official FIPS standard.
- Suite A
Unpublished NSA algorithms intended for highly sensitive communication and
critical authentication systems. Generally used in combination with Type 1
and 2 equipment.
- Suite B
NSA endorsed cryptographic algorithms for use as an interoperable base
for both unclassified and most-classified information.
Introduced on 16 February 2005.
(More on the NSA website...)
Another way of categorizing the encryption systems developed by or on
behalf of the NSA, is by looking at the evolution of their development.
This can be divided into several generations that are listed below.
More detailed information is available on
One of the first NSA products to be developed after WWII was the
It was introduced in the 1950s and was partly based
on the war-time SIGABA.
The KL-7 was used by the US Military and its NATO allies.
The daily keys were distributed on paper key lists.
- Vacuum tubes
In the 1960s and 1970s, electronic cipher machines with vacuum tubes (valves)
were developed. Punched cards were used for key distribution.
Some of these systems remained in use until the mid-1980s.
An example of a cipher machine based on vacuum tubes is the
KW-26 that was used by the US Navy.
- Integrated Circuits (ICs)
The next generation was developed during the 1980s and was
based on transistor logic, using integrated circuits
(ICs). This made devices significantly smaller and allowed for faster and
stronger cryptographic algorithms.
Keys were loaded through a standardized connector at the front panel of
each device. Initially they were distributed on punched paper tape that was
pulled though a reader (e.g. the
KOI-18) but these
were eventually replaced by
such as the KYK-13.
- Electronic Key Distribution
During the 1990s, more modern (commercial) electronics were introduced.
This allowed even smaller systems to be developed and introduced electronic
methods for key distribution.
At this stage, the electronic security token or Crypto Ignition Key (CIK)
was introduced, protecting the electronically stored keys and allowing for
easier key distribution.
An example of a CIK is the KSD-64
that was developed by the NSA for products like the
Motorola SECTEL 2500
secure telephone (STU-III).
Traffic Encryption Keys (TEKs) were distributed with a new generation of
electronic Data Transfer Devices
(DTD) such as the AN/CYZ-10.
- Network-centric systems
From 2000 onwards, communication is increasingly based on digital computer
networks, such as the internet. The NSA has developed an interoperable standard
called HAIPE to allow government, agencies and others to securely exchange
data over unsecure networks and satellite links.
An example of such a product is the
of embeddable KG-84 encryption devices.
Over the years, the NSA has developed and endorsed a common standard for
transferring keys (and other material) from a key distribution
center (KDC) to a supporting radio
or encryption device,
by means of an external FILL device.
Two versions of this standard are known:
- DS-101 — EKMS 603
This is the most recent transfer protocol that is used with the
current generation of FILL devices, radio sets and encryption equipment.
It superceedes DS-102 and can be used for transferring crypto keys,
frequency hopping data, software updates, etc.
- DS-102 — EKMS 608
This is a synchronous serial protocol that was used with the first
generation of Key Fill Devices, such as the
It is the predecessor of the DS-101 protocol, and
can be used for the distribution of key material and frequency hopping
Although most of the NSA's work on encryption is secret, some information
has been published in the past, either as part of the NSA's participation in
standards processes, or after an algorithm has been declassified.
Below is an (incomplete) overview of NSA-developed approved algorithms.
Cryptographic algorithm used in products like
AIM, SafeXcel-3340 and PSIAM.
- AES (256)
256-bit block cipher algorithm, used in numerous products.
Specified in FIPS 197.
Block cipher algorithm, used with products like
PKCS#11, CDSA/CSSM, AIM, Cypris, APCO Project 25, MYK-85,
SecNet-11, Sierra, SafeXcel-3340, PSIAM and the
NSA-developed cooperative key generation scheme, used for exchanging
EKMS public keys. Used in products like AIM, SafeXcel-3340, PSIAM,
- HAIPE IS
Interoperability Specification (IS) for the High Assurance Internet
Protocol Encryptor (HAIPE). Based on Internet Protocol Security (IPsec),
with additional restrictions and enhancements.
Used in products like KOV-26 (Talon),
KG-175 (TACLANE), KG-240A, KG-245, KG-250 and KG-255.
System used for ECCM.
Implemented in the Cypris crypto chip.
Joint development of GCHQ (UK) and the NSA.
Used for narrow-band voice encryption in radio and telephone
Used in products like AIM,
Cypris (SAVILLE I and II), Windster (SAVILLE I),
INDICTOR (SAVILLE I),
and Cougar radios.
Also used for data encryption in products like
Used for TTY broadcasts to submarines by AIM (2004).
High-speed link encryption. Used in products like
Generally used for Trunk Encryption Devices (TED).
Cryptographic algorithm used in products like Cypris (2 modes),
Windster and INDICTOR.
Cryptographic algorithm used in SafeXcel-3340.
Cryptographic algorithm used in NSA-developed crypto chips, such as
Cypris, Windster and Indictor.
Asymmetric-key algorithm used in products like
and the Palladium Secure Modem.
KEA was declassified by the NSA on 24 June 1998.
Block cipher algorithm used in products like
and the Palladium Secure Modem. It was also used in the so-called
that was featured in products like the AT&T
TSD-3600 telephone encryptor.
The Skipjack algorithm was declassified by the NSA on 24 June 1998.
- DES - Data Encryption Standard
Block cipher. Used in many NSA Type 3 products, such as the
Motorola SECTEL 2500 (in Type 3 mode).
Specified in FIPS 46-3 and withdrawn in 2004.
- AES - Advanced Encryption Standard
Block cipher. Specified in FIPS 197 and released in 2001.
- DSA - Digital Signature Algorithm
Used for digital signatures. Specified in FIPS 186.
- SHA - Secure Hash Algorithm
Cryptographic hash function. Specified in FIPS 180-2.
The following (non-exhaustive) list shows which products are believed to
have been (partly) developed by or for the NSA. Some of these products
are covered on this website.
In the early 1990s, the NSA made an attempt to control the availability of
strong encryption to the general public. They developed a special chip
that was intended for the implementation in secure voice equipment
and required users to give the cryptographic keys in escrow
to the government.
This would allow law enforcement agencies to decrypt any traffic for
warranted surveillance and intelligence purposes.
The device became known as the Clipper Chip and was announced in 1993.
The device used the Skipjack algorithm,
but was was not embraced by the public.
Furthermore it appreared to be seriously flawed,
as a result of which it was already defunct by 1996.
➤ More information
Although the NSA does not publish information about its methods and/or
its targets, it is known that in the past the agency has regularly tried
to covertly get access to classified information by weakening or replacing
encryption algorithms, or persuade other parties to do so on their behalf.
Below are some examples of documented cases in which the NSA has been
During WWII, Boris Hagelin made fame by supplying the M-209 cipher machine
to the US Army. In the years following the war, it was frequently speculated
that Hagelin's company – Crypto AG – had created backdoors in its equipment,
to the benefit of the NSA.
➤ More information
PX-1000 was a small pocket terminal, developed around 1980 by
in the Netherlands and marketed worldwide by
Messages were encrypted with DES and could be sent over a regular
telephone line via the built-in modem.
In 1983, the NSA expressed its concern about the availability of DES
to the general public — in an affordable device — and persuaded
to implement an alternative stream cipher that they (the NSA)
➤ More information
Around 1983, the Finnish company Nokia
produced two message terminals
for the Ministry of Defence and NATO:
The terminals used DES encryption and were able to send the messages
at high speed (burst).
To prevent the use of DES outside NATO, the NSA asked the Dutch company
to implement an alternative algorithm, that would be supplied to
➤ More information
European Axis Signal Intelligence in WWII 1
Declassified and approved for release by NSA on 1 June 2009.
EO 12958, Declass 58017.
Declassified by Interagency Security Classification Appeals Panel,
14 October 2015.
EO 13526, section 5.3(b)(3).
Declassified by NSA 11 December 2008. EO 12958.
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?|
© Crypto Museum. Created: Sunday 12 August 2012. Last changed: Sunday, 05 May 2019 - 13:59 CET.