The National Security Agency
took over responsibility for all U.S. Government encryption
systems when it was formed in 1952. The technical details of most NSA-approved systems are still classified
, but much more about its early systems has become known and its most modern systems share at least some features with commercial products.
Rotor machines from the 1940s and 1950s were mechanical marvels. The first generation electronic systems were quirky devices with cantankerous punch card readers for loading keys and failure-prone, tricky-to-maintain vacuum tube circuitry. Late 20th century systems are just black boxes, often literally. In fact they are called blackers in NSA parlance because they convert classified signals (red) into unclassified signals (black). They typically have electrical connectors for the red signals, the black signals, electrical power, and a port for loading keys. Controls can be limited to selecting between key fill, normal operation and diagnostic modes and an all important zeroize button that erases classified information including keys and perhaps the encryption algorithms. 21st century systems often contain all the sensitive cryptographic functions on a single, tamper-resistant integrated circuit that supports multiple algorithms and allows over-the-air or network rekeying, so that a single hand-held field radio can interoperate with most current NSA cryptosystems.
NSA has to deal with many factors in ensuring the security of communication and information (COMSEC and INFOSEC in NSA jargon):
- Confidentiality and authentication - making sure messages cannot be read by unauthorized people and that they cannot be forged (nonrepudiation). Little is publicly known about the algorithms NSA has developed for protecting classified information, what NSA calls Type 1 algorithms. In 2003, for the first time in its history, NSA approved two published algorithms, Skipjack and AES for Type 1 use in NSA approved systems.
- Traffic flow security - making sure an adversary cannot obtain information from traffic analysis, often accomplished by link encryption.
- Key management - getting keys securely to thousands of crypto boxes in the field, perhaps the most challenging part of any encryption system. One NSA goal is benign fill (technology for distributing keys in a way that the humans never have access to plaintext key).
- Investigative access - making sure encrypted communications are accessible to the U.S. Government. While few would argue with the need for the government to access its own internal communications, the NSA Clipper chip proposal to extend this key escrow requirement to public use of cryptography was highly controversial.
- TEMPEST - protecting plaintext from compromise by electronic, acoustic or other emanations.
- Tamper resistance, tamper-evident, self-destruct - ensuring security even if encryption systems are physically accessed without authorization or are captured.
- Meeting military specifications for size, weight, power consumption, MTBF and ruggedness to fit in mobile platforms.
- Electromagnetic pulse hardening - protecting against nuclear explosion effects, particularly electromagnetic pulse.
- Ensuring compatibility with military and commercial communication standards.
- Controlling cost - making sure encryption is affordable so units that need it have it. There are many costs beyond the initial purchase price, including the manpower to operate and maintain the systems and to ensure their security and the cost of key distribution.
- Enabling secure communication with NATO, allied and coalition forces without compromising secret methods.
Five generations of NSA encryption
The large number of encryption systems that NSA has developed in its half century of operation can be grouped into five generations (decades given are very approximate):
First generation: electromechanical
First generation NSA systems were introduced in the 1950s and were built on the legacy of NSA's World War II
predecessors and used rotor machines derived from the SIGABA
design for most high level encryption; for example, the KL-7
. Key distribution involved distribution of paper key lists that described the rotor arrangements, to be changed each day (the cryptoperiod
) at midnight, GMT
. The highest level traffic was sent using one time tape systems, including the British 5-UCO
, that required vast amounts of paper tape keying material.
Second generation: vacuum tubes
Second generation systems (1970s) were all electronic designs based on vacuum tubes
and transformer logic. Algorithms appear to be based on linear feedback shift registers
, perhaps with some non-linear elements thrown in to make them more difficult to cryptanalyze. Keys were loaded by placing a punch card
in a locked reader on the front panel. The cryptoperiod was still usually one day. These systems were introduced in the late 1960s and stayed in use until the mid-1980s. They required a great deal of care and maintenance, but were not vulnerable to EMP. The discovery of the Walker spy ring
provided an impetus for their retirement, along with remaining first generation systems.
Third generation: integrated circuits
Third generation systems (1980s) were transistorized and based on integrated circuits
and likely used stronger algorithms. They were smaller and more reliable. Field maintenance was often limited to running a diagnostic mode and replacing a complete bad unit with a spare, the defective box being sent to a depot for repair. Keys were loaded through a connector on the front panel. NSA adopted the same type of connector that the military used for field radio handsets as its fill connector. Keys were initially distributed as strips of paper tape that could be pulled through a hand held reader (KOI-18
) connected to the fill port. Other, portable electronic fill devices
, etc.) were available as well.
Fourth generation: electronic key distribution
Fourth generation systems (1990s) use more commercial packaging and electronic key distribution. Integrated circuit technology allowed backward compatibility with third generation systems. Security tokens
, such as the KSD-64
crypto ignition key (CIK
) were introduced. Secret splitting technology allows encryptors and CIKs to be treated as unclassified when they were separated. Later the Fortezza
card, originally introduced as part of the controversial Clipper chip
proposal, were employed as tokens. Cryptoperiods were much longer, at least as far as the user was concerned. Users of secure telephones like the STU-III
only have to call a special phone number once a year to have their encryption updated. Public key methods (FIREFLY
) were introduced for electronic key management (EKMS
). Keys can now be generated by individual commands instead of coming from NSA by courier. A common handheld fill device (the AN/CYZ-10
) was introduced to replace the plethora of devices used to load keys on the many third generation systems that were still widely used. Encryption support was provided for commercial standards such as Ethernet
(originally developed by DOD's ARPA
), and optical fiber multiplexing. Classified networks, such as SIPRNet
(Secret Internet Protocol Router Network) and JWICS
(Joint Worldwide Intelligence Communications System), were built using commercial Internet
technology with secure communications links between "enclaves" where classified data was processed. Care had to be taken to ensure that there were no insecure connections between the classified networks and the public Internet
Fifth generation: network-centric systems
In the twenty-first century, communication is increasingly based on computer networking. Encryption is just one aspect of protecting sensitive information on such systems, and far from the most challenging aspect. NSA's role will increasingly be to provide guidance to commercial firms designing systems for government use. HAIPE solutions are examples of this type of product (e.g., KG-245A
). Other agencies, particularly NIST
, have taken on the role of supporting security for commercial and sensitive but unclassified applications. NSA's certification of the NIST-selected AES
algorithm for classified use "in NSA approved systems" suggests the future path. The KG-245A and KG-250 use both classified and unclassified algorithms. The NSA Information Assurance Directorate is leading the Department of Defense Cryptographic Modernization Program
, an effort to transform and modernize Information Assurance capabilities for the 21st century. It has three phases:
- Replacement- All at risk devices to be replaced.
- Modernization- Integrate modular programmable/embedded crypto solutions.
- Transformation- Be compliant to Global Information Grid/ NetCentric requirements.
NSA has helped develop several major standards for secure communication: the Future Narrow Band Digital Terminal (FNBDT) for voice communications, High Assurance Internet Protocol Interoperability Encryption- Interoperability Specification (HAIPE) for computer networking and Suite B encryption algorithms.
NSA encryption by type of application
The large number of encryption systems that NSA has developed can be grouped by application:
Record traffic encryption
During World War II
, written messages (known as record traffic
) were encrypted off line on special, and highly secret, rotor machines
and then transmitted in five letter code groups using Morse code
circuits, to be decrypted off-line by similar machines at the other end. The SIGABA
rotor machine, developed during this era continued to be used until the mid-1950s, when it was replaced by the KL-7
, which had more rotors.
The KW-26 ROMULUS was a second generation encryption system in wide use that could be inserted into teletype circuits so traffic was encrypted and decrypted automatically. It used electronic shift registers instead of rotors and became very popular (for a COMSEC device of its era), with over 14,000 units produced. It was replaced in the 1980s by the more compact KG-84, which in turn was superseded by the KG-84-interoperable KIV-7.
U.S. Navy ships traditionally avoid using their radios to prevent adversaries from locating them by direction finding
. The Navy also needs to maintain traffic security, so it has radio stations constantly broadcasting a stream of coded messages. During and after World War II, Navy ships copied these fleet broadcasts
and used specialized call sign encryption
devices to figure out which messages were intended for them. The messages would then be decoded off line using SIGABA
The second generation KW-37 automated monitoring of the fleet broadcast by connecting in line between the radio receiver and a teleprinter. It, in turn, was replaced by the more compact and reliable third generation KW-46.
NSA has no graver responsibility than protecting the command and control systems for nuclear forces. The KG-3X
series is used in the U.S. government's Minimum Essential Emergency Communications Network
and the Fixed Submarine Broadcast System
used for transmission of emergency action messages for nuclear and national command and control of U.S. strategic forces. The Navy is replacing the KG-38
used in nuclear submarines
circuit modules incorporated in new long-wave receivers, based on commercial VME
packaging. In 2004, the U.S. Air Force awarded contracts for the initial system development and demonstration (SDD) phase of a program to update these legacy generation systems used on aircraft.
Modern communication systems multiplex
many signals into wideband data streams that are transmitted over optical fiber
, coaxial cable
relay, and communication satellites
. These wide-band circuits require very fast encryption systems.
The WALBURN family (KG-81, KG-94/194, KG-94A/194A, KG-95) of equipment consists of high-speed bulk encryption devices used primarily for microwave trunks, high-speed land-line circuits, video teleconferencing, and T-1 satellite channels. Another example is the KG-189, which support SONET optical standards up to 2.5 Gbit/s.
Digital Data encryptors such as KG-84 family which includes the TSEC/KG-84, TSEC/KG-84A and TSEC/KG-82, TSEC/KG-84A and TSEC/KG-84C, also the KIV-7.
True voice encryption (as opposed to less secure scrambler technology) was pioneered during World War II with the 50-ton SIGSALY, used to protect the very highest level communications. It did not become practical for wide spread use until reasonable compact speech encoders became possible in the 1970s.
- STU I and STU II - These systems were expensive and cumbersome and were generally limited to the highest levels of command
- STU-III - These telephone sets operated over ordinary telephone lines and featured the use of security tokens and public key cryptography, making them much more user friendly. They were very popular as a result. Used since the 1980s, this device is rapidly being phased out, and will no longer be supported in the near future.
- 1910 Terminal - Made by a multiple of manufacturers, this device is mostly used as a secure modem. Like the STU-III, new technology has largely eclipsed this device, and it is no longer widely used.
- Secure Terminal Equipment (STE) - This system is intended to replace STU-III. It uses wide-bandwidth voice transmitted over ISDN lines. It can communicate with STU-III phones and can be upgraded for FNBDT compatibility.
- GSM Secure module - The a secure cellular phone module that connects to the back of a commercial off the shelf cellular phone. It uses an FNBDT key for encryption.
- OMNI - The OMNI terminal, made by L3 Communications, is another replacement for STU-IIIs. This device uses the FNBDT key and is used to securely send voice and data over the PSTN and ISDN communication systems.
- secure Iridium - The US Government got a real bargain when it rescued the bankrupt Iridium commercial mobile phone venture. NSA helped add encryption to the Iridium phones.
- KY-57 (VINSON) - One of a series of systems for tactical voice encryption
- HAVE QUICK and SINCGARS use NSA-supplied sequence generators to provide secure frequency hopping
- Future Narrowband Digital Terminal (FNBDT) - Now referred to as the "Secure Communications Interoperability Protocol" (SCIP), the FNBDT is a replacement for the wide-band STE, which uses narrow-bandwidth communications channels like cellular telephone circuits, rather than ISDN lines. The FNBDT/SCIP operates on the application layer of the ISO/OSI Reference Model, meaning that it can be used on top of different types of connections, regardless of the establishment method. It negotiates with the unit at the other end, much like a dial-up modem.
The operational complexity of secure voice played a role in the September 11, 2001 attacks on the United States. According to the 911 Commission, an effective U.S. response was hindered by an inability to set up a secure phone link between the National Military Command Center and the Federal Aviation Administration personnel who were dealing with the hijackings. See Communication during the September 11, 2001 attacks.
NSA has approved a variety of devices for securing Internet Protocol
communications. These have been used to secure SIPRNet
, the Secret Internet Protocol Router Network, among other uses.
NSA still supports simple paper encryption and authentication systems for field use such as DRYAD
NSA has participated in the development of several encryption systems for public use. These include: