NSA encryption systems

The first generation electronic systems were quirky devices with cantankerous punched card readers for loading keys and failure-prone, tricky-to-maintain vacuum tube circuitry.

Algorithms appear to be based on linear-feedback shift registers, perhaps with some non-linear elements thrown in to make them more difficult to cryptanalyze.

Field maintenance was often limited to running a diagnostic mode and replacing a complete bad unit with a spare, the defective cipher device being sent to a depot for repair.

Keys were initially distributed as strips of punched paper tape that could be pulled through a hand held reader (KOI-18) connected to the fill port.

Later the Fortezza card, originally introduced as part of the controversial Clipper chip proposal, were employed as tokens.

Users of secure telephones like the STU-III only have to call a special phone number once a year to have their encryption updated.

Encryption support was provided for commercial standards such as Ethernet, IP (originally developed by DOD's ARPA), and optical fiber multiplexing.

Classified networks, such as SIPRNet (Secret Internet Protocol Router Network) and JWICS (Joint Worldwide Intelligence Communications System), were built using commercial Internet technology with secure communications links between "enclaves" where classified data was processed.

It has three phases: NSA has helped develop several major standards for secure communication: the Future Narrow Band Digital Terminal (FNBDT) for voice communications, High Assurance Internet Protocol Interoperability Encryption- Interoperability Specification (HAIPE) for computer networking and Suite B encryption algorithms.

The large number of cipher devices that NSA has developed can be grouped by application: During World War II, written messages (known as record traffic) were encrypted off line on special, and highly secret, rotor machines and then transmitted in five-letter code groups using Morse code or teletypewriter circuits, to be decrypted off-line by similar cipher devices at the other end.

The KW-26 ROMULUS was a second generation cipher device in wide use that could be inserted into teletypewriter circuits so traffic was encrypted and decrypted automatically.

The Navy also needs to maintain traffic security, so it has radio stations constantly broadcasting a stream of coded messages.

During and after World War II, Navy ships copied these fleet broadcasts and used specialized call sign encryption devices to figure out which messages were intended for them.

The Navy is replacing the KG-38 used in nuclear submarines with KOV-17 circuit modules incorporated in new long-wave receivers, based on commercial VME packaging.

True voice encryption (as opposed to less secure scrambler technology) was pioneered during World War II with the 50-ton SIGSALY, used to protect the very highest level communications.

The first tactical secure voice equipment was the NESTOR family, used with limited success during the Vietnam war.

According to the 9/11 Commission, an effective US response was hindered by an inability to set up a secure phone link between the National Military Command Center and the Federal Aviation Administration personnel who were dealing with the hijackings.

The NES was built in a three part architecture that used a small cryptographic security kernel to separate the trusted and untrusted network protocol stacks.

The BBN Safekeeper provided a high degree of tamper resistance and was one of the first devices used by commercial PKI companies.

KL-7 at NSA Museum
An array of KW-26 cipher devices
KOI-18 field paper tape reader
STU-III phones with crypto-ignition keys
Hand-held microprocessor-controlled radios like this AN/PRC-148 have multiple encryption modes.
KY-68 tactical secure telephone
NSA KAL-55B Tactical Authentication System used during the Vietnam War National Cryptologic Museum