|
|
|
|
|
|
|
← Spendex 30 Philips Phone Spendex 50 →
Narrowband secure voice terminal
Spendex 40 is a narrowband secure voice terminal,
developed in the mid-1980s by Philips Usfa,
for use by the Dutch Government and by NATO.
It enables secure transmission of voice, fax and computer data
over standard PSTN telephone lines,
using the high-grade GCHQ/NSA-developed
SAVILLE crypto-algorithm.
Also known as Spendex 40 M, NBSV-45 (non-NATO) and UA-8251.
|
Spendex 40 was the first product developed outside the USA that implemented
the highly secret SAVILLE encryption algorithm,
making it inter-operable with the NSA's
STU-II phone.
The image on the right shows a typical Spendex-40 unit. It is housed in
a robust military-grade die-cast aluminium enclosure that is completely
TEMPEST-proof.
The handset is placed on top of the unit and connects to the telephone
with a metal DIN socket on the left. Just below that socket is
a 25-way D-type socket
for connection of an external fax unit or personal computer.
|
|
|
At the rear of the unit are sockets
for mains power (EURO) and the telephone line (DB9/F).
Also present at the rear is a DB25/M socket for the
connection of an external analog modem that can be used instead of the internal one.
A backup battery, accessible via a panel at the rear, is used to
retain the cryptographic keys in CMOS memory. The most prominent users of the
Spendex 40 were NATO, the Dutch Army and the Dutch PTT 1 (now: KPN).
The device was gradually phased out in the 2000s, until approval
in the Netherlands was finally withdrawn by the
NBV
in 2009 [1].
|
-
At the time, the PTT was the Dutch state-owned telecom operator
(Staatsbedrijf der Posterijen, Telegrafie en Telefonie). It was later
privatized and renamed KPN (Koninklijke PTT Nederland).
|
|
Spendex 40 is connected permanently to the mains
and to a standard 2-wire analogue PSTN telephone line.
Optionally it could be made to work with 4-wire lines as well.
Basic operation of the unit is rather straightforward and is
comparable to using a standard telephone set.
|
Lifting the handset activates the unit and connects it to the line or PABX.
Telephone numbers are entered on the black keypad, located at the bottom right.
When dialling a number, it is displayed on the red 8-digit numerical LED
display, just above the keypad.
When the connection with the required party has been established,
the conversation is started en clair (clear speech).
When it is agreed to switch to encrypted mode (go secure)
one of the parties presses the SECURE button.
After an initial delay of approx. 10 seconds the connection is secure.
|
|
|
The SECURE button is located to the left of the keypad. It can be used
to toggle between SECURE and PLAIN.
The 10 second delay when going secure is typical for encryption systems
using an LPC-10 vocoder. Please note that in order to setup a secure
connection, a Crypto Ignition Key (CIK)
should be present and valid keys should be loaded
into the Spendex 40 and the CIK first.
A typical side effect of narrow-band LPC-10 encoding is that speech is
carried accross relatively clear, but that it is impossible to recognise
the person at the other end. This is the result of the fact that speech
is first analysed, sent to the other end (in encrypted form) at a speed of
2400 baud, and then reconstructed or synthesized,
resulting in a rather artificial or synthetic sound.
Spendex 40 is a full-duplex system, that can also be used in half-duplex
mode. This was used for example when the quality of the line was too poor, or
when the signal path was (partly) over radio links.
In half-duplex mode the Push-To-Talk switch (PTT)
on the handset would be used.
This mode was also used when communicating with an American
STU-II phone at the other end.
|
|
Depending on he situation and securoty requirements, Spendex 40 supports
the following key management procedures:
|
- Key distribution center (KDC)
In this situation, a validated Spendex 40 automatically dials the
(secret) telephone number of an external Key Distribution Center (KDC),
which assigns it a temporary key. In this situation, the contact between
all parties runs via the KDC, which in most cases was an
NSA facility. It allowed the
NSA to monitor, log and control all
calls and keys.
The main advantage of this method is that it provides full authentication.
- Net KEY
In this situation, a common key is issued to multiple parties,
allowing group conversations. A terminal can not communicate with
a party outside the group.
- Individual KEY
In this case, a single KEY is issued to multiple parties, allowing
each of them to communicate with each other. In practice, this option
was used most of the time, as it avoided the use of a KDC. The drawback
of this method is that there is no authentication.
|
|
The SAVILLE crypto-algorithm uses a 128 bits key.
For enhanced security this key is split in two parts that are stored
separetely. Each part is also 128 bits long and must be XOR-ed with the
other one in order to obtain the actual key. One half is stored in
battery-backed RAM inside the Spendex 40, whilst the other half is stored
in an EEPROM inside the Crypto Ignition Key (CIK).
|
Splitting the key makes it easier to render the machine
useless when security is compromised. Whenever a user temporarily leaves
the Spendex 40 unattended, he can leave the key loaded as long
as he takes the removable CIK with him.
Without the CIK, the key inside the Spendex 40 has no value.
Likewise, a loaded CIK can not be used on another Spendex 40 device.
Trying the CIK on another Spendex 40 causes the message ILL. CIK
(illegal CIK) to be displayed.
The image on the right shows a typical CIK being connected to the CIK
socket on the Spendex 40 front panel.
|
|
|
Secure operation is only possible with
a valid (loaded) CIK present on the
socket marked 'CIK'.
When security is compromised, the user presses the
ZEROIZE button
that is behind a metal flap at the front panel.
Pressing the button destroys all keys that are present in the
internal RAM of the Spendex 40. It also clears the CIK (when connected).
The display will then show
the message ZEROISED (British spelling).
If the CIK was not present when the ZEROIZE button was pressed,
the internal RAM is still cleared, rendering the CIK useless.
The same CIK was used with Spendex 50.
Although the CIK is marked with the word
CONFIDENTIAL on its serial number plate,
un unloaded CIK is an unclassified device.
Whenever a valid key is loaded to both the Spendex 40 and the CIK,
the CIK is classified to the level of the loaded key.
Deleting the key makes it unclassified again.
The CIK only contains a memory chip (EEPROM) that can hold a randomly-generated
number that is part of the key.
There is no additional intelligence or other protective or secret circuitry
inside.
|
|
Key material for the Spendex-40 was produced by an external
key management system. This was usually a piece of proprietary software
running on a dedicated PC.
The keys were then distributed by means of a
key filler or
key transfer device such as
the military KYK-13 fill gun.
In the case of NATO, a government agency acting as a Key Distribution Center (KDC)
could also be used for this.
|
Keys are normally loaded into the Spendex 40 by means of a
fill gun.
As soon as it is connected to the FILL socket on the front panel,
the display shows
the message COMSEC ?.
The user then selects the desired key compartment,
sets the selector to WRITE and
presses the ACTIVATE button, in order
to initiate a key transfer.
As the American KYK-13
key loader was in short supply, Philips
developed equivalent devices like the
UP-2001 shown on the right.
It had 40 key compartments which was a great improvement
over the KYK-13, which had just six of them.
|
|
|
A larger number of key compartments in a fill device
allows keys for different devices
or for more days in advance to be carried.
As soon as the keys were loaded, the key loader was removed and both
the Spendex 40 and the CIK had become a
Classified Cryptographic Item (CCI) 1 .
Note that the original key was not stored inside the Spendex 40.
It was reconstructed when needed by adding the internally stored key
to the one stored in the CIK (by means of an XOR operation).
|
-
CCI is sometimes defined as Controlled COMSEC Item, which has the same
meaning.
|
|
Apart from voice communication, the Spendex 40 was also capable of
encrypting and decrypting digital (computer) data through the internal
modem, or an externally connected modem at speeds up to 4800 baud.
For this, the DB25/F connector at the left side
of the front panel is available.
|
The data port has a serial (RS-232) interface that can be used for the
connection of a personal computer or a similar data device such as a fax.
The image on the right shows a standard Canon fax unit of the
early 1980s connected to the DB25 socket on the left side of the
Spendex-40. The image was taken from a stock photo [7]
that appeared in a 6-page brochure at the time [10].
As an alternative, the NSA-approved fax unit Cryptek TS-40
could also be used [2].
It was a plain paper laser fax that complied with NSA TEMPEST
Level I standards. Neither of the fax units discussed here are
available anymore.
|
|
|
|
A facsimile machine (fax) was a popular means of sending hand-written
documents and images over telephone lines during the 1980s and 90s.
Since the internet-revolution, it has gradually been replaced by e-mail.
As the Spendex 40 allowed secure transmission of fax-documents, it was
also used for the distribution of cryptographic keys, simply by printing
them onto an A4-sheet as barcodes. The keys were then transferred to
a key loader by means
of a barcode reader.
|
|
The keys, stored in the memory (CMOS RAM) of the Spendex 40, are
retained by a backup battery. For this purpose,
a long-life 3.6V Lithium cell is used.
It has the shape of a common AA-size
battery and is accessible from the rear of the device, by removing
a small panel at the right.
|
The battery compartment can be opened by removing 4 hex-bolts,
as shown in the image on the right.
The battery itself can be removed by
pulling its white cloth jacket
(images below).
Suitable replacement batteries are available
from a variety of sources, such as Tadiran (TL-5104) and Conrad
Elektronik in Germany. The latter offers batteries from manufacturer EVE
(Energy Very Endure) for about EUR 4.99
(order number 650773-89) and Emmerich (651244-89).
Note that standard 1.5V penlight batteries can not be used as
they do not deliver the required voltage.
|
|
|
When the battery is fully exhausted, or when it has been removed from the
device for more than a few seconds, the internal settings of the phone
will be lost. This might render the phone useless, especially when
the internal modem is used (which is nearly always the case), as it
defaults to using an external modem.
Should that happen, the initial setup procedure must be carried out.
|
Spendex 40 was one of the first secure voice terminals that used an LPC-10 vocoder
for speech digitization [6].
LPC or Linear Predictive Coding was a high-quality vocoder,
developed by the US Department of Defense for use by NATO. It is also known
as FS-1015
or STANAG-4198.
Although LPC-10 encoding became rather common in later years, its implementation
was by no means easy at the time Spendex 40 was developed.
The LPC-10 unit inside the Spendex 40, was developed in collaboration with Philips
Research (NatLab) in Eindhoven (Netherlands). It needed five
NEC DSPs 1 of the first generation. Reliability and speech quality was
reported to be better than on comparable systems
like the much larger
American STU-II, which was also used by NATO.
|
As far as we know, Spendex 40 was the first non-US/UK device to
be licenced to implement the highly secure GCHQ/NSA-developed
SAVILLE cryptographic algorithm
[3].
As SAVILLE is an extremely complex algorithm, it was considered
too difficult for implementation in software [8].
Philips therefore developed its own crypto-chip called the
OQ4430.
It is shown in the image on the right. The same chip was also used
in the military Spendex 50 secure voice terminal.
Three of these crypto-chips are used in each Spendex device: 1 for
reception and 2 for transmission. 2
|
|
|
Spendex 40 was arguably the most secure voice and data terminal at the time.
It was approved for use by the US Government at the highest possible level
(NSA Type 1) and was also used by NATO and
by the German government.
It was one of the smallest Type 1 devices
at the time.
Rumour has it that NSA officials were 'shocked' when they saw the first
Spendex 40 prototype in action. It was so much smaller than the American
STU-II and yet its speech
quality was so much better [5].
Motorola later developed the STU-II/B, that
was intended as a replacement for all STU-II compatible devices, including
the Spendex 40. It was much smaller and had improved speech
quality (using Motorola's own DSP technology) but came nearly 10 years
after the Spendex 40.
It is also rumoured that Spendex 40 played an important role
before, during and after the fall of the Berlin Wall in 1989, when
West-German Authorities used it for secure voice communication [5].
It was assumed that foreign secret services were unable to break the
SAVILLE encryption.
|
 |
-
Two NEC DSPs were used for the speech analyzer, whilst three were
needed for the speech synthesizer.
-
Two crypto units are used for transmission in order to provide a fail-safe
system. The output of the two units is constantly monitored and compared,
raising an alarm when they are no longer identical.
|
|
The Spendex 40 is an extremely robust device that was clearly intended for
military use. The unit is hermetically sealed with a large number of hex
bolts in order to prevent unwanted emission of RF signals (TEMPEST). The interior
can be access from the rear (PSU) and from the top (crypto).
|
The die-cast aluminium case consist of several compartments that are
interconnected by means of filtered lines.
There are compartments at the rear, the front the side and at the top.
The front panel contains the user controls and connections
and is bolted to the front of the main enclosure.
The compartments at the rear can
be accessed by removing 14 hex bolts from the rear panel,
as shown in the image on the right.
At the left is the power supply (PSU) with the transformer just visible.
The (telephone) line interface is at the right, with
the filters mounted to the rear panel.
|
|
|
The filters are necessary to prevent unwanted leakage of information.
For the same reason, a metal gasket is present in between the main case
and the rear panel. The block at the bottom right contains the
backup battery (see below). The most interesting compartment is at the top.
|
It can be accessed by
removing the handset assembly and the
(sealed) top lid.
The image on the right shows the contents of the crypto compartment
as seen from the top.
There are 7 PCBs that are slotted into a backplane at the bottom.
A microswitch on card number 3
acts as tamper-detection.
When the top panel is lifted, all cryptographic
keys are destroyed instantly.
The two flying wires at the left are normally connected to a reed-switch
that is mounted to the top panel. It acts as the off-hook switch and is
activated by a magnet in the handset cradle.
|
|
|
The boards are listed below.
Six of the seven PCBs are mounted together in pairs. Although each PCB has
is own connection to the backplane, they should always be removed together.
The first two PCBs at the front are 'locked' in between metal panels in order
to provide sufficient cooling for the special chips that are used for speech
analysis and synthesis. Parts of these two boards were developed in
close collaboration between Philips Usfa and Philips' NatLab (Philips Research).
|
Board number 4 — key generator —
is the actual crypto logic, or crypto heart.
It contains three OQ4430 crypto processors that were developed
by Philips especially for this purpose.
They are used for the implementation of the
SAVILLE algorithm.
The same chips are used in the
Spendex 50.
As it is a full-duplex system, three chips are necessary,
one of which was used for reception. The other two were used for
transmission, raising an alarm if their outputs were not identical.
|
Boards (1) and (2) are technically the most advanced for the era.
For development of the speech analyzer
and the speech synthesizer,
a number of first-generation DSPs have been used. Spendex 40 was
one of the very first devices to use the
NEC µPD77P20D DSP.
The speech analyzer
contains two such DSPs,
whilst the speech synthesizer
uses three of them, plus a OQ4422 custom chip.
The two circuit boards are sandwiched together and are clamped in between
a series of copper springs that keep them in place and provide cooling.
|
|
|
|
Apart from providing cooling and clamping, the springs probably provide
some extra shielding (ground) for the DSPs as well.
The speech synthesis board
also contains an Intel 8085 processor with firmware in a 32K EPROM.
The function of the OQ4422 custom chip is currently unknown.
|
|
The Spendex 40 is known under different names. Spendex 40 was the
name that was internally given to the device. In official correspondence,
the machine was referred to as the UA-8251 and in the 1985 edition of Jane's
Military Communication [3]
it is presented as the NBSV-45, which was the
non-NATO variant. At present, the following names are known:
|
- Spendex 40
- UA-8251
- NBSV-45
- Spendex-40-M
|
|
As far as we currently know, the Spendex 40 was available in two different
models that can be identified by an extension to the model number that takes
the shape of /XX. The extension number identifies the type of (internal)
modem that is present in the phone's rear compartment. Please note that
the (soft) settings of the device have to be configured accordingly.
|
UA-8251/00 all modes except 2-wire full-duplex
UA-8251/01 2-wire full-duplex only
|
|
Spendex-40 was interoperable with the following devices:
|
Will are still looking for a Crypto Ignition Key (CIK) for our Spendex 40.
Although the serial number plate on the CIK indicates that it is
CONFIDENTIAL, it is in fact an unclassified item as long as it is
unloaded (see above).
It just contains a memory chip (EEPROM) that can hold part of the key.
There is no additional intelligence or other protective or secret circuitry
inside.
If you have any of these available or if you have additional information,
please contact us.
|
- Nationaal Bureau voor Verbindingsbeveiliging (NBV, part of the AIVD),
List of approved crypto products (Dutch)
Retrieved March 2009.
- NSA, Cryptek TS-40 secure facsimile unit
Fax unit approved for use with Spendex 40.
- Jane's Military Communications 1986
ISBN: 0-7106-0824-1
- Philips Usfa BV, NBSV 45, Provisional Data Sheet
Simple black & white leaflet about the NBSV-45 (Spendex 40 M).
9922 154 12401. Date unknown.
- Anonymous, Using the Spendex 40
Interview at Crypto Museum. Eindhoven, June 2011.
- Wikipedia, LPC-10 Vocoder
FS-1015 standard. Retrieved July 2011.
- Philips Usfa/Crypto, Spendex 40 stock photographs
Crypto Museum Photo Archive.
- Crypto Museum, The SAVILLE Algorithm
Interview with former cryptographer at Crypto Museum, December 2011.
- NEC Electronics Inc., µPD77C20, 7720A, 77P20 Digital Signal Processors
First commercial DSP chip used in Spendex 40.
1980. Retrieved March 2012.
- Philips Usfa BV, Narrow Band Secure Voice Equipment Spendex 40
Spendex 40 Brochure (copy) 9922 154 12443. 1987.
|
|
|
|
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Saturday 06 February 2010. Last changed: Saturday, 24 February 2018 - 16:20 CET.
|
|
|
|
|
