Narrowband secure voice terminal
Spendex 40 was a narrowband secure voice terminal,
developed by Philips Usfa around 1980.
It allowed secure transmission of voice, fax and computer data
over standard PSTN telephone lines,
using the high-grade GCHQ/NSA-developed
It was used by NATO, the Dutch Army, the Dutch Government and the
Dutch PTT 1 (now: KPN), until it became obsolete in the early 2000s.
Within NATO, the Spendex-40 is known as the Spendex 40 M,
or by the Usfa designator UA-8251.
As of 2009, approval for Spendex 40 has been withdrawn .
Spendex 40 was the first product developed outside the USA that implemented
the highly secret SAVILLE algorithm,
which made it inter-operable with the NSA's
military STU-II phone.
The image on the right shows a typical Spendex-40 unit. It is housed in
a robust military-grade die-cast aluminium case that is completely
The handset is placed on top of the unit and connects to the telephone
with a metal DIN connector on the left. Just below that connector is
a 25-way D-type connector
for the connection of an external fax unit or computer.
At the rear of the unit are the connections
for mains power and the telephone line (9-pin sub-D).
Also present at the rear is a 25-way sub-D for the
connection of an external analog modem that can be used instead of the internal one.
A backup battery, used to retain the current keys,
is hidden behind a small panel at the right.
Spendex 40 was gradually phased out in the 2000s.
At the time, the PTT was the Dutch state-owned telecom operator
(Staatsbedrijf der Posterijen, Telegrafie en Telefonie). It was later
privatized and renamed KPN (Koninklijke PTT Nederland).
Spendex 40 is connected permanently to the mains
and to a standard 2-wire analogue PSTN telephone line.
Optionally it could be made to work with 4-wire lines as well.
Basic operation of the unit is rather straightforward and is
comparable to using a standard telephone set.
Lifting the handset activates the unit and connects it to the line or PABX.
Telephone numbers are entered on the black keypad, located at the bottom right.
When dialling a number, it is displayed on the red 8-digit numerical LED
display, just above the keypad.
When the connection with the required party has been established,
the conversation is started en clair (clear speech).
When it is agreed to switch to encrypted mode (go secure)
one of the parties presses the SECURE button.
After an initial delay of approx. 10 seconds the connection is secure.
The SECURE button is located to the left of the keypad. It can be used
to toggle between SECURE and PLAIN.
The 10 second delay when going secure is typical for encryption systems
using an LPC-10 vocoder. Please note that in order to setup a secure
connection, a Crypto Ignition Key (CIK)
should be present and valid keys should be loaded
into the Spendex 40 and the CIK first.
A typical side effect of narrow-band LPC-10 encoding is that speech is
carried accross relatively clear, but that it is impossible to recognise
the person at the other end. This is the result of the fact that speech
is first analysed, sent to the other end (encrypted) at 2400 baud and
then reconstructed or synthesized,
resulting in a rather artificial or synthetic sound.
Spendex 40 is a full-duplex device, but it can also be used in half-duplex
mode. This was used for example when the quality of the line was too poor, or
when the signal path was (partly) over radio links.
In half-duplex mode the Push-To-Talk switch (PTT)
on the handset would be used.
This mode was also used when communicating with an American
STU-II phone at the other end.
The SAVILLE crypto-algorithm uses a 128 bits key.
For enhanced security this key is split in two parts that are stored
separetely. Each part is also 128 bits long and must be XOR-ed with the
other one in order to obtain the actual key. One half is stored in
battery-backed RAM inside the Spendex 40, whilst the other half is stored
in an EEPROM inside the Crypto Ignition Key (CIK).
Splitting the key in two parts makes it easier to render the machine
useless when security is compromised. Whenever a user temporarily leaves
the Spendex 40, he can leave the key loaded as long as he takes the
CIK with him.
Without the CIK, the key inside the Spendex 40 has no value.
Likewise, a loaded CIK can not be used on another Spendex 40 device.
Trying the CIK on another Spendex 40 causes the message ILL. CIK
(illegal CIK) to be displayed.
The image on the right shows a typical CIK being connected to the CIK
socket on the Spendex 40 front panel.
Secure operation is only possible with
a valid (loaded) CIK present on the
socket marked 'CIK'.
When security is compromised, the user presses the
that is behind a metal flap at the front panel.
Pressing the button destroys all keys that are present in the
internal RAM of the Spendex 40. It also clears the CIK (when connected).
The display will then show
the message ZEROISED (British spelling).
If the CIK was not present when the ZEROIZE button was pressed,
the internal RAM is still cleared, rendering the keys useless.
The CIK was also used with Spendex 50.
Although the CIK is marked with the word
CONFIDENTIAL on its serial number plate,
un unloaded CIK is an unclassified device.
Whenever a valid key is loaded to both the Spendex 40 and the CIK,
the CIK is classified to the level of the loaded key.
Deleting the key makes it unclassified again.
The CIK only contains a memory chip (EEPROM) that can hold a randomly-generated
number that is part of the key.
There is no additional intelligence or other protective or secret circuitry
Key material for the Spendex-40 was produced by an external
key management system. This was usually a piece of suitable software
running on a dedicated PC.
The keys were then distributed by means of a
key filler or
key-fill device such as
the military KYK-13 fill gun.
In the case of NATO, a government agency acting as a Key Distribution Center (KDC)
could also be used for this.
Key are normally loaded into the Spendex 40 by means of a
When it is connected to the FILL socket on the front panel,
the display will show
the message COMSEC ?.
The user then selects the required key compartment,
sets the selector to WRITE and
presses the ACTIVATE button in order
to initiate a key transfer.
As the American KYK-13
key loader was in short supply, Philips
developed its own equivalent devices such as the
UP-2001 shown here.
It had the advantage of having 40 key compartments rather
than just 6 as on the original KYK-13.
A larger number of key compartments in a fill device
allows keys for different devices
or for more days in advance to be carried.
As soon as the keys were loaded, the key loader was removed and both
the Spendex 40 and the CIK had become a
Classified Cryptographic Item (CCI) 1 .
Note that the original key was not stored inside the Spendex 40.
It was reconstructed when needed by adding (by means of an XOR operation)
the internally stored key with the one stored in the CIK.
CCI is sometimes defined as Controlled COMSEC Item, which has the same
Apart from voice communication, the Spendex 40 was also capable of
encrypting and decrypting digital (computer) data through the internal
modem, or an externally connected modem at speeds up to 4800 baud.
For this, the DB25 connector at the left side
of the front panel is available.
The data port has a serial (RS-232) interface that can be used for the
connection of a personal computer or a similar data device such as a fax.
The image on the right shows a standard Canon fax unit of the
early 1980s connected to the DB25 socket on the left side of the
Spendex-40. The image was taken from a stock photo 
that appeared in a 6-page brochure at the time .
As an alternative, the NSA-approved fax unit Cryptek TS-40
could also be used .
It was a plain paper laser fax that complied with NSA TEMPEST
Level I standards. Neither of the fax units discussed here are
A facsimile machine (fax) was a popular means of sending hand-written
documents and images over telephone lines during the 1980s and 90s.
Since the internet-revolution, it has gradually been replaced by e-mail.
As the Spendex 40 allowed secure transmission of fax-documents, it was
also used for the distribution of cryptographic keys, simply by printing
them onto an A4-sheet as barcodes. The keys were then transferred to
a key loader by means
of a barcode reader.
The keys, stored in the memory (RAM) of the Spendex 40, are
retained by a backup battery. For this purpose,
a long-life 3.6V Lithium cell is used.
It has the shape of a standard penlight
battery and is accessible from the rear of the device, by removing
a small panel at the right.
The battery compartment can be opened by removing 4 hex-bolts,
as shown in the image on the right.
The battery itself can be removed by
pulling its white cloth jacket
Suitable replacement batteries are available
from a variety of sources, such as Tadiran (TL-5104) and Conrad
Elektronik in Germany. The latter offers batteries from manufacturer EVE
(Energy Very Endure) for about EUR 4.99
(order number 650773-89) and Emmerich (651244-89).
Note that standard 1.5V penlight batteries can not be used as
they do not deliver the required voltage.
When the battery is fully exhausted, or when it has been removed from the
device for more than a few seconds, the internal settings of the phone
will be lost. This might render the phone useless, especially when
the internal modem is used (which is nearly always the case), as it
defaults to using an external modem.
In that case, the initial setup procedure should be carried out.
Spendex 40 was one of the first secure voice terminals that used a vodocer
based on the LPC-10 standard .
LPC or Linear Predictive Coding was a high-quality vocoder,
developed by the US Department of Defense for use by NATO. It is also known
Although LPC-10 encoding became rather common in later years, it was by no
means easy to implement it, at the time Spendex 40 was developed.
The vocoder used in the Spendex 40, was developed in collaboration with Philips
Research (NatLab) in Eindhoven (Netherlands). It needed five
NEC DSPs 1 of the first generation. Reliability and speech quality was
reported to be better than on comparable systems
like the much larger American
STU-II, which was also used by NATO.
As far as we know, Spendex 40 was the first non-US/UK device to
be licenced to implement the highly secure GCHQ/NSA-developed
SAVILLE cryptographic algorithm
As SAVILLE is an extremely complex algorithm, it was considered
too difficult to be implemented in software .
Philips therefore developed its own crypto-chip called the
It is shown in the image on the right. The same chip was also used
in the military Spendex 50 secure voice terminal.
Three of these crypto-chips are used in each Spendex device: 1 for
reception and 2 for transmission. 2
Spendex 40 was arguably the most secure voice and data terminal at the time.
It was approved for use by the US Government at the highest possible level
(NSA Type 1) and was also used by NATO and
by the German government.
It was one of the smallest Type 1 devices
at the time.
Rumour has it that NSA officials were 'shocked' when they saw the first
Spendex 40 prototype in action. It was so much smaller than the American
STU-II and yet its speech
quality was so much better .
Motorola later developed the STU-II/B, that
was intended as a replacement for all STU-II compatible devices, including
the Spendex 40. It was much smaller and had improved speech
quality (using Motorola's own DSP technology) but came nearly 10 years
after the Spendex 40.
It is also rumoured that Spendex 40 played an important role
before, during and after the fall of the Berlin Wall in 1989, when
West-German Authorities used it for secure voice communication .
It was assumed that foreign secret services were unable to break the
Two NEC DSPs were used for the speech analyzer, whilst three were
needed for the speech synthesizer.
Two crypto units are used for transmission in order to provide a fail-safe
solution. The output of the two units is constantly being compared and as
soon as a difference occurs, an alarm is raised.
The Spendex 40 is an extremely robust device that was clearly intended for
military use. The unit is hermetically sealed with a large number of hex
bolts in order to prevent unwanted emission of signals (TEMPEST). The interior
can be access from the rear (PSU) and from the top (crypto).
The die-cast aluminium case consist of several compartment that are
interconnected by means of filtered lines.
There are compartments at the rear, the front the side and at the top.
The front panel contains the user controls and connections
and is bolted to the front of the main case.
The compartments at the rear can
be accessed by removing 14 hex bolts from the rear panel,
as shown in the image on the right.
At the left is the power supply (PSU) with the transformer just visible.
The (telephone) line interface is at the right.
The filters are mounted to the rear panel.
The filters are necessary to prevent unwanted leakage of information.
For the same reason, a metal gasket is present in between the main case
and the rear panel. The block at the bottom right contains the
backup battery (see below). The most interesting compartment is at the top.
It can be accessed by
removing the handset assembly and the
(sealed) top lid.
The image on the right shows the contents of the crypto compartment
as seen from the top.
There are 7 PCBs which are slotted into a backplane at the bottom.
A small microswitch on card number 3
acts as tamper-detection.
When the top panel is lifted, all cryptographic
keys will be cleared.
The two flying wires at the left are normally connected to a reed-switch
that is mounted to the top panel. It acts as the off-hook switch and is
activated by a magnet in the handset holder.
The boards are listed below.
Six of the seven PCBs are mounted together in pairs. Although each PCB has
is own connection to the backplace, they should always be removed together.
The first two PCBs at the front are 'locked' in between metal panels in order
to provide sufficient cooling for the special chips that are used for speech
analysis and synthesis. Parts of these two boards were developed in
close collaboration between Philips Usfa and Philips' NatLab (Philips Research).
Board number 4 (key generator)
is the actual crypto heart. It contains three OQ4430 crypto
processors that were developed by Philips especially for this purpose.
They are used for the implementation of the
The same crypto chips are used in the
As it is a full-duplex system, three crypto chips were necessary,
one of which was used for reception. The other two were used for
transmission, raising an alarm if their outputs were not identical.
Boards (1) and (2) are technically the most advanced for the era.
For development of the speech analyzer
and the speech synthesizer,
a number of first-generation DSPs have been used. Spendex 40 was
one of the very first devices to use the
NEC µPD77P20D DSP.
The speech analyzer
contains two such DSPs,
whilst the speech synthesizer
uses three of them, plus a OQ4422 custom chip.
The two boards are sandwiched together and clamped in between
a series of copper springs that prevent the socketed ICs from
The springs also provide some level of cooling for the DSPs and possibly
provide extra ground for some of the chips as well.
The speech synthesis board
further contains an Intel 8085 processor with firmware in a 32K EPROM.
The function of the OQ4422 custom chip is currently unknown.
The Spendex 40 is known under different names. Spendex 40 was the
name that was internally given to the device. In official correspondence,
the machine was referred to as the UA-8251 and in the 1985 edition of Jane's
Military Communication 
it is presented as the NBSV-45, which was the
non-NATO variant. At present, the following names are known:
- Spendex 40
As far as we currently know, the Spendex 40 was available in two different
models that can be identified by an extension to the model number that takes
the shape of /XX. The extension number identifies the type of (internal)
modem that is present in the phone's rear compartment. Please note that
the (soft) settings of the device have to be configured accordingly.
- UA-8251/00 - all modes except 2-wire full-duplex
- UA-8251/01 - 2-wire full-duplex only
Spendex-40 was interoperable with the following devices:
Will are still looking for a Crypto Ignition Key (CIK) for our Spendex 40.
Although the serial number plate on the CIK indicates that it is
CONFIDENTIAL, it is in fact an unclassified item as long as it is
unloaded (see above).
It just contains a memory chip (EEPROM) that can hold part of the key.
There is no additional intelligence or other protective or secret circuitry
If you have any of these available or if you have additional information,
please contact us.
- Nationaal Bureau voor Verbindingsbeveiliging (NBV, part of the AIVD),
List of approved crypto products (Dutch)
Retrieved March 2009.
- NSA, Cryptek TS-40 secure facsimile unit
Fax unit approved for use with Spendex 40.
- Jane's Military Communications 1986
- Philips Usfa BV, NBSV 45, Provisional Data Sheet
Simple black & white leaflet about the NBSV-45 (Spendex 40 M).
9922 154 12401. Date unknown.
- Anonymous, Using the Spendex 40
Interview at Crypto Museum. Eindhoven, June 2011.
- Wikipedia, LPC-10 Vocoder
FS-1015 standard. Retrieved July 2011.
- Philips Usfa/Crypto, Spendex 40 stock photographs
Crypto Museum Photo Archive.
- Crypto Museum, The SAVILLE Algorithm
Interview with former cryptographer at Crypto Museum, December 2011.
- NEC Electronics Inc., µPD77C20, 7720A, 77P20 Digital Signal Processors
First commercial DSP chip used in Spendex 40.
1980. Retrieved March 2012.
- Philips Usfa BV, Narrow Band Secure Voice Equipment Spendex 40
Spendex 40 Brochure (copy) 9922 154 12443. 1987.
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?|
© Crypto Museum. Created: Saturday 06 February 2010. Last changed: Monday, 23 November 2015 - 08:22 CET.