Spy radio
Burst encoders
• • • Donate • • •
   Logo (click for homepage)
Spendex-40   UA 8251
Narrowband secure voice terminal

Spendex 40 was a narrowband secure voice terminal, developed by Philips Usfa around 1980. It allowed secure transmission of voice, fax and computer data over standard PSTN telephone lines, using the high-grade GCHQ/NSA-developed SAVILLE crypto-algorithm. It was used by NATO, the Dutch Army, the Dutch Government and the Dutch PTT 1 (now: KPN), until it became obsolete in the early 2000s. Within NATO, the Spendex-40 is known as the Spendex 40 M, NBSV-45 [4], or by the Usfa designator UA-8251. As of 2009, approval for Spendex 40 has been withdrawn [1].
Spendex 40 was the first product developed outside the USA that implemented the highly secret SAVILLE algorithm, which made it inter-operable with the NSA's military STU-II phone.

The image on the right shows a typical Spendex-40 unit. It is housed in a robust military-grade die-cast aluminium case that is completely TEMPEST-proof. The handset is placed on top of the unit and connects to the telephone with a metal DIN connector on the left. Just below that connector is a 25-way D-type connector for the connection of an external fax unit or computer.
Spendex 40 Crypto Phone

At the rear of the unit are the connections for mains power and the telephone line (9-pin sub-D). Also present at the rear is a 25-way sub-D for the connection of an external analog modem that can be used instead of the internal one. A backup battery, used to retain the current keys, is hidden behind a small panel at the right. Spendex 40 was gradually phased out in the 2000s.
  1. At the time, the PTT was the Dutch state-owned telecom operator (Staatsbedrijf der Posterijen, Telegrafie en Telefonie). It was later privatized and renamed KPN (Koninklijke PTT Nederland).

Spendex 40 Crypto Phone Spendex 40 with the handset off-hook Connections at the left: handset and printer/fax Pressing the ZEROIZE button Spendex 40 with Philips UP-2001 key filler After switching on, the Spendex 40 performs a self-test Rear view of Spendex 40 Long telephone cable for connection to the PTT

Spendex 40 is connected permanently to the mains and to a standard 2-wire analogue PSTN telephone line. Optionally it could be made to work with 4-wire lines as well. Basic operation of the unit is rather straightforward and is comparable to using a standard telephone set.
Lifting the handset activates the unit and connects it to the line or PABX. Telephone numbers are entered on the black keypad, located at the bottom right. When dialling a number, it is displayed on the red 8-digit numerical LED display, just above the keypad.

When the connection with the required party has been established, the conversation is started en clair (clear speech). When it is agreed to switch to encrypted mode (go secure) one of the parties presses the SECURE button. After an initial delay of approx. 10 seconds the connection is secure.
Spendex 40 with the handset off-hook

The SECURE button is located to the left of the keypad. It can be used to toggle between SECURE and PLAIN. The 10 second delay when going secure is typical for encryption systems using an LPC-10 vocoder. Please note that in order to setup a secure connection, a Crypto Ignition Key (CIK) should be present and valid keys should be loaded into the Spendex 40 and the CIK first.

A typical side effect of narrow-band LPC-10 encoding is that speech is carried accross relatively clear, but that it is impossible to recognise the person at the other end. This is the result of the fact that speech is first analysed, sent to the other end (encrypted) at 2400 baud and then reconstructed or synthesized, resulting in a rather artificial or synthetic sound.

Spendex 40 is a full-duplex device, but it can also be used in half-duplex mode. This was used for example when the quality of the line was too poor, or when the signal path was (partly) over radio links. In half-duplex mode the Push-To-Talk switch (PTT) on the handset would be used. This mode was also used when communicating with an American STU-II phone at the other end.
Spendex 40 with the handset off-hook Using the PTT switch After switching on, the Spendex 40 performs a self-test Normal operation showing 'X' in the display

Crypto Ignition Key
The SAVILLE crypto-algorithm uses a 128 bits key. For enhanced security this key is split in two parts that are stored separetely. Each part is also 128 bits long and must be XOR-ed with the other one in order to obtain the actual key. One half is stored in battery-backed RAM inside the Spendex 40, whilst the other half is stored in an EEPROM inside the Crypto Ignition Key (CIK).
Splitting the key in two parts makes it easier to render the machine useless when security is compromised. Whenever a user temporarily leaves the Spendex 40, he can leave the key loaded as long as he takes the CIK with him.

Without the CIK, the key inside the Spendex 40 has no value. Likewise, a loaded CIK can not be used on another Spendex 40 device. Trying the CIK on another Spendex 40 causes the message ILL. CIK (illegal CIK) to be displayed. The image on the right shows a typical CIK being connected to the CIK socket on the Spendex 40 front panel.
Placing the CIK

Secure operation is only possible with a valid (loaded) CIK present on the socket marked 'CIK'. When security is compromised, the user presses the ZEROIZE button that is behind a metal flap at the front panel. Pressing the button destroys all keys that are present in the internal RAM of the Spendex 40. It also clears the CIK (when connected). The display will then show the message ZEROISED (British spelling). If the CIK was not present when the ZEROIZE button was pressed, the internal RAM is still cleared, rendering the keys useless. The CIK was also used with Spendex 50.

Although the CIK is marked with the word CONFIDENTIAL on its serial number plate, un unloaded CIK is an unclassified device. Whenever a valid key is loaded to both the Spendex 40 and the CIK, the CIK is classified to the level of the loaded key. Deleting the key makes it unclassified again. The CIK only contains a memory chip (EEPROM) that can hold a randomly-generated number that is part of the key. There is no additional intelligence or other protective or secret circuitry inside.
Typical Spendex 40 CIK Spendex 40 CIK Spendex 40 CIK Placing the CIK Crypto Ignition Key (CIK) present on Spendex 40 Display showing 'NUL. CIK', indicating that the CIK is empty. Pressing the ZEROIZE button Pressing the ZEROIZE button causes all internal keys and the CIK to be cleared

Loading the crypto keys
Key material for the Spendex-40 was produced by an external key management system. This was usually a piece of suitable software running on a dedicated PC. The keys were then distributed by means of a key filler or key-fill device such as the military KYK-13 fill gun. In the case of NATO, a government agency acting as a Key Distribution Center (KDC) could also be used for this.
Key are normally loaded into the Spendex 40 by means of a fill gun. When it is connected to the FILL socket on the front panel, the display will show the message COMSEC ?. The user then selects the required key compartment, sets the selector to WRITE and presses the ACTIVATE button in order to initiate a key transfer.

As the American KYK-13 key loader was in short supply, Philips developed its own equivalent devices such as the UP-2001 shown here. It had the advantage of having 40 key compartments rather than just 6 as on the original KYK-13.
Initiating a key fill

A larger number of key compartments in a fill device allows keys for different devices or for more days in advance to be carried. As soon as the keys were loaded, the key loader was removed and both the Spendex 40 and the CIK had become a Classified Cryptographic Item (CCI) 1 . Note that the original key was not stored inside the Spendex 40. It was reconstructed when needed by adding (by means of an XOR operation) the internally stored key with the one stored in the CIK.
  1. CCI is sometimes defined as Controlled COMSEC Item, which has the same meaning.

Spendex 40 with Philips UP-2001 key filler Loading the cryptographic keys with a Philips UP-2001 key filler (KYK-13 compatible) Initiating a key fill When the key filler is connected, the display reads 'COMSEC ?'.

Connecting a fax
Apart from voice communication, the Spendex 40 was also capable of encrypting and decrypting digital (computer) data through the internal modem, or an externally connected modem at speeds up to 4800 baud. For this, the DB25 connector at the left side of the front panel is available.
The data port has a serial (RS-232) interface that can be used for the connection of a personal computer or a similar data device such as a fax.

The image on the right shows a standard Canon fax unit of the early 1980s connected to the DB25 socket on the left side of the Spendex-40. The image was taken from a stock photo [7] that appeared in a 6-page brochure at the time [10].

As an alternative, the NSA-approved fax unit Cryptek TS-40 could also be used [2]. It was a plain paper laser fax that complied with NSA TEMPEST Level I standards. Neither of the fax units discussed here are available anymore.

A facsimile machine (fax) was a popular means of sending hand-written documents and images over telephone lines during the 1980s and 90s. Since the internet-revolution, it has gradually been replaced by e-mail. As the Spendex 40 allowed secure transmission of fax-documents, it was also used for the distribution of cryptographic keys, simply by printing them onto an A4-sheet as barcodes. The keys were then transferred to a key loader by means of a barcode reader.
Spendex-40 with a fax connected and the handset off-hook Connections at the left: handset and printer/fax Key-fill device with barcode pen

Backup battery
The keys, stored in the memory (RAM) of the Spendex 40, are retained by a backup battery. For this purpose, a long-life 3.6V Lithium cell is used. It has the shape of a standard penlight battery and is accessible from the rear of the device, by removing a small panel at the right.
The battery compartment can be opened by removing 4 hex-bolts, as shown in the image on the right. The battery itself can be removed by pulling its white cloth jacket (images below).

Suitable replacement batteries are available from a variety of sources, such as Tadiran (TL-5104) and Conrad Elektronik in Germany. The latter offers batteries from manufacturer EVE (Energy Very Endure) for about EUR 4.99 (order number 650773-89) and Emmerich (651244-89). Note that standard 1.5V penlight batteries can not be used as they do not deliver the required voltage.
Open battery compartment

When the battery is fully exhausted, or when it has been removed from the device for more than a few seconds, the internal settings of the phone will be lost. This might render the phone useless, especially when the internal modem is used (which is nearly always the case), as it defaults to using an external modem. In that case, the initial setup procedure should be carried out.
Open battery compartment Pulling the battery Removing the battery 3.6V Lithium backup battery 3.6V Lithium backup battery

Spendex 40 was one of the first secure voice terminals that used a vodocer based on the LPC-10 standard [6]. LPC or Linear Predictive Coding was a high-quality vocoder, developed by the US Department of Defense for use by NATO. It is also known as FS-1015 or STANAG-4198.

Although LPC-10 encoding became rather common in later years, it was by no means easy to implement it, at the time Spendex 40 was developed. The vocoder used in the Spendex 40, was developed in collaboration with Philips Research (NatLab) in Eindhoven (Netherlands). It needed five NEC DSPs 1 of the first generation. Reliability and speech quality was reported to be better than on comparable systems like the much larger American STU-II, which was also used by NATO.
As far as we know, Spendex 40 was the first non-US/UK device to be licenced to implement the highly secure GCHQ/NSA-developed SAVILLE cryptographic algorithm [3]. As SAVILLE is an extremely complex algorithm, it was considered too difficult to be implemented in software [8].

Philips therefore developed its own crypto-chip called the OQ4430. It is shown in the image on the right. The same chip was also used in the military Spendex 50 secure voice terminal. Three of these crypto-chips are used in each Spendex device: 1 for reception and 2 for transmission. 2
Click for more information about the SAVILLE algorithm

Spendex 40 was arguably the most secure voice and data terminal at the time. It was approved for use by the US Government at the highest possible level (NSA Type 1) and was also used by NATO and by the German government. It was one of the smallest Type 1 devices at the time.

Rumour has it that NSA officials were 'shocked' when they saw the first Spendex 40 prototype in action. It was so much smaller than the American STU-II and yet its speech quality was so much better [5]. Motorola later developed the STU-II/B, that was intended as a replacement for all STU-II compatible devices, including the Spendex 40. It was much smaller and had improved speech quality (using Motorola's own DSP technology) but came nearly 10 years after the Spendex 40.

It is also rumoured that Spendex 40 played an important role before, during and after the fall of the Berlin Wall in 1989, when West-German Authorities used it for secure voice communication [5]. It was assumed that foreign secret services were unable to break the SAVILLE encryption.
  1. Two NEC DSPs were used for the speech analyzer, whilst three were needed for the speech synthesizer.
  2. Two crypto units are used for transmission in order to provide a fail-safe solution. The output of the two units is constantly being compared and as soon as a difference occurs, an alarm is raised.

The Spendex 40 is an extremely robust device that was clearly intended for military use. The unit is hermetically sealed with a large number of hex bolts in order to prevent unwanted emission of signals (TEMPEST). The interior can be access from the rear (PSU) and from the top (crypto).
The die-cast aluminium case consist of several compartment that are interconnected by means of filtered lines. There are compartments at the rear, the front the side and at the top. The front panel contains the user controls and connections and is bolted to the front of the main case.

The compartments at the rear can be accessed by removing 14 hex bolts from the rear panel, as shown in the image on the right. At the left is the power supply (PSU) with the transformer just visible. The (telephone) line interface is at the right. The filters are mounted to the rear panel.
Looking into the rear compartment of the Spendex 40

The filters are necessary to prevent unwanted leakage of information. For the same reason, a metal gasket is present in between the main case and the rear panel. The block at the bottom right contains the backup battery (see below). The most interesting compartment is at the top.
It can be accessed by removing the handset assembly and the (sealed) top lid. The image on the right shows the contents of the crypto compartment as seen from the top. There are 7 PCBs which are slotted into a backplane at the bottom. A small microswitch on card number 3 acts as tamper-detection. When the top panel is lifted, all cryptographic keys will be cleared.

The two flying wires at the left are normally connected to a reed-switch that is mounted to the top panel. It acts as the off-hook switch and is activated by a magnet in the handset holder.
Crypto compartment. Each PCB is identified with a white label (in Dutch)

The boards are listed below. Six of the seven PCBs are mounted together in pairs. Although each PCB has is own connection to the backplace, they should always be removed together. The first two PCBs at the front are 'locked' in between metal panels in order to provide sufficient cooling for the special chips that are used for speech analysis and synthesis. Parts of these two boards were developed in close collaboration between Philips Usfa and Philips' NatLab (Philips Research).
Rear view of Spendex 40 Spendex 40 interior (rear view) Looking into the rear compartment of the Spendex 40 Top lid of crypto compartment Sealed crypto compartment Crypto compartment. Each PCB is identified with a white label (in Dutch) Three custom crypto processors Display showing 'ALARM' as the crypto compartment has been opened

Crypto heart
Inside the crypto compartment are the following PCBs. Detailed photographs of each board at the bottom of this section.
  1. UA-8323/00 Speech synthesis board
  2. UA-8322/00 Speech analysis board
  3. UA-8321/00 Key memory board
  4. UA-8320/00 Key generator
  5. UA-8319/00 Control board
  6. UA-8318/00 Timing board
  7. UA-8317/00 Telephony board
Three custom crypto processors

Board number 4 (key generator) is the actual crypto heart. It contains three OQ4430 crypto processors that were developed by Philips especially for this purpose. They are used for the implementation of the SAVILLE protocol. The same crypto chips are used in the Spendex 50. As it is a full-duplex system, three crypto chips were necessary, one of which was used for reception. The other two were used for transmission, raising an alarm if their outputs were not identical.
Boards (1) and (2) are technically the most advanced for the era. For development of the speech analyzer and the speech synthesizer, a number of first-generation DSPs have been used. Spendex 40 was one of the very first devices to use the NEC µPD77P20D DSP.

The speech analyzer contains two such DSPs, whilst the speech synthesizer uses three of them, plus a OQ4422 custom chip. The two boards are sandwiched together and clamped in between a series of copper springs that prevent the socketed ICs from coming loose.

The springs also provide some level of cooling for the DSPs and possibly provide extra ground for some of the chips as well. The speech synthesis board further contains an Intel 8085 processor with firmware in a 32K EPROM. The function of the OQ4422 custom chip is currently unknown.
Crypto compartment. Each PCB is identified with a white label (in Dutch) Speech synthesis board Speech analysis board Key memory Key generator (crypto board) Control board Timing card Line interface card

The Spendex 40 is known under different names. Spendex 40 was the name that was internally given to the device. In official correspondence, the machine was referred to as the UA-8251 and in the 1985 edition of Jane's Military Communication [3] it is presented as the NBSV-45, which was the non-NATO variant. At present, the following names are known:
  • Spendex 40
  • UA-8251
  • NBSV-45
  • Spendex-40-M
As far as we currently know, the Spendex 40 was available in two different models that can be identified by an extension to the model number that takes the shape of /XX. The extension number identifies the type of (internal) modem that is present in the phone's rear compartment. Please note that the (soft) settings of the device have to be configured accordingly.
  • UA-8251/00 - all modes except 2-wire full-duplex
  • UA-8251/01 - 2-wire full-duplex only
Spendex-40 was interoperable with the following devices:
Will are still looking for a Crypto Ignition Key (CIK) for our Spendex 40. Although the serial number plate on the CIK indicates that it is CONFIDENTIAL, it is in fact an unclassified item as long as it is unloaded (see above). It just contains a memory chip (EEPROM) that can hold part of the key. There is no additional intelligence or other protective or secret circuitry inside. If you have any of these available or if you have additional information, please contact us.
  1. Nationaal Bureau voor Verbindingsbeveiliging (NBV, part of the AIVD),
    List of approved crypto products (Dutch)

    Retrieved March 2009.

  2. NSA, Cryptek TS-40 secure facsimile unit
    Fax unit approved for use with Spendex 40.

  3. Jane's Military Communications 1986
    ISBN: 0-7106-0824-1

  4. Philips Usfa BV, NBSV 45, Provisional Data Sheet
    Simple black & white leaflet about the NBSV-45 (Spendex 40 M).
    9922 154 12401. Date unknown.

  5. Anonymous, Using the Spendex 40
    Interview at Crypto Museum. Eindhoven, June 2011.

  6. Wikipedia, LPC-10 Vocoder
    FS-1015 standard. Retrieved July 2011.

  7. Philips Usfa/Crypto, Spendex 40 stock photographs
    Crypto Museum Photo Archive.

  8. Crypto Museum, The SAVILLE Algorithm
    Interview with former cryptographer at Crypto Museum, December 2011.

  9. NEC Electronics Inc., µPD77C20, 7720A, 77P20 Digital Signal Processors
    First commercial DSP chip used in Spendex 40. 1980. Retrieved March 2012.

  10. Philips Usfa BV, Narrow Band Secure Voice Equipment Spendex 40
    Spendex 40 Brochure (copy) 9922 154 12443. 1987.

Further information

Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
Crypto Museum. Created: Saturday 06 February 2010. Last changed: Monday, 23 November 2015 - 08:22 CET.
Click for homepage