KW-7   Orestes
Electronic cipher machine

KW-7 was a highly secure on-line cipher machine, developed by the US National Security Agency (NSA) around 1960, and built by Honeywell in Tampa (Florida, USA). The device was used for low-level tactical offline teleprinter traffic and was the main cipher machine of the US Navy until the 1990s. It is officially known as TSEC/KW-7 and as ORESTES and NSN 5810-12-149-8282. The machine was also used aboard aircraft and by the Foreign Office of several European countries.
 
The KW-7 was housed in a rather heavy cubical metal enclosure, with all connections at the rear, and all controls at the front. The cryptographic key had to be set by wiring a plugboard that was installed behind the bulged door at the front.

In the early 1960s, the machine was one of the first fully-electronic cipher machines that were used by NATO. Although it was cryptographically more secure than the earlier wheel-based KL-7, the latter remained in service with many army units and with NATO. Despite its better security, the KW-7 was compromised for many years.
  
KW-7 with open door

The machine was part of a new generation of machines, consisting of the KW-26, that was used for high-speed point-to-point traffic at the higher echelons, the KW-37 for broadcast traffic, and the KW-7 for multi-holder tactical operations. Within the navy, the machine was used for ship-to-shore, shore-to-ship and ship-to-ship traffic. It was also used by other NATO countries and by Australia and New Zealand, for military and governmental teleprinter communications [8].

Aboard US Navy ships, the KW-7 was generally connected to a Teletype Model 28 teleprinter, or to a tape reader (T-D) to send a pre-recorded message. When sending over radio, the KW-7 was usually connected to a UHF radio transmitting in AM. The KW-7 was also used aboard aircraft such as the EC/RC-135, in which case the red and yellow push-buttons at the front panel were sometimes modified to prevent them from being pressed accidentally. The KW-7 does not provide traffic flow security (TFS), meaning that it didn't send data when there was no message.

The KW-7 was introduced in the early 1960s at a unit price of US$ 4500. Over the next 20 years, an estimated 38,000 units were built [12]. During its operational life, the machine was modified and upgraded several times. The machine was in service until the early 1990s, with some units still being in service as late as 1992 [16]. They were largely replaced by the smaller KG-84, which in turn was replaced in the mid-1990s by the much smaller and backwards compatible KIV-7.
 

 
Controls
All controls of the KW-7 are at the lower edge of the front of the machine, below the large metal door. At the left is the MODE selector that has to be pushed-in before its setting can be changed. Next is a red indicator that is lit when the machine is in PLAINTEXT mode. Towards the centre is the POWER switch that is used to select between AC (mains) and DC (24V battery) operation. When the machine is ON, a green indicator will be lit. The large selector at the right is for testing.

Control panel at the front of the KW-7

In some situations, the KW-7 was not installed close to the teleprinter unit, but in a separate CRYPTO room, sometimes mounted in a 19" rack. In that case, an external remote control unit (RCU) could be connected at the rear of the machine, to allow it to be controlled from the position of the teleprinter. When the RCU is connected, the MODE selector should be set to REMOTE.

The KW-7 was suitable for half-duplex traffic only. Before sending a message, the operator had to press the SEND button and keep it depressed for a few seconds, until the machine at the other end was synchronised. During this time the P&I lamp at the front panel was lit. Once the unit was 'in sync', the SEND button was released and the machine was ready to send a teleprinter message.

When the operator at the other end wanted to answer the message, he too had to press the SEND button in order to send a random stream of synchronisation characters, before sending the actual message. A 'glitch' on the line or interference on the radio channel could cause the machines to lose synchronisation. The KW-7 does not provide Traffic Flow Security (TFS), which means that no characters are sent between messages. This means that an eavesdropper can detect the start and end of a message and derive traffic analysis from that. Some operators reportedly solved this by putting a rubber band over the SEND button, to keep it depressed when the machine was in rest.

At the Air Force, the front panel of the machine was modified shortly after its introduction in airborne command post aircraft. As the machines were mounted close to the floor, the SEND and BREAK buttons were sometimes accidentally 'pressed' by the boots of the person sitting at the desk. To avoid this, a 'collar' was mounted around the buttons. As the aircraft personnel had a hard time keeping the KW-7 in sync whilst airborne, some of them jammed the cap of a BIC ballpoint between the SEND button and its collar, to keep it resyncing when not in use [16].
 
Versions
The following versions of the KW-7 are known:
 
  1. Wire-cord version
    The original version of the KW-7 had a plugboard behind the door at the front. Each day, the key had to be set by patching the plugboard according to the daily keylist. This was a tedious job, as the machine had to be taken out-of-service for several minutes whilst a new key was being 'programmed', and even longer if the operator had made a mistake. This version had a 'flat' front door.

  2. Plug-block version
    At some point the KW-7 was modified with a removable plug-block at the front. The plug-block assembly was constructed in such a manner, that it could be slotted into the existing patch sockets, e.g. as a field-upgrade. The advantage of a removable plug-block is that several blocks can be prepared (i.e. wired) well in advance of changing the key. This version can be recognized by a front door which has a small square bulge at the center. The machine featured on this page is of that type. NSN 5810-12-149-8282.

  3. Card-reader version
    Between 1977 and 1979, the machine was improved by adding a card reader, which replaced the plug-block mentioned above. This version has a front door with a wide rectangular bulge. The advantage of using punched cards is that it avoids mistakes when wiring the plug-blocks. This version is also known as NSN 5810-00-998-5760. Note that the card-reader version is not compatible with the other two versions.




 
Plug-block version   KWK-7
The diagram above shows the various features of the plug-block variant of the KW-7. It has a protective door at the front that is locked with a physical key. It is bulged to accommodate the plug-block, and is sealed with a metal gasket for TEMPEST reasons. The door should be locked.
 
At the centre is the plug-block which is used for setting the cryptographic key. It consists of 30 patch cables, each with two wires and a two-pin plug at either end. One end of each patch cable is hidden behind a metal panel at the lower half, lined up in sequential order (1-30) as engraved.

The other end of each patch cable is wired to the top half, spread over three rows. The plugs are numbered 1-30, and the sockets 1-31. Note that socket 31 should be left empty. Three metal rods are shifted down in order to keep the plugs in place. The plug-block is now ready for use.
  
Plug-block removed from the machine

The plug-block is then installed into the large socket at the center of the front panel, and is kept in place by a metal bracket with a lock. The daily key is now loaded and the TEMPEST door can be closed again. The machine is now ready for use. Whilst the machine is in use, a second (spare) plug-block can be wired up for the next day's key, so it can be swapped in just a few seconds. Note that the patch cables are wired straight through (i.e. 1-to-1 and not cross-connected like on the Enigma-I). This version of the machine is compatible with the earlier wire-cord version.

When the machine was installed nearby the teleprinter, the black control panel at the lower edge of the front was used to control its operation. In some cases, when the machine was installed in another room or in a 19" rack, the external KWX-7 Remote Control Unit (RCU) was used.
 

 
Wire-cord version
This was the initial version of the KW-7, which can be recognised by a flat (i.e. non-bulged) front door. In principle, the later plug-block and card-reader versions are identical, but are extended with the extra facilities that are plugged straight into the existing sockets. If you look closely at the plug-block version above, you will see that the plug-block assembly is actually a separate metal panel that is bolted onto the front of the machine, mounted over the existing plug sockets.
 
The plug-block assembly can easily be removed by taking out five bolts along the edges. The assembly can now be tilted forward as shown in the image, exposing the original plug sockets.

There are four groups of sockets: two at the upper half and two at the lower half. The upper two sections are marked 1-31, whilst the lower two sections are marked 1-30. Short patch cables were then connected between the lower sockets (1-30) and the upper sockets (1-30) as per key list. Each patch cable had two wires and was terminated with a coaxial plug at either end.
  
Plug-block partly removed

Once all 30 patch cables had been installed according to the daily key, the machine was ready for use and the front door had to be closed again, which could be quite cumbersome with all the patch cables being strangled, which is why setting the key was also known as basket weaving.

Note that socket 31, at the upper half, remained unused. The machine was compatible with the later plug-block version. According to some former users, there might have been two variants: one with plugs at either end of each patch cable, and one where the patch cables were fitted permanently at the lower half [11]. It is believed that most wire-cord machines were eventually converted to plug-block versions, by mounting the plug-board assembly and fitting a new door.
 

 
Card-reader version   KWX-10
Although the plug-block had great advantages over the original plug board, and allowed quick swapping of the keys at midnight, it was still prone to mistakes. According to some users, wiring errors frequently caused the key to be wrong, causing long delays before getting it going again.
 
For this reason, a third variant was introduced, that had a card-reader at the front instead of the plug-block. A date-coded card was installed into the card-reader and the machine was ready to go. As the cards were supplied readily punched, this ruled out any operator mistakes.

The reader was known as the KWX-10 extension and the complete machine was identified as the KW-7/TSEC with TSEC/KWX-10. Like with the plug-block version, existing machines could be converted by swapping the assembly and replacing the door by one with a larger bulge. 1
  
Photograph by Jerry Proc [11]. Reproduced here by kind permission.

The operation of the card reader is currently unknown, but according to some reports, it allowed more permutations than the plug-block, making it more secure but incompatible with the earlier versions of the machine [11]. Can anyone explain to us how the card-reader works?
 
  1. Although the card-reader had many advantages over the plug-block, not all machines were converted. Within NATO, many customers kept using the plug-block version.

KW-7 in use
Although generally speaking only a couple of KW-7 machines would be installed on a single ship, the naval communications centers that were responsible for the ship-to-shore traffic, had large rooms full of them, all linked to teleprinters, punchers and readers elsewhere in the building.
 
As an example, the image on the right shows the CRYPTO room of NAVCOMMSTA in Stockton (CA, USA). In the image we see at least forty KW-7 machines of the plug-block variant, mounted in an array of 19" racks, each holding four of them.

NAVCOMMSTA Stockton was part of the Naval Computer and Telecommunications System (NCTS) and was responsible for maintaining communications for command, operational control, and support of administrative functions within the Department of the Navy (DoN). It was an active 3rd Echelon shore command unit [15].
  
CRYPTO room with KW-7 machines at NAVCOMMSTA in Stockton (CA, USA). Photograph via Nick England [14].

When examining the above photograph more closely, it becomes evident that there is another array of KW-7 machines at the right hand side of the room as well. This means that the room probably accommodated 80 such machines, or even more. Try to imagine how much power they must have used and how much heat was produced by them. It required special air conditioning.
 
In the above image a vertical 2U-space is clearly visible between each of the four machines in a single rack, to provide sufficient ventilation.

The image on the right shows the rear side of the above array of KW-7 units. In this case, each machine is fitted inside a KWX-11 rackmount slide frame, that allows it to be pulled forward without breaking any of the existing connections at the rear. The machine is wired to the slide-out frame by means of flexible cables, whilst the KWX-11 frame is permanently wired to the facility's red/black signal distribution frames.
  
Rear side of the KW-7 machines at NAVCOMMSTA in Stockton (CA, USA). Photograph via Nick England [14].

The use of slide-out assemblies greatly improved the serviceability of the machines, as they could be pulled forward, opened and repaired without physically removing them from the rack.
 
An alternative to the KWX-11 rackmount slide-frame, was the KWF-1 which had a similar function. The image on the right shows a KW-7 mounted inside a KWF-1 frame at the top of the leftmost 19" rack.

 
Parts
| Part | Description | NSN |
|---|---|---|
| TSEC/KW-7 | Main KW-7 cipher machine | ? |
| KWK-7/TSEC | Plug-block | ? |
| KWX-7/TSEC | Remote control unit | ? |
| KWX-8/TSEC | Function Remote Unit | ? |
| KWX-10/TSEC | Card reader | NSN 5810-00-998-5760 |
| KWX-11/TSEC | Rackmount slide frame | ? |
| KWF-1 | Slide mount | ? |
| KWL-4A | Loop adapter | ? |
| KWQ-8 | KW-7 spare parts for KW-7 | ? |
| ONO 8757 | Stop switch | ? |

 
Cryptographic algorithm
It is known that the KW-7 is a stream cipher and that it has to be synchronised at the start of each message by means of a preamble. Although its cryptographic principle has not yet been published, and is probably still classified, there are a few hints that can be found in declassified NSA material, such as the Pueblo damage assessment [8], where it is described on page 12 as:

...the tetrahedral key combining logic and Fibonacci shift register stages...

This indicates that the machine uses a Pseudo Random Number Generator (PRNG) to generate the key stream, and that this PRNG consists of several Fibonacci Linear Feedback Shift Registers (LFSRs) [13], each of which probably has a different length. It is likely that some element of non-linearity was introduced, as this would make the system more resistant to cryptanalytic attacks. In this type of encryption system, the initial state of the LFSRs is generally derived from the cryptographic KEY.


Other hints can be found in David Boak's internal NSA lectures of 1966, that have recently been declassified by the NSA [12 p.50]. According to Boak, the KW-7 uses the same Fibonacci principle as the KW-26, but an extra random stream, created by a noisy diode, was added to the key at the start of each message, thereby generating a unique and truly random message key.

It is currently unknown how the other side was informed of the message key, but this may have been done as part of the preamble that was sent at the beginning of each message. It is also possible however, that the system was self-synchronising (autoclave), which would explain why some users have reported that they had to send a synchronisation stream of arbitrary length. In the latter case a random stream of characters of a certain minimum length would be sent until the LFSRs at both sides were in the same state (i.e. synchronised). Something like this:


In any case, the KW-7 did not have traffic flow security (TFS), which means that it didn't send any data when there was no message to be sent. Before sending out the next message, the user first had to send out a synchronisation sequence, by pressing the SEND button 'for some time'.

Some former users have indicated the use of a rubber band [11], or a BIC ballpoint cap [16], to keep the SEND button depressed between two messages. This kept the machines in-sync and also obscured the beginning and the end of the actual message from a potential eavesdropper. Again, this might indicate that the machine was a self-synchronising autoclave.
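A toy model of the self-synchronising behaviour hypothesised above, added here as an illustration; it is not from the original page and is not the KW-7's (unpublished) logic. The 31-bit register length, the filter function and `KEY` are assumptions chosen for the example. It shows why a random preamble of at least the register length brings both ends into the same state, and why a single line glitch garbles only a bounded burst of plaintext.

```python
import random

REG_BITS = 31                      # assumed register length (illustrative only)
MASK = (1 << REG_BITS) - 1
KEY = 0x5A3C19E7                   # constructed sample key, not a real key setting


class SelfSyncCipher:
    """Toy ciphertext-autokey cipher.

    The shift register always holds the last REG_BITS ciphertext bits, so its
    contents depend only on what was seen on the line, not on how it started.
    """

    def __init__(self, key, state):
        self.key = key & MASK
        self.reg = state & MASK

    def _keystream_bit(self):
        # Keyed filter over the register: parity of the key-selected stages,
        # XORed with one AND term as a (token) non-linear element.
        linear = bin(self.reg & self.key).count("1") & 1
        nonlinear = (self.reg >> 3) & (self.reg >> 17) & 1
        return linear ^ nonlinear

    def encrypt_bit(self, p):
        c = p ^ self._keystream_bit()
        self.reg = ((self.reg << 1) | c) & MASK   # feed back the ciphertext bit
        return c

    def decrypt_bit(self, c):
        p = c ^ self._keystream_bit()
        self.reg = ((self.reg << 1) | c) & MASK   # same feedback on receive
        return p


def in_sync_after(preamble_bits, seed=1):
    """Send a random preamble (SEND held down) and report whether the
    receiver's register now equals the sender's."""
    rng = random.Random(seed)
    tx = SelfSyncCipher(KEY, state=0)        # the two ends start in
    rx = SelfSyncCipher(KEY, state=MASK)     # maximally different states
    for _ in range(preamble_bits):
        rx.decrypt_bit(tx.encrypt_bit(rng.getrandbits(1)))
    return tx.reg == rx.reg


def garbled_positions(message_bits, flip_at, seed=2):
    """Flip one ciphertext bit on the line (a 'glitch') and return the indices
    of the plaintext bits the receiver gets wrong."""
    rng = random.Random(seed)
    tx = SelfSyncCipher(KEY, state=0)
    rx = SelfSyncCipher(KEY, state=0)        # already synchronised
    plain = [rng.getrandbits(1) for _ in range(message_bits)]
    line = [tx.encrypt_bit(p) for p in plain]
    line[flip_at] ^= 1                       # single-bit line error
    received = [rx.decrypt_bit(c) for c in line]
    return [i for i, (p, r) in enumerate(zip(plain, received)) if p != r]


if __name__ == "__main__":
    for n in (10, REG_BITS, 200):
        print(f"preamble of {n:3d} bits -> in sync: {in_sync_after(n)}")
    errs = garbled_positions(300, flip_at=100)
    print(f"glitch at bit 100 garbled bits {errs[0]}..{errs[-1]}, "
          f"then the receiver recovered on its own")
```

In this model the preamble may be of any length beyond the register size, which matches the reports of a synchronisation stream of arbitrary length; a free-running (synchronous) generator would instead need the exact start state conveyed to the receiver.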
 
Compromise
During its lifetime, KW-7 was compromised several times. Based on publicly available research [1], it seems most probable that the Russians were able to break and read messages encrypted with a number of high-level US cipher machines, including the KL-7, the KL-47 and the KW-7.
 
The Walker Spy Ring
The most famous spying case is that of John Anthony Walker, born 1937, who worked for the US Navy and successfully spied for the Russians for nearly 17 years [2]. Walker joined the US Navy in 1955 and started spying for the Soviets in December 1967, when he had financial difficulties [3].
 
From that moment, until his retirement from the navy in 1983, he supplied the Russians with the key lists and other critical cipher material of the KL-47, the KW-7 and other encryption systems.

For his information he received several thousand dollars from the Soviets each month. In 1969 he began searching for assistance and befriended Jerry Whitworth, a student who would become a Senior Petty Officer in the US Navy. In 1973, he was able to enlist Whitworth in his spy-ring.

In 1976, Walker left the Navy to become a Private Investigator (PI) but kept spying for the Russians. By 1984, he had enlisted his son Michael and his older brother Arthur, who kept the endless flow of classified documents going for another year.

He also tried to recruit his youngest daughter who had started to work for the US Army, but this attempt failed when she became pregnant and abandoned her military career. By that time, his wife Barbara had already left him after a history of physical abuse and alcohol [3]. The two were divorced and he had to pay alimony.
  
Photograph showing John Anthony Walker during his trial. Taken from www.sodahead.com

When he refused to pay alimony in 1985, she tipped-off the FBI, which eventually led to Walker's arrest. After his arrest, Walker cooperated with the authorities and made a plea bargain in order to lower the sentence of his son Michael. Suffering from diabetes and throat cancer, Walker died in prison on 28 August 2014. His son Michael was released on parole in February 2000.

According to Walker's KGB handler Boris Solomatin, John Walker and Jerry Whitworth provided the KGB with the technical drawings that allowed them to construct a working replica of the KW-7 and other machines. Walker admitted to the FBI that they had done this [10]. There are also indications that Walker's spying activities induced the capture of the USS Pueblo (see below) [1].
 
USS Pueblo
Among the documents that John Walker supplied to the Russians on his first contact in December 1967, were detailed descriptions of the KW-7, along with active key lists. According to former KGB general Oleg Kalugin, the Russians wanted to get access to the actual machine and asked the North Koreans to capture the USS Pueblo; an American intelligence gathering ship or spy ship [7].
 
At that time, the USS Pueblo was operating in the waters off the North Korean coast, 1 disguised as an environmental research vessel. The boat was captured by North Korean forces on 23 January 1968 along with its 83 crew members, one of whom, Duane Hodges, was killed in the attack.

Aboard the spy ship was a wealth of operational cipher machines and active crypto key material, some of which was destroyed by the crew before they were boarded by the North Koreans. Of the two KW-7 machines in the CRYPTO room, one was believed to be destroyed beyond repair.
  

From the other machine, the circuit boards had been removed and were smashed against the far wall, but the crew doubted that this had damaged them. As the ship was already being boarded by the North Koreans at that time, there was no time to fully carry out the destruction orders.

In a damage assessment that was carried out in February 1969 [8], the US Navy assumed that the North Koreans had been able to get the second KW-7 working again, and that they had shared their knowledge with the USSR (i.e. the Russians). This was thought not to be a COMSEC problem, as the KW-7 was designed as a tactical forward cipher machine that could fall into enemy hands. Although it would give the enemy a good insight of the cryptographic abilities of the Americans, it could not be used to break any messages as long as they did not have access to the keys [8].

Unknown to the Americans at the time however, John Walker had been supplying KW-7 key lists to the Russians and kept doing so until his retirement from the Navy in 1983, after which the flow of classified material was kept going by his son Michael and his brother Arthur. With the capture of the actual machine and the continuing supply of key material, the Russians were able to read sensitive US traffic for many years. It is believed that the intelligence derived from this was shared with the North Koreans, which gave them advance warnings of any US B-52 bomb raids. 2

 
  1. According to the North Koreans, the Pueblo had entered Korean waters illegally several times, but the US maintains that the ship was operating in international waters at the time of the incident.
  2. This is contradicted by some sources that state that Walker only provided the Russians with keys that were at least two months old and were supposed to have been destroyed. Furthermore, intact KW-7 machines had been lost before in Vietnam and had almost certainly been supplied to the Russians [9].

Tehran 1979
US Embassies all over the world used KW-7 and other cipher machines for secure communication with the Home Office back in the US. Cipher personnel were trained in the operation of the KW-7, but also in its demolition in case of an emergency. They were instructed not to let any working machines fall into enemy hands, and had to destroy all critical components in such an event.

Following the Iranian Revolution, after which Persia became an Islamic Republic on 1 April 1979 [4], a group of angry students supporting the revolution raided the US Embassy in Tehran (Iran) on 4 November 1979, taking 52 of the US Embassy staff hostage for more than a year.

Demolished KW-7 units in the US Embassy in Tehran (Iran) in 1979 (source unknown, photograph via The Memory Hole [6])

As the raid came rather unexpectedly, communications personnel had to rush in order to get all crypto gear destroyed in time. The image above shows part of the communications room in the embassy, with a KW-7 unit clearly visible at the front. It has been pulled out of the 19" rack, the top has been removed and the critical cipher boards have been taken out and destroyed.

At the right, on the floor, are the destroyed key card readers of the KW-7. In the same way, all technical documentation and key lists had to be destroyed as well. In this case, no critical components fell into enemy hands and the KW-7 was not compromised. Eventually, after long negotiations, the hostages were released on 20 January 1981, after being held for 444 days [5].
 

 
Soviet breaking of KW-7
Although there is no direct proof that confirms that the Russians were able to break the KW-7 cipher, there is sufficient circumstantial evidence to suggest that they did. In her 2001 thesis, Major Laura Heath comes to this conclusion after weighing all publicly available evidence [1].

The Russians got interested in the KW-7 after receiving valuable documents from American spy John Walker in December 1967, and possibly some time before that, after receiving documents from his brother Arthur [1]. Although Walker provided the Russians with service manuals and key lists, he could not give them the actual machines. Eventually, they obtained a working KW-7 after the North Korean forces had captured the USS Pueblo, and were able to complete the puzzle.

In the beginning of his contacts with the Soviets in December 1967, the Russians were pushing him hard to deliver key material to them on a regular basis (which was probably every two or three months). But that changed in 1970, when his handlers began pushing him to hand off his material less frequently. This could indicate that, after two years of studying the documents and the seized KW-7 device(s), they were able to read (part of) the traffic without having the keys.

Although the US probably modified the KW-7 after the Pueblo Incident, and possibly also after other incidents, Walker would have received any Modification Work Orders (MWO) and passed them on to the Soviets. This enabled the Russians to reverse engineer any new KW-7 variants that appeared and examine their design for possible flaws [1].
 
Power Supply
The KW-7 can be powered from a 24V DC source, such as the battery of a vehicle, or directly from the AC mains. In order to be able to use the machine anywhere in the world, the Power Supply Unit (PSU) is a separate unit that is installed into a cut-out space at the rear right.

Initially, the KW-7 was supplied with a 110V/60Hz AC PSU that was suitable for use in the USA and other countries with 110V mains. When the machine was also used in Europe, as one of the main NATO cipher machines, it was usually supplied with an external step-down transformer, that converted 220V to 110V. The PSU was later replaced by a universal one that was suitable for both 115V and 230V. A switch at the rear panel of the KW-7 allows selection between the two.

In operation, the machine could be powered either by the AC mains, or by a 24V DC source, or both. The POWER switch at the front panel is then used to select between the two sources, with a green indicator lamp being lit when the machine is operational. If only one power source is connected, this switch acts as the ON/OFF switch. According to most former users and service engineers, the PSU was of very good quality. Most of them never had to replace a faulty one [11].
 
Accessories
Mains power cable, 24V DC cable, Vehicle battery adapter, Line connection, Teleprinter connection box, Remote control unit (RCU), Spare parts box

 
Mains AC power cable
The KW-7 could be powered from any mains AC source with a voltage of 115 or 230V AC, 50/60Hz. A suitable cable for this was supplied with the machine and should be connected at the rear to the 4-pin socket marked AC POWER.

The image on the right shows an example of a suitable mains cable that is fitted with a mains wall plug for continental Europe. Note that the voltage selector at the rear panel has to be set to the correct voltage.
  
AC Mains power cable

 
24V DC power cable
The machine could also be powered by a 24V DC source, such as the battery of a (military) vehicle, selectable by a switch at the front panel.

A suitable cable for this was supplied with the machine and should be connected at the rear to the 4-pin socket marked 24 VDC. The image on the right shows an example of such a cable, which ends in a rather uncommon vehicle plug.
  
24V DC power cable

 
Vehicle battery adapter
The KW-7 could also be powered directly from a car battery, by using the adapter shown here. It consists of two clamps that should be mounted to the (+) and (-) terminals of the battery, and a socket that accepts the 24V cable shown above.   
Car battery adapter

 
Line cable
As the KW-7 was intended for the encryption and decryption of teleprinter signals, it was inserted between a regular teleprinter and the line to the teleprinter exchange (i.e. telex line).

The cable shown here was used to connect the machine to the external telex line. It is provided here with a 4-contact circular plug, known as a Walzenstecker or ADoS ZB 27.
  
Line connection cable

 
Teleprinter box
This small breakout box was usually connected to one pair of LOOP IN and LOOP OUT sockets at the rear. It allows a teleprinter unit (telex) with a Walzenstecker or an 8-pin ADo 8 plug, to be connected directly to the KW-7.

The circular Walzenstecker was used in the early days of the telex, whilst the 8-pin ADo 8 plug became the de facto standard in Europe in later years. The box is suitable for both standards.
  
Teleprinter connection box

 
Remote Control Unit   KWX-7
Although the KW-7 can be controlled completely from its front panel, the machine was often mounted in a 19" rack, together with other equipment, or even in a different room. In order to control the machine from the terminal (teletype), a separate remote control box was used.
 
The image on the right shows a KWX-7/TSEC remote control panel. It connects to the KW-7 by means of a thick 32-pin cable and has the same controls and connections 1 as the device itself.

At the top of the control panel are four indicator lamps: a red one that indicates Plain Text mode, a green one that shows that the device is in Cipher mode (secure), a red ALARM lamp that lights in case of a failure and an orange lamp marked P&I. The mode of operation is selected with the rotary knob at the bottom left. At the bottom right is the SEND button.
  
KW-7 remote control panel

At the center is a red button marked BREAK. It should be pressed in case of an emergency. It disables all output and prevents any further data (clear or cipher) from being sent. A break condition can only be reset by pressing the black BREAK RESTORE button. Note that this box can only be used when the MODE selector on the control panel of the machine is set to REMOTE.
 
  1. All connections, with the exception of the power sockets, are available on the remote control unit.


 
Spare parts
In Europe, each KW-7 machine was supplied with a small aluminium box with spare parts and supplies, such as spare lamps, fuses, lamp caps, dummy connectors, spare wires and tools.

Below is a complete list of the items that were present in the European version of the spare parts box. Note the five sheets of self-adhesive labels with the numbers 1 to 30 on them. They could be used to mark one of the unnumbered patch cables when it was used as a replacement for a broken one.
  
Spares kit contents

 

 
Qty Description Part No
1 Dummy, connector, plug (female) 0N008082
1 Dummy, connector, plug (male) 0N008083
2 Lamp type 345 0N008392
1 Lens, indicator light 'send' 0N008399-1
1 Lens, indicator light 'break' 0N008399-2
5 Markers (self-adhesive labels 1-30) 0N008736
5 Cable assembly (spare) 0N008739-31
1 Tine, expander 0N008811
1 Tool, maintenance 0N008820
20 Guide, contact 0N008842
20 Clip, retaining 0N008859
5 Fuse, 2A (30 mm) MS 90078-11-1
5 Fuse, 5A (30 mm) MS 90078-14-1

 
Interior
The KW-7 consists of two parts: a Power Supply Unit (PSU) at the rear right and the actual cipher machine which is housed in an L-shaped body. The interior can be accessed by removing the L-shaped top cover, after which 14 plug-in circuit boards and the clock unit become visible.


The diagram above shows the interior of the KW-7 as seen from the top after the top cover has been removed. At the rear right is the removable PSU that can be swapped for an alternative one, allowing the machine to be used virtually anywhere in the world. At the rear left is the connection panel, with a small grey unit (the temperature compensated 1 MHz clock) mounted in front of it.
 
The rest of the space is taken by the 14 plug-in cards that hold the crypto logic, the key stream generator and the combining logic. Some boards carry red labels with the text:

CONFIDENTIAL - XGDS-2 COMSEC

These boards contain the secret crypto logic and are the first ones to be removed and destroyed when security is compromised. Note that the two frontmost boards can only be extracted after all plugs are removed from the plugboard, which is also mandatory in case of a compromise.
  
Releasing a board

All other boards have black labels. They hold the less secret logic. These boards should also be destroyed when the machine is compromised, but with a lower priority than the red ones. Each board has 16 horizontally aligned test points that are accessible from the top of the machine.
 
Each board holds a series of large integrated building blocks that can be regarded as the forerunners of the Integrated Circuit (IC). They are known as FLYBALL Modules, each of which contains a digital function, such as an AND, OR or XOR circuit, identified by a unique colour.

As an example, the image on the right shows the E-AJV board that is populated with yellow, blue, orange, green and red LEGO-style circuit blocks. The contents of the blocks are currently unknown and the ONO-numbers on their body show that they are uncommon custom-built OEM-parts.
  
E-AJV module (COMSEC)

Some of the boards hold other parts as well, such as a relay, a diode or a switch. The boards themselves are high-quality double-sided pre-tinned epoxy PCBs, each of which is slotted into a socket at the bottom of the machine and locked by two metal retaining brackets at the top.
 
In the late 1980s, the E-AJM board of the KW-7 machine shown here was replaced by a modern alternative that was manufactured in Germany in December 1987. Rather than the LEGO-style building blocks, it contains standard Motorola CMOS ICs like the MC14015 and the MC14025, which provide a nearly identical functionality.

Unlike the earlier boards, the replacement PCB does not provide the 16 test points along the edge of the PCB (under the metal bracket). Furthermore, its label is black, but is marked COMSEC just like the boards with the red labels.
  
Modern replacement of the E-AJM board

Apparently, the replacement boards were drop-in replacements for the existing boards that were no longer available, as production of the brightly coloured circuit blocks had meanwhile been discontinued. It is also possible that the new board was issued as part of a field upgrade as a result of a compromise. The replacement boards effectively gave the machine an extended life.
 
Of the 14 plug-in cards, 12 can be extracted easily, simply by moving the metal levers at the top of each board sideways. The two cards at the front are a little bit more difficult to remove as they hold the plugboard sockets. They can only be extracted after all plugs have been removed.

For the original plugboard version that was a simple job; for the two other versions, which were far more common, this involved removing the plug-block or card-reader sub-assembly and its cabling. The image on the right shows the first two cards, A1 and A2, still in place.
  
KW-7 case seen from the rear, after removing 12 of the 14 cards

In practice, these two boards were often left behind in the machine after a security compromise, simply because removing them took too much time. Nevertheless, the boards are marked CONFIDENTIAL, as they contain the secret tetrahedral key combining logic and the Fibonacci shift register stages [8].
 
At the bottom of the machine is the backplane, its wiring and a removable teletype interface (TTY). The bottom can be accessed by removing all screws from the bottom panel and taking it away. This exposes the wiring of the front panel and the wiring of the remote panel connector.

At the center of the bottom section is the sub-assembly that holds the TTY interface. It is held in place by five recessed screws and connects to the wiring of the machine via a 25-way sub-D connector at its rear right. The image on the right shows the partly removed TTY interface.
  
TTY interface removed

The fact that the TTY interface is easily removable makes the machine more service friendly. Note the two cylindrical teleprinter relays at the left. They are the only mechanical parts in the machine and may have to be serviced or replaced at some point. This was done either by replacing the entire TTY interface, or by opening the individual relays and cleaning their contacts. After the TTY interface is removed, the bottom side of the backplane is exposed, along with its wiring.


 
Maintenance
According to former users, the KW-7 was a reliable machine with very few electronic problems, and an extremely robust power supply unit (PSU). The only 'problems' that were frequently faced were broken contacts and wires on the plug-block, generally caused by (mis)handling them.
 
The other problem was caused by the only two (electro)mechanical components in the machine: the TTY relays. These relays are responsible for switching the line current ON and OFF in order to send digital data as a stream of 1s and 0s.

The relays are part of the TTY interface at the bottom of the machine. Getting access to them was quite a bit of work, as it involved removing the bottom panel, removing the TTY interface and finally removing the two relays. The image on the right shows the two relays mounted in a bracket that is part of the TTY sub-assembly.
  
Teleprinter relays

Although the relays were not easily accessible, and were not supposed to be dismantled, it would pay off to clean their contacts regularly in order to avoid data loss. At some point, a small device with a cathode ray tube (CRT) was introduced to test the relays. Whilst driving the relays with a multivibrator, the CRT was used to check the quality of the signal. Dirty contacts would appear on the screen as 'noise', indicating that the contact had to be cleaned. This was generally done with a piece of perforated tape, sprayed with contact cleaner, that was moved between the contacts.

On machines where the SEND button was permanently engaged by means of a rubber band or a BIC ballpoint cap, in order to keep it synchronised between data sessions, the problem of the relay contacts would appear more often, as these machines were continuously sending data.
 
Circuit boards
The KW-7 has 14 circuit boards or plug-in cards that are slotted from the top of the machine into a so-called backplane at the bottom. Each card is composed of a different arrangement of the FLYBALL modules shown above. Although the function of each board is currently unknown, there are unique markings on each of them, which we have listed in the table below. Any help with the identification of the cards and their function would be much appreciated. → contact us

The two cards that are closest to the front of the machine are the 1A1 and 1A2 boards. They are marked as confidential and should be removed in case of a compromise, but as the plugs of the plugboard are slotted directly into these cards they are difficult to remove. In the Pueblo Incident, these cards were left behind in the machine. According to the damage assessment, these boards contain the tetrahedral key combining logic and the Fibonacci shift register stages [8].
 
ID 1 PCB 2 Part No Cnf 3 Description
E-AJJ A2 0N007901 Plugboard, key combining logic, Fibonacci shift registers
E-AJK A1 0N007902 Plugboard, key combining logic, Fibonacci shift registers
E-AJL A4 0N007903 ?
E-AKM A3 0N007904 ?
E-AJN A6 0N007905 - ?
E-AJO A5 0N007906 Board with relay and diode
E-AJP A8 0N007907 - ?
E-AJQ A7 0N007908 - ?
E-AJR A10 0N007909 - ?
E-AJS A9 0N007910 - ?
E-AJT A12 0N007911 - ?
E-AJU A11 0N007912 - ?
E-AJV A14 0N007913 Board with 20/60 switch and 2 metal modules
E-AJW A13 0N007914 - ?
- A15 0N040927 - Backplane (bottom)
E-AJX - ? - PSU, 115/230V AC
E-AJY - ? - 1 MHz clock oscillator with oven
E-BAT - 0N142777 - TTY board (bottom)

 
  1. This is the ID number printed on the label, and beside the card slot.
  2. This is the number printed on the underside of the PCB.
  3. When ticked, this board is marked as CONFIDENTIAL.

Connections
All connections to the KW-7 are at the rear side of the machine. At present, most of the connections are unknown, but we hope to be able to complete the diagrams below in due course. Any help would be much appreciated. If you have additional information, please contact us. The pin-out is given when looking into the sockets from the rear of the machine.
 
AC Power   J1
  1. 220V AC
  2. GND
  3. n.c.
  4. 220V AC
    4-pin AC socket (male)
  
24V DC Power   J2
  1. +24V
  2. n.c.
  3. 0V
  4. n.c.
    4-pin DC socket (male)
  
Loop in 1   J3
Information about this socket is conflicting. According to some documents [F], the current loop is at pins C and D rather than pins B and C, but these documents show a different layout of the rear panel of the KW-7.
 
  A. GND
  B. Current loop (a) - via 270 ohm
  C. Current loop (b)
  D. n.c.
  E. n.c.
  F. n.c.
    6-pin TTY loop-in socket (male)
  
Loop in 2   J4
In most installations, a loop wire is installed between B and C.
 
  A. GND
  B. Current loop (a) - via 270 ohm
  C. Current loop (b)
  D. n.c.
  E. n.c.
  F. n.c.
    6-pin TTY loop-in socket (male)
  
Loop out 1   J7
Information about this socket is conflicting. According to some documents [F], the current loop is at pins C and D rather than pins B and C, but these documents show a different layout of the rear panel of the KW-7.
 
  A. GND
  B. Current loop (a)
  C. Current loop (b)
  D. n.c.
  E. n.c.
  F. n.c.
    6-pin TTY loop-out socket (female)
  
Loop out 2   J8
In most installations, a loop wire is installed between B and C.
 
  A. GND
  B. Current loop (a)
  C. Current loop (b)
  D. n.c.
  E. n.c.
  F. n.c.
    6-pin TTY loop-out socket (female)
  
TD Step   J5
  A. GND
  B. Step
  C. Step
  D. Bridge to E
  E. Bridge to D
  F. -
    6-pin TS STEP socket (female)
  
PTS   J6
  1. ?
  2. ?
  3. ?
  4. ?
  5. ?
  6. ?
    6-pin PTS socket (male)
  

 
Wanted items
We are still looking for the following items:
 
  • 32-wire cable for connection between KW-7 and the remote control unit (KWX-7).
  • Any documentation of the KW-7, such as the manuals marked in red below.
  • Stories about using the KW-7.
Documentation
  A. TM 11-5810-221-12P - Operator's and Organizational Maintenance Repair Parts and Special Tools Lists and Maintenance Allocation Chart:
    Communications Security Equipment TSEC/KW-7, TSEC/KW-7 with KWX-10/TSEC.
    NSN 5810-00-998-5760.

  B. KAO-83D - Operating Instructions for KW-7

  C. KAM-143B/TSEC - Repair and Maintenance Instructions for TSEC/KW-7
    Volume I - Description, Installation & Theory of Operation.

  D. KAM-144B/TSEC - Repair and Maintenance Instructions for TSEC/KW-7
    Volume II - Preventive Maintenance Troubleshooting and Diagrams.

  E. KAM-145C/TSEC - Repair and Maintenance Instructions for TSEC/KW-7
    Volume III - Illustrated Parts List.

  F. TSEC/KW-7 Installation requirements, cable diagram and connection details
    Technical Manual for Radio Communications and Teletype Equipment Installation by Forces Afloat. Navships 0967-306-1010. Section 6 - Security Equipment. Unclassified. 1

  G. TSEC/KW-7 Installation in a communications van
    Date unknown. 1

  1. Document retrieved October 2016 via Nick England. Reproduced here by kind permission.
    Note that this document shows a different layout of the connectors at the rear.

References
  1. Laura H. Heath, Analysis of Systematic Security Weaknesses of the US Navy...
    M.S., Georgia Institute of Technology, 2001. Fort Leavenworth, Kansas (USA), 2005. Thesis of Major Laura Heath, detailing how John Walker exploited weaknesses in the US Navy Broadcasting System between 1967 and 1974.

  2. Pete Earley, Family of Spies: The John Walker Jr. Spy Case
    TruTV website, crime library. Date unknown.

  3. Wikipedia, John Anthony Walker
    Retrieved November 2010.

  4. Wikipedia, Iranian Revolution
    Retrieved October 2013.

  5. Wikipedia, Iran hostage crisis
    Retrieved October 2013.

  6. Russ Kick, The Memory Hole (website)
    Author unknown. Retrieved October 2013 via WayBack Machine. 1

  7. Oleg Kalugin, Spymaster
    2008. ISBN 1-85685-101-X.

  8. NSA, USS Pueblo, AGER-2, Section V, Cryptographic Damage Assessment
    28 February 1968. 106 pages. 2

  9. Commander Bucher, The KW-7 and John Walker
    23 February 2001. Obtained from the USS Pueblo Veteran's Association.

  10. Pete Earley, Boris Solomatin Interview
    1995. Obtained from the USS Pueblo Veteran's Association.

  11. Jerry Proc and contributors, KW-7 (Orestes)
    Retrieved October 2013.

  12. David G. Boak, A History of U.S. Communications Security
    Fifth Lecture - KW-26, KW-37, CRIB, KW7. p. 50.
    Lectures, 1966. Revised July 1973. 3

  13. Wikipedia, Linear feedback shift register
    Retrieved May 2016.

  14. Anonymous contributor, Photograph of CRYPTO room at NAVCOMMSTA Stockton
    Retrieved May 2016 via Nick England. Reproduced here by kind permission.

  15. Global Security, Military Facility Stockton
    Retrieved May 2016.

  16. Jerry Kemp, Use of KW-7 at HQ PACAF
    US Pacific Air Force HQ 1990-1993. Personal correspondence.

  1. Website with lost US Government files obtained via the FOIA.
    Active from 10 July 2002 until June 2009. On-line again since June 2016.  Wikipedia
  2. Released by NSA on 14 September 2012, FOIA case 40722.
  3. Declassified by Interagency Security Classification Appeals Panel 14 October 2015.
    EO 13526, section 5.3(b)(3).

Crypto Museum. Created: Monday 09 May 2016. Last changed: Monday, 07 November 2016 - 16:36 CET.