Homepage
Crypto
Index
Glossary
Enigma
Hagelin
Fialka
Nema
AT&T
Datotek
Gretag
HELL
ITT
Motorola
Mils
OMI
Philips
Racal
Siemens
STK
Tadiran
Telsy
Teltron
Transvertex
TST
USA
USSR
UK
Yugoslavia
Voice
Hand
OTP
EMU
Mixers
Phones
FILL
Codebooks
Algorithms
Spy radio
Burst encoders
Intercept
Covert
Radio
PC
Telex
People
Agencies
Manufacturers
• • • Donate • • •
Kits
Shop
News
Events
Wanted
Contact
About
Links
   Logo (click for homepage)
KzU-63
Voice encryptor

The KzU-63 is a wide-band speech encryption device developed in the former Yugoslavia in 1985 and built by the Rudi Čajavec factory in Banja Luka (Bosnia and Herzegovina) to replace the less secure KzU-61 voice scrambler unit. It was used in combination with the RUP-12 and RU-2 VHF infantry radio by the Yugoslav National Army (JNA) [1]. It has a period of approx. 1060. The KzU-63 is also known as Digital Voice Protection module (DVP) and as NSN 3215-1083-15822.
 
The abbreviation KzU stands for Kripto-zaštitni Uređaj (crypto protective device). It is housed in an extruded aluminium enclosure that measures 30 x 15 x 7 cm and can easily be mounted aside the radio to which it is connected by means of a short U-shaped cable. Unlike its pre­decessor, the insecure KzU-61 voice scrambler, the KzU-63 offers secure - digital - voice encryption.

The image on the right shows a typical KzU-63 voice encryption unit. At least two variants are known to exist. The one shown here and one with the front panel texts printed upside down.
  
Front panel controls and connections

The KzU-63 was designed especially for use with radio stations that operate in the lower VHF band (30-90 MHz) with a channel spacing of 50 kHz. Such devices generally offer wide-band FM modulation, making them ideal for uncompressed voice/data encryption. In order to obtain the maximum bandwidth needed by the encryption device, the radio has to be able to bypass any input and output filters, which is the case for example with the RU-2/2K semi-portable radio.

The KzU-63 played an important role during the Yugoslav Wars (1991-2001) [3] in which they were used to protect certain important radio communication channels. It was thought to be unbreakable at the time [2]. A narrow band version of the KzU-63 is available as the KzU-64, which is suitable for narrow-band VHF/UHF FM radios, offering a data transfer rate of 9600 bps. Despite its high age (30+ years), the KzU-63 was still in use with the Serbian Army in 2015.
 
KzU-63 KzU-63 front view Front panel controls and connections Radio connection socket Handset connection socket Key selection (1 or 2) U-shape cable connected to the radio socket U-shape cable for connection to the radio

 
Controls
All controls and connections of the KzU-63 are at the front panel as show in the image below. The device is usually mounted aside or on top of the RU-2/2K wide-band VHF FM radio and is connected to it by means of a fixed U-shaped cable, via the socket marked RUP at the top right. The unit is powered by a 12V DC source, which is also supplied via the large RUP connector.

KzU-63 front panel controls and connections

A standard handset (speaker/microphone) is connected to the 7-pin socket at the bottom left. Although this is not the standard (US) U-299 connector, it is the same one that is used on many NATO devices throughout the last decades. An external FILL device is used to load the crypto­graphic keys into the device. Two Traffic Encryption Keys (TEKs) can be stored and a toggle switch at the bottom right is used to selection between them. At the top left is a three-position MODE-selector. The following settings are available:
 
  • O - Clear (otvoren)
  • Z - Encrypted (zastita)
  • R - Zeroise (resetovanje) press Activate
The meaning of each of these settings is currently unknown, so the above is an educated guess. If you know more about the operation of the KzU-63, please contact us.
 
Key loading
The KzU-63 offers true cryptographic protection by digitizing the speech and then using a self-synchronising stream cipher (autoclave) for the encryption. The stream cipher itself is purely built in hardware comprising a range of nonlinear feedback shift-registers in CMOS technology. The initial state of these registers is set by means of an external KEY or Initialisation Vector (IV).

The KEY consists of a (currently unknown) series of digits that are entered into the device by means of an external device (key loader) that is connected to the socket marked 'PU'. The device used for loading the keys into the KzU-63 (i.e. the fill gun) is the PK-1, which is house in a case that is similar to the one of the KzU-63 itself, with a keypad that can be extracted from the front panel, like the drawer of a desk. PK the abbreviation of Punjac Kljuceva (Key loader).

The PK-1 was modified twice. Once in 1991 when the war with Croatia started, and once more in 2006 after Montenegro declared independence. Two cryptographic keys can be stored in the KzU-63. Once loaded, the keys are retained by a small 3.6V Tadiran battery, mounted behind the front panel. The desired key is selected with the toggle switch (1 or 2). In 2015, both the KzU-63 and the PK-1 were still in use in Serbia. If you have more information, please contact us.
 
Variants ?
Apparently there are two variants of the KzU-63, or at least of its front panel. In addition to the one shown here, there is also a photograph circulating on the internet of a version on which all text on the front panel is printed upside down [1]. This image is shown here (click to enlarge):

It is uncertain however, whether this actually is a KzU-63. Apart from the front panel being orientated upside-down, it has a different socket for connection of the handset (marked SI rather than MTK) and the MODE-selector (which should be at the bottom right) seems to be missing.
  
Picture of a KzU-63 circulating on the internet. Is this really a KzU-63? Copyright Radista Website [1].

 
Interior
The KzU-63 is housed in a water-resistant extruded aluminium enclosure, consisting of a single-piece body that is open at one end only, and a front panel that holds the controls and connectors. The front panel is mounted at the open end of the enclosure and is held by 4 bolts at the corners.
 
After releasing the 4 recessed bolts from the corners of the front panel, the entire interior can be extracted from the case. The electronics are held inside an extruded aluminium frame that is mounted to the front panel. At the bottom is a small aluminium panel that secures the PCBs.

Inside the unit are three printed circuit boards that contain the modulator the demodulator and the cipher unit. A metal frame mounted to the front panel acts as the backplane for these PCBs. It can be removed without removing the PCBs first, so that the backup battery can be replaced.
  
Front panel assembly

The backup battery is mounted inside the frame of the front panel and is used for retaining the cryptographic keys. Removing the front panel, cuts the backup power to the PCBs and destroys the keys. The 3.6V AA-size Tadiran lithium battery was sufficient for many years of operation, which is why the wires are directly soldered to it. The battery was probably never swapped during the lifetime of the device. The one shown here was installed in 1989 and still has 3.6V (in 2015).
 
Considering the age of the device, the circuits are surprisingly modern and well-designed. The KzU-63 consists of three eurocard-size PCBs (10 x 16 cm) with a single-row DIN connector at one of the short sides. These DIN connectors are slotted directly into one of the three sockets that form the backplane which connects the boards to each other and to the front panel controls.

The upper PCB is the logic board and contains a wide variety of CMOS logic chips. The lower board is the (de)modulator which contains a mixture of analogue and digital components.
  
PCB 3 (lower board) Crystal

The middle board contains the actual cipher unit that is built around seven MC14557 chips, each of which is a 1-64 bit variable length shift register [4]. Together they form a complex network of configurable Non-Linear Shift Registers (NLFSRs), which are known to be more resistant to crypt­analytic attacks than Linear Feedback Shift Registers (LFSRs) [5]. The configuration and the initial state of the NLFSRs it determined by the cryptographic Key, which is why the Key is also known as the Initialisation Vector (IV). A similar approach is used, for example, in the Philips Spendex 10.
 
Removing the KzU-63 from its aluminium enclosure KzU-63 removed from its case Front panel removed from the electronics PCB retaining panel removed Front panel assembly Front panel assembly Backplane slots at the rear of the front panel Backup battery
Disassembled KzU-63 unti Three PCBs inside the KzU-63 PCB 1 (upper board) PCB 2 (middle board) PCB 3 (lower board) PCB 2 (middle board) detail PCB 3 (lower board) detail PCB 3 (lower board) Crystal

The block diagram below should explain the operation of the KzU-63. The upper half shows the receiving audio path, whilst the lower half represents the transmission path. The Crypto Logic is at the center. It is a symmetric stream cipher that is used for both encryption and decryption. In the transmission path, audio from the microphone is converted into a single-bit data stream with a so-called Delta Modulator. The Crypto Logic changes this data stream into an encrypted one which is then fed directly to the transmitter, bypassing any audio filtering in the transmitter.


When receiving, the unfiltered output from the demodulator is reshaped, so that a nice digital pulse-train is obtained. This data stream is then led through the Crypto Logic which converts it back into the original unencrypted stream. A Delta Demodulator is now used to convert the single-bit data stream into analogue audio again, which is passed to the speaker at the top right.

This method of adding encryption and decryption to an existing transceiver, can only work if the standard audio filtering in the receiver and transmitter is bypassed. For this reason, some radios used to have a so-called X-switch. In the RU-2 radio, such a switch was not present, which is why a special socket was added on the RU-2/2K, making it suitable for use with the KzU-63.

RU-2/2K with KzU-63 voice encryption unit


 
RUP-12 radio system
The RUP-12 was a solid state (i.e. built with transistors) VHF transceiver (30-70 MHz) that was built in 1966 by the Rudi Čajavec company in Banja Luka. It replaced the old valve-based RUP-1 and RUP-2 radios, which were actually Yugoslav copies of the American BC-1000 (which was supplied as military aid by the Americans in the period following WWII).
 
RU-2 radio system
The RU-2 radio was a family of low-band VHF transceivers (30-70 MHz), that were intended for communication between infantry companies and battalions. In practice however, it became the 'work horse' for the entire Yugoslav National Army (JNA) from the 1980s well into the 1990s.

There are three known variants of the RU-2, of which only the last one, the RU-2/2K, is suitable for connection of the KzU-63 voce encryptor.

 More information
  
RU-2/2K with KzU-63 voice encryptor connected

 
Connections
The image below shows the 6-pin male socket marked PU on the front panel. It is used for the connection of a KEY FILL device, but the wiring and protocol are currently unknown. The colours of the internal wiring are given when looking into the socket from the front panel of the device.


Connector PU - Fill Device


The drawing below shows the wiring of the 7-pin socket marked MTK at the bottom left. It is used for the connection of a handset, headset or another microphone/speaker combination. The colours are of the internal wiring when looking into the socket from the front panel of the device.


Connector MTK - Handset


The drawing below shows the identification of the pins of the socket marked RUP. It is used for connection to the RU-2/2K radio set and provides access to the unfiltered audio signals of the transmitter and the receiver. It also supplied 12V DC to the KzU-63. Wiring currently unknown.


Connector RUP - Radio

 
References
  1. Radista, VHF Radio RU-2 / 2K
    Website. Retrieved April 2015.

  2. Nedo Blagojevic, Witness account about the use of communications equipment
    Former Chief of Communications of the Army of the Republika Srpska (1992-1997).
    International Criminal Tribunal for the Former Yugoslavia. Case IT-05-88-T.
    Prosecutor versus Vujadin Popovic et al. 17 June 2008 (Transcript).

  3. Wikipedia, Yugoslav Wars
    Retrieved April 2015.

  4. ON Semiconductor, MC14557 Datasheet
    1-to-64 Bit Variable Length Shift Register. June 2011, Rev. 6.

  5. Wikipedia, Nonlinear feedback shift register
    Retrieved, April 2015.

Further information

Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
Crypto Museum. Last changed: Tuesday, 22 September 2015 - 16:01 CET.
Click for homepage