|
|
|
|
The portable device is housed in an
aluminium Halliburton transport case,
with a grey plastic carrying handle at center of
the top lid. Controls and connections are located behind the
top lid, as shown in the image on the right, with a red handset prominently
visible at the lower edge.
The DV-505 features a 5-band
frequency-and-time-domain scrambler (F/T)
with a continuously changing rolling code key generator 1 that has
two million key combinations per key-family. In addition 16,000,000
key families are available, selectable by means of an internal module [3].
|
|
|
The key generator has a very long cryptographic period 2 and is based
on multiple non-linear feedback shift registers 3 (NLFSR). As a result,
it is very difficult to predict its sequence. When used in combination
with a real digital voice encryption system, it would have been very
difficult to break the cipher. Voice scramblers however, are inherently
insecure, as the transmitted signal consists of a series of short
(transposed) audio samples that still bear the properties of human speech.
As a result, voice scramblers offer very limited security and
were never very popular.
The advantage of a voice scrambler is that it does not use more bandwidth
than the plain text voice channel, which means that it can be used with
existing narrow band equipment, such as a short wave radio set.
A similar and compatible device, known as the DV-505ATR, was available for
airborne applications.
Many third world countries in Africa and South America, used voice scramblers
like the DV-505 for many years, often advised and subsidised by the
American Government. Needless to say that such systems were easily broken
by the American agencies.
|
 |
-
The key generator is identical to the one used in Datotek's teleprinter
encryption device DC-105. Its operation is described in
US Patent 3,781,473 by George Goode and Kenneth
Branscome of Datotek.
-
A long cryptographic period means that it takes a long time before
the key sequence repeats itself.
-
The use of multiple Feedback Shift Registers (FSR) with non-linear
combining logic (NLFSR) in encryption systems and key generators,
was very common, even in 1974, and was used by many other manufacturers
well before it was claimed by Datotek in
US Patent 3,781,473.
|
PLEASE HELP —
At present, no further information about the DV-505 is available to
us. As the company (Datotek) no longer exists, it is very difficult
to find information about them or any of their products.
If you can provide additional information, please contact us.
Also, if you have the operator's manual of the DV-505, we would like
to hear from you. We are currently looking for
several missing items.
The diagram below shows the front panel of the DV-505, which holds the
controls, a red handset and all connections.
Power and communication lines (e.g. telephone
or radio) are connected to the two military sockets at the top centre.
The unit is switched ON with the power switch at the left centre.
A valid encryption KEY should be installed in the (locked)
KEY compartment at the left.
Once a connection is establed (externally), the handset is lifted from the
cable and the parties can begin their conversation.
In half-duplex mode (e.g. when using a
two-way shortwave radio), the
push-to-talk switch (PTT) in the handset's grip
is used to toggle between transmit and receive. If necessary,
the built-in speaker can be turned ON to allow others to listen to the
conversation as well. Once the conversation is started (in clear), the
CLEAR/PRIVATE
switch at the right is placed in the PVT
position in order to enable the scrambler, whilst a red LED
indicates a 'safe' channel.
|
DV-505 Standard version (shown above) DV-505R Rackmount version DV-505ATR Aircraft version
|
Although all DV-505 units are more or less identical, there are some
small (cosmetic) manufacturing differences [5]. The following variations
have been recorded:
|
- Front panel language (English or Spanish)
- Speaker and fan cover (aluminium panel or perforated grid)
- Datotek badge (Dallas Texas USA, or Buenos Aires Argentina)
- Portable or rackmount
|
The DV-505 features a five-band
frequency and time (F/T) domain voice scrambler.
For the time domain this means that speech is sampled and stored in a
temporary memory, which is divided into a finite number of time
segments that are then mixed (scrambled) in an ever changing order.
|
Furthermore, the audio signal is split into five sharply-separated frequency
bands, that are also mixed in an ever changing order. The order in which
the frequency and time components are mixed, is determined by an
internal generator that produces a pseudo-random KEY stream.
The KEY-generator is initialised by means of 7 thumbwheel switches that are
hidden behind a locked panel at the bottom left of the control panel. Each of
the thumbwheels can be set from 0 to 7, giving a total of 2,097,152
combinations for each of the 16 million possible key families. 1
|
|
|
The 8th thumbwheel at the far right has three settings (A-C). The function
of this setting is currently unknown.
The oval hole below the thumbwheels — used to accomodate the lock —
gives access to a recessed AC voltage selector, that offers a choice
between 115V and 250V AC.
Note the tamper switch that is located to the right of the oval hole.
Opening the compartment whilst the system is in use, is detected by this
switch and will abort abort the current session.
|
-
Each device has a single fixed key family, which is determined by an
internally installed module.
|
According to Wayne Madsen in his book National Security Agency Surveillance [2],
the DV-505 was used by the Argentine
Armed Forces at the time of the Falklands War in 1982 [6]. The system was
reportedly broken by GCHQ —
the British Intelligence Service — probably with help from the US
National Security Agency (NSA).
Recent research however, has meanwhile revealed that it was not
the United States but The Netherlands who helped GCHQ break the Argentine ciphers [7].
In his book [2] Madsen suggests that the NSA had made a secret deal with
manufacturer Datotek,
similar to the deal
they made with Swiss crypto manufacturer
Boris Hagelin/Crypto AG.
The latter offered the NSA a way in by means of a built-in
weakness of the cryptographic algorithm. Such a weakness is also
known as a backdoor.
Although it is perfectly possible that Datotek provided the NSA
with a hidden backdoor, it seems very unlikely in this case. The DV-505
is 'just' a 5-band rolling-code voice scrambler
which, like any voice scrambler system,
is inherently insecure.
|
Voice scramblers are known to have been broken with simple methods
as early as WWII, by the Allied codebreakers as well as by the Germans.
In 1974, GCHQ was perfectly capable of breaking a voice scrambler like the
DV-505 on its own, without help from the NSA or the manufacturer.
During the Falklands War, the Argentine Army also used equipment from
Swiss manufactuer Crypto AG (Hagelin),
such as the HC-520 and HC-570,
both of which contained a backdoor that had been inserted by the
actual company owners (CIA/BND) as part of
Operation RUBICON.
|
|
|
After the Argentines had lost the war, they discovered that the British
had been reading their ciphers and demanded an explanation from
Crypto AG. But when the company's expert
visited Argentina, he discovered that they had also been using
the Datotek DV-505 analogue voice scrambler,
and suggested that – being inherently insecure – it was certain that the
British had broken these, rather than the HC-520.
The Argentines accepted the explanation and kept using (backdoored)
equipment from Crypto AG
for many more years.
➤ More about Operation RUBICON
|
The DV-505 is housed in a typical Halliburton aluminium transport case
of the 1970s, and is extremely heavy. With 19 kg, it can hardly be called
a portable device. Nevertheless, it was transportable and was intended for
field use, with a special variant available for airborne use.
|
The device consists of a heavy metal frame with and integrated control panel,
that is located behind the top lid of the carrying case. The interior of
the device can only be accessed by unscrewing the two multi-turn tubular
locks at each of the short sides of the control panel.
Once the two locks are removed, the front panel — with the entire chassis —
can be lifted from the aluminium case. The chassis holds a heavy power supply
unit (PSU) that is mounted at the left side, as shown in the image on the right.
It is built around two heavy 115/250V transformers.
|
|
|
The PSU occupies about a quarter of the available space, whilst the center
half of the chassis holds 8 large PCBs that can be removed from the rear.
The right quarter of the chassis holds eight metal enclosures,
each of which probably contains a highly accurate audio filter.
|
When we received the DV-505, it was in excellent condition.
But when cleaning the device, we discovered some minor issues that needed
fixing. Although we are determined to restore every item in our collection
to working condition, this is not yet possible for the DV-505, as the
mains wiring can not be traced. The cable is missing and the
socket is embedded in a metal enclosure.
|
On the front panel, the speaker ON/OFF switch was broken, and the coloured
text of the CLEAR PRIVATE
selector had faded, up to the point when the green
letters PVT were
hardly readable.
The image on the right shows the affected part of the front panel
after restoration. The speaker switch has been replaced by an identical one
and the engraved letters have been repainted here.
However, replacing the switch required access to the interior of the unit,
which was not possible because the chassis was locked in the aluminium
carrying case and the original keys were missing.
|
|
|
As drilling the locks out was not considered an option, we called in the
help of our good friend and lock-picker Walter Belgers, who opened
both chassis locks in less than an hour.
Once the case was unlocked,
we were able to replace the speaker switch.
The lid over the KEY-setting switches
was also locked with a tubular lock, but this one offered far more resistance.
It is likely to be a more secure variant, probably featuring mushroom
shaped pins. We have not yet been able to pick this lock, but with a
trick we were able to remove it from the rear of the front panel.
|
- Exterior cleaned
- Speaker ON/OFF switch replaced
- PVT/CLEAR switch lettering restored
- Both case locks picked by lockpicker
- All three tubular locks replaced
|
- Manual (user instructions)
- Service documentation
- Sales brochures
- Power cable
- Interface cable
|
The mains power (115V AC or 250V AC) should be connected to the military
10-pin male receptacle at the front panel.
At present, the wiring of this socket is unknown.
|
A military 26-pin female receptacle is available on the front panel
for connection to the line, telephone or radio.
At present, the wiring of this socket is unknown.
|
A ? B ? C ? D ? E ? F ? G ? H ? J ? K ? L ? M ? N ? P ? Q ? R ? S ? T ? U ? V ? W ? X ? Y ? Z ? a ? b ?
|
According to the model/serial number tag on one of the surviving
Datotek DV-505 units, the following US patents are applicable to
this device:
|
In particular the first patent (US 3,781,473)
is an interesting one, as it describes the use of multiple
non-linear feedback shift registers (NLFSR), which were already
used in abundance by other many crypto manufacturers at the time.
It would therefore be invalid due to prior art.
|
- Richard P., Datotek DV-505 - THANKS !
Received November 2017.
- Wayne Madsen, National Security Agency Surveillance
Reflections and Revelations 2001-2013.
2013. ISBN: 978-1-304-27213-3. Page 46.
- George Sugar, Voice Privacy Equipment for Law Enforcement Communication Systems
US Department of Justice. LESP-RPT-0204.00. May 1974. Page 16.
- The Australian Computer Journal, Datotek Data and Voice Security Systems
Volume 7, No. 2, July 1975. Page v.
- Jerry Proc and contributors, Datotek DV-505
Retrieved October 2017.
- Wikipedia, Falklands War
Retrieved January 2020.
- Paul Reuvers and Marc Simons, Operation RUBICON
Crypto Museum, February 2020.
|
|
|
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Saturday 04 November 2017. Last changed: Saturday, 21 May 2022 - 15:48 CET.
|
 |
|
|
|