Click for homepage
National Security Agency

The US National Security Agency (NSA) is the cryptologic intelligence and security agency of the United States Government, based in Fort Meade (Maryland, USA). The NSA is part of the American Department of Defence (DoD) and is responsible for the collection (interception) and analysis of foreign communications and foreign signals intelligence (signals intelligence and cryptanalysis).

source: wikipedia

The NSA is also responsible for the protection of US government communication and information systems against evesdropping by similar agencies from other nations. For this, the NSA has (co) developed a range of cryptographic algorithms and encryption devices. Most of these products were initially developed for use by the US military and the US government, but some have been made available to restricted commercial users as well – often as commercial off-the-shelf (COTS) products via a range of suppliers – and also to the governments of allied and friendly nations.

Below is a non-exhaustive overview of the various types of encryption products developed and/or endorsed by the NSA. As most of the NSA's work is classified, there may be omissions or errors. The information below is based on publicly available information about NSA products, algorithms and protocols. We also show the evolution of the NSA encryption products, along with examples of devices that contain NSA algorithms. Finally, we show cases in which the NSA has intervened in order to create a so-called backdoor. If you find any omissions or mistakes, please let us know.

NSA devices on this website
HY-2 narrow-band secure voice system (with KG-13 key generator)
Secure Telehone Unit STU-I (KY-70)
Secure Telephone Unit
Secure Telephone Unit
Secure Terminal Equipment
vIPer Universal Secure Phone
KL-7 rotor-based cipher machine (USA)
TSEC/KW-7 (Orestes)
Online TTY cipher machine KW-9
KG-13 key generator
KW-26 (Romulus) cipher machine
KG-81 digital high-speed trunk encryption device
KG-84 data encryptor
Key Storage Device KSD-64 (and others)
Fortezza Crypto Card
Enhanced Crypto Card
Functional electronic circuits
NSA-developed covert listening devices (bugs)
NSA operations on this website
Gentleman's Agreement between Hagelin (Crypto AG) and Friedman (NSA)
Operation RUBICON (THESAURUS) - the secret purchase of Crypto AG
Known NSA-friendly backdoors
Hand-held consumer communication terminal with crypto facilities
Short-Burst Message Terminal with encryption (Modified Nokia SANLA)
Short-Burst Message Terminal with encryption (Modified Nokia PARSA)
CX-52 with removable wheels and irregular stepping
H-460, the first electronic Hagelin cipher machine based on shift-registers
HC-520 CRYPTOMATIC portable off-line cipher machine
Hagelin CSE-280 voice encryption device
Crypto AG (Hagelin) bulk encryption device
 What is a backdoor?

The NSA headquarters is located at Fort Meade in Maryland (USA), just north-east of Washington DC. As part of its Center for Cryptologic History, the agency has its own museum, known as the National Cryptologic Museum (NCM), just outside the main gates. NCM is open to the public, and serves as the agency's principal public gateway. It has a fine collection of cryptographic artefacts.

NSA headquarters in For Meade (Maryland, USA)

The NSA headquarters in Fort Meade (Maryland, USA) [2]

Cryptologic history
The cryptologic history of the NSA is layed out in several (internal) publications that have been written over the years by NSA historians. In recent years, the NSA has (partly) declassified some of these publications, in particular the ones regarding WWII, the Cold War and some other historical events. These documents are available for download from the NSA website [1].

 Visit the NSA website

NSA Product Types   depricated
In the past, the NSA used to rank cryptographic products and algorithms by a certification known as Product Types, ranging from Type 1 to Type 4. The lower the number, the higher the security level. For example Type 1 products were for use by the US government for TOP SECRET material [3]. This classification is now depricated [5]. The following Product Types are known:

  1. Classified or sensitive US Government information - TOP SECRET
    This includes algorithms such as AES(256), BATON, FIREFLY, HAVEQUICK, and SAVILLE, tused in products like STU-II, STU-III and many military communication products, like KG-84, KIV-7, KY-57 and KY-99. Type 1 products were only used by the US Government, their contractors, and federally sponsored non-US Government activities, in accordance with the International Traffic in Arms Regulations (ITAR). Type 1 algorithms were also used by NATO and by the administrations of some NATO countries.  More 

  2. National Security Information
    Includes products like CORDOBA, KEA and SKIPJACK used in equipment like the Cypris cypto chip and the Fortezza (Plus) crypto cards. It was used for sensitive national security information. The equipment is unclassified, but the algorithms and keys are. Type 2 products are subject to International Traffic in Arms Regulations (ITAR).  More 

  3. Unclassified sensitive US Government or commercial information
    Also known as Sensitive, But Unclassified (SBU); used on non-national security systems. Approved (unclassified) algorithms include DES, Tripple DES 1 , AES, DSA and SHA. A good example of a Type 3 product is the CVAS III secure phone.  More 

  4. Unevaluated commercial cryptographic equipment
    The algorithms have been registered with NIST but are not Federal Information Processing Standard (FIPS). They may not be used for classified information and are not intended for use by the US Government. A good example is the Motorola SECTEL 9600.
  1. DES has meanwhile been withdrawn as an official FIPS standard.

Type 1 algorithms
  • AES 256
  • Mark XII IFF
Type 2 algorithms
Type 3 algorithms
  • DES
  • AES
  • DSA
  • SHA
Type 4 algorithms
Another way of categorizing the encryption systems developed by or on behalf of the NSA, is by looking at the evolution of their development. This can be divided into several generations that are listed below. More detailed information is available on Wikipedia [4].

  1. Electro-mechanical
    One of the first NSA products to be developed after WWII was the KL-7. It was introduced in the 1950s and was partly based on the war-time SIGABA. The KL-7 was used by the US Military and its NATO allies. The daily keys were distributed on paper key lists.

  2. Vacuum tubes
    In the 1960s and 1970s, electronic cipher machines with vacuum tubes (valves) were developed. Punched cards were used for key distribution. Some of these systems remained in use until the mid-1980s. An example of a cipher machine based on vacuum tubes is the KW-26 of the US Navy.

  3. Integrated Circuits (ICs)
    The next generation was developed during the 1980s and was based on transistor logic, using integrated circuits (ICs). This made devices significantly smaller and allowed for faster and stronger cryptographic algorithms. Keys were loaded through a standardized connector at the front panel of each device. Initially they were distributed on punched paper tape that was pulled though a reader (e.g. the KOI-18) but these were eventually replaced by electronic devices such as the KYK-13.

  4. Electronic Key Distribution
    During the 1990s, more modern (commercial) electronics were introduced. This allowed even smaller systems to be developed and introduced electronic methods for key distribution. At this stage, the electronic security token or Crypto Ignition Key (CIK) was introduced, protecting the electronically stored keys and allowing for easier key distribution. An example of a CIK is the KSD-64 that was developed by the NSA for products like the STU-III and STU-II/B. Traffic Encryption Keys (TEKs) were distributed with a new generation of electronic Data Transfer Devices (DTD) such as the AN/CYZ-10.

  5. Network-centric systems
    From 2000 onwards, communication is increasingly based on digital computer networks, such as the internet. The NSA has developed an interoperable standard, called HAIPE, to allow government, agencies and others to securely exchange data over unsecure networks and satellite links. An example of such a product is the KIV-7 family of embeddable KG-84 encryption devices.
Transfer protocols
Over the years, the NSA has developed and endorsed a common standard for transferring keys (and other material) from a key distribution center (KDC) to a supporting radio or encryption device, by means of an external FILL or transfer device. Two versions of this standard are known:

  • DS-101 — EKMS 603
    This is the most recent transfer protocol that is used with the current generation of FILL devices, radio sets and encryption equipment. It superceedes DS-102 and can be used for transferring crypto keys, frequency hopping data, software updates, etc.  More

  • DS-102 — EKMS 608
    This is a synchronous serial protocol that was used with the first generation of Key Fill Devices, such as the KYK-13. It is the predecessor of the DS-101 protocol, and can be used for the distribution of key material and frequency hopping tables.  More
Algorithm Suites
  • Suite A
    Unpublished NSA algorithms intended for highly sensitive communication and critical authentication systems. Generally used in combination with Type 1 and 2 equipment.

  • Suite B
    NSA endorsed cryptographic algorithms for use as an interoperable base for both unclassified and most-classified information. Introduced on 16 February 2005.
Although most of the NSA's work on encryption is secret, some information has been published in the past, either as part of the NSA's participation in standards processes, or after an algorithm has been declassified. Below is an (incomplete) overview of NSA-developed approved algorithms.

Type 1
    Cryptographic algorithm used in products like AIM, SafeXcel-3340 and PSIAM.

  • AES (256)
    256-bit block cipher algorithm, used in numerous products. Specified in FIPS 197.

    Block cipher algorithm, used with products like PKCS#11, CDSA/CSSM, AIM, Cypris, APCO Project 25, MYK-85, Fortezza Plus, SecNet-11, Sierra, SafeXcel-3340, PSIAM and the Philips GCD-Φ.

    NSA-developed cooperative key generation scheme, used for exchanging EKMS public keys. Used in products like AIM, SafeXcel-3340, PSIAM, STU-III, STE and SCIP.

    Interoperability Specification (IS) for the High Assurance Internet Protocol Encryptor (HAIPE). Based on Internet Protocol Security (IPsec), with additional restrictions and enhancements. Used in products like KOV-26 (Talon), KIV-7M, KG-175 (TACLANE), KG-240A, KG-245, KG-250 and KG-255.

    Frequency Hopping System used for ECCM. Implemented in the Cypris crypto chip.

    Joint development of GCHQ (UK) and NSA (USA). Used for narrowband voice and data encryption in radio and telephone communication. Used in products like AIM, CYPRIS, WINDSTER, INDICTOR, VINSON (KY-57), Spendex 40, Spendex 50 and Cougar radios. Also used for data encryption in products like KG-84 and KIV-7  More

    Used for TTY broadcasts to submarines by AIM (2004).

    High-speed link encryption. Used in products like KG-81, KG-94, KG-194, KG-95 and AIM (2004). Generally used for Trunk Encryption Devices (TED).  More

    Cryptographic algorithm used in products like Cypris (2 modes), Windster and INDICTOR.

    Cryptographic algorithm used in SafeXcel-3340.
Type 2
    Cryptographic algorithm used in NSA-developed crypto chips, such as Cypris, Windster and Indictor.

  • KEA
    Asymmetric-key algorithm used in products like Fortezza, Fortezza Plus and the Palladium Secure Modem. KEA was declassified by the NSA on 24 June 1998.  More...

    Block cipher algorithm used in products like Fortezza, Fortezza Plus and the Palladium Secure Modem. It was also used in the so-called Clipper Chip that was featured in products like the AT&T TSD-3600 telephone encryptor. The Skipjack algorithm was declassified by the NSA on 24 June 1998.
Type 3
  • DES - Data Encryption Standard
    Block cipher. Used in many NSA Type 3 products, such as the Motorola SECTEL 2500 (in Type 3 mode). Specified in FIPS 46-3 and withdrawn in 2004.

  • AES - Advanced Encryption Standard
    Block cipher. Specified in FIPS 197 and released in 2001.

  • DSA - Digital Signature Algorithm
    Used for digital signatures. Specified in FIPS 186.

  • SHA - Secure Hash Algorithm
    Cryptographic hash function. Specified in FIPS 180-2.
The following (non-exhaustive) list shows which products are believed to have been (partly) developed by or for the NSA. Some of these products are covered on this website.

Equipment with an NSA-friendly backdoor

Although NSA does not publish information about its methods or targets, it is known that in the past the agency has regularly tried to covertly get access to classified information by weakening or replacing encryption algorithms, or by persuading other parties to do so on their behalf. This is commonly known as a backdoor. Below are documented cases that were initiated by the NSA.

Clipper chip   Key Escrow

In the early 1990s, NSA attempted to control the availability of strong encryption to the general public, by developeding a special chip that was intended for the implementation in secure voice equipment. It required users to give the crypto­graphic keys in escrow to the government.

The device used the Skipjack algorithm, but was was not embraced by the public. Furthermore it appreared to be seriously flawed, as a result of which it was already defunct by 1996.

 More information


Philips PX-1000
PX-1000 was a small pocket terminal, developed around 1980 by Text-Lite in the Netherlands and marketed worldwide by Philips. Messages were encrypted with DES and could be sent over a regular telephone line via the built-in modem.

In 1983, the NSA expressed its concern about the availability of DES to the general public — in an affordable consumer device — and persuaded Philips to implement an alternative stream cipher that they (the NSA) had developed. This NSA-supplied algorithm has since been broken.

 More information
 NSA algorithm broken


Philips UA-8295   Nokia Sanla
Around 1983, the Finnish company Nokia produced the SANLA message terminal for the Finnish Ministry of Defence. It used Data Encryption Standard (DES) and was able to send text-based messages at high speed (burst).

To prevent the use of DES outside NATO, the NSA asked the Dutch company Philips Usfa to sell the device under its own brand, using an NSA-developed drop-in replacement for DES.

 More information

Philips UA-8296   Nokia Parsa
Around 1983, the Finnish company Nokia produced the PARSA message terminal for the Finnish Ministry of Defence. It used Data Encryption Standard (DES) and was able to send text-based messages at high speed (burst).

To prevent the use of DES outside NATO, the NSA asked the Dutch company Philips Usfa to sell the device under its own brand, using an NSA-developed drop-in replacement for DES.

 More information

The Gentleman's Agreement
During WWII, the Swede Boris Hagelin became a rich man by selling the M-209 cipher machine to the US Army. After the war, it was frequently speculated that the equipment sold by his company – Crypto AG – contained backdoors.

It has since became known that there was indeed a so-called Gentleman's Agreement between Hagelin and the NSA from 1952 to 1970.

 The Gentleman's Agreement


Operation Rubicon
From the mid-1960s on, when the Swiss firm Crypto AG (Hagelin) made the move from mechanical to electronic cipher machines, the NSA designed some of their cryptologics.

Eventually, when Crypto AG was bought in 1970 by the CIA and its German counterpart the BND, the NSA had full control over the readability of the equipment. This project – internally known as Operation RUBICON – lasted until 2018.

 More information

Tailored Access Operations · TAO
The Office of Tailored Access Operations (TAO) is a cyber-warfare intelligence gathering unit of the NSA. The unit is active since approx. 1998 and identifies, monitors, infiltrates and gathers information from target computer systems, using a wide variety of hardware and software tools.

The hardware and software tools that are used to eavesdrop on target computers, on offices and on private homes — sometimes referred to as the NSA toolbox — are developed by the NSA's Advanced Network Technology division (ANT), sometimes in cooperation with the British GCHQ, and are listed in the ANT product catalog.

An good example of an ANT bugging tool, is the LOUDAUTO audio bug shown on the right, that was developed around 2007. Although it was supposed to be secret until 2032, it was publicly disclosed in 2013 by an unknown party. 1

The ANT Product Catalog reveals some technical details of approx. 50 devices and software products that illustrate the state-of-the-art at the NSA around 2008 - 2009. Most (if not all) products are made from Commercial Off-The-Shelf (COTS) components, as a result of which the clandestine devices can not be attributed to the NSA when they are accidentally discovered.

 ANT Product Catalog

  1. Leaking of the ANT Product Catalog is often attributed to NSA whistleblower Edward Snowden, but that was not the case.

  1. European Axis Signal Intelligence in WWII - in nine volumes
    NSA (see below), 1 May 1946. TOP SECRET CREAM. 1

  2. David G. Boak, A History of U.S. Communications Security
    Lectures, 1966. Revised July 1973. 2

  3. David G. Boak, A History of U.S. Communications, Volume II Security
    Lectures, July 1981. 3

  4. Ed Fitzgerald, A History of US Communications Security Post WWII
    NSA, undated. Obtained via the Government Attic.

  5. NSA, Field Generation and Over-the-Air Distribution of COMSEC key... support of Tactical Operations and Excercises. Handling Instructions.
    NAG-16F. May 2001. Unclassified (U) — For Official Use Only (FOUO).
European Axis Signal Intelligence in WWII 1
  1. Synopsis
  2. Notes on German High Level Cryptography and Cryptanalysis
  3. The Signal Intelligence Agency of the Supreme Command, Armed Forces
  4. The Signal Intelligence Service of the Army High Command
  5. The German Air Force Signal Intelligence Service
  6. The Foreign Office Cryptanalytic Section
  7. Goering's 'Research' Bureau
  8. Miscellaneous
  9. German Traffic Analysis of Russian Communications
  1. Declassified and approved for release by NSA on 1 June 2009. EO 12958, Declass 58017.
  2. Declassified by Interagency Security Classification Appeals Panel, 14 October 2015.
    EO 13526, section 5.3(b)(3).
  3. Declassified by NSA 11 December 2008. EO 12958.

  1. National Security Agency (NSA), Cryptologic Histories
    NSA website. Downloadable documents. Retrieved February 2013.

  2. Wikimedia Commons, Photograph of NSA headquarters in Fort Meade, Maryland, USA
    Obtained from NSA website. Retrieved August 2013.

  3. Wikipedia, NSA cryptography
    Retrieved February 2013.

  4. Wikipedia, NSA encryption systems
    Retrieved February 2013.

  5. Wikipedia, NSA product types
    Retrieved February 2013, last visited 14 January 2023.
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Sunday 12 August 2012. Last changed: Tuesday, 14 May 2024 - 08:04 CET.
Click for homepage