Homepage
Crypto
Index
Enigma
Hagelin
Fialka
Siemens
Philips
Nema
Racal
Motorola
STK
Transvertex
Gretag
HELL
Telsy
TST
Mils
AT&T
Tadiran
USA
USSR
UK
Voice
Hand
Mixers
Phones
Spy sets
Burst encoders
Intercept
Covert
Radio
PC
Telex
Agencies
Manufacturers
Donate
Kits
Shop
News
Events
Wanted
Contact
About
Links
Logo (click for homepage)
Spendex-40 (UA 8251)
Military-grade secure phone

Spendex 40 was a secure narrow-band crypto phone, developed by Philips Usfa around 1980. It allowed secure transmission of voice, fax and computer data over standard telephone lines, using the high-grade GCHQ/NSA-developed SAVILLE crypto-algorithm. It was used by NATO, the Dutch Army, the Dutch Government and the Dutch PTT (now KPN), until it became obsolete in the 2000s. Within NATO, the Spendex-40 is known as the Spendex 40 M, NBSV-45 [4], or by the factory designator UA-8251. As of 2009 approval for Spendex 40 has been withdrawn [1].
 
Spendex 40 was the first product developed outside the USA that implemented the highly secret SAVILLE algorithm and that was inter-operable with the NSA's military STU-II.

The image on the right shows a typical Spendex-40 unit. It is housed in a robust military-grade die-cast aluminium case that is completely TEMPEST-proof. The handset is placed on top of the unit and connects to the telephone with a metal DIN connector on the left. Just below that connector is a 25-way D-type connector for the connection of an external fax unit or computer. 		  
Spendex 40 Crypto Phone

At the rear of the unit are the connections for mains power and the telephone line (9-pin sub-D). Also present at the rear is a 25-way sub-D for the connection of an external analog modem that can be used instead of the internal one. A backup battery, used to retain the current keys, is hidden behind a small panel at the right. Spendex 40 was gradually phased out in the 2000s.
 
Spendex 40 Crypto Phone Spendex 40 with the handset off-hook Connections at the left: handset and printer/fax Pressing the ZEROIZE button Spendex 40 with Philips UP-2001 key filler After switching on, the Spendex 40 performs a self-test Rear view of Spendex 40 Long telephone cable for connection to the PTT

 
Operation
Spendex 40 is connected permanently to the mains and to a standard 2-wire analogue PSTN telephone line. Optionally it was also suitable for connection to a 4-wire line. Basic operation of the unit is rather straightforward and is comparable to using a standard telephone set.
 
Lifting the handset activates the unit and connects it to the line or PABX. Telephone numbers are entered on the black keypad, located on the bottom right. When dialling the number, it is displayed on the red 8-digit numerical LED display, just above the keypad.

When the connection with the required party has been established, the conversation is started en clair (clear speech). When it is agreed to switch to encrypted mode (go secure) one of the party presses the SECURE button. After an initial delay of approx. 10 seconds the connection is secure. 		  
Spendex 40 with the handset off-hook

The SECURE button is located to the left of the keypad. It can be used to toggle between SECURE and PLAIN. The 10 second delay when going secure is typical for encryption systems using an LPC-10 vocoder. Please note that in order to setup a secure connection, a Crypto Ignition Key (CIK) should be present and valid keys should be loaded into the Spendex 40 and the CIK.

A typical side effect of narrow-band LPC-10 encoding is that speech is carried accross relatively clear, but that it is impossible to recognise the person at the other end. This is the result of the fact that speech is first analysed, sent to the other end (encrypted) at 2400 baud and then reconstructed, resulting in a rather synthetic sound.

Spendex 40 is a full-duplex device, but it can also be used in half-duplex mode. This was used for example when the quality of the line was too poor or when the signal path was (partly) over radio links. In half-duplex mode the Push-To-Talk switch (PTT) on the handset would be used. This mode was also used when communicating with an American STU-II at the other end.
 
Spendex 40 with the handset off-hook Using the PTT switch After switching on, the Spendex 40 performs a self-test Normal operation showing 'X' in the display

 
Crypto Ignition Key
The SAVILLE crypto-algorithm uses a 128 bits key. For enhanced security this key is split in two parts that are stored separetely. Each part is also 128 bits long and must be XOR-ed with the other one in order to obtain the actual key. One half is stored in battery-backed RAM inside the Spendex 40, whilst the other half is stored in an EEPROM inside the Crypto Ignition Key (CIK).
 
Splitting the key in two parts makes it easier to render the machine useless when security is compromised. Whenever a user temporarily leaves the Spendex 40, he can leave the key loaded as long as he takes the CIK with him.

Without the CIK, the key inside the Spendex 40 has no value. Likewise, a loaded CIK can not be used on another Spendex 40 device. Trying the CIK on another Spendex 40 causes the message ILL. CIK (illegal CIK) to be displayed. The image on the right shows a typical CIK being connected to the CIK socket on the Spendex 40 front panel. 		  
Placing the CIK

Secure operation is only possible with a valid (loaded) CIK present on the socket marked 'CIK'. When security is compromised, the user presses the ZEROIZE button that is behind a metal flap at the front panel. Pressing the button destroys all keys that are present in the internal RAM of the Spendex 40. It also clears the CIK (when connected). The display will then show the message ZEROISED (British spelling). If the CIK was not present when the ZEROIZE button was pressed, the internal RAM is still cleared, rendering the keys useless. The CIK was also used with Spendex 50.

Although the CIK is marked with the word CONFIDENTIAL on its serial number plate, un unloaded CIK is an unclassified device. Whenever a valid key is loaded to both the Spendex 40 and the CIK, the CIK is classified to the level of the loaded key. Deleting the key makes it unclassified again. The CIK only contains a memory chip (EEPROM) that can hold a randomly-generated number that is part of the key. There is no additional intelligence or other protective or secret circuitry inside.
 
Typical Spendex 40 CIK Spendex 40 CIK Spendex 40 CIK Placing the CIK Crypto Ignition Key (CIK) present on Spendex 40 Display showing 'NUL. CIK', indicating that the CIK is empty. Pressing the ZEROIZE button Pressing the ZEROIZE button causes all internal keys and the CIK to be cleared

 
Loading the crypto keys
Key material for the Spendex-40 was produced by an external key management system. This was usually a piece of suitable software running on a dedicated PC. The keys were then distributed by means of a key filler or key-fill device such as the military KYK-13 fill gun. In the case of NATO, a government agency acting as a Key Distribution Center (KDC) could also be used for this.
 
Key are normally loaded into the Spendex 40 by means of a fill gun. When it is connected to the FILL socket on the front panel, the display will show the message COMSEC ?. The user would then select the required key compartment, set the selector to WRITE and press the ACTIVATE button in order to initiate a key transfer.

As the American KYK-13 key loader was in short supply, Philips developed its own equivalent devices such as the UP-2001 shown here. It had the advantage of having 40 key compartments rather than just 6 as on the original KYK-13. 		  
Initiating a key fill

A larger number of key compartments in a fill device allows keys for different devices or for more days in advance to be carried. As soon as the keys were loaded, the key loader was removed and both the Spendex 40 and the CIK had become a Classified Cryptographic Items (CCI). Note that the original key was not stored inside the Spendex 40. It was reconstructed when needed by adding (by means of an XOR operation) the internally stored key with the one stored in the CIK.
 
Spendex 40 with Philips UP-2001 key filler Loading the cryptographic keys with a Philips UP-2001 key filler (KYK-13 compatible) Initiating a key fill When the key filler is connected, the display reads 'COMSEC ?'.

 
Connecting a fax
Apart from voice communication, the Spendex 40 was also capable of encrypting and decrypting digital (computer) data through the internal modem, or an externally connected modem at speeds up to 4800 baud. For this, the DB25 connector at the left side of the front panel is available.
 
The data port has a serial (RS-232) interface that can be used for the connection of a personal computer or a similar data device such as a fax.

This image on the right shows a standard Canon fax unit of the early 1980s connected to the DB25 socket on the left of the Spendex-40. The image was taken from a stock photo [7] that appeared in the 6-page brochure [10].

As an alternative, the NSA-approved fax unit Cryptek TS-40 could also be used [2]. It was a plain paper laser fax that complied with NSA TEMPEST Level I standards. Neither of the fax units discussed here are available anymore. 		  

A facsimile machine (fax) was a popular means of sending hand-written documents and images over telephone lines during the 1980s and 90s. Since the internet-revolution it has gradually been replaced by e-mail. As the Spendex 40 allowed secure transmission of fax-documents, it was also used for the distribution of cryptographic keys, simply by printing them onto an A4-sheet as barcodes. The keys were then transferred to a key loader by means of a barcode reader.
 
Spendex-40 with a fax connected and the handset off-hook Connections at the left: handset and printer/fax Key-fill device with barcode pen

 
Backup battery
The keys, stored in the memory (RAM) of the Spendex 40, are retained by a backup battery. For this purpose, a long-life 3.6V Lithium cell is used. It has the shape of a standard penlight battery and is accessible from the rear of the device, by removing a small panel at the right.
 
The battery compartment can be opened by removing 4 hex-bolts, as shown in the image on the right. The battery itself can be removed by pulling its white cloth jacket (images below).

Suitable replacement batteries are available from a variety of sources, such as Tadiran (TL-5104) and Conrad Elektronik in Germany. The latter offers batteries from manufacturer EVE (Energy Very Endure) for about EUR 4.99 (order number 650773-89) and Emmerich (651244-89). Note that standard 1.5V penlight batteries can not be used. They do not produce the required voltage. 		  
Open battery compartment

When the battery is fully exhausted, or when it has been removed from the device for more than a few seconds, the internal settings of the phone might have been lost. This might render the phone unusable, especially when the internal modem is used (which is nearly always the case), as it defaults to using an external modem. In that case, the setup procedure should be carried out.
 
Open battery compartment Pulling the battery Removing the battery 3.6V Lithium backup battery 3.6V Lithium backup battery

 
Development
Spendex 40 was one of the first secure voice terminals that used a vodocer based on the LPC-10 standard [6]. LPC or Linear Predictive Coding was a high-quality vocoder, developed by the US Department of Defense for use by NATO. It is also known as FS-1015 or STANAG-4198.

Although LPC-10 encoding became rather common in later years, it was by no means easy to implement it, at the time Spendex 40 was developed. The vocoder used in the Spendex 40, was developed in collaboration with Philips Research (NatLab) in Eindhoven (Netherlands). It needed two NEC DSPs of the first generation. Reliability and speech quality was higher than on comparable systems like the much larger American STU-II that was also used by NATO.
 
As far as we know, Spendex 40 was the first non-US/UK device to be licenced to implement the highly secure GCHQ/NSA-developed SAVILLE cryptographic algorithm [3]. As SAVILLE is a very complex algorithm, it was (and still is) too difficult to be implemented in software [8].

Philips therefore developed its own crypto-chip called the OQ4430. It is shown in the image on the right. The same chip was also used in the military Spendex 50 secure voice terminal. Three of these crypto-chips are used in each Spendex device; 1 for reception and 2 for transmission. 		  
Click for more information about the SAVILLE algorithm

Spendex 40 was arguably the most secure voice and data terminal at the time. It was approved for use by the US Government at the highest possible level (NSA Type 1) and was also used by NATO and the German government. It was one of the smallest Type 1 crypto phones at the time.

Rumour has it that NSA officials were 'shocked' when they saw the first Spendex 40 prototype in action. It was so much smaller than the American STU-II and yet its speech quality was so much better [5]. Motorola later developed the STU-II/B, that was intended as a replacement for all STU-II compatible devices, including the Spendex 40. It was much smaller and had improved speech quality (using Motorola's own DSP technology) but came nearly 10 years after the Spendex 40.

It is also rumoured that it played an important role before, during and after the fall of the Berlin Wall in 1989, when it was used by the West-German Authorities for secure communication [5]. It was believed that foreign secret services were unable to break the SAVILLE encryption algorithm.
 
Interior
The Spendex 40 is an extremely robust device that was clearly intended for military use. The unit is hermetically sealed with a large number of hex bolts in order to prevent unwanted emission of signals (TEMPEST). The interior can be access from the rear (PSU) and from the top (crypto).
 
The die-cast aluminium case consist of several compartment that are interconnected by means of filtered lines. There are compartments at the rear, the front the side and at the top. The front panel contains the user controls and connections and is bolted to the front of the main case.

The compartments at the rear can be accessed by removing 14 hex bolts from the rear panel, as shown in the image on the right. At the left is the power supply (PSU) with the transformer just visible. The (telephone) line interface is at the right. The filters are mounted to the rear panel. 		  
Looking into the rear compartment of the Spendex 40

The filters are necessary to prevent unwanted leakage of information. For the same reason, a metal gasket is present in between the main case and the rear panel. The block at the bottom right contains the backup battery (see below). The most interesting compartment is at the top.
 
It can be accessed by removing the handset assembly and the (sealed) top lid. The image on the right shows the contents of the crypto compartment as seen from the top. There are 7 PCBs which are slotted into a backplane at the bottom. A small microswitch on card number 3 acts as tamper-detection. When the top panel is lifted, all cryptographic keys will be cleared.

The two flying wires at the left are normally connected to a reed-switch that is mounted to the top panel. It acts as the off-hook switch and is activated by a magnet in the handset holder. 		  
Crypto compartment. Each PCB is identified with a white label (in Dutch)

The boards are listed below. Six of the seven PCBs are mounted together in pairs. Although each PCB has is own connection to the backplace, they should always be removed together. The first two PCBs at the front are 'locked' in between metal panels in order to provide sufficient cooling for the special chips that are used for speech analysis and synthesis. Parts of these two boards were developed in close collaboration between Philips Usfa and Philips' NatLab (Philips Research).
 
Rear view of Spendex 40 Spendex 40 interior (rear view) Looking into the rear compartment of the Spendex 40 Top lid of crypto compartment Sealed crypto compartment Crypto compartment. Each PCB is identified with a white label (in Dutch) Three custom crypto processors Display showing 'ALARM' as the crypto compartment has been opened

 
Crypto heart
Inside the crypto compartment are the following PCBs. Detailed photographs of each board at the bottom of this section.
  1. UA-8323/00 Speech synthesis board
  2. UA-8322/00 Speech analysis board
  3. UA-8321/00 Key memory board
  4. UA-8320/00 Key generator
  5. UA-8319/00 Control board
  6. UA-8318/00 Timing board
  7. UA-8317/00 Telephony board
   
Three custom crypto processors

Board number 4 (key generator) is the actual crypto heart. It contains three OQ4430 crypto processors that were developed by Philips especially for this purpose. They are used for the implementation of the SAVILLE protocol. The same crypto chips are used in the Spendex 50. As it is a full-duplex system, three crypto chips were necessary, one of which was used for reception. The other two were used for transmission, raising an alarm if their outputs were not identical.
 
Boards (1) and (2) are technically the most advanced for the era. For development of the speech analyzer and the speech synthesizer, a number of first-generation DSPs have been used. Spendex 40 was one of the very first devices to use the NEC µPD77P20D DSP.

The speech analyzer contains two such DSPs, whilst the speech synthesizer uses three of them, plus a OQ4422 custom chip. The two boards are sandwiched together and clamped in between a series of copper springs that prevent the socketed ICs from coming loose. 		  

The springs also provide some level of cooling for the DSPs and possibly provide extra ground for some of the chips as well. The speech synthesis board further contains an Intel 8085 processor with firmware in a 32K EPROM. The function of the OQ4422 custom chip is currently unknown.
 
Crypto compartment. Each PCB is identified with a white label (in Dutch) Speech synthesis board Speech analysis board Key memory Key generator (crypto board) Control board Timing card Line interface card

 
Different names
The Spendex 40 is known under different names. Spendex 40 was the name that was internally given to the device. In official correspondence, the machine was referred to as the UA-8251 and in the 1985 edition of Jane's Military Communication [3] it is presented as the NBSV-45, which was the non-NATO variant. At present, the following names are known:
 
  • Spendex 40
  • UA 8251
  • NBSV 45
Models
As far as we currently know, the Spendex 40 was available in two different models that can be identified by an extension to the model number that takes the shape of /XX. The extension number identifies the type of (internal) modem that is present in the phone's rear compartment. Please note that the (soft) settings of the device have to be configured accordingly.
 
  • UA-8251/00 - all modes except 2-wire full-puplex
  • UA-8251/01 - 2-wire full-duplex only
Interoperability
Spendex-40 was interoperable with the following devices:
 
Wanted
Will are still looking for a Crypto Ignition Key (CIK) for our Spendex 40. Although the serial number plate on the CIK indicates that it is CONFIDENTIAL, it is in fact an unclassified item as long as it is unloaded (see above). It just contains a memory chip (EEPROM) that can hold part of the key. There is no additional intelligence or other protective or secret circuitry inside. If you have any of these available or if you have additional information, please contact us.
 
References
  1. Nationaal Bureau voor Verbindingsbeveiliging (NBV, part of the AIVD),
    List of approved crypto products (Dutch)
    Retrieved March 2009.

  2. NSA, Cryptek TS-40 secure facsimile unit
    Fax unit approved for use with Spendex 40.

  3. Jane's Military Communications 1986
    ISBN: 0-7106-0824-1

  4. Philips Usfa BV, NBSV 45, Provisional Data Sheet
    Simple black & white leaflet about the NBSV-45 (Spendex 40 M).
    9922 154 12401. Date unknown.

  5. Interview with anonymous source about the use of Spendex 40
    Crypto Museum. Eindhoven, June 2011.

  6. Wikipedia, LPC-10 Vocoder
    FS-1015 standard. Retrieved July 2011.

  7. Philips Usfa/Crypto, Spendex 40 stock photographs
    Crypto Museum Photo Archive.

  8. Crypto Museum, The SAVILLE Algorithm
    Interview with former cryptographer at Crypto Museum, December 2011.

  9. NEC Electronics Inc., µPD77C20, 7720A, 77P20 Digital Signal Processors
    First commercial DSP chip used in Spendex 40. 1980. Retrieved March 2012.

  10. Philips Usfa BV, Narrow Band Secure Voice Equipment Spendex 40
    Spendex 40 Brochure (copy) 9922 154 12443. 1987.

Further information

Any links shown in red are currently unavailable. If you like this website, why not make a donation?
© Copyright 2009-2013, Paul Reuvers & Marc Simons. Last changed: Thursday, 23 January 2014 - 08:22 CET
Click for homepage