STU-III

STU-III (Secure Telephone Unit - third generation) is a family of secure telephones introduced in 1987 by the NSA for use by the United States government, its contractors, and its allies. STU-III desk units look much like typical office telephones, plug into a standard telephone wall jack and can make calls to any ordinary phone user (with such calls receiving no special protection, however). When a call is placed to another STU-III unit that is properly set up, one caller can ask the other to initiate secure transmission. They then press a button on their telephones and, after a 15-second delay, their call is encrypted to prevent eavesdropping. There are portable and militarized versions and most STU-IIIs contained an internal modem and RS-232 port for data and fax transmission. Vendors were AT&T (later transferred to Lucent Technologies), RCA (now L-3 Communications, East) and Motorola.

STU-III are no longer in service with the U.S. Government, with the last cryptographic keys for the units expiring on December 31, 2009. It has been replaced by the STE (Secure Terminal Equipment) and other equipment using the more modern Secure Communications Interoperability Protocol (SCIP).

Versions

 * STU-III/Low Cost Terminal (LCT) designed for use in office environment by all types of users. (Motorola Sectel 1500, Lucent Technologies/GD 1100 and 1150)
 * STU-III/Cellular Telephone (CT) is interoperable with all STU-III versions. Works in all continental US mobile network and in most of the foreign cellular networks.
 * STU-III/Allied (A) specialized version of the STU-III/LCT that is compatible with the STU-II. It retains all basic STU-III functions and capabilities and incorporates STU-II BELLFIELD KDC, STU-II net, and STU-II multipoint modes of operation.
 * STU-III/Remote Control Interface (R or RCU)
 * STU-III/MultiMedia Terminal (MMT)
 * STU-III/Inter Working Function (IWF)
 * STU-III/Secure Data Device (SDD)
 * STU-III/CipherTAC 2000 (CTAC)

Security
Most STU-III units were built for use with what NSA calls Type 1 encryption. This allows them to protect conversations at all security classification levels up to Top Secret, with the maximum level permitted on a call being the lower clearance level of the two persons talking. At the height of the Commercial COMSEC Endorsement Program, Type 2, 3, and 4 STU-IIIs were manufactured, but they saw little commercial success.

Two major factors in the STU-III's success were the Electronic Key Management System (EKMS) and the use of a removable memory module in a plastic package in the shape of a house key, called a KSD-64A. The EKMS is believed to be one of the first widespread applications of asymmetric cryptography. It greatly reduced the complex logistics and bookkeeping associated with ensuring each encryption device has the right keys and that all keying material is protected and accounted for.

The KSD-64A contains a 64 kbit EEPROM chip that can be used to store various types of keying and other information. A new (or zeroized) STU-III must first have a "seed key" installed. This key is shipped from NSA by registered mail or Defense Courier Service. Once the STU-III has its seed key, the user calls a toll-free number at NSA to have the seed key converted into an operational key. A list of compromised keys is downloaded to the STU-III at this time. The operational key is supposed to be renewed at least once a year.

The operational key is then split into two components, one of which replaces the information on the KSD-64A, at which point it becomes a Crypto Ignition Key or CIK. When the CIK is removed from the STU-III telephone neither unit is considered classified. Only when the CIK is inserted into the STU-III on which it was created can classified information be received and sent.

When a call "goes secure", the two STU-III's create a unique key that will be used to encrypt just the call being placed. Each unit first makes sure that the other is not using a revoked key and if one has a more up-to-date key revocation list, it transmits it to the other. Presumably the revocation lists are protected by a digital signature generated by NSA.

While there have been no reports of STU-III encryption being broken, there have been claims that foreign intelligence services can recognize the lines on which STU-IIIs are installed and that un-encrypted calls on these lines, particularly what was said while waiting for the "go secure" command to complete, have provided valuable information.

Use
Hundreds of thousands of STU-III sets were produced and many were still in use as of 2004. STU-III replaced earlier voice encryption devices, including the KY-3 (1960s), the STU-I (1970) and the STU-II (1975). The STU-II had some 10,000 users. These, in turn, replaced less secure voice scramblers. Unlike earlier systems, the STU-III's encryption electronics are completely contained in the desk set. Further, the reduced bandwidth required by a STU-III permitted it to be used for encrypted voice communications even over limited conduits such as the commercial maritime communication satellites of the day. The STU-III is no longer in use, having been replaced by the STE (Secure Terminal Equipment) or OMNI, more modern, all digital systems that overcome many of the STU-III's problems, including the 15 second delay.

Operational difficulties in using STU-III phones hindered coordination between the Federal Aviation Administration and NORAD during the September 11, 2001 attacks on New York and Washington. See Communication during the September 11 attacks.

STE succeeded STU-III in the 1990s. Similar to STU-III, an STE unit physically resembles an ordinary telephone. Besides connecting to a regular wall phone jack (Public Switched Telephone Network), the STE was originally designed to be connected to Integrated Services Digital Network (ISDN) lines. As a result, in addition to having secured voice conversations, users can also use an STE unit for classified data and fax transmissions. Transfer rate of an STE is also considerably higher (STU-III: up to 9 kbit/s; STE: up to 128 kbit/s). Lastly, an STE unit is backward compatible with an STU-III unit when both units are connected to the PSTN.

The heart of an STE unit is the Fortezza Plus (KOV-14) Crypto Card, which is a PCMCIA card. It contains both the cryptographic algorithms as well as the key(s) used for encryption. Cryptographic algorithms include BATON, FIREFLY, and SDNS signature algorithm. When the Crypto Card is removed from the STE unit, neither the phone or the card is considered classified. BATON is a block cipher developed by the NSA with a block size of 128 bits and key size of 320 bits. FIREFLY, on the other hand, is a key distribution protocol developed by the NSA. The FIREFLY protocol uses public key cryptography to exchange keys between two participants of a secured call.

Both STU-III and STE are built on technologies that are proprietary, and details of the cryptographic algorithms (BATON and FIREFLY) are classified. Although the secrecy of the algorithms does not make the device less secure, it does limit the usage to within the U.S. government and its allies. Within the Department of Defense, Voice over IP (VoIP) has slowly emerged as an alternative solution to STU-III and STE. The high bandwidth of IP networks makes VoIP attractive because it results in voice quality superior to STU-III and STE. To secure VoIP calls, VoIP phones are connected to classified IP networks (e.g. Secret Internet Protocol Router Network – SIPRNET).

Both allies and adversaries of the United States are interested in STU-III, STE, and other secured voice technologies developed by the NSA. To date, there has not been any reported cryptanalysis on the encryption algorithms used by the STU-III and STE. Any breaks in these algorithms could jeopardize national security.

Information about STU-III is very limited despite the fact that it is out of production. Because of the sensitive nature of the subject, there are few relevant documents available. The majority of the information available originates from the manufacturers (e.g. L-3 Communications) of STU-III and STE.