secure phones - STU3
-----BEGIN PGP SIGNED MESSAGE-----

I browsed through the owner's manual for the AT&T STU-III secure phone unit today. It has no technical information whatsoever (security through obscurity?).

It uses a so-called CIK (Crypto Ignition Key), which resembles one of those electronic keys that hotels use. It must be inserted in a "lock" in the phone, and turned 90 degrees. This will enable one of the crypto keys that is stored in the phone's battery backed-up memory (loaded previously by a "COMSEC custodian" through a data port on the phone). The manual warns the phone must be in a relatively secure location and points out an emergency erase button that wipes out the keys stored in memory.

Then you call someone, say you want a secure channel, wait for them to insert their CIK (and tell you so), then touch the "secure voice" button on the panel. The manual then says it will go through an "authentication process", the results of which will be displayed on the STU-III's screen. It will show data such as the other station's ID number, the security level of the channel (secret, top secret, etc.), and the baud rate.

Does anyone know how this works technically?

My speculation: It seems to be a public key system. The phone's memory seems to contain a secret keyring, and a CIK is a 'passphrase' to a secret key, to make an analogy to PGP. Then the authentication process includes exchanging a session key for a conventional crypto system - no doubt DES. Apparently the NSA issues the keys to authorized agencies and contractors. The public keys contain information such as the ID number of the key, possibly the authorized user's name, the security clearance level for that key, etc., which is exchanged during authentication.

Am I on the right track? Comments and speculations welcome.

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLOg+wDSSmvXojb+5AQEplQH+JdiaWbzgXiWPtqVaQcPIo4arzOI8Fl1Z
6ylkT9UL/Qh8BpoyVK9PqiEwazaLPxCxWYksOty7LlRy0zByVXqWHw==
=8E4k
-----END PGP SIGNATURE-----
participants (1)
-
lear35!mdbomber@nebula.acs.uci.edu