The US National Security Agency (NSA) has ended production of punched paper tape cryptographic keys after more than 50 years of use, making its final shift to an electronic cryptographic key production and distribution architecture.
An agency spokesman confirmed to Computer Business Review that the last NSA punched tape key had rolled off its machines on October 2, 2019. Such keys were used to encrypt military and other communications, and needed to be physically entered into devices that could store the key, then shipped around the world.
The technology, which uses paper-mylar-paper tape rolls punched with holes to store cryptographic keys (a hole represents a binary 1, and the absence of a hole a binary 0), remains in use in the UK, particularly by the Ministry of Defence.
The NSA only confirmed the end of the programme and declined to provide an image of the now obsolete kit.
Neal Ziring, technical director of the NSA’s Capabilities Directorate, told us earlier this year that the signals intelligence agency produced millions of the physical crypto keys per year during the 1980s but was now down to the hundreds annually.
He joked of the last production run: “We’ll probably have a party.”
Such cryptographic keys (used for symmetric algorithms widely deployed by the military) are physically shipped around the country in tamper-proof canisters.
Ziring attributed the longevity of the technology, despite digital alternatives, to slow military equipment replacement cycles: “Once the military gets a tactical radio or something that they like, they tend to use it for a long while.
“We’ve been working with our military partners to get them off key tape for, oh jeez, well over a decade; probably longer.”
NSA Punched Tape Programme Ends; UK Lags Behind
Physical keys remain in widespread use in the UK. In 2018 the UK Key Production Authority, which sits under the NCSC, processed 3,800 orders for key material, or 145,000 physical keys for 170 customers across government.
Richard Flitton, managing director of L3 TRL, a Tewkesbury-based specialist in advanced electronic security systems, earlier told Computer Business Review that ongoing use of the technology was a security issue.
He said: “There’s two issues here: one is that you’ve got to distribute the key, so you’ve got to physically move the things around the country or even overseas. If you’re moving things they’re vulnerable to being intercepted or compromised. Then secondly there’s the cost and logistical burden of doing all that.
“The authority has a huge challenge to produce all those keys and then it’s got a challenge to distribute and install them all. I won’t describe what happens. But if Joe Public knew, you would think this was all a bit 1960s really.”
As Ziring explained earlier, digital cryptographic key management rendered comsec accounting and logistics a lot more straightforward.
In terms of how that works: “A base or a depot would have an outpost of the key management system – there are various form factors for that – right on base.
“If they’re trying to put keys into some military aircraft, they’d have ‘fill devices’ in the hangar, you fill up the key fill device from the KMS, you take it around the airplanes – you’re talking about walking a couple hundred meters… It’s not like trying to ship it [a punched tape key] from Maryland out to a base from the other side of the world.”
Such tape can be used either as a one-time key, roughly equivalent to a one-time pad, to directly encipher a message (a use phased out long ago), or to store a crypto variable: the key for a symmetric algorithm.
A blog by the NSA itself described the technology: “Each 5,000 foot roll of Paper-Mylar-Paper-tape moving through the production line at one foot per second represented the raw material on which the COMSEC key would be punched and printed.
“Keeping the punch and print operations moving with the necessary speed and precision presented a serious engineering challenge. Borrowing from the technology of magnetic tape drives, the development team came up with vacuum wells which were incorporated into the system to physically regulate the flow of the tape.”
The software development engineers and crypto software programmers of such punch, verification, print (PVP) systems in the 1970s had to write, entirely in assembly language, the main system software for the DEC PDP-11 computer that would import cryptologic key and oversee the entire tape production process.
“This task was daunting and would be considered the equivalent of travelling from Baltimore to Los Angeles on hands and knees by today’s programmers.”