A fill device or key loader is a module used to load cryptographic keys into electronic encryption machines. Fill devices are usually hand held and electronic ones are battery operated.
Older mechanical encryption systems, such as rotor machines, were keyed by setting the positions of wheels and plugs from a printed keying list. Electronic systems required some way to load the necessary cryptovariable data. In the 1950s and 1960s, systems such as the U.S. National Security Agency KW-26 and the Soviet Union's Fialka used punched cards for this purpose. Later NSA encryption systems incorporated a serial port fill connector and developed several common fill devices (CFDs) that could be used with multiple systems. A CFD was plugged in when new keys were to be loaded. Newer NSA systems allow "over the air rekeying" (OTAR), but a master key often must still be loaded using a fill device.
NSA uses two serial protocols for key fill, DS-101 and DS-102. Both employ the same U-229 6-pin connector type used for U.S. military audio handsets, with the DS-101 being the newer of the two serial fill protocols. The DS-101 protocol can also be used to load cryptographic algorithms and software updates for crypto modules.
Besides encryption devices, systems that can require key fill include IFF, GPS and frequency hopping radios such as Have Quick and SINCGARS.
Common fill devices employed by NSA include:
- KYK-28 pin gun used with the NESTOR (encryption) system
- KYK-13 Electronic Transfer Device
- KYX-15 Net Control Device[1]
- MX-10579 ECCM Fill Device (SINCGARS)[2]
- KOI-18 paper tape reader. Can read 8-level paper or PET tape, which is manually pulled through the reader slot by the operator. It is battery powered and has no internal storage, so it can load keys of different lengths, including the 128-bit keys used by more modern systems. The KOI-18 can also be used to load keys into other fill devices that do have internal storage, such as the KYK-13 and AN/CYZ-10. The KOI-18 only supports the DS-102 interface.
- AN/CYZ-10 Data Transfer Device (DTD) - a small PDA-like unit that can store up to 1000 keys, maintains an automatic internal audit trail of all security-relevant events that can be uploaded to the LMD/KP, encrypts key for storage, and is programmable. It is capable of keying multiple information systems security (INFOSEC) devices and is compatible with such COMSEC equipment as SINCGARS radios, KY-57 VINSON, KG-84, and others that are keyed by common fill devices (CFDs). The AN/CYZ-10 supports both the DS-101 and DS-102 interfaces. It was developed in the early 1990s, weighs about 4 lb (1.8 kg), and was designed to be fully compatible with future INFOSEC equipment meeting DS-101 signaling and benign fill standards. It will eventually replace the legacy family of CFDs, including the KYK-13, KYX-15 electronic storage devices, and the KOI-18 paper tape reader. Only the DTD and the KOI-18 support newer, 128-bit keys.
- Secure DTD2000 System (SDS) - Named KIK-20, this was the next generation common fill device replacement for the DTD when it started production in 2006. It employs the Windows CE operating system.[3]
- AN/PYQ-10 Simple Key Loader (SKL) - a simpler replacement for the DTD.
- KSD-64 Crypto ignition key (CIK)
- KIK-30, a more recent fill device, is trademarked as the "Really Simple Key Loader" (RASKL) with "single button key-squirt." It supports a wide variety of devices and keys.[4]
The older KYK-13,[5] KYX-15 and MX-10579 are limited to certain key types.