
Encryption Cracked On NIST-Certified Flash Drives

timothy posted more than 4 years ago | from the whoopsie-daisy dept.

Security 252

An anonymous reader writes "USB Flash drives with hardware based AES 256-bit encryption manufactured by Kingston, SanDisk and Verbatim have reportedly been cracked by security firm SySS. These drives are advertised to meet security standards suitable for use with sensitive US Government data (unclassified, of course) as emphasized by the FIPS 140-2 Level 2 certificate issued by the US National Institute of Standards and Technology (NIST). It looks like the Windows-based password entry program always sends the same character string to the drive after performing various crypto operations."

252 comments

It's not just the algorithm (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30658430)

One weakness in the entire crypto-system can bring the whole thing down.

Re:It's not just the algorithm (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30658448)

This morning I was awoken by my alarm clock powered by electricity generated by the public power monopoly regulated by the US Department of Energy.
I then took a shower in the clean water provided by the municipal water utility.
After that, I turned on the TV to one of the FCC regulated channels to see what the National Weather Service of the National Oceanographic and Atmospheric Administration determined the weather was going to be like using satellites designed, built, and launched by the National Aeronautics and Space Administration. I watched this while eating my breakfast of US Department of Agriculture inspected food and taking the drugs which have been determined as safe by the Food and Drug Administration.
At the appropriate time as regulated by the US Congress and kept accurate by the National Institute of Standards and Technology and the US Naval Observatory, I get into my National Highway Traffic Safety Administration approved automobile and set out to work on the roads built by the local, state, and federal Departments of Transportation, possibly stopping to purchase additional fuel of a quality level determined by the Environmental Protection Agency, using legal tender issued by the Federal Reserve Bank. On the way out the door I deposit any mail I have to be sent out via the US Postal Service and drop the kids off at the public school.
Then, after spending another day not being maimed or killed at work thanks to the workplace regulations imposed by the Department of Labor and the Occupational Safety and Health Administration, I drive back to my house which has not burned down in my absence because of the state and local building codes and the fire marshal's inspection, and which has not been plundered of all its valuables thanks to the local police department.
I then log onto the Internet which was developed by the Defense Advanced Research Projects Administration and post on freerepublic and fox news forums about how SOCIALISM in medicine is BAD because the government can't do anything right.

Re:It's not just the algorithm (-1, Troll)

dokhebi (89124) | more than 4 years ago | (#30658642)

And what does this have to do with breaking an encryption scheme that was possible because Microsoft is just bad software?

As always, just my $0.02 worth.

Re:It's not just the algorithm (4, Informative)

plover (150551) | more than 4 years ago | (#30658848)

This has nothing whatsoever to do with Microsoft, you troll. RTFA.

The "password" software just sent the "it's OK, decrypt this" to the dongle.

Re:It's not just the algorithm (0)

Anonymous Coward | more than 4 years ago | (#30658708)

Govt regulation != socialism; it is what regulations were imposed and how they were imposed that matters. Anyway, why do I bother replying to a troll?

Re:It's not just the algorithm (5, Insightful)

hey! (33014) | more than 4 years ago | (#30659020)

Only? It's *mainly* defects in the rest of the system that tend to bring things down.

Algorithms, once they get to the point where the experts trust them, are very seldom broken in the everything-laid-completely-bare way that faulty system design gets you. It's usually more like "could be broken with a week of supercomputing time ten years from now" or "can calculate a hash collision for certain specially constructed messages" variety of crack.

Of course once you get to that point, you have to assume that some really bright people will find a way to generalize the fault in the algorithm. If they'd broken AES, or even found an unexpected weakness in it, that'd be *huge* news. Instead, what they've found appears to be a classic case of plain old brain damaged design.

If the article is to be believed, the researchers found a really, really stupid flaw, the kind a non-expert like I could understand and probably exploit with not much effort. I would paraphrase this way: all these drives *effectively* have exactly the same key, but that fact is obscured by the software.

Truecrypt (0, Interesting)

Anonymous Coward | more than 4 years ago | (#30658458)

Does this affect Truecrypt using the same encryption mode?

Re:Truecrypt (4, Insightful)

sakdoctor (1087155) | more than 4 years ago | (#30658542)

Didn't you even read TFS?

The moral of the story is to buy a normal flash drive and encrypt it using Truecrypt, then you are not at the whims of Kingston/SanDisk/Verbatim, keeping their closed source, windows only software patched.

Re:Truecrypt (4, Insightful)

plover (150551) | more than 4 years ago | (#30658874)

This problem is only that of "closed source" and not one of "Windows only". It would be equally insecure on any OS.

Re:Truecrypt (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30658956)

Enjoy your keylogger.

Re:Truecrypt (5, Informative)

Anonymous Coward | more than 4 years ago | (#30658760)

What I got from the article was the following scenario:
1. Drive asks for a password
2. User enters a password
3a. The password is incorrect -> "DO NOT OPEN" message is sent to the drive
3b. The password is correct -> "OPEN" message is sent to the drive
4. User gains access to the drive

The "crackers" simply bypassed steps 1 and 2 and went straight to 3b. You'd of course have to be a complete idiot to design an authenticating mechanism in this manner. TrueCrypt does not share this design.

Re:Truecrypt (5, Informative)

von_rick (944421) | more than 4 years ago | (#30659002)

If you were to check the flash drive's partitioning, you'll see that it has two separate partitions. The section with the encryption program is on the primary partition of the flash drive. When the program executes, you get access to the other partition.

Now I've mounted those drives under Linux by bypassing the login process. Instead of mounting sdc1 (assuming sdc is your encrypted flash drive), you mount sdc2. What I've learnt is that the drive isn't encrypted at all - nor password protected. If you can find a way to format the first partition, you pretty much kill the password protection that comes with the flash drive. The "protected" partition just becomes the default partition when the primary one is unavailable.

TrueCrypt or any other data encryption method is the right way to actually secure your data

Re:Truecrypt (2, Informative)

geekmux (1040042) | more than 4 years ago | (#30659534)

If you were to check the flash drive's partitioning, you'll see that it has two separate partitions. The section with the encryption program is on the primary partition of the flash drive. When the program executes, you get access to the other partition.

Now I've mounted those drives under Linux by bypassing the login process. Instead of mounting sdc1 (assuming sdc is your encrypted flash drive), you mount sdc2. What I've learnt is that the drive isn't encrypted at all - nor password protected. If you can find a way to format the first partition, you pretty much kill the password protection that comes with the flash drive. The "protected" partition just becomes the default partition when the primary one is unavailable.

TrueCrypt or any other data encryption method is the right way to actually secure your data

IF in fact what you've discovered is true across several vendors' "FIPS certified" flash drives, then I'm not sure what is more disturbing: the idiot who designed this "encryption" scheme, or the idiot in charge of rubber stamping the FIPS certification on it.

I knew there was more than one reason I use TrueCrypt everywhere...

Re:Truecrypt (1)

mick232 (1610795) | more than 4 years ago | (#30659338)

Similarly, you'd have to be a complete idiot to give such devices any kind of certification. We all know that companies can sell any junk they want, that's why we rely on certification agencies. But now we know that certification agencies really work as marketing agencies, boosting the sale of junk hardware by sticking their logo on it.

Re:Truecrypt (1)

interval1066 (668936) | more than 4 years ago | (#30659344)

Yeah, that's my understanding as well. It's not an issue with Windows, per se. I would use TrueCrypt as well. (Which I do.)

How does this differ from Truecrypt? (2, Insightful)

NeutronCowboy (896098) | more than 4 years ago | (#30658462)

Can anyone explain to me why the disk manufacturers chose to reinvent the wheel, instead of using Truecrypt? As far as I know, Truecrypt encryption hasn't been broken yet.

Re:How does this differ from Truecrypt? (0)

Anonymous Coward | more than 4 years ago | (#30658522)

So that they can claim their encryption is better than the one competitors use?

Re:How does this differ from Truecrypt? (3, Informative)

jimbobborg (128330) | more than 4 years ago | (#30658532)

These aren't disks, they're USB thumb drives. The folks who "cracked" it just figured out a way to bypass the password and send a specific string that ALL of these devices use to access the data on these USB thumb drives. This seems to be endemic to these things. The info isn't encrypted, it's just locked with a password.

Re:How does this differ from Truecrypt? (2, Informative)

NeutronCowboy (896098) | more than 4 years ago | (#30658666)

No, it's actually encrypted. The problem is that the command to unencrypt the data is always the same. In other words, a small little widget can sit between the password program and the encrypted disk, and just send the right command string, regardless of what password was entered. Instant decryption.

But still - why do something like try to reinvent crypto, when there's an open format? The license for Truecrypt even allows for commercial use.

Re:How does this differ from Truecrypt? (2, Informative)

OscarGunther (96736) | more than 4 years ago | (#30658828)

Assuming your last comment wasn't a rhetorical question, you already know the answer to this: Because the perceived value-add of selling an encrypted drive allows them to charge more than simply bundling TrueCrypt with a bog-standard USB drive. The public justification would be that their software is easier to use (and, if they're feeling particularly full of themselves, more secure).

Re:How does this differ from Truecrypt? (2, Insightful)

ragethehotey (1304253) | more than 4 years ago | (#30658890)

Assuming your last comment wasn't a rhetorical question, you already know the answer to this: Because the perceived value-add of selling an encrypted drive allows them to charge more than simply bundling TrueCrypt with a bog-standard USB drive. The public justification would be that their software is easier to use (and, if they're feeling particularly full of themselves, more secure).

But with a minimal amount of work they could simply take the source, rename it and give it a pretty interface, and never have problems like this?

Re:How does this differ from Truecrypt? (1)

DavidTC (10147) | more than 4 years ago | (#30659430)

Yeah, that's what gets me. I mean, it's one thing if they were selling special software and didn't want to have to distribute it, which the GPL would make them.

But they're selling a drive. I mean, it's just as much work any other way.

Edit TrueCrypt's interface, put it to autostart from the tiny cleartext partition (Using that autorun U3 trick), have it only look for a specially marked partition on the other drive, and mount it, or prompt for password and format it if the partition is blank.

Tada.

Instead, they use a dumbass hardware encryption with a single key.

I slightly understand the idea of hardware decryption on flash drives, although I still contend there is almost no possible sequence of events where hardware decryption would help vs. a truecrypt file on a flash drive. It doesn't help against keystroke loggers, it doesn't help against mirroring programs, I'll be damned if I can see what it defends against.

But this is just stupidity on top of that.

That said, hardware decryption is cool because it doesn't need admin privs...in theory. Although they could just as easily have a user-level version of truecrypt loop back to an installed driver.

I.e., the drive would have two partitions on it, but actually have three. (Or appear as two entirely separate devices.) Attempts to access the third one would, by the hardware, send a request to a user-space program running on the computer. Which would be Truecrypt, which would read the encrypted data off the drive, decrypt it, and pass it back to the hardware, which would pass it back again.

Sounds slow, but, hell, it's decryption, and no USB flash drive can keep up with the USB 2.0 standard anyway. Such a loopback chip, which could be some serial interface the hacked truecrypt connects to to get commands and send data, would certainly be cheaper than a hardware decryption chip, although who knows if they're just going to fake it with a single key. (Which is, strictly speaking, not even 'encryption'. It's just a goofy media encoding scheme.)

Oh, and, tada. Unpatentable for the win!

Re:How does this differ from Truecrypt? (2, Interesting)

jimicus (737525) | more than 4 years ago | (#30658864)

No, it's actually encrypted. The problem is that the command to unencrypt the data is always the same. In other words, a small little widget can sit between the password program and the encrypted disk, and just send the right command string, regardless of what password was entered. Instant decryption.

But still - why do something like try to reinvent crypto, when there's an open format? The license for Truecrypt even allows for commercial use.

If it was properly encrypted, the decryption would be carried out on the device using a key supplied by the host PC and the device wouldn't be physically capable of decrypting it without the key. As it stands, the most charitable reading of this is that it IS using AES encryption, but it always uses the exact same key regardless of what the enduser does in the software.
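A toy model of the two designs contrasted in the comments above (#30658760 and #30658864), added here as an illustration; it is not code from SySS or from any drive vendor. The class names, the `OPEN` message, the SHA-256 keystream standing in for the AES hardware and the retry limit are all assumptions.

```python
import hashlib
import hmac
import os

SECRET = b"constructed sample file contents"  # constructed sample data
UNLOCK_MSG = b"OPEN"   # hypothetical placeholder for the constant "open" message
MAX_TRIES = 3          # assumption: retry limit enforced inside the device


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream, a stand-in for the drive's AES engine."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def xor32(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HostCheckedDrive:
    """Flawed design: the PC-side program checks the password, the device
    decrypts for anyone who sends the same constant message."""

    def __init__(self, password: bytes, plaintext: bytes):
        self.media_key = os.urandom(32)  # held by the device, unrelated to the password
        self.stored = stream_xor(self.media_key, plaintext)
        self.password_hash = hashlib.sha256(password).digest()  # only the host looks at this

    def device_command(self, message: bytes):
        # The device never sees the password, only the host's verdict.
        if hmac.compare_digest(message, UNLOCK_MSG):
            return stream_xor(self.media_key, self.stored)
        return None


def host_unlock(drive: HostCheckedDrive, password: bytes):
    """Vendor-style host program: decide on the PC, then tell the device."""
    ok = hmac.compare_digest(hashlib.sha256(password).digest(), drive.password_hash)
    return drive.device_command(UNLOCK_MSG if ok else b"DO NOT OPEN")


def derive_kek(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


class PasswordKeyedDrive:
    """Hardened design: the media key is stored only wrapped under a key
    derived from the password, and the check runs inside the device."""

    def __init__(self, password: bytes, plaintext: bytes):
        self.salt = os.urandom(16)
        kek = derive_kek(password, self.salt)
        media_key = os.urandom(32)
        self.wrapped_key = xor32(media_key, hmac.new(kek, b"wrap", "sha256").digest())
        self.check_tag = hmac.new(kek, b"verify", "sha256").digest()
        self.stored = stream_xor(media_key, plaintext)
        self.failures = 0

    def unlock(self, password: bytes):
        if self.failures >= MAX_TRIES:
            return None  # locked out; a real device might also erase the wrapped key
        kek = derive_kek(password, self.salt)
        tag = hmac.new(kek, b"verify", "sha256").digest()
        if not hmac.compare_digest(tag, self.check_tag):
            self.failures += 1
            return None
        self.failures = 0
        media_key = xor32(self.wrapped_key, hmac.new(kek, b"wrap", "sha256").digest())
        return stream_xor(media_key, self.stored)


if __name__ == "__main__":
    weak = HostCheckedDrive(b"correct horse", SECRET)
    strong = PasswordKeyedDrive(b"correct horse", SECRET)
    print("host program, wrong password :", host_unlock(weak, b"guess"))
    print("constant message, no password:", weak.device_command(UNLOCK_MSG))
    print("keyed drive, wrong password  :", strong.unlock(b"guess"))
    print("keyed drive, right password  :", strong.unlock(b"correct horse"))
```

In the first class the password check is advisory: nothing stored on the device depends on it. In the second there is no password-independent message to send, because the device itself cannot recover the media key without the password.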

Re:How does this differ from Truecrypt? (0)

Anonymous Coward | more than 4 years ago | (#30659140)

The whole point of this is to put a bullet point on the box. Uses AES Encryption!!!! It is true, they do use it, however it's not really useful, and a full hardware encrypt/decrypt package would cost more...

Re:How does this differ from Truecrypt? (1)

mick232 (1610795) | more than 4 years ago | (#30659438)

What's more: because they "use" AES (no matter how they use it), they can also put one more bullet point on the box: FIPS-140 certified by the NIST. This certification is misleading and should no longer be given.

Re:How does this differ from Truecrypt? (2, Insightful)

Archangel Michael (180766) | more than 4 years ago | (#30659420)

If what you are saying is true, that it uses the same encryption key for all devices, that would have to be by "Design", or worse, negligence. I seriously doubt that the engineers for this thing thought one key to rule them all would be acceptable, which leaves us with "Design".

However, I'm reminded of the old adage, "Any sufficient level of incompetence is indistinguishable from malice".

My view is that sufficient levels of incompetence should be treated exactly like malice. And in this case the company (companies?) should be held responsible on a criminal level. Criminally incompetent, or Fraud.

Why don't we have a corporate death penalty?

Re:How does this differ from Truecrypt? (1)

vlm (69642) | more than 4 years ago | (#30659452)

But still - why do something like try to reinvent crypto, when there's an open format? The license for Truecrypt even allows for commercial use.

Certain corporations want to "poison the well" of encrypted USB drives. Doesn't really matter why and that's not the point of this post. The end result of this incident is every clueless PHB now "knows" that it's "impossible" to make a properly encrypted USB drive, and somehow the corps that are intentionally poisoning the well believe they will profit off that incorrect belief. Maybe they want to drive (bad pun) a competitor out, maybe they lack the patents their competitors have, who knows. Maybe they just don't want to expand the product line to include "secure" devices and want to stick to insecure only.

I could imagine a situation where a drive manufacturer could not be a profitable concern as long as the competitors can get the high profit of selling secure drives. So, eliminate their ability to sell the profitable ones, by poisoning the whole market.

Re:How does this differ from Truecrypt? (1)

vlm (69642) | more than 4 years ago | (#30659536)

Oh, bad of me to reply to one of my own posts, but maybe they need to poison the market for encrypted USB drives because they're about to release a different kind of competing product, like maybe a USB hub that encrypts the traffic flowing thru it to any brand or model of USB drive. Or maybe coincidentally only works with same manufacturer's drives.

Maybe they may want to ruin the sub market of encrypted USB drives because contract terms are getting unfavorable for them in that sub market, and coincidentally they plan to release a different kind of encrypted storage product.

The cloud encryptor. The combined USB hub/encryptor. Some expensive SW thing. Who knows.

Re:How does this differ from Truecrypt? (1)

geekmux (1040042) | more than 4 years ago | (#30659630)

No, it's actually encrypted. The problem is that the command to unencrypt the data is always the same. In other words, a small little widget can sit between the password program and the encrypted disk, and just send the right command string, regardless of what password was entered. Instant decryption.

But still - why do something like try to reinvent crypto, when there's an open format? The license for Truecrypt even allows for commercial use.

If it's not yet that obvious, let me sum up the definition of "regardless of what password was entered" in two words: Big Brother.

Perhaps this is the fine print part of "FIPS" certification we never heard about...the master key.

Re:How does this differ from Truecrypt? (1)

PylonHead (61401) | more than 4 years ago | (#30658768)

The info isn't encrypted, it's just locked with a password.

Yeah, that's what the story seems to say. But that makes no sense... Why have an AES 256-bit hardware encryption system if you're going to store the data unencrypted? I mean.. it's all just bits as far as the memory chips are concerned.

Re:How does this differ from Truecrypt? (2, Interesting)

silent_artichoke (973182) | more than 4 years ago | (#30659008)

This makes it very easy for them to charge $large_chunk_of_money for "data recovery services" in the event you forget your password.

Re:How does this differ from Truecrypt? (1)

vlm (69642) | more than 4 years ago | (#30659348)

This makes it very easy for them to charge $large_chunk_of_money for "data recovery services" in the event you forget your password.

Far more likely: makes it very easy for them to charge $large_chunk_of_money for "data recovery services" in the event law enforcement/military/courts would like to see what's on your drive.

Re:How does this differ from Truecrypt? (0)

Anonymous Coward | more than 4 years ago | (#30659450)

In that event, you can still provision it relatively securely. Using the manufacturer's public key, encrypt the user's key and store that on the drive. Then the drive could be decrypted by the manufacturer, but no one who lacks the manufacturer's private key should have access other than the user.

It's a helluva back door, but it doesn't have to be a wide open hole that just anyone can waltz on through.

Re:How does this differ from Truecrypt? (1)

JaWiB (963739) | more than 4 years ago | (#30659298)

If they aren't encrypted, I assume that means that these devices don't actually meet the NIST standard. Couldn't there be a lawsuit for advertising the drives as such?

Re:How does this differ from Truecrypt? (0)

Anonymous Coward | more than 4 years ago | (#30658566)

young skywalker, you mustn't forget that people said the same of md5 when john the ripper came out!

Re:How does this differ from Truecrypt? (4, Informative)

bamf (212) | more than 4 years ago | (#30658742)

If you set up Truecrypt in portable-mode on a USB key so it acts like these off-the-shelf keys, then it needs administrator privileges to work. That's a big problem for a lot of people.

Re:How does this differ from Truecrypt? (3, Interesting)

gad_zuki! (70830) | more than 4 years ago | (#30659122)

Portable Truecrypt has problems. The user will import their private key or at least have it somewhere they can get to it or use conventional cryptography. So there's a lot of security vulnerabilities right there. Oh, forgot to delete your private key? Now I'm cracking the conventional encryption that protects it. TrueCrypt portable required admin privs:

Also note that, as regards personal privacy, in most cases, it is not safe to work with sensitive data under systems where you do not have administrator privileges, because the administrator can easily capture and copy the sensitive data, including the passwords and keys.

However, users without administrator privileges cannot encrypt/format partitions, cannot create NTFS volumes, cannot install/uninstall TrueCrypt, cannot change passwords/keyfiles for TrueCrypt partitions/devices, cannot backup/restore headers of TrueCrypt partitions/devices, and they cannot run TrueCrypt in portable mode.

The idea with these drives is that the app can be run from the drive itself, so no extra software or training is needed. No key management. So that really just leaves us conventional cryptography, not public/private key. The problem of having security on your USB drive that gets plugged into various computers that you might not have control over and may be running trojans is tough to solve. Application level encryption is probably the best way to go but it requires standard installs and trust of the host computer.

You're better off just carrying a netbook or other trusted security device with an encrypted drive and sharing the files via conventional methods with the host without giving the host all your data - email, ftp, web, plaintext transfers, etc.

Re:How does this differ from Truecrypt? (0)

Anonymous Coward | more than 4 years ago | (#30659126)

Can anyone explain to me why the disk manufacturers chose to reinvent the wheel,

Because then it will be their wheel, which they do not need to pay a hefty(?) licence-fee for every created stick.

Also, companies in general do not make their product for you (who mistakenly thinks he can expect a decent product, working as advertised), but just as the twentieth century equivalent of the old beads and mirrors. The cheaper they can produce their trinkets, the better.

It's your money they're after, and their product is just a means to the goal.

Hence laptops (even from well-known brands) with a failure-rate of over 40% in the first year. :(

Always sends the same character string (2, Funny)

Anonymous Coward | more than 4 years ago | (#30658466)

"12345"

Re:Always sends the same character string (3, Funny)

pushf popf (741049) | more than 4 years ago | (#30659062)

"12345"

That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

Re:Always sends the same character string (1, Redundant)

plover (150551) | more than 4 years ago | (#30659296)

"12345"

That reminds me that I have to change the combination on my luggage.

IronKey? (1)

bsDaemon (87307) | more than 4 years ago | (#30658504)

I got an IronKey from my parents for Christmas. I haven't used it on a Windows machine yet, just my MacBook Pro and Linux EeePC at home and my iMac at work. The article doesn't mention whether or not that platform is affected by a similar type of issue or not -- is anyone more familiar with this that can weigh in on that? I'd be kind of pissed if my brand new toy turns out to just be a toy after all, but IronKey is also FIPS 140-2 certified. Do the tree products noted just use the same original vendor for the encryption?

Re:IronKey? (1)

peragrin (659227) | more than 4 years ago | (#30658640)

While I have heard of lumber based hard hack decryption methods I haven't heard of anyone using a whole tree before.

Oh you meant three sorry. Just ignore the guy behind you with the 2x4.

Re:IronKey? (1)

Wingman 5 (551897) | more than 4 years ago | (#30658660)

No, IronKey uses a hardware crypto chip, these drives are all using software crypto. What this group did was bypass the software crypto.

Re:IronKey? (3, Insightful)

Andy Dodd (701) | more than 4 years ago | (#30658816)

Actually, the way I read it, these drives all do use hardware crypto... But they use the SAME DAMN KEY. Authentication is handled in software.

Key management FAIL.

Re:IronKey? (3, Interesting)

RemyBR (1158435) | more than 4 years ago | (#30658718)

The Ironkey should not be affected. It uses a different approach: first of all, the data on the drive is really encrypted, the drive is not only "locked" with a password. Secondly and most important, there's no validation of the password happening outside the drive (i.e. on a windows/linux/mac application). The application only lets you input your password, which is then validated by the drive itself via a ROM routine.

Re:IronKey? (1)

Andy Dodd (701) | more than 4 years ago | (#30658830)

I would expect that the same thing that makes it cross-platform (drive handles authentication and unlocking, not the software) would make this particular attack (some dumbass offloaded authentication to the software) irrelevant.

Article title misleading... (4, Insightful)

JazzyJ (1995) | more than 4 years ago | (#30658546)

The encryption hasn't been cracked, it's the program that unlocks it that's been compromised.

Re:Article title misleading... (1)

Anita Coney (648748) | more than 4 years ago | (#30658594)

I was going to say nearly the same thing. The encryption was not cracked, merely bypassed.

Re:Article title misleading... (1)

jandrese (485) | more than 4 years ago | (#30658812)

If it can be merely "bypassed" then it doesn't seem like it was encryption at all, just password protection. If this is the case, then they might be in trouble for misrepresenting their product in the advertising.

Re:Article title misleading... (1)

Anita Coney (648748) | more than 4 years ago | (#30658950)

As someone else pointed out, all of the USB drives use the same encryption key. SySS engineers discovered that through the Windows program. Now they can simply use that encryption key to bypass the encryption.

To me this would be like discovering that all Master Locks used the exact same key. So the validity of the lock would not have been compromised, but it would certainly be quite easy to bypass any protection it offers by using one of the widely availability other keys.

Re:Article title misleading... (0)

Anonymous Coward | more than 4 years ago | (#30658772)

If I RTFA correctly, the real problem is that all of these USB drives have the same encryption key. The Windows program that unlocks it is irrelevant. You could write your own program to send the fixed key directly to the USB drive, but apparently the researchers found it easier to ride on top of the existing program.

This reminds me of a web application that went through a sound password authentication system only to then "unlock" all the pages by appending "&AUTH=T" to all the query strings.

Not so much compromised as badly written. (1)

OmniGeek (72743) | more than 4 years ago | (#30659056)

If I understand the article correctly, the access application in effect ignores the entered password, and instead - probably as a result of miserable software design - uses a fixed-string password for the encryption/decryption. In that case, it's not so much a compromise as an own-goal by the fools who wrote and tested (?) the Windows access application. The encryption implementation itself is probably fine if it's given decent keys...

Re:Article title misleading... (1)

mick232 (1610795) | more than 4 years ago | (#30659142)

This "encryption" is just as effective as locking one's door with the most powerful locks available while leaving the window wide open... As someone else said: the unlock program is irrelevant. The security must be in the USB stick. But it obviously isn't, hence the device (if not the "encryption" per se) has been cracked.

I do that almost every day, actually (0)

Anonymous Coward | more than 4 years ago | (#30659448)

This "encryption" is just as effective as locking one's door with the most powerful locks available while leaving the window wide open

I actually have some of the best door-locks available (Abloy's higher-security residential locks), but habitually leave the bathroom window open, because we don't have a fan in there.

Fortunately, there are enough busy-body retirees in the neighborhood that I can count on one of them calling the police if they see anyone climbing into one of my house's windows. That's what I call "defense in depth".

Not completely hardware based encryption then? (2, Interesting)

tibman (623933) | more than 4 years ago | (#30658602)

Seems that they did in software what should have been done in the hardware. The USB hardware should consider itself safe and the host machine suspect.. at least in my mind. ATMEL has some good chips like: http://atmel.com/products/securerf/cryptocompanion.asp?family=646 [atmel.com]

Re:Not completely hardware based encryption then? (2, Informative)

John Hasler (414242) | more than 4 years ago | (#30658722)

> Seems that they did in software what should have been done in the hardware.

Thereby shaving $.93 off their manufacturing costs.

Re:Not completely hardware based encryption then? (1)

zippthorne (748122) | more than 4 years ago | (#30658804)

What difference does it make? As long as the data is really encrypted on the drive, either way the cpu is going to have access to the plain text, and in some ways it's better to do the encryption on the cpu: no plaintext over USB foils usb-attached listening devices. Depending on how it's implemented and what you need the data for, it's even possible to never have plaintext in RAM.

The article seems to imply that the data is not, in fact, stored on the drive using the claimed AES cipher, or if it is, the password that the user enters is not used to generate the key, but instead used to authorize use of a stored key, which may in fact be exactly the same for all affected devices.

Re:Not completely hardware based encryption then? (1)

tibman (623933) | more than 4 years ago | (#30659274)

Yeah, the article didn't really explain the technical details. From what I got the device needs the software to authenticate (hash matching?) then decrypts the drive's contents with a generic key. But they seem to still require the use of the authentication program? Which means they can't just decrypt the contents with a default key.

Doing decryption on the host is good for the reasons you listed but that would only be for symmetric keys. I would rather not transfer a private asymmetric key to the host for decryption. If the host is hostile you would not only lose control of your data but your key as well.

Re:Not completely hardware based encryption then? (1)

DavidTC (10147) | more than 4 years ago | (#30659618)

That's the thing that gets me about USB hardware encryption. I can't figure out the damn point.

The only possible advantage is that hardware encryption could maybe work without admin privs.

some data (4, Informative)

HBI (604924) | more than 4 years ago | (#30658626)

First, here's the NIST list of approved 140-1 and 140-2 modules [nist.gov].

Note that they approve the module and not the access software. The flaw is in the access software. Therefore, 140-2 compliance or approval isn't proof that your data is safe. It just means that some approved form of encryption is implemented by the crypto module. It appears that the modules in question were given some form of TEMPEST examination as well, but once again, that means nothing in terms of the access software.

Sigh, no (3, Informative)

Anonymous Coward | more than 4 years ago | (#30659124)

Correct stuff was already explained above by someone else:

http://it.slashdot.org/comments.pl?sid=1498504&cid=30658760 [slashdot.org]

The flaw is in the hardware, at least according to TFA. It works like this:

1) SW: OK, let's decrypt the drive, HW, you gives me dat0rz
2) HW: not so fast SW, you have to confirm if I should give the dat0rz
3) SW: Oh, right silly me, you give me challenge hash then
4) HW: Here u go
5) SW: kthx
6) SW: User, I need pass to verify challenge hash
7) US: here's pass, now give me dat0rz!
8) SW: Working ... OK pass hashes to correct value
9) SW: Hey, HW! Guess what? I got correct pass, so it's cool for you to give me dat0rz!
10) HW: cool, here u go!

What these guys did was just make some rogueware

1) RW: OK, let's decrypt the drive, HW, you gives me dat0rz
2) HW: not so fast SW, you have to confirm if I should give the dat0rz
3) RW: Hey, HW! Guess what? I got correct pass, so it's cool for you to give me dat0rz!
4) HW: cool, here u go!

So yes, the problem is that the hardware is not conducting the challenge itself, but depending on software to do it. Also mentioned above, some clueless people were saying that the data on the drive isn't hardware encrypted. No, I assure (again, according to TFA) you, the data is hardware encrypted. But if it's using this scheme, then it isn't encrypted with the hashed key of your password. Your password is only hashed and stored on the drive, but the data must use the same key(set) on all drives. Even without the crappy auth design, this would still be a problem because it dramatically reduces the keyspace if you have physical access. This is most definitely a hardware flaw.

Next class, we're going to go over substitution ciphers! Remember, you have a pop quiz tomorrow on SQL parameterization and validation!
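The two exchanges sketched in the comment above, modeled as an added example that is not part of the original thread and not any vendor's code. It puts the host-verified design beside one where the drive itself derives the key from the password; the class names, `UNLOCK_OK`, and the XOR key wrap (a stand-in for a real AES key wrap) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

UNLOCK_OK = b"UNLOCK-OK"  # constructed stand-in for the fixed string the host sends

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class HostVerifiedDrive:
    """Design described in the comment: the host checks the password."""
    def __init__(self, password: str, data: bytes):
        self._salt = os.urandom(16)
        self._pw_hash = kdf(password, self._salt)
        self._data = data          # protected by a key unrelated to the password
        self._unlocked = False
    def challenge(self):
        return self._salt, self._pw_hash
    def unlock(self, token: bytes) -> bool:
        # The drive only learns "the host says the password was fine".
        self._unlocked = hmac.compare_digest(token, UNLOCK_OK)
        return self._unlocked
    def read(self):
        return self._data if self._unlocked else None

class DeviceVerifiedDrive:
    """Hardened form: the data key is wrapped under a password-derived key."""
    def __init__(self, password: str, data: bytes):
        self._salt = os.urandom(16)
        dek = os.urandom(32)                       # per-device data key
        kek = kdf(password, self._salt)
        self._wrapped = bytes(a ^ b for a, b in zip(dek, kek))
        self._check = hmac.new(dek, b"check", "sha256").digest()
        self._data = data
        self._dek = None
    def unlock(self, password: str) -> bool:
        # Verification runs on the drive; a wrong password yields a wrong key.
        kek = kdf(password, self._salt)
        dek = bytes(a ^ b for a, b in zip(self._wrapped, kek))
        tag = hmac.new(dek, b"check", "sha256").digest()
        ok = hmac.compare_digest(tag, self._check)
        self._dek = dek if ok else None
        return ok
    def read(self):
        return self._data if self._dek else None

def official_host_unlock(drive: HostVerifiedDrive, password: str) -> bool:
    salt, pw_hash = drive.challenge()
    if hmac.compare_digest(kdf(password, salt), pw_hash):
        return drive.unlock(UNLOCK_OK)
    return False

def host_without_password(drive: HostVerifiedDrive) -> bool:
    # Any host program can send the fixed message; no password is involved.
    return drive.unlock(UNLOCK_OK)
```

In the first class the password never influences the key protecting the data, which is why the fixed message is sufficient; in the second there is no message a host can send that substitutes for the password.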

Re:some data (4, Insightful)

mick232 (1610795) | more than 4 years ago | (#30659258)

The flaw clearly is in the device! The access software is irrelevant because anyone can copy or modify such software. The device must protect the data regardless whether the access software has been compromised. If the FIPS approval does not consider this, then it's nothing more than a marketing gag.

Re:some data (1)

Lord Ender (156273) | more than 4 years ago | (#30659586)

> The flaw is in the access software.

No, it's not. If the hardware gives up the data without requiring the encryption key, the hardware is flawed.

Re:some data (0)

Anonymous Coward | more than 4 years ago | (#30659634)

Hi, I'm AC from above, sorry about the dickish post. I must have Greater Internet Fuckwad Syndrome today.

So instead of challenge response... (2, Interesting)

calmofthestorm (1344385) | more than 4 years ago | (#30658636)

It involves a predictable post with the same predictable replies all the time...sort of like Fox news, or slashdot;)

Alternatively, instead of challenge-response it's greeting-response.

Standards urgently required.... (1)

Manip (656104) | more than 4 years ago | (#30658674)

Does anyone else feel like standard ways of encrypting USB drives are urgently required so we no longer need to depend on third party vendor software to do the job [badly]?

Unfortunately only Microsoft or to a lesser degree Apple could roll out such a standard since nobody else has the leverage.

Re:Standards urgently required.... (1, Informative)

Anonymous Coward | more than 4 years ago | (#30659184)

There is a standard way under Linux, it's called LUKS + DM-Crypt

I use it everywhere I go, the kernel (Linux) and a ram disk allow me to boot my own OS on any computer as long as the computer is allowed to boot from a USB key. The OS's partitions are encrypted and so is everything else.

Shouldn't trust the host computer AT ALL (5, Insightful)

georgewilliamherbert (211790) | more than 4 years ago | (#30658744)

I don't believe why any portable secure drive needs to or should trust its host computer. This is a particularly stupid implementation, with an obvious and blatant exploit. But the host computer could by definition be compromised, and could intercept or store / cache or misbehave generically with the password you enter to get in.

Put a thumb-key sized numeric or hex keypad on the device, and make the owner punch in the code on insertion into a host device. One could still physically break into and tap the keys somehow, if the device is stolen and then returned without the owner knowing, but the user interface moves to right next to the data...

Re:Shouldn't trust the host computer AT ALL (1)

maxume (22995) | more than 4 years ago | (#30658912)

What exactly do you mean by trust? Should there be fuses in case the host machine attempts to fry it, or should it run on batteries, or what (the digression into power isn't the point, the fact that trust implies many meanings is the point)?

This implementation was completely borked, but I don't see what problem there is with something like a truecrypt volume on the drive, that the user decrypts using software running on the host computer. That doesn't protect the user from an untrusted machine, but nothing can.

Re:Shouldn't trust the host computer AT ALL (1)

iammani (1392285) | more than 4 years ago | (#30659016)

Nope, it should simply refuse to supply the host with unencrypted data, no matter what the host tries to do. It doesn't matter if it is fried or dies in a struggle with a malicious host, it needs to stay stupid and open if the key has been given, if not do nothing.

Re:Shouldn't trust the host computer AT ALL (1)

lhunath (1280798) | more than 4 years ago | (#30658918)

Exactly why they are putting fingerprint readers on these devices now (more usable way of entering a passphrase than a tiny PIN-pad on a tiny thumbdrive).

Also the reason why you should be getting a smartcard reader with a PIN-pad on it instead of a smartcard reader that relies on "drivers" asking you for a pin code on your computer.

Re:Shouldn't trust the host computer AT ALL (1)

theJML (911853) | more than 4 years ago | (#30659160)

And I'll never get one of those because I've found here at work, where we use a fairly high end system for scanning fingerprints, that my index fingers cannot be reliably read, and my thumb prints apparently have changed over time... enough that it's had to be re-entered 3 times now, each after failing to recognize me reliably on numerous occasions. I don't want to be locked out of my own data because of something I have no control over (biometrics are horrible for this).

Re:Shouldn't trust the host computer AT ALL (1)

zippthorne (748122) | more than 4 years ago | (#30659592)

Saw it on mythbusters a few years ago. Your solution is at hand:

Scan your fingerprint and print it out on label paper. Whenever you have to use the fingerprint reader, just slap the printout of your own fingerprint onto the appropriate finger and use that. Since it worked better than 90% of the time on the show, it'll improve your scan rate, while simultaneously demonstrating the worthlessness of the system to your higher ups.

Note: do not do so if any of your boss, boss's boss, or their boss lacks a sense of humor, or is otherwise slow to wise to things.

Note to the GP: FINGERPRINTS AREN'T PASSWORDS. They're username, at best.

Re:Shouldn't trust the host computer AT ALL (3, Informative)

tgd (2822) | more than 4 years ago | (#30658972)

If you don't trust the host computer, why would you unlock the device at all?

Once it's unlocked and mounted, anything on the computer can access it anyway.

Re:Shouldn't trust the host computer AT ALL (1)

iammani (1392285) | more than 4 years ago | (#30659356)

> If you don't trust the host computer, why would you unlock the device at all?

The GP talks about the device trusting the host. Not about the user trusting the device or the host. To clarify further, I always use my encrypted device on machines I trust, but it doesn't mean the device should assume any machine it is plugged into is my trusted machine and it can unlock right away.

Re:Shouldn't trust the host computer AT ALL (2, Insightful)

plover (150551) | more than 4 years ago | (#30659408)

While I agree that trust belongs on the device (via a device-based keyboard), you still have to trust the host computer to not abuse the trust by copying the now-unlocked data or otherwise tampering with it. You are still at risk if you unlock the device and plug it in to a coffee shop PC.

Who cares? (1)

static416 (1002522) | more than 4 years ago | (#30659068)

Every time anyone discovers some tiny vulnerability in any computer security system (WPA, TKIP, AES, etc) nerds everywhere leap into action, spreading FUD while shunning the now flawed protocol and anyone who still chooses to use it.

But the reality is that for almost everyone, the flawed protocol is still fine. Most people only need to protect their data from another average computer user, not a hacker, sophisticated encryption-cracking security firm or a government.

It's like locking your car or your house. It's really only designed to keep honest people honest.

So please don't go scaring the ignorant needlessly. I don't want to spend 30 minutes trying to explain to my mother how WEP is different than WPA and why she shouldn't be concerned. All I get out of that transaction is a confused and paranoid mother whose password is still her last name.

Re:Who cares? (1)

russotto (537200) | more than 4 years ago | (#30659182)

> Every time anyone discovers some tiny vulnerability in any computer security system (WPA, TKIP, AES, etc) nerds everywhere leap into action, spreading FUD while shunning the now flawed protocol and anyone who still chooses to use it.

There's a difference between a "tiny vulnerability" and a "hole a blind man could drive an 18-wheeler through". This one is in the latter category.

Re:Who cares? (1)

static416 (1002522) | more than 4 years ago | (#30659440)

> > Every time anyone discovers some tiny vulnerability in any computer security system (WPA, TKIP, AES, etc) nerds everywhere leap into action, spreading FUD while shunning the now flawed protocol and anyone who still chooses to use it.

> There's a difference between a "tiny vulnerability" and a "hole a blind man could drive an 18-wheeler through". This one is in the latter category.

Perhaps. But the chances of a truck-driving blind man, or even a relatively well-sighted one, finding my particular hole in the first place is virtually zero.

Practically every security system is vulnerable at some level. All that matters is it's good enough for your purposes.

Re:Who cares? (2, Interesting)

Improv (2467) | more than 4 years ago | (#30659186)

Some things really are like locking a house - Windows passwords, normal Unix passwords, etc. With those things, the user expects that someone has or can get access to things anyhow. However, there are many devices that are not so analogous - if there's sophisticated encryption in the hardware and they're selling it as a reasonably secure device, it's more like your neighbourhood bank, where you probably don't expect jane random to read a secret word on the internet to say to the guards that will have them open the vault.

Re:Who cares? (1)

bcmm (768152) | more than 4 years ago | (#30659360)

This isn't like "having a lock to keep honest people honest". It's like putting a lock on your bike which isn't actually attached to anything and hoping nobody looks too closely to keep honest people honest.

backdoor (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30659118)

so all their usb drives use a stored key to encrypt the data ( let me guess, it's the same for all the usb sticks ), but the user does use a password, therefore thinking that the key is unique. Alas, the password just authorizes access to the stored secret key. Sounds like a scam to me, or a backdoor on purpose ( .. cough N cough S cough A ).

Insider (3, Informative)

dbrez8 (999142) | more than 4 years ago | (#30659198)

As someone who works in the secure flash drive space, maybe I can shed a little light on some questions/comments I see above..

First and foremost the vulnerability described in this article is related to only the secure flash drives stated in TFA. There are several others available that do not have this vulnerability because instead of password matching in software, they match in Hardware or Firmware, run on the drive itself. Are there others within the industry that may be susceptible? Probably, but all secure flash drives certainly are not. Look to only use drives with password matching done on-chip (HW/FW).

How could a FIPS 140-2 certified flash drive have this vulnerability? Well FIPS is great to prove you use certified encryption algorithms, authentication methods, and so on, but FIPS does not certify the whole system. This is one of those very important security areas that fall outside of the FIPS umbrella. In the future look for additional certifications that will encompass the entire system rather than just the encryption like FIPS..

Why not just use TrueCrypt?? TrueCrypt is a great product, there is no doubt. But at its core, TrueCrypt is a software encryption container for your data. There are some inherent shortcomings with software encryption on USB flash drives.
1. Performance is sacrificed since your PC CPU needs to perform all security operations in software, rather than on the hardware of the flash drive.
2. Though it may work well for consumers that *want* to have their data secure, TrueCrypt would be a nightmare in an enterprise setting. Users could format the drive, or store files outside of the encrypted partition just to make things easier. This is not possible on secure flash drives with forced data encryption via hardware. With these drives an Admin knows that if he sees a drive by company X, that the data on it must be secure. Just to name a couple..

I hope this is helpful to some.

Re:Insider (1)

maxume (22995) | more than 4 years ago | (#30659370)

So if Joe Breacher walks out of the company with a hardware encrypted flash drive, the data is more secure than if he walks out of the company with an unencrypted drive?

I don't see it.

Re:Insider (1)

plover (150551) | more than 4 years ago | (#30659620)

You are looking at only a single risk factor. The most prevalent risk is actually that of accidental loss of the drive or laptop. If the lost data is securely encrypted, it might not be subject to data breach reporting laws.

I don't get it (0)

Anonymous Coward | more than 4 years ago | (#30659286)

Why are these self-encrypting thumbdrives so popular? I know I wouldn't trust any of them with my data because obviously they need Windows drivers to even access them reducing platform compatibility and, as has just been proven, reducing security. Why rely on some hardware vendor who might have cut corners?

Is it really so hard to run your data through an encryption application before dragging it around?

Even better. Why are people even allowed/able to access data in this manner? If people are working on some government database and need to take the data somewhere, why not encrypt the data before it leaves the system? This way people will not be able to access it in any way until it reaches the trusted destination where it can be decrypted. People could lose it in the commute or even share all their documents with p2p and it wouldn't matter, provided the encryption scheme and keys are strong enough.

-c0m (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30659374)

get tough. I hope Problems with