×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

RSA: Self-Encrypting USB Hard Drives for all Operating Systems (Video)

Roblimo posted about a year ago | from the the-mysteries-of-the-crypt-on-a-portable-hard-drive dept.

Security 154

Tim Lord met Jay Kim at the RSA Conference in an Francisco. Kim's background is in manufacturing, but he's got an interest in security that has manifested itself in hardware with an emphasis on ease of use. His company, DataLocker, has come up with a fully cross-platform, driver independent portable system that mates a touch-pad input device with an AES-encrypted drive. It doesn't look much different from typical external USB drives, except for being a little beefier and bulkier than the current average, to account for both a touchpad and the additional electronics for performing encryption and decryption in hardware. Because authentication is done on the face of the drive itself, it can be used with any USB-equipped computer available to the user, and works fine as a bootable device, so you can -- for instance -- run a complete Linux system from it. (For that, though, you might want one of the smaller-capacity, solid-state versions of this drive, for speed.) Kim talked about the drive, and painted a rosy picture of what it's like to be a high-tech entrepreneur in Kansas.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

154 comments

NEAT (5, Funny)

masternerdguy (2468142) | about a year ago | (#43027435)

Shut up and take my money!

Not new? (3, Interesting)

Kenja (541830) | about a year ago | (#43027447)

How is this different then all the simular systems on the market right now? I use Apricorn drives myself, but there are others using keypads, fingerprint scanners, RFID tokens, etc.

Requires no drivers (4, Informative)

tepples (727027) | about a year ago | (#43027467)

I didn't watch the video, but I did read the transcript. It's a USB hard drive enclosure that handles all the password entry and encryption in the enclosure. It requires no specialized drivers at all, other than the ubiquitous class drivers for USB hard drives and USB CD drives.

Re:Requires no drivers (2)

Kenja (541830) | about a year ago | (#43027491)

Yes, just like all the other products on the market including the ones I mentioned. No drivers needed. So what does this do that the others do not? I'm truly interested as I use these products and am always open to alternatives or better options.

Re:Requires no drivers (5, Informative)

tlhIngan (30335) | about a year ago | (#43027881)

Yes, just like all the other products on the market including the ones I mentioned. No drivers needed. So what does this do that the others do not? I'm truly interested as I use these products and am always open to alternatives or better options.

No, most of the other drives do not do that. Most are simply an HID device coupled with a hard drive. On some, you enter the code and the USB port gets activated (rip out the drive to bypass). Actually, an alarming number of these are this kind.

On others, the drive is encrypted, and the keypad or fingerprint reader is used in conjunction with software running on the host PC to decrypt it.

This one looks to do all the encryption and decryption on the device - enter the code to unlock, and it decrypts the drive. Rip the drive out and you can't bypass it as it's still encrypted. OS agnostic and everything.

Re:Requires no drivers (2)

Kenja (541830) | about a year ago | (#43027927)

This one looks to do all the encryption and decryption on the device - enter the code to unlock, and it decrypts the drive. Rip the drive out and you can't bypass it as it's still encrypted. OS agnostic and everything.

Again, others, including the ones I listed, do the same thing. Go look at the Apricorn products (not an endorsement, just what I currently use).

Re:Requires no drivers (1)

the_B0fh (208483) | about a year ago | (#43027987)

Most people can't read. Sounds like he just slapped a keypad on an OPAL drive.

Re:Requires no drivers (3, Interesting)

AliasMarlowe (1042386) | about a year ago | (#43028177)

Yep. I'll also give a nod to the Apricorn devices [apricorn.com], which we use quite a bit. They are OS-independent (we're Linux-only at home) and require no drivers beyond basic USB, with all of the AES encryption and authorization being internal to the device[*]. They have SSD and spinning disk and USB stick devices, with fingerprint or passcode authorization.

[*] Unlike the crappy Buffalo "encrypted" drives which need OSX or Windows drivers to decrypt. Hence they might be vulnerable to simpler attacks than the Apricorn devices (e.g. getting passwords via IEEE1394). And their encryption won't work on Linux or BSD.

Re:Requires no drivers (0)

Anonymous Coward | about a year ago | (#43028203)

It's hardware encryption, can work as bootable drive even with iso image

Re:Requires no drivers (5, Interesting)

mlts (1038732) | about a year ago | (#43028051)

I have an Apricorn drive that handles the USB password entry with a keypad, and uses the PIN to unlock a 128 bit AES key that is randomly generated.

Should I want to erase all contents, I plug the device in with the "cancel" button in, watch for the flashing lights, then hold down "cancel" + "2" + "unlock" for ten seconds... and it will generate a new key, render all data inaccessible on it, and use the password 123456 until that gets changed.

Zero software needed in Windows whatsoever to unlock it.

Just like the parent, I like the idea of a drive performing its own authentication separate from the computer, but this isn't new territory.

Re:Requires no drivers (1)

LordLimecat (1103839) | about a year ago | (#43028313)

Just an fyi, a system using biometrics, RFID, or tokens is going to be insecure: unless they are using the fingerprint itself as the encryption key (highly inadvisable as you would have to get the same image every time), they are storing the key in the USB device itself, which will be terribly convenient for any attacker.

The only proper way is to have the key derived from the "unlock code", so that the USB device has no knowledge of what the key actually is; "access" is granted merely by providing a decryption key that actually returns data.

Re:Requires no drivers (1)

godel_56 (1287256) | about a year ago | (#43028781)

Just an fyi, a system using biometrics, RFID, or tokens is going to be insecure: unless they are using the fingerprint itself as the encryption key (highly inadvisable as you would have to get the same image every time), they are storing the key in the USB device itself, which will be terribly convenient for any attacker.

The only proper way is to have the key derived from the "unlock code", so that the USB device has no knowledge of what the key actually is; "access" is granted merely by providing a decryption key that actually returns data.

It also adds "meat cleaver decryption" as an alternative to "rubber hose decryption".

Re:Not new? (0)

Anonymous Coward | about a year ago | (#43027685)

How is this different...

It's on Slashdot, that's how! Duh!

Re:Not new? (1)

elucido (870205) | about a year ago | (#43027865)

How is this different then all the simular systems on the market right now? I use Apricorn drives myself, but there are others using keypads, fingerprint scanners, RFID tokens, etc.

Let me guess, you have the padlock pro? The cool feature of the Padlock pro is it self destructs if the bad guys get access to it and give 30 wrong password attempts.

Re:Not new? (0)

Anonymous Coward | about a year ago | (#43028067)

The cool feature of the Padlock pro is it self destructs if the bad guys get access to it and give 30 wrong password attempts.

LOL. I thought you were making that up so I found a product review. And it's true! Another bonus feature is that it supports multiple PINs, strongly implying that the AES encryption key isn't itself encrypted, thus making the encryption pointless. A drive that just needed a PIN to power up would be equally secure. And for all we know, that's exactly what it is!

Re:Not new? (0)

Anonymous Coward | about a year ago | (#43028761)

I'd suggest it makes it like the Apple filevault FDE whereby the AES key is encrypted for each passcode in turn such that each passcode can then unlock the drive. Encryption then being only as strong as the weakest passcode.

Re:Not new? (1)

MichaelBall (41354) | about a year ago | (#43028073)

I've also used the Apricorn Aegis Padlock for quite some time now to securely transfer media between my Windows 7, Ubuntu, and OSX machines... No drivers required... Just a nice little keypad...

No. (5, Interesting)

bill_mcgonigle (4333) | about a year ago | (#43027479)

Encryption software needs to be inspectable and verifiable in order to be trusted with anything worth protecting. Closed-source software burned into the firmware of a USB drive does not meet that requirement.

That said, somebody make a programmable USB drive with open source encryption that can be flashed to it (probably with a fused write protect) and *that* would be a compelling product.

Re:No. (2, Interesting)

Anonymous Coward | about a year ago | (#43027533)

Encryption software needs to be inspectable and verifiable in order to be trusted with anything worth protecting. Closed-source software burned into the firmware of a USB drive does not meet that requirement.

That said, somebody make a programmable USB drive with open source encryption that can be flashed to it (probably with a fused write protect) and *that* would be a compelling product.

Use TrueCrypt [truecrypt.org] to create an encrypted volume within the USB drive.
Best Case Scenario: USB drive provides an additional layer of cryptographic protection.
Worst Case Scenario: Attackers find out easy-to-break USB drive was only the start of their headaches.

Seems like a win-win to me.

Re:No. (1)

Anonymous Coward | about a year ago | (#43027839)

Use TrueCrypt [truecrypt.org] to create an encrypted volume within the USB drive.

The advantage to a system like the parent mentions is that you don't have to install TrueCrypt on the machine you're plugging the USB drive into.

Re:No. (1)

Githaron (2462596) | about a year ago | (#43028021)

Now if we only had a open filesystem specification that is implemented by all operating systems natively ...

UDF (3, Interesting)

DrYak (748999) | about a year ago | (#43028299)

UDF - Universal Disk Format [wikipedia.org]

Is widely supported, but unlike FAT, it was not designed half a century ago.
So it supports long file name (including UTF8) without the need of extensions.
It supports files with size which don't fit in 32-bits integers.
It supports all POSIX attribs.
Isn't organised around a brain-fucking stupid file allocation table.
etc.

It's the same format as DVDs and Bluerays, so virtually any device able to read them can at least read (or is only a firmware update away from being able to read) USB devices using UDF.

It's of course supported on Linux, on Mac OS-X (sarting from 10.4) and Windows (though on XP it requires 3rd party software for writing, only Windows Vista and up support read/write out of the box).

But of course, because UDF is a strong concurrent to all the proprietary and/or heavily patented alternative that current OS maker push forward (Apple's HFS+ or the worst contender Microsoft's exFAT), everybody is silent about this.
So strangely, you won't see it frequently in the wild *EVEN IF* nothing prevents it now already.

Re:UDF (0)

Anonymous Coward | about a year ago | (#43029063)

But of course, because UDF is a strong concurrent to all the proprietary and/or heavily patented alternative that current OS maker push forward (Apple's HFS+ or the worst contender Microsoft's exFAT), everybody is silent about this.

UDF was designed by an optical media industry consortium for use on optical disks, and was carefully tailored for their unique characteristics (e.g. it can provide the illusion of overwriting files even on optical media types which can only be written to by appending, never by overwriting). Had you never considered the possibility that UDF might not be the best possible choice for other media types? On technical grounds? Because it wasn't designed for them?

That might be a thing you want to think about (HINT HINT HINT).

Also... Apple makes it pretty easy to implement HFS+ if you want to. They've published both specifications and Darwin kernel source code for over a decade now, and as far as I know they hold no patents or other IP which get in the way of others implementing HFS+. Furthermore, they support FAT and ExFAT (for which they pay licensing fees to Microsoft).

In other words, judging by observable actions, they're primarily interested in letting their users read and write the de facto standard interchange FS formats (FAT/ExFAT) without pushing their own FS as an interchange format (yet still being very open to others implementing it).

Re:No. (1)

mlts (1038732) | about a year ago | (#43028391)

Not just an open filesystem, but a LVM layer that has encryption built in. Of course, the ideal would be everyone moving to ZFS, but it would be nice to at least have a common filesystem and disk level encryption standard across platforms... preferably a FS that was made this century.

Hell no (1)

elucido (870205) | about a year ago | (#43027989)

Truecrypt is a software encryption implementation. Hardware encryption is superior to software encryption because at least with hardware encryption there is less room for error. Software usually has bugs, one bug in any implementation and its broken. Side channels also can defeat software trivially. Software also isn't usually good at generating entropy so you wont have a good source of that either. Unless you compiled it yourself you can't trust the person who compiled it or the compiler itself not to have a bug or backdoor.

Re:Hell no (1)

ultrasawblade (2105922) | about a year ago | (#43028107)

Your statement "with hardware encryption there is less room for error" doesn't jive. Hardware can have bugs too. I would say the hardware errors are worse as they require device replacement. Hardware implementations cannot be trivially inspected.

If your data is extremely (i.e. NSA level) important, never trust device-side encryption unless indeed you did compile and upload the firmware yourself. I'm not sure about how modern SSDs allow custom firmwares to be uploaded but it'd be really cool if they did. Could roll your own if you are super paranoid - I can't remember who makes but I did see one time an "SSD development kit" - it was a larger-than-a-2.5-SSD board that had a SATA port on one side and a serial port on the other - this is where you would upload firmware. You also had to purchase and install your own NAND modules which resembled DIMMs from what I could tell. It was really cool.

For 95% for use cases it's likely better than nothing.

Software is not good at generating entropy but there is no reason why software should do that. There's many physical sources of good entropy, your soundcard for one.

Truecrypt at least I can look at and compile myself if I so wanted. That says a lot to me.

Re:Hell no (1)

hawguy (1600213) | about a year ago | (#43028123)

Truecrypt is a software encryption implementation. Hardware encryption is superior to software encryption because at least with hardware encryption there is less room for error. Software usually has bugs, one bug in any implementation and its broken. Side channels also can defeat software trivially. Software also isn't usually good at generating entropy so you wont have a good source of that either. Unless you compiled it yourself you can't trust the person who compiled it or the compiler itself not to have a bug or backdoor.

Just because it looks like "hardware" doesn't mean that it's not software - I'm certain that this device isn't running on a hardwired FPGA, so it's running software. Why don't you trust software compiled by someone else, but you trust software hidden away in a hardware device that's been compiled by someone else?

The difference between hardware and software is that when the software embedded hardware is broken, it's not always possible to fix it - not all devices allow firmware updates.

You keep mentioning entropy as a big weakness of software, but there's no evidence that this device has a hardware random number generator (and why would it for an event that takes place maybe once in its lifetime), so it gets entropy the same way your computer does. By combining data from a number of "random" sources (hardware clock, timing hardware interrupts, etc).

Re:Hell no (3, Insightful)

n7ytd (230708) | about a year ago | (#43028213)

Hardware encryption is superior to software encryption because at least with hardware encryption there is less room for error. Software usually has bugs, one bug in any implementation and its broken.

I'm not sure what you're saying here... hardware encryption has less room for error because you can implicitly trust the company baking the algorithm into the hardware? Hardware can have all of the implementation errors that a software approach might have.

Unless you compiled it yourself you can't trust the person who compiled it or the compiler itself not to have a bug or backdoor.

But at least someone versed in the art can inspect the software to look for these bugs. With hardware, it's just a black box that you have to trust or reverse engineer at a much higher cost.

Re:Hell no (1)

LordLimecat (1103839) | about a year ago | (#43028389)

Side-channels have historically hit hardware encryption harder than software, as it is easy to do something dumb like storing the encryption key in a rom chip or something. Hey look, we have hardware AES, and you dont even have to provide the password!

The distinction between "software" and "hardware" implementations of an algorithm are irrelevant when looking at the quality of the implementation; all it really indicates is that the hardware one will not use any host resources, and will be easier to port across systems. It doesnt tell you whether its faster (will usually be SLOWER), or more secure, or anything else.

Re:No. (1)

LordLimecat (1103839) | about a year ago | (#43028357)

Truecrypt is closed-source, which seems to defeat GP's (incorrect) point.

Why not simply have someone analyze whether the USB drive is, in fact, using AES, and that the key is not stored in a decrypted state anywhere? That can all be done without the manufacturer's help.

Re:No. (0)

elucido (870205) | about a year ago | (#43027879)

Encryption software needs to be inspectable and verifiable in order to be trusted with anything worth protecting. Closed-source software burned into the firmware of a USB drive does not meet that requirement.

That said, somebody make a programmable USB drive with open source encryption that can be flashed to it (probably with a fused write protect) and *that* would be a compelling product.

Hardware encryption offers superior security to software encryption. That said it's not easy to generate entropy so if you do use software encryption you better have a source of entropy.

Re:No. (2)

hawguy (1600213) | about a year ago | (#43027975)

Encryption software needs to be inspectable and verifiable in order to be trusted with anything worth protecting. Closed-source software burned into the firmware of a USB drive does not meet that requirement.

That said, somebody make a programmable USB drive with open source encryption that can be flashed to it (probably with a fused write protect) and *that* would be a compelling product.

Hardware encryption offers superior security to software encryption. That said it's not easy to generate entropy so if you do use software encryption you better have a source of entropy.

Hardware encryption is only superior if you (or someone you trust) can inspect the software.

For all you know, they use your passphrase to decrypt an hardcoded decryption key that's the same on all drives, so if you put your hard drive into someone else's enclosure, their passphrase will decrypt your data.

While I don't think they are doing anything so blatantly stupid, unless you can see the software, you don't know. A number of big-name "secure" USB drives had a big security flaw that was almost exactly [theprivacyblog.com] like that.

Re:No. (0)

elucido (870205) | about a year ago | (#43028031)

Encryption software needs to be inspectable and verifiable in order to be trusted with anything worth protecting. Closed-source software burned into the firmware of a USB drive does not meet that requirement.

That said, somebody make a programmable USB drive with open source encryption that can be flashed to it (probably with a fused write protect) and *that* would be a compelling product.

Hardware encryption offers superior security to software encryption. That said it's not easy to generate entropy so if you do use software encryption you better have a source of entropy.

Hardware encryption is only superior if you (or someone you trust) can inspect the software.

For all you know, they use your passphrase to decrypt an hardcoded decryption key that's the same on all drives, so if you put your hard drive into someone else's enclosure, their passphrase will decrypt your data.

While I don't think they are doing anything so blatantly stupid, unless you can see the software, you don't know. A number of big-name "secure" USB drives had a big security flaw that was almost exactly [theprivacyblog.com] like that.

Anologue is better than digital. Hardware is better than software. Also you have to read about and study the hardware fairly well before choosing the product. Those products you list all suck. The Aegis Padlock Pro does not have those problems by design.

Re:No. (2)

hawguy (1600213) | about a year ago | (#43028215)

Hardware encryption offers superior security to software encryption. That said it's not easy to generate entropy so if you do use software encryption you better have a source of entropy.

Hardware encryption is only superior if you (or someone you trust) can inspect the software.

For all you know, they use your passphrase to decrypt an hardcoded decryption key that's the same on all drives, so if you put your hard drive into someone else's enclosure, their passphrase will decrypt your data.

While I don't think they are doing anything so blatantly stupid, unless you can see the software, you don't know. A number of big-name "secure" USB drives had a big security flaw that was almost exactly [theprivacyblog.com] like that.

Anologue is better than digital. Hardware is better than software. Also you have to read about and study the hardware fairly well before choosing the product. Those products you list all suck. The Aegis Padlock Pro does not have those problems by design.

But how do you know that? Were you sitting in on the design meetings?

For all you know, Aegis gave a list of back-door decryption keys to the Department of Homeland Security, just in case they need to access a terrorists drive. Maybe next year you'll be saying "Aegis products suck, their drives were full of back doors". Maybe Aegis is just a shell company run by the NSA to make people think that they are buying "secure" drives, but in actuality they are easily read by the government.

I have more faith in open source software because even though I'm not a security expert and can't validate the software myself, I trust that there's no global coalition of open source security software experts that are are all conspiring to steal my data - if there's a vulnerability in the code, it will be found and can't be kept secret.

Re:No. (2)

LordLimecat (1103839) | about a year ago | (#43028399)

Anologue is better than digital. Hardware is better than software.

Most recent hardware is digital. The reason software tends to be digital is because the underlying hardware is digital.

Re:No. (1)

fa2k (881632) | about a year ago | (#43028847)

Hardware encryption offers superior security to software encryption.

What, so AES magically becomes more secure if it's implemented on an embedded processor instead of an x86 processor? Where do I sign up?

Re:No. (1)

LordLimecat (1103839) | about a year ago | (#43028343)

Encryption software needs to be inspectable and verifiable in order to be trusted with anything worth protecting.

Truecrypt is close-sourced. Its also one of the most popular and trusted encryption solutions.

Your statement is simply not correct, as regardless you can verify the software's output in many cases. Provide test input, provide test key, verify that you can decrypt the output on your own.

All that matters is that the encryption algorithm is open, vetted, and trusted; and that you can confirm that the software is, in fact, using that encryption algorithm.

Re: No. (2)

Urza9814 (883915) | about a year ago | (#43028631)

Where the hell are you getting this information about truecrypt being closed-source? Go look at their website; the code is there.

"TrueCrypt is open-source and free software. The complete source code of TrueCrypt (written in C, C++, and assembly) is freely available for peer review..."

www.truecrypt.org/docs/?s=source-code

Re:No. (0)

Anonymous Coward | about a year ago | (#43028835)

it is FIPS 140-2 [wikipedia.org] validated. What more do you want.

High-tech entrepreneur in Kansas (-1, Offtopic)

h4rr4r (612664) | about a year ago | (#43027507)

I wonder what sort of advantages there are to being a high-tech anything in Kansas.

First of his neighbors to get Electricity?

Every invention is prototyped in corn first?

Re:High-tech entrepreneur in Kansas (0)

Anonymous Coward | about a year ago | (#43027625)

I wonder what sort of advantages there are to being a high-tech anything in Kansas.

First of his neighbors to get Electricity?

Every invention is prototyped in corn first?

You sir, are a clueless moron.

Re:High-tech entrepreneur in Kansas (-1)

Anonymous Coward | about a year ago | (#43027637)

I honestly didn't even know that Kansas had internet access yet.

Re:High-tech entrepreneur in Kansas (0)

h4rr4r (612664) | about a year ago | (#43027673)

Wow, I guess Kansas residents got lots of mod points today.

Way not to be able to take a joke. I guess I must have struck too close to home.
 

Re:High-tech entrepreneur in Kansas (1)

Darkness404 (1287218) | about a year ago | (#43027993)

Eastern KS/Western MO are actually pretty good places for high-tech companies. You've got pretty good infrastructure (Google Fiber anyone?) , a good base of educated workers and a much, much friendlier business environment when compared to silicon valley.

does it have a FBI unlock code? (5, Interesting)

Joe_Dragon (2206452) | about a year ago | (#43027531)

does it have a FBI unlock code?

Re:does it have a FBI unlock code? (1)

Kenja (541830) | about a year ago | (#43027583)

They dont need an unlock code, they have prisons, guns and court orders to turn over the key code.

Re:does it have a FBI unlock code? (1)

glittermage (650813) | about a year ago | (#43027767)

Court orders won't work in the USA as you can always plead the fifth in the United States. [cybercrimereview.com]

Re:does it have a FBI unlock code? (2)

Midnight_Falcon (2432802) | about a year ago | (#43027829)

This is not true -- in many circumstances, a judge can hold you in contempt of court for not revealing an encryption key, and you can sit in jail indefinitely until you cooperate. This is especially true if the encrypted information you have the password to gives evidence against someone else, not yourself, which the 5th amendment does not protect against.

Re:does it have a FBI unlock code? (1)

elucido (870205) | about a year ago | (#43027935)

This is not true -- in many circumstances, a judge can hold you in contempt of court for not revealing an encryption key, and you can sit in jail indefinitely until you cooperate. This is especially true if the encrypted information you have the password to gives evidence against someone else, not yourself, which the 5th amendment does not protect against.

That is exactly right. But if you don't give up the key they can call you a terrorist and not have to deal with that.

Re:does it have a FBI unlock code? (1)

Golddess (1361003) | about a year ago | (#43028543)

This is not true -- in many circumstances, a judge can hold you in contempt of court for not revealing an encryption key, and you can sit in jail indefinitely until you cooperate.

Which is a most unfortunate situation. If I had a physical, paper notebook with a bunch of 1's and 0's written on it, it is perfectly fine for me to shut the hell up regarding saying anything about it. So why should that change just because the 1's and 0's are stored on an HDD?

This is especially true if the encrypted information you have the password to gives evidence against someone else, not yourself, which the 5th amendment does not protect against.

That is an interesting scenario.. but as far as I am aware, it is not illegal for me to refuse to testify against someone.

Re:does it have a FBI unlock code? (0)

Anonymous Coward | about a year ago | (#43029107)

It's not illegal to forget your passphrase, or to not know it in the first place. If someone called upon me to supply the password to my online banking I truthfully couldn't comply without access to my keepass safe. If that's on a seized machine, I can't comply.

Re:does it have a FBI unlock code? (1)

CSMoran (1577071) | about a year ago | (#43027793)

But that's not equivalent to having a backdoor to the device. If I catch a courier, who never knew the key code, no prison, gun or court order will do me any good. With a backdoor, however...

Re:does it have a FBI unlock code? (1)

elucido (870205) | about a year ago | (#43027945)

But that's not equivalent to having a backdoor to the device. If I catch a courier, who never knew the key code, no prison, gun or court order will do me any good. With a backdoor, however...

What about fake back doors? How do you determine which back door is the real door?

Re:does it have a FBI unlock code? (1)

Antipater (2053064) | about a year ago | (#43028255)

But that's not equivalent to having a backdoor to the device. If I catch a courier, who never knew the key code, no prison, gun or court order will do me any good. With a backdoor, however...

What about fake back doors? How do you determine which back door is the real door?

The unsafe ones often have tramp stamps above them.

Re:does it have a FBI unlock code? (1)

CSMoran (1577071) | about a year ago | (#43029047)

What about fake back doors? How do you determine which back door is the real door?

By looking at the entropy of the result.

Re:does it have a FBI unlock code? (0)

Anonymous Coward | about a year ago | (#43028149)

Not even. It's set up as a PIN system. How many people will use a 4-digit pin?

Even if they use a 10-digit pin, there's still only 10 billion combinations.

Even with an expensive KDF (assuming they can build one properly), it's likely still very crackable.

Re:does it have a FBI unlock code? (1)

godel_56 (1287256) | about a year ago | (#43028931)

Not even. It's set up as a PIN system. How many people will use a 4-digit pin?

Even if they use a 10-digit pin, there's still only 10 billion combinations.

The answer would be to form a hash from your input key, then feed that back through itself for several million rounds. Only the final result would be used as the decryption key. This is the same sort of setup used by KeePass and other password managers. A device specific salt would also be a help.

Re:does it have a FBI unlock code? (1)

Sloppy (14984) | about a year ago | (#43028225)

The nice thing about prisons, guns and court orders, is that those things never secretly happen to you without your knowledge. Go ahead, try to sneak-and-peek interrogate someone.

Re:does it have a FBI unlock code? (1)

Jeremi (14640) | about a year ago | (#43028365)

Go ahead, try to sneak-and-peek interrogate someone.

Hmm. Might be possible using rohypnol?

Re:does it have a FBI unlock code? (0)

Anonymous Coward | about a year ago | (#43027611)

Of course it does. And the combo is probably 1-2-3-4-5. You won't know this until it's too late since it is closed source.

Re:does it have a FBI unlock code? (0)

Anonymous Coward | about a year ago | (#43027635)

That's amazing! I've got the same combination on my luggage!

Universal FBI unlock code = LIFE IN PRISON (1)

elucido (870205) | about a year ago | (#43027907)

does it have a FBI unlock code?

When offered the chance to unlock your shit or be charged with something producing a life sentence which would you choose?

Re:does it have a FBI unlock code? (0)

Anonymous Coward | about a year ago | (#43028195)

We need a device with two passwords, one that reveals and one that destroys!

Somebody build it, please!

Oops, I guess I gave you the wrong one.

Re:does it have a FBI unlock code? (1)

CSMoran (1577071) | about a year ago | (#43029075)

The system for destroying anything cannot be provably secure. Nevermind cloning the device and working on a copy.

Flash drive with finger print reader? (1)

Dwedit (232252) | about a year ago | (#43027551)

How about just a flash drive with a capacitive finger print reader, so it needs to be unlocked before it functions as a flash drive?

Re:Flash drive with finger print reader? (1)

archshade (1276436) | about a year ago | (#43027765)

I'm not sure what your suggesting here. Are you suggesting having an encrption system in the flash drive using you finger scan as the key or do you mean a flash drive that will not access the memory chip without first having you scan (i.e. the storage is in the clear but you need to swipe to connect the storage chip to the USB bus).

The first is sensible if the scanner can accuratley remake the key from the thumb print. Which may be possible but would require some tricks to get over the fact that thumb prints can change over a matter of hours. - I don't want to give myself a paper cut and find that I cant access my data until it's fully healed (if it fully heals and I get an identicle finger print).

The second just smacks of being a bad idea it seems to suggest that there is no possible way to access infomation on the flash chip than to use the pre-packaged connector. - This is just plain false if the NAND flash chip is seperate (as most are) then it is a reletivley simple matter for some one skilled in the art of soldering to remove it and put it on a new carrier board, possible the same model as it came from. There are things you can do (wipe on case open, SiP, SoC) but these can usually be circumvented with a little thought. OK this solution will stop your wife/girlfriend mother finding thos file you don't want them to see but not any determind attacker. Which makes it little more than a toy solution.

I have not watched the video but judging by other comments this product seems sensible in that it encrypts the data passed on a keyed entry key. I'm sure I have seen this tech before though just not sure where, maybe I dreemed it, it seems obviouse now someone says it.

Re:Flash drive with finger print reader? (2)

ArhcAngel (247594) | about a year ago | (#43027885)

you mean like this [imation.com] or this? [amazon.com]

Re:Flash drive with finger print reader? (0)

Anonymous Coward | about a year ago | (#43028143)

It's bad practice to put just the text "this" into hyperlinks. Now each of us have to hover over them or visit the websites to know what you mean.

Re:Flash drive with finger print reader? (0)

Anonymous Coward | about a year ago | (#43029119)

Now each of us have to hover over them or visit the websites to know what you mean.

Each of those who give a shit, you mean.

Let's hope the product is more reliable than MySQL (0)

drinkypoo (153816) | about a year ago | (#43027623)

Or I should say, Let's hope the product is more reliable than their MySQL server, which has given up and gone home.

How secure is it? (0)

Anonymous Coward | about a year ago | (#43027689)

Is the passphrase hashing into a decryption key to decrypt the data from the drive, or does the controller hold a randomly generated encryption key and when decrypted by the users's passphrase, that is the key used to decypt the data? The latter would be much more secure, especially given that passwords are limited to 31 characaters and apparently alpha + numeric only, no special characters, limiting the key space.

Depending on how computationally expensive the algorithm is, a 31 number-only passphrase could be cracked in a few hours by a GPU accelerated hacking cluster.

Even a 16 character alpha-numeric passphrase could be cracked in a few hours.

half a factor auth (no username, just password)? (0)

Anonymous Coward | about a year ago | (#43027799)

"if the touchscreen is broken, you can take out the drive, put it into a new enclosure and access data using the same password"

1. not salted with any hardware IDs, I take it?
2. sounds like bruteforce can be done on the removed disk, bypassing the whole "wipe after 10 failed attempts" measure in place.

Slashdot is offering covert ads now? (1)

elucido (870205) | about a year ago | (#43027855)

The Aegis Padlock Pro works just fine, it supports over 1TB and it has a SSD version. http://www.newegg.com/Product/Product.aspx?Item=N82E16822161085 [newegg.com]

Re:Slashdot is offering covert ads now? (0)

Anonymous Coward | about a year ago | (#43028027)

Datalocker also offers SSD models... How about you do some research....

Not revolutionary (2)

carvell (764574) | about a year ago | (#43028125)

I've been using one of these [lok-it.co.uk] at work for a while, which looks to be pretty much the same thing as the article, except the storage is smaller. The article reads like the new drive is revolutionary!

Fail: crackable in just two days w desktop PC (0)

Anonymous Coward | about a year ago | (#43028147)

These devices have a numeric keypad and a limit to the number of digits which means a 15 digit password can be cracked by anybody with a typical desktop computer in about two days.

Re:Fail: crackable in just two days w desktop PC (1)

carvell (764574) | about a year ago | (#43028173)

Not really...

I have something similar and as you would expect, the encryption key is wiped after 10 PIN attempts, rendering the data useless.

Re:Fail: crackable in just two days w desktop PC (1)

dgatwood (11270) | about a year ago | (#43028767)

Only if the attacker is clueless enough to actually use the hardware to do the decryption without adding a SATA write blocker inline between the device and the drive.

Re:Fail: crackable in just two days w desktop PC (1)

carvell (764574) | about a year ago | (#43028851)

I think you may have misinterpreted how the device works.

Certainly with the FIPS device I use, there are 6 factory programmed 256 bit encryption keys stored in the device. All the pin code does is unlock the factory code that is currently in use in the encryption hardware. The encryption keys are not derived in any way from the pin code.

If you get the pin wrong 10 times then one of the encryption keys is erased and you move onto the next one. Once 6 have been erased, the device is permanently useless. This all happens well before any attempt to access the data via sata or any other means.

SSD for speed, with USB? (1)

cpghost (719344) | about a year ago | (#43028557)

Pardon my ignorance, but does it really matter if it is SSD or HDD, when used via USB (3.0)? Isn't the USB bus itself the bottleneck in this case?

Re: SSD for speed, with USB? (1)

Urza9814 (883915) | about a year ago | (#43028735)

Primary advantage of SSDs is latency...and that's going to improve no matter how fast the connection is. But USB 3.0 is pretty Damn fast, with a theoretical max around 5 Gbps. SATA couldn't hit that until fairly recently. Of course, neither could USB...but they're nearly on par now.

Re:SSD for speed, with USB? (1)

ckthorp (1255134) | about a year ago | (#43028741)

With a spinning disk, the non-sequential access pattern will make the moving heads (and rotation rate) the limiting factor in throughput.

Re:SSD for speed, with USB? (1)

fa2k (881632) | about a year ago | (#43028887)

A 7200 RPM drive can only do about 100 read or write operations per second at random locations. In the worst case, where you need to read 100 different files of size 4K scattered across the drive, you only get 400kB/s, which would fit over an USB1.0 connection. For reading long files (sequential reads), HDDs do less than 200 MB/s, but that's not as important for loading the OS and applications. SSDs are much better at random access (IOPS).

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...