  Encrypted storage  
From: Invisible
Date: 17 Aug 2011 11:57:31
Message: <4e4be4eb@news.povray.org>
I ordered some office supplies, and as usual they arrived with a flyer 
telling me about all the fabulous stuff I could be buying. (E.g., 

is impressive...)

One thing that caught my eye was a USB flash drive with "AES 256-bit 
hardware encryption" and "high strength password enforcement".

Obviously, my first assumption was that this is snake oil. For example, 
I read a while back about a HD with "hardware AES-256 encryption", where 
all it actually did was XOR all the data with a fixed 32-bit mask, and 
then AES-encrypt that mask. So the /mask/ is encrypted with powerful 
encryption, but the actual /data/ is trivially XOR-encrypted.

The little "FIPS 140-2" tag is a nice touch. Presumably that's just the 
code number of the document that formally specifies the AES algorithm or 
something.

Obviously the supplier's website contains no technical data at all. Like 
most products, it's quite clearly been copied and pasted from somewhere 
else (complete with mis-encoded special symbols). Eventually I tracked 
down the product on the manufacturer's website. Apparently it /really 
has/ been sent to an independent lab for conformance testing, and 
there's actually a FIPS certificate number. I was eventually able to dig 
this up on the FIPS website.

It's unclear to me what was actually tested. (E.g., I'm almost certain 
they /didn't/ get professional cryptographers to try to crack the 
encryption and retrieve data out of it.) Probably they just tested that 
it implements AES correctly or something by comparing it against some 
known test vectors.

From what technical details I can find, it appears that it stores the 
SHA-1 hash of a user-supplied password, and uses that for 
authentication. The AES encryption keys are apparently stored 
unencrypted inside the unit. Actual data is encrypted with these keys, 
running the cipher in CBC mode. (Not the strongest, but not the weakest 
either.) It uses a hardware RNG together with the ANSI X9.31 PRNG 
algorithm. And it sounds like physically it's fairly hard to get into 
the device.

The documents confirm that the device is certified to FIPS 140-2 level 2 
compliance. (The highest level is level 4, and it looks like it wouldn't 
be applicable to portable devices, only to complete systems.) It's using 
a sensible-looking set of algorithms, and it's been through some kind of 
verification process. So I'm reasonably confident that this device isn't 
/trivially/ hackable.

(I was, however, amused by the manufacturer's product advert. "This 
product is routinely used by the hospitals, banks, the police and the 
armed forces." Well, yes, technically that's probably true. And 
unencrypted floppy disks are also almost certainly used by the same 
people. Does that make unencrypted floppy disks count as "secure"? For 
that appears to be what they're trying to imply...)



My next step was to go to my supplier of choice and see what kinds of 
encrypted USB devices they could sell me, at what prices.



password protection for added security". No word on how it's 
implemented. I imagine it isn't especially secure, it just stops curious 
individuals nosing through your files.

All of the cheapest "secure" drives mention the keyword "software". In 
other words, it's a normal USB drive, with some [probably Windows-only] 
software on it which asks you for a password, and won't let you access 
any files unless you type in the correct password. I severely doubt that 
any data is actually encrypted; instead, the supplied software merely 
refuses to let you look without the password. It's probably trivially 
easy to defeat such software. (Perhaps it's as simple as installing 
Linux...)


(which is by no means "expensive" compared to the other products in the 
list). The fact that the system requirements claim that "2 unused drive 
letters" are required suggests that once again, this is a software 
solution. In other words, when you insert the thing, it runs some 
[Windows] software that transparently encrypts and decrypts data as it 
is transferred. Still, that's a small step up in security. Even if the 
software doesn't function, you can't get at the data. (Assuming it does 
something sensible with the encryption keys.)

Going up the price list, all the "secured" devices still talk about 
hardware (although they gradually shout louder and louder about AES). 
The cheapest product I could find which is definitely using /hardware/ 

other big-brand devices.) "Includes XYZ software to access the encrypted 
data." So you still need Windows to access it.


on the casing that allows you to enter a PIN (from 4 to 10 digits). 
Apparently the LEDs change colour after you've unlocked it. When you 
unplug it from the PC, it locks again. It definitely uses AES-256, and 
it's probably implemented in hardware. 5^10 is roughly 10 million, and 
hence the PIN must be entered by hand, you aren't going to crack this 
too easily. (No word on whether the device disables itself given a 
number of access attempts.)

The cheapest device I could find that is actually FIPS 140-2 certified 


cheapest 4GB drive. On the other hand, it's not drastically more than 

lot more expensive. But it's not /drastically/ expensive, really. I 

encryption.

It's not so much that the encrypted drives are "expensive", more that 
the unencrypted ones are jaw-droppingly cheap. If you actually /needed/ 



encrypt all your files before putting them onto an external storage 
device. Then you know /exactly/ which way it's been encrypted, and 
furthermore you can arrange it so that (for example) it's protected by 
a certificate rather than a password...
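
An added example, not part of the original post and not code from any product it mentions: a Python model of the fixed 32-bit XOR mask scheme described above, with a check that flags media written that way. The mask value, the sample volume and the SHA-256 counter stream standing in for well-encrypted media are all constructed for illustration.

```python
import hashlib
from collections import Counter

MASK = bytes.fromhex("a5c3960f")  # constructed 32-bit mask, not from any real product

def xor_mask(data: bytes, mask: bytes) -> bytes:
    """Weak scheme from the post: XOR every byte with a repeating 4-byte mask."""
    return bytes(b ^ mask[i % 4] for i, b in enumerate(data))

def dominant_word(image: bytes) -> tuple[bytes, float]:
    """Most common aligned 32-bit word in the image and the share of words equal to it."""
    words = [image[i:i + 4] for i in range(0, len(image) - len(image) % 4, 4)]
    word, count = Counter(words).most_common(1)[0]
    return word, count / len(words)

def looks_like_fixed_xor(image: bytes, threshold: float = 0.05) -> bool:
    """Flag media where one 32-bit word dominates.

    Zero-filled plaintext XORed with a fixed mask is the mask itself, so a
    mostly empty volume stores the mask over and over. Output of a sound
    cipher mode has no aligned word that repeats this often.
    """
    return dominant_word(image)[1] >= threshold

def sample_volume() -> bytes:
    """Constructed plaintext: a short file followed by unused, zero-filled space."""
    document = b"Patient record 0001: constructed sample text.\n" * 20
    return document + bytes(64 * 1024 - len(document))

def strong_reference(length: int) -> bytes:
    """Stand-in for well-encrypted media: SHA-256 in counter mode (assumption)."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def audit() -> dict:
    """Run the check on both images and report what the raw media gives away."""
    plain = sample_volume()
    weak = xor_mask(plain, MASK)
    strong = strong_reference(len(plain))
    word, share = dominant_word(weak)
    return {
        "weak_flagged": looks_like_fixed_xor(weak),
        "strong_flagged": looks_like_fixed_xor(strong),
        "dominant_word_is_mask": word == MASK,
        "plaintext_recovered": xor_mask(weak, word) == plain,
        "dominant_share": share,
    }

if __name__ == "__main__":
    print(audit())
```

The same check works as an acceptance test on a real drive: write a large zero-filled file through the vendor's interface, read the raw media back, and see whether one word dominates.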

