The Always-Encrypted Firewire Hard Drive

ducman points to the announcement of an encrypted hard drive running on the MacNN website. The drive features a DES 64-bit/ 40bit key strength and "is intended for use by banks, insurance providers, government agencies, and those individuals with sensitive digital intellectual property. It supports the IEEE 1394a connectivity standard, in addition to USB 1.1 and 2.0. It offers data transfer rates over FireWire 400 of 100, 200, or 400 Mbps. The SuperGuard is expected to be available February 7." Sounds great -- but the USB key stuck in the back looks like a likely point of failure.

worthless

the key length is too short.

Re:worthless

the key length is too short?

is that a masculinity problem?

Re:worthless

exactly what I was going to say

concept is nice, but short keylengths render the security virtually useless -- thank the U.S. government for that

Re:worthless

don't really care, but how is this redundant when it's the first post saying this?

Re:worthless

[Haroldo]

This can be useful for hard disk disposal. A previous slashdot story informed about old disks being bought on ebay to be scanned for deleted data. With this encription approach, at least data will be disposed deleted and encripted. For sure, making the work much more difficult.

Re:worthless

Well, it is enough to keep your porno protected from a spouse - but not your kids.

Re:worthless

[Alsee]

the key length is too short.

40 bits too short? Bah!

My external harddrive has a 1 bit key. It's a rocker switch on the back with a 0 and a 1. If you don't enter the right key the entire drive shuts down.

-

Re:worthless

[CapnFreedom]

So what if the key can be cracked by groups of people with clusters of machines, lots of memory, and no day job, within a few months (or less)?
What matters, is that someone who steals the hard drive cannot read it, and will most likely not have the CPU cycles to crack it. Meaning, the thief that steals your bag can't go browsing through your credit card numbers, or your wife can't see that you plan on filing for divorce.
Of course, if you're want to transport extremely sensitive information (i.e., information that these people with the means to crack the key might want) you shouldn't depend on this hard drive, but that's obvious.

Re:worthless

[some+guy+I+know]

the key length is too short.

64 bits should be enough for anybody.

Re:worthless

[h4x0r-3l337]

Do you even know the difference between symmetric and asymmetric encryption, or are you just trolling?

Re:worthless

[DaveHowe]

Single DES can be cracked by a specialised machine in under a day.
DES is computationally expensive - you could, for little extra design effort, use a *decent* encryption algo (CAST, or the new AES) that at todays level of technology could not be broken in the expected lifetime of the earth. DES was designed weak enough for TLAs to crack...

first post!

40-bit is worse than a joke. This product is worthless.

Re:first post!

"40-bit is worse than a joke. This product is worthless."

Uh, that was 40-bit symmetric encryption.

Re:first post!

[Nogami_Saeko]

I agree.

It costs next to nothing to implement GOOD encryption these days, and it would've been extremely simple to implement something extremely fast and secure like blowfish with a 256/448 bit password.

Implementing DES (slow in software, probably slow in their hardware) with a 40 bit password (VASTLY INSECURE) is basically saying upfront that they're more interested in preserving an easy attack on the system than ensuring that users' data is secure.

As other posters have mentioned, products like DriveCrypt (for the PC), can encrypt your partitions (or removable drives) with encryption that is for all intents and purposes absolutely unbreakable with a good passkey. Move up to something like DriveCrypt Pluspack and it will even encrypt the boot partition so the drive doesn't even get to the OS until a proper password has been entered (no software keyloggers possible).

There's simply no excuse for the kind of sloppy security that this company is trying to sell. Either they are trying to preserve access to their product for law enforcement purposes (hunt down them terrorists!), or trying to preserve access incase dumb users lock themselves out so their tech support can save the day.

Regardless, it's a waste of money.

Re:first post!

[aoteoroa]

40-bit is worse than a joke. This product is worthless.

So what if the security system on this harddrive is crackable? It doesn't mean this product is worthless.

I am sure that there are some situations where a product like this could be usefull.

In small towns smash and grab attacks happen all the time. Some petty thief steals a truck, drives it through a small business' store front, grabs the first 5 computers he can find, then drives away before the police arrive. A friend of mine who has an accounting practice was the victom of such a theft. He was a little upset that his last backup was 7 days ago but was more concerned about his clients data.

A smash-and-grabber might attempt to profit from information on a stolen harddrive if it is easily accessible but more likely than not he just wants to resell the merchandise and get rid of it.

While a 40bit encryption system is childsplay for some crackers it is most likely well beyond the ability of the local thieves in my neighborhood, and therefore is enough security to protect against some circumstances. If my friend had used a hard-drive like this he would probably have felt more secure about his lost hardware and data.

This sounds useful

I recently switched from Mac OS 8 to OS X. The one thing I miss is PGPdisk (the most recent freely available version doesn't run on OS X). I've been using Disk Copy encrypted images which use AES 128-bit encryption but I don't know quite how that compares to PGPdisk. So all in all I could definitely use a better encrypted drive solution.

One of these puppies would be a neat alternative. Probably a bit costly though.

Re:This sounds useful

I bought PGP8 the other day to run under OS X and it works beautifully. The integration with Mail is fantastic.

Re:This sounds useful

[afidel]

Actually this is downright cheap, the site lists the enclosure at $139 US which is almost exactly what all the other 1394/USB2 enclsures cost. From my perspective you get the encryption for at most a couple of dollars, pretty cheap investment to me =) As to the security, it's not terribly large, and it's single pass which pretty much no one does for DES anymore but it's better than nothing. It also does it at line speed with no CPU overhead which is cool. Now if they could offer a model that would do 128bit AES at line speed I would definitly purchase one (I may anyways as I find myself in need of a firewire enclosure)

Re:This sounds useful

PGPdisk exists for Mac OS X. I use it myself. Go to PGP.com and download PGP for the Mac OsX, pay and register your software and you'll be back in business.

Re:This sounds useful

[Cainam]

You say that single-pass DES is better than nothing. I disagree. This product could very well provide some suit somewhere with a false sense of security that might cost him dearly.

Re:This sounds useful

[afidel]

And I say bulpuppies, if you look at all the HDD's with no encryption out there holding sensitive data this is obviously leaps and bounds above that so it DOES have some value. I would imagine that it would be orders of magnitude harder to recover data from this drive after it is wiped then the millions of drives that are thrown out every year.

3rd post!

Encrypted loopback devices on linux and bsd (and MacOS) are easier and cheaper.

And more secure IMHO.

Re:3rd post!

[Skapare]

Loopback devices are a silly hack. It was nice to add a quick feature. But what is really needed is a smooth, seamless, truly integrated solution which works at the virtual device layer, above individual device drivers, but below filesystems and direct device opening. The reasons for this include the fact that you can't partition loopback devices (that's another issue) and the number of loopback devices being limited. This needs to be made totally transparent except for the fact of enabling it and setting the key (probably an integrated ioctl() and/or /proc operation). Every device (and partitions count) need to be able to have their own separate key and encryption state.

with sensitive digital intellectual property...

[simeonbeta2]

Does my mp3 collection count?

Re:with sensitive digital intellectual property...

[SoSueMe]

Sure it does. Anything you want "secured" is a good candidate.
I enclosed secured in quotation marks because nothing is truely secure.

On a more "On Topic' note, I bet the Co-operators insurance company wishes they were using a similasr technology last week as this article
exemplifies.

Guelph-based Co-operators Life has warned more than 180,000 customers about possible identity theft after the disappearance of a computer hard drive containing sensitive personal information....

"Vital information such as name, date of birth, social insurance number and mother's maiden name" can be used to access financial accounts, transfer bank balances and apply for loans and credit cards, Co-operators CEO Kathy Bardswick said in the letter this week.

Re:with sensitive digital intellectual property...

[simeonbeta2]

Well I was trying to be funny... But I am sorta serious.

I don't know about anybody else, but I keep my "work" mp3 collection on a ide hd that belongs to me and isn't actually screwed to the frame... My case is kept unscrewed and I figure if my boss ever gets audited by the IRS or BSA, my mp3 hd would come free and get tucked in my jacket in approx. 15 seconds. Course, if it was all encrypted on the drive (and something better than 64 bit DES) I might not have to bother...

Wow super secure

And it only took 6.4 seconds to crack into once the harddrive was hooked up to a standard PC.

Anyone in here actually read Applied Cryptography? This was 1995 when it was published, and especially for bank use, you'd NEVER use anything less than a 128 bit key.

Also, did they say DES or 3DES? Hasn't DES been cracked?

Re:Wow super secure

[Bishop]

DES has not been cracked. It has been bruted forced in a short ammount of time. There is a difference.

That said DES and possibly even 3DES should no longer be used.

Re:Wow super secure

[necromaedian]

better then nothing

Re:Wow super secure

[tweakt]

Hasn't DES been cracked?

DES hasn't been cracked per-se but the 40bit keyspace can be scanned very efficiently now with distributed computing and specialized hardware.

• Distributed.net (40 days)
• Deep Crack(56 hrs)
• EFF(22 hrs)

Re:Wow super secure

The question is: Have *you* read Applied Cryptography? (Really? Did you
catch the mistakes?).

You seem to be missing symmetric
and assymetric keys.

In fact, AES allows you to use a
variable key size, less than 128 bit.

In point of fact, 56 bit DES keys (they are
actually 64 bits, but every 8th bit is so-called
'parity', as requested by the NSA) can be broken
in under 22 hours, using technology from 1999.

There are near-real-time cracks available
if you have the money for the hardware.

If the device did use 3DES, it would have two
keys (not three, like most people assume with
3DES).

This is an extremely weak device, using very
old, easily broken technology. But it does
stop the average thief.

Re:Wow super secure

[Jeff+DeMaagd]

Still, a fact of the matter is that this company is touting "military grade" security, but in some ways the milititary _is_ as insecure as DES. :)

At least there is a review on that firewire product that correctly points out that the encryption needs work.

Re:Wow super secure

[Halo1]

Actually, the Deep Crack effort was in combination with Distributed.net. Deep Crack was just a "super client" of dnet in that contest (and the machine that did find the key).

Re:Wow super secure

[Nogami_Saeko]

The "military grade" security phrase is always one of those "key points" which always seems to mean that the product being advertised is smoke and mirrors...

Re:Wow super secure

define 'smoke and mirrors' in your statement?

perhaps at the manufacturing location, which is most likely offshore, it is.

Unfortunately the US places so many restrictions on security standards it is difficult to meet those requirements or stay under the umbrella placed on companies dealing with security related stuff. Also, as an initial release of a product the specs seem fairly good and definately usable, and as with any product, the first release leads to a second release which leads to a third release, etc.....

Re:Wow super secure

[j3ss]

It would be stupid for a bank, law office, etc. to use this. But I think that this does have sort of a novelty value. I could keep all my importent pr0n.. er.. documents on one of these and not have to worry about my non-techie sister/mother/roommate/whoever getting into it and snooping.
I would kind of equate these drives to the diarys that little girls use. Those diaries have locks on them to keep prying eyes out. Those locks are flimsy and could be busted with your bare hands but they might keep a younger brother out. These hard drives are the same, just a novelty for geeks and wanna be double nought spys.

Re:Wow super secure

I had some communications with FireWire Depot and they told me that they will also be offering the following software to bundle with the drive for those who want to add a deeper level of security: the software allows you to take files/folders and convert them to an encrypted secure archives that can be stored on your computer or sent to a friend without worrying about prying eyes. personal data gets translated into a secure format using either the well-known BlowFish algorithm or the proprietary encryption engine. a shredder allows you to securely erase files from your computer. dragging your files into the trash-can and emptying will not remove your files completely. The files can still be recovered with software or hardware. Much like the common office shredder this will take any document you throw awayand turn it into pulp. When it goes to work, it overwrites the entire contents of the files with an industry recognized secure pattern, thereby reducing the chance of recovering the deleted files to zero. Built to Support Bullet proof 128-bit and rolling derivative keys encryption. Industy acclaimed BlowFish Encryption algorithm. "Drag and Drop" encryption and shredding. Supports both file/Folder encryption Multi-pass overwrite file/folder shredding

Re:Wow super secure

[Twylite]

Why is everyone concentrating on the key length? The method in which they are using DES here is far more relevant.

If you take an entire hard drive and encrypt it sector by sector under a DES key, you've got a problem. There's plenty of plaintext and matching ciphertext available by virtue of known disk structures, and the possibility of constructing a birthday attack is high. Worse, there are parallel attack mechanisms that allow you to break such a scheme in 2^40 tries instead of 2^56. That's under a day for someone with serious money.

But most HDD encryption schemes don't work like that. At work you use a key variant for every sector -- xor the sector number onto the key, so that you effectively have a different key per sector. This helps to reduce the effectiveness of some attacks (e.g. the parallal attack), but suffers a critical problem: break the key for one sector, and you've got the drive.

A far more secure scheme involves key derivatives: encrypt the sector number with the key to find a derived key, then encrypt the sector with that key. Breaking a single sector still doesn't break the master key. This mostly limits you to a known plaintext attach, and raises the complexity to 2^57 (you have to break two keys, the second being the one you want).

Other schemes include the use of multiple keys over a disk, so that breaking a single key only compromises and area (say 1/4) of the disk.

As for the security of DES; it hasn't been cracked. There are some ways to reduce its strength in particular circumstances (see above), but not generally.

Like it or not the banking world still uses DES (yes, 56 bit keys) and will continue to do so for some time to come. Check out the ANSI financial services standards (which govern interbank electronic standards, like ATM networks). Is this a problem? Not really. Intelligent use of protocols ensures that cracking the key is a waste of time because at best you can recover a single PIN ... which is more easily brute forced at 10^5 than a DES key at 2^56.

Re:Wow super secure

[Dave2+Wickham]

You need to specifically hide your pr0n from your "non-techie sister/mother/roommate/whoever"? I just keep mine in ~/pr0n/ (or ~/.pr0n/) and C:\Downloads\Videos depending on OS ;).

Use encrypted loopback

OS/X can be made to support it ... AFAIK Darwin does.

- Make a big file image, format it, mount it via loopback, encrypt everything that goes on it.

DES?!!?

[patrik]

DES has been replaced by Rijndael (AES)in the govt. Or at least that's what's supposed to happen, DeS is no longer secure enough. I would bet that with the huge ammounts of data stored on a disk differential techniques would make it a snap to get the key. What's worse is an easy to crack crypto system that you believe in is worse than no crypto system at all since you're likely to store data on it that you might not store otherwise.

Patrik

Re:DES?!!?

[God!+Awful+2]

AES really hasn't been deployed that much in practice, however 3DES has been standard for quite some time. Cracking DES by differential techniques is non-trivial. The biggest problem is that it can be cracked by dedicated hardware costing only a few million dollars, or by a group of computers in a distributed system. And if you're using 40 bit DES then that's just completely worthless.

-a

Re:DES?!!?

Differential cryptanalysis? Don't think so. It's usually a chosen plaintext attack. I don't think anyone did any analysis of differential cryptanalysis of DES under a known plaintext of ciphertext only attack model.

With a 56-bit key (or even worse, 40) you don't need any tricks. Trying all keys can be done really fast as a lot of other posters have pointed out.

Re:DES?!!?

[patrik]

I didn't make any reference to the size of the key just at the joke that DES is, just the joke that DES has become. Independent of the size (except for small values), differential analysis should allow you to reach a key faster than trying all of the possibilites. There's plenty of known plaintext if you know the FS being used which makes things that much easier.

Patrik

Re:DES?!!?

So, I post this again and hope someone mod it up for the world (and Patrik) to see.

Do you have any idea of the best known attacks on DES? Read Biham & Shamirs papers on differential cryptanalysis - it's a _chosen_ plaintext attack.

Read Matsuis papers on linear cryptanalysis. That is a known plaintext attack requiring 2^43 (IIRC) blocks of known plaintext. 2^43 blocks is 2^46 bytes which is 64 Terabytes.

Re:DES?!!?

[patrik]

I might be wrong but the way I understand it is you can narrow down the keyspace with less blocks then it takes to solve? I admit I haven't read the papers only short bits from a textbook by Trappe & Washington (it tends to focus more on the number theoretical systems). I know airsnort takes a huge ammount information but 64 terrabytes is a bit much.

(by your calculations it should take around 56 Tb, since the plaintext is not 8 bytes but 7 (1 byte of parity bits), though that's just me being picky

Please feel free to drop me a line and let me know the errors of my ways or send me links to these papers since I could only find references to Matsuis's paper

Patrik

Re:DES?!!?

http://citeseer.nj.nec.com/35491.html is the paper by Biham & Shamir on the differential attack on full DES.

I don't think you could narrow the keyspace in this way - you really need a right pair and then you find the key.

The plaintext is actually 8 bytes - it's the key that is 64 bits with 8 parity bits giving 56 bits effective.

Re:DES?!!?

[patrik]

Yup you're right, looked over my notes again and it's 8 byte plaintext (it's only been 6 months :( I think I am getting forgetful in my old age ). Can you find a link to Matsui's paper?

Patrik

Re:DES?!!?

I don't think Matsuis paper is available for free online. If you have access to a good (university) library you can find "Linear cryptanalysis method for DES cipher" by Matsui in Advances in Cryptology, Eurocrypt '93. The results were improved in "The first experimental cryptanalysis of the Data Encryption Standard", published in Crypto '94 by Springer Verlag in the "Lecture Notes in Computer Science" series.

Biham wrote "On Matsuis linear cryptanalysis", available at http://citeseer.nj.nec.com/biham94matsuis.html which contains a nice overview.

Terry Ritter has a literature survey at http://www.ciphersbyritter.com/RES/LINANA.HTM

He does this already

[Millennium]

Make a big file image, format it, mount it via loopback, encrypt everything that goes on it.

That's what encrypted DiskCopy images essentially are, just wrapped in a nice interface. It's actually a pretty neat system.

Somebody mod up the ACs...

[aardvarkjoe]

The ACs in this thread are correct. 40 bit encryption isn't going to keep anyone but a casual snooper out of your data.

Re:Somebody mod up the ACs...

It's worse than bad, since it'll give people a false sense of security. The Dep't of Homeland Security'll be able to crack it faster than you can say "Get the fuck off my civil liberties, you Fascists!"

Not that I have an axe to grind or anything :--)

Re:Uh.. who cares? Columbia is gone.

[Sgs-Cruz]

Come on man, you could do better than that (from September 15th 2001). At least put some creativity into pretending that people aren't allowed to talk about anything else just because a tragedy happened.

Re:Uh.. who cares? Columbia is gone.

Yeah, but the space shuttle costs a lot more to replace than a car.

Re:Uh.. who cares? Columbia is gone.

Hell 4 soldiers died when a Blackhawk went down just the other day. The loss of the shuttle is tragic from a human perspective, but really the greater loss is the space progress (i.e. the space station will likely be mothballed for a while), not mention the billions that this accident will cost (to those who pooh-pooh about considering money when lives were lost: It is ALWAYS a balance between lives/money--The NASA budget could save tens or hundreds of thousands of low income people yearly through nutritional supplements and health card...).

People die all the time. Get used to it.

What's their definition of OS independent

[BrianUofR]

From the article:

*Device driver free, operating system independent

*Microsoft Windows98 SE, Windows ME, Windows 2000, Windows XP and Mac OS compatible

First off, how can it be OS independent and have a list of compatible OS's? If it's a hardware-based solution, then how can some OS's not work with it?

Re:What's their definition of OS independent

[nomadic]

First off, how can it be OS independent and have a list of compatible OS's? If it's a hardware-based solution, then how can some OS's not work with it?

Maybe because those OSes don't support USB.

Re:What's their definition of OS independent

[BrianUofR]

Good point, but then why isn't linux or solaris on the list? I've used USB with both.

Re:What's their definition of OS independent

[spazoid12]

First off, how can it be OS independent and have a list of compatible OS's?

It's just a marketing phrase. It doesn't necessarily mean anything. It's like Sally Struthers saying "earn your degree in almost anything" and then she lists stuff like "dog grooming". The list serves as a set of ideas for people unwilling to believe the word "anything" and who only click when they hear the one word important to them.

That's not a contradiction, it's just annoying ad copy. Keep in mind the kind of people writing ads. Watch TV for a few minutes and see that while broadcasters are upset over ad-skipping Tivos we might have a strong case to sue them for cruel and unusual punishment.

More annoying ad copy is the advertising which says "up to 10, or more!". How can it be more?? They just said it's up to 10!

Truly annoying (and common) are the ads that say "Sugar...because cookies would be bland without it.", or "Diamonds...because we've got everyone duped." Well, actually, I never asked why!

Re:What's their definition of OS independent

[damiam]

Because they don't want to have to support them.

Re:What's their definition of OS independent

[blibbleblobble]

"Because they don't want to have to support them [linux and BSD]"

Well, if they don't support *nix, they're going to have a damned hard time selling to banks and insurance companies.

Seriously, if someone cared enough about security to want a hardware encryption device, why would they still be using Windows??

Re:What's their definition of OS independent

[damiam]

banks and insurance companies.

How many use unix as a major desktop OS? Servers don't count - they generally don't use FireWire or need 40-bit encryption.

Re:What's their definition of OS independent

NOBODY needs 40 bit encryption. I wouldn't use it to encrypt a pizza order.

Re:What's their definition of OS independent

great - than dont order pizza asshole

Encrypted?

[SirCrashALot]

# Real-time 64-bit/ 40-bit DES (Data Encryption Standard)

I hope this is a joke.... DES is no longer secure, hence the creation of AES. Why build a device that uses DES when there are machines that can crack it in a few days that cost only $25,000. The more money you have to spend, the faster you can crack it. DES Cracking machine
An encrypted drive is a cool idea, but i would much rather use CFS (crypted file system) on a regular drive than this. DES offers no security to the people who want your data.

Re:Encrypted?

[cheezedawg]

Who cares? This is a great proof-of-concept. Once it has been implemented using DES, it is pretty trivial to switch to another block cipher like AES.

I have a cheaper solution

[t0rnt0pieces]

If you want to prevent someone from getting your data, just buy a Western Digital drive. No one will be able to recover it!

Re:I have a cheaper solution

you mispelled western digital

let me help

I - B - M

no biggie

Re:I have a cheaper solution

If you want to prevent someone from getting your data, just buy a Western Digital drive. No one will be able to recover it!

Since when does Western Digital make encrypting hard drives? Even if the physical mechanism broke you could still recover data off the platters if you want it bad enough. I don't understand your question. You weren't just trolling for were you, because that would be pretty pathetic.

Re:I have a cheaper solution

No, it's called being funny...Some people like to laugh every so often :)

Re:I have a cheaper solution

Wow ... You must not have any friends.

Try this ... put your two pointer-fingers on either side of your mouth, and push up. That's called smiling. It usually accompanies actions or statements of humor. For humor, I suggest you take a look at a picture of yourself.

Re:I have a cheaper solution

stupid ass moderators it's a joke who modded this as a troll!!!!!!!!!

Re:I have a cheaper solution

That was hilarious - perhaps even funnier is the next dumbass' reply!

Re:I have a cheaper solution

[_xeno_]

Try M-A-X-T-O-R.

Or at least that's been my experience - I've had no problems with my Western Digitals or my (one) IBM drive.

Bruce, put this one in your doghouse listing

[Kiwi]

Why do I get the feeling this product will end up in the doghouse section of Bruce's next Crypto Gram newslatter?

The people who designed this hard disk are confused about how DES works. First of all, DES has a 56-bit, not a 64-bit key. Second of all, the days of being forced to use 40-bit encryption are, thankfully, over.

If one is going to all of the effort to encrypt a hard disk, why will they encrypt it using only Single DES? It is possible to build a single-DES cracker for under $10,000 US; the 56-bit key which single DES has to offer is just not long enough.

They would have been much better off encrypting this unit with AES, which uses Rijndael to encrypt files. Rijndael has a key size between 128 and 256 bits long, which can not be brute forced with current technology. Rijndael is also more efficient than DES when implemented in software.

Also, security is only as strong as its weakest link. If the hard disk is always readable when the key card is attached, then great care must be taken to detatch and hide the key card. Far better security can be obtained by a system which asks for a passphrase. Ideally, have a system which needs both the key card and the passphrase.

While I think this is a good idea, I think one is better off with the kernel patches which allow one to encrypt filesystems in Linux.

(For windows and Mac users, sorry, I use neither so can not help you)

- Sam

Re:Bruce, put this one in your doghouse listing

[Monkelectric]

In that vein, does anyone know of a product like this that *is* secure (or atleast has the hope of being secure?)? The only thing I've seen are extremely crappy software modules that end up dumping your data right quick :)

Re:Bruce, put this one in your doghouse listing

[silverhalide]

Win2000 and XP have filesytem encryption support on a per-folder or entire disk basis (I believe). Anyone familiar with the strength of the encryption and speed?

Re:Bruce, put this one in your doghouse listing

[FireBook]

have you looked into bestcrypt? www.bestcrypt.com

Re:Bruce, put this one in your doghouse listing

From what I understand the speed hit when employing it isn't much at all(If that's what your wondering about), and you won't be breaking it anytime soon. Sorry I don't have numbers(I think 3DES), but I heard you won't be brute forcing it with anything anytime soon. EFS "technically" is very secure but the system and network has to be set up properly as well.

Re:Bruce, put this one in your doghouse listing

While I think this is a good idea, I think one is better off with the kernel patches which allow one to encrypt [sourceforge.net] filesystems [kernel.org] in Linux.

(For windows and Mac users, sorry, I use neither so can not help you)

Hey! What about if I used OpenBSD or FreeBSD? Can you help there?

Re:Bruce, put this one in your doghouse listing

[Gyorg_Lavode]

One thing that strikes me is that the usb decription key reader is mounted in the BACK of the unit. It would make more sense to mount the key reader on the front of the unit where the key could be plugged in while attached to a teather clipped to the person using the computer.

Placing the key reader in the back only encourages people to leave the key in the unit which provides even less security, (read none), than the DES encryption provides.

Re:Bruce, put this one in your doghouse listing

[afidel]

Win2k and above use DESX, an extension of DES that allows for an effective 120bit keylength when compared to plain DES. This allows reasonable security without the overhead of say 3DES. Encryption is accomplished though use of a public key in combination with a salt value that is stored in the files description.

Re:Bruce, put this one in your doghouse listing

[j3ss]

What about you, have you tried this product? I followed the link you provided and the product looks really cool but I have one question, does it slow down your computer? It seems like it would use up CPU cycles and your hard drive would constantly be thrashing away.

Re:Bruce, put this one in your doghouse listing

[user32.ExitWindowsEx]

If I recall correctly, the salt value may be your password - that's why you lose your encrypted files if you forcibly change your password and forget to decrypt them beforehand.

Re:Bruce, put this one in your doghouse listing

I've used this product. It works really well (in GNU/Linux and Windows XP anyway.) It doesn't thrash the drive anymore than anything else. I always encrypt my swap file (under Windows)now using a new random key each time and that hasn't (noticeably) slowed down my machine.

Reading a file from a "mounted" file is fast and seems to hit the hard drive little more than reading the same file in the clear. There's a free 30 day demo, after than you can only mount files in read-only mode.

Re:Bruce, put this one in your doghouse listing

[karlm]

You're right, it does use 40-bit or 120-bit (MS likes to count the 8 parity bits in addition) DESX.

I hadn't heard of any salt being used. Salts are completely useless if you're using a seperate strongly (pseudo-)random key for each file. If you're not very very careful, the salting may also very slightly reduce your key space.

If you're using an encrypted fielsystem, make sure your password is stored only using the NT hash. By default, both the LM hash and the NT hash of your password are stored in the registry. In the absolute best case, the work foactor is somewhere aroudn 2 ** 56 to break a 14-character strong password. If you password doesn't require you to hold down the alt key while using the nueric keypad, you're most likely looking at a work factor of about 2 ** 37 to crack your password. (Your password is borken into 7-character halves and converted into upper case, then something like an unsalted UNIX crypt algorithm is applied seperately to each half.) Once they have your password, they can decrypt your SK and get all of your files. Game over man, game over.

Microsoft should be applauded for making a default install crypto-filesysm capable. However, per-file encryption falls to some attacks and information leakage that volume-level encryption doesn't suffer from. Swap space and temp files are still a big problem without third-party add-ons.

It's also important to note that RSA Labs designed DESX explicitly as a stop-gap measure until the Advanced Encryption Standard (AES) was decided upon.

MS could also have done the world a great service by including 40-yaer old password salting technology instead of using unsalted password hashes.

Re:Bruce, put this one in your doghouse listing

[FireBook]

yes i have, i use it all the time, it obviously does use more cpu cycles, but anything above ~1ghz should easily cope, and no it doesnt cause disk thrashing. grab the trial and test it?

Purple thingy!

[superspoon]

Wow. Not only does it have a silvery case, and and the blue stripe, but it comes with a pretty purple keychain! Now if only I could figure out why it came with the drive, and what it is for...

Re:Purple thingy!

The site said it was for authentication...I'm assuming it's what is used to store the key for decryption.

Why 400?

[sean23007]

Why would they just release a hard drive based on Firewire 400 when the 800 just came out? Wouldn't it be better to embrace the new tech?

On the other hand, they probably don't want to force people to buy Apple's high end stuff to use their drive: they aren't Apple, after all.

Re:Why 400?

because 1394b devices are still a few months away from release, there are no 1394b pci cards available yet, and you have to start somewhere....

all they need to do is, when available, swap out the 1394a bridgeboard for a 1394b bridgeboard

Re:Why 400?

Why would they just release a hard drive based on Firewire 400 when the 800 just came out?

Besides the fact that a single hard disk isn't going to saturate a Firewire 400 bus, you've answered your own question: it just came out. So it'd be useless unless you owned one of the newest 17" PowerBooks, which won't ship for "6-8 weeks".

I'm all for embracing new technologies, but why release a hard disk enclosure that supports a standard nobody's even using yet? (Maybe if they also sold Firewire-800 PCI cards...)

Re:Why 400?

[SiMac]

My guess is it wouldn't matter. The chip they're using here can't be as fast as, say, the Oxford 911 chipset even. It won't be able to saturate a 400mbps interconnect, much less an 800mbps interconnect....

Re:Why 400?

[lookersam]

guess what - the chip inside the enclosure (for FireWire) is an Oxford 911 chip, and the USB2 chip is a Cypress/ISD chip

Re:Why 400?

Besides the fact that a single hard disk isn't going to saturate a Firewire 400 bus

Yes it will. There are disks that will do 55MB/s: about 14MB/s more than FW400 can do.

Re:Why 400?

[lookersam]

there is no such animal....

where are you getting your information from???

a 7200 rpm drive is going to do around 30-38Mbs with the Oxford 911 chip

a 10K rpm drive may do in the 40-50 range

dual channel will do in the 80 range

what type of math are you doing?

wern't 40-bit keys obsolete

[the_2nd_coming]

back in 93?

There are more parts to the security here...

[mageben]

Part of the security of this device is the fact that you shouldn't let it get into unwanted hands. Yes, I agree the encryption standard is weak as hell. This is a first generation technology, so give it a break. I think the weak encrypion was compromise since, as many have pointed out, the hard drive is rather slow and it has to encrypt things...

I'll bet there are other companies working on a similar technology, I won't purchase one until I get variable key length and some decent speed specs.

-Code

Re:There are more parts to the security here...

IF you wanted speed, wtf would you choose DES?

This drive is probably about 5 years old in design and flawed from the outset.

Go directly to AES-128. Do not pass go.

Re:There are more parts to the security here...

what world do you live in? 5 years in design? we can see you have spent a lot of time designing hardware or software..... based on your statement, * why do cars still get shitty gas mileage (they've had a lot longer than 5 years to design) * why is dsl not in every home on the planet? * why do people still die of starvation? * why do updates to every OS or computer system come out about every 6 months etc, etc, etc

Re:There are more parts to the security here...

[wirelessbuzzers]

I think the weak encrypion was compromise since, as many have pointed out, the hard drive is rather slow and it has to encrypt things...

All the AES candidates (Rjindael, Twofish, Serpent, MARS, etc) were engineered to be as fast as possible in software and in hardware. Encryption chips are already available for Rjindael and IIRC Twofish as well; even if not, they could make an ASIC for it on such a big project. Speed is not an issue here.

Encrypted disk images rock.

[marmoset]

Encrypted disk images are really easy to use on OS X. They're encrypted using AES-128 (much more secure than the above hardware solution) and the performance is really quite good (fast enough to playback Quicktime movies from, even on a G3.) The Apple KBase entry on how to use them is here.

Re:Encrypted disk images rock.

[JohnsonWax]

I use them all the time. I have a 40GB 2.5" firewire drive that I shuttle back and forth from the office. It has 3 encrypted images on it that I use for offsite backups of our most important data.

Performance isn't bad at all. I don't even notice it in my application since my bottleneck is the 100T connection to the server rather than the 400Mb Firewire bus or the encryption speed, but even with local copies, a G4 should do a fine job of keeping up with the Firewire bus.

The FW 800 bus will be a little different matter. Maybe the dual 1.42 G4 can do it, but I doubt my lowly PB could.

Re:Encrypted disk images rock.

[ignorant_newbie]

>Performance isn't bad at all. I don't even notice it in my >application since my bottleneck is the 100T connection
>to the server rather than the 400Mb Firewire bus or the
>encryption speed, but even with local copies, a G4
>should do a fine job of keeping up with the Firewire bus.

>The FW 800 bus will be a little different matter. Maybe
>the dual 1.42 G4 can do it, but I doubt my lowly PB
>could.

While it's fine to get excited about fast busses, it's important to remember that they're that fast because they're designed to support a bunch of drives, not because each drive is actually capable of pushing that much data. If you're luicky, the drive inside the enclosure is a 7200 rpm ata drive, which isn't capable of filling the ata100 bus on it's own, let alone a firewire 800 bus.

would be nice

[jkfresh]

I really wish I could get a scsi version of this. Internal or external, external would be a lot easier, but some kind of internal addon board would be really good. I don't want to start an ide/scsi debate, but if I had data that was so important it needs that kind of security I would spend more than $200 on the drive.

Re:would be nice

what the market needs is a scsi encrypting interface. eg, a box that goes between your hdd and regular controller card. run a dedicated encryption processor in it to encrypt the datastream, and a usb or flash card interface to take the key.

eg

PC---SCSI---EncBox---HDD
|
key

Not so crap

[maroberts]

Those who've criticised it for it's key length have missed a perhaps an important point, which its that it encrypts without consuming the processor power of the host machine and supports full bus transfer rates whilst encrypting. If your system processor load is a bit hairy, you perhaps don't want to add to it by trying to encrypt on the CPU.

Still, the same device with AES, 3DES or similar would be much better....maybe next time!!

Re:Not so crap

Those who've criticised it for it's key length have missed a perhaps an important point, which its that it encrypts without consuming the processor power of the host machine and supports full bus transfer rates whilst encrypting. If your system processor load is a bit hairy, you perhaps don't want to add to it by trying to encrypt on the CPU.

Perhaps you have missed the point. This is a security product - it's designed to keep your data secure. Suggesting that choosing a weak encryption is okay because it is faster is just ludicrous. It's like manufacturing a removalists truck, but not including space for any items because you could make it go faster that way. It kinda defeats the point. 'It's faster this way' isn't an excuse for not doing what it is advertised to do.

I don't trust the little USB dongle

[abirdman]

It looks like as long as you've got the little dongle-thingy your drive will work; without it you're toast. So aside from any concern about the (only) 40-bit encryption, it seems like you'd have to make sure you hid the key (and not forget where you hid it). And if the key or its socket were to, ummmm... break or something (it's an external enclosure, so it could fall and the wires break), well you wouldn't have any data at all. And if the key got stolen, well then the thief only has to stick the thing into the drive and voila, there's your data.

I know a lot of corporate IT types will think this is exciting, especially as new data security laws keep hitting the books. Full time encryption seems pretty secure. And the price seems fair, especially since it seems to take any EIDE drive and secure it, and (quoted from the article), "capable of maneuvering 66MByte/ sec throughput without taking any system resources." Just don't lose that darn key! And maybe they'll develop an internal version that would be more secure from bumps, knocks, and falls.

Now, I've gotta get one of them new-fangled firewire (or USB 2.0) ports. And a hook to hang the little dongle from.

Re:I don't trust the little USB dongle

[phillymjs]

It looks like as long as you've got the little dongle-thingy your drive will work; without it you're toast.

I imagine in places that deal with a lot of data that must be secured, it would be a lot easier to lock all the USB keys in a safe than to do so with the drives themselves.

~Philly

Re: Portable Drive Standard

[puto]

Starting with Win 2000 there is some sort of portable drive standard. I know the OS 10 has built in support as well.

I have a portable drive that when plugged into XP,2000, and OSX, it recognizes and mounts.

I have a driver disk for 98.

The company I bought it from told me that Linux didn't have built in support for it yet.

Puto

False advertising

[Bishop]

From FireWire Depot page:

"...offers the military grade protection for your classified data."

Calling DES "military grade protection" is pretty close to a blatant lie.

Re:False advertising

marketing fluff - picky picky picky

Re:False advertising

[isorox]

Sure it's military grade. Pitcairn Island military though, not U.S.

Re:False advertising

[Detritus]

The last time I checked, DES was only authorized for the protection of SBU (Sensitive But Unclassified) data. This would include things like personnel and medical records. Classified information requires protection by NSA approved algorithms and hardware. As far as I know, Skipjack is the only published algorithm that has been approved for the protection of classified information, and that is only for the lower levels of classification.

Re:False advertising

Hey- it doesn't say "US Military Grade". I'm sure it holds up quite well to the Haitian or Cuban military standards of encryption.

Re:False advertising

You'd think so, but that's actually not true (at least for many non-US armies). At least not if you consider "being used by armies around the world" to be close enough for claiming "military grade".

FWIW, when I served in the army signal troops (in Europe, early 90s), we had these nifty little terminals that encrypt messages sent over digital radio frequencies (either links or direct broadcast). And from the manuals I noticed that encryption method was DES, albeit 3-DES (which makes enough different, close to doubling its effective key size). Of course the officer that taught the classes had no idea what I was talking about when I asked about encryption algorithm, and checksum used for verifying keys (that were changed daily)... I soon learnt to keep my mouth shut when I knew more than higher-ranking people did. :-)
Using (3)DES probably made lots of sense, as hardware chips for doing it were available even back then.

That said, single DES certainly hasn't been viable for some time now, and there are some doubts about 3DES as well. For non-US-govt - proof (but good enough against individual enemies or companies) 3DES is likely to work ok, for now... but there's no point in relying on that, as there are better alternatives like others have pointed out.

Re:False advertising

Agreed. For the higher level secrets the algorithm must be classified too. And no, this is not security through obscurity.

Re:False advertising

That said, single DES certainly hasn't been viable for some time now, and there are some doubts about 3DES as well. For non-US-govt - proof (but good enough against individual enemies or companies) 3DES is likely to work ok, for now... but there's no point in relying on that, as there are better alternatives like others have pointed out.

Doubts about 3DES? Apart from the fact that it's slow I haven't heard anyone raise any concerns. Not anyone I'd listen to, anyways. Care to give the source for this claim?

Re:False advertising

[AIXadmin]

Someone forgot to tell them that AES has replaced DES as the SBU standard.

Re:False advertising

[wirelessbuzzers]

And no, this is not security through obscurity.

Yes it is. At least, it's security partly through obscurity. It just doesn't make so much of a difference when you have the NSA to analyze the algorithm.

However, it is speculated that the real reason the NSA keeps their algorithms secret is because they don't want super-good crypto to fall into "the wrong hands."

Re:False advertising

[ElGanzoLoco]

Well... Maybe the military in Albania still use it.

Drive Failure

[po8]

...the USB key stuck in the back looks like a likely point of failure.

Conceivably. Anyone who is running one of these drives without backups somewhere is even more insane than the folks running un-encrypted drives without backups. The backups themselves can easily be encrypted, so there's no need for major security risk. If your key dongles stop working or your drive fries, you'd better have some way of getting the bits back from outside, 'cause they're not coming from the platter.

OTOH, what is "64-bit/ 40-bit DES" supposed to be? Presumably this means the drive supports "40-bit watered-down DES keys" and "64-bit normal DES blocks". So I guess I'm wrong: this drive is designed to be break-inable in an emergency. Great. I'll wait until they offer 3DES or AES-128 options, thanks.

In the meantime, check out the BSD Cryptographic disk driver cgd: SW on-disk encryption at the block level.

Re:Drive Failure

[geniusj]

or in 5.0, gbde (GEOM Based Disk Encryption)

Re:Drive Failure

The USB dongle is (as far as I understand) only silicon. This will not get fried unless you put it in your microwave. Hard drive failure is the only risk here. But then the risk of mechanical failure of hard drives has always been around. We all do have backups of all our data, don't we? :-)

is this any more secure than NT/2000/XP ??

NTFS file system encryption ?

Re:is this any more secure than NT/2000/XP ??

Well, when you consider that NTFS is something produced by Microsoft, I'd have to say "Yes!" or "Duh!"

min 128 bit needed

working for a government contracter, we are required to have more than 40 bits....if my bank has any of these, I'm taking my money out...

Don't worry about losing the key.

[Dthoma]

'Cuz if you lose it, you can always bruteforce the encryption key anyway!

*ducks*

usb keys

[martinflack]

I recently wrote a silly little pam module and edited some files in gdm so I can login at my Red Hat linux terminal just by walking up and sticking in my Trek Thumbdrive.

One of the problems I've been wrestling with is that if anyone copies the file from the thumbdrive that it looks for, they can access my system as easily as I can. This hard drive would seem to suffer the same problem.

So, you say, protect the usb key just as a regular door key - you don't let people copy those. When I get my car serviced I even make a point to only hand them the car key alone, and not my apartment keys, etc.

But the small usb drives are so damn convenient as a replacement for floppies, and in fact I bought mine so I could throw files on it and take them to people's computers. But if I've got a login file on mine, the second I insert it into someone's computer I've theoretically lost security, because they could have a background process that copied off the file.

Now of course I'm not in the habit of trading files with miscreants and criminals, but you get the idea. If I'm building a process that's ostensibly for security it might as well be good.

But I haven't been able to find a way to reconcile the login issue with using the usb key elsewhere. As far as I can see, a perfect copy of my login file is as good as the original.

Re:usb keys

[AKnightCowboy]

Why don't you just encrypt the key with a password? Any decent authentication system requires at least two factors. Stealing a Securid card, for instance, without knowing the pin is pretty worthless since it'll lock out by the time you guess the pin.

Re:usb keys

[afidel]

I assume the USB key is like a smartcard where the key is programmed at the factory and can not be accessed without the proper matching key which is probably flashed to the drive controller and not easily accessible.

Re:usb keys

[topham]

Use a key generator and generate new keys whenever a key is used. This way, if someone gets a copy they would have to use the key before you used yours, or their key would no longer be valid.

This reduces, but does not eliminate the risk.

Re:usb keys

[user32.ExitWindowsEx]

Just get another larger capacity one...use the smaller one exclusively for logging in and the larger one for data. That's the only totally secure way to do it.

Re:usb keys

The problem is that you should not use your device as a storage for the keys. Instead you need something that can respond to a challenge without revelaing the key inside.

If you're stuck with a device that can only function as a storage device, you might want to reduce your vulnerabilities by storing multiple non reusable auth-files(like s-keys). So if anyone steals your files you are only vulnerable for a limited number of attempts. It does not close the vulnerability, but it reduces it a bit.

Re:usb keys

[shumacher]

Does the key have a serial number? If so, you may launch a script that authenticates off that as well.
Of course, usb keys are for storage. There is hardware designed for what you want to do.

Why not just use Scramdisk or Drivecrypt??!

[HEbGb]

Look, I don't know why people make this more complicated than it needs to be.

Scramdisk (free) and Drivecrypt (cheap) both do on-the-fly en/decryption on regular hard drives. 1024 (and I think 2048) bit keys are available, with your choice of algorithm, and it's incredibly easy to use. For the truly paranoid, you can even use a fully encrypted disk on the fly for your entire OS.

I don't at all understand what the benefit of special hardware in the drive would be.

Re:Why not just use Scramdisk or Drivecrypt??!

[ashkar]

Well, it appears in this particular case there is less than an advantage to going the hardware route, but theoretically, hardware could could provide a much faster and secure solution.

For instance, encrypting and decrypting the data via software would cause cpu and memory overhead on the host machine. The encryption software would also need to be installed on all machines that you want to use it on, and this is looking to be a portable drive. Also, using an external encrypter, it's less likely that a keygrabber or trojan can grab your password.

IBM could use them

[Neophytus]

Perhaps IBM could put them to use next time an insurance company comes to them for colocation.

IBM has lost a hard drive containing the records of 180,000 clients of an insurance company. Details include "names, addresses, beneficiaries, social insurance numbers, pension values, pre-authorized checking information and mothers' maiden names", according to wire reports. Anything else? Oh yes, their bank account details.

Re:IBM could use them

Yeah, if I know IBM it's really lost. Like installed into a different server as a scrap replacement part and shipped out to some innocent company reformatted lost. While the data's still sort of there in some residual magnetic NSA bunny suit lab recoverable type of way. In the time that's passed since then, if it's had decent usage, it's been partially wiped a few times anyway.

"Firewire Encrypt" sounds much more interesting

[Jeremy+Erwin]

A few days ago, I read in MacCentral that Weibetech had developed a AES based system to encrypt hard drives.

Re:"Firewire Encrypt" sounds much more interesting

they announced but did not deliver......

Re:"Firewire Encrypt" sounds much more interesting

even if they do deliver, they will charge you way too much for it like they do with most of their products

Re:"Firewire Encrypt" sounds much more interesting

[Jeremy+Erwin]

Quite. It is vapourware.

Nevertheless, firewire has always included a facility for encrption and key exchange-- it is a little dissapointing that the first "encrypted firewire drive" to market supports an obsolete standard
firewire encrypt "Designers notes"

Re:"Firewire Encrypt" sounds much more interesting

just like when uncle Steve demonstrates stuff - one 'working' sample does not make for a real product.........

Ablabla.org is slashdotted.

LOL!

DMG images work great

[SHEENmaster]

with 128-bit encryption and such.

Is there an encrypted filesystem I could use in Linux?

Re:DMG images work great

[kill-hup]

Try loop-aes for a quick, non-kernel-dependent implementation.
CryptoAPI isn't bad either, but loop-aes is quicker to set up, IMHO.

Re:Get your Columbia Tragedy domains here...

Minor nitpick (and off topic from the main discussion too) is that they don't appear to be in the whois data base...

I Don't Get It

[istartedi]

Yeah, the encryption is weak, blah, blah, but that's beside the point. Isn't the data only as secure as the application that can access it? I guess these things are only used behind a firewall then, and they are just encrypted to protect against physical theft. They can't provide any security if the server is net facing can they? I mean, if Apache can access the data then just crack Apache above the level of drive access.

Interesting

Actually, I agree with early comments that the key is very small. I've been considering using a IDE->1394 casing for some time for my back ups. Other possibilities that I've drummed up include giving the backup program access to a public PGP key, and make use of it.

However for up to the minute encryption, it seems perhaps loop-aes would be a good standard to use. It's password dependent though, so that's a draw back. I think the USB key in the back wouldn't be the week point if the key were A) given heavy physical protection and B) be hard to spoof multiple times (which is the impression I get).

When the tek gets fast enought to do better keys, well, heheh, better keys will mean less... so I guess it's almost a catch 22 as far as getting a much higher key. Personally I wouldn't buy it as the encryption on it is inflexible, so if standards change, or a bug is found your just screwed.

True... but....

[tweakt]

DES is obsolete and would not be used for sensitive information by the US Military.

But they didn't say who's military ;-)

Encrypted file system for mac users

[jos3000]

OS X users can use Disk Copy

http://www.apple.com/macosx/technologies/securit y. html

Already being done?and with better encryption, too

[scrod]

WiebeTech is going to do the exact same thing, only with AES instead. http://www.kuro5hin.org/story/2003/1/6/234015/4753

DES weaknesses

[billstewart]

3DES is just fine - as you say, DES hasn't been cracked, it's just been brute-forced, and 3DES increases the brute-force work by 2**56, which means it'd take about 2**56 days to brute-force instead of about 1 day. The only reasons not to use 3DES are that it's 3 times slower than DES (no big deal here), or that you trust AES well enough to use it instead (about 10 times faster than 3DES), or that you don't have enough room in some existing protocol to store a 112-bit or 168-bit key, in which case you should probably fix your protocol instead.

"40-bit DES", on the other hand, is either a well-designed crock or poorly-designed crock, which is pretty trivial to crack. The only reason to use such any 40-bit key is to comply with anti-Communist US export regulations that got dropped a few years ago, largely due to the EFF's DES-cracker machine and the internet distributed DES crack effort, both of which emphasized the weakness of 16-bit DES.

On a technical note, cracking well-designed 40-bit DES subsets is not 2**16 times faster than cracking 56-bit DES, or John Gilmore could do it in 3 minutes in his basement. DES has two main phases, a key-scheduling phase and an S-box phase, and the DES cracking efforts took advantage of some interesting work by Peter Trei on key scheduling, which found a search order that makes each key-schedule a simple modification of the previous one, instead if its normal relatively slow calculation. So a 40-bit DES crack might take 5-10 times as long per key as a 56-bit DES crack, unless the 40-bit subset was designed to avoid that. On the other hand, the EFF and Internet DES cracks were in 1998, and computers have gotten about 8-10 times faster since then...

Re:DES weaknesses

Do you have a reference for the claim that cracking DES with a 40-bit key wouldn't be 2^16 times faster than cracking DES with a 56 bit key? I've never heard anything remotely like that...

Re:DES weaknesses

[kasperd]

3DES is just fine

No it is not. though the 3DES key is three times as long as the DES key, the 3DES block is still exactly the same size as the DES block. A 64 bit block is simply too short, you will get vulnurable to the so called birthday attack.

With a reasonable security margin you can encrypt no more than 512KB with the same key. If you encrypt 35GB with the same key you can be almost sure, that your data is no longer safe.

I'm also wondering if this product even uses a safe mode of operation. It is easy to use a per sector CBC mode with block number as IV (like cryptoloop for Linux), but that is just not secure. A secure solution has to offer some of your disk space and access speed, I think a 10% cost would be likely.

Re:DES weaknesses

[billstewart]

Longer blocks are good, but birthday attacks only matter when someone can construct a problem where they let the attacker do something useful; that's highly unlikely for most disk encryption algorithms, which are used to haul around large sectors of disk space, e.g. 512-8192 bytes. 35GB may be enough that you'd have two 64-bit blocks of disk that have identical cyphertext and different plaintext, but it's not useful to anybody.

As fast as safe operation modes goes, the nice thing about 40/56/64-bit encryption is that you scarcely have to worry about whether something else is the Weakest Link instead :-(.

Re:DES weaknesses

[billstewart]

It's straightforward - if you're talking about brute-force search, a 56-bit key takes 2**56 attempts to cover all the possible values, which a 40-bit key only takes 2**40, so thats 1/2**16 times as many. There are some subtleties; it's easy to get by with 2**55 tests for DES, and on the average either method hits the jackpot after trying about half the keys. Depending on how you get from 40-bit keys to 56-bit, e.g. using a strong slow hash, or setting the low or high or non-middle 16 bits to some constant like 0s, or using some fixed 16 extra bits that you'll happlily give the cops, or 16 bits from the serial number, you may require some extra computation, and you'll probably annoy the keysearch order that otherwise makes keyscheduling efficient, but even then it's not a huge impact compared to dropping the keysize to 40 bits.

40 + 128 = 168

[yerricde]

working for a government contracter, we are required to have more than 40 bits

Not all your bits have to come from the same source. For example, you can use 128 bit AES on the CPU followed by 40 bit DES on the drive, and you get 168 bit cipher strength barring any meet-in-the-middle[1] attacks.

[1] "Meet in the middle" in symmetric cryptanalysis has absolutely nothing to do with "man in the middle" in public-key infrastructure analysis.

Re:40 + 128 = 168

[Halo1]

No, for the same reason that 2^40 + 2^128 != 2^168. You're not combining the keys, you're just using them after eachother. In the end, the 40 bits DES encryption doesn't even really matter, since the 128 AES key dwarfs its complexity (like in efficiency analysis, O(n) + O(n^2) = O(n^2)).

Re:40 + 128 = 168

[afidel]

Bitstength does not increase like that, in fact using multiple forms of encryption blindly can (actually it usually will) weaken the overall strength of the system because tell-tale signatures are left behind by the weakest form of encryption.

Re:40 + 128 = 168

[mlyle]

This really depends.

It probably doesn't because there's probably good known plaintext that's only encrypted by the 40 bit encryption, like the boot blocks. In this case, your statement is true.

But if it was all encrypted in AES, and then in DES with a completely different key-- I don't see how you can say that the DES doesn't provide proportionally more strength by the relative keylengths. Just like TEMK doesn't provide 2* 2^56, but more like 2^112 of brute force complexity.

Re:40 + 128 = 168

No, for the same reason that 2^40 + 2^128 != 2^168. You're not combining the keys, you're just using them after eachother. In the end, the 40 bits DES encryption doesn't even really matter, since the 128 AES key dwarfs its complexity (like in efficiency analysis, O(n) + O(n^2) = O(n^2)).

You are wrong and the OP is right. However, brute forcing a 128 bit key is impossible with the technology of today (and tomorrow) so there is little reason to use any more. With keys longer than, say, 100 bits the weakest point of the system is _very_ unlikely to be the key length.

Re:40 + 128 = 168

You are dumb.

Re:40 + 128 = 168

Multiple encryption can indeed create weaknesses, but if well-designed it can effectively add the key length. Certainly one should not simply run data through all one's favorite algorithms in sequence.

Speed

[yerricde]

I don't at all understand what the benefit of special hardware in the drive would be.

Perhaps an extra speed boost for those files that are sensitive but less sensitive than some other files? Crypto in the drive controller takes some load off the CPU.

Re:Get your Columbia Tragedy domains here...

they don't appear to be in the whois data base

Whois lags by at least 24 hours.

Security trough obscurity

[MtZ]

I thought NTFS, was a encryptet FS as standard,
That would explain the difficaulties of making a driver to read it... ;)

Re:Security trough obscurity

[Dave2+Wickham]

Reading is supported just fine ATM... Writing, on the other hand...

Doh!

[Duncan3]

*walks by table while geek is getting caffeene*

*ZOINK*

This is more secure how exactly? It's even external so you don't hurt you back carrying it out the door.

Re:Doh!

get a life.....

It was demonstrated at the MacWorld Expo

[MichaelCrawford]

WiebeTech demonstrated FireWire Encrypt working at the MacWorld Expo.

It uses software to allow the user to enter their passphrase from the keyboard. By the time of the expo, I had got the AES encryption working in the FireWire/IDE bridge but had only done the passphrase application for Mac OS X.

I've since got it working for Mac OS 9 (and earlier Mac OS versions). Windows and Linux remain before the product can ship. I don't expect either to be hard to do but they do require some work because they have to do some raw FireWire I/O.

I think it is best that I not comment any beyond this until FireWire Encrypt ships. But I think users will like what they see.

Re: Portable Drive Standard

[TeddyR]

Dont always believe what the manufacturer is saying. They most probably meant that THEY dont support it in linux....

for ieee1394a its called sbp2...

and linux DOES have support for it (the standard)... the problem is drives that DONT follow the standard....
http://www.linux1394.org/sbp2.html

for usb it called the mass-storage class... and same issue applies. Linux supports the STANDARD... which some manufacturers may not fully follow....

http://www2.one-eyed-alien.net/~mdharm/linux-usb /

Re:Uh.. who cares? Columbia is gone.

They risked their lives so that you can even have one

What utter bullshit.

It Depends...

[fidget42]

on your taste in music. I doubt that Britney Spears could be classified as "intellectual."

Re:Conflicting feature listings

apparently the folks at FireWire Depot read your posts because they have removed the 'redundant' decription information

because you need drivers, genius

[t0ny]

if you need it to work with something else, write an f'ing driver for it. Thats called platform independence.

Re:Conflicting feature listings

[topham]

The first is for the techies, the second confirms that it works with your operating system.

Somepeople will always ask for confirmation.

Re:CFS on Linux etc.

Is there an encrypted filesystem I could use in Linux?

hmm it been supported since 1995/6 so it quite robust and mature but there's several variants:

- cfs
- tcfs
- the encrypted loopback trick
- etc etc

Do this:

1) dd if=/dev/urandom of=.secret_crypto.fs bs=1024k count=10

2) losetup -e DES /dev/loop0 .secret_crypto.fs

3) mke2fs /dev/loop0

4) mount .secret_crypto.fs ~/cfs -o encryption=DES

You'll have to give users thhe right to mount the resulting image etc if they are going to mount in $HOME ... mount will prompt for the passphrase.

Since on a laptop (the logical place for CFS) you're root anyway you could just mount on /mnt/crypto or something and make it RW for your user account. You can encrypt the whole damn thing if you want but that overkill.

Mandrake has had a clicky GUI thingy for setting this up since around 8.0 I think.

You are not allowed to do that in the USA

you'll need "kerneli" ("i" for international - i.e. outside of the USA, land of the free) kerneli gives oss the abilities to do things the US government only allows Microsoft to do ... this is because OSS encryption is usually just a weapon used by terrorists.

Why do you want a CFS ??? What have you got to hide Mr. OSS communist?

Military Security and Key Length

[wordisms]

Read this paper to see why 40-bit keys are so bad.

However, to point to where the "military grade" security claim is coming from is the fact that in many military situations information is only needed to remain secure for minutes or a few hours. Unfortunately for FW Depot, that generally applies to wireless communications, not data stored on hard drives.

Maybe they are hoping that people will use it to courier sensitive data...but then they could just hire Johnny Mnemonic.

Yeah, bad product trying to meet ITAR regulations so they can export.

caching?

[harlan]

How does caching work anymore with an encrypted harddrive? One of the ideas behind caching is that if you access a piece of data, you will access nearby data as well. If your data is encrypted, one would hope that one could no longer ascertain what data is "nearby" to it.

Features:

[caluml]

From the features page:

# Microsoft Windows98 SE, Windows ME, Windows 2000, Windows XP and Mac OS compatible

Is that a feature? Or a limitation?


All I need for my "secure" alternative:

128 bytes of storage for some random data, to which I then append a password to and use as the encryption key in my crypto-loopback software implementation.

What do those "artistic" MAC users have that they need to keep secret anyway? This? Also mirrored (aka stolen) here

Never safe enough. . . .

[havardi]

The only way you can really be safe is to have your data stored offshore in a country ala Kazaa with AES loopback encryption served over a vpn/coda connection routed to your friends server in Australia or Estonia, but which is actually sitting in the vacant house next door and accessing the internet through a nearby insecure 802.11 network and routing the traffic over vpn back to your own anonymous wireless connection.

Actually I'm sure you'd still get busted for you anime pron. There really is no feasible way to protect your information from everyone. If the government or a thief wants your information; they are going to throw you in jail or put a knife to your throat (respectively?).

So use encryption but don't count on it saving your ass.

DES and 64-bit keys

[rjh]

Technically, DES does have a 64-bit key; it's just that eight of the key bits are used for parity checking and contribute nothing to the security of the algorithm, leaving the key with 56 bits of entropy. Many software implementations do away with the parity bits altogether and just use a raw 56-bit key, but the original spec called for 64-bit keys.

All this is, of course, IIRC.

It doesn't come with the drive :-)

[billstewart]

It's just an enclosure for the drive, with a controller. Bring your own IDE.

P2P encrypted backups?

[cpeterso]

I've recently been brainstorming about a P2P encrypted backup system. It would create automatic, encrypted backups using something like FreeNet or OceanStore to distribute redundant, encrypted backup fragments on other people's computers (and vice versa). I know P2P and security are almost oxymorons, but I think it could work securely.

Are there projects like this already? Or applications like it built on top of existing "overlay networks" like FreeNet?

Re:P2P encrypted backups?

[karlm]

Freenet retrieval is too unreliable unless the documents are very popular. Hope that your encrypted data is not a hugely popular download.

P2P can be done securely, depending on your threat model. DOS attacks against P2P systems is still a largely unsolved problem. However you could easily make a system that is for all practical purposes immune to data disclosure. (GPG encrypt your data to yourself befre distributing it, for instance.) I have a nice little perl script that makes a nightly tarball of my CVS repository and GPG-encrypts it, then puts the encrypted tarballup on the web under a filename that contains 64-bits of the md5sum of the unencrrypted tarball. (taken pre-compression). On the backup storage machine, there's a perl script to chck if the md5sum fragment has changed, and if so, use wget to backup the tar ball. (This most defintely isn't P2P, but it deonstrates a simple example of a backup system that lets thee entire world see the backup, yet is for all practical purposes immune to data disclosure.)

If you had a distributed cooperative file system, you could use my perl scripts do do your backups, and the only notable attack (aside from compromise of your machine) would be a DOS/deletion attack against the cooperative filesystem. Of course, you need to chack signatures on the tarballs when you decrypt them.

I was actually talking with one of the Freene developers about his efforts provide distributed encrypted anonymous storage. Unfortunately, the DOS/deletion problem is still unslved, so he was forced to go with storage only on his machines, which means it's not P2P. Most P2P stems are also so transient that you'd need a very high level of replication.

Of course, there's a simple modification to my perl script system that you could make... have it scan random IP addresses for open SMB shares... that would be "non-cooperative distributed filesystems" :-P

Still crap.

[billstewart]

The encryption isn't strong enough to keep out a skilled professional or a medium-sized group of annoyed amateurs. Therefore it offers no benefit over simply using its authentication token device as a password substitute, which is good enough to keep out unskilled amateurs. Meanwhile, the fact that they're even bothering to use 40-bit encryption, and that they're claiming it's military-grade security, and that it's good enough for several sets of users who might have actual security needs that this clearly isn't good enough for is a strong indication that these guys are at best technically clueless, or else blatantly dishonest. So you could buy one of these as a n IDE-to-Firewire/USB2 adapter, but I'd be worried about the thing losing my data as well as not keeping it secure when the CIA spooks sneak through my windows at night to steal the evidence I've collected about the Roswell aliens. Also, it's not subpoena-proof, because the key is (at least apparently) kept in the little key-frob, rather than being something you enter yourself, so any court that can force you to turn over the drive can force you to turn over the key-frob (as opposed to forcing you to tell them a password, which you can argue about.)

Re:Still crap.

calling a company clueless or dishonest is a real nice thing to do - so perhaps you would like to tell us all what you have created lately -- and if you are worried about the CIA spooks coming to your house you probably shouldnt be sending emails or posts cause they are watching you right now

Re:Still crap.

so tell us, what have you developed lately? do you work with siskel and ehbert reviewing movies also?

as far as being supoena-proof, guess what, nothing is other than flat out refusal to give something up. if the court wants something, you should turn it over to them unless you have something to hide, or smash the usb key......

do you?

Re:Still crap.

Password? What password? And where am I, anyways? What are all these people doing here. My head hurts and I want to go to bed. Does anyone know where my teddy bear went? I had it here somewhere this morning. Mom always gives me a glass of milk before bedtime ... where's my milk?

Likely point of Failure? Not the USB key!

[jkbull]

If you look at the actual specs, and the fact that the enclosure provides "Real-time... Encryption/ Decryption" all this enclosure does is to encrypt the data going out, and decrypt traffic coming in. The data on the actual hard drive does not seem to be encrypted. This enclosure is not going to stop anyone who bothers to actually open the case, remove the hard drive and put in their own enclosure/install it in their own computers. Nobody in their right mind should use this case, unless potential data thieves are going to nicely agree to keep the hard drive in its pretty enclosure, or the manufacturer adds a lock to the case.

Re:Likely point of Failure? Not the USB key!

the encryption/decryption appears to be done in real time both directions. where do you see that it is only doing it one way?

another arm chair quarterback heard from......

Re:Likely point of Failure? Not the USB key!

[MntlChaos]

If you look at the actual specs [fwdepot.com], and the fact that the enclosure provides "Real-time... Encryption/ Decryption" all this enclosure does is to encrypt the data going out, and decrypt traffic coming in.

wrong. it encrypts stuff going to the drive (in), and decrypts the stuff going from the drive (out) iff you have a dongle. Otherwise it blocks access. Of course the encrypted drive is needed because otherwise the drive is removable.

Above should be modded up.

[Fao]

The data on the actual hard drive does not seem to be encrypted. This enclosure is not going to stop anyone who bothers to actually open the case

This should be modded up. This thing is useless if it doesn't encrypt the data on the hard drive itself.

Re:Above should be modded up.

where do you see that it doesnt encrypt data on the drive

as they state on the fwdepot.com site

Even if the entire drive was stolen, no one can read your data. SuperGuard 3 is a cutting edge technology product that offers protection for your classified and personal data. Unlike those software only password or smart card solutions, SuperGuard 3 provides a silicon based real-time encryption/ dencryption solution, capable of maneuvering 66MByte/sec+ throughput without taking any system resources.

seems to me like the data is being encrypted on the disk otherwise what would be getting decrypted???

Military grade LOL

Military grade == snake oil

I never believe anyone that claims "military grade" on commercial applications. It's either "commercial grade" or "snake oil".

In this case DES w/40 bit key is too weak to be good, it'll protect you from the casual cracker but nothing else.

It's a bad thing, considering the probably could have used AES or even 3DES. It's not the first time I've seen weak crypto on the commercial world, or even worse, good crpyto offered as a premium service, as if key space was some very expensive commodity that few people can make.

Same goes for SSL certificates or vpn services. Certificates for use with 40 bit symmetric algorithms are everywhere and 128 bit certificates are always a "premium" (and more expensive) service. As is the procedure for signing data was different.

It's awful to know that we're using crap when things could be made the right way with no aditional effort,

Re:Military grade LOL

how is it that everyone is an expert? everyone knows the right way to do things because everyone else does them wrong? if you know the right way to do it why not do it?

Yes, DES has been cracked... sort of...

[wirelessbuzzers]

As other posters have noted, DES hcan easily be brute-forced because its key length is too short. It is also academically "broken," meaning that there is an attack faster than brute force.

A linear attack breaks DES in 2^40-something encryptions and 2^40-something known plaintexts (compare 1 known plaintext and 2^53 work for brute force). This means order of 10 terabytes of data, though, so we don't have to worry about it. Nobody will be using DES by the time anyone will be lazy enough to encrypt 10TB of data with a weak code.

Speed of DES

[wirelessbuzzers]

IF you wanted speed, wtf would you choose DES?


DES is bitching fast in hardware. What makes it slow in software is a bunch of switching bits around that doesn't really increase the security much. Easy to do in hardware: just cross the wires.

Parent is correct

[wirelessbuzzers]

This is a very important point. People don't usually haul around big hard drives, especially in bigger cases. Getting such hard drives stolen is rarely a point of failure (yeah, Canadian blah IBM blah blah). Much more of a risk is someone hacking it while it sits there connected to a computer with the dongle in.

Maybe something like this would be useful on a laptop, but encrypted loopback devices probably solve the problem better because the dongle could get lost, stolen etc. The only thing you have to worry about there is speed.

The biggest problem seems to be how to get the password into such a device. The next disk format / drive type spec should have optional encryption (of the whole drive) built into the spec to allow the password to be entered in a user-friendly manner. This would allow, say, encryption on CDs that is transparent to userland processes (not for copy protection, but for data protection).

Take a look at WiebeTech for an AES version

WICHITA, KS - January 7, 2003 - WiebeTech announces a new patent pending encrypting storage technology entitled "FireWire Encrypt." This technology allows a storage device to be a self-contained encryption/decryption system.
"FireWire Encrypt represents a breakthrough in data security and storage technology," said James Wiebe, CEO of WiebeTech. "We will publicly demonstrate the technology for the first time from WiebeTech's booth #1651 at MacWorld San Francisco January 7 through January 10.
"This patent pending technology provides important benefits to the user which improve portability of encrypted data while simultaneously increasing the security of the data. First and foremost, the encryption and decryption occurs 'on the fly' within the storage enclosure, not in the host computer. As a result, the encrypted volume is much easier to use compared to software host based encrypting/decrypting programs. The technology is also very robust, because it is based on the the United States National Institute of Standards and Technology Advanced Encryption Standard (AES), which in turn is based on highly unbreakable Rijndael encryption techniques.
"While first versions of this product require the user to supply a pass phrase to the encrypted storage device through a user installed applet, we expect to eventually see integration of the technology directly into the operating system so that pass key prompting occurs by the operating system whenever an encrypted drive is attached to the host computer."
The technology is not yet available for sale, but will be offered as a licensable technology to interested parties. WiebeTech will also make the technology available as an embedded feature in future product offerings.

Physical Key is a Flaw

[Positive+Charge]

If there's a physical key, a judge can make you give it up. I'll stick with software based encrypted disks, thanks anyway.

DESX is broken

[wirelessbuzzers]

Win2k and above use DESX, an extension of DES that allows for an effective 120bit keylength when compared to plain DES. This allows reasonable security without the overhead of say 3DES.

DESX is broken, and not just academically. See Applied Cryptography for details (it's by Bruce, btw). Any instance of DESX that is as fast as DES is no more secure. It is only slightly better in strength vs performance than 3DES. It was a nice idea, but it didn't work out.

exports are illegal

but imports are no problem when it comes to crypto.

Communists really do suck shit.

I realise that my government sucks shit, but the communists suck more shit.

Last Post!

[alpg]

The spirit of Plato dies hard. We have been unable to escape the philosophical
tradition that what we can see and measure in the world is merely the
superficial and imperfect representation of an underlying reality.
-- S.J. Gould, "The Mismeasure of Man"

- this post brought to you by the Automated Last Post Generator...