Lexar JumpDrive Password Scheme Cracked
Saint Aardvark writes "Lexar describes the
JumpDrive Secure as "loaded with software that lets you password-protect
your data. If lost or stolen, you can rest assured that what you've
saved there remains there with 256-bit AES encryption." @stake
has a different take: "The password can be observed in memory or
read directly from the device, without evidence of tampering." And
best of all, the punch line: "[The password] is stored in an XOR
encrypted form and can be read directly from the device without any
authentication." That's why I use ROT-13 for my encryption needs."
Why go through all the trouble of attaching a debugger to the process when you can bribe the user to tell you the password with a chocolate bar! Best of all, this trick will still work long after Lexar fixes their security issue.
Doesn't that violate DMCA?
ELOI, ELOI, LAMA SABACHTHANI!?
Three years to get .01% of the way done cracking this before someone realized it was ROT13. ;)
The password is in XOR'd form? Yeah. That's encryption.
Couldn't the software or driver have stored the password in a MD5 or SHA1 form, and still present a valid authentication mechanism for end users?
From the article:
Vendor Response:
08-05-2004 Vendor contacted via email to support@lexarmedia.com
No response.
08-12-2004 Vendor contacted again via email to support, sales, Public Relations, Investor Relations, and general inquiry email addresses.
08-12-2004 Automated response from support received
09-13-2004 No further response from vendor, advisory released
Vendor has not acknowledged issue or produced a fix.
This is a pretty embarrassing non-response.
The product is only about 5 or 6 months old, and the password was just sitting there. AES is a perfectly fine standard for encryption, but this is an embarrassing implementation. Thankfully, I don't know anyone who owns this.
EVERYTHING violates the DMCA. Everything. Even talking about violating the DMCA violates the DMCA.
"I'm just here to regulate funkiness."
That's what happens when you get your security developers from the Cue::Cat Development team. Wasn't their 'encryption' just XOR or something similar?
It allows those who forget their passwords to quickly access the 'lostpaswd?' file, saving on support calls.
XOR'ed with what? XOR is just a method of encryption, not a cypher or anything... it's the basis for the one-time-pad, the strongest encryption method next to quantum encryption.
"That's why I use ROT-13 for my encryption needs."
I swear I've seen this somewhere around here lately.
If ever there was an example of why we need product liability laws, this is it. Unleash the attack lawyers on these bums.
Democrat delenda est
I use MD5. Not one collision ever found in the wild.
You will be legally liable for the legal consequences of any attempt to break through this advanced encryption technology.
"It is a greater offense to steal men's labor, than their clothes"
The number one rule of talking about the DMCA and archiving the results, encrypted, on a Lexar JumpDrive.
You do NOT talk about DMCA and archive the results, encrypted, on a Lexar Jumpdrive!
That's why I use DriveCrypt. I got my version years ago and it's pretty antiquated but it supports up to 1024 bit encryption (granted it makes things relatively slow).
I mean, if you have the jumpdrive in your possession it's only a matter of time before you find a weakness to exploit, right?
I had one of those things. I'm glad that I always manually encrypted sensitive information instead of relying on their tool. That is until the drive mysteriously stopped working at all after about 6 months.
No way am I buying anything they make again.
Seriously, who would really trust important data to lexar, anyway? CEO's? AFAIK lexar is a cheap walmart-like brand. also, if your data is THAT important, you should probably just keep track of the drive
... as my fav, Leonard Cohen wrote long ago: "there is a crack, there is a crack in everything, that's where the light gets in."
And Mr. Cohen is not even a hacker.
Why does the password need to be 'stored' anyway? Isn't that kinda the point?
Is this some sort of 'encrypted session key' thing where one long, secure password decrypts another shorted one that's used to do the dirty work? Is it stored for key recovery by tech support droids?
Why store the password? Is this just the worst implementation in the whole world or am I missing something?
I was always forgetting important things, like the meaning of the word "redundant." But thanks to the Joe Johnson memory system, I can now remember things like the meaning of the word "redundant." Thanks, Jack!
Copyright 2004, Jake Johannson Memory systems.
"I'm just here to regulate funkiness."
That's why I use ROT-13 for my encryption needs
Pshaw...That's real secure! You really should be using double, or better yet, quadruple Rot-13...
Check out this enigma machine for sale. How cool is this.
http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&category=4721&item=2269717995&rd=1&ssPageName=WDVW
ahhh good 'ol @stake.. not to be confused with l0pht heavy industries and their ill tempered sibling the CDC ;) i guess this is what happens when old school hackers realize they need to make a living somehow.
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
"That's why I use ROT-13 for my encryption needs."
Igpa atinla oobna!
-Arliecha
...that the best encryption algorithm is worth nothing if you fuck up the implementation...
Geeze... This is probably the first /. story I've read that ACTUALLY applies to me...
But seriously, I own one of these... In fact, they're pretty popular in my area just because their cheap and sold at Wal-Mart... I don't personally use the password protection because I always felt it was just an extra step and I didn't really need that much security on my Flash Drive anyways...
(It's not like I was storing all of my server's passwords on it or anything..... Honest...)
Thank you @stake and people like you for making sure products are as secure as they say they are...
Re-check that ip address.
[The password] is stored in an XOR encrypted form and can be read directly from the device without any authentication.
That's not much of a punchline when you realize that XORing something to something unknown (and presumably unknowable) is unbreakable encryption.
I use ROT-26.
-
That's why I store and transmit all my data as plain text.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Sure, ROT13 is secure. But why not give potential crackers something to cry about: encrypt it twice!
This sig is only here so people stop skipping the last lines of my posts.
Um, I thought (correct me if I'm wrong) the matrix is more like: if one or the other bit but not both is 1, return 1, else return 0
1 1 0 0
XOR 1 0 1 0
== 0 1 1 0
You can have it fast, accurate, or pretty. Pick any 2.
a DOS floppy disk, as straight text in a file, called COMMAND.COM. I have a big red label on the disk, "BOOT".
No one ever stole any of my passwords.
There we go.........my little brother won't keep his porn on one of these anymore. haha
-Randy
You mean I can't just hold down the Shift Key when I insert my JumpDrive?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Proof once again that this sign is appropriate. In this case we need to s/use the Internet/design secure hardware/, but you get the picture. :)
Make sure you check out 1201(g) which states that encryption research is a valid exemption. Of course I really think they should redefine the word encryption in this case.
While it does sound like their cryptosystem is for show only, I'd just like to point out that XOR by itself is not the problem. It's a question of what you XOR the plaintext against. If it's a truly random bit-stream that the attacker doesn't have access to, then you're OK. If it's the bitwise representation of the english alphabet, you're in trouble.
ROT13 ... oooohhhh! 13!!! Shit, I was using 11! No wonder it wasn't working.
I tried both calling them and trying their live chat feature from their website, but so far no response. The company is in California, and I am calling them about 3:30 PM EDT. So far, no responses from either the phone call (I am still on hold) or the live webchat.
Sounds awfully like a head-in-the-sand approach to security to me.
That's AND.
This is a page their engineers may find useful, and prevent further embarrassment.
Of particular interest is the bottom section.
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
Idiot, or genius. I'd certainly like to meet the man (or woman) who successfully decrypts his (or her) MD5 encrypted files.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
That's AND, not XOR. XOR is 0 if input bits are equal, 1 otherwise...
XOR means "exclusive or". A regular "or": if one of the inputs is 1, return 1. An "exclusive or": if one of the inputs is 1, but not both, return 1.
OR:
0101
0011
----
0111
XOR:
0101
0011
----
0110
AND:
0101
0011
----
0001
And I missed the preview button by *that* much. You are, of course, correct. Thanks.
Because of this, hashing is irreversible, and therefore only an idiot would use it for encryption. Its proper purpose is for checksumming.
MD5 *does* have something to do with cryptography (why else would Schneier devote the whole 14th chapter of Applied Cryptography to "One-way hash functions"), and the reason is simple: it is used to encrypt your *password*, not your data (Lexar was claiming that they use 256-bit AES encryption for the data itself).
For authentication you do not store the password in plaintext, only its MD5 hash; when the user enters the password, the MD5 of that is computed and compared to the stored MD5 string, and if they match, your user is authenticated. Of course XOR with a "magic number" could be used for the same purposes, but it would be much weaker. Thus, I think that the GP was not a troll and made a valid point: use MD5 to hash your passwords, and preferably add some salt value to protect against dictionary attack.
The other question is why Lexar had to store passwords on the drive at all; one does not need to authenticate users in their scenario (the drive itself is not a self-contained computer to which a user needs to gain access). They could've just asked for the password, converted it to the key used in the AES algorithm, decoded the data and given the result: if the password is incorrect, the decoded data is garbage.
Paul B.
Usually, when someone says it's "just XOR" and they're a security researcher, they mean that the programmer did a XOR against some known constant, which is probably hidden somewhere in the program.
In other words, what they did the XOR against is not secret, like it needs to be to be secure.
On the other hand, @stake "sold out" some time ago (I forget what all they've done just now, but I remember a slow decline in the quality of their work, until they were doing TCO studies for Microsoft or somesuch nonsense, whereas they used to be an outlet for really interesting security news, back before they ditched HNN), so I have no idea if anyone still there knows anything whatsoever about security any more.
Still, I'd hazard a guess that they're right on this one--XOR against some constant has been used by programmers as a "security" measure for some time now, and I mean the case where the constant is known, not secret. Merely obscuring it somewhere in an executable or in memory does not make it a secret upon which you can rely for an encryption scheme. In other words, this is rather common as far as "stupid programmer tricks" go.
I mention this lest someone misread your comment and think they can get away with this as being "perfectly secure" -- XOR only works if the secret key is secret, and it's positively amazing how many programmers forget that...
...because it must be twice as secure!
Hello? Did they think of running their design past a security specialist to get a sniff-test, and then just forget? Maybe it fell off their to-do list and nobody thought "oh wait! the product's name is 'Secure'! Let's see if it really is!" Nutz.
Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma
You're right - I described it incorrectly. Looks like I should switch to decaf this afternoon...
Lexar got haxXORed?
Because of this, hashing is irreversible, and therefore only an idiot would use it for encryption. Its proper purpose is for checksumming.
Try telling that to Daniel Bernstein. His "Snuffle" code converts any hash into a cipher. To put it shorter: sampling the output of a well-designed hashing algorithm after every n bytes produces a suitably random bitstream; XORing that against the message produces a stream cipher.
I've seen a number of posts stating the XOR is unbreakable. Hopefully they're just joking and didn't get modded as such, because I've read in several places that XOR sucks. A quick Google revealed the following.
Hack-FAQ
And I quote: XOR encryption is trivially simple to implement and equally trivial to break. XOR encryption should not be utilized for any data which you would want to protect.
I could go grab my Applied Cryptography book and make sure, but it's out of arm's reach right now.
What is rot-13 and what does Unscramble (ROT-13) do?
http://help.netscape.com/kb/consumer/19990114-1.html
all my passwords are on a yellow POST-IT(tm) which I crumble up and put in my pocket, just like Bruce http://www.schneier.com/crypto-gram.html.
After being put on hold for over twenty minutes, I finally spoke with a man named Henry who said that he has never heard that JumpDrive had a security problem (even after I confronted him with the advisory from @Stake), and did not know that @Stake was trying to contact them for over a month. He was quite shocked but promised to check out /. and @Stake to verify the claim.
The ostrich finally wakes up.
I needed a way to make a "secure zone" similar to what Lexar was advertising - a place where I could drop files and have them automatically protected. After doing a fair amount of research, I decided to use PGPDisk. It allows you to create a PGP-encrypted file on any device (hard drive, CD, USB key, etc) which "expands" into a virtual drive (e.g. "C:\Private\SecretStuff.dsk" becomes a new "Removable drive G:" in Windows once you enter the password). Anything you drop into the virtual drive becomes encrypted. It uses 128-bit symmetric CAST algorithm, which is plenty strong enough for anything I'd need. (I believe the newest versions may also have a Twofish algorithm option). PGPdisk virtual drives can be up to 4Gig on a FAT32 machine, or unlimited size under NTFS.
You can check out the commercial version at http://www.pgp.com/, but I would also seriously consider PGPckt 6.58, a forked and free version that works just fine under WinXP (and previous versions of Windows). That's the version I've been using.
No, the article comes *before* the first post, so repeating something that was evident from the article is redundant.
Encryption is precisely the technology of keeping something away from an unauthorised person that gets their hands on it. You can sniff my SSH traffic and capture it all, but since it's encrypted (properly, unlike this) you can't get any usable information out of it.
That would be the idea for a jump drive: you encrypt it such that if it is stolen, there is no way the person can get at your data.
Shades of Digital Convergence and CueCats...
...between my ears. Nobody would ever think to look for anything of use there!
I immediately returned the iBook to MicroCenter and demanded (and received) a complete refund without having to pay a restocking fee.
I am writing this from my new iBook G4 -- which has never seen a Lexar JumpDrive and never shall.
-- @rjamestaylor on Ello
This kind of thing just burns me up. Clueless companies hire clueless developers who think they can make software or hardware relatively secure by merely applying encryption in whatever way they think is convenient. Never mind the plain-text password behind the curtain. Never mind that xor is equivalent to plain text (Lexor). Never mind that supporting multiple decryption keys reduces the effective key length (DVD). Never mind that if you somehow store the decryption keys in a way that the software can retrieve (DVD again), anyone can extract them. Never mind that storing a strongly-encoded password along with a weakly-encoded one buys you nothing (Microsoft). Never mind that encryption can't prevent copying (DRM). Never mind that this list can go on forever...
I own a JumpDrive Secure. Don't laugh; I only got it because Wally World didn't have the regular 256MB one. I plugged it in and the first thing it did was install their security software *without asking me*. Yes, Windows XP. Yes, I had turned AutoRun off on my CD. No, I have no idea how to disable AutoRun on a device that has never been plugged in before. Grrrr.
What did I do? I used Linux to reformat the JumpDrive then uninstalled the software it added without my permission. Now I have a perfectly usable device. (This was 4 months ago)
The OTP is ~unbreakable if used right, but there's technically the possibility (if you have 10^99 years and alien supercomputers) to find cracks in the armor of randomness of the OTP. Don't forget that randomness is not a trivial resource to come by and "anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." Whereas QE is just flat-out un-f***ing-breakable 'cause you can't get the whole message without setting off the "alarm".
"A witty saying proves nothing." ~Voltaire
"d'Oh!" ~Homer
dad once bought.
It had no keyhole, just a bunch of magnetic "reeds" that would line up when a special magnetic key was put alongside it. My dad had just purchased it that day and was explaining to me how it worked. I asked, "couldn't you just shake it until the reeds lined up?". He tosses the lock to me and says, "here...try it then". I shook the lock for a couple of seconds and, sure enough, it popped right open.
my dad was pretty grumpy for the rest of the day...
A goal is a dream with a deadline
ROT-13 is an "encryption" method that is fairly simple. You assign each letter a number. A=1, B=2, C=3.... You then take that number, add 13, and put the resultant letter in its place. So.... A would become N, B would become O, etc. It's simple, and it's a joke, and it's not supposed to be used for encryption. As you can imagine, if you used double ROT-13, you'll have the same letters as you started with.
Ha! I use the stronger ROT-26 encryption.
If it's not Consolidated Lint, it's just fuzz!
Bah, my encryption scheme is way better than that.
I XOR all my data *TWICE*. Try and read that!
By reading this sig, you agree to be bound by all terms and conditions I choose.
Yeah yeah I haven't RTFA but who really does. I don't believe this.
I use gpg on everything I put on my jump drive. It's not like the software to "secure" the data runs on linux anyway.
irc.enterthegame.com #linux
For some bizarre reason, this reminded me of a story I once heard somewhere (no longer remember where).
Some guy was living with a bunch of others and always had a problem with them drinking up his milk. So one day he simply wrote "Milk Experiment" in big letters on the carton and never had another issue.
PlEaSeDoNtHaCkMe xor ${PASSWORD}?
You have backups, right? [Sounds of repressed snorting and maniacal laughter here].
A better solution might be to separate the disks from the computer. After all, your hardware value drops 50% a year (wild assed guess), so the loss of hardware is sort of inconsequential (except for that Sony Monitor ).
Your data is really what you care about. New hardware comes from Newegg.
So why not separate the disks from the system.
Using Fiber Channel, you can bury the disks in a waterproof cavern under the fake outhouse behind the barn.
Only a cable connects your disks to the PC, and no casual thief is going to even know what a fiberchannel cable looks like, much less go looking for where the other end goes.
The downside is the cost, of course, but the upside is that very few people are going to be able to steal your data by carting away your system before you can recover it, or whatever you need to do with it.
How's this for ROT-13?
Bu abrf! Yrkne = shknerq!
Did you know you can open a bicycle lock with a Bic pen?
I post the Post-It(tm) with the psswds to my monitor, nobody can read my handwriting anyway...
I'm on holiday, I have a shiny new camera, and the SD card that came with it is fast running out. So, I visit a few computer shops, and one place has a Maxell card (best value) and a Lexar card (not best value)
What's the difference? I ask.
Nothing, I'm told. The Lexar one costs more, that's it.
I'm certain if the Lexar provided any advantage, the sales monkey would have said so, and gone for the extra cash in the till.
Conclusion: Lexar kit is overhyped and overpriced. Avoid it.
Give this a whirl. Cross platform (afaik). Send feedback to: jlcooke@certainkey.com
Encryption of files using AES128-CBC, no MACing, sorry.
Key used for encryption is:
key = SHA256(pswd)
Password verification is stored as: {pswdEnc, pswdHashEnc}
Where pswdEnc = AESEncrypt(key, key)
pswdHashEnc = AESEncrypt(key, HASH(key))
Provided password "test" is considered to be the original "pswd" if:
key' = SHA256(test)
t1 = AESDecrypt(key', pswdEnc)
t2 = AESDecrypt(key', pswdHashEnc)
t2 == SHA256(t1)
It's written in Java, so no promises about memory attacks (I did my best). But at least file-based attacks are much more difficult.
JLC
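The verification scheme JLC describes above, worked through as an added Go example; this is not JLC's Java code and it assumes a 256-bit AES key (the SHA-256 output), CBC with a random IV prepended to each stored blob, and function names such as MakeVerifier and Verify that are mine. It shows that the drive holds neither the password nor the key in the clear, while a wrong guess is only detected by the final hash comparison.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Verifier is the {pswdEnc, pswdHashEnc} pair the post stores beside the
// files. Each blob is IV || AES-256-CBC ciphertext (the IV placement and
// the 256-bit key are assumptions; the post does not spell them out).
type Verifier struct {
	PswdEnc     []byte // AESEncrypt(key, key)
	PswdHashEnc []byte // AESEncrypt(key, SHA256(key))
}

// deriveKey is the post's key = SHA256(pswd).
func deriveKey(pswd string) []byte {
	sum := sha256.Sum256([]byte(pswd))
	return sum[:]
}

// cbcEncrypt encrypts a block-aligned plaintext under key with a fresh
// random IV and returns IV || ciphertext.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not block aligned", len(plaintext))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], plaintext)
	return out, nil
}

// cbcDecrypt reverses cbcEncrypt. A wrong key does not fail here; it just
// yields garbage, which is what the hash comparison in Verify catches.
func cbcDecrypt(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is invalid", len(data))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
	return out, nil
}

// MakeVerifier builds what gets written to the drive: two ciphertexts,
// never the password or the key itself.
func MakeVerifier(pswd string) (Verifier, error) {
	key := deriveKey(pswd)
	pswdEnc, err := cbcEncrypt(key, key)
	if err != nil {
		return Verifier{}, err
	}
	keyHash := sha256.Sum256(key)
	pswdHashEnc, err := cbcEncrypt(key, keyHash[:])
	if err != nil {
		return Verifier{}, err
	}
	return Verifier{PswdEnc: pswdEnc, PswdHashEnc: pswdHashEnc}, nil
}

// Verify runs the post's check: key' = SHA256(test), t1 and t2 are the two
// blobs decrypted under key', and the candidate is accepted iff t2 == SHA256(t1).
func Verify(candidate string, v Verifier) bool {
	keyPrime := deriveKey(candidate)
	t1, err := cbcDecrypt(keyPrime, v.PswdEnc)
	if err != nil {
		return false
	}
	t2, err := cbcDecrypt(keyPrime, v.PswdHashEnc)
	if err != nil {
		return false
	}
	want := sha256.Sum256(t1)
	return subtle.ConstantTimeCompare(t2, want[:]) == 1
}

func main() {
	v, err := MakeVerifier("correct horse battery") // constructed sample password
	if err != nil {
		panic(err)
	}
	fmt.Println("right password accepted:", Verify("correct horse battery", v))
	fmt.Println("wrong password accepted: ", Verify("hunter2", v))
}
```

Anyone holding the drive can still run Verify against guesses offline, so the scheme is only as strong as the password itself.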
Who needs encryption on flash drives. I just format mine to ext2, knowing that whoever is stupid enough to steal a lousy flash drive probably uses Windows and won't have a clue how to read my data. Best protection evar.
My SanDisk came with "CruzerLock" software. I wrote the company some time ago and they couldn't tell me about the encryption used. Now a search turns up a page by the authoring company on the software. Here's what they say about the algorithm:
The CruzerLock(TM) 2 software uses the powerful and fast Blowfish encryption algorithm with a 448-bit key length. Blowfish is a symmetric block cipher that has been analyzed considerably and approved by the United States government. It was a finalist in the Advanced Encryption Standard (AES) competition.
I wonder if the software has the same flaws as the JumpDrive software. You can download the software here, though I don't know if it will work with non-SanDisk drives.
The one-time pad is provably unbreakable. Your fancy quantum cryptography isn't as strong. The great thing is that the one-time pad only needs a pencil and paper.
As to your query, the article implied pretty clearly that the password was xor'd with some string or constant that was present as plaintext in the software.
I sent an email to Lexar support demanding a refund for my "Secure" Jumpdrive. While I never used the "security" feature that they offer (I bought this because it was cheap at Sam's Club), this is still deceptive advertising. I don't think you can claim a product as "secure" when it is trivial for someone to bypass security.
As one poster commented, "Why not just use ROT-13 to hide the password?"
If Lexar replies, I'll post a follow up. If they don't, then it is off to the BBB to get things fixed.
Truecrypt (mirror 1, mirror 2) does the same as PGPdisk but is open-source and seems to still be actively developed, unlike PGP658ckt. It also doesn't have the drive size limitations of some competing commercial products.
Damien
Unfortunately any message sent to me decrypts to read "Drink More Bosco."
RS
Shoes for Industry. Shoes for the Dead.
Underloved Movies and Pub Quiz: donotquestionme.org
symmetric figlet encryption... never defeated.
Oh, and sure, I use tcsh- wanna make somethin' of it?
Stop beating up on XOR. One time pad combined with XOR is one of those "perfect" encryption schemes. Of course, bad implementations are still garbage if debuggers can get at the information.
busy little bees over there2 .txt
Advisory Name: Pingtel Xpressa Denial of Service
Release Date: 09-13-2004
Device: Xpressa phone (Model PX-1)
Firmware: Core Apps: 2.1.11.24 Kernel: 2.1.11.24
Severity: An attacker can cause the phone to fail. A power cycle is required to restore functionality.
Author(s): James Vaughan
Vendor Status: Vendor has halted sales of device
CVE Candidate: CVE Candidate number applied for
Reference: www.atstake.com/research/advisories/2004/a091304-
- Format your pen drive to MS-DOS
- Create an encrypted, password protected disk image roughly the size of your pen drive (also in MS-DOS format)
- Store the disk image on your pen drive
The reason I recommend using MS-DOS format for both the disk and disk image is two-fold. First off, you can use the extra space not taken up by the disk image to grab files from a PC (since both the Mac and PC can read the MS-DOS file system), and because if you use HFS+, the Mac will store all sorts of file extras on the disk, giving you much less usable space (same reason you can't get the full 654 or 700 MB when you burn an HFS+ CD). I would also recommend storing a fake
Ack!
I use rot13 to create simple cryptograms.
I'm not a doctor, but I play one in bed.
Truecrypt (mirror 1 [freewebtown.com], mirror 2) does the same as PGPdisk but is open-source and seems to still be actively developed, unlike PGP658ckt. It also doesn't have the drive size limitations of some competing commercial products.
Damien
... but I found that the decryption key was inconveniently large, being the same size as the original data.
... not warm and fuzzy feelings towards an average user! ;-)
If the software verified the user's password immediately, without actually spending the time to decrypt the data, it would increase the chances of a successful dictionary attack on the password. If you were trying to log in to a remote system it could disable the account you are trying to use after a small number of unsuccessful attempts, but here the software runs not on the drive itself, but on the computer, which is completely controlled by the attacker, and he can try as many times as he wishes.
Thus, it makes sense to perform full "decryption" on every attempt and return just garbage, or, to make it a bit more user-friendly, run 'file' command on the decrypted file afterwards and verify that it has meaningful signature.
Paul B.
"256 bit AES encryption" must indicate a 256 bit key size, since the block size is fixed at 128 bits. Why a 256 bit key? Because it's a large number and looks good in the marketing material. It is inconceivable that any brute force search effort could find a 128 bit key, at least before the sun dies.
So, we really only need 128 bits of entropy to make a "good enough" AES key. There are about 1.3 bits of entropy per character of English text, so around 20 words will give us a decent pass phrase. We need a standard size, so we take the SHA-1 of the pass phrase, and append a constant padding value to get us up to 256 bits. This is ok, because we really only have a 128 bit key, but marketing wants 256 bits, and AES has no known weak keys.
We have now derived an encryption key from a pass phrase. We use this key to encrypt the files on the device, and we never store it anywhere.
If, for support reasons, we need to be able to recover the encrypted data for a user, then we could set up a voluntary (opt-in) key escrow service using a secret splitting algorithm.
This problem is fixable. What remains to be seen is whether Lexar will stand behind their product and get serious about security, or whether they will take the easy out and back down on their claims.
vi is my shepherd, I shall not font.
Why is the password there at all? Can't they just have the user provide the AES key to save/read data? Why does there need to be a password stored in the device at all?
Doesn't this constitute fraudulent advertising? To advertise that the device stores data with AES encryption, and then store something (the password) using something else is clearly at odds with their advertising.
For that matter, why is the freakin' password stored on the device at all? The password should be used as the key to the AES encryption/decryption ONLY and not stored on the device at all. What reason is there for that?
With all the heated debate about XOR I thought I'd point to one of my favorite posts about this topic. One quote in particular I like is "Xor encryption is not inherently breakable by its nature, however it is easy to use incorrectly, leading to breaks in the encryption scheme. In fact, xor can be unbreakable if used correctly. "
Given that the key is seen decrypted in the debugger, one can easily say that Lexar did NOT use it correctly.
For test purposes, you see. I wanted to be able to verify that the encryption algorithm was correctly negotiated and hooked into the data stream while being able to detect missing or added bytes. The actual product used your choice of AES or 3DES, but ROT-13 actually makes a pretty good "nearly null" algorithm for testing.
And no, we didn't store the password anywhere, clear or XORed. I can't confidently swear our product was perfectly secure, but I'm reasonably confident we didn't design in any really boneheaded errors.
I think.
I bought it for the following reasons:
- Good cost per MB
- Fast
- Great rebate offer at the time
- DURABLE! This thing looks a little bulky, but it's rock solid. Thick plastic, really solid. Unlike any other I've seen so far.
I never used the security stuff. IMHO not worth it. But having such a durable, fast, cheap device was more than worth it to me.
I don't regret my purchase. It's a solid product. I'd still recommend it.
Or is it a legal requirement?
I thought that in the USA, land of the free, home of the brave, it was a requirement that any commercial encryption system be breakable by the government?
And given how stupid the government of the USA seems to be, lexar probably thought it best to use something that even they would be able to crack, ie xor.
Yeah yeah troll, flamebait, *whatever*.
In the free world the media isn't government run; the government is media run.
I read the article and it didn't explain much. People keep talking crap and speculating; can anyone explain.. when they say the password is stored on the device in XOR form, do they mean XOR'd with some obvious key or just binary-flipped? Does this thing have its own CPU to do authentication/decrypting etc, or does it install something on Windows etc? (I'm guessing it installs something on Windows and they just used a debugger to see what was going on?) If so, why doesn't it have its own hardware to handle everything? That way there's nothing to sniff.. I'm sure you can get cheap enough hardware that would be small enough and powerful enough to pass all the data in time?
This comment does not represent the views or opinions of the user.
Not content with duping stories weeks or even days later, now /. is duping stories within the same story!
I have seen people do stuff like this all the time. MD5 is almost useless in cryptography: if I can see the hash I can just use that hash in the function you were going to use it for. If the location of the hash was secured then just store the data in plain text in that location.
Just about the only use is a server that uses an MD5 hash of the password to see if it should decrypt the data using some other hash of the password as the key, which helps with ease of use, not security.
...the password can be seen in plain text within memory when the software does a compare between the stored password and the supplied password.
Are these guys stupid or what? It boggles my mind that such a scheme ever made it to the marketplace. I have this strong urge to go over there and whack them with a big clue stick. They deserve all the flak they get over this.
Don't blame me, I didn't vote for either of them!
Cracking stuff like this will NEVER get you laid. EVER.
Try creating something instead of just trying to invalidate the work of others.
P.S. Spare me your 'white-hat' 'for-the-good-of-all-involved' pablum.
"me" is too short for a decent password :)
karma capped
Since no one else is stupid enough to use that pad, it's a one time pad.
Another milestone in encryption technology - One time Pad CRACKED!
Emergency patch: Now they use the Pad "000000000...."
I initially thought that they can simply use PGP or similar encryption (like pgpdisk as mentioned in a post), but then to decrypt the data, we would need the private key on the machine. I will have the private key on my own machine, but would not like to have it on some other machine where I want to get data off the drive. Any (insightful) comments??
That's not your password...
The first rule of DMCA is you do not talk about DMCA.
The second rule of DMCA is you do not talk about DMCA.
If someone cracks your security, you send a cease and desist and pretend it never happened.
I think you just killed Schrodinger's Cat.
Look, XORing is how a lot of encryption works, the deal is you need to make the sequence of bytes you XOR with unique, unknown and difficult to determine/guess. Hashing functions do this by producing the long XOR sequence from a smaller key.
So what is it XOR'd with? If it is some common or repeating sequence then obviously this is about as pathetic as it gets. Unfortunately the advisory is completely devoid of details on the password storage other than saying it is XOR encrypted.
The password may be XOR'd with its own hash function output, in which case this isn't as bad as it looks. Looking at the paper it seems that the real flaw is the software's in-memory decryption of this XOR'd password to reveal it in plain text in memory; however, again it is still not entirely clear how flawed this is.
For it to decode that password it would have to know what the encryption key was in software, so that would be a *huge* flaw; however, plain text comparisons could work if the password itself was used for the encryption/decryption.
For example you could encrypt the password with the hash output then store it, and decrypt it with the candidate hash output for any new password attempted. Only if it was the correct hash password would this produce a match, and only with the correct password typed in could you ever see a correct plaintext password in memory.
It must be that the software has a fixed key in software which is used for the comparison for this to be an issue. That would be spectacularly incompetent; either that or this advisory is spectacularly inept. It is actually difficult to tell from the info we have, so don't jump to conclusions.
If it is a bug a simple fix would be to use the password itself to encrypt the password on the disk instead of some fixed key, but I can't believe that this isn't done already.
Don't talk about the DMCA.
xor is easily broken for most filesystems without the password... Just look for a repeating string of characters in the raw file which appear where you would normally expect a series of binary 0's to appear in a filesystem of a particular type. I broke someone's loopback encrypted filesystem this way in 30 seconds flat, by just trying his 8 characters in sequence one after the other until I hit the correct starting character.....
would be jetico's bestcrypt.
http://www.jetico.com/
supports Twofish and Blowfish, and even GOST, all the way up to 446-bit key length.
a must have for any paranoid nut
Online backup with Mozy, sounds like Ozzie, but more!
Bestcrypt http://www.jetico.com/ encrypts swap files too, so all you can get with your grepping is just @(#*)$#)$*)#*(#*^0
This is exactly what I thought of first -- why encrypt the password when you can hash it? You store the hash, you don't store the password (and it's impossible to generate the password from a hash, which is basically a one-way encryption).
This is pretty standard procedure for storing passwords -- even if an attacker sees the hash you stored, the password is still safe. When the user logs in, you hash the pw they type, and compare it to the hash you have stored.
Even more secure (if an attacker might be able to edit the hash stored on the drive) is the parent post's suggestion; don't store the hash, use it as a basis for the key you encrypt the data with. Bingo, secure.
So why wouldn't they do this? Well, what options do they offer if you lose your password? I can't find much at all on their website, but my bet is that they are sacrificing security in the name of customer support. Maybe they're worried about customers who misremember their password (and didn't bother with the hint mechanism) who send back the drive and say "fix it"... and they can! That's just good customer support! Maybe it was designed like that originally for debugging purposes, and then the ship date arrived.
My bet is that at least one of the developers knew full well about the security issue, and either didn't care enough about the company to insist it was fixed, was pressured by a boss, or had "that good, lucky feeling" that the curious techies of the world wouldn't notice the flaw and, say, get it onto the Slashdot front page.
By the way, feel free to ask Lexar about it: here's the page for talking to a real live customer service rep.
Who cares, this message is typed in ROT-17576
Strong huh? =)
As long as you didn't leave the ROT-13 routine as the default in your shipped product. (Man, that was embarrassing...)
John
You mean the lawyers are leased?
At a large UK cash-and-carry store, which I won't name, the tills use a key system to restrict access to various till functions, with the more 'admin' functions needing different keys. For example, to manually enter the prices of items scanned through the till you need a key which will allow you to turn the control to setting 2. Alternatively, the lid from a bic pen will suffice (but only up to setting 2) - no brute force required, just insert and twist like a normal key.
On a similar note, my brother once owned an old motorbike with modern keyless ignition. A screwdriver did the job. Again, no force required.
I spent a little while analyzing the "CruzerLock" software that came with my Cruzer Mini USB drive. It appears to be using a 64 bit block cypher (perhaps DES) which pretty much rules out any of the more modern encryption algorithms.
Its biggest readily apparent weakness is that the encryption algorithm is running in ECB mode. If you have a file containing AAAAAAAAAAAAAAAAAAAAAAAA it will encrypt to an 8-byte repeating block on the drive, like this: 123456781234567812345678 When I changed that to AAAAAAAAbbbbbbbbAAAAAAAA I saw the following encoding: 12345678abcdefgh12345678. That indicates Electronic Code Book. If I learn what your first block means, I know the third block means exactly the same data. (Please note that these are just example values with nice visual properties, and not the exact values I saw!)
Also, the encryption is the same from file to file. AAAAAAAA encoded in one file produces exactly the same results as AAAAAAAA encoded in another. So the IV for the encryption routine is fixed as well.
At least XORing blocks of encrypted binary nulls with two different keys didn't quickly reveal any obvious common bits, nor did encrypting two successive blocks that differed only by a single bit of plaintext. That means it's at least more than a plain old 8-byte XOR cypher using a folded password.
I figure if I can find all those holes in an hour of poking around with a hex tool, I know they didn't actually hire any cryptographers to produce the software. All the alarm bells have already gone off, and I never even stepped into it with a debugger to learn how they fold your password into a key, or what the IV was, or what the encryption algorithm itself was.
John
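The repeating-block check described above, as an added example that is not code from the thread or from the CruzerLock product: a keyed 8-byte block function (a constructed stand-in for the unknown 64-bit cipher, not a real cipher) is run in ECB and in CBC-style chaining over the poster's two probe files, and a small detector counts duplicate ciphertext blocks, the signal that reveals ECB and a fixed IV. The key, IV and block function are assumptions.

```python
import hmac
import hashlib
from collections import Counter

BLOCK = 8  # the poster observed a 64-bit block size, so 8-byte blocks

# Constructed sample key and IV; any fixed values work for the demonstration.
KEY = b"constructed-key!"
IV = bytes(range(BLOCK))


def toy_block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for the drive's unknown 64-bit block cipher: a keyed,
    deterministic, fixed-width mapping. It is NOT a real cipher (it is
    not even invertible); only its per-block determinism matters here."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def encrypt_ecb(key: bytes, plaintext: bytes) -> bytes:
    """Electronic Code Book: every block is mapped independently, so equal
    plaintext blocks give equal ciphertext blocks (the pattern observed)."""
    pt = pad(plaintext)
    return b"".join(toy_block_fn(key, pt[i:i + BLOCK])
                    for i in range(0, len(pt), BLOCK))


def encrypt_chained(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC-style chaining: each plaintext block is XORed with the previous
    ciphertext block (the IV for the first) before the block function, so
    repeats in the plaintext no longer show up in the ciphertext."""
    pt = pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(pt), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev))
        prev = toy_block_fn(key, mixed)
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext: bytes, block_size: int = BLOCK) -> int:
    """Number of ciphertext blocks that duplicate an earlier block.
    Any repeat in a ciphertext of modest size is a strong ECB indicator."""
    usable = len(ciphertext) - len(ciphertext) % block_size
    counts = Counter(ciphertext[i:i + block_size]
                     for i in range(0, usable, block_size))
    return sum(c - 1 for c in counts.values())


def looks_like_ecb(ciphertext: bytes, block_size: int = BLOCK) -> bool:
    return repeated_blocks(ciphertext, block_size) > 0


if __name__ == "__main__":
    # The poster's two probes: an all-"A" file and an A/b/A file.
    for label, pt in (("AAA", b"A" * 24), ("AbA", b"A" * 8 + b"b" * 8 + b"A" * 8)):
        ecb = encrypt_ecb(KEY, pt)
        cbc = encrypt_chained(KEY, IV, pt)
        print(label, "ECB repeats:", repeated_blocks(ecb),
              "chained repeats:", repeated_blocks(cbc))
    # Same plaintext block in two different "files" encrypts identically under ECB.
    print("cross-file identical under ECB:",
          encrypt_ecb(KEY, b"A" * 8)[:BLOCK] == encrypt_ecb(KEY, b"A" * 24)[:BLOCK])
```

Run the detector over a real drive's ciphertext with block sizes 8 and 16; a chained mode with a fresh IV per file gives zero repeats for both probe files.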
Long ago, it was commonly used in news groups to mask dirty, racist, or otherwise offensive jokes, or to hide the answer to a riddle or something. The idea was that if it was nasty, you could give the person fair warning not to "decrypt" the message because they might not like the contents. The news readers I used to use had ROT-13 en/decryption built right in -- hit X and it ROT-13'd the message revealing the joke, and hit it again and it rotated it right back to the original text.
I also vaguely remember binding a ksh alias to rot13 that looked something like this:
alias rot13='tr A-MN-Za-mn-z N-ZA-Mn-za-m'
so I could translate things from a shell, but that was a long time ago. I may have gotten it wrong.
John
Nobody ever pointed out the main problem with that study- I bet 99% of the people played along to a)find out who it was to report it to their employer/the cops or b)to get a chocolate bar out of it.
I'm sure the same 99% had absolutely no intention of actually giving the person their REAL password. "For a candy bar? Sure, "uRaSucker".
Please help metamoderate.
We have a bunch of these kinds of drives, because someone got a great deal on them. They're not the Lexar ones, but it hardly matters, we don't use the encryption... but just having all that extra software seems to make them fragile. They have a tendency to corrupt themselves when someone inevitably pulls one out without dismounting it, and unlike normal flash drives which we can reformat, these need a special application to do it.
And of course the vendor won't provide a copy of that application, because then we would know how the encryption (which we don't use) works...
Encrypt files at the application level, using an open encryption standard that you can run on any platform. Anything else is just asking for the f***up fairy to pay a call.
Though it's currently in alpha, GnuPG 1.3.6 is stable enough for general use, and supports SHA-256, SHA-384 and SHA-512 -- important now that MD5 and SHA1 may be flawed.
Use ISO 8601 dates [YYYY-MM-DD]
I use Linux at work and Linux at home, so I can keep my files fairly secure like so: make sure you have cryptoloop and cryptography APIs enabled in your kernel.
mount /dev/sda1 /mnt/jumpdrive
dd if=/dev/urandom of=/mnt/jumpdrive/mycrypt.img bs=1k count=256000
losetup -e blowfish /dev/loop0 /mnt/jumpdrive/mycrypt.img
Enter password:
mkreiserfs /dev/loop0
mount /dev/loop0 /mnt/my_crypt
Copy your files to /mnt/my_crypt, then unmount it and run:
losetup -d /dev/loop0
To remount it, use:
losetup -e blowfish /dev/loop0 /mnt/jumpdrive/mycrypt.img
mount /dev/loop0 /mnt/my_crypt
Pretty simple to use, but it's for linux only. The only caveat is really with the enter password: dialogue. There is no verification and you can't ever really enter the wrong password. The crypto APIs use the password you enter as the crypto key, so if you subsequently offer the wrong password, it will apply the specified algorithm (blowfish in this case) using the wrong key! That means the decrypted info will still be unreadable gibberish.
Be Safe! Sleep with a Marine. Semper Fi!
It comes with a detailed explanation of how, and the code used inside it (throw on whatever non-replication licence you like, as long as it can be observed and comments made on it).
Hence why I'd not vote on a machine, unless they start publishing code there's no way to tell that 1 vote in 10 is converted into a vote for bush.
Even if they wanted to recover the password in extremis (they could charge money for the service, and customers are very likely to forget the password...), they should have encrypted it using public key encryption- where the hard-drive *does* not have the decryption key.
Only the manufacturers would keep that in a locked safe; and would fix the harddrive for a high price, and with an agreed on process.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
I use BestCrypt... at least then you can write your own encryption module as well as the key-generation module yourself with the SDK (the SDK is free but BestCrypt isn't).
www.jetico.com
speaking of which, does anyone know of an open source equivalent (maybe on sourceforge or something)?
I hope you mean that the original owner is included in the set of people who can't decrypt it.
NOTE: IF YOU MEANT THAT, OR UNDERSTOOD THE PARENT TO MEAN THAT, THEN DISREGARD THE BELOW.
MD5 is a one-way hashing alg, designed to be as unpredictable as one can get it, with about as much chance of a collision (hash(x) == hash(y)) as I have of getting a one-night stand with, say, Paris Hilton. That means, if you know md5_hash(x), you can't find x. Ever. Even if you can find some y where md5_hash(y) == md5_hash(x), you can only speculate if x == y or not (I suppose if you had infinite monkeys at infinite TI-92's, you might eventually find out).
Then how are your passwords encrypted via MD5? Easy. They're hashed, and the hash is stored. When you enter in your password to the computer, it hashes what you gave it. If md5_hash(what_I_typed) == my_hashed_password, then you're in.
Now, in the above example, remember when I said what a collision was (hash(x) == hash(y))? If an attacker finds a collision with x and y, and we're trying to safeguard x, no problem (moot anyway, because there is no way to find x given md5hash(x) to begin with). However, say your password knows the value y. Also say your password is x. If md5hash(y) == md5hash(x), then the attacker logs in to your computer, because the computer assumes no collisions (which were practically impossible until recently). And what good is keeping your password safe if the attacker can log in under his own? None. And then the intruder resets your account's password to something he knows and can remember. And now has access to all your private GPG keys, etc... This is why there was all that brouhaha about it earlier.
Whew. Again, if you already knew that's how the world worked, I apologize. I honestly knew a kid who spent 2 hours trying to run "md5sum /", and when he finally got something (I don't know how, a tarball, perhaps?) he deleted everything else on his hard drive except for the sum. Yeah, I did an emergency reinstall of SuSE 8.2 that night.
I wish I could write clever and witty sigs.
This JumpDrive Secure product clearly shows how much they know about security. They claim it uses 256-bit AES encryption, but it uses XOR along with a DEcrypting authentication mechanism?! wtf? This "security" seems to have been made at the script-kiddie level. Why not just reverse the characters to encrypt it? lol
;)
Next they'll probably release the JumpDrive Secure II featuring their unbreakable OTP (One Time Pad) encryption system
-eventhorizon
#Secret Windows Source Code, in MS C% - if (uptime >= "24 hours") then bsod() else print "Windows License Violation!"
The Remarkable Lexar JumpDrive Secure
-Keep your data safe.
Lexar's JumpDrive Secure offers both the durability of the JumpDrive Sport with an important plus: security. The pre-loaded security software means that your information will be subject to DMCA^H^H^H^H password-protected XOR superencryption. Lost or stolen, your data is safe. Unless they know what XOR encryption is, which they probably won't. So don't worry, it's unlikely. Trust us. They aren't as smart as we are.
The Lexar(R) XOR Security System(TM). Patent Pending.
Lexar. We know security.
Ha! all that's for the paranoid tinfoil hat people. I AND my data against itself. just try hacking my server!
In which case Shiva is the big reset button. Well, as John Carmack reluctantly acknowledged a few years ago, "it's a Win32 world". Thank Vishnu for Shiva !
:-)
Oh, and maybe Lexar should take a cue from my sig and encrypt it twice..
(Now back to our regularly scheduled topic)
Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
can I get my money back?
I have something better than ROT-13. It's Triple-ROT-13!
now we need to go OSS in diesel cars
IneXORable
But, worse than that one word: Their board and exec staff, probably all highly paid, just might endure board-inflicted, ineXORable pain...
OUCH
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
the 9 billion names of God refers to an Arthur C. Clarke story in which [spoiler] this group of monks actually writes down all 9 billion names. In the story [spoilerish] a computer [SPOILER]
Sigh. Ok, so you don't have to karma-bomb the guy to oblivion, but for the love of god don't mod these kind of things up, its not polite to spoil stories for people. Especially good ones.
That short novelette, its a good read, don't spoil it for people for the sake of a joke.
You can't take the sky from me...
So how do I attach a debugger... because I forgot my password. Really. There's not even any data in the private sector, but it's lost space.
My dad bought a similar lock, it was used to lock the shed for years, and we didn't discover the flaw for a while. I needed a lock for my chain bike lock and I grabbed that one (long after it was no longer used) and quickly found out that shaking it would allow it to be unlocked.
A few years later at college the locker next to mine had the same lock on it, I laughed when I saw it and mentioned to a friend of mine that you could just shake it to unlock it. He didn't believe me, so I reached over and shook it for a couple seconds and it popped open.
My friend wrote a nice note and left it in the guy's locker.
Incidentally, there's an incident similar to Noah's Flood in Vedic mythology. A Maha-pralaya occurred when Hayagriva the Asura stole the Vedas from the sleeping Lord Brahma. The world was rescued only when Lord Vishnu appeared as a fish (matsya avatara) and slew the asura, thus rescuing the Vedas. (There's also a sub-plot involving a boat and protecting the Sapta Rishis, but I'm too tired to narrate that).
More than mere navel gazing.
Breaking it all down:
Jumpdrive contains some form of software to perform the decryption of the encrypted data. It claims to use AES, so let's assume it does.
The right way to do this would be to make the user have the AES key. AES keys are a bit big to carry around though, so the second right way to do this would be to store the AES key on the drive in an encrypted form itself. This is quite common and usually called the keyring.
The keyring is encrypted with some symmetric cipher that uses a simple passphrase for decryption. DES used to be pretty common, but most people like Blowfish nowadays. Whatever, this is unimportant. What's important is the process at work:
A. Enter passphrase.
B. Passphrase decrypts keyring.
C. Key from keyring decrypts data.
This is generally considered secure enough because if the keyring is made right, then you can't usually be sure whether or not you guessed the right passphrase without actually attempting the data decryption itself. The key is a pretty random set of bits, in other words, and looking at it after decryption is usually not enough to be able to tell whether or not you successfully guessed the keyring's passphrase. This makes the attack computationally hard in that they still have a wide variety of keys to test.
What these morons appear to have done is to store the passphrase to the keyring itself on the frickin' drive, XOR'd with some constant that's in the program. The reason for this is to make it more obvious when you enter the wrong passphrase. So their program does this:
1. Retrieves the XOR'd passphrase from disk.
2. XOR's it with the constant, leaving the damn password in memory in *plaintext*.
3. Compares the password to what you typed in (strcmp, probably), and spits out a "wrong password" message when it doesn't match.
4. Does A,B,C as listed above if the password was correct.
A slightly less dumb thing to do would have been to store a hash of the passphrase on the disk, then hash the passphrase and compare the two hashes. This is only slightly less dumb though, because it still provides a shortcut to breaking the decryption, as you can do a dictionary attack on the hash, which is much faster than doing a dictionary attack where you must perform two actual decryptions on every possible passphrase.
But having the passphrase in memory in plaintext is just frickin' inexcusable from a security standpoint. Having, essentially, every single little thing that you need to decrypt the thing on the disk is even worse:
-The static XOR block is in the software, on the disk.
-The XOR'd password is on the disk.
-The keyring decrypted by the password is on the disk.
-The data encrypted by the key is on the disk.
I mean... that's just plain bad.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
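The A/B/C keyring process above, as an added example that is not code from the thread, from Lexar, or from any product; it also covers the earlier suggestion to store a hash rather than the password, and the cryptoloop caveat that a wrong password is never detected. The passphrase goes through PBKDF2 (an assumed choice of KDF), the derived key unwraps the data key, and a MAC over the wrapped key rejects a wrong passphrase or a tampered keyring; the stream used for wrapping is an HMAC counter-mode stand-in for AES, and no copy of the passphrase or a bare hash of it is ever written.

```python
import os
import hmac
import hashlib

KDF_ITERATIONS = 100_000  # assumed work factor; tune for the target hardware
KEY_LEN = 32              # AES-256 data key, as the product claims to use


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher for wrapping.
    A real product would use AES here; the structure is what matters."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _derive(passphrase: str, salt: bytes):
    """Step A: passphrase -> (wrapping key, MAC key). Salt plus iterations
    make a dictionary attack on the stored keyring expensive."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                              KDF_ITERATIONS, dklen=64)
    return kek[:32], kek[32:]


def wrap_key(passphrase: str, data_key: bytes) -> dict:
    """Build the on-disk keyring. Nothing stored equals the passphrase, a hash
    of the passphrase, or the data key: only salt, nonce, wrapped key and tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(passphrase, salt)
    wrapped = _xor(data_key, _keystream(enc_key, nonce, len(data_key)))
    tag = hmac.new(mac_key, salt + nonce + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "wrapped": wrapped, "tag": tag}


def unwrap_key(passphrase: str, keyring: dict):
    """Step B: returns the data key, or None for a wrong passphrase or a
    tampered keyring. The check is a constant-time tag comparison, never a
    comparison against a stored plaintext password."""
    enc_key, mac_key = _derive(passphrase, keyring["salt"])
    expected = hmac.new(mac_key,
                        keyring["salt"] + keyring["nonce"] + keyring["wrapped"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, keyring["tag"]):
        return None
    stream = _keystream(enc_key, keyring["nonce"], len(keyring["wrapped"]))
    return _xor(keyring["wrapped"], stream)


def stored_bytes(keyring: dict) -> bytes:
    """Everything someone holding the drive can read off it."""
    return keyring["salt"] + keyring["nonce"] + keyring["wrapped"] + keyring["tag"]


if __name__ == "__main__":
    data_key = os.urandom(KEY_LEN)  # step C's key; it would encrypt the volume
    kr = wrap_key("correct horse battery", data_key)
    print("right passphrase:", unwrap_key("correct horse battery", kr) == data_key)
    print("wrong passphrase:", unwrap_key("correct horse batteri", kr))
    print("passphrase on disk:", b"correct horse battery" in stored_bytes(kr))
```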
Reading your post is like one of those "How Many Mistakes Are In This Picture" things you see in Highlights.
;-)
In these quarters we call 'em "Trolls" and do not really bother responding. If you ever think that "No one would be THAT stupid!", it is a good sign of a troll...
Otherwise, thanks for taking time to provide a great clarification to ones here who are actually curious about those things!
Reading that old Morris & Thompson paper was great fun though!
Regards,
Paul B.
Indeed, creation and destruction are two sides of the same coin. Aversion against either one, strong likes and dislikes, keeps you unfree and far away from the blissful state.
Notions like the devil are just illusions for people lost in dualistic mindstate.
What is interesting is that all this is actually true, and can be experienced by everybody wishing to let go of bondage. Funny enough though, most people seem to WANT bondage, mistaking it for pleasure.
Sony Puppy Fingerprint Identity Token
I think that tempting adam & eve to their destruction (and all mankind from then), requiring the death of Jesus to fix, kind of makes Naught an understatement.
On x86, xor reg, reg is often faster than mov reg, 0.
Pointy Haired Manager: My keyboard is broken. It only types asterisks for passwords.
Dogbert: Try changing your password to five asterisks.
Pointy Haired Manager: I hope I can remember it.
Because I'm not looking.
Ever heard of the Apocalypse? Which God do you think will be in charge of that one?