Lexar JumpDrive Password Scheme Cracked

Saint Aardvark writes "Lexar describes the JumpDrive Secure as "loaded with software that lets you password-protect your data. If lost or stolen, you can rest assured that what you've saved there remains there with 256-bit AES encryption." @stake has a different take: The password can be observed in memory or read directly from the device, without evidence of tampering." And best of all, the punch line: "[The password] is stored in an XOR encrypted form and can be read directly from the device without any authentication." That's why I use ROT-13 for my encryption needs."

Drive Crypt

[xombo]

That's why I use DriveCrypt. I got my version years ago and it's pretty antiquated but it supports up to 1024 bit encryption (granted it makes things relatively slow).

Re:Cue::Cat

[AKAImBatman]

It was Base64 "encryption" (*snicker*)

Re:For my encryption needs

[Aardpig]

I use MD5. Not one collision ever found in the wild.

On the off chance that this isn't a joke, and you're one of the genii on /. who thinks that MD5 has anything to do with cryptography, let's reiterate:

MD5 is a hashing algorithm. All hashing algorithms are guaranteed to collide, since hashing is the process of reducing an N-fold dataset to an M-fold one, where M<N.

Because of this, hashing is irreversable, and therefor only an idiot would use it for encryption. It's proper purpose is for checksuming.

Re:Almost...

XOR means "exclusive or". A regular "or": if one of the inputs is 1, return 1. An "exclusive or": if one of the inputs is 1, but not both, return 1.

OR:
0101
0011
----
0111

XOR:
0101
0011
----
0110

AND:
0101
0011
----
0001

Not so fast!

[PaulBu]

Because of this, hashing is irreversable, and therefor only an idiot would use it for encryption. It's proper purpose is for checksuming.

MD5 *does* have something to do with cryptography (why else would Schneier devote the whole 14th chapter of Applied Cryptography to "One-way hash functions"), and the reason is simple: it is used to encrypt your *password*, not your data (Lexar was claiming that they use 256-bit AES encryption for the data itself).

For authentication you do not store the password in plaintext, only its MD5 hash, when user enters the password, MD5 of that is computed and compared to the stored MD5 string, if they match -- your user is authenticated. Of course XOR with a "magic number" could be used for the same purposes, but it would be much weaker. Thus, I think that the GP was not a troll and made a valid point: use MD5 to hash your passwords, and preferrable add some salt value to prevent against dictionary attack.

The other questiuon is why did Lexar had to store passwords on the drive at all, one does not need to authenticate users in their scenario (the drive itself is not a self-cointained computer to which a user needs to gain access) -- they could've just asked for the password, convert it to the key used in AES algorithm, decode the data and give the result: if password is incorrect, the decoded data is garbage.

Paul B.

Re:Not so fast!

[Piquan]

Reading your post is like one of those "How Many Mistakes Are In This Picture" things you see in Highlights.

The salt doesn't have anything to with protecting against dictionary attacks,

The salt is exactly to prevent against dictionary attacks. A dictionary attack (using the term old-school) is where I prepare, in advance, a dictionary of passwords and their hash values, indexed by the latter. Then, when you're making your attack, you look up the hashed password and voila! you know the password. In a world without salts, I expect that many security folks would be able to recognize many common passwords' hash values on sight.

it is used to make the algorithm computationaly harder to break.

The salt does nothing (or rather an insignificant amount) to make the computation harder. It's specifically used to prevent a dictionary attack.

The salt is simply the first two characters in your hash,

The salt is a randomly-generated sequence. It's stored as the first two characters of the encrypted password in traditional crypt() passwords, and is followed by the hash. But it's not the first two characters of the hash.

all of the subsequent characters are based from the salt.

They're based off of both the salt and the password. Your post makes it sound like the password is hashed, the first two characters of the hash are the salt, and the rest of the password entry are generated from that. This is not at all what happens.

The salt is generated randomly (from the time of day, number of processes running, etc), to get 12 bits of randomness (note that the salt is isomorphic with the space [A-Za-z0-9/.]{2}). The password is hashed using a DES, with the password as the key and a string of 0s as the plaintext. Partway through the DES operation (specifically, after the E-box), some of the bits are swapped based on the salt.

After DES outputs the hash value (its ciphertext), it is appended to the salt. This concatenated value is stored in the passwd field of your passwd file. So the salt is the first two characters of that output, but it's not the first two characters of the hash. It's used to perturb the hash in one of 2^12 ways.

Note that the specifics I gave (length of salt, use of DES) only applies to traditional Unix passwords. Most modern Unixes use a different hash scheme by default, such as MD5. The role of the salt still applies: it's used to perturb the hash function to prevent dictionary attacks. There are differences in how it's stored and how it perturbs the hash.

For further study, I recommend reading Password Security: A Case History by Robert Morris and Ken Thompson.

UPDATE from conversation with Lexar...

[Vexler]

After being put on hold for over twenty minutes, I finally spoke with a man named Henry who said that he has never heard that JumpDrive had a security problem (even after I confronted him with the advisory from @Stake), and did not know that @Stake was trying to contact them for over a month. He was quite shocked but promised to check out /. and @Stake to verify the claim.

The ostrich finally wakes up.

A better way to make "secure zones"

[g_adams27]

I needed a way to make a "secure zone" similar to what Lexar was advertising - a place where I could drop files and have them automatically protected. After doing a fair amount of research, I decided to use PGPDisk. It allows you to create a PGP-encrypted file on any device (hard drive, CD, USB key, etc) which "expands" into a virtual drive (e.g. "C:\Private\SecretStuff.dsk" becomes a new "Removable drive G:" in Windows once you enter the password). Anything you drop into the virtual drive becomes encrypted. It uses 128-bit symmetric CAST algorithm, which is plenty strong enough for anything I'd need. (I believe the newest versions may also have a Twofish algorithm option). PGPdisk virtual drives can be up to 4Gig on a FAT32 machine, or unlimited size under NTFS.

You can check out the commercial version at http://www.pgp.com/, but I would also seriously consider PGPckt 6.58, a forked and free version that works just fine under WinXP (and previous versions of Windows). That's the version I've been using.

Grrrr

[c++]

This kind of thing just burns me up. Clueless companies hire clueless developers who think they can make software or hardware relatively secure by mearly applying encryption in whatever way they think is convenient. Never mind the plain-text password behind the curtain. Never mind that xor is equivalent to plain text (Lexor). Never mind that supporting multiple decription keys reduces the effective key length (DVD). Never mind that if you somehow store the decryption keys in a way that the software retreive (DVD again) that anyone can extract them. Never mind that storing a strongly-encoded password along with a weakly-encoded one buys you nothing (Microsoft). Never mind that encryption can't prevent copying (DRM). Never mind that this list can go on forever...

I own a JumpDrive Secure. Don't laugh; I only got it because Wally World didn't have the regular 256MB one. I plugged it in and the first thing it did was install their security software *without asking me*. Yes, Windows XP. Yes, I had turned AutoRun off on my CD. No, I have no idea how to disable AutoRun on a device that has never been plugged in before. Grrrr.

What did I do? I used Linux to reformat the JumpDrive then uninstalled the software it added without my permission. Now I have a perfectly usable device. (This was 4 months ago)

Re:I'm fuzzy on something...

[pclminion]

Although what these guys did is unpardonable. I mean XOR? Jeez.

What's wrong with XOR? Example. I've encrypted a short message of ten bytes, by XORing it with a random sequence of ten bytes. Here's the ciphertext:

26 6B F1 2C 2E 1E 71 12 A9 68

Since XOR encryption is so weak, this should be no sweat to crack, right?

Unfortunately, you'll never be able to crack it, because you don't know what the key was. Even if you found a key that would decrypt this sequence to a meaningful series of bytes, you still don't know if that's the correct answer. More than one valid message can fit into 10 bytes, and you have no way of telling which one of those valid messages was the one I intended. It is literally unbreakable. This is called a one-time pad. Now, if I used the same key repeatedly to encrypt lots and lots of data, you could apply statistical techniques to attack it. But the weakness is not inherent in the XOR operation.

The weakness is in the key security. If you cannot protect the key properly, not even the most complicated cipher in the world can help you.

XOR is a perfectly legitimate method for combining the key, or key-generated data, with the plaintext.

Re:the punchline

[hymie!]

Um...

If A XOR B = C , then A XOR C = B and B XOR C = A.

So if MYPASSWD XOR SECRET = ENCRYPTEDCODE, and I know both MYPASSWD and ENCRYPTEDCODE, then I can find SECRET.

I don't know if all of the drives have the same SECRET or not, but, having determined what SECRET is on my drive, I can give the drive to you, or I can try my SECRET on another drive and see if it works.

--hymie!

Re:I'm fuzzy on something...

[Lost+Race]

There's only one thing you need to make encryption work, and that's the key (or key pair for asymmetric encryption). Where you store the key is the trick. Ideally you want to keep the key separate from the data at all times -- in a separate medium, in the user's brain, whatever. Unfortunately that would mean either carrying around a separate physical key storage device to unlock your storage device (and of course being able to lose them together since you would naturally keep them both on the same keychain) or memorizing a 50-digit number and typing it correctly every time you want to access the device.

So what we usually do in these situations is store the main key in the device itself, encrypted with a smaller key which can be generated from a user-selected password. Why not just use the password-generated key as your main key? Because easily-remembered passwords don't have enough entropy to generate a key strong enough to protect megabytes of data, but they are good enough to protect something small like an encryption key.

Usually such schemes fail when the encryption of the main key is too weak for whatever reason, such that the main key can be recovered without knowing the password. It is indeed bizarre that they would store the password itself on the device in any form, though as we all know the world is full of crappy software "designed" by idiots.

Re:For my encryption needs

[Sheepdot]

Oh really?
------------------
#!/usr/bin/perl -w

use strict;
use Digest::MD5 qw(md5_hex);

# Create a stream of bytes from hex.
my $bytes1 = map {chr(hex($_))} qw(
d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
2f ca b5 87 12 46 7e ab 40 04 58 3e b8 fb 7f 89
55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 71 41 5a
08 51 25 e8 f7 cd c9 9f d9 1d bd f2 80 37 3c 5b
d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6
dd 53 e2 b4 87 da 03 fd 02 39 63 06 d2 48 cd a0
e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 a8 0d 1e
c6 98 21 bc b6 a8 83 93 96 f9 65 2b 6f f7 2a 70
);

# Create a second stream of bytes from hex.
my $bytes2 = map {chr(hex($_))} qw(
d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
2f ca b5 07 12 46 7e ab 40 04 58 3e b8 fb 7f 89
55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 f1 41 5a
08 51 25 e8 f7 cd c9 9f d9 1d bd 72 80 37 3c 5b
d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6
dd 53 e2 34 87 da 03 fd 02 39 63 06 d2 48 cd a0
e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 28 0d 1e
c6 98 21 bc b6 a8 83 93 96 f9 65 ab 6f f7 2a 70
);

# Print MD5 hashes
print md5_hex($bytes1), "\n";
print md5_hex($bytes2), "\n";
------------------

What do I win?

Re:This reminds me of an "un-pickable" lock my ...

[bhny]

did you know you can open a bicycle lock with a bick pen?

Re:I'm fuzzy on something...

[josquin00]

From Encryption Matters:

Here's how to perform an attack that will break the trivial XOR encryption in a few minutes:

* Determine how long the key is

This is done by XORing the encrypted data with itself shifted various numbers of places, and examining how many bytes are the same. If the bytes that are equal are greater than a certain percentage (6% accoridng to Bruce Schneier's Applied Cryptography second edition), then you have shifted the data by a multiple of the keylength. By finding the smallest amount of shifting that results in a large amount of equal bytes, you find the keylength.

* Shift the cipher text by the keylength, and XOR against itself.

This removes the key and leaves you with the plaintext XORed with the plaintext shifted the length of the key. There should be enough plaintext to determine the message content.

Your example works, because your key and plain text are the same length. I think the point is that all Jumpdrives either use the same key, or use one short enough to apply the above to, etc. Short of including (and inventing) a one time pad generator that is truly random, and with the availability of other password encryption methods, why use XOR?

(fixed) A better solution

[DamienMcKenna]

Truecrypt (mirror 1 [freewebtown.com], mirror 2) does the same as PGPdisk but is open-source and seems to still be actively developed, unlike PGP658ckt. It also doesn't have the drive size limitations of some competing commercial products.

Damien

Re:I'm fuzzy on something...

[Piquan]

XOR is a perfectly legitimate method for combining the key, or key-generated data, with the plaintext.

If you're using the key, it has to be an OTP. As soon as you repeat your message using the same key, your cipher's busted.

In the case of key-generated data, that's pretty much what a stream cipher does. But then you don't refer to the cipher as XOR, you refer to it as a stream cipher. You could just as easily use mod-256 addition as XOR if you wanted; the point of the cipher isn't the combination technique, but the stream generator.

The grandparent was referring to XOR as the only cipher method. In the case of an OTP (like you used), it's okay, but that's the only case. This is clearly not an OTP we're dealing with here.

What's worse (and aside from your point), it's open to a chosen-plaintext attack: buy another JumpDrive, set the password, observe. A chosen-plaintext attack can reveal the key of a simple XOR cipher in a single attack (assuming you can ascertain the maximum key length, which is probably something that the password entry dialog gives you). Even without chosen-plaintext, it doesn't take many samples to reveal the key of an XOR cipher, but with chosen-plaintext it's just too trivial.