Lexar JumpDrive Password Scheme Cracked

Saint Aardvark writes "Lexar describes the JumpDrive Secure as "loaded with software that lets you password-protect your data. If lost or stolen, you can rest assured that what you've saved there remains there with 256-bit AES encryption." @stake has a different take: The password can be observed in memory or read directly from the device, without evidence of tampering." And best of all, the punch line: "[The password] is stored in an XOR encrypted form and can be read directly from the device without any authentication." That's why I use ROT-13 for my encryption needs."

Even worse...

Why go through all the trouble of attaching a debugger to the process when you can bribe the user to tell you the password with a chocolate bar! Best of all, this trick will still work long after Lexar fixes their security issue.

Re:Even worse...

[Minwee]

And more importantly, do you even know what "redundant" means?

Re:Even worse...

[Marxist+Hacker+42]

I like those people. They're so stupid. I can get chocolate out of them simply by saying "I use the 9 billion names of God for my passwords. I'm up to Shiva".

DMCA

[Lead+Butthead]

Doesn't that violate DMCA?

Re:DMCA

[kelnos]

This may sound silly, but how is the "first post" redundant? I mean... first. Mods, you do know what the word "first" means, right?

Re:DMCA

[Alizarin+Erythrosin]

Hopefully Lexar doesn't take the path I'm afraid they will and bust out the DMCA against @stake. That is just a horrible excuse for "security" and it needs to be fixed. Security through obscurity just leaves more opportunity for the evil-minded to steal information (or spread viruses or whatever) by keeping the public unaware of the security flaws.

Re:DMCA

[micromoog]

Yep, the new watchword in American 'security': "Who needs respectable technology when you've got the DMCA?"

Re:DMCA

[Wubby]

Doesn't that violate DMCA?

I don't think so. The DMCA pertains to the encryption of copyrighted works. What's the "works" in this case? The "encryption" is on someones personal documents, not Lexar code or works.

This is just encryption here, not "encrypted works". Circumventing for research is legal under the DMCA, but I'm pretty sure that it doesn't apply here.

And it only took the guys at distributed.net

[PrimeWaveZ]

Three years to get .01% of the way done cracking this before someone realized it was ROT13. ;)

An embarassment of security.

[michael+path]

The password is in XOR'd form? Yeah. That's encryption.

Couldn't the software or driver have stored the password in a MD5 or SHA1 form, and still present a valid authentication mechanism for end users?

From the article:


Vendor Response:

08-05-2004 Vendor contacted via email to support@lexarmedia.com
No response.
08-12-2004 Vendor contacted again via email to support, sales
Public Relations, Investor Relations, and general
inquiry email addresses.
08-12-2004 Automated response from support received
09-13-2004 No further response from vendor, advisory released

Vendor has not acknowledged issue or produced a fix.


This is a pretty embarassing non-response.

The product is only about 5 or 6 months old, and the password was just sitting there. AES is a perfectly fine standard for encryption, but this is an embarassing implementation. Thankfully, I don't know anyone who owns this.

Re:An embarassment of security.

[mcpres]

Well it's good to know because I own one. On the bright side if I had ever forgotten my password, I can now retrieve the data. Another point to @stake.

Re:An embarassment of security.

[pete-classic]

Horseshit. All my data is XORed against itself before it is written to disk. I assure you that you can't crack it.

-Peter

Re:An embarassment of security.

[Alizarin+Erythrosin]

The password is in XOR'd form? Yeah. That's encryption.

Couldn't the software or driver have stored the password in a MD5 or SHA1 form, and still present a valid authentication mechanism for end users?

Aside from storing the password in XOR'd form, the software checking the password is flawed. It unencrypts the password first, then compared the password entered. Rather then encrypting the password entered and comparing it to the device?

There may even be better ways than that. I'm not a cryptography person, but that's the first thing that comes to mind.

Re:An embarassment of security.

[benchbri]

I've got one of these, so now you do know someone with one.

If you're carrying around secure documents/files on a jumpdrive using only the included encryption scheme, you may need a lobotomy. I took one look at the security program that came on the drive, and threw it out. I knew I'd never need it. It wasn't a program that looked like it reeked of security, either. I'm acutally surprized this is the first report of the JumpDrive being cracked.

Since there are dozens of USB drives on the market, and the're basically the same price (my JumpDrive was the same price as the other 128Mb offerings in Circut City), I wouldn't think a consumer to expect a fairly decent encryption system for free. On top of that, if you're carrying around sensitive documents on your keys, just think: when's the last time you lost your keys?

Re:An embarassment of security.

I don't get why they store (and check) the password in any way. The password becomes the encryption key for the data. If you enter the correct key you can access the files, if you don't you get garbage...

So what's the purpose of the stored password?

Re:An embarassment of security.

[michael+path]

Dude, *storing* a password that is XORd and using a one time pad are two VERY different things - even if XOR is a common function.

One Time Pads are as close to a perfect means as is out there. This, well, isn't.

Re:An embarassment of security.

[alienw]

Rather then encrypting the password entered and comparing it to the device?

That would not be any better than it is now.

The right way to do this would be to use the password to generate an encryption key and encrypt the data with it. Then, the only possible vulnerabilities are the password itself and various known-plaintext attacks.

Re:An embarassment of security.

[steveha]

All my data is XORed against itself before it is written to disk.

What a waste of valuable CPU cycles! Here's a speedup that does the same thing much faster:

/* implement "XOR data with itself" security algorithm */
/* but cleverly don't actually use XOR */
/* don't forget to null-terminate encrypted data! */

int
CopyWithL337XORSecurity(char *in, char *out)
{
int length;

length = strlen(in);

memset(out, 0, length + 1); /* length + 1 for null termination */

return length;
}

That should run much faster -- standard library functions are always well-optimized.

Just doing my part for data security.

steveha

Re:An embarassment of security.

[Chris+Mattern]

> Thankfully, I don't know anyone who owns this.

I do, and I keep fairly sensitive information on it (in fact, I bought it in order to keep that information handy but secure). But I don't use Lexar's software--never even occured to me to try to use it, as I want to access it in Solaris and Linux. I use GPG; downloaded a GPG for Windows and put it right on the key so that I can use it in any Windows machine as well.

Chris Mattern

Re:An embarassment of security.

[Alizarin+Erythrosin]

The right way to do this would be to use the password to generate an encryption key and encrypt the data with it. Then, the only possible vulnerabilities are the password itself and various known-plaintext attacks.

No, there's one more... the user forgetting that password. Not exactly a compromise situation, but a support nightmare.

Re:An embarassment of security.

[clambake]

I don't get why they store (and check) the password in any way. The password becomes the encryption key for the data. If you enter the correct key you can access the files, if you don't you get garbage...

Makes me think there si NO encryption on any of the data... Just a funny driver hack that stops you from reading a certian sector of the drive.

Re:An embarassment of security.

[spellraiser]

Good point. This is quite true. XOR is unbreakable provided that your key is random, and is as long as the data you are encrypting. Like you said, this would be a One time pad, and thus perfectly secure. The downside is, of course, that you need a very long key, and can never reuse it.

However, using a small key and XOR-ing it periodically with the data is very insecure and can be broken easily.

When one wants security coupled with a (relatively) small, fixed-length, reusable key, block ciphers such as AES are the way to go. The JumpDrive people got this right.

The article under discussion is short on details, but I can guess from what's said that the JumpDrive software probably generates an AES key from a user-supplied password. This is fine, but the mistake seems to lie in storing the password on the drive itself, 'in an XOR encrypted form'. Now, this probably means that the XOR key that is used to attempt to hide the password is known; i.e. can be gotten from the software.

Even though the XOR key is as long as the password, this is of course very insecure in this case. It's very easy to recover the password, generate the AES key, and decrypt.

This only goes to show that any cryptographic method is only as strong as the weakest link.

Re:An embarassment of security.

[SamNmaX]

Horseshit. All my data is XORed against itself before it is written to disk. I assure you that you can't crack it.

That joke sure was cryptic.

Re:An embarassment of security.

[lynx_user_abroad]

Infact it [XOR] is unbreakable when used for encryption. Ever heard of an one time pad.

Never use the work "unbreakable" when describing an encryption protocol. Every encryption system (including OTP) is vulnerable to the Karnak attack.

Re:An embarassment of security.

[SnakeJG]

What an embarassingly easy system to crack. All I need to do is XOR the result with your data...

Re:An embarassment of security.

[alienw]

If the device actually encrypts the files, it is not necessary to store the password in any form, hashed or otherwise. You can just decrypt the data with the given password and check if the CRC matches to find out if the password is correct or not.

Re:An embarassment of security.

[lildogie]

> All my data is XORed against itself before it is written to disk.

I think they call that a one-time pad. ;-)

"One-time" 'cause that's how many times you'll try it.

Re:An embarassment of security.

[Pig+Hogger]

All my data is XORed against itself before it is written to disk. I assure you that you can't crack it.

I not only do that, but I also BZIP2 the result, and I get fantastic compression!!!

Re:An embarassment of security.

[null+etc.]

Actually, CHR$(13)+CHR$(10) is used to terminate lines of text (carriage return/linefeed), not character strings.

Re:An embarassment of security.

[Carnildo]

You don't know what the Karnak attack is, do you? I belive it's related to rubber-hose cryptography.

Re:An embarassment of security.

[DrSkwid]

you, like he, and like I should just not have posted *anything*

Dude,

[2names]

EVERYTHING violates the DMCA. Everything. Even talking about violating the DMCA violates the DMCA.

Re:Dude,

[Ignominious+Cow+Herd]

So, all we have to do is prove that the DMCA violates the DMCA and it will disappear in a puff of illogic, right?

Re:Dude,

[MalaclypseTheYounger]

Ane then it will be replaced with an even larger piece of illogical rubbish.

Some say this has already happened.

Re:Dude,

[grassy_knoll]

Even talking about violating the DMCA violates the DMCA.

When did the DCMA become Fight Club?

[Badum-ching]

Re:Dude,

[Caseyscrib]

When did the DCMA become Fight Club?

August.

Re:Dude,

[CMRichar]

I thought this was covered in the first meeting...

The first rule of the DMCA is You do NOT talk about the DMCA.
The second rule of the DMCA is YOU DO NOT TALK about the DMCA.
The third rule of the DMCA, someone yells "Stop!", goes limp, taps out, is violating the DMCA.
Fourth Rule, Two attorneys to a case.
Fifth rule, No limits to the number of cases, fellas.
Sixth rule, No Shirt, No Shoes. They are officially circumvention devices under DMCA law.
Seventh Rule, cases will go on as long as they have to.
And eighth and final rule, If this is your first night at the DMCA, you have to be sued.

Cue::Cat

[althalus]

That's what happens when you get your security developers from the Cue::Cat Development team. Wasnt' their 'encryption' just XOR or something similar?

Re:Cue::Cat

[AKAImBatman]

It was Base64 "encryption" (*snicker*)

Re:Cue::Cat

[artemis67]

that, and their password was "PASSWORD"

It's a "feature"

[grunt107]

It allows those who forget their passwords to quickly access the 'lostpaswd?' file, saving on support calls.

Not much detail?

XOR'ed with what? XOR is just a method of encryption, not a cypher or anything... it's the basis for the one-time-pad, the strongest encryption method next to quantum encryption.

Re:Not much detail?

[PhilipPeake]

This is actually a clever sales gimmick.

You can find the "what with" part by simply XORing again with you key. So to find out what the magic string is, simply buy one of these devices, encrypt some data to it, then locate the encrypted key and XOR you original password with the "encrypted" version.

Doing this with your own device means you are not violating DMCA - trying this out with someone elses device will subject you to the possibility of 57 consecutive life sentences.

Re:Not much detail?

[nkh]

Without a doubt it's a xor used with a key length of a few bytes.
xor + small_key = cypher for dummies, it's an old standard for those who don't care about security.

OK, don't kill ALL the lawyers yet

[jmorris42]

If ever there was an example of why we need product liability laws, this is it. Unlease the attack lawyers on these bums.

Seriously

[Alien54]

This is up to the highest standards of the RIAA and MPA. Really.

You will be legally liable for the legal consequences of any attempt to break through this advanced encryption technology.

The #1 DMCA Rule

[Tackhead]

> EVERYTHING violates the DMCA. Everything. Even talking about violating the DMCA violates the DMCA.

The number one rule of talking about the DMCA and archiving the results, encrypted, on a Lexar JumpDrive.

You do NOT talk about DMCA and archive the results, encrypted, on a Lexar Jumpdrive!

Re:The #1 DMCA Rule

[mothz]

But if you did talk about the DMCA and encrypt the results, it would require someone else to violate the DMCA to decrypt the results to prove your guilt. Furthermore, it would take someone to even think about violating the DMCA, thereby being in automatic violation of the DMCA, to even suspect that you violated the DMCA.

Tin-foil hats work, I tell you!

Re:The #1 DMCA Rule

[mattyrobinson69]

i use a uranium hat - it protects the data in my brain, like file shredding, except better

Re:The #1 DMCA Rule

[ScrewMaster]

Tin-foil hats work, I tell you!

Indeed they do. When the government's orbiting atomic-powered microwave mind-beam satellites are activated to make sure the election goes off without a hitch this time, that tinfoil crisper up there will help turn your head a nice golden brown. Important safety tip: tinfoil hats are not for use in a conventional oven.

Drive Crypt

[xombo]

That's why I use DriveCrypt. I got my version years ago and it's pretty antiquated but it supports up to 1024 bit encryption (granted it makes things relatively slow).

Re:Drive Crypt

OK, "1024 bit" encryption for something like this seems absurd to the point of snake oil. If this were public key encryption, 1024 bit wouldn't be that impressive. But for something like this, it would be symmetric encryption, in which case 1024 bit is stupidly high. 256 bit AES would be more than sufficient, or since it's older, maybe Blowfish.

Larger key sizes doesn't magically mean better encryption. It's just a marketing tool that you bought into hook, line and sinker.

Re:Drive Crypt

[xombo]

That's why I use the 256 bit blowfish on my encrypted drives. Not only is it sufficiently secure but it runs at a decent speed on all my systems (even the 400mhz Cellery I keep in my car). It scales all the way down to 4bit if I remember correctly.

Re:Drive Crypt

[D.+Book]

Just an obligatory mention of the Free / Open Source alternative: CrossCrypt, and the graphical version, CrossCryptGUI. Actually, I don't think I could've picked a worse time to mention them. The CrossCrypt site is down, and for some reason, the CrossCryptGUI site now displays a black background (so you can't see the text).

Nevertheless, I've used CrossCryptGUI 0.75 for some months now with a 20GB encrypted volume, and haven't had a problem (though backups are essential in case of corruption). As far as I'm aware, it's the only PGPdisk-like program on the Windows platform that is Free / Open Source and in active development.

Actually, on doing a search it appears another program called TrueCrypt, which I'd tested before CrossCrypt, has been resurrected. It had a more polished interface and documentation, and support for USB flash drives, but development was halted after Securstar (the makers of DriveCrypt) made legal threats.

Inevitable?

[xanthines-R-yummy]

Isn't this in line with the whole "No machine[usually meaning computer, but in this case a jumpdrive] is secure if the physical box is in the hands of the hacker/criminal."

I mean, if you have the jumprdrive in your possession it's only a matter of time before you find a weakness to exploit, right?

Re:Inevitable?

[Minna+Kirai]

"No machine[usually meaning computer, but in this case a jumpdrive] is secure if the physical box is in the hands of the hacker/criminal."

That's not true. If my harddrive contains an encrypted filesystem, it does a "hacker" no good to steal my PC. He's mathmatically less likely to brute force that encryption than if he sniffed encypted email or SSL sessions.

If the hacker installs a keylogger, and I don't detect the intrusion when I return, then a second trip to physical access could break the security... but getting his hands on it once won't help.

That famous saying only applies if the machine gets some ongoing use after the hacker has physical access. (Thus it demonstrates a core flaw of DRM, etc)

I mean, if you have the jumprdrive in your possession it's only a matter of time before you find a weakness to exploit, right?

No. There is no reason a device like this needs to store the password at all.

Properly, it shouldn't be a "password" at all, but a decryption-key you type before accessing the files. Type in the wrong key, and the files appear scrambled.

Re:Inevitable?

[Erpo]

Isn't this in line with the whole "No machine[usually meaning computer, but in this case a jumpdrive] is secure if the physical box is in the hands of the hacker/criminal."

I mean, if you have the jumprdrive in your possession it's only a matter of time before you find a weakness to exploit, right?

Nope. The jumpdrive is just a data storage device and if it only contains encrypted data, an attacker can only read the (probably useless) encrypted data it stores. You can't decrypt it unless you have the decryption key, or you can break the encryption algorithm.

The problem here is that the password necessary to decrypt the data is stored inside the drive itself. An ideal secure portable data storage device would only store the encrypted data and a program to decrypt the data with a user-supplied passphrase. Lexar made a stupid mistake--that's all.

However, the whole "No machine [usually meaning computer, but in this case a jumpdrive] is secure if the physical box is in the hands of the hacker/criminal." rule still applies. In this case, it means that there's no way the owner of a jumpdrive can prevent a thief from erasing the drive or reading any of its memory.

Re:Inevitable?

[merlin_jim]

I mean, if you have the jumprdrive in your possession it's only a matter of time before you find a weakness to exploit, right?

No. It is absolutely possible to implement a symmetric encryption scheme that does not expose any details of the password and requires the password to be correct in order to decrypt the data.

For instance, instead of saving an xored version of the password (I'm assuming you need the cleartext of the password to run through your decryption algorithm), you can save a hash of the password. Then when the user enters their password, you compare hashes for correctness, and if there's a match, you use the cleartext they just entered.

Assuming all your math is done right and you're using strong crypto, there's nothing anyone could do to decrypt that data without a) knowing the password or b) having more computing power at their disposal than is currently available to any private citizen or group.

wow

I had one of those things. I'm glad that I always manually encrypted sensitive information instead of relying on their tool. That is until the drive mysteriously stopped working at all after about 6 months.

No way am I buying anything they make again.

Re:wow

[sbowles]

I'm glad that I always manually encrypted sensitive information instead of relying on their tool.

When I bought mine, it came down to a basic business decision:

• pay a premium to get a JumpDrive with some unknown proprietary security program that was developed by people who's focus is hardware; or
• get a basic JumpDrive and use free PGP that I could allow me to seemlessly copy/store/read data between multiple applications on multiple systems protected for/by multiple users.

The decision didn't require much thought.

That is until the drive mysteriously stopped working at all after about 6 months.

Could be the luck of the draw. I've had mine for over a year and it's still going strong.

I'm fuzzy on something...

[ALecs]

Why does the password need to be 'stored' anyway? Isn't that kinda the point?

Is this some sort of 'encrypted session key' thing where one long, secure password decrypts another shorted one that's used to do the dirty work? Is it stored for key recovery by tech support droids?

Why store the password? Is this just the worst implementation in the whole world or am I missing something?

Re:I'm fuzzy on something...

[savagedome]

Why does the password need to be 'stored' anyway?

One word: support.

Ideally, they should not be storing the password on the disk itself at all for it to be a secure drive. But I've seen a lot of these decisions that seem boneheaded because a *lot* of people will forget their passwords and come back *demanding* that you decrypt their shit. If this is someone that even remotely knows the CEO of the company or somebody higher up and if you try to explain them one-way math functions, you will be getting the pink slip in no time.

Although what these guys did is unpardonable. I mean XOR? Jeez.

Re:I'm fuzzy on something...

[Marxist+Hacker+42]

You're not the one missing something. The lexar software engineer who came up with this one obviously never read The Cookoo's Egg or the Linux Source Code- or he'd know how to do a password right (yes, the password does need to be stored someplace, NO, it does not need to be in it's original form, and ideally it should be either hashed beyond mathematical recognition or part of the encryption key for the rest of the data or ideally both).

Re:I'm fuzzy on something...

[dpilot]

To give them a little (very little) slack... Some form of the password has to be stored away, so you can validate the user-input password. But this shouldn't be rocket science, since SSH, PGP, GPG, and even PasswordSafe have done exactly this type of thing for aeons. All Lexar has done is put it on a little piece of solid-state removable storage.

Either they're horribly naive about this stuff, and could/should have done a better job;
Or the constraints of the device wouldn't let (How can this be on a multi-MB device, I dunno.) do a better job, in which case they shouldn't have brought it to market.

Re:I'm fuzzy on something...

[pclminion]

Although what these guys did is unpardonable. I mean XOR? Jeez.

What's wrong with XOR? Example. I've encrypted a short message of ten bytes, by XORing it with a random sequence of ten bytes. Here's the ciphertext:

26 6B F1 2C 2E 1E 71 12 A9 68

Since XOR encryption is so weak, this should be no sweat to crack, right?

Unfortunately, you'll never be able to crack it, because you don't know what the key was. Even if you found a key that would decrypt this sequence to a meaningful series of bytes, you still don't know if that's the correct answer. More than one valid message can fit into 10 bytes, and you have no way of telling which one of those valid messages was the one I intended. It is literally unbreakable. This is called a one-time pad. Now, if I used the same key repeatedly to encrypt lots and lots of data, you could apply statistical techniques to attack it. But the weakness is not inherent in the XOR operation.

The weakness is in the key security. If you cannot protect the key properly, not even the most complicated cipher in the world can help you.

XOR is a perfectly legitimate method for combining the key, or key-generated data, with the plaintext.

Re:I'm fuzzy on something...

[JazzHarper]

I suppose that the engineers who did this knew how to properly encrypt the passwords, but some product manager told them that they absolutely had to make the password retrievable.
Okay, boss, you got it.
-

Re:I'm fuzzy on something...

[Lost+Race]

There's only one thing you need to make encryption work, and that's the key (or key pair for asymmetric encryption). Where you store the key is the trick. Ideally you want to keep the key separate from the data at all times -- in a separate medium, in the user's brain, whatever. Unfortunately that would mean either carrying around a separate physical key storage device to unlock your storage device (and of course being able to lose them together since you would naturally keep them both on the same keychain) or memorizing a 50-digit number and typing it correctly every time you want to access the device.

So what we usually do in these situations is store the main key in the device itself, encrypted with a smaller key which can be generated from a user-selected password. Why not just use the password-generated key as your main key? Because easily-remembered passwords don't have enough entropy to generate a key strong enough to protect megabytes of data, but they are good enough to protect something small like an encryption key.

Usually such schemes fail when the encryption of the main key is too weak for whatever reason, such that the main key can be recovered without knowing the password. It is indeed bizarre that they would store the password itself on the device in any form, though as we all know the world is full of crappy software "designed" by idiots.

Re:I'm fuzzy on something...

[pclminion]

The password doesn't have to be stored, in hashed form or otherwise.

Instead of hashing the PASSWORD, you can hash the DATA. If you decrypt with the wrong key, the hash of the corrupted data will certainly not match the corrupted hash of the original data. Maybe that isn't clear. Let me try again.

Suppose you have data D and the hash of that data, H(D). Now, encrypt them with key A:

Ciphertext = Encrypt_A(D . H(D))

Then ,decrypt with incorrect key B:

Plaintext_Incorrect = Decrypt_B(Ciphertext) = C . GarbageHash.

Now, since the incorrect key will produce garbage instead of meaningful data, we know that H(C) != GarbageHash if the key is incorrect. Thus, you can verify whether the key was correct without storing the key, or a hash of the key, anywhere.

Re:I'm fuzzy on something...

[josquin00]

From Encryption Matters:

Here's how to perform an attack that will break the trivial XOR encryption in a few minutes:

* Determine how long the key is

This is done by XORing the encrypted data with itself shifted various numbers of places, and examining how many bytes are the same. If the bytes that are equal are greater than a certain percentage (6% accoridng to Bruce Schneier's Applied Cryptography second edition), then you have shifted the data by a multiple of the keylength. By finding the smallest amount of shifting that results in a large amount of equal bytes, you find the keylength.

* Shift the cipher text by the keylength, and XOR against itself.

This removes the key and leaves you with the plaintext XORed with the plaintext shifted the length of the key. There should be enough plaintext to determine the message content.

Your example works, because your key and plain text are the same length. I think the point is that all Jumpdrives either use the same key, or use one short enough to apply the above to, etc. Short of including (and inventing) a one time pad generator that is truly random, and with the availability of other password encryption methods, why use XOR?

Re:I'm fuzzy on something...

[Tokerat]

Passwords can simply be stored by using a simple encryption method and encrypting the password, using the password itself as the key. That way, the only way to read the password to verify it is if you have the password. Works pretty well in the passwd/shadow file...

There isn't much excuse for this other than "we never thought anyone would try that", but then if that's the thinking, why do we even need security products or encryption?

Re:I'm fuzzy on something...

[Piquan]

XOR is a perfectly legitimate method for combining the key, or key-generated data, with the plaintext.

If you're using the key, it has to be an OTP. As soon as you repeat your message using the same key, your cipher's busted.

In the case of key-generated data, that's pretty much what a stream cipher does. But then you don't refer to the cipher as XOR, you refer to it as a stream cipher. You could just as easily use mod-256 addition as XOR if you wanted; the point of the cipher isn't the combination technique, but the stream generator.

The grandparent was referring to XOR as the only cipher method. In the case of an OTP (like you used), it's okay, but that's the only case. This is clearly not an OTP we're dealing with here.

What's worse (and aside from your point), it's open to a chosen-plaintext attack: buy another JumpDrive, set the password, observe. A chosen-plaintext attack can reveal the key of a simple XOR cipher in a single attack (assuming you can ascertain the maximum key length, which is probably something that the password entry dialog gives you). Even without chosen-plaintext, it doesn't take many samples to reveal the key of an XOR cipher, but with chosen-plaintext it's just too trivial.

Re:I'm fuzzy on something...

[manWorkSucks]

10 bucks says the cleartext of

26 6B F1 2C 2E 1E 71 12 A9 68

is HELLOWORLD.

just a guess :)

Re:I'm fuzzy on something...

[Punto]

Unfortunately, you'll never be able to crack it, because you don't know what the key was.

But where do you store this key? do you XOR it with something else? (and what do you do with that something else?) If you use any other more sophisticated method to hide it, why not just use that for the password in the first place? Also, in this case you alredy know what the password is (after all, it's _your_ JumpDrive, whatever that is), so you can xor it and get the 'secret key'. With that, it should be easy to find out what happens to it (even if it's random).

Re:I'm fuzzy on something...

[pclminion]

But where do you store this key?

But that question has nothing to do with XOR, does it?

My point was simply that XOR is a key-combining operation. The fact that an algorithm uses XOR does not imply insecurity. There are, of course, plenty of bone-headed possible implementations. But none of those problems are the fault of the XOR operation.

I couldn't remember what

[2names]

"redundant" meant...until I got the Jerry Jackson memory system.

I was always forgetting important things, like the meaning of the word "redundant." But thanks to the Joe Johnson memory system, I can now remember things like the meaning of the word "redundant." Thanks, Jack!

Copyright 2004, Jake Johannson Memory systems.

rot13?

That's why I use ROT-13 for my encryption needs

Pshaw...That's real secure! You really should be using double, or better yet, quadruple Rot-13...

On an alternative note ..

[snaggled]

Check out this enigma machine for sale. How cool is this.

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem& ca tegory=4721&item=2269717995&rd=1&ssPageName=WD VW

This shows once again...

[piquadratCH]

...that the best encryption algorithm is worth nothing if you fuck up the implementation...

Man, that's scary...

[naer_dinsul]

Geeze... This is probably the first /. story I've read that ACTUALLY applies to me...

But seriously, I own one of these... In fact, they're pretty popular in my area just because their cheap and sold at Wal-Mart... I don't personally use the password protection because I always felt it was just an extra step and I didn't really need that much security on my Flash Drive anyways...

(It's not like I was storing all of my server's passwords on it or anything..... Honest...)

Thank you @stake and people like you for making sure products are as secure as they say they are...

Are you sure that wasn't my computer?

[Trigun]

Re-check that ip address.

the punchline

[soybean]

[The password] is stored in an XOR encrypted form and can be read directly from the device without any authentication.

That's not much of a punchline when you realize that XORing something to something unknon (and presumibly unknowable) is unbreakable excryption.

Re:the punchline

[Hrolf]

No, the password is XORed with itself. It's the ultimate form of protection. Plus the resulting encrypted string can be compressed very tightly, saving disk space.

Re:the punchline

[hymie!]

Um...

If A XOR B = C , then A XOR C = B and B XOR C = A.

So if MYPASSWD XOR SECRET = ENCRYPTEDCODE, and I know both MYPASSWD and ENCRYPTEDCODE, then I can find SECRET.

I don't know if all of the drives have the same SECRET or not, but, having determined what SECRET is on my drive, I can give the drive to you, or I can try my SECRET on another drive and see if it works.

--hymie!

My password is twice as secure as yours!!!

I use ROT-26.

-

Re:My password is twice as secure as yours!!!

[julesh]

I use ROT-26.

I don't advise that. All crypto experts know you should do something unexpected to throw the analysts, like performing extra rounds or something.

I use 3 rounds of ROT-8 followed by one of ROT-2. They'll never work that one out.

Security through obscurity sucks...

[GillBates0]

That's why I store and transmit all my data as plain text.

ROT13 - Only once?

[Reorax]

Sure, ROT13 is secure. But why not give potential crackers something to cry about: encrypt it twice!

I store all my passwords on...

a DOS floppy disk, as straight text in a file, called COMMAND.COM. I have a a big red label on the disk, "BOOT".

Noone ever stole any of my passwords.

Re:For my encryption needs

[Aardpig]

I use MD5. Not one collision ever found in the wild.

On the off chance that this isn't a joke, and you're one of the genii on /. who thinks that MD5 has anything to do with cryptography, let's reiterate:

MD5 is a hashing algorithm. All hashing algorithms are guaranteed to collide, since hashing is the process of reducing an N-fold dataset to an M-fold one, where M<N.

Because of this, hashing is irreversable, and therefor only an idiot would use it for encryption. It's proper purpose is for checksuming.

*holds down shift*

[ARRRLovin]

There we go.........my little brother won't keep his porn on one of these anymore. haha

ROT13?

[twigles]

ROT13 ... oooohhhh! 13!!! Shit, I was using 11! No wonder it wasn't working.

Tried contacting them...

[Vexler]

I tried both calling them and trying their live chat feature from their website, but so far no response. The company is in California, and I am calling them about 3:30 PM EDT. So far, no responses from either the phone call (I am still on hold) or the live webchat.

Sounds awfully like a head-in-the-sand approach to security to me.

Re:Tried contacting them...

[owlstead]

Sounds awfully like a head-in-the-sand approach to security to me.

If you would try that long enough it would probably work. Any data that was in the brain is probably irrecoverable.

Re:Almost...

XOR means "exclusive or". A regular "or": if one of the inputs is 1, return 1. An "exclusive or": if one of the inputs is 1, but not both, return 1.

OR:
0101
0011
----
0111

XOR:
0101
0011
----
0110

AND:
0101
0011
----
0001

Not so fast!

[PaulBu]

Because of this, hashing is irreversable, and therefor only an idiot would use it for encryption. It's proper purpose is for checksuming.

MD5 *does* have something to do with cryptography (why else would Schneier devote the whole 14th chapter of Applied Cryptography to "One-way hash functions"), and the reason is simple: it is used to encrypt your *password*, not your data (Lexar was claiming that they use 256-bit AES encryption for the data itself).

For authentication you do not store the password in plaintext, only its MD5 hash, when user enters the password, MD5 of that is computed and compared to the stored MD5 string, if they match -- your user is authenticated. Of course XOR with a "magic number" could be used for the same purposes, but it would be much weaker. Thus, I think that the GP was not a troll and made a valid point: use MD5 to hash your passwords, and preferrable add some salt value to prevent against dictionary attack.

The other questiuon is why did Lexar had to store passwords on the drive at all, one does not need to authenticate users in their scenario (the drive itself is not a self-cointained computer to which a user needs to gain access) -- they could've just asked for the password, convert it to the key used in AES algorithm, decode the data and give the result: if password is incorrect, the decoded data is garbage.

Paul B.

Re:Not so fast!

[Piquan]

Reading your post is like one of those "How Many Mistakes Are In This Picture" things you see in Highlights.

The salt doesn't have anything to with protecting against dictionary attacks,

The salt is exactly to prevent against dictionary attacks. A dictionary attack (using the term old-school) is where I prepare, in advance, a dictionary of passwords and their hash values, indexed by the latter. Then, when you're making your attack, you look up the hashed password and voila! you know the password. In a world without salts, I expect that many security folks would be able to recognize many common passwords' hash values on sight.

it is used to make the algorithm computationaly harder to break.

The salt does nothing (or rather an insignificant amount) to make the computation harder. It's specifically used to prevent a dictionary attack.

The salt is simply the first two characters in your hash,

The salt is a randomly-generated sequence. It's stored as the first two characters of the encrypted password in traditional crypt() passwords, and is followed by the hash. But it's not the first two characters of the hash.

all of the subsequent characters are based from the salt.

They're based off of both the salt and the password. Your post makes it sound like the password is hashed, the first two characters of the hash are the salt, and the rest of the password entry are generated from that. This is not at all what happens.

The salt is generated randomly (from the time of day, number of processes running, etc), to get 12 bits of randomness (note that the salt is isomorphic with the space [A-Za-z0-9/.]{2}). The password is hashed using a DES, with the password as the key and a string of 0s as the plaintext. Partway through the DES operation (specifically, after the E-box), some of the bits are swapped based on the salt.

After DES outputs the hash value (its ciphertext), it is appended to the salt. This concatenated value is stored in the passwd field of your passwd file. So the salt is the first two characters of that output, but it's not the first two characters of the hash. It's used to perturb the hash in one of 2^12 ways.

Note that the specifics I gave (length of salt, use of DES) only applies to traditional Unix passwords. Most modern Unixes use a different hash scheme by default, such as MD5. The role of the salt still applies: it's used to perturb the hash function to prevent dictionary attacks. There are differences in how it's stored and how it perturbs the hash.

For further study, I recommend reading Password Security: A Case History by Robert Morris and Ken Thompson.

Snuffle

[tepples]

Because of this, hashing is irreversable, and therefor only an idiot would use it for encryption. It's proper purpose is for checksuming.

Try telling that to Daniel Bernstein. His "Snuffle" code converts any hash into a cipher. To put it shorter: sampling the output of a well-designed hashing algorithm after every n bytes produces a suitably random bitstream; XORing that against the message produces a stream cipher.

XOR Encryption is NOT unbreakable

[bahamutirc]

I've seen a number of posts stating the XOR is unbreakable. Hopefully they're just joking and didn't get modded as such, because I've read in several places that XOR sucks. A quick Google revealed the following.

Hack-FAQ

And I quote: XOR encryption is trivially simply to implement and equally trivial to break. XOR encryption should not be utilized for any data which you would want to protect.

I could go grab my Applied Cryptography book and make sure, but it's out of arms reach right now.

UPDATE from conversation with Lexar...

[Vexler]

After being put on hold for over twenty minutes, I finally spoke with a man named Henry who said that he has never heard that JumpDrive had a security problem (even after I confronted him with the advisory from @Stake), and did not know that @Stake was trying to contact them for over a month. He was quite shocked but promised to check out /. and @Stake to verify the claim.

The ostrich finally wakes up.

Re:UPDATE from conversation with Lexar...

[fishbowl]

>The ostrich finally wakes up.

Wrong, he just got you off the phone, while still denying any knowledge of the problem.

Re:XOR is not the problem

[pclminion]

If the attacker had a good sample of passwords, this would be vulnerable to statistical analysis attacks.

Not if the key was exactly as long as the message. In that case, we'd have a system equivalent to a one-time pad (i.e., unbreakable) so long as the key was kept secure.

In this case, it might be feasible to XOR an 8-character password with 8 random bytes (those 8 random bytes would be the key). The problem isn't the XOR operation. The problem is maintaining the security of the key itself.

Statistical attacks can only work when there is a lot of ciphertext, AND the key is significantly shorter than the message.

A better way to make "secure zones"

[g_adams27]

I needed a way to make a "secure zone" similar to what Lexar was advertising - a place where I could drop files and have them automatically protected. After doing a fair amount of research, I decided to use PGPDisk. It allows you to create a PGP-encrypted file on any device (hard drive, CD, USB key, etc) which "expands" into a virtual drive (e.g. "C:\Private\SecretStuff.dsk" becomes a new "Removable drive G:" in Windows once you enter the password). Anything you drop into the virtual drive becomes encrypted. It uses 128-bit symmetric CAST algorithm, which is plenty strong enough for anything I'd need. (I believe the newest versions may also have a Twofish algorithm option). PGPdisk virtual drives can be up to 4Gig on a FAT32 machine, or unlimited size under NTFS.

You can check out the commercial version at http://www.pgp.com/, but I would also seriously consider PGPckt 6.58, a forked and free version that works just fine under WinXP (and previous versions of Windows). That's the version I've been using.

Re:A better way to make "secure zones"

[chill]

Or...

You could partition the USB drive. Partition #1 is normal (FAT-12) and partition #2 is mounted via loop-aes.

Assuming you use Linux or BSD and not Windows.

The fun part is if you partition 50%/50%, and the drive doesn't have the size printed on it, when a Windows person installs it they will never even see partition #2 unless they go into a partition editor. All they get is an automounted partition #1 -- which is the proper size for the little brother to the model you're using.

Security through obscurity! (Backed by AES, just in case.)

Grrrr

[c++]

This kind of thing just burns me up. Clueless companies hire clueless developers who think they can make software or hardware relatively secure by mearly applying encryption in whatever way they think is convenient. Never mind the plain-text password behind the curtain. Never mind that xor is equivalent to plain text (Lexor). Never mind that supporting multiple decription keys reduces the effective key length (DVD). Never mind that if you somehow store the decryption keys in a way that the software retreive (DVD again) that anyone can extract them. Never mind that storing a strongly-encoded password along with a weakly-encoded one buys you nothing (Microsoft). Never mind that encryption can't prevent copying (DRM). Never mind that this list can go on forever...

I own a JumpDrive Secure. Don't laugh; I only got it because Wally World didn't have the regular 256MB one. I plugged it in and the first thing it did was install their security software *without asking me*. Yes, Windows XP. Yes, I had turned AutoRun off on my CD. No, I have no idea how to disable AutoRun on a device that has never been plugged in before. Grrrr.

What did I do? I used Linux to reformat the JumpDrive then uninstalled the software it added without my permission. Now I have a perfectly usable device. (This was 4 months ago)

This reminds me of an "un-pickable" lock my ....

[StressGuy]

dad once bought.

It had no keyhole, just a bunch of magnectic "reeds" that would line up when a special magnetic key was put along side of it. My dad had just purchased it that day and was explaining to me how it worked. I asked, "couldn't you just shake it until the reeds lined up?". He tosses the lock to me and says, "here...try it then". I shook the lock for a couple of seconds and, sure enough, it popped right open.

my dad was pretty grumpy for the rest of the day...

Re:For my encryption needs

[owlstead]

Not completely true. If you look at the techniques of hash functions you'll understand why. They are very much like symetric encryption. You can even encrypt something by starting off with a "key", hash that, then hash the result of that, etc. etc. Now you have basically a stream cipher.

It also works for small data units, like e.g. keys. Hash a (sufficiently difficult) password and xor the result of the hash with the (symetric) key and presto.

"Milk Experiment"

[sremick]

For some bizarre reason, this reminded me of a story I once heard somewhere (no longer rememeber where).

Some guy was living with a bunch of others and always had a problem with them drinking up his milk. So one day he simply wrote "Milk Experiment" in big letters on the carton and never had another issue.

Re:For my encryption needs

[Sheepdot]

Oh really?
------------------
#!/usr/bin/perl -w

use strict;
use Digest::MD5 qw(md5_hex);

# Create a stream of bytes from hex.
my $bytes1 = map {chr(hex($_))} qw(
d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
2f ca b5 87 12 46 7e ab 40 04 58 3e b8 fb 7f 89
55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 71 41 5a
08 51 25 e8 f7 cd c9 9f d9 1d bd f2 80 37 3c 5b
d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6
dd 53 e2 b4 87 da 03 fd 02 39 63 06 d2 48 cd a0
e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 a8 0d 1e
c6 98 21 bc b6 a8 83 93 96 f9 65 2b 6f f7 2a 70
);

# Create a second stream of bytes from hex.
my $bytes2 = map {chr(hex($_))} qw(
d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
2f ca b5 07 12 46 7e ab 40 04 58 3e b8 fb 7f 89
55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 f1 41 5a
08 51 25 e8 f7 cd c9 9f d9 1d bd 72 80 37 3c 5b
d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6
dd 53 e2 34 87 da 03 fd 02 39 63 06 d2 48 cd a0
e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 28 0d 1e
c6 98 21 bc b6 a8 83 93 96 f9 65 ab 6f f7 2a 70
);

# Print MD5 hashes
print md5_hex($bytes1), "\n";
print md5_hex($bytes2), "\n";
------------------

What do I win?

ROT-13?

[AyeRoxor!]

How's this for ROT-13?

Bu abrf! Yrkne = shknerq!

Re:This reminds me of an "un-pickable" lock my ...

[bhny]

did you know you can open a bicycle lock with a bick pen?

Re:XOR is not the problem

[jnaujok]

But the key cannot be kept secure, as I need only enter a known password on a known device, get the "encrypted" text and XOR it against my original password. Since XOR is symetrical, A^B = B^A, then we are guaranteed that (A^B)^A = B, and *poof* we derive the magic password.

A single XOR when I can generate more than one "encrypted" text is no security at all.

One-Time pad means ONE-TIME ! If you use it twice, the security becomes exactly Zero.

Jeff Naujok

Refunds?

[ShavenGoat]

I sent an email to Lexar support demanding a refund for my "Secure" Jumpdrive. While I never used the "security" feature that they offer (I bought this because it was cheep at Sam's Club), this is still deceptive advertising. I don't think you can claim a product as "secure" when it is trivial for someone to bypass security.

As one poster commented, "Why not just use ROT-13 to hide the password?"

If Lexar replies, I'll post a follow up. If they don't, then it is off to the BBB to get things fixed.

Re:XOR is not the problem

[pclminion]

One-Time pad means ONE-TIME ! If you use it twice, the security becomes exactly Zero.

Yes, but the problem is using the pad again. Nothing to do with XOR. Notice that any key-combining operation must be a bijective operation (i.e., "one to one, and onto"). Thus, at least theoretically, you can determine the key by comparing various plain/ciphertext pairs, regardless of which key-combining operation was chosen. Yes, XOR makes this slightly easier. So?

XOR is not the problem. The fact that the key is reused, and is most likely much shorter than the plaintext, is the problem.

Mac Users

[agentkhaki]

If you're using a Mac, I'd suggest doing the following:

• Format your pen drive to MS-DOS
• Create an encrypted, password protected disk image roughly the size of your pen drive (also in MS-DOS format)
• Store the disk image on your pen drive

The reason I recommend using MS-DOS format for both the disk and disk image is two-fold. First off, you can use the extra space not taken up by the disk image to grab files from a PC (since both the Mac and PC can read the MS-DOS file system), and because if you use HFS+, the Mac will store all sorts of file extras on the disk, giving you much less usable space (same reason you can't get the full 654 or 700 MB when you burn an HFS+ CD).

I would also recommend storing a fake .Trash file on the disk -- that way, when you delete stuff, it dies immediately (after warning you), rather than going to the trash. Google for more info.

(fixed) A better solution

[DamienMcKenna]

Truecrypt (mirror 1 [freewebtown.com], mirror 2) does the same as PGPdisk but is open-source and seems to still be actively developed, unlike PGP658ckt. It also doesn't have the drive size limitations of some competing commercial products.

Damien

I tried that...

[Gordonjcp]

... but I found that the decryption key was inconveniently large, being the same size as the original data.

Re:For my encryption needs

[legirons]

"Because of this, hashing is irreversable, and therefor only an idiot would use it for encryption"

Count me an idiot then. I should mention why:

(a) take your key. MD5 it. Store this as X1
(b) Take X1. MD5 it. Store this as X2
(c) ... repeat until you get to Xn (n being the length of your message)
(d) For each 64-byte segment of your message, XOR it with one of the numbers in the sequence you just generated

To decrypt the message, do exactly the same thing.

I didn't buy it for the security

[digitalgimpus]

I bought it for the following reasons:
- Good cost per MB
- Fast
- Great rebate offer at the time
- DURABLE! This thing looks a little bulky, but it's rock solid. Thick plastic, really solid. Unlike any other I've seen so far.

I never used the security stuff. IMHO not worth it. But having such a durable, fast, cheap device was more than worth it to me.

I don't regret my purchase. It's a solid product. I'd still recommend it.

stupid response #1

[snake_dad]

"me" is too short for a decent password :)

Re:stupid response #1

[tabrnaker]

You need to read more about shiva. Shiva is not a destroyer. Shiva disolves so that creation can happen. Shiva represents creation as well as dissolution. If you want to reach enlightenment it is through shiva. Shiva is nothing close to the christian belief of devil which is naught but a fallen angel.

Re:stupid response #1

Only one addition, since from what I know, your post is fundamentally right. I have a Hindu friend, and he got upset when I refered to Shiva as the Hindu equivalent to the devil while trying to make sense of his religion. He explained it this way: Shiva is usually portrayed as benevolent. Old buildings decay to make way for new ones, old people die to clear the way for the next generation, old animals die so they don't slow the herd down, old civilizations fall as new ones are created, and so forth. If not for Shiva, the world would become choked with the old and sick, and the world would be a much worse place. When things are particularly off course, there are large epochs of destruction (Ranging from war to famine to cataclysmic floods, fires, and earthquakes, and that this is also used to reconsile scientific observations like mass extinctions with the religion). There's also a belief (which he says is obsolete and not held as seriously as it once was by many Hindus, at least those living in the western world) that the entire cosmos is periodically destroyed when a great many things get too far gone to be fixed even by global-level catastrophe, and Brama starts creation over anew.

Also, another thing he pointed out is that the devil (in Judeo-Christian theology) is not a destroyer in himself, only a temptor who can lead humans to destroy, but does not destroy himself. God orchestrates the end of the world in Revelation, and is also caused all the destructive events in the Bible. He rattled off several names (many of which sounded like names for D&D characters to me) for minor Hindu gods who are more comparable to the devil, since they manipulate living beings into distrupting the normal order of things.

Re:stupid response #1

[Ayaress]

Actually, in the Christian chronology, the devil is not a destroyer. A trickster, seducer, temptor, etc, yes, but not a destroyer. Armageddon, Sodom and Gamorrah, Noah's Flood, etc. All the epochs of destruction were carried out by God. Noah's Flood is exactly the sort of role Shiva sometimes plays in Hindu myth, which includes the constant cycle of life and death (creation and destruction), but also epochs of massive destrucion used to eliminate something fundamentally wrong with the universe.

FLASH: One Time Pad CRACKED

[hugesmile]

Somebody told them that a One Time Pad encryption scheme is uncrackable. So they used the pad "11111111111..." and did an XOR.

Since no one else is stupid enough to use that pad, it's a one time pad.

Another milestone in encryption technology - One time Pad CRACKED!

Emergency patch: Now they use the Pad "000000000...."

Somebody call the police

[Ayaress]

I think you just killed Schrodinger's Cat.

Another good one..

[Gentlewhisper]

would be jetico's bestcrypt.

http://www.jetico.com/

supports twofish and blowfish too and even GOST too, all the way up to 446bit of keylength.

a must have for any paranoid nut

Tough..

[Gentlewhisper]

Bestcrypt http://www.jetico.com/ encrypts swap files too, so all you can get with your grepping is just @(#*)$#)$*)#*(#*^0

Lexar is not alone in bad cryptography

[plover]

Don't look to San Disk for any better security.

I spent a little while analyzing the "CruzerLock" software that came with my Cruzer Mini USB drive. It appears to be using a 64 bit block cypher (perhaps DES) which pretty much rules out any of the more modern encryption algorithms.

Its biggest readily apparent weakness is that the encryption algorithm is running in ECB mode. If you have a file containing AAAAAAAAAAAAAAAAAAAAAAAA it will encrypt to an 8-byte repeating block on the drive, like this: 123456781234567812345678 When I changed that to AAAAAAAAbbbbbbbbAAAAAAAA I saw the following encoding: 12345678abcdefgh12345678. That indicates Electronic Code Book. If I learn what your first block means, I know the third block means exactly the same data. (Please note that these are just example values with nice visual properties, and not the exact values I saw!)

Also, the encryption is the same from file to file. AAAAAAAA encoded in one file produces exactly the same results as AAAAAAAA encoded in another. So the IV for the encryption routine is fixed as well.

At least XORing blocks of encrypted binary nulls with two different keys didn't quickly reveal any obvious common bits, nor did encrypting two successive blocks that differed only by a single bit of plaintext. That means it's at least more than a plain old 8-byte XOR cypher using a folded password.

I figure if I can find all those holes in an hour of poking around with a hex tool, I know they didn't actually hire any cryptographers to produce the software. All the alarm bells have already gone off, and I never even stepped into it with a debugger to learn how they fold your password into a key, or what the IV was, or what the encryption algorithm itself was.

Re:Bleh

[bhtooefr]

I know this is a troll, but interesting point. Make it so Winboxes (except those with Ext2 for Windows (or whatever it's called)) can't read it... But there's a couple problems. You might NEED it on Windows eventually (I use Linux on my main computer, but I interact with Windows computers EVERY DAY), and that Ext2 for Windows. The second cancels out the first, but then how do you get it on the box? Carry TWO JumpDrives, or a CD with it burned on?

Also, if you only work with Win2K/XP boxes, there might be a way to use NTFS encryption, and format it like that. You could also use some Linux filesystem's encryption, and have a FAT12 partition with a driver for that filesystem (AFAIK, you can partition JumpDrives with Linux).