Lexar JumpDrive Password Scheme Cracked

Saint Aardvark writes "Lexar describes the JumpDrive Secure as "loaded with software that lets you password-protect your data. If lost or stolen, you can rest assured that what you've saved there remains there with 256-bit AES encryption." @stake has a different take: The password can be observed in memory or read directly from the device, without evidence of tampering." And best of all, the punch line: "[The password] is stored in an XOR encrypted form and can be read directly from the device without any authentication." That's why I use ROT-13 for my encryption needs."

Even worse...

Why go through all the trouble of attaching a debugger to the process when you can bribe the user to tell you the password with a chocolate bar! Best of all, this trick will still work long after Lexar fixes their security issue.

Re:Even worse...

[Minwee]

And more importantly, do you even know what "redundant" means?

Re:Even worse...

[Marxist+Hacker+42]

I like those people. They're so stupid. I can get chocolate out of them simply by saying "I use the 9 billion names of God for my passwords. I'm up to Shiva".

DMCA

[Lead+Butthead]

Doesn't that violate DMCA?

Re:DMCA

[kelnos]

This may sound silly, but how is the "first post" redundant? I mean... first. Mods, you do know what the word "first" means, right?

Re:DMCA

[micromoog]

Yep, the new watchword in American 'security': "Who needs respectable technology when you've got the DMCA?"

And it only took the guys at distributed.net

[PrimeWaveZ]

Three years to get .01% of the way done cracking this before someone realized it was ROT13. ;)

An embarassment of security.

[michael+path]

The password is in XOR'd form? Yeah. That's encryption.

Couldn't the software or driver have stored the password in a MD5 or SHA1 form, and still present a valid authentication mechanism for end users?

From the article:


Vendor Response:

08-05-2004 Vendor contacted via email to support@lexarmedia.com
No response.
08-12-2004 Vendor contacted again via email to support, sales
Public Relations, Investor Relations, and general
inquiry email addresses.
08-12-2004 Automated response from support received
09-13-2004 No further response from vendor, advisory released

Vendor has not acknowledged issue or produced a fix.


This is a pretty embarassing non-response.

The product is only about 5 or 6 months old, and the password was just sitting there. AES is a perfectly fine standard for encryption, but this is an embarassing implementation. Thankfully, I don't know anyone who owns this.

Re:An embarassment of security.

[pete-classic]

Horseshit. All my data is XORed against itself before it is written to disk. I assure you that you can't crack it.

-Peter

Re:An embarassment of security.

[Alizarin+Erythrosin]

The password is in XOR'd form? Yeah. That's encryption.

Couldn't the software or driver have stored the password in a MD5 or SHA1 form, and still present a valid authentication mechanism for end users?

Aside from storing the password in XOR'd form, the software checking the password is flawed. It unencrypts the password first, then compared the password entered. Rather then encrypting the password entered and comparing it to the device?

There may even be better ways than that. I'm not a cryptography person, but that's the first thing that comes to mind.

Re:An embarassment of security.

[benchbri]

I've got one of these, so now you do know someone with one.

If you're carrying around secure documents/files on a jumpdrive using only the included encryption scheme, you may need a lobotomy. I took one look at the security program that came on the drive, and threw it out. I knew I'd never need it. It wasn't a program that looked like it reeked of security, either. I'm acutally surprized this is the first report of the JumpDrive being cracked.

Since there are dozens of USB drives on the market, and the're basically the same price (my JumpDrive was the same price as the other 128Mb offerings in Circut City), I wouldn't think a consumer to expect a fairly decent encryption system for free. On top of that, if you're carrying around sensitive documents on your keys, just think: when's the last time you lost your keys?

Re:An embarassment of security.

[alienw]

Rather then encrypting the password entered and comparing it to the device?

That would not be any better than it is now.

The right way to do this would be to use the password to generate an encryption key and encrypt the data with it. Then, the only possible vulnerabilities are the password itself and various known-plaintext attacks.

Re:An embarassment of security.

[steveha]

All my data is XORed against itself before it is written to disk.

What a waste of valuable CPU cycles! Here's a speedup that does the same thing much faster:

/* implement "XOR data with itself" security algorithm */
/* but cleverly don't actually use XOR */
/* don't forget to null-terminate encrypted data! */

int
CopyWithL337XORSecurity(char *in, char *out)
{
int length;

length = strlen(in);

memset(out, 0, length + 1); /* length + 1 for null termination */

return length;
}

That should run much faster -- standard library functions are always well-optimized.

Just doing my part for data security.

steveha

Re:An embarassment of security.

[Chris+Mattern]

> Thankfully, I don't know anyone who owns this.

I do, and I keep fairly sensitive information on it (in fact, I bought it in order to keep that information handy but secure). But I don't use Lexar's software--never even occured to me to try to use it, as I want to access it in Solaris and Linux. I use GPG; downloaded a GPG for Windows and put it right on the key so that I can use it in any Windows machine as well.

Chris Mattern

Re:An embarassment of security.

[SamNmaX]

Horseshit. All my data is XORed against itself before it is written to disk. I assure you that you can't crack it.

That joke sure was cryptic.

Re:An embarassment of security.

[alienw]

If the device actually encrypts the files, it is not necessary to store the password in any form, hashed or otherwise. You can just decrypt the data with the given password and check if the CRC matches to find out if the password is correct or not.

Dude,

[2names]

EVERYTHING violates the DMCA. Everything. Even talking about violating the DMCA violates the DMCA.

Re:Dude,

[Ignominious+Cow+Herd]

So, all we have to do is prove that the DMCA violates the DMCA and it will disappear in a puff of illogic, right?

Cue::Cat

[althalus]

That's what happens when you get your security developers from the Cue::Cat Development team. Wasnt' their 'encryption' just XOR or something similar?

Re:Cue::Cat

[AKAImBatman]

It was Base64 "encryption" (*snicker*)

Re:Cue::Cat

[artemis67]

that, and their password was "PASSWORD"

It's a "feature"

[grunt107]

It allows those who forget their passwords to quickly access the 'lostpaswd?' file, saving on support calls.

Not much detail?

XOR'ed with what? XOR is just a method of encryption, not a cypher or anything... it's the basis for the one-time-pad, the strongest encryption method next to quantum encryption.

Re:Not much detail?

[PhilipPeake]

This is actually a clever sales gimmick.

You can find the "what with" part by simply XORing again with you key. So to find out what the magic string is, simply buy one of these devices, encrypt some data to it, then locate the encrypted key and XOR you original password with the "encrypted" version.

Doing this with your own device means you are not violating DMCA - trying this out with someone elses device will subject you to the possibility of 57 consecutive life sentences.

Re:Not much detail?

[nkh]

Without a doubt it's a xor used with a key length of a few bytes.
xor + small_key = cypher for dummies, it's an old standard for those who don't care about security.

The #1 DMCA Rule

[Tackhead]

> EVERYTHING violates the DMCA. Everything. Even talking about violating the DMCA violates the DMCA.

The number one rule of talking about the DMCA and archiving the results, encrypted, on a Lexar JumpDrive.

You do NOT talk about DMCA and archive the results, encrypted, on a Lexar Jumpdrive!

Re:The #1 DMCA Rule

[mothz]

But if you did talk about the DMCA and encrypt the results, it would require someone else to violate the DMCA to decrypt the results to prove your guilt. Furthermore, it would take someone to even think about violating the DMCA, thereby being in automatic violation of the DMCA, to even suspect that you violated the DMCA.

Tin-foil hats work, I tell you!

Re:The #1 DMCA Rule

[mattyrobinson69]

i use a uranium hat - it protects the data in my brain, like file shredding, except better

Drive Crypt

[xombo]

That's why I use DriveCrypt. I got my version years ago and it's pretty antiquated but it supports up to 1024 bit encryption (granted it makes things relatively slow).

Inevitable?

[xanthines-R-yummy]

Isn't this in line with the whole "No machine[usually meaning computer, but in this case a jumpdrive] is secure if the physical box is in the hands of the hacker/criminal."

I mean, if you have the jumprdrive in your possession it's only a matter of time before you find a weakness to exploit, right?

Re:Inevitable?

[Minna+Kirai]

"No machine[usually meaning computer, but in this case a jumpdrive] is secure if the physical box is in the hands of the hacker/criminal."

That's not true. If my harddrive contains an encrypted filesystem, it does a "hacker" no good to steal my PC. He's mathmatically less likely to brute force that encryption than if he sniffed encypted email or SSL sessions.

If the hacker installs a keylogger, and I don't detect the intrusion when I return, then a second trip to physical access could break the security... but getting his hands on it once won't help.

That famous saying only applies if the machine gets some ongoing use after the hacker has physical access. (Thus it demonstrates a core flaw of DRM, etc)

I mean, if you have the jumprdrive in your possession it's only a matter of time before you find a weakness to exploit, right?

No. There is no reason a device like this needs to store the password at all.

Properly, it shouldn't be a "password" at all, but a decryption-key you type before accessing the files. Type in the wrong key, and the files appear scrambled.

Re:Inevitable?

[merlin_jim]

I mean, if you have the jumprdrive in your possession it's only a matter of time before you find a weakness to exploit, right?

No. It is absolutely possible to implement a symmetric encryption scheme that does not expose any details of the password and requires the password to be correct in order to decrypt the data.

For instance, instead of saving an xored version of the password (I'm assuming you need the cleartext of the password to run through your decryption algorithm), you can save a hash of the password. Then when the user enters their password, you compare hashes for correctness, and if there's a match, you use the cleartext they just entered.

Assuming all your math is done right and you're using strong crypto, there's nothing anyone could do to decrypt that data without a) knowing the password or b) having more computing power at their disposal than is currently available to any private citizen or group.

wow

I had one of those things. I'm glad that I always manually encrypted sensitive information instead of relying on their tool. That is until the drive mysteriously stopped working at all after about 6 months.

No way am I buying anything they make again.

I'm fuzzy on something...

[ALecs]

Why does the password need to be 'stored' anyway? Isn't that kinda the point?

Is this some sort of 'encrypted session key' thing where one long, secure password decrypts another shorted one that's used to do the dirty work? Is it stored for key recovery by tech support droids?

Why store the password? Is this just the worst implementation in the whole world or am I missing something?

Re:I'm fuzzy on something...

[savagedome]

Why does the password need to be 'stored' anyway?

One word: support.

Ideally, they should not be storing the password on the disk itself at all for it to be a secure drive. But I've seen a lot of these decisions that seem boneheaded because a *lot* of people will forget their passwords and come back *demanding* that you decrypt their shit. If this is someone that even remotely knows the CEO of the company or somebody higher up and if you try to explain them one-way math functions, you will be getting the pink slip in no time.

Although what these guys did is unpardonable. I mean XOR? Jeez.

Re:I'm fuzzy on something...

[pclminion]

Although what these guys did is unpardonable. I mean XOR? Jeez.

What's wrong with XOR? Example. I've encrypted a short message of ten bytes, by XORing it with a random sequence of ten bytes. Here's the ciphertext:

26 6B F1 2C 2E 1E 71 12 A9 68

Since XOR encryption is so weak, this should be no sweat to crack, right?

Unfortunately, you'll never be able to crack it, because you don't know what the key was. Even if you found a key that would decrypt this sequence to a meaningful series of bytes, you still don't know if that's the correct answer. More than one valid message can fit into 10 bytes, and you have no way of telling which one of those valid messages was the one I intended. It is literally unbreakable. This is called a one-time pad. Now, if I used the same key repeatedly to encrypt lots and lots of data, you could apply statistical techniques to attack it. But the weakness is not inherent in the XOR operation.

The weakness is in the key security. If you cannot protect the key properly, not even the most complicated cipher in the world can help you.

XOR is a perfectly legitimate method for combining the key, or key-generated data, with the plaintext.

Re:I'm fuzzy on something...

[Lost+Race]

There's only one thing you need to make encryption work, and that's the key (or key pair for asymmetric encryption). Where you store the key is the trick. Ideally you want to keep the key separate from the data at all times -- in a separate medium, in the user's brain, whatever. Unfortunately that would mean either carrying around a separate physical key storage device to unlock your storage device (and of course being able to lose them together since you would naturally keep them both on the same keychain) or memorizing a 50-digit number and typing it correctly every time you want to access the device.

So what we usually do in these situations is store the main key in the device itself, encrypted with a smaller key which can be generated from a user-selected password. Why not just use the password-generated key as your main key? Because easily-remembered passwords don't have enough entropy to generate a key strong enough to protect megabytes of data, but they are good enough to protect something small like an encryption key.

Usually such schemes fail when the encryption of the main key is too weak for whatever reason, such that the main key can be recovered without knowing the password. It is indeed bizarre that they would store the password itself on the device in any form, though as we all know the world is full of crappy software "designed" by idiots.

Re:I'm fuzzy on something...

[josquin00]

From Encryption Matters:

Here's how to perform an attack that will break the trivial XOR encryption in a few minutes:

* Determine how long the key is

This is done by XORing the encrypted data with itself shifted various numbers of places, and examining how many bytes are the same. If the bytes that are equal are greater than a certain percentage (6% accoridng to Bruce Schneier's Applied Cryptography second edition), then you have shifted the data by a multiple of the keylength. By finding the smallest amount of shifting that results in a large amount of equal bytes, you find the keylength.

* Shift the cipher text by the keylength, and XOR against itself.

This removes the key and leaves you with the plaintext XORed with the plaintext shifted the length of the key. There should be enough plaintext to determine the message content.

Your example works, because your key and plain text are the same length. I think the point is that all Jumpdrives either use the same key, or use one short enough to apply the above to, etc. Short of including (and inventing) a one time pad generator that is truly random, and with the availability of other password encryption methods, why use XOR?

Re:I'm fuzzy on something...

[Piquan]

XOR is a perfectly legitimate method for combining the key, or key-generated data, with the plaintext.

If you're using the key, it has to be an OTP. As soon as you repeat your message using the same key, your cipher's busted.

In the case of key-generated data, that's pretty much what a stream cipher does. But then you don't refer to the cipher as XOR, you refer to it as a stream cipher. You could just as easily use mod-256 addition as XOR if you wanted; the point of the cipher isn't the combination technique, but the stream generator.

The grandparent was referring to XOR as the only cipher method. In the case of an OTP (like you used), it's okay, but that's the only case. This is clearly not an OTP we're dealing with here.

What's worse (and aside from your point), it's open to a chosen-plaintext attack: buy another JumpDrive, set the password, observe. A chosen-plaintext attack can reveal the key of a simple XOR cipher in a single attack (assuming you can ascertain the maximum key length, which is probably something that the password entry dialog gives you). Even without chosen-plaintext, it doesn't take many samples to reveal the key of an XOR cipher, but with chosen-plaintext it's just too trivial.

I couldn't remember what

[2names]

"redundant" meant...until I got the Jerry Jackson memory system.

I was always forgetting important things, like the meaning of the word "redundant." But thanks to the Joe Johnson memory system, I can now remember things like the meaning of the word "redundant." Thanks, Jack!

Copyright 2004, Jake Johannson Memory systems.

This shows once again...

[piquadratCH]

...that the best encryption algorithm is worth nothing if you fuck up the implementation...

Man, that's scary...

[naer_dinsul]

Geeze... This is probably the first /. story I've read that ACTUALLY applies to me...

But seriously, I own one of these... In fact, they're pretty popular in my area just because their cheap and sold at Wal-Mart... I don't personally use the password protection because I always felt it was just an extra step and I didn't really need that much security on my Flash Drive anyways...

(It's not like I was storing all of my server's passwords on it or anything..... Honest...)

Thank you @stake and people like you for making sure products are as secure as they say they are...

My password is twice as secure as yours!!!

I use ROT-26.

-

Re:For my encryption needs

[Aardpig]

I use MD5. Not one collision ever found in the wild.

On the off chance that this isn't a joke, and you're one of the genii on /. who thinks that MD5 has anything to do with cryptography, let's reiterate:

MD5 is a hashing algorithm. All hashing algorithms are guaranteed to collide, since hashing is the process of reducing an N-fold dataset to an M-fold one, where M<N.

Because of this, hashing is irreversable, and therefor only an idiot would use it for encryption. It's proper purpose is for checksuming.

*holds down shift*

[ARRRLovin]

There we go.........my little brother won't keep his porn on one of these anymore. haha

Tried contacting them...

[Vexler]

I tried both calling them and trying their live chat feature from their website, but so far no response. The company is in California, and I am calling them about 3:30 PM EDT. So far, no responses from either the phone call (I am still on hold) or the live webchat.

Sounds awfully like a head-in-the-sand approach to security to me.

Re:Almost...

XOR means "exclusive or". A regular "or": if one of the inputs is 1, return 1. An "exclusive or": if one of the inputs is 1, but not both, return 1.

OR:
0101
0011
----
0111

XOR:
0101
0011
----
0110

AND:
0101
0011
----
0001

Not so fast!

[PaulBu]

Because of this, hashing is irreversable, and therefor only an idiot would use it for encryption. It's proper purpose is for checksuming.

MD5 *does* have something to do with cryptography (why else would Schneier devote the whole 14th chapter of Applied Cryptography to "One-way hash functions"), and the reason is simple: it is used to encrypt your *password*, not your data (Lexar was claiming that they use 256-bit AES encryption for the data itself).

For authentication you do not store the password in plaintext, only its MD5 hash, when user enters the password, MD5 of that is computed and compared to the stored MD5 string, if they match -- your user is authenticated. Of course XOR with a "magic number" could be used for the same purposes, but it would be much weaker. Thus, I think that the GP was not a troll and made a valid point: use MD5 to hash your passwords, and preferrable add some salt value to prevent against dictionary attack.

The other questiuon is why did Lexar had to store passwords on the drive at all, one does not need to authenticate users in their scenario (the drive itself is not a self-cointained computer to which a user needs to gain access) -- they could've just asked for the password, convert it to the key used in AES algorithm, decode the data and give the result: if password is incorrect, the decoded data is garbage.

Paul B.

Re:Not so fast!

[Piquan]

Reading your post is like one of those "How Many Mistakes Are In This Picture" things you see in Highlights.

The salt doesn't have anything to with protecting against dictionary attacks,

The salt is exactly to prevent against dictionary attacks. A dictionary attack (using the term old-school) is where I prepare, in advance, a dictionary of passwords and their hash values, indexed by the latter. Then, when you're making your attack, you look up the hashed password and voila! you know the password. In a world without salts, I expect that many security folks would be able to recognize many common passwords' hash values on sight.

it is used to make the algorithm computationaly harder to break.

The salt does nothing (or rather an insignificant amount) to make the computation harder. It's specifically used to prevent a dictionary attack.

The salt is simply the first two characters in your hash,

The salt is a randomly-generated sequence. It's stored as the first two characters of the encrypted password in traditional crypt() passwords, and is followed by the hash. But it's not the first two characters of the hash.

all of the subsequent characters are based from the salt.

They're based off of both the salt and the password. Your post makes it sound like the password is hashed, the first two characters of the hash are the salt, and the rest of the password entry are generated from that. This is not at all what happens.

The salt is generated randomly (from the time of day, number of processes running, etc), to get 12 bits of randomness (note that the salt is isomorphic with the space [A-Za-z0-9/.]{2}). The password is hashed using a DES, with the password as the key and a string of 0s as the plaintext. Partway through the DES operation (specifically, after the E-box), some of the bits are swapped based on the salt.

After DES outputs the hash value (its ciphertext), it is appended to the salt. This concatenated value is stored in the passwd field of your passwd file. So the salt is the first two characters of that output, but it's not the first two characters of the hash. It's used to perturb the hash in one of 2^12 ways.

Note that the specifics I gave (length of salt, use of DES) only applies to traditional Unix passwords. Most modern Unixes use a different hash scheme by default, such as MD5. The role of the salt still applies: it's used to perturb the hash function to prevent dictionary attacks. There are differences in how it's stored and how it perturbs the hash.

For further study, I recommend reading Password Security: A Case History by Robert Morris and Ken Thompson.

Snuffle

[tepples]

Because of this, hashing is irreversable, and therefor only an idiot would use it for encryption. It's proper purpose is for checksuming.

Try telling that to Daniel Bernstein. His "Snuffle" code converts any hash into a cipher. To put it shorter: sampling the output of a well-designed hashing algorithm after every n bytes produces a suitably random bitstream; XORing that against the message produces a stream cipher.

XOR Encryption is NOT unbreakable

[bahamutirc]

I've seen a number of posts stating the XOR is unbreakable. Hopefully they're just joking and didn't get modded as such, because I've read in several places that XOR sucks. A quick Google revealed the following.

Hack-FAQ

And I quote: XOR encryption is trivially simply to implement and equally trivial to break. XOR encryption should not be utilized for any data which you would want to protect.

I could go grab my Applied Cryptography book and make sure, but it's out of arms reach right now.

UPDATE from conversation with Lexar...

[Vexler]

After being put on hold for over twenty minutes, I finally spoke with a man named Henry who said that he has never heard that JumpDrive had a security problem (even after I confronted him with the advisory from @Stake), and did not know that @Stake was trying to contact them for over a month. He was quite shocked but promised to check out /. and @Stake to verify the claim.

The ostrich finally wakes up.

A better way to make "secure zones"

[g_adams27]

I needed a way to make a "secure zone" similar to what Lexar was advertising - a place where I could drop files and have them automatically protected. After doing a fair amount of research, I decided to use PGPDisk. It allows you to create a PGP-encrypted file on any device (hard drive, CD, USB key, etc) which "expands" into a virtual drive (e.g. "C:\Private\SecretStuff.dsk" becomes a new "Removable drive G:" in Windows once you enter the password). Anything you drop into the virtual drive becomes encrypted. It uses 128-bit symmetric CAST algorithm, which is plenty strong enough for anything I'd need. (I believe the newest versions may also have a Twofish algorithm option). PGPdisk virtual drives can be up to 4Gig on a FAT32 machine, or unlimited size under NTFS.

You can check out the commercial version at http://www.pgp.com/, but I would also seriously consider PGPckt 6.58, a forked and free version that works just fine under WinXP (and previous versions of Windows). That's the version I've been using.

Grrrr

[c++]

This kind of thing just burns me up. Clueless companies hire clueless developers who think they can make software or hardware relatively secure by mearly applying encryption in whatever way they think is convenient. Never mind the plain-text password behind the curtain. Never mind that xor is equivalent to plain text (Lexor). Never mind that supporting multiple decription keys reduces the effective key length (DVD). Never mind that if you somehow store the decryption keys in a way that the software retreive (DVD again) that anyone can extract them. Never mind that storing a strongly-encoded password along with a weakly-encoded one buys you nothing (Microsoft). Never mind that encryption can't prevent copying (DRM). Never mind that this list can go on forever...

I own a JumpDrive Secure. Don't laugh; I only got it because Wally World didn't have the regular 256MB one. I plugged it in and the first thing it did was install their security software *without asking me*. Yes, Windows XP. Yes, I had turned AutoRun off on my CD. No, I have no idea how to disable AutoRun on a device that has never been plugged in before. Grrrr.

What did I do? I used Linux to reformat the JumpDrive then uninstalled the software it added without my permission. Now I have a perfectly usable device. (This was 4 months ago)

Re:the punchline

[hymie!]

Um...

If A XOR B = C , then A XOR C = B and B XOR C = A.

So if MYPASSWD XOR SECRET = ENCRYPTEDCODE, and I know both MYPASSWD and ENCRYPTEDCODE, then I can find SECRET.

I don't know if all of the drives have the same SECRET or not, but, having determined what SECRET is on my drive, I can give the drive to you, or I can try my SECRET on another drive and see if it works.

--hymie!

This reminds me of an "un-pickable" lock my ....

[StressGuy]

dad once bought.

It had no keyhole, just a bunch of magnectic "reeds" that would line up when a special magnetic key was put along side of it. My dad had just purchased it that day and was explaining to me how it worked. I asked, "couldn't you just shake it until the reeds lined up?". He tosses the lock to me and says, "here...try it then". I shook the lock for a couple of seconds and, sure enough, it popped right open.

my dad was pretty grumpy for the rest of the day...

Re:For my encryption needs

[Sheepdot]

Oh really?
------------------
#!/usr/bin/perl -w

use strict;
use Digest::MD5 qw(md5_hex);

# Create a stream of bytes from hex.
my $bytes1 = map {chr(hex($_))} qw(
d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
2f ca b5 87 12 46 7e ab 40 04 58 3e b8 fb 7f 89
55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 71 41 5a
08 51 25 e8 f7 cd c9 9f d9 1d bd f2 80 37 3c 5b
d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6
dd 53 e2 b4 87 da 03 fd 02 39 63 06 d2 48 cd a0
e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 a8 0d 1e
c6 98 21 bc b6 a8 83 93 96 f9 65 2b 6f f7 2a 70
);

# Create a second stream of bytes from hex.
my $bytes2 = map {chr(hex($_))} qw(
d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
2f ca b5 07 12 46 7e ab 40 04 58 3e b8 fb 7f 89
55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 f1 41 5a
08 51 25 e8 f7 cd c9 9f d9 1d bd 72 80 37 3c 5b
d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6
dd 53 e2 34 87 da 03 fd 02 39 63 06 d2 48 cd a0
e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 28 0d 1e
c6 98 21 bc b6 a8 83 93 96 f9 65 ab 6f f7 2a 70
);

# Print MD5 hashes
print md5_hex($bytes1), "\n";
print md5_hex($bytes2), "\n";
------------------

What do I win?

ROT-13?

[AyeRoxor!]

How's this for ROT-13?

Bu abrf! Yrkne = shknerq!

Re:This reminds me of an "un-pickable" lock my ...

[bhny]

did you know you can open a bicycle lock with a bick pen?

(fixed) A better solution

[DamienMcKenna]

Truecrypt (mirror 1 [freewebtown.com], mirror 2) does the same as PGPdisk but is open-source and seems to still be actively developed, unlike PGP658ckt. It also doesn't have the drive size limitations of some competing commercial products.

Damien

I tried that...

[Gordonjcp]

... but I found that the decryption key was inconveniently large, being the same size as the original data.

FLASH: One Time Pad CRACKED

[hugesmile]

Somebody told them that a One Time Pad encryption scheme is uncrackable. So they used the pad "11111111111..." and did an XOR.

Since no one else is stupid enough to use that pad, it's a one time pad.

Another milestone in encryption technology - One time Pad CRACKED!

Emergency patch: Now they use the Pad "000000000...."

Somebody call the police

[Ayaress]

I think you just killed Schrodinger's Cat.

Lexar is not alone in bad cryptography

[plover]

Don't look to San Disk for any better security.

I spent a little while analyzing the "CruzerLock" software that came with my Cruzer Mini USB drive. It appears to be using a 64 bit block cypher (perhaps DES) which pretty much rules out any of the more modern encryption algorithms.

Its biggest readily apparent weakness is that the encryption algorithm is running in ECB mode. If you have a file containing AAAAAAAAAAAAAAAAAAAAAAAA it will encrypt to an 8-byte repeating block on the drive, like this: 123456781234567812345678 When I changed that to AAAAAAAAbbbbbbbbAAAAAAAA I saw the following encoding: 12345678abcdefgh12345678. That indicates Electronic Code Book. If I learn what your first block means, I know the third block means exactly the same data. (Please note that these are just example values with nice visual properties, and not the exact values I saw!)

Also, the encryption is the same from file to file. AAAAAAAA encoded in one file produces exactly the same results as AAAAAAAA encoded in another. So the IV for the encryption routine is fixed as well.

At least XORing blocks of encrypted binary nulls with two different keys didn't quickly reveal any obvious common bits, nor did encrypting two successive blocks that differed only by a single bit of plaintext. That means it's at least more than a plain old 8-byte XOR cypher using a folded password.

I figure if I can find all those holes in an hour of poking around with a hex tool, I know they didn't actually hire any cryptographers to produce the software. All the alarm bells have already gone off, and I never even stepped into it with a debugger to learn how they fold your password into a key, or what the IV was, or what the encryption algorithm itself was.