Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cracking a Crypto Hard Drive Case

Posted by kdawson on from the easy-button dept.

juct writes "A label on the box reading 'AES' does not ensure that your data are protected. heise examined a hard drive enclosure with an RFID key that is typical of many similar products. They found that the 128-bit AES hardware encryption claimed in advertisements was in fact a simple XOR encryption that they were able to break easily with a known plaintext attack." The manufacturer of the drive examined has announced that the product is being retooled and will be reintroduced later this year, presumably with actual AES encryption.

6 of 238 comments (clear)

  1. Criminal prosecution? by palegray.net · · Score: 5, Insightful

    For God's sake, can't the company's executives be charged under a criminal statute? Fraud, anyone? I guess their next product will use advanced ROT13 encryption technology.

    --
    512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
    1. Re:Criminal prosecution? by mxs · · Score: 5, Insightful

      For God's sake, can't the company's executives be charged under a criminal statute? Fraud, anyone? AES was used /somewhere/.

      It's /never/ a good idea to rely on cryptographic features when you don't know exactly how they are implemented. A vendor telling you they use AES is completely and utterly worthless, and always has been. It's a nice buzzword people like to use.

      It's also NEVER a good idea to use any "crypto developed in-house". Manufacturers love to tell you since they developed it and their development is secret and such that their product is safe and secure, much more secure even since nobody knows how it works.
      Cryptologists laugh at those claims, and everybody else should, too. These non-encrypting devices are a good reason as to why they do so.

      If you want truly encrypted files and disks, don't rely on cheap external enclosures. TrueCrypt is not hard to use and offers a decent level of protection (forget Windows crypto, it's littered with backdoors unless configured JUST right, which is not an easy task and definitely not default). Under linux, it's decidedly easy to use AES encryption on block devices.

      I guess their next product will use advanced ROT13 encryption technology. For good measure, they'll apply it twice -- after all, twice is better than once.
    2. Re:Criminal prosecution? by garutnivore · · Score: 5, Insightful

      Open source is better than closed source for security code but it is not a silver bullet. The idea is that you want to have as many objective and capable coders able to examine the security code. That way, weaknesses in the code or shady things like back-doors are likely to be spotted and publicized. Closed source creates a significant obstacle against that examination. Open source does not create the obstacle but even without obstacle to examination you have no guarantee that objective and capable coders will actually examine the code.

  2. Trust by Mikey-San · · Score: 5, Insightful

    The manufacturer of the drive examined has announced that the product is being retooled and will be reintroduced later this year, presumably with actual AES encryption.

    Trust is a precious resource that you must cultivate; it's not a boomerang. Never risk throwing it away.

    --
    Mikey-San
    Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
  3. Re:How about a software solution? by palegray.net · · Score: 5, Insightful

    I'm aware it's not the same thing :). While I understand the performance benefits of doing the heavy computation with specialized hardware, I'm questioning the wisdom of trusting any embedded encryption platform that isn't easily audited for correct operation. What about devices that actually perform encryption using the algorithms claimed, but the implementation of the crypto routines contains a flaw that isn't easily detected? What do you do about it when your organization has a few of them in production? Closed platforms make me nervous when security really matters.

    --
    512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
  4. Re:Well, as others have noted by Bert64 · · Score: 5, Insightful

    Well, just because you may not know too much about C or encryption...
    I'm not really inclined to trust some company that says product X is secure, but i'm far more likely to trust a string of unconnected individuals, especially if some of those individuals are recognised cryptography experts or have at least studied cryptography at a reputable establishment.
    Sure it's not perfect, but its a huge step in the right direction. The only perfect solution would be to study cryptography and programming (in whatever language) yourself first.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!