Slashdot Mirror


Cracking a Crypto Hard Drive Case

juct writes "A label on the box reading 'AES' does not ensure that your data are protected. heise examined a hard drive enclosure with an RFID key that is typical of many similar products. They found that the 128-bit AES hardware encryption claimed in advertisements was in fact a simple XOR encryption that they were able to break easily with a known plaintext attack." The manufacturer of the drive examined has announced that the product is being retooled and will be reintroduced later this year, presumably with actual AES encryption.
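An added example (not from heise's analysis or the original post) of why a fixed XOR pad falls to known plaintext, and of a check an evaluator can run on raw sectors to spot such a design. It assumes the same pad is reused for every 512-byte sector; all function names and sample data are constructed, and `per_sector_encrypt` is a SHAKE-256 stand-in used only for contrast, not AES.

```python
import hashlib

SECTOR = 512  # sector size assumed for this sketch


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fixed_xor_encrypt(sectors, pad):
    """Weak design: every sector is XORed with the same key-derived pad."""
    return [xor_bytes(s, pad) for s in sectors]


def per_sector_encrypt(sectors, key):
    """Stand-in for a real cipher mode (NOT AES): the keystream depends on
    both the key and the sector number, so no pad is reused across sectors."""
    out = []
    for n, s in enumerate(sectors):
        stream = hashlib.shake_256(key + n.to_bytes(8, "big")).digest(SECTOR)
        out.append(xor_bytes(s, stream))
    return out


def looks_like_fixed_xor(plain, cipher):
    """Evaluation check: write known sectors, read the raw ciphertext back,
    and see whether P xor C is the same value for every sector."""
    return len({xor_bytes(p, c) for p, c in zip(plain, cipher)}) == 1


def read_without_key(known_plain, known_cipher, other_cipher):
    """What a single known sector gives away under the weak design."""
    pad = xor_bytes(known_plain, known_cipher)
    return xor_bytes(other_cipher, pad)


# Constructed sample data: one zero-filled sector, two with content.
PLAIN = [
    bytes(SECTOR),
    b"partition table placeholder".ljust(SECTOR, b"\x00"),
    b"payroll-2008.xls: confidential".ljust(SECTOR, b"."),
]
PAD = hashlib.shake_256(b"constructed RFID key").digest(SECTOR)
WEAK = fixed_xor_encrypt(PLAIN, PAD)
STRONGER = per_sector_encrypt(PLAIN, b"constructed RFID key")

if __name__ == "__main__":
    print("fixed XOR flagged:", looks_like_fixed_xor(PLAIN, WEAK))
    print("per-sector flagged:", looks_like_fixed_xor(PLAIN, STRONGER))
    print("recovered:", read_without_key(PLAIN[0], WEAK[0], WEAK[2])[:30])
```

Under the fixed-pad design the ciphertext of a zero-filled sector is the pad itself, which is why the check only needs plaintext the evaluator already knows.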

5 of 238 comments

  1. How about a software solution? by palegray.net · · Score: 5, Interesting

    Would something like TrueCrypt, where you can easily look at the source, be a better solution? At the very least, it could avoid problems like these.

    1. Re:How about a software solution? by davmoo · · Score: 5, Interesting

      There's another disadvantage to hardware encryption like this product, even if it worked correctly, and why I also favor something like TrueCrypt (which is in fact what I use) even if it might make a bit more work for the computer. The maker says "this is our special chip, and here's the source for our firmware for you to inspect"...now, how do you *know* that's really the firmware that's on that chip? Very few of us are in a position where we could take that source and make our own chip. In a situation where I want to be assured of security, I'm going to not only use TrueCrypt, I'm going to compile it myself.

      --
      I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
    2. Re:How about a software solution? by Anonymous Coward · · Score: 5, Interesting

      "I'm going to not only use TrueCrypt, I'm going to compile it myself."

      That won't help you. You need to read Reflections on Trusting Trust by Ken Thompson: http://cm.bell-labs.com/who/ken/trust.html

  2. Re:So what happens... by kcbanner · · Score: 5, Interesting

    I think this is actually true in some cases. I once worked on some 2.4 GHz radios from a certain vendor, and if you forgot the admin password you could expose them to the net and they could "unlock" them (YIKESOMG). They also had a version where you gave them the MAC of the radio and they gave you a special "unlock" password over the phone. Yea. It wasn't even random either, it was an English word iirc. The world of proprietary network gear = ugh. I prefer building them myself using Soekris or similar.

    --
    Obligatory blog plug: http://www.caseybanner.ca/
  3. Re:XOR encryption can be good by RupW · · Score: 5, Interesting

    Stream Ciphers also use XOR, but are much more convenient to use and could very easily be used to encrypt a hard drive. The problem is that very few stream ciphers allow you to quickly seek to an arbitrary point in the stream - so unless you just want to read the entire drive sequentially you're SOL.

    The only exception I've read about is SEAL but IIRC that's still patented by IBM.