Cracking a Crypto Hard Drive Case

← Back to Stories (view on slashdot.org)

Cracking a Crypto Hard Drive Case

Posted by kdawson on Monday February 18, 2008 @06:29PM from the easy-button dept.

juct writes "A label on the box reading 'AES' does not ensure that your data are protected. heise examined a hard drive enclosure with an RFID key that is typical of many similar products. They found that the 128-bit AES hardware encryption claimed in advertisements was in fact a simple XOR encryption that they were able to break easily with a known plaintext attack." The manufacturer of the drive examined has announced that the product is being retooled and will be reintroduced later this year, presumably with actual AES encryption.

41 of 238 comments (clear)

Min score:

Reason:

Sort:

Criminal prosecution? by palegray.net · 2008-02-18 18:33 · Score: 5, Insightful

For God's sake, can't the company's executives be charged under a criminal statute? Fraud, anyone? I guess their next product will use advanced ROT13 encryption technology.

--
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
1. Re:Criminal prosecution? by Nero+Nimbus · 2008-02-18 18:35 · Score: 5, Funny
  
  Hey, that's better than ROT26.
2. Re:Criminal prosecution? by GaryPatterson · 2008-02-18 18:35 · Score: 4, Funny
  
  It'll be so good, it'll do ROT13 twice!
3. Re:Criminal prosecution? by dbIII · 2008-02-18 18:59 · Score: 4, Funny
  
  It's not fraud if it's still AES. In this case AES stands for the claims which are Advanced Equine Stool.
4. Re:Criminal prosecution? by mxs · 2008-02-18 19:18 · Score: 5, Insightful
  
  For God's sake, can't the company's executives be charged under a criminal statute? Fraud, anyone? AES was used /somewhere/.
  
  It's /never/ a good idea to rely on cryptographic features when you don't know exactly how they are implemented. A vendor telling you they use AES is completely and utterly worthless, and always has been. It's a nice buzzword people like to use.
  
  It's also NEVER a good idea to use any "crypto developed in-house". Manufacturers love to tell you since they developed it and their development is secret and such that their product is safe and secure, much more secure even since nobody knows how it works.
  Cryptologists laugh at those claims, and everybody else should, too. These non-encrypting devices are a good reason as to why they do so.
  
  If you want truly encrypted files and disks, don't rely on cheap external enclosures. TrueCrypt is not hard to use and offers a decent level of protection (forget Windows crypto, it's littered with backdoors unless configured JUST right, which is not an easy task and definitely not default). Under linux, it's decidedly easy to use AES encryption on block devices.
  I guess their next product will use advanced ROT13 encryption technology. For good measure, they'll apply it twice -- after all, twice is better than once.
5. Re:Criminal prosecution? by Spy+der+Mann · 2008-02-18 19:21 · Score: 5, Funny
  
  It'll be so good, it'll do ROT13 twice!
  
  Hah! That doesn't compare with DOUBLE-XOR encryption! :D
6. Re:Criminal prosecution? by Anonymous Coward · 2008-02-18 19:29 · Score: 5, Funny
  
  Double-ROT-13 is funny
  Quadruple-ROT-13 is twice as funny
  Sextuple-ROT-13 is thrice as funny, and gets a two bonus points for the 's-e-x' string in it
  Octuple-ROT-13 is twice twice as funny, and gets a bonus point for sounding a bit like the word 'octopus', which has 'p-u-s' in it, which sounds a bit like 'pussy', which is a synonym for 'vagina', which is related to 'sex'
  Decuple-ROT-13 is twice plus thrice as funny
  Duodecuple-ROT-13 is twice thrice as funny
  
  After that it just gets lame.
7. Re:Criminal prosecution? by pipatron · 2008-02-18 20:24 · Score: 4, Insightful
  
  This is, of course, also the reason why you should never trust any closed-source products to do anything important. You have absolutely no clue about what it does and how it does it, no matter what it claims to do.
  
  --
  c++; /* this makes c bigger but returns the old value */
8. Re:Criminal prosecution? by pipatron · 2008-02-18 20:41 · Score: 4, Informative
  
  Hardware crypto, such that key authentication/management is done without any computer interaction, means I don't have to worry about the security of the machine I'm using
  Wrong. If the machine you are using is compromised, anyone with access to it can access your data as soon as you unlock it, either with your physical key, or with a password. Doesn't matter if you use software or hardware encryption. If your text editor can read the file on the disk, so can any other program on the computer.
  
  --
  c++; /* this makes c bigger but returns the old value */
9. Re:Criminal prosecution? by jmv · 2008-02-18 21:24 · Score: 4, Funny
  
  I do double-xor with a one-time pad. I've even figured out a way to do what without having to give the one-time-pad to the recipient, so I guess it counts as asymmetric cryptography.
  
  --
  Opus: the Swiss army knife of audio codec
10. Re:Criminal prosecution? by pyite · 2008-02-18 22:12 · Score: 4, Funny
  
  Is ROT13 a group? We may never know...
  
  After much work, I have proved that ROT forms a group under functional composition. I shall call it "the rotation group." This comment field, however, is simply too small to contain the proof.
  
  --
  "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
11. Re:Criminal prosecution? by TheVelvetFlamebait · 2008-02-18 22:58 · Score: 4, Funny
  
  Can you please repost your comment in plain text? Most of us can't be bothered decrypting your message.
  
  --
  You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
12. Re:Criminal prosecution? by garutnivore · 2008-02-19 00:06 · Score: 5, Insightful
  
  Open source is better than closed source for security code but it is not a silver bullet. The idea is that you want to have as many objective and capable coders able to examine the security code. That way, weaknesses in the code or shady things like back-doors are likely to be spotted and publicized. Closed source creates a significant obstacle against that examination. Open source does not create the obstacle but even without obstacle to examination you have no guarantee that objective and capable coders will actually examine the code.
13. Re:Criminal prosecution? by alexgieg · 2008-02-19 00:11 · Score: 5, Funny
  
  Octuple-ROT-13 is twice twice as funny, and gets a bonus point for sounding a bit like the word 'octopus', which has 'p-u-s' in it. . .
  And tentacles.
  
  --
  Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
14. Re:Criminal prosecution? by pnewhook · 2008-02-19 02:39 · Score: 4, Funny
  
  I agree completely - open source or nothing. But you would not BELIEVE the hassle I get checking into an airline when I refuse to let them close the door and take off until I've inspected all of their flight code. Bunch of unreasonable pricks.
  
  --
  Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
How about a software solution? by palegray.net · 2008-02-18 18:36 · Score: 5, Interesting

Would something like TrueCrypt, where you can easily look at the source, be a better solution? At the very least, it could avoid problems like these.

--
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
1. Re:How about a software solution? by palegray.net · 2008-02-18 18:49 · Score: 5, Insightful
  
  I'm aware it's not the same thing :). While I understand the performance benefits of doing the heavy computation with specialized hardware, I'm questioning the wisdom of trusting any embedded encryption platform that isn't easily audited for correct operation. What about devices that actually perform encryption using the algorithms claimed, but the implementation of the crypto routines contains a flaw that isn't easily detected? What do you do about it when your organization has a few of them in production? Closed platforms make me nervous when security really matters.
  
  --
  512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
2. Re:How about a software solution? by davmoo · 2008-02-18 18:56 · Score: 5, Interesting
  
  There's another disadvantage to hardware encryption like this product, even if it worked correctly, and why I also favor something like TrueCrypt (which is infact what I use) even if it might make a bit more work for the computer. The maker says "this is our special chip, and here's the source for our firmware for you to inspect"...now, how do you *know* that's really the firmware that's on that chip? Very few of us are in a position where we could take that source and make our own chip. In a situation where I want to be assured of security, I'm going to not only use TrueCrypt, I'm going to compile it myself.
  
  --
  I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
3. Re:How about a software solution? by blackwing0013 · 2008-02-18 19:00 · Score: 5, Informative
  
  Call me back when they have released something based on version 5.0 that "works" with Linux. Right now, the newly released 5.0 series is broken on Linux. It will cause your machine to lockup on most kernel versions used by Linux distros. Apparently, according to the authors of Truecrypt, they require you to upgrade to the latest release of the Linux kernel, which may not be an option for most of us.
  
  Secondly, even if you were able to make it work the Linux kernel on your machine, the new FUSE-based Truecrypt 5.0 series is only 1/20-1/10 of the speed I get from the 4.x series. From 20-40 MB/s, now I only get 1-5 MB/s.
  
  I am now considering to switch to dmcrypt+luks.
4. Re:How about a software solution? by Anonymous Coward · 2008-02-18 19:45 · Score: 5, Interesting
  
  I'm going to not only use TrueCrypt, I'm going to compile it myself.
  
  That won't help you. You need to read Reflections of Trusting Trust by Ken Thompson: http://cm.bell-labs.com/who/ken/trust.html
5. Re:How about a software solution? by evanbd · 2008-02-18 21:21 · Score: 4, Insightful
  
  Especially since compiling the code yourself is completely sufficient to prevent security flaws. Erm. You were planning to audit it, right? Since everyone knows that's sufficient.
  
  Computer security is hard. Doing it right is really hard.
6. Re:How about a software solution? by Teun · 2008-02-19 01:04 · Score: 4, Informative
  
  Nothing stops you from using version 4.3. Even when you think you need a GUI, there are several available.
  
  In the mean time I'm quite happy with the new 5.0.
  
  --
  "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
So what happens... by TubeSteak · 2008-02-18 18:37 · Score: 4, Insightful

...when you lose the RFID fob?

Does the mfg keep a list of serial #s and RFID keys so they can mail you/thief a replacement?

--
[Fuck Beta]
o0t!
1. Re:So what happens... by palegray.net · 2008-02-18 18:40 · Score: 5, Funny
  
  All the fobs are encoded with the special key: QWERTYUIOP1234567890. Don't worry though, the key is copyrighted internationally and cannot be used without proper authorization. Devilishly ingenious, those wily engineers...
  
  --
  512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
2. Re:So what happens... by kcbanner · 2008-02-18 18:57 · Score: 5, Interesting
  
  I think this is actually true in some cases. I once worked on some 2.4ghz radios from a certain vendor, and if you forgot the admin password you could expose them to the net and they could "unlock" them (YIKESOMG). They also had a version where you gave them the MAC of the radio and they gave you a special "unlock" password over the phone. Yea. It wasn't even random either, it was an english word iirc. The world of proprietary network gear = ugh. I prefer building them myself using Soekris or similar.
  
  --
  Obligatory blog plug: http://www.caseybanner.ca/
3. Re:So what happens... by mxs · 2008-02-18 19:25 · Score: 4, Insightful
  
  ...when you lose the RFID fob? Glad that you asked. Thank you for being our customer. Please go download http://vendor/recover.exe. It will recover your data on your harddrive. This is a feature. Thank you for your business.
  Does the mfg keep a list of serial #s and RFID keys so they can mail you/thief a replacement? Quite honestly the entire concept is flawed. a.) if you loose your key and somebody else can furbish another one, your crypto is broken by default. You cannot trust it to secure anything at all. b.) RFID IDs as keys ? Sure, everybody knows RFIDs can ONLY be read at a distance of several centimeters. Right ? RIGHT ?
  
  The question you should be asking is "If somebody copies my key, can I change the lock ?"
4. Re:So what happens... by TheThiefMaster · 2008-02-18 21:21 · Score: 4, Insightful
  
  How about: "If somebody copies my key, will I even know?"
This has to be illegal by pembo13 · 2008-02-18 18:44 · Score: 4, Insightful

This can't possibly be legal. Even the CEO should have an idea if one of their newest product does some highly technical thing which it advertises as a major feature. I don't expect him/her to know how AES works... but he should at least be sure that it is working on the drive. I'm sure his pocket change could hire a contractor to test this.

--
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Trust by Mikey-San · 2008-02-18 18:48 · Score: 5, Insightful

The manufacturer of the drive examined has announced that the product is being retooled and will be reintroduced later this year, presumably with actual AES encryption.

Trust is a precious resource that you must cultivate; it's not a boomerang. Never risk throwing it away.

--
Mikey-San
Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
1. Re:Trust by Anonymous Coward · 2008-02-18 19:11 · Score: 4, Funny
  
  Yea, it is so!
  
  The precious resource of trust can only be grown slowly, fed by the nutrients of honesty, the rains of commercial and/or interpersonal interaction, and the sun-like rays of consistency. Like the noble crops of wheat that adorn the fields of the Great Plains, it is only finally harvested in the autumn of our lives. But, unlike those nutritious grains, its wholesomeness fills the belly of our souls every day of our lives.
  
  Nay, trust is _not_ a boomerang.
XOR encryption can be good by corsec67 · 2008-02-18 18:52 · Score: 4, Informative

XOR doesn't immediately mean that it is a crappy form of encryption. One Time Pads can be a very good form of encryption, if the pad is generated correctly and used only once. But, that isn't very useful for encrypting a hard drive. It looks to me like the "encryption" in the box was just a 512 byte key used like a OTP for each sector, which is trivial to break, as the article says.

Stream Ciphers also use XOR, but are much more convenient to use and could very easily be used to encrypt a hard drive.

--
If I have nothing to hide, don't search me
1. Re:XOR encryption can be good by RupW · 2008-02-18 19:21 · Score: 5, Interesting
  
  Stream Ciphers also use XOR, but are much more convenient to use and could very easily be used to encrypt a hard drive. The problem is that very few stream ciphers allow you to quickly seek to an arbitrary point in the stream - so unless you just want to read the entire drive sequentially you're SOL.
  
  The only exception I've read about is SEAL but IIRC that's still patented by IBM.
2. Re:XOR encryption can be good by kiltyj · 2008-02-18 19:28 · Score: 5, Informative
  
  To enforce parent's point, many (if not all) of the best modes of operation (CCM, etc) for block ciphers like AES use XOR -- it would be silly to think of cryptography without XOR.
  
  It is also true that one can use AES (ignorantly) in a way that allows decryption as described in the article. Using Electronic codebook (ECB), for example, with the same key for each block, would provide no security beyond what would be provided by a reused OTP. Sadly (though obviously insecure), this is still technically using AES as a block cipher -- it's just using an insecure mode of operation. My first thought was that the manufacturers used ECB, or a similar insecure mode of operation (trusting the claim of using AES).
  
  From reading the article, though, it seems the manufacturers even admitted only using AES "when saving the RFID chip's ID in the controller's flash memory" and that "actual data encryption is based on an algorithm developed in-house." Just goes to show that if tried-and-true algorithms / ciphers are available, you should NEVER have to develop your own.
3. Re:XOR encryption can be good by Woek · 2008-02-18 19:48 · Score: 4, Informative
  
  XOR is not an encryption method, it's just a binary operation. It's what you XOR your data with that determines if your encryption is good or not. That's what is the problem in this case.
This is nothing new by SchizoDuckie · 2008-02-18 19:28 · Score: 4, Interesting

Actually, this is nothing new. A couple of months ago the dutch colleagues at tweakers.net had a couple of great reports on how crappy the 'fingerprint security' USB drives are. Most of them are ont he same level of crappyness this one is.

--
Quack damn you!
Well, as others have noted by Sycraft-fu · 2008-02-18 20:06 · Score: 4, Insightful

This was a hardware solution. There's reason to want your encryption done in hardware (less CPU load for example).

However more importantly, what good does the source really do you? I mean I can get the Truecrypt source, and I can look at it, but it really isn't going to tell me anything other than that I'm not very good at C++. I'm not a programmer by trade, so I certainly can't trace through all the complicated code that makes up a program like Truecrypt (it even includes assembly).

What's more, even if you are a programmer, it doesn't necessairily do you any good. Cryptography is a pretty specialized field and a pretty complex one. So while you might be able to trace through all the code and see what it does, do you have all the cryptographic knowledge to know if it is doing everything right? Can you tell the different between a properly and improperly applied algorithm? Will you notice a minor bug in assembly where they put a JNA instead of a JNAE? You might conclude everything looks fine, but be wrong simply because you don't understand how it works well enough or because the error is non-obvious.

Now please don't misunderstand, I'm not saying I think Truecrypt is untrustworthy. Far from it, I use and trust it. I am just saying that there is the false warm fuzzy myth about OSS that tends to get thrown around on /. a lot. That the code is open doesn't mean anything because 99.999+% of people can't "easily look at the source" since it won't be meaningful to them. A source audit is only useful if the person doing it is an expert and does a thorough job.

Well, while that certainly can, and does, happen with OSS, it can happen with closed software as well. Being open doesn't make it inherantly secure, and doesn't mean a normal person can tell.

For that matter, to really check crypto software you don't just need a code audit, it is even more important to do a results audit. Basically you take data, you encrypt it, and then you look at the result and see if it is good. You treat the software like a black box because the question isn't "Is it producing the correct result based on the code," the question is "Is it producing the correct result based on the cryptosystem." If I wanted to audit Truecrypt I wouldn't so much be interested in how it did things internally. Heck, even if I was an expert it might easily have a bug I'd miss (since after all other experts had written it and missed said bug). What I'd be interested in is having it do encryption, then comparing the result against controls. Maybe another AES implementation I knew to be good, maybe one I wrote, maybe a bit of a test worked out by pen and paper, maybe just trying to do cryptographic attacks against the ciphertext..

Regardless of the method, what I'd want to do is verify operation, not design. I imagine that's what they did in this case. Drive claims "this is AES encryption" so they do a little compare and contrast and, what do you know, it isn't.
1. Re:Well, as others have noted by Bert64 · 2008-02-18 21:23 · Score: 5, Insightful
  
  Well, just because you may not know too much about C or encryption...
  I'm not really inclined to trust some company that says product X is secure, but i'm far more likely to trust a string of unconnected individuals, especially if some of those individuals are recognised cryptography experts or have at least studied cryptography at a reputable establishment.
  Sure it's not perfect, but its a huge step in the right direction. The only perfect solution would be to study cryptography and programming (in whatever language) yourself first.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Perfect XOR encryption. by Ihlosi · 2008-02-18 20:48 · Score: 5, Funny

XOR is not an encryption method, it's just a binary operation. It's what you XOR your data with that determines if your encryption is good or not. That's what is the problem in this case.

Indeed. I XOR the data with itself, making sure that it can never, ever be decrypted.
WTF? by EddyPearson · 2008-02-18 23:01 · Score: 4, Interesting

Why havn't they been charged with fraud and false advertising.

If I sell you a padlock, claiming that its made of steel, when actually its made of a Silly Putty and rubber bands, then I'm going have my day in court. Why Tech vendors seem TOTALLY immune to this kind of prosecution.

Puts me in mind of SecuLock (was that the name?), they were featured here a while back, they make "secure" USB memory sticks, they claimed AES encryption, killswitches and other bells and whistles, but if you were to have a quick look at one of the DLL's exports, you can see a an Unlock routine. You see, the user's password wasn't used as a key, Oh no, they had one global key and a simple IF to check the passwords.

Though this is much, much worse, it beggars the question; how can we berate employees for losing disks and laptops, when the vendors are happy to look us in the eye and lie to us, about standards that I was able to implement when I was about 16.

It's either government interferance (remember, the USA's law forcing vendors to embed backdoors for them), or its just plain lazy, either way, it's got to stop.

--
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
It's not the company's fault... by msauve · 2008-02-19 00:47 · Score: 5, Informative

although they perhaps didn't do due diligence.

They used a chipset from INNMAX, the IM7206, believing it provided AES encryption to data. INNMAX's marketing strongly implies that AES encryption is being used for data on disk.

According to the article, when confronted with this situation, INNMAX's response was
The IN7206 merely uses AES encryption when saving the RFID chip's ID in the controller's flash memory. The company explained that actual data encryption is based on a proprietary algorithm. The company claims the IM7206 only offers basic protection and is designed for "general purpose" users.
Cheap Chinese Crap.

--
"National Security is the chief cause of national insecurity." - Celine's First Law
Freecom equally bad by CarpetShark · 2008-02-19 00:59 · Score: 4, Interesting

Trust is a precious resource that you must cultivate; it's not a boomerang. Never risk throwing it away.

Agreed. This is exactly what freecom did when they sold me a usb bluetooth adaptor with an antenna. I dropped it one day, and the little case popped open. OK, that happens; no big deal. What WAS a big deal though, was the antenna -- it was simply a bit of plastic, swinging from a hole in the case. There were no wires attached to this, nothing else near it that even suggested it might have accidentally been shipped with a "placeholder" or something like that. It was simple, unadultered fraud. The antenna might as well have been made by Tomy, which is a shame, as otherwise, it worked fine, and the antenna probably was unnecessary after all (I bought that model FOR it's antenna figuring it wouldn't hurt, and might help).

What do freecom gain from this? Something like $5, I'd guess, after the store etc. take their cuts.

What do they lose? Me, as a an IT industry purchaser, ever buying their products again. Me telling other IT people on slashdot what I think of Freecom.

What could they have done instead, to compete with manufacturer X's? "We're confident in our product's reception/transmission, and have no need for gimmicks like the antennas manufacturer X uses." I probably would have bought a lot more of their stuff after that.

Dumbasses.