Slashdot Mirror
NIST Investigating Mass Flash Drive Vulnerability
Lucas123 writes with a followup to news we discussed earlier this week that the encryption on NIST-certified flash drives was cracked.
"A number of leading manufacturers of encrypted flash drives have warned their customers of a security flaw uncovered by a German company. The devices in question use the AES 256-bit encryption algorithm and have been certified using the FIPS 140-2, but the flaw appears to circumvent the certification process by uncovering the password authentication code on host systems. The National Institute of Standards and Technology said it's investigating whether it needs to modify its standards to include password authentication software on host systems. Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.'"
Use PGP. Create a really long key, like 4096 bits.
http://michaelsmith.id.au
Encryption algorithm's aren't the weak link, its the implementation. But most people just look at how big the key is not who implemented it.
Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.'"
... OR it was a deliberate mistake. Damn Germans for not playing ball.
This is pretty major as so many vendors are affected by it. However, until there's an update or complete recall & replacement, I'd recommend using Truecrypt. Certified by NIST (see HERE. Cross platform. Free (as in spoken beer ;o). Of course, one can only hope that its implementation is better than the devices currently uncovered :P
Q: How does a Unix guru have sex? A: unzip;strip;touch;finger;mount;fsck;more;yes;umount;sleep
"Kingston Technology Inc. ---- ....is warning customers about a potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives."
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
what if you spent a lot of money on one of these drives, too bad your out of luck, I doubt there will be a refund.
See, this is why I can't watch movies anymore.
Back in the nineties there was a teapot tempest around an issue with Intuit's Quicken personal finance software. Users could "encrypt" their Quicken data files, but the password they created to access it was easily recoverable by simply looking at the plain text raw data stored on hard drive sectors. I had Norton Utilities which allowed me to examine drive sectors, and sure enough, there was my Quicken password (altho the actual data was encrypted).
That's what this reminds me of. Is this a valid -if perhaps incomplete- comparison?
I really do not understand this part:
"The National Institute of Standards and Technology said it's investigating whether it needs to modify [CC] its standards to include password authentication software on host systems."
This has already been proven to be very unsafe hardware. The fact that you can access the data without using the original software and without knowing the user's password should leave no doubt. As long as you have some software which says "Open Sesame" in the same way as the original software, you will get access.
So why was this not discovered during the NIST certification process? And why do NIST state that they may need to approve the software too to protect against this?
It seems to me that NIST blames the software so they will not have to take blame for their faulty certification of the hardware.
From Enigma, Crypto AG to Kingston the NSA like parts of the US gov love you all.
Domestic spying is now "Benign Information Gathering"
is how everything is carefully run through the make-nice factory. The memory chip makers ucked fup. NIST ucked fup. Yet, NIST cannot say, "whoa, we blew it, we have to fix that standard immediately" (else it will be completely worthless). No, they're organizing a committee to appoint a task force to propose revisions to the standard, pending who-knows-what. And even the guys who got it right, try to make nice with a handy excuse for how this came about -- "difficult to administer with all those different passwords". You set two passwords for each device, duh, and let either access the bits. Vendors provide them with a customer-specified admin password, or vendor supplies a chip initialization utility where customer may bake in an admin password.
You need buttons on the device. Without that, your password could be swiped by PC malware.
A no-frills minimal device comes with 10 buttons. The password is a 10-digit number printed on a card hidden in the packaging. To avoid having the password revealed by button wear, none of the digits repeats. You put the device in, press buttons, and then it shows up to the OS.
A better device has a config setup. Press an extra recessed button, and the device appears as a USB netword device with a DHCP server and all. Go to the device's internal web page, just like setting up a home wireless router. There you could create multiple virtualized devices, each with a distinct password. (if you create more than one, then the device shows up as a hub with child devices) This also allows for data-losing recovery from password loss: you just delete the virtual device you can no longer access, then create an empty virtual device with a new password.
Any flash drive whose "security" involves a required app running on the host system will not be suitable for cross-platform use even if the app is well-written. The only right way to do it is to encrypt the data written to the drive, using well-known secure encryption algorithms run on the host. And for that purpose a cheap, dumb drive works just as well as a super-expensive "secure, tamper-proof" drive.
-- Old Man Kensey
Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.'"
That's our Bruce.
The higher the technology, the sharper that two-edged sword.
If all the drives have identical challenge response interchanges, why wasn't this noticed the first time someone using his own machine/software/password successfully accessed the wrong drive?
I would never even bother to encrypt data on a flash drive.
1) If your data is so important that other people shouldn't read it, why are you putting it on a flash drive which can be stolen?
2) If, for some reason, you are storing your data on a flash drive, why are you leaving it where others can steal it? You can have my flash drive when you pry it from my cold, dead hands!
3) If you do put your data on a flash drive and somebody kills you to get it, it stands to reason that they will be able to work at their own leisure to decrypt the data on it. I don't know any form of encryption that is 100% bulletproof. (Except, maybe a one-time pad. - Assuming they don't get your key.) It's only a matter of time before your encrypted data is broken. Your only hope is that the information will go stale before they can decrypt it.
Flash drives are ubiquitous, easily stolen and easily concealable. They are, AFAIAC, the WORST place to store valuable data.
Encrypting data on a flash drive is like putting a padlock on a cardboard box.
Posting anonymously since I work at NIST (but not in crypto or infosec). The problem isn't NIST or even really FIPS 140-2. The problem is that FIPS 140-2 certifies something very specific -- the encryption module. It doesn't certify the entire system or the hardware.
This was not a big deal when FIPS 140-2 was initially written or expanded. However, now that full-disk encryption is mandated for federal computers and encrypted USB keys are something everyone buys, the reality is that FIPS 140-2 certification doesn't mean very much. Encryption grew up and moved out of the house, and as usual federal standards take some time to catch up.