You are incorrect. FIPS validated products cannot use the password for key generation. Instead, they must use a random number generator to create the AES key (e.g. a 256-bit key). The password is used to gain access to the key. So a short password can be used, yet you still get 256-bit encryption. As long as the brute force password protection counter is also implemented in hardware and cannot be rolled back, you do not need very long passwords (e.g. set a 3 try limit). Also, you should encrypt the random AES key with a SHA-256 hash of the password, so that the key isn't stored in the clear anywhere.
IronKey D200 and S200 models are validated to the much more demanding FIPS 140-2 Level 3. The products that are the subject of this hack are validated to Level 2. They are all in fact manufactured by SanDisk.
Previous authors are correct: their architecture has serious design flaws. They are relying on the host PC to do password verification, and essentially using a static code to tell the device to unlock. Basically it's a back door to all of those affected SanDisk, Kingston and Verbatim devices.
I will be posting an FAQ later today on the https://www.ironkey.com/ website describing the flaws and how IronKey's architecture does not have these issues.
IronKey validates all passwords in hardware. We have password replay prevention and encrypted USB command channels. We also use a hash of the password to decrypt the data AES key, so it's cryptographically impossible to unlock an IronKey without the password. Finally, IronKeys store encryption keys and brute force counters in a hardened CryptoChip. The SanDisk, Kingston and Verbatim products store them in Flash memory, which isn't even part of their FIPS 140-2 security policy.
Dave
IronKey does encryption in hardware on the device. All keys are generated on the device and are not exportable from the device. No software or drivers need to be installed on your computer.
Not at all. Any system could be compromised or taken over or have a subpoena to get the data IN ANY COUNTRY.
This is why systems like IronKey are designed using strong cryptography with great attention to key management, no back doors, etc. To rely on someone saying they won't disclose data is not a secure system.
Thanks gweihir. We have tried to be quite open about our product and algorithms (see our whitepapers, demo and FAQ as well as https://learn.ironkey.com/).
We're not prepared to discuss in a public forum which processors we are using. Might be competitors lurking about :-)
Actually, the nodes WERE in fact operated by a single operator. I don't recall Roger ever naming who this fellow actually was. According to Roger
"He's still running quite a few, on the same network, but now he sets the MyFamily torrc option on them."
Also it caused him to add code to the tor client to not pick more than one node from a /16 when building a circuit.
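The path-selection rule the comment refers to (never two relays from one /16, and never two relays that declare the same MyFamily), as an added Go example that is not Tor's code; the Relay type, the relay names and the TEST-NET addresses are constructed for illustration:

```go
package main

import (
	"errors"
	"net"
)

// Relay is a candidate hop; constructed sample data, not a real descriptor.
type Relay struct {
	Name   string
	Addr   string // IPv4 address the relay publishes
	Family string // MyFamily label; "" when the operator declared none
}

// sameSlash16 reports whether two IPv4 addresses share their first 16 bits,
// which is the "/16" test from the comment.
func sameSlash16(a, b string) bool {
	ipA, ipB := net.ParseIP(a).To4(), net.ParseIP(b).To4()
	if ipA == nil || ipB == nil {
		return false
	}
	return ipA[0] == ipB[0] && ipA[1] == ipB[1]
}

// Compatible reports whether r may join a path that already holds chosen:
// a second relay from the same /16 or the same declared family is rejected,
// so one operator's machines cannot occupy two positions on the circuit.
func Compatible(r Relay, chosen []Relay) bool {
	for _, c := range chosen {
		if sameSlash16(r.Addr, c.Addr) || (r.Family != "" && r.Family == c.Family) {
			return false
		}
	}
	return true
}

// BuildPath takes the first `hops` mutually compatible relays in the order
// given (a real client also weights by bandwidth; order is enough for the rule).
func BuildPath(candidates []Relay, hops int) ([]Relay, error) {
	var path []Relay
	for _, r := range candidates {
		if len(path) == hops {
			break
		}
		if Compatible(r, path) {
			path = append(path, r)
		}
	}
	if len(path) < hops {
		return nil, errors.New("not enough diverse relays for a path")
	}
	return path, nil
}
```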
We have taken great care to ensure that the design of our crypto and key management ensures that only the owner of an ironkey can access their data and traffic. This is completely legal.
Mikey,
Yes, we're looking into this. The trick is to get one that does not require software to be installed on the computer. There are a couple of lightweight options out there. Thanks for the great suggestion.
It is actually more secure, because the exit nodes aren't going to be injecting malware, tracking bugs, or providing false DNS information (e.g. pharming).
It may be less anonymous (although it was recently discovered that a group of Tor nodes in the Washington DC area were routing large amounts of the public Tor network: http://cryptogon.com/?p=624).
We're working on giving you the option of public mix-in, along with optimized route selection.
TrentTheThief, I have no idea who you are, but your statement is patently false: "Ironkey provides the US gov't access to anything it wants." The US government, and anyone else, are free to purchase IronKeys.
On the EU side of things, if you use our backup services, then yes we would have some data in the US. However, that data is encrypted on your IronKey, so it's just an encrypted blob. Also, we don't know who a given user is, so there's no way to track that back to an individual customer.
Dave @ IronKey.
WZ,
What you refer to is a $29 browser with crypto from EISST. I am sure it is a great product, but it's just software. Remember that you would have to factor in the cost of purchasing a U3 drive to run it on. And you'd need TrueCrypt or some other flash drive encryption software to protect your data on the flash drive.
With IronKey you are getting a super-fast, super-reliable, tamper-resistant, waterproof hardware encrypted drive. And it comes with Firefox that talks to our CryptoChip for authentication operations, plus the password manager and private Tor network. All browsing data is stored encrypted on the IronKey, and no software is installed on the host computer.
Dave
We will publish benchmarks on speed, but it's faster than any software crypto we've tried.
You are missing a number of advantages. Did you read the whitepaper on why hardware encryption is better than software????
https://learn.ironkey.com/docs/IronKey_Whitepaper-Benefits_of_Hardware_Encryption.pdf
You fail to mention:
- prevents brute-force password attacks (this is a big one)
- prevents offline attacks on the encrypted data (because there is no .img file to copy and crack)
- strong key generation and storage
- no software or drivers to install, and works in non-admin mode on Windows (TrueCrypt installs a driver and requires Admin mode)
- always on, cannot be disabled by user error or malware (unlike software crypto)
As far as your disadvantages:
1. you're free to run an open source software crypto package on the device as well as the hardware crypto.
2. We are doing a FIPS-140 certification, whereby a third party is reviewing our code.
3. Possible, but if malware is power cycling your computer, you've got other things to worry about than it trying to DoS your IronKey... like it would probably just erase your hard drive, no?
Thanks for your comments and questions.
- Dave @ IronKey
Thanks dch24,
Once people dig into the technical details, and actually use the device, I'm confident that initial scepticism will turn into enthusiasm. Thanks for your support.
Dave
IronKey's CryptoChip includes voltage, frequency and temperature detectors, illegal code execution prevention, tampering monitors and protection against side channel attacks and probing. The CryptoChip can detect tampering attempts and destroy sensitive data on such events. We are designed to not leak information when attackers measure current consumption, radio emissions and other side channel attacks.
The chip was designed in conjunction with one of the major security chip vendors in the space, and its core has been used in millions of secure devices.
All crypto is standard open algorithms (AES, RSA, SHA). No proprietary crypto.
TrueCrypt is exceptionally good data encryption software.
Our whitepaper describes the IronKey hardware crypto approach and how it's better than a pure software implementation:
- speed
- brute force key guessing
- brute force password guessing
- cross platform without drivers or admin mode required
- tamper resistant
We also provide strong 2-factor authentication for Internet password protection. The device does strong PKI crypto, which is integrated into Firefox with PKCS11.
We tried to get a small amount of thermite into the device, but it just refused to pass the CE and FCC approvals needed to sell in USA and Canada. Maybe we can sell the thermite-grenaded versions out of China and have people mail order from there? :-)
D @ IronKey
We run a number of TOR nodes across the world. The TOR client selects these preferentially. Thus you get higher bandwidth, lower latency and more predictable performance than using the regular public TOR network, where you could end up going through some guy's computer connected to the net on a DSL or dial-up line.
Dave @ IronKey
We prototyped a laser projected keyboard, but they are pretty expensive ($100) and require a flat surface.
We have put more effort into a keypad and also a rotary numerical selector design on the case.
Dave
The key-store in the cryptochip will destruct if tampered with physically or electrically.
You are right that without a battery we cannot reliably delete the gigabytes of encrypted data if the device is immediately pulled out of a power supply and never re-inserted into another computer. This would only happen with a very determined and knowledgeable attacker. In such a case, their recourse is to disassemble the device and try to attack AES encrypted data.
Because the AES keys are randomly generated, and not based on a hash of a password for example, an attacker would have to brute force an AES key, which would be pretty impractical.
BlueCoder, in essence you are correct. However this narrows the attack surface down considerably. An attacker has to etch away the potting compound to get at the flash chips. Then unmount them. Then they can get at the AES encrypted data, and try to crack AES.
The AES keys are not accessible, because they are not stored in the flash memory, but rather in our cryptochip which is tamper-resistant. The AES keys are not based on a password (they are generated by a random number generator), thus they are very strong. This means that password guessing isn't going to be effective for cracking the encrypted data. You would have to do an exhaustive AES key space attack.
Dave @ IronKey
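The key handling that the first comment and this one describe (a 256-bit AES key that comes from the RNG and never from the password, stored only wrapped under a SHA-256 hash of the password, with a three-try counter the host cannot reset), as an added Go example that is not IronKey's code; the Token type and its methods are assumptions for illustration, and SHA-256 is used directly as the wrapping key because that is what the comment states:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const maxTries = 3 // the "3 try limit" from the comment
// Token models the design described above: a data key (DEK) from the RNG that
// is kept only wrapped under KEK = SHA-256(password), plus a failure counter.
type Token struct {
	wrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK); nil once destroyed
	failures   int    // unexported: only a correct password ever clears it
}

// kekFor keys an AEAD with SHA-256(password), as the comment states (no slow
// KDF: the hardware try counter, not password length, does the work).
func kekFor(password string) cipher.AEAD {
	kek := sha256.Sum256([]byte(password))
	block, _ := aes.NewCipher(kek[:]) // a 32-byte key never fails here
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Provision generates the DEK on the device and stores it only in wrapped form.
func Provision(password string) (*Token, error) {
	aead := kekFor(password)
	dek := make([]byte, 32)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Token{wrappedDEK: aead.Seal(nonce, nonce, dek, nil)}, nil
}

// Unlock unwraps the DEK. The GCM tag is the only password check: a wrong
// password fails authentication, so nothing password-derived is kept in clear.
func (t *Token) Unlock(password string) ([]byte, error) {
	if t.wrappedDEK == nil {
		return nil, errors.New("locked: wrapped key destroyed")
	}
	aead := kekFor(password)
	ns := aead.NonceSize()
	dek, err := aead.Open(nil, t.wrappedDEK[:ns], t.wrappedDEK[ns:], nil)
	if err != nil {
		t.failures++
		if t.failures >= maxTries {
			t.wrappedDEK = nil // destroy the key; the encrypted flash is now unreachable
		}
		return nil, errors.New("wrong password")
	}
	t.failures = 0
	return dek, nil
}
```

Changing the password means re-wrapping the same DEK under a new hash; the bulk data is never re-encrypted because the DEK never depended on the password.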
Z,
Unfortunately you're not correct. The flash drive firmware would have to be able to parse the FAT file system in order for this to work. USB storage media does not receive data as files, but rather as blocks, at a much lower level than the Windows file system.
Also, your approach basically sends your password in the clear over USB. We AES encrypt our USB traffic, protecting your password from USB level sniffers.
We have IronKey working on MacOS now, and are working on Linux.
Please be aware that we are more than a secure flash drive. We've got hardware encrypted password storage, strong 2-factor authentication (the Firefox has a PKCS11 driver that talks to our onboard crypto).
Dave @ IronKey
We store the AES keys encrypted (just in case).
Major partner with well used and tested core.
We comply with all applicable laws.
Yep, agreed that there is utility and a market. We're working on it.
Great ideas. Thanks. I like the thought about different exit policies.
Dave
Thanks Bill for posting the domain and headers. The registrant of the domain ironkeysales.com gives me a good clue who to chase. DJ