Friday, February 5, 2010

Always remember: A chain is no stronger than its weakest link

Sometimes I’m surprised to see how big companies are handling security issues. Other times I’m simply shocked to see products coming from big players and marketed as extra-secure, super-strong or military-approved-security-level when in fact they are not.

Recently it happened that the German security research group SySS GmbH played a little bit with some so-called “encrypted USB drives” and managed to get access to the protected data. They were testing products from SanDisk, Kingston and Verbatim (like “SanDisk Cruzer Enterprise - FIPS Edition” and “Kingston DataTraveler BlackBox”) and they were able “to gain access to all stored data by just a few mouse clicks fairly easily”. That’s it, “just a few mouse clicks” and the information from the super-secure enterprise-grade encrypted drive US Government FIPS 140-2 approved featuring 256-bit AES encryption is as secret as the text from this page.

Mainly, a design flaw, in my opinion plain stupid, contributed to this circus. The poor AES encryption algorithm used was fine and doing his job ok, but the decryption key used was always the same no matter the user’s password. It took them just some little time to crack the authentication software in order send always the fixed decryption key and voila, zero security for the secure drive. Clear and obvious hacking. No computer clusters burning megawatts to crack keys, just a simple and straight forward approach.

Obvious I have a question: Who had the great idea to design a security system in 2010 the way we’re doing in the 90's in college? I understand that mistakes can happen, but I find this case the mistake is totally unacceptable for such products coming from such companies.

Something is amazing me even more: how did they get the FIPS 140-2 certification?

In general, I’m a skeptic person; I don’t take things for granted. However, with this kind of security devices coming from important companies, when AES 256 was waived in front of my eyes, I always had in my mind that the data is encrypted with your key. Well, I was terribly wrong.


Post a Comment