Cracking a Crypto Hard Drive Case

juct writes "A label on the box reading 'AES' does not ensure that your data are protected. heise examined a hard drive enclosure with an RFID key that is typical of many similar products. They found that the 128-bit AES hardware encryption claimed in advertisements was in fact a simple XOR encryption that they were able to break easily with a known plaintext attack." The manufacturer of the drive examined has announced that the product is being retooled and will be reintroduced later this year, presumably with actual AES encryption.
  • by palegray.net ( 1195047 ) <(philip.paradis) (at) (palegray.net)> on Tuesday February 19, 2008 @02:33AM (#22472018) Homepage Journal
    For God's sake, can't the company's executives be charged under a criminal statute? Fraud, anyone? I guess their next product will use advanced ROT13 encryption technology.
  • So what happens... (Score:5, Insightful)

    by TubeSteak ( 669689 ) on Tuesday February 19, 2008 @02:37AM (#22472034) Journal
    ...when you lose the RFID fob?

    Does the mfg keep a list of serial #s and RFID keys so they can mail you/thief a replacement?
  • by kcbanner ( 929309 ) * on Tuesday February 19, 2008 @02:44AM (#22472068) Homepage Journal
    It's not the same thing. We're talking about encryption in the device (apparently), so it's done before it hits the computer.
  • by pembo13 ( 770295 ) on Tuesday February 19, 2008 @02:44AM (#22472070) Homepage
    This can't possibly be legal. Even the CEO should have an idea if one of their newest products does some highly technical thing which it advertises as a major feature. I don't expect him/her to know how AES works... but he should at least be sure that it is working on the drive. I'm sure his pocket change could hire a contractor to test this.
  • Trust (Score:5, Insightful)

    by Mikey-San ( 582838 ) on Tuesday February 19, 2008 @02:48AM (#22472084) Homepage Journal
    The manufacturer of the drive examined has announced that the product is being retooled and will be reintroduced later this year, presumably with actual AES encryption.

    Trust is a precious resource that you must cultivate; it's not a boomerang. Never risk throwing it away.
  • I'm aware it's not the same thing :). While I understand the performance benefits of doing the heavy computation with specialized hardware, I'm questioning the wisdom of trusting any embedded encryption platform that isn't easily audited for correct operation. What about devices that actually perform encryption using the algorithms claimed, but the implementation of the crypto routines contains a flaw that isn't easily detected? What do you do about it when your organization has a few of them in production? Closed platforms make me nervous when security really matters.
  • Defining security is the process of calculating that magical combination of (1) the value of what you're protecting, (2) what it costs you to protect (encrypt) it, and (3) the computational cost a determined adversary would have to expend to break the crypto. Determining an adequate level of protection for personal data is left as a personal exercise.
  • MOD PARENT UP (Score:4, Insightful)

    by chebucto ( 992517 ) on Tuesday February 19, 2008 @03:01AM (#22472160) Homepage
    TFA says the chip manufacturer was misleading, implying that AES was used for all data when in fact it was used for the key.

    That said, the case manufacturers should have tested the product themselves. They should at least offer returns / refunds.
  • by mxs ( 42717 ) on Tuesday February 19, 2008 @03:18AM (#22472242)

    For God's sake, can't the company's executives be charged under a criminal statute? Fraud, anyone?
    AES was used /somewhere/.

    It's /never/ a good idea to rely on cryptographic features when you don't know exactly how they are implemented. A vendor telling you they use AES is completely and utterly worthless, and always has been. It's a nice buzzword people like to use.

    It's also NEVER a good idea to use any "crypto developed in-house". Manufacturers love to tell you since they developed it and their development is secret and such that their product is safe and secure, much more secure even since nobody knows how it works.
    Cryptologists laugh at those claims, and everybody else should, too. These non-encrypting devices are a good reason as to why they do so.

    If you want truly encrypted files and disks, don't rely on cheap external enclosures. TrueCrypt is not hard to use and offers a decent level of protection (forget Windows crypto, it's littered with backdoors unless configured JUST right, which is not an easy task and definitely not default). Under Linux, it's decidedly easy to use AES encryption on block devices.

    I guess their next product will use advanced ROT13 encryption technology.
    For good measure, they'll apply it twice -- after all, twice is better than once.
  • by mxs ( 42717 ) on Tuesday February 19, 2008 @03:25AM (#22472270)

    ...when you lose the RFID fob?
    Glad that you asked. Thank you for being our customer. Please go download http://vendor/recover.exe [vendor]. It will recover your data on your hard drive. This is a feature. Thank you for your business.

    Does the mfg keep a list of serial #s and RFID keys so they can mail you/thief a replacement?
    Quite honestly the entire concept is flawed. a.) if you lose your key and somebody else can furnish another one, your crypto is broken by default. You cannot trust it to secure anything at all. b.) RFID IDs as keys? Sure, everybody knows RFIDs can ONLY be read at a distance of several centimeters. Right? RIGHT?

    The question you should be asking is "If somebody copies my key, can I change the lock ?"

  • Not everyone lives in jurisdictions that consider the act of reverse engineering a cryptographic device illegal. Even at that, generally people would only have a legal case if the reverse engineering / circumvention were to circumvent a copy protection mechanism. IANAL, however.
  • by Sycraft-fu ( 314770 ) on Tuesday February 19, 2008 @04:06AM (#22472412)
    This was a hardware solution. There's reason to want your encryption done in hardware (less CPU load for example).

    However more importantly, what good does the source really do you? I mean I can get the Truecrypt source, and I can look at it, but it really isn't going to tell me anything other than that I'm not very good at C++. I'm not a programmer by trade, so I certainly can't trace through all the complicated code that makes up a program like Truecrypt (it even includes assembly).

    What's more, even if you are a programmer, it doesn't necessarily do you any good. Cryptography is a pretty specialized field and a pretty complex one. So while you might be able to trace through all the code and see what it does, do you have all the cryptographic knowledge to know if it is doing everything right? Can you tell the difference between a properly and improperly applied algorithm? Will you notice a minor bug in assembly where they put a JNA instead of a JNAE? You might conclude everything looks fine, but be wrong simply because you don't understand how it works well enough or because the error is non-obvious.

    Now please don't misunderstand, I'm not saying I think Truecrypt is untrustworthy. Far from it, I use and trust it. I am just saying that there is the false warm fuzzy myth about OSS that tends to get thrown around on /. a lot. That the code is open doesn't mean anything because 99.999+% of people can't "easily look at the source" since it won't be meaningful to them. A source audit is only useful if the person doing it is an expert and does a thorough job.

    Well, while that certainly can, and does, happen with OSS, it can happen with closed software as well. Being open doesn't make it inherently secure, and doesn't mean a normal person can tell.

    For that matter, to really check crypto software you don't just need a code audit, it is even more important to do a results audit. Basically you take data, you encrypt it, and then you look at the result and see if it is good. You treat the software like a black box because the question isn't "Is it producing the correct result based on the code," the question is "Is it producing the correct result based on the cryptosystem." If I wanted to audit Truecrypt I wouldn't so much be interested in how it did things internally. Heck, even if I was an expert it might easily have a bug I'd miss (since after all other experts had written it and missed said bug). What I'd be interested in is having it do encryption, then comparing the result against controls. Maybe another AES implementation I knew to be good, maybe one I wrote, maybe a bit of a test worked out by pen and paper, maybe just trying to do cryptographic attacks against the ciphertext.

    Regardless of the method, what I'd want to do is verify operation, not design. I imagine that's what they did in this case. Drive claims "this is AES encryption" so they do a little compare and contrast and, what do you know, it isn't.
  • by pipatron ( 966506 ) <pipatron@gmail.com> on Tuesday February 19, 2008 @04:24AM (#22472470) Homepage
    This is, of course, also the reason why you should never trust any closed-source products to do anything important. You have absolutely no clue about what it does and how it does it, no matter what it claims to do.
  • by therufus ( 677843 ) on Tuesday February 19, 2008 @05:18AM (#22472688)
    If you make something that has some form of security (anything really) and you promote that it has security, surely the last thing you do before you release it is test your security. In IT especially, if you ever release a product to do with security, you have to expect that there will be a group of nerds (or even one) who will try to hack your security just so they can say they've done it. It's pure embarrassment that such a simple encryption mechanism is locking down a so-called secure device.

    Am I wrong?
  • by evanbd ( 210358 ) on Tuesday February 19, 2008 @05:21AM (#22472698)

    Especially since compiling the code yourself is completely sufficient to prevent security flaws. Erm. You were planning to audit it, right? Since everyone knows that's sufficient [bell-labs.com].

    Computer security is hard. Doing it right is really hard.

  • by TheThiefMaster ( 992038 ) on Tuesday February 19, 2008 @05:21AM (#22472702)
    How about: "If somebody copies my key, will I even know?"
  • by Bert64 ( 520050 ) <(bert) (at) (slashdot.firenzee.com)> on Tuesday February 19, 2008 @05:23AM (#22472704) Homepage
    Well, just because you may not know too much about C or encryption...
    I'm not really inclined to trust some company that says product X is secure, but I'm far more likely to trust a string of unconnected individuals, especially if some of those individuals are recognised cryptography experts or have at least studied cryptography at a reputable establishment.
    Sure it's not perfect, but it's a huge step in the right direction. The only perfect solution would be to study cryptography and programming (in whatever language) yourself first.
  • by Ihlosi ( 895663 ) on Tuesday February 19, 2008 @05:35AM (#22472744)
    Am I wrong?

    Yes, you are. You're thinking way too technical and way too little in marketing terms. If you want to make money, the easiest way is to find enough clueless users that will swallow your marketing babble hook, line and sinker and sell your stuff to them.

  • by somersault ( 912633 ) on Tuesday February 19, 2008 @06:44AM (#22473020) Homepage Journal
    That's why I always switch off the driver aids when driving my car and my fighter jets - if I haven't seen the source, then I'm damned if I'm going to trust some little computer to keep me alive.
  • by nickovs ( 115935 ) on Tuesday February 19, 2008 @08:02AM (#22473406)
    It's perfectly possible that they have actually implemented AES, they've just done it wrong. It is not uncommon to use AES in Counter Mode [wikipedia.org] or Galois/Counter Mode [wikipedia.org], especially in high-throughput hardware implementations. This is reasonably strong providing that the key used for each disc block is different (for example by hashing or even just XORing the block ID with the base key). However, if the key is left the same for every block then you would get exactly the effect observed here, and the resulting solution is very weak indeed.

    So, it's perfectly possible that they are not lying at all, they just are not very good at crypto.
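    As an added example (not code from heise, the manufacturer, or any commenter), here is the kind of black-box "results audit" Sycraft-fu describes above, run against two constructed stand-in devices: one that XORs every sector with a single fixed pad, which is the behaviour the article reports, and one that derives a different keystream for every sector, which is the counter-mode design nickovs describes. The device functions, the pad and base-key values, the `audit` function and its finding names are all made up for this illustration; SHA-256 stands in for a block cipher in the second device.

```python
import hashlib

SECTOR = 512  # bytes per sector in this toy model


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed stand-in for the kind of enclosure the article describes: every
# sector is XORed with the same fixed 16-byte pad. The pad value is made up.
FIXED_PAD = bytes.fromhex("00112233445566778899aabbccddeeff")


def fixed_pad_device(sector: int, data: bytes) -> bytes:
    pad = (FIXED_PAD * (len(data) // len(FIXED_PAD) + 1))[:len(data)]
    return xor_bytes(data, pad)


# Constructed stand-in for the counter-mode design nickovs describes: the
# keystream depends on a base key AND the sector number, so no two sectors
# share a keystream. SHA-256 stands in for the block cipher; the key is made up.
BASE_KEY = b"constructed-base-key-for-the-example"


def per_sector_ctr_device(sector: int, data: bytes) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = BASE_KEY + sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return xor_bytes(data, stream[:len(data)])


def audit(encrypt, sectors=(0, 1, 7)) -> dict:
    """Black-box results audit: only the device's encrypt(sector, data) is used."""
    zeros = bytes(SECTOR)
    ones = bytes([0xFF]) * SECTOR
    # Known plaintext: for any XOR scheme, encrypting all-zero data returns the
    # raw keystream of that sector. This is the check the summary describes.
    streams = {s: encrypt(s, zeros) for s in sectors}
    findings = {}
    # 1. Is one keystream shared by several sectors? (the flaw heise reported)
    findings["keystream_reused_across_sectors"] = len(set(streams.values())) < len(sectors)
    # 2. Linearity: c(p1) XOR c(p2) == p1 XOR p2 within a sector means plaintext
    #    passes straight through an XOR, so two versions of a sector leak their XOR.
    s0 = sectors[0]
    findings["linear_in_plaintext"] = (
        xor_bytes(encrypt(s0, zeros), encrypt(s0, ones)) == xor_bytes(zeros, ones)
    )
    # 3. Does the recovered keystream repeat with a short period (a fixed pad)?
    ks = streams[s0]
    findings["keystream_period"] = next(
        (p for p in range(1, 65) if ks[p:] == ks[:-p]), None
    )
    findings["recovered_keystream_prefix"] = ks[:16].hex()
    return findings


if __name__ == "__main__":
    for name, dev in (("fixed pad", fixed_pad_device), ("per-sector CTR", per_sector_ctr_device)):
        print(name, audit(dev))
```

    The fixed-pad stand-in fails every check: the zero-sector ciphertext is the pad itself, it repeats with period 16, and it is identical in every sector. The per-sector stand-in passes the reuse and period checks but still shows linear behaviour within a sector, which is nickovs' point in a different form: counter mode is a stream cipher and is only as safe as the guarantee that no keystream is ever reused, including when the same sector is rewritten with new data, which is one reason disk encryption standards favour tweakable block modes such as XTS over CTR.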

  • by garutnivore ( 970623 ) on Tuesday February 19, 2008 @08:06AM (#22473422)
    Open source is better than closed source for security code but it is not a silver bullet. The idea is that you want to have as many objective and capable coders able to examine the security code. That way, weaknesses in the code or shady things like back-doors are likely to be spotted and publicized. Closed source creates a significant obstacle against that examination. Open source does not create the obstacle but even without obstacle to examination you have no guarantee that objective and capable coders will actually examine the code.
  • by gnasher719 ( 869701 ) on Tuesday February 19, 2008 @08:50AM (#22473652)

    Not everyone lives in jurisdictions that consider the act of reverse engineering a cryptographic device illegal. Even at that, generally people would only have a legal case if the reverse engineering / circumvention were to circumvent a copy protection mechanism. IANAL, however.
    Reverse engineering doesn't mean cracking. If you build a cryptographic device, I can reverse engineer it and then know exactly what you are doing, and I might be able to sell that your device is uncrackable. Or, like in this case, I might say that it isn't actually a cryptographic device :-)
  • by Viol8 ( 599362 ) on Tuesday February 19, 2008 @08:54AM (#22473668) Homepage
    Sure it's "easy" to crack if you know about these things, but the encryption is just meant to protect against casual snooping if the drive is stolen. Let's be honest, most thieves would have trouble spelling their own name on their crack cocaine receipts, what are the odds on them being able to decipher the data on an XOR'd drive? They just want to sell the drive on and the mug who buys it down the pub will find it won't work anyway because he doesn't have the fob. Is he going to hire some hacker from L337D00d5-r-u5 to decode the data for him? Doubt it. Sure there's a possibility but then there's probably a greater possibility of fraudsters going through your garbage or intercepting your post.
  • by Svartalf ( 2997 ) on Tuesday February 19, 2008 @09:57AM (#22474138) Homepage

    Cheap Chinese Crap.


    Definitely not anything unheard of. Sometimes you get a gem out of the Chinese stuff. Most of the time, though, you get shoddy workmanship, which is what you expect. That's because the incentives are on cutting corners wherever you can on the stuff over there. That's part of why I question any value in much, if not most, of the offshoring we keep insisting upon doing here in the States.
  • by laymil ( 14940 ) * <laymil@obsolescence.net> on Tuesday February 19, 2008 @12:25PM (#22475810) Homepage

    (I bought that model FOR its antenna figuring it wouldn't hurt, and might help).
    Adding that plastic antenna got them a marketing and competitive advantage. How many people were, like yourself, sold on the fact that "this adapter has an antenna, so it probably has better range!" and used this 'fact' to make their decision? I wouldn't necessarily consider it fraud, as you never know what internal design iterations the device went through. Maybe the initial design called for an actual antenna and the casing was designed around that. Perhaps later testing showed the antenna provided no actual gain and it was removed, but the cases were already in production. Perhaps a later revision removed the antenna, but the plastic case kept it in order to keep the device recognizable as part of the Freecom brand.

    You immediately attribute to malice and fraud that which could be explained plausibly in several other ways. If the device worked as expected, real antenna or not, I fail to see the justification for your complaint. At worst, the design is a smart marketing decision; at best, it is a vestigial part from an earlier design iteration.
