Encryption Data Storage Security

NIST Investigating Mass Flash Drive Vulnerability

Lucas123 writes with a followup to news we discussed earlier this week that the encryption on NIST-certified flash drives was cracked. "A number of leading manufacturers of encrypted flash drives have warned their customers of a security flaw uncovered by a German company. The devices in question use the AES 256-bit encryption algorithm and have been certified using the FIPS 140-2, but the flaw appears to circumvent the certification process by uncovering the password authentication code on host systems. The National Institute of Standards and Technology said it's investigating whether it needs to modify its standards to include password authentication software on host systems. Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.'"
  • by snemarch ( 1086057 ) on Saturday January 09, 2010 @06:47AM (#30706202)

    Not really applicable to a hardware device.

    Also, keep in mind that RSA by itself is much too slow to encrypt large amounts of data; thus, PGP and other solutions only use RSA to encrypt a symmetric cipher, which is then used for the bulk encryption.

    Standard AES-256 is actually just fine, problem with these devices is that the manufacturers screwed up the implementation *majorly* (as I understand it, use the same key for every device and depend on a usermode app to say GOOD_GUY/BAD_GUY to the hardware) - but that's covered elsewhere.

  • by Snotboble_ ( 13797 ) <aje@snotbobleCOW.net minus herbivore> on Saturday January 09, 2010 @07:15AM (#30706296) Homepage Journal
    This is pretty major as so many vendors are affected by it. However, until there's an update or complete recall & replacement, I'd recommend using Truecrypt [truecrypt.org]. Certified by NIST (see HERE [law2point0.com]). Cross platform. Free (as in spoken beer ;o). Of course, one can only hope that its implementation is better than the devices currently uncovered :P
  • by advocate_one ( 662832 ) on Saturday January 09, 2010 @08:09AM (#30706534)

    IronKey was among a number of companies to issue statements reassuring customers that their devices were safe from the same attacks. Jevans said that's because the password and authentication process is contained on the USB drive itself and has nothing to do with the host system.
    "We don't trust the computer at all," he said. "The computer could have malware on it or have hackers accessing it. In our security design, we said we have to assume the computer is completely untrustworthy. That's where we started our threat modeling."
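
An added example, not part of the thread and not any vendor's actual protocol: a simplified Python model contrasting the two designs described in snemarch's comment (host software checks the password, then sends the drive a fixed "authorised" message) and in the IronKey statement quoted by advocate_one (the password is verified on the drive). The class names, the `GOOD_GUY` token value, the retry limit and the XOR stand-in for a real key-wrap cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

UNLOCK_TOKEN = b"GOOD_GUY"   # constructed constant, identical on every unit
MAX_ATTEMPTS = 3             # assumed on-device retry limit

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class HostVerifiedDrive:
    """Flawed model: the host app checks the password; the drive only
    sees a fixed 'authorised' message and releases the data key."""
    def __init__(self, password, data_key):
        self.host_pw_hash = hashlib.sha256(password).digest()  # checked on the PC
        self._data_key = data_key          # not bound to the password at all

    def host_app_login(self, password):
        ok = hmac.compare_digest(hashlib.sha256(password).digest(), self.host_pw_hash)
        return self.device_command(UNLOCK_TOKEN) if ok else None

    def device_command(self, msg):
        # The drive cannot tell who produced msg or whether a password was checked.
        return self._data_key if hmac.compare_digest(msg, UNLOCK_TOKEN) else None

class DeviceVerifiedDrive:
    """Hardened model: the drive derives keys from the password itself, so
    the data key is unrecoverable without it; failures are counted on-device."""
    def __init__(self, password, data_key):
        self._salt = os.urandom(16)
        wrap_key, mac_key = self._derive(password)
        # XOR stands in for AES key wrap to keep the example stdlib-only.
        self._wrapped = _xor(data_key, wrap_key)
        self._tag = hmac.new(mac_key, self._wrapped, "sha256").digest()
        self._failures = 0

    def _derive(self, password):
        okm = hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000, dklen=64)
        return okm[:32], okm[32:]

    def unlock(self, password):
        if self._failures >= MAX_ATTEMPTS:
            return None                    # locked out, even with the right password
        wrap_key, mac_key = self._derive(password)
        tag = hmac.new(mac_key, self._wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, self._tag):
            self._failures += 1
            return None
        self._failures = 0
        return _xor(self._wrapped, wrap_key)
```

In the first model the strength of the cipher is irrelevant, because the key release depends on a message that carries no proof the password was ever checked; in the second, nothing the host sends can substitute for the password.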

  • by evilviper ( 135110 ) on Saturday January 09, 2010 @04:47PM (#30709556) Journal

    you get an equivalent clock of 5.8 MHz for Colossus. That is a remarkable speed for a computer built in 1944.

    It would be incredible if true, but it's not. Special-purpose hardware can perform certain types of computations far faster than general-purpose processors. Hardware that could decode 1080i MPEG-2 (HDTV) could easily (though not inexpensively) have been made a decade before Intel/AMD CPUs were up to the task. That doesn't mean we had 2GHz+ CPUs in the early 1990s, it just means we had special-purpose hardware, which would require a 2GHz+ CPU to allow it to be replicated in software...

    It's the same nonsense you get with low-power devices all the time: "OMG! This 10MHz ARM CPU is fast enough to decode H.264 videos!" Not understanding there's just a DSP slapped in the same package there, which is performing the video decoding without using the CPU for anything.
