NIST Investigating Mass Flash Drive Vulnerability 71
Lucas123 writes with a followup to news we discussed earlier this week that the encryption on NIST-certified flash drives was cracked.
"A number of leading manufacturers of encrypted flash drives have warned their customers of a security flaw uncovered by a German company. The devices in question use the AES 256-bit encryption algorithm and have been certified using the FIPS 140-2, but the flaw appears to circumvent the certification process by uncovering the password authentication code on host systems. The National Institute of Standards and Technology said it's investigating whether it needs to modify its standards to include password authentication software on host systems. Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.'"
Re:If you want to encrypt your data (Score:3, Interesting)
Bah, instead, I am still using an Enigma machine that my grandfather brought me back. He stole it from the ennemy while in combat.
http://en.wikipedia.org/wiki/Enigma_machine [wikipedia.org]
You should count yourself lucky that Alan Turing died all those years ago, otherwise your data could be compromised.
Re:Encryption algorithm's aren't the weak link (Score:5, Interesting)
Encryption algorithm's aren't the weak link, its the implementation.
What's more usually the case is that the implementation of the algorithm is just fine, but you fail at using it in the right way. Usually because then you've handed it off from the cryptography experts and to the general team that's building the rest of the system. Kinda like a door that has a great lock but is easy to take off its hinges, won't do you much good.
Re:If you want to encrypt your data (Score:4, Interesting)
> otherwise your data could be compromised.
With this ? :
http://en.wikipedia.org/wiki/File:Bombe-rebuild.jpg [wikipedia.org]
Too complex to maintain in good working order. ;-))
Re:Encryption algorithm's aren't the weak link (Score:1, Interesting)
What's more usually the case is that the implementation of the algorithm is just fine, but you fail at using it in the right way. Usually because then you've handed it off from the cryptography experts and to the general team that's building the rest of the system. Kinda like a door that has a great lock but is easy to take off its hinges, won't do you much good.
That's a problem with software in general, not just encryption.
Often once the coders have solved the "interesting" problems, they get bored with the mundane implementation details. If your software does everything it is supposed to, but the user experience sucks, then you have still failed. Coding isn't about creating great code. The user doesn't care about your code. They want to solve their problem. Programs are only a tool to achieve that.
Nope. How to do it right... (Score:3, Interesting)
You need buttons on the device. Without that, your password could be swiped by PC malware.
A no-frills minimal device comes with 10 buttons. The password is a 10-digit number printed on a card hidden in the packaging. To avoid having the password revealed by button wear, none of the digits repeats. You put the device in, press buttons, and then it shows up to the OS.
A better device has a config setup. Press an extra recessed button, and the device appears as a USB netword device with a DHCP server and all. Go to the device's internal web page, just like setting up a home wireless router. There you could create multiple virtualized devices, each with a distinct password. (if you create more than one, then the device shows up as a hub with child devices) This also allows for data-losing recovery from password loss: you just delete the virtual device you can no longer access, then create an empty virtual device with a new password.