Encryption busted on NIST-certified Kingston, SanDisk and Verbatim USB flash drives

Cees Binkhorst ceesbink at XS4ALL.NL
Wed Jan 13 13:33:56 CET 2010


REPLY TO: D66 at nic.surfnet.nl

So you thought your data was safe?
With your great-grandmother's maiden name as the password?
Too bad, because that password is not actually used.

Regards / Cees

PS. Legitimate question: what is a NIST-certification label worth when
it is used like this?
PPS. TalkBack 62 of 69: This wasn't a "FIPS 140-2 certified" device. The
FIPS compliance was only of the algorithm (AES, for example). That
someone used a very secure lock design, but then made thousands of
them with a single key that fit them all, is not a flaw in the lock.

January 6th, 2010
Encryption busted on NIST-certified Kingston, SanDisk and Verbatim USB
flash drives
http://blogs.zdnet.com/hardware/?p=6655
Posted by Adrian Kingsley-Hughes @ 10:04 am

Categories: Hardware, Security

Tags: SanDisk Corp., Kingston Technology Corp., USB Flash Drive,
Encryption, NIST, Verbatim, Flash Memory, Adrian Kingsley-Hughes

A word of warning to those of you who rely on hardware-based encrypted
USB flash drives. Security firm SySS has reportedly cracked the AES
256-bit hardware-based encryption used on flash drives manufactured by
Kingston, SanDisk and Verbatim.

The crack relies on a weakness so astoundingly bone-headed that it’s
almost hard to believe. While the data on the drive is indeed encrypted
using 256-bit crypto, there’s a huge failure in the authentication
program. When the correct password is supplied by the user, the
authentication program always sends the same character string to the
drive to decrypt the data, no matter what password was used. What’s also
staggering is that this character string is the same for Kingston,
SanDisk and Verbatim USB flash drives.

Cracking the drives is therefore quite an easy process. The folks at
SySS wrote an application that always sent the appropriate string to the
drive, irrespective of the password entered, and therefore gained
immediate access to all the data on the drive.

This is a big deal also from a point of certification. These drives are
sold as meeting security standards making them suitable for use with
sensitive US Government data (unclassified rating) and have a FIPS 140-2
Level 2 certificate issued by the US National Institute of Standards and
Technology (NIST).

Vendors have had a mixed reaction to the news. Kingston has done the
right thing and issued a recall. Verbatim and SanDisk have issued
statements and have updates available, but the threat is downplayed.

Bottom line, check your flash drives!
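The flaw the article describes, modelled as an added example (not code from SySS, the vendors or the article): a drive that accepts one constant unlock string from host software, next to a design where the drive checks and uses a key derived from the password itself, so a host program with the password check removed gains nothing. All class and function names, the constant and the sample data are constructed, and the toy HMAC keystream stands in for the drives' AES.

```python
import hashlib
import hmac
import os

# Constructed sample values for the model; not real vendor strings.
SECRET_DATA = b"quarterly figures, do not distribute"
PASSWORD = b"great-grandmother's maiden name"
FIXED_UNLOCK_STRING = b"same-string-for-every-drive"  # placeholder constant

class FixedStringDrive:
    """Flawed design: the drive only ever checks one constant unlock string."""
    def __init__(self, data):
        self._data = data
    def unlock(self, token):
        if not hmac.compare_digest(token, FIXED_UNLOCK_STRING):
            raise PermissionError("drive rejected token")
        return self._data

def vendor_host_unlock(drive, password):
    if password != PASSWORD:  # checked only in host software; the drive never sees it
        raise PermissionError("wrong password")
    return drive.unlock(FIXED_UNLOCK_STRING)  # same string whatever the password was

def derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def keystream(key, n):  # stand-in for AES (toy only): HMAC-SHA256 in counter mode
    return b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

class DerivedKeyDrive:
    """Corrected design: data encrypted under a password-derived key; no host constant opens it."""
    def __init__(self, data, password):
        self.salt = os.urandom(16)
        key = derive_key(password, self.salt)
        self._verifier = hmac.new(key, b"verifier", hashlib.sha256).digest()
        self._ct = bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))
    def unlock(self, key):
        if not hmac.compare_digest(hmac.new(key, b"verifier", hashlib.sha256).digest(), self._verifier):
            raise PermissionError("drive rejected key")
        return bytes(a ^ b for a, b in zip(self._ct, keystream(key, len(self._ct))))

def host_unlock_derived(drive, password):
    return drive.unlock(derive_key(password, drive.salt))

def opens(fn, *args):  # True if the host call recovers the data, False if the drive refuses
    try:
        return fn(*args) == SECRET_DATA
    except PermissionError:
        return False
```

With the flawed drive, `FixedStringDrive(...).unlock(FIXED_UNLOCK_STRING)` returns the data without any password; with the corrected drive, neither the constant nor a wrong password gets past the verifier.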

**********
This message was sent via the informal D66 discussion list (D66 at nic.surfnet.nl).
To subscribe: send an email to LISTSERV at nic.surfnet.nl with only the following in the body: SUBSCRIBE D66 uwvoornaam uwachternaam
To unsubscribe: send an email to LISTSERV at nic.surfnet.nl with only the following in the body: SIGNOFF D66
The online archive can be found at: http://listserv.surfnet.nl/archives/d66.html
**********