Bob ‘n Alice On Security

Helping to Avoid a False Sense of Security

Archive for January 2009

Friends Don’t Let Friends Use ECB-Mode Encryption

leave a comment »

A number of companies create a false sense of security by using weak encryption modes in their products or services. Customers think they are covered because they’re using cutting edge AES encryption, when in reality the mode of that encryption leaves them vulnerable.

In particular, Electronic Codebook or ECB mode encryption is poor at hiding data patterns, as identical blocks of plaintext are coded into identical blocks of ciphertext. This makes it ineffective at encrypting certain types of data, especially that stored in images or BLOBs.

Here is a well known example of ECB mode encryption at work:

Original

Original

Original

ECB Mode Encrypted

Securely Encrypted

Securely Encrypted

As you can see, in ECB mode the outline of Tux the penguin can still be easily made out despite the encryption. There are a number of alternative encryption modes that avoid this weakness, but the one perhaps most frequently found is Cipher-Block Chaining or CBC mode encryption. It is generally agreed within the cryptographic community that CBC is superior to ECB, and that the latter should be avoided in most cases.

Despite this, many companies – especially those for whom security is an add-on to insecure offerings – sell security products or services that use ECB mode encryption because it is cheaper and easier to implement. Often they hide this fact deep in technical specs or avoid mentioning their encryption mode at all. Here are three such companies in the secure flash drive space and their guilty offerings:

As always, stay safe and avoid a false sense of security.

Written by Alice

January 28, 2009 at 20:54

Posted in Uncategorized

Spritesmods Breaks a Biometric “Secure USB Flash Drive”

leave a comment »

Sprites mods has a nicely detailed article on how they broke through the biometric finger print reader on the BioSlimDisk, a supposedly secure USB memory stick, and were able to access the information stored on the device.

It’s yet another indication that encryption of data really doesn’t do much of a job of protecting it, if the product doesn’t deal with issues such as key generation, key management, brute force attacks, modification of firmware, or simple power attacks against the chips.

As always, stay safe and avoid a false sense of security.

Written by Alice

January 21, 2009 at 18:50

Breaking the Security of an Encrypted Hard Drive with Biometrics

leave a comment »

In these days of data protection regulations, it’s encouraging to see some vendors starting to deliver encrypted hard drives. Here is an article that looks at the BIO-250U AES encrypted hard drive by Synology.

http://spritesmods.com/?art=securehd

We found the following attack on this biometric and password-protected encrypted hard drive to have echoes of the attacks on flash drives below. Basically by modifying a single register in an unlocker program, you are able to defeat the biometric security, and the drive just opens up. The password is similarly insecure.

What this points to for biometric devices is a potential weakness in encryption key management. For example, if a password-protected device uses the password to derive an encryption key (this would not meet FIPS 140-2 requirements), then the biometric chip would somehow have to store the password so that when you authenticate, you can decrypt the data.

Another approach would be for the encryption key to be randomly generated (this is in compliance with FIPS 140-2 requirements), and then stored encrypted by some derivation of the password. Again though, the biometric device would need a copy of this password derivation in order to decrypt the AES encryption key. If the architecture doesn’t use some kind of secret key sharing, then you are simply relying on the biometric device to say “please unlock” the encrypted data. That’s the basis for many of these biometric device hacks.

As always, stay safe and avoid a false sense of security.

Written by Alice

January 9, 2009 at 22:33

Posted in Synology: BIO-250U