'[TECH] Encryption busted on NIST-certified Kingsto'
A word of warning to those of you who rely on hardware-based encrypted USB
flash drives. Security firm SySS has reportedly cracked the AES 256-bit
hardware-based encryption used on flash drives manufactured by Kingston,
SanDisk and Verbatim.

The crack relies on a weakness so astoundingly bone-headed that it's almost
hard to believe. While the data on the drive is indeed encrypted using
256-bit crypto, there's a huge failure in the authentication program. When
the correct password is supplied by the user, the authentication program
always sends the same character string to the drive to decrypt the data no
matter what the password used. What's also staggering is that this character
string is the same for Kingston, SanDisk and Verbatim USB flash drives.

Cracking the drives is therefore quite an easy process. The folks at SySS
wrote an application that always sent the appropriate string to the drive,
irrespective of the password entered, and therefore gained immediate access
to all the data on the drive.

This is a big deal also from a point of certification. These drives are sold
as meeting security standards making them suitable for use with sensitive US
Government data (unclassified rating) and have a FIPS 140-2 Level 2
certificate issued by the US National Institute of Standards and Technology

Vendors have had a mixed reaction to the news. Kingston has done the right
thing and issued a recall. Verbatim and SanDisk have issued a statement and
have updates available, but the threat is downplayed.

Bottom line, check your flash drives!
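
Added example (not part of the original post and not SySS's tool): a toy model of the design flaw described above, next to a design in which the key the device releases depends on the password itself. `FIXED_UNLOCK`, the class and method names, and the XOR key wrap are constructed for illustration; a real device would do an authenticated key wrap inside the controller.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the fixed string the post describes.
FIXED_UNLOCK = b"constructed-unlock-string"

def kdf(password: str, salt: bytes) -> bytes:
    """Derive 32 bytes from the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class FlawedDrive:
    """Password is checked by host software; the device only sees a constant."""
    def __init__(self, password: str, data_key: bytes):
        self._salt = os.urandom(16)
        self._pw_hash = kdf(password, self._salt)  # consulted by the host only
        self._data_key = data_key

    def host_login(self, password: str):
        # Host-side check, then the same message for every password.
        if hmac.compare_digest(kdf(password, self._salt), self._pw_hash):
            return self.device_command(FIXED_UNLOCK)
        return None

    def device_command(self, message: bytes):
        # The device cannot tell whether a password check ever happened.
        return self._data_key if hmac.compare_digest(message, FIXED_UNLOCK) else None

class HardenedDrive:
    """The data key is stored wrapped under a key derived from the password."""
    def __init__(self, password: str, data_key: bytes):
        self._salt = os.urandom(16)
        kek = kdf(password, self._salt)
        # XOR wrap of a 32-byte key: simplified stand-in for AES key wrap.
        self._wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
        self._check = hmac.new(data_key, b"key-check", hashlib.sha256).digest()

    def device_command(self, password: str):
        # Unwrap with the supplied password; release the key only if it verifies.
        kek = kdf(password, self._salt)
        candidate = bytes(a ^ b for a, b in zip(self._wrapped, kek))
        tag = hmac.new(candidate, b"key-check", hashlib.sha256).digest()
        return candidate if hmac.compare_digest(tag, self._check) else None
```

In the flawed model the data key never depends on the password, so the host-side check is the only barrier; in the hardened model there is no password-independent message that yields the key.
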
That's why people should use TrueCrypt or similar instead of
On Thu, Jan 7, 2010 at 12:50 AM, Vitaliy <maksimov.org> wrote: piclist
One shouldn't underestimate bone-headedness, but my recollection is that
the powers-that-be weren't enthused about strong encryption being available
outside the Beltway.
I agree completely. I use Truecrypt (on flashdrives) to protect all of
my clients' data. Each client has his own 16G flashdrive, containing
all critical apps and critical data. I maintain a weekly copy on another
drive. If I lose the client's drive, I simply work with the backup and
go on, because the thief can't read anything on a Truecrypt container,
it looks like noise.
I was never happy with Sandisk's algorithm from the get-go.
On Wed, Jan 6, 2010 at 8:39 PM, Tamas Rudnai <gmail.com> wrote: tamas.rudnai