PICList Thread
'[TECH] Encryption busted on NIST-certified Kingsto'
2010\01\06@195129 by Vitaliy


A word of warning to those of you who rely on hardware-based encrypted USB
flash drives. Security firm SySS has reportedly cracked the AES 256-bit
hardware-based encryption used on flash drives manufactured by Kingston,
SanDisk and Verbatim.

The crack relies on a weakness so astoundingly bone-headed that it's almost
hard to believe. While the data on the drive is indeed encrypted using
256-bit crypto, there's a huge failure in the authentication program. When
the correct password is supplied by the user, the authentication program
always sends the same character string to the drive to decrypt the data, no
matter what password is used. What's also staggering is that this character
string is the same for Kingston, SanDisk and Verbatim USB flash drives.

Cracking the drives is therefore quite an easy process. The folks at SySS
wrote an application that always sent the appropriate string to the drive,
irrespective of the password entered, and therefore gained immediate access
to all the data on the drive.

This is a big deal also from a point of certification. These drives are sold
as meeting security standards making them suitable for use with sensitive US
Government data (unclassified rating) and have a FIPS 140-2 Level 2
certificate issued by the US National Institute of Standards and Technology.

Vendors have had a mixed reaction to the news. Kingston has done the right
thing and issued a recall. Verbatim and SanDisk have issued a statement and
have updates available, but the threat is downplayed.

Bottom line, check your flash drives!
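The design flaw described in the post, modelled as an added example (not code from the post or from any of the vendors): a host-side program that checks the password itself and then sends the drive one constant unlock string, next to a design where the drive will only unlock for key material derived from the real password. The constant, the class names and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder standing in for the fixed string the post describes;
# it never depends on the password the user typed.
FIXED_UNLOCK_STRING = b"constructed-constant-unlock-token"


class FlawedDrive:
    """Releases its data to whoever presents the constant string."""

    def __init__(self, data: bytes):
        self._data = data

    def unlock(self, token: bytes):
        return self._data if hmac.compare_digest(token, FIXED_UNLOCK_STRING) else None


def flawed_host_unlock(drive: FlawedDrive, password: str, expected: str):
    # The password check lives only in the host program; the drive never sees it.
    if password != expected:
        return None
    return drive.unlock(FIXED_UNLOCK_STRING)


def host_check_is_bypassable(drive: FlawedDrive) -> bool:
    # A program that skips the host-side check is still given the data,
    # so the password protects nothing: this is the failure the post reports.
    return drive.unlock(FIXED_UNLOCK_STRING) is not None


def derive_key(password: str, salt: bytes) -> bytes:
    # Slow password-based derivation; the drive-side check depends on its output.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class HardenedDrive:
    """Unlocks only for key material derived from the password (simplified:
    data kept in clear; a real drive would encrypt it under a wrapped key)."""

    def __init__(self, data: bytes, password: str):
        self._data = data
        self.salt = secrets.token_bytes(16)
        self._verifier = hashlib.sha256(derive_key(password, self.salt)).digest()

    def unlock(self, key: bytes):
        ok = hmac.compare_digest(hashlib.sha256(key).digest(), self._verifier)
        return self._data if ok else None


def hardened_host_unlock(drive: HardenedDrive, password: str):
    return drive.unlock(derive_key(password, drive.salt))
```

Without the password there is nothing a host program can send to the hardened drive that it will accept, whereas the flawed drive accepts the constant from any caller.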

2010\01\06@224030 by Tamas Rudnai

That's why people should use TrueCrypt or similar instead of
proprietary solutions.


On Thu, Jan 7, 2010 at 12:50 AM, Vitaliy <> wrote:

2010\01\06@225708 by John Gardner

One shouldn't underestimate bone-headedness, but my recollection is that
the powers-that-be weren't enthused about strong encryption being available
outside the Beltway.


2010\01\20@104038 by Bob Axtell

I agree completely. I use Truecrypt (on flashdrives) to protect all of
my clients' data. Each client has his own 16G flashdrive, containing
all critical apps and critical data. I maintain a weekly copy on another
drive. If I lose the client's drive, I simply work with the backup and
go on, because the thief can't read anything on a Truecrypt container;
it looks like noise.

I was never happy with Sandisk's algorithm from the get-go.

On Wed, Jan 6, 2010 at 8:39 PM, Tamas Rudnai <> wrote:
