FIPS 140-2 Level 2 Certified USB Memory Stick Cracked
FIPS 140-2 Level 2 Certified USB Memory Stick Cracked: Via Schneier on Security.
Kind of a dumb mistake:
The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers' nets. During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations -- and this is the case for all USB Flash drives of this type.
Cracking the drives is therefore quite simple. The SySS experts wrote a small tool for the active password entry program's RAM which always made sure that the appropriate string was sent to the drive, irrespective of the password entered and as a result gained immediate access to all the data on the drive. The vulnerable devices include the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition.
Nice piece of analysis work.
The article goes on to question the value of the FIPS certification:
The real question, however, remains unanswered how could USB Flash drives that exhibit such a serious security hole be given one of the highest certificates for crypto devices? Even more importantly, perhaps what is the value of a certification that fails to detect such holes?
The problem is that no one really understands what a FIPS 140-2 certification means. Instead they think something like: "This crypto thingy is certified, so it must be secure." In fact, FIPS 104-2 Level 2 certification only means that certain good algorithms are used, and that there is some level of tamper resistance and tamper evidence. Marketing departments of security take advantage of this confusion -- it's not only FIPS 140, it's all the security standards -- and encourage their customers to equate conformance to the standard with security.
So when that equivalence is demonstrated to be false, people are surprised.
Read Original Article:(Via Schneier on Security.)
Twitter
Digg
StumbleUpon
Technorati
del.icio.us
Facebook
Furl
LinkedIn
YahooRecent blog posts
- In Bid to Sway Sales, Cameras Track Shoppers
- Unprecedented 25-Year Sentence Sought for TJX Hacker
- EFF Appeals Dismissal of Warrantless Wiretapping Case
- Viacom Makes Its Case Against Yesterday's YouTube
- Obama supports Senators draft plan to rework U.S. immigration policy - Includes National Biometric ID card for all.
- Domain Names Can't Defend Themselves
- Hacker Disables More Than 100 Cars Remotely
- Judges Approves $9.5 Million Facebook ‘Beacon’ Accord
- Hooking Up The Big Brother Machine... And Fighting It
- Court: State Can Dump Non-Sex Offenders Into Registry
