[Cryptography] Encrypted flash drives: Secure?
Paul Renault
thaumatechnician at gmail.com
Thu Jul 27 16:44:41 EDT 2017
On 2017-07-26 07:49, Jonathan Thornburg wrote:
> On Tue, Jul 25, 2017 at 03:18:26PM -0400, Erik wrote:
>> I'm looking at some of the encrypted flash drives on the market, and one
>> from Corsair features all-hardware encryption with a pin-pad physically
>> located on the flash drive.
>>
>>
>> https://www.corsair.com/en-us/flash-padlock-2-8gb-usb-flash-drive-refurbished
> Using this means trusting the hardware manufacturer to get crypto right.
> Past history is not encouraging:
> http://eprint.iacr.org/2015/1002.pdf
> http://www.heise-online.co.uk/security/features/112548
>
> AES is all well and good, but is it in ECB mode? Are expanded keys
> stashed somewhere accessible? Software is already hard to audit, but
> closed-source firmware/hardware is even worse. And if this system is
> really good, you have to worry about various countries' spy agencies
> "persuading" the manufacturer to put in backdoors. Ick.
> Not to mention, the pinpad buttons' wear would be a source of some information to what the PIN is.
If you really need to have one...:
The Corsair uses a 4-10 digit PIN with a 5-character character set,
giving 12,206,875 possible PINs. The "Built-in hacking detection locks
device for 2 minutes after 5 failed attempts". Just rinse, repeat.
This guy - www.exploit-db.com/papers/15424/ - claims he can crack it.
In contrast, the Kingston DataTraveler 2000, which at least is FIPS 197
certified, uses a 7-15 digit PIN with a ten-character character set,
giving 1,111,111,110,000,000 possible PINs. After ten failed attempts,
it deletes the stored PIN, the AES key, then wipes the flash, returning
it to the blank state it was when it left the factory.
Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170727/6047972b/attachment.html>
More information about the cryptography
mailing list