[Fwd] NIST-certified USB Flash drives with hardware encryption cracked
http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-w... Encrypting USB Flash memory from Kingston, SanDisk and Verbatim Vergrv_ern Kingston, SanDisk and Verbatim all sell quite similar USB Flash drives with AES 256-bit hardware encryption that supposedly meet the highest security standards. This is emphasised by the FIPS 140-2 Level 2 certificate issued by the US National Institute of Standards and Technology (NIST), which validates the USB drives for use with sensitive government data. Security firm SySS, however, has found that despite this it is relatively easy to access the unencrypted data, even without the required password. [...] The real question, however, remains unanswered . how could USB Flash drives that exhibit such a serious security hole be given one of the highest certificates for crypto devices? Even more importantly, perhaps . what is the value of a certification that fails to detect such holes? #include <standard debate about the value, or lack thereof, of FIPS 140 certification> Peter.
#include <standard debate about the value, or lack thereof, of FIPS 140 certification>
Because, IIRC, the standard just certified the vendors implementation of actual encryption algorithm, not the device as a whole or what happens outside encryption. I might be wrong as been two years since I looked at this but I think that was the problem we ran into when trying to find a FIPS 140-2 compliant bluetooth device for one of the flags officers I was supporting (per the DISA Wireless STIG requirement: http://iase.disa.mil/stigs/stig/wireless_stig_v6r1_6aug2009.zip). At the end of the day we couldn't find an acceptable one but being a flag he just used a signed off on using non-approved one anyways because flags are special like that. -Peter
USB Flash drives with AES 256-bit hardware encryption that supposedly meet the highest security standards. This is emphasised by the FIPS 140-2 Level 2 certificate issued by
It's a poorly written article, as the claim "highest security standards" is in direct contradiction to "Level 2", given the existence of levels 3 and 4. Peter Gutmann writes:
#include <standard debate about the value, or lack thereof, of FIPS 140 certification>
Will do. I read yesterday (I think on the NIST web site) that a major FIPS 140 test lab reported that something like 50% or 60% (sorry I can't find the story) of the modules it received for testing had bugs in them. I have been through the validation process, and anyone who has written any nontrivial software is not surprised by those figures. Think about it for a second. As security jocks most people here think only about security-specific challenges. Basic software bugs that could occur in any product are not worth talking about. But if there were no FIPS 140 certification then for sure people would use modules that had bugs, like any other product. Eg: if you give an empty string for a key then the putative ciphertext comes out plain. Again: a RNG is poorly implemented (ring a bell?). So algorithm correctness is a main focus of Level 1, and this is a surprise to many people (not knowledgeable people on this list) who think only about spies extracting keys. But it is very important. Here is a summary of Levels 1 and 2, to show that they are aimed at important things. Now please, it's impossible to summarize hundreds of pages properly. Anyone can cavil at what I have omitted, so cut me some slack here. Level 1: -- Algorithm correctness -- Approved algorithms -- 3DES, AES yes. -- SHA0, DES removed from 140-2 -- Self test upon startup. -- State diagrams, module has awareness of state: -- ENABLED -- DISABLED -- ERROR -- ETC. -- No physical protection, but don't do anything stupid like make keys freely available (hardware) or post keys to the internet (software). Level 2: -- Add user roles. -- Add tamper evidence. I presume that these USB sticks were validated as hardware. If so, the failure of "tamper evident" is egregious (assuming that the story did not omit mention of torn seals, etc). But I have argued that FIPS 140 in general is worthwhile, and that the description "highest security standards" of the article is ill-informed. GH
Geoffrey Hird <geoffrey@arcot.com> writes:
I read yesterday (I think on the NIST web site) that a major FIPS 140 test lab reported that something like 50% or 60% (sorry I can't find the story) of the modules it received for testing had bugs in them.
It's not "have bugs", it's "failed to meet the silly-walk requirements set by that lab". The labs will always find at least one thing to nitpick (and preferably several, even if it's just the punctuation in your paperwork [0]), no matter how perfect your code, because to not do so would imply that they're not doing their job. In addition since the silly-walk changes arbitrarily from one lab to another, the "bugs" found will be different for each lab. If you really don't want to make some required change (for example because it'd mean re- architecting your entire product) then the easiest solution is to jury-shop labs until you find one that waves you through.
But I have argued that FIPS 140 in general is worthwhile,
As was recently pointed out on another list, it's very worthwhile from a marketing perspective. Doesn't guarantee much about security, but provides a guarantee of sales to government agencies. This is why the certification costs for a company's product will often be taken from the marketing budget rather than the engineering budget. Peter. [0] This actually happened in one eval when they were really struggling to find anything to complain about.
could it not be a backdoor in the guise of a bug? Sarad. --- On Thu, 1/7/10, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
From: Peter Gutmann <pgut001@cs.auckland.ac.nz> Subject: [Fwd] NIST-certified USB Flash drives with hardware encryption cracked To: cypherpunks@al-qaeda.net Date: Thursday, January 7, 2010, 9:42 AM http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-w...
Encrypting USB Flash memory from Kingston, SanDisk and Verbatim Vergrv_ern Kingston, SanDisk and Verbatim all sell quite similar USB Flash drives with AES 256-bit hardware encryption that supposedly meet the highest security standards. This is emphasised by the FIPS 140-2 Level 2 certificate issued by the US National Institute of Standards and Technology (NIST), which validates the USB drives for use with sensitive government data. Security firm SySS, however, has found that despite this it is relatively easy to access the unencrypted data, even without the required password.
[...]
The real question, however, remains unanswered . how could USB Flash drives that exhibit such a serious security hole be given one of the highest certificates for crypto devices? Even more importantly, perhaps . what is the value of a certification that fails to detect such holes?
#include <standard debate about the value, or lack thereof, of FIPS 140 certification>
Peter.
participants (4)
-
Geoffrey Hird -
Peter Gutmann -
Peter Thoenen -
Sarad AV