QNAP backdoor

Alexander Klimov alserkli at inbox.ru
Wed Sep 23 02:41:50 PDT 2009


<http://www.securityfocus.com/archive/1/506607>

Overview:

The premium and new line of QNAP network storage solutions allow for
full hard disk encryption. When rebooting, the user has to unlock the
hard disk by supplying the encryption passphrase via the web GUI.

However, when the hard disk is encrypted, a secondary key is created,
added to the keyring, and stored in the flash with minor obfuscation.

Additional Weaknesses:

The backdoor key is generated by rand() calls. As the rand() function
produces random numbers unsuitable for cryptographic keys, the
cryptographic strength of this generated key is approx 2^32, hence
feasible for breaking. This would make access to the flash
unnecessary.

Original Vendor FUD:

"The functionality for encrypting the hard disk does not include a
crypto backdoor."
(in response to a user question why two keyslots are allocated, and if
this is because of a backdoor)

-- 
Regards,
ASK

---------------------------------------------------------------------
The Cryptography Mailing List

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE