[Fwd] NIST-certified USB Flash drives with hardware encryption cracked

Geoffrey Hird geoffrey at arcot.com
Thu Jan 7 14:30:47 PST 2010

> USB Flash drives with AES 256-bit hardware encryption that supposedly
> meet the highest security standards. This is emphasised by the FIPS
> 140-2 Level 2 certificate issued by

It's a poorly written article, as the claim "highest security standards" is in
direct contradiction to "Level 2", given the existence of levels 3 and 4.

Peter Gutmann writes:
> #include <standard debate about the value, or lack thereof,
> of FIPS 140 certification>

Will do.  I read yesterday (I think on the NIST web site) that a major FIPS
140 test lab reported that something like 50% or 60% (sorry I can't find the
story) of the modules it received for testing had bugs in them.  I have been
through the validation process, and anyone who has written any nontrivial
software is not surprised by those figures.  Think about it for a second.  As
security jocks most people here think only about security-specific challenges.
Basic software bugs that could occur in any product are not worth talking
about.  But if there were no FIPS 140 certification then for sure people would
use modules that had bugs, like any other product.  Eg: if you give an empty
string for a key then the putative ciphertext comes out plain.  Again: a RNG
is poorly implemented (ring a bell?).

So algorithm correctness is a main focus of Level 1, and this is a surprise to
many people (not knowledgeable people on this list) who think only about spies
extracting keys.  But it is very important.  Here is a summary of Levels 1 and
2, to show that they are aimed at important things.  Now please, it's
impossible to summarize hundreds of pages properly.  Anyone can cavil at what
I have omitted, so cut me some slack here.

Level 1:
	-- Algorithm correctness
		-- Approved algorithms
			-- 3DES, AES yes.
			-- SHA0, DES removed from 140-2
	-- Self test upon startup.
	-- State diagrams, module has awareness of state:
		-- ERROR
		-- ETC.
	-- No physical protection, but don't do anything stupid
	   like make keys freely available (hardware) or post keys to
	   the internet (software).

Level 2:
	-- Add user roles.
	-- Add tamper evidence.

I presume that these USB sticks were validated as hardware. If so, the failure
of "tamper evident" is egregious (assuming that the story did not omit mention
of torn seals, etc).  But I have argued that FIPS 140 in general is
worthwhile, and that the description "highest security standards" of the
article is ill-informed.


More information about the cypherpunks-legacy mailing list