[Fwd] NIST-certified USB Flash drives with hardware encryption cracked

Sarad AV jtrjtrjtr2001 at yahoo.com
Mon Jan 11 05:35:56 PST 2010


Could it not be a backdoor in the guise of a bug?

Sarad.

--- On Thu, 1/7/10, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> From: Peter Gutmann <pgut001 at cs.auckland.ac.nz>
> Subject: [Fwd] NIST-certified USB Flash drives with hardware encryption  cracked
> To: cypherpunks at al-qaeda.net
> Date: Thursday, January 7, 2010, 9:42 AM
> http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html
> 
> Encrypting USB Flash memory from Kingston, SanDisk and
> Verbatim
> Kingston, SanDisk and Verbatim all sell quite similar USB
> Flash drives with
> AES 256-bit hardware encryption that supposedly meet the
> highest security
> standards. This is emphasised by the FIPS 140-2 Level 2
> certificate issued by
> the US National Institute of Standards and Technology
> (NIST), which validates
> the USB drives for use with sensitive government data.
> Security firm SySS,
> however, has found that despite this it is relatively easy
> to access the
> unencrypted data, even without the required password.
> 
> [...]
> 
> The real question, however, remains unanswered - how could
> USB Flash drives
> that exhibit such a serious security hole be given one of
> the highest
> certificates for crypto devices? Even more importantly,
> perhaps - what is the
> value of a certification that fails to detect such holes?
> 
> #include <standard debate about the value, or lack
> thereof, of FIPS 140 certification>
> 
> Peter.




