Tuesday, February 19, 2008

Proprietary encryption strikes again

Slashdot readers may have noticed the Heise Security analysis of the 2.5in. Easy Nova Data Box PRO-25UE RFID hard drive case built by Drecom. In short, the issue is that the encryption used by the enclosure's chipset is very poor, and won't stop more than a casual attempt to decrypt the data.

The article says:

The company explained that actual data encryption is based on a proprietary algorithm. The company claims the IM7206 only offers basic protection and is designed for "general purpose" users.
(Emphasis mine)

Joe Consumer isn't likely to have access to chipset specifications - and in fact, the vendor even disclaims responsibility in the Heise article:

Easy Nova product manager Holger Henke says that the improper label "128-bit AES Hardware Data Encryption" for Data Box PRO-25SUE was the result of Innmax's misleading formulation of its controller specifications.

Security analysts should know to avoid proprietary encryption algorithms if they're able to find out that they're in use, but the users who rely on what sounds like a standards-based encryption capability will be disappointed - and may have their data put at risk. Very few vendors go so far as to tell you what chipset they're using for encryption, so buyers are put in the position of relying on marketing materials and product labels. That can be an uncomfortable position to be in if you really need to rely on the encryption.

Heise also notes that the same chipset used in the PRO-25UE is used in a number of other products, and that the AES encryption used in the chipset is only to encrypt the RFID unlock token, not the data on the drive. Sadly, the data on the drive is "encrypted" with a simple XOR that Heise reverse engineered rather quickly.

What options do you have? Well, hardware encryption means that you have to trust the vendor to have implemented their encryption system correctly. Since there isn't a central security standards body that certifies encryption devices like this, users are left to investigate on their own, or to rely on third parties who may take interest. If you don't trust the hardware solutions on the market, a software package like TrueCrypt, PGPDisk, or BitLocker is likely your best answer for now.
