There must be something in the water. A few weeks ago we heard about a lack of encryption on the US Predator drone video downlinks. This week we hear about an attack vector on encrypted USB hard drives. Cryptography is getting attention. :) In this case the big deal is about a FIPS 140-2 certification of these USB drives and the fact that they are vulnerable to an attack.
A few months ago I wrote about Federal Information Processing Standard 140-2. The article talks about what FIPS 140-2 is and what it is not and provides some overview of what you will need to do to follow the standard.
Note that I say "follow the standard" because most people will not be going through a certification process with what they build - the certification process, at least today, is for those who implement cryptographic algorithms, libraries, and modules for other people to use.
So, what happened with those certified USB drives? Well, one key (no pun intended but acknowledged) to correct use of any cryptographic system is managing the secret. You can think of the cryptographic keys as the secret, but if those are protected by encryption by a passphrase then that passphrase is also now a secret that must be protected.
In some cases the passphrase was obtainable because the the communication path (from your computer into the USB drive) over which the USB drive passphrase travels can be inspected and manipulated by a malicious program. However, for some drives the manufacturer actually used the same password for every drive. The former is poor design and the latter is a travesty.
Why did that "slip through testers nets", one might ask? The answer is revealed by understanding what FIPS 140-2 Level 2 certification really means. I provide the quote below:
"Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access."
I have highlighted the important portion. Read it carefully. The certification process does not require inclusion of the system into which the USB drive is plugged. That means that vetting the passphrase communication path was (I'm guessing, here) probably not required for FIPS 140-2 certification.
Why is it important to the USB drive manufacturer to chooses the USB drive as the TOE, or "target of evaluation"?
Number (2) above is the kicker. It means that the vendor would have to certify every combination of USB drive and operating system to make a generic claim of USB drive certification. Ouch.
On the other hand, if the manufacturer chooses the USB drive as the TOE then only one certification is needed per revision of the USB drive. That is a huge cost win.
Let me state something else that is both obvious and important:
It is impractical to make the average computer "show evidence of tampering" to meet the level 2 requirement.
That means that the USB manufacturer would have a nearly impossible job to achieve if they were required to include your computer.
Lastly, if I can run a program on your computer without your knowledge you are already in deep trouble. If my program can read your system memory then it can probably just record your passphrase keystrokes. Heck, lots of people fall prey to JavaScript keyloggers just by clicking links in their browser.
Here is a positive thought for you to hold onto: if your drive is one that validates the passphrase outside the USB drive then the attack does not disable encryption on your USB drive. Your data are still encrypted if you lose the drive.
However, if you have one of those drives with a single common passphrase, wipe your data, toss it into the trash, and buy a new one.
I'll close by summarizing some predictions
-Eric