Saturday, February 4, 2012

Encrypted USB Sticks and crypto backdoors ; thoughts about Lok-it FIPS



Recently I was asked for advice about Lok-it encrypted USB keys, which present 4 interesting points:
- hardware AES256-CBC encryption
- FIPS 140-2 level 3 certification
- trusted path for pin entry (physical pin pad)
- fully hardware system: no need to execute untrusted code or to have admin privileges

The two questions were: is it a secure product? And is it backdoored?

Before focusing on this particular product, let's have a look at the security issues related to encrypted USB sticks.

Secure Sticks
Numerous encrypted USB devices have had security issues (yes, even with 256-bit AES encryption and FIPS 140-2 L2 certification), and as black-box systems it is difficult to assess the quality of their implementation.

It is very important to remember that the quality of the implementation and the operational conditions of use are as important as the quality of the algorithm or the key length, and that a FIPS certification does not make a product secure.
Unfortunately, marketing always focuses on algorithm, key length and certification.

Examples of broken secure sticks
Here are some examples of broken or flawed “secure devices”:

Some excellent analyses of encrypted devices can be found on the SpritesMods site.

SySS also made very good analyses of different products.

A very good example is the QNAP crypto backdoor (based on LUKS: when the user creates a key, a second one is automatically generated and hidden in the flash memory, but it is easily retrievable).

Crypto-backdoors

The previous examples were “implementation errors” or “basic” crypto backdoors, but much more subtle ones can be designed; see:

Chapter 10: An Elliptic Curve Asymmetric Backdoor in OpenSSL RSA Key Generation

Building Robust Backdoors in Secret Symmetric Ciphers, Adam L. Young (MITRE Corporation), joint work with Moti Yung (Columbia Univ./RSA Labs), BlackHat 2005

Back to Lok-it
I did not make a security evaluation of this product, but as it is derived from a ClevX technology, which is FIPS certified, we can have a look at the FIPS security policy. Some parts seem interesting:

“LOK-IT® is pre-programmed with a unique set of encryption keys created during the manufacturing process. A list of 6 AES keys is supplied by a random number generator (RNG) executing on the manufacturer's computer. The RNG complies with ANSI X9.31 Appendix 2.4 specification for the generation of random numbers.” (p7)

If you were wondering where a potential crypto backdoor could be placed... I'm not actually saying that the product is backdoored or not, but if I had to backdoor the product, this would be a nice place, among others.
Especially if the manufacturer uses a good RNG and keeps a copy of the keys: he can access the data, but he is the only one (we do not consider here other persons who may access the key escrow system, or legal compulsion), and the device remains secure for your own use.

Note: having keys which do not depend only on the PIN code is a good thing, as the entropy of a 7-digit PIN code is terribly low.

“Each LOK-IT® module is manufactured with 6 AES encryption keys. Only 1 of these keys is used to encrypt / decrypt data. The remaining 5 keys have no relationship to stored data. When zeroization occurs, the AES encryption key at the top of the list is erased; the next key becomes the key used to encrypt the private partition. Given enough zeroizations, all keys will be consumed and the drive becomes inoperable.”

This is rather a good thing (not as good as an embedded smart card, but for the price it is a good deal), as keying material is zeroized after a set of wrong attempts, rather than a simple time delay being imposed.
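To make the key-list mechanism of the security policy concrete, here is a small Go model written for this post (not ClevX's code): six manufacturer-generated AES-256 keys, only the top one in use, the PIN checked on the device, and a zeroization that consumes a key after too many failures. The number of failures before zeroization is not stated in the quoted policy, so 10 is an assumed value, and the model draws keys from the OS RNG rather than the manufacturer's X9.31 generator; for scale, a 7-digit PIN carries log2(10^7), about 23 bits, against the 256-bit data key.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// From the LOK-IT security policy: 6 manufacturer-generated AES keys, only the
// top one in use. The failure limit is not on the page; 10 is an assumption.
const numKeys, maxFailures = 6, 10

var ErrInoperable, ErrBadPIN = errors.New("all keys consumed: drive inoperable"), errors.New("wrong PIN")

// Module models the key list. PIN check and key selection run on the device,
// so the host never sees the PIN or the keys; keys[0] protects the partition.
type Module struct {
	keys     [][]byte
	pin      string
	failures int
}

// NewModule fills the list as the manufacturer does, here from the OS RNG.
func NewModule(pin string) *Module {
	m := &Module{pin: pin}
	for i := 0; i < numKeys; i++ {
		k := make([]byte, 32) // AES-256 key
		if _, err := rand.Read(k); err != nil {
			panic(err)
		}
		m.keys = append(m.keys, k)
	}
	return m
}

// zeroize overwrites the top key and promotes the next one: data encrypted
// under the erased key stays unrecoverable even with the correct PIN.
func (m *Module) zeroize() {
	copy(m.keys[0], make([]byte, len(m.keys[0])))
	m.keys, m.failures = m.keys[1:], 0
}

// Unlock returns the active data key for a correct PIN; repeated failures
// consume a key instead of merely imposing a delay.
func (m *Module) Unlock(pin string) ([]byte, error) {
	if len(m.keys) == 0 {
		return nil, ErrInoperable
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(m.pin)) != 1 {
		if m.failures++; m.failures >= maxFailures {
			m.zeroize()
		}
		return nil, ErrBadPIN
	}
	m.failures = 0
	return m.keys[0], nil
}
```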

The trusted path is also a very good thing, avoiding keylogger-related issues (both OS and hardware).

Some other information from the security policy:
Physical security
“• Production grade components
• Hard, opaque epoxy covering the cryptographic boundary
• EEPROM memory protect fuse is set in the security controller”

“The module is a multi-chip standalone cryptographic module, as defined by FIPS 140-2 and consists of an Initio 1861 USB controller, NAND Flash memory and a Microchip PIC16F688 security controller. All components are encased in hard, opaque, production grade integrated circuit packaging. The cryptographic boundary is defined as the boundary of the module's PCB and hard epoxy coating.”

By the way, ClevX pro technology is used in the Corsair Padlock 2 (same as the non-FIPS Lok-it), and Datalock Personal is used in the SDG Secret Diary.



Conclusion

Is it backdoored?
Without a proper security analysis we cannot say whether there is a backdoor or not, but as the crypto system is implemented in hardware and as we have no control over the key generation process, we cannot assume that the device implementation is secure.

Also, I don't like the idea of relying on manufacturer-generated keys (I wonder not only about the quality of the (P)RNG, but also about the risk of a copy of the keys being kept).

Even if we could load our own keys, a backdoor could still allow an attacker to retrieve the key: for example via specific commands to the microcontroller which directly surrender the key, or specific commands which simply bypass the PIN verification process, etc.

In a few words: you can trust the system either by having access to the full implementation (software and hardware) and checking it yourself, or by having it validated by a trusted organization which performs a full analysis (FIPS, EAL, etc. are not sufficient by themselves).

Remember also that numerous manufacturers tend to add backdoors, for “recovery” purposes or at the request of law enforcement agencies.
I'm not saying that Lok-it or ClevX backdoored the product; I am only saying that this kind of “enhancement” is a tradition in the crypto industry (see Général Jean-Louis Desvignes' lecture at INSA Lyon, in French).

So is it a good product?
Well, as always, it depends on the use and the security target.

High security use
Especially if you need assurance of the correct implementation of the crypto system (in France we are a bit “sensitive” about crypto sovereignty, especially when we have to rely on US/UK black-box crypto systems, even though US products are often much better and/or cheaper than their French equivalents), I would advise sticking to open source, evaluated and well-engineered software such as TrueCrypt, LUKS or GPG; but you have to keep in mind all the issues linked to software encryption, and if possible use it with a smartcard.

Of course, if you work for a company which is allowed to buy government-accredited encryption products, the question does not arise.

Other cases
When the information is sensitive but not confidential, Lok-it FIPS seems to be a very good product: very competitive price, trusted path for PIN entry, intuitive use, OS independent and FIPS 140-2 L3 certified (which is not a full guarantee of security, but at least validates some points, especially as cryptographic operations and PIN entry only take place on the key).

In a lot of cases it is preferable to have an untrusted encryption system that is always used rather than a high-level encryption system that is scarcely used because it is too complicated to operate in operational conditions.

We often encounter this issue during audits, when we have to retrieve data from a server on which we are not allowed to install software, or when we have to share the data with non-IT people who may have difficulties using crypto software.
At least with this kind of USB key it is impossible not to encrypt the data, and the PIN is not entered on an untrusted system, even if the user is not security aware, very tired or under heavy stress.
The OS independence is also very interesting when you have to deal with different populations (e.g. a design team using Macs, sysadmins using Un*x).

So I would recommend using hardware encrypted USB keys by default, and for sensitive information using a TrueCrypt/dm-crypt LUKS partition on top of it.
But always consider the device as “password protected” rather than “securely encrypted”, and of course back up the data securely.



Note: a nice combination would be to install a bootable Linux on the stick: this makes it much more difficult for an attacker to tamper with the kernel (I would still recommend encrypting the root with dm-crypt/LUKS).


Note 2: the GPF Crypto Stick v2 seems very promising (encrypted storage + a GPG card).


===============




Case examples:

SanDisk Cruzer Enterprise - FIPS Edition


Here are the main parts:
“• FIPS 140-2 level 2 certified
• Hardware based 256-bit AES encryption
• Mandatory access control for all files (100% private partition)
• Strong password enforcement
• “Lockdown” mode when a set number of incorrect password attempts is made”

“The reason for this is the way how user-supplied passwords are verified. The first security problem here is that the actual password verification is not done in hardware – i.e. on the USB mass storage device itself – but in software on the PC of the user. This fact makes it possible to analyze the password-based authentication process in detail with the help of a software debugger like OllyDbg2, for instance. The second and bigger problem is, however, that secure cryptographic algorithms, like AES in this case, are used in an insecure way.”

“The research of the SySS GmbH showed that the password verification works in the following way:
1. The user-supplied password is converted from ASCII to WideChar
2. A MD5 hash of the WideChar password is calculated
3. A ASCII-HEX representation of the MD5 hash is generated and also converted to WideChar; the first half of the result serves as key in the next step
4. With the generated key, 32 bytes of data, which have been read from the USB flash drive before, are decrypted via AES-256-ECB
5. If the result of the decryption corresponds with a specific value, the password is correct and the protected data storage of the USB flash drive can be accessed

In the course of the security analysis it was found out that the result of the decryption in step 5 was always the same when supplying the correct password. This did not even change when a new password was set or when the USB flash drive was formatted.
The reason for this is that when setting a new password, always the same 32 bytes are encrypted via AES-256-ECB and therefore must consequently be the result of the decryption during the password verification process.”

“In order to gain access to the protected mass storage of the USB flash drive, one just has to make sure that the password verification always results in these 32 bytes. In the further login process those 32 bytes are used for unlocking the protected partition of the USB flash drive.” and “makes it possible to gain access to all stored data by just a few mouse clicks fairly easily”
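The five steps quoted above are easy to reproduce; the Go code below, written for this note (not SySS's tool nor SanDisk's software), models the password-derived key and the host-side check, with a labelled placeholder in place of the fixed 32 bytes whose real value is not given here. Running it shows the property SySS found: the accepted decryption result is the same constant for every password, so a check performed on the host rather than in the controller proves nothing to the drive.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/hex"
	"unicode/utf16"
)

// magic stands in for the fixed 32 bytes SySS found (real value not on the page).
var magic = []byte("PLACEHOLDER-CONSTANT-32-BYTES!!!")

// toWideChar is step 1: ASCII to Windows WideChar (UTF-16LE) bytes.
func toWideChar(s string) []byte {
	out := make([]byte, 0, 2*len(s))
	for _, c := range utf16.Encode([]rune(s)) {
		out = append(out, byte(c), byte(c>>8))
	}
	return out
}

// DeriveKey is steps 2-3: MD5 of the WideChar password, hex-encoded and widened
// again; the first half (32 bytes) serves as the AES-256 key.
func DeriveKey(password string) []byte {
	sum := md5.Sum(toWideChar(password))
	wide := toWideChar(hex.EncodeToString(sum[:]))
	return wide[:len(wide)/2]
}

// ecb runs AES block by block with no chaining, as the host software did.
func ecb(key, in []byte, decrypt bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	op := c.Encrypt
	if decrypt {
		op = c.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(out[i:], in[i:])
	}
	return out
}

// SetPassword models what is written when a password is set: the same 32 bytes
// encrypted under the password-derived key.
func SetPassword(password string) []byte { return ecb(DeriveKey(password), magic, false) }

// Verify is steps 4-5 as run on the host: decrypt the stored blob and compare to
// the constant. A correct check yields the same value whatever the password was.
func Verify(password string, stored []byte) ([]byte, bool) {
	got := ecb(DeriveKey(password), stored, true)
	return got, bytes.Equal(got, magic)
}
```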

ThumbDrive CRYPTO
This one is also very interesting:
“ThumbDrive R CRYPTO ensures that 100% of the storage area is encrypted. With this 256-bit hardware AES engine, the ThumbDrive R CRYPTO offers one of the most advanced security solutions available today”

Here are the main parts:
“A further analysis showed that the device configuration including the administrative password is stored in a special memory of the USB flash drive. When the program SecureLogin.exe is started, the device configuration is read from this memory using a controller-specific command. In each reading operation one 8K data block (8192 bytes) is copied from the USB flash drive to the host PC.”
“The administrative password is stored in an encrypted manner (marked red) along with the used encryption key (marked green). To be precise, only the first eight characters of the password are encrypted (byte sequence 7FAB977474776DA6), the remaining six characters are stored in plaintext (byte sequence 627230783432, which is the ASCII string “br0x42”).
As figure 4 illustrates, the used encryption algorithm is very simple and completely reversible in contrast to cryptographically secure one-way hash algorithms. The first 8 characters are encrypted by adding the value of the one byte long encryption key (26h) followed by a bitwise not-operation.”
“In the course of the security analysis, the SySS GmbH developed a proof-of-concept software tool for demonstration purposes. This software tool named ThumbDrive CRYPTO Unlocker extracts the correct administrative password and automatically unlocks the protected mass storage device of a TREK ThumbDrive CRYPTO USB flash drive with a single mouse click. Figure 10 shows this proof-of-concept software tool in action.”


QNAP crypto backdoor
Even when products rely on well-engineered software like LUKS, it can be poorly implemented or intentionally backdoored. For instance, in this case, when the user creates a new key, a second one is generated, obfuscated and then stored in the flash memory. Accessing the data can easily be done by reading the “backup” key and de-obfuscating it (everything is documented here: http://www.baseline-security.de/downloads/BSC-Qnap_Crypto_Backdoor-CVE-2009-3200.txt).

“When a user selects in the web GUI to encrypt a hard drive, he has to supply a passphrase of 8-16 length. The Qnap solution is to use the underlying Linux standard mechanisms of LUKS to create the encrypted partition. The user supplied passphrase is crypt(3)'ed with the MD5 salt of $1$YCCaQNAP$ and used as the initial key to access the LUKS master key for the drive.

Additionally, the system creates a second key, which is 32 characters long and contains all low case characters and the numbers 0-9, and adds it to the LUKS keyring: /sbin/cryptsetup luksAddKey /dev/md0 /tmp/temp.wLbZNp --key-file=/tmp/temp.rUBxFo”


Source: http://www.securityfocus.com/archive/1/506607

(2010)

"Kingston Technology has asked customers to return certain models of its DataTraveler secure flash drives for an update, following the discovery of a flaw in the memory sticks.
The affected models include the DataTraveler BlackBox; DataTraveler Secure — Privacy Edition; and DataTraveler Elite — Privacy Edition."

Source: http://www.zdnet.co.uk/news/security-threats/2010/01/04/kingston-flash-drives-suffer-password-flaw-39963327/
