Enabling Secure Business Operations

The Reason to Dig Deeper

Heise Security has a good story called Enclosed, but not encrypted, which is essentially about false advertising. They were testing an external hard drive that advertises AES encryption of the whole drive, unlocking when your RFID tag is held close enough to be read. Unfortunately, things were not as they seemed.

the almost identical columns of numbers suggest that the 512-byte sectors of your drive are not in fact encrypted with AES, but merely with a constant 512-byte cipher block applied as an XOR (exclusive OR) ... an XOR with an unchanging cipher block does represent a major cryptographic flaw – in fact, the open kind of flaw that, used in this way, is susceptible to what are known as “known plain-text attacks”.

Rather than performing 128-bit AES encryption of the whole drive, the device only AES-encrypts the RFID tag data in memory, and then XORs every 512-byte sector of the drive with the same constant 512-byte block. Because the block never changes, the "key" cancels out when two ciphertext sectors are XORed together, and any single sector whose plaintext is known (an all-zero sector of free space is enough) hands an attacker the entire block, which then decrypts every other sector on the drive.
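The following is an added example, not code from the Heise article or from the device vendor, that models the scheme described above: every 512-byte sector XORed with one constant block. The key block, the sector contents and the function names are all constructed for illustration. It shows the known-plaintext recovery the quote refers to, and a black-box check a reviewer can run against a device without knowing anything about its internals: write two sectors of known content, read the raw ciphertext back, and XOR them. Under a constant XOR the result equals the XOR of the plaintexts; under real AES it would be indistinguishable from random.

```python
"""Why a constant 512-byte XOR block is not encryption (constructed example)."""

SECTOR_SIZE = 512


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(sectors, key_block):
    """The scheme Heise found: every sector XORed with the SAME 512-byte block.
    (A real AES disk cipher transforms each sector differently, depending on
    both the key and the sector position.)"""
    if len(key_block) != SECTOR_SIZE:
        raise ValueError("key block must be exactly one sector")
    return [xor_bytes(s, key_block) for s in sectors]


def recover_key_block(ciphertext_sector, known_plaintext_sector):
    """Known-plaintext attack: C = P xor K, therefore K = C xor P.
    One sector of known content (unused zero-filled space, a filesystem
    superblock, ...) yields the whole key block."""
    return xor_bytes(ciphertext_sector, known_plaintext_sector)


def decrypt_all(cipher_sectors, key_block):
    """Once K is known, every sector on the drive falls: P = C xor K."""
    return [xor_bytes(c, key_block) for c in cipher_sectors]


def is_constant_xor(cipher_a, cipher_b, plain_a, plain_b):
    """Black-box check needing no key material: write two sectors of known
    content, read the raw ciphertext back, and compare C_a xor C_b with
    P_a xor P_b. They match only if the same block was XORed onto both."""
    return xor_bytes(cipher_a, cipher_b) == xor_bytes(plain_a, plain_b)


def demo():
    # Constructed key block, standing in for whatever the device derives
    # from the RFID tag. Its value is arbitrary.
    key_block = bytes((i * 7 + 3) & 0xFF for i in range(SECTOR_SIZE))

    zero_sector = bytes(SECTOR_SIZE)            # e.g. unused space on the disk
    ones_sector = b"\xff" * SECTOR_SIZE         # second known pattern
    secret = b"Q3 payroll export, do not distribute".ljust(SECTOR_SIZE, b"\x00")
    plain = [zero_sector, ones_sector, secret]

    cipher = flawed_encrypt(plain, key_block)

    # 1. The "ciphertext" of an all-zero sector IS the key block itself.
    zero_leaks_key = cipher[0] == key_block
    # 2. The black-box test detects the constant XOR without any key.
    detected = is_constant_xor(cipher[0], cipher[1], zero_sector, ones_sector)
    # 3. One known sector recovers K, and K decrypts everything else.
    k = recover_key_block(cipher[0], zero_sector)
    recovered = decrypt_all(cipher, k)

    return {
        "zero_sector_leaks_key": zero_leaks_key,
        "constant_xor_detected": detected,
        "recovered_key_matches": k == key_block,
        "recovered_secret": recovered[2].rstrip(b"\x00"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The same two-pattern test is what a practitioner should run on any "hardware encrypted" drive before trusting it: if two sectors you wrote yourself come back with a ciphertext difference equal to their plaintext difference, no AES is being applied to the data path, whatever the packaging says.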

This underscores the need for a policy that either requires FIPS 140 validation of all cryptographic devices (and checks that the validated module actually covers the data-at-rest path, not just a component beside it), or enlists the help of a security expert to dig deeper before vendor claims are trusted.