Attack
The identity matrix for 64-bit functions consists of 64 by 64 bits. Their 64 hexadecimal row values can be derived in the same way as in the 8-bit example. A binary editor like bvi or a short Perl program can be used to write the identity matrix to a file. We use dd to deposit this file on the disk drive we have connected via SATA:
# dd if=/tmp/unitymatrix.bin of=/dev/sda bs=1K seek=244193758
After installing the drive into the S325, block 1001 of the protected disk contains the decrypted rows of our matrix A-1 in sequential. Here are the first few of the 64 rows:
0000000000000100
0000000000000004
0000000000008000
0000000000000080
0000000000000040
0000000000000200
0000000000000002
0000000000000010
00000000000009ef
0000000000000400
0000000000000020
...
Together with a matrix multiplication program written by Harald Bögeholz, who came across a GStor hard disk that uses this type of encryption, this matrix already produces the complete decryption algorithm. The only thing left to do is match its byte order (Endianness) when sequentially reading and writing the 64-bit values via fread() and fwrite() to that of the row values in our identity matrix.
The matrix consisting mainly of zeros, not only indicates that our assumption was correct, but also that the encryption is extremely primitive, even for a linear map. Although Raidon's engineers may have devised a highly complicated algorithm with dozens or even hundreds of lines of code, the algorithm's linear behaviour allows us to fully describe it, via the matrix we determined.
Now it is no problem to extract an image of the encrypted partition via dd, decrypt it using the program, and mount it via cloop. We have cracked the encryption completely.
Staray S125
When informed of our findings, vendor Raidon was co-operative and very willing to share information. The first thing we learnt is that the encryption algorithm varies with the hard disk drive inserted – probably according to serial number or type. The decryption matrix is indeed slightly different with a different hard disk, so that the attack has to be redone from scratch for every hard disk drive used with the enclosure.
Raidon also informed us that the Staray S125 enclosure, which is unlocked via Windows software instead of a PIN pad, uses the same encryption algorithm. Encryption no longer being an obstacle we can now look at the S125 controller's administrative information, which appears to be located somewhere on the hard disk.
As there were only a few zeros between the end of the first partition and the encrypted MBR, the admin information is probably located at the end of the disk. We therefore start our read operation at the end of the second partition, using hexdump's compressed display mode as before:
# dd if=/dev/sda bs=1K skip=488375936 | hexdump -C
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
0095c010 d8 00 00 00 31 32 33 34 35 00 00 00 00 00 00 00 |....12345.......|
0095c020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
...
Ouch! The first result already reveals the enclosure's PIN in plain text. The Staray S125's protection therefore is a total loss.
Fuelled by our success, we also cast a glance at the corresponding disk region in the S325's setup. But here, the PIN is not returned in plain text. Small changes to the PIN result in completely different entries in the relevant area. It seems that the S325 offers better quality encoding, which appears to require far more analysis effort. However, as we have already cracked its encryption, we don't consider it necessary to investigate the S325 any further.
Conclusion
Our earlier conclusion unfortunately remains unchanged: Cheap hardware offers cheap encryption. The USB storage market has been flooded with budget products, and a vendor wanting to successfully introduce a storage solution with hardware encryption needs to produce it as cheaply as possible. However, vendors tend to economise in the wrong place by incorporating budget encryption. Developing a secure encryption system costs money, and vendors have to find a balance between manufacturing costs, data throughput and security, taking in to account the limited processing power of these controller chips.
While the Staray S products, in the case of physical loss, may prevent casual snooper from accessing the data without authorisation, the same can be achieved, just as effectively and more cheaply, with a free software product like TrueCrypt. The encryption algorithms used in these programs are currently regarded as uncrackable, even with state-of-the-art technology, provided that a strong password is used. (cr)
Bibliography
[1] Christiane Rütten, Enclosed, but not encrypted
[2] Harald Bögeholz, Windige Festplattenverschlüsselung, Excelstors GStor-Plus-Festplatte gehackt
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
