In association with heise online

18 February 2008, 16:09

Enclosed, but not encrypted

Christiane Rütten

Cracking a crypto hard drive case

A new generation of inexpensive disk drive enclosures using hardware encryption and RFID keys do not fulfil the promises of their publicity. The adverts claim 128-bit AES hardware encryption, but they don't tell us how it is used.

The specifications of the 2.5in. Easy Nova Data Box PRO-25UE RFID hard drive case by German vendor Drecom sound promising: hardware data encryption with 128-bit AES, access control via an RFID chip compact enough to carry around on your key ring and optional 160GB or 250GB hard disk capacity. Swiping the RFID chip along the case causes the integrated Innmax IM7206 crypto controller to reveal the drive as a USB 2.0 mass storage compatible device to the attached computer. This works under Linux and Mac OS X as well as Windows. There's no need for special drivers.

Look a little closer, and things don't look so good. Heise online's sister publication c't magazine has discovered that the encryption offered by this product was weak, and erroneously advertised as including "128-bit AES hardware data encryption". c't has since spoken with the manufacturers involved and can confirm that the encryption weakness discovered probably affects numerous similar products.

The first step in our analysis was visual inspection of the encrypted data on the medium. We began by taking out the included Samsung hard drive and connecting it to a normal USB SATA adapter. We immediately noticed that all sectors not overwritten by the partition table and FAT32 formatting were still full of the zero bytes the hard drive contained when shipped. While this does not represent a major cryptographic flaw, it does at least give attackers a rough idea of the volume of encrypted data on the hard drive.

Ideally, encrypted data should look like a random sequence. A phase-space plot helps us quickly determine the pseudo-randomness of data and hence the relative encryption quality of a given data volume. For a three-dimensional phase-space plot, the sequence a, b, c, d, e, f, etc. can be used as space coordinates (a-b, b-c, c-d), (b-c, c-d, d-e), (c-d, d-e, e-f), etc. Patterns in the plot created reveal recurring relations between subsequent sequences. In this phase plot, 50,000 16-bit random numbers would produce an unstructured cloud of dots.

random distribution in the phase space
random data and well encrypted data are evenly distributed across the plot

Since some 30 per cent of the first 100kB of the encrypted hard drive are zeros, we can expect a third of these dots to be found on the plot's origin. The remaining two thirds at least should be distributed randomly across the plot if properly encrypted. Unfortunately, the distribution is anything but even:

structured distribution
Encrypted data on the hard drive produced lines on the plot - an indication of poor encryption

A large part of the 35,000 non-zeros, which we would expect to find randomly distributed, are clumped together in four groups on the plot. If we take a closer look at the individual sectors in a hex editor, we find the same sequences repeated

00008e00  77 c8 54 35 ee 90 a9 6a  dc 21 53 d5 7d 43 a6 aa  |w.T5...j.!S.}C..|
00008e10 3f 86 4c 55 7e 0c 99 aa 39 18 32 55 72 30 64 aa |?.LU~...9.2Ur0d.|
...
00008fe0 fd 76 00 20 fa ed 00 40 f4 db 01 80 2d b7 03 00 |.v. ...@....-...|
00008ff0 5a 6e 07 00 b4 dc 0e 00 68 b9 1d 00 d0 72 3b 00 |Zn......h....r;.|

popping up in the following 512-byte block (200 hexadecimal):

00009000  77 c8 54 35 ee 90 a9 6a  dc 21 53 d5 7d 43 a6 aa  |w.T5...j.!S.}C..|
00009010 3f 86 4c 55 7e 0c 99 aa 39 18 32 55 72 30 64 aa |?.LU~...9.2Ur0d.|
...
000091e0 fd 76 00 20 fa ed 00 40 f4 db 01 80 2d b7 03 00 |.v. ...@....-...|
000091f0 5a 6e 07 00 b4 dc 0e 00 68 b9 1d 00 d0 72 3b 00 |Zn......h....r;.|

And again:

00009200  77 c8 54 35 ee 90 a9 6a  dc 21 53 d5 7d 43 a6 aa  |w.T5...j.!S.}C..|
00009210 3f 86 4c 55 7e 0c 99 aa 39 18 32 55 72 30 64 aa |?.LU~...9.2Ur0d.|
...
000093c0 4d 00 20 59 9a 00 40 b2 f1 01 80 64 e2 03 00 c9 |M. Y..@....d....|
000093d0 01 07 00 92 c7 0e 00 24 8e 1d 00 48 1c 3b 00 90 |.......$...H.;..|

And again:

00009400  77 c8 54 35 ee 90 a9 6a  dc 21 53 d5 7d 43 a6 aa  |w.T5...j.!S.}C..|
00009410 3f 86 4c 55 7e 0c 99 aa 39 18 32 55 72 30 64 aa |?.LU~...9.2Ur0d.|
...
000095e0 fd 76 00 20 fa ed 00 40 f4 db 01 80 2d b7 03 00 |.v. ...@....-...|
000095f0 5a 6e 07 00 b4 dc 0e 00 68 b9 1d 00 d0 72 3b 00 |Zn......h....r;.|

These regular repetitions continued, and the almost identical columns of numbers suggest that the 512-byte sectors of your drive are not in fact encrypted with AES, but merely with a constant 512-byte cipher block applied as an XOR (exclusive OR).

Print Version | Permalink: http://h-online.com/-746199
  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit