Screwing up security
USB stick with hardware AES encryption
Whether you are talking about certification or 256-bit AES, even the best encryption provides no protection if an additional function accidentally renders the password vulnerable.
The MXI Security Stealth MXP USB memory stick tested by Objectif Sécurité is not a USB stick with just run-of-the-mill security features. Rather, it is FIPS 140-2 certified, which means that after thorough testing the US National Institute of Standards and Technology (NIST) declared it safe for use by US federal authorities.
On examination it is evident that the Stealth MXP is a serious security product. Stealth MXP sticks have their own processor and a Field Programmable Gate Array (FPGA) chip – Actel ProASIC 3 A3P250 – that implements AES encryption in hardware and prevents the memory contents from being read. The markings on the processor and memory chips are scratched off to hamper reverse engineering.
The Stealth MXP stick includes a fingerprint scanner that can be used as a key for data access and is one of a family of four USB security devices. These products allow two-factor authentication (fingerprint plus password) for protection of data stored on the stick. When used to secure information on a computer (rather than on the sticks themselves) they can also provide three-factor authentication, requiring possession of the USB device itself plus a fingerprint and password. Originally the security hardware and its managing software, now called MXI ACCESS Enterprise, were designed as a managed product with the intention that security policies would be set up and controlled by a company's IT department. A later version of the management software, called MXI ACCESS, allows individual users to control the security settings themselves.
The required security policies must be established before the Stealth MXP can be put to use. On first insertion the autorun feature should launch the ACCESS setup software from a small unsecured partition. The first menu choice is Personalise Device. When selected, this offers two choices: Typical (Biometric user), which is the default, or Custom. Choosing Typical (Biometric user) leads to a request to enter an Administrator password. Once an admin password has been entered, an Administrator's account is opened, allowing multiple user accounts to be set up and the associated fingerprints to be enrolled.
When you insert the stick, you see an initial partition that you can read and even write to. This partition is reset to its original state every time the stick is inserted, in order to prevent trojan-based attacks. The program you see there, called Start.exe, displays a login dialog where you can enter your username and password. Once you have logged in, a second partition appears, whose content is encrypted and decrypted by the stick with AES-256 in accordance with the FIPS test protocol.
Optionally, for authentication via a fingerprint, you simply drag your finger across the scanner window on the side of the stick; no program is needed. This process even works under Linux, but if you want to change the stick's settings, you will need to use the Windows software.
Our analysis in a debugger showed that communication between the software and the processor on the stick via the USB port is also encrypted. For instance, the function SSD_AuthenticatePassword prepares a query to the stick starting with SSD_MSG_Encode, followed by CipherSession::encrypt, before finishing with Stealth_DeviceCom::SendRequest. The password or fingerprint is therefore apparently confirmed on the stick, within the certified boundary, rather than on the PC, where it would be vulnerable.
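To make the design point concrete, the following is an added model of that call chain and is not MXI's code, wire format or protocol: a host-side `authenticate` (standing in for SSD_AuthenticatePassword) frames a request (the role of SSD_MSG_Encode), encrypts it under a session key (the role of CipherSession::encrypt) and sends it to a token object that holds only salted password verifiers and returns an encrypted one-byte verdict. The request framing, the class and function names, and the stand-in session cipher (an HMAC-SHA256 keystream with an HMAC tag, used so the example needs only the standard library) are all assumptions; the session key is assumed to be already shared, since key agreement is outside what the article describes.

```python
"""Model of host-to-token password authentication inside an encrypted session.
Added illustration only; not MXI's code or wire format.  Assumptions: the
stick's AES session cipher is replaced by an HMAC-SHA256 keystream plus tag,
the session key is already shared, and the request framing is invented."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN, PBKDF2_ROUNDS = 16, 32, 100_000


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the AES session cipher)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def session_encrypt(key, nonce, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag (role of CipherSession::encrypt)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def session_decrypt(key, blob):
    """Check the tag before touching the ciphertext; refuse any modified message."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("session MAC check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def encode_auth_request(username, password):
    """Invented framing (role of SSD_MSG_Encode): type byte, then two length-prefixed fields."""
    u, p = username.encode(), password.encode()
    return struct.pack(">BH", 0x01, len(u)) + u + struct.pack(">H", len(p)) + p


class Token:
    """The stick side: it stores only salted PBKDF2 verifiers, which never leave the device."""

    def __init__(self, users):
        self._verifiers = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._verifiers[name] = (salt, self._derive(pw.encode(), salt))
        # Dummy verifier so an unknown username costs the same time as a known one.
        self._dummy = (os.urandom(16), self._derive(os.urandom(16), os.urandom(16)))
        self.session_key = os.urandom(32)  # assumed to be already shared with the host

    @staticmethod
    def _derive(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)

    def handle_request(self, blob):
        """Decrypt, verify the password on the device, answer with one encrypted byte."""
        msg = session_decrypt(self.session_key, blob)
        kind, ulen = struct.unpack(">BH", msg[:3])
        user = msg[3:3 + ulen].decode()
        (plen,) = struct.unpack(">H", msg[3 + ulen:5 + ulen])
        pw = msg[5 + ulen:5 + ulen + plen]
        salt, ref = self._verifiers.get(user, self._dummy)
        pw_ok = hmac.compare_digest(self._derive(pw, salt), ref)  # always computed
        ok = kind == 0x01 and user in self._verifiers and pw_ok
        return session_encrypt(self.session_key, os.urandom(NONCE_LEN), b"\x01" if ok else b"\x00")


class HostSoftware:
    """The PC side (role of SSD_AuthenticatePassword): it only ever sees the verdict."""

    def __init__(self, token):
        self.token = token

    def authenticate(self, username, password):
        req = encode_auth_request(username, password)
        blob = session_encrypt(self.token.session_key, os.urandom(NONCE_LEN), req)
        reply = session_decrypt(self.token.session_key, self.token.handle_request(blob))
        return reply == b"\x01"


def tamper_rejected(key, blob):
    """True if flipping one ciphertext bit makes session_decrypt refuse the message."""
    flipped = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    try:
        session_decrypt(key, flipped)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    stick = Token({"alice": "correct horse battery"})  # constructed sample user
    host = HostSoftware(stick)
    print("right password:", host.authenticate("alice", "correct horse battery"))
    print("wrong password:", host.authenticate("alice", "staple"))
    print("unknown user:  ", host.authenticate("bob", "correct horse battery"))
```

What a debugger attached to the host process sees in this model is the framed request going into `session_encrypt` and an opaque blob coming back; the reference verifier lives only inside `Token`, so the verdict cannot be forged by patching a comparison on the PC. That is the property the encrypted call chain above is meant to provide.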
At this point, we were so impressed with the security and official certifications that we almost stopped testing. But then, something caught our eye…