Aaron Nabil Posted March 22, 2010

I sent this a while ago but didn't get a reply, so I'll try here. I'm running up against a deadline to recommend a device to our staff and customers.

If answering these questions makes your device less secure, just say so and I'll exclude your device and move along; our selection criterion is that the device security be based on actual encryption, not "hidden knowledge of the designer". On the other hand, if your device wouldn't be any less secure by answering the questions, please do so. What do you have to lose except to sell more of them to my staff and our customers?

---------- Forwarded message ----------
From: Aaron Nabil <nabil@>
Date: Thu, Mar 4, 2010 at 4:55 PM
Subject: questions about Flash Padlock 2
To: ramguy@corsairmemory.com

We need a secure USB drive to give out to our traveling staff. I called your tech support and although they were able to answer my first question, they didn't know the second.

1st question: Is the device any less secure if someone had the complete schematics and source to all the firmware of the device, i.e. they knew everything about it? As a sanity check, please answer the same question as it applies to your "padlock 1" device.

2nd question: The device claims 256bit AES encryption. Where does the 256 bits of key material come from and how is it generated?

Wired Posted March 22, 2010

No, I don't work for them.

1. Of course! Everything's less secure if you know how it works.

This won't answer #2, but it's worth a read: http://www.schneier.com/blog/archives/2010/03/crypto_implemen.html

Aaron Nabil (Author) Posted March 22, 2010

"1. Of course! Everything's less secure if you know how it works"

Is AES less secure because it's a published standard? If the security of this device relies on the obscurity of the implementation or secrets in its firmware, then it's just snake oil.

Thanks for the link. I see other people are asking where the other 200 bits of key entropy are going to come from and that the "lockout mechanism" is only a casual deterrent.

RAM GUY (Corsair Employee) Posted March 24, 2010

1st question: Is the device any less secure if someone had the complete schematics and source to all the firmware of the device, i.e. they knew everything about it? As a sanity check, please answer the same question as it applies to your "padlock 1" device.

A: The device is no less secure if one had schematics and source code. The engineers that created this drive have both and cannot hack it.

2nd question: The device claims 256bit AES encryption. Where does the 256 bits of key material come from and how is it generated?

A: A Device key is created in the factory with a deterministic random number generator (RNG) and is unique for each drive. Subsequent Session keys are created inside the drive using a non-deterministic RNG that makes use of random events operating on the Device key as a seed.

Archived
This topic is now archived and is closed to further replies.