Jump to content
Corsair Community

questions about Flash Padlock 2


Aaron Nabil

Recommended Posts

I sent this a while ago but didn't get a reply, so I'll try here. I'm running up against a deadline to recommend a device to our staff and customers.

 

If answering these questions makes your device less secure, just say so and I'll exclude your device and move along, our selection criteria is that the device security be based on actual encryption, not "hidden knowledge of the designer". On the other hand if your device wouldn't be any less secure by answering the questions, please do so, what do you have to lose except to sell more of them to my staff and our customers?

 

 

 

 

---------- Forwarded message ----------

From: Aaron Nabil <nabil@>

Date: Thu, Mar 4, 2010 at 4:55 PM

Subject: questions about Flash Padlock 2

To: ramguy@corsairmemory.com

 

 

We needs a secure USB drive to give out to our traveling staff.

 

I called your tech support and although they were able to answer my first question, they didn't know the second.

 

1st question: Is the device any less secure if some had the complete schematics and source to all the firmware of the device, ie they knew everything about it?

As a sanity check please answer the same question as it applies to your "padlock 1" device.

 

2nd question: The device claims 256bit AES encryption. Where does the 256 bits of key material come from and how is it generated?

Link to comment
Share on other sites

1. Of course! Everything's less secure if you know how it works

 

Is AES less secure because it's a published standard? If the security of this device relies on the obscurity of the implementation or secrets in it's firmware then it's just snake oil.

 

Thanks for the link. I see other people are asking where the other 200 bits of key entropy are going to come from and that the "lockout mechanism" is only a casual deterrent.

Link to comment
Share on other sites

  • Corsair Employee
1st question: Is the device any less secure if some had the complete schematics and source to all the firmware of the device, ie they knew everything about it?

As a sanity check please answer the same question as it applies to your "padlock 1" device.

A: The device is no less secure if one had schematics and source code. The engineers that created this drive have both and cannot hack it.

 

2nd question: The device claims 256bit AES encryption. Where does the 256 bits of key material come from and how is it generated?

A: A Device key is created in the factory with a deterministic random number generator (RNG) and is unique for each drive. Subsequent Session keys are created inside the drive using a non-deterministic RNG that makes use of random events operating on the Device key as a seed.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...