0

I have searched the web for information on secure encrypted USB flash drives. I have found that the most secure encryption is hardware-based like Kingstom DT4000 for example.

  1. Why is a simple USB flash with an encryption from TrueCrypt isnt so safe as the encryption hardware?
  2. What is the (in)compatibility situation with encrypted USB flash drives and Linux? I read many articles that say hardware-encrypted USB flash drive cannot work with any Linux distribution.
Jeff Ferland
  • 38,090
  • 9
  • 93
  • 171
John B
  • 3
  • 2
  • Your question is actually two: One about the security of hardware encryption on flash drives, and one about interaction of hardware encryption with Linux. There's been [previous discussion[(http://security.stackexchange.com/q/11680/13239) of hardware vs software encryption, although it's probably not an exact duplicate. – Jonathan Garber Jan 09 '13 at 14:15
  • @JonathanGarber Sry for opening new Question. I didnt find that Question before! – John B Jan 09 '13 at 14:28
  • I'm not entirely sure it IS an *exact* duplicate. I'm just tossing it out there for you to look at and the community to consider. – Jonathan Garber Jan 09 '13 at 14:41
  • @JohnB - There have been many examples of the software for the hardware encryption on devices like your asking about being implemented in the incorrect way. One of the worst examples it that every single device used the same key, so when I bug was found in the software, the encryption was vulerable to a stronger and easier to implemnt attack. – Ramhound Jan 10 '13 at 13:44

2 Answers2

1

I personally really like the idea of an encrypted container residing on a storage device. Truecrypt can do that stuff and while setup properly it is secure.

Reference

happy
  • 225
  • 1
  • 6
  • 1
    the key benefit (relating to the OP question) of using TrueCrypt is that it is platform independent. – Callum Wilson Jan 09 '13 at 10:39
  • @CallumWilson I agree to use true Crypt b/c it is independent from OP but for security? With True Crypt a bruteforce method will decrypt the files, but with a hardware decryption you have nothing to scare. I read that the most popupal usb flash with hardware decryption will auto-format usb stick if you fail 10 times the decryption password. So, none can see your files throught bruteforce method on your usb stick. – John B Jan 09 '13 at 14:34
  • 1
    @JohnB Even if an attacker got hold of your encrypted files, it would take them a very large amount to time to brute-force your key. For example, if you used a 128-bit cipher, it could take approximately 30,810,000,000,000,000,000 years to brute-force at 350 billion guesses per second. – LMS Jan 09 '13 at 16:08
  • 1
    @JohnB If the attacker had the resources to pose a significant threat to the encryption, they'd likely have no trouble removing the flash chips from the USB stick and accessing the raw encrypted data directly, bypassing any logic that'd erase after too many failed access attempts. – Kitsune Jan 09 '13 at 16:39
  • @Kitsune - Most devices that provide hardware encryption "self destruct" when they are taken apart. Futhermore there is little difference between software/hardware encryption, one of the benefits of hardware encryption is you can implement protection as "self destruction" easier then dealing with software. You could if you wanted implement that same feature into software, and most hardware devices uses software, to determine when the "self destruction" should be enabled anyways. – Ramhound Jan 10 '13 at 13:48
  • @Ramhound that's a load of bull. There are no tampering protections built in like explosives to melt the flash memory if you take it out of it's case... – Lucas Kauffman Jan 26 '13 at 09:36
  • @LucasKauffman - The devices that I have used are design to damage the memory cell if the shell is opened. – Ramhound Jan 28 '13 at 11:58
  • @Ramhound I doubt that it's impossible to do it, if you look at the Victorinox USB, then it had this feature, but hackers (during testing) were only allowed to try for 2 hours, which is a limited time scope. Given a few days and a few of those pen drives I don't think it will be all that difficult to develop a technique to remove the shell without damaging the memory... – Lucas Kauffman Jan 28 '13 at 12:23
  • @LucasKauffman - The `Victorinox USB` does not even advertise it has hardware encryption. I am talking about stuff like http://www.ironprotector.com/ which contains hardware encryption. I won't be returning to this question. You claimed my comment wasn't truthful except it was, claimed its impossible to do it, except **its been done before**. – Ramhound Jan 28 '13 at 13:15
  • I'm just saying it's nothing that's done by default and I'm also saying there is probably a way around, given enough time. – Lucas Kauffman Jan 28 '13 at 13:16
  • Also I apologize, my initial comment was a bit too snarky :) – Lucas Kauffman Jan 28 '13 at 13:17
1

The problem with hardware encryption is that operating system engineers and cryptographers have their own view on encryption and/or design goals; this can create implementation incompatibilities with different operating systems; and with different operating systems comes different filesystems; and with different filesystems comes a wealth of new issues with encryption at the filesystem level.

This means that:

  1. There must be a standard among operating systems to create a compatibility with eachother for encryption, and...
  2. There must be a standard filesystem among operating systems, and...
  3. The encryption method used must be open source for peer review.

I have my own solution:

  1. Create two partitions; one about 100MB and the other the rest of the space using TrueCrypt. Alternatively, just create a TrueCrypt volume container.
  2. The compatibility between Linux, Windows, and Mac comes from ensuring that your filesystem is a compatible one between OS's such as FAT.

The incompatibilities with Linux and encryption most likely stems from LUKS and the new standard ecryptfs.

Encryption with TrueCrypt can be defeated by dumping keys (easily done with aeskeyfind). I should note that decryption in general requires the secret key; this means that in order to read the data off of the hardware encrypted flash drive the key must be present somewhere (most likely in RAM like with TrueCrypt). I do not know of any way to break truecrypts encryption other than dumping the keys from RAM or by brute-force which leaves the same issue present with the hardware encrypted flash drives.