- Status
hawkwindeb
Distinguished
- Jul 14, 2006
- 76
- 1
- 18,630
Its web site says "Protection: Your own 4-10 digit PIN....Multiple failed entries locks device for 2 minutes to prevent repeated attempts to access data" But there are only 5 buttons, so its really only a 4-10 digit combo of only 5 possible digit types. That's easier to crack than if all 10 digits were avail to make up the pin. It's really just to keep the folks that don't know or don't have (or can make) tools to automate including with the 2 min delay after the "Multiple failed entries" limit is exceeded. That's still a lot of folks that a device with these features protects against.
And for those folks that ask why this type of protection is needed, I'll just say, if you have to ask, then this type of product is not for you. However, there's a sizable market for portable but secure devices - and secure at all cost is not needed or wanted by most of the market I'm talking about. Lower cost with convenience features in most cases = a compromise in security at some level. These are always in some balance act where at one point one side out weighs the other for a specific market.
And for those folks that ask why this type of protection is needed, I'll just say, if you have to ask, then this type of product is not for you. However, there's a sizable market for portable but secure devices - and secure at all cost is not needed or wanted by most of the market I'm talking about. Lower cost with convenience features in most cases = a compromise in security at some level. These are always in some balance act where at one point one side out weighs the other for a specific market.
hawkwindeb
Distinguished
- Jul 14, 2006
- 76
- 1
- 18,630
[citation][nom]snowhare[/nom]...the lockout codes on the missiles were set to *all zeros*: OOOOOOOO I suspect rick2689 was pointing out that no amount of encryption security can overcome the ability of fools to use bad passwords.[/citation]
I thought they were set to 12345, which was the same as all the presidents' luggage during the same time period.
I thought they were set to 12345, which was the same as all the presidents' luggage during the same time period.
[citation][nom]hawkwindeb[/nom]Its web site says "Protection: Your own 4-10 digit PIN....Multiple failed entries locks device for 2 minutes to prevent repeated attempts to access data" But there are only 5 buttons, so its really only a 4-10 digit combo of only 5 possible digit types. That's easier to crack than if all 10 digits were avail to make up the pin. It's really just to keep the folks that don't know or don't have (or can make) tools to automate including with the 2 min delay after the "Multiple failed entries" limit is exceeded.[/citation]
Yes, but their 2 minute lockout only applies if you want to use their unmodified hardware. If you pull the flash chips and copy off the encrypted data, or possibly modify the circuitry in the stick to remove the lockout protection, then you can work at finding the password without restrictions, which is as you pointed out, even easier with only 5^10 combinations to choose from. That is only equivalent to a 24-bit key, which even the little CPU in your smartphone could probably crack in a few seconds, but still better than most encryption you might want to do by pencil-and-paper, so maybe that's something good to say about it? 🙂
Yes, but their 2 minute lockout only applies if you want to use their unmodified hardware. If you pull the flash chips and copy off the encrypted data, or possibly modify the circuitry in the stick to remove the lockout protection, then you can work at finding the password without restrictions, which is as you pointed out, even easier with only 5^10 combinations to choose from. That is only equivalent to a 24-bit key, which even the little CPU in your smartphone could probably crack in a few seconds, but still better than most encryption you might want to do by pencil-and-paper, so maybe that's something good to say about it? 🙂
Lots of people here are uninformed it seems.
1. You can't simply desolder the flash chips and read them elsewhere, since the data commited to the flash chips never goes to them unencrypted.
2. It does NOT come down to 10 billion combinations for an off-line brute force cracking, due to salting...
The Padlock 2 has a unique-per-drive pseudo random number (deterministic) hard coded at the factory at manufacture time and it also generates a non-deterministic "session" random number (hardware-generated non-pseudo) at time of PIN creation, to pad-out the remaining entropy that is required to fulfil the requirements needed to maximise the entropy for 256-bits. This is called salting and is a industry standard method for ensuring that key strength is maximal.
To prove this actually works, you can remove the PIN (using the 9-1-1 method) and then recreate with the exact same PIN and not get access to your previous data, because a new session random number was generated and you don't know the previous number (it's internal to the control chip).
3. To brute force these in 10 billion combinations, you need to leave the chips in the thumb drive and crack via the keypad. This could be automated but replacing the buttons with wires to a computer, however with the 2 minute lock-out, your grandchildren will have retired before it finishes.
4. The PIN number does NOT have to be stored in the unit and any half decent crypto implementation WILL NOT do so. A cryptographically secure hash could be used and typically is.
5. It is NOT limited to 5 digits on account of having 5 buttons. For 0 you press 0|1 once and for 1 you press 0|1 twice, just like a mobile phone.
If this device does what it claims (256-bit AES encryption in hardware with deterministic and non-deterministic salting), then it is an absolute bargain at the asking price.
The IronKey requires password entry via your systems keyboard, which can be keylogged. If someone keylogs your IronKey password, then it is worth their while to steal your IronKey. You might then feel an unfounded sense of safety, not realising that your IronKey has fallen into the hands of someone with its password!
The Padlock 2 does not suffer from the dangers of keylogging, as you enter the password via the inbuilt number pad. What's more, you can even unlock the Padlock 2 BEFORE you plug it into the computer (has a built in rechargable battery).
I have an 8GB IronKey S200 and 2 of these 8GB Corsair Padlock 2's. I much prefer the Corsair (it is completely system agnostic, so I can also use it with OpenBSD). If you were skeptical, you could also layer the security by using TrueCrypt on it also.
1. You can't simply desolder the flash chips and read them elsewhere, since the data commited to the flash chips never goes to them unencrypted.
2. It does NOT come down to 10 billion combinations for an off-line brute force cracking, due to salting...
The Padlock 2 has a unique-per-drive pseudo random number (deterministic) hard coded at the factory at manufacture time and it also generates a non-deterministic "session" random number (hardware-generated non-pseudo) at time of PIN creation, to pad-out the remaining entropy that is required to fulfil the requirements needed to maximise the entropy for 256-bits. This is called salting and is a industry standard method for ensuring that key strength is maximal.
To prove this actually works, you can remove the PIN (using the 9-1-1 method) and then recreate with the exact same PIN and not get access to your previous data, because a new session random number was generated and you don't know the previous number (it's internal to the control chip).
3. To brute force these in 10 billion combinations, you need to leave the chips in the thumb drive and crack via the keypad. This could be automated but replacing the buttons with wires to a computer, however with the 2 minute lock-out, your grandchildren will have retired before it finishes.
4. The PIN number does NOT have to be stored in the unit and any half decent crypto implementation WILL NOT do so. A cryptographically secure hash could be used and typically is.
5. It is NOT limited to 5 digits on account of having 5 buttons. For 0 you press 0|1 once and for 1 you press 0|1 twice, just like a mobile phone.
If this device does what it claims (256-bit AES encryption in hardware with deterministic and non-deterministic salting), then it is an absolute bargain at the asking price.
The IronKey requires password entry via your systems keyboard, which can be keylogged. If someone keylogs your IronKey password, then it is worth their while to steal your IronKey. You might then feel an unfounded sense of safety, not realising that your IronKey has fallen into the hands of someone with its password!
The Padlock 2 does not suffer from the dangers of keylogging, as you enter the password via the inbuilt number pad. What's more, you can even unlock the Padlock 2 BEFORE you plug it into the computer (has a built in rechargable battery).
I have an 8GB IronKey S200 and 2 of these 8GB Corsair Padlock 2's. I much prefer the Corsair (it is completely system agnostic, so I can also use it with OpenBSD). If you were skeptical, you could also layer the security by using TrueCrypt on it also.
- Status
TRENDING THREADS
-
Question No POST on new AM5 build - - - and the CPU & DRAM lights are on ?
- Started by Uknownflowet
- Replies: 13
-
-
-
-
Facebook
Twitter
Instagram