Schneier on Security
A blog covering security and security technology.
« Potential Airbus Flaw and Coverup |
| Prince Andrew Screened At Melbourne Airport »
October 3, 2005
The Doghouse: Lexar LockTight
Do you think we should tell these people that SHA-1 is not an encryption algorithm?
Developed by Lexar, the new security solution is based on a 160-bit encryption technology and uses SHA-1 (Secure Hash Algorithm), a standard approved by the National Institute of Standards and Technology (NIST). The 160-bit encryption technology is among the most effective and widely accepted security solutions available.
This seems not to be a typo. They explain themselves in more detail here:
Lexar has provided us with the following explanation as to how data is protected on the LockTight cards: (we understand that the encryption is carried out on the communications layer between the card and camera/computer rather than the data itself).
"Lexar employs a unique strategy to protect data on LockTight cards. LockTight cards are always 'locked.' In other words no computer or camera can read or write data from/to a LockTight card until a critical authorization process takes place between the LockTight card and the host computer or host camera. This authorization process is where the 160-bit HMAC SHAH-1 encryption algorithm is employed."
Posted on October 3, 2005 at 8:22 AM
• 37 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
So what exactly is your beef with this? Just their terminology? They say up front that none of the data is encrypted, it's just a matter of authenticating a user to access the unencrypted data, which is obviously why they use a hash algorithm. So they called it an encryption algorithm... who cares?
Looks like an authentication layer tacked onto the normal CF card interface. Yeah, they don't get their wording straight, <marketroid>But the consumer slobs don't know the difference, right?</marketroid>
What I see here though is a proprietary hardware interface added to a standard piece of hardware. So the card doesn't work (or works as an extra-expensive normal CF card) in a non-LockTight camera or card reader. If it doesn't work in non-compliant hardware, then it doesn't matter whether their authentication is secure or not, it's Security By Incompatibility.
From the Lexar documentation:
"LockTight encrypts login access to the LockTight card. By not encrypting file data, the full 80X speed of the LockTight card is available to the photographer while still providing full card level security"
The data is not encrypted, but there is a simple authentication layer added to access the data card.
There is clearly some "misguided" marketing here, I think intentionally worded to mislead the consumer. They repeatedly mention "encryption", yet there is no actual data encryption here, just authentication.
Based on the wording of their market-speak, I know people that would be mislead into thinking their data was actually secured and made "unreadable" by this card.
The dpreview actually reinforces this misleading security, "Attempting to read the card in another card reader or on another computer using the Lexar card reader also failed to work, Windows didn't even register that a card had been inserted.", "So it's clear that the Lexar LockTight technology really does work."
Huh, I guess that's all the crypanalysis I need to know my data is safe!
Kind of like saying your data on a SDcard is safe as long as no one else has a SDcard reader. I agree with meme that this is more "security by incompatibility" than anything else.
For the misleading documentation and market-speak, Lexar _does_ deserve to be in the doghouse.
If I'm reading this correctly this looks like some form of nuisance protection scheme. It'll prevent people without the time, money, or interest to access the data. But if your adversaries have interest and the time or money they can rip the card apart and "direct" read from what is probably standard NAND flash parts inside.
Hmmm, assuming they are standard NAND flashes inside I wonder if they use the same formating as "standard" flash cards. Then you can desolder them and attach them to a "regular" Lexar card and read the data directly without their new cool controller chip getting in the way.
And what is the market?, seems vaguely related to photography. Is it to keep other photographers from stealing your cards? that seems questionable. Is it to keep the "man" from harassing you and wiping your images of police state brutality, If they catch you they can do all that on your camera with this card. Hmmm.
In my previous post, I incorrectly attributed the quote, "security by incompatibility". Matt posted this, not meme. Sorry Matt.
As I think about this some more, this product really does provides security... for Lexar!
With this product, Lexar can market a "secure" product, and I suspect many customers will be mislead into thinking their data is actually "encrypted" on the card when it is not. In this case, Lexar has the added security of more sales.
Also, Lexar has more security in that for those professional photags that buy this "secure" card, then forget their password to access their priceless photos, Lexar can easily recover their photos from the card.
If the photos on the card were actually encrypted (with strong encryption), and the owner forgot the password, they would never see their photos again. However, since the data is not actually encrypted on the card, all Lexar needs is a "superuser" logon/password to access the data on _any_ card, or a special reader that bypasses the authentication on the card. I suspect Lexar has both a "magic" user/password as well as card readers that can bypass the auth for testing purposes.
The market is news photogs or paparazzi who take pictures and want to make sure they get credit (aka paid).
I just wonder what happens the first time the police come across one of these. I suspect the Lexar folks won't be willing to go to jail to protect a source.
This is so typical.
The tech guys create a (hopefully) well-thought-out solution of sorts. Lexar don't have a good history on the "well-thought-up" part, but let's give them the benefit of the doubt here.
We'll never get to know if it's good or not, we'll only be able to guess, because the marketing guys talk to the tech guys, get some tech documents, and then they hash the tech documents (with SHA-160 :-) ) so that "non-techies can understand the concepts", and then they put it on their web site.
Then when us technically-minded people come along it's all gibberish to us.
If I had to put my money down, I would bet that the card is not encrypted, and the camera's serial number is the key to unlocking it ("A LockTight CF card will not be recognized by any camera other than the LockTight enabled cameras for which it has been authorized"). I also bet that the card doesn't have a proper CPU on it, so it uses some simple compare function to compare a hash of the serial number that the camera supplies with a hash provided by their software ("Users and cameras are assigned card privileges with a simple drag and drop")
Annoying as it is, it's futile to get worked up over a process that every technical document goes through when the marketing people process it. I see it happen all the time.
My beef: They talk about encryption, but are clearly only authenticating "In other words no computer or camera can read or write data from/to a LockTight card...." To a non-cryptographer, that means that data on the card is private. But it's not. Their solution promises privacy, but doesn't deliver it.
(Actually, we have no idea if it does or not. There might be some sort of encryption in the system as well as authentication. We don't know.)
My first reaction to reading that was "market speak". Even if I didn't understand exactly what was going on, they seemed to be laying it on pretty thickly. One of the links I followed stated a locked flash can't be read (invalid format) or re-formatted (format failed) unless it was inserted into one of their (proprietary) readers. It sounds to me like they are simply breaking a protocol (swapping wires, inverted logic, wrong voltage, etc). I believe it'll be hacked in a week.
This sounds much more like "lock your customers into buying your overpriced cards" than anything. Much like they've been trying to do with printer carts, this seems more like a way for equipment vendors to key they products in a way that prevents you from going and buying cheaper 3rd party storage. It seems much more like a "secret handshake" tacked onto what was an open standard.
From the link you provided to the Lexar website, they state there is no file data encryption, although, it is not clear what "encrypts login access" is, likely they confused authentication with encryption (either intentionally or unintentionally).
"LockTight encrypts login access to the LockTight card. By not encrypting file data, the full 80X speed of the LockTight card is available to the photographer while still providing full card level security. A LockTight card absolutely cannot be accessed on any camera other than an authorized LockTight camera nor any computer that does not have LockTight Access and a correct User Name and Password. "
I suspect their choice of using authentication vs. data encryption was a trade off, performance as well as recoverability.
They state that since they are not encrypting file data, the full speed of the card can be realized (this may also be a limitation of the card and/or camera hardware/software in not being able to perform on-the-fly encryption/decryption).
Also, by not encrypting data, Lexar saves themselves from potential problems of lost data when users forget their passwords, which is very likely to occur with these types of consumer products (likely easier to build in a bypass for an authentication/access control scheme than to build in a key escrow/recovery mechanism). I suspect Lexar made a decision somewhere in their design process that it would be easier for them to "recover" data from a card using an authentication based security solution opposed to a data encryption based solution.
you say the market is news photogs/paparazzi who want to make sure they get paid. don't they have other means of doing this, and is theft of photographer intellectual property a big problem you hear about every day?
child pornographers, on the other hand, need to lock those images away tight under pain of going to prison for a long time. good physical security where the camera is stored doesn't stand up very well to a search warrant. there's an underserved market!
Actually, I think the following verbiage on the site makes it clear that Lexar is acutely aware of the limitations of the technology:
"LockTight encrypts login access to the LockTight card."
- We provide an 'encrypted' authentication mechanism
"By not encrypting file data, the full 80X speed of the LockTight card is available to the photographer ..."
- We do not encrypt your data
"...while still providing full card level security. "
- If someone finds a method of accessing below the card level, sucks for you!
A critical review of the phrasing indicates that they never say that your data is secure, only that it is secure if stored on a LockTight enabled card.
This is not a security technology, it is a marketing technology.
Furthermore, rather than unsolder and resolder the flash chips, it is likely (pure speculation, I haven't taken one apart yet) easier to remove the authentication chip, and then solder things to skip over the process.
It's always been my impression that you reserve the Doghouse for truly insecure products that make fantastic claims. From what I can see, this is not that sort at all. Its claims of security, while not fully documented, are certainly plausible - anyone who has been exposed to the Unix password hash (referred to in the manuals as "encryption", equally incorrectly) can easily imagine how a strong hash could be used to implement a workable password-protection scheme.
No claims about absolute uncrackability based on either secret proprietary algorithms or industrial-strength standards here, just a little market-speak failing to make a distinction that is neither easy for their target audience to understand nor worth their time to explain. Only the reviewer seems to stick his foot in his mouth, by misspelling the algorithm name...
Here is another company that belongs in the dog house:
Intersil's proprietary "FlexiHash" technology is basically a munged CRC8 algorithm.. It has only 8-bits of output. But they claim their authentication scheme is superior to SHA-1!
"Non-unique mapping of the secret key to an 8-bit authentication code maximizes hacking difficulty due to need for exhaustive key search (superior to SHA-1)."
The link above will give you a datasheet with algorithm details.
Ah, that is an even better doghouse than Lexar. I think Lexar knows their limitations, the question really is are they communicating it fairly to the public?
After sitting through Lexar's flash presentation, I can think of a number of use cases for what they are doing. There are some features (an option to require a PIN even in camera use) that are only mentioned in the presentation.
It appears to be possible to tie cards to users, and require a PIN entry even if the camera is authenticated. They also talk about "user rights" but don't explain in detail.
The combination of these two *might* allow a photographer to shoot pictures, download pictures, but not delete pictures. Thus, a news organization could give its photographers all the flexibility they have today - except that they guarantee they will always get to see the original photos. With the concerns over originality and modifications, I can see organizations finding a lot of benefit in that capability.
Even without that, it looks like picking up a random camera will not enable you to download the images on it, and may even keep you from viewing them on the camera. This means that a single person can reasonably be held responsible for the contents of a card.
It's really too bad that Lexar doesn't just come right out and describe what they are offering, and what uses they see as best for it. I'm beginning to think that an attempt to market this as "all security to all people" has confused the message about some valuable features.
As part of a larger system of controls and assurances, this would be a valuable piece of the puzzle. Even if it is possible to lift data by disassembling the card, that certain places a far higher barrier than current cards.
It is not to be named nicely what lexar does. The description on the site is sale talks. I suspect seen the manner of defining that they know also that it is not good. But which photographer know that… Recently have I yet someone else “safe��? flash disk for me had on which the JTAG pins (with flash entry) immediately accessible were, only the box must be screw open. It would not astonish me if that is here also the case.
Intersil makes well a quite beautiful product ;) as you the datasheet reads will you almost will believe that it really is good. CRC as a superior of SHA-1, don't let me cry :S.
The reason they got dog-housed is because they claim the data is protected by encryption. That is not what the product is. It is protected by authenticated access, not encryption. Further more, the objective Lexar advertises (confidentiality, integrity) as the premise for implementing authentication is ripped apart below :)
The fact that this is a technology designed for people who are concerned about the security of their media automatically infers that the product is intended for people who are concerned with at least the availability, integrity, or confidentiality of their data.
Authentication can be used to ensure integrity or confidentiality*; since the authentication mechanism here does not encrypt the data, it is not a privacy measure.
It can furthermore be argued that since the technology is required to be in place to assure the integrity, and it is (theoretically) possible to remove the actual flash media, modify it, and return it to the original container, the technology fails to assure integrity as well.
The technology does trivially raise the bar for a number of users, however the types of users the technology is designed to protect are typically the subjects of non-trivial attacks. Copy protection and privacy protection that cannot withstand a trivial side-channel attack such as this is poorly implemented, especially when on considers the relative ease with which even basic crypto could probably be implemented by nominally reducing the write speed of the media. (Of course, there would be cost impacts, and key management nightmares, but that would be an entirely different dog-house issue).
* Authentication impacts availability as well, however if authentication or lack there of prevents a change to the protected system, or the ability to observe the contents, the availability impact is in either case congruent with one or both of the above, and is therefore not a separate issue in this case.
"Do you think we should tell these people that SHA-1 is not an encryption algorithm?"
I think you already are.
Hrm... They say SHA-1 is approved by NIST. Didn't NIST just recently depreciate SHA-1?
Back in June, I posted a few unkind words about this product and Phil Askey's review of it on my own website. http://emergent.unpy.net/index.cgi/01118099352
I suggested a few ways to "break" LockTight (use the flash chip in a different card, get the secret from the camera, or steal the camera along with the card), but of course it is all idle speculation.
Ultimately, I'm with those who think this technology primarily enables Lexar to sell new, expensive cards and readers to people with too much money.
The market for this card seems to be people who want to protect against casual snooping.
No need to go to criminal activities to justify that market: consumers who do not want someone in their household (their spouse?) to access pictures of them and unnamed third parties, and assume (possibly correctly) that adding some harassment value to snooping would be sufficient.
That said, I wouldn't buy this 'secure' card; I just XOR all my documents with my birthdate. Twice.
Well, they could use SHA to generate a keystream and then XOR stuff with it, but it wouldn't be too good. They probably just hash a password for authentication and call that encryption (for marketing).
Off on a slight tangent, something I can imagine a real need for is cameras with strong authentication: i.e. the ability to prove that a photo was taken with a particular camera and has not been modified since it left the camera. (Ideally also time-and-date would be provable, but this is harder.) Do such things exist?
Note it is "SHAH-1", not SHA-1, so there is still a narrow margin for an excuse :)
@yaniv & @rsanders,
Child pornography, hiding things from your wife... Dang, I hadn't even thought of the devious personal requirements for authentication. Although the lack of encryption probably doesn't remove the legal hassels of the former, though the nuisance factor might prevent the later.
I still don't see the pro-photographer need. It seems that photograph authentication would still have a bunch of holes with this technology. And long ago when I took photos for local papers there was never any interest in the other guys' film. But it's a different millenium now so maybe someone asked for such a thing.
A encrypted card is probably useful for someone who needs to take photos in dangerous places. Better yet, it should have a "fake mode" which can be used as a normal CF card, for deception.
Another security related issue about digital cameras is the authentication of the photo, especially for journalists and photo contests. It's becoming easier and easier to modify a photo digitally, and it's very possible someone send a fake photo to a newspaper.
A simple method is to put a digital signature chip inside the camera, which generates a secret key when activated (which is an one time, unreversible job, to make sure the camera vendor doesn't have the access to the secret key either). The secret key can't be recovered, but public key can. The camera sign every photograph it takes and people can check it with the public key from the camera. Of course, this alone does not prevent people from photographing a digitally altered picture, but such cases are much easier to detect.
In one of your books, you show how to use a one way or hash algorithum to make an encryption system using a Fiestel round....
Posted just for the heck of it ;)
A bit off topic, but the SpreadFirefox site was breached, and in a mail they sent to registered users they revealed that:
also recommend that you change your Spread Firefox password and the
password of any accounts where you use the same password as your Spread
Firefox account. We will notify you again when the site is back up with
instructions on how to change your password. (Note: We do use MD5
hashing on the passwords, but MD5 cannot protect all passwords against
off-line dictionary style attacks.)"
Details on slashdot:
I believe they use a small portion of the drive to run an autorun program when plugged into a Windows system. The autorun program asks for a password before allowing access through Windows.
If I bought an encrypted storage device, I would hope it encrypts my data.
Lexar has tried a similar scheme before where they used a binary on the media to control access to an encrypted area on the flash media. The bigger concern with this application was that Lexar decided it would be prudent to store the password (which I beleive was used as the encryption key) in an XOR scrambled section on the jumpdrive media.
Lexar sucks at crypto related technologies; they have gotten it wrong twice. They know how to use AES-256 and certainly they know how to market devices to people, but they don't understand key management, and they don't appear to understand the purpose of authentication.
I seem to recall that years ago DJB's Snuffle could turn any hash function into an encryption algorithm.
Ignoring the various flaws with the product, I think there are some legitimate uses for this device. The organisation I work for performs crime scene analysis, involving the use of digital photography for gathering evidence. A device that can impede tampering with images, and their theft/public release would be useful to us.
How do I use the debugger or decrypt the XOR? Please help, I don't want to format my whole lexar jumpdrive.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.