Note that AES is always used in a "mode of operation" to provide any sort of secure encryption. AE-secure modes are AES-SIV, AES-GCM-SIV, AES-OCB, and AES-GCM in decreasing order of safety/performance (possibly others, but those are the most well reviewed and most used). Those sometimes get noted with the key length, e.g. AES-256-GCM-SIV, sometimes not.
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation...
However ECB is a lot worse than "you can see data patterns"--with a chosen plaintext attack (very common scenario in networking and storage applications) any dumbass can decrypt it trivially.
This is what the talk is called because that is what the vendor advertised not because it is a standardized thing which makes sense.
Actually the vendor does a lot of not so great things, from very, very bad password hashing to how they handled file encryption.
What's interesting is that the talk about the security ends at 32min; after that, it's a talk from a private contractor hired by the company which messed up the encryption. Still watching it, but that's unusual and nice.
Symmetric key sizes larger than 256 bits are pretty much universally snake oil.
1024 is marketing fluff, which they justified by running 8 passes on the file encryption key (to paraphrase the presentation - ‘Regular consumers don’t understand encryption standards, but think bigger numbers = better and trust the term Military Grade’).
It's not a 100% guarantee that it's proprietary junk, but it's a very good indicator.
It uses the sector number and block offset within the sector as input, a little like a counter mode. Its major advantage is zero overhead, so you don't lose disk capacity, or need to map blocks around, you can just sorta use it as a filter layer in your disk reads/writes.
It's not properly authenticated though, as data tampering can result in altered or scrambled plaintext rather than detectable errors, so you need other mechanisms for error detection, which then have to be secure against attacks.
I'm someone who bought several Sandisk devices over the years. The first thing I do after buying and unboxing is set up LUKS[0] on the device with the Disks utility in Ubuntu. These USB flash drives usually ship with an `.exe` piece of 'security software' written to the disk, which I never execute because I don't trust their claims. I prefer battle-hardened and trusted things like LUKS, instead of proprietary products that use snake-oil terms like 'Military Grade'.
Often we hear about how broken something is; very RARELY do you get to see the remediation action and decision making. Hats off to the guys at EncSecurity for stepping up to fix their issues AND sharing the lesson with the industry.
It would be great if exFAT was not patent-encumbered and supported native encryption+integrity. ZIP archives at least provide cross-platform encryption+integrity with AES-256 but without block-level hmacs or encrypted file names. Maybe Windows will add support for ZFS someday?
Also aes-1024 sounds like some proprietary thingy, not something people should probably trust anyway...
> It turned out that the key derivation function was PBKDF2 using 1000 iterations of MD5 to derive the encryption key. The salt used to derive the keys is constant and hardcoded in all the solutions and all the vendors. This makes it easier for an attacker to guess the user password of a vault using time/memory tradeoff attack techniques such as rainbow tables and to re-use the tables to retrieve passwords for all users using the software. The implementation itself was incorrect and even with a randomly generated unique salt, it would be effortless to recover the password of a user.
I'd stick with VeraCrypt for now.
This ends up being a common usability issue whenever a user is asked to provide a passphrase for some sort of symmetric encryption scheme. The user is almost never given any guidance to allow them to choose a passphrase strong enough for the system in use. So they end up with a dictionary word with a digit on the end and have no way to know that they have not actually protected anything. It ends up being sort of a con in practice. The user is allowed to believe that the system is much more convenient to use than it actually is.
The system under consideration is not really any worse than other things in this respect.
First of all, every single device shares a common, constant salt. Although that doesn't simplify a single instance of an attack on the key-derivation function, it permits the construction of rainbow tables to trade off storage against time and attack all devices simultaneously.
Secondly, the key-derivation function has a flawed construction. In PBKDF2, if you need more key bits than the hash function outputs, you repeat the process varying a value that's concatenated to the salt as the initial input. This means the cost to generate a key to test scales with the length of the key. In this implementation, the salt + constant is not actually an input in the hash function at all, but instead XOR'd against the result of the hash.
As a result, you get no increase in work factor at all.
There are other problems in the implementation of the actual cipher (AES-CTR is malleable, not authenticated; keys longer than 128 bits are only actually using half of the additional key bits - "AES-1024" only uses 576 bits of the generated key) but the KDF is the real problem.
a dictionary word with common letters substituted with a number, case-sensitive, and one or two punctuation.. that is "not protected anything" ? .. almost any two dictionary words put together, not even case sensitive also "not protected anything" ? the out-of-breath security analysis is bothersome and led us to mandatory ten characters of garble and other extreme anti-user patterns.. I am looking at a stack of forty accounts with passwords as an ordinary library user.. not convinced of this expert analysis today
Edit: I'm not actually looking for definitions of "military grade encryption", thank-you everyone who tried to explain it though. I work in cybersec, and encryption is encryption. It is either compliant with standards or it is not. But "military grade" is pure marketing fluff, hence why I avoid it.
But military-grade is just a buzzword. Unlike something like MIL-SPEC there is no body that determines what is military grade. And even MIL-SPEC is not very specific, most of its standards have many components that don't apply unless the vendor specifically certifies for it.
But yeah most vendors that use such terminology demonstrate a very poor understanding of the technical principles and use their marketing buzzwords to make up for it.
(After reading your comment I went to wikipedia to check that Bruce Schneier hadn’t unexpectedly passed away.)
Done by the cheapest contractor :)
A big, undisputed, downside is that newer algorithms take longer to be approved and it's possible that people keep using the term after algorithms get deprecated.
Encryption is more like "milspec", meeting military minimum quality guidelines than "military issue" which is the cheapest implementation of milspec in physical (or electronic for that matter) goods.
Legit vendors who sell actual mil-spec equipment (except stuff that has known shitty mil-specs like entrenching tools) don’t use ‘military grade’ anywhere when they’re selling to the military. They go through procurement and identify the specific mil-specs they are compliant with.
Military grade is the weasel word way of implying they have done that without being able to be sued because they aren’t.
When you see "FIPS", that means NIST approved/validated.
NSA approval/validation is relevant when the system has to handle classified information and often (but not necessarily) you start with components that have FIPS certification.
The presenter shows a slide with an online post saying: “cryptography marketed as military grade is often to crypto what military music is to music”
The use in the title is almost certainly self aware and tongue in cheek.
Then a team from Europe published some free software that enabled people to use stronger encryption than the ones on the top rank from the US, and their government stopped with this nonsense. So, the only really "military grade" algorithms are broken stuff from the 90's.
Grade implies something fundamentally changed/altered/adjusted in the underlying product to make it suitable for government/military/whatever use. Here, though, AES is AES whether it is used by my mother or by the military.
Mostly means someone is trying to sell you something and betting you don't know much about the subject matter.
It shows that all components of a cryptosystem are important. Attacks seldom target things like actual ciphers unless it's one known to be weak like RC4 or single-DES. They target bad constructions (like this), implementation bugs, etc.
What really happened: Yet another random company simply implemented the password code wrong. This has nothing to do with the integrity of AES which remains unbroken in principle.
Nothing to see here.
I feel like this is being bad on purpose.
Yikes
Correct me if I am wrong, but isn't AES a group, like DES? If so, encrypting twice under keys of the same strength is the same as encrypting once, with a different key.
This is why, e.g., 3-DES uses encryption-decryption-encryption, under different keys.
> A plugin in John the Ripper software to allow everyone to "practically brute force military grade AES-1024" will be released at the time of the presentation.
My understanding was that even 128-bit security is safe from brute forcing at the present. Am I missing something?
If you are a human being, your password is more likely to be a single English word or name with some arbitrary capitalization, some swapping out of o/0 a/@ s/$ t/+ or some such, and then a number tacked on the beginning or end.
At this point, brute-forcing your password is going to be a much simpler proposition; you're reliant on a key-derivation function being sufficiently expensive to compute to slow down that brute-force attack.
The attack in this case was of the latter kind; the KDF was so poor that it could be attacked very quickly. No 128-bit encryption was harmed in the filming of that presentation.
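The two KDF weaknesses spelled out earlier in the thread (a salt shared by every device, and extra key blocks that add no work even though "8 passes" suggest they should) together with the point just made, that a human-chosen password is only as safe as the KDF is expensive, as an added Python example. This is not the vendor's code or material from the talk: `pbkdf2_md5` is textbook RFC 8018 PBKDF2 with HMAC-MD5, `flawed_kdf` is an assumed model of the class of flaw described (salt and block index XORed onto a single password-only hash chain rather than fed into it), and the salt, password and candidate list are constructed for the demo.

```python
import hashlib
import hmac
import struct

MD5_LEN = 16        # MD5 digest size in bytes
ITERATIONS = 1000   # iteration count quoted in the thread

# Constructed demo values (not the vendor's actual salt or any real password)
CONSTANT_SALT = b"hardcoded-salt!!"
PASSWORD = b"hunter2"


class PrfCounter:
    """HMAC-MD5 wrapped so we can count invocations and compare work factors."""

    def __init__(self):
        self.calls = 0

    def __call__(self, key: bytes, msg: bytes) -> bytes:
        self.calls += 1
        return hmac.new(key, msg, hashlib.md5).digest()


def pbkdf2_md5(password: bytes, salt: bytes, iterations: int, dklen: int, prf) -> bytes:
    """Textbook PBKDF2 (RFC 8018) with HMAC-MD5, written out to expose the block loop.
    Each block T_i restarts the iteration chain from salt || INT(i), so the cost
    per guess grows linearly with the number of blocks needed for dklen."""
    blocks = -(-dklen // MD5_LEN)                        # ceiling division
    out = b""
    for i in range(1, blocks + 1):
        u = prf(password, salt + struct.pack(">I", i))   # U_1
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):                  # U_2 .. U_c
            u = prf(password, u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(MD5_LEN, "big")
    return out[:dklen]


def reference_pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Standard-library PBKDF2, used only to cross-check pbkdf2_md5 above."""
    return hashlib.pbkdf2_hmac("md5", password, salt, iterations, dklen)


def flawed_kdf(password: bytes, salt: bytes, iterations: int, dklen: int, prf) -> bytes:
    """Assumed model of the flaw described in the thread (not the real code): the
    salt and block index never enter the hash.  One chain is iterated from the
    password alone and salt || INT(i) is XORed onto that single result per block."""
    u = prf(password, b"")
    for _ in range(iterations - 1):
        u = prf(password, u)
    core = int.from_bytes(u, "big")
    out = b""
    for i in range(1, -(-dklen // MD5_LEN) + 1):
        mask = (salt + struct.pack(">I", i)).ljust(MD5_LEN, b"\0")[:MD5_LEN]
        out += (core ^ int.from_bytes(mask, "big")).to_bytes(MD5_LEN, "big")
    return out[:dklen]


def work_factor(kdf, dklen: int) -> int:
    """PRF calls kdf needs per password guess to derive dklen bytes."""
    prf = PrfCounter()
    kdf(PASSWORD, CONSTANT_SALT, ITERATIONS, dklen, prf)
    return prf.calls


def strip_salt(flawed_key: bytes, salt: bytes) -> bytes:
    """For the flawed scheme, XOR the public salt material back off the first block.
    What remains depends only on the password, so a per-password table computed
    once works against every device even if each device had a unique salt."""
    mask = (salt + struct.pack(">I", 1)).ljust(MD5_LEN, b"\0")[:MD5_LEN]
    return bytes(a ^ b for a, b in zip(flawed_key[:MD5_LEN], mask))


def dictionary_attack(kdf, device_keys: dict, salt: bytes, candidates) -> dict:
    """Derive each candidate once under the shared salt and match it against every
    device's key: with a constant salt one chain per guess covers all devices."""
    prf = PrfCounter()
    table = {kdf(pw, salt, ITERATIONS, MD5_LEN, prf): pw for pw in candidates}
    found = {dev: table[key] for dev, key in device_keys.items() if key in table}
    return {"found": found, "prf_calls": prf.calls}


if __name__ == "__main__":
    for dklen in (16, 32, 128):   # AES-128, AES-256 and "AES-1024" key sizes
        print(f"{dklen * 8:4d}-bit key: PBKDF2 {work_factor(pbkdf2_md5, dklen)} PRF calls, "
              f"flawed model {work_factor(flawed_kdf, dklen)} PRF calls")
    salts = [b"device-A-salt", b"device-B-salt"]
    cores = {strip_salt(flawed_kdf(PASSWORD, s, ITERATIONS, 16, PrfCounter()), s) for s in salts}
    print("distinct password-only cores across two uniquely salted devices:", len(cores))
```

Running it shows that proper PBKDF2 costs 8000 PRF calls per guess for a 1024-bit key versus 1000 for a 128-bit one, while the flawed model stays at 1000 regardless, and that `strip_salt` yields the same value for both devices, which is why a unique salt would not have rescued this construction.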
(Technically, the actual software in the USB is white-labeled with the USB flash drive brand, but apart from that this is it.)
Tech-savvy users will always use "the best" tools, but for "normal people", the police having the ability to decrypt their data is a thing government wants. If the encryption is bundled, they'll use the broken one, because the alternative (googling the software) will usually show them only the software that actually works.
The brute-forcing is about brute-forcing PBKDF2 with only 1000 iterations being used with user passwords, and doesn't have anything to do with AES.