[HV-INFO] Enova hardware encryption: false sense of security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Enova hardware encryption: False sense of security
Classification:
===============
Level: Informational
ID: HEXVIEW*2006*03*28*1
URL: http://www.hexview.com/docs/20060328-1.txt
Overview:
=========
Enova Technology is a manufacturer of the X-Wall ASIC that provides
transparent IDE/ATA hard disk encryption (http://www.enovatech.net).
Enova offers a variety of chips with levels of encryption strength ranging
from DES-40 to 3DES-192. AES encryption is also mentioned on the website
but we were unable to find any details on it in X-Wall datasheets.
A critical design flaw makes possible to duplicate hardware tokens and/or
capture the encryption key. Although this advisory is rated informational,
the issue might be of critical severity for those relying on Enova-based
devices to protect sensitive information.
Affected products:
==================
All hardware hard disc encryption solutions based on Enova X-Wall
ASICs are affected. Those include devices manufactured by:
CRU-DataPort
dLock Corp
Mapower Electronics Co.
SSI Computer Corp.
Storcase Technology
Jstac Corporation
PC Winner International
CipherShield
Macpower Peripherals (ThumbMax)
RocStor
NetStor Technology
Onnto Corp.
Quick-Serv Computer Co.
Deltron Technology
Jetway Information Co.
St. John Technology Co.
Asustek Computer Inc.
Abit Computer Corp.
Mitac Technology
The complete list of manufacturers and their products is available at:
http://www.enovatech.net/products/manufacturers.htm
Cause and Effect:
=================
Enova X-Wall crypto engine does not protect the confidentiality of the
encryption key. The X-Wall ASIC reads the key from a serial eeprom
using Microwire protocol. The key is stored in eeprom IN CLEAR TEXT.
Depending on a device the eeprom can be located on a hardware token
(so-called "Secure Key"), or emulated by additional authentication layers
(biometric, 2-factor, etc.) Essentially, the manufacturer decided
to go with a simpler design instead of implementing a method to securely
input the key to the device (Diffie-Hellman key exchange, for example).
The "Secure Key" hardware token is a Microchip 93C46 eeprom mounted on
the IEEE 1394 connector. It can be read and duplicated using any suitable
serial programmer. No matter how many authentication layers are implemented
for a device, it is trivial to capture the key directly from the microwire
bus bypassing other authentication methods.
More design flaws:
==================
The "Secure Key" token uses IEEE 1394 (firewire) connector which might cause
hardware damage when plugged in to the firewire port. While token's body
employs additional metal pin to prevent accidental insertion into most
firewire ports, the pin is useless with many firewire extension cables.
Security Risks Summary:
=======================
1. Hardware token can duplicated in seconds.
2. Encryption key can be sniffed off the wire.
3. Additional layers of protection (2-factor, smart cards, biometrics) are
in most cases useless. The key is still delivered to the ASIC in the clear.
4. Inability to change the key in many products.
Mitigation factors:
===================
1. Physical access to the device or hardware token is required to perform
the attack.
2. Some manufacturers derive encryption key from smartcard and biometric
technologies. In this case the only way to get the key is to sniff it
off the wire. Tamper-resistant and tamper-evident enclosures can make
it difficult (but not impossible) to tap into the microwire bus.
Vendor Status:
==============
Due to the nature of the problem (there is no possibility to correct the issue)
HexView decided that it is unnecessary to notify the vendor.
About HexView:
==============
HexView contributes to online security-related lists for over a decade.
The scope of our expertise spreads over Windows, Linux, Sun, MacOS platforms,
network applications, and embedded devices. We also offer a variety of
consulting services. For more information visit http://www.hexview.com
Our website also features security news, papers, recent exploits, and
discussion forums.
Distribution:
=============
This document may be freely distributed through any channels as long as
the contents are kept unmodified. Commercial use of the information in
the document is not allowed without written permission from HexView
signed by our pgp key. Please direct all questions to vtalk@xxxxxxxxxxx
Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at vtalk@xxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFEKidKDPV1+KQrDqQRApqjAJ9Qil+hrq+28N0/1SfpxmURBOxlKACgiIzo
Usty1Mr1TA7xE2wOzmz6tr0=
=xpOw
-----END PGP SIGNATURE-----