Re: [HV-INFO] Enova hardware encryption: false sense of security

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [HV-INFO] Enova hardware encryption: false sense of security
From: rwann@xxxxxxxxxxxxx
Date: 29 May 2008 15:53:10 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hello,
 
This is Robert Wann and I am representing Enova Technology. I'd like to respond 
to your published article about the so called "False Sense of Security" for 
balanced review.
 
My comments follow my signature line and I look forward to your publishing of 
our comments (Vendor Comments) to the same sites to balance the view and to 
give us an opportunity defending ourselves. Thank you and I look forward to 
hearing from you.
 
Regards,
Robert Wann
CTO
Enova Technology
http://www.enovatech.com
Office +886 3 577 2767
Fax +886 3 577 2770
 
--------------------------------------------------
Here Enova Technology comments
 
Speaking of X-Wall not being able to hold the secret of the secret key, it is 
actually an intended engineering design and has been praised by many well known 
cryptographers. As X-Wall does not equip with any none-volatile memory and all 
the secret keys reside in the volatile memory, the security of data-at-rest is 
guaranteed as long as the power is shut down or the computer goes into 
hibernation state. The design was meant for the authentication part to hold the 
secret value as it makes sense that secret key will only be released upon 
correct authentication. Advantage in this design also guarantee there won?t be 
a risk of secret been extracted going through sophisticated semiconductor layer 
extraction method.

 

Speaking of the Enova key fob, there is a reverse diode that safeguards the 
accidental insertion of the key fob into a real 1394 (firewire) port that 
carries voltage more than 18 Volts. As a result, damage to the key fob due to 
mismatch of the firewire port can be avoided.

 

We would agree that a capable engineer would be able to apply electrical wire 
onto the serial bus and snoop the protocol to get to the secret key. But this 
is our simplest and basic design which was engineered to educate/show most of 
our customers how the X-Wall will be actually functioning. To show the exact 
opposite, we also engineered a sophisticated FIPS certified smartcard 
authenticated X-Wall design (to view more details, visit our website at 
http://www.enovatech.net/products/reference/secureusb_pro.htm). Being said, to 
snoop an electrical protocol maybe still a bit tougher than simply installing a 
key logger or camera for the password entry. Anyway, to conduct such hot plug 
electrical protocol attack, the attacker needs to get hold of the key fob as 
well as the circuit board and X-Walled hard drive. 

 

To prevent serial bus sniffing, apply the harden epoxy on the X-Wall such that 
it creates chemical effect with the molding compound of the X-Wall to 
effectively avoid such attack as the attempts to use special dissolvent would 
effectively destroy the molding compound of the X-Wall thus destroy the 
circuitry. Alternatively, use the FIPS certified authentication mechanism to 
hold the secret key, which can only be released upon correct authentication.

------------------------------

Prev by Date: dvbbs8.2(access/sql)version login.asp remote sql injection
Next by Date: XEROX DocuShare URL XSS Injection Vulnerabilities
Previous by thread: Re: [HV-INFO] Enova hardware encryption: false sense of security
Next by thread: [xfocus-SD-060329]MPlayer: Multiple integer overflows
Index(es):
- Date
- Thread