If she does not decrypt the drive by month’s end, as ordered, she could be held in contempt and jailed until she complies. If the case gets to that point, Judge Blackburn would have to make a judgement call and determine whether the woman had forgotten the code or was refusing to comply.
It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.
C’est evidemment juste pour rire un peu que j’ecris a ce sujet. Qui, avec des connaissances minimales et du gros bon sens, pourrait bien s’imaginer que ces produits sont securises correctement 😉 C’est quand meme interessant de penser que la facon d’entrer chez-vous pour hacker le reseau sera la TV ou le lecteur Blu-Ray. La seule facon de se proteger serait-elle d’avoir un firewall/router interne dedie aux cochonneries electroniques comme les TV/Blu-Ray? Remarquez que le probleme existait deja avec les consoles de jeu qui utilisent encore WEP!
Un commentaire sur slashdot pointait sur xkcd.com:
Aussi interessant dans cet episode (evidemment aussi disponible en audio):
Steve: And the Verbatim Corporate Secure FIPS Edition. Now, FIPS is the National Institute of Standards and Technology, NIST. That’s its federal security rating system. These devices have all received the FIPS 140-2 Level 2 certificate which validates devices as being secure for use with sensitive government data. And…
Leo: That’s pretty good. I’d take…
Steve: …they are completely hackable.
Steve: They’ve got hardware AES-256 encryption in the key. So they’re not inexpensive. But get a load of this, Leo. You use some software that comes with a key, which of course prompts you for your password. You put your password in. And it does some mumbo jumbo with your password, whatever it is it does. But every single one of them, no matter what your password was, sends the same key string into the AES-256 cipher engine.
Leo: You’d think something at FIPS, at NIST, might have noticed.
Steve: Uh, yes. In fact, embarrassed by this, NIST has said that they will be considering whether they should make changes to their validation process because the USB drives in question met all their criteria.
Leo: Oh, boy.
Steve: So once again, so it’s true that if, as a user, you did not put the right passphrase in, the software would say, oh, sorry, that’s the wrong passphrase. But a security company reverse-engineered the software, wondering what was going on inside. And what they discovered was that there was a fixed key.
Steve: Well, yeah. And what boggles my mind is, again, our listeners understand this. You take and hash the passphrase with a secure hash, and that’s what you use as the key. This is not hard. I mean, that’s all there is to it. In which case the key would be derived from the passphrase through a secure hash and, bang, you’ve got it. I mean, sure, you want to put minimum security requirements on the length of the passphrase and all those things, and it wants to be nonguessable because it would be prone to a brute-force attack, blah blah blah, all the things we know about. But the idea that the passphrase isn’t being used to generate the key, but that the key is fixed, that’s just, I mean, actually it’s a really good lesson because it demonstrates that just saying AES-256 means nothing.