conference logo

Playlist "rC3 NOWHERE"

Practical bruteforce of military grade AES-1024

Sylvain Pelissier and Boi Sletterink

Sony, SanDisk, and Lexar provide encryption software for their USB keys, hard drives, and other storage products. The software is already present when buying a new product and used to keep data on the storage safe. This solution is developed by a 3rd party called ENCSecurity. The security claims of this solution were very strong *i.e.* "Ultimate encryption using 1024 bit AES keys Military grade". Our analysis of the DataVault software revealed three serious flaws impacting the security of the DataVault solution. This presentation is a look the flaws we identified along with our process for discovery and how the vulnerabilities were addressed.

The DataVault solution is a stand-alone application used by default as an encryption solution for many Sony, SanDisk, and Lexar products and as well used by some libraries to offer data security. This solution was not analyzed before, and the strong security claims were not assessed to match the reality. This presentation gives background details of the analysis and the context which brought us to perform the analysis. The method for reverse engineering and inspecting the DataVault solution will be presented. It turned out that the key derivation function was PBKDF2 using 1000 iteration of MD5 to derive the encryption key. The salt used to derive the keys is constant and hardcoded in all the solutions and all the vendors. This makes it easier for an attacker to guess the user password of a vault using time/memory tradeoff attack techniques such as rainbow tables and to re-use the tables to retrieve passwords for all users using the software. The implementation itself was incorrect and even with a randomly generated unique salt, it would be effortless to recover the password of a user. Other flaws of the key derivation function will be discussed and compared with nowadays good practices.

The data encryption method was also found to be malleable, allowing malicious modifications of files in a vault without any detection. No data integrity mechanism was set up. The settings of the full version of the software allows choosing between 4 different levels of security, namely AES-128, 256, 512 and 1024 bits. The encryption method has been reversed and is a CTR like construction based on AES-128 using a single key. Multiple iterations of encryptions are chained with the keys obtained by the key derivation function used as IVs. However, it turned out after the analysis that all these modes offer only a security level of 128-bit.

A plugin in John the ripper software to allow everyone to "practically brute force military grade AES-1024" will be released at the time of the presentation.

We have a continuous, welcomed, and constructive collaboration with the ENCSecurity company. During this presentation, we will explain the coordinated disclosure process, which was difficult since it impacted several vendors and some deployed libraries. The solution which was provided for the correction will be presented and compared to the best practice standards along with a discussion of the process of selecting the specific improvements.