[Note: I'm just passing on posts from sci.crypt. I've not confirmed this independently.
It appears that not every product which uses smart cards is secure - pt]

--------------------------------------------
From: [EMAIL PROTECTED] (Philippe Mestral)
Newsgroups: sci.crypt
Subject: I've tested the encryption system that comes with Acer laptops, and it's not pretty.
Date: 26 Mar 2002 05:48:36 -0800
Message-ID: <[EMAIL PROTECTED]>

Some Acer laptops come with a built-in smartcard reader and a file
encryption program called "Platinum Secure".

My company recently acquired two of them. I spent some time playing around
with that encryption system and came to the following conclusions:

- they use a basic XOR stream cipher.
- the keystream is always the same for any file, encrypted by any user
  on any of the two laptops I have.
- I was able to generate that keystream with a long enough binary file
  containing only 0 and encrypting it.
- I am now able to decrypt any file encrypted on either laptop without
  the smartcard.

I am no crypto expert. It is surprising to me that a manufacturer would
release such a badly designed product. It's even worse than providing no
security at all, because with this product the users *think* their files
are secure while they obviously aren't.

any thoughts/comments?

also, has anyone here already had this product in their hands?

could someone who has installed that program possibly create a text file,
put the string "test" in it, encrypt the file and send it to me at
[EMAIL PROTECTED] so that I can see whether the encrypted file looks like
mine or not? (they wouldn't use the same keystream for ALL their laptops
would they?)

thanks in advance.

------------------------------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Date: Tue, 26 Mar 2002 07:33:28 -0800
Message-ID: <a7q4ni$r77$[EMAIL PROTECTED]>

Joël Bourquard <[EMAIL PROTECTED]> wrote in message
news:3ca091af$[EMAIL PROTECTED]...
> "Philippe Mestral" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Some Acer laptops come with a built-in smartcard reader and a file
> > encryption program called "Platinum Secure".
> > [...]
> > - they use a basic XOR stream cipher.
> > - the keystream is always the same for any file, encrypted by any user
> > on any of the two laptops I have.
> > [...]
> > - I am now able to decrypt any file encrypted on either laptop without
> > the smartcard.
>
> Hi,
> I'm completely astonished by what you said.
> What I can't understand, is why they're using a smartcard.. unless they want
> people to BELIEVE that's secure.

Well, the keystreams might be different for different smartcards (not that
that would make it any more secure). Alternatively, they might put the
keystream generation program on the smartcard, in the vain hope that if
people can't look at it, they have a harder time cryptanalyzing it.

--
poncho

------------------------------------------------------------------
From: "Philippe Mestral" <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> <3ca091af$[EMAIL PROTECTED]> <a7q4ni$r77$[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Date: Tue, 26 Mar 2002 18:48:49 +0100

> > Well, the keystreams might be different for different smartcards (not that
> > that would make it any more secure). Alternatively, they might put the
> > keystream generation program on the smartcard, in the vain hope that if
> > people can't look at it, they have a harder time cryptanalyzing it.
>
> Oh yes, I assumed he did use two different smartcards with the two laptops..
> and that the keys were the same.
> Maybe he didn't.

I did.

-------------------------------------------------------------
From: "Philippe Mestral" <[EMAIL PROTECTED]>
Date: Tue, 26 Mar 2002 19:19:28 +0100
Message-ID: <3ca0ba42$0$24006$[EMAIL PROTECTED]>

"Joël Bourquard" <[EMAIL PROTECTED]> wrote in message
news:3ca091af$[EMAIL PROTECTED]...
> Hi,
> I'm completely astonished by what you said.
> What I can't understand, is why they're using a smartcard..
> unless they want people to BELIEVE that's secure.
>

apparently the card is used to store a unique ID which authenticates the
card owner. As several card owners can use the same pc and the encrypting
method and key are always the same, they had to find some sort of way to
tell what file was encrypted by what user.

A registry key contains information regarding encrypted files. For each
encrypted file, a string is added to the registry. Its name is the current
date concatenated to the encrypted file name, and its value corresponds to
the unique ID of the user who encrypted the file (plus the original file
extension, go figure).

When a request to decrypt an encrypted file is made, the program browses
the list of encrypted files in the registry. If it finds a file whose
date & time and name correspond, it then checks that the user who encrypted
that file corresponds to the one whose card is inserted in the reader. If
it does, the file is decrypted.

Incidentally, modifying the date and/or name of an encrypted file makes it
impossible to decrypt!! it is also impossible to exchange files between
machines, and if you back up your encrypted files on a CD or elsewhere,
re-install Windows (thus deleting the registry), and restore your saved
files, you will be unable to decrypt them!! also, you can easily decrypt
other users' files by replacing their ID by yours.

please note that I haven't been given any specifications by Acer regarding
this program. Everything I say comes from double-checked tests and
observations. I'm afraid I'm not far from the truth though...
--
the infamous registry key:

[HKEY_CLASSES_ROOT\EncryptFileInfo\ENCRYPT]
"14/03/2002 18:37:00100000"="Validy13160301txt"
"14/03/2002 18:38:0031"="Validy13160301txt"
"15/03/2002 11:05:40500000"="Validy13160301txt"
"15/03/2002 11:07:3769489"="Validy13160301zip"
"15/03/2002 11:12:1727056"="Validy13160301txt"
"15/03/2002 11:43:0010"="Validy13160301txt"
"15/03/2002 11:44:15100"="Validy13160301txt"
"15/03/2002 11:46:1530"="Validy13160301txt"
"15/03/2002 11:47:0826"="Validy13160301txt"
"15/03/2002 12:20:3127"="Validy13160301txt"
"15/03/2002 14:21:3327"="Validy13160301txt"
"15/03/2002 14:43:24100000"="Validy13160301txt"
"15/03/2002 14:43:59100000"="Validy13160301txt"

--------------------------------------------

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
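
Added example, not part of the forwarded posts: a black-box acceptance check for the flaw the first post reports, where the ciphertext of an all-zero file turns out to be the keystream for every other file. Both ciphers below are constructed toy stand-ins (not Platinum Secure's code), all names are hypothetical, and the check assumes any per-file header precedes the ciphertext body.

```python
import hashlib
import os

KEY = b"constructed-demo-key"  # constructed value, for this demo only


def _expand(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 over key || nonce || counter (demo only)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fixed_keystream_encrypt(plaintext: bytes) -> bytes:
    """Stand-in for the reported behaviour: the same keystream for every file."""
    return xor(plaintext, _expand(KEY, b"", len(plaintext)))


def per_file_nonce_encrypt(plaintext: bytes) -> bytes:
    """Contrast case: a fresh random nonce per file, stored as a 16-byte header."""
    nonce = os.urandom(16)
    return nonce + xor(plaintext, _expand(KEY, nonce, len(plaintext)))


def reuses_keystream(encrypt, size: int = 4096) -> bool:
    """True if the all-zero file's ciphertext decrypts a second, unrelated file."""
    zeros = bytes(size)          # XOR with zeros leaves the raw keystream
    probe = os.urandom(size)     # random known plaintext for the second file
    c_zero = encrypt(zeros)
    c_probe = encrypt(probe)
    # Compare only the last `size` bytes so a leading nonce/header is skipped.
    return xor(c_zero[-size:], c_probe[-size:]) == probe


if __name__ == "__main__":
    print("fixed keystream flagged:", reuses_keystream(fixed_keystream_encrypt))
    print("per-file nonce flagged: ", reuses_keystream(per_file_nonce_encrypt))
```

A product under evaluation passes only if `reuses_keystream` returns False for its encrypt operation, across users and machines as well as across files.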