Re: flavors of reptile lubricant, was Another Snake Oil Candidate

[Allen]

[EMAIL PROTECTED] wrote:

The below USB drive manufacture claims FIPS 140-2
certification.  Encryption is now required for USB
thumb drives used on DoD computer.   This one is
being used by the Military.

http://www.kanguru.com/kanguruusbflash.html


See:

http://csrc.nist.gov/cryptval/140-1/1401val2006.htm#682

Best,

Allen

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

RE: Another Snake Oil Candidate

[Russ Nelson]

Dave Korn writes:
 >   So by your exacting standards, PGP, gpg, openssh, in fact basically
 > _everything_ is snake oil.

No.  In fact Aram is saying nothing of interest.  Cryptography without
a threat model is like motherhood without apple pie.  Can't say that
enough times.  More generally, security without a threat model is by
definition going to fail.

-- 
--my blog is athttp://blog.russnelson.com   | People have strong opinions
Crynwr sells support for free software  | PGPok | about economics even though
521 Pleasant Valley Rd. | +1 315-323-1241   | they've never studied it.
Potsdam, NY 13676-3213  | Sheepdog  | Curious how that is!

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Another Snake Oil Candidate

[Russ Nelson]

Damien Miller writes:
 > It protects against the common threat model of lost/stolen USB keys.

Remember, crypto without a threat model is like cookies without
milk.

-- 
--my blog is athttp://blog.russnelson.com   | People have strong opinions
Crynwr sells support for free software  | PGPok | about economics even though
521 Pleasant Valley Rd. | +1 315-323-1241   | they've never studied it.
Potsdam, NY 13676-3213  | Sheepdog  | Curious how that is!

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

RE: Another Snake Oil Candidate

[lists]

On  12 Sep 2007 20:18:22 -0700, Aram Perez wrote:
> I don't about you, but when I hear terms like (please pardon my
> cynicism):

>   "with military grade AES encryption" - Hum, I'll have
> to ask NIST
> about that.

AES can be permitted for use in classified environments. See
http://csrc.nist.gov/CryptoToolkit/aes/CNSS15FS.pdf. And, yes, the DoD
does use AES in certain circumstances.

> > The encryption keys used to protect your data are generated
> > in hardware by a FIPS 140-2 compliant True Random Number
> 
> As opposed to a FIPS 140-2 compliant False Random Number Generator.

While I don't understand this quibble about standard terminology, I do
note that the IronKey language is somewhat misleading. There are no
FIPS-approved non-deterministic RNGs at this point, as all of the
FIPS-approved RNGs are deterministic (pseudo) RNGs. (See
http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf) It
is possible to use a non-deterministic RNG to seed a FIPS-approved PRNG,
but I don't know of anyone in the FIPS 140-2 world that claims doing so
makes the non-deterministic RNG "FIPS 140-2 compliant." 

(Also, if random data is utilized during key generation within a FIPS
140-2 module, then a FIPS-approved RNG must be utilized to generate that
data in order to meet FIPS 140-2 requirements. Since all the
FIPS-approved RNGs are PRNGs, a true RNG is not going to meet the FIPS
140-2 requirement here.)

Overall, colorful language and FIPS 140 hand-waving seem like the
marketing norm in the "security products that utilize crypto" world. I
think the language used by IronKey falls right in line with that, but I
don't get a sense of snake oil. Then again, I don't really care either.

-Andrew

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: flavors of reptile lubricant, was Another Snake Oil Candidate

[wangude]

The below USB drive manufacture claims FIPS 140-2
certification.  Encryption is now required for USB
thumb drives used on DoD computer.   This one is
being used by the Military.

http://www.kanguru.com/kanguruusbflash.html

Thomas

On 9/13/07, Ali, Saqib <[EMAIL PROTECTED]> wrote:
> On 13 Sep 2007 13:45:42 -, John Levine <[EMAIL PROTECTED]> wrote:
> > I always understood snake oil crypto to refer to products that were of
> > no value to anyone, e.g., products that claim to have secret
> > unbreakable encryption, million bit keys, or "one time pads" produced
> > by PRNGs.
> hear hear!
> I think in the zeal for criticism of the IronDrive, folks have
> expanded the definition of Snake Oil to include "All" security
> products.
> I don't like the "Military Grade AES Encryption" phrase that IronDrive
> uses on their website, cause that implies they know what Military is
> using. Maybe somebody should notify DoD that these IronDrive folks
> know what Military uses to encrypt info ;-)
>
> But other then that I don't see any Snake Oil Crypto like
> techno-babble used by IronDrive Marketing.
> saqib
> http://security-basics.blogspot.com/

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

RE: flavors of reptile lubricant, was Another Snake Oil Candidate

[Charles Jackson]

Well, I don't want to start a flame war (drop me a note offline if I'm
coming across as doing so), but I do want to respond to one point.  

Ali Saqib wrote:

> I don't like the "Military Grade AES Encryption" phrase that IronDrive
> uses on their website, cause that implies they know what Military is
> using. Maybe somebody should notify DoD that these IronDrive folks
> know what Military uses to encrypt info ;-)
>
> But other then that I don't see any Snake Oil Crypto like
> techno-babble used by IronDrive Marketing.

Similarly, Aram Perez objected to the use of "Military Grade" in the IronKey
promotional materials


However, according to those promotional materials IronKey uses AES-I think
AES-256 although I can't find a reference to 256-bit key use in the chip.  

According to Wikipedia the U.S. Department of Defense (NSA) has certified
AES for Type-1 applications in the U.S. government.  See also, CNSSP-15 and
http://www.nsa.gov/ia/industry/crypto_suite_b.cfm  A little exploring of the
net finds a number of documents that my browser says are housed on domains
ending in .mil that mention the use of AES-in particular for communications
between U.S. and coalition forces.  I think these facts qualify AES as
"military grade."  

Chuck Jackson


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: flavors of reptile lubricant, was Another Snake Oil Candidate

[Aram Perez]

Hi Folks,

My last comment on this. I've stated my own personal opinion and  
anyone is free to disagree.


On Sep 13, 2007, at 9:33 AM, Ali, Saqib wrote:


On 13 Sep 2007 13:45:42 -, John Levine <[EMAIL PROTECTED]> wrote:
I always understood snake oil crypto to refer to products that  
were of

no value to anyone, e.g., products that claim to have secret
unbreakable encryption, million bit keys, or "one time pads" produced
by PRNGs.


hear hear!

I think in the zeal for criticism of the IronDrive, folks have
expanded the definition of Snake Oil to include "All" security
products.

I don't like the "Military Grade AES Encryption" phrase that IronDrive
uses on their website, cause that implies they know what Military is
using. Maybe somebody should notify DoD that these IronDrive folks
know what Military uses to encrypt info ;-)

But other then that I don't see any Snake Oil Crypto like
techno-babble used by IronDrive Marketing.


I don't know if a product has to meet m of n criteria as stated in  
, but,  
IMO, IronKey meets the following criteria: Technobabble, Experienced  
Security Experts, "Military Grade" and to a certain extend  
Unbreakability (normally applied to software, but IronKey claims the  
epoxy prevents "criminals from getting to the internal hardware  
components").


Respectfully,
Aram Perez

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Another Snake Oil Candidate

[Hagai Bar-El]

Hi,

On 13/09/07 15:14, Ian G wrote:
> Hagai Bar-El wrote:
>> Hi,
>>
>> On 12/09/07 08:56, Aram Perez wrote:
>>> The IronKey appears to provide decent security while it is NOT plugged
>>> into a PC. But as soon as you plug it in and you have to enter a
>>> password to unlock it, the security level quickly drops. This would be
>>> the case even if they supported Mac OS or *nix.
>>>
>>> As I stated in my response to Jerry Leichter, in my opinion, their
>>> marketing department is selling snake oil.
>>
>> I think there is a difference between a product that is susceptible to
>> an attack and the pure distilled 100% natural snake oil, as we usually
>> define it.
> 
> 
> So, is snake oil:
> 
>* a crap product?
>* a fine product with weaknesses?
>* a marketing campaign that goes OTT?
>* a term used to slander the opposing security model?
>* an adjective that applies to any of the above?


Just like any term, it can have many interpretations.
However, the most useful definition is the one that you can find at
http://en.wikipedia.org/wiki/Snake_oil_(cryptography) and which quite
accurately reflects what the people who first brought this term into use
used it for.

Hagai.

-- 
Hagai Bar-El - Information Security Analyst
T/F: 972-8-9354152 Web: www.hbarel.com

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: flavors of reptile lubricant, was Another Snake Oil Candidate

[Ali, Saqib]

On 13 Sep 2007 13:45:42 -, John Levine <[EMAIL PROTECTED]> wrote:
> I always understood snake oil crypto to refer to products that were of
> no value to anyone, e.g., products that claim to have secret
> unbreakable encryption, million bit keys, or "one time pads" produced
> by PRNGs.

hear hear!

I think in the zeal for criticism of the IronDrive, folks have
expanded the definition of Snake Oil to include "All" security
products.

I don't like the "Military Grade AES Encryption" phrase that IronDrive
uses on their website, cause that implies they know what Military is
using. Maybe somebody should notify DoD that these IronDrive folks
know what Military uses to encrypt info ;-)

But other then that I don't see any Snake Oil Crypto like
techno-babble used by IronDrive Marketing.

saqib
http://security-basics.blogspot.com/

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: flavors of reptile lubricant, was Another Snake Oil Candidate

[John Levine]

I always understood snake oil crypto to refer to products that were of
no value to anyone, e.g., products that claim to have secret
unbreakable encryption, million bit keys, or "one time pads" produced
by PRNGs.

What we have here is something else, a product that is reasonable for
one kind of threat, physically losing it, oversold for a threat where
it's not, end to end security.

Seems to me that we need a different term for this category.  Of
course, given the nature of marketing departments, it may well
apply to all crypto products.

R's,
John


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

RE: Another Snake Oil Candidate

[Charles Jackson]

I looked at the Ironkey website and, although there is obviously a little
marketing-speak, my snake-oil and BS detectors do not go off.  Some of the
criticisms by Aram Perez appear to be somewhat unjustified.


Perez states:

"Protected by a password that is entered on whatever PC you plug the  
IronKey into and that is somehow auto-magically protected against all  
keylogging spyware that may exist on that PC."

Relevant Ironkey assertion in their FAQs:
A word of caution: if your computer is infected with a keystroke logger
before you purchase your IronKey, and if you initially enter your passwords
into your IronKey on the computer that is already infected with a keystroke
logger, then your passwords of course will be tracked by that keystroke
logger. For this reason, we recommend that you setup your IronKey and
initially enter your passwords into the Password Manager from a computer
that you control and that has anti-spyware and anti-virus software
installed. We recommend that you update your anti-spyware and anti-virus
definitions and run a sweep of your PC before setting up your IronKey.


Perez  also states: 
"They imply that you can use an IronKey with any PC and be completely safe."

Relevant Ironkey assertion in their FAQs:
If I get an IronKey, will I be 100% protected from malware?

No. The IronKey does not replace the need good security practices, such as
regular anti-virus and anti-spyware scans, not sharing passwords, and
avoiding websites that you do not trust. The IronKey does equip you to
further protect your data, identity, and privacy-an increasingly necessary
tool for today's security-minded consumer.

Additionally, new threats are constantly surfacing, so even today's best
solutions cannot guarantee "future-proof" protection. But since you have the
ability to securely update your IronKey, you can make sure you have the
latest and most secure software and firmware for maximum protection today
and tomorrow.


Chuck Jackson 


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Another Snake Oil Candidate

[Jeffrey Altman]

Damien Miller wrote:

> It protects against the common threat model of lost/stolen USB keys. Why is
> this snake oil? Your criticism seems akin to calling a physical lock insecure
> because it doesn't protect you from burglars once you have unlocked it.

Many many years ago an office that a startup I was working for was
burglarized by picking the lock on the office door.  They took a number
of computers.  The police recommended that we replace the locks with XYZ
super lock that could not be picked and we did so at significant expense
prior to replacing all of the computers.

Three or four weeks later the office was burglarized again.  They could
not pick the lock so they took a sledgehammer to the wall next to the
door, reached in unlocked the door from the inside and proceeded to go
about their business.

This wasn't a failure of the lock.  The lock did its job.

---

The product you are describing is not snake oil.  You have a valid gripe
that the product is not marketed along with a description of the attack
vectors it protects against and those that it does not.

Jeffrey Altman



smime.p7s
Description: S/MIME Cryptographic Signature

RE: Another Snake Oil Candidate

[Dave Korn]

On 13 September 2007 04:18, Aram Perez wrote:

>   "to circumvent keylogging spyware" - More on this later...

>   "The first time you plug it in, you initialize it with a password" -
> Oh, wait until I disable my keylogging spyware.
>   "You enter that password to unlock your secure files" - Did I
> disable my keyloggin spyware?
 
> Protected by a password that is entered on whatever PC you plug the
> IronKey into and that is somehow auto-magically protected against all
> keylogging spyware that may exist on that PC.

> "Decrypting your files is then as easy as dragging and dropping them
> onto the desktop" and by any malware that detects that the IronKey is
> present and has been unlocked and copies the files to a hidden folder.

  So by your exacting standards, PGP, gpg, openssh, in fact basically
_everything_ is snake oil.  Endpoint security is a real issue, but it's not
within the remit of this product to address.  I feel your complaint is
overblown.  Marketspeak alone doesn't make a product snakeoil, its security
has to actually be bogus too.


>>  Encryption Keys
>> 
>>  The encryption keys used to protect your data are generated
>>  in hardware by a FIPS 140-2 compliant True Random Number
> 
> As opposed to a FIPS 140-2 compliant False Random Number Generator.

  No, as opposed to a *Pseudo* Random Number Generator.  This is a really
silly thing to attempt to complain about; they're correctly using technical
terminology that you should be perfectly familiar with.


cheers,
  DaveK
-- 
Can't think of a witty .sigline today

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Another Snake Oil Candidate

[Ian G]

Hagai Bar-El wrote:

Hi,

On 12/09/07 08:56, Aram Perez wrote:

The IronKey appears to provide decent security while it is NOT plugged
into a PC. But as soon as you plug it in and you have to enter a
password to unlock it, the security level quickly drops. This would be
the case even if they supported Mac OS or *nix.

As I stated in my response to Jerry Leichter, in my opinion, their
marketing department is selling snake oil.


I think there is a difference between a product that is susceptible to
an attack and the pure distilled 100% natural snake oil, as we usually
define it.



So, is snake oil:

   * a crap product?
   * a fine product with weaknesses?
   * a marketing campaign that goes OTT?
   * a term used to slander the opposing security model?
   * an adjective that applies to any of the above?

iang

OTT == over-the-top, excessive and dangerous.  Derives from 
WW1 trench warfare.


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Another Snake Oil Candidate

[Aram Perez]

Hi Jerry,

I accidently sent this response in HTML last night which was bounced.  
So here it is again.


On Sep 11, 2007, at 2:18 PM, Leichter, Jerry wrote:

| The world's most secure USB Flash Drive: .

What makes you call it snake oil?  At least the URL you point to says
very reasonable things:  It uses AES, not some home-brew  
encryption; the

keys are stored internally; the case is physically protected, and has
some kind of tampering sensor that wipes the stored keys when  
attacked.


I don't about you, but when I hear terms like (please pardon my  
cynicism):


"with today's most advanced security technology"
"advanced Internet protection for securing your passwords and browsing"
	"with military grade AES encryption" - Hum, I'll have to ask NIST  
about that.
	"it initiates a self-destruct sequence" - Begin auto-destruct  
sequence, authorization Picard-four-seven-alpha-tango...
	"a harden version of Mozilla's Firefox browser" - Where can I  
download that version?

"to circumvent keylogging spyware" - More on this later...
"you can enable high speed, stealth browsing technology"
"for the ultimate data protection"
	"to prevent criminals from getting to the internal hardware  
components" - But not PhD graduate students...
	"this makes the IronKey not only tamper-proof but waterproof far  
beyond military standards" - Well I'm glad a Navy Seal can't break it.

"this gives you online and off-line protection for today and tomorrow"
	"While the underlying security technologies are complex" - Joe  
Customer is just too dumb to understand it.
	"The first time you plug it in, you initialize it with a password" -  
Oh, wait until I disable my keylogging spyware.
	"You enter that password to unlock your secure files" - Did I  
disable my keyloggin spyware?
	"The result of years of research and development by leading security  
and industry experts" - But not by marketing department...
	"With unparalleled security in the palm of your hand" - Imagine all  
that security in the palm of my hand!


Yes, the term "snake oil" comes to mind. And it's only $79 with "1  
Year of Internet Protection"!



In fact, they make some of the same points:

Your IronKey is literally packed with the latest and most
secure encryption technologies, all enabled by the powerful
onboard Cryptochip. Rather than employing "homegrown"
cryptographic algorithms that have not undergone rigorous
cryptoanalysis, IronKey follows industry best practices and
uses only well-established and thoroughly tested
cryptographic algorithms.

All of your data on the IronKey drive is encrypted in
hardware using AES CBC-mode encryption.


   1. Encryption Keys
   2. Always-On Encryption
   3. Two-Factor Authentication

Encryption Keys

The encryption keys used to protect your data are generated
in hardware by a FIPS 140-2 compliant True Random Number


As opposed to a FIPS 140-2 compliant False Random Number Generator.


Generator on the IronKey Cryptochip.  This ensures maximum
protection via the encryption ciphers. The keys are
generated in the Cryptochip when you initialize your
IronKey, and they never leave the secure hardware to be
placed in flash memory or on your computer.


Protected by a password that is entered on whatever PC you plug the  
IronKey into and that is somehow auto-magically protected against all  
keylogging spyware that may exist on that PC.




Always-On Encryption

Because your IronKey implements data encryption in the
hardware Cryptochip, all data written to your drive is
always encrypted. There is no way to accidentally turn it
off or for malware or criminals to disable it. Also, it runs
many times faster than software encryption, especially when
storing large files or using the on-board portable Firefox
browser.


"Decrypting your files is then as easy as dragging and dropping them  
onto the desktop" and by any malware that detects that the IronKey is  
present and has been unlocked and copies the files to a hidden folder.



Two-Factor Authentication

Beyond simply protecting the privacy of your data on the
IronKey flash drive, the IronKey Cryptochip incorporates
advanced Public Key Cryptography ciphers that allow you to
lock down your online IronKey account. That way you must
have your IronKey device, in addition to your password, to
access your online account. This highly complex process runs
behind the scenes, giving you state-of-the-art protection
from phishers, hackers and other online threats.

The management team lists some people who should know what they are
doing.  They have a FAQ which gives a fa

Re: Another Snake Oil Candidate

[William Arbaugh]

On Sep 12, 2007, at 1:56 AM, Aram Perez wrote:

The IronKey appears to provide decent security while it is NOT  
plugged into a PC. But as soon as you plug it in and you have to  
enter a password to unlock it, the security level quickly drops.  
This would be the case even if they supported Mac OS or *nix.




Yes- the IronKey like just about EVERY security product right now  
lacks a trusted path. However, they address this by suggesting that you:
	a. Use a "clean" PC to install your passwords into Mozilla's  
password manager, and

b. use the mozilla's password manager from the USB device.
This mitigates the lack of a trusted path between the user and the  
USB device.


Granted the average user can't discern a "clean" machine from a "non- 
clean" machine. But, I think they've addressed your issue as best  
they can.


The marketing is a bit over the top, but hardly snake oil.

Bill

p.s. I have no relationship with Ironkey.

As I stated in my response to Jerry Leichter, in my opinion, their  
marketing department is selling snake oil.


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Another Snake Oil Candidate

[Damien Miller]

On Tue, 11 Sep 2007, Aram Perez wrote:

> The IronKey appears to provide decent security while it is NOT plugged into a
> PC. But as soon as you plug it in and you have to enter a password to unlock
> it, the security level quickly drops. This would be the case even if they
> supported Mac OS or *nix.
> 
> As I stated in my response to Jerry Leichter, in my opinion, their marketing
> department is selling snake oil.

It protects against the common threat model of lost/stolen USB keys. Why is
this snake oil? Your criticism seems akin to calling a physical lock insecure
because it doesn't protect you from burglars once you have unlocked it.

-d

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Another Snake Oil Candidate

[Hagai Bar-El]

Hi,

On 12/09/07 08:56, Aram Perez wrote:
> The IronKey appears to provide decent security while it is NOT plugged
> into a PC. But as soon as you plug it in and you have to enter a
> password to unlock it, the security level quickly drops. This would be
> the case even if they supported Mac OS or *nix.
> 
> As I stated in my response to Jerry Leichter, in my opinion, their
> marketing department is selling snake oil.

I think there is a difference between a product that is susceptible to
an attack and the pure distilled 100% natural snake oil, as we usually
define it.

Indeed, the encrypted USB token is susceptible to sniffing of the
password on the PC where it is entered. But in my opinion this is not
the type of flaw that snake oils the product, because:

1. It's a limitation that also exists in the state of the art products
of its type. That is, nobody could ever do better (I think).
2. It therefore does not reflect complete lack of understanding on the
developer's side...

So perhaps it's not pure snake oil but just a product with an attack
vector; most products have at least one.

Actually, this product is (almost) the first one that I saw which
actually bothers to deal with the brute-force attack vector, which does
exist in many other similar products. So it's not perfect, and I would
certainly not bet my life on it, probably not even my life's data, but
it's reasonable.

Hagai.

-- 
Hagai Bar-El - Information Security Analyst
T/F: 972-8-9354152 Web: www.hbarel.com

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Another Snake Oil Candidate

[Aram Perez]

Hi Jon,

On Sep 11, 2007, at 5:35 PM, Jon Callas wrote:

I'm a beta-tester for it, and while I can understand a small twitch  
when they talk about "miltary" and "beyond military" levels of  
security, it is very cool.


It has hardware encryption and will erase itself if there are too  
many password failures. I consider that an issue, personally, but  
it appeals to people. The reason I consider it an issue is that I  
have had to use a brain-dead-simple password I'm not going to  
forget because if I get cute and need to try a number of things,  
poof, I'm dead.


Yeah, it's using AES CBC mode, but that's a good deal better than a  
lot of encrypted drives that are using ECB.


It also has their own little suite of Mozilla plus Tor and Privoxy  
for browsing and they've set it up so that you can run that on  
another computer from the drive.


It's not bad at all. My only real complaint is that it requires  
Windows.


The IronKey appears to provide decent security while it is NOT  
plugged into a PC. But as soon as you plug it in and you have to  
enter a password to unlock it, the security level quickly drops. This  
would be the case even if they supported Mac OS or *nix.


As I stated in my response to Jerry Leichter, in my opinion, their  
marketing department is selling snake oil.


Regards,
Aram

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Another Snake Oil Candidate

[Jon Callas]

I'm a beta-tester for it, and while I can understand a small twitch  
when they talk about "miltary" and "beyond military" levels of  
security, it is very cool.


It has hardware encryption and will erase itself if there are too  
many password failures. I consider that an issue, personally, but it  
appeals to people. The reason I consider it an issue is that I have  
had to use a brain-dead-simple password I'm not going to forget  
because if I get cute and need to try a number of things, poof, I'm  
dead.


Yeah, it's using AES CBC mode, but that's a good deal better than a  
lot of encrypted drives that are using ECB.


It also has their own little suite of Mozilla plus Tor and Privoxy  
for browsing and they've set it up so that you can run that on  
another computer from the drive.


It's not bad at all. My only real complaint is that it requires Windows.

Jon

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Another Snake Oil Candidate

[Leichter, Jerry]

| The world's most secure USB Flash Drive: .
What makes you call it snake oil?  At least the URL you point to says
very reasonable things:  It uses AES, not some home-brew encryption; the
keys are stored internally; the case is physically protected, and has
some kind of tampering sensor that wipes the stored keys when attacked.
In fact, they make some of the same points:

Your IronKey is literally packed with the latest and most
secure encryption technologies, all enabled by the powerful
onboard Cryptochip. Rather than employing "homegrown"
cryptographic algorithms that have not undergone rigorous
cryptoanalysis, IronKey follows industry best practices and
uses only well-established and thoroughly tested
cryptographic algorithms.

All of your data on the IronKey drive is encrypted in
hardware using AES CBC-mode encryption.


   1. Encryption Keys
   2. Always-On Encryption
   3. Two-Factor Authentication

Encryption Keys

The encryption keys used to protect your data are generated
in hardware by a FIPS 140-2 compliant True Random Number
Generator on the IronKey Cryptochip.  This ensures maximum
protection via the encryption ciphers. The keys are
generated in the Cryptochip when you initialize your
IronKey, and they never leave the secure hardware to be
placed in flash memory or on your computer.

Always-On Encryption

Because your IronKey implements data encryption in the
hardware Cryptochip, all data written to your drive is
always encrypted. There is no way to accidentally turn it
off or for malware or criminals to disable it. Also, it runs
many times faster than software encryption, especially when
storing large files or using the on-board portable Firefox
browser.

Two-Factor Authentication

Beyond simply protecting the privacy of your data on the
IronKey flash drive, the IronKey Cryptochip incorporates
advanced Public Key Cryptography ciphers that allow you to
lock down your online IronKey account. That way you must
have your IronKey device, in addition to your password, to
access your online account. This highly complex process runs
behind the scenes, giving you state-of-the-art protection
from phishers, hackers and other online threats.

The management team lists some people who should know what they are
doing.  They have a FAQ which gives a fair amount of detail about
what they do.

I have nothing at all to do with this company - this is the first I've
heard of them - but it's hardly advancing the state of security if
even those who seem to be trying to do the right thing get tarred as
delivering snake-oil.

If you know something beyond the publicly-available information about
the company, let's hear it.  Otherwise, you owe them an apology -
whether they actually do live up to their own web site or not.

-- Jerry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Another Snake Oil Candidate

[Ali, Saqib]

On 9/11/07, Aram Perez <[EMAIL PROTECTED]> wrote:
> The world's most secure USB Flash Drive: .

you didn't explain why it is a "Snake Oil" Candidate..

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Another Snake Oil Candidate

[Aram Perez]

The world's most secure USB Flash Drive: .

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]