Recently I wrote an article about how Trust can be a security risk in one’s environment; today I will expand on that further. On the 4th of January H-Online  reported a story where security firm SySS managed to get around the security of some USB drives and access the data without needing to break the cryptography involved. The closing argument that we will be tackling in the article by H-Online is, how could these devices, whose security could so easily be broken, been given the FIPS 140-2 Level 2 Certification?

The reason why these USB drives were given this certification is because they were compliant and still are. Certification claims one thing and one thing alone – that whatever they certify complies with what the certification is all about. In case of FIPS 140-2 in order to achieve level 2 compliance all a USB drive needed were 2 things.

  • Requirement to achieve level 1 consisted of the USB drive to use one of the certified cryptographic algorithms, which in this case they did since the algorithm used was AES 256 bit.
  • Requirements for Level 2 were compliance with level 1 and physical security for the device. Tamper proof seals or at least notification when physical tampering occurred.

The flaw discovered by SySS was that after entering a password which was validated using a number of cryptographical algorithms, the program would always send the same sequence of bytes, irrespective of the password, to unlock the drive. Obviously none of this has anything to do with FIPS 140-2 level 2 certification.

That being said just because the FIPS certification is not stating anything false even in light of this security flaw there is still a huge problem. When people decide to buy a secure USB drive it is quite safe to assume that they will first look at the certifications it has been given. FIPS 140-2 is the certification that government agencies use to decide on product applicability. What people will think when seeing a USB drive certified with such a certification is that if this is good enough for the government it will certainly be good for them. Very few people will stop to see what a FIPS 140-2 Level 2 certification really means. Even if people do check out what FIPS 140-2 level 2 is all about, it is unlikely that a person who is not into security will realize which parts have been tested and found compliant and which parts have had no actual oversight whatsoever. Finally even people in security who might ask these questions have no way of knowing how such a device really works by just looking at it! How is one supposed to know that this device is unlocked with a byte sequence that remains constant no matter what passwords are used?

The answer is that obviously you cannot. One has to TRUST that the certification process is enough to protect you. The same problem or possibly worse is with devices that have no certification because here you need to believe that the vendor tested the product well enough before shipping it with no independent oversight.  So what is one to do? The answer is never trust a device or system to be secure. This not to say that there is no need to buy a secure USB drive, it simply means do not trust that your data is completely safe because it is being stored on a USB drive which has certified encryption. If that USB drive is stolen, in most cases whoever stole it will not be able to gain access however there is no real guarantee of that.

These same arguments don’t apply solely to USB drives; they apply to any device and any certification. No certification claims that no matter what happens you’re safe with the certified device and this is an important point to keep in mind. If the certified device will be used in critical capacity it is essential that the first step in choosing such a device should be researching the certifications in question. Get familiar with what each one is claiming and look for devices that attain the requirements you seek. However keep in mind that no certification covers everything and tests everything. Risk can only be minimized never entirely eliminated. Remember there is no such thing as total security.

In closing, security is a process. Each element you add to it will reduce the risk on a certain front. The biggest danger to this however is when a new added element seems so strong and reduces the risk so much that it makes the user neglect other parts, mistakenly thinking that this new element is enough to mitigate all other risks. This is never the case and it is essential to remember that one only needs to break the weak link to get through, and not the whole security echo system.