Competing Products Contain Serious Flaw - SafeStick Not Affected

Posted by Anders Pettersson on Wednesday, January 6, 2010 · Leave a Comment 

SECURITY ANNOUNCEMENT - SAFESTICK NOT AFFECTED

A flaw has been found in competing products to SafeStick. SafeStick does not contain this flaw.
The flaw exposed by the independent penetration testing firm SySS enables any user to access the unencrypted data quickly on all shipped drives from select competitors without the required password.

BlockMaster issues this statement to clearly inform customers and partners that this is not a flaw found in any version of SafeStick.

This is in short how SafeStick works in this aspect (in contrary to the flawed drives)

  • The user password is verified within the SafeStick hardware device.
  • The password set by the user is what gives access to information stored on SafeStick.

SafeStick password and key procedure in more detail

  • Password verification is performed onboard the SafeStick device.
  • The SafeStick brute-force protection is also operated within the hardware controller.
  • The password entered by the user is hashed in the SafeStick computer host software using MD5.
  • The unique password string enters the SafeStick BM9930 hardware controller through a private channel over USB.
  • The hashed password string is hashed ones more (SHA256) in firmware onboard the SafeStick device.
  • The dually hashed password is used to access the hardware encrypted cryptographic keys created with the random number generator (ANSI X9.31 RNG) onboard SafeStick.
  • The unique cryptographic keys are used to encrypt all user stored information with AES256-CBC.
  • The SafeStick hardware is fully epoxy encapsulated.

Filed under Security · Tagged with

Comments are closed.