Bruce Schneier posted today about the cracking of a FIPS certified encrypted USB key. The attack from the original article:
“During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations — and this is the case for all USB Flash drives of this type.”
Bruce calls out that “FIPS 104-2 Level 2 certification only means that certain good algorithms are used, and that there is some level of tamper resistance and tamper evidence.”
Does it really matter that these USB keys have been cracked? The reason I ask is that everyone cares so much about the Cloud and having their data secured in the Cloud that it seems like securing removable media is taking a back seat. If the person who has the encrypted USB key also copies their files to the Cloud will they care that the USB is crackable or will they focus on how to protect that data in the Cloud.
