EncryptStick

Has anyone taken this for a test drive yet Won't accept my SD card as a flash drive

Offers both Free/Paid versions with the free version having some limitations. Can create encrypted vaults on both the flash drive and computers with the encryption tied to that particular flash drive which needs to be inserted first and then the password entered before access to the vault(s) is granted. Any comments on their encryption??

Homepage - http://encryptstick.com/

 

It's in one's best interest to shy away from this product, as it incorporates Bernd Röellgen's proprietary polymorphic encryption. Given that Mr. Röellgen is touted as "one of the foremost experts in the field of cryptography," along with the boast that his polymorphic offering is the "world's strongest encryption algorithm," you'd think there'd be an academic paper that clearly states, with mathematical proofs, its resistance to specific cryptanalytical attacks. This is the way cryptographers propose new cryptographic primitives, after all. On the contrary, there isn't such a paper, and you'll be hard-pressed to find any academic papers on cryptography by Mr. Röellgen at all. The entire presentation of his methodologies lacks in both sense and convention.

I shared dialogue with Mr. Röellgen nearly eight years ago, and while I feel he means well, I'm not, in the slightest bit, convinced that he possesses the cryptographic competence required to design cryptographic primitives. Not even close. As such, deploying his methodologies in a real-world setting seems rather antithetical to state-of-the-art best [cryptographic] practice. Trying to ad hoc the implementation of a non-standard, overly-complex, and largely-unknown is the most counterproductive and fruitless risk one could take, and one that I can't see any justification for, in an arena where cryptography falls apart because of the implementation, not the mathematics. Stick with standards; going against the grain doesn't pay in this field.

 

Thanks Justin - very informative!

 

I've shared a dialog with Mr. Troutman years ago. Here's the link:
http://www.security-forums.com/viewtopic.php?p=69206

At the time I was amazed how a human being could possibly post 1223 comments (or replies) within less than 8 months! That's more than 5 posts per day! The only logical explanation for this is that he's got a number of ghost writers and that these people get paid for their work!

Comments that are intended to take somebody apart without going into details are easy to write: ".. I'm not, in the slightest bit, convinced that he possesses the cryptographic competence required to design cryptographic primitives. Not even close."

Ok, was the Enigma properly designed? Without any doubt: NO.
Was DES well designed? Hmm... declared unbreakable in 1977 and being broken in 1997 .. hmm... NO.
Does the military use AES? No idea, but I guess not.

Only by taking history into account, the likelihood is high that it is possible to improve encryption algorithms that are available to the public. But there seems to be little interest in doing this in "Ghost Writer City".

 

Oh, and sorry -- no ghost writers. Doesn't make a whole lot of sense. I try to stay active in discussion amongst the users and developers of cryptographic products. That seems reasonable to me.

As I mentioned before, I believe you mean well, but when a presentation is filled with marketing drivel, anti-AES campaigning, head-scratching misinformation, and incoherent technical documentation that fails to capture any modern cryptographic goals (i.e., IND-CPA, IND-CCA2), it's only fair that we're frank in our criticism, such that potential consumers won't be misled into thinking that this is world-renowned, best-in-class cryptography, when reality shows that it, along with its inventor, are relatively unheard of in the cryptographic community. There's no evidence of the etiquette that you'd expect from cryptographers proposing new cryptographic primitives. There's absolutely nothing wrong with proposing new cryptography, but the method of presentation needs a complete overhaul.

I've been diligent in efforts towards making the implementation of cryptography easier to get right, which is, in the real world, a much bigger issue than designing stronger cryptographic primitives.

I'm genuinely interested in learning more about how your theory fares under the establish cryptographic models we have today, and I hope we can partake in such a discussion. Please accept this as a cordial invitation, with the understanding that any criticism is aimed at the theory in question, as well as the cryptographic know-how of the author of that theory. Nothing against personal character.

 

Further discussions here is just fine by me guys

 

I must admit that I'm slow. I'll never be able to make five posts per day. I try to do more useful things in my life than writing posts in forums.
Mr. Troutman, I honestly agree with you that implementation issues are of primary concern: A nice man showed me this today:
http://www.lostpassword.com/hdd-decryption.htm

No idea if this is head-scratching misinformation, but it could be the case that your modern cryptographic goals are just as important as the classic ones in this field. The question is: Who pays people who write disk encryption software (with pre-boot functionality!) that is totally free of charge?

It's nice that you claim to be interested in learning more about Polymorphic Encryption. As your snotty attitude leaves little room for unbiased discussions, I've decided to choose a method that leaves NO room for ANY prejudice and arrogance:

Do you think that you and/or your friends can break any symmetric cipher that utilizes passwords of 56 bit length at maximum? This is where DES has failed completely. DES was broken in 1997 (and later in 1999 it took less than a day for Brute Force to break any message and password).
As anti-AES campaigning is no choice for you, you will have to answer with "YES".
AES has a short key setup time and can be executed in parallel on modern graphics boards. Without any doubt you will agree.
Can AES be implemented on an 8'' wafer with at least 1 million blocks that can all operate in parallel? Without any doubt you will agree.
Can each of these 1 million blocks run at approx. 2GHz (e.g. with Fluorinert cooling)? Without any doubt you will agree.
As a matter of consequence, is 2^56 in reach? Again without any doubt you will (have to) agree. This is the maths: 2^20 AES blocks * 2^20 key combinations per second * 1 wafer * 2^16 seconds yields 2^56 key combinations (within 65536 seconds). A day has 86400 seconds. Within 19 hours, a code-breaking machine consisting of a single silicon wafer can do the job. Without any doubt you will agree.
This is not anti-AES campaigning. This is THE TRUTH and there is nothing wrong about that.

Please don't be so stupid to say that "Brute Force Attacks" are no issue. They clearly are. DES is the vivid proof. DES was so phantastically unbreakable that even a private organisation was able to do so. I somehow remember the investment to be around $200.000.
What would you say if I gave you the chance to break my latest cipher with the length of the keyphrase (or password) limited to 56 bit?
Hmm... you'll probably say "this is ********".
It isn't. I remember the "40 bit export limit" imposed by the U.S. government years ago very well. What if even 40 bit were out of reach for professional hackers with (almost) unlimited resources today?
This is a no-brainer! Such a cipher would be cool ! You might argue that bit sizes are of little interest. But why was there a 40 bit limitation in place?

What if I gave you the chance to break a 40 bit password with my latest Polymorphic Cipher within one week? The problem looks like being 65535 times smaller than breaking DES with Brute Force more than 10 years ago. Looks fair to me.

Do you accept this unique offer or do you prefer to make fun of my methods of presentation? Let's leave religion away. Nobody has the monopoly for the truth.
I'm sure that most readers of my post think that I must be pretty stupid to offer such a challenge. We'll see.

 

It's cake for those who can type fast -- considering most posts aren't that long anyhow.

That's good. As do most. However, being active amongst security consumers is important -- especially when you have hefty marketing claims to substantiate.

I haven't looked into the product referenced by that link, but I think we can agree that otherwise kosher cryptographic innards can quite easily be undermined by poor implementation and an insecure operating environment.

It's unfortunate that you've taken my criticism personally. I question only the cryptographic aspects of your approach to design and presentation, and your ability to do either. In a field like this, you've got to be frank. I'm genuinely curious about your motivations, and how you justify your unorthodox approach to cryptography.

In other words, why wouldn't I want to use a completely open standard, such as the AES, guided by best practice for encryption and authentication (e.g., IND-CCA2 /\ INT-CTXT), as agreed upon by the lion's share of the cryptographic community, instead of a patented algorithm for which there is no public analysis -- yet is the "world's strongest encryption algorithm" -- designed by someone with little to no published work -- yet is the "one of the foremost experts in the field of cryptography?"

See the cause for skepticism here? How would you go about addressing it? I'm willing to communicate amicably. I would appreciate that same courtesy.

Are you talking about using the AES with a 56-bit key?

With conservative key lengths -- which is what we'd use in practice -- this is probably the biggest non-issue in real-world cryptography.

I do not accept.

Please, do not mistake criticism for making fun. Presentation is one's first impression of another's ability.

 

Ok, Mr. Troutman, I agree that it's good to be frank:

You more than less belong to extorque.com. Right? I think that you ARE extorque.com.
You've written this paper here in 2007:
http://www.extorque.com/files/bitlocker.pdf

Right?

The link that I gave you yesterday (http://www.lostpassword.com/hdd-decryption.htm) addresses an inherent weakness of two popular encryption products.
These guys write: ".. Passware Kit scans the physical memory image file (acquired while the encrypted BitLocker or TrueCrypt disk was mounted, even if the target computer was locked), extracts all the encryption keys, and decrypts the given volume".

Ouch! I begin to understand why you don't want to have a closer look at Passware Kit! The truth might be pretty embarrassing!

I haven't tried that software, but I'm beginning to admire these folks. They pretend that they are able to break important competitor products. If this is true, then these people are great!
Alternatively they could intercept the mounting process: http://www.pmc-ciphers.com/eng/content/TurboCrypt/Mount-Control-Code-Attack.html

Could it be that users out there are listening to the wrong people?
Could it be that they should listen more carefully to people who have not attented "cipher etiquette courses"?


To the "break PMC with 40 bit password limit" challenge:
My offer is (IT STILL IS) to break a freakin' 40 bit password. The problem is, generally speaking, 1/65536 times as difficult as breaking DES by using the Brute Force Attack. Should be manageable these days. A single Intel Pentium IV running at 3GHz should do this within a day or so.
In my offer I clearly have to take into account that an entire university or even some government agency makes all of their computing power available to you. How can I know what resources are at your disposition?
That's why one week must be sufficient. Sure you need the complete source code. Peer review is more important than anything else.

This truly is a very fair offer. Looks like Kamikaze to most folks out there, but in fact it isn't.

The truth is this:
You surely know exactly that I'm operating with block sizes of (currently) up to 256 megabyte. The info is publically available here: www.pmc-ciphers.com and in a press release (http://www.pressebox.de/pressemeldungen/global-ip-telecommunications-ltd/boxid/369882). I'm sure that you've already visited www.pmc-ciphers.com.
AES has a fixed block size of 128 bit. If my test file is e.g. 1.954.320 bits long, then block length is exactly 1.954.320 bits. The cipher takes advantage of a huge S-box. I've once thought to myself, why only 128 bit? Why not 1.600 bit or 12.800 bit or any other number?
To set up such a cipher consumes CPU time and RAM. Plenty of RAM and plenty of CPU time - inevitably! It takes much longer than a week to break a very short password, even if the problem appears to be more than simple. You are a clever guy and you know exactly why you've declined my offer.

My ideas are clearly getting noticed. Things take time as can be seen here and today.
Users might notice that TurboCrypt, which I'm the author of, is not on the list of disk encryption products for which passwords can be intercepted by Passware Kit. Maybe it's pure chance, but maybe the product is difficult to break? We've distributed over 4 million copies so far and the product is out there for 6 or 7 years. So TurboCrypt is for sure a possible target and - without the slightest doubt - more difficult to break than those products that can apparently be broken with Passware Kit.

As a matter of logic, this clearly speaks for the author.

 

Take a few moments to read the paper; by doing so, you'll discover that it's about the cryptographic design decisions behind BitLocker -- that being, the risky, but calculated move to build a specialized diffuser algorithm (i.e., Elephant) to work in tandem with AES-CBC, in order to buy as much poor man's authentication as possible, due to constraints that prevented a proper MAC.

That, and quoting myself from the paper:

No need for embarrassment, really. All of the attacks that have surfaced for disk encryption products lately are fascinating, and a big deal. However, my paper is about something entirely different -- therefore, unaffected. But, then again, you have to be prepared to have your work made obsolete in a field like this.

If you have a group of seasoned cryptographers from all over, who, despite differing opinion, are a part of, fundamentally, the same school of thought on best practice -- that is, use open standards, following Kerckhoffs Principle and Shannon's Maxim -- wouldn't it make more sense to follow their advice, as opposed to an individual who's touting something against the grain of established convention, with hefty marketing claims and very little in the way of published analyses? This is a genuine question.

Proposing new cryptography shouldn't sound like a sales pitch -- especially when you, and your theory, haven't much of a public track record. You would probably be more well-received, and taken more seriously, if you polish your presentation. If you take a look at most academic papers introducing new cryptography, you'll see that there's a very good reason for this format, as well as the etiquette surrounding an algorithm's life cycle, from proposal, to anaylsis, to acceptance, to product. This is a genuine suggestion.

Have any well-known cryptographers shared their thoughts on your work? If so, could you share their names and their remarks? This might be useful in others building confidence in your work. As it stands, there's a gigantic risk in using your algorithm. It's a complex design that essentially no one really knows anything about; given that our concern should be at the implementation level, this is a terrible trade-off. How do you alleviate this?

Cheers!

 

Ouch, once again!
Looks like "doing things like a cryptographer" doesn't help folks like you when designing a disk encryption product!

Why? Easy answer: AES causes trouble when it comes to concealing the Internal State (and, yes, it's again AES, Twofish, DES, Blowfish, etc that stand out!):
struct aes_context
{
int nr; // number of rounds
uint32 erk[64]; // encryption round keys
uint32 drk[64]; // decryption round keys
};

The context is exactly 516 bytes long. 512 of them look pretty much random after key setup. If you've ever made a memory dump, then you'll know that this particular chunk of memory can even be spotted from outer space.
Even worse: keys are typically cached and transmitted to the encryption driver IN THE CLEAR!

TurboCrypt does it a bit better: Distributed and huge crypto context + Diffie-Hellman key exchange with the encryption driver. There's no 100% security if one cannot trust the Operating System, but at least we implemented things better.

Well, you fail when it comes to looking back to your work three years ago. I was clearly able to show that.
You also fail when it comes to breaking a substantially reduced implementation of my latest cipher. It's nice that you don't even give it a try. That's practical as I don't have to wait a week.

So I even have a solution for this here:
http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#draft-ei
"United States of America.. Export Administration Regulations (EAR)..
.. This provision was changed in December 1998, when all 56-bit crypto was released for export after a one-time review, with no requirement of data recovery."
You probably have no idea of how cool this is! Oh, yes, this is also marketing. Even you do marketing. All the time. Believe me.

Peer review: Good that you ask!
Of course you cannot know that the Key Laboratory of Computer Network and Information Security of Xidian University, Xi'an 710071, People's Republic of China is conducting research on Polymorphic Ciphers. The work is supported by the National Laboratory for Modern Communications Foundation of China under Grant No. 51436030105DZ0105, the National Natural Science Foundation of China under Grant No.60473029 (previously stated Grant No.: 60273084) as well as the Open Foundation of Beijing Institute of Electronic Science and Technology.
I don't like that, because encryption technologies are highly illegal in China. Only the government is allowed to do that. Guess for which purpose..
Of course I have declined to do any work for them.

So there's already derivative work available. We have no insight. Not much is publically available, of course. I guess that the NSA won't publish their results in the Washington Post or have I missed something?

I wanted to take advantage to draw everyone's attention to the block size issue once again:
Imagine that you have a photo of someone and the JPEG file shall be 250.119 bytes in size. The latest Polmorphic Block Cipher creates an S-Box with exactly 250.119 byte size and encrypts it so that each and every bit in the ciphertext depends on each and every bit in the plaintext. If only one bit in the plaintext changes it's state, then 50% of the bits in the ciphertext change. This cipher thus satisfies the Strict Avalanche Criterion perfectly. Common practice would surely be the use of AES-CBC. If one of the lasts bits in the JPEG file changed it's state, only all following blocks would be affected in the ciphertext. AES in CBC mode (or any othr mode) won't do it.
Padding is as well necessary.

The old marketing rule that 10% early adopters are followed by the remaining 90% will prove to be valid in this case as well.

I guess it's best to finish this thread. Ok, maybe some of the usual "no competence, no resistance to specific cryptanalytical attacks" bla bla will follow. That's crap. I've dropped my trousers to an extent that nobody with brains would ever do with AES or DES or likewise.
For me the risk was quite low. Isn't that called "progress"?

 

Kindly, sir, you weren't, because my work was regarding the notions of confidentiality and integrity, and BitLocker's response to those notions with their AES-CBC+Elephant design, and the resulting better-than-nothing "poor man's authentication" it provides. This is a matter of data granularity, and how it affects adversarial manipulation; these attacks are not in regards to the cryptographic security of AES-CBC+Elephant. My point was that they made commendable cryptographic design decisions; obviously, real-world cryptographic implementations fail most often because of non-cryptographic decisions, which is the case here.

I'm sorry. I imagine I won't be the first. I won't even boast that I could, but there's little incentive in focusing resources on a non-target.

I agree. While I think prematurely disseminating your work on the back of whale-sized marketing claims is a disservice, I wish you fruitful cryptographic endeavors. Thank you for the discussion.

By the way, on your site, in a response to Bruce Schneier's commentary on your work, you state that the "AES is only approved for encrypting unclassified information!" You do know this is false, right, and that it's actually approved for classified information at the SECRET (AES-12 and TOP SECRET (AES-256) levels?

 

Justin, Thanks for taking the high road in this thread. Clearly, the poster is out of the mainstream and is lashing out for not being taken seriously. For anyone who chooses to read through this thread, I'm sure most will arrive at my conclusion: this guy has ZERO credibility.

 

Controversy is actually pretty helpful!
Would be rather dull if everybody had the same opinion.

In contrast to the "believers fraction" I'm constantly providing proofs in this (obviously ongoing) discussion:
AES and what it is good for: Here's the spec.:
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

and here's the part that is of interest:
"6. Applicability. This standard may be used by Federal departments and agencies when an agency determines that sensitive (unclassified) information (as defined in P. L. 100-235) requires cryptographic protection.
Other FIPS-approved cryptographic algorithms may be used in addition to, or in lieu of, this standard. Federal agencies or departments that use cryptographic devices for protecting classified information can use those devices for protecting sensitive (unclassified) information in lieu of
this standard.
In addition, this standard may be adopted and used by non-Federal Government organizations. Such use is encouraged when it provides the desired security for commercial and private organizations."

hmmm.. "sensitive (unclassified) information" is not strictly TOP SECRET. My English cannot be that poor! Are you really telling the truth to our readers?

Ok, you might come up with this here:
http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
But even on that page they link to:
".. See FIPS PUB 197 at the National Institute of Standards and Technology, FIPS Publications listing (http://csrc.nist.gov/publications/PubsFIPS.html)."
And when you click at FIPS-197 there, you're right at the document that I've referenced on top of this post.


On the web page at "http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml" there's something interesting:
"Another suite of NSA cryptography, Suite A, contains some classified algorithms that will not be released. Suite A will be used for the protection of some categories of especially sensitive information."

Ok, this will be good for the TOP SECRET stuff, I suppose.


My interpretation is that Suite B must be intended for use with rather unreliable sources with whom one would probably not want to share "Suite A Cryptography", but all kinds of (most certainly inbound) information. Pretty logical as this solves an obvious dilemma that is certainly common for an espionage agency.

See, any time you write something, I'm pretty good in taking that apart to quite an extent. AND I DISCLOSE MY SOURCES!

Really, advertising like this is good! Thank you very much!

You even point me to something that goes beyond Suite B stuff:
Who wants to go for second or third choice when there's the real good stuff out there?

I'd be interested to learn more about such a Class A cipher. You as well, right?
I somehow have the notion that you have no insight in this. Right?

 

I hope I don't offend if I try to streamline this discussion for the rest of us who are trying to follow along.

The 2001 FIPS publication BT links to announces the AES (Advanced Encryption Standard.) FIPS are U.S. information processing standards, in this case used for computer information. And here, we're obviously dealing with encryption standards. Section 6 of the FIPS document discusses AES applicability. BR has quoted the relevant section above.

However, JT points out to NSA's overview on Suite B cryptography.

Suite B Cryptography builds on the National Policy on the use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information. See (CNSSP-15)

Here's NSA's overview of Suite B:

AES with 128-bit keys provides adequate protection for classified information up to the SECRET level. Similarly, ECDH and ECDSA using the 256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 provide adequate protection for classified information up to the SECRET level. During the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.

AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384 are required to protect classified information at the TOP SECRET level. Since some products approved to protect classified information up to the TOP SECRET level will only contain algorithms with these parameters, algorithm interoperability between various products can only be guaranteed by having these parameters as options.

And here's an overview on CNSSP-15, which indicates that 192 & 256 bit AES can be used for up to Top Secret information.

http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2006-03/E_Barker-March2006-ISPAB.pdf

This is vast simplification of this particular aspect of their discussion, so I hope its not misleading.

 

@ nix: You stick to facts, make your sources of information available... it's a pleasure to read your post. Thank you very very much!

 

Thanks, nix. It was kind of you to take the time to break things down. Cheers!

 

Yes. Cheers to you. Just contributing some background sources. I'll wait for the next installment, though.

 

In security it is always best to choose well tested and reviewed ciphers other than going for something new, I think most if not all cryptographers will agree with that.

I see no reason at all to secure my very important data with this polymorphic algorithm that has not been widely reviewed and tested like AES has. It might be as secure, I don't know about that, but I know that most experts in the field have found AES to be good enough for the job and I am not willing to take risks with something I heard very little about when I already have something that works.

 

I respect Everyones views on this, but let's be fair. Just because someone does something in a new or unconventional manner, doesn't auotmatically mean it's ****

Of course it might be, i wouldn't have a clue if it is or isn't, nor would 99.99999% of others either

Unless someone actually independently tests it Properly who Really knows what they are doing, we'll never know for sure. And if it turns out to be good etc then If not so be it, lessons learned All round !

At least give people a break