SPYRUS Responds to Recent Reports of Hacked USB Encryption Drives
SPYRUS USB Encryption Drives Are Absolutely Invulnerable to Such Attacks
San Jose, Calif. January 11, 2010 In response to widely circulated reports regarding a serious vulnerability in certain USB encryption drives, SPYRUS, Inc. today has confirmed that the entire SPYRUS line of Hydra PC USB encryption drives is absolutely invulnerable to the flaw described in the reports. Since 1997, SPYRUS has been making the most secure military-grade commercial encryption flash drives in the world.
On December 18th, researchers at the German firm SySS GmbH published a penetrating analysis (http://www.syss.de/index.php?id=veroeffentlichungen&no_cache=1&L=1) of the flaws inherent in several vendors’ Enterprise-grade USB encryption drives. The reported vulnerability focused on the use of a simplistic challenge response authentication method which employs a fixed/constant value which, once known, can be used by a hacker to bypass protection. This is in direct violation of sound security practices.
The entire line of SPYRUS Hydra PC USB encryption drives are invulnerable to such attacks because no password authentication values or keys are ever stored on Hydra PC devices after logoff or removal. Unlike any competing USB encryption drive, the Hydra PC reconstitutes a Master Key Encryption Key at logon using a FIPS-approved Key Derivation Function which utilizes, at a minimum, an Elliptic Curve Diffie-Hellman (ECDH) public/private key pair unique to the device and a random, secret 256-bit salt value together with a SHA-256 hash of the user’s password. The secret salt value and all other cryptographic computations are securely bound within the FIPS 140-2 epoxy-encased cryptographic hardware rather than in host system software. Therefore it is not computationally feasible to mount an offline attack against the PIN/password. SPYRUS has the only USB encryption drive that provides such a robust authentication process to protect access to the data encrypted on the device.
SPYRUS has specialized in portable, Government-approved commercial hardware-based encryption devices for more than 15 years. SPYRUS was the first company to merge hardware encryption with flash, the first to implement the full set of Suite B cryptographic algorithms, and the first and only company to support both hardware-based file encryption and sector-based encryption.
All Hydra PC USB encryption drives are designed, developed, and manufactured in the U.S.A. and have FIPS 140-2 Level 2/Level 3 validations. Hydra PC is the only commercial USB encryption drive to be approved for protecting tactical classified data at the SECRET level and below when used in accordance with the applicable security doctrine.
SPYRUS customers, including the U.S. Government and other demanding enterprise customers, can rest assured that their encrypted data remains completely secure.
SPYRUS, Inc. provides high-assurance security technology for the U.S. Government, industries required to comply with security regulations, and everyday users who want the best protection for sensitive information. Secured by SPYRUS™ security technology is designed, developed, and manufactured entirely in the USA. SPYRUS hardware and software support the strongest commercially available cryptographic algorithms, including elliptic curve cryptography (ECC) and AES-256. SPYRUS holds patents in the U.S. and abroad that enable solutions for secure authentication, secure communication, and full disk encryption, as well as patents relating to data protection and rights management for digital content. SPYRUS, Inc. is headquartered in San Jose, California. See www.spyrus.com for more information.
SPYRUS, the SPYRUS logo, Hydra Privacy Card and Hydra PC are either registered trademarks or trademarks of SPYRUS, Inc., in the U.S. and/or other jurisdictions. All other company, organization and product names are trademarks of their respective organizations.