
DataVault Encryption Software Flaws Affect Multiple Storage Devices.

Sylvain Pelissier, a researcher, discovered that ENC Security’s DataVault encryption software, which is used by a number of vendors, is affected by a couple of key derivation function issues. An attacker can take advantage of the flaws to obtain user passwords.

DataVault is advanced encryption software that provides comprehensive military grade data protection and security features to multiple systems.

The researchers reported that “It was discovered that the key derivation function was PBKDF2, with 1000 iterations of MD5 used to generate the encryption key. The salt used to generate keys is consistent and hardcoded in all solutions and vendors. This makes it easier for an attacker to guess a vault’s user password using time/memory tradeoff attack techniques like rainbow tables and then re-use the tables to retrieve passwords for all users who use the software.

“The implementation was flawed, and even with a randomly generated unique salt, it would be trivial to recover a user’s password. Other shortcomings of the key derivation function will be discussed and compared to current best practices.”

ENC’s security advisory concluded that “DataVault and its derivatives used a one-way cryptographic hash with a predictable salt, making them vulnerable to dictionary attacks by an inexperienced user. The software also used a password hash with insufficient computational effort, allowing an attacker to brute force user passwords and gain unauthorised access to user data. In the updated version DataVault 7.2, both of the key derivation function issues described above have been resolved.”
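As an added illustration (not code from the article, ENC Security or the researcher), the sketch below puts the parameters quoted above, PBKDF2 with 1000 iterations of MD5 and one salt shared by everyone, next to a per-vault-salt variant and audits both. The salt value, the SHA-256 and 600,000-iteration settings and the audit thresholds are assumptions; the page does not say what DataVault 7.2 uses.

```python
import hashlib
import hmac
import os

# Constructed placeholder: the page does not give the real hardcoded salt.
HARDCODED_SALT = b"constructed-static-salt"

def weak_kdf(password):
    """Scheme described on the page: PBKDF2-HMAC-MD5, 1000 iterations, one global salt."""
    return hashlib.pbkdf2_hmac("md5", password.encode(), HARDCODED_SALT, 1000, dklen=16)

def hardened_kdf(password, salt=None, iterations=600_000):
    """Assumed remediation: random per-vault salt, SHA-256, high iteration count."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return salt, key  # the salt is stored beside the vault; it is not secret

def keys_collide(password):
    """For two independent vaults sharing a password, report whether the derived
    keys are identical under (weak scheme, hardened scheme)."""
    weak_same = hmac.compare_digest(weak_kdf(password), weak_kdf(password))
    _, k1 = hardened_kdf(password)
    _, k2 = hardened_kdf(password)
    return weak_same, hmac.compare_digest(k1, k2)

def audit_kdf(hash_name, iterations, salts):
    """Flag the weaknesses named in the advisory for a KDF configuration observed
    across several vaults. Thresholds are assumptions chosen for this example."""
    findings = []
    if hash_name.lower() in {"md5", "sha1"}:
        findings.append("weak-hash")
    if iterations < 100_000:
        findings.append("low-iterations")
    if len(set(salts)) < len(salts):
        findings.append("salt-reuse")
    if any(len(s) < 16 for s in salts):
        findings.append("short-salt")
    return findings

if __name__ == "__main__":
    print(keys_collide("correct horse battery staple"))
    print(audit_kdf("md5", 1000, [HARDCODED_SALT] * 3))
```

Identical keys under the shared salt are what let one precomputed table serve every vault; with a per-vault salt the same password yields unrelated keys, and the stored salt still lets the legitimate user re-derive theirs.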
