Hardware encryption: Caveat emptor

When is 128-bit AES not 128-bit AES? When it's actually XOR.

According to security publication Heise, numerous hardware encryption products are being misadvertised as encrypting data using 128-bit AES.

The Advanced Encryption Standard (AES) is a block cipher used by the US Government, and other organisations, interested in having very strong encryption indeed.

Heise sister publication c't magazine cracked open an Easy Nova Data Box by German vendor Drecom, advertised as using 128-bit AES. However, by analysing the encryption, c't found that the block cipher was actually exclusive-or (XOR).

The problem with XOR by itself is that it's relatively easy to break, by analysing how frequently letters or groups of letters appear in the ciphertext.

This is exactly how c't managed to deduce the XOR cipher.

"Who would have expected that decryption would be so easy?" said the article. "Indeed, the bar is so low that even novice attackers will have no trouble getting over it."

Moreover, when c't went to Innmax, the manufacturer of the chip used in the hardware, the IM7206 controller chip, Innmax confirmed their findings.

The publication warned that other hardware encryption products using the IM7206 would probably be similarly easy to crack.