Why do we need flash drives with hardware encryption?

Hey Habr! In the comments on one of our articles about flash drives, readers asked an interesting question: “Why do you need a hardware-encrypted flash drive when you have TrueCrypt?”, and even voiced a concern: “How can you make sure there are no backdoors in the software and hardware of a Kingston drive?”. We answered briefly at the time, but then decided that the topic deserves a thorough analysis. That is what this post is about.

Hardware AES encryption, like software encryption, has been around for a long time, but how exactly does it protect sensitive data on flash drives? Who certifies such drives, and can those certifications be trusted? And who needs such “complicated” flash drives at all when free tools like TrueCrypt or BitLocker exist? As you can see, the topic raised in the comments opens up quite a few questions. Let's try to sort them out.

How is hardware encryption different from software encryption?

In flash drives (and likewise in HDDs and SSDs) hardware encryption is implemented by a dedicated chip on the device's printed circuit board. It contains its own random number generator, which produces the encryption keys. Data is encrypted automatically as it is written and is decrypted only after the user enters the password. In this design there is practically no way to get at the data without the password.

With software encryption, the “locking” of data on the drive is done by a program running on the host, which serves as a low-cost alternative to hardware encryption. Such software has to be updated regularly to keep up with ever-improving attack techniques. In addition, the host CPU (rather than a separate chip) performs the decryption, so in practice the security of the PC determines the security of the drive.

The defining feature of a hardware-encrypted drive is its separate cryptographic processor: the encryption keys never leave the USB drive, whereas with software encryption the key necessarily passes through the computer's RAM and may end up on its hard drive (for example in a swap or hibernation file). Software encryption also has no trustworthy place to keep a count of failed login attempts: the container can simply be copied and attacked offline, and any attempt counter kept on the host can be reset by the attacker, so an automated password cracker can keep guessing until it finds the right combination.
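To make the brute-force argument concrete, here is an added illustration in Python (it is not Kingston code and does not describe the internals of any real drive controller). It builds a “software container” whose header holds only a salt and a PBKDF2-derived verifier, and shows that anyone who has copied that header can test passwords offline with no limit on the number of guesses. Beside it is a model of a hardware-encrypted drive in which the key and the failure counter live inside the controller, so the same dictionary attack is cut off once the counter is exhausted and the key is zeroised. The password, the wordlist, the iteration count and the attempt limit of 10 are constructed values chosen for the demo.

```python
"""Offline brute force against a software container vs. a device-enforced
attempt counter. Added illustration, not Kingston's code or firmware."""
import hashlib
import hmac
import os

ITERATIONS = 20_000   # deliberately low so the demo is fast; real tools use far more
KEY_LEN = 32          # 256-bit key


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a user password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, KEY_LEN)


def make_software_container(password: str) -> dict:
    """Header of a software-encrypted container: salt plus a keyed check value.
    Whoever copies this header can test candidate passwords offline, forever."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    verifier = hmac.new(key, b"container-header-check", "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def offline_brute_force(container: dict, wordlist) -> tuple:
    """Dictionary attack on the copied header. Nothing limits the number of
    guesses: the attacker's own machine runs the KDF and consults no counter.
    Returns (recovered_password_or_None, guesses_made)."""
    for n, guess in enumerate(wordlist, start=1):
        key = derive_key(guess, container["salt"])
        tag = hmac.new(key, b"container-header-check", "sha256").digest()
        if hmac.compare_digest(tag, container["verifier"]):
            return guess, n
    return None, len(wordlist)


class HardwareDriveModel:
    """Model of a hardware-encrypted drive: key and failure counter live inside
    the controller, so the host can neither read, reset nor bypass them.
    MAX_FAILURES = 10 is an assumed value for this illustration."""
    MAX_FAILURES = 10

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._key = derive_key(password, self._salt)   # never leaves "the chip"
        self._failures = 0
        self.wiped = False

    def unlock(self, password: str) -> bool:
        """Return True on the right password; after MAX_FAILURES consecutive
        wrong ones the key is zeroised and the drive stays locked for good."""
        if self.wiped:
            return False
        candidate = derive_key(password, self._salt)
        if hmac.compare_digest(candidate, self._key):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._key = bytes(KEY_LEN)   # zeroise: the data is now unrecoverable
            self.wiped = True
        return False


def online_brute_force(drive: HardwareDriveModel, wordlist) -> tuple:
    """Same dictionary, but every guess must go through the device itself.
    Returns (recovered_password_or_None, guesses_made)."""
    for n, guess in enumerate(wordlist, start=1):
        if drive.unlock(guess):
            return guess, n
        if drive.wiped:
            return None, n
    return None, len(wordlist)


# Constructed sample data: a weak password that sits 12th in a short wordlist.
SECRET = "kingston2017"
WORDLIST = ["password", "123456", "letmein", "qwerty", "admin", "welcome",
            "iloveyou", "monkey", "dragon", "sunshine", "princess", "kingston2017"]


def demo() -> dict:
    """Run both attacks with the same wordlist and report the outcome."""
    container = make_software_container(SECRET)
    soft_result, soft_guesses = offline_brute_force(container, WORDLIST)
    drive = HardwareDriveModel(SECRET)
    hard_result, hard_guesses = online_brute_force(drive, WORDLIST)
    return {"software": (soft_result, soft_guesses),
            "hardware": (hard_result, hard_guesses, drive.wiped)}


if __name__ == "__main__":
    print(demo())
```

The offline attack finds the password on the twelfth guess because the KDF runs entirely on the attacker's machine; against the device model the tenth wrong guess zeroises the key, so the correct password is never reached and the data is gone. A slower KDF only raises the cost per guess in the software case; it does not put a ceiling on the number of guesses the way a counter inside the controller does.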

By the way, in the comments on the article “Kingston DataTraveler: a new generation of secure flash drives” users also noted that TrueCrypt, for example, has a portable mode. This is not a big advantage, however: in that mode the encryption program itself is stored on the flash drive, and a program that is loaded from removable media and run on an untrusted host is an easier target for tampering than firmware sealed inside a controller.

In short, the software approach does not reach the level of security that hardware AES encryption provides; it is more of a baseline defence. On the other hand, software encryption of important data is still far better than no encryption at all. This lets us draw a clear line between the two: hardware-encrypted flash drives are a necessity mainly for the corporate sector (for example, when employees use drives issued at work), while software encryption is better suited to personal use.

That said, Kingston splits its drive models (such as the IronKey S1000) into Basic and Enterprise editions. In functionality and protection they are almost identical, but the Enterprise version can be managed with the SafeConsole / IronKey EMS software. With it, the drive talks to either a cloud or an on-premises server so that password requirements and access policies can be enforced remotely. Users also get a way to recover lost passwords, and administrators can re-provision unused drives for new tasks.

How do Kingston flash drives with AES encryption work?

Kingston uses 256-bit AES-XTS hardware encryption (with a full-length key) in all of its secure drives. As noted above, the drives contain a separate chip that encrypts and decrypts the data and includes an always-on random number generator.

When the device is connected to a USB port for the first time, the initialization wizard prompts you to set a master password for accessing it. Once the drive is activated, encryption runs automatically according to the user's settings.

For the user, working with the flash drive stays the same: files can be read from and written to the device's memory just as with an ordinary USB stick. The only difference is that when the drive is plugged into another computer, the password must be entered before the data becomes accessible.

Why and who needs flash drives with hardware encryption?

For organizations whose business involves sensitive data (financial, medical or government agencies, say), encryption is the most reliable means of protection. Flash drives with 256-bit hardware AES encryption are a scalable solution that suits anyone from individuals and small businesses to large corporations, as well as military and government organizations. Looking at this more specifically, encrypted USB drives are needed:

  • To ensure the security of confidential company data
  • To protect customer information
  • To protect companies from loss of profits and customer loyalty

It is worth noting that some manufacturers of secure flash drives (including Kingston) offer corporations customized solutions tailored to the customer's needs. But the mass-market lines (including the DataTraveler flash drives) do their job well and are able to provide corporate-grade security.

1. Ensuring the security of confidential company data

In 2017, a London resident found a USB drive in a park containing unprotected information about security at Heathrow Airport, including the locations of surveillance cameras and detailed protection measures for the arrival of dignitaries. The drive also held data on electronic passes and access codes for restricted areas of the airport.

Analysts attribute such incidents to the cyber illiteracy of employees, who “leak” sensitive data through their own negligence. Hardware-encrypted flash drives partly solve this problem: if such a drive is lost, nobody can access the data on it without the master password set by its owner. That does not remove the need to train employees in handling flash drives, even when the devices are protected by encryption.

2. Protection of customer information

An even more important task for any organization is protecting customer data, which must not be exposed to the risk of compromise. It is precisely this kind of information that is most often passed between business units and is, as a rule, confidential: financial transactions, medical histories and so on.

3. Protection against loss of profits and customer loyalty

Using USB devices with hardware encryption can help prevent devastating consequences for organizations. Companies that violate personal data protection laws can be fined large sums, so the question has to be asked: is it worth the risk of exchanging information without proper protection?

Even leaving the financial consequences aside, the time and resources spent on cleaning up after a breach can be just as significant. And if a breach compromises customer data, the company risks its brand loyalty, especially in markets where competitors offer a similar product or service.

Who guarantees that hardware-encrypted flash drives contain no backdoors from the manufacturer?

Within the topic we have raised, this question is perhaps one of the main ones. Among the comments on the article about Kingston DataTraveler drives we came across another interesting question: “Have your devices been audited by third-party independent experts?”. A logical concern: users want to be sure that our USB drives do not have common flaws such as weak encryption or a way to bypass password entry. In this part of the article we describe the certification procedures Kingston drives go through before they earn the status of truly secure flash drives.

Who guarantees reliability? We could simply say: “Kingston made it, Kingston guarantees it.” But that would be the wrong answer, because the manufacturer is an interested party. Therefore all products are tested by an independent third party. In particular, Kingston's hardware-encrypted drives (except the DTLPG3) are validated under the Cryptographic Module Validation Program (CMVP) and are FIPS certified. The drives also help organizations meet the requirements of GLBA, HIPAA, HITECH, PCI and GTSA.

1. Cryptographic Module Validation Program

The CMVP is a joint program of the US National Institute of Standards and Technology (part of the Department of Commerce) and the Canadian Centre for Cyber Security. Its aim is to promote the use of validated cryptographic modules and to give federal agencies and regulated industries (such as financial and medical institutions) a security metric to use when procuring equipment.

Modules are tested against a set of cryptographic and security requirements by independent cryptographic and security testing laboratories accredited under the National Voluntary Laboratory Accreditation Program (NVLAP). Each laboratory report is reviewed for compliance with Federal Information Processing Standard (FIPS) 140-2 and validated by the CMVP.

Modules validated against FIPS 140-2 remain on the active list, recommended for use by US and Canadian federal agencies, until September 22, 2026. After that they move to the historical list, although they may still be used. The successor standard, FIPS 140-3, has been accepted for CMVP submissions since September 22, 2020, and new FIPS 140-2 submissions stopped being accepted after September 21, 2021. A module that passes review under FIPS 140-3 is placed on the active list of validated modules for five years. If a cryptographic module fails validation, its use in US and Canadian government agencies is not recommended.

2. What are the security requirements for FIPS certification?

Breaking into even an uncertified encrypted drive is difficult and beyond most attackers, so when choosing a consumer drive for home use you need not worry much about certification. In the corporate sector things are different: when selecting secure USB drives, companies often attach weight to the FIPS certification level, but not everyone has a clear idea of what the levels mean.

The current FIPS 140-2 standard defines four security levels that a flash drive can meet. Level 1 provides a modest set of security features; Level 4 imposes strict requirements for the module's self-protection. Levels 2 and 3 grade these requirements and form a kind of middle ground.

  1. Security Level 1: a Level 1 certified USB drive is expected to use at least one approved encryption algorithm or other approved security function.
  2. Security Level 2: here the drive must not only provide cryptographic protection but also show evidence of tampering (tamper-evident seals or coatings) if someone tries to open the device.
  3. Security Level 3: provides for active resistance to tampering by destroying (zeroising) the encryption keys; that is, the module must respond to a penetration attempt. Level 3 also imposes stricter electromagnetic interference and compatibility (EMI/EMC) requirements on the module.
  4. Security Level 4: the highest level, which requires complete physical protection of the cryptographic module so that any attempt at unauthorized access is detected and countered with the highest probability. Flash drives certified at Level 4 include protection against attacks that manipulate the supply voltage and ambient temperature.

The following Kingston drives are FIPS 140-2 Level 3 certified: DataTraveler 4000G2, DataTraveler 2000, IronKey S1000 and IronKey D300. Their key feature is the ability to respond to a penetration attempt: after 10 incorrect password entries, the data on the drive is destroyed.

What else can Kingston flash drives do besides encryption?

When it comes to complete data security, hardware encryption is backed up by built-in antivirus, physical protection, synchronization with personal clouds and other features, which we discuss below. Outwardly these drives differ little from ones with software encryption; the devil is in the details. Here are some of them.

1. Kingston DataTraveler 2000

Take the Kingston DataTraveler 2000. It is one of the hardware-encrypted flash drives, but the only one in the line with its own physical keypad on the case. This 11-key keypad makes the DT2000 completely independent of the host system (to use it, press the Key button, enter the password and press the Key button again). The drive also carries an IP57 rating for protection against water and dust (oddly, Kingston does not state this either on the packaging or in the specifications on the official website).

The DataTraveler 2000 contains a 40 mAh lithium-polymer battery, and Kingston advises plugging the drive into a USB port for at least an hour before first use so that the battery charges. In an earlier article we described what happens when the drive is charged from a power bank: there is no cause for worry, because a charger makes no requests to the controller and the drive is never unlocked, so no data can be extracted that way.

2. Kingston DataTraveler Locker+ G3

As for the Kingston DataTraveler Locker+ G3, its notable feature is the ability to back up data from the flash drive to Google cloud storage, OneDrive, Amazon Cloud or Dropbox; synchronization with these services is also provided.

One question readers ask is: “But how do you take encrypted data out of a backup?”. Very simply: when synchronizing with the cloud, the data is decrypted, and from then on the protection of the backup depends entirely on the cloud provider; the drive's hardware encryption does not cover that copy. Such backups are therefore made solely at the user's discretion, and without the user's consent nothing is uploaded to the cloud.

3. Kingston DataTraveler Vault Privacy 3.0

The Kingston DataTraveler Vault Privacy 3.0, in turn, comes with ESET Drive Security antivirus built in, which guards the data against viruses, spyware, Trojans, worms and rootkits when the drive is connected to other people's computers. The antivirus warns the drive's owner immediately about any potential threat, and the user does not have to install or pay for separate antivirus software: ESET Drive Security is preinstalled on the drive with a five-year license.

The Kingston DT Vault Privacy 3.0 is designed primarily for IT professionals. Administrators can use it as a standalone drive or add it to a centralized management solution, and they can configure or remotely reset passwords and set device policies. It also uses USB 3.0, which moves protected data much faster than USB 2.0.

Overall, the DT Vault Privacy 3.0 is a great option for the corporate sector and for organizations that need maximum protection for their data. It can also be recommended to anyone who uses computers on public networks.

For more information about Kingston products, please visit the company's official website.

Source: habr.com