January 25th, 2010 by Dustin Sklavos
Hardware-Based Encryption - The Better Way to Secure USB Drives
When floppy disk drives started going the way of the Dodo, I know I personally wasn't entirely sure who the heir apparent was. ZIP disks had potential, but were too pricy. Writing CDs and DVDs may have gotten faster over the years, but it's still too time-consuming. Essentially the purposes that the floppy disk occupied – dissemination of data and portable storage – wound up being bifurcated into two pieces of technology: optical media for the first, and flash drives for the second.
USB flash drives have proliferated wildly. I have one on my keychain; it's the fourth one I've owned. You can get a respectable 8GB of storage in a small portable form for under $20 now. That's a heck of a lot of data you can carry around. But what happens if it falls into someone else's hands?
While I don't keep anything of any real value on my own flash drive, some people – particularly individuals in corporate or government sectors – do. Flash drives are small and handy, but that also makes them extremely easy to steal or lose.
To combat the problem, many manufacturers started introducing drives with varying degrees of encryption. These drives are marked up in price and more for enterprise usage, but allow the user to password-lock the data on them to ensure that anyone who steals the drive won't be able to recover the valuable cargo.
The problem? A lot of this is handled in software in a way that, thus far, has proven unreliable for security. While the average jerk just trying to steal some other guy's flash drive probably doesn't really care about what's on it (though likely also won't be able to use it, effectively just wasting time and energy), for government and private purposes this just won't cut it.
It gets worse. Recently, an encryption scheme that had been ratified to be suitable for government use was hacked.
First, the basic method of encryption currently being used isn't necessarily fundamentally flawed. 256-bit AES encryption is a standard adopted by the government, and without getting into too much detail on how it works (even my eyes crossed studying it), suffice to say it's not easily broken. The “brute force” method of hacking encryption – basically trying keys until one works – is extremely impractical and time-consuming.
The issue came with the implementation of the encryption, and how the drives handled it. Formerly government-ratified flash drives could be tricked into decrypting the data without the proper key; the key itself wasn't tied to the password.
Fortunately, if you have very important cargo that needs to be transported via USB flash drive, there are some companies that have come forward with new (and even some old) alternatives.
The Kingston, Verbatim, and SanDisk drives originally hacked have received either recalls or updates that correct the encryption problem, but part of the fundamental flaw does remain: these drives still handle validation in software.
On the other hand, IronKey produces flash drives with what they call the “CryptoChip,” hardware which handles all of the encryption and security for data stored on the drive. Having all of this functionality stored in hardware on the drive itself – outside of the actual storage flash – makes it very resistant to hacking.
Kanguru Solutions also recently released flash drives featuring hardware-based encryption similar to IronKey's implementation, where validation is handled on a chip inside the drive as opposed to being done in software on the PC.
By using hardware solutions, these vendors dodge an essential issue: the software being run on the PC used to access the encrypted data is substantially less secure than that data. The hacker doesn't need to get the key itself, he just needs to fool the software into providing it to the drive.
At the end of the day, the future of flash drive security is where IronKey saw it: hardware-based encryption and validation. The addition of this hardware may be of greater expense to the manufacturer (and the consumer in kind), but the results are undeniably better than the software-based validation that the hacked drives suffered from.
Security is going to come down to a matter of personal needs and data sensitivity. If you're just a Regular Joe who doesn't necessarily need to carry sensitive material around with you – like me – then a secure flash drive of any feather is going to be overkill for you. If you're not necessarily carrying around top corporate secrets or anything and are just worried about some stranger stealing your drive, then though software encryption has its flaws, it should be more than enough to outwit the average thief.
If, however, you're going to be carrying around any extremely sensitive material, hardware-based encryption is going to be the only way to go.