Locking Your Memory
Several Alternatives to Securing Your Portable Memory
John R. Joyce, Ph.D.

Over the years, the capacity of USB memory drives has increased dramatically. Where once a 64 MByte drive would be considered huge (my first hard drive was only 20 MBytes), drives of 1-2 GBytes are common, with capacities of 8 GBytes and more being readily available.
With the vanilla USB drive now being a commodity product, some even being given away as specialty advertising, vendors are working to develop their unique product niche. These niches range from unique physical designs, such as bracelets and ballpoint pens, to physically hardened units for surviving adverse environments. The latest niche to appear is hardened secure drives. In this column we'll compare the alternate approaches that some vendors have taken.
Edge Tech Corporation makes a number of secure flash drives under their DiskGO label. One of the more interesting ones is their DiskGO Biometric Flash Drive, available in 1, 2, and 4 GB ($59.95, $69.95, and $119.95) versions. The unique thing about this drive is that it includes an integrated fingerprint scanner. This allows you to use either a password or biometric information to access the encrypted drive. Their setup program allows you to capture scans off of ten fingers. From their wizard, it is assumed that these will be any 10 fingers off of one person, but there is nothing to stop you from scanning one finger of 10 different people, for instances where you want to have shared access. It is definitely useful to configure the password though, as there are times that the scanner can be finicky. Whether that is due to the scanner itself or changes in your physical condition, I don’t know.
A downside to this device is that the data is secured by a 128-bit TDES encryption algorithm. This is less than the key length required by some government standards. Whether it is sufficient for your use depends on what you want to use it for. If you are just trying to block casual browsing, it should work fine. If you are trying to keep business critical information secured against espionage, you might want something stronger. As with many encrypted USB drives, this will show up with two drive letters on your computer. The first holds the encryption program and various utilities, such as password management software. The second drive letter is the virtual drive containing the actual encrypted information.
For those requiring higher security, Edge Tech provides additional drive models. One of these is the DiskGO Secure USB 2.0 Flash Drive, which ranges in capacity from 1-32 GBytes ($29.95 - $274.95). Data is optionally secured by the U.S. government standard 256-bit AES encryption algorithm or 448-bit Blowfish encryption algorithm.
Another interesting drive, which takes a different approach to securing your data, is the Flash Padlock from Corsair. This is currently available in 2 GB and 4 GB ($35.33, $49.99) versions. However, if you check the Web, you might still be able to locate some of the original 1 GB versions. What makes this drive interesting is that it is not an encrypted drive. Instead, it has a six button membrane keypad built into its case. This allows you to enter a user-assigned PIN that can be up to 10 digits long. Entering the PIN correctly enables the USB interface, so that your computer can access the drive. If the PIN is not entered correctly, the interface is disabled so your computer doesn’t even realize the drive is there. Once the drive is removed from the computer, or the computer is powered down, the Flash Padlock automatically locks the interface 15 seconds later.
Because the interface must be activated manually via the keypad, it is immune to the brute force computational attack used against many other encrypted drives. In theory, it would be vulnerable to someone manually stepping through all possible combinations, but they’d end up with carpal tunnel syndrome long before they cracked the key, particularly as they have no idea of the length set. Obviously, the data on the drive would be vulnerable to access by malware once the interface was enabled, but the attackers would only be able to see what was on the drive then; unlike with many systems, they would not be able to capture the password to re-access the drive later, assuming they could get hold of it. If you want added security, there is nothing to say you couldn’t use one of the free encryption programs with it as well.
For those that absolutely, positively, must have their data secured, there is the IronKey Personal drive from IronKey, Inc. It is available in 1, 2, and 4 GB ($79, $109, and $149) capacities. According to the company’s Web site, the IronKey was designed to be the world’s most secure flash drive, and it appears to live up to that billing. It provides military grade encryption using AES CBC-mode encryption in hardware with 128-bit keys. Unlike most encrypted drives, which use your computer’s processor to run their encryption algorithms, the IronKey contains an integrated Cryptochip that automatically handles data encryption and decryption, running much faster than software encryption programs. The encryption keys are automatically generated via the Cryptochip and never leave the IronKey drive, so are not vulnerable to capture. To prevent a variety of parallel off-line attacks, the IronKey does not mount the encrypted partition until after the password is successfully entered. To further enhance your data security, if the Cryptochip detects ten sequential password entry failures, it enters a self-destruct mode. Don’t expect any smoke to come out of it, as in Mission: Impossible, but it first securely wipes all of the crypto keys and then all of the memory, making it impossible to recover any data from the unit. Once an IronKey enters the self-destruct mode it becomes a paper weight; it cannot be reinitialized and used again.
The IronKey is physically one of the sturdiest flash drives I’ve seen. It comes in a cast metal case, potted with an epoxy compound to make it nearly impossible to physically attack the drive and allow it to exceed the military waterproof standards (MIL-STD-810F). The only drive I’ve seen that might be sturdier is the Flash Survivor from Corsair.
The IronKey comes with a number of other value added features that can help justify its cost. For one thing, it includes a password manager, allowing you to manage all of your online accounts and passwords in one place. This can help keep your passwords secure from key logger software, particularly while on the road. It also comes with an onboard version of the Firefox Web browser. This component is particularly useful when used in conjunction with IronKey’s Secure Sessions Service. This effectively sets up an instant Virtual Private Network (VPN) link to IronKey’s own network of Tor (The Onion Router) servers, originally sponsored by the US Naval Research Laboratory, to anonymize your Web surfing. In addition, it checks your target IP address against a list of known phishing sites. By using known DNS databases, it also prevents pharming attempts by eliminating the use of possibly corrupt local DNS databases.
So, which one of these nifty items is best? As usual, the answer is ‘it all depends’. For general use, any of these drives would probably meet your needs. If you had to transport information and it was absolutely critical that it not fall into anyone else’s hands, then the IronKey probably wins. For general ease of use, the Flash Padlock is very nice. It doesn’t appear to be a potted unit, so may be vulnerable to a disassembly attack, if someone is willing to invest the time and money. Another advantage of the Flash Padlock is that it doesn’t play games with the drive allocation tables. When it is activated it shows up as a single USB drive. With other drives I’ve tried, where one drive letter is assigned to the encryption software partition and a second to the encrypted software partition, Windows sometimes gets confused regarding the drive letters, particularly if you have network drives assigned as well. Some versions of Windows are more vulnerable to this than others. We’ll take a closer look at this issue in a future column.
While on an intrinsic basis the IronKey is probably the most secure, I have concerns regarding its practical security. By this I mean how secure is it in actual use. While its encryption and defense features are second to none, these could easily prove useless if the user is so paranoid about forgetting the password and accidentally triggering a self-destruct that they keep the password written down on the unit. Some of this can probably be handled via training and policy, but I still wonder. I don’t think I’d worry about it as much if you could reinitialize the drive after the self-destruct system wiped the drive. On the other hand, I can see why some users would prefer to have the drive reduced to scrap. I suppose a decision like this comes down to how paranoid you are and how motivated your people are to follow the specified procedures. Once set up, the DiskGO Biometric Flash Drive may be the easiest to use, as the user does not need to enter a password, but there are times when they must put up with some frustration while attempting to get a good fingerprint scan. In many ways, it reduces to balancing how important the security of your data is, with the chance of a successful attack on the drive, and how well the user can follow accepted security policies; I fear those are things only you can answer. For general use, I’d lean toward the Flash Padlock. However, IronKey’s Secure Session Service and anonymous Web surfing might well be worth the cost difference to some all by itself.
Let us know what your feelings are regarding secure flash drives. If you’ve encountered another one that we haven’t covered that you feel incorporates exceptional features, please let us know more about it.
John Joyce is the LIMS manager for Virginia's State Division of Consolidated Laboratory Services. He may be contacted at editor@ScientificComputing.com.
Internet Resources
IronKey, Inc.: www.ironkey.com
Corsair Memory: www.corsair.com
Edge Tech Corporation: www.edgetechcorp.com
Tor (anonymity network): en.wikipedia.org/wiki/The_Onion_Router