back to article BlockMaster SafeStick hardware-encrypted USB drive

It may make its money shelling shedloads of its security centric USB Flash drives to organisations like the NHS, but Sweden's BlockMaster believes the rest of us likewise need memory sticks with a high level of data protection built in. Leaving aside for a moment the question of whether you really want to keep confidential …

COMMENTS

This topic is closed for new posts.
  1. Marvin the Martian
    Pirate

    And physical access security?

    You mention a shoddy casing: what's stopping a geek from dismantling this thing and physically installing the memory part in another stick?

    I'm presuming the files are unencrypted in the flash memory, with password only providing access protection (hence higher speed than truecrypt), so password can be physically bypassed.

  2. djack

    Far better than software encryption

    "But you can make your own version using free software for a fraction of the price, and with no appreciable reduction in data security."

    Wrong. If I can get hold of your truecrypt volume, I can launch an 'offline' brute-force attack against your password. The great advantage to hardware encryption is that it attempts to remove that weakness which is why having an enclosure that is difficult to get into is a factor.

    Considering thath this is a security device, you have missed talking about what should be a large and important part of it's feature-set .. attack mitigation.

    For instance, with the Ironkey, I can tell you that after ten consecutive failed password attempts, the device will low-level wipe the flash ram and fry the crypto-chip. Also if you fail to avoid the various traps when trying to physically cut through the casing and expoxy potting, the device will similarly commit suicide the moment that power is applied. This means that the Ironkey has zero value to a would-be thief. What similar protection is being afforded by this device?

    This class of device should not be compared to a cheap normal stick. They are designed to keep sensitive data such as (personal) accounts, passwords etc. not as a hiding place for your pron collection.

  3. Pheet
    Thumb Down

    Nice but..

    Nice idea in principle - hardware encryption is a lot faster than doing it in software as the test shows.

    However, I'm not going to trust any security device/software unless the source code is available for peer review.

    Also, the lack of cross platform support (no linux or FreeBSD, less functionality on Mac) makes it a no-no. The point of USB sticks is they're _portable_ and work across platforms.

  4. Mark 65

    Couple of points

    "In each case, the SafeDisk proved much quicker than the combination of TrueCrypt and low-cost Flash drive. But then the latter is a lot cheaper. You pays your money, as they say."

    Problem is that TrueCrypt requires elevated privileges on the host PC in order to mount the volume. As follows...

    "In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. The reason for that is that TrueCrypt needs a device driver to provide transparent on-the-fly encryption/decryption, and users without administrator privileges cannot install/start device drivers in Windows."

    So TrueCrypt isn't a very practical option for data portability unless you can guarantee admin rights wherever you go (if only). The IronKey works on Windows, OSX and Linux out of the box according to their site and seems to be the best option for this kind of want hence their pricing. It also appears to offer a greater degree of protection, especially the physical.

    Close but not quite.

  5. oxo 1
    Black Helicopters

    Better solution..

    That's a ridiculous price - I use a Transcend USB drive which has a fingerprint reader and AES encryption.

    And the best bit is it's less than 14 quid at Amazon

    http://www.amazon.co.uk/Transcend-JetFlashTM220-Fingerprint-Flash-Drive/dp/B000VJ5B1I/ref=cm_cr_pr_product_top

  6. djack

    @oxo1

    That device looks like snake-oil to me.

    For many reasons, biometrics does not make a good authentication solution. It's a good replacement for a username but nothing else.

    The fingerpint lock simply 'unlocks' the USB drive (presumably in much the same way as the myriad of other cheap 'password protected' drives do).

    The AES encryption is not hardware encryption, but host-based software encryption with an AES key presumably derived from or encrypted against your fingerprint data which admittedly will probably make it trickier to brute-force than many people's password based TC volumes.

    You also have to wonder quite how they have married the 'fuzzy' matching required to make fingerprint recognition work with the precise data required for encryption keys.

    In short, a flashy neat toy but not a real security device.

  7. Anonymous Coward
    Anonymous Coward

    Linux

    I've been waiting for the Linux version of the software since they first had a "Linux version coming soon" comment on their web site back in January.

    Initially they said it would be ready 'early in the year' so it's disappointing to hear that they're now talking about it being ready 'by the end of the year', especially given that it may not even have all the features of the Windows version (if the Mac version is anything to go by).

    The Reg review was handy because I'd not really considered the physical side of the security (which now seems far less than Ideal). I did consider the Ironkey but it's quite a bit bigger and I therefore prefer the look of the SafeStick.

    Hopefully a SafeStick2 will resolve these issues.

  8. Abstract8

    ... sorry, stilll an IronKey fan

    IronKey also has a nice password manager for your browser.

  9. Anonymous Coward
    Go

    These are awsome

    These sticks cannot be beaton on a price v's features front, thats why the NHS has adopted them as their preferred Encrypted USB device.

    To answer a few of the coments already posted.

    Marvin the Martian - You cannot remove the memory, and if you could the data stored on it would be AES256 bit encrypted anyway.

    Pheet - for many of the applictions SafeStick will be used for, read government they will mandate that you cannot use Open Source unless you have full rights to change the code, this is not possible with all open source licence agreements. Also by making your product fully Open Source you allow the competitors to copy you. My last email to BlockMaster indicated Linux Support might be available sooner than you think.

    oxo 1 - Most government oganisations stipulate that you cannot use biometrics with a hardware encrypted device, they are far too easy to break into. The product you link to is cr*) thats why it is £14

    Mark 65 - Is absolutely right, any software encrypted solution is easy to brute force attack, simply lift the encrypted data off the stick and copy it and have as many machines as you like attack the password with your chosen tool, SafeStick currently enforces 20 password attempts before wiping the data.

    Ironkey by the way is only 128 bit AES !

    Only goes up to 8GB in Storage

    The MacOSX and Linux is not very stable

    It is almost double the price of SafeStick.

    Thought review was reasonable, although completely misses the SafeConsole Central Management platform, which users can install on their LAN / Data Centre to manage their sticks, remote lock/disable/wipe sticks, publish apps, files to, and much much more.

    You cannot beat SafeStick on price v's features.

    download a trail of SafeConsole and request a free stick here - www.safestick.net - try getting a free evaluation stick from IronKey or a trial of their management suite...... you won't !

  10. Pheet
    Stop

    @AC 17:27 / Safestick Sales Weasel

    1) Open-source != Free (libre) Software. It's possible to publish source under a restrictive license.

    2) The source code of Truecrypt, GPG, and the older version of PGP is available. PGP is/was a relatively successful product. M16 use it (allegedly). As we're talking about public algorithms (AES), no major trade secrets are lost by releasing source. If there's a mistake in the implementation which means there's an effective key size of 64 bits for example, it would be good if it was spotted. For the paranoid, it's nice to know there's no government mandated back doors either. False sense of security is worse than no security, etc.

    3) I didn't actually mention open-source, I said peer-review. If the source was given to, say , the top 5000 cryptographers (the Bruce Schneiders & Phil Zimmermans of the world) to evaluate, then I'd prob. consider this peer-reviewed.

    4) Your paragraph about government & open-source doesn't appear to make sense gramatically.

    5) My main machine runs FreeBSD :-P . The linux version (if it's not vapourware) *might* run under the compat layer, but I'd be suprised.

    The website doesn't fill me with confidence, and I don't fancy being stuck on a mailing list for eternity in exchange for an evaluation stick either. Thanks, but no thanks.

  11. Mark 65

    @AC 17:27

    "Ironkey by the way is only 128 bit AES !

    Only goes up to 8GB in Storage"

    1. If people are happy to access their bank accounts using only 128 bit then they shouldn't be too bothered about their other data. The enterprise version (NHS applicable) even comes with a two factor RSA token.

    2. You should also read this publication regarding the "only 128 bit AES" as AES can be implemented in 5 different modes of operation. They chose the one that would allow them to use the shorter key without lessening the security, so that their CBC mode at 128 bit can be more secure than other's ECB mode at 256 bits when encrypting large blocks of data...

    https://learn.ironkey.com/docs/whitepapers/ironkey-data-encryption-wp.pdf

    3. It's a USB key, how much storage do you really need in this format? For anything more run a laptop with an encrypted drive/partition/data file or truecrypt portable on a USB hard drive. 8GB should be plenty.

    4. It's also worth noting that as these devices destruct to protect data it would need to be securely backed up elsewhere and the large the device is the more of a pain in the arse that becomes. The USB drive with truecrypt file could be backed up on it's own but suffers the brute force issues.

  12. John Smith 19 Gold badge
    Go

    AES on an 8051 without hardware assist?

    I doubt that. This Intel microcontroller is donkey's years old and was slow even then. However as the host for some on-chip accelerator hardware that might work well.

    People have commented about physical attack. But what is the real horse power requirement to break AES. Of course it's possible. But how long?

    If your staff absolutely got to have to have a load of sensitve data on their PC right now I think TrueCrypt and proper password management will get a system in place faster and cheaper. This thing looks easy to walk off with or replace with a dummy.

    But designing systems which *don't* need all that data on a laptop or USB drive in the first place would be better.

    That takes intelligence and commitment (from management). Items in very short supply in the UK business and government communities.

  13. Jeron
    Stop

    I think your missing the point - Hardware encryption!

    Are you seriously suggesting to me that the cheap alternative is anywhere near as good, hasn't anyone heard of the benefits of hardware encryption against software encryption?

    Its so easy tamper with DIY encrypted sticks - acceptable for the home user but I certainly would not want my doctor carrying my personal details around on a DIY stick, what standard does the true crypt conform to? FIPS 140-2? no I don't think so, the comment about SafeStick being for security obsessed users, is this not the point? - and why is it considerd obsessive - people need to take this more seriously.

    Through put does not bother me, but security and management does, I think this article has gravely overlooked hardware encryption for a cheaper alternative - its sad to see that the point of security is still be overlooked by cost - you pay for what you get -

  14. spidey99

    my 2 cents

    @ Pheet - the website says its FIPS 197 so it must have been certified to meet the fully published AES standard?

    Whatever the standard, im sure given the horsepower, time and will, anything can be cracked. Surely an easier way to gain a password from a Bank or Government employee if you REALLY want the data is much simpler - should such people want access to your data bad enough, a threat of violence will do it.

    Id rather Government departments, Banks, Corporates NOT stick CD's stuffed with data in the post or leave an unencrypted sticks / pda's / mobile phone's on a train for thieves to get my data, account details etc.. Surely enforcing seamless data encryption is a good thing?

    I think some comments may be missing the point of this device as I see it - I dont see it as cheap, single user encryption device - of which there are loads to choose from - although not everyone is techie enough to understand what is good, bad, good value, false sense of security etc..

    For the techies there are always other options - including the best one - not storing your data on removable devices anyways.

    safe stick is useful to us because we can deploy and manage hundred of sticks from a single web console and KNOW they are all encrypted. Integration with backend AD accounts etc. means we can give sticks to employees, with a fixed password policy - and importantly they can be disabled / wiped / reset / de-activated if lost. Also surely stopping malware spread has to be a good thing for everyone?

    We also use the stick to provide 2-factor authentication - it saves us a large fortune not having to deploy / replace additional hardware tokens.

  15. Jeron
    Happy

    Just one more thing

    Just one more thing, I like the idea that the Stick will wipe itself after a user defined amount of incorrect password attempts - if a thief put that in a cracking machine they have 20 attempts to get it right or their efforts were in vein.

  16. pspgimp

    CBC v's ECB mode

    Mark 65 17th June 2009 02:59

    You are of course right in that CBC mode AES128 is stronger than ECB mode AES256, obviously then the AES256 in CBC mode that SafeStick uses is much stronger than the AES128 bit in CBC mode that the product you mention uses ?

    SafeStick also has a two factor authentication token, plus the ability to install ANY application onto the device that you wish, be it a hardened web browser, password manager etc etc

This topic is closed for new posts.

Other stories you might like