Kingston, IronKey announce new FIPS-certified USB drives

April 17, 2008 (Computerworld) Both Kingston Technology Co. and IronKey Inc. this week announced new models of their USB flash drives, as well as a security certification that clears them for use by U.S. and Canadian government agencies in accordance with Federal Information Processing Standard 140-2 Level 2.

Kingston announced its new DataTraveler BlackBox USB drive, which uses 256-bit hardware-based Advanced Encryption Standard (AES) encryption. IronKey announced an enterprise-class version of its drive, which uses 128-bit hardware-based AES encryption.

Neither 256-bit nor 128-bit AES encryption methods have been broken, nor will they likely be any time soon, experts said.

IronKey's enterprise drive allows central password management and allows administrators to define what software runs on the drives, the password strength and how many failed log-ins can occur before users are permanently locked out of devices. Admins can also control whether end users can perform their own password recovery through authentication questions, which Jevans said is useful for nontechnical employees who use flash drive infrequently.

See also ""Review: 7 secure USB drives."

Charles Kolodgy, research director for secure content and threat management products at market research firm IDC, said FIPS 140-2 reviews ensure device designs and encryption methods have been performed correctly. "That's the first step ... to validate that the encryption works as advertised," he said.

FIPS (Federal Information Processing Standard) was developed by the National Institute of Standards and Technology for use by government agencies and their contractors, but not necessarily by the military, which often requires even higher security standards.

Security technologist and author Bruce Schneier, however, sees security certifications as nothing more than a facade, saying that security is a "lemons" market and that the only way to really guarantee that data will be safe on any given device is to shell out thousands of dollars for an engineering study.

"It's all about signals, and certifications is one way a seller signals to a buyer that his products are good," Schneier said. "It has nothing to do with whether or not the certification is a good idea or not; it's all about marketing."

Dave Jevans, CEO of IronKey, said getting the IronKey drive FIPS-certified took about eight months and required visits by government evaluators who tested the product.

"Effectively, they validate that your encryption algorithms are correct. Then they validate more complicated things like your overall system design," he said.

AES is the successor to the older DES (Data Encryption Standard) and is used by the U.S. government for encrypting secret and top-secret documents, using the 128-bit and 256-bit strengths, respectively.

Both drives use hardware-based encryption, which Kolodgy has said is more secure than software-based encryption because in the latter, the keys are placed in the device's memory, so a hacker will know where to look for the keys by their unique format and can target those keys for a brute-force attack.