USB Encryption

What you really need to know about USB encryption… (Hint: It’s not all about the encryption)

There are many encryption algorithms in the world of cryptography. In the US, the National Institute of Standards and Technology (NIST) standardized AES (the Advanced Encryption Standard), and it is the algorithm required for Federal government use, encrypted USB flash drives included. The algorithms used on encrypted flash drives are symmetric: a single key both encrypts and decrypts the data. Protecting that key is therefore critical, because no matter how strong the algorithm is, anyone who obtains the key can decrypt the data. When software encryption is used, the key (or the password-derived material that unlocks it) is stored either in the flash memory of the USB drive itself or on the computer or network that originated the encryption. Neither location is desirable:
  • It is commonly understood that an encryption key should not be stored in the same place as the encrypted data. This is like taping the combination to the back of the combination lock.
  • If the encryption key is stored on a computer or network, the usability of the USB flash drive drops significantly, since the drive must be connected to that computer or network to access the files. This is like leaving the combination at home (without memorizing it) and then wanting to use the lock while on a trip.
The better USB flash drives store the encryption key on a separate controller inside the USB device and physically protect the internals with a tamper-resistant shell and epoxy potting around the controller and flash memory. That key is a very long string (256 bits for AES-256) that no one can memorize, so the drive needs an easier way for a human to release it to the encryption engine. That mechanism is authentication. Common authentication types are software password prompts, physical PIN pads, and biometric readers (such as fingerprint).

Authentication is the weak part of the process. The algorithm can be top-notch and the key can be stored with the utmost protection, but all of the security now rests on the authentication mechanism. A software password prompt runs on the host computer's operating system, so the password can be captured by keylogging malware or recovered by brute-force guessing (automated password trials). USB encryption, then, is really not about the strength of the encryption; it is about the security of the encryption key and of the authentication process.

LOK-IT provides hardware authentication through an on-board PIN pad. The PIN is never typed on a computer, so host-side keyloggers cannot capture it, and every guess must be entered on the device itself rather than tried offline against a copied key blob. That last point is what defeats brute-force attacks, and it holds only as long as the device limits the number of failed PIN attempts; a PIN pad that allowed unlimited tries would still be guessable.
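To make concrete why the two weak points above (key material left where an attacker can copy it, and a short secret that can be guessed) matter more than the cipher, here is an added Python example that is not code from the original article or from LOK-IT. It models a PIN-wrapped key the way software encryption leaves it on the drive or host, brute-forces it offline, then runs the same guessing loop against a model of a PIN-pad device that zeroizes after a fixed number of failures. The 4-digit PIN space, the retry limit of 10, the deliberately low PBKDF2 iteration count and the simplified wrap (KEK XOR DEK plus an HMAC tag, standing in for a real AES key wrap) are all assumptions made for the demonstration.

```python
# Added example, not code from the original article or from LOK-IT.
# Contrasts a PIN-wrapped key that can be attacked offline (software
# encryption, key material on the drive or host) with a PIN that is only
# ever checked inside a retry-limited device.  Assumptions: 4-digit PINs,
# a retry limit of 10, a low PBKDF2 iteration count so the demo runs in
# seconds, and a simplified wrap (KEK XOR DEK plus an HMAC tag) standing
# in for the AES key wrap a real drive would use.
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100  # assumption: far too low for production, fast for the demo
PIN_DIGITS = 4           # assumption: a short PIN, like a phone unlock code


def derive_kek(pin: str, salt: bytes) -> bytes:
    """Turn a human-memorable PIN into a 32-byte key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def wrap_dek(dek: bytes, pin: str) -> Dict[str, bytes]:
    """Mask the long data-encryption key (DEK) under the PIN-derived KEK.

    The returned blob is what a software product leaves on the drive or
    host: salt, masked key and a tag that reveals whether a PIN guess was
    right.  That tag is exactly what makes offline guessing possible.
    """
    salt = os.urandom(16)
    kek = derive_kek(pin, salt)
    masked = bytes(a ^ b for a, b in zip(dek, kek))
    tag = hmac.new(kek, masked, "sha256").digest()
    return {"salt": salt, "masked": masked, "tag": tag}


def unwrap_dek(blob: Dict[str, bytes], pin: str) -> Optional[bytes]:
    """Return the DEK if the PIN is right, otherwise None."""
    kek = derive_kek(pin, blob["salt"])
    tag = hmac.new(kek, blob["masked"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["masked"], kek))


def offline_brute_force(blob: Dict[str, bytes]) -> Tuple[Optional[bytes], int]:
    """Attacker who copied the blob tries every PIN locally; nothing stops the loop."""
    for n in range(10 ** PIN_DIGITS):
        dek = unwrap_dek(blob, f"{n:0{PIN_DIGITS}d}")
        if dek is not None:
            return dek, n + 1
    return None, 10 ** PIN_DIGITS


class PinPadDevice:
    """Model of the hardware case: the DEK never leaves the controller, the
    PIN is entered on the device, and too many failures zeroize the key."""
    MAX_FAILURES = 10  # assumption for the model; real lockout policies vary by vendor

    def __init__(self, pin: str) -> None:
        self._blob: Optional[Dict[str, bytes]] = wrap_dek(secrets.token_bytes(32), pin)
        self._failures = 0
        self.wiped = False

    def unlock(self, pin: str) -> Optional[bytes]:
        """One PIN attempt on the keypad.  Returns the DEK on success."""
        if self.wiped or self._blob is None:
            return None
        dek = unwrap_dek(self._blob, pin)
        if dek is None:
            self._failures += 1
            if self._failures >= self.MAX_FAILURES:
                self._blob = None  # zeroize: the key is gone for good
                self.wiped = True
            return None
        self._failures = 0
        return dek


def online_brute_force(device: PinPadDevice) -> Tuple[Optional[bytes], int]:
    """Same guessing loop, but every try goes through the device's retry counter."""
    for n in range(10 ** PIN_DIGITS):
        dek = device.unlock(f"{n:0{PIN_DIGITS}d}")
        if dek is not None:
            return dek, n + 1
        if device.wiped:
            return None, n + 1
    return None, 10 ** PIN_DIGITS


if __name__ == "__main__":
    dek = secrets.token_bytes(32)
    blob = wrap_dek(dek, "4821")
    found, tries = offline_brute_force(blob)
    print("offline:", "DEK recovered" if found == dek else "failed", "after", tries, "guesses")
    found, tries = online_brute_force(PinPadDevice("4821"))
    print("on device:", "DEK recovered" if found else "device wiped", "after", tries, "guesses")
```

Run it and the offline loop always recovers the key: a 4-digit PIN is at most 10,000 guesses, and even with a production iteration count that is minutes to hours of CPU time, not years. The device model instead wipes after the tenth wrong PIN. That difference, not the cipher, is the article's point: a PIN pad the host never sees removes the keylogger, and the retry counter is what removes brute force.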