LOK-IT Technical Overview

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
All information contained herein is considered confidential and is to be released only to the
intended recipient as directed by its author, Systematic Development Group, LLC. Any
unauthorized review, use, disclosure or distribution is prohibited. If you are not the
intended recipient, please notify the sender and destroy the original and any copies of this
document.
© 2011 Systematic Development Group, LLC. All rights reserved. Strictly Confidential.

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
© 2011 Systematic Development Group, LLC. All rights reserved. Strictly Confidential.

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
T A B L E O F C O N T E N T S
PRODUCTS/TECHNOLOGY ...........................................................................................1
Background .......................................................................................................1
SECURING ACCESS TO THE DRIVE: AUTHENTICATION ...................................................2
Password Based .................................................................................................2
Biometric ..........................................................................................................3
PIN Pad.............................................................................................................4
SECURING THE DRIVES DATA: ENCRYPTION .................................................................7
FIPS Standard ...................................................................................................7
AES Standard ....................................................................................................7
Encryption Modes: Electronic Codebook (ECB) vs. Cipher-Block Chaining (CBC) .........8
Software vs. Hardware Encryption...................................................................... 10
SECURING THE PHYSICAL DEVICE..............................................................................11
FIPS 140-2...................................................................................................... 11
Form 11
Epoxy Potting .................................................................................................. 11
Security Controller ........................................................................................... 11
PIN 12
IP Code........................................................................................................... 12
DEPLOYMENT...........................................................................................................14
Establish a User Awareness Training Program ...................................................... 14
Enterprise Preparation and Configuration ............................................................ 14
Internet Usage and File Exchange Policy ............................................................. 15
OS Independence............................................................................................. 15
Port Management............................................................................................. 15
Admin PIN....................................................................................................... 15
Anti-Malware ................................................................................................... 16
GENERAL SPECIFICATIONS .......................................................................................17
Features ......................................................................................................... 17
System Requirements....................................................................................... 17
LOK-IT FEATURE COMPARISONS................................................................................18
© 2011 Systematic Development Group, LLC. All rights reserved. Strictly Confidential.

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
© 2011 Systematic Development Group, LLC. All rights reserved. Strictly Confidential.

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
PRODUCTS/TECHNOLOGY
Background
Millions of USB Flash Drives (UFDs) are used daily for data backup and transfers, as well
as for intermediate and primary storage. It is UFD’s ease of use, portability and costeffectiveness
that have led to their widespread use.
Despite their acceptance, many mid and large sized organizations have restricted the use
of UFDs because they pose a potential information leak. It is feared that sensitive
information, if copied to one of these drives, might end up in the wrong hands.
Additionally, in the fourth quarter of 2008, the Department of Defense banned use of
UFD’s as a potential threat for infecting secure networks where existing UFD usage policies
were deficient.
For the reasons described above, non-secure UFD’s pose several security challenges.
Protecting the UFD and its contents from malicious and unauthorized access is paramount
to a comprehensive security strategy. As a result, the marketplace has responded with a
myriad of solutions attempting to address these issues.
LOK-IT’s security strategy is based on three key components; user authentication, data
encryption and physical protection of the drive and its components. The purpose of this
technical review is to document LOK-IT’s overall security strategy and address best
practices for UFD deployment. It is also intended to demonstrate why LOK-IT drives can
be relied upon and why they offer the optimal balance of usability, security and value.
Page 1 of 1

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
SECURING ACCESS TO THE DRIVE: AUTHENTICATION
Currently, the computer's standard USB Mass Storage Class has no provision for user
authentication. The UFD connects to the computer and the host’s Operating System (OS).
The detection of a USB drive prompts loading of a standard driver that results in mounting
the device as a standard file system disk. This mechanism is provided by a number of
operating systems and some embedded equipment such as that used in offices and
manufacturing.
In these scenarios, user authentication is the responsibility of the host computer; it must
engage the user in an authentication procedure to grant access to a drive’s content.
Common approaches to authentication include proprietary software-based password
authentication and fingerprint recognition known as biometric authentication.
LOK-IT manages user authentication through DataLock, a patent-pending hardwarebased
technology utilizing a PIN pad located on the device itself.
Password Based
Typical secure UFDs, unlike the LOK-IT drive, are shipped with a partition separating the
drive into fixed-size public and private memory locations. To activate security, the user is
required to insert the drive, thereby establishing a data channel between the two
locations. A software solution within the public partition is then used to prevent
unauthorized access to the private partition until the correct password is entered. Users
typically enter their password via the computer’s keyboard. Upon entry of a correct
password, the device is unlocked and the user is granted access to the private partition
and its contents. During this time, the drive and its contents are exposed and therefore
vulnerable. File operations now pass through an encryption process to the private
partition. This configuration remains until the user exits to reconnect with the public
partition or unplugs the drive.
Step Software User Authentication Hardware User Authentication
(LOK-IT)
1 Drive inserted into USB port User enters PIN on the device
2
3
Data communication channel
established
User enters Password via computer
keyboard
4 Correct Password unlocks drive
Correct PIN unlocks drive
Password-based authentication has a number of drawbacks:
Drive inserted into USB port
Data communication channel
established
Security breaches: Establishing a data communication channel prior to user
authentication exposes the drive to a variety of vulnerabilities to surreptitiously
steal the device’s password to gain unauthorized access.
o
o
Password extraction by malicious software: Keyboard loggers and other
spyware can intercept passwords and redirect to a malicious source. This is
risky in hostile environments such as public computers, library, internet café or
kiosk.
Extract password by dictionary/brute-force attack: A malicious application
can generate a great number of passwords in an attempt to gain access to a
protected UFD. This may take some time and is password dependent. As
Page 2 of 2

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
mentioned above, users typically use simple passwords as it is difficult to recall
“strong/good” passwords.
Authentication is Host and OS Dependent: While the public partition is visible
to any USB Mass Storage Class compliant OS, access to the private partition is
controlled by a proprietary authenticating application (software). Therefore,
authenticating applications must be created and distributed for each operating
environment. Beyond the initial installation and setup, the use of software for
authentication necessitates the user making certain their computer OS is
compatible with the latest version of the authentication software and the correct,
most current drivers are installed.
Reliance Upon the Internet: An alternative or supplemental authentication
method involves connection to a remote host over the Internet. The risks of
transmitting passwords over the Internet are well known. This also necessitates the
use of software on the device to communicate with the centralized management
software, making them platform-dependent and sensitive to any OS and driver
updates.
Complex User Interface: Many users avoid, or give up altogether, because the
procedure is perceived as complex and not particularly intuitive.
o
o
Cumbersome partition management: Users are unable to anticipate the
required size for private partitioning. If more space is needed later,
repartitioning requires reformatting, thereby requiring existing data to be
temporarily moved off the device.
Good security requires complex passwords: In order to defend against
dictionary and similar attacks, pass phrases must be long, complex, and include
special characters. Policy dictates a frequent change of passwords, making them
even harder to remember. In reality, users tend to create simple, easy to
remember passwords, and don’t change them unless forced to do so. Often,
they use the same password for multiple logins, and possibly on websites where
passwords are stored incorrectly and therefore vulnerable to discovery
Biometric
Less common than passwords are biometric authentication systems such as finger-print
scanning sensors. Authentication is similar to password-based drives with both public and
private partitions. The private partition is made available when the authorized fingerprint
is recognized.
Drawbacks to biometric authentication include:
Authentication is Host and OS dependent. While the public partition is visible to
any USB Mass Storage Class compliant OS, access to the private partition is
restricted to an OS-specific application that is capable of executing authentication.
Long-term reliability has not yet been established. Current methods of finger
print recognition, when packaged in a small scale UFD, do not provide the
necessary reliability. There are many reports indicating problems with false-positive
and false-negative readings.
A back door password is often used to compensate for inherent unreliability –
specifically because of the need to address false negatives (legitimate user cannot
gain access). This undermines the basis for biometric authentication in the first
place. Thus, it has all the vulnerabilities of password protection.
Page 3 of 3

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
Fingerprint recognition is best performed when the finger is clean without cuts.
Changes in skin surface can potentially create problems.
Biometric authentication is expensive. Biometrics adds a considerable price
premium. Biometric drives have seen limited success in the market place.
Restricted to office environments. It is impossible to work with biometric
sensors wearing gloves, which may be required for biotech and military applications
PIN Pad
LOK-IT is a self-secured, host-independent (cross-platform) UFD with a hardware
authentication mechanism. When locked, LOK-IT is invisible – and therefore
inaccessible – to its host. The drive is authenticated offline by users, who enter their
unique PIN codes. Only when the correct PIN is entered is the drive unlocked and
inserted into the USB port is a data channel established. As a result, a LOK-IT drive is
never recognizable to the computer until the correct PIN is entered and the drive is
unlocked and the PIN is not stored anywhere accessible via the computer.
Status indicators provide visual feedback for authentication. A red status indicator
means the drive is locked; green indicates the drive is unlocked and ready for
operation.
An auto-locking feature enables LOK-IT to lock itself when removed or the host shuts
down. After the drive is unlocked, it will automatically re-lock if a host is not detected
within 30 seconds. LOK-IT’s DataLock technology provides the following advantages:
Truly Host-Independence and Cross-Platform: Since authentication does not
depend on host functions, it works equally well with all operating systems that
support the USB Mass Storage Class: for example Windows, Mac OS, Linux, and
office equipment.
Authentication is Self Contained: No special software or driver installation
required. In fact, the host computer is not involved and unaware of the
authentication process. LOK-IT provides complete PIN management.
Zero File System Configuration: Since the drive can only mount after
authentication, there is no need for partitioning. The user experiences a single
partition that comprises the entire media.
Ease of Use: The LOK-IT usage model is intuitive and resembles that used with
debit cards and ATM machines. The user remembers a short PIN as opposed to a
long and complex password.
Immune to Host-Originated Attacks: Since no LOK-IT communication channel
exists when locked, it is immune to attacks originating from its host.
Two Factor Authentication: LOK-IT makes a natural Two Factor Authentication
device recommended by government and financial institutions. The term “Two
Factor Authentication” is used to describe an authentication mechanism that
requires (1) something you have (LOK-IT) and (2) something you know (PIN).
Using a typical software protected USB drive, a data channel is established as soon as the
drive is inserted into the USB port. The user enters a password using the computer
keyboard. If the password is matched to the password stored on the drive, access to the
encrypted media is granted. Typically the encryption key is stored in and read from the
flash. This methodology has several security flaws.
LOK-IT drives utilizing DataLock are unlocked using a PIN code on the device before access
to the drive is granted. The following is a non-technical description of DataLock.
Page 4 of 4

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
Step 1: LOK-IT is invisible to the computer until the user unlocks the drive. The user
enters a PIN which is processed by the tamper proof security controller (see Figure 1
below).
Figure 1
Step 2: When the correct PIN is entered, the user is authenticated; the USB Controller is
enabled and allowed to enumerate itself with the host computer (see Figure 2 below).
Figure 2
Page 5 of 5

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
Step 3: Next, the Encryption Key is passed to the Encryption/USB Controller (see Figure 3
below).
Figure 3
Step 4: The drive is now recognizable to the host computer; the data channel is
established; the encrypted media becomes accessible and the green LED illuminates. The
Encryption Key is stored in and read from the Security Controller (see Figure 4 below).
Figure 4
Page 6 of 6

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
SECURING THE DRIVES DATA: ENCRYPTION
Protecting the drive’s data is a vital component of any comprehensive security strategy
and is accomplished through various types and levels of encryption. LOK-IT employs FIPS
approved, AES 256-bit, CBC military grade hardware encryption.
FIPS Standard
Under the Information Technology Management Reform Act (Public Law 104-106), the
Secretary of Commerce approves standards and guidelines that are developed by the
National Institute of Standards and Technology (NIST) for Federal computer systems.
These standards and guidelines are issued by NIST as Federal Information Processing
Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling
Federal government requirements such as for security and interoperability and there are
no acceptable industry standards or solutions.
AES Standard
The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic
algorithm that can be used to protect electronic data. The AES algorithm is a symmetric
block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption
converts data to an unintelligible form called ciphertext; Decryption converts the
ciphertext into its original form, called plain text. The AES algorithm is capable of using
crypto graphic keys of 128, 192 and 256 bits to encrypt and decrypt data in blocks of 128
bits.
Page 7 of 7

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
Encryption Modes: Electronic Codebook (ECB) vs. Cipher-Block Chaining (CBC)
The simplest of the encryption modes is the electronic codebook (ECB) mode. The
message is divided into blocks and each block is encrypted separately. The disadvantage
of this method is that identical plaintext blocks are encrypted into identical ciphertext
blocks; thus it does not hide data patterns well.
Page 8 of 8

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
In the cipher-block chaining (CBC) mode, each block of plaintext is XORed with the
previous ciphertext block before being encrypted. This way, each ciphertext block is
dependent on all plaintext blocks processed up to that point. Also, to make each message
unique, an initialization vector must be used in the first block. As a result, CBC is a more
secure encryption mode and is why it is part of LOK-IT’s security strategy for protecting
drive content.
Page 9 of 9

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
Software vs. Hardware Encryption
The actual process of encryption and the algorithm used to encrypt data are the same
whether done in software or in hardware. Software encryption is performed by a
computer’s CPU using a program installed on a particular operating system.
Hardware encryption is performed in a processor dedicated to the task of encryption. The
instructions for encryption and decryption are embedded directly in this processor.
Hardware designed for a particular purpose can perform its task much faster than a
software implementation of the same task running on a computer CPU that is under the
control of an operating system.
Hardware encryption can be made transparent to other software while encryption done in
software cannot. Malicious code written by hackers can be designed to interfere with a
program used to perform software encryption. Hardware encryption, however, is
impervious to such attacks as malicious code has no means of accessing the operations
being performed by a processor dedicated to hardware encryption.
A further disadvantage to software encryption is the fact that it is specific to particular
operating systems. As such, if software encryption is performed on a Windows platform
and needs to be decrypted on a Macintosh platform, the encrypt/decrypt software must be
available on both platforms. Furthermore, encryption performed on a Windows 32-bit
platform must have the same encrypt/decrypt software available if they wish to decrypt on
a Windows 64-bit platform. Hardware encryption on the other hand is completely OS
independent
Page 10 of 10

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
SECURING THE PHYSICAL DEVICE
LOK-IT employs a series of measures to defend against physical tampering of the device
and attempted unauthorized access to its contents.
FIPS 140-2
LOK-IT models SDG003FM and SDG004FP are configured to meet FIPS 140-2 Level 3.
Both models have passed all CMVP requirements and are NIST listed (Certificate #1527).
LOK-IT models SDG002P and SDG005M incorporate the same user authentication,
encryption and epoxy coating as SDG003FM and SDG004FP but are not configured to meet
FIPS 140-2 Level 3.
Level 1: FIPS 140-2 Security Level 1 provides the lowest level of security. Basic security
requirements are specified for a cryptographic module (e.g., at least one Approved
algorithm or Approved security function shall be used). No specific physical security
mechanisms are required in a Security Level 1 cryptographic module beyond the basic
requirement for production-grade components.
Level 2: FIPS 140-2 Security Level 2 improves upon the physical security mechanisms of
a Security Level 1 cryptographic module by requiring features that show evidence of
tampering, including tamper-evident coatings or seals that must be broken to attain
physical access to the plaintext cryptographic keys and critical security parameters (CSPs)
within the module, or pick-resistant locks on covers or doors to protect against
unauthorized physical access.
Level 3: In addition to the tamper-evident physical security mechanisms required at
Security Level 2, FIPS 140-2 Security Level 3 attempts to prevent the intruder from
gaining access to CSPs held within the cryptographic module. Physical security
mechanisms required at Security Level 3 are intended to have a high probability of
detecting and responding to attempts at physical access, use or modification of the
cryptographic module. The physical security mechanisms may include the use of strong
enclosures and tamper detection/response circuitry that zeroes all plaintext CSPs when the
removable covers/doors of the cryptographic module are opened.
Form
SDG002P and SDG004FP utilize an ABS form. SDG003FM and SDG005M utilize an
anodized aluminum form. Through the FIPS process SDG will implement a uniform bonding
process for ABS casings on all models (FIPS and non FIPS approved) as well as qualifying
a standard for the anodized aluminum form.
Epoxy Potting
Epoxy potting defeats unauthorized access to the internal components within the
cryptographic boundary and provides evidence of such attempts. Attempted removal of
the epoxy potting causes irreversible damage to the components within the cryptographic
boundary, thereby rendering them useless.
LOK-IT models SDG003FM and SDG004FP are designed to meet epoxy potting
requirements for protection of the cryptographic module as specified by FIPS 140-2 Level
Level 3. LOK-IT models SDG002P and SDG005M use the same epoxy potting techniques
but are not configured to meet FIPS 140-2 Level 3.
Security Controller
Most secure UFD security systems store the encryption key on the flash media.
Accordingly, if the flash is accessed by forcing open the drive, the key can be accessed as
Page 11 of 11

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
well and used to decrypt the content. In addition to the epoxy potting all LOK-IT models
internal security system are designed to store the encryption key on a separate
electronically protected security controller. Therefore, even if the flash is accessed by
slicing away the epoxy potting, the encryption key remains secure and the data cannot be
decrypted.
PIN
Drive Default Status
To meet the varying requirements of clients, LOK-IT drives may be configured to be
shipped unlocked (i.e. use of PIN is optional) or disabled (i.e. PIN must be set before initial
use). See LOK-IT FEATURE COMPARISONS on page 18 for a listing of drive default states.
PIN Strength
PIN strength is a factor of PIN length as demonstrated in the table below. LOK-IT drives
are configured with variable minimum PIN length requirements. See LOK-IT FEATURE
COMPARISONS on page 18 for a listing of default minimum PIN lengths.
5 Key 10 Key
PIN
Length Probability "One In …"
PIN
Length Probability "One In …"
1 20.000000000% 5 1 10.000000000% 10
2 4.000000000% 25 2 1.000000000% 100
3 0.800000000% 125 3 0.100000000% 1,000
4 0.160000000% 625 4 0.010000000% 10,000
5 0.032000000% 3,125 5 0.001000000% 100,000
6 0.006400000% 15,625 6 0.000100000% 1,000,000
7 0.001280000% 78,125 7 0.000010000% 10,000,000
8 0.000256000% 390,625 8 0.000001000% 100,000,000
9 0.000051200% 1,953,125 9 0.000000100% 1,000,000,000
Incorrect PIN Attempts
After 10 unsuccessful PIN entries, the encryption key is deleted, both User and Master
PIN's are reset and stored data is no longer readable. If the drive is reinserted into a
computer, it cannot be used until a reformat operation is performed. When the user
selects the reformat option, all stored data is automatically deleted and a new encryption
key is created. Although all previously stored data has been deleted, this feature allows
the drive to be recovered for reuse.
IP Code
The IP Code (or International Protection Rating) consists of the letters IP followed by two
digits and an optional letter. As defined in international standard IEC 60529, it classifies
the degrees of protection provided against the intrusion of solid objects (including body
parts like hands and fingers), dust, accidental contact, and water in electrical enclosures.
The standard aims to provide users more detailed information than vague marketing terms
such as "waterproof". The digits ('characteristic numerals') indicate conformity with the IP
Code rating system. Where there is no protection rating with regard to one of the criteria,
the digit is replaced with the letter X.
Page 12 of 12

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
LOK-IT model SDG003FM and SDG005M have passed testing to achieve an IP57 Rating.
This rating denotes the following:
Level 5 denotes ‘Dust Protected’: Ingress of dust is not entirely prevented, but it must
not enter in sufficient quantity to interfere with the satisfactory operation of the
equipment; complete protection against contact
Level 7 denotes that it is protected against ‘immersion up to 1 meter of water’:
Ingress of water in harmful quantity shall not be possible when the enclosure is
immersed in water under defined conditions of pressure and time (up to 1 m of
submersion).
Page 13 of 13

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
DEPLOYMENT
Despite their widespread acceptance, recent events have caused many corporations and
governmental entities to revisit or establish policies regarding use of UFD’s. This has led
to an even larger conversation regarding best practice methods for use and deployment of
UFD’s. Virtually all manuals on cyber-security include statements that no electronic
measures can combat lack of training or failure to enforce policies. In addition most concur
sensitive/secret information is best stored on computers/devices with no access to the
Internet. Despite this reality, recently several solutions utilizing UFD’s to protect against
viruses/malware have been put forth.
It is our opinion that these solutions are ineffective and provide a false sense of security.
For example, portable anti-virus programs are relatively ineffective because they cannot
hook into web browsers and email clients the way that installed anti-virus programs can.
In addition, these solutions are time-consuming. It would likely take hours for a portable
anti-virus program to scan the entire computer system, including network drives, after
being invoked upon insertion of the UFD on which it resides. Reduced-scope scans (e.g.
Windows Registry only) provide very little security. Finally, these solutions cause conflicts
with installed anti-virus programs. Interference between simultaneously running anti-virus
products is widely discussed on internet forums.
The following are our recommendations for best practices for enterprise usage of secure
USB Drives.
Establish a User Awareness Training Program
USB drives provide a convenient means of transferring files between workstations.
Increased ease of transferring files can result in increased likelihood of transmitting
malware files unless sound security practices and policies exist. The original transmission
of malware files is almost always via the internet. Virtually all enterprise cyber-security
programs start with user awareness and training. Despite our desire for electronic
prevention of the spread of malware, no existing combination of products or technologies
is effective against an untrained user. Such a program should include:
Understanding Online Threats, Phishing, Fraud, Keystroke Loggers
Detecting and Avoiding Bots and Zombies
Using Browsers and Downloading Files
Blogging and Social Networking
Insider Threats
Enterprise Preparation and Configuration
The enterprise should generally include the following:
Anti-Virus, Anti-Spyware, and Other Protective Software
Sound Authentication Mechanisms
Access Controls, Including Wireless, Modems, VPNs, and Physical Access
Host-based Firewalls and Filtering
Automated Deployment of Updates and Patches
Software Authenticity Verification (Digital Signatures, MD5, etc.)
Data Encryption
Page 14 of 14

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
USB Port Management: Port Management Software addresses the case where there
is a need to limit the type of USB drive that can be used.
Internet Usage and File Exchange Policy
The enterprise must have a policy on how information can be exchanged between and
within organizations. The policy must address the usage of USB drives on non-managed
computers, such as those in their homes. If such use is permitted, a policy addressing
preparation and configuration of home computers must exist, typically in combination with
explicit scanning of any files transferred from USB drives to enterprise computers.
Encryption of sensitive information stored on backups, removable media or in emails is
recommended. In the case of removable media that is exposed to possible physical loss,
strong encryption is essential (the LOK-IT drive does this automatically).
OS Independence
Operating system independence is critical for any large-scale deployment of UFDs. LOK-IT
drives provide all authentication and encryption tasks within the hardware controllers.
Since these tasks are completed without interaction of the computer operating system,
LOK-IT is completely platform independent. This makes deployment of the drives very
simple, in that IT administrators do not have to consider any of the following elements
that are a part of other secure flash drive deployments:
Computer operating systems in use
Versions/releases of those operating systems
Future OS compatibility
Flash drive software rollout issues
Flash drive software upgrades, updates and patches
Other secure drives must use software for authentication, along with possible software for
encryption or other tasks. The software either requires installation on the computer in
order to use, or the software is embedded within the drive. In either case, the software
interacts with the computer’s operating system, so compatibility with both current and
possible future operating systems must be a consideration.
These considerations are not relevant to LOK-IT deployment.
Port Management
Port management software empowers network administrators to restrict access and use of
UFD’s within a network. Through use of port management software, historical usage data
is also recorded in a central location. LOK-IT does not rely upon software on the host for
user authentication or encryption, therefore it is agnostic to port management software.
Each device is coded with a unique (electronic) VID/PID thereby making it compatible with
any port management software (i.e. DeviceLock, DeviceWall, Sanctuary Device Control,
etc).
Admin PIN
LOK-IT is configurable for use with an administrator PIN (in addition to the user PIN)
thereby making the drive and its contents recoverable if the user PIN is forgotten or the
user refuses to or is unable to provide their PIN (e.g. termination or death). To use this
feature, the Admin PIN is set prior to distribution to the user. It is possible to set the
Admin PIN after the user has set their PIN, however, the user must first unlock the drive
to do so. Using the Admin PIN, the UFD may be unlocked and the contents accessible at
Page 15 of 15

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
any time. For security purposes, when the drive is unlocked using the Admin PIN, the user
PIN is automatically cleared and must be reset.
Anti-Malware
If users are permitted to install or run executables not contained on a white-list, an antimalware
program must be installed on the host computer. An installed anti-malware is
the best means for protecting the host computer from infection by malware. Installation of
additional anti-malware on UFD’s is likely to interfere with the anti-malware installed at
the end-point.
Like CD disks, flash drives may contain auto-run files that allow a program on the drive to
run automatically when the drive is connected. In the Windows operating system, this
setting is off by default, to protect users from malware-contaminated devices. An
administrator can set a policy whereby end users cannot enable auto-run on any device.
Page 16 of 16

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
GENERAL SPECIFICATIONS
Features
USB 2.0 compliant (USB 1.1 is implied as it is backward compatible)
Works with all Windows, Mac, Linux and embedded/office and home-entertainment
systems
Self-contained hardware-based security
FIPS Certified AES 256 Bit on-the-fly hardware encryption
No software required
Easy and intuitive to use
Auto-Locks immediately upon disconnect or computer shutdown
Rechargeable battery
Drive recovery in case of forgotten PIN
USB-IF Certified
FCC
CE/EMC
IP57 (10 KEY Only)
Package with Lanyard
Credit Card Style User Guide
System Requirements
Any operating system that supports USB 2.0 (Windows, Mac, Linux, etc)
o
o
o
Security does not require any computer software / drivers
Comes pre-formatted as FAT32
Can be reformatted for any file system
Available USB port (version 2.0 for faster read/write access)
Page 17 of 17

S Y S T E M A T I C D E V E L O P M E N T G R O U P , L L C
LOK-IT FEATURE COMPARISONS
(1) NIST Listed. FIPS 140-2 Level 3 Certificate #1527
Page 18 of 18