LOK-IT Technical Overview
SYSTEMATIC DEVELOPMENT GROUP, LLC

All information contained herein is considered confidential and is to be released only to the
intended recipient as directed by its author, Systematic Development Group, LLC. Any
unauthorized review, use, disclosure or distribution is prohibited. If you are not the
intended recipient, please notify the sender and destroy the original and any copies of this
document.

© 2011 Systematic Development Group, LLC. All rights reserved. Strictly Confidential.

TABLE OF CONTENTS
PRODUCTS/TECHNOLOGY
  Background
SECURING ACCESS TO THE DRIVE: AUTHENTICATION
  Password Based
  Biometric
  PIN Pad
SECURING THE DRIVE'S DATA: ENCRYPTION
  FIPS Standard
  AES Standard
  Encryption Modes: Electronic Codebook (ECB) vs. Cipher-Block Chaining (CBC)
  Software vs. Hardware Encryption
SECURING THE PHYSICAL DEVICE
  FIPS 140-2
  Form
  Epoxy Potting
  Security Controller
  PIN
  IP Code
DEPLOYMENT
  Establish a User Awareness Training Program
  Enterprise Preparation and Configuration
  Internet Usage and File Exchange Policy
  OS Independence
  Port Management
  Admin PIN
  Anti-Malware
GENERAL SPECIFICATIONS
  Features
  System Requirements
LOK-IT FEATURE COMPARISONS

PRODUCTS/TECHNOLOGY

Background
Millions of USB Flash Drives (UFDs) are used daily for data backup and transfers, as well
as for intermediate and primary storage. It is their ease of use, portability and
cost-effectiveness that have led to their widespread use.

Despite their acceptance, many mid- and large-sized organizations have restricted the use
of UFDs because they pose a potential information leak. It is feared that sensitive
information, if copied to one of these drives, might end up in the wrong hands.
Additionally, in the fourth quarter of 2008, the Department of Defense banned use of
UFDs as a potential threat for infecting secure networks where existing UFD usage policies
were deficient.

For the reasons described above, non-secure UFDs pose several security challenges.
Protecting the UFD and its contents from malicious and unauthorized access is paramount
to a comprehensive security strategy. As a result, the marketplace has responded with a
myriad of solutions attempting to address these issues.

LOK-IT’s security strategy is based on three key components: user authentication, data
encryption and physical protection of the drive and its components. The purpose of this
technical review is to document LOK-IT’s overall security strategy and address best
practices for UFD deployment. It is also intended to demonstrate why LOK-IT drives can
be relied upon and why they offer the optimal balance of usability, security and value.

SECURING ACCESS TO THE DRIVE: AUTHENTICATION
Currently, the computer's standard USB Mass Storage Class has no provision for user
authentication. The UFD connects to the computer and the host’s Operating System (OS).
The detection of a USB drive prompts loading of a standard driver that results in mounting
the device as a standard file system disk. This mechanism is provided by a number of
operating systems and some embedded equipment such as that used in offices and
manufacturing.

In these scenarios, user authentication is the responsibility of the host computer; it must
engage the user in an authentication procedure to grant access to a drive’s content.
Common approaches to authentication include proprietary software-based password
authentication and fingerprint recognition, known as biometric authentication.

LOK-IT manages user authentication through DataLock, a patent-pending hardware-based
technology utilizing a PIN pad located on the device itself.

Password Based
Typical secure UFDs, unlike the LOK-IT drive, are shipped with a partition separating the
drive into fixed-size public and private memory locations. To activate security, the user is
required to insert the drive, thereby establishing a data channel between the two
locations. A software solution within the public partition is then used to prevent
unauthorized access to the private partition until the correct password is entered. Users
typically enter their password via the computer’s keyboard. Upon entry of a correct
password, the device is unlocked and the user is granted access to the private partition
and its contents. During this time, the drive and its contents are exposed and therefore
vulnerable. File operations now pass through an encryption process to the private
partition. This configuration remains until the user exits to reconnect with the public
partition or unplugs the drive.

Step  Software User Authentication                 Hardware User Authentication (LOK-IT)
1     Drive inserted into USB port                 User enters PIN on the device
2     Data communication channel established       Correct PIN unlocks drive
3     User enters Password via computer keyboard   Drive inserted into USB port
4     Correct Password unlocks drive               Data communication channel established

Password-based authentication has a number of drawbacks:
• Security breaches: Establishing a data communication channel prior to user
  authentication exposes the drive to a variety of vulnerabilities that can be used to
  surreptitiously steal the device’s password and gain unauthorized access.
  o Password extraction by malicious software: Keyboard loggers and other
    spyware can intercept passwords and redirect them to a malicious source. This is
    risky in hostile environments such as public computers in a library, internet café or
    kiosk.
  o Password extraction by dictionary/brute-force attack: A malicious application
    can generate a great number of passwords in an attempt to gain access to a
    protected UFD. This may take some time and is password dependent. As
    mentioned above, users typically use simple passwords as it is difficult to recall
    “strong/good” passwords.
• Authentication is Host and OS Dependent: While the public partition is visible
  to any USB Mass Storage Class compliant OS, access to the private partition is
  controlled by a proprietary authenticating application (software). Therefore,
  authenticating applications must be created and distributed for each operating
  environment. Beyond the initial installation and setup, the use of software for
  authentication requires users to make certain that their computer's OS is
  compatible with the latest version of the authentication software and that the correct,
  most current drivers are installed.
• Reliance Upon the Internet: An alternative or supplemental authentication
  method involves connection to a remote host over the Internet. The risks of
  transmitting passwords over the Internet are well known. This also necessitates the
  use of software on the device to communicate with the centralized management
  software, making such drives platform-dependent and sensitive to any OS and driver
  updates.
• Complex User Interface: Many users avoid the procedure, or give up altogether,
  because it is perceived as complex and not particularly intuitive.
  o Cumbersome partition management: Users are unable to anticipate the
    required size for private partitioning. If more space is needed later,
    repartitioning requires reformatting, thereby requiring existing data to be
    temporarily moved off the device.
  o Good security requires complex passwords: In order to defend against
    dictionary and similar attacks, pass phrases must be long, complex, and include
    special characters. Policy dictates a frequent change of passwords, making them
    even harder to remember. In reality, users tend to create simple, easy to
    remember passwords, and don’t change them unless forced to do so. Often,
    they use the same password for multiple logins, and possibly on websites where
    passwords are stored incorrectly and therefore vulnerable to discovery.

Biometric
Less common than passwords are biometric authentication systems such as fingerprint
scanning sensors. Authentication is similar to password-based drives with both public and
private partitions. The private partition is made available when the authorized fingerprint
is recognized.

Drawbacks to biometric authentication include:
• Authentication is Host and OS dependent. While the public partition is visible to
  any USB Mass Storage Class compliant OS, access to the private partition is
  restricted to an OS-specific application that is capable of executing authentication.
• Long-term reliability has not yet been established. Current methods of
  fingerprint recognition, when packaged in a small scale UFD, do not provide the
  necessary reliability. There are many reports indicating problems with false-positive
  and false-negative readings.
• A back door password is often used to compensate for inherent unreliability,
  specifically because of the need to address false negatives (legitimate user cannot
  gain access). This undermines the basis for biometric authentication in the first
  place. Thus, it has all the vulnerabilities of password protection.
• Fingerprint recognition is best performed when the finger is clean without cuts.
  Changes in skin surface can potentially create problems.
• Biometric authentication is expensive. Biometrics adds a considerable price
  premium. Biometric drives have seen limited success in the marketplace.
• Restricted to office environments. It is impossible to work with biometric
  sensors wearing gloves, which may be required for biotech and military applications.

PIN Pad
LOK-IT is a self-secured, host-independent (cross-platform) UFD with a hardware
authentication mechanism. When locked, LOK-IT is invisible – and therefore
inaccessible – to its host. The drive is authenticated offline by users, who enter their
unique PIN codes. Only once the correct PIN has been entered, the drive unlocked and
inserted into the USB port, is a data channel established. As a result, a LOK-IT drive is
never recognizable to the computer until the correct PIN is entered and the drive is
unlocked, and the PIN is not stored anywhere accessible via the computer.

Status indicators provide visual feedback for authentication. A red status indicator
means the drive is locked; green indicates the drive is unlocked and ready for
operation.

An auto-locking feature enables LOK-IT to lock itself when it is removed or the host shuts
down. After the drive is unlocked, it will automatically re-lock if a host is not detected
within 30 seconds.

LOK-IT’s DataLock technology provides the following advantages:
• Truly Host-Independent and Cross-Platform: Since authentication does not
  depend on host functions, it works equally well with all operating systems that
  support the USB Mass Storage Class: for example Windows, Mac OS, Linux, and
  office equipment.
• Authentication is Self Contained: No special software or driver installation is
  required. In fact, the host computer is not involved in and is unaware of the
  authentication process. LOK-IT provides complete PIN management.
• Zero File System Configuration: Since the drive can only mount after
  authentication, there is no need for partitioning. The user experiences a single
  partition that comprises the entire media.
• Ease of Use: The LOK-IT usage model is intuitive and resembles that used with
  debit cards and ATM machines. The user remembers a short PIN as opposed to a
  long and complex password.
• Immune to Host-Originated Attacks: Since no LOK-IT communication channel
  exists when locked, it is immune to attacks originating from its host.
• Two Factor Authentication: LOK-IT makes a natural Two Factor Authentication
  device, as recommended by government and financial institutions. The term “Two
  Factor Authentication” is used to describe an authentication mechanism that
  requires (1) something you have (LOK-IT) and (2) something you know (PIN).

Using a typical software protected USB drive, a data channel is established as soon as the
drive is inserted into the USB port. The user enters a password using the computer
keyboard. If the password is matched to the password stored on the drive, access to the
encrypted media is granted. Typically the encryption key is stored in and read from the
flash. This methodology has several security flaws.

LOK-IT drives utilizing DataLock are unlocked using a PIN code on the device before access
to the drive is granted. The following is a non-technical description of DataLock.

Step 1: LOK-IT is invisible to the computer until the user unlocks the drive. The user
enters a PIN which is processed by the tamper proof security controller (see Figure 1
below).

Figure 1

Step 2: When the correct PIN is entered, the user is authenticated; the USB Controller is
enabled and allowed to enumerate itself with the host computer (see Figure 2 below).

Figure 2

Step 3: Next, the Encryption Key is passed to the Encryption/USB Controller (see Figure 3
below).

Figure 3

Step 4: The drive is now recognizable to the host computer; the data channel is
established; the encrypted media becomes accessible and the green LED illuminates. The
Encryption Key is stored in and read from the Security Controller (see Figure 4 below).

Figure 4

SECURING THE DRIVE'S DATA: ENCRYPTION
Protecting the drive’s data is a vital component of any comprehensive security strategy
and is accomplished through various types and levels of encryption. LOK-IT employs FIPS
approved, AES 256-bit, CBC military grade hardware encryption.

FIPS Standard
Under the Information Technology Management Reform Act (Public Law 104-106), the
Secretary of Commerce approves standards and guidelines that are developed by the
National Institute of Standards and Technology (NIST) for Federal computer systems.
These standards and guidelines are issued by NIST as Federal Information Processing
Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling
Federal government requirements such as for security and interoperability and there are
no acceptable industry standards or solutions.

AES Standard
The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic
algorithm that can be used to protect electronic data. The AES algorithm is a symmetric
block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption
converts data to an unintelligible form called ciphertext; decryption converts the
ciphertext into its original form, called plaintext. The AES algorithm is capable of using
cryptographic keys of 128, 192 and 256 bits to encrypt and decrypt data in blocks of 128
bits.

Encryption Modes: Electronic Codebook (ECB) vs. Cipher-Block Chaining (CBC)
The simplest of the encryption modes is the electronic codebook (ECB) mode. The
message is divided into blocks and each block is encrypted separately. The disadvantage
of this method is that identical plaintext blocks are encrypted into identical ciphertext
blocks; thus it does not hide data patterns well.

In the cipher-block chaining (CBC) mode, each block of plaintext is XORed with the
previous ciphertext block before being encrypted. This way, each ciphertext block is
dependent on all plaintext blocks processed up to that point. Also, to make each message
unique, an initialization vector must be used in the first block. As a result, CBC is a more
secure encryption mode than ECB, which is why it is part of LOK-IT’s security strategy for
protecting drive content.
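
The difference between the two modes can be measured directly. The following is an added example, not code from this document or from the LOK-IT firmware: a compact pure-Python AES-256 block encryption written for illustration, wrapped in ECB and CBC, and run over a constructed 512-byte sector of identical 16-byte records. The sample record, function names and IV handling are assumptions.

```python
"""ECB vs. CBC pattern leakage with a compact pure-Python AES-256 (encrypt only)."""
import os

def _xtime(a):
    """Multiply a byte by x in GF(2^8), reducing by the AES polynomial 0x11B."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def _gmul(a, b):
    """Multiply two bytes in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """S-box: multiplicative inverse followed by the FIPS-197 affine transform."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        box.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2)
                   ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return box

SBOX = _build_sbox()

def expand_key(key):
    """AES-256 key schedule: 32-byte key -> 15 round keys of 16 bytes each."""
    if len(key) != 32:
        raise ValueError("AES-256 needs a 32-byte key")
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:                      # RotWord, SubWord, round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:                    # extra SubWord step for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def encrypt_block(round_keys, block):
    """Encrypt one 16-byte block (14 rounds, state kept in column-major order)."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 15):
        s = [SBOX[b] for b in s]                                # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]      # ShiftRows
        if rnd < 14:                                            # MixColumns
            mixed = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                mixed += [_gmul(a[j], 2) ^ _gmul(a[(j + 1) % 4], 3)
                          ^ a[(j + 2) % 4] ^ a[(j + 3) % 4] for j in range(4)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]         # AddRoundKey
    return bytes(s)

def _blocks(data):
    if len(data) % 16:
        raise ValueError("data must be a whole number of 16-byte blocks")
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def ecb_encrypt(key, data):
    """ECB: every block is encrypted independently with the same key."""
    rk = expand_key(key)
    return b"".join(encrypt_block(rk, blk) for blk in _blocks(data))

def cbc_encrypt(key, iv, data):
    """CBC: each plaintext block is XORed with the previous ciphertext block."""
    rk, prev, out = expand_key(key), iv, []
    for blk in _blocks(data):
        prev = encrypt_block(rk, bytes(p ^ c for p, c in zip(blk, prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))

# Constructed sample: one 512-byte sector holding 32 copies of a 16-byte record.
SECTOR = b"ACCT=0000;BAL=0\n" * 32

if __name__ == "__main__":
    key, iv = os.urandom(32), os.urandom(16)
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, SECTOR)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv, SECTOR)))
```

Under ECB all 32 ciphertext blocks are the same, so anyone holding the raw flash image can see that the sector repeats one record; under CBC no block repeats.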

Software vs. Hardware Encryption
The actual process of encryption and the algorithm used to encrypt data are the same
whether done in software or in hardware. Software encryption is performed by a
computer’s CPU using a program installed on a particular operating system.

Hardware encryption is performed in a processor dedicated to the task of encryption. The
instructions for encryption and decryption are embedded directly in this processor.
Hardware designed for a particular purpose can perform its task much faster than a
software implementation of the same task running on a computer CPU that is under the
control of an operating system.

Hardware encryption can be made transparent to other software while encryption done in
software cannot. Malicious code written by hackers can be designed to interfere with a
program used to perform software encryption. Hardware encryption, however, is
impervious to such attacks as malicious code has no means of accessing the operations
being performed by a processor dedicated to hardware encryption.

A further disadvantage to software encryption is the fact that it is specific to particular
operating systems. As such, if software encryption is performed on a Windows platform
and needs to be decrypted on a Macintosh platform, the encrypt/decrypt software must be
available on both platforms. Furthermore, data encrypted on a Windows 32-bit
platform requires the same encrypt/decrypt software to be available for decryption on
a Windows 64-bit platform. Hardware encryption on the other hand is completely OS
independent.

SECURING THE PHYSICAL DEVICE
LOK-IT employs a series of measures to defend against physical tampering of the device
and attempted unauthorized access to its contents.

FIPS 140-2
LOK-IT models SDG003FM and SDG004FP are configured to meet FIPS 140-2 Level 3.
Both models have passed all CMVP requirements and are NIST listed (Certificate #1527).
LOK-IT models SDG002P and SDG005M incorporate the same user authentication,
encryption and epoxy coating as SDG003FM and SDG004FP but are not configured to meet
FIPS 140-2 Level 3.

Level 1: FIPS 140-2 Security Level 1 provides the lowest level of security. Basic security
requirements are specified for a cryptographic module (e.g., at least one Approved
algorithm or Approved security function shall be used). No specific physical security
mechanisms are required in a Security Level 1 cryptographic module beyond the basic
requirement for production-grade components.

Level 2: FIPS 140-2 Security Level 2 improves upon the physical security mechanisms of
a Security Level 1 cryptographic module by requiring features that show evidence of
tampering, including tamper-evident coatings or seals that must be broken to attain
physical access to the plaintext cryptographic keys and critical security parameters (CSPs)
within the module, or pick-resistant locks on covers or doors to protect against
unauthorized physical access.

Level 3: In addition to the tamper-evident physical security mechanisms required at
Security Level 2, FIPS 140-2 Security Level 3 attempts to prevent the intruder from
gaining access to CSPs held within the cryptographic module. Physical security
mechanisms required at Security Level 3 are intended to have a high probability of
detecting and responding to attempts at physical access, use or modification of the
cryptographic module. The physical security mechanisms may include the use of strong
enclosures and tamper detection/response circuitry that zeroes all plaintext CSPs when the
removable covers/doors of the cryptographic module are opened.

Form
SDG002P and SDG004FP utilize an ABS form. SDG003FM and SDG005M utilize an
anodized aluminum form. Through the FIPS process SDG will implement a uniform bonding
process for ABS casings on all models (FIPS and non-FIPS approved) as well as qualifying
a standard for the anodized aluminum form.

Epoxy Potting
Epoxy potting defeats unauthorized access to the internal components within the
cryptographic boundary and provides evidence of such attempts. Attempted removal of
the epoxy potting causes irreversible damage to the components within the cryptographic
boundary, thereby rendering them useless.

LOK-IT models SDG003FM and SDG004FP are designed to meet epoxy potting
requirements for protection of the cryptographic module as specified by FIPS 140-2
Level 3. LOK-IT models SDG002P and SDG005M use the same epoxy potting techniques
but are not configured to meet FIPS 140-2 Level 3.

Security Controller
Most secure UFD security systems store the encryption key on the flash media.
Accordingly, if the flash is accessed by forcing open the drive, the key can be accessed as
well and used to decrypt the content. In addition to the epoxy potting, the internal
security systems of all LOK-IT models are designed to store the encryption key on a separate
electronically protected security controller. Therefore, even if the flash is accessed by
slicing away the epoxy potting, the encryption key remains secure and the data cannot be
decrypted.

PIN
Drive Default Status
To meet the varying requirements of clients, LOK-IT drives may be configured to be
shipped unlocked (i.e. use of PIN is optional) or disabled (i.e. PIN must be set before initial
use). See LOK-IT FEATURE COMPARISONS on page 18 for a listing of drive default states.

PIN Strength
PIN strength is a function of PIN length, as demonstrated in the table below. LOK-IT drives
are configured with variable minimum PIN length requirements. See LOK-IT FEATURE
COMPARISONS on page 18 for a listing of default minimum PIN lengths.

5 Key                                      10 Key
PIN Length  Probability    "One In …"      PIN Length  Probability    "One In …"
1           20.000000000%  5               1           10.000000000%  10
2           4.000000000%   25              2           1.000000000%   100
3           0.800000000%   125             3           0.100000000%   1,000
4           0.160000000%   625             4           0.010000000%   10,000
5           0.032000000%   3,125           5           0.001000000%   100,000
6           0.006400000%   15,625          6           0.000100000%   1,000,000
7           0.001280000%   78,125          7           0.000010000%   10,000,000
8           0.000256000%   390,625         8           0.000001000%   100,000,000
9           0.000051200%   1,953,125       9           0.000000100%   1,000,000,000

Incorrect PIN Attempts
After 10 unsuccessful PIN entries, the encryption key is deleted, both User and Master
PINs are reset and stored data is no longer readable. If the drive is reinserted into a
computer, it cannot be used until a reformat operation is performed. When the user
selects the reformat option, all stored data is automatically deleted and a new encryption
key is created. Although all previously stored data has been deleted, this feature allows
the drive to be recovered for reuse.
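
The PIN strength table and the 10-attempt limit combine into one figure a deployer can use when setting a minimum PIN length: the chance that a finder's ten guesses include the PIN before the key is deleted. The following is an added example, not vendor code; the `PinLockModel` class is a hypothetical model of the behaviour described above, with a single PIN, a counter that resets on a correct entry, and a new PIN set at reformat as assumptions the document does not state.

```python
"""Guessing odds under the 10-attempt wipe, plus a small model of the lockout."""
import hmac
import os
from fractions import Fraction

MAX_FAILED = 10  # from the document: key is deleted after 10 unsuccessful entries

def guess_probability(keys, pin_length, attempts=MAX_FAILED):
    """Chance that `attempts` distinct guesses hit a uniformly random PIN."""
    space = keys ** pin_length
    return Fraction(min(attempts, space), space)

def min_pin_length(keys, max_risk, attempts=MAX_FAILED):
    """Shortest PIN length whose guess probability does not exceed max_risk."""
    length = 1
    while guess_probability(keys, length, attempts) > max_risk:
        length += 1
    return length

class PinLockModel:
    """Hypothetical model of the lockout behaviour; not the DataLock firmware."""

    def __init__(self, pin):
        self._pin = pin.encode()
        self.key = os.urandom(32)       # stands in for the AES-256 key
        self.failed = 0
        self.unlocked = False

    @property
    def wiped(self):
        return self.key is None

    def enter_pin(self, pin):
        if self.wiped:
            return False                # nothing to unlock until a reformat
        if hmac.compare_digest(pin.encode(), self._pin):
            self.failed = 0             # assumption: correct PIN resets the counter
            self.unlocked = True
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED:
            self.key = None             # encryption key deleted, data unreadable
            self._pin = None            # PIN reset
            self.unlocked = False
        return False

    def reformat(self, new_pin):
        """Recover a wiped drive for reuse with a fresh key (old data stays lost)."""
        self.key = os.urandom(32)
        self._pin = new_pin.encode()    # assumption: a new PIN is set at this point
        self.failed = 0

if __name__ == "__main__":
    for keys in (5, 10):                # the two keypad sizes in the table above
        for length in (4, 7, 9):
            p = guess_probability(keys, length)
            print(f"{keys}-key, length {length}: 1 in {float(1 / p):,.1f}")
    # Constructed policy target: at most a one-in-a-million chance per lost drive.
    target = Fraction(1, 10**6)
    print("10-key minimum length:", min_pin_length(10, target))
    print(" 5-key minimum length:", min_pin_length(5, target))
```

With ten guesses allowed, the "One In …" column is effectively divided by ten, so a 4-digit PIN on a 10-key pad gives a finder a 1 in 1,000 chance rather than 1 in 10,000.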

IP Code
The IP Code (or International Protection Rating) consists of the letters IP followed by two
digits and an optional letter. As defined in international standard IEC 60529, it classifies
the degrees of protection provided against the intrusion of solid objects (including body
parts like hands and fingers), dust, accidental contact, and water in electrical enclosures.
The standard aims to provide users more detailed information than vague marketing terms
such as "waterproof". The digits ('characteristic numerals') indicate conformity with the IP
Code rating system. Where there is no protection rating with regard to one of the criteria,
the digit is replaced with the letter X.

LOK-IT models SDG003FM and SDG005M have passed testing to achieve an IP57 Rating.
This rating denotes the following:
• Level 5 denotes ‘Dust Protected’: Ingress of dust is not entirely prevented, but it must
  not enter in sufficient quantity to interfere with the satisfactory operation of the
  equipment; complete protection against contact.
• Level 7 denotes that it is protected against ‘immersion up to 1 meter of water’:
  Ingress of water in harmful quantity shall not be possible when the enclosure is
  immersed in water under defined conditions of pressure and time (up to 1 m of
  submersion).

DEPLOYMENT
Despite their widespread acceptance, recent events have caused many corporations and
governmental entities to revisit or establish policies regarding use of UFDs. This has led
to an even larger conversation regarding best practice methods for use and deployment of
UFDs. Virtually all manuals on cyber-security include statements that no electronic
measures can combat lack of training or failure to enforce policies. In addition, most concur
that sensitive/secret information is best stored on computers/devices with no access to the
Internet. Despite this reality, several solutions utilizing UFDs to protect against
viruses/malware have recently been put forth.

It is our opinion that these solutions are ineffective and provide a false sense of security.
For example, portable anti-virus programs are relatively ineffective because they cannot
hook into web browsers and email clients the way that installed anti-virus programs can.
In addition, these solutions are time-consuming. It would likely take hours for a portable
anti-virus program to scan the entire computer system, including network drives, after
being invoked upon insertion of the UFD on which it resides. Reduced-scope scans (e.g.
Windows Registry only) provide very little security. Finally, these solutions cause conflicts
with installed anti-virus programs. Interference between simultaneously running anti-virus
products is widely discussed on internet forums.

The following are our recommendations for best practices for enterprise usage of secure
USB Drives.
Establish a User Awareness Training Program<br />
USB drives provide a convenient means of transferring files between workstations.<br />
Increased ease of transferring files can result in increased likelihood of transmitting<br />
malware files unless sound security practices and policies exist. The original transmission<br />
of malware files is almost always via the internet. Virtually all enterprise cyber-security<br />
programs start with user awareness and training. Despite our desire for electronic<br />
prevention of the spread of malware, no existing combination of products or technologies<br />
is effective against an untrained user. Such a program should include:<br />
Understanding Online Threats, Phishing, Fraud, Keystroke Loggers<br />
Detecting and Avoiding Bots and Zombies<br />
Using Browsers and Downloading Files<br />
Blogging and Social Networking<br />
Insider Threats<br />
Enterprise Preparation and Configuration<br />
The enterprise should generally include the following:<br />
Anti-Virus, Anti-Spyware, and Other Protective Software<br />
Sound Authentication Mechanisms<br />
Access Controls, Including Wireless, Modems, VPNs, and Physical Access<br />
Host-based Firewalls and Filtering<br />
Automated Deployment of Updates and Patches<br />
Software Authenticity Verification (Digital Signatures, MD5, etc.)<br />
Data Encryption<br />
USB Port Management: Port Management Software addresses the case where there<br />
is a need to limit the type of USB drive that can be used.<br />
Internet Usage and File Exchange Policy<br />
The enterprise must have a policy on how information can be exchanged between and<br />
within organizations. The policy must address the usage of USB drives on non-managed<br />
computers, such as those in users’ homes. If such use is permitted, a policy addressing<br />
preparation and configuration of home computers must exist, typically in combination with<br />
explicit scanning of any files transferred from USB drives to enterprise computers.<br />
Encryption of sensitive information stored on backups, removable media or in emails is<br />
recommended. In the case of removable media that is exposed to possible physical loss,<br />
strong encryption is essential (the LOK-IT drive does this automatically).<br />
OS Independence<br />
Operating system independence is critical for any large-scale deployment of UFDs. LOK-IT<br />
drives provide all authentication and encryption tasks within the hardware controllers.<br />
Since these tasks are completed without interaction of the computer operating system,<br />
LOK-IT is completely platform independent. This makes deployment of the drives very<br />
simple, in that IT administrators do not have to consider any of the following elements<br />
that are a part of other secure flash drive deployments:<br />
Computer operating systems in use<br />
Versions/releases of those operating systems<br />
Future OS compatibility<br />
Flash drive software rollout issues<br />
Flash drive software upgrades, updates and patches<br />
Other secure drives must use software for authentication, along with possible software for<br />
encryption or other tasks. The software either requires installation on the computer in<br />
order to use, or the software is embedded within the drive. In either case, the software<br />
interacts with the computer’s operating system, so compatibility with both current and<br />
possible future operating systems must be a consideration.<br />
These considerations are not relevant to LOK-IT deployment.<br />
Port Management<br />
Port management software empowers network administrators to restrict access and use of<br />
UFDs within a network. Through use of port management software, historical usage data<br />
is also recorded in a central location. LOK-IT does not rely upon software on the host for<br />
user authentication or encryption; therefore, it is agnostic to port management software.<br />
Each device is coded with a unique (electronic) VID/PID, thereby making it compatible with<br />
any port management software (e.g. DeviceLock, DeviceWall, Sanctuary Device Control,<br />
etc.).<br />
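The VID/PID matching that port management software performs, sketched as an added example (not code from this document or from any of the products named above). It assumes Windows-style `USB\VID_xxxx&PID_xxxx\serial` instance IDs; the VID/PID values, serial numbers and allowlist are constructed placeholders, not real LOK-IT identifiers. Because a VID/PID pair is reported by the device and names a product model, the sketch also shows optional pinning to registered serial numbers.

```python
import re

INSTANCE_RE = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:\\(.+))?$", re.IGNORECASE)

# Constructed policy with placeholder IDs (not real LOK-IT identifiers).
# None approves every unit of a model; a set pins registered serial numbers.
ALLOWLIST = {
    ("AAAA", "0001"): None,
    ("AAAA", "0002"): {"SN-1001", "SN-1002"},
}

def parse_instance_id(instance_id):
    """Return (VID, PID, serial-or-None) in upper-case hex, or None if malformed."""
    m = INSTANCE_RE.match(instance_id.strip())
    if not m:
        return None
    vid, pid, serial = m.groups()
    return vid.upper(), pid.upper(), serial

def evaluate(instance_id, allowlist=ALLOWLIST):
    """Fail closed: anything not explicitly approved is blocked."""
    dev = parse_instance_id(instance_id)
    if dev is None:
        return "block: unparseable instance ID"
    vid, pid, serial = dev
    if (vid, pid) not in allowlist:
        return "block: model not approved"
    serials = allowlist[(vid, pid)]
    if serials is None:
        return "allow: approved model"
    if serial in serials:
        return "allow: approved unit"
    return "block: serial not registered"

# Constructed connection events, as a port-management agent might log them.
SAMPLE_EVENTS = [
    r"USB\VID_AAAA&PID_0001\0000123",
    r"usb\vid_aaaa&pid_0002\SN-1001",   # case differs, same device model
    r"USB\VID_AAAA&PID_0002\SN-9999",   # right model, unregistered unit
    r"USB\VID_BBBB&PID_1234\XYZ",       # unapproved model
    "not-a-usb-id",
]

def audit(events=SAMPLE_EVENTS):
    return [(e, evaluate(e)) for e in events]

if __name__ == "__main__":
    for event, verdict in audit():
        print(f"{verdict:30} {event}")
```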
Admin PIN<br />
LOK-IT is configurable for use with an administrator PIN (in addition to the user PIN),<br />
thereby making the drive and its contents recoverable if the user PIN is forgotten or the<br />
user refuses to or is unable to provide their PIN (e.g. termination or death). To use this<br />
feature, the Admin PIN is set prior to distribution to the user. It is possible to set the<br />
Admin PIN after the user has set their PIN; however, the user must first unlock the drive<br />
to do so. Using the Admin PIN, the UFD may be unlocked and the contents accessed at<br />
any time. For security purposes, when the drive is unlocked using the Admin PIN, the user<br />
PIN is automatically cleared and must be reset.<br />
Anti-Malware<br />
If users are permitted to install or run executables not contained on a white-list, an<br />
anti-malware program must be installed on the host computer. An installed anti-malware<br />
program is the best means for protecting the host computer from infection by malware.<br />
Installation of additional anti-malware on UFDs is likely to interfere with the anti-malware<br />
installed at the end-point.<br />
Like CD disks, flash drives may contain auto-run files that allow a program on the drive to<br />
run automatically when the drive is connected. In the Windows operating system, this<br />
setting is off by default, to protect users from malware-contaminated devices. An<br />
administrator can set a policy whereby end users cannot enable auto-run on any device.<br />
GENERAL SPECIFICATIONS<br />
Features<br />
USB 2.0 compliant (USB 1.1 is implied as it is backward compatible)<br />
Works with all Windows, Mac, Linux and embedded/office and home-entertainment<br />
systems<br />
Self-contained hardware-based security<br />
FIPS Certified AES 256 Bit on-the-fly hardware encryption<br />
No software required<br />
Easy and intuitive to use<br />
Auto-Locks immediately upon disconnect or computer shutdown<br />
Rechargeable battery<br />
Drive recovery in case of forgotten PIN<br />
USB-IF Certified<br />
FCC<br />
CE/EMC<br />
IP57 (10 KEY Only)<br />
Package with Lanyard<br />
Credit Card Style User Guide<br />
System Requirements<br />
Any operating system that supports USB 2.0 (Windows, Mac, Linux, etc)<br />
Security does not require any computer software / drivers<br />
Comes pre-formatted as FAT32<br />
Can be reformatted for any file system<br />
Available USB port (version 2.0 for faster read/write access)<br />
LOK-IT FEATURE COMPARISONS<br />
(1) NIST Listed. FIPS 140-2 Level 3 Certificate #1527<br />