Feb 24 2015

A Higher Level of Security

Federal efforts to secure portable devices are largely effective, but they're not perfect, which means protections need to take a leap forward.

Most federal agencies require portable devices to comply with the Federal Information Processing Standard (FIPS) 140-2 Level 2. This provides a solid platform against most hacking attempts because all data is protected using 128-bit or 256-bit encryption. However, with enough time and resources, many Level 2 devices can be attacked at weak points in their architecture, potentially compromising security.

The Achilles’ heel is the location of the cryptographic key, which is often stored in the flash memory or hard drive built into a Level 2 device, making it easier for an attacker trying to get to the stored data to read. Many devices that meet the FIPS 140-2 Level 2 security standard store their keys in this way. Some take the additional step of hiding the key using an algorithm based on the device password. In either case, the average attacker who gets possession of a Level 2 device probably won’t be able to do anything with it. However, a well-funded attacker or one supported by a nation-state might be able to crack the security by physically opening up the device and reading the encryption key directly from the memory components on which it is stored.

The IronKey Workspace W700, by comparison, is compliant with FIPS 140-2 Level 3, meaning that the manufacturer has taken extra steps to prevent even advanced hackers from obtaining the encryption key. The W700 stores its key on a separate cryptochip deep inside the metal case. The chip is additionally protected by a thick epoxy and a metal mesh cladding. Trying to remove the epoxy warps the delicate chip, rendering it useless. Tampering with the metal mesh does the same thing, and in addition the chip can detect, the next time it’s powered up, whether the mesh has been disturbed. Rather than leaving the device open to hack attempts, it will make the drive inoperable and render its data completely unrecoverable.

Some security experts have suggested that Level 3 security could be breached by high-end technology such as $500,000 computing rigs, electron microscopes and lasers. But at this point, such suppositions are theoretical. Given that one misstep in hacking a W700 would render the device and all its data useless, it’s a safe bet that the IronKey Workspace is secure enough for even the most important federal secrets.

