Kingston Technology develops hardware-encrypted USB drives that assist federal agencies in addressing real-world data security issues with a focus on mobile uses.
In 2019 the National Institute of Standards and Technology issued Federal Information Processing Standard 140-3, the first update to FIPS 140 since the 140-2 update in 2002.
Federal agencies are transitioning from the military-grade security of FIPS 140-2 to the new FIPS 140-3 standard. To maintain data safety and compliance, Richard Kanadjian, global business manager of the encrypted unit at Kingston Technology, says it is essential that agencies ensure mobile storage devices meet these FIPS 140-series standards and transition to FIPS 140-3 in 2023.
Kingston was first to market with a FIPS 140-3 Level 3 (pending) USB drive: The IronKey Keypad 200 drive launched in September 2023. In summer, Kingston will launch the flagship IronKey D500S with advanced features that are designed for government use. Both drives have completed extensive testing and design reviews at a NIST-certified lab and are pending NIST certification.
“We focus on the data that federal employees are taking with them and how to secure it,” Kanadjian says. “One of the key problems for agencies is, what happens when a USB drive is lost or stolen, and how do you protect that data? We make sure that the USB drive is hardened against many penetration attacks and layered with multiple levels of data protection to avoid a breach.”
FEDTECH: The Latest FIPS 140-3 Standard Is the First Update Since 2002. Can You Talk About How Cryptographic Modules Have Evolved Since Then?
KANADJIAN: There have been many advancements in cryptography since 2002, resulting in the development of more secure cryptographic algorithms, such as:
- Elliptic-curve cryptography
- XTS mode replacing CBC mode for the Advanced Encryption Standard (AES)
- The discontinuation of less secure algorithms, such as replacing SHA-1 with SHA-2
On computers, you've got Secure Boot, the Trusted Platform Module (TPM) on your notebook that you could lock down to your storage. There's increasing use of hardware security modules (HSMs), which are like crypto chips on motherboards that are used to implement TPMs. It's a very broad standard that covers a lot of devices.
Overall, FIPS 140-3 is a more modern and comprehensive standard than FIPS 140-2, reflecting advances in technology and changes in the security landscape. However, both standards remain important in 2023 for ensuring the security of cryptographic modules used by government agencies and other organizations.
FEDTECH: What Should Agencies Keep in Mind in Complying with FIPS 140-3?
KANADJIAN: Ensure security products are sourced from trusted vendors and are properly tested and certified for FIPS 140-3 compliance. Any agency where there's a need for people to carry data — whether it's military data, legal data or any other type of classified or sensitive data — should be concerned about how to protect it and follow NIST standards.
FEDTECH: What Are Some of the Distinct Features of the IronKey Keypad 200 Drive?
KANADJIAN: One of the benefits of the KP200 drive is OS independence — you aren’t limited to Windows, Mac or Linux. It can work with any operating system, including ChromeOS or virtual software. It can also be used to transfer data between two machines that support USB mass storage devices.
The drive’s casing has epoxy covering the internal circuitry that is designed to prevent physical penetration attacks against the chips. The epoxy makes the drives tamper-evident as well as tamper-resistant. This is required to meet the Level 3 security mandated by NIST to protect sensitive government information.
There are two passwords that allow you to have an admin PIN and a user PIN. The key benefit is that you have two ways to access the data in case you forget a password. This is the most common tech support request Kingston gets — how to recover access to a drive if a password is forgotten.
We also have read-only mode protection (also called write-protect). Basically, an admin or user can set either a global or a session-only read-only mode. That means you can log in with the admin password, load data and then set the drive in read-only mode. When you're sharing the information on the drive or transferring it to another system or machine, there's no opportunity for somebody to alter it or load malware on an untrusted system.
There’s also brute-force-attack protection, where the drive counts the number of times you enter a wrong password. If you guess the admin password wrong 10 times in a row, it does what we call a crypto-erase, and the data is lost forever — by design. If the user password is guessed wrong 10 times in a row, the user is locked; but if the admin password is set up, it can be used to recover access to the drive and reset the user password.
FEDTECH: Why Was It Important to Be First to the Market with a FIPS 140-3-Compliant Product for Your Clients?
KANADJIAN: It was not as important for Kingston to be first as to get it right. We did not rush the process, which took nearly a year, and the NIST lab testing was done on schedule. We did not know this would be the first one to be launched but were happy when it happened. Kingston IronKey drives are more about engineering, rigorous manufacturing and quality control, and the drives are not launched until they meet our criteria.
FEDTECH: How Do Kingston Products Help Agencies Address Some of the Top Security Issues They Face?
KANADJIAN: We focus on mobile data. Our philosophy has always been that we give you a secure cloud in your pocket. We make the drive very secure; it's a closed ecosystem with no need for internet connections. We provide military-grade, hardware-encrypted drives meeting the FIPS 140-3 Level 3 requirements to protect the stored data against attackers, yet it’s easy to use with multi-password support. Our upcoming IronKey D500S drive will feature a more rugged design and new features, such as dual hidden partitions, an industry-first feature on hardware-encrypted drives that will allow government users to have two hidden storage areas on the drive, along with a crypto-erase password that can wipe all data on the drive in an emergency. All of our drives are air-gapped and do not require the internet or phones for authentication – again, by design. I hope that federal customers will be happy with the new drive offerings.