By Larry Hamid
The development and adoption of removable USB mass storage is
truly remarkable. Never before has it been so easy to move
gigabytes of information around on a portable device that is small
enough to clip onto a key chain.
These devices have large capacities and they can copy data at lightning speed.
It’s hard to buy a USB flash drive these days with less than 128MB
of storage and some devices can achieve data rates greater than
20MB per second. The technology is so convenient and powerful that
we wonder how we could have lived without it. It’s unthinkable to
use floppy disks for the amount of data that we need to carry
around today. While the capacity of a CD-RW might be sufficient,
the procedure of inserting and 'burning' simply can’t compete with
the ease of plugging a flash drive into the USB port.
On the other hand, most security officers wish that this
technology didn’t exist at all.
First of all it is a medium that can carry computer viruses and
software that shouldn’t be used in the corporate environment.
Probably more disturbing is that the sheer volume of proprietary
information that could leave the corporate environment undetected
through these devices is an enormous exposure for corporations.
Corporate executives are losing sleep not knowing how much
intellectual property is lost or stolen through this wide open
channel. “In interviewing Fortune 500 company CIOs and CSOs we
found that they have no visibility into the quantity of information
that leaves the organisation through portable devices such as
laptops and USB memory sticks”, according to Sean Wray, VP of
Security Solutions at MobileSecure.
To deal with this issue, some organisations have disabled USB
ports through the BIOS, while others have gone to the more extreme
measure of filling the USB connectors with a thick epoxy adhesive.
While this solves the problem, it also prevents any beneficial uses
of USB mass storage from being garnered. But what other functions are
there for USB mass storage devices? Besides moving large amounts of
data around at lightning speed what else could we be missing by
banning their use? Surprisingly, there are very compelling advances
to be gained in the security industry by properly harnessing the
power and protocol of USB mass storage.
As any technology evolves we always see more features and
functionality being added to newer models of devices. Sometimes
these features are born out of convenience, while other times they
stem from necessity. Cameras on cell phones, for example, are not
necessary but they really are handy. On the other hand, a SIM
(subscriber identity module) is a necessary feature to enable
the interchangeability of phones without losing the subscriber
identity.
USB mass storage devices are evolving and we are starting to see
many new features and behaviors that were never conceived when the
USB mass storage specification was written.
For example, many devices today offer encrypted storage so that
if you lose your device, the information on it remains safe. Some
flash drives even have fingerprint sensors and processors built in
so that biometric authentication of the owner is required before
the storage can be accessed.
These are examples of some security-driven extensions to the
basic functionality of mass storage. The on-board capabilities of
strong cryptography and authentication that we see on some of the
more advanced devices are the prime ingredients for a new direction
in the evolution of USB mass storage. That direction is portable
identity management and secure storage.
Digital identities take many forms. They can be simple
credentials such as usernames and passwords, or more complex forms
such as PKI-based X.509 certificates or claims-based assertions in
SAML tokens. To be really useful in today’s identity
infrastructures an identity device must be more than a secure store
of static credentials. It must also be able to generate
cryptographic keys, perform digital signature operations, parse
request messages and emit security tokens in standard formats.
Furthermore, it must bind identity operations to an authenticated
user and be able to enforce security policies that have been
defined by security officers.
One doesn’t normally associate these operations with USB
storage. In fact, digital identity functions are very different
from mass storage; but that doesn’t mean that they cannot exist on
the same device, just as digital cameras now exist on cell phones.
Despite the differences there are significant benefits to putting
digital identity functions on a USB mass storage device.
The obvious question is why this is not simply a matter of creating
a composite device. After all, digital identity devices already
exist in other form factors such as smart cards and, yes, USB key
fobs. These could be integrated into the same physical package with
relative ease to produce a combined mass storage/digital identity
device. The answer is that the
benefits that we gain go beyond the convenience of having a
multi-functional device and are attributable to using the USB mass
storage protocol itself.
The USB mass storage interface itself has a number of desirable
properties. First, it is ubiquitous. Practically every PC and
operating system in use today supports it natively and there are no
device drivers or software to install in order to use a USB flash
drive. This is what makes them so portable and interchangeable. It
doesn’t matter which vendor or brand of USB memory stick you have,
as long as the device implements the specification it will
work.
Portability has been the Achilles’ heel of smart cards and USB
tokens. Wouldn’t it be nice to be able to carry a smart card around
without lugging a reader, device drivers and proprietary
middleware? Without all of that the smart card just won’t work. In
fact the situation is worse than that. Even when you have deployed
a smart card solution with all of the required components and
middleware, you’ll probably find that the solution won’t work with
another brand of smart card without swapping in new middleware
components. The US Government has addressed these interoperability
challenges by developing GSC-IS (Government Smart Card
Interoperability Specification) so that they can deploy smart cards
to federal employees without being tied to one smart card or
middleware provider. Despite these and other enormous efforts on
standards and interoperability, smart cards have suffered from the
lack of widespread adoption of a common specification.
Another advantage of the USB mass storage interface is the
bandwidth. The USB 2.0 standard specifies a data rate of 480
Megabits per second for a high speed device. This opens up a whole
new set of possibilities for security operations as much more data
can be sent and retrieved than what was previously possible on
devices such as smart cards. For example, instead of sending a hash
of a document to be signed, the entire document could be sent to
the device for processing.
The widespread native support and high bandwidth of the USB mass
storage interface enables a digital identity device to be truly
portable and accept high level application messages through a
protocol that is as simple as reading and writing to a file.
Work in developing open specifications to exploit this new
direction has already begun. In partnerships with key device
manufacturers, Microsoft is currently developing a specification
called PSTS (Portable Security Token Service), which will enable
file system based communication to USB devices that can be used as
portable credential carriers and generators of SAML tokens in
response to WS-Trust requests. This is part of a digital identity
metasystem that will enhance privacy and security of digital
identity transactions on the web. WS-Trust, along with other WS-*
specifications, has already been submitted to OASIS for standardisation.
With the adoption of InfoCard in new Microsoft operating systems
and popular browsers, it will be possible for you to roam to any
machine, say at an Internet café, and perform a digital identity
transaction using your USB digital identity device.
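The following Python is an added illustration of the file-based exchange described above; it is not the PSTS specification or any vendor's code. The host writes a request file to the volume, the simulated device firmware checks for an authenticated user, processes the request with a key that never leaves the device, and writes a response file. The file names, the JSON message shape, the HMAC signing and the "alice" user are assumptions made for this example; a real device would use asymmetric keys and SAML/WS-Trust formats.

```python
import hashlib
import hmac
import json
import os
import tempfile


class FileMailboxTokenDevice:
    """Stand-in for device firmware; request.json/response.json names are assumed."""
    def __init__(self, volume, secret, authenticated_user=None):
        self.volume = volume
        self._secret = secret            # signing key, never exposed through the file system
        self.user = authenticated_user   # set only after an on-device fingerprint/PIN check

    def _sign(self, data):
        return hmac.new(self._secret, data.encode(), hashlib.sha256).hexdigest()

    def service(self):
        req_path = os.path.join(self.volume, "request.json")
        with open(req_path) as f:
            req = json.load(f)
        if self.user is None:
            resp = {"status": "denied", "reason": "no authenticated user"}
        elif req.get("action") == "sign_document":
            # Whole document arrives over the bulk interface; device hashes it itself
            digest = hashlib.sha256(req["document"].encode()).hexdigest()
            resp = {"status": "ok", "digest": digest, "signature": self._sign(digest)}
        elif req.get("action") == "issue_token":
            # Simplified claims assertion standing in for a SAML token
            token = {"subject": self.user, "audience": req.get("relying_party"),
                     "claims": req.get("claims", [])}
            resp = {"status": "ok", "token": token,
                    "signature": self._sign(json.dumps(token, sort_keys=True))}
        else:
            resp = {"status": "denied", "reason": "unsupported action"}
        with open(os.path.join(self.volume, "response.json"), "w") as f:
            json.dump(resp, f)
        os.remove(req_path)


def host_request(volume, device, payload):
    # Host side: the whole protocol is writing one file and reading another
    with open(os.path.join(volume, "request.json"), "w") as f:
        json.dump(payload, f)
    device.service()   # on hardware the firmware reacts to the write by itself
    with open(os.path.join(volume, "response.json")) as f:
        return json.load(f)


def demo(payload, authenticated=True):
    volume = tempfile.mkdtemp()   # stands in for the mounted USB volume
    user = "alice" if authenticated else None   # constructed result of the on-device check
    device = FileMailboxTokenDevice(volume, b"constructed-demo-key", user)
    return host_request(volume, device, payload)
```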
There are still challenges to be addressed to make this
direction a reality. Device manufacturers need to design for
portability. The installation of drivers and middleware to assist
in some of the digital identity computation is not an option. The
device itself must be able to process high level messages, perform
cryptographic operations and handle user authentication internally;
otherwise portability will be lost. The development and adoption of
standards must continue relentlessly; otherwise we will fail to
achieve interoperability. Finally, the industry must be assured
that these new devices are secure. The same types of security
validations that are being applied to smart cards and other
security modules will be needed.
Now that we have seen the new digital identity direction of USB
mass storage devices and what it could mean for portability and
interoperability, organisations should rethink their decisions to
disable USB mass storage. There are good solutions appearing on the
market that can control the use of USB mass storage without
disabling them completely. For example, many offerings allow you to
prevent any unwanted devices from being used except those that are
issued or approved by the corporation, and you can even monitor the
files that move on and off a device.
Digital identities play a key role in many security applications
from single sign-on, to PKI, to the emerging systems of federated
identity. By keeping USB mass storage enabled, corporations can
leverage the new breed of USB mass storage-based digital identity
devices to enhance and simplify their deployments of digital
identity security solutions.
Larry Hamid is the Chief Technology Officer, Secure
Products Division at Memory Experts International. The company is
exhibiting at Infosecurity Europe 2006, held 25–27 April 2006 in
the Grand Hall, Olympia, London.
Now in its 11th year, Infosecurity Europe continues to
provide an unrivalled education programme, new products and
services, over 300 exhibitors and 10,000 visitors from every
segment of the industry.