IronKey

Type: Private
Industry: Internet security
Founded: 2005
Founder(s): David Jevans
Headquarters: Sunnyvale, California
Key people: David Jevans (Chairman), Arthur Wong (CEO), Gil Spencer (CTO)
Products: IronKey S100, IronKey S200, IronKey D200

IronKey is an Internet security and privacy company located in Sunnyvale, California. It was formed in 2005 by David Jevans, with the stated aim of providing security and privacy solutions to both consumers and enterprises. IronKey's founding was partially funded by the U.S. federal government, with a grant of US$1.4 million through the Homeland Security Research Projects Agency,[1][2][3] and its products have been used extensively by the U.S. government in various areas.[4][5]

Overview

IronKey manufactures a range of secure USB flash drives, including the IronKey S200 and IronKey D200, which come in three varieties (Basic, Personal, and Enterprise) in sizes ranging from 1 GB to 16 GB (up to 32 GB for the D200). The three versions differ primarily in the software included with them; there are also some hardware differences that prevent the end-user from converting one version to another. All three contain the same level of hardware encryption and are structured with two partitions: an unlocker partition with software handling locking and unlocking, and a secure area. The Basic model has no extra software and is targeted at government and military users, while the Personal includes a portable version of Mozilla Firefox, Identity Manager (an account/password management software), and Secure Sessions. The Enterprise model is intended for corporate and government environments, and is completely configurable by an administrator. As such, it can contain any or all of the software on the Personal edition, along with anti-malware software, RSA, and OTP software.

One of the key design features of the IronKey is a self-destruct mechanism that activates after the user enters the password incorrectly a certain number of consecutive times. On the Personal model the limit is ten attempts, on the Enterprise model the count is configurable by the administrator, and the Basic model can be configured to disable this feature entirely. As a safety measure, the device must be unplugged and replugged after every three password attempts. After reaching the password limit, the device deletes its encryption keys and initiates a wear-level pass on the drive, effectively making the device completely unusable.

A key differentiator of IronKey from software-based encryption solutions is that IronKey's controller does not allow access to the user's data before authentication, even in encrypted form. With a USB drive containing software-encrypted data, full access to the encrypted data is available immediately upon mounting. This allows offline brute-force attacks or cryptanalysis. Instead, with IronKey, the only attack surface available is giving the authentication interface different potential passwords. Because of the (also hardware-based) low limit on password attempts, this makes brute-forcing infeasible. Without getting access to the tamper-resistant hardware, an attacker cannot try hundreds of passwords, let alone the billions required to guess a moderately secure password.
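The attempt limit and replug rule described in the two paragraphs above can be modelled as a small state machine. This Python model is an added illustration, not IronKey firmware or code from the original article; the class and function names, the PBKDF2 verifier, and the reset of the failure count on a successful unlock (inferred from "consecutive") are assumptions.

```python
import hashlib
import hmac
import os

class AttemptLimitedDevice:
    """Toy model of the controller's password gate (constructed, not IronKey firmware)."""
    def __init__(self, password, max_failures=10, tries_per_plug=3):
        self._salt = os.urandom(16)
        self._verifier = self._derive(password)
        self._data_key = os.urandom(32)       # stand-in for the on-chip AES key
        self.max_failures = max_failures      # ten on the Personal model
        self.tries_per_plug = tries_per_plug  # replug required after every three tries
        self.failures = self._tries_this_plug = 0  # failures persist across replugs
        self.destroyed = False

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def replug(self):
        self._tries_this_plug = 0  # a power cycle clears only the per-plug counter

    def unlock(self, password):
        if self.destroyed:
            return "destroyed"
        if self._tries_this_plug >= self.tries_per_plug:
            return "replug_required"
        self._tries_this_plug += 1
        if hmac.compare_digest(self._derive(password), self._verifier):
            self.failures = 0  # assumption: success resets the consecutive count
            return "unlocked"
        self.failures += 1
        if self.failures >= self.max_failures:
            self._data_key = self._verifier = None  # keys erased, data unrecoverable
            self.destroyed = True
            return "destroyed"
        return "wrong_password"


def guesses_evaluated(device, candidates):
    """Submit candidates, replugging when asked; return how many the gate evaluated."""
    evaluated = 0
    for guess in candidates:
        result = device.unlock(guess)
        if result == "replug_required":
            device.replug()
            result = device.unlock(guess)
        evaluated += 1
        if result in ("unlocked", "destroyed"):
            break
    return evaluated
```

However long the candidate list, the gate evaluates at most `max_failures` wrong guesses before the key is erased, which is the contrast with software-encrypted drives where ciphertext can be copied and attacked offline without any counter.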

The IronKey S100 has passed FIPS 140-2 Level 2 validation,[6] and the S200 and D200 have passed FIPS 140-2 Level 3 validation.[7] As of July 2009, the latter two were the only[8] USB drives to obtain an Overall Level 3 (although Kingston Technology has stated that Level 3 certification is pending[9] for their DataTraveler 5000 device).

Bundled software

Secure Sessions is an IronKey-customized fork of the open source Tor anonymizer network, offering similar features to end-users of secure and private web browsing by routing network traffic through a random selection of nodes. Unlike Tor, it only uses private servers (around 22 of them) owned by IronKey in several different countries, including the USA, Canada, Denmark, the Netherlands, and the UK. Users are unable to configure themselves as nodes, which means that the entire system would stop working if IronKey ever ceased operations. While use of all private nodes secures users from potential third-party rogue nodes, it requires the user to trust IronKey alone with their traffic. With a single company (IronKey) controlling all the nodes, a court order against IronKey could result in the entire Secure Sessions network being compromised.

Secure Sessions frequently generates new private keys on each server (used to encrypt all traffic), thereby making it very difficult to obtain the keys to decrypt any traffic that may have been captured by a law enforcement or other agency. Some performance enhancements have been added to Secure Sessions and, as with Tor, some traffic restrictions are in place for blocking P2P and other overlay networks that can cause bandwidth saturation.

Identity Manager is a password management tool bundled on the Personal and Enterprise devices. The Identity Manager stores the passwords of a user in an encrypted format within a non-user-accessible area of the device, and connects to Mozilla Firefox and Internet Explorer, allowing automatic logins. This prevents malware from simply copying an account database off the device for a later attack. Passwords are only visible in memory for a matter of seconds while being populated onto the web form. During that time, they are as vulnerable as any other system.

Hardware

All models of IronKey share the same case design. There are two versions of the IronKey (S200 and D200) that come in three different models. The S200 contains RAM using the more expensive and faster SLC, rather than the slower and shorter-lived MLC, which is one of the reasons for the higher price of the S200 compared to the D200, which uses MLC flash. The S200's outer case is silver-metallic in color, while the D200 is gray. IronKey utilizes a strong, metallic outer casing to protect against physical damage, and the internal components are sealed with an epoxy-based potting compound to protect against tampering as well as increase waterproofing, along with increasing the device's strength. Additionally, there is a coating over the chipsets that senses any tampering by a change in the electrical impedance. If the IronKey senses a change, the cryptochip self-destructs the next time power is applied, and an NSA wear level erase of the flash is enacted. It tends to be a bit larger and heavier than most current flash drives, at 75 millimetres (3.0 in) x 19 millimetres (0.75 in) x 9 millimetres (0.35 in), and a weight of 25 grams (0.88 oz).

Encryption

The original version of the IronKey (released in 2005) used AES 128-bit CBC hardware encryption. It was renamed in July 2009 to the S100 to match the release[10][11] of the newer S200, which uses AES 256-bit CBC hardware encryption.

Operating system support

While most of the supporting software (mainly Identity Manager and Secure Sessions) is available only to Windows users (specifically Windows 2000 SP4, Windows XP SP2, Windows Vista, and Windows 7), the IronKey includes an unlocker for Mac OS X 10.4+, along with a large range of Linux variants. The latest build of the IronKey Unlocker does not require any administrator or root permissions, and installs no extra drivers.

Enterprise

The Enterprise version of the IronKey is intended to allow larger companies and government departments to centrally configure, deploy, and manage their employees' IronKeys through a paid service. Some key features of this service are the abilities to create specific profiles for groups of employees (which allows different users access to different features), to remotely kill or disable an IronKey after it has been deployed, to control whether an IronKey is allowed to be unlocked at remote locations, to add an RSA SecurID app or CryptoCard app to the IronKeys, and to see where the IronKeys are being used on a global map.

Partnerships

Lockheed Martin has partnered with IronKey[12] to produce a bootable version of an IronKey drive, branded the IronClad. IronClad drives combine IronKey hardware with customized virtualization and security software that enables the drives to house and boot an entire operating system, applications and files from the USB drive.

As of October 2011, there does not appear to be ordering or pricing information available to the general public, and the only information seems to be press releases prior to June 2011. Cached pages indicate that this is or will be a custom item, with minimum order quantities in the 200 unit range. No record or review of the IronClad 'in the wild' seems to exist.

Competing products

Secure flash drives have become more common in recent years, following increases in reports of drives and laptops with confidential data being lost or stolen.[13][14][15][16] Most of the larger flash drive manufacturers have released similar products with varying feature sets; some of the more well known examples of which are:

Alternatively, free software-based disk encryption systems can be used with any USB flash drive and provide functionality comparable to IronKey's secure storage.

References

  1. "SOMETHING VENTURED: Uncle Sam Is Staking Start-Ups" (PDF). VentureWire. March 12, 2008. http://www.levp.com/cat-bin/filexfer/show/031208VentureWireITSEF.pdf?artist_id=365&folder=news_attachments&file=031208VentureWireITSEF.pdf. Retrieved August 5, 2009.
  2. "10 Hot Security Startups". DarkReading. April 12, 2007. http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=208808181. Retrieved August 5, 2009.
  3. "Command, Control and Interoperability Programs and Projects". Department of Homeland Security. April 2, 2009. http://www.dhs.gov/files/programs/gc_1218474924792.shtm#16. Retrieved August 5, 2009.
  4. "U.S. Department of Homeland Security - 2010 Budget in Brief" (PDF). Department of Homeland Security. 2009. http://www.iaem.com/committees/governmentaffairs/documents/DHSBudgetinBriefFY2010.pdf. Retrieved August 5, 2009.
  5. "Department Responsibilities: Maximize Use of Science, Technology and Innovation". Department of Homeland Security. July 22, 2009. http://www.dhs.gov/xabout/gc_1244659918636.shtm. Retrieved August 5, 2009.
  6. "FIPS 140-2 Validation Certificate" (PDF). NIST. April 11, 2008. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt938.pdf. Retrieved August 11, 2009.
  7. "FIPS 140-2 Validation Certificate" (PDF). NIST. June 22, 2009. http://cs-www.ncsl.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt1149.pdf. Retrieved July 23, 2009.
  8. "Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules". NIST. July 21, 2009. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm. Retrieved July 27, 2009.
  9. "Kingston Digital Launches New Ultra-Secure USB Flash Drive". PR Newswire. January 27, 2010. http://www.prnewswire.com/news-releases/kingston-digital-launches-new-ultra-secure-usb-flash-drive-82794812.html. Retrieved January 27, 2010.
  10. Dunn, John (July 16, 2009). "IronKey USB drive gets uncrackable shell". PC World. http://www.pcworld.idg.com.au/article/311283/ironkey_usb_drive_gets_uncrackable_shell. Retrieved August 11, 2009.
  11. "IronKey Introduces S200 with FIPS Level 3 140-2". IronKey. July 2009. https://www.ironkey.com/S200_Launch. Retrieved July 23, 2009.
  12. Melanson, Donald (January 19, 2010). "Lockheed Martin introduces 'PC on a stick' flash drive -- yes, Lockheed Martin". Engadget. http://www.engadget.com/2010/01/19/lockheed-martin-introduces-pc-on-a-stick-flash-drive-yes-l/. Retrieved January 21, 2010.
  13. Dayani, Alison (August 29, 2009). "Laptops containing medical details of Birmingham patients stolen". Birmingham Mail. http://www.birminghammail.net/news/birmingham-news/2009/08/29/laptops-containing-medical-details-of-birmingham-patients-stolen-97319-24559290/. Retrieved September 4, 2009.
  14. "Possible Loss of Personal Identifiable Information" (PDF). Department of Navy. August 2009. http://www.med.navy.mil/sites/pcola/Documents/Possible%20Loss%20of%20Personal%20Identifiable%20Information/Possible%20Loss%20of%20Personal%20Identifiable%20Information.pdf. Retrieved September 4, 2009.
  15. "Army Guard to inform members of data loss". Army National Guard. August 4, 2009. http://www.ng.mil/features/identity/default.aspx. Retrieved September 4, 2009.
  16. Wells, David (July 13, 2009). "Canyons School District Loses USB Drive with Sensitive Employee Info". FOX13NOW. http://www.fox13now.com/news/kstu-canyons-school-district-loses-usb-drive-conta,0,110917.story. Retrieved September 4, 2009.
  17. CoolComputing (January 27, 2010). "Kingston DataTraveler 5000 Secure USB Flash Drives Unveiled". CoolComputing. http://www.coolcomputing.com/article.php?sid=3622. Retrieved May 8, 2010.

http://web.archive.org/web/20100924042018/http://www.lockheedmartin.com/products/ironclad/
