Jargon
 

Explanation of terms used

(Most of the explanations here are kept simple for readers who are not computer-savvy.)



USB Device: Also called a USB key, USB drive, thumb drive, flash drive or pen drive. It stores information (data) and is made up of a case, a small controller and a flash memory chip. It allows fast transfer of data between physically nearby computers, backing up of data and carrying of sensitive data. The shortcoming of USB keys is that they are small and easily lost or stolen, so whatever is on them can land in the wrong hands; the features below exist to make a lost or stolen key useless to whoever finds it.


Encryption: A mechanism by which the information (data) you store on a USB drive is scrambled so that it is unreadable without the proper key, which the drive only releases when the right password is entered. Anyone who picks up the drive without the password sees only random-looking bytes. Modern encryption is strong enough that trying every possible 256-bit AES key with all the computing power in the world would take far longer than anyone's lifetime. The practical weak point is therefore the password, not the cipher: an attacker does not need to break AES if the password can be guessed, so the protection is only as strong as the password, together with the limited-retry and tamper-resistance features (described below) that stop an attacker from guessing without limit.


Tamper Proof: The circuit board inside the USB device is encased (potted) in a hardened resin such as epoxy, which makes it very difficult to open the case and remove the flash chip; attempting to do so usually destroys the chip. Strictly speaking this is tamper resistance rather than tamper proofing. A well-equipped attacker may still dissolve or grind away the potting, which is why it is combined with encryption (so that a recovered chip yields only scrambled data) and with the tamper-evident and tamper-responding measures described under FIPS 140-2 Levels 2 and 3 below.


Enterprise Manager: Software that allows anything from one to many thousands of USB keys to be managed from a central location. Some of the capabilities of an enterprise manager are:

- Set up and maintain USB keys in bulk, conveniently and from one console

- Manage password policies (such as minimum length and complexity) for all managed USB keys

- Remotely disable or terminate USB keys

- Integrate with existing I.T. infrastructure such as Active Directory

- Unlock devices that have locked themselves (for example after too many wrong passwords)

- Back up the identity management data stored on the keys


Cloud hosted Enterprise Manager: An Enterprise Manager run by the vendor as an Internet service rather than on a server you install yourself, so that the administrator can manage the USB keys from anywhere with an Internet connection. Among many other capabilities, it allows a remote kill of a device (see Remote Lock/Destroy below).


Enterprise Management Capable: Indicates whether the key can be administered remotely through an Enterprise Manager.


Identity Manager: A password manager built into the key that securely stores your online passwords, so that when you access your accounts from an untrusted computer you do not have to type them in. The passwords are filled in automatically by the key's software. This defeats spyware that records keystrokes (keyloggers); it does not defeat malware that captures the screen, the clipboard or the browser's memory, so an untrusted computer should still be treated with caution.


Secure Web Browsing: Some USB keys come preconfigured with a copy of a popular browser, Firefox, that runs from the key. On its own a browser does not encrypt all of your web traffic; where this feature is offered it works by routing the browser's traffic through an encrypted tunnel (a VPN or proxy service) and by using a trusted DNS service, which helps ensure that you are not redirected to a spoofed website.


Anti-Malware / Anti-Virus protection: Scans files as they are copied to the USB key, to protect the data on the key from viruses and malware present on the computer it is connected to. It does not stop malware already running on that computer from reading whatever you open from the key.


Mac Support: Some USB keys are designed primarily for Windows PCs. They do work on Macs as well, but with a reduced feature set.


Limited password retries: A feature that locks the key, or destroys (wipes) the data on it, after a set number of unsuccessful password attempts. This defeats password guessing by a person or a program: instead of the billions of guesses a computer could otherwise try, the attacker gets only a handful. The counter has to be kept and enforced inside the key itself; a limit enforced only by software on the computer could be bypassed by an attacker who talks to the key directly.


Remote Lock/Destroy: An optional feature that requires the Enterprise Manager. It lets an administrator send a command to a supported USB key that makes the key lock itself or wipe its internal data. The command is delivered the next time the key is plugged into a computer with an Internet connection, so it is useful when a key has been stolen or misplaced, or when a disgruntled employee fails to return it.


Authorisation restricting offline use: Supported USB keys can be configured through the Enterprise Manager to allow only a set number (X) of unlocks on computers without an Internet connection, after which the key refuses to unlock until it has checked in with the Enterprise Manager again. This counters attempts to defeat the remote lock/destroy feature by only ever using the key offline, since that feature needs an Internet connection to deliver its command.
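
As an added illustration (example code written for this page, not software from any USB key vendor), the two policies above, limited password retries and the offline-use allowance, can be modelled as counters that the key's controller maintains and enforces itself. The limits, the class and the simulated wipe are assumptions for the example; a real key keeps the counters in its own non-volatile memory and zeroises the encryption key in hardware.

```python
"""Added example, not code from the original page or any vendor: a model of the
two counter-based policies a secure USB key enforces inside its controller.
The class, the limits and the wipe are illustrative; a real key keeps the
counters in non-volatile memory and zeroises the AES key in hardware."""
import hashlib
import hmac
import os
from typing import Optional

MAX_RETRIES = 10        # assumed policy: failed unlocks before self-destruct
MAX_OFFLINE_USES = 5    # assumed policy: unlocks allowed with no server contact
KDF_ITERATIONS = 50_000  # assumed work factor for the password check


class SecureKey:
    def __init__(self, password: str, data: bytes):
        self.salt = os.urandom(16)
        self.verifier = self._derive(password)   # a real key wraps the data key with this
        self.data = data
        self.failed_attempts = 0
        self.offline_uses_left = MAX_OFFLINE_USES
        self.wiped = False

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, KDF_ITERATIONS)

    def _wipe(self) -> None:
        # Irreversible: key material and data are zeroised; the device stays dead.
        self.data = b""
        self.verifier = b""
        self.wiped = True

    def unlock(self, password: str, online: bool) -> Optional[bytes]:
        """Return the data if policy and password allow it, otherwise None."""
        if self.wiped:
            return None
        # Offline-use allowance: an unlock while connected to the Enterprise
        # Manager refills it (and is when a remote lock/destroy order would
        # arrive); each unlock attempt with no connection burns one.
        if online:
            self.offline_uses_left = MAX_OFFLINE_USES
        elif self.offline_uses_left == 0:
            return None                      # must check in before further use
        else:
            self.offline_uses_left -= 1
        # Retry limit: the failure count is committed to storage BEFORE the
        # password is compared, so cutting power mid-check cannot give an
        # attacker a free guess.
        self.failed_attempts += 1
        if hmac.compare_digest(self._derive(password), self.verifier):
            self.failed_attempts = 0         # a correct password resets the counter
            return self.data
        if self.failed_attempts >= MAX_RETRIES:
            self._wipe()
        return None


if __name__ == "__main__":
    key = SecureKey("correct horse battery staple", b"quarterly-results.xlsx")
    for guess in ("password", "123456", "letmein"):
        print(guess, "->", key.unlock(guess, online=True))
    print("failed so far:", key.failed_attempts, "wiped:", key.wiped)
```

The order of operations in unlock() is the part worth copying: the counter is advanced before the comparison, not after, so that an attacker who interrupts the check cannot replay the same guess for free; and a wrong password entered offline still costs one offline use, so the allowance cannot be preserved by guessing.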


Authorisation controls regarding where the device works: Supported USB keys can be restricted to unlock only on computers that the administrator has authorised, foiling attempts to access the data on any other computer.


Biometric Fingerprint Authentication: Supported USB keys offer two-factor authentication: besides the regular password (something you know), a fingerprint (something you are) must also be presented. This protects against the scenario where a thief gets hold of both your USB key and your password. A fingerprint is not a secret and cannot be changed if it is copied, so it should be an additional factor alongside the password rather than a replacement for it.


Virtual Keyboard: Lets you click your password on an on-screen keyboard rather than typing it on a physical one, to defeat keystroke-logging attempts at capturing your password. It does not help against malware that records the screen or mouse clicks.


Zero Software footprint: The key needs no software installed on the computer and leaves none of its own files, drivers or settings behind when it is unplugged. Note that the operating system itself may still record that a USB device was attached (Windows, for example, logs device insertions), so this refers to the key's own software, not to every trace on the host.


NIST: The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce. NIST employs about 2,900 scientists, engineers, technicians, and support and administrative personnel. About 1,800 NIST associates (guest researchers and engineers from American companies and foreign nations) complement the staff. In addition, NIST partners with 1,400 manufacturing specialists and staff at nearly 350 affiliated centres around the country. As part of its mission, NIST supplies industry, academia, government and other users with over 1,300 Standard Reference Materials (SRMs). These artefacts are certified as having specific characteristics or component content, and are used as calibration standards for measuring equipment and procedures, quality control benchmarks for industrial processes, and experimental control samples. Three researchers at NIST have been awarded Nobel Prizes for their work in physics: William D. Phillips in 1997, Eric A. Cornell in 2001 and John L. Hall in 2005, the largest number for any US government laboratory. For the purposes of this page, NIST matters because it publishes the cryptographic standards referred to elsewhere here (AES, FIPS 140-2 and SP 800-56A). (www.nist.gov)


NIST SP800-56A host-device communication: Means the Enterprise Manager server communicates with the device over an authenticated, encrypted channel whose keys are established using the key-agreement schemes of NIST SP 800-56A (Diffie-Hellman or elliptic-curve Diffie-Hellman with key confirmation). Because the channel ends inside the device rather than in the host computer's software, the server applies policies directly to the device, and malware on the host, which only relays the traffic, cannot read or alter them. Note that SP 800-56A is a recommendation rather than a certification; what gets certified is the cryptographic module implementing it, under FIPS 140-2.
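
As an added illustration, and not the vendor's actual protocol, the following Python models such a channel set-up in the style of SP 800-56A's FFC C(2e, 2s) scheme (dhHybrid1): static Diffie-Hellman keys authenticate the two parties, ephemeral ones give each session fresh keys, the one-step concatenation KDF turns the shared secret into MAC and session keys, and key-confirmation MACs let each side check the other. The 64-bit safe prime, the identities and the server/device roles are assumptions for the example and are nowhere near secure; they only keep the code runnable offline.

```python
"""Added example, not the vendor's protocol: a toy server/device key agreement in
the style of NIST SP 800-56A FFC scheme C(2e, 2s) ("dhHybrid1"): static DH for
authentication, ephemeral DH for freshness, the one-step concatenation KDF and
bilateral key confirmation. The 64-bit safe prime and the identities are
constructed for illustration and are NOT secure."""
import hashlib
import hmac
import random
import secrets

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for generating toy parameters."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_domain_params(bits: int = 64):
    """(p, q, g) with p = 2q + 1 prime; g = 4 then always has order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def concat_kdf(z: bytes, other_info: bytes, length: int) -> bytes:
    """SP 800-56A one-step KDF: Hash(counter || Z || OtherInfo), counter = 1, 2, ..."""
    out, counter = b"", 1
    while len(out) < length:
        out += hashlib.sha256(counter.to_bytes(4, "big") + z + other_info).digest()
        counter += 1
    return out[:length]

class Party:
    """U is the Enterprise Manager server, V the USB key. Static public keys are
    exchanged out of band (at enrolment); ephemerals are sent in the handshake."""
    def __init__(self, ident: bytes, params):
        self.ident, (self.p, self.q, self.g) = ident, params
        self.static_priv, self.static_pub = self._keypair()
        self.eph_priv, self.eph_pub = self._keypair()   # fresh for every session

    def _keypair(self):
        x = secrets.randbelow(self.q - 1) + 1
        return x, pow(self.g, x, self.p)

    def _enc(self, y: int) -> bytes:
        return y.to_bytes((self.p.bit_length() + 7) // 8, "big")

    def derive(self, peer_ident, peer_static_pub, peer_eph_pub, i_am_u: bool):
        """Return (session_key, my_mac_tag, expected_peer_mac_tag)."""
        for y in (peer_static_pub, peer_eph_pub):       # full public-key validation
            if not 1 < y < self.p or pow(y, self.q, self.p) != 1:
                raise ValueError("invalid public key")
        z_s = pow(peer_static_pub, self.static_priv, self.p)   # authenticates the peer
        z_e = pow(peer_eph_pub, self.eph_priv, self.p)         # fresh per session
        z = self._enc(z_s) + self._enc(z_e)                    # dhHybrid1: Z = Zs || Ze
        me, peer = (b"U", b"V") if i_am_u else (b"V", b"U")
        e_me, e_peer = self._enc(self.eph_pub), self._enc(peer_eph_pub)
        info_me, info_peer = self.ident + e_me, peer_ident + e_peer
        # OtherInfo = AlgorithmID || PartyUInfo || PartyVInfo
        other_info = b"HMAC-SHA256" + (info_me + info_peer if i_am_u else info_peer + info_me)
        km = concat_kdf(z, other_info, 64)
        mac_key, session_key = km[:32], km[32:]
        # Bilateral key confirmation: MacData = "KC_2_X" || ID_X || ID_Y || EphPub_X || EphPub_Y
        my_tag = hmac.new(mac_key, b"KC_2_" + me + self.ident + peer_ident + e_me + e_peer, "sha256").digest()
        peer_tag = hmac.new(mac_key, b"KC_2_" + peer + peer_ident + self.ident + e_peer + e_me, "sha256").digest()
        return session_key, my_tag, peer_tag

def handshake() -> bool:
    """Honest run: both sides derive the same key and each confirms the other."""
    params = toy_domain_params()
    server, device = Party(b"enterprise-manager", params), Party(b"usb-key-0001", params)
    k_u, tag_u, want_v = server.derive(device.ident, device.static_pub, device.eph_pub, True)
    k_v, tag_v, want_u = device.derive(server.ident, server.static_pub, server.eph_pub, False)
    return k_u == k_v and hmac.compare_digest(tag_u, want_u) and hmac.compare_digest(tag_v, want_v)

def host_malware_is_detected() -> bool:
    """Malware on the host relays the handshake but substitutes its own ephemeral
    key for the device's. Without the device's static private key it cannot
    reach the server's session key, and its confirmation tag fails."""
    params = toy_domain_params()
    server, device = Party(b"enterprise-manager", params), Party(b"usb-key-0001", params)
    mal = Party(device.ident, params)                  # claims the device's identity
    k_u, _, want_v = server.derive(device.ident, device.static_pub, mal.eph_pub, True)
    k_m, tag_m, _ = mal.derive(server.ident, server.static_pub, server.eph_pub, False)
    return k_m != k_u and not hmac.compare_digest(tag_m, want_v)
```

The static key pairs are what make the channel "authenticated": host_malware_is_detected() shows that an attacker who controls every byte crossing the USB cable, and even claims the device's identity, still cannot finish the exchange without the device's static private key, which never leaves the device.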


Virtual Portable Desktop Capable: The device carries a bootable copy of your customised Windows operating system, so that you can start any computer, even an untrusted one, into your own environment instead of the operating system installed on it. This helps when you need to be as sure as possible that sensitive operations (such as banking) are carried out without interference from malware on that computer's own disk; it does not protect against malware in the computer's firmware or hardware.


Auto Firmware update: Means the device can update its own internal software (firmware) to fix bugs or add capabilities. Since the firmware controls the encryption, updates must be digitally signed by the vendor and checked by the device before installation; otherwise the update mechanism itself becomes a way to load malicious firmware.


AES: The Advanced Encryption Standard, the encryption algorithm adopted by NIST in 2001 (from the Rijndael design) and accepted by industry professionals and governments worldwide. In the simplest terms it scrambles data in 128-bit blocks using a secret key of 128, 192 or 256 bits. A 256-bit key has 2^256 possible values, so an attacker without the key would have to try an astronomically large number of combinations before coming anywhere near the one in use, and no practical shortcut is known. The same key is needed to encrypt and to decrypt, which is why on a secure USB key the AES key is unlocked by your password. If AES is the form of encryption being used, you can be confident that it is the most thoroughly analysed and widely accepted form of encryption available today.


128-bit encryption: In cryptography, key size or key length is the size, measured in bits, of the key used in a cryptographic algorithm (such as a cipher). An algorithm's key length is distinct from its cryptographic security, which is a logarithmic measure of the fastest known attack on the algorithm, also measured in bits; the two are equal only when no attack better than trying every key is known.

128-bit encryption indicates that the key used to encrypt the message is 128 bits long, as in AES-128. (Triple DES, often grouped with it, uses 168-bit keys but offers only about 112 bits of security.) A 128-bit key is a very strong level of encryption for the foreseeable future.


256-bit encryption: Encryption with a key of 256 bits, the largest of the three key sizes (128, 192 and 256 bits) that NIST required every candidate in the AES contest to support. A 256-bit key offers a safety margin over 128 bits, including against future quantum computers, although a 128-bit key is already beyond brute force with any foreseeable classical computer.
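
As an added illustration (example code for this page, not from any product), the following Python shows why the Encryption entry near the top of this page insists on a strong password alongside 256-bit AES, and why the 128-bit and 256-bit entries talk about key length rather than password length: when the key is derived from a password, an attacker who can guess offline never needs to touch the 2^256 key space. The PBKDF2 parameters, the key-check value and the word list are constructed for the example.

```python
"""Added example, not code from the original page: why "256-bit AES plus a
password" is only as strong as the password. The data key is derived from the
password with PBKDF2-HMAC-SHA256 (the usual approach in software products) and
a constructed word list stands in for an attacker's dictionary. Nothing here
attacks AES; the attacker simply regenerates the key from guesses."""
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000      # assumed work factor; products tune this to their hardware
# Constructed word list: the kind of guesses a cracking tool tries first.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1",
            "usbkey", "Summer2011", "P@ssw0rd"]


def derive_key(password: str, salt: bytes) -> bytes:
    """256-bit key from the password; the same inputs always give the same key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def protect(password: str):
    """What the drive stores: a random salt and a key-check value, never the key."""
    salt = os.urandom(16)
    kcv = hashlib.sha256(b"kcv" + derive_key(password, salt)).digest()
    return salt, kcv


def unlock(password: str, salt: bytes, kcv: bytes):
    """Return the data key if the password is right, otherwise None."""
    key = derive_key(password, salt)
    if hmac.compare_digest(hashlib.sha256(b"kcv" + key).digest(), kcv):
        return key
    return None


def dictionary_attack(salt: bytes, kcv: bytes, wordlist):
    """Offline guessing with no retry limit, which is what a copied software-
    encrypted image allows. Returns (recovered_key_or_None, guesses_made)."""
    for n, guess in enumerate(wordlist, 1):
        key = unlock(guess, salt, kcv)
        if key is not None:
            return key, n
    return None, len(wordlist)


def effective_bits(password: str) -> float:
    """Rough UPPER bound on password entropy: length * log2(alphabet in use).
    Dictionary words fall far below it, as the attack above shows."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for pw in ("letmein", "correct horse battery staple 7!"):
        salt, kcv = protect(pw)
        key, tries = dictionary_attack(salt, kcv, WORDLIST)
        print(f"{pw!r}: nominal 256-bit key, entropy bound {effective_bits(pw):.0f} bits, "
              f"{'key recovered' if key else 'not found'} after {tries} guesses")
```

The weak password hands over the full 256-bit key on the third guess; the cipher's key length never entered into it. This offline guessing is exactly what a hardware key's limited-retry counter prevents: the attacker has to ask the device for each guess and the device stops answering.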


Software encryption: Software encryption provides privacy for data on a computer's disk by using the computer's own CPU to perform the encryption, decryption and related cryptographic operations. It can be used in a variety of applications, including encryption of files, directories or entire disks on mobile or desktop PCs, and for communications security. Its keys necessarily live in the computer's memory while in use, where malware on that computer can potentially reach them.


Hardware encryption: Hardware encryption moves the encryption/decryption function into the storage device itself: a self-encrypting hard disk, or the controller chip of a secure USB key. Isolating the encryption functions and keys in the drive, where the operating system cannot access them, is advantageous because it protects these security components from rootkits and malware on the host. Note that once the drive is unlocked, the host reads decrypted data from it like any other drive, so hardware encryption protects the data at rest and the keys, not data in use on an infected computer.


FIPS 140-2: The National Institute of Standards and Technology (NIST) issued the FIPS 140 publication series to coordinate the requirements and standards for cryptographic modules, which may include both hardware and software components. Conformance to FIPS 140-2 is tested and certified under the Cryptographic Module Validation Program (CMVP), a joint effort of NIST and the Communications Security Establishment (CSE) of the Canadian government.

FIPS 140-2 defines four increasing levels of security, simply named "Level 1" to "Level 4".


FIPS 140-2 Level 2: Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorised physical access.


FIPS 140-2 Level 3: In addition to the tamper-evident physical security mechanisms required at Security Level 2, Security Level 3 is intended to prevent an intruder from gaining access to the CSPs held within the cryptographic module. The physical security mechanisms required at Security Level 3 are intended to have a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module. They may include strong enclosures and tamper detection/response circuitry that zeroises all plaintext CSPs when the removable covers or doors of the module are opened. A secure USB key validated to Level 3 therefore does not merely show that it has been opened; it destroys its keys in the process.