New directions for removable USB mass storage

Larry Hamid, Memory Experts International

The development and adoption of removable USB mass storage is truly remarkable. Never before has it been so easy to move gigabytes of information around on a portable device that is small enough to clip on to a key chain. Larry Hamid, chief technology officer within the Secure Products Division at Memory Experts International, investigates this burgeoning phenomenon.

Many portable devices have large capacities and can copy data at lightning speed and these days it's hard to buy a USB flash drive with less than 128MB of storage and some devices can achieve data rates greater than 20MB per second.

The technology is so convenient and powerful that we wonder how we could have lived without it. It's unthinkable to use floppy disks for the amount of data that we need to carry around today. While the capacity of a CD-RW might be sufficient, the procedure of inserting and 'burning' simply can't compete with the ease of plugging a flash drive into the USB port.

On the other hand most security officers wish that this technology didn't exist at all. First of all it is a medium that can carry computer viruses and software that shouldn't be used in the corporate environment. Probably more disturbing is that the sheer volume of proprietary information that could leave the corporate environment undetected through these devices is an enormous exposure for corporations.

Corporate executives are losing sleep not knowing how much intellectual property is lost or stolen through this wide, open channel. 'In interviewing Fortune 500 company CIOs and CSOs we found that they have no visibility into the quantity of information that leaves the organization through portable devices such as laptops and USB memory sticks,' says Sean Wray, vice-president of Security Solutions at MobileSecure.

To deal with this issue some organizations have disabled USB ports through the BIOS, while others have gone to the more extreme measure of filling the USB connectors with a thick epoxy adhesive. While this solves the problem it also prevents any beneficial uses of USB mass storage.

But what other functions are there for USB mass storage devices? Besides moving large amounts of data around at lightning speed what else could we be missing by banning their use? Surprisingly there are very compelling advances to be gained in the security industry by properly harnessing the power and protocol of USB mass storage.

As any technology evolves we always see more features and functionality being added to newer models of devices. Sometimes these features are born out of convenience, while other times they stem from necessity.

Cameras on cell phones, for example, are not necessary but they really are handy. On the other hand a subscriber information module (SIM) is a necessary feature to enable the interchangeability of phones without losing the subscriber identity.

USB mass storage devices are evolving and we are starting to see many new features and behaviours that were never conceived when the USB mass storage specification was written. For example many devices today offer encrypted storage so that if you lose your device, the information on it remains safe.

Some flash drives even have fingerprint sensors and processors built in so that biometric authentication of the owner is required before the storage can be accessed. These are examples of some security-driven extensions to the basic functionality of mass storage.

The on-board capabilities of strong cryptography and authentication that we see on some of the more advanced devices are the prime ingredients for a new direction in the evolution of USB mass storage, and that direction is portable identity management with secure storage.

Digital identities take many forms. They can be simple credentials, such as usernames and passwords, or more complex forms such as PKI-based X509 certificates or claims-based assertions in SAML tokens. To be really useful in today's identity infrastructures an identity device must be more than a secure store of static credentials.

It must also be able to generate cryptographic keys, perform digital signature operations, parse request messages and emit security tokens in standard formats. Furthermore it must bind identity operations to an authenticated user and be able to enforce security policies that have been defined by security officers.

One doesn't normally associate these operations with USB storage. In fact digital identity functions are very different from mass storage, but that doesn't mean that they cannot exist on the same device, just as digital cameras now exist on cell phones. Despite the differences there are significant benefits to putting digital identity functions on a USB mass storage device.

The obvious question that comes to mind is why is it not just a simple matter of creating a composite device? After all, digital identity devices already exist in other form factors such as smart cards and, yes, USB key fobs. These could easily be integrated into the same physical package with relative ease to produce a combined mass storage/digital identity device.

The answer is that the benefits that we gain go beyond the convenience of having a multi-functional device and are attributable to using the USB mass storage protocol itself.

A USB mass storage interface has a number of desirable properties. First it is ubiquitous. Practically every PC and operating system in use today supports it natively and there are no device drivers or software to install in order to use a USB flash drive. This is what makes them so portable and interchangeable. It doesn't matter which vendor or brand of USB memory stick you have, as long as the device implements the specification, it will work.

Portability has been the Achilles' heel of smart cards and USB tokens. Wouldn't it be nice to be able to carry a smart card around without lugging a reader, device drivers and proprietary middleware? Without all of that the smart card just won't work. In fact the situation is worse than that.

Even when you have deployed a smart card solution with all of the required components and middleware, you'll probably find that the solution won't work with another brand of smart card without swapping in new middleware components. The US government has addressed these interoperability challenges by developing Government Smart Card Interoperability Specification (GSC-IS) so that they can deploy smart cards to federal employees without being tied to one smart card or middleware provider.

Despite these and other enormous efforts on standards and interoperability, smart cards have suffered from the lack of widespread adoption of a common specification.

Another advantage of the USB mass storage interface is the bandwidth. The USB 2.0 standard specifies a data rate of 480 Megabits per second for a highspeed device. This opens up a whole new set of possibilities for security operations as much more data can be sent and retrieved than was previously thought possible on devices such as smart cards.

For example instead of sending a hash of a document to be signed the entire document could be sent to the device for processing.

The widespread native support and high bandwidth of the USB mass storage interface enables a digital identity device to be truly portable and accept high-level application messages through a protocol that is as simple as reading and writing to a file.

Work in developing open specifications to exploit this new direction has already begun. In partnerships with key device manufacturers, Microsoft is currently developing a specification called Portable Security Token Service (PSTS), which will enable file system-based communication to USB devices that can be used as portable credential carriers and generators of SAML tokens in response to WS-Trust requests.

This is part of a digital identity metasystem that will enhance privacy and security of digital identity transactions on the web. WS-Trust, along with other WS-* specifications, are already submitted to OASIS for standardization. With the adoption of InfoCard in new Microsoft operating systems and popular browsers, it will be possible for you to roam to any machine, say at an internet café, and perform a digital identity transaction using your USB digital identity device.

There are still challenges to be addressed to make this direction a reality. Device manufacturers need to design for portability. The installation of drivers and middleware to assist in some of the digital identity computation is not an option. The device itself must be able to process high-level messages, perform cryptographic operations and handle user authentication internally, otherwise portability will be lost.

The development and adoption of standards must continue relentlessly otherwise we will fail to achieve interoperability. Finally the industry must be assured that these new devices are secure. The same types of security validations that are being applied to smart cards and other security modules will be needed. Now that we have seen the new digital identity direction of USB mass storage devices and what it could mean for portability and interoperability, organizations should rethink their decisions to disable USB mass storage.

There are good solutions appearing on the market that can control the use of USB mass storage without disabling them completely. For example many offerings allow you to prevent any unwanted devices from being used except those that are issued or approved by the corporation, and you can even monitor the files that move on and off a device.

Digital identities play a key role in many security applications from single sign-on to PKI to the emerging systems of federated identity. By keeping USB mass storage enabled, corporations can leverage the new breed of USB mass storage-based digital identity devices to enhance and simplify their deployments of digital identity security solutions.