BlockMaster SafeStick hardware-encrypted USB drive
Review It may make its money selling shedloads of its security-centric USB Flash drives to organisations like the NHS, but Sweden's BlockMaster believes the rest of us likewise need memory sticks with a high level of data protection built in.
Leaving aside for a moment the question of whether you really want to keep confidential personal information on a gadget that's so easy to misplace, it's certainly the case that if you do lose a USB key, you don't want whoever finds it to have a nose through your files.
BlockMaster's SafeStick: small, metal clad and with integrated encryption
Enter BlockMaster's SafeStick, a compact black metal USB Flash drive with on-board hardware encryption which won't mount its storage space until you've correctly entered the password.
Insert it for the first time, and up pops a read-only partition containing the password entry program. Our review unit had had a password pre-set, but it proved easy enough to change it to something with more than eight characters and with at least one capital letter and one number.
Run manually or automatically, SafeStick's access app is a lightweight utility that, beyond opening up the drive's storage and allowing you to change the password, will let you re-lock the SafeStick, reset it to factory state and set an idle period after which it'll lock the storage space automatically. The latter's handy for folk who're likely to unlock the stick and then wander away from the computer they're using, and it's enabled by default.
Handy size for crammed USB ports
The app resides entirely on the SafeStick so there's no need to install any code on the machines you'll be plugging the stick into. Removing the SafeStick from a USB port automatically locks it.
CBC v's ECB mode
Mark 65 17th June 2009 02:59
You are of course right in that CBC mode AES128 is stronger than ECB mode AES256, obviously then the AES256 in CBC mode that SafeStick uses is much stronger than the AES128 bit in CBC mode that the product you mention uses?
SafeStick also has a two factor authentication token, plus the ability to install ANY application onto the device that you wish, be it a hardened web browser, password manager etc etc
Just one more thing
Just one more thing, I like the idea that the Stick will wipe itself after a user defined amount of incorrect password attempts - if a thief put that in a cracking machine they have 20 attempts to get it right or their efforts were in vain.
my 2 cents
@ Pheet - the website says its FIPS 197 so it must have been certified to meet the fully published AES standard?
Whatever the standard, I'm sure given the horsepower, time and will, anything can be cracked. Surely an easier way to gain a password from a Bank or Government employee if you REALLY want the data is much simpler - should such people want access to your data bad enough, a threat of violence will do it.
I'd rather Government departments, Banks, Corporates NOT stick CDs stuffed with data in the post or leave unencrypted sticks / PDAs / mobile phones on a train for thieves to get my data, account details etc. Surely enforcing seamless data encryption is a good thing?
I think some comments may be missing the point of this device as I see it - I don't see it as a cheap, single-user encryption device - of which there are loads to choose from - although not everyone is techie enough to understand what is good, bad, good value, false sense of security etc.
For the techies there are always other options - including the best one - not storing your data on removable devices anyways.
SafeStick is useful to us because we can deploy and manage hundreds of sticks from a single web console and KNOW they are all encrypted. Integration with backend AD accounts etc. means we can give sticks to employees, with a fixed password policy - and importantly they can be disabled / wiped / reset / de-activated if lost. Also surely stopping malware spread has to be a good thing for everyone?
We also use the stick to provide 2-factor authentication - it saves us a large fortune not having to deploy / replace additional hardware tokens.
"Ironkey by the way is only 128 bit AES !
Only goes up to 8GB in Storage"
1. If people are happy to access their bank accounts using only 128 bit then they shouldn't be too bothered about their other data. The enterprise version (NHS applicable) even comes with a two factor RSA token.
2. You should also read this publication regarding the "only 128 bit AES" as AES can be implemented in 5 different modes of operation. They chose the one that would allow them to use the shorter key without lessening the security, so that their CBC mode at 128 bit can be more secure than others' ECB mode at 256 bits when encrypting large blocks of data...
3. It's a USB key, how much storage do you really need in this format? For anything more run a laptop with an encrypted drive/partition/data file or truecrypt portable on a USB hard drive. 8GB should be plenty.
4. It's also worth noting that as these devices destruct to protect data it would need to be securely backed up elsewhere and the larger the device is the more of a pain in the arse that becomes. The USB drive with truecrypt file could be backed up on its own but suffers the brute force issues.
AES on an 8051 without hardware assist?
I doubt that. This Intel microcontroller is donkey's years old and was slow even then. However as the host for some on-chip accelerator hardware that might work well.
People have commented about physical attack. But what is the real horse power requirement to break AES? Of course it's possible. But how long?
If your staff absolutely have got to have a load of sensitive data on their PC right now I think TrueCrypt and proper password management will get a system in place faster and cheaper. This thing looks easy to walk off with or replace with a dummy.
But designing systems which *don't* need all that data on a laptop or USB drive in the first place would be better.
That takes intelligence and commitment (from management). Items in very short supply in the UK business and government communities.