The Security of Authentication

Given the recent news about a serious password security flaw (see http://www.syss.de/index.php?id=veroeffentlichungen&no_cache=1&L=1) found in some encrypted USB drives, I thought it would be a good time to say a few things about authentication.

Let’s start with the very basics. User authentication is the front line of security. If authentication is weak, it doesn’t matter how strong your encryption is, or how impenetrable the hardware is that protects the encryption key. If there is no authentication, there may as well be no encryption at all. Authentication is the “key to the key”, so to speak.

Since the authentication process itself manipulates sensitive information, such as passwords and biometric templates, it only makes sense that it occur in a trustworthy environment. Even strong, multi-factor authentication becomes weakened, and can even be defeated, if the user’s credential information is compromised. Your managed corporate desktop should be a trustworthy environment. This is why entering a password to log in to your domain normally isn’t a problem. However, the situation is drastically different for a secure flash drive. Being a portable device, it can be exposed to many untrustworthy environments where malicious software may be capturing keystrokes or reading passwords from memory.

The best place for the authentication to occur in such a device is within the hardware. Of course, the more secure the hardware the better. Some people are suggesting that FIPS certification is meaningless given that the recent security flaw is associated with FIPS-validated devices. There is nothing wrong with the FIPS process, but it must be understood that it only deals with what happens inside the cryptographic boundary, and there is much more to consider when looking at overall security (see this blog entry for some more insight: http://www.mxisecurity.com/blog/cto/2008/07/14/fips-validated-is-more-than-a-check-box/).

At MXI Security we strive to deliver the best authentication technology in the industry. Our portable devices are capable of password, biometric, and multi-factor authentication, all within the secure hardware environment of the device. You can take these devices anywhere, but you will still need to be aware that key loggers remain a threat, since password entry is done from a keyboard. It’s good practice to change your password to limit the damage such attacks can do (we provide password rules that let you enforce such things as regular changes and a ban on password reuse).
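To make the “key to the key” idea and the password rules above concrete, here is an added model (constructed for this post, not MXI Security’s product code) of a device that stores only a wrapped data key, checks the password inside its own boundary, releases the key only on success, and enforces reuse and age rules; the iteration count, history depth and 90-day age are assumed policy values.

```python
"""Model of the 'key to the key' design: the device keeps only a wrapped data
key, verifies the password inside its own boundary, and releases the key only
on success. Constructed example, not MXI Security's product code."""
import hashlib, hmac, os

class SecureDevice:
    HISTORY = 5             # constructed policy: last 5 passwords may not be reused
    MAX_AGE_S = 90 * 86400  # constructed policy: password must change every 90 days

    def __init__(self, password, now=0.0):
        self._dek = os.urandom(32)  # data key; never leaves the boundary unwrapped
        self._history = []          # (salt, verifier) pairs for previous passwords
        self._install(password, now)

    @staticmethod
    def _derive(password, salt):
        # Slow KDF; first half masks the DEK, second half authenticates the blob.
        k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 64)
        return k[:32], k[32:]

    def _install(self, password, now):
        self._salt = os.urandom(16)
        mask, mac_key = self._derive(password, self._salt)
        self._wrapped = bytes(a ^ b for a, b in zip(self._dek, mask))
        self._tag = hmac.new(mac_key, self._wrapped, "sha256").digest()
        self._changed_at = now
        verifier = hmac.new(mac_key, b"password-verifier", "sha256").digest()
        self._history = [(self._salt, verifier)] + self._history[: self.HISTORY - 1]

    def unlock(self, password):
        # Release the DEK only if the password authenticates the wrapped blob.
        mask, mac_key = self._derive(password, self._salt)
        tag = hmac.new(mac_key, self._wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, self._tag):
            return None  # wrong password: nothing usable leaves the device
        return bytes(a ^ b for a, b in zip(self._wrapped, mask))

    def _reused(self, password):
        # Recompute the verifier under every old salt; constant-time compares.
        return any(hmac.compare_digest(hmac.new(self._derive(password, s)[1],
                                                b"password-verifier", "sha256").digest(), v)
                   for s, v in self._history)

    def change_password(self, old, new, now=0.0):
        # Rules from the post: the old password must verify; the new one must not be recent.
        if self.unlock(old) is None or self._reused(new):
            return False
        self._install(new, now)
        return True

    def password_expired(self, now):
        return now - self._changed_at > self.MAX_AGE_S
```

The host only ever sends a password in and gets a yes/no (plus the key, inside the boundary) back; nothing it could replay or patch on the host side substitutes for a correct password.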

Since biometric authentication is done completely on the device, it is immune even to key loggers. For those who want the strongest authentication possible, biometric and password authentication can be combined (2-factor) so that even a compromised password isn’t enough to break in.

If you are interested, I have other blog entries on authentication (see http://www.mxisecurity.com/blog/cto/2008/07/10/is-it-two-factor-or-three-factor-authentication/ and http://www.mxisecurity.com/blog/cto/2008/06/03/beware-of-biometric-images/).
