Rethinking USB

Removable USB mass storage is headed in a new direction; corporate execs should sit up and take notice

• By Larry Hamid
• Jan 01, 2006

THE development and adoption of removable USB mass storage is truly remarkable. Never before has it been so easy to move gigabytes of information around on a portable device that is small enough to clip onto a keychain. These devices have large capacities and can copy data at lightning speed.

It's hard to buy a USB flash drive these days with less than 128 MB of storage; some devices can achieve data rates greater than 20 MBps. The technology is so convenient and powerful that we wonder how we could have lived without it before. It's unthinkable to use floppy disks for the amount of data that we need to carry around today. While the capacity of a CD-RW might be sufficient, the procedure of inserting and "burning" simply can't compete with the ease of plugging a flash drive into the USB port.

USB mass storage devices are evolving, and we are starting to see many new features and behaviors that were never conceived when the USB mass storage specification was written.

On the other hand, most security officers wish this technology didn't exist at all. First, it is a medium that can carry computer viruses and software that shouldn't be used in the corporate environment. Probably more disturbing, the shear volume of proprietary information that could leave the corporate environment undetected through these devices is an enormous exposure for corporations. Corporate executives are losing sleep not knowing how much intellectual property is lost or stolen through this wide-open channel.

"In interviewing Fortune 500 company CIOs and CSOs, we found that they have no visibility into the quantity of information that leaves the organization through portable devices such as laptops and USB memory sticks," said Sean Wray, vice president of security solutions at MobileSecure.

To deal with this issue, some organizations have disabled USB ports through the BIOS, while others have gone to the more extreme measure of filling the USB connectors with a thick epoxy adhesive. While this solves the problem, it also prevents any beneficial uses of USB mass storage to be garnered. But what other functions are there for USB mass storage devices? Besides moving large amounts of data around at lightning speed, what else are we missing by banning their use? Surprisingly, there are very compelling advances to be gained in the security industry by properly harnessing the power and protocol of USB mass storage.

As any technology evolves, we see more features and functionality being added to newer models of devices. Sometimes these features are born out of convenience, while other times they stem from necessity. Cameras on cell phones, for example, are not necessary, but they are very handy. On the other hand, a subscriber information module (SIM) is a necessary feature to enable the interchangeability of phones without losing the subscriber identity.

USB mass storage devices are evolving, and we are starting to see many new features and behaviors that were never conceived when the USB mass storage specification was written. For example, many devices today offer encrypted storage, so that if you lose your device, the information on it remains safe. Some flash drives even have fingerprint sensors and processors built in so that biometric authentication of the owner is required before the storage can be accessed. These are examples of some security-driven extensions to the basic functionality of mass storage.

The on-board capabilities of strong cryptography and authentication that we see on some of the more advanced devices are the prime ingredients for a new direction in the evolution of USB mass storage. That direction is portable identity management and secure storage.

Digital Identities Take Many Forms

It also must be able to generate cryptographic keys, perform digital signature operations, parse request messages and emit security tokens in standard formats. Furthermore, it must bind identity operations to an authenticated user and be able to enforce security policies that have been defined by security officers.

One doesn't normally associate these operations with USB storage. In fact, digital identity functions are very different from mass storage, but that doesn't mean that they cannot exist on the same device, just as digital cameras now exist on cell phones. Despite the differences, there are significant benefits to putting digital identity functions on a USB mass storage device.

The obvious question that comes to mind is this: Why is it not just a simple matter of creating a composite device? After all, digital identity devices already exist in other form factors, such as smart cards and USB key fobs. These can easily be integrated into the same physical package with relative ease to produce a combined mass storage/digital identity device. The answer is that the benefits that we gain go beyond the convenience of having a multi-functional device and are attributable to using the USB mass storage protocol itself.

The USB mass storage interface itself has a number of desirable properties. First, it is ubiquitous. Practically every PC and operating system in use today supports it natively, and there are no device drivers or software to install in order to use a USB flash drive. This is what makes them so portable and interchangeable. It doesn't matter which vendor or brand of USB memory stick you have, as long as the device implements the specification, it will work.

Portability has been the Achilles' heel of smart cards and USB tokens. Wouldn't it be nice to be able to carry a smart card around without lugging a reader, device drivers and proprietary middleware? Without all of that, the smart card just won't work.

In fact, the situation is even worse than that. Even when you have deployed a smart card solution with all of the required components and middleware, you'll probably find that the solution won't work with another brand of smart card without swapping in new middleware components.

The government has addressed these interoperability challenges by developing the Government Smart Card Interoperability Specification (GSC-IS), so that they can deploy smart cards to federal employees without being tied to one smart card or middleware provider. Despite these and other enormous efforts on standards and interoperability, smart cards have suffered from a lack of widespread adoption of a common specification.

Another advantage of the USB mass storage interface is bandwidth. The USB 2.0 standard specifies a data rate of 480 MBps for a high-speed device. This opens up a new set of possibilities for security operations, as much more data can be sent and retrieved than what was previously possible on devices like smart cards. For example, instead of sending a hash of a document to be signed, the entire document could be sent to the device for processing.

The widespread native support and high bandwidth of the USB mass storage interface enables a digital identity device to be truly portable and accept high-level application messages through a protocol that is as simple as reading and writing to a file.

Work in developing open specifications to exploit this new direction has already begun. In partnerships with key device manufacturers, Microsoft is currently developing a specification called Portable Security Token Service (PSTS), which will enable file system-based communication to USB devices that can be used as portable credential carriers and generators of SAML tokens in response to WS-Trust requests. This is part of a digital identity metasystem that will enhance privacy and security of digital identity transactions on the Web. WS-Trust, along with other WS specifications, has already been submitted to OASIS for standardization. With the adoption of InfoCard in new Microsoft operating systems and popular browsers, it will be possible to roam to any machine and perform a digital identity transaction using a USB digital identity device.

There are still challenges to be addressed to make this direction a reality. Device manufacturers need to design for portability. The installation of drivers and middleware to assist in some of the digital identity computation is not an option. The device itself must be able to process high-level messages, perform cryptographic operations and handle user authentication internally, otherwise portability will be lost. The development and adoption of standards must continue relentlessly, otherwise we will fail to achieve interoperability.

Finally, the industry must be assured that these new devices are secure. The same types of security validations that are being applied to smart cards and other security modules will be needed.

Upon seeing the new digital identity direction of USB mass storage devices, organizations should rethink their decisions to disable USB mass storage. There are good solutions appearing on the market that can control the use of USB mass storage without disabling them completely. For example, many offerings prevent any unwanted devices from being used, except those that are issued or approved by the corporation, and administrators can even monitor the files that move on and off a device.

Digital identities play a key role in many security applications, from single sign-on and PKI, to the emerging systems of federated identity. By keeping USB mass storage enabled, corporations can leverage the new breed of USB mass storage-based digital identity devices to enhance and simplify their deployments of digital identity security solutions.