Rethinking USB

Removable USB mass storage is headed in a new direction; corporate execs should sit up and take notice

THE development and adoption of removable USB mass storage is truly remarkable. Never before has it been so easy to move gigabytes of information around on a portable device that is small enough to clip onto a keychain. These devices have large capacities and can copy data at lightning speed.

It's hard to buy a USB flash drive these days with less than 128 MB of storage; some devices can achieve data rates greater than 20 MBps. The technology is so convenient and powerful that we wonder how we could have lived without it before. It's unthinkable to use floppy disks for the amount of data that we need to carry around today. While the capacity of a CD-RW might be sufficient, the procedure of inserting and "burning" simply can't compete with the ease of plugging a flash drive into the USB port.

USB mass storage devices are evolving, and we are starting to see many new features and behaviors that were never conceived when the USB mass storage specification was written.

On the other hand, most security officers wish this technology didn't exist at all. First, it is a medium that can carry computer viruses and software that shouldn't be used in the corporate environment. Probably more disturbing, the shear volume of proprietary information that could leave the corporate environment undetected through these devices is an enormous exposure for corporations. Corporate executives are losing sleep not knowing how much intellectual property is lost or stolen through this wide-open channel.

"In interviewing Fortune 500 company CIOs and CSOs, we found that they have no visibility into the quantity of information that leaves the organization through portable devices such as laptops and USB memory sticks," said Sean Wray, vice president of security solutions at MobileSecure.

To deal with this issue, some organizations have disabled USB ports through the BIOS, while others have gone to the more extreme measure of filling the USB connectors with a thick epoxy adhesive. While this solves the problem, it also prevents any beneficial uses of USB mass storage to be garnered. But what other functions are there for USB mass storage devices? Besides moving large amounts of data around at lightning speed, what else are we missing by banning their use? Surprisingly, there are very compelling advances to be gained in the security industry by properly harnessing the power and protocol of USB mass storage.

As any technology evolves, we see more features and functionality being added to newer models of devices. Sometimes these features are born out of convenience, while other times they stem from necessity. Cameras on cell phones, for example, are not necessary, but they are very handy. On the other hand, a subscriber information module (SIM) is a necessary feature to enable the interchangeability of phones without losing the subscriber identity.

USB mass storage devices are evolving, and we are starting to see many new features and behaviors that were never conceived when the USB mass storage specification was written. For example, many devices today offer encrypted storage, so that if you lose your device, the information on it remains safe. Some flash drives even have fingerprint sensors and processors built in so that biometric authentication of the owner is required before the storage can be accessed. These are examples of some security-driven extensions to the basic functionality of mass storage.

The on-board capabilities of strong cryptography and authentication that we see on some of the more advanced devices are the prime ingredients for a new direction in the evolution of USB mass storage. That direction is portable identity management and secure storage.

Digital Identities Take Many Forms

Digital identities can be simple credentials such as usernames and passwords, or more complex forms such as PKI-based X509 certificates or claims-based assertions in SAML tokens. To be really useful in today's identity infrastructures, an identity device must be more than a secure store of static credentials.

It also must be able to generate cryptographic keys, perform digital signature operations, parse request messages and emit security tokens in standard formats. Furthermore, it must bind identity operations to an authenticated user and be able to enforce security policies that have been defined by security officers.

One doesn't normally associate these operations with USB storage. In fact, digital identity functions are very different from mass storage, but that doesn't mean that they cannot exist on the same device, just as digital cameras now exist on cell phones. Despite the differences, there are significant benefits to putting digital identity functions on a USB mass storage device.

The obvious question that comes to mind is this: Why is it not just a simple matter of creating a composite device? After all, digital identity devices already exist in other form factors, such as smart cards and USB key fobs. These can easily be integrated into the same physical package with relative ease to produce a combined mass storage/digital identity device. The answer is that the benefits that we gain go beyond the convenience of having a multi-functional device and are attributable to using the USB mass storage protocol itself.

The USB mass storage interface itself has a number of desirable properties. First, it is ubiquitous. Practically every PC and operating system in use today supports it natively, and there are no device drivers or software to install in order to use a USB flash drive. This is what makes them so portable and interchangeable. It doesn't matter which vendor or brand of USB memory stick you have, as long as the device implements the specification, it will work.

Portability has been the Achilles' heel of smart cards and USB tokens. Wouldn't it be nice to be able to carry a smart card around without lugging a reader, device drivers and proprietary middleware? Without all of that, the smart card just won't work.

In fact, the situation is even worse than that. Even when you have deployed a smart card solution with all of the required components and middleware, you'll probably find that the solution won't work with another brand of smart card without swapping in new middleware components.

The government has addressed these interoperability challenges by developing the Government Smart Card Interoperability Specification (GSC-IS), so that they can deploy smart cards to federal employees without being tied to one smart card or middleware provider. Despite these and other enormous efforts on standards and interoperability, smart cards have suffered from a lack of widespread adoption of a common specification.

Another advantage of the USB mass storage interface is bandwidth. The USB 2.0 standard specifies a data rate of 480 MBps for a high-speed device. This opens up a new set of possibilities for security operations, as much more data can be sent and retrieved than what was previously possible on devices like smart cards. For example, instead of sending a hash of a document to be signed, the entire document could be sent to the device for processing.

The widespread native support and high bandwidth of the USB mass storage interface enables a digital identity device to be truly portable and accept high-level application messages through a protocol that is as simple as reading and writing to a file.

Work in developing open specifications to exploit this new direction has already begun. In partnerships with key device manufacturers, Microsoft is currently developing a specification called Portable Security Token Service (PSTS), which will enable file system-based communication to USB devices that can be used as portable credential carriers and generators of SAML tokens in response to WS-Trust requests. This is part of a digital identity metasystem that will enhance privacy and security of digital identity transactions on the Web. WS-Trust, along with other WS specifications, has already been submitted to OASIS for standardization. With the adoption of InfoCard in new Microsoft operating systems and popular browsers, it will be possible to roam to any machine and perform a digital identity transaction using a USB digital identity device.

There are still challenges to be addressed to make this direction a reality. Device manufacturers need to design for portability. The installation of drivers and middleware to assist in some of the digital identity computation is not an option. The device itself must be able to process high-level messages, perform cryptographic operations and handle user authentication internally, otherwise portability will be lost. The development and adoption of standards must continue relentlessly, otherwise we will fail to achieve interoperability.

Finally, the industry must be assured that these new devices are secure. The same types of security validations that are being applied to smart cards and other security modules will be needed.

Upon seeing the new digital identity direction of USB mass storage devices, organizations should rethink their decisions to disable USB mass storage. There are good solutions appearing on the market that can control the use of USB mass storage without disabling them completely. For example, many offerings prevent any unwanted devices from being used, except those that are issued or approved by the corporation, and administrators can even monitor the files that move on and off a device.

Digital identities play a key role in many security applications, from single sign-on and PKI, to the emerging systems of federated identity. By keeping USB mass storage enabled, corporations can leverage the new breed of USB mass storage-based digital identity devices to enhance and simplify their deployments of digital identity security solutions.

This article originally appeared in the January 2006 issue of Security Products, pg. 26.


  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Survey: Only 13 Percent of Research Institutions Are Prepared for AI

    A new survey commissioned by SHI International and Dell Technologies underscores the transformative potential of artificial intelligence (AI) while exposing significant gaps in preparedness at many research institutions. Read Now

  • Survey: 70 Percent of Organizations Have Established Dedicated SaaS Security Teams

    Seventy percent of organizations have prioritized investment in SaaS security, establishing dedicated SaaS security teams, despite economic uncertainty and workforce reductions. This was a key finding in the fourth Annual SaaS Security Survey Report: 2025 CISO Plans and Priorities released today by the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

  • Mobile Applications Are Empowering Security Personnel

    From real-time surveillance and access control management to remote monitoring and communications, a new generation of mobile applications is empowering security personnel to protect people and places. Mobile applications for physical security systems are emerging as indispensable tools to enhance safety. They also offer many features that are reshaping how modern security professionals approach their work. Read Now

Featured Cybersecurity


New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • ResponderLink


    Shooter Detection Systems (SDS), an company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3