Rethinking USB

Removable USB mass storage is headed in a new direction; corporate execs should sit up and take notice

The development and adoption of removable USB mass storage is truly remarkable. Never before has it been so easy to move gigabytes of information around on a portable device that is small enough to clip onto a keychain. These devices have large capacities and can copy data at lightning speed.

It's hard to buy a USB flash drive these days with less than 128 MB of storage; some devices can achieve data rates greater than 20 MBps. The technology is so convenient and powerful that we wonder how we could have lived without it before. It's unthinkable to use floppy disks for the amount of data that we need to carry around today. While the capacity of a CD-RW might be sufficient, the procedure of inserting and "burning" simply can't compete with the ease of plugging a flash drive into the USB port.

On the other hand, most security officers wish this technology didn't exist at all. First, it is a medium that can carry computer viruses and software that shouldn't be used in the corporate environment. Probably more disturbing, the sheer volume of proprietary information that could leave the corporate environment undetected through these devices is an enormous exposure for corporations. Corporate executives are losing sleep not knowing how much intellectual property is lost or stolen through this wide-open channel.

"In interviewing Fortune 500 company CIOs and CSOs, we found that they have no visibility into the quantity of information that leaves the organization through portable devices such as laptops and USB memory sticks," said Sean Wray, vice president of security solutions at MobileSecure.

To deal with this issue, some organizations have disabled USB ports through the BIOS, while others have gone to the more extreme measure of filling the USB connectors with a thick epoxy adhesive. While this solves the problem, it also prevents any of the beneficial uses of USB mass storage from being realized. But what other functions are there for USB mass storage devices? Besides moving large amounts of data around at lightning speed, what else are we missing by banning their use? Surprisingly, there are very compelling advances to be gained in the security industry by properly harnessing the power and protocol of USB mass storage.

As any technology evolves, we see more features and functionality being added to newer models of devices. Sometimes these features are born out of convenience, while other times they stem from necessity. Cameras on cell phones, for example, are not necessary, but they are very handy. On the other hand, a subscriber information module (SIM) is a necessary feature to enable the interchangeability of phones without losing the subscriber identity.

USB mass storage devices are evolving, and we are starting to see many new features and behaviors that were never conceived when the USB mass storage specification was written. For example, many devices today offer encrypted storage, so that if you lose your device, the information on it remains safe. Some flash drives even have fingerprint sensors and processors built in so that biometric authentication of the owner is required before the storage can be accessed. These are examples of some security-driven extensions to the basic functionality of mass storage.

The on-board capabilities of strong cryptography and authentication that we see on some of the more advanced devices are the prime ingredients for a new direction in the evolution of USB mass storage. That direction is portable identity management and secure storage.

Digital Identities Take Many Forms

Digital identities can be simple credentials such as usernames and passwords, or more complex forms such as PKI-based X.509 certificates or claims-based assertions in SAML tokens. To be really useful in today's identity infrastructures, an identity device must be more than a secure store of static credentials.

It also must be able to generate cryptographic keys, perform digital signature operations, parse request messages and emit security tokens in standard formats. Furthermore, it must bind identity operations to an authenticated user and be able to enforce security policies that have been defined by security officers.

One doesn't normally associate these operations with USB storage. In fact, digital identity functions are very different from mass storage, but that doesn't mean that they cannot exist on the same device, just as digital cameras now exist on cell phones. Despite the differences, there are significant benefits to putting digital identity functions on a USB mass storage device.

The obvious question that comes to mind is this: Why is it not just a simple matter of creating a composite device? After all, digital identity devices already exist in other form factors, such as smart cards and USB key fobs. These can be integrated into the same physical package with relative ease to produce a combined mass storage/digital identity device. The answer is that the benefits we gain go beyond the convenience of having a multi-functional device and are attributable to using the USB mass storage protocol itself.

The USB mass storage interface itself has a number of desirable properties. First, it is ubiquitous. Practically every PC and operating system in use today supports it natively, and there are no device drivers or software to install in order to use a USB flash drive. This is what makes them so portable and interchangeable. It doesn't matter which vendor or brand of USB memory stick you have: as long as the device implements the specification, it will work.

Portability has been the Achilles' heel of smart cards and USB tokens. Wouldn't it be nice to be able to carry a smart card around without lugging a reader, device drivers and proprietary middleware? Without all of that, the smart card just won't work.

In fact, the situation is even worse than that. Even when you have deployed a smart card solution with all of the required components and middleware, you'll probably find that the solution won't work with another brand of smart card without swapping in new middleware components.

The government has addressed these interoperability challenges by developing the Government Smart Card Interoperability Specification (GSC-IS), so that they can deploy smart cards to federal employees without being tied to one smart card or middleware provider. Despite these and other enormous efforts on standards and interoperability, smart cards have suffered from a lack of widespread adoption of a common specification.

Another advantage of the USB mass storage interface is bandwidth. The USB 2.0 standard specifies a data rate of 480 MBps for a high-speed device. This opens up a new set of possibilities for security operations, as much more data can be sent and retrieved than what was previously possible on devices like smart cards. For example, instead of sending a hash of a document to be signed, the entire document could be sent to the device for processing.

The widespread native support and high bandwidth of the USB mass storage interface enables a digital identity device to be truly portable and accept high-level application messages through a protocol that is as simple as reading and writing to a file.

Work in developing open specifications to exploit this new direction has already begun. In partnerships with key device manufacturers, Microsoft is currently developing a specification called Portable Security Token Service (PSTS), which will enable file system-based communication to USB devices that can be used as portable credential carriers and generators of SAML tokens in response to WS-Trust requests. This is part of a digital identity metasystem that will enhance privacy and security of digital identity transactions on the Web. WS-Trust, along with other WS specifications, has already been submitted to OASIS for standardization. With the adoption of InfoCard in new Microsoft operating systems and popular browsers, it will be possible to roam to any machine and perform a digital identity transaction using a USB digital identity device.
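The two properties just described, whole documents sent to the device instead of a hash, and a request/response protocol that is nothing more than writing and reading files on the mounted volume, are easiest to see in a small simulation. The following is an added example written for this page; it is not the PSTS specification, nor code from Microsoft or any device manufacturer. The file names (`request.json`, `response.json`), the message fields, the PIN-based user authentication with a three-try lockout, and the use of HMAC-SHA256 as a stand-in for the device's signing key are all assumptions made for the example. The point it demonstrates is that the host only ever touches files, while the secret key and the authentication policy live entirely on the device side.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile

# Constructed example: host and "device" communicate only through files on the
# device's mass-storage volume (a temporary directory stands in for the mount).
# File names, message fields and the keyed MAC used as a "signature" are
# assumptions for this example, not any real specification.
REQUEST_FILE = "request.json"
RESPONSE_FILE = "response.json"


class IdentityDevice:
    """Simulated portable identity device. The key never leaves this object;
    the host only sees the files it writes into the mount directory."""

    def __init__(self, mount: str, pin: str):
        self.mount = mount
        self._key = secrets.token_bytes(32)                   # stays on-device
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._remaining_tries = 3                             # lock after 3 bad PINs

    def public_verifier(self):
        """Stand-in for a public key: hand out a verify function, not the key."""
        key = self._key

        def verify(data: bytes, tag: str) -> bool:
            expected = hmac.new(key, data, hashlib.sha256).hexdigest()
            return hmac.compare_digest(expected, tag)
        return verify

    def service(self) -> dict:
        """Consume one request file, process it, and emit the response file."""
        path = os.path.join(self.mount, REQUEST_FILE)
        with open(path) as f:
            req = json.load(f)
        os.remove(path)                                       # PIN must not linger on the volume
        resp = self._handle(req)
        with open(os.path.join(self.mount, RESPONSE_FILE), "w") as f:
            json.dump(resp, f)
        return resp

    def _handle(self, req: dict) -> dict:
        if self._remaining_tries == 0:
            return {"status": "locked"}
        pin_hash = hashlib.sha256(req.get("pin", "").encode()).digest()
        if not hmac.compare_digest(pin_hash, self._pin_hash):
            self._remaining_tries -= 1
            return {"status": "auth_failed", "tries_left": self._remaining_tries}
        self._remaining_tries = 3                             # reset on success
        if req.get("op") != "sign":
            return {"status": "unsupported"}
        # The whole document arrives; the device hashes and signs it internally.
        document = bytes.fromhex(req["document_hex"])
        digest = hashlib.sha256(document).hexdigest()
        tag = hmac.new(self._key, document, hashlib.sha256).hexdigest()
        return {"status": "ok", "sha256": digest, "signature": tag}


class Host:
    """The host side needs nothing but ordinary file I/O on the volume."""

    def __init__(self, mount: str):
        self.mount = mount

    def request_signature(self, document: bytes, pin: str) -> None:
        with open(os.path.join(self.mount, REQUEST_FILE), "w") as f:
            json.dump({"op": "sign", "pin": pin, "document_hex": document.hex()}, f)

    def read_response(self) -> dict:
        path = os.path.join(self.mount, RESPONSE_FILE)
        with open(path) as f:
            resp = json.load(f)
        os.remove(path)
        return resp


def demo(pin_entered: str = "1234", document: bytes = b"contract text") -> dict:
    """One full exchange; returns the response with a 'verified' flag on success."""
    with tempfile.TemporaryDirectory() as mount:
        device = IdentityDevice(mount, pin="1234")
        host = Host(mount)
        host.request_signature(document, pin_entered)
        device.service()
        resp = host.read_response()
        if resp["status"] == "ok":
            resp["verified"] = device.public_verifier()(document, resp["signature"])
        return resp


def lockout_demo() -> list:
    """Three wrong PINs lock the device; the correct PIN afterwards is refused."""
    with tempfile.TemporaryDirectory() as mount:
        device = IdentityDevice(mount, pin="1234")
        host = Host(mount)
        statuses = []
        for pin in ("0000", "1111", "2222", "1234"):
            host.request_signature(b"x", pin)
            device.service()
            statuses.append(host.read_response()["status"])
        return statuses


if __name__ == "__main__":
    print(demo())
    print(lockout_demo())
```

In this simulation the PIN travels inside the request file, which is why the device deletes the request as soon as it has read it; a device with a built-in fingerprint sensor, as described above, would authenticate the user out of band and the request file would carry no secret at all. The lockout counter is the kind of policy the article says the device itself must enforce, since no host-side middleware is available to do it.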

There are still challenges to be addressed to make this direction a reality. Device manufacturers need to design for portability. The installation of drivers and middleware to assist in some of the digital identity computation is not an option. The device itself must be able to process high-level messages, perform cryptographic operations and handle user authentication internally; otherwise portability will be lost. The development and adoption of standards must continue relentlessly; otherwise we will fail to achieve interoperability.

Finally, the industry must be assured that these new devices are secure. The same types of security validations that are being applied to smart cards and other security modules will be needed.

Upon seeing the new digital identity direction of USB mass storage devices, organizations should rethink their decisions to disable USB mass storage. There are good solutions appearing on the market that can control the use of USB mass storage without disabling them completely. For example, many offerings prevent any unwanted devices from being used, except those that are issued or approved by the corporation, and administrators can even monitor the files that move on and off a device.
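The device-control approach described above, admit only corporate-issued devices and keep an audit trail of what moves onto them, comes down to a small policy engine. The following is an added example written for this page, not code from any product mentioned here. The approved-device list, the event format and the sample log lines are constructed for the example. It goes slightly beyond the text in one respect: devices that report no serial number are refused even if their vendor and product identifiers match, because without a serial the policy cannot tell one drive of that model from another.

```python
import re
from dataclasses import dataclass

# Constructed allowlist of corporate-issued drives: (vendor_id, product_id, serial).
# These identifiers are made up for the example.
APPROVED = {
    ("0781", "5567", "4C530001230907110452"),
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def admit(vid: str, pid: str, serial: str) -> Decision:
    """Deny by default; a device is admitted only on an exact (vid, pid, serial) match."""
    if not serial:
        return Decision(False, "no serial number: device identity cannot be pinned")
    if (vid.lower(), pid.lower(), serial) in APPROVED:
        return Decision(True, "corporate-issued device")
    return Decision(False, "device not on the approved list")


# Constructed sample events: two attach events for known/unknown drives, one
# file copy, and one attach from a drive that reports an empty serial number.
SAMPLE_LOG = """\
2006-01-09T08:14:02 usb attach vid=0781 pid=5567 serial=4C530001230907110452 user=jsmith
2006-01-09T08:15:40 file copy dst=E:\\quarterly_forecast.xlsx bytes=1048576 user=jsmith
2006-01-09T09:02:11 usb attach vid=13fe pid=1e00 serial=07A10201 user=mlee
2006-01-09T09:03:05 usb attach vid=0951 pid=1607 serial= user=rkim
"""

ATTACH_RE = re.compile(r"^(\S+) usb attach vid=(\w+) pid=(\w+) serial=(\S*) user=(\S+)$")
COPY_RE = re.compile(r"^(\S+) file copy dst=(\S+) bytes=(\d+) user=(\S+)$")


def process(log: str) -> list:
    """Evaluate each event and return the audit records an administrator would review."""
    audit = []
    for line in log.splitlines():
        m = ATTACH_RE.match(line)
        if m:
            ts, vid, pid, serial, user = m.groups()
            d = admit(vid, pid, serial)
            audit.append({"time": ts, "event": "attach", "user": user,
                          "device": f"{vid}:{pid}:{serial or '<none>'}",
                          "allowed": d.allowed, "reason": d.reason})
            continue
        m = COPY_RE.match(line)
        if m:
            ts, dst, size, user = m.groups()
            audit.append({"time": ts, "event": "copy", "user": user,
                          "dst": dst, "bytes": int(size)})
    return audit


def denied_attachments(log: str) -> list:
    """Convenience view: just the devices that were refused, with the reason."""
    return [a for a in process(log) if a["event"] == "attach" and not a["allowed"]]


if __name__ == "__main__":
    for record in process(SAMPLE_LOG):
        print(record)
```

The copy record is kept alongside the admission decisions on purpose: the article's concern is not only which device was plugged in but how much left on it, and a per-user, per-destination byte count is the minimum an administrator needs to answer that question.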

Digital identities play a key role in many security applications, from single sign-on and PKI, to the emerging systems of federated identity. By keeping USB mass storage enabled, corporations can leverage the new breed of USB mass storage-based digital identity devices to enhance and simplify their deployments of digital identity security solutions.

This article originally appeared in the January 2006 issue of Security Products, pg. 26.
