June 29, 2017 at 16:08

Secure flash drive. Myth or reality



    Hello, Habr! Today we will tell you about one of the easiest ways to make our world a little safer.


    A flash drive is a familiar and reliable storage medium. And despite the fact that in recent years, cloud storage more and more displace them, flash drives are still sold and bought a lot. Still, not everywhere there is a wide and stable Internet channel, and in some places and institutions the Internet in general may be banned. In addition, we must not forget that a significant number of people for various reasons are distrustful of all kinds of “clouds”.


    We all got used to flash drives for a long time and many of us remember how first usb mass storage support appeared in Windows 2000 shyly, and then, a little later, in Windows Me. Many people understand how convenient it is to use flash drives now and remember how before we all suffered with unreliable diskettes and impractical optical disks.


    The author of these lines around 2004 was the happiest owner of a nice 128-megabyte media in a fashionable case with a metal insert. He was my faithful companion and keeper of valuable information for me for many years, until I finally lost it along with a bunch of keys to which he was attached.


    And, it would seem, the loss of keys is a fairly ordinary event, which probably happened to everyone, but it made me urgently change all the locks in the house.


    The thing is that in the wilds of the file system of my flash drive lay scans of my passport, just in case (who knows when passport scans can come in handy?). And in combination with the real keys to a real apartment, the registration data turns into an attractive opportunity even for those people who earlier might not even have thought about apartment thefts.


    What did this incident teach me?


    First of all, take care of your things more carefully, and secondly, that any information that can be used even to some extent to the detriment of you should be protected.


    What can flash drives offer in terms of protection?


    The first, most obvious option, flash drives with hardware protection and without external software control, they usually have a keyboard on the case - everything seems to be nice in them, but they cost most of them absolutely wild money, maybe due to their low seriality, or maybe and the greed of sellers. Obviously, due to the high cost, they did not find much distribution.


    The second option is a hinged software protection for a regular flash drive.


    There are many options (you can easily google them), but they all have a clear plus in the form of almost zero cost and inevitable limitations associated with the need to install special software on a computer. But the main minus of the outboard protection is its weakness.


    What is the weakness, you ask.


    But the fact is that any disk encryption program uses the sequence obtained by a special algorithm, for example PBKDF, from the password that you will use to unlock it as an encryption key. And something tells me that it is unlikely that the password, which will often have to be typed, will be long and complicated.


    And if the password is short and simple, then selecting it from the dictionary will not be so difficult.


    An attacker, having captured your encrypted flash drive even for a short time, can copy a cryptocontainer from it. You will think that the data is still safe. But in fact, all this time, someone intensively picks up the key to your container and every minute comes closer to his goal.


    Therefore, if you are not an enemy to yourself, then the password should be “strong”. But since then you will have to type the same “persistent” password many times - this starts to contradict the statement on the previous line.


    What to do - you ask.


    Is it possible to put hardware protection between the protected flash memory and the computer so that it is convenient, reliable and more or less accessible? So that at least you could do without a monster case with hardware buttons.


    It turns out, yes, you can, if you are a Russian manufacturer of electronic signature devices (tokens and smart cards).


    A safe flash drive still exists


    In Rutoken EDS 2.0 Flash devices, flash memory is connected through a special secure controller, the firmware of which, the Rutoken card operating system, is completely developed by the specialists of the Active company (the Rutoken card OS is in the registry of the domestic software of the Ministry of Communications).




    A special control module is built into this firmware, which controls the data streams entering and leaving the USB flash drive.


    And since there has been a functionality in the Rootoken card operating system for centuries that provides access to cryptographic keys of electronic signature by PIN codes, we implemented in it a kind of “gate” that can be opened, closed or opened in a one-way mode (for example, only for reading). This valve is precisely controlled by a PIN code. Without knowing it, this valve cannot be turned.


    Now imagine that such a valve is in the “closed” position by default. And to open it, you need to present a PIN code that only you know. Moreover, the valve automatically closes when you remove the device from the computer. And the number of attempts to enter the wrong PIN code is strictly limited. Moreover, the device is protected from physical hacking and removing flash cards.


    It turns out quite safe, reliable and convenient system. We implemented it in the form of a small management program called “Rutoken Disk”.


    The flash memory of the Rutoken EDS 2.0 device, on which the “Rutoken Disk” works, is divided into 2 areas: one service, for the emulating CD-ROM partition with the control program; the second is for user data.


    When you connect such a device to a computer, you will see two physical disks. The CD-ROM section is immediately readable and automatically mounted, and a nice window also pops up on Windows operating systems.





    The protected section looks like a memory card reader, but without a card inserted in it, there is no access to data.


    However, by launching the application and entering a simple PIN code, you instantly get access to your files.









    The token itself has been sold for many years and the possibility of implementing a protected flash drive in it was originally. The Rootoken application has been downloaded to the token for organizing secure access. Disk.

    Instead of a resume:


    If you trust your information to a regular flash drive, store it like the apple of an eye. In the case of Rutoken EDS 2.0 Flash and Rutoken.Disk, one can be much calmer for the confidentiality of their data. Although it’s never worth it to completely relax.


    I will answer in advance some questions that someone will surely have:


    • GUI for macOS and linux - will be.
    • The ability to open a protected section in read-only mode so that you can safely insert a USB flash drive into the most unpredictable places will be.
    • There will be a button for safely extracting the section so as not to poke the mouse into the tray.

    Leave the remaining questions, suggestions and comments in the comments - we will try to answer all questions.



    Tags:

    Also popular now: