Both Kingston Technologies and IronKey this week announced new models of their USB flash drives, as well as a security certification that clears them for use by US and Canadian government agencies in accordance with the Federal Information Processing Standard 140-2 Level 2.
Kingston announced its new DataTraveler BlackBox USB drive, which uses 256-bit hardware-based AES encryption. IronKey announced an enterprise-class version of its drive, which uses 128-bit hardware-based AES encryption.
Neither 256-bit nor 128-bit AES encryption methods have been broken, nor will they likely be any time soon, experts say.
IronKey's enterprise drive allows central password management and allows admins to define what software runs on the drives, password strength, as well as how many failed log-ins occur before users are permanently locked out of devices. Admins can also control whether end users can perform their own password recovery through authentication questions, which Jevans said is useful for non-technical employees who use flash drive infrequently.
Charles Kolodgy, research director for secure content and threat management products at IDC, said FIPS 140-2 reviews ensure device designs and encryption methods have been performed correctly. "That's the first step ... to validate that the encryption works as advertised," he said.
FIPS (Federal Information Processing Standard) was developed by the US National Institute of Standards and Technology for use by government agencies and their government contractors, but not necessarily by the military, which often requires even higher security standards.
Security technologist and author Bruce Schneier, however, sees security certifications as nothing more than appearances, saying that security is a "lemons" market and the only way you can really guarantee your data will be safe on any given device is by shelling out thousands of dollars for an engineering study.
"It's all about signals, and certifications is one way a seller signals to a buyer that his products are good," Schneier said. "It has nothing to do with whether or not the certification is a good idea or not; it's all about marketing."
Dave Jevans, CEO of IronKey, said getting the IronKey drive FIPS certified took about eight months and required visits by government evaluators who tested the product.
"Effectively, they validate that your encryption algorithms are correct. Then they validate more complicated things like your overall system design," he said.
AES is the successor to the older DES (Data Encryption Standard) and is used by the US government for encrypting secret-level and top-secret-level documents, using the 128-bit and 256-bit strengths respectively.
Both drives use hardware-based encryption, which Kolodgy has said is more secure because in software-based encryption, the keys are placed in the device's memory, so a hacker will know where to look for the keys by their unique format and can target those keys for a brute-force attack.