Recently I came across an article that spoke to an idea that i had back in 1996 when I envisioned a personal device that allowed the consumer to merge their leather wallet, Filofax, mobile phone, walkman and PDA into a single light weight device.
The author of this article talks to the need to create a secure mechanism to authenticate, identify and as appropriate verify that it is I. When we looked to smart cards that was what we where looking to do and the SIM that is inserted into a GSM capable mobile phone is able to offer the security that Kurt Marko seeks.
Has the time come to move forward with my dream?
That was part of the dream that drove the creation of EMV.
Personal Portable Security Devices
Are Pocket-Sized, All-In-One Security Devices Ready For Prime Time?
USB thumb drives have become the sneakernet’s backbone, the result of plummeting prices and burgeoning capacities for flash memory. These tiny wonders are spacious enough to store an OS installation with room to spare for user data; however, they are also inherently insecure. Although vendors have addressed this shortcoming with drives incorporating hardware encryption chips, these haven’t yet achieved mass acceptance. Small USB devices have also become a common vehicle for delivering secure, two-factor user authentication.
Wouldn’t it be nice if secure storage and authentication features were combined into a compact Swiss Army knife of security? A relatively new class of products, PPSDs (personal portable security devices) “combine the flash storage of universal serial bus thumb drives with the access control and secure storage capabilities of the smart card,” says Burton Group Senior Analyst Mark Diodati. “PPSDs leverage the USB form factor, use hardware cryptographic processing to provide smart card and one-time password device services, have secure storage capabilities, and reside in a tamper-resistant container.”
The real security magic comes from the synergistic integration of the two sets of capabilities; for example, users cannot access the flash memory without first providing strong authentication. Diodati adds, “The PPSD overcomes two issue— the limited storage capability of smart cards and the relative insecurity of USB flash drives. Larry Hamid, CTO of MXI Security, says the combination allows “a device that serves multiple security functions.”
Furthering the theme of convergence, PPSDs also incorporate several strong authentication technologies. Like traditional USB tokens, PPSDs embed a certificate-based smart card in hardware; however, they add a software-based OTP (one-time password) generator. Unlike SecurID tokens, most PPSDs don’t sport a display; thus, to generate and view the password, users must plug into a PC’s USB port and run an embedded application. This makes PPSDs problematic for use on public kiosk PCs where the ports are usually disabled. Like USB security tokens or smart cards, PPSDs can hold any number of certificate-based credentials for Windows login or PKI (public key infrastructure).
PPSDs pair their strong authentication features with gigabytes of flash storage. Hardware-based encryption is accomplished via a symmetric algorithm such as AES, and, while standard USB flash drives can be encrypted with software, they are arguably less secure. In addition, PPSDs are tamper-resistant because they use their internal smart card to store encryption keys and an embedded chip to execute the encryption. Some PPSDs also support biometric authentication via an integrated fingerprint reader for added security.
Advantages & Usage Scenarios
Like plain-vanilla flash drives, PPSDs have benefitted from dramatic increases in flash memory density and are available in capacities from 1 to 16GB. Such abundant storage enables some intriguing applications, according to Diodati. He sees PPSDs as an ideal way to protect mobile professionals via solutions such as hosting a complete virtual desktop OS, “hardened” business applications, Web browsers, or SSO (single sign-on) systems.
For example, using software, users can carry a fully customized Windows Desktop environment on a USB stick. Similarly, some let users install and run individual applications directly from a USB drive while leaving no traces behind on the host PC. PPSDs enhance these portable application environments by running them within a much more secure framework.
PPSDs look like the perfect security multitool, so what’s not to like? Unfortunately, according to Diodati, “the functionality of the PPSD comes with a price.” He explains that extensive processes are required to initialize devices for a particular organization, customize and personalize them for users, and bind their security credentials to internal directories. Although vendors provide administrative tools to automate these tasks, Diodati notes these often aren’t the end of the story. “Additionally, a smart card management system is required for most deployments, adding to the cost of the PPSD deployment.”
Cost vs. Alternatives
Aside from the administrative overhead and costs of ancillary software such as a CMS and OTP system, PPSDs themselves aren’t cheap. For instance, 2GB devices run around $150 with 4GB devices pushing $200. Compare that to a 4GB flash drive bundled with software encryption for less than $30, and it’s tough to justify the PPSD’s six-to-one price disadvantage if all one needs is secure storage.
The mobility of today’s workforce opens enterprises up to more security risks, according to Hamid. “You either have to compromise security [or] compromise functionality.” He sees PPSDs as a technology that can make security simpler, more portable, and less burdensome. Hamid believes carrying applications or entire desktop environments on a secure PPSD could emerge as an important new security model for mobile users.
Diodati is equally enthusiastic about the market potential of PPSDs but believes they need further development. “While the PPSD has the opportunity to be a stronger authentication market disruptor, the price must come down.” He’s also concerned about the complexity of PPSD deployment. “The orchestration of smart card management systems, key management/recovery, Active Directory, and PKI will remain a daunting task for most enterprises in the foreseeable future.” Hamid agrees that costs are a problem but promises new product lines “with drastically reduced pricing.”
Although the integration of strong authentication credentials and copious encrypted storage in a key fob-sized device promises to enhance and simplify mobile security while giving new meaning to the notion of a “mobile desktop,” the nascent state of PPSD technology means that it’s more appropriate for evaluation and prototyping than large-scale deployment. As hardware costs continue to plummet and management software matures, PPSDs could revolutionize the mobile security landscape.
by Kurt Marko