 |
| [Picture from www.hiddn.no] |
A representative from High Density Devices (HDD) participated at Passwords^10, and after that I've been talking to them from time to time. Especially their marketing manager Tormod Fjellgård has been very forthcoming, and granted me the chance to do a review of 2 of their crypto adapters. This is my first review of their USB crypto adapter, and I've warned Tormod that I just might have some critical comments for them. So here we go:
The adapter comes in a small box, here's a picture of the contents:
Here you can see the crypto adapter itself, USB cable with optional 1xUSB connector for more power, a small paper manual, primary and backup user chip card, a zeroing card and a small piece of paper with PIN, PUK and instructions.
 |
| [Sorry for blurring the PIN & PUK codes there.. Bad habit. :-)] |
For my testing I used my own Windows 7 x64 system, standard USB 2.0 ports, a Kingston DataTraveler G3 8GB usb stick, and a LaCie 250GB external USB2 disk. 8 files of equal size, for a total of 3GB were copied to the external device, with and without using the crypto adapter.
Now I won't do this review plastered with screenshots of performance numbers from PCmark, Atto or other benchmark tools. I'm interested in the security as well as usability of the product. Although performance is nice, security can sometimes be of preference over performance. :-)
First looks:
Military grade 90's style. Period. It's big, awkward buttons that you need to press rather hard, and certainly takes up space in any modern ultrabook bag. Simple manual, prints on smartcards clearly states their mission, PIN & PUK printed on the same small piece of paper - in the same box - part of the same shipment... Hmmm. Skeptical.
First looks:
Military grade 90's style. Period. It's big, awkward buttons that you need to press rather hard, and certainly takes up space in any modern ultrabook bag. Simple manual, prints on smartcards clearly states their mission, PIN & PUK printed on the same small piece of paper - in the same box - part of the same shipment... Hmmm. Skeptical.
Installation:
Easy. <1 minute, and you are ready to go. Connect, insert smartcard, type PIN and #, wait a few seconds. Insert Kingston G3, and Windows says a new device has been connected, but needs formatting first. Ok, so I did a quick format, finishing in a few seconds. Hm. I would say that in order to "securely" format any device, you should always to a "slow" format. Oh well, the data that will be saved with AES encryption, according to HDD.
Easy. <1 minute, and you are ready to go. Connect, insert smartcard, type PIN and #, wait a few seconds. Insert Kingston G3, and Windows says a new device has been connected, but needs formatting first. Ok, so I did a quick format, finishing in a few seconds. Hm. I would say that in order to "securely" format any device, you should always to a "slow" format. Oh well, the data that will be saved with AES encryption, according to HDD.
Usage:
I actually did try running Atto for disk benchmarking. It worked as expected without the adapter, but with the adapter the entire test crashed, and I had to reformat the G3. Not good - I wonder if it is a problem that can be recreated - say if you actually were to move a lot of small files back and forth and you end up with crash/reformat?
I actually did try running Atto for disk benchmarking. It worked as expected without the adapter, but with the adapter the entire test crashed, and I had to reformat the G3. Not good - I wonder if it is a problem that can be recreated - say if you actually were to move a lot of small files back and forth and you end up with crash/reformat?
I also tried connecting the LaCie disk, but no luck. Windows didn't see anything, and the disk didn't spin up. Too low power from the crypto adapters USB port? (Yes, I tried with both usb cables connected to my computer for the extra power...)
Performance:
Sorry, but I have to say this... Without the adapter, I get approximately 11,5MB/second write speed, using my 8 files totalling 3GB. With the adapter, write speed is down to approximately 7.6MB/second. Not that much in this setting, but my gut feeling says that the adapter doesn't perform much better with faster devices either? In that case I'm all Truecrypt or Bitlocker, putting my trust into my own passwords.
(Security) Usability:
Where to begin...
1) I can't change the 6-digit PIN or the 16-digit PUK.
I wonder how HDD generate the PINs and PUKs? Separate & isolated environment, true random generator, no people ever get to see the printed codes etc?
2) PIN & PUK printed on the same piece of paper inside the package.
3) Backup card, zeroing card, PIN and PUK "must be kept in a secure place". Uh. Yeah, I can do that. But I still need to bring the user card, and what if I forget my PIN or lose my user card while travelling?
4) Data encryption bound to chip + PIN. Data cannot be accessed by others without them.
5) The chip cards cannot be used for anything else and sticks out - why not just leave it in there permanently? (I've seen cut off chip cards inside card readers many times before)
6) Manual isn't really end-user friendly - unless you are a G33k of course.
The manual says that HDD offers a Key Management System, delivered as a dedicated workstation. I guess that system is just a bit more expensive than the adapter itself, and not something I would purchase for personal use anyway.
Summary:
I can hardly see this USB crypto adapter as part of any standard equipment for anyone travelling around with a laptop. It's just too ... bulky.
It's a "single user" product - but why would I use this at home or at the office for myself, when I have Bitlocker, Truecrypt and other similar technologies at hand? The alternatives offer better performance, multi-factor authentication, and at least (non-certified) compliance with a bunch of standards?
I'm sorry guys. It's a nice idea doing hardware encryption combined with multi-factor authentication, but the wrapping is all wrong. To me this USB adapter is costly, slow & bulky. I can't see how this can give me any better security than other cheaper or even free alternatives available. Go back to square 1 and start over.
--
Oh; and for the FIPS-140 and Common Criteria / Mordac fans out there - this product is for you. ;-)