Catalyst Conference 2008

May 02, 2008

Swiss Army Knife – The Personal Portable Security Device

Blogger: Mark Diodati

I’ve been working with smart cards for most of a decade, and there is a relatively new spin on the technology that merits discussion – the personal portable security device (PPSD).  It combines the USB smart card form factor and USB flash memory on a single platform.  Unlike older USB devices that carried both components but operated them independently, in a PPSD the smart card controls access to the flash memory.  The combination is of interest to enterprises and to the payment and mobile communication industries.  Vendors that offer PPSDs include Gemalto (Secure Enterprise Guardian) and MXI Security (Stealth MXP).  I tested Gemalto’s Secure Enterprise Guardian product.

The combination overcomes the major problem of each technology.  For smart cards, it’s limited storage: smart cards on their own can store a maximum of 256kb of data, while USB flash drives can hold up to 8 GB (though the Secure Enterprise Guardian’s current storage capacity is considerably smaller at 2 GB).  The problem with flash memory is security, which is lacking relative to the smart card.  The smart card locks itself after a specific number of invalid PIN attempts.  No diagnostic utility can bypass the PIN mechanism, and the smart card chip is physically tamper-resistant, more so than any other authenticator.  It’s a great way to provide device-level file encryption, because the card component generates and stores the symmetric encryption key, and that key never leaves the device.  No PIN, no symmetric key, no access to the encrypted files.  The PPSD typically also has a public area that functions like a traditional USB drive, so you can share files with other people without authenticating.
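The access model described above (PIN retry counter, key generated and held on the card, public area readable without a PIN) is easier to reason about as code. The following is an added example written for this post, not code from Gemalto or MXI Security: a plain Python model of the gating logic, with HMAC-SHA256 in counter mode standing in for the card's AES engine and a three-try limit, both constructed assumptions. A real device implements all of this inside the tamper-resistant chip; the model only shows which operations are possible in which state.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional


class CardLockedError(Exception):
    """The retry counter hit zero: the card key is gone and the private area is unreadable."""


class PpsdModel:
    """Software model of a PPSD's PIN-gated private area.

    The symmetric key is generated inside the model (standing in for the smart card chip)
    and is never returned to the caller; the host only ever asks the card to encrypt or
    decrypt on its behalf.
    """

    MAX_ATTEMPTS = 3   # constructed value; real cards are personalised with their own limit
    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, pin: str) -> None:
        self._key: Optional[bytes] = secrets.token_bytes(32)   # born on the card, never exported
        self._pin_salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin, self._pin_salt)    # PIN stored hashed, not in clear
        self.attempts_left = self.MAX_ATTEMPTS
        self._unlocked = False
        self.public_area: Dict[str, bytes] = {}     # ordinary USB-drive behaviour, no PIN needed
        self._private_area: Dict[str, bytes] = {}   # holds only nonce || ciphertext || tag

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)

    @property
    def locked(self) -> bool:
        return self.attempts_left == 0

    def verify_pin(self, pin: str) -> bool:
        """Check the PIN; a failure decrements the retry counter, and zero wipes the key."""
        if self.locked:
            raise CardLockedError("retry counter exhausted")
        candidate = self._hash_pin(pin, self._pin_salt)
        if hmac.compare_digest(candidate, self._pin_hash):
            self.attempts_left = self.MAX_ATTEMPTS   # a successful PIN resets the counter
            self._unlocked = True
            return True
        self.attempts_left -= 1
        self._unlocked = False
        if self.locked:
            self._key = None   # no PIN, no symmetric key, no access to the encrypted files
        return False

    def remove(self) -> None:
        """Unplugging ends the session; the next private-area operation needs the PIN again."""
        self._unlocked = False

    def _require_unlocked(self) -> None:
        if self.locked:
            raise CardLockedError("card is locked")
        if not self._unlocked:
            raise PermissionError("PIN not verified for this session")

    def _subkey(self, label: bytes) -> bytes:
        # Separate encryption and integrity keys derived from the on-card master key.
        return hmac.new(self._key, label, hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Toy stand-in for the card's AES engine: HMAC-SHA256 in counter mode, stdlib only.
        enc_key = self._subkey(b"enc")
        out = bytearray()
        block = 0
        while len(out) < length:
            out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
            block += 1
        return bytes(out[:length])

    def store_private(self, name: str, data: bytes) -> None:
        """Encrypt on the card and keep only nonce || ciphertext || tag in flash."""
        self._require_unlocked()
        nonce = os.urandom(self.NONCE_LEN)
        ciphertext = bytes(p ^ k for p, k in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self._subkey(b"mac"), nonce + ciphertext, hashlib.sha256).digest()
        self._private_area[name] = nonce + ciphertext + tag

    def read_private(self, name: str) -> bytes:
        """Verify the tag, then decrypt on the card; tampered flash contents are rejected."""
        self._require_unlocked()
        blob = self._private_area[name]
        nonce = blob[:self.NONCE_LEN]
        ciphertext = blob[self.NONCE_LEN:-self.TAG_LEN]
        tag = blob[-self.TAG_LEN:]
        expected = hmac.new(self._subkey(b"mac"), nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("private area contents have been tampered with")
        return bytes(c ^ k for c, k in zip(ciphertext, self._keystream(nonce, len(ciphertext))))
```

The design point is that the host never receives the key: it gets ciphertext back from `store_private` and plaintext back from `read_private`, and both calls fail closed unless the PIN was verified in the current session. Once the retry counter reaches zero the key is destroyed, so even the correct PIN no longer helps, which is exactly why a lost device with a locked card is a hardware loss rather than a data loss.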

The PPSD also supports traditional smart card/certificate functionality, so it supports Windows workstation logon, WiFi authentication, mutually authenticated SSL, S/MIME, and digital signatures.  The Gemalto PPSD also has a PKCS #11 interface that provides certificate functions for non-Microsoft applications (Firefox and some VPNs), as well as other operating systems (Linux and Mac OS).  Both the Gemalto and MXI Security PPSDs work with USB port control products, like Lumension’s Sanctuary Device Control.  One inherent limitation exists with PPSDs.  They don’t support physical-logical convergence initiatives, which almost always require the ISO 7816 (credit card sized) form factor. 

The Gemalto and MXI Security PPSDs also support one-time password (OTP) generation (the PPSD does not have an LCD, so the workstation is required to view the OTP).  Gemalto’s OTP generation is OATH-based, and MXI Security's OTP generation is RSA SecurID compatible (which provides broader platform support).  The combination of OTP and certificate capability provides the broadest application support for a stronger authenticator.  The Stealth MXP product also provides biometric authentication.
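OATH's event-based algorithm is HOTP (RFC 4226). The block below is an added example, not Gemalto's firmware or MXI Security's code: it implements HOTP from the RFC, models the two halves of the exchange (the token that owns the secret and counter, and the validator that checks the code), and uses the RFC 4226 test secret so the values can be checked against the published vectors. The look-ahead window of 10 and the replay rule are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpDevice:
    """Token side: the shared secret and the event counter never leave the device; only
    the six-digit code does, which is what the workstation displays for the user."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def next_otp(self) -> str:
        otp = hotp(self._secret, self._counter)
        self._counter += 1      # every button press consumes a counter value
        return otp


class OtpValidator:
    """Server side: a look-ahead window tolerates codes the user generated but never
    submitted; accepting a code moves the counter past it so it cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 10) -> None:
        self._secret = secret
        self._counter = 0       # next counter value the server expects
        self._window = window

    def validate(self, otp: str) -> bool:
        for candidate in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, candidate), otp):
                self._counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
    shared = b"12345678901234567890"
    token, server = OtpDevice(shared), OtpValidator(shared)
    print("counter 0 ->", hotp(shared, 0))                   # 755224 per the RFC vectors
    print("accepted:", server.validate(token.next_otp()))
```

Two behaviours matter for deployment. The validator only ever searches forward from the last accepted counter, so a code that was already used, or one the user skipped past, is rejected even though the device would have produced it. And the window bounds how far the device counter may drift ahead of the server before the user needs a resynchronisation; a larger window is friendlier but gives a guessed code more chances to match.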

The Secure Enterprise Guardian was immediately recognized by my Windows XP machine.  The device supports the CCID USB smart card specification, so the installation of the CCID driver was automatic via Windows Update.  Gemalto has worked with Microsoft since the release of Windows 2000 to embed its Cryptographic Service Providers (CSPs), so they are present in the operating system.  A couple of mouse clicks and I was up and running.  Net result: this is the closest to a zero software deployment model for smart cards I’ve experienced.  When installing the Secure Enterprise Guardian, I was running with administrative privilege, and installation results on a typical enterprise workstation may vary.  Windows Vista deployments are simpler as the CCID driver is already present.

The device becomes a mobile, secure storage container for both applications and sensitive data.  There’s some intriguing functionality that I have not tested yet.  I’m interested to see how PPSDs work with workstation virtualization products (e.g., VMWare ACE or MojoPac).  Some use cases include:

  • “Secure” browser (e.g., limited functionality and trusted root list) with mutually authenticated SSL.  This combination is already productized by MXI for consumer authentication usage.  It should be noted that hardware-based authentication is not currently acceptable to U.S. financial institutions and their retail banking consumers.
  • Storage of confidential data, along with the application necessary to access it.
  • Microsoft PowerPoint presentations, along with the PowerPoint software.
  • S/MIME with Outlook Express or Mozilla Thunderbird and the certificates stored on the smart card.
  • Enterprise SSO application and associated SSO credentials.

I’m not glossing over the complexity of smart card and file encryption across the enterprise.  The authenticator is part of a larger orchestration of smart card management systems, PKI, and key management.  Additionally, organizations should consider USB data port security white lists to limit the devices that can be installed on workstations.  But so much of stronger authentication is about user acceptance.  The PPSD provides the USB mobile storage form factor that users need, so its authentication and data protection capabilities make it a useful Swiss Army Knife.
