Verified, Certified, Trusted Security Building Blocks – DATASHUR SD Evaluation

By   Professor John Walker
Visiting Professor , Trent University (NTU) | Jan 14, 2022 01:13 pm PST

Prior to the Christmas festivities, I got may hands on a pair of the latest encrypted key solution to come out of the iStorage stable – enter the DATASHUR SD, supplied with a pair of iStorage branded 128 GB, and a 256 GB SDXC cards. Thus, I subjected said items to a review and evaluation over the holiday period – but first, how do I know the supplier?

I first became aware of iStorage when I was commissioned to assist them go through the NCSC (GCHQ) independents security evaluation process, with the objective to have a selection of their products listed under the CPA (Commercial Product Assurance) approved list – for those who are unaware of the CPA programme, the following provides a verbatim high-level description lifted directly from the NCSC Web site:

‘The Commercial Product Assurance was set up to help companies demonstrate that the security functions of their products met defined NCSC standards (known as Security Characteristics). The NCSC uses Assured Service Providers to conduct product testing and assessment’

This scheme is an arduous and costly process which under the submitted scope (criteria), tests and evaluates every feature of the submitted device to assure it (they) do just what it says on the tin – in other words, the claims around the product performance, and in this case, security can be relied upon, and are thus, in my own words Verified Security Budling Blocks which may be Trusted.

An example of the CPA Key Stage evaluation process is shown below at Fig 1 below:

Fig 1 – NCSC CPA Evaluation Process Stages

image 166

For more information of the outline of the NCSC CPA process, please see the URL below:

Under the NCSC CPA scheme, iStorage are a listed vendor who have attained government certifications for a range of PIN authenticated, hardware encrypted, HDDs and SSD’s, which include:

  • FIPS 140-2 Level 2/3
  • NATO Restricted leve

In addition to the above certifications, the most secure and highest capacity encrypted USB flash drives have also been certified to FIPS 140-2/3. See the following URL:

However, as I outlined in a Webinar in 2021, when a user, or organisation are seeking to place their trust in a security product – in this case, and in particular an encryption solution, one may wish to also look to the matter of Defence-in-Depth. Here, in the case of this range of Certified products, you may also notice that they are also designed to comply with the mandated expectations of FIPS-140-2/3 Standards, which again underpin the expectations of what are Verified Security Building Blocks to deliver to the end-purpose security expectations of Trustin the product security and performance.

In the case of the DATASHUR SD which is the subject of the evaluation, the following provides a quick overview of the specification:

  • Common Criteria EAL5+ (Hardware Certified) secure microprocessor
  • AES-XTS 256-bit Hardware Encryption
  • Capacities of 32/64/128/256/512GB – 1TB
  • USB 3.2 Gen 1 SuperSpeed – Type C
  • FIPS 140-3 Level 3 (pending)

With my own independent evaluation of the product, I started at the very basic level with the mode of delivery, and physical security aspects which seek to provision security from the very start by delivering a security solution which is securely sealed by a tamperproof seal – See Fig 2 below:

Fig 2 – Tamperproof Security Seal

image 165

So, what’s in the box. At Fig 3 below, you can see the contents at time of opening the sealed package, which included:

  • 2 x DATASHUR SD Keys
  • 2 x USB C Adapters
  • 1 x 256GB iStorage branded SDXC
  • 1 x 128 iStorage branded SDXC
  • 1 x Printed User Manual
  • 1 x Product Registration/Licence Card

Note 1: The Secure Digital Extended Capacity (SDXC) card is a very small flash memory card that has greater storage capacity than the original SD (Secure Digital) memory cards which make it highly suited to the task of securing volumes of data.

Fig 3 – What’s in the Box?

image 164

The first thing to observe when handling the DATASHUR SD drive is the quality and durability of the physical build – and noticing the seal between the keys-outer casing, and the protected internal components led me to the kitchen sink to, well sink test the device in a bowel of H2o – that’s water to you and me. After leaving the said device submerged for around 10 minutes, I returned to collect it from the watery depths – wiped the outer case with a paper towel, and removed the hopefully protected key – it was dry as a bone, and so ready for the next phase of testing.

Setting up this secure key was child’s play, and within a few minutes both keys were formatted and fully operational. I then created several folders and populated the drive with data. The next phase was to see how thy operated on different operating systems, the first being an iMac running under macOS Monterey 12.1, the second being a WindowsÔ11 install, updated to KB 5008215 (OS Build 22000.376) running under a Mac Parallels virtualised environment – in both cases, loading and access was lightening quick and stable via the USB C interface.

The security level of the required Pin must be at least 8 digits, and a maximum of 64 digits (if you use the maximum of course, you must promise not to write it down J).

Note 2: Now remembering that we are running under AES 256 on the key within its hardware-based microprocessor, we are secure in the knowledge that our data is sitting in a virtualised Fort Knox container which is virtually impenetrable using brute-force methods. While the old style 56-bit DES key can be cracked in less than a day, AES would take billions of years to break using current computing technology. The only weakness that may be introduced to an unbreakable vault is born out of human weakness, and the way in which the required level of security management is carried out, thus, all the basics apply, with strong passwords, and of course all the other usual stuff around password management and use – you have been warned of the factor of Human Frailty.

Brute Force: What about conducting a physical attack to gain access to the on-board data – don’t even go there. I have already conducted this style of attack on several other iStorage keys, and the results have always been the same – failed access, and a brave little trashed device traveling toward the bin, taking its undisclosed secrets to the Digital Grave remembering here, it is bult to the FIPS standards.

DATASHUR SD – The Collaborative Security Solution: What makes the new DATASHUR SD drive so unique is its ability through the KeyWriter application (see below) to allow cross-secure access to the secured data within a team environment without the need to share passwords (pins) or to compromise the basic tenants of security/policies – making it a truly secure method for team in-house, or remote collaboration which requires access to secured data, and as such providing a solution to both small, medium and corporate teams who require such a robust and secure methodology.

KeyWriter: The patented iStorage DATASHUR SD KeyWriter software clones DATASHUR SDXC flash drives with the same encrypted, encryption key enabling a secondary drive as a backup. In this way,  organisations may also share encrypted iStorage microSDXC Cards with as many authorised users of cloned DATASHUR SD drives as required, without compromising on data security or organisational security policies – making this an ideal secure tool for collaboration.

Why Bother to Encrypt: I am aware that there may still be those who would ask, why bother to encrypt data objects, as they are already secured under the local storage log on controls of say Windows under a User ID and associated strong password – right? Wrong – to gain access to such, considered secure assets it is a simple matter of removing the drive, and plugging it into a USB connected device, such as a USB3.0 TO IDE/SATA interface which is then connected to a PC/Laptop, and as if by magic, those secured assets will be displayed to the unauthorised party – trust me on this, though my work I have done, and demonstrated this well known security flaw on may occasions.

User Cases: When considering some of the known-known user cases I have encountered in recent years, ranging though the SME Communities, Commercials though to Charitable institutions, and other social groups such as the Woman’s Institute and the Rotary who are storing and processing data under the mandated expectations of that good-old security instrument known as GDPR. Whilst many of these user types, in most cases have a GDPR Policy, sadly in the latter two cases they seem to be unaware that by storing the user details on an unprotected laptop they are not compliant with the security expectations of said GDPR. This shortfall I have noticed also spreads over many of those residing in the SME tier – again, who are seemingly happy to wing it, and save a small investment into security technology in the knowledge that the potential fine significantly outweighs the tiny investment required to comply – it is simply astonishing that there are still many in this current insecure digital world who are willing to run the risk!

Conclusion: Considering the world, which is now suffering daily cyber-insecurity events, with the added expectations of sharp-toothed, mandated security legislations such as GDPR, and the new CCPA (California Consumer Privacy Act), there are very few hiding-holes left for those who run insecure to take cover in when that brown stuff hits that big fan. On the upside of course, with cost effective security solutions such as DATASHUR SD, and as a matter of personal choice my favourite encryption solution in the form of a DISKASHUR M2 drive, which all represent High Grade Certified, Trusted Security Building Blocks which are in the reach of all users, from personal use, right up to those within the big-name commercial sector. It may be that some have never been hacked, or had data exposed or compromised by a Ransomware attack, and if that is the case, as a line from the Olivia Rodrigo recording ‘Good 4 You’ says ‘your apathy is like a wound in salt’ – but remember, if some are willing to take the risk and run the gauntlet against the potential impact, then they must accept the consequences when the inevitable happens – if you do spill your milk, don’t cry, as help was, and is at hand in the form of cost effective Verified, Certified, Trusted Security Building Blocks.