IronKey a joke ! Lets put it to the test!

[Greedo011]

Been testing Ironkeys for a while. We have just the standard which is good enough for the man or women on the street the New Enterprise version is more controlled and you can created policys with the master ironkey where as your ironkey that you handout will just be like a normal usb device but with encryption and you can control from a management point of view. Tie this in with Securwave and you have a really good platform that is secure.

Rock a doodle doo

[don]

Since the title of this thread reads:

"Lets put it to the test!"

We'll do just that. We have been in touch with IronKey, and they are sending us some product to test. This review has been given to our newest columnist, Mike Murray. Mike is the former head of Neohapsis Labs, so I figure it was a great fit.

No ETA yet, but we'll keep you posted.

Don

PS - Dave from IronKey: Feel free to PM me regarding this review.

[jason]

Did anything ever come of this Don? Or did I just miss it going by?

We have been in touch with IronKey, and they are sending us some product to test.

[virtronic]

Been using a couple of IronKeys for a while.  I think they're great.  Glad to hear from you guys that there's Linux support now.  Been using it on the the MS and Mac boxes ok. I like the idea that only you {and the NSA} can get to your data.

[Dave_IronKey]

Glad you like them Virtronic.  I've met with numerous people in the IA group at NSA, and I still don't see how they are going to be able to get your data :-)  They are engaging in a more detailed review to get to a level of validation that's even stronger than our current FIPS 140-2 Level 2.

Have you guys checked out the latest release of the IronKey Enterprise version, which includes a suite of anti-malware capabilities?

Dave

[twisted_monkey]

1) An IK is only secure "at rest" - i.e. when not plugged into and authenticated on a host. Data is passed in clear across the host USB bus *then* encrypted by the IK.

2) Each IK has a unique serial number etched onto it. No serial number, no key-escrow. Although diagnostic (IK Support) probing of ROM would likely reveal serial number anyway.

3) The length of time taken to user-initialize a new IK is very quick. Does anyone remember how long PGP used to take to generate key-pairs on a host with a substantially faster CPU? It is probable therefore that Key-Pairs are likely installed post assembly. See point (2) above.

4) The Identity Manager (updated) is very good, but auto-archives all info to the "secure IK vaults". This option cannot be disabled it seems. How secure are the vaults?

Overall a very, very useable product. I've implemented IK's both corporately and recommend them privately; for the money and overall security they provided they're as good as anything else out there.

If an IK is used to store anything that becomes of interest to the State, then none of the points raised above become relevant. Google "Camp Delta/Xray".

If one deems the Risk, Probability and Impact of any data/information interception high enough, then ensuring that the host any IK is plugged into is "secure" is essential.

My suggestion:

1) Use VMware to create a VM machine, preferably Linux. Clone it.
2) Install/use Truecrypt within the VM clone to create container file as secure as desired. Use multiple key files, stored on a secondary USB device, in addition to a *lengthy* password. Fill container with "data". www.truecrypt.org
3) Move Truecrypt container to IK. Data is thus encrypted *before* it hits the host USB bus.
4) Shutdown VM clone. Securely Wipe Clone from disk.
5) Start over.

Admin heavy yes, but prevents as best as possible key-recovery and interception of clear data crossing the USB bus to the IK. Even if the target Host/IK become compromised (within reason) data is still held securely within (potentially) the now quadruply encrypted Truecrypt container.

Effort Expended = Results Gained.

IMHO

TM

[ravenmsb]

Bruce Scheier hacked the ironkey with little effort over a year ago stating that the  Deniable File Systems that it uses are actually easier to hack than regular encryption methods.

The average Joe can't hack it but as with any technology it's manageable.

[Andrew Waite]

ravenmsb,

that's not something I was aware of, can you provide a link for further reference?

[keyster]

IronKey has never been hacked, not by Bruce nor anyone else and many have tried.

I think ravensmb has confused the vulnerabilities that Schneier found with DFS and TrueCrypt a year ago. Last June,  Bruce said Deniable File Systems are actually easier to hack than encryption.  IronKey’s encryption is validated at Level 3 of FIPS 140-2.

See http://www.schneier.com/paper-truecrypt-dfs.pdf  or http://blog.ironkey.com/?m=200807  for details. 

[Diluted]

I am the IronKey administrator here at my office.  We are using the Enterprise service, and so far we are very happy with the service and devices.

I have not had the chance to disassemble one or use the Silver Bullet service yet, but the policy definitions are useful and easy to use, and the comfort of knowing that our data is safe even if someone loses the device is great. 

Additionally, if someone leaves or is identified as having stolen data and placed it on a managed key, the ability to stop that person from unlocking the key is useful as well.

Anyone have questions about the Enterprise control panel?

[nonamegsm]

Hi , I have banned/locked but not stealed or so key and decided to disasemble it and make some tests. I have found only this topic about reversing digging this product , if posting to the end of this topic are wrong idea i will start new one ;-) So my discovery are begin from removing one of aluminium sides if key and using some cheap chemicals to remove glue inside key.

[Jamie.R]

This is really interesting topic it look like they also working on a secure app that should be released soon.

@don did EH every get their ironkeys was a review done ?

[don]

Ooh... that was 3 years ago! We gave away 20 IronKeys:

http://www.ethicalhacker.net/content/view/280/8/

and Mike Murray did a review:

http://www.ethicalhacker.net/content/view/259/24/

Don

[Jamie.R]

I must have been taped in a cupboard somewhere.

thanks