IronKey a joke ! Lets put it to the test!

Viewing 28 reply threads
  • Author
    Posts
    • #2330
      cyeudoxus
      Participant

      Does anyone have one or would like to buy one so we can put it to the test. Flashy video on the site, good advertising https://www.ironkey.com/
      😮

      Take a look let me know what you think… I do like the part where the AES, cyrpochip w/self destruct to kill the keys ;D For $149.00 for the 4GB I better be able to run it over with a bull dozer and have still be working!

      -cy

    • #17408
      Kev
      Participant

      If it really does everything it claims, I would say it looks nice. Maybe I might get one and play with it.

    • #17409
      Bogwitch
      Participant

      I’ve got a free sample of the Ironkey, it is quite nice.
      Nice tactile feel, solid metal case. The chap I spoke to made some bold claims about it working after being submerged for 24 hours, once dried off but as the internals are epoxy coated, no big suprise.
      Apparently, youtube has a video of one being run over by a bobcat and working afterwards.
      It is supported under XP, Vista and MacOS, so saddos like me that stick to Linux and Win2k are out of luck. I have tested in on the wife’s laptop and it does what it says on the tin.
      There is, apparently, a management verison coming out. This should give to sysadmin the opportunity to set the number of times a password can be attempted before the key is fried. I asked if frying could be avoided completely but the salesman didn’t seem to know.
      I also visited Sandisk with the same requirements. The sandisk stick seems to be reasonably good, too.
      While it is in no way ruggedised like the ironkey it has the benefit (?) of not frying itself. Again, there are two versions, the managed and the unamanaged. Both can be set to block access after ‘n’ attempts, the managed one will be subsequently recoverable, the unmanaged one will need to be reformatted but is not bricked.
      The Sandisk is supported under Win2k, XP and Vista.

      The Ironkey and the Sandisk both claim FIPS 140-2. Unfortunately, neither are going through the process of CAPS approval (UK Govt.) For the Sandisk, there is a different version for the FIPS which has an epoxy coating over the crypto chip to prevent analysis attacks.

      Both are big (physically) compared to their unencrypted counterparts, about the size of a standard disposable lighter.

      The only other difference is that the Ironkey is 128 bit AES and the Sandisk is 256 bit AES.

      One thing that bothers me about both devices is that you are stuck with using the key material that the crypto chip holds. I would like to see a device that allows the crypto manager to reprogram the key with a key that they have generated. The reason for this is twofold. If, as with the Ironkey, the key is fried, the data can still be retrieved. Second, and this is the paranoid in me, if the crypto is added by the manufacturer, would they not keep a record of the key, therefore enabling them to retrieve data should the key find it’s way back to them?

      [Edited for poor typing]

    • #17410
      RoleReversal
      Participant

      Bogwitch,

      nice write up and comparison. I agree that user generated crypto keys would be nice, but it is likely just the paranoia that the manufacturer would be interested in checking all returned devices. However, if the key found it’s way into mainstream then thats another story.

      I’m not sure I like the idea ‘bricking’ the device after ‘x’ failed attempts, seen too many users looking themselves out of wind0ze, might keep that feature for techies only.

      I’d be slightly wary of any manufacturer claiming a standard that it is not going to try and achieve officially. This could be a huge selling factor in the UK after the recent ‘lost’ CD screw-ups…..

    • #17411
      zedcuk
      Participant

      Anyone checked out MXI Security’s devices?  Stealth MXP (Biometric) and passport (non biometric) they seem to offer everything the other two do (AES256 built from the ground up like Ironkey, FIPS for over a year, management software, data destruction option) yet im not seeing them being mentioned anywhere were people are looking at secure USB devices.

    • #17412
      RoleReversal
      Participant

      Zedcuk,

      welcome and thanks for the pointer. I hadn’t come across them before, just checked the site and they look promising, guess I’ve found something to do on my lunch break 🙂

    • #17413
      Bogwitch
      Participant

      Zedcuk,

      Have you had a chance to play with one of these? If so, what did you think?

      Quick update for the Sandisk, disappointing, the password requirement is 3 of the four character sets, length 6-16 characters. If we assume a charater set consisting of 76 characters, this gives us an entropy of 6.25 bits. 6.25*16 gives us 100 bits. Pretty much makes the 256 bit encryption redundant, doesn’t it!

    • #17414
      jason
      Participant

      I see these sorts of devices crop up from time to time, often swiftly followed by a showstopper of a vulnerability. It often seems like you would be better off with a generic USB drive and TrueCrypt.

    • #17415
      dalepearson
      Participant

      I also got a sample IronKey a few months ago when we were doing some different reviews on secure media solutions.

      Personally I think its a good device, I like the way it can store its own secure programs, and also provide a method for surfing in a secure manner with what they call the “Secure Sessions Service”.

      The most important bit, they look swish too  ;D
      Seriously though, as said, it does what it says on the tin, great for personal and enterprise usage. Like most things in the IT and Security marketplace, everyone is doing everything. So if your accident prown, and often fall over in puddles, the IronKey is the one for you.

    • #17416
      jason
      Participant

      Looks like they’ve now added support for Linux as well

      https://forum.ironkey.com/showthread.php?t=976

    • #17417
      Dave_IronKey
      Participant

      Thanks everyone for a good discussion.

      The IronKey Enterprise edition has also recently been released. It allows enterprise administrators to recover locked devices, to customize the password strength and self-destruct policies, to manage devices centrally, and to configure which software applications are available on the devices.

      One difference between the IronKey AES encryption and that of others like SanDisk is that IronKey uses the correct mode of AES for large block encryption – cipher-block chaining (CBC).  SanDisk uses Electronic Code Book (ECB) which is not designed for blocks of data larger than about 32 bytes.  Here is a wikipedia entry that discusses the algorithmic differences and has some cool images to show the encryption differences.

      http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

    • #17418
      jason
      Participant

      Welcome Dave! Can you explain to us how the “self destruct” feature works? I’ve been somewhat curious about that, as my asbestos-pocketed pants collection is rather limited.

    • #17419
      Anonymous
      Participant

      @Dave_IronKey wrote:

      One difference between the IronKey AES encryption and that of others like SanDisk is that IronKey uses the correct mode of AES for large block encryption – cipher-block chaining (CBC).  SanDisk uses Electronic Code Book (ECB) which is not designed for blocks of data larger than about 32 bytes.  Here is a wikipedia entry that discusses the algorithmic differences and has some cool images to show the encryption differences.

      http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

      Do you have any numbers on the length of time and tools to actually crack that data via the different types of block cipher operations?  Does anything actually exists to brute force decrypt anything encrypted on an ironkey or something similar?

      If one takes 50 years and the other takes 100 years is there really much of a difference?  I understand that computing power grows…blah blah blah.

      For the average user how “lasting” is any data that would actually be stuck on a thumb, I guess that should drive anyones choices for encryption, not just USB sticks.

    • #17420
      billy786
      Participant

      It looks like a decent piece of kit but forking out $150 for it is abit too much 😉

      ;D

    • #17421
      jason
      Participant

      I’m tempted to get one. Then again if I got one, I’d REALLY want to take it apart and see what was in it.

    • #17422
      Greedo011
      Participant

      Been testing Ironkeys for a while. We have just the standard which is good enough for the man or women on the street the New Enterprise version is more controlled and you can created policys with the master ironkey where as your ironkey that you handout will just be like a normal usb device but with encryption and you can control from a management point of view. Tie this in with Securwave and you have a really good platform that is secure.

      Rock a doodle doo

    • #17423
      Don Donzal
      Keymaster

      Since the title of this thread reads:

      “Lets put it to the test!”

      We’ll do just that. We have been in touch with IronKey, and they are sending us some product to test. This review has been given to our newest columnist, Mike Murray. Mike is the former head of Neohapsis Labs, so I figure it was a great fit.

      No ETA yet, but we’ll keep you posted.

      Don

      PS – Dave from IronKey: Feel free to PM me regarding this review.

    • #17424
      jason
      Participant

      Did anything ever come of this Don? Or did I just miss it going by?

      @don wrote:

      We have been in touch with IronKey, and they are sending us some product to test.

    • #17425
      virtronic
      Participant

      Been using a couple of IronKeys for a while.  I think they’re great.  Glad to hear from you guys that there’s Linux support now.  Been using it on the the MS and Mac boxes ok. I like the idea that only you {and the NSA} can get to your data.

    • #17426
      Dave_IronKey
      Participant

      Glad you like them Virtronic.  I’ve met with numerous people in the IA group at NSA, and I still don’t see how they are going to be able to get your data 🙂  They are engaging in a more detailed review to get to a level of validation that’s even stronger than our current FIPS 140-2 Level 2.

      Have you guys checked out the latest release of the IronKey Enterprise version, which includes a suite of anti-malware capabilities?

      Dave

    • #17427
      twisted_monkey
      Participant

      1) An IK is only secure “at rest” – i.e. when not plugged into and authenticated on a host. Data is passed in clear across the host USB bus *then* encrypted by the IK.

      2) Each IK has a unique serial number etched onto it. No serial number, no key-escrow. Although diagnostic (IK Support) probing of ROM would likely reveal serial number anyway.

      3) The length of time taken to user-initialize a new IK is very quick. Does anyone remember how long PGP used to take to generate key-pairs on a host with a substantially faster CPU? It is probable therefore that Key-Pairs are likely installed post assembly. See point (2) above.

      4) The Identity Manager (updated) is very good, but auto-archives all info to the “secure IK vaults”. This option cannot be disabled it seems. How secure are the vaults?

      Overall a very, very useable product. I’ve implemented IK’s both corporately and recommend them privately; for the money and overall security they provided they’re as good as anything else out there.

      If an IK is used to store anything that becomes of interest to the State, then none of the points raised above become relevant. Google “Camp Delta/Xray”.

      If one deems the Risk, Probability and Impact of any data/information interception high enough, then ensuring that the host any IK is plugged into is “secure” is essential.

      My suggestion:

      1) Use VMware to create a VM machine, preferably Linux. Clone it.
      2) Install/use Truecrypt within the VM clone to create container file as secure as desired. Use multiple key files, stored on a secondary USB device, in addition to a *lengthy* password. Fill container with “data”. http://www.truecrypt.org
      3) Move Truecrypt container to IK. Data is thus encrypted *before* it hits the host USB bus.
      4) Shutdown VM clone. Securely Wipe Clone from disk.
      5) Start over.

      Admin heavy yes, but prevents as best as possible key-recovery and interception of clear data crossing the USB bus to the IK. Even if the target Host/IK become compromised (within reason) data is still held securely within (potentially) the now quadruply encrypted Truecrypt container.

      Effort Expended = Results Gained.

      IMHO

      TM

    • #17428
      ravenmsb
      Participant

      Bruce Scheier hacked the ironkey with little effort over a year ago stating that the  Deniable File Systems that it uses are actually easier to hack than regular encryption methods.

      The average Joe can’t hack it but as with any technology it’s manageable.

    • #17429
      RoleReversal
      Participant

      ravenmsb,

      that’s not something I was aware of, can you provide a link for further reference?

    • #17430
      keyster
      Participant

      IronKey has never been hacked, not by Bruce nor anyone else and many have tried.

      I think ravensmb has confused the vulnerabilities that Schneier found with DFS and TrueCrypt a year ago. Last June,  Bruce said Deniable File Systems are actually easier to hack than encryption.  IronKey’s encryption is validated at Level 3 of FIPS 140-2.

      See http://www.schneier.com/paper-truecrypt-dfs.pdf  or http://blog.ironkey.com/?m=200807  for details. 

    • #17431
      Diluted
      Participant

      I am the IronKey administrator here at my office.  We are using the Enterprise service, and so far we are very happy with the service and devices.

      I have not had the chance to disassemble one or use the Silver Bullet service yet, but the policy definitions are useful and easy to use, and the comfort of knowing that our data is safe even if someone loses the device is great. 

      Additionally, if someone leaves or is identified as having stolen data and placed it on a managed key, the ability to stop that person from unlocking the key is useful as well.

      Anyone have questions about the Enterprise control panel?

    • #17432
      nonamegsm
      Participant

      Hi , I have banned/locked but not stealed or so key and decided to disasemble it and make some tests. I have found only this topic about reversing digging this product , if posting to the end of this topic are wrong idea i will start new one 😉 So my discovery are begin from removing one of aluminium sides if key and using some cheap chemicals to remove glue inside key.

    • #17433
      Jamie.R
      Participant

      This is really interesting topic it look like they also working on a secure app that should be released soon.

      @don did EH every get their ironkeys was a review done ?

    • #17434
      Don Donzal
      Keymaster

      Ooh… that was 3 years ago! We gave away 20 IronKeys:

      http://www.ethicalhacker.net/content/view/280/8/

      and Mike Murray did a review:

      http://www.ethicalhacker.net/content/view/259/24/

      Don

    • #17435
      Jamie.R
      Participant

      I must have been taped in a cupboard somewhere.

      thanks

Viewing 28 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2022 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?