Secure USB flash drive. Myth or Reality

Hi, Habr! Today we will tell you about one of the easiest ways to make our world a bit safer.

A flash drive is a familiar and reliable information carrier. And despite the fact that lately, cloud storages are replacing them more and more, flash drives are still being sold and bought a lot. Still, not everywhere there is a wide and stable Internet channel, and in some places and institutions the Internet may be banned altogether. In addition, we must not forget that a significant number of people for various reasons with distrust belong to various kinds of "clouds".

We are all accustomed to flash drives for a long time, and many of us remember how shyly there was support for usb mass storage in Windows 2000, and then, a little later in Windows Me. Many people understand how convenient it is to use flash drives now and remember how we all used to suffer with unreliable diskettes and impractical optical disks.

The author of these lines, approximately in 2004, was the happiest owner of a nice 128-megabyte carrier in a modern case with a metal insert. He was my faithful companion and keeper of valuable information for me for many years, until I finally lost it along with the key ring to which it was attached.

And, it would seem, the loss of keys is a rather ordinary event that must have happened to everyone, but it made me urgently change all the locks in the house.

The thing is that in the wilds of the file system of my flash drive lay scans of my passport, made just in case (who knows when passport scans can be useful?). And in combination with the real keys of a real apartment, registration data turns into a tempting opportunity even for those people who previously might not even have thought about apartment theft.

What did this incident teach me?

First of all - be more careful about your things, and secondly - that any information that can be used to protect you, even in some indirect way, can be used to harm you.

What can flash drives offer in terms of protection?

The first, the most obvious option, flash drives with hardware protection and no external software control, they usually have a keyboard on the case - everything seems to be good in them, but they cost a lot of wild money, maybe due to their low volume, and maybe and greed sellers. Obviously, due to the high cost, they did not find any particular distribution.

The second option is mounted software protection for a regular flash drive.

There are many options (you can easily google them), but they all have an obvious plus in the form of almost zero cost and the inevitable limitations associated with the need to install special software on the computer. But the main disadvantage of the mounted protection is its weakness.

What is the weakness - you ask.

The fact is that any program encrypting disks uses the sequence obtained by a special algorithm, for example PBKDF, from the password that you will use to unlock as the encryption key. And something tells me that it is unlikely that a password that will often have to be dialed will be long and complicated.

And if the password is short and simple, then to pick it up in the dictionary will not be so difficult.

An attacker, taking possession of your encrypted flash drive, even for a short time, can copy the cryptocontainer from it. You will still think that the data is still safe. But in fact, all this time someone has been hard at work picking up the key to your container, and every minute comes closer to its goal.

Therefore, if you are not an enemy to yourself, then the password must be “strong”. But since then you will have to repeatedly type the same “strong” password - this starts contradicting the statement on the previous line.

What to do - you ask.

Is it possible to put hardware protection between the protected flash memory and the computer so that it is convenient, reliable and more or less accessible? To at least be able to do without a monstrous body with hardware buttons.

It turns out, yes, you can, if you are a Russian manufacturer of electronic signature devices (tokens and smart cards).

Safe flash drive still exists

In the Rutoken EDS 2.0 Flash devices, the flash memory is connected through a special protected controller, the firmware of which, the Rutoken card operating system, is entirely developed by the Aktiv specialists (the Rutoken card OS is in the register of the Russian Ministry of Communications and Mass Communications).

This firmware has a special control module that controls the data streams entering and leaving the USB flash drive.

And since the Rutoken card operating system from time immemorial has functionality that provides access to cryptographic keys of electronic signature using PIN codes, we have implemented a kind of “gate” in it, which can be opened, closed or opened in one-way mode (for example, for reading). This gate is controlled by a PIN-code. Without knowing it, this valve cannot be turned.

Now imagine that such a valve is by default in the "closed" position. And to open it, you need to show a PIN code that only you know. Moreover, the valve closes automatically when removing the device from the computer. And the number of attempts to enter the wrong PIN-code is strictly limited. Moreover, the device is protected from physical hacking and retrieving a flash card.

It turns out quite safe, reliable and convenient system. We implemented it in the form of a small control program, which is called “Rutoken Disk”.

The flash memory of the Rutoken EDS 2.0 device, on which the Rutoken Disk is running, is divided into 2 areas: one service, for the emulation CD-ROM partition with the control program; the second is for user data.

When you connect such a device to a computer, you will see two physical disks. The CD-ROM partition is immediately readable and automatically mounted, and on Windows operating systems, a nice window also pops up.

')

A protected partition looks like a reader of memory cards, but without a card inserted in it, there is no data access.

However, by launching the application and entering a simple PIN-code, you instantly get access to your files.

The token itself has been sold for many years and the possibility of implementing a secured flash drive in it was originally. But now we have written a handy application, and if one of the readers already has such a device, the Rutoken Disk software can be downloaded from our website and installed on the device according to the instructions .

Instead of a summary:

If you trust your information to a regular flash drive - store it like the apple of your eye. In the case of Rutoken EDS 2.0 Flash and Rutoken.Disk - you can be much calmer for the confidentiality of their data. Although you should never relax completely.

I will answer in advance some questions that someone will definitely have:

• GUI for macOS and linux - will be.
• The ability to open a protected partition in read-only mode to safely insert a USB flash drive into the most unpredictable places will be.
• A button to safely remove the section, so as not to poke the mouse in the tray - will be.

Leave other questions, wishes and remarks in comments - we will try to answer all questions.