Q: Why do I need security for my HDD enclosure?
A: Lost or stolen hardware is always disappointing, but losing data can be disastrous. In addition to the expense of replacing hardware, lost data can result in legal liability, damage to personal or corporate credibility, unplanned administrative costs, and reduced productivity. Organizational and personal files must be kept safe from thieves, intruders and hackers.
Q: What is the best kind of security, and what security technology do IORAID enclosures adopt?
A: Several security schemes are commonly used to protect data, including:
Password Security: This basic OS/software solution blocks unauthorized data access by requiring a password. While this may be adequate for a coffee break, this form of security is very easy to bypass.
Biometric Security: This form of security relies on a unique physical characteristic, or a combination of them, such as a fingerprint or a retinal or vocal signature. While more secure than simple password security, it too can be circumvented, leaving unencrypted data at risk. Biometric security also requires a substantial hardware investment and additional administrative burden.
Hardware Security: Hardware security is by far the most thorough, cost-effective, and easily implemented form of advanced security.
IORAID HDD enclosures employ hardware security to provide reliable security for your stored data. Every bit and byte on the hard drive is protected with strong DES (Data Encryption Standard) or TDES (Triple DES) encryption algorithms. The level of encryption provided depends on your specific model, including:
DES 40-bit encryption strength
TDES 128-bit encryption strength
TDES 192-bit encryption strength
Q: What is “X-Wall LX”, and how does it function?
A: X-Wall LX is the security ASIC (Application Specific Integrated Circuit) that encrypts and decrypts the entire hard drive including boot sector, temp files, swap files and the operating system with real-time performance using the NIST (National Institute of Standards and Technology) certified DES (Data Encryption Standard) and TDES (Triple DES) algorithms.
X-Wall LX sits between the PCI bridge and the device on the IDE interface. It intercepts, interprets, translates, and relays IDE commands & data to and from the disk drives, encrypting the data with DES/TDES 40/64/128/192-bit key strength.
Q: How can X-Wall LX encrypt the entire disk in “real-time”?
A: X-Wall LX is specifically engineered for high-speed communications with the disk. It offers 1.6 Gigabit per second or higher real-time performance to all IDE compatible hard drives. Since X-Wall LX hardware chips perform all encryption and decryption tasks, there is no software to cause memory and interrupt overhead. Encryption and decryption are completely transparent to users.
Q: How does X-Wall LX compare with Smart Card and PCMCIA encryption products?
A: X-Wall LX is dramatically faster than PCMCIA or Smart Card solutions, and encrypts the entire hard drive instead of just selected files. There is no possibility that any data or credentials can be left unprotected on the hard drive. Drive locking and boot sector encryption solutions do not encrypt the data, which therefore remains vulnerable to attack.
Q: What is “DES/TDES”?
A: DES (Data Encryption Standard) was originally introduced by the NSA (National Security Agency) and IBM and has since become a Federal data encryption standard as defined in FIPS 46-3 (Federal Information Processing Standard). DES works on 64-bit data segments with a 64-bit key of which 8 bits provide parity, resulting in a 56-bit effective length. A variant on DES is TDES, in which the plain text is processed three times with two or three different DES secret keys. With two encryption keys used, the result is an encryption equivalent to using a 112-bit (128-bit) key. With three keys, the result is an encryption equivalent to using a 168-bit (192-bit) key. In practice, with a 128-bit TDES, the plain text is encrypted with the first key, decrypted with the second key, and then encrypted again with the first key.
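The key layout described above (8 parity bits per 64-bit key, two- or three-key encrypt-decrypt-encrypt) can be checked on key material as follows. This is an added example, not vendor code; the function names and sample keys are constructed, and it goes one step beyond the text by flagging keys whose sub-keys repeat, because an encrypt step followed by a decrypt step under the same key cancels out and leaves single DES.

```python
# Added example, not vendor code. Function names and sample keys are constructed.

def set_odd_parity(key: bytes) -> bytes:
    """Rewrite the low (parity) bit of each byte so every byte has odd parity."""
    out = bytearray()
    for b in key:
        b &= 0xFE                                    # drop the old parity bit
        out.append(b | (0 if bin(b).count("1") % 2 else 1))
    return bytes(out)

def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)

def key_report(key: bytes) -> dict:
    """Stored size vs. bits that key the cipher for an 8/16/24-byte key."""
    if len(key) not in (8, 16, 24):
        raise ValueError("expected 8, 16 or 24 key bytes")
    # Mask parity bits before comparing: only 56 bits per sub-key reach the cipher.
    parts = [bytes(b & 0xFE for b in key[i:i + 8]) for i in range(0, len(key), 8)]
    if len(parts) == 1:
        cipher_bits = 56
    else:
        k1, k2 = parts[0], parts[1]
        k3 = parts[2] if len(parts) == 3 else k1     # two-key form reuses K1
        if k1 == k2 or k2 == k3:
            cipher_bits = 56     # a decrypt step undoes an encrypt step: single DES
        elif k1 == k3:
            cipher_bits = 112    # two distinct keys
        else:
            cipher_bits = 168    # three distinct keys
    return {"stored_bits": len(key) * 8, "cipher_bits": cipher_bits,
            "parity_ok": has_odd_parity(key)}

# Constructed sample keys (every byte already has odd parity).
K1 = bytes.fromhex("0123456789abcdef")
K2 = bytes.fromhex("fedcba9876543210")
K3 = bytes.fromhex("89abcdef01234567")

if __name__ == "__main__":
    for label, key in [("DES", K1), ("TDES two-key", K1 + K2),
                       ("TDES three-key", K1 + K2 + K3),
                       ("TDES, K1 repeated", K1 + K1)]:
        print(label, key_report(key))
```

A 16-byte key built from the same 8 bytes twice reports 128 stored bits but only 56 cipher bits, which is the case a key-generation or provisioning check should reject.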
Q: How secure are DES and TDES?
A: Very secure as both algorithms are completely public, and have been surprisingly resistant to new cryptographic attacks over the last quarter century. Although software DES 56-bit key length is no longer proof against a massive computer attack, for most business applications DES remains adequate.
Q: What is the Secure Key and why use it?
A: The Secure Key serves as user authentication for access control while the ASIC encrypts and decrypts. It contains the DES/TDES “Secret Key” that is used by the ASIC to encrypt or decrypt data. The hard drive must be partitioned and formatted using the Secure Key the first time the hard drive is used. When complete, the entire content of the hard drive is associated with the unique Secure Key. The Secret Key is transmitted into the microchip at boot up and is retained in protected volatile memory inside the chip until the power is turned off. This means the secret key cannot be extracted from the chip, and is never stored anywhere else on the machine. Without the key, the protected disk drive cannot be booted and there is no access into the PC. Only a Secure Key containing the identical “Secret Key” can be used for authentication and decryption of the hard drive at power up. Together, the Secure Key and security ASIC comprise effective user authentication for access control and encryption for data protection.
Q: How is key length related to security?
A: In general, a larger key length creates a stronger cipher, which means an eavesdropper must spend more time and resources to find the decryption key. For instance, 2^40 (a DES 40-bit strength) represents a key space of 1,099,511,627,776 possible combinations. While this number seems impressive, it is definitely feasible for a microprocessor or a specially designed ASIC to perform the huge number of calculations necessary to derive the key. Surprisingly, an investment of only about US$10,000 in FPGA (Field Programmable Gate Arrays) will be able to recover a 40-bit key in 12 minutes. Further, a US$10,000,000 investment in ASIC will be able to recover a 40-bit key in 0.05 seconds. A government agency that can afford investing US$100,000,000 or more will be able to recover a 40-bit key in a minuscule 0.002 seconds. Thus, a 40-bit length cipher offers the bare minimum of protection for your confidentiality and privacy. Fortunately, the “work factor” increases exponentially as the key length is increased. For example, an increase of one bit in length doubles the key space, so 2^41 represents a key space of 2,199,023,255,552 possible combinations. A 2^112 (128-bit) TDES cipher offers extremely strong security (5,192,296,858,534,827,628,530,496,329,220,096 possible combinations) that should resist known attacks for the next 15 to 20 years, considering the advance of semiconductor design and manufacturing.
Q: Can I exchange the encrypted files using a public network?
A: No. IORAID encrypted enclosures are specifically designed to protect “data-at-rest” which is stored on your PC. The DES/TDES encryption engine built inside the X-Wall LX is a symmetric cipher, a “Secret Key” system that does NOT support the Public Key Infrastructure (PKI). Therefore, you will not be able to exchange X-Wall LX encrypted files through a public network, as every file leaving X-Wall interface is clear text.
Q: If the encrypted enclosure malfunctions, will I lose my data?
A: No. Remember that the Secure Key contains the DES/TDES secret key, and the X-Wall security ASIC chip is a generic engine. Consequently, you can simply replace the defective encrypted enclosure with an enclosure of the same encryption length. If this ever occurs, the original Secure Key can be used to access the data on your hard drive.
Q: I am currently using the IORAID enclosure with DES 40-bit strength. Can I upgrade the same disk drive to TDES 128-bit strength?
A: Yes, but two essential steps are necessary:
1. You can order an IORAID 128-bit encrypted enclosure from your supplier. The package you will receive will have a different Secure Key.
2. You must completely back up your hard drive to a safe location. The new IORAID 128-bit encrypted enclosure can then be installed and the data can be restored to the disk drive, using the new Secure Keys. This is necessary because the disk content will be lost when the FDISK and FORMAT commands are performed again.
Only one cipher strength can be used on one disk drive.
Note: The above X-WALL ASIC product information is property of eNova and is provided for informational purposes only. eNova retains copyright and ownership of all provided material regarding the eNova X-WALL ASIC.