Encrypted Drives

XTS - The Key to the Best Encryption

It takes more than a certificate to have the most secure USB drive encryption. Kingston's ultra-secure encrypted USB Flash drives, DataTraveler® 4000G2 and DataTraveler Vault Privacy 3.0, feature 256-bit AES hardware-based encryption utilizing XTS block cipher mode. XTS provides greater data protection over other block cipher modes, such as CBC and ECB.

The following details the security advantages of the DT4000G2 and DTVP30 encrypting USB Flash storage devices.

Full-Disk Encryption AES Block-Cipher Modes of Operation

AES, or Advanced Encryption Standard, is a block cipher that encrypts data in 128-bit blocks. To encrypt anything larger than 128 bits, AES is used with a block cipher mode. There are many different AES block cipher modes that are part of the AES specification. The simplest block cipher mode is Electronic Code Book (ECB). Cipher Block Chaining (CBC) addresses security weaknesses of ECB and is one of the most common modes used in portable encrypting Flash drives. XTS is one of the newest modes and provides stronger data protection than ECB and CBC. The following is a brief description of these block cipher modes.

Electronic Code Book (ECB). This cipher mode simply repeats the AES encryption process for each 128-bit block of data. Figure 1 depicts data encryption using ECB mode. Each block is independently encrypted using AES with the same encryption key. For decryption, the process is reversed. With ECB, identical blocks of unencrypted data, referred to as plain text, are encrypted the same way and will yield identical blocks of encrypted data (cipher text). This cipher mode is not ideal since it does not hide data patterns well. Figure 2 is an example that demonstrates the major security vulnerability with this cipher mode.

Figure 1: Electronic Code Book (ECB)

The unencrypted image is shown on the left. The image on the right shows what the cipher text might look like when using other encryption modes such as CBC or XTS. The center image clearly demonstrates the vulnerability associated with ECB. Since identical image pixel patterns within the encryption block are encrypted in such a manner that they yield identical cipher blocks, the original image bleeds through.


Clearly, identical blocks of data should not be encrypted in a manner that yields the same cipher text. As a result, the ECB block cipher mode is considered weak and is not recommended for use.

Figure 2: Original image (left); encrypted using ECB mode (center); encrypted using other mode (right)

Cipher Block Chaining (CBC). As discussed, the primary weakness of ECB is that identical data blocks are encrypted in a manner that produces identical cipher text. The goal is an encryption method that encrypts each block using the same encryption key while producing different cipher text, even when the plain text of two or more blocks is identical. Cipher Block Chaining was designed to achieve this result. Figure 3 is a depiction of CBC cipher mode.

An initialization vector (IV) of 128 bits is generated and combined with the plain text of the first block in a sector. This data is combined using the Exclusive OR (XOR) function. The resulting 128 bits of data are then encrypted using the AES encryption algorithm and stored on the media. The resulting cipher text is passed on to the next block, where it is combined with the plain text for that block, encrypted and stored. This chaining process is repeated for each block in the sector. The process ensures that blocks of identical data result in completely different cipher text. As a result, CBC is much more secure than ECB and is considered suitable for most security applications. CBC is widely used in many encrypted Flash drives.

Figure 3: Cipher Block Chaining (CBC) - Encryption

AES-XTS Block Cipher Mode. Originally specified as IEEE Std 1619-2007, NIST added XTS to the list of AES block cipher modes in 2010. XTS is the newest block cipher mode and is the cipher mode used by DataTraveler 4000G2 and DataTraveler Vault Privacy 3.0. It was designed as a stronger alternative to other available block cipher modes such as CBC. It eliminates potential vulnerabilities associated with some of the more sophisticated side channel attacks that could be used to exploit weaknesses within other modes. Figure 4 is a simplified block diagram for XTS mode.

XTS uses two AES keys. One key is used to perform the AES block encryption; the other is used to encrypt what is known as a "tweak value." This encrypted tweak is further modified with a Galois field (GF) polynomial multiplication and XORed with both the plain text and the cipher text of each block. The GF multiplication provides further diffusion and ensures that blocks of identical data will not produce identical cipher text. This achieves the goal of each block producing unique cipher text given identical plain text, without the use of initialization vectors and chaining. In effect, the text is almost (but not quite) double-encrypted using two independent keys. Decryption of the data is accomplished by reversing this process. Since each block is independent and there is no chaining, if the stored cipher data is damaged and becomes corrupted, only the data for that particular block will be unrecoverable. With the chaining modes, these errors can propagate to other blocks when decrypted.

Figure 4: AES-XTS block cipher mode (simplified block diagram)
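The three modes described above (ECB, CBC and XTS), side by side, as an added example; this is not Kingston's code or the drives' firmware. Because the block cipher itself is not the point, a constructed 8-round Feistel permutation built from SHA-256 stands in for AES (an assumption for illustration, not a secure cipher); the mode logic is the real structure, including XTS's per-sector tweak encrypted under the second key, the multiplication by alpha in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1 with the little-endian convention of IEEE 1619, and the C = E(P XOR T) XOR T form. The keys, IV, sector number and the all-zero plaintext are constructed sample values (real XTS-AES-256 uses two 256-bit keys). The example checks the two claims made in the text: identical plaintext blocks leak through in ECB but not in CBC or XTS, and a single corrupted ciphertext block damages two decrypted blocks in CBC but only one in XTS.

```python
import hashlib

BLOCK = 16  # 128-bit blocks, the same block size as AES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _round_fn(key, half, r):
    # Feistel round function keyed by (key, round); SHA-256 based stand-in, not AES
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key, block):
    """Toy 8-round Feistel permutation of one 16-byte block (stand-in for AES, NOT secure)."""
    left, right = block[:8], block[8:]
    for r in range(8):
        left, right = right, xor(left, _round_fn(key, right, r))
    return right + left


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for r in reversed(range(8)):
        left, right = right, xor(left, _round_fn(key, right, r))
    return right + left


# ECB: every block encrypted independently with the same key
def ecb_encrypt(key, data):
    return b"".join(block_encrypt(key, b) for b in blocks(data))


def ecb_decrypt(key, data):
    return b"".join(block_decrypt(key, b) for b in blocks(data))


# CBC: each plaintext block is XORed with the previous ciphertext block (the IV for the first)
def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for p in blocks(data):
        prev = block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in blocks(data):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


# XTS: tweak = E_key2(sector number), multiplied by alpha^j in GF(2^128) for block j
def gf_mul_alpha(t):
    """Multiply a 128-bit value (little-endian, as in IEEE 1619) by x mod x^128 + x^7 + x^2 + x + 1."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n ^ 0x87) & ((1 << 128) - 1)
    return n.to_bytes(BLOCK, "little")


def xts_crypt(key1, key2, sector, data, decrypt=False):
    tweak = block_encrypt(key2, sector.to_bytes(BLOCK, "little"))
    core = block_decrypt if decrypt else block_encrypt
    out = []
    for b in blocks(data):
        out.append(xor(core(key1, xor(b, tweak)), tweak))  # C = E(P ^ T) ^ T, no chaining
        tweak = gf_mul_alpha(tweak)                         # next block uses T * alpha
    return b"".join(out)


def has_repeated_blocks(ct):
    bs = blocks(ct)
    return len(set(bs)) < len(bs)


def damaged_blocks(original, recovered):
    return [i for i, (p, q) in enumerate(zip(blocks(original), blocks(recovered))) if p != q]


def flip_bit(data, byte_index):
    b = bytearray(data)
    b[byte_index] ^= 0x01
    return bytes(b)


def compare_modes():
    key1, key2 = b"constructed-key-1", b"constructed-key-2"  # constructed sample keys
    iv, sector = bytes(range(BLOCK)), 7                      # constructed IV and sector number
    plain = bytes(BLOCK) * 4  # four identical blocks, like a flat region of an image
    ecb_ct = ecb_encrypt(key1, plain)
    cbc_ct = cbc_encrypt(key1, iv, plain)
    xts_ct = xts_crypt(key1, key2, sector, plain)
    # Simulate media corruption: one bit flipped in stored ciphertext block 1
    cbc_rec = cbc_decrypt(key1, iv, flip_bit(cbc_ct, BLOCK))
    xts_rec = xts_crypt(key1, key2, sector, flip_bit(xts_ct, BLOCK), decrypt=True)
    return {
        "ecb_repeats": has_repeated_blocks(ecb_ct),
        "cbc_repeats": has_repeated_blocks(cbc_ct),
        "xts_repeats": has_repeated_blocks(xts_ct),
        "round_trip": (ecb_decrypt(key1, ecb_ct) == plain
                       and cbc_decrypt(key1, iv, cbc_ct) == plain
                       and xts_crypt(key1, key2, sector, xts_ct, decrypt=True) == plain),
        "cbc_damaged": damaged_blocks(plain, cbc_rec),
        "xts_damaged": damaged_blocks(plain, xts_rec),
    }


if __name__ == "__main__":
    for name, value in compare_modes().items():
        print(f"{name}: {value}")
```

Running it shows ecb_repeats True and cbc_repeats and xts_repeats False, which is the Figure 2 effect in four blocks. The corruption check shows why the text's remark on error propagation matters for storage: in CBC the flipped bit garbles block 1 completely and reappears as exactly one flipped bit in block 2 (cbc_damaged is [1, 2]), while in XTS only block 1 is lost (xts_damaged is [1]). Note also that XTS gives no integrity protection: a modified ciphertext block decrypts to garbage silently, so any tamper detection must come from elsewhere.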

Conclusion

AES-XTS provides the DT4000G2 and DTVP30 with greater data security than other offerings on the market. All security functions are contained within the confines of the on-board security processor, providing high-grade security and portability.

Additionally, both of these devices enforce complex password protection and lock down after a specified number of invalid password attempts. Packaged in a rugged waterproof casing, these devices provide the ultimate security and protection for data. All Kingston® enterprise and military-grade encrypted drives come with a five-year warranty and free technical support.

Added Value
Secure Customization Program

This program offers the options most frequently requested by customers, including serial numbering, dual password and custom logos. With a minimum order of 50 pieces, the program delivers precisely what your organization needs.

Anti-Virus Protection
ESET Anti-Virus

Protect from WannaCry variants. For added peace of mind, anti-virus protection is available on DataTraveler Vault Privacy 3.0. Powered by ESET NOD32® Anti-Virus Engine software, it’s easy to deploy, with no installation required. Protect from malware / ransomware, viruses, spyware, Trojans and other Internet-borne threats.

Management Solutions

Options are available to let you or your IT experts centrally manage drives to meet compliance requirements, remotely reset passwords, manage device inventory, enforce policies and more. Available through our partnership with DataLocker. Solutions include IronKey Enterprise management for IronKey drives and SafeConsole management for DataTraveler encrypted drives.

Learn More
Government

Organizations are tasked with the challenge of complying with an ever-increasing list of legislative requirements and protocols designed to protect sensitive data in transit and at rest, including:

  • OMB M06-16 mandate
  • Federal Desktop Core Configuration (FDCC) mandates
  • Director of Central Intelligence Directive (DCID) 6/3
  • General Data Protection Regulation, designed to protect sensitive data at rest and in transit

Noncompliance can lead to loss of public trust and strict oversight or costly class-action lawsuits, and for companies that work with government agencies, noncompliance can disqualify them from working on government contracts.

Government agencies can use Kingston® IronKey™ and DataTraveler® encrypted USB Flash drives to access data from anywhere. Federal law enforcement personnel can review and update case files in the field, while scientists, analysts and forecasters can access data sets from any location with a PC or tablet.

With these trusted Flash drives, contractors can work at agency offices while still having trusted access to data and agencies can maintain operations during disasters by putting critical data in the hands of key personnel.

For easy remote management, IT professionals can enforce access and use policies from a central console. IT can demonstrate best effort to comply with new and unsettled regulations, including the General Data Protection Regulation.

Health Care

Healthcare agencies must comply with data security mandates such as:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health (HITECH) Act
  • Centers for Medicare & Medicaid Services (CMS) security requirements for Electronic Health Records (EHRs)
  • Evolving ASTM Standards for Medical Device Interoperability

It’s vital for hospitals, healthcare providers, insurers and pharmaceutical companies to take the risk out of mobility and to simplify HIPAA and GDPR audits.

With Kingston IronKey and DataTraveler Encrypted USB drives, doctors can securely and easily access patient data from anywhere. Temporary medical and pharmaceutical personnel can gain trusted access to applications and records when on assignment or working from home.
Clinical trial contributors, managers and auditors can securely enter or review trial data at any location with a PC or tablet, while insurance claims adjusters, examiners and investigators can have unlimited access to records.
Organizations can provide their key personnel with critical data to maintain operations if severe weather or other disasters strike.

The IT department can enforce access and use policies from a central console and demonstrate best effort to comply with new and unsettled regulations, including the GDPR.

Finance

Financial services companies are bound to comply with an expanding array of data security regulations and standards, including:

  • Gramm-Leach-Bliley Act (GLBA)
  • Sarbanes-Oxley Act (SOX)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • State Financial Data Privacy Acts
  • European Union Data Protection Directive (EUDPD)

The cost of failing to comply with those regulations is significantly more than the cost of compliance. And failure to comply can impact your business when employees can’t work efficiently.

Kingston IronKey and DataTraveler Encrypted USB drives can help financial teleworkers safely access data and applications from home. Banks, insurers and others can equip contractors to work in the field without investing in notebooks or tablets.

Auditors can gain trusted access to sensitive data when on assignment or when working from home. Claims adjusters, examiners and investigators can have access to data and applications from the field.

In case of severe weather or other disasters, organizations can provide key personnel with access to critical data to maintain operations and the IT department can enforce access and use policies from a central console.

Data Security Center: Technical Papers and Resources
Major Recent Example of an Unencrypted USB breach
USB Breach

Case in point: Heathrow Airport in London (October 30, 2017) used unencrypted USB drives for its non-cloud storage. Unfortunately, it had not standardized on encrypted USB drives.

Using and promoting encrypted USB Flash drives in your organization

Get eight useful tips to help your organization keep confidential information confidential and to comply with regulations.

Neutralizing the USB Threat

Getting a handle on the slipperiest drives. Do your employees and visitors who connect to your network ever use USB drives?

Hardware vs. Software Encryption

See a side-by-side comparison of these two popular data encryption methods.

Moving beyond compliance: Why “secure enough” isn’t enough

Understand the difference between compliance and protection and what each means for your organization’s USB data storage strategy.

EU General Data Protection Regulation (EU GDPR) Effective: May 2018

Applies to every organization that processes personal data of EU citizens and takes full effect in May 2018. Organizations are to implement and ensure “a level of security appropriate to the risk, including … encryption of personal data” (Article 32, Security of processing).

USB Alert: Locking Down Your Data
USB drives can turn up anywhere - putting data at risk. How can IT deal with these risks, without completely forbidding USB drive usage and all its convenience?
XTS Encryption

All Kingston encrypted drives use XTS encryption, which provides greater data protection over other block cipher modes such as CBC and ECB.

Encrypted Comparison Chart

View the lineup of Kingston’s DataTraveler and IronKey encrypted drives to see which is right for you.

Changing Password Policies for IronKey and DataLocker Drives

A full range of password policies can be changed remotely, using IronKey EMS or SafeConsole.

New York Department of Financial Services (NYDFS - 23 NYCRR 500) Effective: February 2018
NYDFS - 23 NYCRR 500

Applies to every organization in New York that processes corporate / personal data. The proposal calls for organizations to encrypt sensitive data both in-transit and at-rest. (Section 500.15 Encryption of Nonpublic Information.)

State of USB Drive Security

Employees can be negligent when using drives, thus putting sensitive data at risk. Establishing and enforcing policies defining the acceptable use of drives can help.

Protect against BadUSB

Kingston DataTraveler and IronKey drives use digitally signed firmware, which makes them immune to firmware changes that could turn a USB drive into a host agent.

Resetting Your Password on IronKey and DataLocker drives

Passwords can be reset remotely or in person with IronKey EMS or SafeConsole.

Certifications
FIPS Validation

Issued by National Institute of Standards and Technology (NIST), FIPS validation entails coordinated requirements and standards for cryptography modules. By meeting the FIPS standards, Kingston and IronKey encrypted drives assure purchasers that they meet the criteria assigned.

