I guess my last post struck a chord with the people at Ironkey. They apparently are really proud of their product, and its level of security. I will repost their response to my article, but first I want to say something. That article really is aimed at the casual, security-conscious, average user. It is by no means intended to suggest that the U.S. Military should lower their security in order to save $110.
Seriously, is money an issue for the U.S. Government? I mean they will spend $3,456 on a friggin' hammer for crying out loud!
Anyway, here is the response from Dave at Ironkey:
Bauer, thanks for your article post. Yes, casual users can use software truecrypt on a regular flash drive for $40. For those who need more security, or who need to deploy encrypted USB to employees or customers, the difference between truecrypt on a cheapo flash drive and an IronKey are:
- Security: IronKey has hardware-enforced password guesses at 10. TrueCrypt can be brute-force password guessed, as there is no way to prevent a password guessing program. Basically any TrueCrypt encrypted data can be cracked with off the shelf freeware password brute force guessing software.
- Robustness: The IronKey is an expensive piece because you are getting the most premium USB flash drive on the market. It is waterproof and tamperproof.
- Long Life: Most $40 flash drives use cheap MLC memory which is slow and only lasts for 5,000 write cycles. The IronKey uses the most expensive and highest performance SLC memory. This lasts 100,000 write cycles, and is much faster. This is important if you are running portable apps from your USB drive.
- Works in Enterprises and Government: TrueCrypt requires Admin privileges on Windows XP. This doesn't work in 80% of enterprise and government networks. IronKey spent millions of dollars designing a system that does not require Admin privs or drivers.
- Secure Surfing: Sure you can use the free public experimental TOR network on your $40 flash drive. But then your traffic can be spied upon by phishers, you can get infected by malware, you can be pharmed by malicious DNS operators. Or you can use the high performance IronKey SecureSessions network. 1 year subscription is part of the purchase price.
- Validated: IronKey is spending a lot of time to get their system FIPS validated by third parties and NIST, which makes this an ideal solution for government and enterprise deployments.
Certainly, TrueCrypt on a cheap MLC flash drive is a good option for a casual user not all that concerned about security or reliability. For others, the IronKey is in a different league of security, reliability and privacy.
You can read about why hardware encryption is superior to software encryption here:
IronKey_Whitepaper-Benefits_of_Hardware_Encryption.pdf
Thank you for the open opportunity to discuss the issues.
Dave @ IronKey
Dave does have a point, you have to admit. Their product is really, really secure!
I do want to point out that Dave throws out the cool buzzword of brute forcing. He is right about that, the Truecrypt password could be attacked using brute force. However, if you use a strong enough password, it will take an ungodly amount of time to do it.
Personally, I have a text file that I created by randomly mashing keys. There are over 7000 characters in that text file including upper, lower case and special characters. Somewhere in there contains my password, which is something like 1000 characters long with upper, lower case and special characters. With a password that long, and that complex, it would take the world's most powerful supercomputers something like 10,000,000,000 years to crack using brute force. I don't know about you but if they want to spend that kind of time cracking my password, that is cool. I will be dead by the time they crack it, and I won't care too much at that point. In fact my grandkids' grandkids will be dead too, and they won't care, so have it!
You don't have to do anything that complex though: you can come up with some kind of oddball sentence, alternate upper and lower case, and throw in some special characters, and that alone will leave brute forcing useless, something like:
B@u3r-P03er$AvedMeC@$h (Bauer-Power Saved Me Cash for those that don't speak l337)
Actually, I think the best way to crack either method would be to use some form of keylogger, in which case both methods would seem just as secure as the other.
I would also like to point out a feature that Truecrypt has that Ironkey doesn't, which is the ability to create a hidden volume inside the encrypted volume in case someone is able to crack your password. I am apparently not the only one that feels that way either. According to Serdar Yegulalp, from SearchWindowsSecurity.com:
IronKey doesn't seem to have a feature I have admired in the open-source cryptography product TrueCrypt. It is the ability to partition a volume into a standard and hidden volume, which would allow you to conceal another volume within the secure files section of the drive. That way, if you are forced to reveal the volume key, you could do so without compromising all of the information on the drive.
So basically what I gather from the whole thing is that the extra money is for the extra bells and whistles, and a better made thumb drive. If you have the money, and you are THAT concerned with whether or not you can submerge your thumb drive in water, then by all means, buy an Ironkey.
NOTE TO IRONKEY: Do you guys really want to change my mind? Send me your Ironkey to test out. I will be happy to write a full review of my findings, and post a retraction if I find you guys are right.