Data Encryption, Security and the Need for a Consumer Storage Device

Introduction

Newly developed digital technologies are changing the way information is exchanged, communicated and stored. This white paper explores the need for a private, portable and secure storage device. It presents some concepts of data encryption and their implementation in a next-generation storage product that would serve rapidly expanding, multi-billion dollar market segments such as secure financial transactions, content distribution, personal medical records and transportation/building security.

Need for a Secure, Consumer Storage Device

Digital technology has been the greatest enabler of products, spawning significant innovations such as the personal computer, the Internet, e-mail, e-commerce, MP3 music and various forms of entertainment. Remote data access available through the Internet has made us more efficient, as information exchange and commerce can be conducted 24 hours a day, 7 days a week. However, with the open arms of the Web come some significant issues of security and trust.

Threats of fraud, eavesdropping and data theft have prevented many from fully embracing the benefits of this new channel. It is estimated that credit card fraud amounts to 28 cents for every $100 charged [1]. In addition, personal information needs to be protected on the Web. Each time an e-commerce transaction is completed, important personal financial data is exchanged between the buyer and the seller. With modern technology, this data can be intercepted and utilized to manufacture a credit card, which can be used to make fraudulent purchases. Visa International [2] estimates that this type of fraud or "skimming" currently amounts to over $2 billion annually in the United States for Visa alone, and will increase dramatically as more organizations and individuals embrace e-commerce.

Digital processing converts text, graphics, audio, video and photographs into a stream of "1"s and "0"s, allowing a variety of information to reside in a single medium. This information can be replicated easily, whereby the copy is as good as the original. Take the example of a movie recorded on a DVD disk. An encryption scheme is employed to protect the content; however, the disk is manufactured by a stamping method, and the security measures remain the same across the entire population of disks. Web sites are available on the Internet where one can download a software program to defeat this encryption and allow easy replication of the content. The cost of accomplishing this is nominal: a PC, access to the Internet and about $5 to purchase a DVD-R medium. The expendable cost to download and copy a movie title from the Internet or another DVD is less than the cost of a theatre ticket!

The ability to record text and photos in the same medium becomes an enabling technology that could allow individuals, for example, to obtain and maintain copies of their medical records. For this application, a portable and secure medium is required where doctor's reports, X-rays, known allergies, medication history and laboratory test results can all be converted into digital format and stored for use in a pharmacy, for medical emergencies, while traveling, or to obtain a second medical opinion.

Corporate security is another area in need of a secure storage solution. Take for example the traveling business executive. They typically carry a 7+ pound Notebook PC just to transport confidential corporate information, product specifications, presentations, and contact names. Today Notebook PC theft is a significant problem, while a heavy device is inconvenient, cumbersome and prone to being left behind after a business meeting. Both situations result in the loss of important trade secrets, which can compromise a corporation's competitive advantages. Additional vertical markets that are currently in need of a secure storage solution include access control, personal authentication and national identification.

Benefits of Encryption

Encryption, or information scrambling technology, is a process by which a message is converted to a form that is unreadable by all except the intended recipient. With digital technology all types of information can be converted into bits, namely, "1"s and "0"s. These can be grouped into 8-bit blocks, or bytes, each of which can take a value from 0 to 255. Once information is in this form it can be manipulated by mathematical algorithms that randomize it and create data that is totally unlike the initial content. Decryption is the inverse process, where scrambled text is converted back to the original message. This can be likened to a jigsaw puzzle. For example, a photograph can be cut into a number of small pieces; the smaller the size of each piece, the larger the randomness of the pieces making up the original photograph. Furthermore, each piece can be tagged with a number, a "key", which would identify its location in the photograph. Successful decryption would require knowledge of the "key" and the methodology utilized to create the tag on each piece.

A variety of encryption/decryption algorithms have been developed and are available, such as DES [3], RSA [4], AES [5] and PGP [6], with "keys" that can be as large as 4096 bits, or 1.044 × 10^1233 different key combinations. These schemes have been field tested and guarantee a certain level of security. Research is continuing to develop new and improved techniques to increase the randomness of the encrypted data, and provide larger keys that would be harder to crack. The algorithms mentioned earlier can be implemented in hardware, as a dedicated semiconductor device, or in software that operates in the host system.

Security Considerations

The security available in a data storage system is dependent upon the choice of the encryption algorithm, its implementation, the size and management of the key, and the degree of randomness attained by the chosen method. Encryption/decryption is a mathematical process, which can be subjected to an attack utilizing sophisticated computer gear. From a security perspective, an attack is most likely to occur if it nets something of commercial value or creates mischief that would disrupt a government or a commercial organization, or compromise a distribution or an information channel. Furthermore, it should be recognized that hardware and software innovations are continuing to make computers more powerful and more economical, and it is becoming much easier to string a number of them together to create a more powerful machine. A terrorist or an organized crime group can easily implement a system to launch such attacks.

Additionally, once information is encrypted it must be married in some way with the logic and the key that was utilized to create it. Thus, if a data center offers this as a service, it must decide on a specific algorithm, establish an infrastructure to manage the associated encryption keys, and amortize the costs over a population of users, creating a user group of information which could have commercial value to a terrorist group. If content is encrypted and delivered in a mass-produced medium such as a CD or DVD, then the algorithm must be fixed and the key made available to users so long as they continue to view this content, thereby providing an opportunity for an organized crime group to develop software to defeat this encryption method. Thus, from a security perspective there is a need for a system where (a) the encryption logic and keys are unique for each storage medium or unit, (b) the algorithm and the key can be economically changed without compromising legal access to the content, and (c) information pertaining to the algorithm or the key is always kept secret, and is never made available or communicated over a public channel.

A Consumer Storage Device

It is possible to conceive of a product where a large storage volume is married to the encryption/decryption hardware, with additional logic to decide what type of information can be transferred under what levels of security. Such a device could be developed economically if it is configured in the form of a Smart Card. The Smart Card has a familiar form factor, is readily transportable and contains a semiconductor device that can house the necessary logic. However, current implementations of Smart Cards have a shortcoming, namely, there is limited on-board memory. Consequently, Smart Cards can only store pointers to data residing on a network. This creates security concerns, namely, (a) data is transferred over a public channel, (b) the amount of data transmitted is limited unless local storage is available, which may or may not be secure, and, (c) a connection to the network is required during the authentication process or during information exchange, which may or may not be available at the moment requested, resulting in consumer frustration.

A secure consumer storage solution would be one where a Smart Card is fabricated with 100+ MB of rewritable storage in addition to the integrated circuit ("IC") at a nominal cost. The advantages of such an approach would be: (a) the device would contain the encryption logic and associated keys, which can be different from one card to another, removing commercial value to justify a concerted attack, (b) the security logic and storage are local to each device; consequently, new and more secure algorithms can be incorporated without impacting the overall system, (c) new cards can be issued annually or over short periods with new codes and modified algorithms, providing little time for the development of algorithms to defeat the system, (d) each card would have sufficient storage to allow local authentication and exchange of information, and (e) the security logic can be programmed to allow access which is time dependent or for a predetermined number of accesses, after which the key and the data in the storage volume are randomly erased. In the example of the jigsaw puzzle, this is like removing a number of the pieces from the puzzle, thereby creating holes where other pieces will not fit, so that the original photograph cannot be recreated. Finally, the product will be compatible with an existing infrastructure, and could have additional features; for example, data stored in the IC memory can be selectively updated from the larger storage volume to provide information for specific situations. A product such as this could have great commercial appeal, can be utilized in a variety of markets, and could become a secure means to transport and manage personal data.
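Points (a) and (e) above can be modeled in a few lines. This is an added example, not code from the white paper or from StorCard: the `SecureCard` class and its method names are hypothetical, and a SHAKE-256 keystream with an HMAC tag stands in for the vetted cipher (such as AES-GCM) a real device would implement in hardware.

```python
import hashlib, hmac, secrets

class SecureCard:
    """Hypothetical model of one card: a per-card key plus a read budget."""

    def __init__(self, max_reads):
        self._key = bytearray(secrets.token_bytes(32))  # unique per card, never exported
        self._reads_left = max_reads
        self.blob = None  # (nonce, ciphertext, tag) as held in the storage volume

    def _subkey(self, label):
        # Separate encryption and authentication keys derived from the card key.
        return hmac.new(bytes(self._key), label, hashlib.sha256).digest()

    def _xor_stream(self, nonce, data):
        # Stand-in cipher: XOR with a SHAKE-256 keystream (not a vetted AEAD).
        ks = hashlib.shake_256(self._subkey(b"enc") + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def _tag(self, nonce, ct):
        return hmac.new(self._subkey(b"mac"), nonce + ct, hashlib.sha256).digest()

    def store(self, data):
        nonce = secrets.token_bytes(16)
        ct = self._xor_stream(nonce, data)
        self.blob = (nonce, ct, self._tag(nonce, ct))

    def read(self):
        if self._reads_left <= 0 or self.blob is None:
            raise PermissionError("read budget exhausted; key and data erased")
        nonce, ct, tag = self.blob
        if not hmac.compare_digest(tag, self._tag(nonce, ct)):
            raise ValueError("blob was not written by this card")
        self._reads_left -= 1
        data = self._xor_stream(nonce, ct)
        if self._reads_left == 0:
            self._erase()
        return data

    def _erase(self):
        # Overwrite the key in place with random bytes, then drop the ciphertext.
        self._key[:] = secrets.token_bytes(len(self._key))
        self.blob = None

if __name__ == "__main__":
    card = SecureCard(max_reads=2)
    card.store(b"allergy: penicillin")  # constructed sample record
    print(card.read(), card.read(), card.blob)
```

Because every card draws its own key, a storage volume cloned onto a second card fails the authentication check there, and defeating one card yields nothing reusable against another.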

Conclusions

In this paper some security issues have been presented along with the configuration of a secure consumer storage device. Currently a variety of approaches are being pursued, such as fast storage area networks and secure servers with elaborate "hand-shaking" procedures to protect and deliver content; however, none of these can satisfy security concerns, or the basic human need for a personal storage solution, where "I can control my information, I can provide access when, where and to whomever I want, and it will always remain secure even if I inadvertently misplace it".



 



©2001 - 2006 StorCard, Inc. Reg. U.S. Pat. & T.M. Off.