Date: July 3, 2013
Author(s): Brett Thomas
As important as data encryption can be for the home user, it’s even more imperative in the enterprise. The problem? The most effective measures are usually cast aside in lieu of something a little easier to deal with. With the CipherUSB, Addonics hopes to bring “simple” and “most effective” together as one. Does it succeed?
It doesn’t take a very deep search through my article history to know that I’m a big security nut. I live and breathe it for much of my job, given the sensitive data that I work with. These habits have followed me home, with the likes of encrypted drives, encrypted SSH tunnels, HTTPS protocols for all Web-based stuff. It’s not just paranoia anymore, of course… it’s pretty clear at this point (as Edward Snowden has proven) that “they” are listening – to you, to me, to everyone.
This digital, always-on and always-exposed world has led to a new push for security at more than just the major corporation level. Churches, community organizations, small businesses, and even individuals need to start taking more control over their digital fingerprints. However, anyone who has bothered with even the simple concept of PGP for his or her email knows what a pain it can be to truly live and interact with a secure environment.
Addonics Technologies, a company that focuses on storage technologies and enclosures, has aimed to make that simple in the US market with its release of the CipherUSB dongle family. The CipherUSB is designed to provide AES256 ECB or CBC encryption to either entire partitions (FDE, or full-disk encryption) or at the file/folder level (FLE, file-level encryption), and can feature either one-factor or two-factor authentication (we’ll get into that in a second) and optional built-in storage. Pricing, of course, varies by which of those options you choose, but ranges reasonably from $30 to $80.
What’s important and different about the CipherUSB suite isn’t that it encrypts with AES256 or that it has so many options. You can take a stroll through Newegg and see all sorts of encryption-enabled HDD cases, USB drives, and etc. What made us stop and say “I want to look at it,” came down to a promise from Addonics that I’ve never found to be true about encryption: it’s reusable across multiple devices, and it’s easy to use. Coming from a business environment where users constantly want skip or simplify passwords to make them faster to type or bypass one more prompt, where biometrics are too finicky to reliably use, and where nobody can find the same USB stick twice in an hour… many of us have been in that environment. Having something that actually promises to be easy and versatile as well as secure seems like a dream come true.
A brief note about important encryption concepts
Before you can effectively determine your encryption needs, you need to start with an understanding of a few basic encryption concepts. The most basic fact of all is that encryption must be reversible – whatever you encrypt must be able to be decrypted again. This makes encryption much more difficult (and different from) its cousin, the hash, which can (and should!) mangle data to an irrecoverable state.
Other terms of note include:
The CipherUSB Family
So, with the basics covered, let’s take a look at the offering from Addonics. The CipherUSB comes as either a pass-through dongle (which we love) or sealed with flash storage. Whichever you choose, you will have the option for one-factor or two-factor encryption and ECB or CBC algorithms. As noted above, ECB is weaker – and in file-level storage, could even be considered unwise. This is because ECB encrypts every block of every file the same way, meaning that someone with access to a file with a large amount of repeating patterns (or several small files with similar patterns) can possibly begin to deconstruct the key. CBC will make sure this is impossible.
The CipherUSB FDE Passthrough model is the commercial release of the Enova Enigma (Addonics is Enova’s strategic partner for peripheral and storage releases). The crux of the unit is the Enova X-Wall DX chip, which offers hardware-based encryption at up to 40MB/sec throughput. The FLE Passthrough models (I have the ECB single-factor version for testing) sport the same design. Because the FLE requires software to determine which files to encrypt/decrypt, it works only on Windows/Mac (Mac is optional and costs extra), but the FDE design will work on any host system once initialized.
Each CipherUSB model becomes initialized with a password, and that password does not have to be unique. This password is used to develop the actual key (I won’t get into detailing how, for security reasons) that is written via firmware to an otherwise inaccessible EEPROM chip on the device. This string then becomes the key for encrypting/decrypting files through the device. The cipher key will be incredibly strong, as it is a PRODUCT of your password instead of just the password itself padded to the correct key length. It will also never be made available to any host system, as it’s hard-wired directly to the encryption chip and never needs to be loaded into host memory anywhere.
Why am I telling you all of that boring stuff? To point out one of the best strengths/weaknesses of the device – any CipherUSB of the same model family, programmed with the same password, can open an encrypted file or device. That makes it incredibly useful in a corporate setting, so long as you choose and protect your passwords carefully – you can share those passwords between groups of people to create simple but highly effective layers of security, and not have access tied to just one device. If a CipherUSB gets lost or stolen, you can just order a new one and be back up and rolling in no time. And as we’ll cover later, programming the device with a new password is very quick and easy, so you don’t need every person on staff to each have their own dongle.
The CipherUSB does come with one other interesting set of features, which I will skip past in my review below because I’m not terribly sure of their usefulness with this device’s target market. The features involve setting write protections on the USB drive that is connected to the device, either to the MBR (master boot record) or the entire device. This allows “auditing” of an external disk without altering it, and (according to the instructions) “protection from viruses”… an interesting feature, but one that I can’t for the life of me think why I would need on a device like this.
Setting up the CipherUSB
To use the dongle, you must connect the CipherUSB to some kind of USB drive (the actual device is immaterial) to initialize it. On Windows, it will auto-mount a read-only partition and ask you to run the initialization tool. Enter a pass-phrase twice, hit the button, and your device is ready to use!
For FDE single-factor authentication, you’re all set now aside from formatting the USB drives you want to use with the dongle. On FDE two-factor authentication, you’ll still need to re-open the program and type your password each time you insert it with an encrypted USB drive into your system, but otherwise you’re ready to roll. That’s it – no drivers, no headaches, no nothing. Insert, and get on with your life – anything saved to the drive will be automatically and transparently encrypted. If the USB drive is connected to a computer without the CipherUSB in between from then on, it will show up solely as an unformatted drive (as Windows won’t even be able to read the partition table). Thus ends the tour of the FDE model (and why we told Addonics we really would rather see the FLE model).
I’ll make one more mention of the FDE units (particularly single-factor models) that I find really slick in a corporate environment, and that’s daisy-chained encryption. Give two differently encoded units to different people, and require both of them present to open a drive – effectively requiring two people to collude in order to edit, copy or otherwise misappropriate the data. This is hardly “revolutionary” security, but it’s seamless, and business people like seamless things. If both units plug into each other (in the right order) and the drive is plugged into that, it will work like nothing is out of the ordinary. Plug either unit in or both in the wrong order, and you’ll see nothing. You can do the same with the FLE models by simply encrypting a file and then encrypting it again under a different key, but it’s really slick how transparent it can be in FDE mode.
In a business environment, FDE can be useful but not nearly as much as being able to encrypt at the file level. After all, to encrypt a disk requires that it be external (and thus usually not backed up properly to the servers in a work environment) and limits the usefulness of that disk aside from the files you want encrypted. Transmitting the file to anyone else will require either giving them the whole disk, or removing the file from its encryption first. In all, it’s hardly a perfect solution – and it’s a big part of the reason why encryption policies in smaller corporate environments can get lax.
In a big office, chances are that there is an IT team creating a secure portal, active directory services, group policy and other tight file controls that allow fine-grained protection. However, small offices routinely utilize a simpler file server or NAS box… and encryption, if used at all, is a basic FDE. Most of the time, careful planning of user rights doesn’t even enter into the plan, much less actually materialize, so employees develop the habit of keeping “in process” and sensitive work on their desktops or USB drives that can be lost or stolen.
The CipherUSB FLE versions are designed to target this problem. By allowing you to encrypt specific files wherever they may reside (on USB, on your HDD or on the server), you can protect your file when you’re done using it, without having to encrypt an entire drive. Need to email a very sensitive document to another office? No problem. Want to make sure your more sensitive files get into the server backups? No worry. You can even share the same dongle between different people by having them re-encode the device when they use it, rather than spend bunches of money on multiple sticks. Change passwords for one-off file security to share between offices. The possibilities are endless on this front.
All of this is accomplished through the auto-mounted tool that initialized the device in the first place (kudos to Addonics for keeping it simple – there is exactly one EXE). What it lacks in attractiveness (really, this is about as horrible of a GUI as far as aesthetics go as you can get), it largely makes up for in simplicity. There are really only a couple things of note – a big pair of icons (lock and unlock) in the upper left, a directory tree on the left and a files window pane on the right. Navigate through the left to the directory you want, drag the files on the right to the big lock icon, and watch them be appended with an “.Addonics” extension. Want to do a whole folder at once? No problem – right click on it on the left pane, select “Folder Encrypt” and it will encrypt all of the files in the directory. It’s worth noting here that for some reason, this process is not recursive and will not encrypt files in subsequent directories contained in this one.
That’s it. The file is encrypted and won’t be able to be opened without a similarly encoded CipherUSB.
What, you were expecting more? The point was simplicity… and Addonics NAILS it.
For extra safety, inserting the two-factor model will require the password used to initialize it each time before you can begin using the device at all. However, the same thing can be accomplished on the single-factor models simply by changing the password to something generic after you’re done using it. Personally, I’d rather the convenience of single-factor with the ability to switch it up on-the-fly than having to do passwords every time.
You can’t please everyone…
What Addonics nails in simplicity, it misses in polish. The software is outright painful to look at, and for its effort to include one or two highly unusual operating systems for any type of business environment (Windows 98-2000 and Mac), it has sacrificed one of the greatest things available on the desktop today – Drag and Drop.
File encryption could (and should) be seamless and not require the horrendous tree navigational system that this software has. It could be even simpler than it is – a hot-spot “widget” on the desktop that you can drag a file onto one part of to encrypt, or another part to decrypt. The software demands local administrator privileges to run (presumably because you’re hooking the Windows File API), so it could easily have a cleaner interface… it’s hardly like Addonics is using TK bindings for tons of cross-platform support (No FLE Linux support, even as a command-line… which also makes very little sense given what’s here). All of the password changing functions could be accessible from the Windows taskbar while the software is open. I’d say it’s just poorly thought-out, except that I’m not sure it even WAS thought of… aside from one logo change, the interface is identical to the reference software which Enova designed.
An additional interface annoyance is the “Encrypt folder” issue. If my project has lots of subdirectories (which most of what I do does), I want to drag a parent folder to a “lock” icon and have everything in that folder encrypted. I don’t care how you go about it: recurse the subdirectories and encrypt every file individually, or zip the whole directory and encrypt the zip (less optimal but still functional). Again, if you already have API hooks that require administrative privileges, this just isn’t hard.
Going further down that little rabbit hole, why not just create a small installer with a right-click context menu as “Encrypt… “, or at least present that as an option? We’re looking for simplicity for the user here. Any person using a device like this is liable to use it multiple times on the same system. I detest clutter on my OS and I love the zero-fingerprint that the CipherUSB leaves behind… but if you’re already calling administrative privileges every time the device is inserted, why not just let an Administrator install a small program or service so that it doesn’t need the autorun (which is an annoying, annoying “feature,” by the way)? Leave the self-contained “No install” version on there for systems that the user doesn’t want to clutter.
If you really want to push driver-less, self-contained hardware decoding with a multi-platform interface, I’m all for it… but then there is simply no reason to not include a very simple bit of Linux CLI connectivity. And if it’s not going to be platform agnostic, then pick your biggest platform and do it right (preferably without requiring admin privileges every time, which is a security risk unto itself). I love multi-platform functionality, but in the business world there exist two major types of systems: Windows desktops, and Linux Servers. I am a Mac user and a Linux desktop user, and even I have to come to grips with that. A Mac interface is nice, but it’s probably 5% of the audience at best – and that 5% would probably be willing to front the cost to have a better looking interface with tighter integration anyhow (since we’re already being charged $10 extra).
I’m also not a fan of the “.Addonics” extension added to encrypted files. Sure, it seems like harmless (if a little shameless) self-promotion, but let’s consider this from a security perspective. If I get a hold of one of your encrypted files, the first thing I’m going to do is Google for what the blankity-blank an “Addonics” file is. That’s going to pull up the company name, instantly. I know the file is encrypted, so I go to the “Products/Encryption” area of the page. There sits the CipherUSB and a bunch of hard drive enclosures, and I know I’m looking at an individual file and not an HDD. So in about thirty seconds of effort, I’ve already nailed down your encryption to a CipherUSB FLE pass-through device. My only decision left is ECB vs CBC, and if I order one of each then all that’s left is scripting a simple link to brute-force passwords. We’ve suddenly turned AES256 encryption into nothing more than a very rudimentary password-cracking, all because someone wanted to do a bit of brand promotion. This extension should default to some nebulous string that is user-modifiable and can be changed with the password, both to help ID files internally encrypted by different passwords (if the company so chooses), and to protect the encryption device from being known to an outside agent. Yes, the user could rename the extension afterwards… but what a pain, particularly for lots of files!
Finally, the device takes a full 20 seconds on two different machines before it is actually functionally active (due to mounting the autorun partition and initializing the X-Wall chip), and the USB drive behind it tries to connect first. Depending on when in the cycle Windows polls the USB drive, the dongle sometimes tells Windows that the drive is unformatted (as if expecting FDE). I think this is because the same chip allows both FDE and FLE – it needs to initialize fully to determine which mode it’s in. Granted, this is minor in the grand scheme of things, but is another little thing that maybe could (and probably should) be polished.
Though my above points are certainly things that I hope Addonics takes to heart, I have to give the company some serious points for adding a product to its lineup that does exactly what it’s supposed to do – make storage encryption simple. If the password strings themselves are complex enough and protected appropriately, the devices can be programmed once and handed out to staff as needed.
Throughout all of this review, I haven’t really touched much on the subject of price, and that’s because it’s frankly negligible for what the CipherUSB actually offers. ECB FLE models cost $39.95, and CBC is $69.95. Add $10 to either if you want Mac compatibility as well. For the convenience and the fact that you don’t need one device per person or per storage device, this is practically a steal.
Is there room for improvements? Yes, and some of them really need to be made (like the file extension issue). The software should be redesigned for its target market, but it does work. Overall, the device lacks polish, not function. However, the couple glaring flaws it has are very large indeed, impacting both usability and security – which are the two things it’s supposed to have.
All of this puts me in an unfortunate position as a reviewer – If Addonics puts just a little more work in (even if only to handle the file extension issue), the CipherUSB CBC FLE would be a no-brainer recommendation. As it stands right now, though, it’s some great hardware with promise if only someone would clean up the UI… and that’s a little harder to swallow, since the hardware isn’t designed by Addonics. In fact, the only real place Addonics can actually add to the value chain here and leave its own mark (aside from just being the best company to market Enova’s device in a different country) is the software, so skipping this is just a bitter pill overall.
We’ve contacted Addonics to see what’s coming up, and the company has stated that it does intend to improve the application. For the time being, though, I can’t really give a firm “recommended” or “avoid this.” If what you want is simple but strong encryption without any bells or whistles and you’re willing to develop a strong enough passphrase that it can’t get bruteforced, you needn’t look farther than the CipherUSB. However, a little extra work by Addonics would go a long way to turning this from “does what it says on the label” to “you really should be using one of these.”
tl;dr: If you’re not using Linux, not picky about the interface and you don’t mind the unchangeable “.Addonics” giveaway file extension, the simple-to-use security of the CipherUSB is incredibly versatile and well worth the low price. However, there’s a lot of room for improvement in the software itself, and the file extension can be a security risk that reduces powerful AES256 encryption to a basic dictionary attack.
Copyright © 2005-2018 Techgage Networks Inc. - All Rights Reserved.