
Hey, I just found this device on-line called a computer-on-a-stick, which is almost what it sounds like, a computer on a stick. I'd like to try it. Does anyone else have any thoughts on how it would work or does anyone own one? I would really love to know more about it. I also saw Bio USB Flash Drive on that site. I saw it at http:// (It works in the USB drive and stores info.)


Comments

Cucco Mon, 08/29/2005 - 04:41

Hey Daniel:

This is an interesting concept - one I think that will develop more over time. I should specifically caution you and anyone about the Bio USB Flash drive. There's nothing adverse about using a system like this, but please don't be fooled into thinking it's anything more than it is. The biometrics involved in a system like this are rudimentary at best and incredibly easy to hack. (It's been done by a second grade class in WV as a school project!!)

In other words, feel free to get it, but please don't feel as though you're really getting that much extra protection.

The thing that bothers me is the claim of a free 256 AES encryption module along with each purchase. If this were legitimate, it would drive the cost of this device to a VERY high number. I work for the US Government as my day job and I directly support the Army's Information Assurance division and report to the Department of Defense Biometrics Management Office:
http://www.biometrics.dod.mil/

and I can assure you that,

#1 - military/government uses of AES (or AES3) have not superseded 128 bit strength (1 - b/c of cost, 2 - b/c of non-necessity - the current impossibility to hack 128 AES precludes us from going to higher cipher strengths)
#2 - Any legitimate company creating 256 bit AES algorithms charges an arm and a leg for their licensing and use (and rightly so!)

That to me means either -
1. The company in question here is lying (whether they know it or not)
2. The company is fraudulently claiming specs, etc.

Of course, it's entirely possible or even likely that you work for this company and that this is simply a means of getting your product out there. And while that's a fine marketing strategy, you've come to a forum where people attack folks that do that AND you have some of the brightest Uber-Geeks on the web waiting to find a reason to tear into people/products.

If you don't work for this company, then please disregard the above and welcome to RO!

However, I'll safely assume that, if we don't see additional posts or replies, that this is a one-time post/spam and it will be deleted.

Thanks again for the heads up!

Jeremy :D

Cucco Tue, 08/30/2005 - 02:26

The government may "allow" the 256 bit code, however, none of it has been approved and regulated by FIPS 140-2 documentation. Meaning, the government hasn't wasted its time even trying to approve it for its own use.

Any legitimate provider of 256 bit encryption (AES3 or Blowfish) is very guarded about their product and licenses it at a very high cost. I would be VERY leery of any product which offers this for free.

As for the swipe sensor, this couldn't be further from the truth. First, there is no liveness detection. Second, they are incapable of reading enough minutiae points to be deemed high-robustness. Third, as even with the "free encryption software" the minutiae itself isn't encrypted from point to point, a "man in the middle" attack or a "replay" attack are the most likely cases for attack. IOW, I could simply send the binary string that makes up your minutiae template and bypass the sensor altogether.

Or, I could just be one of the 1 in 100 people who could access the device by nature because the lack of minutiae points within the device make it less of a unique identifier.

J.
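The replay weakness Jeremy describes in the post above (a template sent as a bare binary string from sensor to host is accepted again if the same bytes are sent later) is easy to see in a small model, and so is the usual fix: the host issues a fresh random nonce per session and the sensor answers with an HMAC over nonce plus template, so a captured answer is useless for any later session. The Python below is an added illustration written for this thread, not code from the product or from any vendor; the template bytes and the shared key are constructed, the fuzzy fingerprint matcher is simplified to an exact byte comparison, and HMAC-SHA256 challenge-response is my assumed mitigation (the post itself names none). It only addresses the channel; it does nothing about the missing liveness detection the post also raises.

```python
import hashlib
import hmac
import os

# Constructed sample data: a fake "minutiae template" (not derived from any
# real fingerprint) and a key the sensor and host are assumed to share.
ENROLLED_TEMPLATE = bytes.fromhex("1a2b3c4d5e6f70818293a4b5c6d7e8f9")
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


# --- Weak design from the post: the template crosses the link as plain bytes ---

def naive_sensor_send(template: bytes) -> bytes:
    """Sensor transmits the template it read, nothing else."""
    return template


def naive_host_verify(message: bytes) -> bool:
    """Host accepts any message whose bytes equal the enrolled template,
    so the same captured message verifies every time it is presented."""
    return hmac.compare_digest(message, ENROLLED_TEMPLATE)


# --- Hardened design: per-session nonce, template bound to it with an HMAC ---

class Host:
    """Host side of the challenge-response; each nonce is single use."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = None  # nonce of the session currently in progress

    def challenge(self) -> bytes:
        self.outstanding = os.urandom(16)
        return self.outstanding

    def verify(self, message: bytes) -> bool:
        if self.outstanding is None:
            return False  # no session open: nothing to verify against
        nonce, self.outstanding = self.outstanding, None  # consume the nonce
        expected = hmac.new(self.key, nonce + ENROLLED_TEMPLATE,
                            hashlib.sha256).digest()
        return hmac.compare_digest(message, expected)


def sensor_respond(key: bytes, nonce: bytes, template: bytes) -> bytes:
    """Sensor answers the host's nonce with HMAC(key, nonce || template);
    the template itself never travels over the link."""
    return hmac.new(key, nonce + template, hashlib.sha256).digest()


def run_demo() -> dict:
    """Replay the same captured message in both designs and report the outcome."""
    results = {}

    captured = naive_sensor_send(ENROLLED_TEMPLATE)
    results["naive_fresh"] = naive_host_verify(captured)
    results["naive_replay"] = naive_host_verify(captured)   # accepted again: the flaw

    host = Host(SHARED_KEY)
    nonce = host.challenge()
    captured = sensor_respond(SHARED_KEY, nonce, ENROLLED_TEMPLATE)
    results["bound_fresh"] = host.verify(captured)
    host.challenge()                                         # new session, new nonce
    results["bound_replay"] = host.verify(captured)          # stale answer rejected
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:13s} accepted={ok}")
```

Running it prints `naive_replay accepted=True` next to `bound_replay accepted=False`, which is the whole point: the nonce makes each accepted message worthless after its own session. A real device would also need the key provisioned inside the sensor, a tolerant matcher rather than byte equality, and liveness checks, none of which this model provides.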

Cucco Tue, 08/30/2005 - 03:14

Just as a follow on -

I've posted a link below of the FIPS 140-2 (including 140-1 as well) certified cryptographic modules (aka crypto mods). If a company wishes to use strong cryptography, these are the best bets. That doesn't mean that other methods aren't viable, they're just not as strong or tested to be as strong.

You'll find that all cipher strengths are not equal. Many high depth mods are actually no better than say a 64 bit mod (which is nothing to sneeze at, mind you.)

However, considering what it is that I do for my "day job" - I should say that I would be very interested in speaking with these folks to discuss further. Granted, I can't use a product like this in the manner in which they would hope (portable computer on a stick). However, I do have uses for portable memory sticks with biometrics sensors on them. True, the sensor is not a "strong" method of protection, BUT, it is cool and there is something to be said about portraying any technology in a "cool" light. IOW, place these devices (or similar ones) on a General's desk and see how quickly biometrics takes off in the military. (A goal I've been aiming for for some time.)

Here's the link:
http://csrc.nist.gov/cryptval/140-1/1401val.htm

J. :D