What is the benefit of having FIPS hardware-level encryption on a drive when you can use Veracrypt instead?

Question

The expensive one: https://www.dustinhome.se/product/5010873750/ironkey-basic-s1000

The cheap one: https://www.dustinhome.se/product/5010887912/datatraveler-100-g3

Over 14,000 SEK difference in price. Same company (Kingston). Same USB standard (3). Same storage capacity (128 GB). Same store.

Yet such a massive price difference. All because one is "encrypted"?

I don't want to sound either condescending nor ignorant, but why would even a very rich person pay such a premium for the "encryption"? Is there any benefit to have it in hardware (presumably some kind of integrated micro-computer?) over just formatting the cheap one with VeraCrypt? Is the expensive one far more durable as well?

Won't this thing actually age and become useless in regards to the encryption, whereas with VeraCrypt, you could re-encrypt it since it's all software?

I realize that trusting VeraCrypt in itself is also quite scary, even for me, but I somehow feel more confident about that software than I do about some company "promising" that it's "super duper encrypted with FIPS 140-2 Level 3, 256-bit AES-XTS"... Whatever that means. I doubt many people know.

I want to make clear that I recognize that there may be something I'm fundamentally missing, and that this could be extremely useful for people with a lot of money and no trust in VeraCrypt, or who need the convenience that this (presumably) provides. I'd love to hear a justification since apparently, that "built-in super encryption" costs so much money versus the identical product minus the encryption.

With that price tag, you'd almost expect it to be covered with real gold and gems...

Answer 1

super duper encrypted with FIPS 140-2 Level 3, 256-bit AES-XTS

Yet such a massive price difference. All because one is "encrypted"?

Your question is a bit like comparing a Toyota and a Ferrari and asking "Why the massive price difference. All because one is "fast"?

What is FIPS 140-2 Level 3?

FIPS 140-2 Level 3 is more than just encryption. It requires the device to be tested by a cryptography testing lab that is certified to perform this testing on behalf of the US government. The device must:

• (Level 1) Have its crypto implementations inspected by the testing lab for correctness and backdoors.
• (Level 2) "tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys" (wikipedia). Typically these are fancy versions of "warranty void if broken" stickers that are very hard to get off and put back on without damaging the sticker or the product in a very noticeable way. I've seen some where the sticker is like one of those glow sticks where bending it mixes chemicals and it turns a bright colour.
• (Level 3) The device must be able to detect physical (or software?) tampering and wipe its own data. For a USB stick that probably means that any attempt to cut open the case will result in the device triggering either a software wipe or physical damage that makes it non-functional.

For the sake of completeness: Level 4, the highest level, adds the requirement that devices be resistant to physical attacks that subject the device to temperatures and voltages outside its normal operating ranges. This can lead to attacks like glitching where you manipulate the system clock signal to, for example, double-execute or skip instructions.

Level 3 is difficult to obtain. For rack-mounted servers, I've seen things like the entire motherboard and hard drive submerged in 5 kg of heat-conductive epoxy resin so that it's nearly impossible to remove the RAM sticks or hard drive without destroying them. I've also seen tripwires on the hinges of the server case such that opening the case causes destruction of the chip holding the crypto keys.

I'm not even sure how you would do this on a USB stick. I'm impressed that they got a USB stick past Level 3 testing. Guess: maybe there are tiny wires in the casing and an "intrusion detection" chip with its own battery that is never powered off so that it can monitor for breakage of the wires and trigger a wipe?

Target consumer of this USB stick

You are not the target consumer of this USB stick. You really have no reason to buy it.

Note that like all FIPS standards, FIPS 140-2 is not intended for consumer goods; it is intended soley for internal use by the US Federal Government and companies that it contracts to. This USB stick is intended for people who are doing contract work for the US government and are required by their contracts to keep all data on FIPS 140-2 Level 3 devices, likely because the data they are handling has been classified at a certain security level by the US government or military. Very specialized device for a very small market, hence the price tag.

Answer 2

I've contributed to the development of a crypto-related device that was certified to FIPS standards. It's an extensive, expensive certification process that's really only relevant to specific use cases. FIPS isn't about having the best encryption, it's about having a crypto engine that was independently tested and verified against a known list of security requirements. There were actually instances where we had to bypass security features in order to meet the FIPS testability criteria. For customers that need it, though, that testability is more important than a little bit of additional security. A lot of times, end-users can perform many of the FIPS tests themselves should they ever want to double-check that it's working as expected.

The NIST website has a listing of every device that has achieved FIPS certification. Here's a listing for a similar Kingston product. You can see third-party validation certificates for every crypto algorithm used by the device. Plus, there's a "security policy" document that goes into detail about how the encryption system is designed and implemented. You don't have to blindly trust the device or take the manufacturer's word that it's designed well. You can see so for yourself. Multiple third parties have also verified that the documentation matches the implementation, that the implementation was done according to established standards, and that the implementation is free from a very long list of common problems/deficiencies. Customers in security-critical applications need that sort of verifiability and are willing to pay a lot more for it.

Most crypto devices are certified at level 1, which is enough to meet most industry and regulatory requirements that include crypto (PCI DSS, HIPAA, etc). If you're in an industry subject to those requirements, buying something FIPS-certified is an easy way to know that you've met your encryption-related obligations.

Each level is an order of magnitude harder to achieve than the one before it. A level 3 certification is downright impressive. For a USB drive, this probably means that all keys and encryption-related values are stored in a dedicated volatile memory chip with battery backup. The case is constructed so that any attempts to open the case would disconnect the battery, wiping the chip's contents and zeroing out the keys. Some will similarly self-destruct if the temperature or pressure gets too high or low. The manufacturer's page says the drive is "epoxy filled", which usually implies that the epoxy cannot be melted, scraped away, or otherwise removed without either destroying the chips or disconnecting volatile memory from power in the process. By the time you get to level 3, you're protecting against some serious (and uncommon) attack vectors. If you're buying a level 3 device, it's because there's a real chance that someone is trying to freeze the device with liquid nitrogen to pull bits from memory after disconnecting power, to re-wire the hardware without your knowledge to add a clandestine transmitter, or to disassemble the device, dump the flash contents, and try to decrypt it using a supercomputer cluster.

For the normal consumer, you don't need any of that and a device like that is way beyond overkill. You don't have any data valuable enough that someone is going to go to such expensive lengths to try and get at it.

The other big benefit to FIPS certified devices is that they generally support some sort of centralized key management. The FIPS specs have a concept of different users with different privilege levels. A "crypto officer" can do anything crypto-related, and other users may (for instance) be allowed to read and write data but not rekey the data or convert the drive to plaintext. That Kingston drive in particular supports their centralized key management systems, which enables system administrators to securely store and back up keys, manage access permissions, etc. It can even prevent the device from being unlocked unless it's connected to a computer attached to the internal network. Again, these are all features that might be useful if you're running an embassy, but not so much if you're a normal consumer.

If you ignore the FIPS aspect for a moment, there are some real reasons why you might want a device that does hardware-based encryption rather than a software solution:

• Hardware-based encryption can be transparent. You don't need any special hardware or software on the computer it's connected to, everything is self-contained. This is important if you want to use the device somewhere that you can't install software.
• Many times, hardware-based encryption can be accomplished with a negligible or zero performance penalty, where software-based encryption requires extra work from the host's CPU.
• Hardware encryption devices can support additional features, like a "panic button" that wipes the device without requiring it to be attached to a computer.
• Restrictions in software-based encryption are easier to bypass. For example, that encrypted flash drive wipes itself after ten invalid password attempts. With Veracrypt, I could connect your drive to my hacked version of the software that doesn't have that limitation and brute-force my way in. That's not a feasible attack vector if the security is baked into the silicon.

That certainly doesn't mean you need that FIPS level 3 monster, though.

Answer 3

I think it's a case of paying not for the hardware but for the certification. IronKey devices are actually certified (https://www.ironkey.com/en-US/website/certification-and-compliance.html), and FIPS certification is expensive, both in costs paid to the actual certifying lab and from the extra documentation work you have to do (see e.g. https://www.corsec.com/understanding-the-true-cost-of-fips-validation/).

The market for FIPS certified encrypted USB disk is not huge, but there must be some cases where an USB stick is a good fit for the workflow and FIPS certified is needed for regulatory compliance. The few customers needing it end up sharing the cost of certification among themselves.

Answer 4

I think it's more an economy/financial question than a security. If there is a product that you sell millions, and a different model that costs somewhat more to produce, but everything (hardware, firmware, design, certification) is distributed along a very few units, and the logistics adds even more cost, the overall price tag will be higher. Also, there will be a lot of Chinese competitors, but only a few with added security.

Answer 5

None. Hardware-level disk encryption cannot be validated and thereby cannot be trusted. Being advertised as FIPS makes it even worse. FIPS is all about checking compliance boxes (often ones which force the product to be less secure) and says nothing about actual security properties. And even if the disk were doing everything right (they're not), the cleartext data (as well as the key, assuming the host even controls the key) are transferred over the bus, subject to EMF leakage (tempest).

Use Veracrypt or whatever software you trust, and if you have a drive that implements "hardware encryption", make sure your software disk encryption isn't turning itself off and relying on the hardware to (not) do the work.