Hardening flash storage for ultimate data security
April 14, 2017
Today's flash storage has made it possible to make embedded systems lighter, faster, more energy-efficient, and more compact than ever. With no moving parts, their reliability is unrivaled and they're the perfect storage medium for rugged applications. However, the nature of flash also makes it more difficult to erase data securely than with traditional magnetic storage. Modern wear-leveling algorithms designed to maximize drive life are extremely effective, but also make it difficult to encrypt files individually or ensure data is ever completely erased. All is not lost: Whole-drive encryption enables engineers to provide strong data security, even with modern flash drives. For military applications its benefits are clear, for both securing data as well as securely erasing sensitive data at the push of a button.
In 2001, a U.S. Navy EP-3E Aries II reconnaissance plane collided with a Chinese jet and was forced to land at a Chinese military airfield on Hainan Island. Its crew had only twenty minutes to destroy sensitive data before being ordered off the plane at gunpoint. They resorted to pouring hot coffee into hard disk drives and attacking electronics with axes.
This method was unfortunately insufficient. Data was still recoverable by Chinese computer experts and the event was a significant setback for U.S. intelligence, according to some accounts. In a separate incident a few years later, embarrassed U.S. officials learned from news media that flash drives taken from a military base in Afghanistan were not only being sold in a nearby bazaar, but also still contained secret files that named enemies targeted for kill or capture, and described efforts to remove uncooperative local officials.
Cybersecurity incidents like these show us just how challenging it is to lock down sensitive data – and how damaging it can be when security procedures fail. Military and intelligence professionals are becoming increasingly aware of the need for cyber hardening of information systems, on multiple levels, to protect them from any conceivable threat.
A solid foundation
Securing an embedded system starts with protecting the data itself, so even if an adversary gains access, they will still be stymied by a final, unbreakable bedrock layer of security. Two complementary ways exist for achieving this goal: encrypting the data and destroying the data.
A secure drive’s first line of defense is encryption
The latest secure flash drives can protect all their data with an algorithm that is effectively unbreakable by any known or foreseeable technology: AES 256-bit. Accessing the data on the drive requires two secure keys – effectively very long passwords.
One of the keys is generated by the drive itself, stored in a secure area inside the drive and never revealed to the outside world; the other key is known to the authorized user. The data can only be read with both keys. Attempting to guess the keys, by trying every possible combination, would take trillions of years.
In normal operation, the user’s key is requested whenever the system with an encrypted SSD (solid-state drive, or flash drive) is powered on. Depending on the application, the drive could request re-authorization for other users or to access more sensitive data and operations, or on a timed basis.
AES drives contain hardware that encrypts and decrypts all data in the background, as it is written to the disk, so there is no impact on drive performance. All data stored in the drive is always protected with unbreakable AES 256-bit encryption.
Data access on a “need-to-know” basis
AES drives are compliant with the TCG OPAL 2.0 standard, which allows multiple passwords or keys, each suited for different levels of security clearance and different modes of access to the data.
In a modern scenario, the crew of a reconnaissance aircraft similar to the U.S. EP-3E that was forced down in China might only have a password that permits their onboard sensors to write gathered intelligence data to a secure drive. During their mission, their sensors could freely write data to the drive, but the crew would not possess the password required to read that data back afterward.
The crew would therefore be physically incapable of revealing the data to an enemy. In addition, the drive’s AES 256-bit encryption would prevent enemy access, even if the plane were captured intact. The data can only be read when the aircraft returns safely to base, by personnel with a higher-level password which is not in the possession of the crew on board.
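The key model described in the preceding paragraphs, as an added illustration that is not Innodisk's firmware or any vendor's OPAL implementation: a data encryption key generated inside the drive and never released in the clear, wrapped once per user credential, a write-only credential for the crew and a read-capable one for base personnel, and a crypto-erase that destroys every wrapped copy. The user names, passwords, the iterated-SHA-256 password stretching (standing in for a real password KDF) and the Go types are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Drive is a toy self-encrypting drive: one drive-generated data encryption key
// (DEK) protects all media and, at rest, exists only wrapped under per-user keys.
type Drive struct {
	wrapped map[string][]byte // user -> salt || AES-GCM(KEK(password, salt), DEK)
	canRead map[string]bool   // user -> whether that credential unlocks reads
	media   [][]byte          // AES-256-GCM ciphertext as it would sit on the flash
	dek     []byte            // volatile unwrapped copy; nil while locked
	reader  bool              // read right of the credential currently unlocked
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing OS CSPRNG is not recoverable in a demo
	}
	return b
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// deriveKEK maps a password to a 256-bit key-encryption key; iterated SHA-256 is
// a dependency-free stand-in (assumption) for a real password KDF such as Argon2.
func deriveKEK(password string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < 100000; i++ { // stretching: each password guess costs 100k hashes
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable here: every key in this model is 32 bytes (AES-256)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal returns nonce || ciphertext || tag; open reverses it and fails on a wrong
// key, which is what turns a wrong password into a clean error in Unlock.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Provision generates the DEK inside the drive, wraps it once per user and then
// discards the plaintext copy, so it now exists only inside the wrapped blobs.
func Provision(passwords map[string]string, readers map[string]bool) *Drive {
	dek := randBytes(32)
	d := &Drive{wrapped: map[string][]byte{}, canRead: readers}
	for user, pw := range passwords {
		salt := randBytes(16)
		d.wrapped[user] = append(salt, seal(deriveKEK(pw, salt), dek)...)
	}
	zero(dek)
	return d
}

// Unlock derives the KEK and tries to unwrap the DEK; a later Unlock by another
// user simply replaces the volatile DEK and read right of the earlier one.
func (d *Drive) Unlock(user, password string) error {
	blob, ok := d.wrapped[user]
	if !ok {
		return errors.New("unknown user")
	}
	dek, err := open(deriveKEK(password, blob[:16]), blob[16:])
	if err != nil {
		return errors.New("authentication failed")
	}
	d.dek, d.reader = dek, d.canRead[user]
	return nil
}

// Write encrypts a block under the DEK; any unlocked credential may write.
func (d *Drive) Write(data []byte) error {
	if d.dek == nil {
		return errors.New("drive locked")
	}
	d.media = append(d.media, seal(d.dek, data))
	return nil
}

// Read is refused unless the unlocking credential carries the read right.
func (d *Drive) Read(i int) ([]byte, error) {
	if d.dek == nil || !d.reader || i < 0 || i >= len(d.media) {
		return nil, errors.New("read refused")
	}
	return open(d.dek, d.media[i])
}

// CryptoErase destroys every wrapped copy of the DEK and the volatile one; the
// ciphertext stays on the media but nothing can ever decrypt it again.
func (d *Drive) CryptoErase() {
	for user, blob := range d.wrapped {
		zero(blob)
		delete(d.wrapped, user)
	}
	zero(d.dek)
	d.dek = nil
}
```

The sequence to exercise is the one in the text: provision with a write-only `crew` credential and a read-capable `base` credential, unlock as `crew` and write, observe that `Read` is refused, unlock as `base` and read the block back, then call `CryptoErase` and observe that neither credential can unlock the drive again while the ciphertext on `media` is unchanged and contains no plaintext. Two design points carry over to real drives: the password is never compared directly, it is only ever used to unwrap the DEK, so a wrong password fails on the GCM tag; and crypto-erase is fast because it touches the key blobs, not the media.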
Last resort – erase or destroy
Being able to securely erase or destroy physical data on a drive provides the final layer of defense for a truly robust military information system. If an asset falls into hostile hands, or an adversary gains access by some other means, timely destruction of the data can still frustrate all their efforts and leave them holding a useless piece of hardware that no longer has any secrets to give up.
Self-encrypting drives with built-in mass data-deletion capability also bring more mundane benefits. Most notably, they expedite easy disposal or reallocation of storage media as part of normal operations. A robust data-sanitization policy helps prevent accidental leaks of sensitive data, including personal data covered by national data-protection laws.
Various modes of emergency data deletion can be used separately or together depending on operational requirements, in accordance with the end user’s organizational standards and government regulations.
Initiating a drive erase operation in the field
Emergency drive erase operations can be done either directly through physical action, or remotely. Of course, removing the drive from its enclosure and moving a tiny jumper onto the erase pins is not an appropriate task for a combat or emergency situation – that could take many minutes and require care and manual dexterity. Therefore, a real-world implementation will typically link the erase pins to a more easily accessible external control. This should be shielded from accidental activation, and perhaps require a key, dual operators, or multiple steps to activate.
Military and intelligence operations are increasingly looking at replacing reconnaissance aircraft, like the U.S. Navy EP-3E involved in the Hainan incident, with remotely-operated drones. While this helps keep valuable personnel out of harm’s way, it perhaps makes data even more vulnerable.
Consider a scenario in which a drive full of sensitive data is onboard a drone that is going down over enemy territory. Physical access to the erase jumper pins is impossible. The alternate method of activating erase functions is remotely, via a command sent over the drive’s interface from the controlling computer. Although this course of action might heighten concerns about accidental or malicious activation, good secure-systems design can mitigate these. The built-in ability for a remote erase also makes a programmed erase function possible. For example, a drone could be programmed to wipe its data if it loses contact with its base, or if an unauthorized attempt at physical access is detected.
Multiple data-deletion methods
Innodisk’s data-deletion technologies comprise quick-erase, security erase, and destroy functions. With quick erase, an internal flash-erase command is sent and the data on the flash memory is deleted. Due to concerns that residual data may be left on the drive, a more stringent erase function, called security erase, can be used. Security erase deletes the data by following a more complex series of steps, including erasing and physically overwriting, and possible repetition of these steps. (Figure 1.)
There exist a number of security erase processes, most of which are devised by the U.S. military and intelligence services. The Innodisk drives support many of the standards; the user is able to select the particular standard used.
Figure 1: Drives with AES self-encryption, such as the Innodisk 3MG2-P, use a hardware encryption engine to secure data transparently, without affecting drive performance.
Emergency data deletion
Looking at the time required for various erase modes, quick erase is by far the fastest, typically requiring around five to 10 seconds, depending on disk size and write speed. Security erase requires minutes, or sometimes hours, to completely erase all data. However, because the first step of almost all security erase standards is effectively a quick erase operation, the slower speed of security erase would not seem to add any additional security hazard in those cases.
The “destroy” function is a proprietary process that effectively makes all data unrecoverable, including the firmware, which controls the drive. This function is a physical self-destruct process, which deliberately exceeds every flash chip’s voltage specifications to destroy the hardware. (Figure 2.) The destroy operation is irreversible: Not only is the data made inaccessible, but the drive cannot be repaired and made functional again.
Figure 2: Using high voltage to completely destroy flash cells and firmware, the physical destroy function makes data completely and irreversibly unrecoverable.
Ultimate data security
When we consider the cases of military data breaches such as those in China and Afghanistan discussed earlier, we can see how new security technologies can keep data secure if such incidents occur today. One-button erase technologies built into flash drives enable a busy, combat-stressed crew to quickly erase sensitive data. If or when drives fall intact into hostile hands, encryption can still make the drives unreadable for even the most skilled and determined adversary.
C.C. Wu is vice president of Innodisk and director of the Embedded Flash division. He is a frequent presenter at the annual Flash Memory Summit held in Santa Clara, California, and speaks on the topics of NAND flash technology and embedded systems storage.