Information technology (IT) organizations have become adept at selectively allowing access to file servers and other important resources to only particular trusted hosts. For example, a typical corporate policy will allow only company-owned and -supported laptops to be attached to a corporate network. Personal laptops, on the other hand, are not permitted the same access. Often the host media access control (MAC) address is used as a filtering mechanism to deny network access.
The recent widespread availability of low-cost flash memory has led to a proliferation of what are referred to herein as transient storage devices (TSDs). Often equipped with a universal serial bus (USB) interface, these key fob sized devices are available in capacities up to several gigabytes. Such devices may also be referred to as personal portable storage devices or USB flash drives. These simple devices tend to offer no security features of their own. This means that an employee may bridge the gap between trusted resources and an untrusted host by copying the data onto a TSD and then onto the untrusted host. Some enterprise IT administrators have begun to block the use of TSDs altogether to avoid this problem.
Recently, the Institute of Electrical and Electronics Engineers (IEEE) has formed a working group specifically to address this problem. The IEEE 1667 committee is looking at ways to authenticate hosts and TSDs to prevent the sort of breach described above. An early draft of the committee's work suggests a public-key approach. In this model, some measure of access control is provided by performing entity authentication. In addition, as is often found in secure networking standards, it is assumed that within a particular trust domain, any device that can be authenticated is automatically authorized to access the requested resources. In this case, the resource would be read or write access to a TSD.
Unfortunately, a public-key approach to TSD access presents some problems. For example, the cryptographic functions required for implementation of the public-key approach can be expensive in terms of communication bandwidth, circuit area, computation time, and power consumption. Also, a public-key model may require home and small business users to obtain digital certificates either purchased at retail or from a self-administered certifying authority, which can be costly and inconvenient.
It is therefore apparent that a need exists for a simple and effective approach to authentication of TSDs and other peripherals which avoids the drawbacks of public-key cryptography in this context.