Rocstor
ROCSAFE PX, Smartcard Authenticated USB2.0 External Storage
 

The Rocsecure Rocsafe PX is a smartcard authenticated USB2.0 external storage enclosure that offers real-time full disk encryption capability. The Rocsafe PX embeds the eNova X-Wall XO-192 TDES 192-bit real-time cryptographic engine, which performs full disk encryption on all addressable sectors of the hard drive, including the boot sector, FAT, and temporary files. There will be no clear text left unprotected. The Rocsafe PX works with standard 2.5" hard drives with an IDE (PATA) interface, and communicates with the host computer via a standard USB 2.0 interface. A new version, the Rocsafe SX, will be available in late 2007 and will be fitted with SATA hard drives. The Rocsafe PX is operating system independent and does not require any software drivers. Cryptographic processing occurs transparently, in real time, without any loss in disk performance. Users simply use their computers as usual with the assurance and complete peace of mind that their data is fully protected in the unfortunate event that their hard drives are stolen or lost.

The Rocsafe PX stores the hard drive cryptographic key (or Secret Key) in smartcards (two are provided per unit). Smartcard technology is well understood and represents the highest level of security possible for secure data storage. It is vastly more secure than other alternative solutions. The release of the secret key relies solely on the presentation of both the correct smartcard and PIN. The user needs both the smartcard and knowledge of the associated PIN to be able to access the data on the X-Walled hard drive. The Rocsafe PX enforces two-factor authentication, which gives higher security protection by ensuring that the user possesses both the physical smartcard and the knowledge of its PIN.

As there is no additional non-volatile memory within the device to hold the functional cryptographic key, the power-on reset procedure also clears the key registers of the X-Wall XO-192, making the X-Walled drive inaccessible. As such, authentication is required on every boot-up, or on re-connection of the supplied USB cable (which draws power from the host USB2.0 interface).

After authentication, the drive presents itself to the operating system and the user is granted normal drive access.

Overview

The illustration below shows the Rocsafe PX, the smartcard authenticated USB storage enclosure.

smartcard authenticated USB storage enclosure

Smartcard Slot

Two smartcards are supplied with the same cryptographic keys that enable the embedded eNova X-Wall XO-192 cryptographic processor. The slot follows ISO 7816 standards for smartcard read/write commands. The smartcards are the only place the cryptographic keys are kept, to ensure the highest security level. Users need to present the correct smartcard (insert the smartcard into the unit) before entering the PIN on the Keypad to release the cryptographic key to the eNova X-Wall XO for drive access.

Keypad

The Keypad accepts PIN attempts. Users can change the PIN after the initialization of the Rocsafe PX. The number of trials can be set at the manufacturing stage at the factory. Repeated failed PIN attempts lock up the entire Rocsafe PX, as only the correct PIN releases the functional cryptographic key to operate the X-Wall XO cryptographic processor.

USB2.0 Interface

Users connect the supplied USB cable from the Rocsafe PX to the host computer USB2.0 interface. This is the transmission path for all data read/write commands to and from the enclosed 2.5" disk drive. The supplied USB cable also draws power from the host computer USB2.0 port, and this power serves the entire embedded circuitry of the Rocsafe PX. In most cases, the Rocsafe PX needs no external power source other than the power drawn through the supplied USB cable. If a particular disk drive demands more current (power), users can either hook up the other end of the Y cable (the same USB cable) to another available host computer USB2.0 port to supplement it, or use an external power supply (not supplied).

Special features:

Drive compatibility
  • 2.5" ATA-6 9.5mm height drives (any capacity)
  • UDMA2/4/5/6 models
Authentication
  • Supports two-factor authentication via smartcard and PIN
Smartcard
  • Supports ISO-7816 T=0 Class B cards
Encryption
  • NIST¹ & CSE² certified TDES hardware cipher engine
  • Supported key strengths: 192-bits
  • Delivers "Real-Time" performance over software encryption
Key Management
  • User-configurable PIN
  • Admin password for administrative mode
Certifications and Standards
  • Designed to meet FIPS 140-2 Level 2
  • FCC
  • RoHS compliant
Operating Systems
  • Operating System independent
  • Tested with Windows XP, 2000, ME, 98SE, Mac OS X and Linux
  • Keeps data-at-rest confidential by preventing unauthorized access
  • Supports Hi-Speed USB/Data transfer speed of up to 480Mbps
  • Eliminates platform dependency
  • Minimizes total cost of ownership (TCO)
  • Plug-and-play connectivity with PC and Macintosh computers
  • Requires no additional training

¹ NIST - The National Institute of Standards and Technology of the United States of America
² CSE - The Communications Security Establishment of the Government of Canada

Highlights

USB Connectivity
  • Compatible with USB2.0 with transfer speeds of up to 400 Mbps.
Compatible
  • The Rocsafe PX is Mac OS, Linux and Windows compatible.
Enova X-wall Technology
  • The X-Wall ASIC family is engineered specifically to encrypt/decrypt the entire ATA hard disk, including boot sector, operating system, and all swap/spool files, without performance loss.

Technical Specifications

Model: ROCSAFE PX
Drive compatibility
  • 2.5" ATA-6 9.5mm height drives (any capacity)
  • UDMA2/4/5/6 models
Bus Interface
  • USB 2.0 Hi-Speed
Transfer Rates
  • Up to 480Mbps
Physical
  • IDE 44 pin connector
  • USB mini-B receptacle
  • 1.3mm 5VDC jack
  • Smartcard slot
  • Dimensions: 4.8 x 3.1 x 0.89 Inches 122 x 78 x 22 mm (LxWxH)
  • Weight: ~ 0.75 LB - 0.34 Kg
Power
  • 5V 300mA max (excluding power drawn by the HDD)
  • Bus-powered from host via USB Y-cable
  • Self-powered via 5VDC/2A AC adapter
Authentication
  • Supports two-factor authentication via smartcard and PIN
Smartcard
  • Supports ISO-7816 T=0 Class B cards
Encryption
  • NIST & CSE certified TDES hardware cipher engine
  • Supported key strengths: 192-bits
Key Management
  • User-configurable PIN
  • Admin password for administrative mode
Certifications and Standards
  • Designed to meet FIPS 140-2 Level 2
  • FCC
  • RoHS compliant
Operating Systems
  • Operating System independent
  • Tested with Windows XP, 2000, ME, 98SE, Mac OS X and Linux

    Available Capacities

    Part Number | Interface | Smart Card Included | Capacity | Cache (Buffer) | Rotational Speed | Encryption
    K26PE5-92 | USB | 2 x Smartcard | 120GB | 8MB | 5400 rpm | 192-Bit Triple DES
    K26PF5-92 | USB | 2 x Smartcard | 160GB | 8MB | 5400 rpm | 192-Bit Triple DES

    The Operation

    Here are the steps in a typical power-up sequence:
    • Upon connecting to the host PC via the USB cable, the Rocsafe PX will initialize and check whether a smartcard has been inserted. At this point, the Rocsafe PX is not yet logically connected to the USB interface of the host PC.
    • Once the smartcard is inserted into the smartcard slot, an LED will blink to prompt the user to enter the PIN.
    • When the correct PIN is entered, an indicator LED shows that the Rocsafe PX is in the "unlocked" state. The unit will then be logically connected to the host PC USB interface, and the OS will be able to detect and activate the drive.
    • Once in the "unlocked" state, the smartcard can be removed from the Rocsafe PX. It will only be needed at the next power-on cycle, i.e., re-connecting the USB cable, removing the external power supply unit, or a reset of the host computer.
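
The power-up sequence above, together with the key-register reset and PIN retry limit described elsewhere on this page, modelled as a small state machine. This is an added illustration, not Rocstor or eNova firmware; the class and method names, the sample PIN and key, and the retry counter resetting on a correct PIN are assumptions.

```python
"""Illustrative model of the unlock sequence described on this page."""
from dataclasses import dataclass
from typing import Optional

MAX_PIN_TRIES = 8  # page: card locks after 8 failed attempts (factory-adjustable)


@dataclass
class Smartcard:
    pin: str
    secret_key: bytes  # constructed sample value, not a real key
    tries_left: int = MAX_PIN_TRIES

    def release_key(self, pin: str) -> Optional[bytes]:
        """Release the key only for the correct PIN; lock once tries run out."""
        if self.tries_left == 0:
            return None  # card is locked, even the right PIN is refused
        if pin != self.pin:
            self.tries_left -= 1
            return None
        self.tries_left = MAX_PIN_TRIES  # assumption: success resets the counter
        return self.secret_key


class Enclosure:
    def __init__(self) -> None:
        self.key_register: Optional[bytes] = None  # volatile; no stored copy
        self.card: Optional[Smartcard] = None

    @property
    def usb_attached(self) -> bool:
        """The drive is logically on the bus only while a key is loaded."""
        return self.key_register is not None

    def power_on_reset(self) -> None:
        self.key_register = None  # page: reset clears the key registers

    def insert_card(self, card: Smartcard) -> None:
        self.card = card

    def remove_card(self) -> None:
        self.card = None  # the loaded key stays until the next reset

    def enter_pin(self, pin: str) -> bool:
        if self.card is None:
            return False
        key = self.card.release_key(pin)
        if key is not None:
            self.key_register = key
        return key is not None


def walkthrough() -> dict:
    """Run one power-up cycle and record what the host would observe."""
    card = Smartcard(pin="4821", secret_key=bytes(24))  # constructed; 24 bytes = 192 bits
    box = Enclosure()
    box.power_on_reset()
    seen = {"attached_before_auth": box.usb_attached}
    box.insert_card(card)
    seen["wrong_pin_unlocks"] = box.enter_pin("0000")
    seen["correct_pin_unlocks"] = box.enter_pin("4821")
    box.remove_card()
    seen["attached_after_card_removed"] = box.usb_attached
    box.power_on_reset()
    seen["attached_after_power_cycle"] = box.usb_attached
    return seen
```

The model makes one operational consequence explicit: once unlocked, the drive stays accessible with the card removed until power is cut, so an unlocked unit left connected is protected only by the host.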

    The Design

    The following figure shows the design architecture of the Rocsafe PX.

    ROCSAFE PX design diagram

    The cryptographic key that operates the embedded X-Wall XO-192 is securely stored on the smartcard and is protected by the PIN. When the user enters the PIN on the Keypad, the key is fetched and passed through the internal bus of the eNova X-Wall XO-192 for cryptographic operations.

    Security Concerns

    • The smartcard stores the cryptographic key securely.
    • The smartcard is not a simple memory device. Any material stored on the smartcard is protected by a PIN, without which it is not possible to read out the key. The smartcard is locked after 8 failed PIN attempts. The number of trials can be adjusted at the manufacturing stage.

    • The keypad provides PIN entry.
    • Using the keypad on the unit for PIN entry, rather than the PC's keyboard, means that key loggers and Trojans have no access to the PIN.

    • Two-factor authentication: something you have (smartcard) and something you know (PIN). Two-factor authentication represents a sound security access and control method.
    • Only the correct presentation of the smartcard (something you have) and the PIN attempt (something you know) will release the cryptographic key stored inside the smartcard.

    • Rocsafe PX offers NIST & CSE certified TDES 192-bit real-time hardware cryptographic strength.
    • In the event of loss or theft of the storage unit, there will be no risk to the data owner, as the entire drive is encrypted using NIST & CSE certified TDES 192-bit strength. It will simply be a hardware loss.

    • The circuitry is covered with special epoxy resin which cannot be tampered with.
    • The entire embedded circuitry, including the X-Wall XO-192, is well hidden and can't be tampered with.

    • Potential FIPS 140-2 Level 2 or 3 certification.
    • FIPS 140-2 Level 2 or 3 certification is in process.

    • Customized smartcards.
    • Smartcards could be customized with additional engineering evaluations.

    FAQ

    Q: What is Rocsafe PX?

    A: Rocsafe PX is a smartcard authenticated USB external storage enclosure that offers real-time full disk encryption capability to the enclosed 2.5" hard drive. Two-factor authentication, the presence of the smartcard and the knowledge of the PIN, is a standard implementation.

    Q: How does Rocsafe PX work?

    A: The Rocsafe PX works just like a regular external USB drive except that it requires the user to authenticate before disk access is allowed. It houses any standard 2.5" IDE drive and offers real-time hardware full disk encryption capability. Only upon successful authentication does the Rocsafe PX allow normal disk access. The embedded eNova X-Wall XO-192 TDES 192-bit real-time crypto engine offers transparent cryptographic operations on all addressable sectors of the drive, providing NIST & CSE certified TDES strength.

    Q: How easy is it to use Rocsafe PX?

    A: The engineering of the Rocsafe PX is simple and straightforward. Simply connect the provided USB cable, insert the smartcard, then enter the PIN on the keypad. There is no additional software to install, making it completely OS independent.

    Q: What are the advantages of using Rocsafe PX over other USB drive enclosures?

    A: The Rocsafe PX offers strong security, period. It does that through industrial strength smartcard/PIN authentication and the eNova X-Wall XO-192 TDES 192-bit real-time cryptographic engine that encrypts the entire drive.

    Q: What are the advantages of using smartcard/PIN two-factor authentication?

    A: Smartcards are a proven technology for secure storage of information. Rocsafe PX stores the secret key (for both encryption and decryption) in smartcards. The secret key will not be released from the smartcard unless a valid PIN attempt releases it. The power of using two-factor authentication is obvious, as the loss of the entire unit is simply a loss of hardware, not the data.

    Q: What is two-factor authentication?

    A: Two-factor authentication is an authentication protocol that requires two independent methods (something you have and something you know) to establish one's identity and privileges. Rocsafe PX requires both the presence of the correct smartcard (something you have) and PIN (something you know) to enable its functions. In certain applications, the Rocsafe PX can be sent out via regular parcel services and the PIN can then be properly advised through the phone.

    Q: What are the advantages of real-time full disk encryption over software encryption solutions?

    A: Unlike existing software solutions,

  • the embedded eNova X-Wall XO-192 encrypts every addressable sector of the enclosed hard drive, including boot sector, FAT and temporary files;
  • Rocsafe PX is OS independent;
  • Rocsafe PX does not involve tedious and error-prone software installation and configuration. Simply plug the Rocsafe PX into the host USB2.0 interface, authenticate yourself and you are ready to go;
  • Rocsafe PX does not require any maintenance or patches, thus reducing the total cost of ownership over the years;
  • Rocsafe PX offers no performance degradation while performing TDES 192-bit cryptographic operations.

    Q: What happens when Rocsafe PX malfunctions?

    A: Every Rocsafe PX is subjected to a stringent quality assurance process prior to shipment. Should the unit suffer an electronic malfunction, simply remove the disk drive and place it in another Rocsafe PX that comes with the same cryptographic strength (for instance, TDES 128-bit or 192-bit). Insert the smartcard and present the same PIN to access the protected data. However, hard drives have a limited lifetime. As such, users are advised to back up their data regularly.

    Q: Is the boot sector encrypted?

    A: Yes, Rocsafe PX employs full disk encryption, meaning every addressable sector of your hard drive is encrypted.

    Q: Does the process of cryptographic operations decrease drive performance?

    A: No. The eNova X-Wall XO-192 cryptographic engine operates in real time with no performance loss. As a matter of fact, the X-Wall XO-192 engine offers a lot more bandwidth than a USB2.0 connection. As the X-Wall XO-192 is OS independent, the CPU interrupt and memory overhead are completely eliminated.

    Q: How strong is the encryption of Rocsafe PX ?

    A: Very strong. Rocsafe PX offers NIST (National Institute of Standards and Technology of United States) and CSE (Communication Security Establishment of Canada) certified TDES 192-bit hardware strength.

    Q: Can the PIN be changed later without data loss?

    A: Yes, the smartcard PIN may be easily changed during the time of authentication without any data loss. Please note that the PIN is smartcard specific, so changing the PIN of one smartcard does not automatically change the PIN of another. As the Rocsafe PX comes with two smartcards as a standard package, you must manually change the PIN of both smartcards issued to you.

    Q: Can I use my Rocsafe PX with various OS?

    A: Yes! Rocsafe PX is OS independent. As long as the USB Mass Storage class specification is supported in your specific OS, you may use your purchase with it. That said, the Rocsafe PX has been tested under Windows XP, 2000, Mac OS and Linux.

    Q: What happens if I lose my smartcard?

    A: The secret key that operates the cryptographic engine of the eNova X-Wall XO resides on the smartcards and is protected by your specific PIN. There are two ways to deal with the issue: 1) If you lose your 1st card, please continue to use the 2nd card to access your drive. Meanwhile, purchase an additional pair of cards and follow the instructions in the user's guide to initialize the new smartcards. Please note that new cards will come with a new secret key, so please back up your data with your existing smartcard before using the new one; or, 2) work with our engineering team to produce a customized smartcard key management system that allows the same secret key to be issued at your convenience.

    Enova X-wall Technology

    X-Wall® XO

    Secure Storage with Hardware Encryption – Protects Critical “Data-at-Rest”


    Product Overview

    The X-Wall XO ASIC ensures privacy and confidentiality of data and credentials stored on the hard drives without degrading system performance. A cryptographic system-controller ASIC operating at the physical layer, the X-Wall XO microchip performs “real-time” encryption of the entire hard disk (including boot sector and operating system) at 1.1Gbit/sec using Federal Government¹,² certified DES and TDES³ algorithms. In contrast to software disk encryption solutions, no clear text including pass phrases is ever stored on the disk drive or held in machine memory. XO’s unique design also completely eliminates any dependency on operating systems or device drivers while functioning automatically and transparently, thereby eliminating user intervention.

    Key Features

    • Delivers significant performance improvement over traditional software disk encryption solutions
    • Provides a flexible Key Management Structure that accepts versatile authentication mechanisms such as Smart Card, Biometrics, Single Sign-On, USB key token, or PIN/Password
    • Eliminates platform dependency
    • Minimizes Total Cost of Ownership (TCO)
    • Requires no user training

    Description

    The X-Wall XO chip resides between the motherboard Host IDE and the IDE hard drive. It intercepts and translates IDE commands and encrypts all data in real-time. All data written to the hard drive, including the boot sector, operating system, temp and swap files is automatically and transparently encrypted. Attempts to circumvent security by booting from a floppy disk or by removing the hard drive to be read on a different machine would prove futile since the entire content of the hard drive is encrypted.

    Operation

    Various authentication mechanisms including Smart Card, Biometrics, Single Sign-On, USB key token, or PIN/Password can be engineered to protect the “Secret Key” required to operate the X-Wall XO. Upon authentication, the “Secret Key” will be delivered through the X-Wall XO to enable the operation of encryption and decryption. All existing key management systems may be put to work without significant system platform change. Access to the disk drive will only be granted upon correct authentication.

    Product List

    X-Wall® | Encryption Strength | NIST & CSE Certified 100% hardware Cipher Engine | Maximum Throughput | Ultra ATA hard disk support | Ultra ATA hard disk compliance | Protocol & Interface support up to | Package
    XO-64 | 64-bit | DES | 1.1Gbit/sec | > 137GB | 66, 100, 133 | ATA 6, Mode 6 transfer | 128-pin TQFP
    XO-128 | 128-bit | TDES | 1.1Gbit/sec | > 137GB | 66, 100, 133 | ATA 6, Mode 6 transfer | 128-pin TQFP
    XO-192 | 192-bit | TDES | 1.1Gbit/sec | > 137GB | 66, 100, 133 | ATA 6, Mode 6 transfer | 128-pin TQFP

    Specifications

    • Compatible with all operating systems including MS Windows, Mac OS, Linux, BSD, Unix, SCO Unix and Solaris
    • 1.1 Giga bit per second throughput at 66MHz
    • Encryption key lengths vary by chip model from 64-bit to 192-bit. All XO chips are pin to pin compatible
    • Compatible with all Ultra DMA 66/100/133 hard drives
    • Compatible with all motherboards with standard IDE interface
    • 128-pin TQFP small form factor package
    • Dimensions: 14x14mm, 1.2mm thickness
    • Power requirement: +3.0V to +3.6V
    • Operating temperature: 0 degrees C to +70 degrees C
    • Storage temperature: -55 degrees C to +125 degrees C