SDV® FAQ
What is the SDV® and how does it work?
The SDV® is a cryptographic hardware security device which enforces security from power on.
The SDV® asserts absolute control over the hard disk drive at the earliest stage of boot up, rendering any HDD unusable unless the user is authenticated.
Where does the SDV® reside?
The SDV® resides inside the PC. The SDV® sits in the IDE channel, blocking and controlling all access to the HDD.
What operating system does the SDV® run on?
The SDV® is operating system independent and works with any standard ATA HDD.
Will the SDV® slow down the performance of my PC?
The SDV® provides the user with HDD data security. Yes, the SDV® will impact HDD access times. However, the SDV® will not impact any other PC system functionality. The effect on overall system performance during normal operations will hardly be noticeable.
If I am logged on to the Internet will the SDV® prevent my current open data being corrupted by unauthorised access?
Data on your HDD which is not accessible in your current profile can not be stolen or modified by an attacker.
Data which is in a read only partition within your current profile can not be modified by an attacker.
Data in a read/write partition is open and may be compromised. Therefore, you should limit your Internet access profile to not have access to sensitive data on the HDD.
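The three cases in this answer (no access, read only, read/write) can be modelled as a default-deny check on each block request. This is an added example, not SDV® code or firmware; the partition layout, the profile, and the names `Access`, `Partition` and `allowed` are constructed for illustration, and denying requests that straddle or fall outside partitions is an assumption of the model.

```python
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2


@dataclass(frozen=True)
class Partition:
    name: str
    first_lba: int
    last_lba: int  # inclusive


# Constructed layout and profile, for illustration only.
PARTITIONS = [
    Partition("os", 2048, 1_000_000),
    Partition("scratch", 1_000_001, 1_500_000),
    Partition("finance", 1_500_001, 2_000_000),
]
INTERNET_PROFILE = {"os": Access.READ_ONLY, "scratch": Access.READ_WRITE}


def allowed(profile, op, lba, count, partitions=PARTITIONS):
    """Decide one block request (op is 'read' or 'write') for the active profile."""
    if count <= 0 or op not in ("read", "write"):
        return False
    last = lba + count - 1
    for part in partitions:
        # The whole request must sit inside a single partition.
        if part.first_lba <= lba and last <= part.last_lba:
            access = profile.get(part.name, Access.NONE)  # unlisted means no access
            if op == "read":
                return access in (Access.READ_ONLY, Access.READ_WRITE)
            return access is Access.READ_WRITE
    # Straddles a boundary or lies outside every partition: denied in this model.
    return False


if __name__ == "__main__":
    for req in [("read", 5000, 8), ("write", 5000, 8), ("write", 1_200_000, 8),
                ("read", 1_600_000, 8), ("write", 1_499_999, 8)]:
        print(req, "->", "allow" if allowed(INTERNET_PROFILE, *req) else "deny")
```

With this profile, only the "scratch" partition is exposed to modification during an Internet session, which is the exposure the answer recommends keeping free of sensitive data.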
How many SDV® devices are needed per PC?
The SDV® currently allows only one SDV® and one protected HDD per PC. This HDD must be the boot device for the system in order to gain access to the data. The PC may also contain any number of HDDs that are not protected by the SDV®.
What is unique about how the SDV® provides IT security?
The SDV® ensures total data lock-down and, unlike other security methods, offers protection from both internal and external threats. The SDV® is 100% hardware-based security; there are no drivers or accessible software components that allow compromise by hackers or crackers.
Can the SDV® be uninstalled and the information then accessed?
SDV®-II allows the SDV to be uninstalled and the HDD returned to an un-encrypted state. SDV®-I does not. In SDV®-I the user would have to back up the entire drive, remove the SDV, reformat the HDD, and copy back the backed up data to the HDD.
What happens if an incorrect password is used?
After three failed attempts, the SDV® will not allow any further authentication. No information stored on the PC will be accessible unless the correct password is used. The PC must be completely powered down to allow the user to authenticate again.
Can I detect whether or not an unauthorized user is trying to access files while the PC is on?
The SDV® has stealth capabilities to track all unsuccessful login attempts as well as any attempts to access information which is protected. All failed attempts at login or accessing the data on the HDD are logged with a time and date stamp. This stamp comes from a real time clock built into the SDV® so it may not be compromised by an attacker. This log may only be read by the system administrator.
Does the SDV® require a slot for installation?
No, the SDV® does not require a PC slot for operation. It is designed to mount into the PC using a slot mounting bracket for ease of installation only.
How long does it take to install?
5 minutes for the physical hardware installation. Set up is dependent on the system configuration, number of users, and the physical capacity of the drive. As the entire HDD is encrypted, larger HDDs will require more time to install.
How often does the SDV® need to be updated?
Never. The SDV® is set and forget technology. Unlike software it never needs to be updated, hence it significantly reduces the operating costs of having a secure computer.
Can more than one user access the HDD?
Yes. The SDV® allows for multiple user profiles on the HDD in which they can only see and make changes to their partition(s). SDV® only supports one user at any one time. Multiple users cannot access the HDD at the same time.
Can the product protect secure data even if the whole machine is stolen?
Yes. The entire HDD is encrypted. The SDV® permits total security of data, no matter what is done to the machine or any part of it.
Does the product have a "back door"?
No.
Does the technology apply in the Internet world?
Yes. Especially so if public\Internet access is needed to a machine that contains "secure" data or virus/hacker protection is needed on a PC attached to the Internet and rapid, clean boot, recoverability is important.
What if it breaks?
Since the product has a very low chip count and no moving parts it is highly unlikely that it will ever break. However, if the SDV® is destroyed, there is currently no way to recover it. It is recommended that PC users always maintain current backups of important data regardless of whether or not there is an SDV® installed.
What if the Administration password is lost?
The system administrator would need to take the necessary precautions in line with quality assurance or other company policy of Risk Management. There are no back doors in the design.
Does this technology apply to non PC environments?
Yes. Embedded systems often use a hard disk or other form of stored data. Other features of the product are very important in the embedded systems market. There must be a suitable connection point for the SDV®.
Does this technology/product apply to mainframes?
No. In its present form it applies to PC style computers, servers, etc. However, the concepts could be applied to mainframe computers if the market supported it.
Who has seen it?
Scaled down, confidential, demonstrations to banks, military, governments, telco's, universities, and corporations.
Who owns the technology/I.P.?
Secure Systems Limited (SSL) - 100%.
Is the technology patented?
Yes. Patents have been lodged for various aspects of the SDV® design.
How long in development?
SDV® since 1997. Some core technologies since 1990.
Does the SDV® provide any protection of the PC other than the data on the HDD?
The SDV® does a system integrity check at start up. It will notify the user if the PC's BIOS, MBR, or OS partition has been modified. This will allow the user to take corrective action or accept a valid modification.
What can the user do if the BIOS, MBR, or OS partition have been compromised?
The SDV® provides administrative utilities to securely back up the PC's BIOS, MBR, and OS partition. If the user has performed backups, they may be recovered to the previous known secure state.
How does the SDV® ensure data security across partition boundaries?
The SDV® uses different keys to encrypt each partition. If the user does not have access to a particular partition, the user does not have the key to that partition and has no way of accessing the data.
Does the SDV® provide protection against the installation of keystroke logging devices or software on the computer?
Software loaded on the PC will not be able to run until after the SDV® has authenticated and therefore will not be able to log keystrokes during authentication. If the attacker is able to physically install a PC independent keystroke logger, the protection offered against this type of attack is provided by using a second level of authentication such as the SKV.
Are files copied from the SDV® computer to another computer, such as for backup, or attached to e-mail messages transmitted encrypted?
This is correct. Currently, all data that the PC sees when it reads from the HDD is in clear text. Data does not leave the SDV® encrypted. The SDV® is designed to secure data on a HDD. It is operating system independent, which means the operating system is unaware of it being there and the SDV® is unaware of the operating system. There are plans to allow encrypted backups of SDV® protected HDD's in future versions.
What are the consequences, if any, of battery failure or removal on the SDV®?
If the SDV® battery fails, the real time clock on the SDV® will not operate correctly and time stamping on any log information after that point will not be correct. That is the only consequence of battery failure, the security of the device is in no way compromised.
Is it possible to change the SDV® encryption algorithm?
We are looking into providing users with the ability to supply their own algorithm in future releases. However, once an HDD is encrypted using a specific algorithm and key, the only way to change would be to back up the entire drive, install a new SDV® with the new algorithm, and copy the backed up image onto the HDD.
How does the SKV interface with SDV®?
The SKV provides additional security by adding a second level of authentication for the end user. In order to access the SDV® secured HDD the user would need to know his or her user name/pass phrase combination and physically have the SKV. The SDV® and SKV communicate via a proprietary port on the SDV®. The PC does not have access to this communication path.
Could another device, such as a SmartCard, token or biometric sensor, be used in place of or in addition to the SKV?
The SDV® has been designed to accommodate a variety of (and multiple) authentication devices in future versions.
What protections does SDV® employ against one user re-sizing his hard drive partitions to take up any "unallocated space"? If possible, could this not destroy another user's data?
Any user, including the system administrator, is restricted to accessing the partitions to which he or she has read/write or read access. These partition boundaries cannot be crossed by the user. Partitions cannot be resized or modified. Partition tables are protected by the SDV®. Even if the user modifies partition tables within the user access privileges, the original partition information will be restored. To reiterate this very important point, NO user, not even the administrator, can cross partition boundaries. He or she can destroy any data they have write permission to modify. But data which is read only or no access cannot be modified.
Users who successfully log in to SDV® must log in again to Windows. Is this correct?
This is correct. The SDV® is completely operating system independent. This is a feature of the security provided. The PC may be set up so that no operating system password is required but this is not recommended. Without OS authentication, user specific data related information may be determined by an attacker.
A user who logs out of Windows using the Start menu has not logged out of SDV®. Furthermore, a user who selects Restart from the Windows Start menu has not logged out of SDV®. In both instances, does any new user retain the access permissions of the original SDV® log-in?
Yes, as mentioned in the previous question, the SDV® and operating system are unaware of each other. The SDV® cannot prevent a user from not powering down the PC just as the user cannot be prevented from leaving the PC without logging out of Windows. There is also a very important security reason for the SDV® requiring a power on for user log in. This is to prevent an attack from a user sending randomly generated user name/pass phrase combinations (e.g. a dictionary attack) through a local application or a network link.
Can the SDV® interact with wake-on LAN NICs and remote log-on to facilitate computer maintenance and administration?
This feature is not currently available but is being considered for future versions of the SDV®.
What encryption algorithms does SDV® use?
SDV®-I uses a proprietary encryption algorithm. This is a mass market product and not intended for high security scenarios. The SDV®-II encryption algorithm and key management uses AES encryption.
The SDV® literature states that the device can be configured to protect applications and files as well as drive partitions. How does that work?
The SDV® provides protection of data and applications stored on HDD's at the partition level. If the data or application is stored on a protected partition, then the data or application is also protected. There is no requirement to specify what files or applications are protected on a partition, the entire partition is protected.