Spyrus Hydra Privacy Card Series II
SummaryYou don't need a 100-headed monster to control sensitive data that needs to be transported from the computer. You just need one Hydra PC. In the May issue (beginning on pg. 50), we looked at tools to manage the USB ports on a PC. Among those tools are some encrypted USB thumb drives. These are great tools as far as they go, but for real industrial strength protection look into the just released Hydra Privacy Card II from Spyrus.
This product addresses a variety of difficult scenarios. For example, suppose that you have an employee who wants to steal your customer database and offer it to a competitor as an inducement to hire them. With typical memory sticks, the rogue employee simply downloads the database onto the memory stick and takes it home. If it is encrypted, even if the memory stick is confiscated it won’t reveal its contents. However, with Hydra, unless specifically authorized, the device won’t work in any computer except the one for which it was set up. The data is useless anywhere, except where it is supposed to be.
Hydra is a high security, one GB data encryption tool that runs from the USB port on your computer. However, besides being able to transport data securely, Hydra can work with other Spyrus products to provide such services as strong authentication and support for smart cards and digital certificates. Hydra is not just a USB memory stick. It is a fully functional computer, only slightly larger than a typical memory stick, that executes strong encryption at a variety of levels.
First, since it is an active device, Hydra requires a powered USB port. The device stores encrypted data on a standard one GB miniSD or miniSDHC memory card. The card can be removed from the Hydra easily and replaced with another for multiple blocks of secure storage. Most important, however, Hydra can support storage of classified data under U.S. government standards. Spyrus designed Hydra for validation under FIPS 140-2 Level 3, making it suitable for virtually any commercial application.
Cryptographically, Hydra supports AES, ECC (Elliptic Curve Cryptography), SHA-2, SHA-512 and ECC-521. Default key lengths are ECC P-384, AES-256 and SHA-384.
controls don’t stop there. Because you can authorize the device
explicitly for the computers on which it is allowed to be used, there
is no fear of losing the Hydra and exposing the data on it. The
pass-phrase, or PIN in Hydra-speak, is never stored on the device or
the computer. When the PIN is set up, it is hashed and
the encryption key is derived from the hash. When the user enters a PIN, the process is reversed. The encryption key itself is encrypted on the Hydra only, providing very strong security.
One very useful capability of the Hydra is that it not only can encrypt data to the device, you can use the Hydra to encrypt data to your PC with the same encryption strength. Without the Hydra in the USB port, your data cannot be unencrypted. Because the key is stored on the Hydra, even a stolen PC is not a worry. PINs can be very long and can consist of any combination of alphanumeric and special characters.
There are access levels for the user and for the administrator, and the product comes with a simple admin tool to help set up the Hydra and manage it. The host authorization code — the code that authorizes the Hydra on multiple PCs — can be up to 256 characters long.
We tested the Hydra using a simple set of encryption tests and forensic analysis of the miniSD card. We tested functionally for residue after ungracefully removing the Hydra from the USB port, and we exercised each of its advertised functions. Our conclusion is that if you are storing sensitive data of any kind — such as personally identifiable information, as an example — this is an extremely secure way to do it. The device is physically tamper-resistant and it destroys the encryption keys after a predetermined number of failed PIN attempts rendering the data stored on the device unrecoverable.
separates the encryption device from the computer, and you must
authorize the device explicitly for the computers with which you want
to use it, the Hydra has some advantages over whole disk encryption.
Because it can work with other Spyrus products, full data security
schemes can be devised that fit well in a corporate environment. Spyrus
tells me that they are working on a tool to manage an enterprise full
of Hydras centrally along with all of the usual enterprise management
capabilities for managing encryption across a large organization.
Spyrus claims that Hydra is the "strongest encryption solution
commercially available," and we believe that likely is true.
If you deal with sensitive data, especially on laptops, you need the Hydra.
— Peter Stephenson, with Mike Stephenson
Product: Hydra Privacy Card Series II
Company: Spyrus Inc.
What it does: USB active data encryptor and storage drive for high-security applications.
What we liked: Very high security and flexibility at a reasonable price - three-factor authentication (what you know, what you have and where you are) and ability to encrypt on the device or on the computer with full confidence.
What we didn't like: I've got to pick nits here because this is one of the most useful and well conceived products I've seen in a long time. However, the form factor is a bit large and it really needs enterprise-wide management.