IRONKEY WORKSPACE W500 USER GUIDE
DEVICE SECURITY
Data Encryption Keys
» AES key generated by onboard Random Number Generator
» AES key generated at initialization time and encrypted with hash of user password
» No backdoors: AES key cannot be decrypted without the user password
» AES key never leaves the hardware and is not stored in NAND flash
Data Protection
» Windows To Go partition is not accessible until password is verified in hardware
» Password try-counter implemented in tamper-resistant hardware
» Once password try-count is exceeded, all data is erased by hardware
» Secure box architecture accessible only to firmware to store sensitive data and settings
Device Password Protection
» USB command channel encryption to protect device communications
» Password-in-memory protection to protect against cold-boot and other attacks
The device password is hashed using salted SHA-256 before being transmitted to the device
firmware over a secure and unique USB channel. It is stored in an extremely inaccessible
location in the protected Cryptochip hardware. The hashed password is validated in hardware
(there is no “getPassword” function that can retrieve the hashed password), and only after the
password is validated is the AES encryption key decrypted. The password try-counter is also
implemented in hardware to prevent memory rewind attacks. Typing your password incorrectly
too many times initiates a permanent “flash-trash” self-destruct sequence, which is run in
hardware rather than using software, ensuring the ultimate protection for your data.
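The following Python sketch is an added example, not IronKey code or firmware. It models the unlock flow described above: the host sends a salted SHA-256 hash, the device validates it, releases the data key only on a match, and erases its key material once the try limit is reached. The names ToyDevice and host_hash, the limit of 10 tries, the 16-byte salt and the XOR key wrap (a stand-in for the AES wrapping done in hardware) are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_TRIES = 10  # assumed limit; the guide does not state the real number


def host_hash(password: str, salt: bytes) -> bytes:
    """Host side: salted SHA-256 of the password, as the guide describes."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyDevice:
    """Software model of the device-side behaviour (hypothetical, not firmware)."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        pw_hash = host_hash(password, self.salt)
        dek = secrets.token_bytes(32)  # stands in for the onboard RNG
        # Stand-in for AES key wrapping: XOR with a key derived from the hash.
        self._wrapped_dek = _xor(dek, self._kek(pw_hash))
        self._stored_hash = pw_hash  # held in the "secure box"; no getter exists
        self._tries = 0
        self.erased = False

    @staticmethod
    def _kek(pw_hash: bytes) -> bytes:
        return hashlib.sha256(b"kek" + pw_hash).digest()

    def unlock(self, pw_hash: bytes):
        """Return the data key on success, None on failure or after erase."""
        if self.erased:
            return None
        # Modelling choice: count the attempt before comparing, so an
        # interrupted check cannot hand back a free guess.
        self._tries += 1
        if hmac.compare_digest(pw_hash, self._stored_hash):
            self._tries = 0
            return _xor(self._wrapped_dek, self._kek(pw_hash))
        if self._tries >= MAX_TRIES:  # limit reached: destroy key material
            self._wrapped_dek = self._stored_hash = None
            self.erased = True
        return None
```

After the erase, even the correct password returns nothing, because the wrapped key it would have decrypted no longer exists.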
Product specifications
For details about your device, see “Device Info” in the IronKey Control Panel settings.
Specification            Details
Capacity*                Up to 32GB, 64GB, 128GB
Dimensions               82mm X 21.1mm X 9.1mm
Weight                   1.12 oz (32 grams)
Operating Temperature    0C, 70C
Operating Shock          16G rms
Hardware Encryption      • Data: 256-bit AES (CBC mode)
                         • Hardware: 256-bit AES
                         • Hashing: 256-bit SHA