Is the U3 Smart Drive Encryption Any Good?
Carlos asks: "I was searching for encryption software for USB pen drives, and came across the U3 Smart Drive platform, which offers portability and privacy through software and hardware. There are already several well-known hardware manufacturers offering U3 Smart Drives. Are they really better than a plain USB drive plus encryption software such as TrueCrypt, or is it just marketing hype?"
PCMag did a review of the U3 technology (though the review is almost a year old).
U3 doesn't work any better than any other encryption. In fact, if anything, a corporate-level encryption is always going to have better product quality control than U3. Plus, U3 doesn't work on probably 50% of the machines I have to put it into (tech support=putting in jump drive 50+ times a day), which means that if it doesn't work then there's no way to get it unencrypted. Basically any computer system which doesn't permit access to the AppData folder means it doesn't load the U3 software. (It claims it doesn't install anything, but it's definitely there). The other thing is that there are a lot of programs which just don't like U3 and will crash it even if you have the right permissions. Plus, it doesn't work on Mac or Linux.
TrueCrypt makes use of tweakable block ciphers. The idea with tweakable block ciphers is good, but it is no magic bullet. And unfortunately TrueCrypt reuses the tweaks every time the same sector is overwritten, which means the proofs for security of tweakable block ciphers do not apply to TrueCrypt. Depending on the attack scenario this may be a threat. Using a USB stick is going to make this problem worse.
It is not the USB protocol which is a problem, but rather the fact that a USB stick stores the data in flash using a wear leveling algorithm. That means that even though from TrueCrypt's point of view it is writing to the same sector number, it is physically writing to different flash cells. This again means that for some time both the old and the new version may physically exist in the storage. This means anybody who is able to read the physical flash cells without going through the wear leveling code will have access to the necessary data to exploit this weakness.
I don't know anything about U3, so I cannot tell you for sure if it is better or worse than TrueCrypt. But with the number of weaknesses which have been seen in storage encryptions, I'd expect anything new to have a few of its own. In spite of the minor weakness in TrueCrypt, I'd still prefer that over something with weaknesses I don't know about.
My advice for encryption on USB sticks is to not rely on transparent encryption and rather use something like GPG. Of course combining TrueCrypt and GPG is not going to harm security. GPG encrypted files on a TrueCrypt encrypted storage should be pretty safe.
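Added example (not part of the comment above and not TrueCrypt code): what someone holding both the old and the new flash copy of a sector learns when the tweak is reused, namely which 16-byte blocks were edited. The cipher is a toy Feistel construction standing in for a real tweakable mode, and the `write_count` parameter is a hypothetical contrast case; the key and sector contents are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per cipher block, as in AES-based disk encryption


def _round(key: bytes, tweak: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: HMAC-SHA256 over tweak, round number and half-block."""
    return hmac.new(key, tweak + bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Toy tweakable block cipher (4-round Feistel). Stand-in only, not XTS or LRW."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, tweak, rnd, right)))
    return left + right


def encrypt_sector(key: bytes, sector_no: int, data: bytes, write_count: int = 0) -> bytes:
    """Encrypt a sector block by block; tweak = (sector, block index, write_count).
    Leaving write_count at 0 on every write models the tweak reuse described above."""
    out = b""
    for i in range(0, len(data), BLOCK):
        tweak = (sector_no.to_bytes(8, "little") + (i // BLOCK).to_bytes(4, "little")
                 + write_count.to_bytes(4, "little"))
        out += encrypt_block(key, tweak, data[i:i + BLOCK])
    return out


def changed_blocks(old_ct: bytes, new_ct: bytes) -> list:
    """Block indexes whose ciphertext differs between two versions of a sector."""
    return [i // BLOCK for i in range(0, len(old_ct), BLOCK)
            if old_ct[i:i + BLOCK] != new_ct[i:i + BLOCK]]


def demo():
    key = b"constructed-demo-key"                    # constructed sample key
    v1 = bytes(512)                                  # constructed 512-byte sector
    v2 = v1[:160] + b"edited 16 bytes!" + v1[176:]   # only block 10 changes
    reused = changed_blocks(encrypt_sector(key, 7, v1), encrypt_sector(key, 7, v2))
    fresh = changed_blocks(encrypt_sector(key, 7, v1, 0), encrypt_sector(key, 7, v2, 1))
    return reused, fresh


if __name__ == "__main__":
    print(demo())
```

With the reused tweak only block 10 differs between the two ciphertexts; with a different tweak per write all 32 blocks differ, so the location of the edit is hidden.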