Lexar SAFE S3000 and SAFE S3000 FIPS FAQs

What does SAFE stand for? 

Secure Access For Enterprise

Why does Lexar offer multiple SAFE solutions? 

Lexar® JumpDrive SAFE S3000 FIPS is specifically engineered for government, military, and enterprise users who require ultra high security to meet agency directives. Lexar JumpDrive SAFE S3000 is designed for users looking for enterprise-level security that is scaled to meet the budget and performance demands of small businesses.

What makes Lexar JumpDrive SAFE unique? 

Lexar JumpDrive SAFE combines 3 key elements to provide a secure flash drive.

A) Hardware-based AES 256-bit Encryption on all stored data 
B) Tamper-proof smart card to manage all security critical computations 
C) Rugged metal housing to protect against physical damage

What does FIPS stand for? 

Federal Information Processing Standards: publicly announced standards developed by the United States Federal government.

Why does the Gemalto brand name appear on the application graphical user interface (GUI)? 

Lexar JumpDrive SAFE is jointly developed by Lexar and Gemalto, combining Lexar’s secure solid state storage technology and Gemalto’s .NET smart card technology.

What is the difference between the Lexar JumpDrive SAFE S3000 and Lexar JumpDrive SAFE S3000 FIPS?

Lexar JumpDrive SAFE S3000 FIPS | Lexar JumpDrive SAFE S3000
Up to 30MB/sec Read* • Up to 22MB/sec Write* | Up to 30MB/sec Read* • Up to 8MB/sec Write*
2, 4, 8GB | 2, 4, 8, 16GB
Tamper-resistant rugged, waterproof metal housing | Rugged metal housing
FIPS 140-2 Level 3 validated | Based on same security level implementation
Certified for Windows Vista® | Works with Windows Vista
Desktop-based device management |

Does the encryption reduce the drive performance? 

No, the hardware-based 256-bit AES engine performs on-the-fly encryption and does not impact performance.

Do I need to install a driver and/or software for Lexar JumpDrive SAFE? 

No, the Lexar JumpDrive SAFE is fully plug and play and does not require any drivers or software to be installed on the host computer.

Do I need administrator privileges (on Operating Systems) for Lexar JumpDrive SAFE to work? 

No, the Lexar JumpDrive SAFE does not require administrator privileges to work.

How does encryption protect my data? 

All drive content is encrypted with the NIST standard AES encryption algorithm and stored in ciphered form on the flash memory. The encryption key used to perform the encryption is stored securely on the embedded tamper-proof smart card, protecting it from unauthorized access. Without the knowledge of the encryption key, it is exceedingly difficult to extract the data from the cipher, even if one is able to disassemble the drive to access the flash memory.

Why is hardware-based encryption more secure?

Software-based encryption runs on top of the computer operating system and uses its shared memory space to store contents such as encryption keys. Other processes on the operating system may be able to access the same memory space and, in so doing, compromise security. Hardware-based encryption uses the memory space within the device itself, eliminating the risk of access by processes external to the flash drive.

How does the smart card protect my data? 

The smart card provides the following protection: 

Tamper-proof storage: Smart cards provide a means of securely storing data on the card. This data can only be accessed through the smart card operating system with authorized access rights. This feature is utilized to store the encryption key, the login password, and the other security parameters. 

Isolation of security-critical computations: Operations involving authentication, key generation, and storage are isolated from other parts of the device and host computer that do not have a “need to know.” These operations are all performed on the smart card only. 

Strong Authentication: The smart card blocks access to JumpDrive SAFE after a predefined number of login attempts has been exceeded. The smart card deploys a stringent PKI-based challenge-response process for authentication. This prohibits any unauthorized access to the flash encryption keys and protects the authorized user. The smart card protects against password dictionary attacks through an increasing delay after each incorrect attempt (before the next login can be attempted).

Why is smart card-based authentication more secure than other methods of authentication? 

The secure microcontrollers used in Gemalto smart cards have security features manufactured into the ICs that thwart attackers from accessing any sensitive information that is stored in the card. Gemalto smart card technology is extremely difficult to duplicate or forge and has built-in tamper protection. Smart card chips include a variety of hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks. This is reflected in the Common Criteria level EAL 5+ certification achieved by the Gemalto smart card microcontroller. In addition, smart card technology provides secure hardware-based key generation and storage and a standard PKI-based challenge-response process to unblock access. Gemalto smart card technology provides security benefits at a number of levels that other hardware-based authentication mechanisms cannot match.

How does the Lexar JumpDrive SAFE S3000 behave if it comes under a password dictionary attack? 

The Lexar JumpDrive SAFE S3000 permits up to 5 login attempts. The Lexar JumpDrive SAFE S3000 also introduces an increasing delay after each incorrect attempt before the next login can be attempted. Once the attempts are exceeded, the device rejects further login attempts until the user provides the correct answer to the security question.

Are copies of the password and cryptographic key saved on the host computer? 

No. Both the password and cryptographic key are stored securely only on the smart card.

What happens if I forget my password? 

The Lexar JumpDrive SAFE S3000 allows password reset once the correct answer is provided to the security question. A new password must be set but no data is erased. If however a user forgets the answer to the security question and exceeds 5 login attempts, the Lexar JumpDrive SAFE S3000 becomes permanently disabled and cannot be recovered.

Does the Lexar JumpDrive SAFE S3000 perform any operations that leave traces on the host computer? 

No. All operations are contained within the drive, leaving no trace on the host machine.

How are the encryption keys generated? 

The encryption keys are generated by the smart card’s Random Number Generator (RNG) and are stored securely in the smart card’s non-volatile memory. The keys are not stored in the flash memory or the host computer, or transmitted across the USB port.

How is the Lexar JumpDrive SAFE S3000 password protected? 

The login password is hashed before being transmitted to the Lexar JumpDrive SAFE S3000, and then stored in the tamper-proof smart card. Password validation uses a challenge-response process combined with a zero-knowledge transfer mechanism. The authentication is performed on the smart card only; there is no way to retrieve the stored password from the smart card. Access is granted only when the password has been validated by the smart card. If login attempts are exceeded, the device rejects further login attempts.

Does the Lexar JumpDrive SAFE S3000 support complex passwords? 

The JumpDrive SAFE S3000 supports complex passwords, but does not enforce them. The main reason for a complex password is to deter software-based password dictionary attacks. The SAFE S3000 defeats such attacks with the smart card. The smart card permits only a limited number of login attempts and introduces an increasing delay after each incorrect attempt before the next login can be attempted.
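
The attempt limit and delay described in the answers above can be modelled in a few lines. This is an added example, not Lexar or Gemalto code: HMAC-SHA-256 over a fresh nonce stands in for the PKI-based challenge-response the FAQ names but does not specify, and the doubling delay schedule, class and function names are assumptions.

```python
import hashlib, hmac, secrets

MAX_ATTEMPTS = 5    # limit stated in the FAQ
BASE_DELAY_S = 1.0  # assumed; the FAQ gives no delay values

class CardModel:
    """Hypothetical model of the on-card verifier."""
    def __init__(self, password: str):
        # Only a hash of the password is kept (simplified: unsalted).
        self._secret = hashlib.sha256(password.encode()).digest()
        self.failures, self.blocked, self._challenge = 0, False, None

    def new_challenge(self) -> bytes:
        if self.blocked:
            raise PermissionError("card blocked")
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def required_delay(self) -> float:
        # Assumed schedule: 0, 1, 2, 4, 8 seconds before attempts 1..5.
        return 0.0 if self.failures == 0 else BASE_DELAY_S * 2 ** (self.failures - 1)

    def verify(self, response: bytes) -> bool:
        if self.blocked or self._challenge is None:
            return False
        expected = hmac.new(self._secret, self._challenge, hashlib.sha256).digest()
        self._challenge = None  # single use, so a replayed response fails
        if hmac.compare_digest(expected, response):
            self.failures = 0
            return True
        self.failures += 1
        self.blocked = self.failures >= MAX_ATTEMPTS
        return False

def host_response(password: str, challenge: bytes) -> bytes:
    # Host hashes the password and proves knowledge of it for this nonce only.
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()

def simulate_wordlist(card: CardModel, wordlist):
    """Return (attempts_made, seconds_waited, unlocked) for a guess sequence."""
    made, waited = 0, 0.0
    for word in wordlist:
        if card.blocked:
            break
        waited += card.required_delay()
        made += 1
        if card.verify(host_response(word, card.new_challenge())):
            return made, waited, True
    return made, waited, False
```

With a constructed 100-word list that does not contain the password, the model stops after 5 attempts, which is why the guess budget, not password complexity, bounds a dictionary attack against the card.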

How do I get the login application to start automatically?

When you insert your JumpDrive SAFE S3000 - FIPS into your PC, the login application should run automatically. However, this cannot happen under the following circumstances:

  • The JumpDrive SAFE S3000 - FIPS is already connected when you start the PC or reboot the PC.
  • The PC is running Windows 2000.
  • You are logged on to Windows as a guest.

If none of the above is the case, the AutoPlay feature is likely deactivated.

Solution 1
Activate the AutoPlay feature. See “AutoPlay” on page 3 of the user guide.

Solution 2
If AutoPlay is already activated, you will need to start the application manually by double-clicking the file “JumpDriveS3000_PC.exe” in the JumpDrive drive.

Why does a “reboot PC” message appear the first time I insert the JumpDrive SAFE to my PC?

After inserting the JumpDrive SAFE S3000 into your computer, Windows displays a message asking you to restart your PC. This may happen when a new JumpDrive SAFE is inserted for the first time.

There is no need to restart the PC. Click Cancel to close the message.

I do not see a drive letter assigned to the JumpDrive SAFE. What should I do?

The JumpDrive SAFE S3000 is attempting to use a drive letter that is already assigned to other drives (such as a network mapped drive.) This may be common in a corporate environment.

Solution 1
If you are using Windows Vista, please update to Service Pack 1 (SP1). This issue should not occur with Windows SP1.

Solution 2
If you are using a different version of Windows, change the drive letter of your JumpDrive SAFE to enable a correct drive display. Here are the steps to reassign the drive letter for your JumpDrive SAFE:
1. Insert your JumpDrive SAFE.
2. Right-click My Computer and select Manage on the pull-down menu to open the Computer Management window.
3. Under Computer Management (Local) > Storage, select Disk Management.
4. Look for the JumpDrive SAFE drive that has a drive letter in conflict.
5. Right-click the drive and select Change drive letters and paths.
6. Click the Change button.
7. In the drop-down box, select an unused drive letter and click OK.

The “Safely Remove Device” feature is not working. What should I do?

The “Safely Remove Device” feature may not work if the JumpDrive SAFE is being used by other applications.

(All versions of Windows)
Check that all applications using the JumpDrive SAFE are closed (such as Windows Explorer). Lock the JumpDrive SAFE, and then try safely removing the JumpDrive again.

Windows 2000
The “safely remove device” feature is not supported on Windows 2000. 
You should take the following precautions before removing your JumpDrive:
Before removing the JumpDrive SAFE, ensure there is no active operation (the blue LED is not blinking). 
Close all applications that were using the JumpDrive SAFE.
Lock the JumpDrive SAFE. Once it is locked, it is safe to remove the JumpDrive.

Solution 1 Vista (recommended)
Download Vista SP1 from the Microsoft Web site.

Solution 2 Vista
Request the hotfix provided by Microsoft. For more information, refer to article 937454 in the Microsoft Knowledge base.

Windows Vista is telling me to scan and fix a drive. What should I do?

After unlocking the JumpDrive SAFE, Windows Vista displays a message asking the user to scan and fix the drive.

This is a Windows Vista issue that happens if the JumpDrive was not safely removed previously when connected to a computer running Windows XP. There is no need to scan and fix the drive. Simply continue without scanning.

MAC - I am unable to connect more than one JumpDrive SAFE to the same computer simultaneously. What can I do?

If more than one JumpDrive SAFE is connected to the same Mac computer, you are unable to access both simultaneously.

This feature is not currently supported on Mac computers. It is however supported on Windows-based computers.

The application screen remains open even after I remove the JumpDrive SAFE.

This issue occurs only in the Mac Leopard OS. When you remove the JumpDrive SAFE, the application does not exit and the window remains open. If you attempt to use the application, it will exit with an error.

After removing the JumpDrive SAFE, manually close the application window.

MAC - The Application Support directory remains open even after removing the JumpDrive SAFE.

This issue occurs only in the Mac Leopard OS. When you insert the JumpDrive SAFE, Finder automatically opens the Application Support directory and this window remains open, even after removing the device.

When you remove the JumpDrive SAFE, manually close the Application Support directory.

I formatted the JumpDrive SAFE using the Mac Disk utility and now the drive does not operate correctly.

This issue occurs only in the Mac Tiger OS. 

If you reformat your JumpDrive SAFE with the Mac Disk Utility, choose MS-DOS as the operating system. If the JumpDrive SAFE was formatted to a Mac OS, it will no longer operate correctly on a Windows-based computer.