What's the best way to authorize a USB Key

Question

We have an auto update for our software that is installed via USB key (with the auto run). If I wanted to ensure that only authorized USB Keys were used, what's the best way?

Our installer is already signed, and it won't run otherwise. But I'm more wanting to inspect the USB Key for a signed installer, and if it's not there, just ignore, or even "Eject" the USB device.

And I should be able to tell the difference (in code) between a usb storage device, and say a camera, or keyboard.

I'm only wanting to disable non-authorized storage devices.

Thank you for your ideas.

Answer 1

non-authorized storage devices? This depends on how secure you want it to be. For the most secure level, it would consist of:

• special firmware written to the flash drive to get extra "meta info" (read: expensive custom manufacturing of flash drives)
• special windows driver to read that meta info from the flash drive
• your program talking to that device driver to confirm it's authorized.

Or to the least secure level you have these options:

• using a hidden file and a special key(possibly hashed time of last filesystem modification or something?) (dd breakable)
• dropping below the filesystem level and recreating your own very simple filesystem.. (more security through obscurity though and dd could break that)

Also, for the "most secure" option, you really need a more secure way of running the program than auto-run and a device driver(which could be half-baked to make anything appear authorized). Why do you want it to only update from an authorized flash drive anyway?