It is amazing to me how little is understood about how hardware security works.
Does anyone understand the concepts of Intel *T technologies (this is ultimately how we should get pretty good trusted execution with scrambled DRAM) This will be required if the main processor is going to be involved in trusted transactions of any kind. FDE is just a simple one. Customers need to bulk encryption in the drive hardware it is a superior solution to any software and always will be. A single chip solution for Encryption Key management and access control is key. This is not really a debate just ask the cell phone industry who migrated to hardware security in the early 90's to global success and the Set top box industry who went to hardware in the late 80's seems like there success speaks for itself. Strong integrity on the pre-boot environment is critical to detect compromise. Seagate does this really well especially on a managed drive and there should still be work done on integrating the Boot integrity capabilities of the TPM and TPM binding of the drive to the platform for some implementations. Most of the preboot code for software solutions is accessible on the drive and can therefore be modified. The Seagate pre-boot image is read only except by admin who has to be verified by the drive controller independent of the windows OS Hiding keys in software only works if there is no reason to break the software. Either because it is cool and everyone write an article or for monetary gain. FDE software just became sufficiently mainstream to get wacked. Steven Sprague CEO Wave Systems Corp.
_______________________________________________ FDE mailing list [email protected] http://www.xml-dev.com/mailman/listinfo/fde
