Re: Seagate announces hardware FDE for laptop and desktop machines
On Jun 10, 2009, at 4:19 PM, travis+ml-cryptogra...@subspacefield.org wrote: Reading really old email, but have new information to add. On Wed, Oct 03, 2007 at 02:15:38PM +1000, Daniel Carosone wrote: Speculation: the drive always encrypts the platters with a (fixed) AES key, obviating the need to track which sectors are encrypted or not. Setting the drive password simply changes the key-handling. Implication: fixed keys may be known and data recoverable from factory records, e.g. for law enforcement, even if this is not provided as an end-user service. There was an interesting article in 2600 recently about ATA drive security. It's in Volume 26, Number 1 (Spring 2009). Sorry that I don't have an electronic copy. The relevant bit of it is that there are two keys. One key is for the user, and one (IIRC, it is called a master key) is set by the factory. IIRC, there was a court case recently where law enforcement was able to read the contents of a locked disk, contrary to the vendor's claims that nobody, even them, would be able to do so. All of these statements may be true. The standardization of the command set for encrypting disk drive does has a "set master key" command. If this command does exist, and if the user had software that resets this master password, then the backdoor would have been closed. (I know, there area lot of "ifs" in that sentence.) http://www.dtc.umn.edu/disc/resources/RiedelISW5r.pdf http://www.usenix.org/events/lsf07/tech/riedel.pdf http://www.t10.org/ftp/t10/document.04/04-004r2.pdf and from universities you can access http://ieeexplore.ieee.org/iel5/10842/34160/01628480.pdf https://www.research.ibm.com/journal/rd/524/nagle.html Jim - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: Seagate announces hardware FDE for laptop and desktop machines
Reading really old email, but have new information to add. On Wed, Oct 03, 2007 at 02:15:38PM +1000, Daniel Carosone wrote: > Speculation: the drive always encrypts the platters with a (fixed) AES > key, obviating the need to track which sectors are encrypted or > not. Setting the drive password simply changes the key-handling. > > Implication: fixed keys may be known and data recoverable from factory > records, e.g. for law enforcement, even if this is not provided as an > end-user service. There was an interesting article in 2600 recently about ATA drive security. It's in Volume 26, Number 1 (Spring 2009). Sorry that I don't have an electronic copy. The relevant bit of it is that there are two keys. One key is for the user, and one (IIRC, it is called a master key) is set by the factory. IIRC, there was a court case recently where law enforcement was able to read the contents of a locked disk, contrary to the vendor's claims that nobody, even them, would be able to do so. The man in question had his drives sized by the FBI and they read the drives, uncovering emails between the man and his lawyer. He was suing the manufacturer for false advertising. Here are the links from the 2600 article: http://tinyurl.com/atapwd http://tinyurl.com/cmrrse http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml hdparm -security-erase-enhanced in Linux http://www.deadondemand.com/ http://www.vogon-investigation.com/password-cracker.htm -- Obama Nation | My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/ If you are a spammer, please email j...@subspacefield.org to get blacklisted. pgpvh6qewOZcV.pgp Description: PGP signature
Re: Seagate announces hardware FDE for laptop and desktop machines
> I think the really interesting question is what happens when you lose > a FDE-ed hard drive. Do you still need to publish the incident and > contact potentially affected individuals? If the answer is "no", I'm > sure this technology will be quickly adopted, independently of its > actual implementation. California Senate Bill CA1386 provides a "Get Out of Jail Free" Card if you are using "reasonable" means to protect the confidentiality of data. However you still have to proof it saqib http://security-basics.blogspot.com/ - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
* Ivan Krstić: > On Oct 3, 2007, at 4:39 AM, Florian Weimer wrote: >> But this exhibits an issue with disk-based encryption: you can't >> really know what they are doing, and if they are doing it right. >> (Given countless examples of badly-deployed cryptography, this isn't >> just paranoia, but a real concern.) > > Precisely. If you're keeping secrets from your nosy siblings and > coworkers, hardware FDE is more than adequate. If you have reason to > believe someone skilled and resourceful might really want your data, > you almost certainly have no business using a blackbox encryption > system operating in a way that's not publicly documented -- even if > the system is buzzword-compliant -- and implemented by a company > (hard disk vendor) where crypto is about as far from their core > competency as you can get. I think the really interesting question is what happens when you lose a FDE-ed hard drive. Do you still need to publish the incident and contact potentially affected individuals? If the answer is "no", I'm sure this technology will be quickly adopted, independently of its actual implementation. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
On Oct 3, 2007, at 4:39 AM, Florian Weimer wrote: But this exhibits an issue with disk-based encryption: you can't really know what they are doing, and if they are doing it right. (Given countless examples of badly-deployed cryptography, this isn't just paranoia, but a real concern.) Precisely. If you're keeping secrets from your nosy siblings and coworkers, hardware FDE is more than adequate. If you have reason to believe someone skilled and resourceful might really want your data, you almost certainly have no business using a blackbox encryption system operating in a way that's not publicly documented -- even if the system is buzzword-compliant -- and implemented by a company (hard disk vendor) where crypto is about as far from their core competency as you can get. -- Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
* Simon Josefsson: > One would assume that if you disable the password, the data would NOT be > accessible. Making it accessible should require a read+decrypt+write of > the entire disk, which would be quite time consuming. It may be that > this is happening in the background, although it isn't clear. Perhaps this section wasn't updated? A password-based lock method is present in most laptop drives today. But this exhibits an issue with disk-based encryption: you can't really know what they are doing, and if they are doing it right. (Given countless examples of badly-deployed cryptography, this isn't just paranoia, but a real concern.) - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
On Tue, Oct 02, 2007 at 03:50:27PM +0200, Simon Josefsson wrote: > Without access to the device (I've contacted Hitachi EMEA to find out if > it is possible to purchase the special disks) it is difficult to infer > how it works, but the final page of the howto seems strange: > > ... > >NOTE: All data on the hard drive will be accessible. A secure erase >should be performed before disposing or redeploying the drive to >avoid inadvertent disclosure of data. > > One would assume that if you disable the password, the data would NOT be > accessible. Making it accessible should require a read+decrypt+write of > the entire disk, which would be quite time consuming. It may be that > this is happening in the background, although it isn't clear. > It sounds to me as if they are storing the AES key used for bulk > encryption somewhere on the disk, and that it can be unlocked via the > password. Assumption: clearing the password stores the key encrypted with password "" or an all-zeros key, or some other similar construct, effectively in plain text. > So it may be that the bulk data encryption AES key is > randomized by the device (using what entropy?) or possibly generated in > the factory, rather than derived from the password. Speculation: the drive always encrypts the platters with a (fixed) AES key, obviating the need to track which sectors are encrypted or not. Setting the drive password simply changes the key-handling. Implication: fixed keys may be known and data recoverable from factory records, e.g. for law enforcement, even if this is not provided as an end-user service. -- Dan. pgpbW81YLkONk.pgp Description: PGP signature
Re: Seagate announces hardware FDE for laptop and desktop machines
On Tue, 02 Oct 2007 15:50:27 +0200 Simon Josefsson <[EMAIL PROTECTED]> wrote: > > It sounds to me as if they are storing the AES key used for bulk > encryption somewhere on the disk, and that it can be unlocked via the > password. I'd say "decrypted by the password", rather than unlocked, but that's the right way to do it: since it permits easy password changes. It also lets you do things like use different AES keys for different parts of the disk (necessary with 3DES, probably not with AES). > So it may be that the bulk data encryption AES key is > randomized by the device (using what entropy?) or possibly generated > in the factory, rather than derived from the password. > There was this paper on using air turbulence-induced disk timing variations for entropy... --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
Following up on an old thread with some new information: > Hitachi's white paper is available from: > > http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf ... > The interesting part is the final sentence of the white paper: > >Hitachi will be offering the Bulk Data Encryption option on all new >2.5-inch hard disk drive models launched in 2007, including both the >7200 RPM and 5400 RPM product lines. At the request of the customer, > ^^ >this option can be enabled or not, at the factory, without any impact >on the drive?s storage capacity, features or performance. Interestingly, Hitachi has updated that paragraph in the paper (re-using the same URL), and now it reads: Hitachi will be offering the Bulk Data Encryption option on specific part numbers of all new 2.5-inch hard disk drive products launched in 2007, including both the 7200 RPM and 5400 RPM product lines. For a list of specific part numbers that include the Bulk Disk Encryption feature or for more information on how to use the encryption feature, see the ?How To Guide? for Bulk Data Encryption Technology available on our website. The How To Guide includes screen shots from BIOS configuration. The disk appear to be using the standard ATA BIOS password lock mechanism. The guide is available from: http://hitachigst.com/tech/techlib.nsf/products/Travelstar_7K200 http://hitachigst.com/tech/techlib.nsf/techdocs/F08FCD6C41A7A3FF8625735400620E6A/$file/HowToGuide_BulkDataEncryption_final.pdf Without access to the device (I've contacted Hitachi EMEA to find out if it is possible to purchase the special disks) it is difficult to infer how it works, but the final page of the howto seems strange: Disable security For an end user to disable security (i.e., turn off the password access control): 1. Enter the BIOS and unlock the drive (when required, BIOS dependent). 2. Find the security portion of your BIOS and disable the HDD user password, NOT the BIOS password. The master password is still set. ... NOTE: All data on the hard drive will be accessible. A secure erase should be performed before disposing or redeploying the drive to avoid inadvertent disclosure of data. One would assume that if you disable the password, the data would NOT be accessible. Making it accessible should require a read+decrypt+write of the entire disk, which would be quite time consuming. It may be that this is happening in the background, although it isn't clear. Another interesting remark is: Note that the access method to the drive is stored in an encrypted form in redundant locations on the drive. It sounds to me as if they are storing the AES key used for bulk encryption somewhere on the disk, and that it can be unlocked via the password. So it may be that the bulk data encryption AES key is randomized by the device (using what entropy?) or possibly generated in the factory, rather than derived from the password. /Simon - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
Leichter, Jerry wrote: First off, it depends on how the thing is implemented. Since the entire drive is apparently encrypted, and you have to enter a password just to boot from it, some of the support is in an extended BIOS or some very early boot code, which is "below" any OS you might actually have on the disk. If I had to guess, I would suggest they were using the ATA "secure" hd password api, and really providing security rather than the firmware-lock usually associated with such passwords. That would allow you to retrofit it to a lot of laptops which already use that functionality, in a plug-and-play manner. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
Dave Korn wrote: On 07 September 2007 21:28, Leichter, Jerry wrote: Grow up. *If* the drive vendor keeps the mechanism secret, you have cause for complaint. But can you name a drive vendor who's done anything like that in years? All DVD drive manufacturers. That's why nobody could write a driver for Linux until CSS was cracked, remember? It wasn't the mechanism that was secret so much as the key. CSS was supposed to protect someone else's data. You wouldn't give the key to *your* drive away, would you? /ji - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Seagate announces hardware FDE for laptop and desktop machines
On 07 September 2007 21:28, Leichter, Jerry wrote: > Grow up. *If* the drive vendor keeps the mechanism secret, you have > cause for complaint. But can you name a drive vendor who's done > anything like that in years? All DVD drive manufacturers. That's why nobody could write a driver for Linux until CSS was cracked, remember? cheers, DaveK -- Can't think of a witty .sigline today - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
Ivan Krsti? wrote: On Sep 6, 2007, at 6:14 PM, Jacob Appelbaum wrote: other known good implementations of AES128 (CBC? I'm not sure...). Plain AES-CBC is not a great choice for FDE. You can do whatever you'd like to the bits of a given block at the cost of garbling the previous block, which makes binaries a plausible target. Given the size of modern OSes, it might even be an easy one. That's not the threat model; the main use of FDE is to protect the data in a lost/stolen laptop. FWIW, a couple of days ago I got yet another of those letters where a former employer is informing me that they lost my personal data; this time it was AT&T telling me that a laptop with employee benefits on it got stolen. /ji - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
| Date: Thu, 6 Sep 2007 16:00:03 -0600 | From: Chris Kuethe <[EMAIL PROTECTED]> | To: Jacob Appelbaum <[EMAIL PROTECTED]> | Cc: Cryptography | Subject: Re: Seagate announces hardware FDE for laptop and desktop machines | | On 9/6/07, Jacob Appelbaum <[EMAIL PROTECTED]> wrote: | > Seagate recently announced a 1TB drive for desktop systems and a 250GB | > laptop drive. What's of interest is that it appears to use a system | > called DriveTrust for Full Disk Encryption. It's apparently AES-128. | | Yes, but will it work on my UltraSparc? How about my PPC powermac? Or | maybe my OpenBSD laptop? First off, it depends on how the thing is implemented. Since the entire drive is apparently encrypted, and you have to enter a password just to boot from it, some of the support is in an extended BIOS or some very early boot code, which is "below" any OS you might actually have on the disk. Once you get past that, though, it depends on what they provide. If the boot-time password gets stored in the disk firmware and controls all encryption and decryption for the "session", the OS would neither know nor care. If the drivers have to get involved, or you *want* them involved (e.g., because you want to use the disk hardware to do encryp- tion with different sets of keys you assign to different files, partitions, whatever the thing can support) then ... ask for something reasonable: That the interface to the mechanism is published so that someone can write the appropriate drivers. | What's that - I have to use some opaque mechanism to key my drive? Pass. Ah, yes, it's all a conspiracy to make you run Windows. Grow up. *If* the drive vendor keeps the mechanism secret, you have cause for complaint. But can you name a drive vendor who's done anything like that in years? What possible motivation could they have? (In fact, I believe Seagate has said they will publish the specs.) | And how do I know that the drive didn't just store a copy of my | encryption key in NVRAM somewhere which can be retrieved by reading | some magic sequence of negative sectors? And what about a zillion | other paranoid but reasonable concerns? You don't. The general issue of how you can come to trust a piece of cryptographic hardware has been discussed here before, and no one has been able to suggest a way to do it. Guess what: Seagate makes the same point. As one of the two remaining drive vendors who are actually US-based (I forget who the other is), they've pointed out to Congress that it might not be such a good thing if DoD's and Homeland's and the FBI's secure disks were all based on chips and firmware developed overseas (and particularly in China). They bring this up purely for patriotic reasons, of course. If Congress sees fit to provide a bit of protection, well, that's a national policy issue, not Seagate's doing :-) Of course, most of the world's countries will be faced choosing secure devices developed and built in one of 3 or 4 countries, at least the two largest of which have very well developed organizations to, err, develop information in the national interest. Who are you willing to trust? How much are you willing to pay to avoid trusting someone you would rather not trust? Personally, if I were *that* concerned, I'd use an encrypted file system on top of an FDE system, at least for the stuff I considered really sensitive. -- Jerry | CK | | -- | GDB has a 'break' feature; why doesn't it have 'fix' too? | | - | The Cryptography Mailing List | Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED] | | - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
On Sep 6, 2007, at 6:14 PM, Jacob Appelbaum wrote: other known good implementations of AES128 (CBC? I'm not sure...). Plain AES-CBC is not a great choice for FDE. You can do whatever you'd like to the bits of a given block at the cost of garbling the previous block, which makes binaries a plausible target. Given the size of modern OSes, it might even be an easy one. -- Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
Jacob Appelbaum <[EMAIL PROTECTED]> writes: > Seagate recently announced a 1TB drive for desktop systems and a 250GB > laptop drive. What's of interest is that it appears to use a system > called DriveTrust for Full Disk Encryption. It's apparently AES-128. > > The detail lacking press release is here: > http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=seagate-unveils-new-giants&vgnextoid=6bb0e0e1f0494110VgnVCM10f5ee0a0aRCRD > > The relevant excerpt of it appears to be: > "The Barracuda FDE (full disc encryption) hard drive is the world?s > first 3.5-inch desktop PC drive with native encryption to prevent > unauthorized access to data on lost or stolen hard drives or systems. > Using AES encryption, a government-grade security protocol and the > strongest that is commercially available, The Barracuda FDE hard drive > delivers endpoint security for powered-down systems. Logging back on > requires a pre-boot user password that can be buttressed with other > layers of authentication such as smart cards and biometrics." > > > I found this somewhat relevant paper (though it seriously lacks > important details) on DriveTrust: > http://www.seagate.com/docs/pdf/whitepaper/TP564_DriveTrust_Oct06.pdf > > Has anyone read relevant details for this system? It seems like > something quite useful but I'm not sure that I trust something I can't > review... Hitachi's white paper is available from: http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf (Btw, it contains something as rare as a reasonable threat analysis! At least compared to other advertising materials...) After having acquired the 1TB device, and didn't find any support for this feature, I re-read some information: The interesting part is the final sentence of the white paper: Hitachi will be offering the Bulk Data Encryption option on all new 2.5-inch hard disk drive models launched in 2007, including both the 7200 RPM and 5400 RPM product lines. At the request of the customer, ^^ this option can be enabled or not, at the factory, without any impact on the drive?s storage capacity, features or performance. I wonder how easily it would be to request this for a normal customer. I gave up when my supplier said they didn't offer this configuration. I would be interested to know which key-derivation function they are using, I'm assuming the key is derived from a password, and which AES mode and IV etc. Knowing that may enable you to verify that data is really stored encrypted: buy two devices, set up one to use disk encryption, and swap the logic boards and then read data from the supposedly encrypted disk. As for finding out if they accidentally also write down the AES key on some hidden part of the disk, that may be more difficult... /Simon - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
Chris Kuethe wrote: > On 9/6/07, Jacob Appelbaum <[EMAIL PROTECTED]> wrote: >> Seagate recently announced a 1TB drive for desktop systems and a 250GB >> laptop drive. What's of interest is that it appears to use a system >> called DriveTrust for Full Disk Encryption. It's apparently AES-128. > > Yes, but will it work on my UltraSparc? How about my PPC powermac? Or > maybe my OpenBSD laptop? > It seems the the answer would be yes for the laptop at the very least. > What's that - I have to use some opaque mechanism to key my drive? Pass. > It appears to use a firmware implementation. To quote their pdf I linked to before [0]: "DriveTrust technology implements on the drive a cryptographic service provider that provides encryption, hashing, secure storage, decryption, digital signature and random-number generating functions" Though I think that unless they're providing their full firmware code, it's not to be trusted. Though it should be possible to examine the on disk bits with other known good implementations of AES128 (CBC? I'm not sure...). > And how do I know that the drive didn't just store a copy of my > encryption key in NVRAM somewhere which can be retrieved by reading > some magic sequence of negative sectors? And what about a zillion > other paranoid but reasonable concerns? > All the more reason to investigate it. I wonder if they'll provide their firmware if a big enough client were to request it. They also claim to be about open standards: "An open standard is being developed within the Trusted Computing Group." Perhaps one of the Seagate developers is on this list? If not, I think they probably should be... -jacob [0] http://www.seagate.com/docs/pdf/whitepaper/TP564_DriveTrust_Oct06.pdf - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Seagate announces hardware FDE for laptop and desktop machines
On 9/6/07, Jacob Appelbaum <[EMAIL PROTECTED]> wrote: > Seagate recently announced a 1TB drive for desktop systems and a 250GB > laptop drive. What's of interest is that it appears to use a system > called DriveTrust for Full Disk Encryption. It's apparently AES-128. Yes, but will it work on my UltraSparc? How about my PPC powermac? Or maybe my OpenBSD laptop? What's that - I have to use some opaque mechanism to key my drive? Pass. And how do I know that the drive didn't just store a copy of my encryption key in NVRAM somewhere which can be retrieved by reading some magic sequence of negative sectors? And what about a zillion other paranoid but reasonable concerns? CK -- GDB has a 'break' feature; why doesn't it have 'fix' too? - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Seagate announces hardware FDE for laptop and desktop machines
Seagate recently announced a 1TB drive for desktop systems and a 250GB laptop drive. What's of interest is that it appears to use a system called DriveTrust for Full Disk Encryption. It's apparently AES-128. The detail lacking press release is here: http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=seagate-unveils-new-giants&vgnextoid=6bb0e0e1f0494110VgnVCM10f5ee0a0aRCRD The relevant excerpt of it appears to be: "The Barracuda FDE (full disc encryption) hard drive is the world’s first 3.5-inch desktop PC drive with native encryption to prevent unauthorized access to data on lost or stolen hard drives or systems. Using AES encryption, a government-grade security protocol and the strongest that is commercially available, The Barracuda FDE hard drive delivers endpoint security for powered-down systems. Logging back on requires a pre-boot user password that can be buttressed with other layers of authentication such as smart cards and biometrics." I found this somewhat relevant paper (though it seriously lacks important details) on DriveTrust: http://www.seagate.com/docs/pdf/whitepaper/TP564_DriveTrust_Oct06.pdf Has anyone read relevant details for this system? It seems like something quite useful but I'm not sure that I trust something I can't review... -jacob - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
