topic Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions... in Archive

Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Sat, 26 Mar 2011 15:14:41 GMT

I am considering to buy a couple of new solid state drives for my company. A requirement is FDE and according to some info I found the new 320 series should support this. I have a few questions:

1. As far as I know none of our computers have any support in BIOS for disk password. Is this required for FDE to work with the 320 series or how exactly does the encyption / password entry work?

2. If we would like to use a RAID configuration (RAID 0 striping) is it still possible to use FDE and if so do one have to enter a password for each disk?

3. What about using two disks in the samer computer (non-raid) that is used to dual boot two different operating systems (say Linux and Windows 7) installed one OS on each drive - does FDE work in this case and would one have to enter a password twice?

4. Is the FDE solution dependent on some support in the OS (in that case what OS does it work with) or is it independent?

5. Do you have some white paper about the FDE with for instance information about how much slower it is compared to a non FDE drive?

6. I have read that TRIM does not work with SSDs in RAID configuration. Is this still the case and how dependent is the 320-series of TRIM?

/Trist

CORRECTION : I just found that our Dell Precision M6500 computers do have a field in the BIOS for disk password so I am interested in the questions above (two disks in the machine with or without RAID) also for this configuration. How do I know if the 320-serias FDE is compatible with the disk password setting in the dell M6500 machines? Is there a standard for this that all BIOS manufacturers follows or??

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Sun, 27 Mar 2011 17:28:21 GMT

I'm not sure but it seems that Intel approach is no differ then SandForce 12xx one. It means: this is ONLY internal encryption with random generated passwords and without user defined passphrese. This solution does NOT increase security against thieves. It speeds secure erasing and add minor layer of security against controller switching (for ATA-pass overriding) and flash memory dumping. Highly rare and uncommon situations these days.

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Mon, 28 Mar 2011 07:01:14 GMT

Hmmm in that case it is pretty lame - moving a disk between two controllers is even something I WANT TO BE ABLE TO DO.... it is really the data theft issue one want to address (in particular on laptops)....

/Trist

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Mon, 28 Mar 2011 16:02:49 GMT

The controller switching is rather outdated hack method (mainly for platter drives) based on swapping hdd's electronic board (containing drive's controller and internal bios) to bypass some security methods. It does not concern motherboard controller, the drive's electronics only.

There are IMO much better solutions for securing mass storage these days. Much more flexible then bios-based passwords (with its 8 characters limitation - too small against brute force attacks). All of them are based on preboot authentication (and to be honest they have theirs own issues) but I highly dubt Intel implemented that. We are talking about budget drives.

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Mon, 28 Mar 2011 18:44:00 GMT

Hey tristpost,

Just want to let you know that I'm working on answers for you! Everyone else should look for a 320 post sometime today. Thx!

-Scott, Intel Corporation

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Mon, 28 Mar 2011 19:30:55 GMT

Requires BIOS level password setup to enable user-unique encryption.

According to

http://download.intel.com/design/flash/nand/325212.pdf http://download.intel.com/design/flash/nand/325212.pdf

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Mon, 28 Mar 2011 21:12:35 GMT

I would like to know the answer as well. Is the ATA password set in the BIOS directly linked to the key stored in the Intel 320 drive? If not, the encryption feature in the drive wouldn't really be accessable to the user.

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Tue, 29 Mar 2011 13:14:51 GMT

Bump for information!

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Tue, 29 Mar 2011 17:41:09 GMT

While many bios seem to have 8 character limitations, is there any technical reason for it? As far as the ATA specs go, up to 32 characters should be fine to use.

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Tue, 29 Mar 2011 20:22:53 GMT

@Atavism

AFAIK there in no technical reason for 8 chars limitation. And you are absolutely right. ATA security specification defines 32-bytes for pasphrase. Well... it seems that unofficial bios modding for adding security ATA extensions will be more common these days. This is the only way I can think of... I've lost any hope that my desktop mobo's manufacturer get rid of the essential flaws in its BIOS anytime soon. Adding security module sounds like sci-fi for me and it is unreal for most of us, unfortunately.

/message/119280# 119280 tristpost asked excellent question about passwords linking. This is the clue.

Intel's documentation suggests that AES keys are generated during Secure Erase procedure. And this is understandable. But the thing is: ATA password seems to be unrelated to AES encryption engine which to be honest reverse the proper implementations upside down. In truecrypt (and many soft-based solutions) for instance password is the first and based on it and random or pseudo-random generator (mouse based in truecrypt) final AES keys are obtained.

Intel's paper suggests that in 320 case AES encryption and SATA pass are separated. You can use AES (well you are forced to, but not complaining) and NOT use ATA-pass at the same time. ATA pass is optional.

These two security mechanisms are not nested. They are not nested!

When you crack ATA password AES becomes obsolete and vice-versa. They are not in logical conjunction.

Impications? Well look at the market. Dozens of manufacturers and theirs ATA pass implementations. And you can crack almost any of them. There are specialized commertial firms witch offer ATA pass removal. And all these security implementation are hardware!! ATA pass is stored in drives firmware or data firmware areas!

The only solution to secure such encryption mechanism I can think of is to encrypt (strong encrypt) generated AES keys with ata pass internally.

Otherwise sooner or later some skilled hacker will find "authorization bit" and this whole sophisticated AES will be absolutely useless.

In my opinion this is not looking like enterprice class security. If I'm wrong, feel free to prove otherwise.

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Wed, 30 Mar 2011 15:19:16 GMT

I'm also interested in this, any word from Intel yet?

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Wed, 30 Mar 2011 16:05:14 GMT

Looking forward to your "official" answer. Still mostly speculation in the thread....

/Trist

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Wed, 30 Mar 2011 16:39:50 GMT

Hi,

another interesting question is (in my opinion) how the Intel 320-series FDE could work together with a new MacBook Pro (early 2011).

Because there's no BIOS - 'only' EFI.

I'm really looking forward to your answer! (hopefully for all questions in the thread)

/Shiek

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Wed, 30 Mar 2011 16:57:55 GMT

Hi SSDelightful . We are still waiting for the answers you promised two days ago. Please respond. Thx

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Wed, 30 Mar 2011 18:01:44 GMT

Another interesting question:

What about Intel's FDE and hot-swapping ATA password secured SSD Drive? Is it hot plug/hot swap possible with such security system enabled?

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Wed, 30 Mar 2011 18:20:32 GMT

Let's just cut to the chase:

Which of the recently released Intel desktop motherboards support the ATA Password feature.

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Wed, 30 Mar 2011 18:43:53 GMT

Lets cut the security thing also:

Are 320-series SSDs FIPS 140-x certified?

I would really appreciate Security Policy Documents from Intel directly.

This is how it looks in case of other manufacturers:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1299.pdf http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1299.pdf

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Fri, 01 Apr 2011 21:09:09 GMT

Why isn't Intel answering our question?

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Fri, 01 Apr 2011 22:54:51 GMT

The thing is that we have some precedences from the past which indicate that the drive could support internal AES128 encryption along with ATA password and NOT be more secure against thieves than conventional typical hdd.It is worth to addmit that ATA password could be set on any drive supporting Security ATA Extension Feature Set and most of the devices available today allow that.

All SandForce 12xx equipped drives offer internal AES128 and at the same time OCZ officially states that in his Vertex2 both mechanisms: ATA pass and AES128 are chained which means that if someone will broke any (whichever) of these two protections the whole security is defeated.

This is unacceptable considering how easy is to broke ATA password. The manufacturers used to save them in plain text (sic) on the firmware areas of their drives. They are not even hashed !!

So the whole matter is not a made up problem.

Clarifications are required.

We all are deeply interested in intel's new 320 series drives and some of us want to use them in the environment which requires security. And before making purchase decision we have to be sure that the confidential data of our firms could not be as easy to retrieve from stolen devices as in the case of competitive products.

Wrong thinking that you are secure is much worse then not being secured at all.

Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata — Sun, 03 Apr 2011 15:46:21 GMT

I believe that the ATA password and the disk encryption system are two totally separate items. All data written to the SSD is encrypted by the disk controller. It operates transparently without any user input. It is also completely useless you can restrict access to the SSD. Setting an ATA password is the key. ATA passwords are well known to be hardware crackable but only if the disk is unencrypted. If the disk is encrypted then the password cannot be recovered. Does the Intel 320 store the ATA password in encrypted form? Presumably it does. If this is indeed the case then data stored on the SSD will be secure.

However, there are two ATA passwords, User and Master. Some computer's BIOS only allow you to set the User password. The manufacturer-set Master password is not accessable. Anyone that knows the manufacturers password will be able to access your data (they may be only able to delete it, depending on whether the ATA security level is set to High or Maximum, a setting you probably do not have access to). Without being able to set a Master password your data is not secure.

The operative words in what I wrote are the first two, I believe. I only believe that what I wrote is correct I don't know for sure. Only Intel can come up with the answers to the questions this topic has asked.

Lew