[Cryptography] Sabotaged hardware (was Re: Opening Discussion: Speculation on "BULLRUN")

[Jerry Leichter]

On Sep 6, 2013, at 11:37 AM, John Ioannidis wrote:
> I'm a lot more worried about FDE (full disk encryption) features on modern disk drives, for all the obvious reasons.
> 
If you're talking about the FDE features built into disk drives - I don't know anyone who seriously trusts it.  Every "secure disk" that's been analyzed has been found to be "secured" with amateur-level crypto.  I seem to recall one that advertised itself as using AES (you know, military-grade encryption) which did something like:  Encrypt the key with AES, then XOR with the result to "encrypt" all the data.  Yes, it does indeed "use" AES....

There's very little to be gained, and a huge amount to be lost, be leaving the crypto to the drive, and whatever proprietary, hacked-up code the bit-twiddlers who do driver firmware decide to toss in to meet the marketing requirement of being able to say they are secure.  Maybe when they rely on a published standard, *and* provide a test mode so I can check to see that what they wrote to the surface is what the standard says should be there, I might change my mind.  At least them, I'd be worrying about deliberate attacks (which, if you can get into the supply chain are trivial - there's tons of space to hide away a copy of the key), rather than the nonsense we have today.

> And if I wanted to be truly paranoid, I'd worry about HSMs to
> 
Now, wouldn't compromising HSM's be sweet.  Not that many vendors make HSM's, and they are exactly the guys who already have a close relationship with the CI (crypto-industrial) complex....
                                                        -- Jerry


> /ji

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130906/58587933/attachment.html>