[Cryptography] Sabotaged hardware (was Re: Opening Discussion: Speculation on "BULLRUN")

Jerry Leichter leichter at lrw.com
Fri Sep 6 14:05:43 EDT 2013

On Sep 6, 2013, at 11:37 AM, John Ioannidis wrote:
> I'm a lot more worried about FDE (full disk encryption) features on modern disk drives, for all the obvious reasons.
If you're talking about the FDE features built into disk drives - I don't know anyone who seriously trusts it.  Every "secure disk" that's been analyzed has been found to be "secured" with amateur-level crypto.  I seem to recall one that advertised itself as using AES (you know, military-grade encryption) which did something like:  Encrypt the key with AES, then XOR with the result to "encrypt" all the data.  Yes, it does indeed "use" AES....

There's very little to be gained, and a huge amount to be lost, by leaving the crypto to the drive, and whatever proprietary, hacked-up code the bit-twiddlers who do driver firmware decide to toss in to meet the marketing requirement of being able to say they are secure.  Maybe when they rely on a published standard, *and* provide a test mode so I can check to see that what they wrote to the surface is what the standard says should be there, I might change my mind.  At least then, I'd be worrying about deliberate attacks (which, if you can get into the supply chain, are trivial - there's tons of space to hide away a copy of the key), rather than the nonsense we have today.

> And if I wanted to be truly paranoid, I'd worry about HSMs too
Now, wouldn't compromising HSMs be sweet.  Not that many vendors make HSMs, and they are exactly the guys who already have a close relationship with the CI (crypto-industrial) complex....
                                                        -- Jerry

> /ji
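
Added example, not part of the original message and not any vendor's code: a model of the recalled "AES, then XOR" design, showing why a single fixed 16-byte pad gives no confidentiality and how repeated ciphertext blocks expose it when evaluating a drive. Assumptions: the pad stands in for the AES-encrypted key (its derivation does not matter once it is fixed), and the disk image and all function names are constructed for illustration.

```python
import os

BLOCK = 16  # AES block size in bytes


def xor_pad_encrypt(data: bytes, pad: bytes) -> bytes:
    """Modelled scheme: every 16-byte block is XORed with the same fixed pad.
    XOR is its own inverse, so this also decrypts."""
    return bytes(b ^ pad[i % BLOCK] for i, b in enumerate(data))


def recover_pad(ciphertext: bytes, offset: int, known_plain: bytes) -> bytes:
    """One known plaintext block at a block-aligned offset yields the pad."""
    if offset % BLOCK or len(known_plain) != BLOCK:
        raise ValueError("need one full, block-aligned known plaintext block")
    block = ciphertext[offset:offset + BLOCK]
    return bytes(c ^ p for c, p in zip(block, known_plain))


def repeated_block_ratio(ciphertext: bytes) -> float:
    """Fraction of ciphertext blocks that duplicate another block.
    A sound disk mode tweaks each block by position, so this stays near 0."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return 1 - len(set(blocks)) / len(blocks)


def sample_image() -> bytes:
    """Constructed disk image: zero-filled free space around one record."""
    record = b"CONFIDENTIAL RECORD #1 payroll.."
    return bytes(BLOCK * 4) + record + bytes(BLOCK * 2)


def evaluate(pad: bytes):
    """Encrypt the sample image, then read it back without knowing the pad."""
    image = sample_image()
    ct = xor_pad_encrypt(image, pad)
    # Unused sectors are typically all zeros; block 0 of the sample is one.
    guessed = recover_pad(ct, 0, bytes(BLOCK))
    return guessed, xor_pad_encrypt(ct, guessed), repeated_block_ratio(ct)


if __name__ == "__main__":
    pad = os.urandom(BLOCK)  # stand-in for AES(key); assumption, see lead-in
    guessed, plain, ratio = evaluate(pad)
    print("pad recovered from a zero block:", guessed == pad)
    print("image readable without the key: ", plain == sample_image())
    print("repeated ciphertext block ratio:", ratio)
```

A high repeated-block ratio on a raw read of the media is the kind of result the "test mode" mentioned above would make visible.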
