[Cryptography] hardware vs software FDE (was Re: Shredding a file on a flash-based file system?)

Perry E. Metzger perry at piermont.com
Fri Jun 20 09:04:21 EDT 2014


On Thu, 19 Jun 2014 23:37:04 -0400 Darren Lasko <dlasko at ieee.org>
wrote:
> On Thu, Jun 19, 2014 at 5:06 PM, Perry E. Metzger
> <perry at piermont.com> wrote:
> 
> > It is different in a vital respect -- in the software
> > implementation, you can more or less check that everything is
> > working as expected, and you don't have to trust that the drive
> > isn't sabotaging you. That's quite different -- vitally so, I
> > think.
[...]
> However, to your point that "in the software implementation, you
> can more or less check that everything is working as expected,"
> this only holds true if it's open-source (and as we have found
> recently, this is still no guarantee against nasty security
> "flaws"), or if you're willing to reverse-engineer a closed-source
> product (which you could also do with a hardware-based product,
> though likely at a greater expense).

No. You are missing a very vital point.

If the sectors on the drive are encrypted with some particular
algorithm using some particular key, I can check, in a software-only
solution, that the sectors are indeed encrypted in that key using
that algorithm. After all, at worst, I can take the drive, plop it in
another machine, and verify the encryption. In the hardware FDE
implementations Seagate is pushing, no ability is provided to access
ciphertext and determine that the right algorithm is in use with the
correct key.

It is actually much worse than that since the hardware implementation
could be doing things like stashing keys in hidden sectors, but one
need not go so far as to worry about that because even the most basic
audit is impossible.


> While it's true that even with a closed-source product you can take
> a look at the ciphertext and verify that you see random-looking
> bits,

No, if they say "this is using AES-256 GCM" I can do more than that.

If your closed-source vendor is not telling you what algorithm and
mode they are using, they are of course also doing something
unacceptable and should be excluded from your purchases. It is
acceptable (though not even remotely optimal) if the encryption
implementation is closed source, but it is utterly unacceptable if
its method of operation is not fully disclosed.

Perry
-- 
Perry E. Metzger		perry at piermont.com
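
An added example, not part of the original message or of any product named in the thread: the known-key audit the message describes (read raw sectors on a second machine and check them against the stated key and algorithm), set beside the weaker "random-looking bits" check from the quoted reply. The cipher is a standard-library stand-in (an HMAC-SHA256 keystream) for whatever algorithm and mode a vendor discloses; the sector size, function names and sample image are assumptions constructed for illustration.

```python
import hashlib, hmac, math

SECTOR = 512  # bytes per sector (assumed)

def stand_in_encrypt(key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    """Stand-in for the vendor's disclosed cipher: HMAC-SHA256 keystream per sector.
    A real audit would call the disclosed algorithm and mode here instead."""
    stream = b""
    block = 0
    while len(stream) < len(plaintext):
        msg = sector_no.to_bytes(8, "little") + block.to_bytes(4, "little")
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))

def looks_random(data: bytes, threshold: float = 7.0) -> bool:
    """The weak check: Shannon entropy in bits per byte is above a threshold."""
    freq = [data.count(b) / len(data) for b in set(data)]
    return -sum(f * math.log2(f) for f in freq) >= threshold

def audit(raw_image: bytes, key: bytes, known: dict) -> dict:
    """Compare raw sectors, read on a second machine, against what the stated
    key and algorithm must produce for plaintext the auditor wrote earlier."""
    report = {}
    for n, plaintext in known.items():
        raw = raw_image[n * SECTOR:(n + 1) * SECTOR]
        if raw == stand_in_encrypt(key, n, plaintext):
            report[n] = "verified"
        elif raw == plaintext:
            report[n] = "plaintext on disk"
        elif looks_random(raw):
            report[n] = "random-looking, wrong key or algorithm"
        else:
            report[n] = "mismatch"
    return report

def demo() -> dict:
    # Constructed sample: three sectors of known plaintext and a fake raw image.
    key, other_key = b"K" * 32, b"X" * 32
    known = {n: (b"audit pattern %d " % n * 32)[:SECTOR] for n in range(3)}
    image = (stand_in_encrypt(key, 0, known[0])            # honest sector
             + stand_in_encrypt(other_key, 1, known[1])    # encrypted, but not with our key
             + known[2])                                   # never encrypted
    return audit(image, key, known)

if __name__ == "__main__":
    for sector, verdict in demo().items():
        print(sector, verdict)
```

Sector 1 in the constructed image passes the entropy check yet fails the audit, which is only detectable because the raw ciphertext is readable and the key and algorithm are known.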

