NL
university researchers disclose delusion of security blanket delivered by
popular self encrypting SSDs
Editor:- November 8, 2018 -
Researchers at Radboud University, in the
Netherlands have recently
published
a paper - self-encrypting
deception: weaknesses in the encryption of SSDs (pdf).
The authors
conclude - "we found that many hardware implementations of full disk
encryption in SSDs have critical security weaknesses, for many models allowing
for complete recovery of the data without knowledge of any secret... This
challenges the view that hardware encryption is preferable over software
encryption. We conclude that one should not rely solely on hardware encryption
offered by SSDs."
After discovering the ineffectiveness of the
protection offered by the encryption hardware in the models affected - the
authors alerted the authorities and agreed to wait 6 month before publishing
their paper so as to enable the manufacturers - whose products had been tested
(Micron and Samsung confirmed the vulnerability issues) to work on firmware
updates.
The paper also examines commonly held assumptions about the
security of encryption engines in various states when analyzed from particular
attack directions. ...read the
artice (pdf)
Editor's comments:- as with all
aspects of SSD design
- the correlation between what the customer expects and what does actually
happen in the real world depends on the quality of the designers and the
verification process. That's why it's not unusual in mission critical projects
using industrial
SSDs for the customer verification process to take longer in elapsed time
than it took to design the original SSD.
See also:-
Why consumers should
expect to see more flaky SSDs (2009)
dust to dust and SSD data sanitization
Editor:-
October 2, 2018 - Is there an opposite concept to data recovery? - is how I
approached the tail end of a long blog - written during the 2018 hurricane
season - which looked back at many things I had
learned
about the capabilities of the data recovery market in my 19 years or so of
easy access to them in my role as a storage blogologist. SSD analyst /
futurologist sounds better.
Is there an opposite concept to data
recovery?
It was rhetorical question - to which I immediately appended
a ready made answer which I had used here on StorageSearch.com several times
before to
link disparate themes which in my view sometimes needed reminders that they
were - in extremis - unwillingly linked.
You may have your own
retorts. But mine - aiming swiftly I thought to end an already long blog - was
this...
"Yes. The flip side to data recovery is fast purge SSDs
and disk sanitizers."
There aren't any prizes if you thought of
similar answers.
I thought that was that and a good enough ending -
but then a reader from an SSD / HDD sanitization services company contacted me
about the blog.
He said I could share what we had talked about. So I
added our conversation and some links to the end of my retrospective data
recovery blog - where it fits in more snugly than it may appear to do right
here and now. Anyway you can
read it
here.
new report lists malware attack vectors for memory in
processors
Editor:- June 14, 2018 -
Security
Issues for Processors with Memory is a new report (90 pages, $975) by Memory Strategies International
with ramifications (I had to use that word) for the memoryfication of processors
market.
The report includes a comprehensive list of the dimensions in
which security can be attacked and outline of design mitigation directions.
Among other things the scope includes:- "Issues of volatile
vs. non-volatile memory for cache and main memory involve consideration of
security hazards. Cryptography in multicore coprocessor systems are an issue.
Security of data on network buses is critical for military, medical and
financial systems with remedies suggested for replay attacks..." ...see more
about this report
See also:-
optimizing
CPUs for use with SSD architectures
How do banks use big memory systems to detect and prevent fraud?
Editor:-
January 9, 2017 - In the early 2000s I started hearing stories from vendors
of
ultrafast SSDs
about how their fast memory systems were helping banks to not only ease the
choke points in their transactions but also provide insights into fraud
prevention.
A new white paper GridGain
Systems provides a good introduction and synthesis of
the
various roles of in-memory computing in accelerating financial fraud detection
and prevention (pdf) which includes many named bank examples.
This paper describes how in memory computing provides the low latency data
sharing backbone which is needed to enable pattern detection for fradulent
activity to be assessed in real-time while at the same time enabling genuine
transactions to proceed quicky.
Among other things, the paper says...
"The
move from disk to memory is a key factor in improving performance. However,
simply moving to memory is not sufficient to guarantee the extremely high memory
processing speeds needed at the enterprise level... Clients who have implemented
the GridGain In-Memory Data Fabric to detect and prevent fraud in their
transactions have found that they can process those transactions about 1,000
times faster." ...read
the article (pdf)
Maxim samples deep cover security chip
Editor:-
October 5, 2016 - A nonvolatile, decrement-only counter with authenticated read
and tiny amount - 8Kbits - of EEPROM for user data, keys, and certificates
are part of an interesting
DeepCover
Secure Authenticator chip which is now sampling and was
announced
today by Maxim .
new memories, new questions about data security
Editor:-
August 4, 2016 - the need to manage data risk when recycling hard drives,
SSDs and other storage devices is well known. But what about so called "volatile
memory" like DRAM?
We've become accustomed to seeing crossover
architecture concepts between storage and memory as the market progresses
towards more
complex memory systems and enterprise storage.
Interesting security
questions arise when virtual RAM becomes implemented by memories such as
flash and other alternative
nvms. And what about DRAM itself?
It was those thoughts which led
to my new blog -
is data
remanence a new risk factor in persistent memory?
FIPS makes for health compliant SSDs
Editor:- July
28, 2016 - A new
blog
by Micron -
discusses FIPS 140-2 validation in its
range
of SAS SSDs.
The author - Anne Haggar, Product
Marketing Leader, Micron says (among other things)...
"We are
finding that U.S. federal agencies arent the only organizations that are
interested in the extra security these drives provide. Companies in health care
and financial services who face stiff fines for non-compliance and huge risks if
they have a data breach are adding FIPS 140-2 compliance to their requirements."
...read
the article
Virtium offers encryption in all its industrial SSD form factors
Editor:-
June 28, 2016 -
Virtium today
announced self-encrypting drive features as options throughout all the form
factors in its StorFly range of industrial SSDs.
"These
support multiple SATA form factors, including 2.5", 1.8", Slim SATA,
mSATA, M.2, and CFast. Additionally, they support all 3 StorFly reliability
classes CE (MLC), XE (industrial-grade MLC) and PE (SLC)" said Scott Phillips,
VP of marketing at Virtium.
more about the security features
Virtium
SED uses random AES encryption keys that are generated at product initialization
(leveraging the drive controller's integrated random number generator), which
are hashed and then stored within the drive itself. They are used in conjunction
with the integrated AES encryption engine to encrypt and store the host data on
the NAND flash without burdening the host system.
The encryption keys
are non-retrievable and cannot be changed without the complete loss of the data
on the SSD. Virtium's new StorFly SEDs are Trusted Computing Group Opal
2.0-compatible and support hardware and software initiated crypto-erase and
block-erase features that satisfy requirements of the National Institute of
Standards and Technology Special Publication 800-88 Revision 1 Guidelines for
Media Sanitization. These features are persistent through power interruption
cycles.
what goes on inside AES encrypted SSDs?
Editor:- May
6, 2016 -
Securing
SSDs with AES Disk Encryption - by C.C. Wu, VP Innodisk - is a
new article published on Electronic
Design.
Among other things in this very detailed and
educational article Wu cautions readers about the limitations of encrypted
SSDs...
"As strong as the 256-bit AES encryption is on encrypted
SSDs, it only protects data at rest, i.e., when the system is turned off. To
protect data in flight, data-loss-prevention (DLP) techniques, use of secure
communication protocols, and other security measures must be taken." ...read
the article
what's a military SSD?
Editor:- April 18, 2016 -
what's a military SSD? Unlike other parts of the SSD market such as where
SSDs designed for one market can be redeployed into another (consumer technology
drives placed in arrays and wrapped around by enough
RAM,
RAID and
software to enable
their safe use for enterprise arrays) you'd think that the determination of what
is a military SSD should be quick and relatively unambiguous.
So when
we ask the next question - what is a military SSD company? That should be even
easier to decide.
I've long believed it would be useful to compile
and publish a simple frills-free list of military SSD companies which readers
could use a guide for their own follow-up research. You can see more about
my progress on this editorial project in my new
home page blog -
a
simple list of military SSD companies (how hard can it be to compile one?)
Apple and FBI case demonstrated difficulties of SSD data recovery
Editor:-
March 3, 2016 - If anyone still had doubts about how difficult it is to recover
data from an encrypted SSD in the absence of a universal back-door key - the
proposition has been lent weight by the recent story rippling around the
world's news media about the FBI's efforts to force Apple to assist in
unlocking iphones. In the unlikely event you don't know what I'm talking about
-
click
here to see summaries of the unfolding story.
Data recovery
techniques have
multiple uses and many of them originated as part of intelligence and law
enforcement data gathering activities.
Defeating data recoverability is
a primary objective of
security and
autonomous data
destruction design techniques used in many
military SSDs.
Kingston toughens up USB range with IronKey
editor:-
February 8, 2016 - Kingston
today
announced
it has acquired the USB technology and assets of IronKey from Imation.
Implementing the XTS-AES Standard for SSDs on Xtensa Processors
Editor:-
February 5, 2016 - "An XTS-AES engine based on the Xtensa processor can
provide performance that rivals most hardware solutions, but retains the ease of
design and flexibility found in software based solutions."
That's
the summary of a paper -
Implementing
the XTS-AES Standard on Xtensa Processors (pdf) - which is one of several
resources in a new set of the
SSD Bookmarks
today on the home page of StorageSearch.com
The
new set of bookmarks were suggested by Neil Robinson
who is Product Marketing Director, Tensilica Processor IP, Cadence.
how fast is fast erase?
Editor:- January 26, 2016 - When it comes to
SSD security - how
fast is fast erase?
Over the years I've reported
many
examples of this (erase) and also other methods of
data
destruction the rule of thumb has been:- the bigger the capacity of
the drive - the more time in seconds it takes (and more electrical energy
too).
A
press
release today from Foremay suggests a
fast and scalable sanitization route may come from what they call "crypto
erase" - which renders all data scrambled, scattered and useless.
It's
fast. Takes only a second to complete the crypto erase of a Foremay SED SSD with
capacity of up to 20TB.
This erase can be triggered by a command or a user presettable
threshold of failed access attempts.
Commenting on the benefits of
intrinsic hardware encryption instead of relying on software and aside from
the obvious performance - Foremay says hardware encryption is far more secure
because software can be corrupted...
"Information security on
SSD drives has become increasingly important to all users, particularly in
government, defense, financial and medical industries," said Jack Winters, Foremay's
CTO and cofounder.
Editor's comments:- The effect - I guess -
is a bit like the accidental predicament of needing
data recovery for
a damaged and unsupported encrypted SSD. But a deliberate erase like this
will be more systematic and probably doesn't have a single mode recovery
lever.
|
. |
 |
. |
Cache latency is key to
side-channel attack technique which can breach cloud server security walls
Editor:-
October 29, 2015 - Cache jitter and latencies are more than simply
performance
quality issues - they can be the root of
security
vulnerabilities too.
The juxtaposition of these concepts in colocated
cloud servers presents
risks which were reported
recently by researchers at Worcester
Polytechnic Institute.
The research team used a combination of
techniques to first create a virtual machine on the same Amazon cloud server as
a target machine (a technique known as co-location). They then used the
co-located machine to spy on the target. By observing how it accessed
information in memory, they could determine when it was retrieving its RSA key.
Then by charting the timing of the memory access they were able to deduce the
key's actual numeric sequence. ...read the summary
new ORG - Drive Trust Alliance seeks sponsors
Editor:-
August 10, 2015 - if you didn't think there were already enough
ORGs related to the storage
market - then a new one today has been proposed by
Coughlin
Associates and (new to me) Bright
Plaza, Inc.
The Drive
Trust Alliance at http://www.drivetrust.com (which currently redirects
to http://www.brightplaza.com/products/#tdta) is "an alliance of companies,
organizations, and individuals that will benefit from cost efficiencies in
marketing on-going education and the creation and support of open source
software for managing Self-Encrypted Drives".
Microsem licenses DPA countermeasure technologies from Rambus
Editor:-
January 29, 2015 -
Rambus today
announced
that Microsemi
will serve as reseller in the government and military sectors for certain
differential power analysis (DPA) technologies developed by Rambus's
cryptography research division.
As the first major FPGA company to
license DPA
countermeasures, Microsemi has identified DPA as a significant vulnerability
in chip security, specifically for the mission-critical applications found in
government and military settings.
SSD Encryption Everywhere?
Editor:- August 25, 2014
- the future of SSDs is "self-encryption everywhere!"
That's
the conclusion of a paper -
SSDs
with Self Encryption: Solidly Secure (pdf) - which was presented recently
at the Flash Memory Summit.
The
author Michael Willett
(who has worked as a storage security strategist for various leading
organizations) reviews the threats and business impacts posed by data security
breaches, and compares the performance of HDDs and SSDs both with and without
encryption.
Editor's comments:- while I'd agree that security
inside storage devices is nearly always a good thing - I can think of some
examples in which the opposite is true.
For example:- when scientists
are using SSDs as data loggers which collect raw physical data - particularly
in experiments where due to environmental conditions there is a possibility
that the drives may fail during the experiments.
Drives which are
encrypted pose challenges for
data recovery.
So
disabling encryption - or not having it in the first place - may be a good thing
for this type of application.
The biggest risk posed by losing the
drive in a phsyics experiment - or astronomical observation - is that one of
your colleagues extracts the data before you - but you'd know that by reading
their paper!
On the other hand if the drive fails - and it's still in
your possession - then you can recover the data for yourself - you may change
your career prospects by having captured the details of a rare event.
Cactus adds write disable switch to industrial CFast
Editor:-
April 10, 2014 - Cactus
Technologies today
announced
that it has introduced a new security option - of having a physical
write protect switch - in its
900S
series of industrial SLC CFast SSDs.
It works like this. When
the write protect switch is in the disabled position, the CFast card reads and
writes as normal. When the switch is enabled, the card will read as normal, but
all write attempts are ignored. Data already stored on the card is safe from
overwrite.
"This write protect feature has already been
successfully implemented in the gaming, military and other markets" said
Sai-Ying
Ng, President of Cactus Technologies.
Who's got your keys?
Editor:- April 5, 2014 - "Think
about it" says Chandar
Venkataraman, Chief Product Officer, Druva
- "If your service provider has access to your encryption keys, can you
really say that your data is secure?"
That's just one of the
thought provoking ideas in his new blog -
5
Things You Didn't Know About the Cloud
See also:-
SSD empowered cloud,
SSD enterprise software
Apacer's new waterproof SSD
Editor:- January 28, 2014
-
Apacer says it
wil demonstrate a new "seamless waterproof SSD that operates even when
immersed in water" on Booth #700 at the
DistribuTECH 2014 show which
starts today in San Antonio, TX.
see also:-
industrial SSDs
Microsemi's new SSD for vetronics can erase 256GB in < 8S
Editor:-
May 23, 2013 -
Microsemi
today
announced that it has
secured multiple design-wins for its new Series 200 TRRUST-Stor (rugged self
encrypting, 2.5" SATA SSD with 256GB SLC capacity and
fast purge).
The
company says a full hardware-based erase takes less than 8 seconds. The 200
model has R/W throughput which is twice as fast as the company's earlier
TRRUST-Stor due to a new generation of the company's Armor processor.
Developed to endure harsh environments the new SSD - which has
hardware-implemented AES 256 encryption - can withstand up to 3,000G shock and
30G rms of vibration.
Toshiba samples encrypted SAS SSD
Editor:- January 6,
2013 - Toshiba
says
it's sampling a new range of 2.5"
SAS MLC SSDs - with
self encrypting security
features and on board
sanitization.
The PX02SMQ/U has upto 1.6TB capacity.
Crocus will sample secure fast MRAM controllers in January 2013
Editor:-
November 5, 2012 - Crocus
Technology today
announced
that in January 2013 it will sample 1.2MByte high speed SIMs and small secure
MRAM
controllers. The
fast R/W speeds will enable optimized personalization and over-the-air updates
in NFC-enabled
smartphones.
"The CT32MLU product family breaks the barrier of traditional
non-volatile memory that
will provide smartcard makers with best-in-class secure element microcontrollers
with a 20 to 30% smaller footprint," said Alain Faburel,
VP security business unit at Crocus Technology.
SSDs or hard drives? - the data forensics differences
Editor:-
October 23, 2012 - When you need to retrieve critical unbacked up data from a
damaged notebook (which you left in the car when you clambered out the
window after realizing that the puddle across the road was much deeper than you
first thought) you call the process "data recovery" - but
when a court seizes a suspect's notebook to try and retrieve data which may have
been deliberately "deleted" - they call it "data forensics"
- either way - in the most demanding cases the experts who work on these tasks
are the same.
SSD Data Recovery
(as opposed to dumb flash memory recovery) is a relatively new market which
didn't exist 5 years ago.
A recent article
Why
SSD Drives Destroy Court Evidence - on a site called
ForensicFocus.com - discusses how
techniques which are essential to the operation of flash SSDs (such as
garbage collection
and wear leveling)
mean that from the forensic viewpoint SSDs yield up potentially much less
deliberately deleted recoverable data than hard drives.
RunCore's video - phone to purge USB SSD
Editor:-
May 22, 2012 - sometimes if I'm watching a movie I realize it's going to be
bad - but in a way which is nevertheless all too fascinating to watch. How bad
it will get? Look! - see it's getting worse - but still taking itself
seriously. So - instead of zapping it like I should - I stay transfixed.
Such bad movies are an artform.
What about promotional videos though?
- on the subject of SSDs...
Mostly these are just time wasting. But
today - in the "so dreadful I kept watching it nearly to the end"
category was a
new video
on YouTube from RunCore about its Xapear SSD.
RunCore was the first
company to haul "phone to
purge capability"
over the cost
chasm which divides military
SSDs over to the
consumer SSD market
- which it did 2
years ago - and the new video is simply about their latest model which
combines RFID with the phone zap technology in an external USB connected SSD.
As a security
concept I was convinced the idea had merit - when I first wrote about it 2
years ago. So I wasn't keen to see another new video about the same topic. But
I'm glad I did - because it's an artform. ...click to
watch video
Samsung enters fast erase SSD market
Editor:-
January 5, 2012 - Samsung
has entered the fast
purge SSD market - which currently numbers about 25 companies.
The
company says that models of its PM810 2.5" SATA SSD family with its Crypto
Erase technology deletes targeted data in a couple of seconds regardless of the
overall volume of data or the capacity of the SSD. These models have been
validated for compliance to
NIST
FIPS 140-2
a new way to kill flash SSD data
Editor:- March 15,
2011 - Pangaea
Media has recently entered the
SSD backup market with a
removable 2.5" SSD
which integrates backup,
encryption and a
completely new (to me) patented
fast purge
technology.
SSD Bookmarks - from Foremay's CTO and co-founder
Editor:-
March 1, 2011 - StorageSearch.com
today published
SSD Bookmarks
- suggested by Jack H
Winters, CTO, Foremay
.
Jack H Winters' suggestions are focused on the topic of
managing data security in flash SSDs (both in working and not working devices).
These links take you on a tour of the published state of the art in fast /
secure SSD data erase and the related issue of SSD encryption.
RunCore launches world's 1st CF card SSD with fast purge
Editor:-
November 9, 2010 -
RunCore has launched
the world's first CF card compatible SSDs with fast (typically 30 seconds)
on-board sanitization
functions.
The fast erase - which is designed to protect confidential
data leaks and thwart any attempts at
data recovery - is
achieved by pressing a button or activating erase pins while the device is
powered. It can be once again used by formatting after the data destruction
process.
Editor's comments:- due to the popularity of the CF
form factor in consumer products many equipment designers have adopted it as a
convenient way of incorporating solid state storage into products in the
industrial, medical and prosumer markets. Without an on-board fast purge feature
- achieving effective
disk sanitization
as a software process in an SSD can take upto 24 hours (depending on disk
capacity). RunCore's industrial CF cards are true SSDs with wear-leveling,
vibration tolerance and low power consumption.
a reader asked me about notebook SSD encryption
Editor:-
June 29, 2010 - a reader asked me some good questions about
notebook SSD encryption.
Did encryption impact performance and endurance? Had I already written about
this in another article he had missed? ...see what I said
Super Talent's Cryptic USB 3 SSD
Editor:- March 2,
2010 - Super
Talent Technology today
announced
imminent availability of a new
encrypted
USB 3
flash SSD - with
upto 256GB capacity.
When I asked for more technical details I was
told the datasheet isn't ready yet. The USB 3.0 SuperCrypt is a true SSD (with
wear-leveling).
Internally the module (95 x 34 x 15.4 mm) is a
SATA SSD with a USB
bridge chip.
Fast Purge flash SSDs
Editor:- September 25, 2009 -
StorageSearch.com today
published a new directory of Fast Purge flash SSDs.
The
need for fast and secure data erase - in which vital parts of a flash SSD or
its data are destroyed in seconds - has always been a requirement in military
projects. Although many industrial SSD vendors are offering their products with
extended "rugged" operating environment capabilities - it's the
availability of fast purge which differentiates "true military" SSDs
which can be deployed in
defense applications.
Most Secure USB Flash Memory Stick
Editor:- July 13,
2009 - IronKey
today announced the launch of its S200 USB flash drive for government and
enterprise customers.
IronKey's CEO David
Jevans said: "The IronKey S200 is the first and only
USB flash drive to achieve
the demanding FIPS 140-2, Level 3 security validation from NIST, giving even
more proof that IronKey is the world's most
secure flash drive. We
are also releasing a suite of new enterprise remote management capabilities,
available over the Internet from the IronKey managed service, or from our
enterprise server software that companies can install and operate themselves."
ZoneLoc Prevents flash SSD Data Walking into the Wrong Hands
Phoenix, Arizona - February
12, 2009 - White Electronic Designs Corp announced a new technology -
ZoneLoc - which automatically desanitizes a flash SSD to military standards
- when the device is moved outside a specified operating zone - to prevent data
falling into enemy hands.
The boundary can be tied to a fixed
location or made to be portable for mobile applications. ZoneLoc has
configurable features and options, including audible warnings, programmable
response times, wireless remote purging and sensitivity modes. Because the
protected device takes its own action, autonomously, security is guaranteed.
...White Electronic
Designs profile, Storage
Security, Disk
Sanitizers
STMicroelectronics Samples Secure e-Passport Microcontroller
Geneva,
Switzerland - November 25, 2008 - STMicroelectronics is sampling a
new microcontroller for secure identity cards.
The ST23YR80, which offers contact and contactless interfaces,
complies with the most advanced security smartcard standards and meets
ICAO requirements for machine readable
travel documents. The EAC (extended access control) e-Passport operation will
be supported in less than 3.5 seconds. The device can also optimize the
operating distance and transaction time by adapting its processor clock speed to
the magnetic field of the application reader It has 80Kbytes of onchip flash
memory to store extra biometric data.
...STMicroelectronics
profile, storage chips |
. |

| |
... |
 |
... |
"Don't use
Self-Encrypting SSDs (if you think you might need a future data recovery)..."
|
That's the "advice" in a blog
SSDs: Flash Technology with
Risks and Side-Effects (August 2013) - by Kroll Ontrack - which
goes on to say -
"This type of encryption is very secure, but
ensures total data loss in the event of a failure. With SEDs, the encryption
keys are only known to the hardware manufacturers and will not be released.
What this means is in the event of a failure, the data is no longer accessible
to professional data
recovery companies". | | |
. |
 |
. |
In June 2006 -
SiliconSystems launched its SiliconDrive Secure family which had the widest
range of available storage security features in a solid state disk. New
features included security zoning (which controlled access rights to
different segments of the disk) in addition to a range of conventional disk
sanitization options. |
SSD Market
History | | |
. |
Why can't SSD's true
believers agree on a single shared vision for the future of solid state
storage? |
the SSD Heresies | | |
. |
|
. |
| |