Leichter, Jerry
Wed, 09 Jul 2008 07:54:04 -0700
On Tue, 8 Jul 2008, Perry E. Metzger wrote:
| >> Has anyone had any real-world experience with these yet? Are there
| >> standards for how they get the keys from the BIOS or OS? (I'm
| >> interested in how they deal with zeroization on sleep and such.)
| >
| > Most manufacturers (will) implement the TCG Storage Specification:
| > https://www.trustedcomputinggroup.org/groups/storage/
| >
| >> Lastly, anyone have any idea of whether the manufacturers are doing
| >> the encryption correctly or not?
| >
| > I know that Seagate Secure does not use XTS mode, but something CBC
| > based.
|
| Where do they get their IVs from?

I have no idea what they actually *do*, but the obvious way to get an IV is to use the encryption of the block number. Guaranteed known to whoever needs to decrypt the disk block, and unique for each disk block. (Using the disk block number itself as the IV is actually reasonably safe, too, though it seems a bit too structured - one can imagine files which have a leading count or even a copy of the disk block number in each disk block leading to an initial zero input to the encryption.)

(I think one of Phil Rogaway's papers suggests this kind of approach for a "safe" CBC API: Given an existing CBC API that takes an IV as input, instead build one that takes no explicit IV, but (a) maintains an internal counter; (b) prepends the current counter value to the supplied input and increments the counter; (c) supplies the underlying API with an IV of 0. The modified API can't be abused by accidentally re-using an IV.)

| In general, I feel like the only way to really verify that these
| things are being done correctly is to be able (in software) to read
| the ciphertext and verify that it is encrypted with the right key in
| the right mode. The small amount I've heard about the design leads me
| to worry that this is not actually possible.
Somehow we still haven't learned the lesson that the security can only come from (a) published, vetted algorithms and modes; (b) a way to check that the alleged algorithm is what the "black box" actually implements. Of course, for all you know it implements the algorithm while hiding a copy of the key away somewhere "just in case".... But that's a whole other problem.

-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
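The two IV choices weighed in the message above (the raw disk block number versus the encryption of the block number under a separate key), as an added Go example that is not from the post or from any drive vendor's firmware. The SectorCipher type, its keys and the 64-byte sample sectors are constructed for illustration; the FirstBlocksCollide check reproduces the "sector that begins with its own block number" case and shows why the raw-number IV makes every such sector's first ciphertext block identical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// SectorCipher (hypothetical): an AES key for the CBC data plus a second key used only to derive IVs.
type SectorCipher struct{ data, ivGen cipher.Block }
func NewSectorCipher(dataKey, ivKey []byte) *SectorCipher {
	d, err := aes.NewCipher(dataKey)
	g, err2 := aes.NewCipher(ivKey)
	if err != nil || err2 != nil {
		panic("AES keys must be 16, 24 or 32 bytes")
	}
	return &SectorCipher{data: d, ivGen: g}
}

// RawBlockNumberIV: the block number itself, zero-padded to one AES block.
func RawBlockNumberIV(blockNo uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], blockNo)
	return iv
}

// EncryptedBlockNumberIV = E_ivKey(blockNo): known to whoever decrypts and
// unique per block, but uncorrelated with any block number in the plaintext.
func (s *SectorCipher) EncryptedBlockNumberIV(blockNo uint64) []byte {
	iv := RawBlockNumberIV(blockNo)
	s.ivGen.Encrypt(iv, iv)
	return iv
}

// EncryptSector CBC-encrypts one sector (length a multiple of 16) under iv.
func (s *SectorCipher) EncryptSector(iv, plain []byte) []byte {
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(s.data, iv).CryptBlocks(out, plain)
	return out
}

// FirstBlocksCollide encrypts two constructed sectors that each start with their own
// block number (the post's structured-file case) and reports whether the first
// ciphertext blocks match: with the raw IV the first cipher input is IV XOR blockNo = 0.
func FirstBlocksCollide(s *SectorCipher, ivFor func(uint64) []byte, a, b uint64) bool {
	sector := func(n uint64) []byte { return append(RawBlockNumberIV(n), make([]byte, 48)...) }
	ca := s.EncryptSector(ivFor(a), sector(a))
	cb := s.EncryptSector(ivFor(b), sector(b))
	return bytes.Equal(ca[:aes.BlockSize], cb[:aes.BlockSize])
}
```

Pass RawBlockNumberIV as ivFor to see the collision, and s.EncryptedBlockNumberIV to see it disappear; decryption uses cipher.NewCBCDecrypter with the same derived IV.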