Hi Scott,
Thank you for the explanation.
If the true AES key is erased and a new AES key is generated upon 'KeyErase'
command, would you require user to perform partition and format after such
action? Also, since the Security ID is permanently stored inside the FDE drive,
would such new partition and format effectively destroy the new AES key along
with the Security ID?
How would you guarantee that AES key is safe and can not be extracted?
Thank you,
Robert
----- Original Message -----
From: "Scott S" <[EMAIL PROTECTED]>
To: "Robert Wann" <[EMAIL PROTECTED]>; <fde@www.xml-dev.com>
Sent: Friday, November 14, 2008 6:49 AM
Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black Armor
drive?
> Hi Robert,
>
> See response below.
>
> Scott
>
> On Thu, 13 Nov 2008, Robert Wann wrote:
>
>> Hi Scott,
>>
>> As the Security ID serves as a default password to unlock the FDE drive
>> inside the Black Armor, am I correct to assume that such unlock action
>> releases the true AES 128-bit key to allow the operation of the FDE drive?
>
> Correct.
>
>>If that's the case, do users require to partition and format the FDE drive
>>>after the default password entry?
>
> No, the password change does not affect the drive format given that the
> password is not the AES key. FYI, from the factory the drive comes
> partitioned and formatted as NTFS.
>
>>What happens to the AES key if user establishes a new password?
>
> Stays the same. The user is just changing the password that unlocks the AES
> key.
>
>>Can user get to generate the AES key or it is a default value stored
>>protected >by the Security ID at default and later at new password entry?
>
> The management software that comes with Black Armor provides a "KeyErase"
> feature. This feature is the same as a cryptographical erase (or crypo-erase)
> of the drive. If you were to perform this action, what is really happening is
> that the original AES key is destroyed, and a new AES key generate by drive
> itself. The AES key is not visible/accessiable to anyone/thing, except the
> drive itself. So yes, the user can generate it, but the user will never get
> to see it.
>
>> When you said the Security ID is also needed when the Black Armor hard drive
>> > needs to be cryptographically erased, exactly what do you mean
>> by "cryptographically erase?"
>
> By this I mean having the "effect" of erasing the drive so that all the data
> is no longer accessiable.
>
>>Is it an action that erases the true AES key or is it an action that erases
>>the previously established user's password?
>
> It is both. When the user does a "KeyErase", few things happens: 1) a new AES
> key is generated 2) the password is "defaulted" to the Security ID 3) the
> user is prompted to enter a new password. 4) the user is prompted to format
> the drive.
>
>> You also said: After the erase, the default password again becomes the
>> Security ID. Does this mean the FDE drive permanently stores the Security ID?
>
> Correct. The Security ID is permanent and does not change. Having said that,
> it's function is very specific and does not affect the data security itself.
> It severs more as an identification. For example, it prevents mallicious
> programs from automatically performing a "KeyErase", because the programs
> can't ID the drive.
>
>
> -------------------------------
>
>>
>> Thank you,
>> Robert Wann
>>
>>
>>
>>
>> ----- Original Message -----
>> From: "Scott S" <[EMAIL PROTECTED]>
>> To: <fde@www.xml-dev.com>
>> Sent: Thursday, November 13, 2008 3:27 AM
>> Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black Armor
>> drive?
>>
>>
>>> Hi Dave,
>>>
>>> Security ID serves two functions:
>>>
>>> 1) It is the default password of the Black Armor. Like the way a user needs
>>> the old password to change to a new password, the Security ID serves as the
>>> old password.
>>>
>>> 2) The Security ID is also needed when the Black Armor hard drive needs to
>>> be cryptographically erased (because the user wants to, or because the user
>>> forgot the password). After the erase, the default password again becomes
>>> the Security ID.
>>>
>>> One of the decision point of developing Black Armor was, what to do when
>>> the user forgets the password. Should the drive become totally useless?
>>>
>>> The arguement for making it into a "brick" if the password is not known is
>>> that is reduces the "steal value" of the device.
>>>
>>> For the Black Armor, if the password is not known, it can be reused. But
>>> first the data needs to be wipeout.
>>>
>>> Scott
>>>
>>>
>>> On Tue, 11 Nov 2008, Dave Jevans wrote:
>>>
>>>>
>>>> I just setup a Seagate/Maxtor Black Armor hardware encrypted drive.
>>>>
>>>> When you setup the device, and before you choose your password, you
>>>> have to enter in a 25 character "Security ID" which looks like a
>>>> software license key, and is printed on the back of the drive's case.
>>>>
>>>> Why would you have to do this? Since it's printed on the outside of
>>>> the case, why doesn't the device already know this serial number
>>>> internally, and why would it care?
>>>>
>>>> Initially my skeptical mind figured this is actually the AES key, or
>>>> a back-door encryption key.
>>>>
>>>> But with more thought, I figured that perhaps it's because the device
>>>> is manufactured in China, and it's a clone prevention technique?
>>>> Maybe the sticker is added to the device when they are packaged in
>>>> the US, and the security ID number is needed to activate the
>>>> encryption? This prevents a Chinese factory from creating clone
>>>> devices using their controller?
>>>>
>>>> Anyone from Seagate on this list that can comment?
>>>>
>>>> _______________________________________________
>>>> FDE mailing list
>>>> FDE@www.xml-dev.com
>>>> http://www.xml-dev.com/mailman/listinfo/fde
>>>>
>>>
>>>
>>> _______________________________________________
>>> FDE mailing list
>>> FDE@www.xml-dev.com
>>> http://www.xml-dev.com/mailman/listinfo/fde
>>>
>
>
_______________________________________________
FDE mailing list
FDE@www.xml-dev.com
http://www.xml-dev.com/mailman/listinfo/fde
