Scott,

This is not exactly right. Seagate supports Enterprise SSC on enterprise-class
Cheetah drives. However, Momentus FDE.1 and FDE.2 are based on the
proprietary authentication scheme. I hope Seagate folks can clarify on
FDE.3.

The first laptop TCG Opal drive was demonstrated today by Fujitsu in San
Francisco, and I would like to congratulate the Fujitsu team on this great
achievement.

Dmitry




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Scott S
Sent: Monday, November 17, 2008 4:50 PM
To: fde@www.xml-dev.com
Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black Armor
drive?

Robert,

My responses were just simplified/"easy to read" answers to your questions.
For full technical details and the architecture schema of the security, you
will need to contact Seagate. I can tell you, however, that Seagate's FDE
drives (like the one in Black Armor) are based on the trusted storage specs
from the Trusted Computing Group:
https://www.trustedcomputinggroup.org/specs/Storage/

Scott

On Mon, 17 Nov 2008, Robert Wann wrote:

> Scott,
>
> Thank you. Speaking of preserving the AES key and SecurityID as well as other
vital information, I suspect it is the drive controller and its firmware
that controls the hidden sectors access, not the encryption/decryption ASIC,
for the reason that the AES key and SecurityID won't get destroyed during
another round of partition and format.
>
> From reading your remark, it seems to me that the AES key is guarded by
either the SecurityID or the user's password, which are all written into the
hidden sectors controlled by the drive firmware. Your remark "This is part of
the FDE "enclosed" construct. AES key is only known and used by the drive"
does not offer the complete security architecture of the FDE drive and thus
is not persuasive.
>
> By the way, are you an employee or affiliate of Seagate?
>
> Thanks,
> Robert
>
>
>
> ----- Original Message -----
> From: "Scott S" <[EMAIL PROTECTED]>
> To: <fde@www.xml-dev.com>
> Sent: Saturday, November 15, 2008 6:56 AM
> Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black Armor
drive?
>
>
>> Robert,
>>
>> See response below.
>>
>> Scott
>>
>>> If the true AES key is erased and a new AES key is generated upon a
>>> 'KeyErase' command, would you require the user to perform a partition
>>> and format after such an action?
>>
>> Yes, the user is required to set up a new password and format the drive.
>>
>>> Also, since the Security ID is permanently stored inside the FDE
>>> drive, would such a new partition and format effectively destroy the
>>> new AES key along with the Security ID?
>>
>> No. Formatting does not affect the AES key and Security ID at all. They
>> are in an area protected from any external I/O access. The ASIC chip on
>> the drive that is processing the automatic encryption/decryption
>> preserves this vital information (and other things) in a way that is
>> totally transparent to the user (and OS), once the user has authenticated.
>>
>>> How would you guarantee that the AES key is safe and cannot be extracted?
>>
>> This is part of the FDE "enclosed" construct. The AES key is only known
>> to and used by the drive.
>>
>> --------------------
>>
>>
>>> ----- Original Message -----
>>> From: "Scott S" <[EMAIL PROTECTED]>
>>> To: "Robert Wann" <[EMAIL PROTECTED]>; <fde@www.xml-dev.com>
>>> Sent: Friday, November 14, 2008 6:49 AM
>>> Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black
Armor drive?
>>>
>>>
>>>> Hi Robert,
>>>>
>>>> See response below.
>>>>
>>>> Scott
>>>>
>>>> On Thu, 13 Nov 2008, Robert Wann wrote:
>>>>
>>>>> Hi Scott,
>>>>>
>>>>> As the Security ID serves as a default password to unlock the FDE
drive inside the Black Armor, am I correct to assume that such an unlock
action releases the true AES 128-bit key to allow the operation of the FDE
drive?
>>>>
>>>> Correct.
>>>>
>>>>> If that's the case, are users required to partition and format the FDE
drive after the default password entry?
>>>>
>>>> No, the password change does not affect the drive format given that the
password is not the AES key. FYI, from the factory the drive comes
partitioned and formatted as NTFS.
>>>>
>>>>> What happens to the AES key if the user establishes a new password?
>>>>
>>>> Stays the same. The user is just changing the password that unlocks the
AES key.
>>>>
>>>>> Can the user generate the AES key, or is it a default value stored
protected by the Security ID at default and later at new password entry?
>>>>
>>>> The management software that comes with Black Armor provides a
"KeyErase" feature. This feature is the same as a cryptographic erase (or
crypto-erase) of the drive. If you were to perform this action, what is
really happening is that the original AES key is destroyed, and a new AES
key is generated by the drive itself. The AES key is not visible/accessible
to anyone/thing, except the drive itself. So yes, the user can generate it,
but the user will never get to see it.
>>>>
>>>>> When you said the Security ID is also needed when the Black Armor
>>>>> hard drive needs to be cryptographically erased, exactly what do you
mean by "cryptographically erase?"
>>>>
>>>> By this I mean having the "effect" of erasing the drive so that all the
data is no longer accessible.
>>>>
>>>>> Is it an action that erases the true AES key or is it an action that
erases the previously established user's password?
>>>>
>>>> It is both. When the user does a "KeyErase", a few things happen: 1) a
new AES key is generated; 2) the password is "defaulted" to the Security ID;
3) the user is prompted to enter a new password; 4) the user is prompted to
format the drive.
>>>>
>>>>> You also said: After the erase, the default password again becomes the
Security ID. Does this mean the FDE drive permanently stores the Security
ID?
>>>>
>>>> Correct. The Security ID is permanent and does not change. Having said
that, its function is very specific and does not affect the data security
itself. It serves more as an identification. For example, it prevents
malicious programs from automatically performing a "KeyErase", because the
programs can't ID the drive.
>>>>
>>>>
>>>> -------------------------------
>>>>
>>>>>
>>>>> Thank you,
>>>>> Robert Wann
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Scott S" <[EMAIL PROTECTED]>
>>>>> To: <fde@www.xml-dev.com>
>>>>> Sent: Thursday, November 13, 2008 3:27 AM
>>>>> Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black
Armor drive?
>>>>>
>>>>>
>>>>>> Hi Dave,
>>>>>>
>>>>>> Security ID serves two functions:
>>>>>>
>>>>>> 1) It is the default password of the Black Armor. Like the way a user
needs the old password to change to a new password, the Security ID serves
as the old password.
>>>>>>
>>>>>> 2) The Security ID is also needed when the Black Armor hard drive
needs to be cryptographically erased (because the user wants to, or because
the user forgot the password). After the erase, the default password again
becomes the Security ID.
>>>>>>
>>>>>> One of the decision points in developing Black Armor was what to do
when the user forgets the password. Should the drive become totally useless?
>>>>>>
>>>>>> The argument for making it into a "brick" if the password is not
known is that it reduces the "steal value" of the device.
>>>>>>
>>>>>> For the Black Armor, if the password is not known, it can be reused.
But first the data needs to be wiped out.
>>>>>>
>>>>>> Scott
>>>>>>
>>>>>>
>>>>>> On Tue, 11 Nov 2008, Dave Jevans wrote:
>>>>>>
>>>>>>>
>>>>>>> I just set up a Seagate/Maxtor Black Armor hardware encrypted drive.
>>>>>>>
>>>>>>> When you set up the device, and before you choose your password,
>>>>>>> you have to enter in a 25 character "Security ID" which looks 
>>>>>>> like a software license key, and is printed on the back of the
drive's case.
>>>>>>>
>>>>>>> Why would you have to do this?  Since it's printed on the 
>>>>>>> outside of the case, why doesn't the device already know this 
>>>>>>> serial number internally, and why would it care?
>>>>>>>
>>>>>>> Initially my skeptical mind figured this is actually the AES 
>>>>>>> key, or a back-door encryption key.
>>>>>>>
>>>>>>> But with more thought, I figured that perhaps it's because the 
>>>>>>> device is manufactured in China, and it's a clone prevention
technique?
>>>>>>> Maybe the sticker is added to the device when they are packaged 
>>>>>>> in the US, and the security ID number is needed to activate the 
>>>>>>> encryption?  This prevents a Chinese factory from creating clone 
>>>>>>> devices using their controller?
>>>>>>>
>>>>>>> Anyone from Seagate on this list that can comment?
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> FDE mailing list
>>>>>>> FDE@www.xml-dev.com
>>>>>>> http://www.xml-dev.com/mailman/listinfo/fde
>>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>
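A worked model of the key hierarchy the replies above describe: the password only unwraps a stored AES media key, a password change rewraps the same key (so the data and the format survive), and KeyErase regenerates the key and resets the password to the Security ID, after which the old ciphertext can no longer be decrypted and the host has to reformat. This is an added example, not code from the thread and not Seagate's firmware or design; the AES-GCM wrap, the HMAC stand-in for the password KDF, and the Drive, NewDrive, Unlock, ChangePassword, KeyErase, Write and Read names are all assumptions for illustration, and any Security ID value used with it is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Drive is a toy model of the key hierarchy the thread describes, not Seagate's
// design: the AES-GCM wrap, the HMAC stand-in for a KDF and all names are assumed.
type Drive struct {
	SecurityID string // printed on the case; permanent, and the default password
	salt       []byte // KDF salt kept in the drive's hidden area
	wrapped    []byte // AES-128 media key sealed under the password-derived KEK
	mediaKey   []byte // volatile: set by Unlock, never exported to the host
	data       []byte // user data as nonce || AES-GCM ciphertext
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read is documented never to fail
	return b
}

// gcm serves both the key wrap and user data (a toy stand-in for XTS on a real drive).
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key sizes are fixed by the callers
	g, _ := cipher.NewGCM(block)
	return g
}

func seal(key, pt []byte) []byte {
	nonce := randBytes(12)
	return append(nonce, gcm(key).Seal(nil, nonce, pt, nil)...)
}

// kek derives the wrapping key; a real drive would use a slow KDF (PBKDF2, Argon2).
func (d *Drive) kek(password string) []byte {
	mac := hmac.New(sha256.New, d.salt)
	mac.Write([]byte(password))
	return mac.Sum(nil)
}

func (d *Drive) wrapMediaKey(password string, mk []byte) {
	d.salt = randBytes(16)
	d.wrapped = seal(d.kek(password), mk)
}

// NewDrive provisions a fresh media key wrapped under the Security ID (factory default).
func NewDrive(securityID string) *Drive {
	d := &Drive{SecurityID: securityID}
	d.wrapMediaKey(securityID, randBytes(16))
	return d
}

// Unlock: the password only unwraps the media key; the key itself does not change.
func (d *Drive) Unlock(password string) error {
	mk, err := gcm(d.kek(password)).Open(nil, d.wrapped[:12], d.wrapped[12:], nil)
	if err != nil {
		return errors.New("authentication failed")
	}
	d.mediaKey = mk
	return nil
}

// ChangePassword rewraps the same media key: data stays readable, no reformat needed.
func (d *Drive) ChangePassword(oldPw, newPw string) error {
	if err := d.Unlock(oldPw); err != nil {
		return err
	}
	d.wrapMediaKey(newPw, d.mediaKey)
	return nil
}

// KeyErase (crypto-erase) needs the Security ID, replaces the media key and resets
// the password to the Security ID; old ciphertext stays on the media but is undecryptable.
func (d *Drive) KeyErase(securityID string) error {
	if !hmac.Equal([]byte(securityID), []byte(d.SecurityID)) {
		return errors.New("Security ID mismatch: KeyErase refused")
	}
	d.mediaKey = nil
	d.wrapMediaKey(d.SecurityID, randBytes(16))
	return nil
}

func (d *Drive) Write(pt []byte) error {
	if d.mediaKey == nil {
		return errors.New("drive locked")
	}
	d.data = seal(d.mediaKey, pt)
	return nil
}

func (d *Drive) Read() ([]byte, error) {
	if d.mediaKey == nil || len(d.data) < 12 {
		return nil, errors.New("drive locked or nothing written")
	}
	return gcm(d.mediaKey).Open(nil, d.data[:12], d.data[12:], nil)
}
```

There is no main; exercise it from a Go test in the same package (or add one). The sequence NewDrive, Unlock with the Security ID, Write, ChangePassword, Unlock with the new password, Read returns the original data, which is the "stays the same" answer above. KeyErase with anything other than the Security ID is refused (the "programs can't ID the drive" point); KeyErase with the Security ID makes the old password fail, and Read after unlocking with the Security ID fails authentication on the old ciphertext, which is why the software then asks for a new password and a format.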