Scott,
Thank you. Speaking of preserving AES key and SecurityID as well as other vital
information, I suspect it is the drive controller and its firmware that
controls the hidden sectors access, not the encryption/decryption ASIC, for the
reasons that the AES key and SecurityID won't get destroyed during another
round of partition and format.
>From reading your remark, It seems to me that AES key is guarded by either
>SecurityID or User's Password, which are all written into the hidden sectors
>controlled by the drive firmware. Your remark "This is part of the FDE
>"enclosed" construct. AES key is only known and used by the drive" does not
>offer the complete security architecture of the FDE drive thus is not
>persuasive.
By the way, are you an employee or affiliate of Seagate?
Thanks,
Robert
----- Original Message -----
From: "Scott S" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, November 15, 2008 6:56 AM
Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black Armor
drive?
> Robert,
>
> See response below.
>
> Scott
>
>> If the true AES key is erased and a new AES key is generated upon
>> 'KeyErase' command, would you require user to perform partition and
>> format after such action?
>
> Yes, the user is require setup a new password and format the drive.
>
>> Also, since the Security ID is permanently
>> stored inside the FDE drive, would such new partition and format
>> effectively destroy the new AES key along with the Security ID?
>
> No. Formatting does not affect the AES key and Security ID at all. It is
> in a area protected from any external i/o access. The ASIC chip on the
> drive that is processing the automatic encryption/decryption preserves
> these vital information (and other things) in a way that is totally
> transparent to the user (and OS), once the user has authenticated.
>
>> How would you guarantee that AES key is safe and can not be extracted?
>
> This is part of the FDE "enclosed" construct. AES key is only known and
> used by the drive.
>
> --------------------
>
>
>> ----- Original Message -----
>> From: "Scott S" <[EMAIL PROTECTED]>
>> To: "Robert Wann" <[EMAIL PROTECTED]>; <[email protected]>
>> Sent: Friday, November 14, 2008 6:49 AM
>> Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black Armor
>> drive?
>>
>>
>>> Hi Robert,
>>>
>>> See response below.
>>>
>>> Scott
>>>
>>> On Thu, 13 Nov 2008, Robert Wann wrote:
>>>
>>>> Hi Scott,
>>>>
>>>> As the Security ID serves as a default password to unlock the FDE drive
>>>> inside the Black Armor, am I correct to assume that such unlock action
>>>> releases the true AES 128-bit key to allow the operation of the FDE drive?
>>>
>>> Correct.
>>>
>>>> If that's the case, do users require to partition and format the FDE drive
>>>> >after the default password entry?
>>>
>>> No, the password change does not affect the drive format given that the
>>> password is not the AES key. FYI, from the factory the drive comes
>>> partitioned and formatted as NTFS.
>>>
>>>> What happens to the AES key if user establishes a new password?
>>>
>>> Stays the same. The user is just changing the password that unlocks the AES
>>> key.
>>>
>>>> Can user get to generate the AES key or it is a default value stored
>>>> protected >by the Security ID at default and later at new password entry?
>>>
>>> The management software that comes with Black Armor provides a "KeyErase"
>>> feature. This feature is the same as a cryptographical erase (or
>>> crypo-erase) of the drive. If you were to perform this action, what is
>>> really happening is that the original AES key is destroyed, and a new AES
>>> key generate by drive itself. The AES key is not visible/accessiable to
>>> anyone/thing, except the drive itself. So yes, the user can generate it,
>>> but the user will never get to see it.
>>>
>>>> When you said the Security ID is also needed when the Black Armor hard
>>>> drive > needs to be cryptographically erased, exactly what do you mean
>>>> by "cryptographically erase?"
>>>
>>> By this I mean having the "effect" of erasing the drive so that all the
>>> data is no longer accessiable.
>>>
>>>> Is it an action that erases the true AES key or is it an action that
>>>> erases the previously established user's password?
>>>
>>> It is both. When the user does a "KeyErase", few things happens: 1) a new
>>> AES key is generated 2) the password is "defaulted" to the Security ID 3)
>>> the user is prompted to enter a new password. 4) the user is prompted to
>>> format the drive.
>>>
>>>> You also said: After the erase, the default password again becomes the
>>>> Security ID. Does this mean the FDE drive permanently stores the Security
>>>> ID?
>>>
>>> Correct. The Security ID is permanent and does not change. Having said
>>> that, it's function is very specific and does not affect the data security
>>> itself. It severs more as an identification. For example, it prevents
>>> mallicious programs from automatically performing a "KeyErase", because the
>>> programs can't ID the drive.
>>>
>>>
>>> -------------------------------
>>>
>>>>
>>>> Thank you,
>>>> Robert Wann
>>>>
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Scott S" <[EMAIL PROTECTED]>
>>>> To: <[email protected]>
>>>> Sent: Thursday, November 13, 2008 3:27 AM
>>>> Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black Armor
>>>> drive?
>>>>
>>>>
>>>>> Hi Dave,
>>>>>
>>>>> Security ID serves two functions:
>>>>>
>>>>> 1) It is the default password of the Black Armor. Like the way a user
>>>>> needs the old password to change to a new password, the Security ID
>>>>> serves as the old password.
>>>>>
>>>>> 2) The Security ID is also needed when the Black Armor hard drive needs
>>>>> to be cryptographically erased (because the user wants to, or because the
>>>>> user forgot the password). After the erase, the default password again
>>>>> becomes the Security ID.
>>>>>
>>>>> One of the decision point of developing Black Armor was, what to do when
>>>>> the user forgets the password. Should the drive become totally useless?
>>>>>
>>>>> The arguement for making it into a "brick" if the password is not known
>>>>> is that is reduces the "steal value" of the device.
>>>>>
>>>>> For the Black Armor, if the password is not known, it can be reused. But
>>>>> first the data needs to be wipeout.
>>>>>
>>>>> Scott
>>>>>
>>>>>
>>>>> On Tue, 11 Nov 2008, Dave Jevans wrote:
>>>>>
>>>>>>
>>>>>> I just setup a Seagate/Maxtor Black Armor hardware encrypted drive.
>>>>>>
>>>>>> When you setup the device, and before you choose your password, you
>>>>>> have to enter in a 25 character "Security ID" which looks like a
>>>>>> software license key, and is printed on the back of the drive's case.
>>>>>>
>>>>>> Why would you have to do this? Since it's printed on the outside of
>>>>>> the case, why doesn't the device already know this serial number
>>>>>> internally, and why would it care?
>>>>>>
>>>>>> Initially my skeptical mind figured this is actually the AES key, or
>>>>>> a back-door encryption key.
>>>>>>
>>>>>> But with more thought, I figured that perhaps it's because the device
>>>>>> is manufactured in China, and it's a clone prevention technique?
>>>>>> Maybe the sticker is added to the device when they are packaged in
>>>>>> the US, and the security ID number is needed to activate the
>>>>>> encryption? This prevents a Chinese factory from creating clone
>>>>>> devices using their controller?
>>>>>>
>>>>>> Anyone from Seagate on this list that can comment?
>>>>>>
>>>>>> _______________________________________________
>>>>>> FDE mailing list
>>>>>> [email protected]
>>>>>> http://www.xml-dev.com/mailman/listinfo/fde
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> FDE mailing list
>>>>> [email protected]
>>>>> http://www.xml-dev.com/mailman/listinfo/fde
>>>>>
>>>
>>>
> _______________________________________________
> FDE mailing list
> [email protected]
> http://www.xml-dev.com/mailman/listinfo/fde
>
_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
