Robert, My responses were just simplied/"easy to read" answers to your questions. For full technical details, architecture schema of the security, you will need to contact Seagate." I can tell you however, that Seagate's FDE drives (like the one in Black Armor) is based on the trusted storage specs from the Trusted Computing Group: https://www.trustedcomputinggroup.org/specs/Storage/
Scott On Mon, 17 Nov 2008, Robert Wann wrote: > Scott, > > Thank you. Speaking of preserving AES key and SecurityID as well as other > vital information, I suspect it is the drive controller and its firmware that > controls the hidden sectors access, not the encryption/decryption ASIC, for > the reasons that the AES key and SecurityID won't get destroyed during > another round of partition and format. > >> From reading your remark, It seems to me that AES key is guarded by either >> SecurityID or User's Password, which are all written into the hidden sectors >> controlled by the drive firmware. Your remark "This is part of the FDE >> "enclosed" construct. AES key is only known and used by the drive" does not >> offer the complete security architecture of the FDE drive thus is not >> persuasive. > > By the way, are you an employee or affiliate of Seagate? > > Thanks, > Robert > > > > ----- Original Message ----- > From: "Scott S" <[EMAIL PROTECTED]> > To: <[email protected]> > Sent: Saturday, November 15, 2008 6:56 AM > Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black Armor > drive? > > >> Robert, >> >> See response below. >> >> Scott >> >>> If the true AES key is erased and a new AES key is generated upon >>> 'KeyErase' command, would you require user to perform partition and >>> format after such action? >> >> Yes, the user is require setup a new password and format the drive. >> >>> Also, since the Security ID is permanently >>> stored inside the FDE drive, would such new partition and format >>> effectively destroy the new AES key along with the Security ID? >> >> No. Formatting does not affect the AES key and Security ID at all. It is >> in a area protected from any external i/o access. The ASIC chip on the >> drive that is processing the automatic encryption/decryption preserves >> these vital information (and other things) in a way that is totally >> transparent to the user (and OS), once the user has authenticated. >> >>> How would you guarantee that AES key is safe and can not be extracted? >> >> This is part of the FDE "enclosed" construct. AES key is only known and >> used by the drive. >> >> -------------------- >> >> >>> ----- Original Message ----- >>> From: "Scott S" <[EMAIL PROTECTED]> >>> To: "Robert Wann" <[EMAIL PROTECTED]>; <[email protected]> >>> Sent: Friday, November 14, 2008 6:49 AM >>> Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black Armor >>> drive? >>> >>> >>>> Hi Robert, >>>> >>>> See response below. >>>> >>>> Scott >>>> >>>> On Thu, 13 Nov 2008, Robert Wann wrote: >>>> >>>>> Hi Scott, >>>>> >>>>> As the Security ID serves as a default password to unlock the FDE drive >>>>> inside the Black Armor, am I correct to assume that such unlock action >>>>> releases the true AES 128-bit key to allow the operation of the FDE drive? >>>> >>>> Correct. >>>> >>>>> If that's the case, do users require to partition and format the FDE >>>>> drive >after the default password entry? >>>> >>>> No, the password change does not affect the drive format given that the >>>> password is not the AES key. FYI, from the factory the drive comes >>>> partitioned and formatted as NTFS. >>>> >>>>> What happens to the AES key if user establishes a new password? >>>> >>>> Stays the same. The user is just changing the password that unlocks the >>>> AES key. >>>> >>>>> Can user get to generate the AES key or it is a default value stored >>>>> protected >by the Security ID at default and later at new password entry? >>>> >>>> The management software that comes with Black Armor provides a "KeyErase" >>>> feature. This feature is the same as a cryptographical erase (or >>>> crypo-erase) of the drive. If you were to perform this action, what is >>>> really happening is that the original AES key is destroyed, and a new AES >>>> key generate by drive itself. The AES key is not visible/accessiable to >>>> anyone/thing, except the drive itself. So yes, the user can generate it, >>>> but the user will never get to see it. >>>> >>>>> When you said the Security ID is also needed when the Black Armor hard >>>>> drive > needs to be cryptographically erased, exactly what do you mean >>>>> by "cryptographically erase?" >>>> >>>> By this I mean having the "effect" of erasing the drive so that all the >>>> data is no longer accessiable. >>>> >>>>> Is it an action that erases the true AES key or is it an action that >>>>> erases the previously established user's password? >>>> >>>> It is both. When the user does a "KeyErase", few things happens: 1) a new >>>> AES key is generated 2) the password is "defaulted" to the Security ID 3) >>>> the user is prompted to enter a new password. 4) the user is prompted to >>>> format the drive. >>>> >>>>> You also said: After the erase, the default password again becomes the >>>>> Security ID. Does this mean the FDE drive permanently stores the Security >>>>> ID? >>>> >>>> Correct. The Security ID is permanent and does not change. Having said >>>> that, it's function is very specific and does not affect the data security >>>> itself. It severs more as an identification. For example, it prevents >>>> mallicious programs from automatically performing a "KeyErase", because >>>> the programs can't ID the drive. >>>> >>>> >>>> ------------------------------- >>>> >>>>> >>>>> Thank you, >>>>> Robert Wann >>>>> >>>>> >>>>> >>>>> >>>>> ----- Original Message ----- >>>>> From: "Scott S" <[EMAIL PROTECTED]> >>>>> To: <[email protected]> >>>>> Sent: Thursday, November 13, 2008 3:27 AM >>>>> Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black >>>>> Armor drive? >>>>> >>>>> >>>>>> Hi Dave, >>>>>> >>>>>> Security ID serves two functions: >>>>>> >>>>>> 1) It is the default password of the Black Armor. Like the way a user >>>>>> needs the old password to change to a new password, the Security ID >>>>>> serves as the old password. >>>>>> >>>>>> 2) The Security ID is also needed when the Black Armor hard drive needs >>>>>> to be cryptographically erased (because the user wants to, or because >>>>>> the user forgot the password). After the erase, the default password >>>>>> again becomes the Security ID. >>>>>> >>>>>> One of the decision point of developing Black Armor was, what to do when >>>>>> the user forgets the password. Should the drive become totally useless? >>>>>> >>>>>> The arguement for making it into a "brick" if the password is not known >>>>>> is that is reduces the "steal value" of the device. >>>>>> >>>>>> For the Black Armor, if the password is not known, it can be reused. But >>>>>> first the data needs to be wipeout. >>>>>> >>>>>> Scott >>>>>> >>>>>> >>>>>> On Tue, 11 Nov 2008, Dave Jevans wrote: >>>>>> >>>>>>> >>>>>>> I just setup a Seagate/Maxtor Black Armor hardware encrypted drive. >>>>>>> >>>>>>> When you setup the device, and before you choose your password, you >>>>>>> have to enter in a 25 character "Security ID" which looks like a >>>>>>> software license key, and is printed on the back of the drive's case. >>>>>>> >>>>>>> Why would you have to do this? Since it's printed on the outside of >>>>>>> the case, why doesn't the device already know this serial number >>>>>>> internally, and why would it care? >>>>>>> >>>>>>> Initially my skeptical mind figured this is actually the AES key, or >>>>>>> a back-door encryption key. >>>>>>> >>>>>>> But with more thought, I figured that perhaps it's because the device >>>>>>> is manufactured in China, and it's a clone prevention technique? >>>>>>> Maybe the sticker is added to the device when they are packaged in >>>>>>> the US, and the security ID number is needed to activate the >>>>>>> encryption? This prevents a Chinese factory from creating clone >>>>>>> devices using their controller? >>>>>>> >>>>>>> Anyone from Seagate on this list that can comment? >>>>>>> >>>>>>> _______________________________________________ >>>>>>> FDE mailing list >>>>>>> [email protected] >>>>>>> http://www.xml-dev.com/mailman/listinfo/fde >>>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> FDE mailing list >>>>>> [email protected] >>>>>> http://www.xml-dev.com/mailman/listinfo/fde >>>>>> >>>> >>>> >> _______________________________________________ >> FDE mailing list >> [email protected] >> http://www.xml-dev.com/mailman/listinfo/fde >> _______________________________________________ FDE mailing list [email protected] http://www.xml-dev.com/mailman/listinfo/fde
