Re: Seagate announces hardware FDE for laptop and desktop machines

2009-06-14 Thread james hughes


On Jun 10, 2009, at 4:19 PM, travis+ml-cryptogra...@subspacefield.org wrote:

Reading really old email, but have new information to add.

On Wed, Oct 03, 2007 at 02:15:38PM +1000, Daniel Carosone wrote:
Speculation: the drive always encrypts the platters with a (fixed) AES
key, obviating the need to track which sectors are encrypted or
not. Setting the drive password simply changes the key-handling.

Implication: fixed keys may be known and data recoverable from factory
records, e.g. for law enforcement, even if this is not provided as an
end-user service.


There was an interesting article in 2600 recently about ATA drive
security.

It's in Volume 26, Number 1 (Spring 2009).  Sorry that I don't have an
electronic copy.

The relevant bit of it is that there are two keys.  One key is for the
user, and one (IIRC, it is called a master key) is set by the factory.

IIRC, there was a court case recently where law enforcement was able
to read the contents of a locked disk, contrary to the vendor's claims
that nobody, even them, would be able to do so.


All of these statements may be true. The standardization of the
command set for encrypting disk drives does have a set master key
command. If this command does exist, and if the user had software that
resets this master password, then the backdoor would have been closed.
(I know, there are a lot of ifs in that sentence.)

http://www.dtc.umn.edu/disc/resources/RiedelISW5r.pdf
http://www.usenix.org/events/lsf07/tech/riedel.pdf
http://www.t10.org/ftp/t10/document.04/04-004r2.pdf
and from universities you can access
http://ieeexplore.ieee.org/iel5/10842/34160/01628480.pdf
https://www.research.ibm.com/journal/rd/524/nagle.html

Jim

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


OT: Presentation on Effectively and Securely Using the Cloud Computing Paradigm

2009-06-14 Thread Ali, Saqib
NIST has published a working draft of the Cloud Computing Security presentation:
http://csrc.nist.gov/groups/SNS/cloud-computing/index.html

Both of the documents on this page are an excellent read for anyone
interested in Cloud Computing.

Some of the Security Advantages mentioned in the presentation are:

Shifting public data to an external cloud reduces the exposure of the internal sensitive data
Cloud homogeneity makes security auditing/testing simpler
Clouds enable automated security management
Redundancy / Disaster Recovery
Data Fragmentation and Dispersal
Dedicated Security Team
Greater Investment in Security Infrastructure
Fault Tolerance and Reliability
Greater Resiliency
Hypervisor Protection Against Network Attacks
Possible Reduction of CA Activities (Access to Pre-Accredited Clouds)
Simplification of Compliance Analysis
Data Held by Unbiased Party (cloud vendor assertion)
Low-Cost Disaster Recovery and Data Storage Solutions
On-Demand Security Controls
Real-Time Detection of System Tampering
Rapid Re-Constitution of Services
Advanced Honeynet Capabilities

What are your thoughts on these benefits?

Thanks
Saqib
http://www.capital-punishment.us



Re: padding attack vs. PKCS7

2009-06-14 Thread James Muir
travis+ml-cryptogra...@subspacefield.org wrote:
 http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/
 
 Towards the end of this rather offbeat blog post they describe a
 rather clever attack which is possible when the application provides
 error messages (i.e. is an error oracle) for PKCS7 padding in e.g. AES
 CBC-encrypted web authenticators that allows an adversary to attack
 the crypto one octet at a time.

I think this attack can be attributed to Klima and Rosa:

Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format.
V. Klima and T. Rosa.
http://eprint.iacr.org/2003/098.pdf

-James



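Added illustration, not part of James Muir's post, the Matasano post or the Klima and Rosa paper: a Python sketch of the receiver-side defect the thread describes. `leaky_receive` does CBC decryption followed by a PKCS#7 check and reports "padding error" as a distinct outcome, so its answer depends on the decrypted bytes and it becomes the error oracle; `hardened_receive` (encrypt-then-MAC, tag verified with a constant-time compare before the padding is ever looked at) gives one uniform failure for any tampering. The block cipher is a toy HMAC-SHA256 Feistel stand-in, an assumption made so the code runs offline with the standard library only (it is not AES and not a real cipher), and the keys and messages in the comments and test are constructed values.

```python
import hashlib
import hmac
import os

BLOCK = 16      # block size in bytes (same as AES)
TAG_LEN = 32    # HMAC-SHA256 tag length


class DecryptionError(Exception):
    """The single, uniform failure the hardened receiver ever reports."""


# --- PKCS#7 padding ---------------------------------------------------------
def pkcs7_pad(data: bytes) -> bytes:
    """Append n bytes of value n so the length becomes a multiple of BLOCK."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Strip PKCS#7 padding; raise ValueError when it is malformed."""
    if not data or len(data) % BLOCK:
        raise ValueError("bad padding")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


# --- stand-in block cipher (assumption: 4-round Feistel with HMAC-SHA256 as
# the round function; only here so the CBC/padding logic runs offline, NOT a
# real cipher) ----------------------------------------------------------------
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)
        prev = c
    return out


# --- leaky receiver: CBC + PKCS#7 with no integrity check --------------------
def leaky_receive(enc_key: bytes, token: bytes):
    """Two distinguishable outcomes that depend on the decrypted bytes:
    ("ok", plaintext) or ("padding error", None). That difference is the oracle,
    and a tampered message whose padding happens to survive is accepted."""
    iv, ct = token[:BLOCK], token[BLOCK:]
    try:
        return "ok", pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except ValueError:
        return "padding error", None


# --- hardened receiver: encrypt-then-MAC, verify before touching padding -----
def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def hardened_receive(enc_key: bytes, mac_key: bytes, token: bytes) -> bytes:
    """Any tampering, wherever it lands, yields the same DecryptionError."""
    if len(token) < BLOCK + TAG_LEN or (len(token) - TAG_LEN) % BLOCK:
        raise DecryptionError
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise DecryptionError
    try:
        return pkcs7_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
    except ValueError:          # unreachable once the tag matched; stay uniform
        raise DecryptionError


def fails_uniformly(enc_key: bytes, mac_key: bytes, token: bytes) -> bool:
    """True when the hardened receiver rejects the token with its one error."""
    try:
        hardened_receive(enc_key, mac_key, token)
        return False
    except DecryptionError:
        return True
```

Flipping one byte of the IV in a two-block message shows the contrast: `leaky_receive` returns "ok" with a corrupted first block, because nothing checks integrity before the padding is inspected, while `hardened_receive` rejects it with the same error it gives for a bad tag or a truncated token. The order matters more than the error string: if the MAC is checked only after unpadding, a padding failure still short-circuits the code path and the oracle returns as a timing difference.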


SHA-1 in 2**52

2009-06-14 Thread I)ruid
Differential Path for SHA-1 with complexity O(2**52)
Cameron McDonald, Philip Hawkes, and Josef Pieprzyk
Macquarie University

http://eprint.iacr.org/2009/259.pdf

-- 
I)ruid, C²ISSP
dr...@caughq.org
http://druid.caughq.org

