7

After reading this forum thread it does not sound like encrypted SSDs provide much protection at all - specifically encryption only occurs between the controller chipset and the NAND storage.

Why is this? Is this a usual disk encryption design? Are there any studies of encrypted SSD hardware? What are the weaknesses and limitations of such a setup, if any? I am particularly interested in key extraction from the controller - is this possible? Is it even necessary, as taking the hard disk in its entirety to another system should mean it is still readable?

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
Sandra Schlichting
  • 201
  • 2
  • 6

2 Answers2

8

Such encryption can be useful to implement a "wipe everything" feature. It is difficult to securely erase things from a SSD (it is already not totally easy with a classic magnetic hard disk, but internal features of the SSD, in particular wear-leveling, make it almost impossible to totally remove all data). With encryption, the problem is much reduced: it is only a matter of erasing the key (and choosing a new one), a mere 128 bits, compared to a dozen gigabytes.

Outside of this secure wipe thing, disk encryption as you describe makes no sense security-wise, because one may assume that an attacker stealing the disk will get the controller with it, including the key... unless the controller does not have the key. This may be a "password-protected disk" in which the encryption key is derived from a password entered at boot-time. If the encryption key is not permanently stored in the disk itself, then encryption at the controller level makes sense because there is little point in doing that in the CPU, unless the attack model supposes that the attacker can spy on the SATA bus. In the realistic model where the attacker is someone who steals the disk (or the whole laptop -- it has better be shut down, not merely put in sleeping mode !), disk encryption is about keeping confidentiality of the data as itself, so encryption has to occur "somewhere" before actual storage, but it can be in the controller.

Of course, nothing says that the encryption is done properly. It is not exactly trivial to go from AES, an algorithm which encrypts 128-bit blocks, to a system which encrypts a whole disk, without leaking information on the encrypted data, while still allowing random read and write access. At least, the "attacker steals the powered down laptop" makes things relatively simple: we do not have to fear active attacks (the attacker does not give the laptop back) and there is no concern about chosen plaintext/ciphertext attacks as well. A simple CTR mode would be fine (I am not claiming that's what any SSD does, only that it would be how I would do it myself).

Community
  • 1
Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • There now exist specialized modes of operation for wide block encryption specifically tuned for disk encryption - see CMC, EME. Of course, actually using them is a whole different matter. – Thomas Sep 02 '12 at 02:06
4

Caution: You are jumping to unwarranted conclusions. The correct conclusion to draw from that forum thread is that one commercially available SSD implements encryption in a stupid way. This by no means implies that all SSDs are flawed or that encryption on SSDs is always pointless.

Detailed answer: There are two kinds of disk encryption: hardware encryption and software encryption.

The difference is in where the encryption is performed. Either can be used securely, as long as it is designed and implemented appropriately. (The OCZ implementation referred to in the forum thread you linked to apparently was not designed and implemented appropriately.)

Software encryption is the easiest to set up and use, from a user's perspective. There are several software products that will perform the full-disk encryption for you, at the software level. For instance, Truecrypt is well-regarded, and PGP also has a well-regarded product. These systems are compatible with SSDs and can be used to encrypt data stored on the SSD. The key is derived from a passphrase that the user enters in, and the key is not stored on the SSD, so there is nothing to extract from the SSD and no way for someone who gains physical access to your SSD to get at your key or data (except by guessing your passphrase).

Hardware encryption requires support from the drive and/or its controller. It is possible to implement hardware encryption in a secure way. For instance, the user can enter a passphrase, and the passphrase can be communicated to the hardware (but never stored in persistent storage) to use as a key for encryption. Unfortunately, there is a history out there of some drive manufacturers who advertise hardware disk encryption, but implement it in a dumb way that negates the security advantages, so it is buyer beware here.

D.W.
  • 98,860
  • 33
  • 271
  • 588