Intel’s and Sandforce’s AES-128 encryption is useful, but not for what you think

Last Updated on July 3, 2011 by Dave Farquhar

I spent some time this week with a coworker looking into the AES-128 encryption in current Sandforce and upcoming Intel 320 SSDs, and we’ve concluded it’s no substitute for software full-drive encryption.

This is important, so we’ll talk about it further.

Encryption matters because it’s the only way to really secure a laptop. Encrypt the drive, and a thief is stuck with a laptop that won’t boot or do anything else. If you don’t encrypt the drive, a thief can get to everything you can get to. They have your files, your bookmarks, and everything on it. If you’re wondering how sensitive and embarrassing corporate data ends up on sites like Wikileaks, it’s often because of stolen laptops.

Encrypting desktop computers is more of a luxury than a necessity, but not a bad idea, especially if you can get encryption for free.

Most encryption software has drawbacks. Sometimes it costs money. It always slows down the machine, at the very least. It would be nice to be able to offload it to hardware.

And that’s what the current state of the art in SSDs promises–encryption for free, both in terms of money and CPU cycles. The sales literature, not to mention the influential hardware site Anandtech, says to enable a password on the hard drives to enable AES-128 encryption on them.

The problem is that this password is not used in the encryption in any way.

I’m oversimplifying a bit, but effective encryption requires two pieces. One piece needs to reside on the drive, and one piece somewhere else. It could be a password, known by the user. It could be a plug-in card. But the trouble with this implementation is that the AES key in its entirety is stored on the drive itself. Break the password, and you’re in.

There’s no standardized way that either of us know of to turn that ATA password into a cryptographic key. So that’s why we think they aren’t using it. But ideally, how this should work is that something derived from the password (a hash) becomes part of the AES key. The remainder of the key is stored on the drive, and that plus your hash decrypts the data. With this approach, if you change the password or bust through it, all you see is encrypted data because the hash is missing from the key.

That’s not how it works now. Bust through the password, and you have the data in the clear.

My coworker says busting passwords is easy. Use a bootable disk such as Morphix, and you’re in. I’m not certain, based on my own research, that Morphix or any other software tool works on every drive. Maybe Intel and Sandforce found a way to secure their passwords so that current, known boot disks won’t bust through them. But that’s always a moving target. And ATA passwords (aka hdd passwords) are held in such low esteem that some manufacturers don’t even bother to implement them.

As far as I can tell, the AES encryption as Intel and Sandforce implemented it is good only for data remanance. You can securely erase the drive very easily–all it takes is changing the AES key. The old data isn’t gone, but it’s encrypted with a lost key, so it’s pure gibberish. So secure erases are fast and easy on the memory cells since you don’t have to bother with overwriting each of them. Yet they’re highly effective. It’s an elegant solution to a real problem.

The problem with this elegant solution is that they’re marketing it as something it’s not. It’s a mild security and performance enhancement and nothing more, certainly not a substitute for a product like TrueCrypt or PGP Full Drive Encryption. Because as a substitute for those, it fails miserably. The difference between the two things is rather like the difference between my son’s plastic toy hammer and a sledgehammer. Both have their uses, but it’s ineffective or even dangerous to try to substitute one for the other.

You could also look at it like the difference between the little brass lock that came free with your luggage and the lock on the vault at your bank. It’s enough security to discourage honest people, but that’s it. And it’s not the honest people you need to worry about.

So don’t think you can replace software encryption with the built-in AES 128 on a current (2010-2011 vintage) Sandforce or Intel SSD just by turning on a password. The sales literature says you can, but the datasheets say exactly the opposite. And it’s what’s on the datasheets that counts.

Update: Intel disclosed to us that the password is stored as a non-reversible hash on the drive, and that the password is used in determining the key. More details here. We now believe the Intel 320’s built-in encryption is good enough to protect personal and even corporate data, if your laptop supports the ATA password.

Update 2: Because some people appear to be reading this and coming to the wrong conclusion about Sandforce drives, I want to emphasize that what Intel told us applies only to the Intel drive. Until someone from Sandforce or OCZ comes out with evidence to the contrary, the AES-128 encryption, as implemented in current generation Sandforce-based drives, shouldn’t be considered useful for protecting data.

If you found this post informative or helpful, please share it!

One thought on “Intel’s and Sandforce’s AES-128 encryption is useful, but not for what you think

  • April 4, 2011 at 12:13 pm
    Permalink

    The thing is: the way to deliver password to the drive through ATA pass is not wrong per se. But the implementation on todays hardware is fundamentally skewed. Look at so called: Vendor Specific ATA Commands. There are special sets of commands (outside ATA spec or undocumented modified versions of offcial ATA set) unique to each manufacturer for low level diagnostics and maintenance which are successfully reverse engineered (using dedicated terminals) and used by hackers to get ata passwords (Master and User) or even dumping sector by sector from ATA security locked device. And the manufacturers put them on their hardware. They are responsible for making ATA password system full of holes. Maybe by their ignorance, maybe on purpose. It doesn’t matter. The fact is that these holes are by design and this shady business is being run for years (generations of devices) and without any reactions from critics. But this system could be done right. And not even with much higher price! Now it is a complete disaster security wise. As you stated: nobody cares about it anymore.
    Intel is not responding to the requests for clarifications concerning his implementation. The official documents are mostly marketing BS. I wonder if they manage to get any security certification(s). Do not trust their implementation until that happen.

Comments are closed.