Thursday, March 31, 2011

Intel SSD's have default AES encryption - worried?


Intel have announced their range of new SSD's with a range of security and data stability tools, the 320 range. The include sizes from 40gig to 600gig (if you have the money!) and my experience is that they are crazy fast. Putting your OS on one of these would make a huge difference to the speed of the overall machine.

However, Intel state that they come with a default AES 128 full disk encryption system which apparently successfully finds the trade off of speed and encryption/decryption. The thought of new machines coming already set up with an AES flavour is enough to make the average digital investigator hang up his mouse and go stack shelves in Salisbury's (small print - other supermarkets also offer shelf stacking opportunities) . Should we be worried?

No.

It is true that the disk, out of the box comes running a AES 128 key providing full disk encryption. However, plug the disk into your machine and it will run with no seeming encryption involved at all? How so? Simply because there is no user key set up as default. To make the encryption 'work' as a security layer the user has to set up an ATA BIOS user password to secure the encryption key. Don't set up a BIOS password, no useful encryption. Excellent!

You can check out the security document here.

Knowing bad guys, and most of us have the misfortune of knowing their computers rather well, they are notoriously mistrusting of encryption and it is unlikely that the computer they buy will come with a big sticker saying how vital it is that they set a BIOS password. Indeed, many people believing that they are experts will read the drive specs, see AES 128 and believe that they are more secure than NASA. All which makes me think I should delete this blog post? Ah well, no one reads it!

10 comments:

Matley said...

Ooops - here's one person who's read it!
Excellent article and a bit of a double edged sword, Nick. How do you get this into the forensic community without alerting the bad guys? Perhaps you need a registered user blog for known colleagues? Or just add it to one of your excellent forensic courses. Keep up the good work!

Matt said...

A BIOS/ATA password won't work, all you have to do is take the drive out, put it in another computer without a BIOS/ATA password and you are in.

Nick Furneaux said...

Hi Matt

Thanks for your comment. Its my understanding that the BIOS passphrase becomes the encryption key and so moving it to a new machine will not provide access to the data, you would need to set the BIOS code as the same.

Cheers, Nick

Alex said...

Thanks for the nice post Nick, please delete it now :)

dean bradman said...

Awesome! Thanks for sharing!
Severely though, this is good sound recommendation and I would add that it’s additionally superior when bloggers reply to comments. This is something I didn’t do once I began my weblog - now I all the time craft some extent of responding; it shows you dedication!
Helik Advisory

Nick Furneaux said...

Thanks for your comments Dean.

john dyssey said...

I’m new to blogging and find this put up very useful. I by no means thought of how your profile is viewed by others.
Thanks for a figures!
http://www.klip.in

james Dean said...

I just read through the entire article of yours and it was quite good. This is a great article thanks for sharing this informative information

Network Support London

HikingMike said...

And if the drive fails... there is no way to recover the data from the flash chips. This leaves data recovery firms out of luck and users who lost their data without any recourse.

Den said...

Sorry but this article doesn't help. It basically only says: If you don't know what you are doing, your fucked. But it doesn't address the the real problem whit this devices encryption (there is absolutely no proof that it works at all)...