The SandForce SF-2000 controller, used in SSDs from Kingston, Intel and others, has been found to support only AES-128 rather than the claimed AES-256.
LSI subsidiary SandForce has been forced to admit that its SF-2000 solid-state drive (SSD) controller has a flaw in its security implementation which sees the Advanced Encryption Standard (AES) key length limited to 128 bits, from the 256 bits claimed at launch.
SandForce's controllers are a common sight in the storage industry, and find their way into products from the likes of Intel and Kingston. When the latest SF-2000 controller was launched, SandForce and all its multitudinous customers made much of the integrated AES-256 encryption engine included therein.
That turns out to have been a mistake: a security audit, prompted by quality assurance tests on Intel's SandForce SF-2000-based SSD 520 Series drives, has discovered that the encryption system is limited to 128-bit keys.
That's a serious blow to the claimed security of the devices: each bit removed from the length of the key halves the keyspace, so a loss of 128 bits results in a keyspace significantly smaller than was originally intended.
SandForce's various customers are quick to point out that, while AES-128 is definitely less secure than AES-256, it's still considered secure enough for most uses. 'Intel believes AES 128-bit encryption meets the data encryption requirements of most customers,' the company claims in a product update for its affected SSD 520 Series, pointing out that 'other Intel Solid-State Drives with data encryption, such as Intel SSD 320 Series, also feature AES 128-bit encryption' by design.
Kingston has also spoken up about the flaw, which affects its SSDNow V+200 and KC100 drives. 'Both AES modes [AES-128 and AES-256] encrypt and secure the data on the SSD from unauthorised access,' the company points out, 'just to different encryption standards. Kingston is working with LSI to correct this and to ensure that future production of the aforementioned drives delivers 256-bit AES encryption mode.'
Further, Kingston claims that the flaw affects only a minority of customers, and promises to make things right for those who purchased drives based on the promise of AES-256 support. 'Feedback from Kingston's customer base regarding the SSDNow V+200 and KC100 model SSDs does not indicate that the encryption feature is critical or widely used in most deployments. Kingston’s teams will work closely with customers who require 256-bit AES encryption to ensure that they are taken care of, and are able to swap out their current drives for ones with the correct encryption level when it becomes available.'
SandForce and its parent company LSI are meanwhile silent on the issue, which is thought to trace back to the ability of drives to disable AES-256 support in order to qualify for US ITAR licences, which are precluded for products featuring certain levels of encryption heading for a selected list of US-ambivalent or actively unfriendly countries.