bit-tech.net

SandForce SF-2000 encryption flaw discovered

SandForce SF-2000 encryption flaw discovered

The SandForce SF-2000 controller, used in SSDs from Kingston, Intel and others, has been found to support only AES-128 rather than the claimed AES-256.

LSI subsidiary SandForce has been forced to admit that its SF-2000 solid-state drive (SSD) controller has a flaw in its security implementation which sees the Advanced Encryption Standard (AES) key length limited to 128 bits, from the 256 bits claimed at launch.

SandForce's controllers are a common sight in the storage industry, and find their way into products from the likes of Intel and Kingston. When the latest SF-2000 controller was launched, SandForce and all its multitudinous customers made much of the integrated AES-256 encryption engine included therein.

That turns out to have been a mistake: a security audit, prompted by quality assurance tests on Intel's SandForce SF-2000-based SSD 520 Series drives, has discovered that the encryption system is limited to 128 bit keys.

That's a serious blow to the claimed security of the devices: every time a single bit is removed from the length of the key, the keyspace halves: a loss of 128 bits, therefore, results in a keyspace significantly smaller than was originally intended.

SandForce's various customers are quick to point out that, while AES-128 is definitely less secure than AES-256, it's still considered secure enough for most uses. 'Intel believes AES 128-bit encryption meets the data encryption requirements of most customers.,' the company claims in a product update for its affected SSD 520 Series, pointing out that 'other Intel Solid-State Drives with data encryption, such as Intel SSD 320 Series, also feature AES 128-bit encryption' by design.

Kingston has also spoken up about the flaw, which affects its SSDNow V+200 and KC100 drives. 'Both AES modes [AES-128 and AES-256] encrypt and secure the data on the SSD from unauthorised access,' the company points out, 'just to different encryption standards. Kingston is working with LSI to correct this and to ensure that future production of the aforementioned drives delivers 256-bit AES encryption mode.'

Further, Kingston claims that the flaw affects only a minority of customers, and promises to make things right for those who purchased drives based on the promise of AES-256 support. 'Feedback from Kingston's customer base regarding the SSDNow V+200 and KC100 model SSDs does not indicate that the encryption feature is critical or widely used in most deployments. Kingston’s teams will work closely with customers who require 256-bit AES encryption to ensure that they are taken care of, and are able to swap out their current drives for ones with the correct encryption level when it becomes available.'

SandForce, and its parent company LSI, are meanwhile silent on the issue, which is thought to be traced back to the ability for drives to disable AES-256 support in order to qualify for US ITAR licences which are precluded for products featuring certain levels of encryption heading for a selected list of US-ambivalent or actively unfriendly countries.

9 Comments

Discuss in the forums Reply
[-Stash-] 12th June 2012, 14:42 Quote
Oops.
Rhydian 12th June 2012, 14:50 Quote
doesnt seem that serious of a flaw. although would be interesting to see if this was a coverup

Sent from my GT-I9100 using Tapatalk 2
Gareth Halfacree 12th June 2012, 14:55 Quote
Quote:
Originally Posted by Rhydian
doesnt seem that serious of a flaw. although would be interesting to see if this was a coverup
Both companies are right to say that AES-128 is still pretty damn secure, but looking at it mathematically for a moment: the keyspace of AES-128 is one 340,282,366,920,938,463,463,374,607,431,768,211,456th that of AES-256. They're both damn secure, but one is *significantly* more secure than the other.
The_Beast 12th June 2012, 15:07 Quote
128 is more than I'll need in the foreseeable future
Griffter 12th June 2012, 16:17 Quote
they knew about this, business' are animals.
rollo 12th June 2012, 20:02 Quote
will put business off buying them banks ect
SaNdCrAwLeR 12th June 2012, 21:38 Quote
Quote:
Originally Posted by rollo
will put business off buying them banks ect

Banks don't buy these...
if they do it's for non high-security systems...
mclean007 13th June 2012, 08:16 Quote
Quote:
Originally Posted by SaNdCrAwLeR
Quote:
Originally Posted by rollo
will put business off buying them banks ect

Banks don't buy these...
if they do it's for non high-security systems...
Or they use a proprietary encryption layer on top of the drive, rather than built in encryption in the SSD itself.
mclean007 13th June 2012, 08:25 Quote
Quote:
Originally Posted by The_Beast
128 is more than I'll need in the foreseeable future
Possibly, but it offers a keyspace 340 trillion trillion trillion times smaller than 256 bit.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums