[FDE] What is the Security ID on a Seagate Maxtor Black Armor drive?


Dave Jevans

Nov 11, 2008, 7:11:55 PM
to f...@www.xml-dev.com

I just set up a Seagate/Maxtor Black Armor hardware encrypted drive.

When you set up the device, and before you choose your password, you
have to enter in a 25 character "Security ID" which looks like a
software license key, and is printed on the back of the drive's case.

Why would you have to do this? Since it's printed on the outside of
the case, why doesn't the device already know this serial number
internally, and why would it care?

Initially my skeptical mind figured this is actually the AES key, or
a back-door encryption key.

But with more thought, I figured that perhaps it's because the device
is manufactured in China, and it's a clone prevention technique?
Maybe the sticker is added to the device when they are packaged in
the US, and the security ID number is needed to activate the
encryption? This prevents a Chinese factory from creating clone
devices using their controller?

Anyone from Seagate on this list that can comment?

_______________________________________________
FDE mailing list
F...@www.xml-dev.com
http://www.xml-dev.com/mailman/listinfo/fde

Scott S

Nov 12, 2008, 2:27:33 PM
to f...@www.xml-dev.com
Hi Dave,

Security ID serves two functions:

1) It is the default password of the Black Armor. Like the way a user needs the old password to change to a new password, the Security ID serves as the old password.

2) The Security ID is also needed when the Black Armor hard drive needs to be cryptographically erased (because the user wants to, or because the user forgot the password). After the erase, the default password again becomes the Security ID.

One of the decision points in developing Black Armor was what to do when the user forgets the password. Should the drive become totally useless?

The argument for making it into a "brick" if the password is not known is that it reduces the "steal value" of the device.

For the Black Armor, if the password is not known, it can be reused. But first the data needs to be wiped out.

Scott

Garrett M. Groff

Nov 12, 2008, 2:58:24 PM
to f...@www.xml-dev.com
Scott, you said that...
1. "The Security ID is also needed when the Black Armor hard drive needs to
be cryptographically erased" and
2. "...if the password is not known, it can be reused."

That second part--that the device can be re-used if the p/w isn't known--is
true if they still have the default security ID, right? If they lose it,
they're screwed, correct?

G

----- Original Message -----
From: "Scott S" <sc...@u.washington.edu>
To: <f...@www.xml-dev.com>
Sent: Wednesday, November 12, 2008 2:27 PM
Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black Armor
drive?


> Hi Dave,
>
> Security ID serves two functions:
>
> 1) It is the default password of the Black Armor. Like the way a user
> needs the old password to change to a new password, the Security ID
> serves as the old password.
>

> 2) (because the user wants to, or because the user forgot the password).


Razi Shaban

Nov 12, 2008, 3:15:59 PM
to f...@www.xml-dev.com
> That second part--that the device can be re-used if the p/w isn't known--is
> true if they still have the default security ID, right? If they lose it,
> they're screwed, correct?
>

>>> have to enter in a 25 character "Security ID" which looks like a
>>> software license key, and is printed on the back of the drive's case.

I'm not sure if this means case as in the HDD itself or the box it
comes in, but if it's the first it would be very difficult to lose. If
it's the second, that's another story.

--
Razi Shaban

Dave Jevans

Nov 12, 2008, 6:41:01 PM
to f...@www.xml-dev.com
It's printed on the outside of the drive case.

Scott S

Nov 12, 2008, 10:02:40 PM
to f...@www.xml-dev.com
As pointed out, the Security ID is printed on the Black Armor itself, so it will be hard to lose it. However, if it is somehow damaged/unreadable (btw there is also a print of a barcode for the Security ID, so it really needs to be damaged!), what then? Well, I think you're stuck. You may need to call Seagate for assistance at that point. But to emphasize, your data is gone not because the Security ID was lost, but because the password was forgotten.

This discussion leads to an interesting implementation, perhaps not originally intended, but nonetheless available if one chooses... If a user or an institution wants to reduce the "steal value" of the Black Armor, one can choose to scrape off the Security ID. And without it, one cannot reuse the Black Armor.

Scott

Robert Wann

Nov 12, 2008, 10:53:36 PM
to f...@www.xml-dev.com
Hi Scott,
 
As the Security ID serves as a default password to unlock the FDE drive inside the Black Armor, am I correct to assume that such unlock action releases the true AES 128-bit key to allow the operation of the FDE drive? If that's the case, are users required to partition and format the FDE drive after the default password entry? What happens to the AES key if the user establishes a new password? Can the user generate the AES key, or is it a default value stored protected by the Security ID at default and later at new password entry?
 
When you said the Security ID is also needed when the Black Armor hard drive needs to be cryptographically erased, exactly what do you mean by "cryptographically erase?" Is it an action that erases the true AES key or is it an action that erases the previously established user's password?
 
You also said: After the erase, the default password again becomes the Security ID. Does this mean the FDE drive permanently stores the Security ID?
 
Thank you,
Robert Wann

 
 
----- Original Message -----
From: "Scott S" <sc...@u.washington.edu>
Sent: Thursday, November 13, 2008 3:27 AM
Subject: Re: [FDE] What is the Security ID on a Seagate Maxtor Black Armor drive?

Scott S

Nov 13, 2008, 5:49:18 PM
to Robert Wann, f...@www.xml-dev.com
Hi Robert,

See response below.

Scott

On Thu, 13 Nov 2008, Robert Wann wrote:

> Hi Scott,
>
> As the Security ID serves as a default password to unlock the FDE drive inside the Black Armor, am I correct to assume that such unlock action releases the true AES 128-bit key to allow the operation of the FDE drive?

Correct.

> If that's the case, are users required to partition and format the FDE drive after the default password entry?

No, the password change does not affect the drive format given that the password is not the AES key. FYI, from the factory the drive comes partitioned and formatted as NTFS.

> What happens to the AES key if the user establishes a new password?

Stays the same. The user is just changing the password that unlocks the AES key.

> Can the user generate the AES key, or is it a default value stored protected by the Security ID at default and later at new password entry?

The management software that comes with Black Armor provides a "KeyErase" feature. This feature is the same as a cryptographic erase (or crypto-erase) of the drive. If you were to perform this action, what is really happening is that the original AES key is destroyed, and a new AES key is generated by the drive itself. The AES key is not visible/accessible to anyone/anything, except the drive itself. So yes, the user can generate it, but the user will never get to see it.

> When you said the Security ID is also needed when the Black Armor hard drive needs to be cryptographically erased, exactly what do you mean
> by "cryptographically erase?"

By this I mean having the "effect" of erasing the drive so that all the data is no longer accessible.

> Is it an action that erases the true AES key or is it an action that erases the previously established user's password?

It is both. When the user does a "KeyErase", a few things happen: 1) a new AES key is generated; 2) the password is "defaulted" to the Security ID; 3) the user is prompted to enter a new password; 4) the user is prompted to format the drive.

> You also said: After the erase, the default password again becomes the Security ID. Does this mean the FDE drive permanently stores the Security ID?

Correct. The Security ID is permanent and does not change. Having said that, its function is very specific and does not affect the data security itself. It serves more as an identification. For example, it prevents malicious programs from automatically performing a "KeyErase", because the programs can't ID the drive.


-------------------------------

Robert Wann

Nov 14, 2008, 3:30:40 AM
to Scott S, f...@www.xml-dev.com
Hi Scott,
 
Thank you for the explanation.
 
If the true AES key is erased and a new AES key is generated upon 'KeyErase' command, would you require user to perform partition and format after such action? Also, since the Security ID is permanently stored inside the FDE drive, would such new partition and format effectively destroy the new AES key along with the Security ID?
 
How would you guarantee that AES key is safe and can not be extracted?
 
Thank you,
Robert

H M

Nov 14, 2008, 5:03:25 PM
to f...@www.xml-dev.com
Implementation of security to an external retail drive.
 
The 25 character SID is created during production for every FDE drive. It is simply used to verify the possession of the drive.
On a new drive this SID is used as the Master Password to start security management, e.g. create user password, recovery password.
Once the user sets a password this SID can only be used to secure erase a drive when the user password was lost.
This is special to the Black Armor implementation as the probability that users will forget their passwords is too high. If the user password is lost there is no way to get back data stored on the drive.
In order for Seagate to not get back these drives just for the locked status, the SID can be used to secure erase the drive and make it reusable.
After secure erase all user data is gone and the drive starts on next power up as a virgin drive. The management SW on the locked drive is located in a secure, write protected area of the drive. Therefore this drive can be connected to any computer and there has no software to run on this computer which could detect a locked (protected) drive.
The user has to partition and format the drive after secure erase as there is no useful data on it any more.
 
On a notebook drive the implementation is different. Once a password is set the SID is no password any longer. On a secure erase as well the data in the locked drive mode would be cleared and the drive reset to unlocked state.
 
In order to run secure erase you need a valid password for the drive. On Black Armor the SID is for reusability purposes.
 
The AES key that is randomly generated on every secure erase, never leaves the drive and is unknown to Seagate. The drive encrypts always all data written to the media and decrypts it during read. The access to data means you can provide a valid password when powering up the drive.
 
 
HM

Dave Jevans

Nov 14, 2008, 6:13:07 PM
to f...@www.xml-dev.com
My Black Armor came up pretty much instantaneously after I entered my
password, and didn't require formatting. This leads me to believe it
is pre-formatted at the factory. That requires the AES key to be
generated in the factory rather than when the user first initialized
the device. Is this the case?

Scott S

Nov 14, 2008, 5:56:03 PM
to f...@www.xml-dev.com
Robert,

See response below.

Scott

> If the true AES key is erased and a new AES key is generated upon
> 'KeyErase' command, would you require user to perform partition and
> format after such action?

Yes, the user is required to set up a new password and format the drive.

> Also, since the Security ID is permanently
> stored inside the FDE drive, would such new partition and format
> effectively destroy the new AES key along with the Security ID?

No. Formatting does not affect the AES key and Security ID at all. It is
in an area protected from any external I/O access. The ASIC chip on the
drive that is processing the automatic encryption/decryption preserves
this vital information (and other things) in a way that is totally
transparent to the user (and OS), once the user has authenticated.

> How would you guarantee that AES key is safe and can not be extracted?

This is part of the FDE "enclosed" construct. AES key is only known and
used by the drive.

--------------------

Simson Garfinkel

Nov 14, 2008, 9:33:22 PM
to f...@www.xml-dev.com, Dave Jevans
Dave,

Considering that it takes about a millionth of a second to generate an
AES key, I don't think that you can tell much from the fact that it
came up instantaneously after you entered your password.

The fact that it came up instantly without formatting means that it
had a FAT32 filesystem on it.

My guess is that the system has per-device session key and that the
key is then encrypted with your password. But that's just a guess.
There are lots of ways to build such a system.
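
The arrangement discussed in this thread (a password that only unlocks a drive-generated AES key, a password change that leaves that key alone, and a KeyErase that replaces the key and resets the password to the Security ID), as an added Python model that is not part of any post and is not Seagate's implementation. `ToyDrive`, its method names, the sample Security ID and the PBKDF2/XOR/HMAC wrapping (a standard-library stand-in for a real AES key wrap) are all assumptions.

```python
import hashlib, hmac, os

SAMPLE_SID = "ABCDE-FGHIJ-KLMNO-PQRST-UVWXY"  # constructed 25-character ID

def _kek(password, salt):
    # 32 bytes: first 16 mask the media key, last 16 key the check tag.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, 32)

class ToyDrive:
    """Hypothetical model of the drive's key handling (an assumption)."""

    def __init__(self, security_id):
        self._sid = security_id                   # permanent, never changes
        self._store(os.urandom(16), security_id)  # factory: SID is the password

    def _store(self, dek, password):
        self._salt = os.urandom(16)               # fresh salt for every wrap
        k = _kek(password, self._salt)
        # Stand-in for AES key wrap: XOR mask plus HMAC tag over the result.
        self._wrapped = bytes(a ^ b for a, b in zip(dek, k[:16]))
        self._tag = hmac.new(k[16:], self._wrapped, "sha256").digest()

    def _unwrap(self, password):
        k = _kek(password, self._salt)
        tag = hmac.new(k[16:], self._wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, self._tag):
            raise PermissionError("wrong password")
        return bytes(a ^ b for a, b in zip(self._wrapped, k[:16]))

    def unlock(self, password):
        # Returns only a fingerprint of the media key so the model can be checked.
        return hashlib.sha256(self._unwrap(password)).hexdigest()[:16]

    def change_password(self, old, new):
        self._store(self._unwrap(old), new)       # same media key, new wrapping

    def key_erase(self, security_id):
        if not hmac.compare_digest(security_id.encode(), self._sid.encode()):
            raise PermissionError("wrong Security ID")
        self._store(os.urandom(16), self._sid)    # new key, password back to SID

def demo():
    d = ToyDrive(SAMPLE_SID)
    before = d.unlock(SAMPLE_SID)
    d.change_password(SAMPLE_SID, "correct horse")
    after_change = d.unlock("correct horse")
    d.key_erase(SAMPLE_SID)
    after_erase = d.unlock(SAMPLE_SID)
    return before, after_change, after_erase
```

In this model the data written under the old media key becomes unreadable after `key_erase` because the key that decrypts it no longer exists anywhere, which is why a format is needed afterwards.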

Robert Wann

Nov 17, 2008, 12:57:10 AM
to f...@www.xml-dev.com
Scott,
 
Thank you. Speaking of preserving AES key and SecurityID as well as other vital information, I suspect it is the drive controller and its firmware that controls the hidden sectors access, not the encryption/decryption ASIC, for the reasons that the AES key and SecurityID won't get destroyed during another round of partition and format.
 
From reading your remark, it seems to me that the AES key is guarded by either the SecurityID or the User's Password, which are all written into the hidden sectors controlled by the drive firmware. Your remark "This is part of the FDE "enclosed" construct. AES key is only known and used by the drive" does not offer the complete security architecture of the FDE drive and thus is not persuasive.
By the way, are you an employee or affiliate of Seagate?
 
Thanks,
Robert

Scott S

Nov 17, 2008, 7:49:46 PM
to f...@www.xml-dev.com
Robert,

My responses were just simplified/"easy to read" answers to your questions.
For full technical details and the architecture schema of the security, you
will need to contact Seagate. I can tell you, however, that Seagate's
FDE drives (like the one in Black Armor) are based on the trusted
storage specs from the Trusted Computing Group:
https://www.trustedcomputinggroup.org/specs/Storage/

Scott

Dmitry Obukhov

Nov 17, 2008, 10:03:38 PM
to f...@www.xml-dev.com
Scott,

This is not exactly right. Seagate supports Enterprise SSC on enterprise
class Cheetah drives. However, Momentus FDE.1 and FDE.2 are based on the
proprietary authentication scheme. I hope Seagate folks can clarify on
FDE.3.

The first laptop TCG Opal drive was demonstrated today by Fujitsu in San
Francisco and I would like to congratulate Fujitsu team for this great
achievement.

Dmitry
