back to article Solid state of fear: Euro boffins bust open SSD, Bitlocker encryption (it's really, really dumb)

Fundamental flaws in the encryption system used by popular solid-state drives (SSDs) can be exploited by miscreants to easily decrypt data, once they've got their hands on the equipment. A paper [PDF] drawn up by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, and made public today, …

Silver badge

Re: The issue is changing the password...

>Indeed. My understanding is that is how LUKS works.

How about bioctl and CRYPTO? Asking for a friend :)

2
0
Silver badge

Re: The issue is changing the password...

Interesting how you describe quite accurately how encryption on an iPhone works.

8
0
Silver badge
Unhappy

Re: The issue is changing the password...

let's say the encryption key is derived from a math operation on a hash of the password/passphrase and the stored key on the disk. If you change the password, you'd need to re-calculate the stored key. If it's possible to do this from the actual key, that might at least address THIS problem. But a truly secure system might derive the actual key with a 1-way operation (like matrix multiply or similar).

in any case these things _COULD_ be solved in ways that make the system secure, and "not what THEY did".

11
0
Anonymous Coward

Re: The issue is changing the password...

> If the DEK is derived from the user password, changing the user password requires to decrypt and re-encrypt the whole disk with the new key. Thereby I'm not surprised the DEK is separated. What should be derived from the user password is the key protecting the DEK - so changing it would require only a small decrypt/re-encrypt.

Here's the attack introduced by your proposal:

1) Bad Guy gets access to the drive for long enough to get the encrypted DEK

2) Later, Bad Guy figures out passphrase

3) User goes "oh no, Bad Guy has my passphrase, I better change it" and changes passphrase, and changes e.g. all their Internet passwords and other secrets that were stored on that disk.

4) Bad Guy gets access to the drive again... this time they can use the OLD passphrase and the OLD encrypted DEK to get the STILL-CURRENT DEK and access the drive.

5) Now Bad Guy has all the NEW secret data that User created after changing their passphrase

For extra fun, you can swap over steps 2 and 3 - i.e. the Bad Guy might only figure out the passphrase after the user has changed it.

Some people might consider this OK, but it's very counter-intuitive that changing the passphrase doesn't actually get you any security against people who know your old passphrase. And many people won't understand it. It's much simpler (which is more secure) to have changing the password re-encrypt the whole disk.

7
14
Silver badge

Re: The issue is changing the password...

Having the drive manufacturer decide the encryption key means that the user isn't in control.

There is a method/command to trash the existing DEK and generate a new random DEK. A crryptographic disk erasure (or crypto erase) command. This will destroy any existing data on the drive (since you are trashing the key used to encrypt any existing data). But can be done on a brand new drive before putting any data on it, or when you want to re-partition/format the drive anyway.

Therefore the manufacturer won't know the key in this case, although in theory they shouldn't know the DEK on the drive you purchase because before leaving the factory it should be be put into some sort of 'shipping' mode that will generate a new random key when it is next powered on. And, in theory at least (exploits are being found all the time) a generated DEK cannot be extracted from the drive once it is generated.

15
1
LDS
Silver badge

"the process will just take some time"

Decrypting and re-encrypting terabytes of data is often not an option.

15
0
Anonymous Coward

"User goes "oh no, Bad Guy has my passphrase"

The whole system is evidently compromised. You need a new, better system, not a new passphrase. Evidently once you got the decryption key is utterly useless to re-encrypt it with a different password, you don't even need the old password, you can just read data and decrypt them.

Anyway, in your scenario even if you change the DEK the bad guy will be able to get it again, as it has done previously. But in the paper it looks they didn't get the DEK (which could be protected inside the disk) - they just cheated the firmware to access it whatever password they used.

10
0
Gold badge
FAIL

The illusion of security.

Without actual security.

Something people who buy disks should keep in mind.

6
0
Anonymous Coward

Re: The issue is changing the password...

Interesting how you describe quite accurately how encryption on an iPhone works.

AFAIK also done in FileVault..

1
0
Silver badge

Re: The issue is changing the password...

You, literally, have no idea what you are talking about vis-a-vis this attack. At no time is there anything to do with the user's passphrase. None. This is all about convincing the firmware in the disk itself that you are an authorized user to see the decrypted content of the data on the drive.

If there were everything including the stars aligning to establish the user's passphrase, that'd be a different matter. I've the tools (Tesla GPGU) and various Rainbow tables, which I do have, that isn't an attack that will give you much return in terms of cryptological return.

We've short-circuited the entire security stack. THAT is the problem.

3
0
Silver badge

Re: The issue is changing the password...

This is all about convincing the firmware in the disk itself that you are an authorized user to see the decrypted content of the data on the drive.

Basically this. In fact it is another example of a system storing the "password" in plain text. Really the SSD sector encryption key should never be stored in non-volatile memory, hence it should not be possible to simply bypass it by a firmware change. It should be generated on demand from the stored part and the user-supplied pass phrase.

If you need to change your pass-phrase then you decrypt using the old one, check its OK (e.g. CRC as part of the stored 'key') and then re-encrypt using the new pass phrase.

4
0
Anonymous Coward

Re: The issue is changing the password...

"If the DEK is derived from the user password, changing the user password requires to decrypt and re-encrypt the whole disk with the new key."

To me that's the whole idea of the password. Bypass the encryption key or store it somewhere and byebye security.

2
0

Re: The issue is changing the password...

Yes. That’s a risk at high security level.

If you don’t like it, consider a FIPS compliant solution. Not consumer or even enterprise grade, more TLA.

BitLocker is primarily for “I lost my laptop on the train”

2
0
Silver badge
Holmes

All together now....

"PROTECTING YOUR DATA IS OUR FOREMOST CONCERN"

Microsoft trusting these devices to implement Bitlocker has to be the single dumbest thing that company has ever done.

I don't think so, compared to all the security pratfalls over the ages apparently implemented by TOP.SKILLED COMPUTER SCEINTIST this doesn't sound so bad.

17
3
Silver badge
Headmaster

"should not rely solely on hardware encryption"

Always true, not just for SSDs.

No source, no security.

28
3
Silver badge
Devil

Re: "should not rely solely on hardware encryption"

POSIX systems have a cert mechanism for ssh that might work for mounting an encrypted file system using a FUSE file system, as one example...

if it does not already exist, it should.

/me could create one if I wanted to... but do I _NEED_ to?

2
0
Silver badge

Re: "should not rely solely on hardware encryption"

And, because it wasn't mentioned in the article, if you use BitLocker, here are the Group Policies for determining whether it should use Hardware Encryption or not:

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings

Configure use of hardware-based encryption for fixed data drives

Configure use of hardware-based encryption for operating system drives

Configure use of hardware-based encryption for removable data drives

4
0
Silver badge

Re: the Group Policies for determining whether it should use Hardware Encryption or not

So this isn't "MS didn't write it properly" it's "MS fucked the defaults up"? (By assuming that you bought disks with hardware encryption deliberately?)

2
4

Re: the Group Policies for determining whether it should use Hardware Encryption or not

It's not even that. All MS did was expect hardware vendors to implement the standard properly. Either that or the standard itself is fucked. Hardly Microsoft's fault at all..

9
2
Silver badge

Re: the Group Policies for determining whether it should use Hardware Encryption or not

No Microsoft should have made it so that by default it would only use the hardware encryption on devices if Microsoft had verified and certified that device.

8
6
Silver badge

Re: the Group Policies for determining whether it should use Hardware Encryption or not

Even if that were true, it could've been fine at first then borked (without Microsoft's knowledge) later. Or, in this case, something slipped through which standardization wasn't set up to catch.

0
2
Silver badge

Perhaps its just as well

That I couldn't get the poking HW encryption working on my Samsung 850 EVO then.

The steps Samsung suggest you need to go through, like pulling out certain cables while standing on one leg in a vat of cold porridge were clearly written by someone who'd never seen an M.2 device.

So I've ended up with bitlocker using SW encryption. I suspect there are ways around that too, but the customer who's paying the bill insists on bitlocker on the PC.

There has to be a way for the system to access the disk before getting the password since normally with bitlocker W10 boots first and asks for the password later.

6
0
Silver badge

Re: Perhaps its just as well

So I've ended up with bitlocker using SW encryption. I suspect there are ways around that too, but the customer who's paying the bill insists on bitlocker on the PC.

Well if you know any you should contact Microsoft for a hefty bounty. Bitlocker is very good. The only way "around it" that I know of is if you store a copy of your keys with Microsoft for disaster recovery, which is optional. Basically, if you want to guard against thieves and competitors, it's fine. If you want to guard against the FBI or CIA, keep the keys local (or don't keep a backup at all!).

5
0
Silver badge

Re: Perhaps its just as well

"There has to be a way for the system to access the disk before getting the password since normally with bitlocker W10 boots first and asks for the password later."

There first part of the boot process is stored unencrypted, once it reaches a certain stage it asks for the password to decrypt the rest of the drive.

The unencrypted part is protected by UEFI Secure Boot to prevent tampering.

3
0
Silver badge

Re: Perhaps its just as well

not keeping a backup of keys for you bitlocker drive is very silly. Most enterprise probably backup the keys in AD though.

0
0
Anonymous Coward

Re: Perhaps its just as well

"The only way "around it" that I know of is if you store a copy of your keys with Microsoft for disaster recovery, which is optional. "

Microsoft _claims_ is optional. In real life BitLocker keys are stored automatically to your Microsoft account if you have one. And there's no way to stop that.

1
0

Drive firmware updates?

I wonder if there'll be any firmware updates released, and if these will be able to fix the issue without effectively junking all the data on the drive.

I also wonder what the performance hit is of software vs on-disk-hardware encryption. Newer CPUs have AES instructions built in so unless your processor is already running at 100% it presumably won't be too bad?

BitLocker documentation is here: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hdeosd

I imagine you'd have to decrypt then re-encrypt the drive after changing this setting, which would be somewhat time consuming.

It'll be interesting to see if/what guidance Microsoft produce on this topic.

5
0

Re: Drive firmware updates?

An update may be OK on a desktop or laptop, but I can't imagine doing this on a large disk array or storage device. Given the problem is at drive level not at the OS layer I would expect the solution to be a bigger issue than the problem.

2
0
Boffin

Re: Drive firmware updates?

Can happen. Dell, as an example of this, publishes update packages that go through every drive in a raid controller updating the firmware. Offline of course. IIRC the firmware is signed.

2
0

This explains it

I always wondered how the hackers on those police dramas are always able to access the bad guy's computer.

35
0
Anonymous Coward

Re: This explains it

They type faster than you and don't use the mouse.

25
0
Trollface

Re: This explains it

They also have the software that puts up 'HACKING PASSWORD' in 196 point red letters.

29
0
Silver badge

Re: This explains it

@ oldtaku

Don't forget the all important "Bypass password" when all else fails

10
0
Anonymous Coward

Re: This explains it

Yeah, but it turns out the “HACKING PASSWORD” is just as fake as the underlying SSD encryption...

Who knew these cop shows would turn out to be so realistic?

17
0
Silver badge

Re: This explains it

They type faster than you and don't use the mouse.

Ahh, so that's why sometimes they have 2 people bashing at the same keyboard, to increase the typing speed.

14
0
Anonymous Coward

Re: This explains it

"Who knew these cop shows would turn out to be so realistic?"

On the other hand, Person of Interest - an excellent show - very much underplayed how easy it is with the right skills and tools to compromise a smartphone, making the show's limitations far greater than real life.

Maybe the didn't want to scare people, or maybe they thought people wouldn't be able to (or want to) accept such an obviously 'fictional' ability.

4
0
Silver badge

Re: This explains it

> They also have the software that puts up 'HACKING PASSWORD' in 196 point red letters.

There is some pretty amazing software available on the internet these days. A lot easier than in days of old.

2
0
Silver badge

Re: This explains it

Ahh, so that's why sometimes they have 2 people bashing at the same keyboard, to increase the typing speed.

Always a favourite: https://www.youtube.com/watch?v=u8qgehH3kEQ

5
0
Silver badge

Re: This explains it

What, those amateurs...? Meh... behold proper pwnage: https://www.youtube.com/watch?v=p_6hxB1OK00

0
0
TRT
Silver badge

Re: This explains it

I was looking for a clip of Robocop's data spike.

2
0
Silver badge
Trollface

Re: This explains it

As cool as that was, it can end in tears - remember how R2D2 and C3PO had to wander around looking for a compatible socket (that isn't just a power socket) after being booted out from the control room? Fingers might be slower, but all you need is a keyboard / terminal...

2
0
TRT
Silver badge

Re: This explains it

I've recently come to wonder if R2D2 got The Death Star pregnant.

1
0
Facepalm

I'm just going to quote the paper - nuff sed

'The drive's contents is still accessible to anyone in possession of the default Master password... which is an empty string.'

10
0
Anonymous Coward

Full Disk Encryption Not Good For SSD

Using full disk encryption on SSD can severely shorten the life expectancy of the SSD. This is because the full disk encryption causes the NANDs on the drive to change state every time they start up the drive. Where I work, they use full disk encryption on SSDs and they have to replace the SSD every 4 years or less. So, if you use full disk encryption on SSDs have a good back regime as you never know when it is going stop working.

3
9
Silver badge
Meh

Re: Full Disk Encryption Not Good For SSD

an SSD-friendly encrypted file system would encrypt file names, path names, etc. from the index, but would not encrypt the block allocation, pointers, indexes, etc. so as to minimize the impact of encryption on re-writes. That way the data would still be encrypted, along with the names, but would not have to re-encrypt large parts of the file system because you changed something.

it would still be possible to determine "this is a large file" and try to decrypt it the hard way, but with a strong enough key... good luck. maybe you could look for file headers as a 'crib' of some kind, but a properly designed algorithm would prevent THAT from working, too.

4
3
Silver badge

Re: Full Disk Encryption Not Good For SSD

Samsung SSDs use the full disk encryption function at all times, even if you've never set the password. It just doesn't require the user to present a passphrase/password first. That's presumably where the null password thing someone else mentioned comes from.

10
0
Silver badge
Megaphone

Re: Full Disk Encryption Not Good For SSD

Ignore everything else. Just "have a good backup regime as you never know when it is going to stop working". That applies to any data storage medium, whether you use encryption or not.

7
1
Silver badge

Re: Full Disk Encryption Not Good For SSD

Just encrypt page-by-page. Doesn't matter what any of the data means.

You have to erase and write by whole pages anyway, so decrypt-append-encrypt-write-erase doesn't add much (any?) flash wear.

Keep the state around so you can keep streaming more data into a page until it's full or power is lost, and there's no extra wear at all.

8
0
Anonymous Coward

Re: Full Disk Encryption Not Good For SSD

So, if you use full disk encryption on SSDs have a good back regime as you never know when it is going stop working.

So, however you store your data have a good back regime as you never know when it is going stop working (sic).

There, FTFY,

2
0
Silver badge

Re: Full Disk Encryption Not Good For SSD

But then you're gonna need a good backup scheme FOR your backup scheme since you never know when Murphy will strike and take out your backup just when you need it. And then you'll need a backup for that, too, and so on. Turtles All The Way Down.

At some point, you're gonna just have to shrug and say, "That's as far as I can go."

2
2

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018