Intel SSD 520 / Samsung 840 EVO hardware encryption secure?

[stoked-security]

Hi,
I have been reading up on available information regarding the hardware encrytion available for both the Intel SSD 520 and the Samsung 840 EVO. I must say details are sparse, but I am trying to evaluate if the hardware encryption offered by these SSDs are more/less secure than software FDE like LUKS/Truecrypt. My intention is not to start a discussion on software FDE, but instead focus on the hardware solution.

What I know till now is that both drives encrypt information by default using AES and that the key is stored in the embedded controller. Without a ATA password this encryption is transparant to the user. According to the following blog if an ATA password is set, it will be used to hash the AES key:
http://vxlabs.com/2012/12/22/ssds-with- ... ncryption/

What I don't know if what hashing algorithm is being used, how many rounds of hashing are applied and most importantly if this information is also stored outside the SSD controller. I know this may vary from vendor to vendor, but any more information is welcome.

I have also been also reading some posts on this forum about ATA passwords. From what I understand these passwords are actually being stored on special areas of the disc in a proprietary vendor specific format. This is not part of the ATA specs, but actually a vendor specific extension and special commands or modes are commonly used to set this information. However, I am not sure how much of this still applies to a modern SSD that uses full disc encryption? Is it still possible to access this information using MHDD? Is the ATA password indeed still stored in obfuscated or hashed format somewhere on the disc? Would an offline brute force attack be feasible in case of hashed passwords? I know this is dependant on the length of the ATA password, but also depends on the used hashing algorithm and the rounds of hashing.

Last but not least there is also the NSA ANT catalog, which was recently released and it a sort of internal shopping list. It shows what the NSA was already capable of in 2007. One of the items also involves disc firmware modification:
http://engineeringevil.files.wordpress. ... -19-55.jpg

This brings me to my last question. Is it still possible to update firmware on SSDs that have an ATA password set? If yes, this seems like a perfect way to perform an evil maid type of attack on the hardware FDE.

I know there are a lot of questions in this post, but I hope some of you will be able to shed some light on some of the topics or guide me into the right direction to do further research.

[Doomer]

You also need to be concerned of how exactly the data key(s) is generated. Because no matter how secure is the password hashing, if the key can be easily replicated - it's not secure. Also you don't know if vendor stores a copy of the key encrypted with some kind of "secret" password which is known only to certain people.

Generally speaking if you don't know how exactly the algorithm works inside those drives - you should be concerned. And you can't know it exactly, unless you do firmware/hardware RE on a very deep level. That's not an easy job and it is expensive, so I doubt you would have definitive answer to your question just by asking it on a forum.

In my opinion if you paranoid enough - you should use TrueCrypt, otherwise take vendor's word and assume that even if there is a backdoor, only small number of people knows it even exist and your data is relatively safe.

[HaQue]

Hi,
I don't know the answers to your question. but as you seem interested in the same thinngs I do, I am sure you have seen the talk bunnie did on the SD card Hacking at 30c3.

IMHO the same techniques could be used to gather the info you require, IE monitor the bus, rev eng any software used to communicate with the drive to look for any vendor specific commands outside the specs and rev eng firmware.

one way to asses which is a better/stronger method might be that if any DR company says they can recover data once encrypted, the take that as a mark against and a reason to use truecrypt. BTW truecrypt is getting an audit, I haven't heard if it is completed yet.

The stuff that NSA talked about in '08 makes me wonder what a 2014 ANT would look like! <"Homer simpson drool" "aaaaarrrrrrgggrr">

[stoked-security]

You also need to be concerned of how exactly the data key(s) is generated. Because no matter how secure is the password hashing, if the key can be easily replicated - it's not secure. Also you don't know if vendor stores a copy of the key encrypted with some kind of "secret" password which is known only to certain people.

Generally speaking if you don't know how exactly the algorithm works inside those drives - you should be concerned. And you can't know it exactly, unless you do firmware/hardware RE on a very deep level. That's not an easy job and it is expensive, so I doubt you would have definitive answer to your question just by asking it on a forum.

In my opinion if you paranoid enough - you should use TrueCrypt, otherwise take vendor's word and assume that even if there is a backdoor, only small number of people knows it even exist and your data is relatively safe.

All very valid points. I didn't expect a definitive answer if it is secure, but I figured people who would know best are probably visiting this forum. Maybe some research has already been done that people would like to share. Also I am quite experienced pentester, but not so much at this low level for SSD/HDD. I am also trying to find out if this is an area worth researching and if it would be feasible to do it.

I don't know the answers to your question. but as you seem interested in the same thinngs I do, I am sure you have seen the talk bunnie did on the SD card Hacking at 30c3.

I am half way and still have to finish it. On one hand it is similar on the other hand it is probably more difficult. It seems to me that a SSD or HDD has a more generic software interface through the ATA extensions. Still not for the faint of heart, but maybe you don't need to do so much hardware hacking in this case and my assumption is that it can all be done through software RE and the ATA bus.

one way to asses which is a better/stronger method might be that if any DR company says they can recover data once encrypted, the take that as a mark against and a reason to use truecrypt. BTW truecrypt is getting an audit, I haven't heard if it is completed yet.

Yes, I have been looking for claims like that, but didn't find a clear answer. Some website seem to hint that they are capable of doing this, but the details for which brands and models are sparse.

So, one basic question I still have, can MHDD be used to access the firmware areas of a SSD? A starting point would be to use the vendor tools and change the ATA passwords and dump these areas before and after and see how much changes. Next step would be to RE the software further and see how it communicates with the drive.

[Doomer]

So, one basic question I still have, can MHDD be used to access the firmware areas of a SSD?

The answer is maybe: if there are vendor commands to access FW, if you know the vendor commands and if those commands work in ATA-compatible PIO mode.

Intel 520 is basically SandForce, many people broke their teeth trying to crack that nut. SandForce has been paranoid about protecting their IP, so you probably won't find any important vendor commands in vendor tools and keep in mind that FW updates are encrypted and only decrypted inside the drive. JTAG won't help you either. Also even if you get decrypted code for the drive - their is no publicly available tools to disassemble the code for that CPU.

Samsung is more easy going. Their FW updates are obfuscated but their obfuscation is a joke - can be cracked in an hour. They use ARM CPU - a lot of public disasm tools are available. You could start RE on that one if you like