1. What is the mode of operation for the AES block cipher (e.g., ECB, CBC, CTR, etc)?I had similar questions about Seagate's Full Disk Encryption (FDE) hard drive, and couldn't get any answers there, either. According to AES Certificate #587, Seagate is using Electronic Code Book (ECB) for their FDE. Unfortunately, ECB is a very insecure mode-of-operation, one that I hope NIST eventually withdraws. To visually see what I mean, take a look at the ECB encryption of Tux the penguin. The latest rumors I've heard is that Seagate is moving to cipher-block-chaining (CBC) encryption (a much more secure mode-of-operation) for subsequent encrypting hard disks. Fujitsu will likely take a similar course, although there is expected to be some flexibility in the algorithms.
===> We don't disclose this.
2. How are the 256-bit AES keys managed?
===> We don't disclose this.
3. Is Fujitsu considering NIST FIPS 140-2 certification for this disk drive (like Seagate is doing)?
===> under consideration.
In contrast, tape drive vendors have been much more open about the details of their tape encryption. According to the LTO-Technology page, LTO uses the AES-GCM mode as specified in IEEE P1619.1 (soon to be published as IEEE Std 1619-2007). Sun's T10000 uses AES-CCM, both as specified in P1619.1 and in NIST SP 800-38C. IBM's TS1120 also uses AES-GCM.
So why aren't hard disk vendors disclosing the technical details about their encryption implementation?
Here are my thoughts:
- Hard disk vendors don't think that the mode of encryption is too important because it is difficult to get direct access to the encrypted data (this would require bypassing the firmware or putting the hard disk on a spin stand)
- Hard disk vendors are afraid that weaknesses will be found in their encryption mode, whether real or perceived
- There are no good standards to use for hard disk encryption
While it is true that most users don't understand enough about encryption to even know what a mode-of-operation is, I believe that these details will become increasingly important as buyers become better educated and demand open details about the encryption. Otherwise there is no way to know whether you've been sold snake oil that doesn't actually provide measurable benefits (for example, weak ECB encryption of the entire hard disk using the otherwise strong AES block cipher).
Concerning standards, this is an example of how the late arrival of IEEE 1619 has caused confusion in the storage encryption industry. When IEEE 1619 start about 6 years ago, the goal was to create a strong encryption standard suitable for data storage devices. First came the wide-block EME mode. This mode fell when Antoine Joux found a vulnerability that sent Shai Halevi and Phil Rogaway back to the drawing board. Next was the LRW mode. This fell when Niels Ferguson of Microsoft noted in Crypto 2006 that you can leak the tweak key if encrypted with itself (Microsoft has no control over where the keys are). About this same time, the Trusted Computing Group wanted to endorse LRW (this was dropped). About two years ago during the LRW unrest, Mart Somermaa pointed the group to the XEX mode as proposed by Phil Rogaway. The P1619 group added ciphertext-stealing to this mode and called it XTS-AES.
The XTS-AES algorithm was approved last December by IEEE as part of IEEE 1619-2007, and is nearly published. After it is published, IEEE will submit XTS to NIST for consideration as an Approved Mode of Operation for FIPS 140-2. If NIST accepts XTS, then this will become an excellent mode for hard disk vendors to consider.