Delkin Blog

Industrial Flash Storage Encryption and Security Features


In many industrial flash storage applications, data security is a critical consideration. In healthcare, transportation and automation, as well as in governmental and military applications, sensitive data is stored on the drive, and if that data is read by unintended parties the consequences can be severe.

Over time, flash storage controllers have gained the ability to encrypt data on the media and to control who may read it, and the host-side techniques that complement that capability have matured alongside them.


Data Protection

Early HDDs adopted the ATA Security feature set, which allows a drive to be "locked" with a password so that standard ATA read and write commands are refused until it is unlocked. This low-level lock provided rudimentary protection, but the data itself was stored in the clear: a locked drive could be disassembled and the platters read directly, bypassing the lock entirely. Such recovery is not trivial, but it is well within the abilities of most data recovery firms.

The same technique extends to an SSD: if the drive is locked, the flash chips can be desoldered and read directly with a chip programmer. This is also non-trivial, and it is complicated by the fact that SSD firmware does not store data sequentially the way an HDD does. The flash translation layer scatters logical sectors across chips, dies and pages for wear leveling, so the recovered image must be reassembled using the controller's mapping. Again, not an impossible task for a determined recovery group.

Drives have since adopted methods of encrypting the data directly on the media (self-encrypting drives), which defeats the recovery methods above: after recovering the raw flash contents, a recovery service would still need the key to decrypt them.


Encryption in Place

Encrypting data directly on the drive helps prevent physical data recovery. However, once a system is running and the drive is "open" (unlocked), the attached host is free to read the entire drive in plaintext. On-drive encryption therefore does nothing against an insider attack: anyone with access to the running host can offload the whole drive's contents.


Encryption in Flight

To limit an insider breach of an open drive, encryption in flight is required: the data is encrypted before it reaches the drive and decrypted only after it is read back. Software packages for most operating systems (full-disk, volume or file-level encryption) perform this encryption and decryption on the fly on the host, rather than leaving the function to the drive. Data is written to, and read from, the drive as ciphertext, and the drive is unaware whether the data it stores is encrypted or not. How much this adds depends on where the keys live: an insider who can reach the drive but not the key material obtains only ciphertext, while an insider who already controls the host with the volume mounted sees plaintext either way. Because host-side keys can be scoped per user, per volume or per file, the exposure is narrower than a single drive-wide unlock.


Encryption Standards

The most common cipher for encrypting data directly on a drive is the Advanced Encryption Standard with a 256-bit key (AES-256). AES-128 is not a broken cipher; AES-256 is preferred in storage products for its larger security margin and because some government and military procurement rules require it. What matters far more in practice than the key length is the mode of operation: the rule for how the 16-byte AES blocks within a sector are combined. The mode determines whether repeated data leaks patterns in the ciphertext, whether one sector (or one block within it) can be read or written without touching its neighbours, and how much work the controller does per sector.

Modes of operation, in order of complexity

  • Electronic Code Book (ECB)
    • The simplest mode, named after conventional physical codebooks. The data is divided into 16-byte blocks and each block is encrypted independently with the same key. Two identical plaintext blocks produce two identical ciphertext blocks, so file structure and repeated records remain visible in the ciphertext; ECB is not an acceptable mode for stored data.

  • Cipher Block Chaining (CBC)
    • Each plaintext block is XORed with the previous ciphertext block before being encrypted; the first block is XORed with an initialization vector (IV). Every ciphertext block therefore depends on all plaintext processed before it in that unit of data, which hides repeated blocks, but encryption within a sector cannot be parallelized, and a distinct IV per sector is needed so that identical sectors do not encrypt identically.

  • Xor-encrypt-xor based tweaked-codebook mode with ciphertext stealing (XTS)
    • The mode standardized for sector-based storage (IEEE 1619). Rather than chaining blocks, each block is combined with a "tweak" derived from the sector number and the block's position within the sector, so identical data written to different sectors produces different ciphertext, and any block can be encrypted or decrypted on its own. Ciphertext stealing lets XTS handle a data unit whose length is not a whole number of blocks without expanding it, which is why XTS, unlike ECB and CBC, is not limited to fixed-size multiples of the block length.


Encryption Keys

AES-256 is a symmetric, reversible cipher: data encrypted with a key can be decrypted with the same key. A hash such as SHA-256 is not encryption at all; it produces a fixed-size digest from which the input cannot be recovered, so it can only be used to verify data, never to hide it and later get it back.

To decrypt data that was encrypted with AES-256, the decrypting hardware or software must hold the key value(s) with which the data was encrypted. In XTS mode this is a 512-bit key handled as two 256-bit (32-byte) halves: Key1 encrypts the data blocks, and Key2 encrypts a 128-bit (16-byte) tweak value, normally the sector (data unit) number, to produce the tweak applied to the first block of that sector. The tweak for each subsequent block is derived from the first by a fixed multiplication in GF(2^128), so it depends only on the block's position, not on the surrounding data; this is what lets a drive encrypt or decrypt any sector, and any block within it, independently.

Losing either half of the key is fatal to decryption, and holding one half gives no shortcut to the other.

In a self-encrypting drive these keys are generated and held inside the drive controller; they are known only to the drive and are not exposed to the host.
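The three modes listed under Encryption Standards, and the XTS two-key/tweak structure described just above, as an added example (not code from the original post, and not Delkin's or any drive vendor's firmware). The block cipher is a toy Feistel permutation standing in for AES so the block runs stand-alone; the keys and data are constructed for the demonstration. The mode logic itself (ECB, CBC chaining, XTS tweak derivation by multiplication by alpha in GF(2^128), and ciphertext stealing for a data unit that is not a whole number of blocks) is the real thing and would be unchanged with AES underneath.

```python
"""ECB, CBC and XTS modes over a pluggable 16-byte block cipher.

Constructed example. toy_block_cipher is a toy Feistel permutation, NOT AES; it only
stands in for AES so the mode logic (chaining, tweaks, ciphertext stealing) runs
stand-alone. Replace it with AES and the mode code below is unchanged.
"""
import hashlib

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_cipher(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Toy 4-round Feistel permutation on one 16-byte block (NOT AES)."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    rounds = range(4)
    if decrypt:                  # Feistel inverse: swap halves, run rounds backwards, swap back
        rounds, (l, r) = reversed(rounds), (r, l)
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:8]
        l, r = r, xor(l, f)
    return (r + l) if decrypt else (l + r)


def ecb(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """ECB: each block on its own. Identical plaintext blocks give identical ciphertext."""
    assert len(data) % BLOCK == 0
    return b"".join(toy_block_cipher(key, data[i:i + BLOCK], decrypt)
                    for i in range(0, len(data), BLOCK))


def cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (the IV first)."""
    assert len(data) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if decrypt:
            out.append(xor(toy_block_cipher(key, blk, True), prev))
            prev = blk
        else:
            prev = toy_block_cipher(key, xor(blk, prev))
            out.append(prev)
    return b"".join(out)


def gf128_mul_alpha(t: bytes) -> bytes:
    """Multiply a 128-bit tweak by alpha (x) in GF(2^128), little-endian as in IEEE 1619."""
    n = int.from_bytes(t, "little")
    carry = n >> 127
    n = (n << 1) & ((1 << 128) - 1)
    return (n ^ 0x87 if carry else n).to_bytes(BLOCK, "little")


def xts(key1: bytes, key2: bytes, sector: int, data: bytes, decrypt: bool = False) -> bytes:
    """XTS: key2 encrypts the sector number into tweak T; block j of the sector uses T * alpha^j.
    The tweak depends only on position, so every block can be processed independently.
    A trailing partial block is handled by ciphertext stealing (output length == input length)."""
    assert len(data) >= BLOCK, "XTS needs at least one full block per data unit"
    nfull, tail = divmod(len(data), BLOCK)
    tweaks, t = [], toy_block_cipher(key2, sector.to_bytes(BLOCK, "little"))
    for _ in range(nfull + 1):
        tweaks.append(t)
        t = gf128_mul_alpha(t)

    def crypt(blk: bytes, tw: bytes) -> bytes:   # XEX: xor tweak, (de)cipher, xor tweak
        return xor(toy_block_cipher(key1, xor(blk, tw), decrypt), tw)

    plain_blocks = nfull - 1 if tail else nfull  # blocks handled without stealing
    out = [crypt(data[j * BLOCK:(j + 1) * BLOCK], tweaks[j]) for j in range(plain_blocks)]
    if tail:
        m = nfull - 1                            # last full block, followed by `tail` bytes
        full, part = data[m * BLOCK:(m + 1) * BLOCK], data[(m + 1) * BLOCK:]
        if not decrypt:
            cc = crypt(full, tweaks[m])          # encrypt the last full block...
            out.append(crypt(part + cc[tail:], tweaks[m + 1]))  # ...steal its tail to fill the partial
            out.append(cc[:tail])                # the stolen-from block is emitted truncated
        else:
            pp = crypt(full, tweaks[m + 1])      # mirror image of the encrypt path
            out.append(crypt(part + pp[tail:], tweaks[m]))
            out.append(pp[:tail])
    return b"".join(out)


def demo() -> dict:
    """Constructed keys and data: what each mode reveals about repeated plaintext."""
    k1, k2, iv = b"\x01" * 16, b"\x02" * 16, b"\x03" * 16
    pt = b"REPEATED_BLOCK!!" * 2                 # two identical 16-byte blocks
    pt_tail = pt + b"tail"                       # 36 bytes: not a multiple of the block size
    e, c = ecb(k1, pt), cbc(k1, iv, pt)
    x, x7 = xts(k1, k2, 7, pt), xts(k1, k2, 7, pt_tail)
    x8 = xts(k1, k2, 8, pt)                      # same data, next sector
    return {
        "ecb_leaks_pattern": e[:16] == e[16:],   # True: identical blocks stay identical
        "cbc_hides_pattern": c[:16] != c[16:],
        "xts_hides_pattern": x[:16] != x[16:],
        "xts_sector_bound": x != x8,             # tweak differs per sector
        "xts_keeps_length": len(x7) == len(pt_tail),
        "all_round_trip": ecb(k1, e, True) == pt and cbc(k1, iv, c, True) == pt
                          and xts(k1, k2, 7, x, True) == pt and xts(k1, k2, 7, x7, True) == pt_tail,
    }
```

Two things worth noticing when running demo(): only ECB repeats a ciphertext block when the plaintext repeats, and XTS alone produces different ciphertext for the same data at sector 7 and sector 8 with no chaining state, because the tweak is computed from the sector number and block index. That position-only dependence is what makes random sector access cheap on a drive, and it is also why the two halves of the XTS key must both be protected: Key2 alone reveals nothing about the data, but without it no tweak can be reconstructed.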


Unlocking an Encrypted Drive to be Read

Before the drive will return decrypted data, the host system must authenticate itself to the drive.

A drive fresh from the factory is not yet "provisioned": the data on the media is already encrypted with the drive's internal keys, but the drive is not "locked". The host can read and write freely, and the drive encrypts on write and decrypts on read without any host involvement. At this stage the encryption protects against nothing more than chip-off recovery; anyone who can attach the drive to a host gets plaintext.

The encryption keys are provisioned at the time of manufacture; the authentication keys are not. A host system provisions a set of authentication keys, after which only a host holding those keys can gain access to the decrypted data.

Once the authentication keys are provisioned and the drive is locked, reads either fail or return ciphertext, and writes are refused, until the host authenticates.

These authentication keys are symmetric: the same key(s) are configured into both the host and the drive. They are typically 256 bits long.

To "unlock" the drive, a handshake is needed that proves to the drive that the host holds the same key, without either side simply sending the key across the interface. ATA drives commonly implement this through the TCG Opal 2.0 specification, which defines how the host presents its credential to the drive's locking subsystem and how the drive manages its own media encryption keys.

Non-ATA devices such as USB sticks and SD cards, and ATA drives in embedded applications, may instead use a proprietary authentication method, typically a challenge-response exchange in the style of the Challenge Handshake Authentication Protocol (CHAP). The host asks the drive for a "challenge": a small, fixed-size block of random data. The host encrypts that block with the shared authentication key(s) and returns the result. The drive decrypts the returned data with its own copy of the key and compares it with the original challenge; if they match, the host has demonstrated possession of the key and the drive unlocks. (The CHAP of RFC 1994 uses a hash over the challenge and the secret rather than encryption, but the principle is the same: the secret itself never crosses the bus.)

A common extension is an incrementing counter, often called an initialization vector in this context, that is mixed into every challenge so that no challenge is ever issued twice. Without it, a response captured from one unlock could be replayed to unlock the drive later.

It is important that the symmetric authentication keys are protected and never transmitted to the drive "in the open", because the interface bus (SATA, USB, SD) can be probed and its traffic captured. Doing so is not a trivial operation, but it is well within the abilities of a determined attacker. With a challenge-response scheme the only traffic an eavesdropper sees is a challenge and a response, neither of which reveals the key; the one moment the key must be handled with care is initial provisioning, which should take place in a trusted environment.
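The challenge-response unlock described above, with the replay counter, as an added example (not code from the original post and not any vendor's actual protocol). Both sides hold the same constructed 256-bit key. The host's reply is an HMAC-SHA256 over the counter and challenge, which stands in for the text's "encrypt the challenge with the key"; the shape of the exchange is the same. A list named bus_tap records everything that crosses the interface, which is what a bus sniffer would capture, and the scenario checks that a genuine host unlocks, a replayed response does not, a host with the wrong key does not, and the key itself never appears on the bus.

```python
"""Challenge-response unlock with a shared 256-bit authentication key.

Constructed example, not any vendor's protocol. Both sides hold the same key. What
crosses the bus is a counter, a random challenge and a keyed response; the key itself
never does. The keyed response is HMAC-SHA256 here, standing in for the text's
'encrypt the challenge with the key'; the exchange is the same either way.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32          # 256-bit symmetric authentication key, provisioned into host and drive
CHALLENGE_LEN = 16    # small fixed-size block of random data


def response(key: bytes, counter: int, challenge: bytes) -> bytes:
    """Keyed transform of (counter || challenge). Without `key` it can be neither
    produced nor inverted, so capturing it on the bus reveals nothing about the key."""
    return hmac.new(key, counter.to_bytes(8, "big") + challenge, hashlib.sha256).digest()


class Drive:
    """Drive side: owns the provisioned key, hands out challenges, checks responses."""

    def __init__(self, auth_key: bytes):
        self._key = auth_key
        self._counter = 0       # the 'incrementing IV' of the text: never reused, so no replay
        self._pending = None    # (counter, challenge) awaiting a response
        self.unlocked = False

    def challenge(self) -> tuple:
        self._counter += 1
        self._pending = (self._counter, secrets.token_bytes(CHALLENGE_LEN))
        return self._pending

    def unlock(self, resp: bytes) -> bool:
        if self._pending is None:
            return False
        counter, chal = self._pending
        self._pending = None    # one attempt per challenge; the next attempt gets a new one
        self.unlocked = hmac.compare_digest(response(self._key, counter, chal), resp)
        return self.unlocked

    def lock(self) -> None:
        self.unlocked = False


def host_unlock(drive: Drive, host_key: bytes, bus_tap: list) -> bool:
    """Host side. `bus_tap` records everything an interface sniffer would capture."""
    counter, chal = drive.challenge()
    bus_tap.append(("challenge", counter, chal))
    resp = response(host_key, counter, chal)
    bus_tap.append(("response", resp))
    return drive.unlock(resp)


def scenario() -> dict:
    """Genuine unlock, then a replay of the captured response, then a host with the wrong key."""
    key = secrets.token_bytes(KEY_LEN)          # constructed key, shared by host and drive
    drive, tap = Drive(key), []
    genuine = host_unlock(drive, key, tap)

    captured = next(m[1] for m in tap if m[0] == "response")
    drive.lock()
    drive.challenge()                           # attacker requests a challenge, replays the old answer
    replay = drive.unlock(captured)

    drive.lock()
    wrong_key = host_unlock(drive, secrets.token_bytes(KEY_LEN), [])

    key_on_bus = any(key in field for m in tap for field in m if isinstance(field, bytes))
    return {"genuine": genuine, "replay": replay, "wrong_key": wrong_key, "key_on_bus": key_on_bus}
```

The replay fails because both the counter and the random challenge change on every unlock, so the captured response is a valid answer only to a question the drive will never ask again; a real drive must keep its counter in non-volatile storage (or rely on the random challenge alone) so that a power cycle cannot reset it. A keyed hash is used rather than raw block encryption of the challenge because it also commits to the counter and cannot be inverted even by someone who learns many challenge/response pairs, which is the property the text's eavesdropper scenario needs.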


Determining the right security solution for a given application can be a complex challenge, involving multiple hardware suppliers and key software components.  Let Delkin help you identify and implement the solution that will keep your data or your customers’ data secure.
