Wave Systems Corp. (fka WAVXQ)

[Vacationhouse]

Hard disks spin up new security spec
http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=199905342

Rick Merritt
EE Times
(06/19/2007 9:46 AM EDT)


SAN JOSE, Calif. — The ad hoc Trusted Computing Group releases for industry review Tuesday (June 19) a specification for securing storage devices. The spec is expected to become the underpinning of secure disk drives that will become widespread over the next three years.
The draft standard defines a way storage devices can create and protect keys that prevent unauthorized users from accessing data on the device. It enables so-called full-drive encryption, protecting data on any lost storage device as well as a fast-erase capability for users who want to re-purpose a storage device. Users can also leverage the spec to add additional cryptographic protections to any application.

Seagate is already shipping hard disks with so-called full drive encryption and Hitachi Global Storage Technologies has announced a similar product, both mainly targeted at business notebooks.

"We'll have to change a few bits in the interface to meet the spec but [the revised products] will be functionally the same," said Michael Willett, a director of research at Seagate and co-chair of the TCG group's storage committee that drafted the spec.

Willett said he expects most drive makers will begin to roll compliant products within six months, once the version 0.9 of the spec released today becomes officially ratified as a version 1.0.

"This spec applies to all storage devices," Willett said. "All the hard drive makers have taken part but so have makers of tape, optical and flash drives," he added.

Hard drive makers see disk security as a new layer of value they can roll into their devices quickly. The effort, which began as a research project three years ago, is eventually expected to become a standard feature on all drives.

"I expect within about three years all drives will have this capability. That's the road map we are working to internally," said one drive maker who asked to remain anonymous.

Unlike many security specs from the TCG, the storage standard does not require use of a standalone trusted platform module, a chip that generates and securely stores cryptographic keys. Such TPMs are now routinely used on business desktops, notebooks and some servers.

The TCG estimates as many as 100 million computers will ship with a TPM chip this year. A TCG spec for cellphone security actually requires two TPMs, one for protecting carrier data and another for protecting user data.

Instead of a TPM, the storage spec relies on an existing storage controller to generate and manage keys that are securely saved on extra space traditionally available on the storage device. Disk drive makers, for example, typically have access to a secure area of a couple hundred megabytes for storing systems management programs on a typical disk drive.

Currently, drive makers are using custom ASICs that implement 128- or 256-bit AES security. However, within three years that function is expected to be integrated into the hard disk controller.

Although AES has been adopted for initial products, the spec can use any form of encryption. The security is first expected to be used for notebook drives, followed by drives for servers and eventually for all systems.

The 230-page spec mainly defines an approach for secure access to a drive by generating secure commands. At the heart of the method is a basic register structure defined as a table. Through a secure access method, users generate commands that act upon locations in the table.

As part of the spec, TCG worked with ISO T10 and T13 committees who oversee SCSI and ATA command languages to define new commands for a secure send and receive function. Those commands act as containers to send TCG carry protocols, Willett explained.

The TCG security protocols can tie in to systems software features such as the MS-CAPI security applications programming interface used by Windows.

A separate TCG subgroup is now developing a spec for how to handle password and key management functions on servers that might contain a large number of keys. That spec should be complete in about six months, said Willett.