Wave Systems Corp. (fka WAVXQ)

[awk]

PGP Blogs !!!!!! / ?????

CTO Corner

The Strange Rise and Fall of Hardware Disk Encryption

Tuesday, April 14th, 2009

http://blog.pgp.com:80/index.php/2009/04/the-strange-rise-and-fall-of-hardware-disk-encryption/

It is perhaps a mistake to even talk about hardware as opposed to software anymore. Many devices that we normally think of as hardware are actually computer systems with a CPU, memory, mass storage, and so on. Routers, cell phones, music players, etc. are every bit as much software as hardware. On the other end of the spectrum, software systems are often wrappers around hardware. This is most true with graphics. There's more compute power in a computer's graphics card than there is in its CPU. Almost all of our devices are a mix of software and hardware.

This includes our disk drives, which are a mix of hardware and software as much as anything else is. Years ago, a disk controller would be thought of as a piece of hardware, but today it's a computer system all of its own. In the case of NAS systems and RAID arrays, they are entirely small servers posing as disk drives. (Perhaps most amazingly, the battery in your laptop is also not merely hardware. There's a computer in your battery that controls the way it charges and discharges.)

Recently, hardware disk encryption has appeared in disk products because the CPU on the disk controller has gotten fast enough that it has enough compute power to be able to encrypt disk data with minimal overhead. The result is encryption appearing in the hardware device itself.

Hardware disk encryption has some potential advantages over software encryption because it's being done in the drive. The total system of the computer and this disk drive are a small multiprocessing system with a big processor in the computer and a small processor on the disk. At least in theory, two processors can be faster than one. At least in theory, the two systems can be more secure than one. But in theory, theory is the same as practice, but in actual practice this turns out not to be the case.

Let's look at some of what's going on.
Sometimes, when the hardware folks use word encrypt, the word doesn't mean quite what I think it means. Some testers, particularly Heise Online, have been good at finding that some disk drives that advertise AES encryption use AES to encrypt your password, but


Only an XOR to encrypt the disk

itself, or

just some linear algebra with your password stored in plain text

.
This is deplorable. It's nothing but crypto snake oil. I have one of the drives that only XOR myself, but I didn't use their encryption on it. I bought it because it was very, very cheap and not for its alleged security. If I'd bought it for the security, I'd be justifiably upset.

A number of other drives use real encryption, but in ECB mode. ECB, or "Electronic Code Book" encryption is the weakest form of encryption there is. It merely encrypts every sixteen-byte block with the key, and does not tie blocks together. This leaks a lot of information as all blocks that have the same plaintext have the same ciphertext. For files like XML files that have fixed headers, you can deduce which encrypted disk blocks are the starts of files, for example. With highly structured data, like some images, the encryption can literally be seen through.


You can find a Wikipedia article with excellent pictures to show the weakness of ECB mode here. Unfortunately, even many reputable vendors aren't forthcoming about what mode they're using. Presently, it is safe to assume that an encrypting drive is using ECB or worse, unless there's documentation to say otherwise.

This gives customers the problem of knowing what is in the drive. Encryption is complex, and without the manufacturer saying precisely what is being used, it is impossible for consumers to know if they are getting good crypto, mediocre crypto, or bad crypto. I can't figure it out, myself - if I could, I'd be happy to offer guidance of which drives are worth using and which aren't. Unfortunately, even the new Opal specification from TCG mandates AES, but does not specify the mode of operation a drive must use. It is still possible for an Opal-compliant drive to use AES and still use AES in a way that yields a completely insecure drive.

Even the disks that are actually using encryption (even just ECB mode) increase the latency in the disk I/O by 15-25%. A rule of thumb on this is that it effectively lowers the speed of your disk by one notch on disk speed. A 7200 RPM disk with hardware encryption will run at about the speed of a 5400 RPM disk without encryption. A 5400 RPM encrypting drive will run about at the same speed as a 4200 RPM without encryption. This isn't bad, performance-wise. Most users won't notice it unless you put two drives side-by-side. Nonetheless, if you hear marketing claims that hardware disk encryption has no overhead, they're false. You may not need to worry about the overhead, but it's there, no matter what the marketing may say.

This means that any customer looking at hardware disk encryption cannot know what's in the system because the manufacturers aren't telling us. Even the recent standards like Opal give no guarantee that the crypto will be good. The marketing claims about performance are demonstrably false, so there is much reason for skepticism, even with systems coming from otherwise-reputable manufacturers.

The alternative is to use software encryption. We have our own PGP Whole Disk Encryption, but there are many software disk encryption systems. Software encryption is much faster than hardware encryption. This shouldn't be a surprise. Which CPU is going to be faster, the one in your disk or in your laptop?

Software encryption has better security characteristics, as well; since there is plenty of extra compute power available on any modern PC. We developers can more secure (and thus slower) cryptography. We can also use better key management, better password management, and a better user experience. All of us software people are building our systems so that the overhead of what we do is not noticeable, and since we have more compute power available, we can put better encryption on the drive.

On the minus side, the disadvantage of software encryption is that the keys have to be in memory.

However, there are a number of hardware trends that are changing in the systems that have disk encryption, and these trends in hardware overall favor software encryption.

" Disks are getting faster. Primarily, this is coming from solid-state disks (SSDs). Since the speed of the disk dominates a disk encryption system, faster disks means better performance but worse benchmarks. If you double the speed of the disk, encryption will be a larger percentage of the whole system. This is good for users, but will cause much consternation in people who try to make sense of benchmarks, as an overall improvement can be shown as worsening performance if you do the benchmarks wrong.

" Multi-core systems are proliferating. This is good for software because disk encryption is very parallelizable. Normal disk encryption can benefit by up to eight threads for small I/Os, and more for larger I/Os. The more cores a CPU gets, the faster software encryption will be.

" Intel is putting AES in the CPU. Starting later in 2009, and with an improved architecture in 2010, this will be coming on most standard CPUs. It will increase the speed of AES by up to 10x over doing it in pure software. If you combine multi-core with this, then there can be huge improvements. It is not inconceivable that in the next half-dozen years, software disk encryption might speed up by 100X or more!Most interestingly, the large performance gains will happen in large reads or writes. On small reads and writes, either the hardware improvements or the AES instruction will run at maximum speed, but not both.

" Video cards are becoming general purpose processors. The cryptographer Debra Cook first showed the world how to speed up crypto in a graphics card, and both specialized and general programming systems that use the spare power of graphics cards are coming soon.NVIDIA has its system called CUDA, and they are working with other people on a platform-independent parallel programming system that The Khronos Group administers called OpenCL. Systems that are parallelized can be sped up by some 40-50x when done in the graphics card. This is great news for disk encryption because it is very suitable to parallel processing, and software has many ways to make it faster soon.

" Software is also inevitably cheaper. This is always true - the marginal cost of software is close to zero. Hardware can never do that. The cheapest storage is never going to have hardware in it, because it's always cheaper to leave out the encryption hardware. Software is always buy-once, use everywhere.

" Lastly, the base computer platform is coming with more key management hardware. Software encryption will always have the drawback that it has to have the encryption keys in memory, but there are developments coming to make that more secure. Right now, there are plans coming from the hardware manufacturers like Intel and AMD, the BIOS people like Phoenix, as well as groups like the TCG. These are presently less well-formed than the performance improvements, but it's coming too.

The net effect of these trends is that the advantages that hardware encryption has over software encryption are quite likely at their greatest today. Yes, the encrypting drives will get better, but so will the services that are available on the core computer platform itself. The exponential gains that we get from Moore's Law means that the benefit will come faster and greater on the CPU and its subsystems than it will in the disk drives themselves. These exponential gains will affect the general-purpose systems quicker and more effectively than the special-purpose systems. That's just where all the money and engineering is going.

These trends mean that ironically, the best days of hardware encryption are these present days. In less than a year, they will be in the rear-view mirror, with the advantage going geometrically to software. Doubly ironically, this trend has as its root cause cheap crypto hardware and cheap parallel processing. Hardware disk encryption, we hardly knew ye...