Friday, 08/06/2010 11:10:04 AM

Data Security in Flash Devices
July 21, 2010

Sorry if posted...
http://www.glgroup.com/News/Data-Security-in-Flash-Devices-49611.html


Summary
USB drives, SSDs and other flash-based storage devices are used for storing personal and other sensitive data. Eliminating data on flash devices is required to help protect sensitive data. Traditional secure erase on flash creates endurance issues; crypto-erase is preferred. By the use of enhanced secure erase (or crypto-erase) SSDs should be able to be qualified as FIPS 140 compliant, making them available for many military and government applications.


Analysis

Getting rid of sensitive data is an ongoing issue with digital storage devices. Hard disk drives have long been primary storage repositories and technologies have been developed to remove access to data on these drives. There are commands in the SATA interface that can cause a disk drive to erase all of the data on the drive (or drive partition). This erasure is performed by overwriting the prior recorded information. The commands used are “security erase” commands. NIST document 800-88 defines ATA drive secure erase as a method to “purge” data, which provides adequate protection for all but the most sensitive information. Secure erase on a large storage device like today’s 2+ TB HDDs can take a long time since each recorded region must be overwritten.

In the last few years an alternative to overwriting data in hard disk drives, as well as other storage devices, has been developed by the Trusted Computing Group. In this method data is encrypted within a storage device where the encryption key resides in a non-user accessible location. Storage commands, such as SATA commands, can be used to control access to this encrypted data. Generally the data can only be accessed with a password that allows use of the encryption key to decrypt the data so the user can access and use it. Encrypted mobile HDDs for laptops are made by several companies and many expect that encryption will eventually be incorporated into most HDDs.

In an encrypted hard disk drive a special command enabled in the SATA specifications, called “enhanced secure erase”, can be invoked that causes the hard disk drive to erase (write over) the key to the encrypted data. After the key is overwritten the data cannot be accessed unless the encryption is broken. With a high enough level of encryption (256-bit encryption is common today), the encrypted data cannot be decrypted and read by any computer now in existence. Thus although the encrypted data remains on the storage device, it cannot be read.

Compared to conventional secure erase, enhanced secure erase is very quick, only requiring microseconds, and provides good protection of user data. This cryptographic secure erasure is recognized in the latest version of the US government’s FIPS 140, rev. 3 document, which covers security requirements for cryptographic modules.

With the increasing use of flash memory devices such as USB drives and Solid State Drives (SSDs) for primary storage of data, methods are needed to effectively erase and protect sensitive data. Traditional data overwrite techniques will lead to significant endurance and product life issues in flash memory devices, since each erase of a flash memory cell shortens the remaining number of times the cell can be erased and reused. For this reason enhanced secure erase using key erasure is the preferred method.

The Trusted Computing Group is working with flash memory companies to incorporate enhanced secure erase in SSDs using onboard encryption. SSDs that can support enhanced secure erase should be able to be certified as FIPS 140 compliant. This is very important to get these products approved for military and other governmental applications.
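The difference between overwrite erase and key erasure described in the article, as an added example that is not part of the original post or article. It is a toy model: the class and method names are hypothetical, and a SHAKE-256 keystream stands in for the AES hardware a real drive would use.

```python
import hashlib, hmac, os

BLOCK = 512  # bytes per logical block in this toy model

def keystream_xor(key: bytes, lba: int, data: bytes) -> bytes:
    # Stand-in cipher (per-block SHAKE-256 keystream); assumption, not a drive's real AES.
    ks = hashlib.shake_256(key + lba.to_bytes(8, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

class ToySelfEncryptingDrive:
    def __init__(self, password: bytes, blocks: int):
        self.salt = os.urandom(16)
        self.flash = [bytes(BLOCK)] * blocks   # what is physically stored
        self.pe_cycles = [0] * blocks          # program/erase cycles used per block
        self._install_key(password, os.urandom(32))

    def _kek(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self.salt, 10_000)

    def _install_key(self, password: bytes, mek: bytes) -> None:
        kek = self._kek(password)
        # Key slot: media key wrapped under the password-derived key, plus a check tag.
        self.key_slot = (keystream_xor(kek, 0, mek),
                         hmac.new(kek, mek, "sha256").digest())

    def _unlock(self, password: bytes) -> bytes:
        kek = self._kek(password)
        wrapped, tag = self.key_slot
        mek = keystream_xor(kek, 0, wrapped)
        if not hmac.compare_digest(tag, hmac.new(kek, mek, "sha256").digest()):
            raise PermissionError("wrong password")
        return mek

    def write(self, password: bytes, lba: int, plaintext: bytes) -> None:
        data = plaintext.ljust(BLOCK, b"\0")
        self.flash[lba] = keystream_xor(self._unlock(password), lba, data)
        self.pe_cycles[lba] += 1

    def read(self, password: bytes, lba: int) -> bytes:
        return keystream_xor(self._unlock(password), lba, self.flash[lba])

    def overwrite_erase(self) -> None:
        for lba in range(len(self.flash)):     # touches every block and wears each one
            self.flash[lba] = bytes(BLOCK)
            self.pe_cycles[lba] += 1

    def crypto_erase(self, password: bytes) -> None:
        self._unlock(password)                 # authorize, then replace only the key slot
        self._install_key(password, os.urandom(32))
```

After `crypto_erase` the old ciphertext is still in `flash` and `pe_cycles` is unchanged, but no key remains that decrypts it; `overwrite_erase` costs one cycle on every block.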
