Have you ever forgotten your password for your work laptop and had to go to your IT guy for help to reset it? Imagine if it was that easy when the data on the hard drive was classified or top secret.
Commercial SSDs use basic ATA password to access drive data. Military and government applications require higher security and therefore basic ATA passwords must be strengthened and sophisticated key management techniques employed. Self-encrypting drives allow for up to 32 character passwords while Mercury drives 64 characters. One technique is to condition the password. By this you can create a unique suffix to the end of a password that changes with each log-in, making the password impossible to hack.
There also are many military key management options that are implemented by the end user and crypto officer. In military applications the keys are generated and stored on separate machines than the storage device holding the classified data. The keys are sent to the device once authentication has occurred as the result of a correct password.
One interesting technique developed by the NSA is external key fill through DS101. Imagine an aircraft carrier in the Arabian Sea with a fighter squadron on board ready for deployment. The Commander has a hand held device which he plugs into a secure network. Through the specialized connector the mission keys are filled into the device from command center in DC. The device is plugged into each fighter jet and the encryption key is sent to the drive to access mission instructions and maps. Through the course of the mission, a jet is shot down and recovered by enemy forces. The system drives are found, but once back in their labs they find the drives are encrypted and the keys are gone.
Even today’s super computers aren’t going to crack the 256 bit encryption key used in these drives. Like the encryption algorithms assurance of proper key management and authentication algorithms are necessary. FIPS-140-2 certification provides this, as do Mercury’s ASURRE-Stor SSDs.
In military applications even with all the advanced methods employed to secure data and eliminate the possibility of decryption, further steps are needed to protect highly sensitive data. Fast erase, sanitization, and self-destruct, which I already discussed, are necessary attributes of military-grade SSDs. Mercury is a pioneer in these areas as well with the fastest erase and sanitize operations of any military-grade SSD. Fast purge wipes the drive’s encryption keys in less than 30ms and fast clear completely erases the NAND flash in 1.5-8 seconds. Sanitization of all blocks, including retired and defective blocks, where the drive is erased, overwritten with random data, then repeated numerous times, depending on the protocol employed, can take 5 minutes to 10s of minutes. These features are custom configurable and can be triggered after a user-defined threshold for authentication attempts has been reached. It could occur after as few as one failed attempt.
Mercury’s ASURRE-Stor SSDs go further with security than any other SSD. It has the National Information Assurance Partnership (NIAP) Common Criteria certification for encryption engine and authorization acquisition for full disk encryption and is the first and only hardware on the NSA’s Commercial Solutions for Classified (CSfC) programs eligible for protection of classified, secret, and top secret data at rest.
I will talk about CSfC in a future blog. Using a SSD with this level of scrutiny on its cryptographic, key management and authentication algorithms means that if that UAV in my earlier example is captured and the SSD removed for data retrieval, (and the answer is…) it would take that enemy hundreds of millions of years to decode the encryption key to access the sensitive data.
With all these safeguards available in SSD hardware, military-grade SSDs like TRRUST-Stor and ASURRE-Stor are the only option for protection of high value military and government data. Though I’ve been told that even with all these layers of security and protection built into secure SSDs, government agencies still grind up many drives…the ultimate method in data protection.