[FDE] Scary......
Andreas W. Kuhn
awkuhn at compuserve.com
Fri Feb 22 13:36:18 MST 2008
Yes, users must authenticate themselves directly to the drive using a
password before the drive will unlock and allow the normal OS to boot.
This does not use either the BIOS or the OS to perform the
authentication.
The Seagate FDE drive supports a more secure authentication approach
where the authentication to the drive is done using an alternate pre-boot
OS held in a protected area of the drive, and also supports new ATA
security commands for Trusted Send and Trusted Receive to protect
the password.
If the authentication is successful, as determined by the Seagate FDE drive,
then the drive is unlocked and the system is allowed to boot normally.
So with this solution, not only is the authentication done before any foreign
software is allowed to load, the encryption keys are never exposed
outside the protected hardware of the drive itself, including the user
area of the drive or in the OS, which is what these attacks are
exploiting.
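The unlock flow described in the message above, as an added illustrative model (not Seagate's firmware, not the ATA Trusted Send / Trusted Receive command format, and not code from this list): the data encryption key is generated inside the drive, stored only in wrapped form, and unwrapped into the drive's own volatile state after a password check. The host-side function holds nothing but the password, so there is no key in host RAM for a memory-recovery attack to find. The class and method names, the XOR-based key wrap and the SHA-256 keystream are assumed stand-ins chosen to keep the example self-contained.

```python
import hashlib
import hmac
import os
import secrets

# Toy model of a self-encrypting drive (SED). Everything that touches the
# plaintext data encryption key (DEK) lives in this class, i.e. "on the drive".


def _derive_kek(password: bytes, salt: bytes) -> bytes:
    # Password -> key-encryption key (KEK). PBKDF2 makes offline guessing slow.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    MAX_ATTEMPTS = 5  # drive-enforced lockout against online password guessing

    def __init__(self, password: bytes):
        self._salt = os.urandom(16)
        dek = secrets.token_bytes(32)                # media key, made inside the drive
        kek = _derive_kek(password, self._salt)
        self._wrapped_dek = _xor(dek, kek)           # only the wrapped form is stored
        self._tag = hmac.new(kek, self._wrapped_dek, hashlib.sha256).digest()
        self._session_dek = None                     # plaintext DEK, present only while unlocked
        self._attempts = 0
        self._media = {}                             # sector number -> ciphertext
        # Provisioning done: from here on the plaintext DEK only ever reappears
        # inside the drive, and only after a successful unlock.

    def trusted_send_unlock(self, password: bytes) -> bool:
        """Host hands over the password; the drive answers only unlocked-or-not."""
        if self._attempts >= self.MAX_ATTEMPTS:
            return False                             # locked out, no more guesses
        kek = _derive_kek(password, self._salt)
        expected = hmac.new(kek, self._wrapped_dek, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self._tag):
            self._attempts += 1
            return False
        self._session_dek = _xor(self._wrapped_dek, kek)
        self._attempts = 0
        return True

    def lock(self) -> None:
        self._session_dek = None                     # e.g. on power loss

    def _keystream(self, sector: int, length: int) -> bytes:
        # Toy per-sector keystream standing in for the drive's AES engine.
        out = b""
        counter = 0
        while len(out) < length:
            block = self._session_dek + sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hashlib.sha256(block).digest()
            counter += 1
        return out[:length]

    def write_sector(self, sector: int, plaintext: bytes) -> None:
        if self._session_dek is None:
            raise PermissionError("drive is locked")
        self._media[sector] = _xor(plaintext, self._keystream(sector, len(plaintext)))

    def read_sector(self, sector: int) -> bytes:
        if self._session_dek is None:
            raise PermissionError("drive is locked")
        ct = self._media[sector]
        return _xor(ct, self._keystream(sector, len(ct)))

    def raw_media(self, sector: int) -> bytes:
        """What someone imaging the platters sees: ciphertext only."""
        return self._media[sector]


def host_boot(drive: SelfEncryptingDrive, password: bytes) -> str:
    """Pre-boot authentication as seen from the host: the host only ever holds
    the password, never the DEK, so nothing key-like exists in host memory."""
    return "boot" if drive.trusted_send_unlock(password) else "locked"


if __name__ == "__main__":
    drive = SelfEncryptingDrive(b"constructed-demo-password")
    print(host_boot(drive, b"wrong-guess"))                 # locked
    print(host_boot(drive, b"constructed-demo-password"))   # boot
    drive.write_sector(0, b"boot sector contents")
    print(drive.read_sector(0))
```

The point the model makes is where the unwrap happens: `trusted_send_unlock` returns a status, not a key, and `lock()` on power loss discards the session key inside the drive, so the host-memory exposure that software FDE suffers from never arises.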
dan at geer.org dan at geer.org
Fri Feb 22 11:19:04 MST 2008
"Andreas W. Kuhn" writes:
-+-----------------------
| The beauty about the Seagate MOMENTUS FDE.2 is that
| the encryption key never leaves the hard disk. It is
| never in the open. Never.
Yes, I am answering without RTFM, but the key
never leaving the disk then requires something
with which to unlock said key, quite possibly a
password...
And, of course, RTFM is an entirely valid reply.
--dan