Slashdot Mirror
ABIT's Secure IDE Motherboard
Frank Caviggia writes "The Inquirer has a story about ABIT's spiffy new IC7-MAX3 motherboard. Apparently, this motherboard has a feature called 'Secure IDE,' which is marketing-speak for hardware-based encryption ... ABIT goes on to claim that 'Secure IDE' 'will keep government supercomputers busy for weeks and will keep the RIAA away from your Kazaa files.' Pretty bold claims for a motherboard maker ..."
Nothing is ever completely secure, but I could see where this would help some. Genuinely a cool idea, but I'll wait a couple of years to see if it matures some first.
US Democracy:The best person for the job (among These pre-selected choices...)
Here's the bit on secure IDE:
For MAX3, the ABIT Engineers listened to users who were asking for information security. SecureIDE connects to your IDE hard disk and has a special decoder; without a special key, your hard disk cannot be opened by anyone. Thus hackers and would be information thieves cannot access your hard disk, even if they remove it from your PC. Protect your privacy and keep anyone from snooping into your information. Lock down your hard disk, not with a password, but with encryption. A password can be cracked by software in a few hours. ABIT's SecureIDE will keep government supercomputers busy for weeks and will keep the RIAA away from your Kazaa files.
Now, when it says Lock down your hard disk, not with a password, but with encryption... that seems to me that there's a hardware key on the motherboard that prevents the HDD from being read in other machines.
Meaning... that instead of stealing just your hard drive, they have to steal the whole computer? =p
Either that, or there is a password in addition to that. It could probably be gotten around by flashing the BIOS, or just taking the CMOS battery out for a brief stint. Either way, no, I don't imagine the NSA is shaking in fear just now.
How many more comments like this will there be? If you click the stupid link, you see that you need a USB key each time you boot if you want to be able to decrypt the hard drive. They need the MB, the HD, and your key.
ABIT's site shows a little key that contains the decoder.
By following these easy instructions, you too can encrypt your data and swap partitions with Loop-AES. (The instructions are for Linux From Scratch, but they worked fine on my Debian box.) This way, no unencrypted data ever touches the disk; even if your computer is stolen, the thief can't read your data.
As I mentioned here, the key appears to be a USB memory stick put into a proprietary SUB port on some kind of daughter card. There's a diagram here.
US Democracy:The best person for the job (among These pre-selected choices...)
Actually, it seems to do 64bit DES and 128/192 bit Triple DES according to the chipset's manfucaturer Enova Technologies.
Here's a drive bay adapter by same, which uses an external key, I can't tell about the motherboard, though.
I've seen some high-security encryption keys that you basically keep on a keychain with you all the time. They have a "panic button" on them that destroys (either electronically, or physically) the internal memory, making recovery of the encryption key impossible.
Although I havn't seen them, I'd imagine it would be easy to make one with a built-in clock of some sort, so if you didn't correctly utilize the key every so-often, it would automatically self-destruct.
Of course, they're probably rather more expensive than what ABIT is proposing.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
Also, here's the key.
Not going to stop the RIAA from catching you (although they'd have difficulty decrypted the drive once they did I guess), but looks moderately useful for protecting a harddrive from theft. I'd love one on a laptop. If someone stole it in an airport or somesuch - at least they couldn't get my data without some effort.
I write code.
Hmm, don't mind me while I keep using a software solution...
/home on my laptop. Otherwise you're SOL...
: //loop-aes.sourceforge.net/loop-AES.README - see example 4
Loop-AES is trivially ease to set up under linux,
and you can have it require a GPG key etc that live on a USB keychain.
If you have my keychain, and you know the password, you can mount
http://sourceforge.net/projects/loop-aes/
http
Something you have and something you know...
Nope. You have to click on the article, and click on the "Secur" picture. THere you will see that the drive connects to a daughter-card thingy, that also has a USB connection, and at the end is a USB keychain--which has your special key.
Why are there only 19 people folding@home for slashdot?
There's another nice product there as well:
http://www.enovatech.net/html/ps_mobile.htm
It's a mobile HD rack with the key/encryption hardware built-into it. Sounds reasonably secure too. From the site:
- Real-time hardware based encryption with 1-1Gigabit per second throughput and zero performance degradation
- NIST Certified DES 64-bit and TDES 128/192-bit encryption engine
- Automatic transparent operation encrypts entire hard drive bit-by-bit, including Boot Sector and OS
- Portable X-Wall Secure Key for BIOS level user authentication and access control
- Operating System and software independent ; does not require device drivers
Sounds like a nice product. With bandwidth in the gigabit range, it isn't going to be a problem on any mechanical storage device.
Regular DES is pretty weak though... Triple DES is reasonably secure though, assuming those are actually the key-lengths shown, and not just marketingspeak. If the price is right, I could see this type of gear becoming quite popular.
Law enforcement would hate it though. Assuming they couldn't get ahold of the key before it was destroyed, they'd be TSOL as far as getting anything out of the drive.
N.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
Looking at their user manual, and specs, here are some corrections to your post:
- No special motherboard needed. This thing plugs in between the ide cable and the driver.
- As with all encryption. Lose the key and you're the proud owner of a high tech paperweight. Not unique to this connector.
- I suspect they mention fdisk because it's commonly used. It's a transparent encryption system, so
card + drive = normal drive
They're just saying to reformat the drive after putting the adapter on.
- Any file system/operating system will do. "Device driver free" too. Again, they're just saying you have to start over.
Also worth noting:
- The encryption card can use an extension cable get the dongle to the outside of the case. So no, you don't have to pop the cover each time you walk away.
- Once you boot up, the key doesn't need to be in any more.
- They give you a backup key too.
You are checking your backups, aren't you?
This is a bit offtopic, but I think it's valuable for anyone wanting to know about encryption - really GOOD encryption when someone's life/freedom may be on the line.
One of the biggest problems with regards to encryption (aside from snakeoil salesmen) is that if someone suspects/knows you're using encryption, they're going to try and get the key out of you. Either by legal means like locking you away in a hole for years until you make with the key, or just resorting to good old fashioned torture to make you cough up the info. Neither option is particularly appealing, so a rather smart solution to the problem was devloped.
Naturally, it's called "Rubberhose" (The website)
The gist of it is that you make a large container file (say, 1gb for example). Inside that container file, are many smaller container files, each one having their own encryption key. You'd have one container with moderate-level stuff that you could "give up" if forced, and another container with the "real good stuff" that you'd get imprisoned/killed if the badguys discovered it.
The interesting way that it works is that in order to get access to the "real good stuff", you need to input the keys to all of the other containers to both decrypt the containers in question, and to fully map the filesystem. No container knows about any other container, nor where it's data is stored inside the 1gb file. Of course the data isn't stored in contigious blocks, and the containers could be fragmented into millions of pieces interwoven with eachother. It's also impossible to "prove" by any means that another container even exists.
So you can open any container and see the info inside it, but all of the containers appear to utilize the entire 1gb of storage space. You never know that anything other than empty space exists in the drive.
It's kind of complex, and I may not have explained it all that well, so before jumping on me, please read up at the website.
It's absolutely elegant, although perhaps not currently easy enough to be utilized by the masses. Still, if I was going into hostile territory, this would be the first thing I got operational on my portable equipment.
N.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
Possibly because software encryption kills performance?
AES ceratinly was designed with performance in mind. And it can be implemented efficiently on 8-bit and 32-bit general purpose architectures as well as dedicated hardware. What interests me even more is what mode of operation they are using. I'm researching in modes aimed at disk encryption. It certainly is more complicated than just using CBC and be done with that.
Now if all you wanted to do was ECB mode encryption of the disk, that could be done very efficient in hardware. With 512 byte sectors and 256 bit blocks, you would have 16 blocks per sector, which could be encrypted and decrypted in parallel by 16 independend AES circuits. But of course that is not particular secure.
I have designed a more secure encryption that uses a tree structure on the disk. And involves both hashing and symmetric and assymetric encryption. Obviously it does have a price in terms of disk space, memory requirements, and I/O efficiency. But you get impressive security properties.
I doubt ABIT have done any of that, because the customers probably only want encryption if they can get it for free. Besides it would be stupid anyway considering the ridiculously small key of just 40 bits as mentioned in the specification. They claim it is adequate for general users. I say it is adequate for anybody who doesn't need encryption.
Do you care about the security of your wireless mouse?