[p2p-hackers] Verifying Claims of Full-Disk Encryption in Hard Drive Firmware

Tom Ritter tom at ritter.vg
Tue Nov 15 05:19:18 PST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Misdirected a reply to Eugen instead of the list a week ago.  I don't think this
will correctly reply, because I wasn't subscribed to this list at the time.

> Without wanting to sound too facetious, and mostly out of curiosity, what does FIPS 140 have to do with the threat modelling you've done?  It doesn't address the vast majority of the stuff you've listed, so the threat-modelling is kind of a non-sequitur to "starting with FIPS 140".  If you wanted to deal with this through a certification process you'd have to go with something like the CC (and an appropriate PP), assuming the sheer suckage of working with the CC doesn't tear a hole in the fabric of space-time in the process.

I used whatever documents I could find to get as much information
about the drive as possible.  That was the marketing material (which
obviously didn't help much), and the FIPS-140 document (which did have
some technical information).  If I could use the Common Criteria or
Protection Profile document, I'd love to - but I'm not sure how to get
those or go about requesting them (besides just calling and asking.)

I may be naive, having never dealt with FIPS validation, but I kind of
hoped/assumed that things that were insecure wouldn't be approved.
I'm using insecure casually, basically meaning "If I steal your
laptop, can I recover your data for under a couple thousand dollars?"
If that is possible, and within the reach of a hobbyist (or organized
crime, minor government, etc) - I would expect it not to be approved.
And if it was approved, I'd expect the approval to be in error.

Maybe I'm wrong about the approval process - I've never been involved
with it.  I'm just approaching it from the perspective of 'Should I
trust this?' and using the FIPS-140 approval to gain a little intel
and make a good starting point for a hard drive to start with.

- -tom
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAk7CZtIACgkQJZJIJEzU09tXGgCfWGpYlVM6ckNLHXWWTcb2iQ/m
bB8An0Dou7yNwxoL4jbEX9iLVJd4FF/K
=tZFi
-----END PGP SIGNATURE-----




