256-bit AES encryption broken in SandForce SSD controllers

When SandForce announced the SF-2000 SSD controller family, it touted the controller’s ability to encrypt data with a 256-bit AES algorithm. The previous generation of SandForce controllers did 128-bit AES encryption, but the new chip added a second hardware engine with AES-256 support. Trouble is, the SF-2000 controller’s 256-bit encryption doesn’t work properly. Although the latest SandForce controllers encrypt data using AES, they do so using only 128 bits.

We just got off the phone with SandForce, who we contacted in order to better understand this issue. A company representative told us the SF-2000 controllers retained their AES-128 support because the US government doesn’t allow products with 256-bit encryption to be sold to some countries. Sounds like the mechanism that determines whether the controller uses 128- or 256-bit encryption is broken, although SandForce wouldn’t go into specifics for "security reasons." The firm did say the problem exists in hardware and requires accompanying firmware changes. SandForce characterized the necessary hardware tweak as a "manufacturing step" rather than a re-spin of the silicon.

The flaw was unearthed by a security audit, and Intel takes some credit for identifying the problem in a specification update regarding its 520 Series SSDs. This discovery was made recently, according to SandForce, which again cited security concerns when we pressed for more details. We get the sense this issue has been known for days rather than weeks, though.

Intel has already announced it will be offering refunds to affected users until October 1. Kingston will have an exchange program and  will cover the cost of shipping for customers who request a swap. We’ve reached out to a couple of other SandForce partners about their plans and are waiting for details.

The various drive makers will be responsible for taking care of their customers. SandForce wouldn’t discuss its arrangements with partners due to non-disclosure agreements surrounding the contracts involved.

While it’s disappointing to hear of another problem related to SandForce-based SSDs, relatively few folks need to be worried about this particular problem. 128-bit AES encryption is deemed appropriate (PDF) for the US government’s "secret" designation, and only information classified as "top secret" must be encoded with stronger (192- or 256-bit) encryption. Most SandForce users probably don’t make use of their drives’ encryption capabilities at all. Those who do can look forward to fixed drives becoming available "soon," according to SandForce.

Comments closed
    • thefumigator
    • 7 years ago

    Please donate your faulty sandforce SF-2000 drive here. I pay shipping and Handling costs. Contact me.

    Meh, sandforce rocks all the way. I like the Mushking Chronos drives

    • Plazmodeus
    • 7 years ago

    I didnt realise that any of my various Sandforce based products even had encryption. Why would this matter to me?

    • ew
    • 7 years ago

    OCZ’s response.

    [quote<]No problems here. Situation normal. Nothing wrong with any of our drives.[/quote<]

    • rrr
    • 7 years ago

    Another reason to make me glad I went Marvell with Crucial M4.

      • MadManOriginal
      • 7 years ago

      So you use AES-256 on your M4?

        • rrr
        • 7 years ago

        No. I don’t need it. If I would, I’d use TrueCrypt.

          • MadManOriginal
          • 7 years ago

          So the fact that you have a Marvell and not a Sandforce based drive is completely irrelevant in terms of the level of AES support.

            • NeelyCam
            • 7 years ago

            Yeah – sounds like selection bias, looking for any and all possible reasons to feel good about one’s buying decision.

            • BobbinThreadbare
            • 7 years ago

            I don’t think that’s what selection bias is.

            • willmore
            • 7 years ago

            Isn’t that confirmation bias?

            • NeelyCam
            • 7 years ago

            That makes more sense

            • rrr
            • 7 years ago

            Not when you take past SF bugs into account, particularily in OCZ drives.

            • MadManOriginal
            • 7 years ago

            Aaaand right here: [quote<]particularily OCZ ones[/quote<] is where you lose what credibility remained. There were no 'particularly OCZ' Sandforce issues, the same issues were apparent on all Sandforce-based drives which used the Sandforce-supplied firmware.

            • rrr
            • 7 years ago

            And as a paying customer, I don’t give a flying ****, whose fault it was. It could be army of leprechauns, if product is faulty – no buy. Companies can point fingers at each other as long as they want, but sale is lost and money goes to the competition.

            Though obviously, issue of my credibility in your eyes is even less important than pointing out, who’s to blame.

            • MadManOriginal
            • 7 years ago

            And Marvell controllers have a perfect track record…oops, no they don’t – that’s why your biased credibility is important 🙂 What’s most important to me though is facts, and the fact is no major SSD controller has been faultless.

            Man, I am on a [s<]t[/s<]roll!

            • rrr
            • 7 years ago

            And what you do fail to understand is that perfect track record isn’t relevant (or even possible at all!). What is relevant is possible usage patterns, where problems don’t matter or if they do, having them fixed early enough. That’s what Crucial does provide me with and OCZ and other SF drives do not.

            And for the same reason I would not have a problem running pre-B3 P67 mobo with SATA2 bug, because I don’t use that many ports. Yet it doesn’t prevent me from seeing that there are use cases other than mine, where this bug could matter a whole lot.

            You sure like to think of yourself as free of any biases, unfortunately truth is, you certainly aren’t any better. And no one else is.

            • MadManOriginal
            • 7 years ago

            Since you are included in this set: [quote<]And no one else is.[/quote<] then it has come full circle. But back on track - you are wrong about 'OCZ in particular' problems. Really, if you had just admitted you were wrong in saying that in the first place none of this silliness would have happened, although then my afternoon wouldn't have been quite as entertaining.

            • rrr
            • 7 years ago

            You conveniently omit the fact that it also includes you. Hence, your all “omg your so biased!!!11!!!” musings are meaningless.

            I also already noted I don’t care if I’m wrong or right about who caused this, that’s their problem to solve, I pay my money to someone else when I could pay them instead, if they provided product that works. If that offends you, well, you have to solve it on your own too.

            • travbrad
            • 7 years ago

            No SSD controller has a perfect track record of course, but the Crucial M4 drives are widely regarded as one of, if not THE most reliable SSDs you can buy. When it comes to storage, reliability is extremely important. Even if you have backups it’s a hassle RMAing drives and restoring everything to the previous state.

      • indeego
      • 7 years ago

      Last M4 firmware update:
      [quote<]"Improved data protection in the event of unexpected, asynchronous power loss."[/quote<] That is, um, a rather large price to pay versus losing encryption...

        • rrr
        • 7 years ago

        Had it preloaded on a model I bought. Funny, isn’t it?

          • Waco
          • 7 years ago

          The only thing funny is you trying to justify your purchase of the M4 over a SF drive. 🙂

            • rrr
            • 7 years ago

            If that’s how you see it, that’s your problem, not mine.

    • HisDivineOrder
    • 7 years ago

    Every time I look up, there’s some new bug or flaw affecting Sandforce drives. How many more have to happen before users go, “You know, thanks, but no thanks.”

    Seemingly at least a few more. At least OCZ isn’t directly involved this time.

      • internetsandman
      • 7 years ago

      Didn’t people already do that with OCZ memory and PSU’s, and in a smaller way, with PCIe flash storage? I know the SF thing is out of their control, but OCZ really can’t afford any more blights to their name, and they should be offering full refunds AND covering all shipping and handling for customers unsatisfied with what they have, if they want to restore their image among PC enthusiasts.

        • shaq_mobile
        • 7 years ago

        i remember when OCZ used to be my goto brand for cheap memory and their products occupied a position somewhere between gskill and rosewill (cross your fingers and you may get a sweet deal, sorta thing)

        now i just avoid all their products due to their continued lack of gold eggery

    • shaurz
    • 7 years ago

    I would not trust hardware-based encryption like this, better to use long-established and reliable software based solutions even if they might be a tad slower.

    • rmmdjmdam
    • 7 years ago

    Geoff – its not clear from this article, but you sort of implied that AES has been broken. It is EXTREMELY unlikely that this attack has in any way compromised AES, but rather results from some sort of misimplementation of AES by Sandforce, which they could fix with a “manufacturing step”. Only using AES on Sandforce powered SSD’s has been broken prior to the “manufacturing step”.

    So to those saying that AES is broken and that the US government can get through AES-128, we can be cynics all we like, but academic researchers who have been regularly improving attacks against AES since it was published in 1998 have only improved upon the brute force cracking time by a factor of 4. Breaking AES in a significant way is a seriously hard math problem that the leading international academics in the field haven’t come close to yet.

      • CB5000
      • 7 years ago

      Yeah I was thinking the same thing. I was like wtf??!??!?! really AES 256 was broken???? How did they crack it? then I read the article, then I was like… oh lol.

    • Arclight
    • 7 years ago

    Trololololo
    lalala
    Oh-hahaha-ho
    Haha-hehe-ho
    Hohoho-he-ho
    Hahahaha-ho
    Lolololololo
    Lolololololo
    Lolololololo
    Lololo-LOL!
    …………………
    Ohohohoho!
    Lololololol
    Lololo
    Lololo
    Ohohohohooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo!

      • NeelyCam
      • 7 years ago

      He died, right?

        • Meadows
        • 7 years ago

        But his memory will live ohohohohon.

    • Goty
    • 7 years ago

    Huh, just ordered a Kingston HyperX today. I wonder how I get in contact with them about a swap?

    • indeego
    • 7 years ago

    This has incredible potential for value. If you purchased that drive on release there are now equivalent drives at near 60-90% of the price you paid, in many cases. If I had one I’d definitely return, take the money, and get a fresh drive.

      • ermo
      • 7 years ago

      I take it you are also a stock market investor, hmm?

        • indeego
        • 7 years ago

        But of course. Then again if you work a job in the United States you are an investor by default without much choice.

          • Arclight
          • 7 years ago

          How so? If you are highered in a company you are awarded or obligated to buy stocks of said company?

            • MadManOriginal
            • 7 years ago

            He probably means 401(k) retirement plans, not necessarily stock in the company for which he works.

            • albundy
            • 7 years ago

            only if the company matches contribution…otherwise, whats the point?

            • indeego
            • 7 years ago

            The point is it’s pre-tax income. Even if you don’t get matching it’s worthwhile to invest in 401K for the pre-tax. In fact single people should be putting [i<]as much as is financially possible[/i<] in pre-tax benefits like 401K/cafeteria plans. Well, unless you like spending your tax money on wars and sub-par education systems. The matching is great. When you start a job, use matching as a measuring stick for how good a company it is. High matching is almost always is a well managed well-funded company treating its employees right.

            • indeego
            • 7 years ago

            If you have a job (legally) in the United states you pay a percentage into the stock market due to pension plans for government employees.

            • BobbinThreadbare
            • 7 years ago

            I think he’s talking about the billions of tax dollars being used to prop up the banks and auto industry.

            • OneArmedScissor
            • 7 years ago

            Trillions, not billions.

      • bcronce
      • 7 years ago

      They said they’ll exchange, not refund.

        • Peldor
        • 7 years ago

        Intel is offering a full refund.

    • DeadOfKnight
    • 7 years ago

    Lol, early adopters make me laugh.

      • ColeLT1
      • 7 years ago

      SF-2000 series was introduced October 2010.

    • tbone8ty
    • 7 years ago

    lol how do I encrypt my SSD?

    j.k. I’ll just google search it

      • albundy
      • 7 years ago

      truecrypt..nuff said.

    • Rageypoo
    • 7 years ago

    Liberty, it all went away after a tiny lil amendment, and reinforced by a plane.

      • Johnny5
      • 7 years ago

      Let’s not get started on this. Let’s talk about the weather instead. Or Right Said Fred’s ‘I’m Too Sexy’. Anything but this, really.

    • UberGerbil
    • 7 years ago

    I assume they are swapping the entire drive, so if you have a well-used SandForce drive, you can take advantage of this program to get one with minty-fresh NAND?

      • ascus
      • 7 years ago

      Might come with new ways to BSOD as well.

        • UberGerbil
        • 7 years ago

        Bonus!

        • Arclight
        • 7 years ago

        Might? Noooo, it will and it’s called Self Destruct for data protection. It’s a “feature” now *wink, wink*.

    • Bensam123
    • 7 years ago

    “A company representative told us the SF-2000 controllers retained their AES-128 support because the US government doesn’t allow products with 256-bit encryption to be sold to some countries.”

    “128-bit AES encryption is deemed appropriate (PDF) for the US government’s “secret” designation…”

    Hmmm…. Anyone see two conflicting ideals here?

      • MadManOriginal
      • 7 years ago

      No…the US govt probably has the computing power to decrypt 128-bit if they want or need to. 256-bit might be a bit too much or take too long. Also, ‘secret’ isn’t really as big of a security measure as the name implies, the majority of classified information falls under ‘secret.’

        • Captain Ned
        • 7 years ago

        There’s a whole universe of security designators ranking above “Secret”. Not that the NSA talks about such things, but I imagine that SCI info isn’t even secure (to NSA standards) with AES-256.

        • Welch
        • 7 years ago

        Most people in the military have a secret clearance. Its required for some of the most mundane of jobs in the service. Its not nearly as hardcore as some people make it out to be. Even the Top Secret nomenclature isn’t the Jason Bourne sort of stuff that people take it to be. Hell one of my friends had a few levels down from the highest Top Secret clearance possible as an I.T. Security guy, and he needed the clearance so he could press Next on a project slide show for some officers… Yay. Then again some of the stuff he came across in his job required higher than 256bit encryption, at a hardware level as well, not software encryption.

        You should also know that the military requires any network housing any data that is considered secret to fiber optic only for the very fact that fiber can’t be spliced liked copper.

        • Bensam123
        • 7 years ago

        That was what I was implying…

      • BobbinThreadbare
      • 7 years ago

      I don’t think ideals is the word you were looking for.

      • Madman
      • 7 years ago

      Isn’t the AES an open source/public domain algorithm? I always thought that it’s used throughout the world? Even for SSL and stuff?

        • ermo
        • 7 years ago

        AES (Advanced Encryption Standard) was selected from a number of proposed candidates as a replacement for triple DES (Data Encryption Standard) by the US Government.

        As I understand it, AES was selected over its fifteen competitors because it was easy to implement in hardware and performed well in software.

        Various implementations exist as AES is a published standard, and cryptographic scientists regularly publish papers describing attacks, the best of which will currently cut the time to recover the secret key by a factor of about 4 compared to a brute force attack.

        AES encryption (CCMP w/128-bit key and 128-bit block size) is mandatory in the WPA2 WiFi network security standard (802.11i) and is thus implemented in silicon in a number of wireless chipsets and is also included in recent x86-64 CPUs. Furthermore, it is used by SSL as well as you observe.

        AES’s use in secure U.S. Gov’t systems requires that the specific implementation is first vetted by NSA for approval — presumably so that the NSA can verify that it is not vulnerable to any of the known attacks etc.

        In other words, SSDs which use SandForce controllers with the flawed 256-bit AES implementation are probably not approved by the NSA for US Gov’t Top Secret use at this point in time…

      • Scrotos
      • 7 years ago

      Just like the US doesn’t allow Intel to build certain fabs in China: [url<]https://techreport.com/discussions.x/12024[/url<] Or the PowerMac G4 being classified as "munitions" or a "supercomputer" and being restricted for export: [url<]http://articles.cnn.com/1999-09-17/tech/9909_17_g4.ban.idg_1_power-mac-g4-export-ban-mhz-g4?_s=PM:TECH[/url<] Or the PS2 being blocked due to military purposes: [url<]http://www.theregister.co.uk/2000/04/18/playstation_2_export_limit_lifted/[/url<] It's hard to keep up with technology when you're a large government or organization. These places just don't want high tech stuff being given to anyone else. That is why we "dumb down" the F-16s that we export. That's why PGP has/had export restrictions as well. I see where you're coming from but just in general, the "good stuff" is always kept away from the "bad guys".

        • OneArmedScissor
        • 7 years ago

        [quote<]I see where you're coming from but just in general, the "good stuff" is always kept away from the "bad guys".[/quote<] It's fun to pretend.

    • chuckula
    • 7 years ago

    [quote<]Intel has already announced it will be offering refunds to affected users until October 1.[/quote<] Looks like Intel is doing the right thing while Sandforce hides behind illusory "national security" concerns.

      • MadManOriginal
      • 7 years ago

      RTFA much? [quote<]SandForce wouldn't discuss its arrangements with partners due to non-disclosure agreements surrounding the contracts involved.[/quote<] At least get the reason they are 'hiding' right.

        • UberGerbil
        • 7 years ago

        Not to mention we have no evidence yet Sandforce is doing anything other than what should be expected of them. They’re working with their customers, who ultimately will work with [i<]their[/i<] customers, which is you and me. Consumers don't buy from Sandforce directly, so they won't be get refunds / exchanges / whatever from Sandforce either.

Pin It on Pinterest

Share This