SandForce SF-2000 Controllers Limited to 128-Bit Encryption

Routine quality audits found that LSI's SF-2000 Series controllers do not operate at their specified Advanced Encryption Standard (AES) 256-bit encryption. The controller operates at only 128-bit encryption, but there's no need to panic. The SandForce SSDs are protected by two separate encryption engines, a 256-bit engine on the front end and another 128-bit engine on the back end. It is the front-end 256-bit engine that currently works at only 128-bit encryption.

LSI is working with all parties to correct the problem and enable full 256-bit AES encryption on the respective SSDs. In fact, LSI says that "the necessary hardware and firmware updates are currently in process to enable full 256-bit encryption for those customers who need it."

Intel and Kingston have provided official responses to the issue to address the concerns of their users. Intel is offering a refund and has updated its specification sheet to reference AES 128-bit encryption. Kingston states that its customers will be "taken care of" and will be able to swap out drives when true 256-bit AES encryption becomes available. This points more to a hardware issue that can't simply be corrected by a firmware update. We have reached out to OCZ Technology for a response, but at the time of the story's release, no official response had been issued with regard to its SF-2000 Series based SSD drives.

Intel's Official Response:

As part of ongoing quality assurance, Intel Corporation has discovered a limitation of the AES (Advanced Encryption Standard) encryption feature in the Intel SSD 520 Series, code-named Cherryville. Intel has published a Specification Update for the Intel SSD 520 Series product, updating the specification from AES 256-bit encryption to AES 128-bit encryption. Other Intel Solid-State Drives with data encryption, such as Intel SSD 320 Series, also feature AES 128-bit encryption.

The AES feature in the Intel SSD 520 Series, when used in combination with a strong user and master HDD password (if supported, consult your system manufacturer), helps secure the data from access by anyone that does not know the password. AES 128-bit refers to the length of the key used for data encryption. In the Intel SSD 520 Series, the key length is 128 bits. The higher the number of bits in a key, the stronger the level of encryption. Intel believes AES 128-bit encryption meets the data encryption requirements of most customers.

Intel stands behind its products and is committed to product quality, and is working to bring full AES 256-bit encryption to future products. If, however, our customers are not satisfied with the 128-bit encryption in an Intel 520 Series SSD purchased before July 1, 2012, they can contact Intel customer support prior to October 1, 2012 to return their product and Intel is offering to provide a full refund of the purchase price. For further information or questions about this specification change, consumers should contact Intel Customer Support.

Kingston's Official Response:

Kingston Digital, Inc., the Flash memory affiliate of Kingston Technology Company, Inc., the independent world leader in memory products, along with LSI, its SSD processor partner, have recently been in discussions related to the encryption capabilities of the SF-2000 platform. It was discovered that the ‘self encrypting’ feature that Kingston markets on both the SSDNow V+200 and KC100 lines runs in 128-bit AES encryption mode, not the originally stated 256-bit mode. Both AES modes encrypt and secure the data on the SSD from unauthorized access - just to different encryption standards.

Kingston is working with LSI to correct this and to ensure that future production of the aforementioned drives delivers 256-bit AES encryption mode.

Feedback from Kingston’s customer base regarding the SSDNow V+200 and KC100 model SSDs does not indicate that the encryption feature is critical or widely used in most deployments. Kingston’s teams will work closely with customers who require 256-bit AES encryption to ensure that they are taken care of, and are able to swap out their current drives for ones with the correct encryption level when it becomes available. Kingston customers with further questions are encouraged to contact Kingston technical support for additional clarification.

Kingston will notate the 128-bit AES encryption mode going forward on all literature to avoid confusion until the issue is remedied. Please note that this issue affects all manufacturers of SSDs utilizing the SF-2000 family of products and is not a Kingston-centric issue. Kingston believes in the importance of a great customer experience and will continue to communicate openly with our valued customer base.

  • sixdegree
    It's always good to see companies address their customers' dissatisfaction with such great care. I hope more vendors follow Intel's and Kingston's step.
  • A Bad Day
    Well, at least they're admitting the problem and offering services. I'd wish more companies would follow Intel's and Kingston's step.
  • josejones
    Is this an issue with Mushkin SSDs too?
  • This is not an issue at all. You shouldn't be using AES-256 anyway (http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf and http://www.schneier.com/blog/archives/2009/07/another_new_aes.html). This is now 3 years old.
    The problem lies with the key scheduling algorithm, which affects AES-256, but not AES-128.
    It's simply badly designed. It looked OK at first, but it's 3 years past its sell-by date.
    As a result of the design error, AES-128 has a best-known attack complexity of 2^128, but AES-256 has an attack complexity of only 2^119.
    Both are safe from known brute-forcing today, but AES-256 has a *smaller* margin of safety than AES-128.
  • jdamon113
    Boring
  • rantoc
    A Bad Day: "Well, at least they're admitting the problem and offering services. I'd wish more companies would follow Intel's and Kingston's step."
    Agreed, at least they don't try to sweep the problem under the rug and provide a comedian solution for the issues once the truth got out. Intel handles hardware issues nicely, this and early SB were both handled nicely and show that they care about their customers... unlike some other companies, no need to mention them. Some shady companies get caught over and over while gambling with quality and worst of all is how their fanboy(esses) remain loyal to the company that pisses on them is well beyond me.
  • applegetsmelaid
    Only 128-bit encryption? Now I feel like a sucker.
  • eddieroolz
    Let the firmware updates flow in!
  • freggo
    Nice for them to address the issue and not trying to sweep it under the rug. But I think it is fair to say that for most of us it does not matter. Not exactly Bond style secrets on our drives; unless you include the various future 'Bond Girls' of course :-)
  • dragonsqrrl
    CryptoGeek: "This is not an issue at all. You shouldn't be using AES-256 anyway (http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf and http://www.schneier.com/blog/archi aes.html). This is now 3 years old. The problem lies with the key scheduling algorithm, which affects AES-256, but not AES-128. It's simply badly designed. It looked OK at first, but it's 3 years past its sell-by date. As a result of the design error, AES-128 has a best-known attack complexity of 2^128, but AES-256 has an attack complexity of only 2^119. Both are safe from known brute-forcing today, but AES-256 has a *smaller* margin of safety than AES-128."
    ...bad link dude.