Self-Encrypting 2.5-inch Hard Disk Drives Equipped with Wipe ...

Self-Encrypting 2.5-inch Hard Disk Drives Equipped with
Wipe Technology to Reduce Information Security Risks
By YAMAKAWA Teruji, NAKASHIMA Kazuo, ICHIMURA Shotaro
With the increasing volume of data stored in information systems as a result of the expansion of information
and communication technology (ICT), safeguarding the security of information systems is now a crucial issue. In
response to this situation, the Trusted Computing Group TM (TCG) provides a specification for self-encrypting
drives to avoid various security risks including data breaches. The specification defines two functions–pre-boot
mode and multi-locking range–which allow users to consolidate self-encrypting drives via a network.
Toshiba has developed a unique technology that invalidates encryption keys and data when a drive is removed
from its housing or connected to an unauthorized host system. We have implemented this system in our TCGstandard-based
encryption products including self-encrypting 2.5-inch hard disk drives (HDDs).
1 Introduction
In recent years, the value of the data stored in IT equipment such as computers is becoming increasingly high, and
there are now concerns regarding risks relating to information leaks due to the theft or loss of such equipment. In the
United States, the risk of information leaks in the data on copied and printed documents stored in multifunction peripherals
(MFP) was covered by the mass media in 2010 and became a large social issue.
Techniques for encrypting information before storing it have come into use recently to ensure that the information
stored in IT equipment such as PCs, copiers, and scanners—known as “data at rest”—can be safeguarded. Methods of
information encryption can be roughly divided into two types: software encryption and hardware encryption (e.g., encryption
by HDDs). Both types use 256-bit Advanced Encryption Standard (AES) ciphers recommended for their strength and
speed of encryption by the National Institute of Standards and Technology (NIST).
Of the schemes noted above, information safeguards rooted in hardware are standardized and promoted by the
Trusted Computing Group (TCG), a not-for-profit organization formed to standardize information security equipment. For
HDDs, TCG has developed and defined a command interface for encryption to realize information management.
Toshiba has developed the MKxx61GSYG series of HDDs, which implement our proprietary technology for invalidating
encryption keys and data (Wipe Technology) in addition to encryption functionality based on TCG standards. In this report,
we will describe the functions based on TCG standards employed in the MKxx61GSYG series HDDs, as well as give an overview
of Wipe Technology and describe how such technology reinforces the security of systems across their entire life cycles.
2 Functionality Based on TCG’s Opal SSC Specification
In 2009, TCG standardized the Opal Security Subsystem Class (SSC) specification, which describes methods for mobile
HDDs to enable advanced security solutions primarily for enterprise PC environments.
HDDs compliant with the Opal SSC specification can handle data encryption and other high security functions such as
the hierarchical user authority structure, pre-boot mode, and multi-locking range functions which can be executed in combination
with application software.
TOSHIBA Storage Products for ICT Society 20

SPECIAL REPORTS
In the hierarchical user authority structure function, access is controlled with two types of authority, Administrator and
User, which allows passwords for the HDD to be controlled by the application software, whereas in conventional password
control only the Basic Input/Output System (BIOS) (Note 1) was used. Thanks to this function, centralized control is made
possible through the Administrator authority.
Pre-boot mode is a mechanism that allows a dedicated pre-boot space to be initialized when the PC is booted prior to
the system software (OS). A PC using this function executes
user authentication upon boot if data, including user authentication
screen data, is preset in the pre-boot space, preventing
The pre-boot space is Pre-boot space
the OS from being loaded unless the user successfully
including OS startup
visible, but normal data,
data, is not.
The state changes
authenticates. This creates a high security environment in
only after
Disk space
successful user
Disk space
which, for example, the OS of the PC can be loaded only after
(a) Pre-boot mode
(b) Normal mode
the user has authenticated through advanced means such as
biometric identity verification or IC cards (Figure 1).
The multi-locking range function is a mechanism for
Figure 1. Pre-boot mode — The content of the entire disk is visible in normal mode.
In pre-boot mode, only the pre-boot space is shown until authentication is
completed, thus concealing the OS.
using several secure spaces (Note 2) split from an HDD’s disk
space. Each split space is protected with a different cipher
key so that individual users can separately use each space.
This achieves secure data management through the selective
Space A
OS space: Any user can unlock
Space B
User A space: Only regular users of the PC and
use of spaces according to the characteristics of the information
administrators can unlock
Space C
to be recorded, an example of which is protecting data
by separately recording user data and administrator data in
User B space: Only users temporarily using the PC
and administrators can unlock
Space D
Disk space
different spaces (Figure 2).
Administrator space: Only administrators of the PC
in question can unlock
These functions are part of the TCG standards. Products
Figure 2. Example of use of logical block address (LBA) ranges — When
based on such standards enable advanced authentication as
well as central control over a network.
ranges are set for each user, unless a user unlocks his or her range, data
within that range cannot be accessed, thereby protecting user information.
3 Wipe Technology HDDs
3.1 More Intelligent Protection
Because of the establishment of the TCG standards, HDD encryption technology has come to be increasingly recognized
by society at large, but still conventional HDD encryption methods have had a problem: information stored in the
HDDs is password-protected, meaning that if the password is breached information may leak.
In response to this problem, Toshiba has developed Wipe Technology based on our HDD encryption technology in
order to provide a broader method for implementing a security strategy capable of protecting user information more intelligently
while increasing system compatibility. We designed this technology such that encrypted HDDs can automatically
invalidate recorded data, facilitating the following information protection functions:
(1) Prevent corporate information from leaking even if passwords are breached, and
(2) Control encryption keys throughout the system’s life cycle even when the system’s owner changes, such as when
IT administrators change or when the system is sent to a disposal company.
(Note 1)
(Note 2)
The BIOS controls the devices (hardware) connected to a PC and serves as the system responsible for managing requests for access to connected
devices from the OS or application software.
Space protected by ciphers or software designed to guard against dangers such as external attacks, unauthorized entry, or falsifications
TOSHIBA Storage Products for ICT Society 21

SPECIAL REPORTS
Developed in the above context, Wipe Technology has the following characteristics:
(1) An applied encryption function solution
(2) Powerful protection against unexpected attacks, such as HDD removal
(3) Protection throughout the system’s life cycle
(4) Instant invalidation that enables cost reduction when disposing of or reusing the system
In August 2010, Toshiba developed what became the first Wipe Technology HDD function, a function for invalidating
data when the power supply is interrupted (known as Wipe1). Our technical presentation evoked a great response, but the
following problems were revealed:
(1) Data was invalidated when the system entered power saving mode,
(2) Power needed to be supplied to the HDD stably even during emergencies including power failures, and
(3) The range of application was limited due to dependence on the status of the power supply.
Thus Toshiba changed directions and began to search for a solution to invalidating data upon removal of the HDD from
the system, not while the HDD remains connected to the system. Eventually we concluded that the HDD needed to include
system authentication, so we developed Wipe2 as detailed below.
To realize Wipe2, we were the first in the world (Note 3) to develop and implement a technology for pairing an HDD with
a system such that the encryption keys are deleted if the pair is split apart, automatically invalidating data. To validate the
pairing, we used system authentication. As this method does not depend on the status of the power supply, it provides for
stable operation and can be applied to a wider range of IT equipment. For example, even after removing the HDD from the
system, data is not invalidated as the system authentication mechanism is able to recognize the removed HDD after it is
reinstalled. However, if the HDD is removed and then connected to a different system (such as a PC) for data analysis, the
HDD will automatically invalidate its data as the system authentication will fail. This is how Wipe2 prevents information
leaks (Figure 3).
Since Wipe2 relies on system authentication to evaluate whether or not data should be invalidated, we needed to
employ a safe authentication scheme. As the scheme for Wipe2, we chose challenge-response authentication, in which
the authentication code transacted between the system and the HDD changes for each authentication. In this way, analysis
of the data is rendered impossible even if the data is intercepted by a third party (Figure 4).
An information leak is prevented
by instant invalidation
Same authentication code every time: Wiretapping risk
The HDD is removed
Unauthorized system
User data attack
Authentication code
(a) Simple authentication code transmission
Authentication code
Figure 3. Operation of wipe technology — Encryption keys are deleted to
invalidate data if the system is connected to a system other than the paired
system.
Authentication code
Challenge (random value)
Response
(authentication code preset for the random value)
Authentication code
Random value
Different response for every authentication: Authentication code analysis by wiretapping is made difficult
(b) Challenge-response authentication
Figure 4. Host authentication methods — The use of challenge-response
authentication reinforces encryption key security.
(Note 3) Survey by Toshiba as of April 2011
TOSHIBA Storage Products for ICT Society 22

SPECIAL REPORTS
3.2 Protection throughout the System’s Life Cycle
Wipe Technology realizes protection against information
leaks throughout the entire life cycle of systems. Even when
the owner changes—such as from IT administrator to user
and ultimately to disposal company—Wipe Technology
ensures strong protection against leaks because the HDD
itself invalidates the data if an abnormality is detected.
As shown in Figure 5, the HDD’s encryption function is
set during production. Upon HDD installation, Wipe
Technology is configured according to each customer’s
system.
Production
Encryption enabled
HDD production
Wipe Technology configured
HDD installed into the
customer’s system
Use by the customer
Disposal
Reuse or disposal
Figure 5. Life cycle of HDD — Only the HDD’s encryption function is set at the
factory. Wipe Technology is not configured until the HDD is installed in the
customer’s system. This allows the customer to choose the functions they
desire. When the HDD is reused or disposed of, the data can be invalidated
instantly.
4 Conclusion
By evolving their encryption function to invalidate data in addition to simply performing encryption, HDDs implementing
encryption functions have become a better adapted security solution.
We believe that we will be able to create still more extensible security solutions by fully taking advantage of pre-boot
mode and the multi-locking range function standardized in TCG’s Opal SSC specification.
Toshiba will continue to contribute to our ICT society by supplying systems that can be used safely and securely.
YAMAKAWA Teruji
Ome Operations-Storage Products
NAKASHIMA Kazuo
Storage Products Div.
ICHIMURA Shotaro
Ome Operations-Storage Products
TOSHIBA Storage Products for ICT Society 23