
Secure Solid-State Drives Safeguard Critical Data

Dec. 5, 2017
Data protection is an important design aspect of many defense electronics systems and can be effectively managed through the use of secure solid-state storage drives.


Data security is an important, if not always achievable, goal for military electronics systems. Those systems acquire large amounts of data from multiple sensors simultaneously, at rates sometimes exceeding 30 GB/s. With flash memory as the only practical permanent storage medium, solid-state drives (SSDs) are now a common system-level component in military systems. System-level designers may specify low-cost, commercial-off-the-shelf (COTS) SSDs to store data in military systems, but they are often challenged to provide enough data security in the final system.

As low-cost data storage solutions, COTS SSDs may represent budget savers for advanced military electronics systems. But they typically fail to meet nearly all of the performance criteria required of the other electronic components in the system: predictable performance under stressful operating conditions, physical ruggedization, long-term availability from a Defense Microelectronics Activity (DMEA)-accredited supply-chain partner, and trusted security. To avoid catastrophic consequences, security must be incorporated into a military-grade SSD from a system’s design phase, not “bolted on” as an afterthought to a mass-market consumer data storage product.

Modern military-grade SSDs use the Advanced Encryption Standard with 256-bit keys (AES-256) to encrypt data. The standard was established by the National Institute of Standards and Technology (NIST) in 2001 as FIPS Publication 197. Protection of stored data in a military electronic system is directly linked to the strength of the data encryption key (DEK), how the DEK is generated, and how the DEK is filled into the SSD.

DEKs used by most COTS SSDs are generated internally by the drive. This still provides data security, but internal generation does not let the system integrator verify the randomness or entropy of the DEK. The alternative to an internal, self-generated DEK is to generate the DEK value externally, on the host, using systems and algorithms known to produce highly random values, and then to fill that externally generated DEK into the SSD.

External key fill also provides a second, very strong security property: because the host system fills the DEK at every power-on event, an unpowered SSD contains no discoverable key value at all. COTS SSDs with internally generated and stored DEK values must instead obscure or encrypt the self-generated DEK on the media. Since the method used to secure that stored DEK is undisclosed, it may well be secure, but it is nearly impossible to verify that a COTS SSD is properly protecting the DEK. It might be stored in plain text!

While recovering even a plain-text DEK stored somewhere inside a COTS SSD is most likely beyond the abilities of an everyday computer hacker, it may not be beyond the abilities of state-sponsored cryptographic professionals. Military-grade SSDs encrypt (wrap) self-generated DEKs under a key derived from a user password and accept passwords of up to 64 characters to secure them; a wrapped DEK is only as strong as the password protecting it, which is why long passwords matter.

Additionally, a military-grade SSD will erase the entire contents of the drive after just a few incorrect password or key fill attempts. Since the requirements for defense applications vary considerably, an SSD that supports several key management techniques, strong passwords, and programmable security features can greatly simplify the security implementation of a defense system.

Unlike consumer or enterprise-grade storage devices used in climate-controlled environments, SSDs used in military systems are deployed in manned and unmanned air, land, and shipborne platforms. The unmanned-vehicle use case presents a unique security challenge: if an unmanned vehicle is captured, no personnel will be available to physically destroy the drive or initiate a process to eliminate the sensitive data valued by the adversary. In this scenario, the contents of the drive should be quickly and automatically erased as soon as a threat is detected.

DEK purge, fast clear, sanitize, and destruct operations triggered by sensors in the host system or by anti-tamper circuitry in the SSD are very good ways to assure that highly sensitive data remains protected, provided that the SSD supports these capabilities. A DEK purge is the fastest of these: once the key is zeroized, every sector encrypted under it is unrecoverable regardless of how much data is on the media. While common on military-grade SSDs, these features are rare to nonexistent in COTS SSDs.
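The following Python model, added here as an illustration and not Mercury Systems firmware or any vendor's implementation, ties together the key-handling behaviors described above: external key fill (the host supplies the DEK at every power-on and nothing is stored on the drive), a self-generated DEK wrapped under a password-derived key, a failed-unlock counter that purges the DEK after a few bad passwords, and a tamper hook that triggers the same purge. The attempt threshold and PBKDF2 work factor are assumed values, and because the standard library has no AES, an HMAC-SHA256 keystream stands in for AES-XTS on the data path and an XOR-plus-HMAC encrypt-then-MAC stands in for AES Key Wrap; the structure, not the primitive, is the point.

```python
"""Illustrative self-encrypting-drive key-management model (added example, not vendor code)."""
import hashlib
import hmac
import os
import secrets

KEY_LEN = 32             # 256-bit DEK, as for AES-256
MAX_ATTEMPTS = 3         # assumed: failed unlocks tolerated before the DEK is purged
PBKDF2_ITERS = 200_000   # assumed: work factor for the password-derived wrapping key


class PurgedError(Exception):
    """The DEK has been zeroized; everything written under it is cryptographically erased."""


def host_generate_dek() -> bytes:
    """Host-side DEK generation from the OS CSPRNG: the 'external' source in the text."""
    return secrets.token_bytes(KEY_LEN)


def _keystream(dek: bytes, lba: int, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, keyed by the DEK and tweaked by the sector number.
    # Stdlib stand-in for AES-XTS, which Python's standard library does not provide.
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(dek, lba.to_bytes(8, "big") + i.to_bytes(4, "big"), "sha256").digest()
        for i in range(blocks)
    )[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _derive_kek(password: str, salt: bytes) -> tuple[bytes, bytes]:
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, dklen=2 * KEY_LEN)
    return kek[:KEY_LEN], kek[KEY_LEN:]   # (wrapping key, MAC key)


class SecureDrive:
    def __init__(self) -> None:
        self._dek = None       # plaintext DEK: volatile only, never written to media
        self._wrapped = None   # (salt, wrapped DEK, tag) only in self-generated mode
        self._media = {}       # lba -> ciphertext
        self._failures = 0
        self.purged = False

    def has_key(self) -> bool:
        return self._dek is not None

    # Mode 1: external key fill. An unpowered drive holds no key material at all.
    def fill_key(self, dek: bytes) -> None:
        if len(dek) != KEY_LEN:
            raise ValueError("DEK must be 256 bits")
        self._dek = dek

    # Mode 2: self-generated DEK, stored on media wrapped under a password-derived key.
    def generate_and_store(self, password: str) -> None:
        dek = secrets.token_bytes(KEY_LEN)
        salt = os.urandom(16)
        enc_key, mac_key = _derive_kek(password, salt)
        wrapped = _xor(dek, enc_key)                      # stand-in for AES Key Wrap
        tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
        self._wrapped = (salt, wrapped, tag)
        self._dek = dek

    def unlock(self, password: str) -> bool:
        if self.purged:
            raise PurgedError("DEK purged; data is unrecoverable")
        salt, wrapped, tag = self._wrapped
        enc_key, mac_key = _derive_kek(password, salt)
        expected = hmac.new(mac_key, salt + wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, expected):        # wrong password
            self._failures += 1
            if self._failures >= MAX_ATTEMPTS:
                self.purge_dek()                          # too many attempts: crypto-erase
            return False
        self._failures = 0
        self._dek = _xor(wrapped, enc_key)
        return True

    def power_cycle(self) -> None:
        self._dek = None       # the plaintext DEK never survives loss of power

    def purge_dek(self) -> None:
        """DEK purge: destroy both the volatile DEK and any wrapped copy on media."""
        self._dek = None
        self._wrapped = None
        self.purged = True

    def tamper_event(self) -> None:
        """Hook for host sensors or anti-tamper circuitry; here it maps directly to a purge."""
        self.purge_dek()

    def _require_key(self) -> bytes:
        if self._dek is None:
            raise PurgedError("DEK purged") if self.purged else PermissionError("drive locked")
        return self._dek

    def write(self, lba: int, data: bytes) -> None:
        self._media[lba] = _xor(data, _keystream(self._require_key(), lba, len(data)))

    def read(self, lba: int) -> bytes:
        ct = self._media[lba]
        return _xor(ct, _keystream(self._require_key(), lba, len(ct)))
```

Two properties of the model are worth checking when evaluating a real drive: after `power_cycle()` an externally filled drive has no key anywhere, so there is nothing to extract from the unpowered device; and after `purge_dek()` even the correct password cannot restore access, because the wrapped copy is gone along with the volatile key.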

Protecting Data

Highly sensitive data has historically been protected using Type 1 memory devices certified by the U.S. National Security Agency (NSA) for securing classified government information. However, the Type 1 certification process can require several years and millions of dollars to complete. In seeking a better way, the NSA/Central Security Service (NSA/CSS) launched the Commercial Solutions for Classified (CSfC) Program.

End-user devices (EUDs) implemented under the CSfC program use two or more layers of CSfC-compliant components and are approved to protect classified data, including Secret and Top Secret. Part of the protection depends on the device being powered: an unpowered CSfC EUD is treated as unclassified. Validation under the CSfC program gives the system architect assurance that the cryptographic algorithms in the SSD are certified and have passed rigorous testing at a NIST- and National Information Assurance Partnership (NIAP)-approved laboratory.

Although CSfC validation of a secure SSD represents the pinnacle of third-party testing, various certification approaches can be used to determine the suitability of an SSD for mission-critical applications. At the very minimum, the encryption algorithm should be certified by NIST, under its Cryptographic Algorithm Validation Program (CAVP), as properly conforming to the AES algorithm specified in Federal Information Processing Standard (FIPS) Publication 197, Advanced Encryption Standard. The next level of certification is validation of the whole cryptographic module under the NIST Cryptographic Module Validation Program (CMVP) against FIPS 140-2. FIPS Publication 140-2 defines a rigorous set of security requirements for cryptographic devices that has gained worldwide acceptance (see photo).

Certainly, for some applications, a COTS SSD may provide the performance, ruggedness, and security required to protect the data. But if a COTS SSD lacks the ruggedness, security, and properly implemented crypto algorithms required to protect data under the many challenges faced by a military electronics system, a military-grade SSD with its high level of encryption may be the better choice for protecting data in a sensitive military application.

Additional information on protecting sensitive data through the use of secure SSDs is available by downloading the white paper “Safeguarding Mission Critical Data with Secure SSDs,” available at the Mercury Systems website. In addition, more information on SSD encryption technology can be found in an eight-page white paper, “Demystifying Hardware Full Disk Encryption Technology for Military Data Storage,” also available for download from the Mercury Systems website.

Bob Lazaravich, Technical Director

Mercury Systems, Inc.

50 Minuteman Rd., Andover, MA 01810; (978) 256-1300