0

I am using a Samsung Evo 960 NVME SSD. I have encrypted the SSD using its built in hardware encryption features, which follow the tcg opal standard. If I understood correctly, the disk encrypts all data using AES-256. The key for this encryption is called the DEK (disk-encryption-key). The DEK is then encrypted again, using a password provided by me.

An attacker with access to the disk could theoretically extract the (encrypted) DEK from the drive. I would like to estimate how long it would take to crack the encryption of the DEK (so basically to find out my password). Therefore, I would like to know how the DEK is encrypted using my password, so I can estimate how many passwords one could try per second on commodity hardware.

Edit from comment: The question is: How is this key (the DEK) encrypted/generated? Is it a 256-bit hash of the password? If so, which hash method is used?

Gasp0de
  • 133
  • 6

1 Answers1

1

It seems like there is no publicly available information about this specific model of Samsung. However disk encryption of Samsung 840 EVO and Samsung 850 EVO have been studied (among other SSD drives) in this paper. Based on the research Key derivation scheme is built upon:

1 - Key Storage

enter image description here

This key storage is aimed to validate the password and to derive the key :

A password candidate p' is validated by computing PBKDF2(HMAC_SHA256, p', Sverif). Then, the result is compared against the stored PBKDF2(HMAC_SHA256, p, Sverif). If they match, then p = p' is assumed. The derived encryption key is then obtained by computing PBKDF2(HMAC_SHA256, p', Sderiv).

2 - Crypto blob enter image description here

This bloc is 64KB and it holds all information related to disk encryption including DEK:

From password to DEK Samsung’s Opal implementation allows a total number of 9 ranges and 14 passwords to be specified. The password is fed to the validation/derivation function, using slot 478+u, where u is the user id associated with the password. Once the password has been validated, the derived key is then used to decrypt an entry in the password ↔ range mapping table. The entry is located at slot 0 + 27u + 3r, where u is the user id and r is the range number. Finally, the decrypted result is used to decrypt slot 456+r, yielding the DEK for range r

enter image description here

Soufiane Tahiri
  • 2,667
  • 12
  • 27
  • 1
    Yes, but I don't need to crack any 256-bit key. The encrypted key is right there on the drive, and I only need to find out my 10-15 character password to decrypt it. The question is: How is this key encrypted/generated? Is it a 256-bit hash of the password? If so, which hash method is used? – Gasp0de Feb 27 '19 at 14:33
  • I edited my answer, you should have a look at the paper it will give you more insights – Soufiane Tahiri Feb 27 '19 at 15:11
  • Thanks for the detailed answer! This is exactly what I was looking for. – Gasp0de Feb 27 '19 at 15:18
  • You're welcome :) – Soufiane Tahiri Feb 27 '19 at 15:21