- casino online slots

LTO-4 Encryption…Again

by Administrator on August 27, 2008

InfoStor leads this month’s issue with a story on LTO4 Encryption.  Good buddy, Mark Ferelli, wrote the piece.

Interestingly, Mark’s interviewees did a shmarmy job of trying to side step the issue, raised in this blog, about the failure of LTO-4’s onboard encryption, based on AES/GCM, to pass muster with FIPS 140-2 Level 3 standards.  According to Mark’s piece, “…while this [FIPS] may be a gold standard for dealing with federal organizations, it may be excessive for many, if not most, companies.”

The piece goes on to explain that rates of key changes and other operational aspects of smaller firms may make compliance with FIPS security standards “overkill.” 

Fair enough.

But with many companies I visit using FIPS standards to provide an iron clad guarantee of encryption compliance, I don’t know if I would dismiss the non-FIPS readiness of LTO-4 so readily.  Are there any agreed-to standards, besides FIPS, that can be referenced to show auditors that you are complying?  Neither Mark, nor his sources, explore this issue.

I’m afraid that this concern doesn’t go away with the wave of LTO’s hand.

{ 5 comments… read them below or add one }

gregr August 28, 2008 at 9:24 am

One of the major benefits of FIPS 140-2 certification is that you can be sure that the encryption algorithms used in the product have been fully vetted.

How many times have we seen an encryption schema get discredited because of a bug in the methodology (just google debian random number)? Sometimes, seemingly small errors in procedure can cause really bad vulnerabilities in encryption solutions. If that were to happen in a tape product, it could get very expensive to resolve.

But you don’t need FIPS 140-2 level 3 in this case, level 1 would be adequate for commercial uses. That is essentially a SW only certification, with no physical security controls.

Just saying the use the xyz algorithm doesn’t tell us anything. The devil is indeed in the details.

Just a thought.

Administrator August 28, 2008 at 12:02 pm


I am not challenging the validity of AES/GCM. A lot smart folks worked on that algorithm.

Heck, I think just about any encryption method secures data better than none at all.

The point I continue to make is that FIPS is being relied upon by a lot of companies as the audit-proof standard upon which they are hitching their encryption strategy. It is the only standard that I am aware of for authenticating a security level.

Could folks get by with level 1? Sure. Could folks get by with levels 2, 3, and 4? Yup.

It just needs to be emphasized that AES/GCM is NOT FIPS level 3 compliant. That nuance may be important to companies that don’t use the same key to encrypt everything. It is being glossed over by the LTO guys.

mattball August 28, 2008 at 2:27 pm

You asked about standards other than FIPS 140-2. Another good standard by which to judge the LTO is IEEE 1619.1-2007, approved last December, and published last May. The LTO consortium was heavily involved in drafting this standard. There was also significant scrutiny of the security of GCM, and the group has created a standard that I’ve heard some cryptographers argue is more secure than NIST SP 800-38D, which specifies GCM as Approved by FIPS 140-2.

I’m hoping in the next little bit to create a web page that lists all the 1619.1-compliant implementations, which would allow users to look at this page when assessing the security of an implementation. I’m hoping to make this service free, making it substantially cheaper than full FIPS 140-2 certification.

Concerning GCM not being level 3 compliant: I do FIPS 140-2 design assistance, and am completely unaware of a level 3 requirement that would preclude use of GCM. Under FIPS 140-2, if an algorithm is approved, it is approved for all levels. Do you have a specific reference that shows GCM is not allowed for a FIPS 140-2 level 3 certification?

I think the level 3 issue is not due to the GCM algorithm choice, but rather the physical limitations of a (near) consumer-class tape drive. Just by having a hole in the front of the tape drive for accepting cartridges is enough to make a level 2 certification hard and level 3/4 (almost) impossible.

As with any interview, it’s hard to get the real truth out — I suspect these details weren’t properly conveyed.

gregr August 28, 2008 at 3:30 pm

Sorry if I wasn’t clear. FIPS is concerned as much with how a particular algorithm is implemented as much as it is in which algorithm is used. Level 1 would ensure that not only is the algorithm in fact AES/GCM as approved (no fancy shortcuts used for example), but that the implementation is sound.

You of course also need to be concerned with key management, but for the tape drive itself, FIPS 140-2 level 1 would provide a high degree of assurance that they haven’t cut some important corners.

As matt said, the issue with level 3 isn’t GCM, it’s physical security. But more practically, it can take 18-24 months to achieve level 2 or 3 approval, and the drives lifespan will be shorter than that. Why chase a cert you can’t achieve? Level 1 on the other hand would apply to the sw, and that could be re-used. Heck, you can even use an already ceretified package like the RSA Toolkit and inherit the FIPS level 1 certification.

tak September 17, 2008 at 6:41 pm

Is there any FIPS compliant tape storage?
I’ve once heard that Enterprise tape system, Sun’s T10000 tape storage and IBM’s 3592 tape storage are FIPS compliant, but couldn’t find necessary information to cfrm.
As a reader of this blog, I wish to find topics on these enterprise tape systems as well and not just on LTOs.

Previous post:

Next post: