In-Depth
LTO-4 Security: Are Vendors Fibbing or FIPSing?
Marketing can lead IT down a dangerous garden path when it comes to tape encryption standards
Let me preface this column by saying that I believe tape technology, contrary to some analysts, is very much alive and provides significant value to organizations as one of the least expensive and most highly portable modalities for data storage ever conceived. Now having identified myself as firmly in the tape-is-good camp, I can direct your attention to LTO-4 and some concerns raised by what vendors are touting as on-board encryption.
The Linear Tape Open (LTO) Consortium started in the late 1990s as an effort by Seagate, IBM, and HP to dislodge the king of the hill in the midrange tape market, Quantum. Quantum’s Digital Linear Tape (DLT) had, in a short time, managed to reduce to rubble other vendors of so-called open systems tape solutions and enjoyed a virtual stranglehold on midrange tape technology. Early on, you could only buy DLT cartridges from Quantum itself.
Leveraging hype about the inherent evil of monopolies, the three LTO founders proffered their own cartridge formats, Accelis and Ultrium, that would be available from their own companies as well as through multiple media licensees. In other words, you could get the same media from many sources.
Fuzzy free-trade arguments aside, LTO suffered initially from the triumph of marketecture over architecture. The implication in LTO brochures was that many vendors would deliver the same drive technology and the same media, making tape universal. However, significant differences in LTO tape drive products, put there by their manufacturers, made such universality a myth.
Reading an LTO cartridge in an HP drive that had been written in an IBM drive produced unpredictable—and often undesirable—results, due in part to the different "throating" specifications of each vendor’s drive unit. For each manufacturer, the tape cartridge needed to be inserted at a slightly different angle, which often meant that data was recorded differently on the media in one drive when compared to its peer drives. This was worse than the problems commonly found when reading and writing tapes in two copies of the same drive model from the same manufacturer: the variances between LTO drives could result in the total rejection of media recorded in another drive from a different LTO Consortium member.
Wearing my disaster-recovery planning hat, I recall writing that this was the sort of thing that folks had better understand. They would need the same LTO drive type at the recovery site as they used in their production environment or bad things might happen when they went to restore data from tape—universal though the tape cartridge format might be.
Somewhere along the way, I remember being told by LTO spokespersons that this problem was being looked at and would likely be resolved by LTO version 3 (LTO-3). They considered the problem to be important only to engineers who were building tape libraries for sale into the midrange space. Library vendors would need to source all of their drives from only one of the three vendors to avoid insertion problems with robots, but they could still get their media cartridges from any licensed media vendor, which was a good thing.
I suspected LTO of insincerity, if not deliberate spin doctoring, in their marketing, and believed, once Quantum started licensing its DLT tape cartridges to third-party manufacturers, that the market would favor tried-and-true Quantum DLT and its successors. I was wrong.
For many reasons, including channel mismanagement and delays to market and recalls of various SDLT products, DLT and its successors in the SuperDLT family did not prevail. LTO became the dominant tape media format in the midrange within a couple of years, selling over 50 million Ultrium cartridges by 2006 according to folks keeping count within the LTO group. With the acquisition of Certance (Seagate’s former LTO tape product unit) by Quantum, the death knell for DLT and the future for LTO were assured.
The Next Generation: LTO-4
That now brings us to a quick advisory on LTO-4, the latest generation of the universal tape format. LTO-4 doubles the capacity of LTO-3 at 800 GB native per cartridge and increases the read/write speed by 50 percent from 80 MBps in version 3 to 120 MBps in version 4. Increased capacity is partly the result of winding thinner and longer tape on the spindle: LTO-3 tape’s thickness was 8 micrometers while LTO-4’s is 6.6 micrometers, and tape lengths are 680 and 820 meters respectively. However, more density has also been provided on the generation-4 tape courtesy of head element designs introduced in LTO-3 and PRML encoding technology.
Technical specs describe a product that is following its roadmap fairly efficiently—which is what LTO media is certainly doing. A problem that I do see, however, lies with the Consortium’s assertion that LTO-4 provides value-add, in addition to capacity and speed, in the area of on-tape encryption.
Summary slides about LTO-4 from any drive or automation vendor sporting the technology always includes this bullet point: "LTO-4 adds 256-bit AES-GCM drive-level encryption." This is an interesting, if often misunderstood, assertion of the potential use of on-drive encryption as a lower-latency alternative to encrypting data somewhere else in the path on its way to tape. Those who want to encrypt tape data are typically driven to it by regulatory requirements surrounding data privacy, but most regulations do not specify the kind of encryption to be used.
Let’s start at the beginning. LTO-4 tape drives include 256-bit Advanced Encryption Standard, Galois Counter Mode (AES256-GCM) encryption as a native feature to eliminate the performance penalty of software-based encryption and the expense of encryption appliances. LTO Ultrium 4 encryption is specified as part of the LTO Ultrium open-standard format with the AES256-GCM algorithm implemented in the tape drive formatter chip.
Breaking this down into its component parts: AES as a base algorithm only defines the encryption of one 4-byte-by-4-byte array of data using a single key. To design a more practical solution using AES means using one of several available modes of operation. In the LTO-4 standard, the Galois Counter Mode (GCM) is used for tape encryption to provide higher-speed computing. GCM operates by seeding a counter with a random number called an initialization vector (IV). This IV is incremented by one and the output is subjected to the AES encryption algorithm. The AES algorithm provides a stream of encrypted data, which is combined with the real data using an Exclusive OR (XOR) function.
The GCM spec requires that the IV be reset at each record boundary and recorded in the tape format. This is so that on read, the counter can be reset by the IV for that record. Galois-field mathematics is then used to provide authenticated encryption of the message and produces a computed Tag value to provide additional security of the data record. The Additional Authenticated Data (AAD) is also generated and used as a reference to retrieve keys from a key management appliance or from a backup software application.
It is worth noting that the AES-GCM mode used with the HP LTO-4 Tape Drive leverages another mode called CWC, which was itself closely modeled after the AES-CCM transform mode developed to address issues with Wireless LAN Security as part of the IEEE 802.11i security effort. The CWC spec described a general approach for faster software encryption by combining AES-CTR mode encryption with a parallelizable universal hash function to provide authenticated encryption in one pass. Apparently, AES-CCM and CWC were leveraged with AES-GCM rather than other modes (such as AES-CBC or AES-CBC-MAC) at least in part because engineering constraints make CBC modes significantly more expensive to implement in chip hardware, especially with network speeds of 10Gbps or faster in mind.
Passing Muster with Regulators
What all this means is that LTO-4 drives use a fairly pedigreed technique for on-drive encryption. What no one is directly addressing is whether this technique passes muster with the federal regulators.
The general reference for security and encryption in the Federal government is the Federal Information Processing Standard 140-2. Among other things, the standard articulates "security levels" that are often taken by Federal agencies and departments as meaningful references for specifying their own regulations about information security. The important Security Level for regulatory compliance as it pertains to data encryption is level 2.
HP's description of LTO-4 on-drive encryption in its marketing brochures is vague and contradictory. One brochure states that LTO-4 drives from HP have "the potential to be part of wider data encryption solutions up to FIPS 140-2 level 2." The vendor states in other marketing collateral that the Ultrium LTO-4 Tape Drive is expected to be awarded "level 1 compliance with the FIPS 140-2 standard."
The difference may be important. FIPS 140-2 Level 1 compliance is an assertion only that the algorithm is considered secure; it does not indicate that the implementation is secure by any means. FIPS 140-2 level 2 and level 3 are more commonly used to describe "secure implementations."
Many security experts I have been chatting with recently have told me that AES-GCM, which was recently submitted to NIST for review, will not be able to achieve FIPS 140-2 validation beyond level 1 for any of several reasons, which you can read for yourself on the National Institute of Standards and Technology Web site at http://csrc.nist.gov/groups/ST/toolkit/BCM/comments.html. Several posted comments are, in fact, calling for the removal of references to FIPS 140-2 compliance from marketing materials for any product using GCM mode with AES, because GCM is not a FIPS 140-2 compliant algorithm or mode.
Bottom line: FIPS is becoming the de facto standard for ensuring secure implementations of encryption technology and is increasingly referenced by regulators and law-makers. As things currently stand, the use of AES-GCM in LTO-4 drives does not (and may never) deliver a compliance-certified encryption solution. Currently, LTO-4 drive manufacturers using the unapproved mode are from HP and Tandberg. It is unclear from IBM and Quantum literature which mode they implement.
I’ll bet that this is information some vendor marketing departments wished had been encrypted. Your comments are welcome: jtoigo@toigopartners.com.