This paper looks at the various security products that are shipped with business class HP and Dell laptops. We cover the Trusted Platform Module (TPM), encryption utilities, and biometrics.
There are several laws and mandates in place that require encryption of confidential data:
"Sensitive information, if compromised, could adversely affect the national interest or the conduct of federal initiatives."
Both HP and Dell laptops are shipping with a Trusted Platform Module (TPM) chip. The TPM gives other hardware and software a way to generate and store keys securely for use in digital certificates and encryption. It also contains a cryptographic engine that performs the asymmetric operations (decrypting wrapped keys, producing digital signatures) on the chip itself, so the private keys never leave the TPM in the clear. Bulk encryption of files and volumes is still done in software; the TPM's job is to protect the keys that software uses.
The TPM is inherently more secure than software-only key management because the keys are rooted in hardware: any key stored outside the chip is kept encrypted under a root key that itself never leaves the TPM. In the asymmetric cryptography used by TPM-enabled applications, the private keys are therefore never exposed in plaintext to the operating system, the application, or the user.
Since each TPM chip is unique to a particular device, it can perform platform authentication, tying the encryption keys to that device: it can verify that the system seeking access is the expected system before it releases a key.
To allow users to fully utilize the TPM capabilities, Dell and HP include a TPM management suite with their business class laptops. Dell includes Wave Systems' Basic Security Center TPM Management Suite, while HP ships its own in-house product, HP ProtectTools.
Both applications provide a fairly good set of tools for improving the security of the laptop and for making encryption convenient for the user.
Biometric readers included with the business class laptops can be used to make the login process convenient for users. The user can set a very strong password to resist brute-force attacks against the mobile device and, instead of keying in that complicated password at every logon, create a biometric profile. The biometric profile holds the username, the password, and the unique biometric signature of the user's fingers. Biometric profiles are stored encrypted on the laptop using a key generated by the TPM. When the user needs to log on, they simply swipe a finger on the reader; the biometric software checks whether the swiped finger matches the fingerprint stored in the profile, and if it does, the username and password are released to the OS, which then continues the normal logon process. This greatly increases convenience: users can keep a strong, complex password without having to type it at each logon.
However, there is a misconception that biometrics somehow increase the security of the mobile device. IT DOES NOT!
All it does is make the logon process easier and simpler. The biometric logon can always be circumvented by escaping out of the logon sequence and logging in with the regular username and password, so the device is exactly as secure as that password. If the user sets a really complex password, a plain dictionary attack will fail and a brute-force attack will take a very long time. The user can choose a password like '3mb55y53curity' without having to type it at each logon (bear in mind that password crackers apply digit-for-letter substitutions of this kind as standard rules, so length and unpredictability do more for you than substitutions). So, indirectly, biometrics improve the security of mobile devices when used in conjunction with a complex, strong password.
Figure 1 Dell's Wave Systems Security Center allows logon to Windows using biometrics. This alleviates the need to type in complicated passwords. Alternatively, the user can type in the password.
The biometric profile stored on the laptop is encrypted using a key generated by the TPM and can "only" be decrypted by that particular TPM. So if the hard drive is stolen, the attacker will not be able to decrypt the biometric profile, and the password it contains, without access to the corresponding TPM.
To summarize the role of biometrics:
- It does NOT improve the security of the confidential data stored on the device.
- It makes the logon process convenient for users: the user can keep a complex password but log on by simply swiping a finger on the reader.
- SSO and pass-through authentication to other applications is possible.
HP ships Credential Manager, which maintains biometric profiles and provides Single Sign-On to other applications. Credential Manager can be used with or without the TPM enabled. If the TPM is enabled, the biometric profile is tied to that particular mobile device; otherwise the profile is still encrypted, but with a key generated by Credential Manager itself, which is not tied to the device.
Figure 2 HP's Credential Manager can automatically Single Sign On (SSO) to applications such as Lotus Notes, SSH clients, VNC, websites, WebDrive, etc.
Dell uses Wave Systems' Basic Security Center to manage the biometric profile and to provide Single Sign-On to other applications and network resources. Wave Systems offers other products, at additional cost, that make key management and recovery easier. Its EAS product stores each user's biometric profile centrally in Active Directory, which removes the need for the user to create a biometric profile on every device they want to access in the enterprise. Details of the other Wave Systems products can be found later in this article.

Figure 3 Dell's Security Center, in addition to providing SSO to the various applications, can also "securely" store addresses and credit card information, alleviating the need for users to enter this information manually.
Both of the above-mentioned tools can also create encrypted vaults and perform full disk encryption. The ProtectTools suite from HP lets the user create a TPM-encrypted vault that can hold any type of document. Since the vault key is protected by the TPM, the vault is tied to that particular platform, which prevents access to the data if the hard drive is removed from the device. However, this tool is limited to one encrypted vault per physical device.
Figure 4 The encrypted vault in HP ProtectTools appears as a regular drive on the computer, but everything written to this drive is encrypted by default. Since it is a TPM-enabled encrypted vault, its contents can NOT be decrypted on any device other than the one on which it was created.
Wave Systems' Basic Security Center provides more functionality in the realm of encrypted vaults. The Security Center allows an encrypted vault to be shared with other users. With an upgrade to Wave Systems' Embassy Suite, a total of 23 vaults can be created. The Security Center can also perform full disk encryption, where every bit written to the hard drive is encrypted. However, the full disk encryption offered by Wave Systems does not use the TPM, so unlike the vaults it is not tied to the platform.

Figure 5 The Encrypted Document Manager vault that ships with Dell provides more features, including sharing of the encrypted vault with other users.
Full disk encryption, as mentioned above, encrypts every bit of data written to the HDD platter. It has several benefits compared to regular file/folder encryption or encrypted vaults.
The following are some benefits of full disk encryption:
There are multiple tools on the market that perform full disk encryption, but they vary greatly. They fall into two main categories, hardware based and software based. Hardware based solutions are considerably faster than software based ones and usually impose no overhead on the CPU or the HDD, because the cipher runs in the drive's own controller. Software based solutions, while inexpensive, create considerable CPU overhead depending on the cipher used.
A limited number of full disk encryption solutions also support the TPM to tie the encrypted data to a particular platform. While the solutions that ship with HP and Dell laptops do not provide TPM-enabled full disk encryption, Secude's Secure Notebook (a software product) and Seagate's Momentus FDE.2 HDD (a hardware solution) do.
| Product | Vendor | Hardware or Software Based | TPM Enabled | Secondary Authentication | Cost |
|---------|--------|----------------------------|-------------|--------------------------|------|
|         |        | Software | No | Yes | Free ($0.00) |
|         |        | Hardware | No | Yes | ??? |
|         |        | Software | No | Yes (USB Tokens) | $60.00+ |
|         |        | Software | No | Yes | ??? |
|         |        | Software | No | Yes | ??? |
|         |        | Software | No | Yes | ??? |
|         |        | Software / Hardware | Yes | Yes | ??? |
|         |        | Hardware | Yes | Yes | ??? |
|         |        | Software | No | Yes | $149.00 - $249.00 |
|         |        | Software | No | Yes | ??? |
|         |        | Software | No | Yes | ??? |
|         |        | Software | Yes | Yes | $240.00+ |
|         |        | Software | Yes | Yes | ??? |
|         |        | Software | No | Yes | $150.00+ |
|         |        | Software | No | No | ??? |
|         |        | Hardware | No | Yes | $34-$95 for PCI Adaptor |

Table 1 List of products that support Full Disk Encryption
When selecting any encryption product, key management is an extremely important factor. If the keys are lost, modified, or accidentally destroyed, the protected information can be lost forever. Old keys and old encryption mechanisms must be retained for as long as the protected information is valuable, since archived data can only be read with the key and algorithm it was encrypted with.
Due care should be given to how keys are accessed, how they are managed, where they are located, how they can be backed up and recovered, and how their integrity can be ensured. Most of the products in the table above have some form of centralized key management capability. Select the one that fits your environment best: for example, if you run Active Directory, choose a product that can store the keys (or recovery keys) in AD. Others have stand-alone key backup and restore capability.
In some cases, the symmetric keys can simply be backed up on a floppy and stored in a secure location.
Key recovery must also be part of your Business Continuity Planning and Disaster Recovery Planning. The key should NEVER be backed up with the data that it is protecting. This matters doubly for TPM-bound keys: a failed motherboard, a cleared TPM, or a firmware change that alters the platform measurements takes the only copy of the key with it, unless the key was escrowed elsewhere beforehand.
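The following is an added example written for this article, not code from HP ProtectTools or Wave Systems. It is a small Python simulation that ties together what the TPM and encrypted-vault sections above describe (a root key that never leaves the chip, a data key sealed to the platform, a vault that opens only on the device it was created on) with the key-recovery requirement of this section. The class SimulatedTPM, every function name, the PCR measurements, the passphrase and the sample document are constructed for the illustration; HMAC-SHA256 in counter mode stands in for the AES and RSA the real products use, because the Python standard library has no AES.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for the recovery passphrase

def _subkeys(key):
    # Separate keystream and MAC keys derived from one 32-byte key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream_xor(key, nonce, data):
    # Counter mode over HMAC-SHA256; a stand-in for the AES the real products use.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def encrypt(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key, blob):
    """Inverse of encrypt(); raises ValueError on a wrong key or a tampered blob."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or modified data")
    return _keystream_xor(enc_key, nonce, ciphertext)

class SimulatedTPM:
    """Models the two TPM properties the article relies on: a Storage Root Key
    that never leaves the chip, and sealing to platform measurements (PCRs)."""

    def __init__(self):
        self._srk = os.urandom(32)   # generated inside the "chip", never exported
        self.pcrs = {}               # PCR index -> 32-byte measurement register

    def extend_pcr(self, index, measurement):
        # PCR extend: new = H(old || measurement); a PCR can never be set directly.
        old = self.pcrs.get(index, bytes(32))
        self.pcrs[index] = hashlib.sha256(old + measurement).digest()

    def _policy_key(self, pcr_indexes):
        # The wrapping key depends on both the SRK and the current PCR values.
        composite = b"".join(self.pcrs.get(i, bytes(32)) for i in pcr_indexes)
        return hmac.new(self._srk, b"seal" + composite, hashlib.sha256).digest()

    def seal(self, secret, pcr_indexes):
        return {"pcrs": list(pcr_indexes), "blob": encrypt(self._policy_key(pcr_indexes), secret)}

    def unseal(self, sealed):
        return decrypt(self._policy_key(sealed["pcrs"]), sealed["blob"])

def try_unseal(tpm, sealed):
    """'unsealed' or 'refused'; a real TPM likewise gives the caller only an error code."""
    try:
        tpm.unseal(sealed)
        return "unsealed"
    except ValueError:
        return "refused"

def escrow_key(secret, passphrase):
    """Wrap a key under a recovery passphrase; the record is stored away from the data."""
    salt = os.urandom(16)
    recovery_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    return {"salt": salt, "blob": encrypt(recovery_key, secret)}

def recover_key(record, passphrase):
    recovery_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), record["salt"], ITERATIONS)
    return decrypt(recovery_key, record["blob"])

def demo():
    """Vault creation, normal use, drive theft, firmware change, and recovery."""
    laptop = SimulatedTPM()
    laptop.extend_pcr(0, b"BIOS image v1")                   # constructed measurement
    vault_key = os.urandom(32)
    document = b"Q3 forecast (constructed sample document)"
    disk = {"vault": encrypt(vault_key, document),           # what sits on the hard drive
            "sealed_key": laptop.seal(vault_key, [0])}
    escrow = escrow_key(vault_key, "correct horse recovery phrase")  # kept OFF the drive
    results = {"same_platform": decrypt(laptop.unseal(disk["sealed_key"]), disk["vault"])}
    other = SimulatedTPM()                  # stolen drive moved to a machine with the same
    other.extend_pcr(0, b"BIOS image v1")   # firmware but a different SRK
    results["stolen_drive"] = try_unseal(other, disk["sealed_key"])
    laptop.extend_pcr(0, b"BIOS image v2")  # firmware changed on the original machine
    results["changed_platform"] = try_unseal(laptop, disk["sealed_key"])
    results["recovered"] = decrypt(recover_key(escrow, "correct horse recovery phrase"), disk["vault"])
    return results
```

Calling demo() walks through the four situations the article cares about. The same platform decrypts the vault. A copy of the drive placed in another laptop is refused even when that laptop carries identical firmware, because the sealing key depends on the other chip's root key. After a firmware change on the original laptop the TPM refuses as well, and at that point the escrow record, stored away from the drive, is the only route back to the data. The biometric profile of the earlier section fits the same model: it is simply another secret sealed to the chip.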
The following Security Core Principles must be applied to the management of the encryption keys
However, full disk encryption (FDE) does NOT replace file/directory level encryption. Once an FDE drive has booted and been unlocked, all of its data is presented to the operating system in decrypted form. If an attacker can reach the laptop over the network while it is turned on, full disk encryption will not help. If the individual files are encrypted, the attempt to steal data over the network may be averted, provided the files are not open and their keys are not cached at the time. In some cases both file level encryption and full disk encryption are needed: FDE for the lost or stolen device, file encryption for the running one.
HP and Dell are doing their best to provide convenient and free tools for users to improve the security of the confidential data stored on their laptops. Users of these business class laptops need to learn about these free tools and use them in a way that improves the security of their data. Enterprises need to recognize the usefulness of these TPM-enabled tools and not ignore the security benefits they provide.