Here’s a brief summary of what the Fingerprint Reader and IBM Client Security Software can do for you. The IBM documentation is somewhat opaque.

Introduction:
The IBM Client Security Software (“CSS”) is an umbrella term for an embedded subsystem and several applications that maximize the utility of the Security Chip in ThinkPads and other IBM computers. The applications include the Windows Logon Replacement, File and Folder Protection, and Password Manager. The Fingerprint Reader (“FR”) is a separate system that can integrate with CSS, but neither is required for the other to function.

Embedded Security Subsystem:
This is the software heart of CSS. The subsystem registers local or domain users with the User Verification Manager (“UVM”) and interacts with the security chip to securely store Windows passwords, encryption keys, and passwords for other applications and websites. Registration involves creating a strong passphrase, wholly different from the Windows password, which authenticates you to the subsystem and thereby to all of the above applications. Given the nature of the chip, it is not feasible to extract this information without that passphrase. During installation of the software, there are 3 security levels to choose from. LOW asks for your passphrase only once and retains it for access to all of the above applications for the entire session; MEDIUM asks for it the first time you use any of the above applications; HIGH asks for it every time you use them. Policies can be set to require certain passphrase lengths and to require passphrase changes. Unless an enterprise buys other IBM software, however, there is no central administration of these policies; they must be set on each machine. All stored keys can be archived so that managed passwords and encrypted files can be recovered if the motherboard dies.

Windows Logon Replacement:
This application essentially replaces the standard Windows logon. Instead of entering your Windows password, you enter your UVM passphrase; your Windows password is retrieved from secure storage and passed along to the Windows security system. For features such as authenticating to servers, wireless, and remote access, your Windows password remains resident in memory and is passed along as needed. Enabling this is not necessary, however, in order to use File and Folder Protection and the Password Manager.

File and Folder Protection:
This application allows you to encrypt files and folders. It is similar to NTFS Encryption, except that there are no certificates to expire. The very latest version – later than even what comes with the new laptops – allows for encryption and decryption on the fly. You simply right-click a folder and select “protect.” All files in the folder will be encrypted, as will any future files put into that folder, and you can open and save any document in the folder just as you could in any other folder. This works with, for example, the entire “My Documents” directory. As long as you are logged in, the encryption/decryption keys remain active in memory. That has the interesting implication that, as long as you are logged in, anyone who has NTFS permissions to that directory can read the files remotely. (Of course, the directory must still be exposed via a share.) You cannot protect a file on a network share, and if you copy any protected file or folder to a network share, the copy will be decrypted.

It is still possible to encrypt individual files, just as in the previous version. Right-click the file and select “encrypt.” The file will be encrypted and given a “.$enc$” extension. Although you cannot do this to a file on the network, you can do it locally and then copy the file to the network, where it will remain encrypted. It would therefore be possible to take a set of documents, zip them, encrypt the one file, and store that file on the network. The documents would be backed up, and an Administrator would be able to read them only if he had access to the key archive mentioned previously.

The File and Folder encryption is not, however, “just like Windows.” Within an encrypted folder, you cannot move subfolders to a different location. Instead, you must manually copy the subfolder from its original location, paste it to the new location, and then delete the subfolder in its original location. This may be somewhat awkward if you want to encrypt a folder with a large number of nested subfolders, such as “My Documents.” See “Hard Drive Encryption” below.

Password Manager:
This is an application that allows you to store usernames, passwords, and other values for websites and other applications. The store is secured with the Embedded Security Subsystem. What is interesting about it is that you can target (literally… you use crosshairs) specific fields on a webpage and have the manager automatically enter them later.

Fingerprint Reader:
The Fingerprint Reader allows you to perform many actions with the swipe of any one of your fingers. I emphasize swipe because a swipe reader is more secure than a non-swiping fingerprint reader. I believe that the reader device itself has a non-volatile memory store that holds the geometry of the fingerprint, and that this store also holds passwords and passphrases. It can store Windows passwords, power-on and hard disk passwords, and UVM (User Verification Manager, for use with the Embedded Security Subsystem) passphrases. I note that the Security Chip doesn’t have to be enabled in order to do all but the last; I don’t, therefore, know how secure that store is. If you have both the FR and the CSS enabled, then wherever you use a passphrase, you can use your fingerprint instead. This, however, technically reduces the security of CSS, because the FR must then store the passphrase in its non-volatile memory and, again, I don’t know how secure that store is. Also, to be clear and complete, a user’s fingerprint provides access to the passphrase, and the passphrase provides access to Windows. So a user using both the FR and CSS is only as secure as his fingerprint.

IBM Client Security:
The security chip can store a variety of passwords. Essentially, one authenticates to the UVM, and the UVM authenticates you to Windows or another application. Authenticating to the subsystem is via a passphrase that is separate from your Windows password. Integrating this logon with the Fingerprint Reader works, as far as I can tell, by having the reader store the passphrase, thus decreasing overall security. So, in that case, the chain goes from the Reader, to the UVM, to Windows. There are 3 security levels that determine when you need to re-enter your passphrase (or re-swipe your finger). The lowest security level requires you to authenticate only once: when you log in. This software doesn’t interfere with Windows’ remembering usernames and passwords, so you could set it up to log into a VPN connection automatically. It’s possible, therefore, to create a very strong Windows password, enter it into the UVM once, and forget it. You’d be able to get into Windows using your passphrase or fingerprint, and you’d have one-click access to the VPN. You wouldn’t, however, be able to log on to any other laptop if you forget your strong Windows password. If we keep password-changing policies the same even with this setup, that could turn out to be a pain. In any case, there’s nothing the Client Security software does that would interfere with the domain or other users.

Hard Drive Passwords:
In addition to the above, I feel it is worth mentioning the Hard Drive Passwords. In short, it’s possible to set a password on the hard drive that prevents anyone from accessing it without entering the password. (Note that this doesn’t encrypt the drive.) There are two nice features. First, the password follows the hard drive, not the computer. I’ve tested this. I’m confident this also applies to use in another ThinkPad with a 2nd hard drive. I don’t know what happens if you use the hard drive with a non-ThinkPad, but based on what I have read, I think the hard drive would still not function. There is, however, at least 1 company that promises full data recovery on these password-protected hard drives for $295. Second, the Fingerprint Reader can store the hard drive password, so all you need to get past bootup is a swipe of your finger or the hard drive password.

Hard Drive Encryption:
There is software that works with the security chip to encrypt the entire hard drive on the fly, will work with the fingerprint reader, and doesn’t require a forgettable passphrase. It is called SafeGuard Easy, from Utimaco, and sells for about $150. Given the on-the-fly folder protection, this is not warranted for most users.

Server-based control:
Both the FR and the CSS can work with servers to help manage technical policies and to provide roaming from computer to computer. The cost, however, may be substantial.