Appendix A, "U.S. export regulations for Client Security Software," contains U.S. export regulation information regarding the software.
Appendix B, "Password and passphrase information," contains passphrase criteria that can be applied to a UVM passphrase and rules for administrator passwords.
Appendix C, "Notices and Trademarks," contains legal notices and trademark information.
Who should read this guide
This guide is intended for network or system administrators who set up personal-computing security on IBM clients. Knowledge of security concepts, such as public key infrastructure (PKI) and digital certificate management within a network environment, is required.
How to use this guide
Use this guide to install and set up personal-computing security on IBM clients. This guide is a companion to the Client Security Software Administrator's Guide, Using Client Security with Tivoli Access Manager, and Client Security Software User's Guide.
© Copyright IBM Corp. 2004
This guide and all other documentation for Client Security can be downloaded from the IBM Web site at http://www.pc.ibm.com/us/security/secdownload.html.
References to the Client Security Software Administrator's Guide
References to the Client Security Software Administrator's Guide are provided in this document. The Administrator's Guide contains information about using User Verification Manager (UVM) and working with UVM policy, and information about using the Administrator Utility and the User Configuration Utility.
After you install the software, use the instructions in the Administrator's Guide to set up and maintain the security policy for each client.
References to the Client Security Software User's Guide
The Client Security Software User's Guide, a companion to the Client Security Software Administrator's Guide, contains helpful information about performing user tasks with Client Security Software, such as using UVM logon protection, creating a digital certificate, and using the User Configuration Utility.
Additional information
You can obtain additional information and security product updates, when available, from the IBM Web site at http://www.pc.ibm.com/us/security/index.html.
Chapter 1. Introduction
Select ThinkPad™ and ThinkCentre™ computers are equipped with built-in cryptographic hardware that works together with downloadable software technologies to provide a powerful level of security in a client PC platform. Collectively this hardware and software is called the IBM Embedded Security Subsystem (ESS). The hardware component is the IBM Embedded Security Chip and the software component is the IBM Client Security Software (CSS).
Client Security Software is designed for IBM computers that use the IBM Embedded Security Chip to encrypt files and store encryption keys. This software consists of applications and components that enable IBM client systems to use client security features throughout a local network, an enterprise, or the Internet.
The IBM Embedded Security Subsystem
The IBM ESS supports key-management solutions, such as a Public Key Infrastructure (PKI), and is comprised of the following local applications:
• File and Folder Encryption (FFE)
• Password Manager
• Secure Windows logon
• Multiple, configurable authentication methods, including:
– Passphrase
– Fingerprint
– Smart Card
In order to effectively use the features of the IBM ESS, a security administrator must be familiar with some basic concepts. The following sections describe basic security concepts.
The IBM Embedded Security Chip
The IBM Embedded Security Subsystem is the built-in cryptographic hardware technology that provides an extra level of security to select IBM PC platforms. With the advent of this security subsystem, encryption and authentication processes are transferred from more vulnerable software and moved to the secure environment of dedicated hardware. The increased security this provides is tangible.
The IBM Embedded Security Subsystem supports:
• RSA PKI operations, such as encryption for privacy and digital signatures for authentication
• RSA key generation
• Pseudorandom number generation
• RSA-function computation in 200 milliseconds
• EEPROM memory for RSA key pair storage
• All Trusted Computing Group (TCG) functions defined in TCG Main Specification version 1.1
• Communication with the main processor through the Low Pin Count (LPC) bus
IBM Client Security Software
IBM Client Security Software comprises the following software applications and components:
• Administrator Utility: The Administrator Utility is the interface an administrator uses to activate or deactivate the Embedded Security Subsystem, and to create, archive, and regenerate encryption keys and passphrases. In addition, an administrator can use this utility to add users to the security policy provided by Client Security Software.
• Administrator Console: The Client Security Software Administrator Console enables an administrator to configure a credential roaming network, to create and configure files that enable deployment, and to create a non-administrator configuration and recovery profile.
• User Configuration Utility: The User Configuration Utility enables a client user to change the UVM passphrase, to enable Windows logon passwords to be recognized by UVM, to update key archives, and to register fingerprints. A user can also create backup copies of digital certificates created with the IBM Embedded Security Subsystem.
• User Verification Manager (UVM): Client Security Software uses UVM to manage passphrases and other elements to authenticate system users. For example, a fingerprint reader can be used by UVM for logon authentication. Client Security Software enables the following features:
– UVM client policy protection: Client Security Software enables a security administrator to set the client security policy, which dictates how a client user is authenticated on the system. If policy indicates that fingerprint is required for logon, and the user has no fingerprints registered, he will be given the option to register fingerprints as part of the logon. Also, if the Windows password is not registered, or incorrectly registered, with UVM, the user will have the opportunity to provide the correct Windows password as part of the logon.
– UVM system logon protection: Client Security Software enables a security administrator to control computer access through a logon interface. UVM protection ensures that only users who are recognized by the security policy are able to access the operating system.
The relationship between passwords and keys
Passwords and keys work together, along with other optional authentication devices, to verify the identity of system users. Understanding the relationship between passwords and keys is vital to understanding how IBM Client Security Software works.
The administrator password
The administrator password is used to authenticate an administrator to the IBM Embedded Security Subsystem. This password, which must be eight characters long, is maintained and authenticated in the secure hardware confines of the embedded security subsystem. Once authenticated, the administrator can perform the following actions:
• Enroll users
• Launch the policy interface
• Change the administrator password
The administrator password can be set in the following ways:
• Through the IBM Client Security Setup Wizard
• Through the Administrator Utility
• Using scripts
• Through the BIOS interface (ThinkCentre computers only)
It is important to have a strategy for creating and maintaining the administrator password. The administrator password can be changed if it is compromised or forgotten.
For those familiar with Trusted Computing Group (TCG) concepts and terminology, the administrator password is the same as the owner authorization value. Since the administrator password is associated with the IBM Embedded Security Subsystem it is sometimes also referred to as the hardware password.
The hardware public and private keys
The basic premise of the IBM Embedded Security Subsystem is that it provides a strong root of trust on a client system. This root is used to secure other applications and functions. Part of establishing a root of trust is to create a hardware public key and a hardware private key. A public key and private key, together referred to as a key pair, are mathematically related in such a way that:
• Any data encrypted with the public key can only be decrypted with the corresponding private key.
• Any data encrypted with the private key can only be decrypted with the corresponding public key.
The hardware private key is created, stored and used in the secure, hardware confines of the security subsystem. The hardware public key is made available for various purposes (hence the name public key), but it is never exposed outside of the secure, hardware confines of the security subsystem. The hardware public and private keys are a critical part of the IBM key-swapping hierarchy described in a following section.
Hardware public and private keys are created in the following ways:
• Through the IBM Client Security Setup Wizard
• Through the Administrator Utility
• Using scripts
For those familiar with Trusted Computing Group (TCG) concepts and terminology, the hardware public and private keys are known as the storage root key (SRK).
The administrator public and private keys
The administrator public and private keys are an integral part of the IBM key-swapping hierarchy. They also allow for user-specific data to be backed up and restored in the event of system board or hard drive failure.
Administrator public and private keys can either be unique for all systems or they can be common across all systems or groups of systems. It is important to note that these administrator keys must be managed, so having a strategy for using unique keys versus known keys is important.
Administrator public and private keys can be created in one of the following ways:
• Through the IBM Client Security Setup Wizard
• Through the Administrator Utility
• Using scripts
ESS archive
The administrator public and private keys allow user-specific data to be backed up and restored in the event of a system board or hard drive failure.
User public and private keys
The IBM Embedded Security Subsystem creates user public and private keys to protect user-specific data. These key pairs are created when a user is enrolled into IBM Client Security Software. These keys are created and managed transparently by the User Verification Manager (UVM) component of IBM Client Security Software. The keys are managed based upon which Windows user is logged into the operating system.
The IBM key-swapping hierarchy
An essential element of the IBM Embedded Security Subsystem architecture is the IBM key-swapping hierarchy. The base (or root) of the IBM key-swapping hierarchy is the hardware public and private keys. The hardware public and private keys, called the hardware key pair, are created by IBM Client Security Software and are statistically unique on each client.
The next "level" of keys up the hierarchy (above the root) is the administrator public and private keys, or the administrator key pair. The administrator key pair can be unique on each machine, or it can be the same on all clients or a subset of clients. How you manage this key pair depends upon how you want to manage your network. The administrator private key is unique in that it resides on the client system (protected by the hardware public key) in an administrator-defined location.
IBM Client Security Software enrolls Windows users into the Embedded Security Subsystem environment. When a user is enrolled, user public and private keys (the user key pair) are created and a new key "level" is created. The user private key is encrypted with the administrator public key. The administrator private key is encrypted with the hardware public key. Therefore, to utilize the user private key, the administrator private key (which is encrypted with the hardware public key) must be loaded into the security subsystem. Once in the chip, the hardware private key decrypts the administrator private key. The administrator private key is now ready for use inside the security subsystem so that data that is encrypted with the corresponding administrator public key can be swapped into the security subsystem, decrypted and utilized. The current Windows user's private key (encrypted with the administrator public key) is passed into the security subsystem. Any data needed by an application that leverages the embedded security subsystem would also be passed into the chip, decrypted and leveraged within the secure environment of the security subsystem. An example of this is a private key used to authenticate to a wireless network.
Whenever a key is needed, it is swapped into the security subsystem. The encrypted private keys are swapped into the security subsystem, and can then be used in the protected environment of the chip. The private keys are never exposed or used outside of this hardware environment. This provides for nearly an unlimited quantity of data to be protected through the IBM Embedded Security Chip.
The private keys are encrypted because they must be heavily protected and because there is limited storage space available in the IBM Embedded Security Subsystem. Only a couple of keys can be stored in the security subsystem at any given time. The hardware public and private keys are the only keys that remain stored in the security subsystem from boot to boot. In order to allow for multiple keys and multiple users, CSS utilizes the IBM key-swapping hierarchy. Whenever a key is needed, it is swapped into the IBM Embedded Security Subsystem. The related, encrypted private keys are swapped into the security subsystem, and can then be used in the protected environment of the chip. The private keys are never exposed or used outside of this hardware environment.
The administrator private key is encrypted with the hardware public key. The hardware private key, which is only available in the security subsystem, is used to decrypt the administrator private key. Once the administrator private key is decrypted in the security subsystem, a user's private key (encrypted with the administrator public key) can be passed into the security subsystem and decrypted with the administrator private key. Multiple users' private keys can be encrypted with the administrator public key. This allows for virtually an unlimited number of users on a system with the IBM ESS; however, best practices suggest that limiting enrollment to 25 users per computer ensures optimal performance.
The IBM ESS utilizes a key-swapping hierarchy where the hardware public and private keys in the security subsystem are used to secure other data stored outside the chip. The hardware private key is generated in the security subsystem and never leaves this secure environment. The hardware public key is available outside of the security subsystem and is used to encrypt or secure other pieces of data such as a private key. Once this data is encrypted with the hardware public key it can only be decrypted by the hardware private key. Since the hardware private key is only available in the secure environment of the security subsystem, the encrypted data can only be decrypted and used in this same secure environment. It is important to note that each computer will have a unique hardware public and private key. The random number capability of the IBM Embedded Security Subsystem ensures that each hardware key pair is statistically unique.
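The three-level swap-in sequence described in this section, and the public/private key relationship stated under "The hardware public and private keys", as an added Go example. This is not IBM's code and does not reproduce the chip's real key blob format: the hybrid wrapping (RSA-OAEP over a fresh AES-256 key, AES-GCM over the serialized child private key), the `chip` type, `wrapPrivateKey`, `unwrapPrivateKey` and `Demo` are all constructions of this example, and the secret it protects is a constructed sample string.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// wrappedKey is a constructed blob format for this example (the real chip's layout is
// not described on the page): an RSA private key is larger than one RSA block, so the
// key is AES-256-GCM encrypted and only the AES key is RSA-OAEP sealed to the parent.
type wrappedKey struct {
	sealedAESKey []byte // RSA-OAEP(parentPub, aesKey)
	nonce        []byte
	ciphertext   []byte // AES-GCM(aesKey, PKCS#1 DER of the child private key)
}

// must turns this demo's "cannot happen" errors (key generation, AES setup) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// wrapPrivateKey is "encrypting the private key with the public key of the level above":
// the admin key under the hardware key, each user key under the admin key.
func wrapPrivateKey(parentPub *rsa.PublicKey, child *rsa.PrivateKey) (*wrappedKey, error) {
	aesKey := make([]byte, 32)
	rand.Read(aesKey) // crypto/rand is treated as infallible here (it panics on failure)
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, parentPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(aesKey))))
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	der := x509.MarshalPKCS1PrivateKey(child)
	return &wrappedKey{sealed, nonce, gcm.Seal(nil, nonce, der, nil)}, nil
}

// unwrapPrivateKey reverses wrapPrivateKey; it fails when parentPriv is not the key the
// blob was sealed to, which is what makes each level depend on the one below it.
func unwrapPrivateKey(parentPriv *rsa.PrivateKey, w *wrappedKey) (*rsa.PrivateKey, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, parentPriv, w.sealedAESKey, nil)
	if err != nil || len(aesKey) != 32 {
		return nil, errors.New("unwrap: blob was not sealed to this parent key")
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(aesKey))))
	der, err := gcm.Open(nil, w.nonce, w.ciphertext, nil)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// chip models the Embedded Security Subsystem: the hardware private key lives only in
// this struct and is never handed out; only the hardware public key leaves the chip.
type chip struct{ hardwareKey *rsa.PrivateKey }
func (c *chip) HardwarePublicKey() *rsa.PublicKey { return &c.hardwareKey.PublicKey }

// DecryptForUser is the swap-in sequence from the text: the hardware key unwraps the admin
// blob, the recovered admin key unwraps the user blob, and only then is the data decrypted.
func (c *chip) DecryptForUser(adminBlob, userBlob *wrappedKey, data []byte) ([]byte, error) {
	adminPriv, err := unwrapPrivateKey(c.hardwareKey, adminBlob)
	if err != nil {
		return nil, err
	}
	userPriv, err := unwrapPrivateKey(adminPriv, userBlob)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, userPriv, data, nil)
}

// Demo builds the three-level hierarchy, encrypts a constructed sample secret to the user
// key and recovers it through the chip; it also checks that skipping the admin level fails.
func Demo() (recovered string, skipLevelRejected bool) {
	c := &chip{hardwareKey: must(rsa.GenerateKey(rand.Reader, 2048))}
	adminPriv := must(rsa.GenerateKey(rand.Reader, 2048))
	adminBlob := must(wrapPrivateKey(c.HardwarePublicKey(), adminPriv))
	userPriv := must(rsa.GenerateKey(rand.Reader, 2048))
	userBlob := must(wrapPrivateKey(&adminPriv.PublicKey, userPriv))
	secret := []byte("constructed sample: wireless network credential")
	ct := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &userPriv.PublicKey, secret, nil))
	pt := must(c.DecryptForUser(adminBlob, userBlob, ct))
	_, skipErr := unwrapPrivateKey(c.hardwareKey, userBlob)
	return string(pt), skipErr != nil
}

func main() {
	out, rejected := Demo()
	fmt.Printf("recovered: %q\nskip-level unwrap rejected: %v\n", out, rejected)
}
```

The point the example makes concrete is the dependency chain: the user blob cannot be opened by the hardware key directly, only by the administrator key that the hardware key first releases, so every decryption of user data passes through the same root. The hybrid wrapping is a standard substitute for "encrypt the private key with the public key" because an RSA private key does not fit in a single RSA block; the page does not state how the chip itself lays out its blobs.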
CSS public key infrastructure (PKI) features
Client Security Software provides all of the components required to create a public key infrastructure (PKI) in your business, such as:
• Administrator control over client security policy. Authenticating end users at the client level is an important security policy concern. Client Security Software provides the interface that is required to manage the security policy of an IBM client. This interface is part of the authenticating software User Verification Manager (UVM), which is the main component of Client Security Software.
• Encryption key management for public key cryptography. Administrators create encryption keys for the computer hardware and the client users with Client Security Software. When encryption keys are created, they are bound to the IBM Embedded Security Chip through a key hierarchy, where a base level hardware key is used to encrypt the keys above it, including the user keys that are associated with each client user. Encrypting and storing keys on the IBM Embedded Security Chip adds an essential extra layer of client security, because the keys are securely bound to the computer hardware.
• Digital certificate creation and storage that is protected by the IBM Embedded Security Chip. When you apply for a digital certificate that can be used for digitally signing or encrypting an e-mail message, Client Security Software enables you to choose the IBM Embedded Security Subsystem as the cryptographic service provider for applications that use the Microsoft CryptoAPI. These applications include Internet Explorer and Microsoft Outlook Express. This ensures that the private key of the digital certificate is encrypted with the user's public key on the IBM Embedded Security Subsystem. Also, Netscape users can choose the IBM Embedded Security Subsystem as the private key generator for digital certificates used for security. Applications that use the Public-Key Cryptography Standard (PKCS) #11, such as Netscape Messenger, can take advantage of the protection provided by the IBM Embedded Security Subsystem.
• The ability to transfer digital certificates to the IBM Embedded Security Subsystem. The IBM Client Security Software Certificate Transfer Tool enables you to move certificates that have been created with the default Microsoft CSP to the IBM Embedded Security Subsystem CSP. This greatly increases the protection afforded to the private keys associated with the certificates because they will now be securely stored on the IBM Embedded Security Subsystem, instead of on vulnerable software.
Note: Digital certificates protected by the IBM Embedded Security Subsystem CSP cannot be exported to another CSP.
• A key archive and recovery solution. An important PKI function is creating a key archive from which keys can be restored if the original keys are lost or damaged. IBM Client Security Software provides an interface that enables you to establish an archive for keys and digital certificates created with the IBM Embedded Security Subsystem and to restore these keys and certificates if necessary.
• File and folder encryption. File and folder encryption enables a client user to encrypt or decrypt files or folders. This provides an increased level of data security on top of the CSS system-security measures.
• Fingerprint authentication. IBM Client Security Software supports the Targus PC card fingerprint reader and the Targus USB fingerprint reader for authentication. Client Security Software must be installed before the Targus fingerprint device drivers are installed for correct operation.
• Smart card authentication. IBM Client Security Software supports certain smart cards as an authentication device. Client Security Software enables smart cards to be used as a token of authentication for a single user at a time. Each smart card is bound to a system unless credential roaming is being used. Requiring a smart card makes your system more secure because this card must be provided along with a password, which can be compromised.
• Credential roaming. Credential roaming enables an authorized network user to use any computer on the network as though it was his own workstation. After a user is authorized to use UVM on any Client Security Software-registered client, he can then import his personal data to any other registered client in the credential roaming network. His personal data is then updated automatically and maintained in the CSS archive and on any computer to which it was imported. Updates to this personal data, such as new certificates or passphrase changes, are immediately available on all other computers connected to the roaming