Lenovo ThinkCentre M50 IDC white paper titled "The Coming of Age of Clien - Page 14

One Element Of A Security Suite



14 #3577 ©2003 IDC
Unlike software encryption, which can't keep a counter, the chip can keep track of login attempts, and it won't let the count-per-time rise too high, interpreting repeated assays as hammering behavior. Each failed attempt increases the length of the delay before a user can try again, up to 28 days. Although this feature can be reset with an administrative passphrase, it functions as a good antihacking mechanism.
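The anti-hammering counter described above, as an added example that is not code from the paper or from IBM: it models the policy (a delay that grows with every failed attempt, a 28-day cap, and a reset gated on an administrative passphrase) in plain Python. The doubling schedule, the SHA-256 verifiers, the passphrases and the sample guesses are all assumptions constructed for this example; the paper states only that the delay grows with each failure up to 28 days.

```python
"""Anti-hammering lockout of the kind the paper describes for the embedded
security chip: each failed authentication attempt lengthens the delay before
the next attempt is accepted, capped at 28 days, and only an administrative
passphrase clears the counter.

Added example; this is not IBM's or Lenovo's code and does not model the
chip's internals. The doubling schedule (1 s, 2 s, 4 s, ...) is an
assumption; the paper only says the delay grows with each failure up to
28 days. In the chip the counter is tamper-resistant hardware state; here it
is ordinary Python state, which is exactly the weakness the paper points at.
"""
from dataclasses import dataclass
import hashlib
import hmac

MAX_DELAY_SECONDS = 28 * 24 * 60 * 60  # the 28-day cap stated in the paper
BASE_DELAY_SECONDS = 1.0               # assumed delay after the first failure


def make_digest(passphrase: bytes) -> bytes:
    """Stored verifier for a passphrase (plain SHA-256 for brevity; a real
    system would use a salted, deliberately slow password hash)."""
    return hashlib.sha256(passphrase).digest()


def delay_after(failures: int) -> float:
    """Delay imposed after `failures` consecutive wrong attempts: doubles
    each time and saturates at 28 days."""
    if failures <= 0:
        return 0.0
    return min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS)


def failures_to_reach_cap() -> int:
    """How many consecutive failures it takes before the delay saturates."""
    n = 1
    while delay_after(n) < MAX_DELAY_SECONDS:
        n += 1
    return n


@dataclass
class LockoutPolicy:
    failures: int = 0               # consecutive failures since last success or reset
    locked_until: float = 0.0       # timestamp (seconds) before which attempts are refused
    rejected_while_locked: int = 0  # attempts refused without even checking the passphrase

    def attempt(self, now: float, supplied: bytes, verifier: bytes) -> str:
        """Returns 'locked', 'wrong' or 'ok'. While a lockout is in force even
        the correct passphrase is refused: a burst of attempts is treated as
        hammering regardless of its content."""
        if now < self.locked_until:
            self.rejected_while_locked += 1
            return "locked"
        if hmac.compare_digest(make_digest(supplied), verifier):
            self.failures = 0
            self.locked_until = 0.0
            return "ok"
        self.failures += 1
        self.locked_until = now + delay_after(self.failures)
        return "wrong"

    def admin_reset(self, passphrase: bytes, admin_verifier: bytes) -> bool:
        """Clear the counter, but only with the administrative passphrase."""
        if not hmac.compare_digest(make_digest(passphrase), admin_verifier):
            return False
        self.failures = 0
        self.locked_until = 0.0
        return True


if __name__ == "__main__":
    # Constructed sample: one user verifier and a burst of wrong guesses
    # arriving every half second.
    user_verifier = make_digest(b"correct horse battery staple")
    policy = LockoutPolicy()
    t = 0.0
    for guess in (b"letmein", b"password1", b"qwerty"):
        print(f"t={t:4.1f}s guess={guess!r:14} -> {policy.attempt(t, guess, user_verifier)}")
        t += 0.5
    print(f"after {failures_to_reach_cap()} consecutive failures the delay "
          f"saturates at {MAX_DELAY_SECONDS} s (28 days)")
```

Run it directly to watch a burst of guesses being refused. Two details are worth noticing: while a lockout is in force the correct passphrase is refused as well, and with a doubling schedule the 28-day cap is reached after 23 consecutive failures. What the code cannot show is the paper's actual point: in software the `failures` field can be zeroed or bypassed by anyone who controls the host, whereas the chip keeps the counter where host software cannot reach it.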
The user key is not used for signing anything but allows the chip to load keys from elsewhere. Unlike a smart card, the chip can work with multiple certificates (issued, for example, by a senior citizens group, a corporate employer, Microsoft Outlook, American Express, or MasterCard). The number of keys can get quite large since each organization a user might interact with will have its own.

ONE ELEMENT OF A SECURITY SUITE

With one of the security factors thus based in embedded hardware, dual-factor client security systems can include, as mentioned previously, a biometric authenticator or proximity badge to further hinder identity spoofing and lunchtime attacks. Tied to third-party authentication tools, embedded hardware security can plug some of the more vulnerable holes in the security perimeter. For example, the range of a proximity badge, which operates over a radio frequency link, can be configured from five feet (for really secure) to 30 feet (for still pretty secure) protection against lunchtime attacks.

In the Targus biometric recognition implementation, a spring-loaded PC Card-based device with a small reader on it pops out with a finger push. The device reads the user's fingerprint, which is used initially to set up access, and if it finds a match, permits log-on. The software included with the device lets the user map any application requiring a password to this surefire authentication system.

The security chip, which is now available worldwide, is designed to be used with other security elements. For example, it will not protect against a virus that can wipe the hard disk clean. Firewalls and antivirus software are required for that type of defense. The chip just keeps data private and confidential and provides for PKI operations. IBM and other vendors offer suites of interrelated security products to create a fully secure environment. For example, IPSec protects communications links by securing the Ethernet controller.

Another key feature of the IBM-embedded security chip is that it is inexpensive, to the point where IBM has included it in select client systems at no additional charge to the buyer. The company charges about $25 for the chip to commercial buyers, which is less than the cost of the simplest hardware token (e.g., a USB key) and one-half to one-third the cost of the least-expensive smart card. For the degree of utility it provides in de novo installations, nothing else can match it on a price-performance basis. Hardware-based solutions implemented as cards are more expensive (in some cases up to $2,000), and a perpetrator could put a sniffer on some aftermarket cards. Also, the chip ties the trust to an actual PC rather than to a removable card. The only possible way to hack the chip is by direct physical attack, which involves sensing voltage changes on the power lead and gives only an indirect view of activity inside the chip (and even this involves such "high-spook" work that only a very few cryptanalysts, mostly employed by the dark sectors of governments, can even think of mounting such an assault). A successful malicious hack cannot be launched remotely.

The only penalty that an organization might pay for using encryption of any sort, the IBM chip or another hardware or software implementation, is that the process creates some computing overhead. However, today's PC systems, based on multigigahertz processors, generous and faster memory, and wider and faster system buses, have more than enough power to compensate for this performance "tax."