HP EliteDesk 800 G1 Ultra-slim PC Client Security Commercial Managed IT Softwa - Page 18

Validity Fingerprint Reader Sensor/Driver VFS495

Get HP EliteDesk 800 G1 Ultra-slim PC PDF manuals and user guides View all HP EliteDesk 800 G1 Ultra-slim PC manuals
Add to My Manuals
Save this manual to your list of manuals

Page 18 highlights

Validity Fingerprint Reader Sensor/Driver (VFS495) Technology  The VFS495 meets the requirements of FIPS140-2, but is not FIPS 140 certified. The VFS495 uses the following encryption and data security technologies:  Advanced Encryption Standard (AES) hardware block - Encrypts/decrypts data stream with AES-CBC-256 and RSA- 2048. AES cryptography is performed in CBC mode.  Hardware exponentiation block - Performs RSA operations.  Security Hash Algorithm (SHA) hardware block - Calculates SHA1/256, SHA1/256-HMAC on data stream  Physical Unclonable Function (PUF) - two PUF hardware blocks 224 bits each - Generates unique 448 bit output for each VFS sensor, used to generate key material.  One Time Programmable) Memory (OTP) - 1 Kbit OTP memory inside the sensor used to store security and sensor configuration data.  Random Entropy Source - Noise data from Sensor (analog block) is used as the main source of entropy. Additionally, CPU clock cycle count can be used to mix up for better entropy.  Secure Sockets Layer (SSLv3) - Communication between the Validity SDK and the sensor are encrypted using SSLv3. The RSA and AES algorithms and SHA and MD5 operations are used in the SSL Handshake and communications to authenticate parties, to generate shared keys and secrets, and to secure communications. All firmware patches for VFS-RSA sensor will be AES-CBC-256 encrypted and RSA-2048 signed before deployment. The sensor firmware verifies the RSA signature before accepting a patch. Design The following Validity fingerprint solution embedded security features relate to the HP Client Security, including BIOS and Drive Encryption:  A HP-signed DLL for use by HP Client Security.  A Validity service.  A WinUSB device driver.  Secure delivery of fingerprint image.  A protected channel for secure communication between Host and Sensor.  A unique RSA-2048 public/private key pair for every sensor.  A unique, random AES-256 key for template database encryption that is invalidated and re-generated on device ownership change.  Sensors can authenticate a Host and be authenticated by a Host  SecureMatch® - the ability to verify match results on the sensor before any user payload data or credentials are released to the host.  Provides a Unified Extensible Firmware Interface (UEFI) driver that the BIOS or Drive Encryption environments can call to implement single-sign on a matching finger swipe.  The UEFI driver only releases the SID on an authenticated SecureMatch®.  Securely extendable firmware for supporting One Time Password (OTP) solutions. 18

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
18
Validity Fingerprint Reader Sensor/Driver (VFS495)
Technology
The VFS495 meets the requirements of FIPS140-2, but is not FIPS 140 certified.
The VFS495 uses the following encryption and data security technologies:
Advanced Encryption Standard (AES)
hardware block - Encrypts/decrypts data stream with AES-CBC-256 and RSA-
2048. AES cryptography is performed in CBC mode.
Hardware exponentiation block - Performs RSA operations.
Security Hash Algorithm (SHA) hardware block - Calculates SHA1/256, SHA1/256-HMAC on data stream
Physical Unclonable Function
(PUF) – two PUF hardware blocks 224 bits each - Generates unique 448 bit output
for each VFS sensor, used to generate key material.
One Time Programmable) Memory (OTP) - 1 Kbit OTP memory inside the sensor used to store security and
sensor configuration data.
Random Entropy Source - Noise data from Sensor (analog block) is used as the main source of entropy.
Additionally, CPU clock cycle count can be used to mix up for better entropy.
Secure Sockets Layer (SSLv3) - Communication between the Validity SDK and the sensor are encrypted using
SSLv3. The RSA and AES algorithms and SHA and MD5 operations are used in the SSL Handshake and
communications to authenticate parties, to generate shared keys and secrets, and to secure communications.
All firmware patches for VFS-RSA sensor will be AES-CBC-256 encrypted and RSA-2048 signed before
deployment. The sensor firmware verifies the RSA signature before accepting a patch.
Design
The following Validity fingerprint solution embedded security features relate to the HP Client Security,
including BIOS and Drive Encryption:
A HP-signed DLL for use by HP Client Security.
A Validity service.
A WinUSB device driver.
Secure delivery of fingerprint image.
A protected channel for secure communication between Host and Sensor.
A unique RSA-2048 public/private key pair for every sensor.
A unique, random AES-256 key for template database encryption that is invalidated and re-generated on device
ownership change.
Sensors can authenticate a Host and be authenticated by a Host
SecureMatch® - the ability to verify match results on the sensor before any user payload data or credentials are
released to the host.
Provides a Unified Extensible Firmware Interface
(
UEFI) driver that the BIOS or Drive Encryption environments can
call to implement single-sign on a matching finger swipe.
The UEFI driver only releases the SID on an authenticated SecureMatch®.
Securely extendable firmware for supporting One Time Password (OTP) solutions.