IDC white paper "The Coming of Age of Clien" (Lenovo ThinkCentre A51 documentation), page 14
Unlike software encryption, whose attempt counter is just more data on the disk that an attacker can copy or reset, the chip keeps its own count of login attempts inside the hardware and will not let the count per unit of time rise too high, treating repeated attempts as hammering. Each failed attempt lengthens the delay before the user may try again, up to 28 days. The counter can be reset with an administrative passphrase, but otherwise the escalating delay is a good defence against password guessing.

The user key is not used to sign anything; it lets the chip load keys held elsewhere. Unlike a smart card, the chip can work with multiple certificates (issued, for example, by a senior citizens' group, a corporate employer, Microsoft Outlook, American Express, or MasterCard). The number of keys can get quite large, since each organization a user interacts with will have its own.

ONE ELEMENT OF A SECURITY SUITE

With one of the security factors thus based in embedded hardware, dual-factor client security systems can add, as mentioned previously, a biometric authenticator or a proximity badge to further hinder identity spoofing and lunchtime attacks (use of a machine left unattended while logged in). Tied to third-party authentication tools, embedded hardware security can plug some of the more vulnerable holes in the security perimeter. For example, the range of a proximity badge, which operates over a radio-frequency link, can be configured from five feet (very secure) to 30 feet (still fairly secure) for protection against lunchtime attacks. In the Targus biometric implementation, a spring-loaded PC Card device with a small reader pops out at the push of a finger. The device reads the user's fingerprint, which is enrolled when access is first set up, and permits log-on if it finds a match. The software bundled with the device lets the user map any application that requires a password to this fingerprint check.

The security chip, which is now available worldwide, is designed to be used with other security elements.
For example, it will not protect against a virus that wipes the hard disk clean; firewalls and antivirus software are required for that kind of defence. The chip keeps data private and confidential and performs PKI operations, nothing more. IBM and other vendors offer suites of interrelated security products to create a fully secure environment. For example, IPSec, which encrypts and authenticates IP traffic, protects communications links; in IBM's suite this is implemented in the Ethernet controller. Another key feature of the IBM embedded security chip is that it is inexpensive, to the point where IBM has included it in select client systems at no additional charge to the buyer. The company charges about $25 for the chip to commercial buyers, which is less than the cost of the simplest hardware token (e.g., a USB key) and one-half to one-third the cost of the least expensive smart card. For the degree of utility it provides in de novo installations, nothing else matches it on price-performance. Hardware solutions implemented as add-in cards are more expensive (in some cases up to $2,000), and a perpetrator could attach a sniffer to some aftermarket cards. The chip also ties trust to an actual PC rather than to a removable card.

The only way to attack the chip itself is by direct physical attack, and even that is "high-spook" work that only a very few cryptanalysts, mostly employed by the dark sectors of governments, could contemplate: it involves sensing voltage changes on the power lead (power analysis), which gives only an indirect view of the activity inside the chip. Such an attack cannot be launched remotely. That guarantee covers the keys inside the chip; the host software that asks the chip to sign or decrypt is ordinary software and remains reachable remotely, which is why the chip is meant to be paired with the firewall, antivirus and authentication tools described above. The only penalty an organization pays for using encryption of any sort, the IBM chip or any other hardware or software implementation, is that the process creates some computing overhead.
However, today's PC systems, with multigigahertz processors, larger and faster memory, and wider and faster system buses, have more than enough power to absorb this performance "tax."

14 #3577 ©2003 IDC
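The escalating-delay counter described at the start of this page, written out as an added example modelled on that behaviour (this is not IBM's firmware or any code from the paper): a gate that refuses attempts during a lockout without even checking the secret, doubles the lockout after each consecutive failure up to the 28-day cap the paper quotes, and clears only on an administrative passphrase. The doubling schedule starting at one second, the class and function names, and the sample secrets are assumptions; the paper gives only the cap. The counter lives in a Python object here, whereas the chip keeps it in tamper-resistant non-volatile storage that host software cannot reset.

```python
"""Escalating lockout ("anti-hammering") counter: each failed attempt lengthens
the wait before the next one, the wait is capped at 28 days, and only an
administrative passphrase clears it. Added illustration, not the chip's firmware.
The doubling schedule starting at one second is assumed (the paper states only
the cap); the chip keeps the counter in tamper-resistant storage, not in RAM.
"""
import hashlib
import hmac
import os

DAY = 24 * 60 * 60
MAX_DELAY = 28 * DAY   # cap quoted in the paper
BASE_DELAY = 1         # assumed: the first failure costs one second


def hash_secret(secret: bytes, salt: bytes) -> bytes:
    """Slow hash so a copy of the guard's state does not yield the secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def delay_after(failures: int) -> int:
    """Lockout imposed after `failures` consecutive bad attempts (assumed doubling)."""
    if failures <= 0:
        return 0
    return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)


class HammeringGuard:
    """Gate in front of a secret check. `now` is an injected clock (seconds) so
    the escalation can be exercised without actually sleeping."""

    def __init__(self, user_secret: bytes, admin_passphrase: bytes, now):
        self._now = now
        self._salt = os.urandom(16)
        self._user_hash = hash_secret(user_secret, self._salt)
        self._admin_hash = hash_secret(admin_passphrase, self._salt)
        self.failures = 0
        self.unlock_at = 0.0   # attempts before this time are refused unseen

    def try_login(self, secret: bytes) -> str:
        """Return 'ok', 'bad_secret' or 'locked'. While locked the secret is
        not even compared, so hammering yields no information and no progress."""
        t = self._now()
        if t < self.unlock_at:
            return "locked"
        if hmac.compare_digest(hash_secret(secret, self._salt), self._user_hash):
            self.failures = 0
            self.unlock_at = 0.0
            return "ok"
        self.failures += 1
        self.unlock_at = t + delay_after(self.failures)
        return "bad_secret"

    def admin_reset(self, passphrase: bytes) -> bool:
        """Clear the counter; succeeds only with the administrative passphrase."""
        if not hmac.compare_digest(hash_secret(passphrase, self._salt), self._admin_hash):
            return False
        self.failures = 0
        self.unlock_at = 0.0
        return True


def lockouts_seen_by_patient_attacker(attempts: int) -> list:
    """Constructed scenario: an attacker who guesses wrong, waits out each
    lockout exactly, and guesses again. Returns the lockout (seconds) imposed
    after each attempt, which shows the escalation up to the 28-day cap."""
    clock = {"t": 0.0}
    guard = HammeringGuard(b"correct horse", b"admin-reset-phrase", lambda: clock["t"])
    lockouts = []
    for _ in range(attempts):
        guard.try_login(b"wrong guess")          # always the wrong secret
        lockouts.append(int(guard.unlock_at - clock["t"]))
        clock["t"] = guard.unlock_at              # wait out the lockout, then retry
    return lockouts


if __name__ == "__main__":
    seen = lockouts_seen_by_patient_attacker(25)
    print("lockouts (s):", seen)
    print("attempts until the 28-day cap:", seen.index(MAX_DELAY) + 1)
    print("days consumed before the cap:", sum(seen[:seen.index(MAX_DELAY)]) / DAY)
```

With this schedule the cap is reached on the 23rd failure, and the attacker has already waited about 48 days to get there; the point of the design is that the cost of each guess is paid in wall-clock time the attacker cannot buy back, which software alone cannot enforce once the attacker holds a copy of the encrypted data and its counter.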