The Trusted Platform Module, together with biometrics,
can strengthen notebook security, writes Anthony Allan
Since they are outside the reach of normal corporate IT
administration, mobile devices are prone to attack. One of the ways
mobile devices can be secured is through a hardware specification
known as the Trusted Platform Module (TPM), managed by the Trusted
Computing Group. This module is able to protect data and user
identities, including storing biometric information securely.
A majority of enterprise-class notebook PCs will embed TPM by
2007. Several suppliers offer integrated fingerprint biometric
systems that exploit the TPM, as well as other features that can
improve user convenience and reduce operational costs of
authentication. TPM use will increase significantly with the
adoption of Windows Vista, and 50% of enterprise notebook PCs will
use TPM by the end of 2008.
While integrated fingerprint biometric authentication in
TPM-embedded notebook PCs does not meet the strategic need for
stronger user authentication throughout the enterprise, this
technology, along with other authentication capabilities, can
provide significant improvements in user convenience and reduced
operational costs. Hence, organisations should consider adopting
these options in their next refresh cycle.
Late in 2005, Lenovo – which acquired IBM’s Personal Systems
Division – announced it had shipped more than one million notebooks
with embedded fingerprint-based biometric systems, and several
other major notebook PC suppliers already offer similar
biometric-enabled notebooks.
Lenovo, Sony and others use a biometric system from Upek that
tightly integrates with the onboard TPM for improved security.
Fujitsu, HP and others similarly use a biometric system from
AuthenTec. These notebook PCs cost up to £50 more than an otherwise
similar product, but this premium will fall as volumes increase.
TPM-embedded biometric systems, with reference templates held
locally, are more secure than networked biometric systems: the
template never leaves the machine, so there is no central template
database to steal and no network exchange of biometric data to
intercept or replay, leaving fewer points exposed to attack.
Biometric authentication is popular with users as an alternative
to passwords or discrete hardware tokens as the user has nothing to
remember or carry with them. Conversations with suppliers and
end-users suggest that this convenience is a key driver to the
sales of these notebook PCs. However, biometric authentication is
not suited to environments in which many users share a single
machine.
The TPM can also be used to provide secure storage for
personalised credentials (the secret seed) that are used with
software one-time password tokens, such as those offered by RSA
Security. While storing the credentials on the TPM does not
ordinarily give security as robust as holding them on a discrete
smart card or USB token, this approach is significantly improved
when biometric authentication to the PC is added.
Lenovo and other suppliers exploit the TPM to provide a secure
password wallet: encrypted storage for simple passwords for
multiple Windows and web applications with single sign-on
capability. While these password wallets lack the flexibility,
scope (no support for terminal emulators) and centralised
management capabilities of enterprise single sign-on products, they
offer similar benefits to both the users and the organisation.
Where a user need remember only one (primary) password to access
multiple systems, password-related helpdesk calls can fall by
approximately two-thirds, with cost savings of about £8 per user
per year.
Adding stronger primary authentication to single sign-on, such
as fingerprints, or better yet, password and fingerprint for
two-factor authentication, addresses a key concern: that the user’s
entire system becomes available to an attacker if the user’s
password is compromised. The TPM can also enhance other
best-practice laptop security technologies, such as drive
encryption.
Hence, organisations can reduce the risk of masquerade attacks,
avoiding potentially substantial downstream costs, and reduce
operational costs. Together these are likely to justify the
additional cost of the notebooks over a three- or four-year
refresh cycle. Nevertheless, some significant challenges
remain.
Fingerprints alone may not be sufficiently strong for access to
the notebook PCs themselves. Where sensitive information is held on
the laptop, encryption is recommended, and a password should be
used in addition to provide two-factor authentication – either for
initial login or whenever accessing the encrypted files.
However, even when the notebook PC can be configured to demand
both password and fingerprint for initial login, it may not be
possible to demand this to unlock a notebook PC on standby: a user
may need to give only their fingerprint. Whoever picks up a
suspended machine then faces the fingerprint check alone, and any
encryption key released to the session at login is still available
once the session resumes. Hence, drive encryption with a discrete
password is strongly recommended where the PC holds high-value
corporate information.
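The standby problem above is why the secret that unlocks the disk should be separate from whatever unlocks the session. As an added example that is not part of the article, and reaching beyond the 2006 products it discusses, the following shows the same principle on a current Windows notebook with BitLocker: the TPM alone can release the volume key (the weak setting, shown commented out) or can be required to combine with a discrete pre-boot PIN (the recommended setting), with a recovery password as the fallback the article asks for. The drive letter, the PIN prompt and the Active Directory escrow are assumptions for illustration, not anything the article describes.

```powershell
# Added example, not from the article: BitLocker configured so that the TPM
# alone cannot release the volume key at boot; a discrete pre-boot PIN is
# required as well. Assumes a TPM-equipped Windows 10/11 notebook with the
# BitLocker PowerShell module, an elevated session, and the Group Policy
# "Require additional authentication at startup" set to allow TPM + PIN.
# The drive letter is a placeholder.

$Volume = "C:"

# Weak setting, left commented out for contrast: a TPM-only protector.
# The TPM releases the key whenever the measured boot chain matches, so
# anyone who powers on or resumes the notebook reaches Windows with the disk
# already unlocked; only the session logon (possibly fingerprint-only) stands
# in the way.
# Enable-BitLocker -MountPoint $Volume -TpmProtector

# 1. Recovery password first: the fallback for a failed TPM or forgotten PIN.
Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null

# 2. Escrow the recovery password (here to Active Directory; assumes the domain
#    is configured to accept BitLocker recovery information).
$recovery = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
    Where-Object KeyProtectorType -eq "RecoveryPassword"
Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $recovery.KeyProtectorId

# 3. TPM plus a PIN the user must type before the OS loads. The PIN is
#    independent of the Windows logon password and of the fingerprint used to
#    unlock a session, so a fingerprint-only resume from standby never becomes
#    the only barrier in front of the encrypted volume on a cold boot.
$Pin = Read-Host -AsSecureString -Prompt "Pre-boot PIN (6 or more digits)"
Enable-BitLocker -MountPoint $Volume -TpmAndPinProtector -Pin $Pin `
    -EncryptionMethod XtsAes256 -SkipHardwareTest

# 4. Verify: a TpmPin and a RecoveryPassword protector should be present and
#    no bare Tpm protector. A leftover TPM-only protector silently undoes the
#    PIN requirement, so remove any that is found.
$vol = Get-BitLockerVolume -MountPoint $Volume
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table
$tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq "Tpm"
foreach ($p in $tpmOnly) {
    Write-Warning "Removing TPM-only protector $($p.KeyProtectorId)"
    Remove-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $p.KeyProtectorId
}
"{0}: protection {1}, {2}% encrypted" -f $Volume, $vol.ProtectionStatus, $vol.EncryptionPercentage
```

The check in step 4 is the part worth keeping in a build script: a machine that was first encrypted with a TPM-only protector and later had TPM + PIN added still boots without the PIN until the original protector is removed.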
Remote access to corporate systems should also require, as a
minimum, both password and fingerprint for initial PC login.
Discrete two-factor authentication to the corporate network is
strongly recommended for any remote PC. Remote access
authentication can exploit the TPM protection of credentials for a
software token, but a user may elect to store the one-time password
token PIN in the password wallet, and the organisation has no
control over single sign-on policy; with the PIN in the wallet, the
token collapses to a single factor, released by whatever unlocks
the wallet. Using a TPM-protected software token is not as strong
as using a hardware or smart token, but it is less costly and may
still be strong enough for some organisations.
Biometric sensors differ in performance. Upek and AuthenTec use
different techniques to capture a fingerprint image. Upek uses
active capacitance, which reads the print from the skin surface.
AuthenTec uses radio frequency, which reads the print from the live
skin layer. These technologies will likely have different
resistance to different kinds of physical attacks, although neither
appears vulnerable to the recently publicised attacks using plastic
modelling dough or gelatin.
Organisations must be wary of "locking in" one kind of sensor
technology over their notebook PC refresh cycle. This matters if a
newly discovered exploit targets a specific manufacturer's sensor.
We do not see effective mitigation for this: substituting an
alternative peripheral device exposes the system to attacks that a
TPM-embedded system is not vulnerable to. This remains the biggest
limitation of TPM-embedded biometric systems.
Organisations must also be wary of the problems that some users
may have with fingerprint biometrics, because of either physical
disability or physiology. It is easy to underestimate the scale of
this problem.
The UK Passport Service biometric trials found that only about
80% of the sample population achieved successful verification on
fingerprints. Alternative authentication methods must be provided
that are at least as strong as password and fingerprint biometrics
for users who cannot use fingerprints. Alternative authentication
methods must also be provided in case of failure of the embedded
biometric system. The usual default fallback is a password, which
provides weaker authentication.
Organisations must also note that stronger authentication to the
notebook PC does not translate to stronger authentication to the
corporate network and downstream applications. These applications
still rely on memorised passwords and can be accessed using those
passwords from any legacy PC on the network.
Finally, while TPM-enabled systems appear to be relatively
secure, an unexpected vulnerability in, or successful attack on,
the TPM would put the systems, templates and credentials it
protects, and potentially the corporate infrastructure, at risk.
For the time being, attacks against the TPM are feasible only when
the attacker has uninterrupted physical access to the machine and
the right skills. The risk of this is acceptably small.
Anthony Allan is research vice-president at Gartner