The Trusted Platform Module, together with biometrics, can strengthen notebook security, writes Anthony Allan
Since they are outside the reach of normal corporate IT administration, mobile devices are prone to attack. One of the ways mobile devices can be secured is through a hardware specification known as the Trusted Platform Module (TPM), managed by the Trusted Computing Group. This module is able to protect data and user identities, including storing biometric information securely.
A majority of enterprise-class notebook PCs will embed TPM by 2007. Several suppliers offer integrated fingerprint biometric systems that exploit the TPM, as well as other features that can improve user convenience and reduce operational costs of authentication. TPM use will increase significantly with the adoption of Windows Vista, and 50% of enterprise notebook PCs will use TPM by the end of 2008.
While integrated fingerprint biometric authentication in TPM-embedded notebook PCs does not meet the strategic need for stronger user authentication throughout the enterprise, this technology, along with other authentication capabilities, can provide significant improvements in user convenience and reduced operational costs. Hence, organisations should consider adopting these options in their next refresh cycle.
Late in 2005, Lenovo – which acquired IBM’s Personal Systems Division – announced it had shipped more than one million notebooks with embedded fingerprint-based biometric systems, and several other major notebook PC suppliers already offer similar biometric-enabled notebooks.
Lenovo, Sony and others use a biometric system from Upek that tightly integrates with the onboard TPM for improved security. Fujitsu, HP and others similarly use a biometric system from AuthenTec. These notebook PCs are up to £50 more than an otherwise similar product, but this will fall as volumes increase.
TPM-embedded biometric systems, with reference templates held locally, are more secure than networked biometric systems, because fewer points are exposed to attack.
Biometric authentication is popular with users as an alternative to passwords or discrete hardware tokens as the user has nothing to remember or carry with them. Conversations with suppliers and end-users suggest that this convenience is a key driver to the sales of these notebook PCs. However, biometric authentication is not suited to environments in which many users share a single machine.
The TPM can also be used to provide secure storage for personalised credentials that are used with software one-time password tokens, such as those offered by RSA Security. While storing the credentials on the TPM does not ordinarily give as robust security as holding the credentials on a discrete smart card or USB token, this approach is significantly improved when biometric authentication to the PC is added.
Lenovo and other suppliers exploit the TPM to provide a secure password wallet: encrypted storage for simple passwords for multiple Windows and web applications with single sign-on capability. While these password wallets lack the flexibility, scope (no support for terminal emulators) and centralised management capabilities of enterprise single sign-on products, they offer similar benefits to both the users and the organisation. Where a user need remember only one (primary) password to access multiple systems, password-related helpdesk calls can fall by approximately two-thirds, with cost savings of about £8 per user per year.
Adding stronger primary authentication to single sign-on, such as fingerprints, or better yet, password and fingerprint for two-factor authentication, addresses a key concern: that the user’s entire system becomes available to an attacker if the user’s password is compromised. The TPM can also enhance other best-practice laptop security technologies, such as drive encryption.
Hence, organisations can reduce the risk of masquerade attacks, saving potentially substantial downstream costs, and reducing operational costs. Together these could likely justify the additional cost of the notebooks during a three- or four-year refresh cycle. Nevertheless, some significant challenges remain.
Fingerprints alone may not be sufficiently strong for access to the notebook PCs themselves. Where sensitive information is held on the laptop, encryption is recommended, and a password should be used in addition to provide two-factor authentication – either for initial login or whenever accessing the encrypted files.
However, even when the notebook PC can be configured to demand both password and fingerprint for initial login, it may not be possible to demand this to unlock a notebook PC on standby – a user may need to give only their fingerprint. Hence, drive encryption with a discrete password is strongly recommended where the PC holds high-value corporate information.
Remote access to corporate systems should also require at least both password and fingerprint for initial PC login. Discrete two-factor authentication to the corporate network is strongly recommended for any remote PC. Remote access authentication can exploit the TPM protection of credentials for a software token, but a user may elect to store the one-time password token PIN in the password wallet – the organisation has no control over single sign-on policy. Using a TPM-protected software token is not as strong as using a hardware or smart token, but is less costly and may still be strong enough for some organisations.
Biometric sensors differ in performance. Upek and AuthenTec use different techniques to capture a fingerprint image. Upek uses active capacitance, which reads the print from the skin surface. AuthenTec uses radio frequency, which reads the print from the live skin layer. These technologies will likely have different resistance to different kinds of physical attacks, although neither appears vulnerable to the recently publicised attacks using plastic modelling dough or gelatin.
Organisations must be wary that they are not “locking in” one kind of sensor technology over their notebook PC refresh cycle. This may be important in a scenario where a newly discovered exploit targets a specific manufacturer. We do not see effective mitigation for this; substituting an alternative peripheral device exposes the system to attacks that a TPM-embedded system is not vulnerable to. This remains the biggest limitation of TPM-embedded biometric systems.
Organisations must also be wary of the problems that some users may have with fingerprint biometrics, because of either physical disability or physiology. It is easy to underestimate the scale of this problem.
The UK Passport Service biometric trials found that only about 80% of the sample population achieved successful verification on fingerprints. Alternative authentication methods must be provided that are at least as strong as password and fingerprint biometrics for users who cannot use fingerprints. Alternative authentication methods must also be provided in case of failure of the embedded biometric system. The usual default fallback is a password, which provides weaker authentication.
Organisations must also note that stronger authentication to the notebook PC does not translate to stronger authentication to the corporate network and downstream applications. These applications still rely on memorised passwords and can be accessed using those passwords from any legacy PC on the network.
Finally, while TPM-enabled systems appear to be relatively secure, the systems themselves, their templates and credentials, and potentially the corporate infrastructure would be at risk in the face of an unexpected vulnerability or successful attack on the TPM. For the time being, attacks against the TPM are feasible only when the attacker has uninterrupted physical access to the machine and has the right skills. The risk of this is acceptably small.
Anthony Allan is research vice-president at Gartner
This was first published in April 2006