Securing User Credentials
Controlling access to your PC and its critical data is like locking your front door to deter an intruder. How strong is the lock? Is your key kept secure or simply hidden under the welcome mat? From a hacker's perspective, user credentials are either well secured or they aren't, and you can't afford any middle ground. That's why Dell created the ControlVaultTM solution, an innovative hardware-based security solution that provides a hardened and secure bank for storing and processing user credentials. The ControlVault solution keeps passwords, biometric templates, RSA Secure ID algorithms and security codes within firmware to help keep them locked away from a malicious application attack.
Isolating Security Operations Dell's ControlVault solution helps protect secure operations by isolating them from the Microsoft® Windows® environment and memory, which is not secure. Instead, processing and storage of critical data takes place on a processing and memory chip - helping to provide a protective and secure boundary. This isolation helps remove the processing and storage of identity and biometric information away from unsecured operating systems and physical hard drives.
Dell ControlVault Technical Functions
Securing Encryption Keys
Many applications using encryption will store keys on the hard drive. This is a problem. Even if the encryption key itself is concealed with another key, the encryption key is still on the hard drive and out in the open. Obscurity? Yes. Security? No. Even if the key is hidden among other data, hackers have programs that can search the hard drive and quickly locate the key. For this reason, the ControlVault solution lets applications store keys within the ControlVault-protected boundary. Access to the keys is strictly controlled by an authorization scheme. An application should not be able to access the keys without satisfying the authentication requirements set up by the owner or IT manager of a particular ControlVault chip. And the small memory footprint of Dell's ControlVault chip helps ensure low impact to overall system performance.
Controlling Access To Reference Templates
To verify authentication, a reference template, which is created and stored at the time of enrollment, must be accessed. Applications usually store this template on the hard drive, and expose it to the following threats:
The ControlVault solution helps minimize these threats.
- Modification: A non-authorized user can replace the original reference template.
- Extraction: A template, such as a fingerprint template, can be copied, creating a privacy issue for the user who may want to prevent others from obtaining a digital copy.
Isolating Usage of Keys and Templates
Even if a key or template is stored securely, other solutions subject them to sniffing or modification risks as they are pulled out into the open during a security operation. The ControlVault chip doesn't take these risks. It isolates usage of keys and templates from the host. In some cases, it performs key encryption inside the chip's boundary, so certain types of keys are never exposed to an insecure host. For example, fingerprint templates are not exposed outside the ControlVault security boundary - final matching takes place inside the chip.
Sealing Off Code Execution
Many applications execute their secure operations on the host x86 processor, which exposes it to sniffing of interim values and modification of the final result. In contrast, the ControlVault chip executes operations and stores credentials within its secure boundary. This allows credentials to be secured and helps protect against any inspection or modification of the execution process.
Securing Code Storage
Many applications store code on the hard drive, which makes it vulnerable to an attacker who may replace parts of the code with alternate code to force an unintended result. The ControlVault chip stores the execution code for secure processes within the secure boundary, helping to keep malicious applications from accessing this stored code.
Security tokens and one-time passwords
RSA and Dell have worked together to provide users of the DellTM LatitudeTM E-Family E6500, E6400, E4300 and E4200 laptops with embedded RSA SecurID® software token technology for two-factor authentication to network resources. This technology integration currently provides a high-end multi-purpose hardware-level security for both the storage of RSA SecurID software tokens and one-time password generation.
The RSA SecurID algorithm is embedded within the Dell Latitude laptops' ControlVaultTM hardened firmware chip for storage and processing of user credentials. RSA SecurID software token seeds are securely stored within the firmware to help keep it outside of the attack vector of malicious applications, and the RSA one-time password is also securely generated in the ControlVault chip. End users can conveniently launch the software token with one click using the computer's Dell ControlPoint Security Manager.
This combination of the RSA SecurID software token embedded within the Dell Latitude ControlVault offers the security of a hardware token with the cost effectiveness and convenience of a software token, as administrators will no longer need to replace lost tokens. End users also benefit from a consolidated device because they do not need to have a physical token with them. Additionally, by linking the two-factor authentication method directly to the PC, organizations can help ensure employees are only accessing corporate information from company computers.
How does the ControlVault solution differ from Trusted Platform Module (TPM )?
TPM is a proven technology for system authentication. TPM and ControlVault technologies both store keys and have similar benefits, but the ControlVault solution offers some additional features designed to help improve security. First, the ControlVault chip can store and execute code using a secure processor. The ControlVault solution also supports use of personal authentication (FP, SC, Contactless) to access credentials versus TPM's 160-bit password. The ControlVault chip also stores all credential types to allow single point of migration and supports broad crypto algorithm (i.e. Suite B, native ECC).