HP ProtectTools Security Software 2010 - Technical White Paper
or USB storage is disallowed. This means that software designed to bypass the operating system 
password protection cannot run if the computer is protected using Pre-Boot Security. Enhanced 
Pre-Boot Security makes it possible to set up multiple users as well as multifactor authentication policies 
using a password, fingerprint or HP ProtectTools Java Card. 
While Pre-Boot security has been available for a number of years, it was never designed for multiuser 
environments. In addition, the following factors were commonly cited as the primary reasons for not 
using Pre-Boot security: 
•  Lack of operating system integration. This meant that users wanting to use pre-boot security would 
have to authenticate themselves twice: once in pre-boot and then again in the operating system. 
•  No secure recovery options. Let's face it, people lose smart cards and forget passwords. Until now, 
there were two ways to recover, and neither option was very appealing. Some computers would 
allow the password to be erased via physical access to the system board, which was not secure. On other 
computers, the system board had to be replaced, and this was usually not covered under warranty. 
HP Enhanced Pre-Boot security addresses both these concerns with One-Step Logon and HP 
SpareKey. Additionally, HP Enhanced Pre-Boot security is centrally manageable with 
DigitalPersona Pro Workgroup and DigitalPersona Pro Enterprise, allowing IT managers to 
recover remote users even when their computers are not connected to the network. 
One-Step Logon 
Enhanced Pre-Boot Security is designed to integrate with Windows authentication so that the user 
authenticates only once. The credentials provided at Pre-Boot are used to authenticate to the Pre-Boot 
environment, to drive encryption and then all the way into the operating system. From the user's 
standpoint it is the same login process as before, performed during Pre-Boot instead of at the operating 
system login. 
HP SpareKey 
HP SpareKey is designed to allow users to securely log in to their operating system account if they forget 
their password, lose their Java Card or for some reason cannot use their fingerprint to log in. Users are 
asked to enroll in HP SpareKey when they first log in to the notebook. The enrollment process is 
easy and requires the user to answer any three questions out of a predetermined list of ten. These 
questions are designed to collect information that is unique to the user and does not change over time 
(e.g., mother's maiden name, first school attended). 
Answering the three questions completes the enrollment, and the user is now protected. In the case of 
a lost credential or forgotten password, the user can select HP SpareKey and answer the previously 
selected questions. If the answers match, login continues. Upon completion of the login process, the 
user is prompted to change the login credential and may accept or decline. 
Answers to HP SpareKey questions are protected so that they cannot be recovered by an unauthorized 
person. The basic process for securing the answers is as follows: 
•  Step 1 - Answers to the three questions are concatenated into a single text string, with all 
spaces removed. 
•  Step 2 - The resulting string is hashed with SHA-1 to derive an encryption key. The key is 
therefore a deterministic function of the three answers: the same answers always produce the 
same key, and a different set of answers produces a different key. 
•  Step 3 - The derived encryption key is used to encrypt the login password. The encrypted password 
is then stored. 
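The following is an added worked example of the three steps above and of the recovery path; it is not HP's code and is not taken from the white paper. The page names SHA-1 as the hash but does not name the cipher, the key length, or how letter case is handled, so the example assumes AES-128-GCM keyed with the first 16 bytes of the SHA-1 digest, keeps case as typed, and uses constructed sample answers and a sample password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
	"io"
	"strings"
)

// normalizeAnswers implements step 1 as the page describes it: the three
// answers are concatenated into one string with every space removed. The
// page does not say whether case is folded, so case is kept as typed here.
func normalizeAnswers(answers [3]string) string {
	var b strings.Builder
	for _, a := range answers {
		b.WriteString(strings.ReplaceAll(a, " ", ""))
	}
	return b.String()
}

// deriveKey implements step 2: the SHA-1 digest of the normalized string is
// the encryption key. SHA-1 yields 20 bytes; the cipher and key length are
// not stated by the page, so this example (an assumption) keeps the first
// 16 bytes as an AES-128 key.
func deriveKey(answers [3]string) []byte {
	sum := sha1.Sum([]byte(normalizeAnswers(answers)))
	return sum[:16]
}

// Enroll implements step 3: encrypt the login password under the derived key
// and return the blob that would be stored. AES-GCM is this example's choice
// (assumed, not stated by the page); the random nonce is prepended so the
// authenticated blob is self-contained.
func Enroll(answers [3]string, password string) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(answers))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(password), nil), nil
}

// Recover is the lost-credential path: the user re-answers the questions,
// the key is re-derived, and the stored blob is decrypted. A wrong answer
// yields a different key, so the GCM tag check fails and no password is
// released.
func Recover(answers [3]string, blob []byte) (string, error) {
	block, err := aes.NewCipher(deriveKey(answers))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("stored blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", errors.New("answers do not match the enrolled answers")
	}
	return string(pt), nil
}

func main() {
	// Constructed sample enrollment: the answers and password are invented
	// for this example.
	enrolled := [3]string{"Smith", "Lincoln Elementary", "Rover"}
	blob, err := Enroll(enrolled, "Winter2010!")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %x\n", blob)

	// Spaces are ignored, so "LincolnElementary" matches "Lincoln Elementary".
	pw, err := Recover([3]string{"Smith", "LincolnElementary", "Rover"}, blob)
	fmt.Println("recovered:", pw, err)

	// A wrong answer derives a different key and decryption is rejected.
	_, err = Recover([3]string{"Jones", "Lincoln Elementary", "Rover"}, blob)
	fmt.Println("wrong answer:", err)
}
```

Note that in this scheme the key is a function of the three answers alone, with no secret contributed by the computer, so the protection of the stored password is exactly as strong as the answers are hard to guess; that is why the questions are chosen to elicit information unique to the user.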
Remote recovery via central management 
On centrally managed systems, HP Enhanced Pre-Boot security supports One Time Password (OTP) 
access, allowing IT support to recover remote users even when they are not connected to the network. 