HP Client Security Commercial Managed IT Software Technical whitepaper
HP Client Security Technical Whitepaper 
August 2016 
747889-002 
© Copyright 2016 HP Development Company, L.P. 
7 HP Client Security Technology 
HP Client Security consists of the following key security technologies: 
7.1 Security and Encryption Strength 
HP Client Security’s core host application adheres to a strong security model with the following features: 
  Execute all “secure operations,” such as user authentication, user provisioning, credential management, and policy configuration, from a highly privileged account.
  Use Windows ACLs (Access Control Lists) to protect access to resources, such as registry data.
  Generate a PKI key pair to be used by the authentication service in conjunction with cryptographic functions.
  Generate the PKI and symmetric keys (UUK) upon enrolling a user. The UUK is not stored in the clear or simply obfuscated on the hard drive. The key is always protected via a credential. The user’s Windows password is used to derive a key that is then used to encrypt the UUK. Additionally, the key is either encrypted, as with the Smart Card, or securely stored in the authentication device, as with the secure fingerprint reader. The UUK is only released upon a successful user authentication. This key in turn encrypts other sensitive user data, the so-called “user secrets”. In the end, the secrets are always protected via user authentication.
  Symmetric encryption uses AES with 256-bit keys. Asymmetric encryption leverages RSA algorithms with 2048-bit keys.
  Microsoft Enhanced Cryptographic Provider (ECP).
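The password path of the key hierarchy described above (password-derived key wraps the UUK, the UUK encrypts user secrets), as an added Node.js example that is not HP's code. The KDF (PBKDF2-HMAC-SHA256), its iteration count, the GCM mode, and all function and field names are assumptions; the whitepaper specifies only AES with 256-bit keys.

```javascript
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Assumptions, not from the whitepaper: PBKDF2-HMAC-SHA256 with 600,000
// iterations as the password KDF, and GCM as the AES-256 mode.
const KDF_ITERATIONS = 600000;
const deriveKek = (password, salt) =>
  pbkdf2Sync(password, salt, KDF_ITERATIONS, 32, 'sha256');

// Authenticated AES-256 encryption under a 32-byte key.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypts and verifies; throws if the key or the stored data is wrong.
function unseal(key, { iv, ct, tag }) {
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Enrollment: a random 256-bit UUK is created and persisted only wrapped
// under the password-derived key. `record` is what would sit on disk.
function enroll(password) {
  const salt = randomBytes(16);
  const uuk = randomBytes(32);
  return { uuk, record: { salt, wrappedUuk: seal(deriveKek(password, salt), uuk) } };
}

// Authentication: the UUK is released only if the credential unwraps it.
function releaseUuk(password, record) {
  try {
    return unseal(deriveKek(password, record.salt), record.wrappedUuk);
  } catch {
    return null; // wrong password or tampered record
  }
}

// In this example a password change re-wraps the same UUK, so user secrets
// encrypted under the UUK do not have to be re-encrypted.
function changePassword(oldPassword, newPassword, record) {
  const uuk = releaseUuk(oldPassword, record);
  if (uuk === null) return null;
  const salt = randomBytes(16);
  return { salt, wrappedUuk: seal(deriveKek(newPassword, salt), uuk) };
}
```

Because the wrapped UUK is authenticated, a failed unwrap doubles as the password check, and no separate password hash has to be stored next to it.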
7.2 Design and Services 
HP Client Security provides an authentication service to ensure that the user authentication capabilities extend beyond 
Windows, and that BIOS and Drive Encryption login pages can participate in user authentication as well. All communication 
between the authentication service and authentication environments occurs at the service layer. The authentication service 
provides the following functionalities: 
  Manages the activation and deactivation of the authentication environments (Windows, BIOS, Drive Encryption).
  Coordinates the authentication policies and user provisioning data across all authentication environments, thus facilitating One Step Logon and ensuring that a lockout scenario is avoided.
  Enrolls users’ credentials.










