HP Client Security Commercial Managed IT Software Technical whitepaper
HP Client Security Technical Whitepaper 
August 2016 
747889-002 
© Copyright 2016 HP Development Company, L.P. 
11 Synaptics Fingerprint Reader Sensor/Driver (VFS495)
11.1 Technology 
  The VFS495 meets the requirements of FIPS 140-2, but is not FIPS 140 certified.
The VFS495 uses the following encryption and data security technologies: 
  Advanced Encryption Standard (AES) hardware block - Encrypts/decrypts the data stream with AES-CBC-256 and RSA-2048. AES cryptography is performed in CBC mode.
  Hardware exponentiation block - Performs RSA operations.
  Secure Hash Algorithm (SHA) hardware block - Calculates SHA1/256 and SHA1/256-HMAC on the data stream.
  Physical Unclonable Function (PUF), two PUF hardware blocks of 224 bits each - Generates a unique 448-bit output for each VFS sensor, used to generate key material.
  One-Time Programmable (OTP) memory - 1 Kbit of OTP memory inside the sensor, used to store security and sensor configuration data.
  Random entropy source - Noise data from the sensor (analog block) is used as the main source of entropy. Additionally, the CPU clock cycle count can be mixed in for better entropy.
  Secure Sockets Layer (SSLv3) - Communication between the Validity SDK and the sensor is encrypted using SSLv3. The RSA and AES algorithms and SHA and MD5 operations are used in the SSL handshake and communications to authenticate parties, to generate shared keys and secrets, and to secure communications.
All firmware patches for the VFS-RSA sensor are AES-CBC-256 encrypted and RSA-2048 signed before deployment. The sensor firmware verifies the RSA signature before accepting a patch.
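The verify-before-accept rule above, shown as an added example (not Synaptics or HP code): a gate that accepts a patch blob only when its RSA-2048 signature checks out. The signature scheme (PKCS#1 v1.5 with SHA-256), signing over the encrypted blob, the exponent 65537 and every function name are assumptions the page does not specify; the key pair is a constructed throwaway.

```python
import hashlib
import math
import secrets

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL = math.prod([3, 5, 7, 11, 13, 17, 19, 23, 29, 31])

def encode(blob: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(blob)."""
    t = SHA256_PREFIX + hashlib.sha256(blob).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def accept_patch(blob: bytes, sig: bytes, n: int, e: int) -> bool:
    """True only if sig is a valid RSA-2048 signature over the patch blob."""
    k = (n.bit_length() + 7) // 8
    if n.bit_length() != 2048 or len(sig) != k:
        return False                      # wrong key size or truncated signature
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False                      # signature representative out of range
    # Rebuild the expected encoding and compare it whole; parsing the padding
    # instead is a classic source of signature-forgery bugs.
    return pow(s, e, n).to_bytes(k, "big") == encode(blob, k)

def _prime(bits: int) -> int:
    """Demo-only prime search (Fermat test); not production key generation."""
    while True:
        p = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if math.gcd(p, SMALL) == 1 and p % 65537 != 1 and \
                all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7)):
            return p

def demo_keypair():
    """Constructed throwaway key standing in for the vendor signing key."""
    p, q = _prime(1024), _prime(1024)
    return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))

def sign(blob: bytes, n: int, d: int) -> bytes:
    """Signer side, used here only to produce a constructed test signature."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(encode(blob, k), "big"), d, n).to_bytes(k, "big")

if __name__ == "__main__":
    n, e, d = demo_keypair()
    blob = b"constructed stand-in for an AES-CBC-256 encrypted patch"
    sig = sign(blob, n, d)
    print(accept_patch(blob, sig, n, e), accept_patch(blob + b"!", sig, n, e))
```

Under these assumptions the check runs over the ciphertext, so a modified patch is rejected before any decryption or flash write takes place.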
11.1.1 Design 
The following embedded security features of the Synaptics fingerprint solution relate to HP Client Security, including BIOS and Drive Encryption:
  An HP-signed DLL for use by HP Client Security.
  A Validity service.
  A WinUSB device driver.
  Secure delivery of the fingerprint image.
  A protected channel for secure communication between Host and Sensor.
  A unique RSA-2048 public/private key pair for every sensor.
  A unique, random AES-256 key for template database encryption that is invalidated and re-generated on device ownership change.
  Sensors can authenticate a Host and be authenticated by a Host.
  SecureMatch® - the ability to verify match results on the sensor before any user payload data or credentials are released to the host.
  Provides a Unified Extensible Firmware Interface (UEFI) driver that the BIOS or Drive Encryption environments can call to implement single sign-on on a matching finger swipe.
  The UEFI driver only releases the SID on an authenticated SecureMatch®.
  Securely extendable firmware for supporting One Time Password (OTP) solutions.










