Manual
Table Of Contents
- Preface
- Chapter 1. Overview
- Chapter 2. Installation
- Chapter 3. Working with Client Security Solution
- Chapter 4. Working with ThinkVantage Fingerprint Software
- Chapter 5. Working with Lenovo Fingerprint Software
- Chapter 6. Best Practices
- Deployment examples for installing Client Security Solution
- Switching Client Security Solution modes
- Corporate Active Directory rollout
- Standalone Install for CD or script files
- System Update
- System Migration Assistant
- Generating a certificate using key generation in the TPM
- Using USB fingerprint keyboards with 2008 ThinkPad notebook computer models (R400/R500/T400/T500/W500/X200/X301)
- Appendix A. Special considerations for using the Lenovo Fingerprint Keyboard with some ThinkPad notebook models
- Appendix B. Synchronizing password in Client Security Solution after the Windows password is reset
- Appendix C. Using Client Security Solution on a reinstalled Windows operating system
- Appendix D. Using the TPM on ThinkPad notebook computers
- Appendix E. Notices
- Glossary
ThefollowingdiagramprovidesthestructurefortheSystemLevelKey:
System Level Key Structure - Take Ownership
Trusted Platform Module
Encrypted via derived AES Key
Storage Root Private Key
Storage Root Public Key
System Leaf Private Key
System Base Private Key
System Leaf Public Key
System Base Public Key
System Base Private Key
System Base Public Key
If Passphrase
loop n times
CSS Admin PW/PP
One-Way Hash
One-Way Hash
System Base AES
Protection Key
(derived via output
of hash algorithm)
Auth
Figure1.SystemLevelKeyStructure-TakeOwnership
EnrollUser
Inordertohaveeachuser’sdataprotectedbythesameTrustedPlatformModule,eachuserwillhavetheir
ownuserbasekeycreated.Thisasymmetricstoragekeycanbemigratedandisalsocreatedtwiceand
protectedbyasymmetricAESKeygeneratedfromeachuser’sWindowspasswordorClientSecurity
passphrase.
ThesecondinstanceoftheUserBaseKeyisthenimportedintotheTrustedPlatformModuleandprotected
bythesystemSRK.WiththeUserBaseKeycreated,asecondaryasymmetrickeycalledtheUserLeafKey
iscreated.TheUserLeafKeyprotectsindividualsecretssuchasthePasswordManagerAESKeyusedto
protectinternetlogoninformation,passwordusedtoprotectdata,andtheWindowspasswordAESKey
usedtoprotecttheaccesstotheoperatingsystem.AccesstotheUserLeafKeyiscontrolledbytheuser’s
WindowspasswordorClientSecuritySolutionpassphraseandisautomaticallyunlockedduringlogon.
Chapter3.WorkingwithClientSecuritySolution21