IBM Embedded Security System and Fingerprint Reader Config
-
thoughtdifferent
- Posts: 12
- Joined: Tue Aug 23, 2005 11:15 pm
Hello all -
Got a question for you all regarding the ESS and fingerprint reader. I have the CSS software installed, the fingerprint software installed, and right now I log on with a fingerprint. That all works just fine. However, when I try to use the password manager with Internet Explorer (to recall form usernames/passwords), the first time I do it I have to put in my UVM password, and then swipe my finger. The software is pretty confusing, although after enough tinkering I've at least figured out where everything is.
So is it possible to use my fingerprint for any situation that would require my UVM?
Thanks for any help. And yes I did search. Would IBM tech support be any good for this kind of thing? Or should I do something else with my time?
T42 2379 F1U
-
thoughtdifferent
- Posts: 12
- Joined: Tue Aug 23, 2005 11:15 pm
-
thoughtdifferent
- Posts: 12
- Joined: Tue Aug 23, 2005 11:15 pm
-
Ground Loop
- Sophomore Member
- Posts: 174
- Joined: Sun Jul 10, 2005 2:19 am
Correct.
I think everyone has tried, at some point, because the hardware is essentially free, and then said "why on earth..."
The whole design of it (the ESS software) seems to be targeted at the Corporate IT department, with several layers of Administrative users, profiles, permissions and archives. The Single User mode is a bit of an afterthought, and it shows.
It doesn't appear to have a "make my life easier" mode, just a "get in my way and add hassle". Instead of just a web login password, you get a fingerprint and password.
Not only that, but it's rather slow -- it takes quite a while to get all the ESS keys fired up and ready.
Software-based encryption (PGP, gpg, and others) is "good enough" for most, and more portable between machines.
I installed it and configured it three times, each more determined than the first, and never really got value from it.
I'd like to use ESS/TPM to verify my boot loader and kernel against tampering, just because that would be cool. Once that's done, I can trust Linux's own encryption which is a lot faster and more configurable.
-
thoughtdifferent
- Posts: 12
- Joined: Tue Aug 23, 2005 11:15 pm
Bummer. Good thing I didn't buy the computer for the fingerprint reader... At least I can log in with my fingerprint. Everyone seems to think that's pretty cool. One of my friends even called my ThinkPad a "Spy Computer".
Fingerprint reader aside, does the rest of the ESS do anything unless I set it up? Does encryption that is normally handled via software get transferred over to the chip?
Maybe after I get back from vacation I'll give IBM a call and see what they can do for me. (I'm stubborn too).
Thanks for the reply Ground Loop - I was starting to think I was talking to myself.
T42 2379 F1U
-
Ground Loop
- Sophomore Member
- Posts: 174
- Joined: Sun Jul 10, 2005 2:19 am
As near as I can tell, the FingerPrint reader and ESS are totally separate hardware, and potentially separate software.
The FingerPrint reader sits on the USB bus, while the ESS/TPM module is on the LPC bus (low pin count?).
You can disable the ESS in the BIOS and the fingerprint power-on and WinXP Logon work just fine. So there's the default WinXP logon screen, the ThinkPad FP logon screen, and the ESS logon screen -- all different with different stuff behind the scenes.
I uninstalled the ESS software, and nothing changed -- still just the IBM logon (with FP support).
I know ESS can tie into the fingerprint reader, and use the fingerprint as an authentication token in addition to (instead of?) the user password.
The ESS software, when installed in Simpleton mode, can be used to encrypt files and folders. I think that's all it does. I thought it could encrypt web passwords, but apparently that's only supported under IE, and not entirely there either. There is some tie-in to the "UVM", but I really don't understand it. The FingerPrint scanner has a server running that keeps a virtual token. I think ESS might replace parts of that when it is installed and running -- or it just uses the virtual token, not sure.
ESS is really slow... I spent a lot of time watching the blue progress bar rotate.
I don't know what to make of it. On the one hand, I've read the white papers and believe that IBM has crafted a really bullet-proof key storage and crypto system. On the other hand, I can't see what value it brings me here in a Windows desktop.
I'd love to use the Random Number Generator under Linux, but alas, neither the ESS RNG nor the Intel chipset RNG is supported -- and that's the most basic start of good encryption. Bummer.
If I could use the ESS as general storage for small bits of my own encrypted data (keys), that would be cool. Doesn't appear to work that way, though.
With the version of ESS you're using (5.4x) the behavior you're encountering is normal. The fingerprint profiles are stored differently than ESS data. You can log in with just the fingerprint by using the fingerprint GINA, as you're doing now.
However, the first time you attempt to use an ESS-based app, like password manager or right-click encryption, this is also the first time the software is actually retrieving ESS data. For added security, regardless of your security policy within the administrator utility, the first time ESS data is accessed, you'll be asked for your password. After that, it's strictly dictated by your policy. Hence, the first time you use password manager, you have to supply your ESS password. Each subsequent use, just your fingerprint will suffice.
This doesn't apply to the first time each individual app is used, just the first time ESS data is retrieved. For example, if you log on with your fingerprint, then right-click encrypt a file, you'll be asked for your password. If you then use password manager, your fingerprint alone will be all that's required.
Hope this info helps.
-Mephie
2373-Q1U / 2525-6NU



