IBM security kit will make portable-PC thieves blue

Smart Card Security Kit

By John Breeden II

You could break IBM's Smart Card Security Kit in half with two fingers, yet it's stronger than a padlock at protecting data on a notebook computer.

The kit combines a password and 128-bit encryption with a credit card-sized token that slides into a reader for a Type II PC Card slot. No thief, not even an authorized user, can get to data on the hard drive or likely even boot up unless all the kit components are present and in working order.

Installation was harder than I expected, involving manual driver tweaks that vary with the operating system. I needed seven formatted floppy disks for the installation, an unusual and rather annoying requirement. Once I had resolved the minor hassles, however, the security kit gave excellent performance.

The smart token has a little gold chip at one end. When inserted into the reader, it verifies that the card is the right one for the system. The system then boots to a point just before the user gains access to Microsoft Windows. A screen prompts the user to insert the security token. It must stay in the slot; access cuts off whenever it is removed.

Next the user is prompted for a personal identification number of four, six or eight digits. The default is four, probably long enough to thwart all but a quite persistent, or lucky, thief.

If an incorrect PIN is entered seven times in a row, the reader permanently disables the card on the eighth try. IBM Corp.'s user license specifically notes that cards disabled in this manner are not replaceable under warranty. Anyone who tends to forget PINs needs to be wary of making too many tries.

Safe and sound

A thief who does not know about the strict warranty is going to be surprised to find no way to crack the notebook even with the right card in hand. The card carries a large message warning the notebook owner not to write the PIN on the back. Anyone who does so and then carries the card close to the notebook is essentially leaving the key in the car with a window rolled down.

A skilled hacker could theoretically get around the password and token security but would then run smack into the secondary security wall: Confidential files are locked with 128-bit encryption. To my knowledge, no one has managed to break 128-bit encryption. Maybe it could be done given a few years of supercomputer time.

IBM, in an effort to support forgetful users, has created a back door to the entire security system. This presents some concern to government buyers, though it would be much greater without the encryption wall. If you lose the card or it is stolen while in your wallet, but you still have the notebook, there is a way out.

The initial software installation creates an emergency disk that can bypass the safeguards. IBM recommends leaving this floppy with the systems administrator, far removed from the notebook. The problem is that it opens up a security hole that conceivably could be exploited by a skilled hacker.

In case of card loss, you can also order a new card from IBM, and the company promises overnight service.

A final, cosmetic security component comes in the form of a luggage tag for the notebook carrying case. The tag reads 'Smart card protected' in red letters. To me, it merely calls attention to something special about the computer.

I doubt that for $199 you'll find a more secure notebook security system. It might not keep a thief from grabbing your notebook. But the kit might well keep him from being able to fence it. Armed with this kit and some common sense, you'll have less to worry about when traveling.

Box Score A

Smart Card Security Kit

IBM Corp., Armonk, N.Y.;

tel. 800-772-2227

www.ibm.com

Price: $199

Pros and cons:

+ Compact token security system

+ File encryption for extra security

- Complex installation


Real-life requirements:

Windows 9x, free Type II PC Card slot, multiple floppy disks
