The following diagram provides the structure for the user level key:
[Figure 2. User Level Key Structure - Enroll User. Diagram labels: Trusted Platform Module; Storage Root Private Key / Storage Root Public Key; User Leaf Private Key / User Leaf Public Key; User Base Private Key / User Base Public Key; Windows PW AES Key; PW Manager AES Key; Encrypted via derived AES Key; User PW/PP; One-Way Hash (if passphrase, loop n times); User Base AES Protection Key (derived via output of hash algorithm); Auth.]
Background enrollment
Client Security Solution 8.21 supports background enrollment for user enrollment that is started automatically. The enrollment process runs in the background without displaying any notifications.
Note: Background enrollment is only available for user enrollment that is started automatically. For user enrollment that is started manually, from the Start menu or from Reset Security Settings, a dialog asking the user to wait for the user enrollment is still displayed.
A local administrator or domain administrator can also force the waiting dialog to be displayed by editing the following policy:
CSS_GUI_ALWAYS_SHOW_ENROLLMENT_PROCESSING
Or by editing the following registry key:
HKLM\software\policies\lenovo\clientsecuritysolution\GUIoptions\AlwaysShowEnrollmentProcessing
The default value of AlwaysShowEnrollmentProcessing is 0. When the above registry key is set to 0, the waiting dialog is not displayed for user enrollment started automatically. When this policy is set to 1, the waiting dialog will always be displayed during user enrollment regardless of how the enrollment is started.
Software emulation
To provide a consistent experience for the user whose computer does not have a TPM, CSS supports the TPM emulation mode.
The TPM emulation mode is a software-based root of trust. The same functionalities provided by the TPM, including digital signature, symmetric key decryption, RSA key import, protection, and random number generation, are available to the user, but with decreased security, because the root of trust consists of software-based keys.
20 Client Security Solution 8.21 Deployment Guide