Security on the go
CryptCard and GlobalAdmin provide comprehensive security for mobile products
- By Michelle Speir
- Jun 17, 2002
It's no surprise that security products for mobile computing are hotter than ever. Agencies today are well versed in the problems that come with lost personal digital assistants and notebook computers, especially when stolen data is involved.
The good news is that because of the cutthroat competition, vendors are seeking ways to distinguish themselves in the market by introducing new and improved tools that offer more sophisticated protection for mobile products, along with enhanced user convenience.
One such product is the latest version of Global Technologies Group Inc.'s CryptCard, a PC Card that protects information on notebooks using high-speed encryption and password access control.
When we reviewed this product in 1999, it sold as a stand-alone card with an optional database utility called CCAdmin ("CryptCard: Tight security for the mobile workforce," Oct. 4, 1999).
The latest version, however, is a package deal consisting of one or more CryptCards and a preconfigured, sealed desktop system that runs GlobalAdmin, a centralized administration and management package for the cards. The convenience of this setup is hard to beat: We simply plugged in the desktop system and GlobalAdmin was ready for immediate use.
The GlobalAdmin system is a Microsoft Corp. Windows NT workstation equipped with a PC Card reader. Administrators use this system to program, test and manage the CryptCards as well as create user accounts. Other functions include resetting passwords, generating reports and keeping inventory of the CryptCards by serial number. Also, the cards can be reset and reused, which is both convenient and economical. GlobalAdmin can also be used with smart cards, a function we did not test.
Down to Business
Before a CryptCard is ready to use, an administrator must set up a user account and program the card on the GlobalAdmin system. Then the user must install the card on a notebook.
The first step in readying a card for use is to create a database within GlobalAdmin that will store the information about each programmed card. The process is quick and easy, especially since the program can automatically generate the database backup key and the initial key for the CryptCards, which must be 28 and 14 characters long, respectively. You can also set the keys manually.
Next, the administrator chooses password options. The system offers smart choices, including the ability to block user-specified words from being used as passwords, such as the agency's name, the user's own name or something obvious like "password."
There is also an "erase password." When someone types the erase password at log-in, the entire CryptCard is erased and the keys discarded. To regain access to the notebook, the card must be reset and reprogrammed.
In some cases, the system will flag a too-obvious password on its own. When we tried to enter a password that differed from the user name by only one letter, we received a message telling us to choose another password.
After determining password options, administrators set up keys that enable users to exchange information via encrypted floppy disks. Creating and editing keys is simple, and you can create as many as you like.
The next step is to create key groups, which are sets of keys that can be assigned to users. Curiously, you must create them whether or not you have created keys. There is no limit to the number of key groups you can have, and each group can consist of any combination of keys. In other words, the same key can be part of multiple key groups. Users who share the same keys or key groups may exchange encrypted floppy disks.
Administrators must then create user groups, which is simply a matter of naming them. Examples could be "training group" or a department name. This way, users can be organized within the system logically.
The rights that can be assigned to a CryptCard user encompass many options, such as access to the notebook's serial and parallel ports, the ability to read from or write to a floppy disk, and the ability to boot from a floppy.
Encryption options include 56-bit Data Encryption Standard (DES); 112-bit DES; the Single Connector Attachment algorithm for low security and high performance; and 128-bit triple DES in Cipher Block Chaining (CBC) mode, the most secure of all. Advanced Encryption Standard will be available in the next release.
We liked GlobalAdmin's ability to create CryptCard profiles. A profile contains a set of rights, encryption options, key groups and user groups. When administrators program multiple cards, they can simply assign a profile to each card and all information is automatically added.
Once a user account is created, a CryptCard can be programmed. This is a simple process that only takes about 30 seconds. Simply insert a CryptCard into the GlobalAdmin system, choose a user and click the program button. You can also enter the card's serial number here for tracking.
If you forget how a card is programmed, you can insert it into the GlobalAdmin system and look up the information, but we think this process could be more intuitive.
Installing the card on a notebook is easy and straightforward. Our first test card was programmed for partial encryption using 112-bit DES CBC. It took only about five minutes to complete this process on a 40G hard drive, but the company does not recommend partial encryption because of security concerns. Full encryption takes much longer, but it's worth the wait, and it's only a one-time process.
The security performance is indeed impressive. The system requires the password even before Windows starts, and the user name cannot be changed. If the card is removed at any time, the notebook screen goes black and the machine becomes useless. During normal use, though, there is no difference in notebook operation.
Different users with different CryptCards can access the same notebook as long as they are programmed as group users within the same group and are assigned to the same key group.
We hit a couple of rough spots. The documentation, for one, is a bit uneven (see box). We also found many of the on-screen labels in the interface to be confusing. What's more, at least one bug-ridden field repeatedly returned an error message.
The Bottom Line
The CryptCard provides extremely tight security for notebook computers, provided that users remember to take the card with them when leaving the notebook unattended. Of course, if the card is left in the notebook and the computer is shut down, the password will still protect the system.
We liked the out-of-the-box functionality of the preconfigured system, although we were less than enthusiastic about the system's interface and documentation. Still, we think the core product is excellent. With some polishing of the software interface and the user manual, this diamond in the rough could truly shine.