Lenovo’s two-pronged approach to data security

Thorsten Stremlau

Monday 6 February 2017

Thorsten Stremlau, Lenovo’s WW Principal IT Architect, on how Lenovo uses both Intel Authenticate and SGX to take a belt-and-braces approach to data security.

The issue of data security has never been more pressing – both for companies and individuals. Here at Lenovo, we know how important it is to keep your information safe. That’s why we’re pioneering the use of two Intel technologies to ensure our platforms and systems are as secure as possible.

Software Guard Extensions (SGX) and Authenticate are both Intel technologies that feature in Lenovo’s current machines and will be integrated into future ones. If a Lenovo machine runs on Intel’s Skylake or Kaby Lake architecture, you know it will work with these technologies.

The idea behind SGX and Authenticate isn’t new, but the technology has only just caught up to allow them both to be realised. Basically, they provide a hardware-level security solution, which offers more protection than a software-based solution.

A hardware-based solution is more secure because it doesn’t allow a hacker to gain access to the system at the root level. If a hacker can do that, they can access everything on the system. These root attacks are very common because there are vulnerabilities that allow for ‘privilege escalation’. SGX and Authenticate can protect you from that kind of attack.

Taking AMT to the next level

The technology used by SGX and Authenticate is an expansion of Intel Active Management Technology (AMT). This is a tiny computer that runs within your device and is dedicated to tasks like systems management and security. When you turn your computer on or off, this little Intel AMT chip continues to run in the background, allowing you not only to keep securing the system but also to connect to it and perform all sorts of diagnostics.

Intel Authenticate: Locking your credentials

Authenticate is the first line of defence, protecting your credentials on the system by providing a lock mechanism within the AMT chip. This means credentials are stored in a secure enclave on the hardware itself. A system lacking AMT would store credentials on the HDD, or somewhere else accessible to anyone who gains root access.

Authenticate only releases credentials when certain criteria are met – for example, when you can prove you haven’t been compromised by entering a password. You can also implement multi-factor authentication, like a combination of password, biometric signature (such as a fingerprint) and smart card. That way you can prove who you say you are and that you haven’t been compromised. Corporations use Intel Authenticate to protect their virtual private network (VPN) solutions, as well as their login credentials to applications and confidential business data.

SGX: Removing the man in the middle

SGX is the backup defence and kicks in once credentials have been released. This is because once they have been passed on to the application, they’re still not secure. A hacker with root access or higher privilege access to the system can perform what’s known as a ‘man-in-the-middle attack’ and steal the credentials while they’re being used by the application – but not with SGX.

As soon as the credentials are released, the CPU generates a secure key within the AMT subsystem that encrypts the part of the memory dedicated to the application that processes the credentials. That way, even if the operating system or the application is compromised, the hacker can’t access the part of the app processing the credentials – that’s now happening in a secure enclave within the memory.

This bolsters security twofold. Not only must the user prove their identity in order for AMT to release the credentials, but the app must prove it hasn’t been modified by rogue software by running within the SGX enclave.

As an added benefit, it’s far more efficient than what most companies currently use, which is a virtualised operating system or virtualised application environment. These use a lot of resources, while SGX barely impacts a machine’s performance.

Where they’re used

SGX is useful in many different parts of an application. It can be used for anything dealing with confidential information, or for proving data hasn’t been modified in the time taken to transfer it from a device to your database. If the data must be confidential or you have to prove its integrity, SGX can help.

At Lenovo, we use SGX to further secure the fingerprint reader software in our systems. So once you authenticate using the fingerprint reader, the result is processed using SGX technology.

It’s key to remember that neither SGX nor Authenticate is bulletproof – every defence has the potential to be hacked. The goal of a good security solution, however, is to make it financially unviable for hackers to even try. Both Authenticate and SGX raise the bar and make it difficult for hackers to compromise a system.

