utimaco_sid800_v1_and_v2


Upload: wayne-roberts

Post on 10-Apr-2015


This solution currently does not support the latest revision of RSA SecurID 800 tokens, which is revision D.

RSA Secured Implementation Guide

Last Modified: January 22, 2009

Partner Information
Partner Name: Utimaco Safeware AG
Web Site: www.utimaco.com

Product Information
Product Name: SafeGuard© Easy
Version & Platform: 4.50.3

Product Description

SafeGuard© Easy is a sector-based hard disk encryption product combined with secure pre-boot user authentication. SafeGuard Easy© uses transparent encryption to protect the confidentiality of data stored on hard disks, floppy disks and removable media in a simple and effective manner. Different algorithms can be selected for encrypting different media; these include AES, Rijndael, XOR, STEALTH-40, IDEA, BLOWFISH, DES and 3DES. Pre-boot authentication can be performed either by user ID / password or optionally with a security token (2-factor authentication), such as the RSA SID800 token.

Product Category: Disk/File Encryption


Utimaco SafeGuard Easy


Solution Summary

SafeGuard© Easy uses the RSA Security SID800 Token to perform a two-factor pre-boot authentication, and to derive the disk (media) encryption key from data stored on the token.

For pre-boot authentication the token is accessed directly via low-level communication, without the use of any RSA middleware. Low-level communication is achieved by the implementation of the following two software components:

- Utimaco built and supported 16-bit real-mode CCID driver developed to support the “reader part” of the token.
- Utimaco developed interface to the SID800 “smartcard” via APDU (Application Protocol Data Unit) commands to access the private container applet.

Partner Integration Overview
RSA Certificate Manager Interoperability: n/a
Interoperable through RSA Authentication Client: Y
Interoperable through RSA Sign-On Manager: n/a
Pre-Boot Authentication: Y
If Pre-Boot, which tokens are supported? SID800


Product Configuration for Interoperability

Prerequisites

Interoperability between SGE 4.50.3 and the RSA SID800 is dependent on the successful application of the SafeGuard Easy Token Add-On RP. Please contact Utimaco for details on obtaining this release pack.

Installation of SGE 4.50.3 and RSA SID800 Support

Note: The following instructions are intended to prove interoperability and do not suggest optimum configuration. Please contact Utimaco for specific questions regarding enterprise deployment options.

Run the SafeGuard Easy setup program and use the following install options to allow users to authenticate with an RSA SID800 authenticator.

1. Select Next.


2. Select “Partitioned Mode” and “Next”.

3. When prompted, restart the PC and run the Utimaco Configuration File Wizard.

4. Under “General”, change the Token Logon option to “RSA SID800 Token”.

5. Under “General”, set Password at system start (PBA) to “Yes”.


6. Under “Encryption” set accordingly. For testing and proofs of concept it’s recommended you leave these settings “Not Configured”. They can be turned on once authentication is working correctly.

7. Leave user settings as is for now. You’ll be prompted for a password when you hit next. Enter the passwords for the System and User. Remember both passwords.


8. Select Install. Restart the PC when prompted.


9. Open the Utimaco administration console via the Start Menu.

10. Add a new user and assign a password to the account.

11. Save and exit the SafeGuard Easy Administrator.


Pre-Boot Authentication Process

During the next logon, you will be prompted for the Token Password first and then for a username and password. As this user is required to authenticate with a SecurID USB authenticator, you’ll see the following take place:

- The pre-boot application will ask you to provide the Token Password to unlock the SID800.
- The application will then ask for the username and password used when setting up the account within SafeGuard Easy Administration.

Subsequent logins will require that the user provide only the PIN to log on to the pre-boot environment, provided the token is inserted into the USB port.


Certification Checklist for 3rd Party Applications

Date Tested: Friday, July 02, 2010

Product | Operating System | Tested Version
RSA SID800 | N/A | v1 & v2 (1.43)
RSA Authentication Client | Windows XP SP2 | 2.01 and 3.01
SafeGuard© Easy | Windows XP SP2 | 4.50.3
SafeGuard© Easy Token Add-on | Windows XP SP2 | 4.50.3

Pre-boot Authentication | Result
SID800 (Combo Token) |

DRP = Pass = Fail N/A = Non-Available Function