Microcrypt Technologies Ltd.

Pre-Boot Authenticator

One of the challenges of information security in modern computing systems is the protection of workstations against unauthorized access. An attacker seeking access to your workstation may aim to violate your privacy (a passive attack) or to deliberately modify or forge your information (an active attack). A special case of an active attack (tampering) is the deliberate injection of malicious software into the victim machine. Such software is typically used for covert collection of confidential information or even full control of the "infected" machine.

As a rule, an operating system (OS) protects a PC against unauthorized access when somebody attempts to log in interactively or remotely, as well as against "intrusion" at the network level. However, apart from threats that arise while the workstation is running (when the OS is loaded), there is often a risk that an attacker gains access to the boot drive. In that case the attacker is able to carry out both passive and active tampering. To protect against this class of threats, encryption of the logical partitions of the HDD (or SSD) is usually used. But if the OS is booted directly from the internal (even encrypted) drive, the threat of active unauthorized access remains, especially if the attacker has potential access to your boot drive. The only way to protect against such a threat is a drive encryption solution that is launched from external trusted media and initiates the OS boot only after successful user validation and integrity control of the boot subsystem.

«Pre-Boot Authenticator» is a combined software and hardware system for user authentication before the OS boots. It can be used for booting from an internal or a removable drive. The complex provides two-factor user authentication based on an individual key carrier (smart card or USB-token) and password protection. Using a hardware key carrier (with a limited number of attempts) reduces the "complexity" requirements on the password that the user has to memorize and improves the "reliability" of the randomly generated keys used for decryption and integrity control.

The system can be configured to work with one or more operating systems. The behavior in the absence of an attached key carrier or after entering a wrong password is configurable: booting of the workstation can either be prohibited entirely, or the default OS may be loaded instead of the main (protected) one.
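The following is an added model, not Microcrypt's own code, of the two-factor check and the configurable fallback described above: a key carrier that blocks itself after a few wrong PINs, a password as the second factor, an integrity tag over the boot subsystem, and a policy that decides between halting and loading the default OS. The PIN limit, the key derivation and the HMAC tag are assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

PIN_LIMIT = 3  # wrong-PIN budget enforced inside the carrier, not by the host


@dataclass
class KeyCarrier:
    """Smart card / USB-token model: releases its secret only for the right PIN and
    blocks itself after PIN_LIMIT wrong tries (constructed, not a real card API)."""
    pin: str
    secret: bytes
    attempts_left: int = PIN_LIMIT

    def release_secret(self, pin_try: str):
        if self.attempts_left == 0:
            return None  # blocked: further PIN guesses gain nothing
        if not hmac.compare_digest(pin_try.encode(), self.pin.encode()):
            self.attempts_left -= 1
            return None
        self.attempts_left = PIN_LIMIT
        return self.secret


def password_key(password: str) -> bytes:
    # Second factor; the carrier's retry limit is what lets this stay memorisable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"pba-salt", 100_000)


def enroll(carrier: KeyCarrier, password: str, boot_image: bytes) -> dict:
    """Values the loader stores on the (untrusted) drive at installation time."""
    pw = password_key(password)
    key = hashlib.sha256(carrier.secret + pw).digest()
    return {"verifier": hmac.new(carrier.secret, pw, "sha256").digest(),
            "boot_tag": hmac.new(key, boot_image, "sha256").digest()}


def pre_boot(carrier, pin, password, boot_image, stored, policy) -> str:
    """Decide the loader's action: 'boot_protected', 'boot_default' or 'halt'."""
    fallback = "boot_default" if policy == "default_os" else "halt"
    if carrier is None:
        return fallback  # no key carrier attached
    secret = carrier.release_secret(pin)
    if secret is None:
        return fallback  # wrong PIN or blocked carrier
    pw = password_key(password)
    if not hmac.compare_digest(hmac.new(secret, pw, "sha256").digest(), stored["verifier"]):
        return fallback  # wrong password: the configured behaviour applies
    key = hashlib.sha256(secret + pw).digest()
    tag = hmac.new(key, boot_image, "sha256").digest()
    if not hmac.compare_digest(tag, stored["boot_tag"]):
        return "halt"  # boot subsystem modified: refuse even when a default OS exists
    return "boot_protected"
```

Note that a failed integrity check never falls through to the default OS: the fallback policy covers only a missing carrier or a bad credential, not a tampered boot subsystem.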

The complex supports the following active key carriers:

  • Smart card / USB-token of «GOST Key Keeper» system;
  • Multifunctional smart card «Social Card»;
  • Other smart cards / USB-tokens powered by OS: JavaCard, ACOS, UkrCOS (on request).

At the customer's request, the list of supported key carriers can be expanded with additional models, and the complex can be integrated with third-party encryption solutions.