As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
A key component of almost every information handling system is the basic input/output system (BIOS). A BIOS may be a system, device, or apparatus configured to identify, test, and/or initialize one or more information handling resources of an information handling system, typically during boot up or power on of an information handling system. A BIOS may include boot firmware configured to be the first code executed by a processor of an information handling system when the information handling system is booted and/or powered on. As part of its initialization functionality, BIOS code may be configured to set components of the information handling system into a known state, so that one or more applications (e.g., an operating system or other application programs) stored on compatible media may be executed by a processor and given control of the information handling system and its various components.
Oftentimes, various settings and parameters associated with a BIOS may be user-configurable, such that a user of an information handling system can configure or customize behavior of the BIOS and/or information handling resources of the information handling system. Because of its important role in the initialization of an information handling system, users often prefer to password-protect the BIOS to prevent unauthorized access to the various settings and parameters associated with a BIOS. Similarly, other information handling resources of an information handling system (e.g., storage media such as a hard disk drive) may also be password-protected to prevent unauthorized access to the information handling system, its various components, and/or data stored thereon.
However, because a person may forget a password established for a BIOS or other information handling resource, a password unlock mechanism may exist in order to allow a user to gain access to the information handling resource when authentication credentials are forgotten.
Presently, one approach to unlocking a password for an information handling resource is based upon a master password that is generated from a unique identifier “challenge” associated with the information handling resource (e.g., a serial number or service tag number of the information handling resource or the information handling system in which the information handling resource is disposed). In such an approach, a user may communicate the unique identifier to a vendor of the information handling resource (e.g., via telephone, e-mail, World Wide Web form submission, and/or other electronic method) along with information verifying the user's ownership of or authorization to use the information handling system and unlock the password (e.g., social security number, passphrase, birthdate, answer to challenge question, credit card number, or other personal data). Once user ownership or authorization is verified, the vendor may accept the unique identifier, apply a password-generation tool to the unique identifier to generate the master password for the information handling resource, and then communicate such master password to the user, who may input the master password in order to access the information handling resource.
The master password generation may be implemented by an algorithm that relies on a shared secret known to both the information handling resource and the vendor's master password generation tool. Such an algorithm may be used across many generations of information handling resources until it becomes compromised. Such an implementation suffers from at least two disadvantages.
First, the input to the master password generation algorithm is always the same for a given information handling resource. For example, a particular information handling system with a particular unique identifier (e.g., service tag) will always have the same BIOS master password. Once a user has requested and received the master password from a vendor, that same master password will always unlock the specific information handling resource. This deficiency allows attackers to create lists of master passwords based on unique identifiers (e.g., “rainbow tables”) in order to initiate attacks on information handling systems.
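The unlock exchange of the preceding paragraphs and its first deficiency, modelled as an added Python example that is not part of this document or of any vendor's tool. An HMAC over the service tag stands in for the unspecified vendor algorithm; the shared secret, the service tags and the password alphabet are constructed values.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Constructed values for this illustration only; no real vendor secret or format.
SHARED_SECRET = b"example-shared-secret-embedded-in-firmware"
PASSWORD_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, constructed


def master_password(service_tag: str, secret: bytes = SHARED_SECRET, length: int = 8) -> str:
    """Vendor-side generation tool: derive the master password from the unique identifier.

    The derivation is deterministic: the same tag with the same secret always yields
    the same password. An HMAC stands in for the unspecified real algorithm.
    """
    digest = hmac.new(secret, service_tag.strip().upper().encode(), hashlib.sha256).digest()
    return "".join(PASSWORD_ALPHABET[b % len(PASSWORD_ALPHABET)] for b in digest[:length])


def resource_accepts(service_tag: str, candidate: str) -> bool:
    """Resource-side check at boot: recompute with the embedded secret and compare."""
    return hmac.compare_digest(master_password(service_tag), candidate)


def vendor_unlock_flow(service_tag: str, ownership_verified: bool) -> Optional[str]:
    """The vendor issues the master password only after ownership is verified."""
    if not ownership_verified:
        return None
    return master_password(service_tag)


def unlock_is_static(service_tag: str, requests: int = 3) -> bool:
    """First deficiency: repeated requests for one tag return one password, and that
    password keeps working on every later boot, so the vendor's ownership check is
    only enforced on the first request."""
    issued = {vendor_unlock_flow(service_tag, True) for _ in range(requests)}
    return len(issued) == 1 and all(resource_accepts(service_tag, p) for p in issued)


def precomputed_table(service_tags: Iterable[str]) -> Dict[str, str]:
    """Because the identifier alone fixes the output, a list of identifiers maps directly
    to a list of master passwords (the "rainbow table" deficiency described above)."""
    return {tag: master_password(tag) for tag in service_tags}
```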
Second, the security of the master password hinges on the obscurity of the shared secret algorithm in the information handling resource. For example, because the BIOS exists on the motherboard and the algorithm must run at boot time to compute the master password for verification purposes, an attacker with access to an in-circuit emulator may snoop the processor and determine the algorithm. This deficiency allows a sufficiently skilled attacker to identify the algorithm and publish his or her findings publicly.