You may recall that Intel Identity Protection with One Time Password (OTP) was first introduced last year. It was geared towards embedding hardware based OTP tokens into the platform. This year, the 3rd Generation Core vPro Processors aim to expand Intel IPT with two new features. They are:
- Intel IPT with Private Key Infrastructure (PKI)
- Intel IPT with Protected Transaction Display
For those that don't know, PKI is used for authentication, kind of like a user name and password. However, it uses certificates to authenticate a user. A certificate is kind of like your driver's license. It proves you are who you say you are. A certificate can identify a user, a computer, a document, software, and more. A certificate can also be used when encrypting information. One use for this is when connecting to a VPN. The VPN may ask you for a user name and password, and then may ask for a certificate. So, if someone else figured out your username and password, they still couldn't get in because they don't have your certificate. Other uses include document signing, email signing and encryption, and secure access to web applications.
Today, PKI is in wide use and comes in two flavors; hardware and software. If you've ever seen or used a Smart Card or another Hardware Security Module (HSM), that's hardware PKI. The certificates are stored on the card and the card does all certificate-related (crypto) operations. For software, certificates are stored on the computer and the CPU does all crypto operations through software.
OK, great, but how does Intel IPT with PKI fit into all this? Well, Intel IPT with PKI is essentially a HSM embedded in the platform. This provides the security of an HSM with the cost effectiveness and ease of use of software based certificate management. This is achieved by using the Intel Manageability Engine (ME) to perform all cryptographic operations. In this way, keys are never exposed to software running on the main CPU. Further, all certificates are tied to the platform on which they are created.
The ease of use of Intel IPT with PKI is achieved in a number of ways. First, since keys are tied to the PC hardware, the PC itself becomes part of the authentication scheme. Compare this to a smart card where each card has a cost, and may need to be replaced over time. Further, Intel IPT with PKI software is exposed as a Cryptographic Service Provider (CSP) via the Microsoft CryptoAPI software layer. In other words, software like Internet Explorer, Outlook, Anyconnect, and many more just work with Intel IPT with PKI, no changes required.
Intel® Identity Protection Technology (IPT) with Protected Transaction Display allows for secure PIN input. This is accomplished by allowing the ME to draw the input window and accept mouse clicks as input. In this way, software running on the main CPU does not have access to what is actually on the screen. However, the user can see it. Further, number keys on the PIN pad are randomized such that on ever PIN entry the mouse position will be different.
What the user sees:
What software on the CPU (E.G. process implanted by a hacker) sees:
Since certificates can be password protected, Intel IPT with PKI and Protected Transaction display can be coupled to offer the ultimate in certificate security.
We've partnered with Symantec to offer this feature through their Managed PKI Service. Check out this video to see an example of Intel IPT with PKI in action.