Currently, the most common way people verify their digital identity is by using a password. Exceptions often times are found with online banking, where most use a second factor for authentication (e.g. OTP token or even a confirmation code sent to mobile phone), that is costly or inconvenient for user experience, but due to the weakness of password versus value at risk, this kind of approach is accepted and the costs justify the investment. However it is not reality for the vast majority of digital services. Passwords are used to sign in to your PC, webmail, social network, and lots of other places. There is a research conducted by Microsoft Research conducted with half million PC users showing that the average person typically has about 25 online accounts.Are you an average user? In fact, the data also shows that the number of unique passwords across those 25 accounts is only about 6, so around 4 passwords are reused across accounts. This is in addition to the tendency of websites to increase password complexities such as mixing lower case with upper case, special characters and numbers. Password reuse probably will increase among websites and cases like those described by Mat Honan (Wired writer) will become even more frequent.
Dealing with username and password leads to a set of interesting challenges. We all want the web to be easy and safe. However, having to remember a dozen of complex passwords generally isn’t easy, and is even harder for websites accessed less frequently. However, using the same easy-to-remember password across multiple sites isn’t safe. The ideal solution here involves somehow finding a way to make it both easy and safe to use all of your different digital identities.
As I already explained in this post in InformationWeek, on how to effectively managing identity in the cloud, I introduced Intel Identity Protection Technology and described about strategies adopted by online banking to increase security and how One Time Password (aka. OTP) as second factor authentication can be used to increase security. However, all these approaches, even those more sophisticated, are based on symmetric key and thereby not resistant against an active man-in-the-middle attack (e.g. phishing).
One alternative is public/private key pairs, i.e. based on Public Key Infrastructure (aka. PKI) – these are the most commonly used methods for protecting network traffic on the Internet today. PKI is based on an asymmetric key – the private key and the public key are different, so the public key should become public in a way proving that it belongs to user and not someone else. Also, the private key must be stored securely where only the user has access. With this method, the website sends a sign-in request to be signed by user’s private key and sent back to website that uses the user’s public key to confirm the user has a private key. So long as the private key is not compromised, this system is resistant against phishing and keylogging attacks. However this method is not widely used on the Internet today due to the high costs associated with having dedicated hardware to protect the private key such as Smart Cards and other associated logistics.
Intel IPT-PKI architecture
Intel Identity Protection Technology (aka. Intel IPT) with PKI uses the Intel Management Engine (aka. Intel ME) and 3rd generation Intel Core vPro processor based systems to provide a hardware-based security solution similar to that of other hardware security modules like Smart Cards. Unlike most hardware security modules, Intel IPT-PKI is designed to be managed as software but hardware resistant against tampering.
The hardware based security is achieved by using the Intel ME to perform all cryptographic operations. This way, the keys are never exposed to software running on the computer’s central processing unit (CPU). Furthermore, all certificates are tied to the platform on which they are created.
As you can see in this diagram, so long as the ME is part of chipset and tied with PC, the user’s PC becomes part of authentication process. Intel IPT-PKI as showed exposes his capabilities as a Cryptographic Service Provides (CSP) via Microsoft CryptoAPI software layer. IPT-PKI can be used to:
- Generate a persistent RSA key pair in hardware;
- Generate PKI certificates, that can be used to identify user possession and password knowledge;
- Perform operation with RSA private key;
- And protect key usage with PIN
Intel IPT-PKI can be used to enhance user identity on several applications such as SSL web site authentication, S/MIME with Microsoft Exchange Server/Outlook client or VPN authentication.
In order to avoid operating system attacks keylogging user’s PIN and replaying automatically this PIN in a MiTB attack, a second IPT building block, Intel IPT Protected Transaction Display (aka. IPT PDT) can be used to create a secure channel between user’s interfaces. (I.e. keyboard, mouse and video, in order that operation system is not able to hook, as I explained in this Brazilian bank case in a previous post.)
If you are looking on how to start using IPT-PKI and IPT-PDT, there is an excellent Use Case Reference Design that explains majority of scenarios and how to configure. The only requirement from client side is a Intel vPro machine with 3rd Core generation and Windows operating system homologated for this particular machine.