Intel® Identity Protection Technology (Intel® IPT) provides a more secure environment for the RSA SecurID* software token.
This paper presents an overview of the token provider for EMC’s RSA SecurID* software token implemented using Intel® Identity Protection Technology (Intel® IPT) with public key infrastructure (PKI). Intel IPT with PKI provides hardware-enhanced protection of RSA cryptographic keys in specific Intel® Core™ vPro™ processor-powered systems. The token provider for EMC’s RSA SecurID based on Intel IPT provides hardware-enhanced protection of the RSA token seed by using Intel IPT with PKI cryptographic functions to encrypt and sign the token seed. This signed and encrypted token seed is used by the RSA SecurID software token to generate the OTP token. The token provider based on Intel IPT adds a further layer of protection to the RSA OTP solution. This whitepaper explains how the Intel IPT with PKI hardware-enhanced cryptographic functions are used to provide a more secure environment for the RSA SecurID software token.
Intel Core vPro processor technology addresses many IT security and platform management needs through its broad set of security, manageability, and productivity-enhancing capabilities. This technology is built into the new Intel Core vPro processor family, some smaller form-factor devices based on the Intel® Atom™ processor, and some Intel® Xeon® processors.
Among the notable security features included in Intel Core vPro processor platforms is the Intel Identity Protection Technology described in the next chapter. Additional features found on Intel Core vPro processor platforms and platforms based on the 4th generation Intel Atom processor for business include:
To find out more about the features included in Intel Core vPro processor platforms, visit http://intel.com/vpro.
Intel IPT with PKI uses the Intel® Management Engine (Intel® ME) in specific Intel Core vPro processor-powered systems to provide a hardware-based security capability. Intel IPT with PKI provides hardware-enhanced protection of 1024-bit and 2048-bit RSA asymmetric keys. The Intel IPT with PKI capability is exposed as a crypto service provider (CSP) via the Microsoft CryptoAPI* software layer. Software that supports the use of cryptographic features through CryptoAPI can use Intel IPT with PKI to:
Both the RSA key pair and the PKI certificates generated by Intel IPT with PKI are stored on the hard drive. The RSA keys are first wrapped inside the hardware with the platform binding key (PBK) before being stored on the hard drive. The PBK is unique to each platform using Intel IPT with PKI and cannot be exported from the Intel ME. When the RSA key is needed, it must be brought back into the Intel ME to be unwrapped.
The hardware enhancements of Intel IPT with PKI focus on RSA private key protection, but the installed CSP can also be used for any algorithm typically supported by software-based CSPs. Non-RSA operations are performed in software and provide the same level of protection as the existing software-based CSPs shipped with Microsoft Windows 7 and above. Applications based on CryptoAPI should be able to use Intel IPT with PKI transparently and gain the benefits of enhanced private key protection with little, if any, modification.
The RSA keys and certificates created by Intel IPT with PKI support existing PKI usage models. Some typical usage scenarios include:
Intel IPT with PKI provides a PC-embedded second factor of authentication to validate legitimate users in an enterprise. Compared to a hardware security module, external reader, or a TPM, Intel IPT with PKI can be less expensive and easier to deploy. Compared to a software-based cryptographic product, Intel IPT with PKI is generally more secure. Intel IPT with PKI provides a good balance between security, ease of deployment, and cost.
RSA SecurID software tokens use the same algorithm (AES-128) as RSA SecurID hardware tokens while eliminating the need for users to carry dedicated hardware key fob devices. Instead of being stored in hardware, the symmetric key is securely safeguarded utilizing Intel IPT with PKI. RSA SecurID software authenticators reduce the number of items a user has to manage for safer and more secure access to corporate assets. Software tokens can help the enterprise cost-effectively manage secure access to information and streamline the workflow for distributing and managing two-factor authentication for a global work force. Additionally, software tokens can be revoked and recovered when someone leaves the company or loses a device, eliminating the need to replace tokens.
The Intel IPT-based token provider provides two functions: 1) the initial encryption, signing, and storage of the token seed using a platform binding key when it is provisioned to the system, and 2) the signature validation, decryption, and calculation of the OTP token.
Provisioning the RSA SecurID software token involves the following functions:
Figure 1 – Token Seed Provisioning Architecture
Figure 2 – The Token Storage Devices screen
RSA SecurID software OTP token generation involves the following functions:
Figure 3 – Using the hardware-protected token seed to generate the OTP token
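The two token provider functions described above, modelled as an added example (not Intel's or RSA's code): an RSA key stands in for the Intel ME-held platform key and never leaves its struct, provisioning is RSA-OAEP encryption of the seed plus an RSA-PSS signature over the ciphertext, and the OTP-time path verifies the signature before it decrypts. The key, the OAEP/PSS choice and the on-disk blob layout are assumptions of this model; a blob altered on disk or presented to a different platform key is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// PlatformKey models the RSA key held inside the Intel ME (an assumption of this
// example): the private half never leaves the struct, callers get Provision/Unprotect.
type PlatformKey struct{ priv *rsa.PrivateKey }

// ProtectedSeed is the blob the token provider keeps on the hard drive.
type ProtectedSeed struct{ Wrapped, Sig []byte }

func NewPlatformKey() (*PlatformKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &PlatformKey{priv: k}, nil
}

// Provision encrypts the 16-byte AES-128 seed with RSA-OAEP and signs the
// ciphertext with RSA-PSS (token provider function 1).
func (p *PlatformKey) Provision(seed []byte) (*ProtectedSeed, error) {
	if len(seed) != 16 {
		return nil, errors.New("seed must be 16 bytes (AES-128)")
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &p.priv.PublicKey, seed, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(wrapped)
	sig, err := rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, h[:], nil)
	return &ProtectedSeed{Wrapped: wrapped, Sig: sig}, err
}

// Unprotect verifies the signature before decrypting, so a blob altered on disk
// or bound to another platform is rejected instead of reaching the OTP step (function 2).
func (p *PlatformKey) Unprotect(ps *ProtectedSeed) ([]byte, error) {
	h := sha256.Sum256(ps.Wrapped)
	if err := rsa.VerifyPSS(&p.priv.PublicKey, crypto.SHA256, h[:], ps.Sig, nil); err != nil {
		return nil, errors.New("seed blob signature invalid, refusing to decrypt")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ps.Wrapped, nil)
}
```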
The token provider for EMC’s RSA SecurID software token based on Intel IPT provides hardware-enhanced protection of the RSA token seed by using Intel IPT with PKI cryptographic functions to encrypt and sign the RSA SecurID software token seed and bind it to the specific Intel platform.
For more information on Intel IPT with PKI and protected transaction display visit: