by Khalid Maklai, Software Applications Engineer
Intel® Identity Protection Technology (Intel® IPT) with Public Key Infrastructure (PKI) offers better hardware security by augmenting the features of Intel IPT and by increasing the protection of RSA cryptographic keys. It provides a hardware-based security solution similar to other hardware security modules, such as the smart card, but it can be managed through a software deployment rather than through a separate hardware security module. Intel IPT with PKI also uses Protected Transaction Display (PTD) to protect PKI certificates/RSA keys with a PIN. Intel IPT with PKI can only be used on systems that have the Intel® Management Engine (Intel® ME) and that have third generation or later Intel® Core™ i5 or i7 vPro™ processors or Intel®-based SoC processors.
Intel IPT with PKI software features are exposed as a Cryptographic Service Provider (CSP) via the Microsoft CryptoAPI software layer. Applications that already use the CryptoAPI libraries should be able to derive the benefits of Intel IPT with PKI with minimal modifications, because the key operations are routed to the hardware-backed provider rather than to a software CSP.
This paper focuses on writing apps that allow users to log on to a web page using SSL authentication and use PTD to enter PINs. Intel IPT with PKI enhances the security of the digital certificates issued from a web server by ensuring that the certificates are tied to the hardware device to which they were issued. PTD displays an input window that allows a user to securely enter a PIN via mouse clicks. This input window is rendered by the Intel ME, so the app running on the main CPU (and any other software on it) is unaware of its contents.
Figure 1. An SSL authentication scenario
The scenario shown in Figure 1 requires the web server to be configured with a Managed PKI service, which usually takes advantage of a (trusted) Certificate Authority and gives administrators greater control over issuing, renewing, revoking, and managing SSL certificates. Additionally, the certificate hosted by the web server has to be protected by Intel IPT with PKI and does not have to be self-signed.
The Protected Transaction Display (PTD) feature is shown in the following two figures. Figure 2 shows the PIN pad that is displayed by the Intel ME and that the end user sees on the screen. The positions of the number keys on the PIN pad are randomized every time this display is launched, so the mouse-click coordinates alone do not reveal the PIN.
Figure 2. PIN pad displayed by Intel® Management Engine
Figure 3 shows the same PIN pad as it would be perceived by any end-user software running on the CPU. In this view the PIN pad is completely blacked out, which prevents screen-scraping malware or other malicious software on the host from capturing the PIN.
Figure 3. PIN pad as perceived by software running on other accessories
As mentioned above, the client in this setup should be a third generation or later Intel Core i5 vPro or i7 vPro processor-based system or an Intel SoC-based system. It should have the Intel IPT with PKI software stack installed, along with a certificate that is approved for client authentication by the server. For PTD, the Intel® HD Graphics driver should also be installed.
Once properly set up, the client should be able to access the web server via most browsers, such as Internet Explorer* v9 or Chrome*. During the authentication process, the end user should be able to select a valid client authentication certificate and access the Microsoft Internet Information Services (IIS) site hosted by the server. Users with valid certificates issued by the Managed PKI on the server should be able to view this IIS page. This certificate must be signed by the root Certificate Authority you imported into the computer store on the web server.
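As an added example that is not part of the original paper, the following PowerShell script lets an administrator confirm, on a configured client, that each client-authentication certificate in the user's store is held by the expected CSP rather than by a software provider; the provider name used for the comparison is a placeholder assumption, not a value taken from the paper.

```powershell
# Added example (not from the original paper): inventory client-authentication
# certificates in the current user's store and report which key provider holds
# each private key, so that a certificate whose key is not behind the expected
# hardware-backed CSP can be spotted before it is used against the web server.
# ASSUMPTION: the provider name below is a placeholder; substitute the name that
# the installed Intel IPT with PKI software stack registers on the client.
$ExpectedProvider = 'PLACEHOLDER Intel IPT with PKI CSP'
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-KeyProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        # Legacy CAPI key: the provider name is exposed through the CSP container info.
        $capi = $Cert.PrivateKey
        if ($capi -and $capi.CspKeyContainerInfo) { return $capi.CspKeyContainerInfo.ProviderName }
    } catch { }
    try {
        # CNG key: obtain the RSA key object and read its key storage provider.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }
    } catch { }
    return 'unknown'
}

# Only certificates carrying the Client Authentication EKU are candidates for the SSL logon.
$report = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid } |
    ForEach-Object {
        $provider = Get-KeyProviderName $_
        [pscustomobject]@{
            Subject     = $_.Subject
            Issuer      = $_.Issuer      # should chain to the root CA imported on the web server
            NotAfter    = $_.NotAfter
            Provider    = $provider
            HardwareKey = ($provider -eq $ExpectedProvider)
        }
    }

$report | Format-Table -AutoSize

# Warn about any certificate that would authenticate from a software-held key.
$report | Where-Object { -not $_.HardwareKey } | ForEach-Object {
    Write-Warning "Client-auth cert '$($_.Subject)' is not held by the expected provider (found: $($_.Provider))."
}
```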
In this paper, you learned how to use Intel IPT with PKI services to protect RSA certificates when authenticating with a web server, and how to use PTD to protect PKI certificates/RSA keys with a PIN entered through the randomized PIN pad. By deploying an infrastructure like the one described in this paper, enterprises and businesses can use Intel IPT with PKI and Protected Transaction Display to increase security, decrease costs, and ease deployment issues.
About the author
Khalid Maklai is a member of the Intel Software and Solutions Group (Intel SSG), Developer Relations Division, High Touch Software Enabling team for the Intel® Atom™ Processor. Before joining Intel SSG, Khalid was responsible for leading and delivering the Intel Identity Protection Technology on Windows* for the PC Client Architecture Group.
No system can provide absolute security under all conditions. Requires an Intel® Identity Protection Technology-enabled system, including a second generation or higher Intel® Core™ processor-enabled chipset, firmware and software, and participating website. Consult your system manufacturer. Intel assumes no liability for lost or stolen data and/or systems or any resulting damages. For more information, visit http://ipt.intel.com.