The future of authentication and transactions over the web (Part 1)

Banks and the payment industry have realized long ago that knowledge is not enough to confirm money transactions through the web. Even apparently strong techniques such as tokens and smartcards have been facing the challenge to deal with Malware and Hacker attacks. Then, to avoid blind signing, institutions have been appealing to external devices, which are likely to fail due to network flaws or challenging user experience.

However, since the second generation of Intel Core family (aka Sandy Bridge) a new security feature was introduced inside processors. I am talking about IPT (Indentity Protection Technology), created by Intel and integrated by companies like InfoSERVER/Tix11. This technology allows small applications to run inside processor, without Operating System (OS) interference. It means, that even if a Operating System  is infected with a virus or malware, the application that runs inside the processor will be isolated.

One of the first applications developed to run inside Sandy Bridge processors was the TOTP algorithm (RFC 6238), the same piece of code that runs inside bank tokens and is used to provide two-factor authentication (aka strong authentication) for sites. In fact, two-factor authentication had become an important topic nowadays, after so many important companies have been compromised by indentity theft problems. Google, Dropbox, Microsoft are among the most important players which have implemented strong authentication based on OTPs (One time passwords). These implementations relies in mobile tokens, software tokens and even sms tokens, with disposable passwords sent to mobile phones by messages. But even these implementations can suffer Man-in-the-middle attacks that can steal OTPs using malicious apps installed in mobile phones and computer operating systems. Also, the old and common hard tokens can have its OTPs stolen when an user is a victim of phishing. Thus, even with a strong authentication, security holes in the Operating Systems can be a threat to every kind of authentication and transaction over the Internet. In this environment, the only promising solution is in the hardware, inside the processor. This is what Intel have done with the introduction of IPT.

But maybe you are making a question: How can I get an OTP from processor and send it to a website? Well the quick answer is: Through Intel Management Engine Components. The complete answer is: Intel Management Engine Components is a bundle of software that enables special features present inside the Management Engine (ME), which is an engine which works integrated with Intel processor and Intel processor chipset. One of these special features is the IPT. One of the best ways to explain the purpose of Management Engine Components, is: It works as an interface, between ME and OS. Thus, is possible to develop applications which communicate with Management Engine Components and then request OTPs from processor, after that this same application can inject the OTP in a website.

With the understanding of how IPT works and how the IPT benefit (such as OTP generation) can be integrated with an common application, is possible to forsee a safer authentication/transactions methods which rely in safe code execution that occurs inside a processor.

This is what I would like to "say" today. In the next article I will give more details of the integration between browser based applications and IPT.

Additional Resources

Intel® Identity Protection Technology (Intel® IPT)

For more complete information about compiler optimizations, see our Optimization Notice.