Security Considerations

   The Intel AMT SDK samples based on WinHTTP do not implement a check for Kerberos Mutual Authentication. Although the WinHTTP library always queries Intel AMT for Kerberos Mutual Authentication support, the samples do not check the result, so the client never confirms from the Kerberos exchange that it is talking to the intended Intel AMT platform. Intel recommends using TLS Mutual Authentication in combination with Kerberos to compensate for this limitation: the client's validation of the platform's TLS certificate supplies the server-identity check that the samples omit.

   The replay cache mechanism implemented in the firmware stores the content of the decrypted client authenticator of each new SOAP request to prevent a possible replay attack of a Kerberos token. In some cases (for example, during stress testing), a SOAP request containing a valid Kerberos token will be rejected if the replay cache is full or if the cache was lost. Each time a new authenticator is received, the replay cache is purged of authenticators that are older than the maximum clock tolerance window (typically 5 min). The clock tolerance can be configured in Intel AMT.

   When a token is rejected because the cache is full, the SOAP request fails with an “HTTP 401 Unauthorized” response carrying the Kerberos error code KRB_ERR_GENERIC – “Replay cache is full; Try later”. A client should treat this as a transient condition and retry after a delay rather than as a credential failure.
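The following model of the replay cache behaviour described above is an added illustration, not Intel AMT firmware or SDK code. The cache capacity, the 5-minute window, the order in which the checks are applied, and the representation of an authenticator as (client, ctime, cusec) are assumptions; KRB_AP_ERR_REPEAT and KRB_AP_ERR_SKEW are the standard Kerberos error codes for a replayed and an out-of-window authenticator, which the page itself does not name.

```python
"""Model of a Kerberos replay cache with a clock-tolerance window.

Added illustration only; the real firmware's capacity, purge policy and
check ordering are not documented here and are assumed below.
"""
from dataclasses import dataclass, field

CLOCK_TOLERANCE_S = 300   # assumed default, matching the text's "typically 5 min"
CACHE_CAPACITY = 4        # assumed small capacity so that "cache full" is observable

FULL_ERROR = "KRB_ERR_GENERIC: Replay cache is full; Try later"


@dataclass(frozen=True)
class Authenticator:
    """The parts of a decrypted AP-REQ authenticator that identify a request."""
    client: str   # client principal, e.g. console@EXAMPLE.COM
    ctime: int    # client timestamp, seconds since the epoch
    cusec: int    # microseconds; distinguishes requests within one second


@dataclass
class ReplayCache:
    tolerance: int = CLOCK_TOLERANCE_S
    capacity: int = CACHE_CAPACITY
    entries: set = field(default_factory=set)

    def purge(self, now: int) -> None:
        """Drop authenticators outside the clock-tolerance window (done on every new authenticator)."""
        self.entries = {a for a in self.entries if abs(now - a.ctime) <= self.tolerance}

    def accept(self, auth: Authenticator, now: int):
        """Return (accepted, error). Check order is an assumption."""
        self.purge(now)
        if abs(now - auth.ctime) > self.tolerance:
            return False, "KRB_AP_ERR_SKEW"        # outside the window; never cached
        if auth in self.entries:
            return False, "KRB_AP_ERR_REPEAT"      # same authenticator seen before: replay
        if len(self.entries) >= self.capacity:
            return False, FULL_ERROR               # valid token, but nowhere to record it
        self.entries.add(auth)
        return True, None


def http_status(result) -> str:
    """Map the cache decision to the status line a SOAP client would see."""
    accepted, error = result
    return "HTTP 200 OK" if accepted else f"HTTP 401 Unauthorized ({error})"


def burst_scenario():
    """Constructed sequence: a burst that fills the cache, a replay, and recovery after the window."""
    cache = ReplayCache()
    base = 1_700_000_000
    burst = [cache.accept(Authenticator("console@EXAMPLE.COM", base, i), base) for i in range(5)]
    replay = cache.accept(Authenticator("console@EXAMPLE.COM", base, 0), base + 10)
    # 400 s later every cached authenticator is outside the window and gets purged.
    later = cache.accept(Authenticator("console@EXAMPLE.COM", base + 400, 0), base + 400)
    stale = cache.accept(Authenticator("console@EXAMPLE.COM", base, 7), base + 400)
    return burst, replay, later, stale


if __name__ == "__main__":
    burst, replay, later, stale = burst_scenario()
    for r in burst + [replay, later, stale]:
        print(http_status(r))
```

The fifth request in the burst is rejected with the "Replay cache is full" error even though its token is valid, which is exactly the stress-test symptom the text describes; the caller should back off and resend. A replayed authenticator is rejected as a repeat regardless of cache occupancy, and an authenticator older than the tolerance window is rejected for skew rather than being cached.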

   Some Active Directory configurations enable an optional client IP address field in the ticket that allows a server to guarantee that the ticket is used from a specific address only. The Intel AMT firmware does not check this optional field when validating the ticket. This was a design decision: checking the IP address would likely cause failures in environments that use Network Address Translation (NAT), and it provides only minimal additional security, since source IP addresses are easily spoofed.

   Intel AMT does not check the Kerberos key version number (kvno) it holds against the version number carried in a Kerberos ticket. Active Directory increments the version number each time the AMT object password is updated. The management application that requested the password update then updates the Intel AMT platform with a call to the WS-Management method AMT_KerberosSettingData.Put; two of the parameters of this method are the master key, which is derived from the AMT object password, and the key version. Because the firmware keeps only the current key and does not retain keys for previous password versions, any client that presents a ticket issued under the previous password will now fail to authenticate, even if that ticket has not yet expired. Client applications should therefore request a new ticket when a connection fails, since the failure may be due to an unexpired ticket that no longer matches the updated password.
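The following is an added toy model of the password rotation flow and the client-side recovery just described; it is not Intel AMT firmware, SDK, or Active Directory code. The PBKDF2 key derivation stands in for the Kerberos string-to-key function, an HMAC tag stands in for the ticket's encryption under the service key, and the method and class names (kerberos_settings_put, KDC, AmtFirmware, Client) are assumptions chosen to mirror the prose, not the real WS-Management or Kerberos wire format.

```python
"""Toy model: password (kvno) rotation on the AMT object versus cached tickets.

Added illustration only. Key derivation, the MAC-based ticket stand-in and
all class/method names are assumptions, not Intel's or Kerberos' real formats.
"""
import hashlib
import hmac

REALM = "EXAMPLE.COM"
AMT_PRINCIPAL = "HTTP/amt-host.example.com"


def master_key_from_password(password: str) -> bytes:
    # Assumption: stand-in for Kerberos string-to-key; salt and iterations differ in reality.
    salt = (REALM + AMT_PRINCIPAL).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)


class KDC:
    """Active Directory side: holds the AMT object's current key and its kvno."""
    def __init__(self, password: str):
        self.kvno = 1
        self.key = master_key_from_password(password)

    def set_password(self, new_password: str) -> None:
        self.kvno += 1                     # AD increments kvno on every password update
        self.key = master_key_from_password(new_password)

    def issue_ticket(self, client: str) -> dict:
        body = f"{client}|{AMT_PRINCIPAL}|kvno={self.kvno}".encode()
        tag = hmac.new(self.key, body, "sha256").digest()   # stands in for encryption under the service key
        return {"kvno": self.kvno, "body": body, "tag": tag}


class AmtFirmware:
    """Intel AMT side: stores only the current master key and key version."""
    def __init__(self, master_key: bytes, key_version: int):
        self.kerberos_settings_put(master_key, key_version)

    def kerberos_settings_put(self, master_key: bytes, key_version: int) -> None:
        # Models AMT_KerberosSettingData.Put: the previous key is not retained.
        self.key, self.kvno = master_key, key_version

    def authenticate(self, ticket: dict) -> bool:
        # Documented behaviour: ticket["kvno"] is never compared with self.kvno.
        # The ticket is simply verified with whatever key is current.
        expected = hmac.new(self.key, ticket["body"], "sha256").digest()
        return hmac.compare_digest(expected, ticket["tag"])


class Client:
    """Management console that caches its service ticket and refreshes it on failure."""
    def __init__(self, kdc: KDC, name: str):
        self.kdc, self.name, self.ticket = kdc, name, None

    def connect(self, amt: AmtFirmware) -> str:
        if self.ticket is None:
            self.ticket = self.kdc.issue_ticket(self.name)
        if amt.authenticate(self.ticket):
            return "OK"
        # An unexpired ticket was refused: discard it and request a fresh one once.
        self.ticket = self.kdc.issue_ticket(self.name)
        return "OK" if amt.authenticate(self.ticket) else "HTTP 401 Unauthorized"


def rotate_password(kdc: KDC, amt: AmtFirmware, new_password: str) -> None:
    """Management application: update the AD object, then push key + kvno to AMT."""
    kdc.set_password(new_password)
    amt.kerberos_settings_put(kdc.key, kdc.kvno)


def rotation_scenario():
    """Constructed run: connect, rotate the password, observe the stale ticket fail, recover."""
    kdc = KDC("initial-password")
    amt = AmtFirmware(kdc.key, kdc.kvno)
    client = Client(kdc, f"console@{REALM}")
    first = client.connect(amt)
    old_ticket = client.ticket
    rotate_password(kdc, amt, "rotated-password")
    stale_accepted = amt.authenticate(old_ticket)   # unexpired, but under the old password
    second = client.connect(amt)                    # refreshes the ticket and succeeds
    return first, stale_accepted, second, old_ticket["kvno"], client.ticket["kvno"]


if __name__ == "__main__":
    print(rotation_scenario())
```

The stale ticket is refused although it has not expired, and its kvno (1) differs from the version the firmware now holds (2) without the firmware ever looking at that field; the rejection comes purely from verification under the new key. A client that caches tickets and does not re-request one on failure would keep failing until its cached ticket expired.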

See Also:

   Refreshing Expired Tickets

   Notes and Limitations

Copyright © 2006-2013, Intel Corporation. All rights reserved.