Detailed Description

Intel AMT uses the Transport Layer Security (TLS) protocol to provide endpoint authentication and communications privacy across a public network (see Intel AMT and Security Considerations).

The TLS protocol includes the following types of authentication:

   Server Authentication – Only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated. This means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom they are communicating.

   Mutual Authentication – The next level of security: both the server and the client are authenticated, so both ends of the “conversation” are sure with whom they are communicating.

When Intel AMT is configured for mutual authentication, it validates incoming client certificates against the configured root of trust.

Additionally, when configured to do so, Intel AMT can verify that the leaf certificate Common Name (CN) field of an incoming certificate matches a predefined FQDN suffix as an additional security check. See Change the Trusted FQDN Common Name for the steps used to provide Intel AMT the predefined suffixes.
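
The following is an added illustration of a CN suffix check of this kind, not Intel AMT firmware logic and not code from the SDK. It compares whole DNS labels, because a plain string-suffix test would also accept a name such as evilmgmt.example.com for the suffix mgmt.example.com. The function names, the treatment of an exact match as valid, and all sample names and suffixes are assumptions made for the example.

```python
# Added illustration, not Intel AMT firmware logic. Names and samples are constructed.

def leaf_common_name(subject):
    """Return the single commonName from a subject given as a tuple of RDNs
    (the shape ssl.SSLSocket.getpeercert() uses), or None if absent or ambiguous."""
    names = [value for rdn in subject for key, value in rdn if key == "commonName"]
    return names[0] if len(names) == 1 else None


def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, and split it into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def cn_matches_suffix(cn, suffix):
    """True if cn equals suffix or ends with it on a whole-label boundary."""
    cn_labels = _labels(cn)
    suffix_labels = _labels(suffix.strip().lstrip("."))
    if not cn_labels or not suffix_labels or "" in cn_labels + suffix_labels:
        return False  # empty name or empty label such as "a..b": fail closed
    return cn_labels[-len(suffix_labels):] == suffix_labels


def client_cert_allowed(subject, trusted_suffixes):
    """Apply the suffix check to the leaf certificate's CN; no CN means no match."""
    cn = leaf_common_name(subject)
    return cn is not None and any(cn_matches_suffix(cn, s) for s in trusted_suffixes)


def _subject(*cns):
    """Build a constructed sample subject with the given commonName values."""
    return ((("organizationName", "Example Corp"),),) + tuple(
        (("commonName", cn),) for cn in cns)


TRUSTED_SUFFIXES = ["mgmt.example.com"]  # constructed sample suffix

if __name__ == "__main__":
    for cns in (["console.mgmt.example.com"], ["evilmgmt.example.com"],
                ["mgmt.example.com.example.net"], []):
        print(cns, client_cert_allowed(_subject(*cns), TRUSTED_SUFFIXES))
```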

Most changes made via the AMT_TLSSettingData class are not applied until AMT_SetupAndConfigurationService.CommitChanges is invoked. An exception to this is changing the Trusted FQDN Common Name, where CommitChanges is not required.

End of Support of TLS 1.0 and TLS 1.1

In Intel AMT Release 12.0, support was added for TLS version 1.2 and support was removed for TLS version 1.0.

Starting from Intel CSME 15.0 firmware for desktops, and Intel CSME 16.0 firmware for all platforms, Intel has removed support for TLS 1.1. TLS 1.1 can no longer be used to connect to Intel AMT. Customers should use TLS 1.2.



See Also:

   Setup and Configuration Using PSK

   Setup and Configuration Using PKI

   Certificate Management

   Network Administration


Copyright © 2006-2022, Intel Corporation. All rights reserved.