
Digest Master Password

To protect against external attacks, the Admin user on each Intel AMT instance should have a unique password. To keep track of these passwords, a management console must maintain a database to map a device-unique identifier to the Intel AMT administrator password.

This creates difficulties when considering multiple applications managing the Intel AMT subsystem for different usages. Since every application maintains its own database, and the applications may be developed by separate software vendors, it becomes difficult to synchronize the administrator password for each device between the different applications.

To simplify this process, Intel recommends use of a Digest Master Password. The Intel AMT Digest Master Password (DMP) is a single password that is synchronized by the IT administrator among the various management software applications. The protocol described here defines a method for deriving the Intel AMT administrator password from the DMP that creates a unique password per device. Using this method, the software application does not need to maintain the password database. It simplifies using multiple applications from multiple vendors to manage the Intel AMT device.

The following snippet generates a Digest Master Password. You can execute this snippet by inserting it into the execution template found here.

function GenerateDMP
{
    # Key size in bits; the DMP is used as an HMAC-SHA256 key.
    $keysize = 128

    # Create random bytes from the cryptographic random-number generator.
    $randomNumberGenerator = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Get 16 random bytes (128 bits).
    $data = New-Object Byte[] ($keysize / 8)
    $randomNumberGenerator.GetBytes($data)

    # Encode the DMP as Base64 so that it can be stored and shared as text.
    $dmp = [Convert]::ToBase64String($data)
    return $dmp
}

Given that unique passwords were calculated for each platform based on a DMP, the following steps show how a console can calculate the password for a selected platform:

1.  The management console attempts to connect to the Intel AMT device, which would trigger the Intel AMT device to respond with a digest-challenge ([RFC2617]).

2.  The digest-challenge message contains a realm-value. This value is a fixed value generated by the Intel AMT device using a high-entropy random-number-generator, such that it is unique per device.

The following snippet recovers a platform realm value. You can execute this snippet by inserting it into the execution template found here.

function GetDigestRealm($hostName, [bool]$tls)
{
    # Send an unauthenticated request to the WS-Management endpoint. Intel AMT answers
    # with 401 Unauthorized and a digest challenge in the WWW-Authenticate header.
    $url = if ($tls -eq $true) { "https://" + $hostName + ":16993/wsman" } else { "http://" + $hostName + ":16992/wsman" }

    $webReq = [System.Net.HttpWebRequest]::Create($url)
    $webReq.Method = "GET"
    $webReq.ContentLength = 0

    try
    {
        # A successful response means no challenge was issued; nothing to recover.
        $response = $webReq.GetResponse()
        $response.Close()
    }
    catch [System.Net.WebException]
    {
        # A connection failure carries no response; only the 401 carries the challenge.
        if ($_.Exception.Response -eq $null) { throw $_ }

        # Find the authenticate header.
        $headers = $_.Exception.Response.Headers
        $value = $headers["WWW-Authenticate"]
        if ($value -eq $null) { throw "No WWW-Authenticate header in the response" }

        # Locate the digest realm string.
        $realm = 'Digest realm="'
        $start = $value.IndexOf($realm)
        if ($start -lt 0) { throw "No digest realm in the WWW-Authenticate header" }

        # Extract the text between the quotes that follow 'Digest realm='.
        $start += $realm.Length
        $end = $value.IndexOf('"', $start)
        return $value.Substring($start, $end - $start)
    }
}

3.  The management console converts the realm value to upper case and removes all white space.

4.  The console concatenates the realm-value and the username of the digest account it wishes to access.

5.  The management console calculates the HMAC-SHA256 value of the resultant string, using the DMP as the HMAC key ([SHA], [RFC2104]). This results in a 32-byte binary value.

6.  The management console calculates the BASE64 value of the 32-byte value generated at step 5 ([RFC4648]). This results in a 44-character string. This is the Intel AMT administrator password.

Administrator password = BASE64 (HMAC-SHA256 (DMP, realm-value & username)).

The following snippet computes an admin password. See the snippet after step 2, above, for the GetDigestRealm function. You can execute this snippet by inserting it into the execution template found here.

# Compute the admin password, based on the DMP (digest master password).
# The Administrator password formula: BASE64 (HMAC-SHA256 (DMP, realm-value & username)).
function ComputeAdminPassword($hostName, $dmp)
{
    # Step 2: recover the realm from the device's digest challenge.
    $realm = GetDigestRealm $hostName $false

    # Step 3: upper-case the realm and remove all white space.
    $realm = ($realm -replace '\s', '').ToUpper()

    # The DMP is shared as Base64 text; the decoded bytes are the HMAC key.
    $data = [Convert]::FromBase64String($dmp)

    # Create the HMAC-SHA256 service using the DMP as the key.
    $sha = New-Object System.Security.Cryptography.HMACSHA256
    $sha.Key = $data

    # Step 4: the realm-value followed by the username of the digest account.
    $hashString = $realm + "admin"

    # Step 5: HMAC-SHA256 over the ASCII bytes of the string gives a 32-byte value.
    $hash = $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($hashString))

    # Step 6: Base64-encode the 32 bytes. The 44-character result is the password;
    # it is case-sensitive, so it must be returned unchanged.
    $adminPassword = [Convert]::ToBase64String($hash)
    return $adminPassword
}

7.  Use the password either to set the admin password (see Set Admin User Information and Update Digest User), or to access Intel AMT using the computed value as the password.

Since the realm value does not change for a given Intel AMT device as long as the device remains configured, the calculation yields the same password every time it is performed for that device.

On the other hand, since the realm-value is unique per Intel AMT device with high probability, the resulting administrator password is also unique per device with high probability.
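As an added worked example (not code from the original page or from the Intel AMT SDK), the following Python carries steps 2 to 6 through on a constructed digest challenge and a constructed DMP, and adds a helper for the old/new DMP overlap described under Maintenance Considerations; the realm format, the sample values and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed sample values, not taken from a real device: a 16-byte DMP and a
# WWW-Authenticate header shaped like the digest challenge Intel AMT returns to an
# unauthenticated request on the /wsman endpoint (realm text is made up).
SAMPLE_DMP = base64.b64encode(bytes(range(16))).decode("ascii")
SAMPLE_CHALLENGE = ('Digest realm="Digest:0F7D 3A9B C1E2 4D55", '
                    'nonce="constructed-nonce", stale="false", qop="auth"')


def generate_dmp(nbytes: int = 16) -> str:
    """Make a fresh DMP: nbytes from the OS CSPRNG, shared as Base64 text."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def parse_digest_realm(www_authenticate: str) -> str:
    """Step 2: pull the realm-value out of the device's digest challenge."""
    match = re.search(r'Digest\s+realm="([^"]*)"', www_authenticate)
    if match is None:
        raise ValueError("no Digest realm in WWW-Authenticate header")
    return match.group(1)


def normalize_realm(realm: str) -> str:
    """Step 3: upper-case the realm-value and remove all white space."""
    return re.sub(r"\s+", "", realm).upper()


def derive_admin_password(dmp_b64: str, realm: str, username: str = "admin") -> str:
    """Steps 4-6: BASE64(HMAC-SHA256(key=DMP, realm-value || username))."""
    key = base64.b64decode(dmp_b64)
    message = (normalize_realm(realm) + username).encode("ascii")
    mac = hmac.new(key, message, hashlib.sha256).digest()  # 32 bytes
    return base64.b64encode(mac).decode("ascii")           # 44 chars, case-sensitive


def candidate_passwords(dmps: list, realm: str, username: str = "admin") -> list:
    """Rotation window: one candidate per DMP, newest first, so a console can try
    the new DMP and fall back to the old one until every device is reconfigured."""
    return [derive_admin_password(d, realm, username) for d in dmps]


if __name__ == "__main__":
    realm = parse_digest_realm(SAMPLE_CHALLENGE)
    print(realm, "->", derive_admin_password(SAMPLE_DMP, realm))
```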

Maintenance Considerations

Upon initial configuration, the DMP is selected, and a configuration application will configure each Intel AMT device with the calculated administrator password.

The DMP needs to be replaced from time to time. The replacement interval depends on the strength of the DMP and the specific IT policy.

When the DMP is replaced, each Intel AMT device needs to be reconfigured with the new administrator password derived from the new DMP. Since this process may take time, there is a period where some of the devices are configured with an administrator password derived from the old DMP, and some are configured with a password derived from the new DMP.

The management software must be able to accept and use both old and new DMPs for a certain period.

Copyright © 2006-2022, Intel Corporation. All rights reserved.