How can digest authentication password be randomized and retrieved later?

When Intel released Intel SCS 7.0, the product was completely redesigned to become a simple Windows service: the web server and the Microsoft SQL Server dependency were removed. However, the innovation that Intel SCS 7.0 brings is not only in its software architecture, but also in how it is used to manage Intel® AMT systems.

An important concept embedded in SCS 7.0 is Unified Configuration, which allows you to define one deployment package that configures all Intel AMT versions in your network and selects the necessary configuration method for each AMT version, i.e. Host Based configuration for AMT 6.2 and beyond, and legacy mode (i.e. PKI or PSK) for older versions of AMT.

As you may note, Intel SCS 7.0 does not use a database to store AMT credentials, as previous generations did. So how can we retrieve the randomized password used for each AMT system?

Digest Master Password (DMP) is a method for deriving each AMT password from a single DMP, producing a unique password per device. The management console possessing the DMP attempts to connect to the Intel AMT device, which responds with a digest-challenge. As specified in RFC 2617, the digest-challenge contains a realm-value; on AMT this is a fixed value generated by the device using a high-entropy random-number generator, so in theory it is unique per platform. The management console concatenates the realm-value with the username of the digest account it wishes to access and calculates the HMAC-SHA256 of the resultant string, using the DMP as the HMAC key. Convert the HMAC-SHA256 output to BASE64 and, voilà, we have the password!

To make it easier to understand, let's put it in an equation:

Administrator password = BASE64 [HMAC-SHA256 (DMP, realm-value & username)]

Since the realm-value does not change for a given AMT device, this result is the same every time it is calculated, which is why no password database is needed.
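The derivation above, as an added worked example (this is not Intel's or SCS's own code): it parses the realm-value out of an RFC 2617 digest-challenge header, computes BASE64[HMAC-SHA256(DMP, realm-value & username)], and shows that the result is stable for one device but different for another realm or a rotated DMP. The sample challenge header, the realm string, the DMP value and the "admin" username are constructed for this example; the UTF-8 encoding of the inputs and the exact concatenation order (realm first, no separator) are assumptions, since the post does not state them.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample digest-challenge in RFC 2617 WWW-Authenticate form.
# The realm string is made up for this example; a real AMT device generates
# its own random realm-value once and keeps it fixed.
SAMPLE_CHALLENGE = (
    'Digest realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
    'nonce="c2FtcGxlLW5vbmNl", stale="false", qop="auth"'
)


def parse_realm(www_authenticate):
    """Extract the realm-value from a Digest challenge header.

    Only the realm is used for the DMP derivation. The nonce changes on
    every challenge and must not be fed into the HMAC, or the "password"
    would differ on every connection.
    """
    if not www_authenticate.startswith("Digest "):
        raise ValueError("not a Digest challenge")
    match = re.search(r'realm="([^"]*)"', www_authenticate)
    if match is None:
        raise ValueError("challenge carries no realm")
    return match.group(1)


def derive_amt_password(dmp, realm, username="admin"):
    """BASE64[HMAC-SHA256(DMP, realm-value & username)].

    Assumptions (not confirmed by the post): DMP, realm and username are
    UTF-8 encoded; the realm is placed before the username with no separator;
    the digest account is the default "admin" user.
    """
    message = (realm + username).encode("utf-8")
    mac = hmac.new(dmp.encode("utf-8"), message, hashlib.sha256).digest()
    # 32-byte SHA-256 output -> 44-character BASE64 string
    return base64.b64encode(mac).decode("ascii")


def password_for_challenge(dmp, www_authenticate, username="admin"):
    """Convenience wrapper: challenge header in, device password out."""
    return derive_amt_password(dmp, parse_realm(www_authenticate), username)


if __name__ == "__main__":
    dmp = "example-master-secret"  # constructed; a real DMP is a protected secret
    pw = password_for_challenge(dmp, SAMPLE_CHALLENGE)
    print("realm   :", parse_realm(SAMPLE_CHALLENGE))
    print("password:", pw)
    # Same device, same DMP -> same password every time.
    print("stable  :", pw == password_for_challenge(dmp, SAMPLE_CHALLENGE))
    # Another device (different realm) gets a different password.
    print("per-dev :", pw != derive_amt_password(dmp, "Digest:FEDCBA9876543210"))
    # Rotating the DMP changes every device password at once.
    print("rotated :", pw != password_for_challenge("new-master-secret", SAMPLE_CHALLENGE))
```

Note what the last check implies for operations: because every device password is a pure function of the DMP and a public realm-value sent in the clear in each challenge, the DMP itself must be protected as a master secret, and rotating it means every AMT device has to be re-provisioned with its newly derived password.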

The good news of this approach is that if you contract a third party to manage these devices, it is not necessary to give them access to your password database, nor to create replication strategies with your ITO: just share the DMP and that is enough for them to calculate the individual passwords.

The weakness of this approach is not so different from the "traditional" way: as with any good security procedure, you still have to change the DMP periodically, and consequently the password of each AMT device.

Best Regards!