We live in curious times. People are doing more things online than ever before. Many employees telecommute instead of driving to work. We communicate more often through email. As a result, life is much more convenient. For example, if I am not feeling well or am buried in the snow, I don’t have to choose between infecting my coworkers and tackling a giant pile of tasks that had to wait; instead, it will be business as usual, except I will be at home. I don’t have to hand-carry or use “snail mail” to send or receive sensitive documents anymore; I can get them where they need to be in seconds via email. I, for one, would not want to go back to the way things were. However, all of this convenience comes with a price: It opens the enterprise to additional security risks. In response to this, the industry has come up with some great solutions that companies use to mitigate these risks.
In order to be productive, telecommuting employees must be able to use network resources as if they were physically in the office. This means that all network traffic, including sensitive information, must travel over the internet where it might be snooped. In order to safely access company networks, enterprises set up Virtual Private Network (VPN) connections for their employees to use. VPN connections authenticate the user with a Public Key Infrastructure (PKI) key and login information, and then establish a secure, encrypted connection between the employee and the company network.
Email is a great way to communicate with people both inside and outside of your organization. It delivers almost instantly and you can attach files or documents. However, email can be insecure and email senders can be spoofed. For these reasons, when you send an email you can optionally sign and/or encrypt the email. When you sign an email, you use a PKI key to create a digital signature of the email which is verified by the receiver. This signature confirms to the recipient both that you are the person who sent the email and that the email has not been altered since you sent it. Your email client usually does this process in the background, and will notify you, loudly, if an email’s signature is invalid. Signing prevents an attacker from either sending you an email pretending to be someone you trust, or altering a message sent by someone you trust before it gets to you. Encrypting uses a PKI key to encrypt the email and any attachments, which are decrypted by the sender on the other end. It prevents anyone but who you send the email to from reading it.
The point of commonality between these solutions is the Public Key Infrastructure. PKI key pairs are made up of two parts: the public key and the private key. These two keys are mathematically related so that anything encrypted by the public key can only be decrypted by the private key and anything encrypted by the private key can only be decrypted by the public key. The public key is freely available to anyone who wants it. The private key is kept secret. The strength of this system lies in the fact that people don’t have to share private keys (which could be intercepted) to communicate securely. However, the system is only as secure as the private key. If the private key is compromised, the entire system breaks down. An attacker who steals a person’s private key can impersonate them (through false digital signatures), read their private documents (such as encrypted email), and any number of other equally disturbing things.
Many companies mitigate this risk by using smart cards to provide additional protection for the private key by separating the private keys and sensitive PKI operations from the operating system. Smart cards can store some data and process cryptographic operations on the card. Another security benefit is a second factor of authentication: “Something you have” (a smart card) and “Something you know” (a user PIN). Smart Cards do provide added security, but with added expense of a smart card for each employee and smart card readers for each computer. These cards must be replaced if employees lose them, break them, or run them through the washing machine. All in all, this system, while good, creates added expense and complexity for an organization.
Intel® Identity Protection Technology with public key infrastructure (or Intel® IPT with PKI), is a new product from Intel designed to enhance the security of PKI operations. It uses the Intel® Management Engine (or ME) available on 2012 Intel® vPro™ systems to protect the private key and perform sensitive PKI operations at the firmware level. Protecting the key this way prevents malware or other forms of attack from compromising the private key. You can think about it like a smart card built in to your computer; a smart card that you can’t leave in your pocket and put through the wash (unless you have really big pockets); a smart card that you probably won’t forget (at least not if you remembered your computer). Also, for companies that already use Intel® vPro™ systems and PKI certificates, no additional infrastructure is required, and you can use it out of the box.
Intel® IPT with PKI was designed from the ground up for ease of use. It integrates directly into Microsoft’s CryptoAPI, which is a mature interface for cryptographic operations in the Windows operating system. CryptoAPI is an extensible framework that uses plugins (called Cryptographic Service Providers, or CSPs) to do the actual cryptographic operations. Many applications are designed to work with CryptoAPI, and thus are able to support Intel® IPT with PKI with little to no changes to the program. As far as applications are concerned, Intel® IPT with PKI works the same way as Microsoft’s cryptographic service providers, but the real magic happens behind the scenes. Unlike Microsoft’s implementation, where PKI operations are done within Windows (where they can be snooped by malware), Intel® IPT with PKI works with the ME, which is a small, self-contained platform embedded in the chipset. This platform has an internal processor and some storage space—much like a smart card does—and is completely segregated from the operating system. All sensitive operations that involve the private key are performed at this level and are protected from hackers or malicious software that might try to steal the private key.
As a final security measure, PKI keys can optionally be PIN protected. When you try to use the key, you will be prompted to enter the PIN. This prevents someone from accessing your computer and using one of the Intel® IPT with PKI protected keys without your knowledge. This additional layer of security uses a product called Intel® IPT with protected transaction display, to render a PIN pad on the screen in such a way that the operating system cannot see it. Malicious software like screen scrapers will only see a black square in the area where the PIN pad is displayed. This is a new technology developed by Intel which makes use of Intel branded integrated graphics and Protected Audio Video Path (PAVP) to securely display a PIN pad to the screen. PAVP creates a secure connection from the graphics card to the monitor, bypassing the operating system entirely. It was originally developed to display high definition video from Blu-Ray disks while protecting them from being copied, but can also be used to make passwords secure from host based malware.
Below is a video that shows a Intel(R) IPT with PKI being used to sign an email in Outlook. It also demonstrates the protected transaction display.
Intel® IPT with protected transaction display works by reserving screen space with the operating system, then filling it with an encrypted image that was rendered in the ME. The user can see the image on the screen, but the operating system doesn’t know what is there. The result is that any attempt to snoop at what is on the screen (such as a malicious screen scraper, a hacker mirroring the user’s screen, or even a simple “Print Screen”) will see a black square instead of a protected pin pad. The two real screenshots below demonstrate the concept. The first image is what the user sees, and the second is what a hacker would see.
This is what the user sees. This screenshot was taken specifically using an IP/KVM connection
to a remote computer (essentially, a photograph of the moniter),
otherwise, the PIN-pad would not be visible.
This is what a hacker would see. Actual screenshot using Windows’ Print Screen button while the
Intel® IPT with protected transaction display window was on screen.
To protect against key-logging malware, the user interacts with Intel® IPT with protected transaction display via the mouse only, no keyboard input is accepted. The numbers zero through nine are arranged in a random order, and the user clicks the numbers that make up their PIN. Every time Intel® IPT with protected transaction display is used, the order of these numbers is randomized, making it unlikely that a hacker would guess a PIN simply by location. All of the processing is done in the hardware. This produces a PIN that was never exposed in the clear to the operating system or a hacker.
Over the course of development of IPT with PKI, the engineering team worked closely with Symantec, one of the leaders in managed PKI tools to integrate this product with their solution, The Symantec Managed PKI Service. The collaboration with Symantec allowed Intel® IPT with PKI to be tested with a live piece of software, one that is actually used by the target market. This sort of real-world exposure from day one was important to make sure we weren’t developing something that wouldn’t work or have value in the wild. Intel® IPT with PKI will be distributed with the next release of the Symantec Managed PKI Solution.
Intel® IPT with PKI and Intel® IPT with protected transaction display are two of the Intel® Identity Protection Technology family of products. Another product in this family is Intel® IPT with one-time password (OTP)—a system that uses the ME to provide secure two-factor authentication to websites, such as eBay or PayPal. On the Enterprise side of the fence, Intel® IPT with OTP can be used to make a company’s intranet more secure. By providing the same functionality as one-time password generating tokens issued to employees by enterprises (such as key fobs that periodically generate new passwords), Intel® IPT with OTP can provide the same security without the additional cost of managing and replacing those tokens. The one time passwords generated by OTP can be used in the enterprise environment to help secure access to company websites, VPN connections, and more. The Identity Protection Technology suite represents a collaborative effort between several groups within Intel. PC Client Architecture developed the common infrastructure used by the IPT family of products, the Chipset and SoC IP Group built the protected environment found on the ME, and Business Client Platform Division Engineering developed Intel® IPT with PKI.
It is ironic that while businesses are adopting cloud solutions, accommodating their employees’ needs to work anywhere on any device, the internet is simultaneously becoming more and more unsafe. There is really no such thing as privacy on the internet any more. Attackers are getting more skilled and focused and their tools more advanced. Private information (both business and personal) is now a commodity to be bought and sold to the highest bidder. The only way for an organization to be safe is to continually improve and upgrade their security systems and processes. Intel® Identity Protection Technology with public key infrastructure makes an organization more secure by pulling sensitive information out of the software in to tamper-resistant hardware and gives people the tools to better protect themselves.