Intel® IPT with PKI Technology Overview Page 1 of 26
Intel® Identity Protection Technology with PKI (Intel® IPT with PKI) Technology Overview
White Paper by Paul Carbin Rev 1.0, May 22 2012
Legal Notices and Disclaimers
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. 
The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm
No system can provide absolute security under all conditions. Requires an Intel® Identity Protection Technology-enabled system, including a 3rd gen Intel® Core™ processor enabled chipset, firmware and software, and participating website. Consult your system manufacturer. Intel® assumes no liability for lost or stolen data and/or systems or any resulting damages. For more information, visit http://ipt.intel.com.
Intel, the Intel® logo, Intel® vPro™, and Intel® Core, are trademarks of Intel® Corporation in the U.S. and/or other countries.
Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the U.S. and/or other countries.
* Other names and brands may be claimed as the property of others.
Copyright © 2012 Intel® Corporation. All rights reserved.
Table of Contents
1. Preface ............................................................................................................................................................. 4
1.1 Document Scope ............................................................................................................. 4
1.2 Document Organization ................................................................................................... 4
1.3 Intended Audience ........................................................................................................... 4
1.4 Related Links ................................................................................................................... 4
2. Introduction ....................................................................................................................................................... 5
2.1 Intel® IPT with PKI ........................................................................................................... 5
2.2 Protected Transaction Display ......................................................................................... 6
3. Architecture ...................................................................................................................................................... 9
3.1 Architecture Overview ...................................................................................................... 9
3.1.1 Solution Stack ................................................................................................................................... 9
3.1.2 Key and Certificate Storage ............................................................................................................ 12
3.1.3 How do applications use Intel® IPT with PKI? ............................................................................... 12
3.1.4 Third Party Software Vendors......................................................................................................... 13
4. Client Prerequisites and Infrastructure Requirements ................................................................................... 14
4.1 Client Prerequisites ........................................................................................................ 14
4.2 Infrastructure Requirements by Use Case .................................................................... 14
4.2.1 Infrastructure Requirements for SSL Authentication ...................................................................... 14
4.2.2 Infrastructure Requirements for Digitally Signing and Encrypting Email ........................................ 15
4.2.3 Infrastructure Requirements for VPN Authentication ..................................................................... 16
5. Use Cases for using Intel® IPT with PKI ....................................................................................................... 17
5.1 Securely Access a Website Using SSL Authentication ................................................. 18
5.2 Digitally Sign and Encrypt Email .................................................................................... 20
5.3 VPN Authentication ........................................................................................................ 22
5.3.1 Setup the Cisco VPN Client ............................................................................................................ 22
5.3.2 Setup the Juniper VPN Client ......................................................................................................... 23
6. Conclusion ...................................................................................................................................................... 26
1. Preface
Intel® Identity Protection Technology (Intel® IPT) is meant to augment security features that allow for user identification and encryption by adding a hardware layer of protection. Intel® IPT with Public Key Infrastructure (PKI) acts as a hardware security module, similar to a Smart Card. However, it is as easy to manage as software PKI deployments. Intel® IPT with protected transaction display further protects PKI certificates with a PIN code entry generated in Intel’s Protected Audio Video Path (PAVP) using Intel’s integrated graphics. Display and entry of the PIN code are handled by secure hardware, making PIN theft very difficult. This document provides an overview of Intel® IPT with PKI and protected transaction display and describes the most common use cases such as secure VPN login, email/document signing, and secure web access.
1.1 Document Scope
This document provides a technical overview of Intel® IPT with PKI and protected transaction display. It describes the capabilities of both technologies and provides the infrastructure and system requirement needed to implement the technologies.
1.2 Document Organization
Sections 2.1 and 2.2 describe the technical capabilities of Intel® IPT with PKI and Intel® IPT with protected transaction display respectively, and chapter 4 details the client and infrastructure requirements. Chapter 5 describes the use cases.
1.3 Intended Audience
This document is intended for Information Technology (IT) professionals who wish to learn about the capabilities of Intel® IPT with PKI and Protected Transaction Display.
1.4 Related Links
Intel® Identity Protection Technology: http://ipt.intel.com/welcome/protect-business-data.aspx
Intel® IPT with PKI Use Case Reference Design: http://ipt.intel.com/welcome/protect-business-data.aspx
PKI overview: http://en.wikipedia.org/wiki/Public_key_infrastructure
http://searchsecurity.techtarget.com/definition/PKI
2. Introduction
2.1 Intel® IPT with PKI
Intel® IPT with PKI uses the Intel® Management Engine (Intel® ME) and 3rd Generation Intel® Core™ i5 or i7 vPro™ processor-powered systems to provide a hardware based security solution. This solution provides enhanced protection of RSA cryptographic keys. The Intel® IPT with PKI software is exposed as a CSP via the Microsoft CryptoAPI software layer. Software that supports the use of cryptographic features through CryptoAPI can use Intel® IPT with PKI to:
- Securely generate tamper resistant, persistent RSA key pairs in hardware
- Generate PKI certificates from hardware protected RSA key pairs
- Perform RSA private key operations within a protected hardware environment
- Protect key usage via PINs that use the Intel® IPT with PKI protected transaction display
The hardware enhancements of Intel® IPT with PKI focus on enhanced RSA private key protection. However, the installed CSP can be used for any algorithms typically supported by software based CSPs. Non-RSA operations are performed in software, and provide the same level of protection as existing software based CSPs shipped with Microsoft Windows 7*. Applications based on CryptoAPI should be able to transparently use Intel® IPT with PKI, and derive the benefits of enhanced private key protection with little, if any, modification.
The RSA keys and certificates created by Intel® IPT with PKI support existing PKI usage models. Some typical usage scenarios include:
- VPN authentication
- Email and document signing
- SSL web site authentication
Intel® Identity Protection Technology with Public Key Infrastructure (Intel® IPT with PKI) includes a Cryptographic Service Provider (CSP) component. This CSP implements all Microsoft CryptoAPI* functions. These functions can be used in a variety of ways by any Windows 7 application requiring cryptographic features.
Care must be taken when configuring the CSP and calling the CryptoAPI functions. This paper explains the available options, and how to securely configure the CSP to take full advantage of all available enhanced security features.
This paper also outlines some of the physical capabilities and restrictions of the Intel® IPT with PKI technology that should be considered during the deployment design process. With this information, corporate IT departments can configure and deploy Intel® IPT with PKI to meet their organization’s security needs. This paper assumes general familiarity with the Microsoft CryptoAPI interface and capabilities. Additional information about the Microsoft CryptoAPI interface can be found at the site: http://technet.microsoft.com/en-us/library/cc962093.aspx.
Intel® IPT with PKI provides an embedded second factor of authentication in the PC to validate legitimate users to an enterprise. Compared to a hardware security module, a TPM, or a software-based cryptographic solution, Intel® IPT with PKI is less expensive than the hardware security module or the TPM, is more secure than the software cryptographic solution, and is easier to deploy than the hardware security module or the TPM. The figure below provides a comparison of features and benefits:
2.2 Protected Transaction Display
If RSA keys are created with PIN protection, the Intel® IPT with PKI CSP uses the Intel® IPT with protected transaction display technology. This technology securely captures PIN input and provides enhanced protection against certain classes of screen scraping and malware attacks.
Intel® Identity Protection Technology (IPT) with protected transaction display allows for secure PIN input by allowing the Intel® ME to draw the input window and accept mouse clicks as input. In this way, software running on the main CPU does not have access to what is actually displayed on the screen even though the user can see it. Additionally, number keys on the PIN pad are randomized so that the numbers do not appear in the same position each time the PIN pad is launched. This prevents malware from determining the user’s PIN based on the repetitive position of the mouse clicks.
The following figures illustrate this. Figure 1 shows what the user will see displayed on the PC’s screen. Note the randomized position of the number keys on the PIN pad in figure 1. Figure 2 shows what software running on the CPU (such as a malicious process implemented by a hacker) would perceive. Note that the hacker cannot see the PIN pad.
Figure 1: Randomized Keypad Example
Figure 2: Protected Transaction Display Example
The Intel® IPT with protected transaction display provides several features to enhance protection:
- Each time the PIN window is presented, the numeric keypad is randomized. This means that the mouse click locations used to enter the PIN change every time. Capturing the mouse click pattern for successful PIN entry cannot be used for subsequent PIN entries (see Figure 1).
- The PIN pad area of the screen, used for PIN entry, uses Intel® IPT with protected transaction display technology. Software based screen scraping or malware attacks that attempt to perform a screen capture of the PIN window cannot view the actual PIN number layout (see Figure 2).
- Mouse clicks for the PIN entry are translated and used within the protective hardware. The actual PIN value is not exposed outside of the hardware.
- PIN entry tracks the number of incorrect PIN entry attempts, and at specific intervals will refuse additional PIN attempts for a specific period of time. This feature minimizes brute force attacks on the PIN.
- Keyboard entry of the PIN is not allowed. This feature minimizes keyboard logger attacks.
PINs are assigned at key creation time if the Microsoft CryptoAPI CRYPT_FORCE_KEY_PROTECTION_HIGH flag is set. The Intel® IPT with PKI CSP allows the setting of PIN composition policies that are used when creating PIN protected RSA keys. These settings can be found in the Windows registry. All Intel® IPT with PKI PIN settings are located at: HKLM\SOFTWARE\Policies\Intel\Intel® IPT with PKI
When a user enters an invalid PIN for a PIN protected key, the Intel® Management Engine begins an invalid PIN entry counter. After a number of invalid PIN entries, the Intel® IPT with PKI system will enter a mode where PIN entry is locked out for a specific period of time. This feature limits the effectiveness of brute force attacks against a key’s PIN. As more invalid PIN attempts are made, the PIN entry lockout time period increases.
This table shows the lockout time periods for the number of invalid PIN entries.
Number of Incorrect PIN Attempts | Time (in minutes) before Next PIN Attempt
1 - 5  | 0
6 - 8  | 1
9 - 12 | 10
13+    | 30
The invalid PIN counter will reset to zero 60 minutes after the last invalid PIN attempt. When the hardware is in PIN throttling mode, other operations, such as the usage of a key that is not PIN protected, are not affected.
Based on PIN policy and throttling settings, the following deployment considerations should be taken into account when deploying PIN policies:
- PIN recovery: If a PIN is set for a key pair, there is no way to reset the PIN for that key. If a user forgets the PIN associated with the RSA key, it will effectively render the key unusable.
- PIN minimum unique: Since the PIN creation policy uses both the minimum length and a number of unique digits, these two policies should work together. To maximize the available PIN space, the minimum number of unique digits should be less than the minimum PIN length.
- PIN cache timeout: PIN caching provides a better user experience, with a tradeoff in security. Keep in mind that if PIN caching is turned off, or set for less than 60 minutes, it is possible a user will be asked to enter their PIN, but the invalid PIN tries counter has not reset to zero. This would give a user fewer attempts to correctly enter the PIN before the lockout times take effect.
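As an added illustration (not part of Intel's white paper), the following Python model encodes the lockout schedule and 60-minute counter reset described above, and counts the PIN space for the "PIN minimum unique" note. The simulated minute clock, the PinThrottle class, and the assumption that a correct PIN entry does not itself reset the counter (the paper only specifies the time-based reset) are mine.

```python
"""Deployment-planning model of the Intel IPT with PKI PIN throttling rules.

Added example, not Intel code. Encodes the white paper's lockout table
(attempts 1-5: 0 min, 6-8: 1 min, 9-12: 10 min, 13+: 30 min) and the
60-minute counter reset. Time is a simulated clock in whole minutes.
"""
from functools import lru_cache
from math import comb, factorial
from typing import Optional

COUNTER_RESET_MINUTES = 60   # counter returns to zero 60 min after last invalid attempt
FREE_ATTEMPTS = 5            # attempts 1-5 carry no lockout


def lockout_minutes(invalid_attempts: int) -> int:
    """Lockout (minutes) imposed after the Nth invalid PIN entry, per the paper's table."""
    if invalid_attempts <= 5:
        return 0
    if invalid_attempts <= 8:
        return 1
    if invalid_attempts <= 12:
        return 10
    return 30


class PinThrottle:
    """Per-platform state: invalid counter, time of last failure, end of current lockout."""

    def __init__(self) -> None:
        self.invalid_count = 0
        self.last_invalid_at: Optional[int] = None
        self.locked_until = 0

    def effective_count(self, now: int) -> int:
        """Invalid counter as the ME would see it at `now`, applying the 60-minute reset."""
        if self.last_invalid_at is not None and now - self.last_invalid_at >= COUNTER_RESET_MINUTES:
            return 0
        return self.invalid_count

    def attempt(self, pin_correct: bool, now: int) -> str:
        """Process one PIN entry at simulated minute `now`; returns 'ok', 'wrong' or 'locked'."""
        self.invalid_count = self.effective_count(now)
        if self.invalid_count == 0:
            self.last_invalid_at = None
        if now < self.locked_until:
            return "locked"          # throttled: even a correct PIN must wait
        if pin_correct:
            return "ok"              # assumption: a correct entry does not reset the counter
        self.invalid_count += 1
        self.last_invalid_at = now
        self.locked_until = now + lockout_minutes(self.invalid_count)
        return "wrong"


def free_attempts_remaining(throttle: PinThrottle, now: int) -> int:
    """Wrong entries a user may still make at `now` before the first lockout applies.

    This is the "PIN cache timeout" consideration: if the user is prompted again
    less than 60 minutes after a failure, fewer than 5 free attempts remain.
    """
    return max(0, FREE_ATTEMPTS - throttle.effective_count(now))


@lru_cache(maxsize=None)
def stirling2(n: int, k: int) -> int:
    """Stirling numbers of the second kind: partitions of n items into k non-empty sets."""
    if n == k:
        return 1
    if k == 0 or k > n:
        return 0
    return k * stirling2(n - 1, k) + stirling2(n - 1, k - 1)


def pin_space(length: int, min_unique: int) -> int:
    """Number of decimal PINs of `length` digits with at least `min_unique` distinct digits.

    Strings of `length` digits using exactly k distinct digits number
    C(10, k) * k! * S(length, k); summing k from min_unique upward gives the
    PIN space the paper's "minimum unique" policy leaves available.
    """
    total = 0
    for k in range(min_unique, min(length, 10) + 1):
        total += comb(10, k) * factorial(k) * stirling2(length, k)
    return total


if __name__ == "__main__":
    # Requiring all 4 digits unique shrinks a 4-digit PIN space from 10000 to 5040.
    for unique in (1, 3, 4):
        print(f"4-digit PINs with >= {unique} unique digits: {pin_space(4, unique)}")
    t = PinThrottle()
    for minute in range(6):
        print(minute, t.attempt(False, 0), "locked until minute", t.locked_until)
```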
3. Architecture
3.1 Architecture Overview
Brief Description:
- Microsoft Cryptographic Service Provider (CSP) implementation/interface
- Integrated with Intel® IPT with protected transaction display
- Currently runs on Windows 7
3.1.1 Solution Stack
Figure 3 below presents the Intel® IPT with PKI software stack.
Figure 3 – Intel® IPT with PKI Solution Stack
The complete software solution stack consists of:
- 3rd party application linked to the CryptoAPI
- CryptoAPI library (from Microsoft)
- Intel® IPT Cryptographic Service Provider (CSP)
- Intel® IPT Library
- Intel® Dynamic Application Loader (DAL) Host Interface Service
- Intel® IPT Applet
3.1.1.1 3rd Party Applications
Third party software providers (or ISVs) can develop applications which leverage the hardware based security provided by Intel® IPT with PKI by modifying their code to call the Intel® IPT Cryptographic Service Provider (CSP) via the Microsoft CryptoAPI.
3.1.1.2 Microsoft CryptoAPI
The Microsoft CryptoAPI is a framework that provides the ability to develop CSPs that plug into the framework. The CryptoAPI is a DLL that is provided by Microsoft. Intel® developed the Intel® IPT CSP as a DLL that can be plugged into the CryptoAPI framework. When making CryptoAPI calls, software can select which CSP to use. CryptoAPI provides routines that allow you to enumerate the CSPs installed on the machine.
The end result is that Intel® does not replace CryptoAPI, nor is CryptoAPI modified in any way, but software that uses CryptoAPI can select the Intel IPT CSP for cryptographic usage.
The typical scenario is that the ISV application creates a crypto context, performs crypto operations, and then closes the context. When the context is created, the application selects the CSP. In this case, the Intel® IPT CSP is selected.
3.1.1.3 Intel® IPT CSP
There can be multiple CSPs on a machine (Microsoft Windows ships with 4-5 software CSPs, each supporting different cryptographic operations). Applications can select and choose which CSP they want to use, and a default CSP can be configured which is used if no specific CSP is selected. For Intel® IPT with PKI, the Intel® IPT CSP is installed as part of the Intel® IPT with PKI installation process. The installation process installs the software components and makes the appropriate registry entries so the CSP is visible to any application that wants to use it.
3.1.1.4 Intel® IPT Library
The Intel® IPT Library is a DLL that provides the core IPT capabilities and Secure PIN Pad capabilities.
3.1.1.5 Intel® Dynamic Application Loader (DAL) Host Interface Service
The Intel® Dynamic Application Loader (DAL) Host Interface Service is a component of the IPT technologies that is installed with the ME firmware toolkit. It was originally developed for the Intel® IPT with One Time Password (OTP) feature, and is being reused for Intel® IPT with PKI.
The Intel® DAL Host Interface Service is a Windows service. Essentially it’s a communications pipe used to send a command to an applet that runs in the DAL environment on the ME. So you can do things like send and receive. There are some OTP specific commands that can be sent (since it was originally for OTP). For Intel® IPT with PKI, only the Send and Receive commands are used. The Intel® DAL Host Interface Service also provides some basic high level formatting of the messages sent and status codes received from the applet.
The Intel® DAL Host Interface Service provides the basic communication service for the applet. So all the Host Interface calls eventually make a Java Host Interface (JHI) call to communicate with Intel® IPT Applet. This is a more basic communications library used to send commands to an applet running on the ME.
The net effect is that if you were writing an ME applet that was NOT an IPT applet, you could use JHI directly to make communication calls to the applet. IPT based applications will use the Intel® DAL Host Interface Service IHA to get the consistent message formatting and error code handling, which in turn calls JHI.
Also, the Intel® DAL Host Interface Service uses the Host Embedded Controller Interface (HECI) as the base mechanism to communicate with the Manageability Engine (ME). Again, because of the higher level communication DLLs (Intel® IPT DAL Host Interface Service, JHI), ISVs don’t need to be concerned about communications at that low a level.
3.1.1.6 Intel® IPT Applet
The Intel® IPT Applet is a Java applet which runs in the ME. The Intel® IPT Applet provides the basic functionality of Intel® IPT with PKI. If we want to use a key to perform an operation, we send a command via the Intel® IPT DAL Host Interface Service to the applet, with the wrapped key. The applet in the ME decrypts the key, performs the operation, and sends the results back.
3.1.2 Key and Certificate Storage
Both the keys and the certificates are stored on the hard drive. The keys are wrapped with the Platform Binding Key (PBK) and stored on the hard drive. The PBK is unique for each platform using Intel® IPT with PKI and cannot be exported from the ME; in order to use a key, it must be brought back into the ME to be unwrapped.
For certificates, it’s up to the application requesting the certificate creation, but in general (and in our case with Symantec’s Managed PKI solution) it is stored in the traditional Windows Certificate Store on the hard drive. Since the certificate has all the public key information (which makes it public), there is no need to protect the certificate, so it is not encrypted.
3.1.3 How do applications use Intel® IPT with PKI?
We do not need to make any changes to applications such as IE or Outlook in order to use the Intel IPT with PKI certificate. Typically there is a setup dialog in the application that allows the user to select the certificate and/or key pair that they want to use for the operation. For example, in Outlook, if you go to File > Options > Trust Center you get to the section where you can specify what key/certificate you want to use for signing and/or encryption (selecting from certificate/key pairs in the Windows certificate store). Once you set up that connection, subsequent usage will use the previously selected certificate/key.
3.1.4 Third Party Software Vendors
Third party software vendors (or ISVs) may need to modify their code that selects the Crypto Service Provider (CSP) to allow the selection of the Intel® provided CSP that supports IPT with PKI. From there, existing applications that use PKI based authentication can leverage the certificate secured in the Intel® platform for authentication, signing and encryption. ISV applications that use PKCS will need to be converted to CSP in order to take advantage of IPT with PKI.
4. Client Prerequisites and Infrastructure Requirements
Intel® IPT with PKI relies on the Intel® Management Engine firmware kit and specific versions of drivers and firmware to be installed on the client. The infrastructure requirements will vary depending on which use cases are to be used. The sections below provide the client prerequisites as well as the infrastructure requirements for each use case. It is also recommended that you read the readme document included with the release of Intel® IPT with PKI.
4.1 Client Prerequisites
This table describes the prerequisites and components that must be installed on the client before you can use Intel® IPT with PKI.
Prerequisite | Description
Hardware | The system must be a 3rd Generation Intel® Core™ i5 or i7 vPro™ processor-powered system.
Firmware | The firmware of the Intel® Management Engine (Intel® ME) must be version 8.0.0.1351 or later.
Intel® ME Components | The Intel® ME Components, composed of the Intel® Management Engine Interface (MEI) driver, the Intel® Management and Security Local Management Service (LMS) and the Intel® Management and Security User Notification Service (UNS), must be installed and running. The Intel® MEI (also known as “HECI”) is the software interface to the Intel® ME. This driver and the LMS and UNS services are installed when you install the Intel® ME software kit.
Intel® IPT with PKI | Intel® Identity Protection Technology with PKI (version 1.0.0 or later) must be installed.
Intel® HD Graphics | Intel® HD Graphics Driver (version 8.15.10.2616 or later) must be installed. The Intel® HD Graphics driver is only required if using Intel® IPT with protected transaction display.
4.2 Infrastructure Requirements by Use Case
The following three sections present the Infrastructure Requirements necessary for running the three use cases: SSL Authentication, Digitally signing and encrypting Email, and VPN Authentication.
4.2.1 Infrastructure Requirements for SSL Authentication
The chart below provides the infrastructure requirements to use the SSL Authentication use case.
Role | Requirement
Managed Client | The system must be a 3rd Generation Intel® Core™ i5 or i7 vPro™ processor-powered system. Intel® Graphics are required for Intel® IPT with Protected Transaction Display. The Managed Client has to have a certificate installed that is approved for Client Authentication.
Web Server | Web Server and web site with a self-signed certificate. The certificate protected by Intel IPT with PKI must be able to be trusted by the web server if the website enforces client authentication. The web server needs a certificate for SSL, but it does not have to be self-signed.
4.2.2 Infrastructure Requirements for Digitally Signing and Encrypting Email
The chart below provides the infrastructure requirements to Digitally Sign and Encrypt Email.
Role | Requirement
Managed Client | The system must be a 3rd Generation Intel® Core™ i5 or i7 vPro™ processor-powered system. Intel® Graphics are required for Intel® IPT with Protected Transaction Display. The Managed Client has to have Microsoft Outlook installed, and has to have an Email Signing and Encryption certificate installed.
Server | The Server is only required to host the Exchange email server; all the other roles are typically performed by other systems.
4.2.3 Infrastructure Requirements for VPN Authentication
The chart below provides the infrastructure requirements to use the VPN Authentication use case.
Role | Requirement
Managed Client | The system must be a 3rd Generation Intel® Core™ i5 or i7 vPro™ processor-powered system. Intel® Graphics are required for Intel® IPT with Protected Transaction Display. The Managed Client must have a certificate installed that is targeted for VPN login.
VPN Appliance | VPN Appliance, any brand; tested with Cisco ASA 5505. This document uses ASA version 8.2.
Network Connection | Used to connect to the VPN hosted by the VPN Appliance.
5. Use Cases for using Intel® IPT with PKI
This section provides examples of the three primary use cases: SSL Authentication, Digitally signing and encrypting email, and VPN authentication. For setup and configuration of the client and infrastructure for the use cases refer to the Intel® IPT with PKI Use Case Reference Design described in Section 1.4 Related Links.
Use Case landing zones:
Use Case | Valid Configurations
SSL Authentication to Web Page | IE8, IE9, Chrome
Digitally Sign and Encrypt Email | Office 2007/2010 Outlook Email
VPN | Juniper VPN without PIN pad
For more information, see:
Securely Access a Website using SSL Authentication
Digitally Sign and Encrypt Email
VPN Authentication
5.1 Securely Access a Website Using SSL Authentication
You can use Intel® IPT with PKI to securely access a website using SSL. This procedure shows how you can securely access a website that uses the certificate to authenticate the user.
To access the test website:
1. Open a web browser and navigate to a website that supports certificate-based SSL authentication. The site shown below is a test site that is used for testing and documentation purposes only. It is not available for general use.
2. When prompted to select a certificate, select the certificate that you installed for Intel® IPT with PKI.
3. If you protected the certificate with a PIN, the Enter Pin window opens.
4. Enter the PIN that you used when installing the certificate and click OK.
5. After connecting to the website, you will notice in the URL line that the connection is using the https secure protocol, and that the user has been authenticated by the VeriSign certificate.
5.2 Digitally Sign and Encrypt Email
You can use Intel® IPT with PKI to digitally sign and encrypt email. This section provides the instructions for both use cases as demonstrated in Microsoft Outlook 2010.
To set up Outlook for Encryption and Digital Signature:
1. Open Outlook and navigate to the E-mail Security tab of the Trust Center:
a. Click the File tab.
b. Click Options. The Outlook Options window opens.
c. From the bottom left side of the Outlook Options window, click Trust Center.
d. Click Trust Center Settings. The Trust Center window opens.
e. From the left side of the Trust Center window, click E-mail Security.
2. Select the Encrypt contents and attachments for outgoing messages check box.
3. Select the Add digital signature to outgoing messages check box.
4. From the Default Settings drop-down list, select My S/MIME Settings.
5. Click Publish to GAL.
6. Click OK. The Trust Center window closes.
To create a Digitally Signed and Encrypted email:
1. In Outlook, create a new email as you normally would, and then click Send.
2. If you protected the certificate with a PIN, the Enter Pin window opens.
3. Enter the PIN that you used when installing the certificate and click OK.
4. Note in the screenshot below that the email is signed and encrypted as indicated by the blue “lock” icon and the red “Digital Signature” icon in the email. You can click the red “Digital Signature” icon to view the signature certificate details.
5.3 VPN Authentication
You can use Intel® IPT with PKI to authenticate into a VPN session. This section provides the instructions for VPN Authentication using both the Cisco VPN Client and the Juniper Junos Pulse VPN Client.
5.3.1 Setup the Cisco VPN Client
1. Open the Cisco AnyConnect VPN Client. From the pull down list of VPN providers, select the provider nearest you. Or, type in the address of your VPN provider. Click Connect. AnyConnect will automatically select the certificate for VPN use.
2. If you protected the certificate with a PIN, the Enter Pin window opens.
3. Enter the PIN that you used when installing the certificate and click OK.
4. The screenshots below show the network configuration before and after connecting via the VPN Client. Note in the second screenshot that there is an additional network connection with an IP address of 192.168.1.201. This is the new VPN connection.
[Screenshots: Before / After]
5.3.2 Setup the Juniper VPN Client
1. Open the Juniper Junos Pulse VPN Client. Click Connect and select the Certificate in the Pulse Connect window.
2. Select the Realm. We will select “Users” in this example.
3. Enter the username and password and the connection is completed.
4. The screenshots below show the network configuration before and after connecting via the VPN Client. Note in the second screenshot that there is an additional network connection with an IP address of 192.168.1.201. This is the new VPN connection.
[Screenshots: Before / After]
6. Conclusion
Intel® IPT with PKI is easy to deploy, inexpensive, and very secure. Enterprises and businesses can utilize Intel® IPT with PKI and Intel® IPT with Protected Transaction Display (PTD) to increase security, decrease cost, and ease deployment issues.
Intel® IPT with PKI is a two-factor authentication process for business enterprise that only validates a legitimate user, not malware, when logging in from a trusted PC. This Intel® technology is available only on 3rd generation Intel® Core™ i5 and i7 vPro™ processors (including Ultrabooks™). Intel® IPT with PKI uses PKI certificates stored in the chipset to authenticate the user with the server, and to encrypt and digitally sign documents.
Intel® IPT with PTD, also available on 3rd generation Intel® Core™ i5 and i7 vPro™ processors, creates a non-spoofable, trusted path for user input and display output. Utilizing the built-in graphics chipset from Intel®, Intel® IPT with PTD enables the PC to display information and receive user input with the assurance that the operating system cannot monitor or tamper with the transaction. PTD also protects the PC display from malware scraping and proves the presence of a human at the PC, thus reducing many of the most sophisticated attacks on user accounts, Internet businesses and financial institutions. PTD technology can be integrated into solutions using Intel IPT with OTP or PKI.