Intel® IPT with PKI – Use Case Guide i
Intel ® Identity Protection Technology (Intel ® IPT)
with PKI
Use Case Guide
Version 1.0
Document Release Date: February 29, 2012
Legal Notices and Disclaimers
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.
UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked “reserved” or “undefined”. Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.
The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.
Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm
No system can provide absolute security under all conditions. Requires an Intel® Identity Protection Technology-enabled system, including a 2nd gen Intel® Core™ processor enabled chipset, firmware and software, and participating website. Consult your system manufacturer. Intel assumes no liability for lost or stolen data and/or systems or any resulting damages. For more information, visit http://ipt.intel.com.
Intel, the Intel logo, Intel vPro, and Intel Core, are trademarks of Intel Corporation in the U.S. and/or other countries.
Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the U.S. and/or other countries.
Table of Contents
1 Introduction ... 1
2 Preparing the Computer - Prerequisites ... 2
3 Use Cases for using Intel IPT with PKI ... 3
3.1 Securely Accessing a Website Using SSL ... 4
3.2 Digitally Sign and Encrypt Email ... 5
3.3 VPN Authentication ... 7
Acronyms and Abbreviations
Name  Description
CSP   Cryptographic Service Provider
PIN   Personal Identification Number
PKI   Public Key Infrastructure
SSL   Secure Sockets Layer
URL   Uniform Resource Locator
VPN   Virtual Private Network
1 Introduction
Intel hardware-based public/private key crypto support, formerly known as Intel® Identity Protection Technology (Intel® IPT) with PKI, is now available on select 3rd generation Intel® Core™ vPro™ processors. This support is exposed to Windows applications as a Windows Cryptographic Service Provider (CSP), so any application that already uses certificates through the Windows crypto API can use it without modification.
The Intel® Hardware Cryptographic Service Provider (Intel® CSP) provides a more secure method for certificate-based authentication, encryption, and signing: the private key is generated and used by the hardware (the Intel® Management Engine) rather than held in a software key store on the host, so host software can request signatures and decryptions with the key, gated by the PIN if one was set, but cannot read or copy the key itself. This document provides a snapshot of the primary use cases: SSL authentication, email signing and encryption, and VPN authentication.
2 Preparing the Computer - Prerequisites
This section describes the prerequisites for Intel IPT with PKI.
Prerequisite  Description
Hardware: The system must include a 3rd generation Intel® Core™ vPro™ processor.
Firmware: The firmware of the Intel® Management Engine (Intel® ME) must be version 8.0.0.1351 or later.
Intel® MEI: The Intel® Management Engine Interface (Intel® MEI) driver must be installed and running. The Intel MEI, also known as HECI (Host Embedded Controller Interface), is the host-side software interface to the Intel ME. The driver is installed with the Intel ME software kit and is usually listed under “System devices” in the operating system's Device Manager.
Intel® IPT with PKI: The computer must support Intel® Identity Protection Technology (Intel® IPT) with PKI. For more information about configuring Intel IPT with PKI, see the Intel® IPT with PKI Implementation Guide.
PKI Client: The PKI Client software must be installed and running. For more information about installing and configuring the PKI Client, see the Intel® IPT with PKI Implementation Guide.
PKI Certificate: The PKI certificate must be installed, with its private key held by the Intel CSP. For more information about installing the PKI certificate, see the Intel® IPT with PKI Implementation Guide.
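The prerequisites above that are visible from Windows itself, checked from PowerShell, as an added example that is not part of the Intel guide: it looks for the Intel MEI device and lists the certificates in the user's personal store whose private key is held by a CSP. The provider-name pattern is an assumption (the guide names the provider "Intel® Hardware Cryptographic Service Provider" but not the string it registers under, so adjust -CspPattern to match your system). The ME firmware version is not read here because Windows does not expose it through WMI; use the tools in the Intel ME software kit for that.

```powershell
# Added example, not from the Intel guide. Checks the prerequisites that are
# visible from Windows: the Intel MEI (HECI) device and the installed PKI
# certificate. Run in PowerShell on the client machine.
# ASSUMPTION: the Intel CSP registers a provider name containing "Intel";
# the guide does not state the exact string, so adjust -CspPattern if needed.

function Test-IptMeiDevice {
    # The Intel MEI driver shows up under "System devices"; Win32_PnPEntity
    # lists it by friendly name. Status 'OK' means the device has started.
    $dev = Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.Name -like '*Management Engine Interface*' }
    if (-not $dev) { Write-Warning 'Intel MEI device not present'; return $false }
    $ok = @($dev | Where-Object { $_.Status -eq 'OK' }).Count -gt 0
    if (-not $ok) { Write-Warning "Intel MEI present but status is '$($dev.Status)'" }
    return $ok
}

function Get-CspBackedCertificate {
    param([string]$CspPattern = 'Intel')
    # Walk CurrentUser\My and keep certificates whose private key lives in a
    # CSP matching the pattern. .PrivateKey returns an RSACryptoServiceProvider
    # for CSP keys (and throws for CNG/KSP keys, which are skipped).
    # Caveat: on some CSPs touching .PrivateKey can raise the PIN prompt.
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        if (-not $cert.HasPrivateKey) { continue }
        try { $key = $cert.PrivateKey } catch { continue }
        if ($key -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) { continue }
        $info = $key.CspKeyContainerInfo
        if ($info.ProviderName -match $CspPattern) {
            New-Object PSObject -Property @{
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                NotAfter       = $cert.NotAfter
                Provider       = $info.ProviderName
                Container      = $info.KeyContainerName
                HardwareDevice = $info.HardwareDevice   # CSP reports the key as hardware-held
            }
        }
    }
}

function Test-IptPrerequisites {
    param([string]$CspPattern = 'Intel')
    $mei   = Test-IptMeiDevice
    $certs = @(Get-CspBackedCertificate -CspPattern $CspPattern)
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate in CurrentUser\My has its private key in a CSP matching '$CspPattern'"
    }
    $certs | Format-Table Subject, Thumbprint, NotAfter, Provider, HardwareDevice -AutoSize | Out-Host
    return ($mei -and $certs.Count -gt 0)
}

Test-IptPrerequisites
```

A certificate that shows up with Provider set to a Microsoft software CSP was enrolled into the software key store, not into the Intel CSP, and will work in the procedures below without ever touching the hardware; re-enroll it through the PKI Client in that case.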
3 Use Cases for using Intel IPT with PKI
This section describes how you can use Intel IPT with PKI.
Each use case was validated in the following configurations:
Use Case  Valid Configurations
SSL Authentication to Web Page: Windows Internet Explorer 8, Windows Internet Explorer 9, Chrome
Digitally Sign and Encrypt Email: Microsoft Office 2007 Outlook, Microsoft Office 2010 Outlook
VPN: Juniper VPN without Pinpad
For more information, see:
• Securely Accessing a Website Using SSL
• Digitally Sign and Encrypt Email
• VPN Authentication
3.1 Securely Accessing a Website Using SSL
You can use Intel IPT with PKI to authenticate to a website over SSL. In this procedure the website asks the browser for a client certificate during the SSL handshake; the browser proves possession of the matching private key through the Intel CSP, so the server identifies the user by the certificate rather than by a password.
To access the test website:
1. Open a web browser and navigate to a website that supports certificate-based SSL authentication. The site shown below is a test site used for testing and documentation purposes only. It is not available for general use.
2. When prompted to select a certificate, select the certificate that you installed for Intel IPT with PKI.
3. If you protected the certificate with a PIN, the Enter PIN window opens.
4. Enter the PIN that you used when installing the certificate and click OK.
5. After connecting, the address bar shows that the connection uses the https protocol, and the site reports that the user has been authenticated with the VeriSign-issued certificate. Note that https and the padlock only confirm the server's identity; whether the user was authenticated is shown only by the site itself, because the browser gives no indication of whether a client certificate was sent.
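The same client-certificate handshake driven from PowerShell instead of the browser, as an added example that is not part of the Intel guide. $Url and $Thumbprint are placeholders: the guide's test site is not public, so point the function at any HTTPS page that requests a client certificate, and pass the thumbprint of the certificate installed for Intel IPT with PKI. The function reports what the server actually did, which the browser's padlock does not show.

```powershell
# Added example, not from the Intel guide. Presents the Intel IPT certificate
# as an SSL/TLS client certificate and reports what the server actually did.
# ASSUMPTIONS: $Url is an HTTPS page that requests a client certificate (the
# guide's test site is not public) and $Thumbprint identifies the certificate
# installed for Intel IPT with PKI in CurrentUser\My.

function Invoke-ClientCertRequest {
    param(
        [Parameter(Mandatory=$true)][string]$Url,
        [Parameter(Mandatory=$true)][string]$Thumbprint
    )
    $tp   = ($Thumbprint -replace ' ', '').ToUpper()
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { throw "No certificate $tp in CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; re-enroll it through the PKI Client' }

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    [void]$req.ClientCertificates.Add($cert)
    # The private key is used only if the server sends CertificateRequest and the
    # client answers with CertificateVerify; that is the moment the Intel CSP
    # raises its PIN prompt (when the key was PIN-protected at installation).
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # TrustFailure: the server certificate did not chain to a trusted root.
        # An HTTP 403 "client certificate required" means the handshake finished
        # without a usable certificate (wrong thumbprint, key unusable, PIN cancelled).
        throw "Request to $Url failed: $($_.Exception.Status): $($_.Exception.Message)"
    }
    $sp = $req.ServicePoint
    $clientSubject = if ($sp.ClientCertificate) { $sp.ClientCertificate.Subject } else { '' }
    $result = New-Object PSObject -Property @{
        Scheme            = $resp.ResponseUri.Scheme     # expect 'https'
        StatusCode        = [int]$resp.StatusCode
        ServerIssuer      = $sp.Certificate.Issuer       # the CA that issued the server certificate
        ClientCertSent    = ($sp.ClientCertificate -ne $null)
        ClientCertSubject = $clientSubject
    }
    $resp.Close()
    # https only proves the server's identity; the user was certificate-
    # authenticated only if the server requested and received the client certificate.
    if (-not $result.ClientCertSent) {
        Write-Warning 'Server never requested a client certificate; the user was not certificate-authenticated'
    }
    return $result
}

# Usage (placeholders; replace with a real URL and the Intel IPT certificate's thumbprint):
# Invoke-ClientCertRequest -Url 'https://example.com/secure/' -Thumbprint 'ABCDEF0123...'
```

ClientCertSent is the check worth keeping: a page that returns 200 over https with ClientCertSent false was served to an anonymous client, regardless of which certificate was offered.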
3.2 Digitally Sign and Encrypt Email
You can use Intel IPT with PKI to digitally sign and encrypt email. This section provides the instructions for both use cases as demonstrated in Microsoft Outlook 2010.
To set up Outlook for encryption and digital signatures:
1. Open Outlook and navigate to the E-mail Security tab of the Trust Center:
a. Click the File tab.
b. Click Options. The Outlook Options window opens.
c. From the bottom left side of the Outlook Options window, click Trust Center.
d. Click Trust Center Settings. The Trust Center window opens.
e. From the left side of the Trust Center window, click E-mail Security.
2. Select the Encrypt contents and attachments for outgoing messages check box.
3. Select the Add digital signature to outgoing messages check box.
Signing uses your own private key through the Intel CSP, which is what triggers the PIN prompt. Encryption uses each recipient's public key, so Outlook must already hold a certificate for every recipient (for example, from a signed message they sent you); it cannot encrypt to a recipient whose certificate it does not have.
To create a digitally signed and encrypted email:
1. In Outlook, create a new email as you normally would, and then click Send.
2. If you protected the certificate with a PIN, the Enter PIN window opens.
3. Enter the PIN that you used when installing the certificate and click OK.
4. Note in the screenshot below that the email is signed and encrypted, as indicated by the blue “lock” icon and the red “Digital Signature” icon in the email. You can click the red “Digital Signature” icon to view the signature certificate details.
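What Outlook does behind the two check boxes, as an added PowerShell example that is not part of the Intel guide: S/MIME signing and encryption are CMS (PKCS#7) operations, so the .NET SignedCms and EnvelopedCms classes reproduce them against the same certificate store and CSP that Outlook uses. $Thumbprint is assumed to be the thumbprint of the certificate installed for Intel IPT with PKI; the message is encrypted to the signer's own certificate so the round trip runs on one machine. The PIN prompt appears at ComputeSignature and at Decrypt, the two calls that use the private key.

```powershell
# Added example, not from the Intel guide. Signs and encrypts a message with
# the same CMS (PKCS#7) operations Outlook's S/MIME uses, then reverses them.
# ASSUMPTION: $Thumbprint is the certificate installed for Intel IPT with PKI.
Add-Type -AssemblyName System.Security

function Protect-Message {
    param([string]$Thumbprint, [string]$Text)
    $tp   = ($Thumbprint -replace ' ', '').ToUpper()
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { throw "No certificate $tp in CurrentUser\My" }
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Text)

    # Step 1: sign. CmsSigner drives the certificate's private key through its
    # CSP, so this is where the Intel CSP PIN prompt appears.
    $content = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$plain)
    $signed  = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $content
    $signer  = New-Object System.Security.Cryptography.Pkcs.CmsSigner -ArgumentList $cert
    # Embed the chain so a recipient can validate the signer without a lookup.
    $signer.IncludeOption = [System.Security.Cryptography.X509Certificates.X509IncludeOption]::WholeChain
    $signed.ComputeSignature($signer)

    # Step 2: encrypt the signed blob to the recipient (here: the signer itself).
    # Only the recipient's public key is used, so no PIN prompt here.
    $inner     = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$signed.Encode())
    $enveloped = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms -ArgumentList $inner
    $enveloped.Encrypt((New-Object System.Security.Cryptography.Pkcs.CmsRecipient -ArgumentList $cert))
    return $enveloped.Encode()    # DER bytes: the body of an S/MIME enveloped message
}

function Unprotect-Message {
    param([byte[]]$Blob)
    $enveloped = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $enveloped.Decode($Blob)
    $enveloped.Decrypt()   # finds the matching private key in CurrentUser\My: PIN prompt again
    $signed = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $signed.Decode($enveloped.ContentInfo.Content)
    # $false = verify the signature AND the signer's certificate chain; throws on failure.
    $signed.CheckSignature($false)
    New-Object PSObject -Property @{
        Text   = [System.Text.Encoding]::UTF8.GetString($signed.ContentInfo.Content)
        Signer = $signed.SignerInfos[0].Certificate.Subject
    }
}

# Usage (placeholder thumbprint; replace with the Intel IPT certificate's):
# $blob = Protect-Message -Thumbprint 'ABCDEF0123...' -Text 'Quarterly numbers attached.'
# Unprotect-Message -Blob $blob
```

Sign-then-encrypt is the order Outlook uses as well: the signature is inside the envelope, so a relay sees neither the content nor who signed it, and the recipient verifies the signature only after decrypting with their own key.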
3.3 VPN Authentication
You can use Intel IPT with PKI to authenticate to a VPN. This section provides the instructions for VPN authentication using the Juniper Junos Pulse VPN client. The client uses the certificate the same way the browser does in section 3.1, and then additionally asks for a username and password in the selected realm.
To connect with the Juniper VPN client:
1. Open the Juniper Junos Pulse VPN client. Click Connect and select the certificate in the Pulse Connect window.
2. Select the Realm. This example uses “Users”.
3. Enter the username and password; the connection is then completed.
4. The screenshots below show the network configuration before and after connecting via the VPN client. In the second screenshot there is an additional network connection with an IP address of 192.168.1.103; this is the new VPN connection.
[Screenshot: network configuration before connecting]
[Screenshot: network configuration after connecting]
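The before/after comparison shown in the two screenshots, scripted, as an added PowerShell example that is not part of the Intel guide: it snapshots the IPv4 addresses of every IP-enabled adapter, waits while you connect with Junos Pulse, and prints the addresses that appeared (the tunnel adapter's address, 192.168.1.103 in the guide's screenshots). Adapter names and addresses will differ on your machine.

```powershell
# Added example, not from the Intel guide. Shows which address the VPN client
# added, instead of comparing two network-configuration screenshots by eye.

function Get-Ipv4Snapshot {
    # "Adapter = address" strings for every adapter with IP enabled.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $desc = $_.Description
            @($_.IPAddress) | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } |
                ForEach-Object { "$desc = $_" }
        }
}

function Get-AddedAddresses {
    param([string[]]$Before, [string[]]$After)
    # Entries present after connecting but not before: the VPN tunnel adapter.
    if (-not $Before) { return $After }
    Compare-Object -ReferenceObject $Before -DifferenceObject $After |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject }
}

$before = @(Get-Ipv4Snapshot)
Write-Host 'Connect with Junos Pulse now, then press Enter.'
[void](Read-Host)
$after = @(Get-Ipv4Snapshot)
$added = @(Get-AddedAddresses -Before $before -After $after)
if ($added.Count -eq 0) {
    Write-Warning 'No new address appeared: the VPN session did not come up'
} else {
    $added | ForEach-Object { "VPN added: $_" }
}
```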