Intel Identity Protection Technology (Intel IPT) with PKI Use Case Guide

Version 1.0
Document Release Date: February 29, 2012
Legal Notices and Disclaimers

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked reserved or undefined. Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.

Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm

No system can provide absolute security under all conditions. Requires an Intel Identity Protection Technology-enabled system, including a 2nd gen Intel Core processor enabled chipset, firmware and software, and participating website. Consult your system manufacturer. Intel assumes no liability for lost or stolen data and/or systems or any resulting damages. For more information, visit http://ipt.intel.com.

Intel, the Intel logo, Intel vPro, and Intel Core are trademarks of Intel Corporation in the U.S. and/or other countries. Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.

Copyright 2012 Intel Corporation. All rights reserved.
Table of Contents

1 Introduction
2 Preparing the Computer - Prerequisites
3 Use Cases for using Intel IPT with PKI
3.1 Securely Accessing a Website Using SSL
3.2 Digitally Sign and Encrypt Email
3.3 VPN Authentication

Acronyms and Abbreviations

Name   Description
CSP    Cryptographic Service Provider
PIN    Personal Identification Number
PKI    Public Key Infrastructure
URL    Uniform Resource Locator
SSL    Secure Sockets Layer
VPN    Virtual Private Network
1 Introduction

Intel hardware-based public/private key crypto support, formerly known as Intel Identity Protection Technology (Intel IPT) with PKI, is now available on select 3rd generation Intel Core™ vPro™ processors. This support is exposed as a Windows Crypto Service Provider. The Intel Hardware Cryptographic Service Provider (Intel CSP) provides a more secure method for certificate-based authentication, encryption, and signing.

This document provides a snapshot of the primary use cases: SSL authentication, email signing and encryption, and VPN authentication.
2 Preparing the Computer - Prerequisites

This section describes the prerequisites for Intel IPT with PKI.

Prerequisite         Description
Hardware             The system must include a 3rd generation Intel Core™ vPro™ processor.
Firmware             The firmware of the Intel Management Engine (Intel ME) must be version 8.0.0.1351 or later.
Intel MEI            The Intel Management Engine Interface (Intel MEI) must be installed and running. The Intel MEI (also known as HECI) is the software interface to the Intel ME. This driver is installed when you install the Intel ME software kit, and is usually located under System devices in the operating system.
Intel IPT with PKI   The computer must support Intel Identity Protection Technology (Intel IPT) with PKI. For more information about configuring Intel IPT with PKI, see the Intel IPT with PKI Implementation Guide.
PKI Client           The PKI Client software must be installed and running. For more information about installing and configuring the PKI Client, see the Intel IPT with PKI Implementation Guide.
PKI Certificate      The PKI certificate must be installed. For more information about installing the PKI certificate, see the Intel IPT with PKI Implementation Guide.
3 Use Cases for using Intel IPT with PKI

This section describes how you can use Intel IPT with PKI.

Use Case landing zones:

Use Case                           Valid Configurations
SSL Authentication to Web Page     Windows Internet Explorer 8; Windows Internet Explorer 9; Chrome
Digitally Sign and Encrypt Email   Microsoft Office 2007 Outlook Email; Microsoft Office 2010 Outlook Email
VPN                                Juniper VPN without Pinpad

For more information, see:
   Securely Accessing a Website Using SSL
   Digitally Sign and Encrypt Email
   VPN Authentication
3.1 Securely Accessing a Website Using SSL

You can use Intel IPT with PKI to securely access a website using SSL. This procedure shows how you can securely access a website that uses the certificate to authenticate the user.

To access the test website:

1. Open a web browser and navigate to a website that supports certificate-based SSL authentication. The site shown below is a test site that is used for testing and documentation purposes only. It is not available for general use.
2. When prompted to select a certificate, select the certificate that you installed for Intel IPT with PKI.
3. If you protected the certificate with a PIN, the Enter Pin window opens.
4. Enter the PIN that you used when installing the certificate and click OK.
5. After connecting to the website, you will notice in the URL line that the connection is using the https secure protocol, and that the user has been authenticated by the VeriSign certificate.
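
Before picking a certificate in step 2, it helps to confirm which certificates in the user's store actually have their private key held by the Intel CSP rather than by another provider. The following PowerShell script is an added example, not part of the Intel guide; it assumes Windows PowerShell on the .NET Framework, and the provider-name pattern `*Intel*` is a hypothetical placeholder for the Intel CSP's registered name.

```powershell
# Added example (not from the Intel guide): show which Cryptographic Service
# Provider holds the private key of each certificate in the user's store.
# ASSUMPTION: the Intel CSP's registered name matches '*Intel*'. Confirm the
# real provider name on your system and pass it as -ProviderPattern.
param([string]$ProviderPattern = '*Intel*')

function Get-CertKeyProvider {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    process {
        $provider = $null; $hardware = $null; $note = ''
        try {
            # Keys held by a legacy CSP implement ICspAsymmetricAlgorithm,
            # whose CspKeyContainerInfo names the provider behind the key.
            $key = $Cert.PrivateKey
            if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
                $provider = $key.CspKeyContainerInfo.ProviderName
                $hardware = $key.CspKeyContainerInfo.HardwareDevice
            } else {
                $note = 'private key is not exposed through a CSP'
            }
        } catch {
            # Opening the key can fail, for example when the provider is
            # not installed; report the error instead of stopping.
            $note = $_.Exception.Message
        }
        New-Object PSObject -Property @{
            Subject        = $Cert.Subject
            Thumbprint     = $Cert.Thumbprint
            NotAfter       = $Cert.NotAfter
            Provider       = $provider
            HardwareDevice = $hardware
            MatchesPattern = ($provider -like $ProviderPattern)
            Note           = $note
        }
    }
}

# Only certificates with an associated private key can be used for client
# authentication, signing, or decryption.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Get-CertKeyProvider |
    Select-Object Subject, NotAfter, Provider, HardwareDevice, MatchesPattern, Note |
    Format-List
```

A certificate whose Provider does not match the pattern is not using the Intel CSP, so it is not the one to select in step 2.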
3.2 Digitally Sign and Encrypt Email

You can use Intel IPT with PKI to digitally sign and encrypt email. This section provides the instructions for both use cases as demonstrated in Microsoft Outlook 2010.

To set up Outlook for Encryption and Digital Signature:

1. Open Outlook and navigate to the E-mail Security tab of the Trust Center:
   a. Click the File tab.
   b. Click Options. The Outlook Options window opens.
   c. From the bottom left side of the Outlook Options window, click Trust Center.
   d. Click Trust Center Settings. The Trust Center window opens.
   e. From the left side of the Trust Center window, click E-mail Security.
2. Select the Encrypt contents and attachments for outgoing messages check box.
3. Select the Add digital signature to outgoing messages check box.
4. From the Default Settings drop-down list, select My S/MIME Settings.
5. Click Publish to GAL.
6. Click OK. The Trust Center window closes.

To create a Digitally Signed and Encrypted email:

1. In Outlook, create a new email as you normally would, and then click Send.
2. If you protected the certificate with a PIN, the Enter Pin window opens.
3. Enter the PIN that you used when installing the certificate and click OK.
4. Note in the screenshot below that the email is signed and encrypted as indicated by the blue lock icon and the red Digital Signature icon in the email. You can click the red Digital Signature icon to view the signature certificate details.
3.3 VPN Authentication

You can use Intel IPT with PKI to authenticate into a VPN session. This section provides the instructions for VPN Authentication using the Juniper Junos Pulse VPN Client.

To set up the Juniper VPN Client:

1. Open the Juniper Junos Pulse VPN Client. Click Connect and select the Certificate in the Pulse Connect window.
2. Select the Realm. We will select Users in this example.
3. Enter the username and password and the connection is completed.
4. The screenshots below show the network configuration before and after connecting via the VPN Client. Note in the second screenshot that there is an additional network connection with an IP address of 192.168.1.103. This is the new VPN connection.

[Screenshot: Before]

[Screenshot: After]