Security
When using Intel® AMT to maintain home PCs remotely, there are some security issues that must be
considered.
The first security problem is that home PC users should have full authority to control who is
permitted access to their machine and when. To control when the home PC can be connected
remotely, this usage model proposes a switch scheme. When a problem occurs on the computer,
the user enables Intel AMT so that the machine can be connected remotely. After the problem
is fixed, the user can disable the remote connection. With such a switch, the user controls the
period of remote connection and limits the security risks.
To control who is allowed to access the AMT device, Intel AMT supports the HTTP Digest [2] and
Kerberos [3] schemes for the purpose of authentication before allowing access to the system. In
the enterprise environment, the Kerberos authentication is used to provide more secure mutual
authentication as compared with the HTTP Digest scheme. To make the Kerberos scheme work, the
Key Distribution Center (KDC) and domain controller are required to be deployed in the
enterprise Intranet, and AMT devices must be configured with Kerberos options such as Service
Principal Name (SPN), Service Key, and other data. Furthermore, clock synchronization is
required for proper working of the Kerberos protocol. The Kerberos scheme is too complicated to
be implemented and deployed for home PC maintenance. In the home PC maintenance scenario, such
a powerful authentication scheme is not necessary, since the home PC is only controlled
remotely by the MSP technician for a period of time.
Therefore, this usage model uses the HTTP Digest scheme to implement authentication. Intel AMT
provides an admin account for the management of the AMT device. Users can configure the admin
password. Only the individual who knows this password can access the computer. The process of
HTTP Digest authentication in home PC maintenance is as follows:
- The home PC user configures the password for the admin user account and tells the password to the MSP IT technician.
- When the IT technician remotely connects to the AMT device through the HTTP protocol, he/she will be required to input the username and password for accessing the AMT device.
- After inputting the password and username correctly, the IT technician can access the AMT device and manage it.
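The exchange described above, worked through as an added example (this is illustrative code, not Intel's firmware or any MSP tool): the AMT device side issues a Digest challenge, the technician's client answers it with the RFC 2617 request-digest, and the device verifies the answer. The realm string, account name and password are constructed sample values. The server stand-in also treats each nonce as single-use, which is a simplification of real nonce-count bookkeeping, so that a captured Authorization header cannot simply be replayed.

```python
import hashlib
import secrets

# Constructed sample credentials standing in for the AMT admin account;
# the realm string is hypothetical, not taken from a real device.
REALM = "Digest:0123456789ABCDEF"
ADMIN_USER = "admin"
ADMIN_PASSWORD = "example-admin-password"


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2).
    Only hashes cross the wire; the password itself never does."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class AmtDigestServer:
    """Stand-in for the AMT device's HTTP server (not Intel's implementation)."""

    def __init__(self, realm, accounts):
        self.realm = realm
        self.accounts = accounts      # username -> password
        self.live_nonces = set()      # nonces issued but not yet consumed

    def challenge(self):
        """The 401 challenge: a fresh, unpredictable nonce every time."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, auth):
        """Check an Authorization header. Unknown nonce (including one already
        used) or unknown user is rejected before any hashing is done."""
        nonce = auth["nonce"]
        if nonce not in self.live_nonces:
            return False
        password = self.accounts.get(auth["username"])
        if password is None:
            return False
        expected = digest_response(auth["username"], self.realm, password,
                                   auth["method"], auth["uri"], nonce,
                                   auth["nc"], auth["cnonce"], auth["qop"])
        ok = secrets.compare_digest(expected, auth["response"])
        if ok:
            self.live_nonces.discard(nonce)   # single-use: replay now fails
        return ok


def technician_login(server, username, password, method="GET", uri="/index.htm"):
    """Client side: take the challenge, build the Authorization fields, submit.
    Returns (authorized, auth_fields) so the caller can see what went over the wire."""
    chal = server.challenge()
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    auth = {
        "username": username, "realm": chal["realm"], "nonce": chal["nonce"],
        "uri": uri, "method": method, "nc": nc, "cnonce": cnonce, "qop": "auth",
        "response": digest_response(username, chal["realm"], password,
                                    method, uri, chal["nonce"], nc, cnonce),
    }
    return server.verify(auth), auth


def demo():
    """Correct password succeeds; a wrong password fails; a replayed header fails."""
    server = AmtDigestServer(REALM, {ADMIN_USER: ADMIN_PASSWORD})
    ok, header = technician_login(server, ADMIN_USER, ADMIN_PASSWORD)
    wrong, _ = technician_login(server, ADMIN_USER, "guess")
    replayed = server.verify(header)   # the same Authorization fields, sent again
    return ok, wrong, replayed


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Note what the admin password protects here: the device checks knowledge of the password, not the identity of the person who has it, which is why the switch scheme above (enabling AMT only while a problem is being fixed) matters as a second control.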
Another security problem is that the connection between the AMT device and the MSP service
should be secure during the remote management period. To solve this problem, Intel AMT uses
Transport Layer Security (TLS) [4, 5] to secure the communication over the network. The TLS
protocol establishes a secure channel of communication between the client and server and
provides authentication and message privacy services. In the AMT management usage scenario, the
AMT management service on the PC client is running as a TLS server, while the remote IT
management service is running as a TLS client. Moreover, AMT supports a server authentication
scheme that enables a remote management service to check the certificate presented by the AMT
device. To make TLS authentication work, the AMT device must apply for the certificate from a
third-party Certificate Authority (CA) and generate a <private, public> key pair. However,
Intel AMT has no function to process these security operations. There is a provisioning service
that applies the certificate, generates keys for the AMT device, and configures them into the
AMT device through the Web interface. In the enterprise environment, it is feasible to
provision every AMT device before it is deployed on the network. But in the home PC usage
scenario this is too complicated to implement.
Therefore, this usage model uses a TLS-PSK (Pre-Shared Key) scheme to ensure the security of
the transmission between home PCs and the MSP proxy, and the MSP can choose other more powerful
security schemes to ensure a secure connection between the MSP service and proxy (this is not
discussed in this paper). In Intel AMT, PSK is referred to as the Provisioning Pass-Phrase
(PPS). We, therefore, use the term PPS instead of PSK in the following discussion.
Home PCs and MSP proxies share a symmetric key that is used to encrypt communication data. A
PPS must be generated and configured into the AMT device before the remote maintenance process.
The PPS should be unique to each home PC to ensure that even if one PPS is stolen, it won't
work for other machines. Therefore, in this usage model, the PPS is generated by an algorithm
using the password of the admin user account as the seed. This algorithm is then shared between
the home PC and the MSP service.
The detailed process to set up a secure connection is as follows:
- The home PC user configures the admin password and relays it to the IT technician via phone. A PPS is generated based on this password and is configured into the AMT machine.
- The MSP service uses this password to generate the PPS and store it in the database.
- The PPS will be included in every management message sent to the MSP proxy, so that the MSP proxy does not have to store the PPS for PC clients.
- The MSP proxy can get this PPS and use it to encrypt communication with the home PC.
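The PPS derivation and the four-step setup above, as an added example that is not part of the paper and not any MSP's actual scheme. The paper only says the PPS is derived from the admin password and must differ per PC; the concrete choices here are assumptions: PBKDF2-HMAC-SHA256, a 256-bit key, and the device UUID (which the user reads from the UI anyway) mixed in as salt so that the same password on two PCs yields two different keys. The UUIDs and passwords are constructed, and the TLS-PSK handshake is modelled as a constant-time comparison of the two ends' keys rather than a real handshake.

```python
import hashlib
import hmac
import uuid

# Assumed parameters (not from the paper): 256-bit PPS, PBKDF2-HMAC-SHA256,
# salt = fixed label + device UUID so every home PC gets a distinct key.
PPS_BYTES = 32
PBKDF2_ITERATIONS = 100_000
SALT_LABEL = b"home-pc-amt-pps-v1"   # hypothetical domain-separation label


def derive_pps(admin_password: str, device_uuid: str) -> bytes:
    """Shared algorithm run by both the home PC tool and the MSP service."""
    salt = SALT_LABEL + uuid.UUID(device_uuid).bytes
    return hashlib.pbkdf2_hmac("sha256", admin_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=PPS_BYTES)


class HomePcAmt:
    """Home PC side: the PPS the local configuration tool writes into AMT (step 1)."""

    def __init__(self, device_uuid: str, admin_password: str):
        self.device_uuid = device_uuid
        self.pps = derive_pps(admin_password, device_uuid)


class MspService:
    """MSP service side: derives the PPS from the phoned-in password and keeps it
    per device (step 2); attaches it to each management message (step 3)."""

    def __init__(self):
        self._pps_by_uuid = {}

    def register(self, device_uuid: str, admin_password: str) -> None:
        self._pps_by_uuid[device_uuid] = derive_pps(admin_password, device_uuid)

    def management_message(self, device_uuid: str, command: str) -> dict:
        # The PPS travels with the message, so the proxy holds no client keys.
        return {"uuid": device_uuid, "command": command,
                "pps": self._pps_by_uuid[device_uuid]}


def proxy_can_open_psk_session(message: dict, home_pc: HomePcAmt) -> bool:
    """MSP proxy side (step 4): a TLS-PSK session only comes up when both ends
    hold the same key. Modelled here as a constant-time key comparison."""
    return hmac.compare_digest(message["pps"], home_pc.pps)


def demo():
    """Same password on two PCs: the message for PC A opens a session with A only."""
    pc_a = HomePcAmt("3b2f0b9e-6f4a-4d1a-9b5e-1c2d3e4f5a6b", "pw-for-pc-a")  # constructed
    pc_b = HomePcAmt("8d1c9a70-2b3c-4e5f-8a9b-0c1d2e3f4a5b", "pw-for-pc-a")  # constructed
    msp = MspService()
    msp.register(pc_a.device_uuid, "pw-for-pc-a")
    msg = msp.management_message(pc_a.device_uuid, "get-status")
    return (proxy_can_open_psk_session(msg, pc_a),
            proxy_can_open_psk_session(msg, pc_b),
            pc_a.pps != pc_b.pps)


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Because the key is a deterministic function of the password and UUID, the MSP never has to ship key material to the home PC; the trade-off, already implicit in the paper's design, is that the PPS is only as strong as the admin password the user chooses, which is why a slow KDF with a high iteration count is used rather than a plain hash.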
Easy to Use
As the above description indicates, there are some tasks that must be done by users to
configure the AMT device, including configuring the admin password, the IP address, the TCP
port of the MSP proxy, and the UUID of the AMT device. To make this process easy for a home PC
user, this usage model provides users with a very friendly and simplified User Interface (UI)
to complete these configurations. A sample UI is shown in Figure 6.

Figure 6: Sample UI
With this UI, the home PC user can easily complete the above steps by doing the following:
- Reading the UUID of the AMT device.
- Configuring the password of the admin user.
- Configuring the IP and TCP port of the MSP proxy.
- Disabling or enabling remote connection.
There are two means to implement the UI. One is to embed the UI into the BIOS. With this
method, the BIOS needs to be modified, and OEMs are required to implement a simplified UI for
configuring AMT in the BIOS. For example, the OEM can use the Intel® Platform Innovation
Framework for Extensible Firmware Interface to develop a BIOS that provides a simplified UI.
However, this method is not flexible, since it depends on the OEM's support. Therefore, in this
usage model, another method is presented. A simple application is built in a bootable OS image.
MSPs are free to design the unique UI and choose their own encryption methods to generate the
PPS.
Intel AMT provides a Host Embedded Controller Interface (HECI) for the local OS to set and
change the AMT configuration (refer to Figure 7).

Figure 7: AMT HECI interface
In the AMT machine, the host OS sees the AMT device as a PCI device. The application can
configure AMT settings through the HECI driver provided by Intel. In this usage model, the
application program implements a user-friendly interface with the APIs provided by the HECI
driver. This application program can be stored on bootable media (such as a bootable USB disk or
a bootable Linux*/Windows* CD) that is provided together with the PC or is provided by MSPs.
After the home PC user inserts this disk into the computer, the application program will be
started automatically. This application will read the UUID of the AMT device and display it on
the UI for the user to read. It will also allow the user to modify the admin password from the
UI.
Protection of Personal Data
When establishing the secure connection between the management console and the home PC,
security technologies, such as TLS and HTTP Digest are used. However, these technologies only
ensure the security of data transfer and that the PC can only be accessed by the MSP. These
technologies cannot keep users' personal data private. Home PC users may be concerned that the
MSP attendant can access some of the personal data on their hard drive. This could lead to
privacy breaches and possibly lost or stolen data.
To avoid these risks, Intel® Virtualization Technology† (VT) and LaGrande Technology (LT) can
be adopted in the future. Intel VT supplies the capability to virtualize the I/O devices and
memory. Before a Virtual Machine (VM) is started (the OSs run inside the VMs), the Virtual
Machine Monitor (VMM) partitions and virtualizes the devices. The VM will only see the
virtualized devices. Therefore we can design one piece of software for home users to enable
Intel VT to partition the disk and hide the part that contains users' private data. When the
MSP uses the SOL/Integrated Drive Electronics Redirection (IDER) and accesses the user's
machine from a remote console, it will only be able to see the virtualized disk after the
partition and will not be able to see private data.
Furthermore, Intel LT also can be used to protect users' private data. Users can use the sealed
storage capability of Intel LT to encrypt their data. Intel LT provides the ability to encrypt
and store keys, data, or other secrets within hardware on the platform. It does this in such a
way that these private data can only be released (decrypted) to an executing environment that
is the same as the environment in which these data were encrypted. Therefore, after users have
encrypted all their personal data by using the sealed storage of Intel LT, even if the MSP
technician could steal a user's private data, he/she could not decrypt that data.
† Intel Virtualization Technology: Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM) and, for some uses, certain platform software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations and may require a BIOS update. Software applications may not be compatible with all operating systems. Please check with your application vendor.