Intel® vPro™ Technology

  Section 6 of 12  

Storage Protection with Intel® Anti-Theft Technology - Data Protection (Intel® AT-d)

Intel® AT-d Security Properties

Intel® AT-d provides several security enhancements to traditional DAR solutions, because it is integrated into platform hardware. Intel AT-d uses a hardware RNG seed; the seed is supplied to a key generation algorithm implemented in Intel® Management Engine (Intel® ME) firmware that is compliant with the Federal Information Processing Standard (FIPS). Derived keys rely on entropy and uniqueness properties contained in a chipset key that is created at chipset manufacturing time by blowing fuses. It cannot be modified later.

Generated keys are protected in chipset memory when in use, making them immune to infamous Cold Boot attacks [12] where DRAM can be read even after the system is powered off.

Chipset firmware that implements critical key management, audit, and authentication operations is protected during execution in a hardware-defined isolated environment. Firmware integrity is verified both at the time it is provisioned to the platform and each time it is loaded. If firmware and metadata stored in platform flash memory are tampered with, such tampering is detected and the system may not execute.

Encryption and portions of SATA command decoding are implemented in silicon that has no external dependencies; hence, proper operation is ensured.

Integration of DAR support services in platform hardware ensures data protection policies are consistently applied regardless of OS, application, or storage-device choices. This lowers many operational costs, including IT security, audit, and risk assessment.

  Section 6 of 12  

Back to Top