You are previewing Platform Embedded Security Technology Revealed : Safeguarding the Future of Computing with Intel Embedded Security and Management Engine.
O'Reilly logo
Platform Embedded Security Technology Revealed : Safeguarding the Future of Computing with Intel Embedded Security and Management Engine

Book Description

Platform Embedded Security Technology Revealed is an in-depth introduction to Intel’s platform embedded solution: the security and management engine. The engine is shipped inside most Intel platforms for servers, personal computers, tablets, and smartphones. The engine realizes advanced security and management functionalities and protects applications’ secrets and users’ privacy in a secure, light-weight, and inexpensive way. Besides native built-in features, it allows third-party software vendors to develop applications that take advantage of the security infrastructures offered by the engine.

Intel’s security and management engine is technologically unique and significant, but is largely unknown to many members of the tech communities who could potentially benefit from it. Platform Embedded Security Technology Revealed reveals technical details of the engine. The engine provides a new way for the computer security industry to resolve critical problems resulting from booming mobile technologies, such as increasing threats against confidentiality and privacy. This book describes how this advanced level of protection is made possible by the engine, how it can improve users’ security experience, and how third-party vendors can make use of it.

It's written for computer security professionals and researchers; embedded system engineers; and software engineers and vendors who are interested in developing new security applications on top of Intel’s security and management engine.

It’s also written for advanced users who are interested in understanding how the security features of Intel’s platforms work.

What you’ll learn

  • The cyber security challenges behind the creation of the embedded security and management engine, and the solutions it presents
  • The pros and cons of enforcing security in the embedded engine
  • Basic cryptography and security infrastructure of the engine
  • Security-hardening features of the engine
  • Handling dynamically loaded applications
  • How anonymous authentication works with enhanced privacy protection
  • Content protection at the hardware level
  • Secure boot with a hardware root of trust
  • Firmware-based TPM
  • Identity protection with a hardware-based, one-time password
  • Table of Contents

    1. Cover
    2. Title
    3. Copyright
    4. About ApressOpen
    5. Dedication
    6. Contents at a Glance
    7. Contents
    8. About the Author
    9. About the Technical Reviewer
    10. Acknowledgments
    11. Introduction
    12. Chapter 1: Cyber Security in the Mobile Age
      1. Three Pillars of Mobile Computing
        1. Power Efficiency
        2. Internet Connectivity
        3. Security
      2. BYOD
      3. Incident Case Study
        1. eBay Data Breach
        2. Target Data Breach
        3. OpenSSL Heartbleed
      4. Key Takeaways
        1. Strong Authentication
        2. Network Management
        3. Boot Integrity
        4. Hardware-Based Protection
        5. Open-Source Software Best Practice
        6. Third-Party Software Best Practice
      5. Security Development Lifecycle
        1. Assessment
        2. Architecture
        3. Design
        4. Implementation
        5. Deployment
      6. CVSS
        1. Limitations
      7. References
    13. Chapter 2: Intel’s Embedded Solutions: from Management to Security
      1. Management Engine vs. Intel AMT
      2. Intel AMT vs. Intel vPro Technology
      3. Management Engine Overview
        1. Hardware
        2. Overlapped I/O
        3. Firmware
        4. Software
      4. Platform and System Management
        1. Software Solutions
        2. Hardware Solutions
        3. In-Band Solutions
        4. Out-of-Band Solutions
      5. Intel AMT Overview
        1. BIOS Extension
        2. Local Management Service and Tray Icon
        3. Remote Management
      6. The Engine’s Evolvement: from Management to Security
        1. Embedded System as Security Solution
      7. Security Applications at a Glance
        1. EPID
        2. PAVP
        3. IPT
        4. Boot Guard
      8. Virtual Security Core: ARM TrustZone
        1. Secure Mode and Nonsecure Mode
        2. Memory Isolation
        3. Bus Isolation
        4. Physical Isolation vs. Virtual Isolation
      9. References
    14. Chapter 3: Building Blocks of the Security and Management Engine
      1. Random Number Generation
      2. Message Authentication
        1. Hash with Multiple Calls
      3. Symmetric-Key Encryption
        1. AES
        2. DES/3DES
      4. Asymmetric-Key Encryption: RSA
        1. Key Pair Generation and Validation
        2. Encryption and Decryption
      5. Digital Signature
        1. RSA
        2. ECDSA
        3. Hardware Acceleration
      6. Other Cryptography Functions
      7. Secure Storage
      8. Debugging
        1. Debug Messaging
        2. Special Production-Signed Firmware Based on Unique Part ID
      9. Secure Timer
      10. Host-Embedded Communication Interface
      11. Direct Memory Access to Host Memory
      12. References
    15. Chapter 4: The Engine: Safeguarding Itself before Safeguarding Others
      1. Access to Host Memory
        1. Communication with the CPU
        2. Triggering Power Flow
      2. Security Requirements
        1. Confidentiality
        2. Integrity
        3. Availability
      3. Threat Analysis and Mitigation
        1. Load Integrity
        2. Memory Integrity
        3. Memory Encryption
        4. Task Isolation
        5. Firmware Update and Downgrade
      4. Published Attacks
        1. “Introducing Ring -3 Rootkits”
      5. References
    16. Chapter 5: Privacy at the Next Level: Intel’s Enhanced Privacy Identification (EPID) Technology
      1. Redefining Privacy for the Mobile Age
        1. Passive Anonymity
        2. Active Anonymity
      2. Processor Serial Number
      3. EPID
        1. Revocation
        2. Signature Generation and Verification
      4. SIGMA
        1. Verifier’s Certificate
        2. Messages Breakdown
      5. Implementation of EPID
        1. Key Recovery
        2. Attack Mitigation
      6. Applications of EPID
      7. Next Generation of EPID
        1. Two-way EPID
        2. Optimization
      8. References
    17. Chapter 6: Boot with Integrity, or Don’t Boot
      1. Boot Attack
        1. Evil Maid
        2. BIOS and UEFI
        3. BIOS Alteration
        4. Software Replacement
      2. Jailbreaking
      3. Trusted Platform Module (TPM)
        1. Platform Configuration Register
      4. Field Programmable Fuses
        1. Field Programmable Fuses vs. Flash Storage
        2. Field Programmable Fuse Task
      5. Intel Boot Guard
        1. Operating System Requirements for Boot Integrity
        2. OEM Configuration
      6. Measured Boot
      7. Verified Boot
        1. Manifests
        2. Verification Flow
      8. References
    18. Chapter 7: Trust Computing, Backed by the Intel Platform Trust Technology
      1. TPM Overview
        1. Cryptography Subsystem
        2. Storage
        3. Endorsement Key
        4. Attestation
        5. Binding and Sealing
      2. Intel Platform Trust Technology
        1. Cryptography Algorithms
        2. Endorsement Key Storage
        3. Endorsement Key Revocation
        4. Endorsement Certificate
        5. Supporting Security Firmware Applications
      3. Integrated vs. Discrete TPM
      4. References
    19. Chapter 8: Unleashing Premium Entertainment with Hardware-Based Content Protection Technology
      1. Rights Protection
      2. DRM Schemes
        1. Device Key Management
        2. Rights Management
        3. Playback
      3. UltraViolet
      4. End-to-End Content Protection
        1. Content Server
        2. License Server
        3. Software Stack
        4. External Display
        5. Weak Points
      5. Intel’s Hardware-Based Content Protection
        1. Protected Audio and Video Path (PAVP)
        2. Device Key Provisioning
        3. Rights Management
      6. Intel Wireless Display
        1. Authentication and Key Exchange
      7. Content Protection on TrustZone
      8. References
    20. Chapter 9: Breaking the Boundaries with Dynamically Loaded Applications
      1. Closed-Door Model
      2. DAL Overview
      3. DAL Architecture
        1. Loading an Applet
        2. Secure Timer
        3. Host Storage Protection
      4. Security Considerations
        1. Reviewing and Signing Process
      5. References
    21. Chapter 10: Intel Identity Protection Technology: the Robust, Convenient, and Cost-Effective Way to Deter Identity Theft
      1. One-Time Password
        1. HOTP
        2. TOTP
      2. Transaction Signing
      3. OTP Tokens
      4. Embedded OTP and OCRA
        1. Token Installation
        2. TOTP and OCRA Generation
        3. Highlights and Lowlights
      5. Protected Transaction Display
        1. Drawing a Sprite
        2. Gathering the User’s PIN Input
      6. Firmware Architecture
      7. Embedded PKI and NFC
      8. References
    22. Chapter 11: Looking Ahead: Tomorrow’s Innovations Built on Today’s Foundation
      1. Isolated Computing Environment
      2. Security-Hardening Measures
      3. Basic Utilities
      4. Anonymous Authentication and Secure Session Establishment
      5. Protected Input and Output
      6. Dynamic Application Loader
      7. Summary of Firmware Ingredients
      8. Software Guard Extensions
      9. More Excitement to Come
      10. References
    23. Index