Apress: Books for Professionals by Professionals

Platform Embedded Security Technology Revealed
Ruan

Platform Embedded Security Technology Revealed is an in-depth introduction to Intel’s platform embedded solution: the security and management engine. The engine is shipped inside most Intel platforms for servers, personal computers, tablets, and smartphones. The engine realizes advanced security and management functionalities and protects applications’ secrets and users’ privacy in a secure, light-weight, and inexpensive way. Besides native built-in features, it allows third-party software vendors to develop applications that take advantage of the security infrastructures offered by the engine.

Intel’s security and management engine is technologically unique and significant, but is largely unknown to many members of the tech communities who could potentially benefit from it. Platform Embedded Security Technology Revealed reveals technical details of the engine. The engine provides a new way for the computer security industry to resolve critical problems resulting from booming mobile technologies, such as increasing threats against confidentiality and privacy. This book describes how this advanced level of protection is made possible by the engine, how it can improve users’ security experience, and how third-party vendors can make use of it.

It’s written for computer security professionals and researchers; embedded system engineers; and software engineers and vendors who are interested in developing new security applications on top of Intel’s security and management engine. It’s also written for advanced users who are interested in understanding how the security features of Intel’s platforms work.
What You’ll Learn:
• The cyber security challenges behind the creation of the embedded security and management engine, and the solutions it presents
• The pros and cons of enforcing security in the embedded engine
• Basic cryptography and security infrastructure of the engine
• Security-hardening features of the engine
• Handling dynamically loaded applications
• How anonymous authentication works with enhanced privacy protection
• Content protection at the hardware level
• Secure boot with a hardware root of trust
• Firmware-based TPM
• Identity protection with a hardware-based, one-time password

ISBN 978-1-4302-6571-9
Shelve in Software Engineering/Software Development
User level: Beginning–Advanced

Contents at a Glance
About the Author ..... xvii
About the Technical Reviewer ..... xix
Acknowledgments ..... xxi
Introduction ..... xxiii
■ Chapter 1: Cyber Security in the Mobile Age ..... 1
■ Chapter 2: Intel’s Embedded Solutions: from Management to Security ..... 27
■ Chapter 3: Building Blocks of the Security and Management Engine ..... 57
■ Chapter 4: The Engine: Safeguarding Itself before Safeguarding Others ..... 89
■ Chapter 5: Privacy at the Next Level: Intel’s Enhanced Privacy Identification (EPID) Technology ..... 117
■ Chapter 6: Boot with Integrity, or Don’t Boot ..... 143
■ Chapter 7: Trust Computing, Backed by the Intel Platform Trust Technology ..... 165
■ Chapter 8: Unleashing Premium Entertainment with Hardware-Based Content Protection Technology ..... 181
■ Chapter 9: Breaking the Boundaries with Dynamically Loaded Applications ..... 199
■ Chapter 10: Intel Identity Protection Technology: the Robust, Convenient, and Cost-Effective Way to Deter Identity Theft ..... 211
■ Chapter 11: Looking Ahead: Tomorrow’s Innovations Built on Today’s Foundation ..... 227
Index ..... 239

Introduction

Malware, virus, e-mail scam, identity theft, evil maid, password logger, screen scraper… Cyber security concerns everyone. Computers can be your trusted friends or traitors. The Internet is a scary place. Going on the Internet is like walking the streets of a crime-ridden neighborhood. Cyber criminals work to steal your privacy, money, assets, and even identity. Cyber-attacks are intangible, invisible, and hard to detect. Due to the increasing popularity of mobile devices, the danger is several-fold worse today than it was seven years ago. Technologies that created the security problem as a side effect are supposed to resolve the problem. Prevention is the key—the potential loss and cost of dealing with incidents is simply too high to afford. However, it is more difficult to defend a castle than to build it.
The mitigation against cyber-attacks is complicated and involves multiple layers of building blocks:
• Algorithm: An algorithm is a set of mathematical calculations that realize a specific cryptographic functionality, such as encryption, digital signature, hashing, and so forth.
• Protocol: A protocol is a set of rules and messages that govern the transmission of data between two entities. Security protocols are always built on cryptographic algorithms.
• Application: An application is a computer program that accomplishes a specific task, such as authenticating a user to a protected database. Applications are built with algorithms and protocols as the backbone.

Algorithms and protocols are often standardized and used across the industry for compatibility and interoperability. On the other hand, applications may be standardized, but in most cases they are invented and deployed by individual vendors to distinguish their products from competitors. Algorithms, protocols, and applications can be realized in software, hardware, or combinations of both. Security measures that are rooted in hardware are more robust than those rooted in software, because attacks against well-designed hardware-based protections not only require advanced expertise, but also cost significant resources.

Intel is committed to delivering state-of-the-art solutions for supporting a safe computing environment. The embedded engine built in most Intel platforms today is a major achievement of that effort. It features hardware implementations for standard algorithms and protocols, as well as innovative applications that are exclusively available on Intel products, including:
• Privacy safeguard with EPID (enhanced privacy identification)
• Strong authentication and secure transaction with IPT (identity protection technology)
• Verified boot process
• ... and many more

Thanks to these protections, users are largely shielded from dangers when they are surfing the Web.
With peace of mind, people can enjoy all the good things that technologies have to offer. This book takes the readers through an extensive tour of the embedded engine, exploring its internal architecture, security models, threat mitigations, and design details of algorithms, protocols, and interesting applications. The journey begins now.

CHAPTER 1
Cyber Security in the Mobile Age

The number of new security threats identified every month continues to rise. We have concluded that security has now become the third pillar of computing, joining energy-efficient performance and Internet connectivity in importance.
—Paul S. Otellini

This book is an in-depth technical introduction to an embedded system developed and manufactured by Intel Corporation. The embedded system is not an independent product; it is a native ingredient inside most of Intel’s computer product portfolio, which includes servers, desktops, workstations, laptops, tablets, and smartphones. Although not well known to most end users, the embedded system plays a critical role in many consumer applications that people use every day. As such, its architecture, implementation, and security features are worth studying.

Depending on the end product in which the embedded engine resides, the engine is denominated differently:
• For the embedded system shipped with computing devices featuring Intel Core family microprocessors, it is called the management engine.
• For the embedded system shipped with computing devices featuring the Intel Atom system-on-chip (SoC), it is called the security engine. Note that not all Atom platforms use the security engine introduced in this book.

For the sake of convenience, this book refers to it as the security and management engine, the embedded engine, or simply the engine.

Three Pillars of Mobile Computing

In August 2010, Intel announced the acquisition of security giant McAfee. Paul S. Otellini, Intel’s president and CEO at the time, emphasized that “security has become the third pillar of computing” when commenting on the