Intel® vPro™ Technology

Configuring Intel® Active Management Technology

Pre-Shared Key Protocol: Detailed Flow

The starting assumption of the TLS-PSK protocol is that both parties must already share a secret. In our context, we call this shared secret the Provisioning Passphrase (PPS). There is also an associated identifier with each PPS called the Provisioning ID (PID). The PID and PPS are strings of characters comprising capital letters A-Z and numbers 0-9. The PID is 8 characters long and the PPS is 32 characters long. The PPS offers up to 125 bits of entropy.

Sharing of PID and PPS between the configuration server and the Intel® Active Management Technology (Intel® AMT) subsystem is achieved by any of the one-touch methods we described previously in the context of the Asymmetric Key flow: manual configuration through Intel® Management Engine BIOS Extension (Intel® MEBX) or loading of a configuration file with PPS and PID information onto a USB thumb-drive. Sharing can also be done by the system manufacturer.

In these last few sections we describe how symmetric PSK-based configuration works for machines with Intel AMT.

Pre-Shared Key Provisioning Flow
Just as in the asymmetric configuration model, described in the previous section, there’s an initial phase that involves a communication between a software agent and the configuration server, that is similar to the one described for the Asymmetric Key method. The main difference is that there is no need to pass an OTP value between the two parties, since the shared secret key (PPS) is used by the configuration server to authenticate the device with Intel AMT, eliminating the need for an OTP value. The second phase is also straightforward, as it involves a standard TLS-PSK handshake, whereby Intel AMT acts as the TLS server, and the configuration server acts as the TLS client. Per the TLS-PSK RFC, Intel AMT sends the PID as the “PSK_Identity_hint” value within the TLS handshake, allowing the configuration server to locate the matching PPS value and use it in the communication.

Note on Security
It is more secure if every machine is configured with a unique PID/PPS pair; however, in some scenarios, multiple systems are configured with the same PID/PPS pair. This method reduces the number of PID/PPS pairs to be managed and can in this way it be seen as more convenient; however, it is less secure. If, for example, an attacker breaks into the hardware of one machine in that group of machines and acquires the PPS value, then the security of all the machines is compromised.

Back to Top