February 2013
Revision 0.5
Intel Confidential
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED,
BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS
PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER
AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS
INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR
INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.
A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in
personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION,
YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS,
OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE
ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR
DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS
SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS
PARTS.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the
absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future
definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The
information here is subject to change without notice. Do not finalize a design with this information.
The products described in this document may contain design defects or errors known as errata which may cause the product to
deviate from published specifications. Current characterized errata are available on request.
Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.
Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained
by going to: http://www.intel.com/design/literature.htm
Lead-free: 45nm product is manufactured on a lead-free process. Lead is below 1000 PPM per EU RoHS directive (2002/95/EC,
Annex A). Some EU RoHS exemptions for lead may apply to other components used in the product package. Halogen-free:
Applies only to halogenated flame retardants and PVC in components. Halogens are below 900 PPM bromine and 900 PPM
chlorine.
Code names featured are used internally within Intel to identify products that are in development and not yet publicly announced
for release. Customers, licensees and other third parties are not authorized by Intel to use code names in advertising, promotion
or marketing of any product or services and any such use of Intel's internal code names is at the sole risk of the user.
Intel Identity Protection Technology (Intel IPT), Intel Management Engine (Intel ME), Intel Management Engine Interface (Intel
MEI), Intel Core™, Intel vPro™, Intel Services, Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and other
countries.
*Other names and brands may be claimed as the property of others.
Copyright © 2013, Intel Corporation. All rights reserved.
Contents
1 Introduction
1.1 What is Intel® IPT?
1.2 Intel® IPT System Architecture
1.2.1 Protected Transaction Display (PTD) Components
1.2.2 NFC for eCommerce and Authentication (Tap-to-Pay) Components
2 Platform Preparation for Intel® IPT Usage
3 Firmware Tools Support
3.1 Flash Imaging Tool (FITC)
3.1.1 ODM ID
3.1.2 PAVP
3.1.3 NFC*
3.1.4 FPT – Flash Programming Tool
3.1.5 TXEINFO
4 OS Integration and Software Components
4.1 Client-side Architecture
5 Intel® IPT Compliance Validation
Figures
Figure 1-1. Intel® IPT System Architecture
Figure 3-1. How to Configure ODM ID
Figure 3-2. How to enable PAVP
Figure 3-3. ODM ID Slot 1 Value
Figure 4-1. Client Architecture
Figure 5-1. Intel® IPT System Architecture
Revision History
1 Introduction
This document covers the Intel® Identity Protection Technology (Intel® IPT) platform
integration process for OEMs. It describes the technology, the enablement flow, the
software components, and gives an overview of testing.
The figure above shows the Intel® IPT architecture and ISV’s client/server components
used for the OTP, Protected Transaction Display and NFC card reader.
Intel® IPT Client Middleware includes the PTD DLL component, which manages the
Protected Transaction Display (PTD) interactions between applications and the
platform. It provides an interface that allows applications to initialize secure graphics
sessions and to generate encrypted images to be displayed on the screen. It also
stores the user's mouse-click coordinates so they can be forwarded to the embedded app
for processing.
PTD Embedded App – Responsible for generating images, encrypting them with the
PAVP stream key, and analyzing the user's click coordinates.
Intel is working with ISVs in order to integrate the Intel® IPT client/server components
and develop the complete e2e solution for Tap-to-Pay.
The payment service providers develop the embedded NFC applet running in Intel®
TXE. On the server side, the service provider integrates the Intel® IPT server
components that are used during the provisioning process.
Registration:
  User registers a contactless credit card via an IPT-enabled PC
  IPT provisioning creates a binding between the user's credit card and the PC
  User creates a user profile
Shopping:
  At the check-out step, a pop-up prompts the user to use their stored credit card or requires them to tap the credit card again
  The Intel® IPT-enabled PC communicates securely with the back-end server and forwards the user profile to auto form-fill the check-out
  Websites require no change to connect to the payment gateway
3.1.1 ODM ID
The ODM ID is used by Intel® Services. This parameter tracks which OEM platforms
(by brand) Intel® IPT Technology is being used on. The ID is provided by Intel to
the OEM during the development stage.
Located at: TXE Region Configuration Setup and Configuration (see Figure 3-1)
Note: The ODM ID is not mandatory but is recommended for platform identification between the
OEM and the ISV (e.g., to support a potential business agreement between OEM and ISV).
3.1.2 PAVP
PAVP – Protected Transaction Display (PTD) requires Protected Audio Video Path
(PAVP) to be enabled. PAVP configuration: "PAVP Permanently Disabled?" must be
set to "no" for PAVP to be enabled in the image.
Located at: TXE Region Configuration Features Supported (see Figure 3-2)
3.1.3 NFC*
NFC – eCommerce (Tap-n-Pay) requires NFC to be enabled on the platform. For
details about platform preparation for NFC integration please refer to NFC
documentation.
3.1.4 FPT – Flash Programming Tool
Note: The examples below are from FPTW, but they are also applicable to DOS FPT.
Retrieve the "ODM ID" value. To retrieve this parameter from the firmware,
run the following FPT command (this example refers to FPT for Windows):
FPTW.exe -r "ODM ID used by Intel (R) Services"
Set the "ODM ID" value through the FOV mechanism:
FPTW.exe -u -n "ODM_ID" -v <HEX Value>
3.1.5 TXEINFO
TXEINFO – This tool provides information about the Intel® TXE Dynamic Application
Loader state, which is the infrastructure required for Intel® IPT.
Run TXEInfoWin.exe to check whether the Intel® TXE Dynamic Application Loader is available
on the platform (Present / Not Present).
The Intel® TXE Dynamic Application Loader state is captured under the "FW Capabilities"
section. TXEInfo only shows the Intel® TXE Dynamic Application Loader when it is
Present.
TXEInfo output: "Intel® Dynamic Application Loader Present/Enabled".
TXEInfo also displays the ODM ID value (called "Slot 1"). Following is the capture:
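The FPT and TXEInfo steps above form one check pair: the OEM writes the ODM ID through the FOV, then reads it back (as "Slot 1") and confirms Dynamic Application Loader presence from TXEInfo. The following helper, added here as an example and not part of this document or of Intel's tools, builds the two FPTW command lines exactly as listed in section 3.1.4, validates the hex value before it is written, and parses TXEInfo output for the two facts the document says it reports. The line layout of the sample TXEInfo output is constructed (only the quoted phrases "FW Capabilities", "Intel® Dynamic Application Loader Present/Enabled" and "Slot 1" come from the document), the assumption that the ODM ID fits in 32 bits is mine, and every function name is hypothetical.

```python
"""Check the two Intel IPT firmware prerequisites this document has the OEM verify
with FPT and TXEInfo: that the ODM ID was set, and that the Intel TXE Dynamic
Application Loader (DAL) is present. Added example; the TXEInfo output layout
used in the samples is constructed, not a real capture."""
import re
import subprocess
from typing import Optional

# FPTW read command line exactly as the document lists it (section 3.1.4).
FPT_READ_ARGS = ["FPTW.exe", "-r", "ODM ID used by Intel (R) Services"]


def is_valid_odm_id(value: str) -> bool:
    """ODM ID is written to the FOV as a hex value. Assumption (not stated in the
    document): it fits a 32-bit slot, so 1-8 hex digits with an optional 0x prefix."""
    return re.fullmatch(r"(?:0[xX])?[0-9a-fA-F]{1,8}", value.strip()) is not None


def fpt_write_args(odm_id_hex: str) -> list:
    """Build the FOV update command from section 3.1.4; refuse malformed values
    before anything touches the flash, since a bad ID only shows up later in TXEInfo."""
    if not is_valid_odm_id(odm_id_hex):
        raise ValueError(f"not a hex ODM ID: {odm_id_hex!r}")
    return ["FPTW.exe", "-u", "-n", "ODM_ID", "-v", odm_id_hex.strip()]


# "Not Present" is listed before "Present" so the lazy .*? cannot skip the "Not".
DAL_RE = re.compile(
    r"Dynamic Application Loader\b.*?\b(Present/Enabled|Not Present|Present)\b", re.I)
SLOT1_RE = re.compile(r"\bSlot\s*1\b\s*[:=]?\s*((?:0[xX])?[0-9a-fA-F]+)", re.I)


def parse_txeinfo(text: str) -> dict:
    """Pull the DAL state and the Slot 1 (ODM ID) value out of TXEInfo output.
    The document says TXEInfo prints the DAL line only when DAL is present, so a
    missing line is reported as "Not Present" rather than as unknown."""
    info = {"dal_present": False, "dal_state": "Not Present", "odm_id_slot1": None}
    for line in text.splitlines():
        m = DAL_RE.search(line)
        if m:
            info["dal_state"] = m.group(1)
            info["dal_present"] = m.group(1).lower() != "not present"
            continue
        m = SLOT1_RE.search(line)
        if m and info["odm_id_slot1"] is None:
            info["odm_id_slot1"] = m.group(1)
    return info


def odm_id_matches(reported: Optional[str], expected: str) -> bool:
    """Compare numerically so that 0x0000ABCD and ABCD count as the same ID."""
    if reported is None or not is_valid_odm_id(reported) or not is_valid_odm_id(expected):
        return False
    return int(reported, 16) == int(expected, 16)


def ipt_prerequisite_findings(txeinfo_text: str, expected_odm_id: Optional[str] = None) -> list:
    """Findings for the bring-up checklist: DAL state, and whether Slot 1 holds
    the ODM ID Intel assigned to this OEM platform."""
    info = parse_txeinfo(txeinfo_text)
    findings = ["DAL: " + info["dal_state"]]
    if expected_odm_id is not None:
        if info["odm_id_slot1"] is None:
            findings.append("ODM ID: Slot 1 not reported")
        elif odm_id_matches(info["odm_id_slot1"], expected_odm_id):
            findings.append("ODM ID: Slot 1 matches expected value")
        else:
            findings.append(f"ODM ID: Slot 1 {info['odm_id_slot1']} differs from expected {expected_odm_id}")
    return findings


def run_txeinfo(exe: str = "TXEInfoWin.exe") -> dict:
    """Run the real tool on a Windows platform and parse its output (not exercised offline)."""
    out = subprocess.run([exe], capture_output=True, text=True, check=False).stdout
    return parse_txeinfo(out)


# Constructed samples: the line layout is assumed; only the quoted phrases come from the document.
SAMPLE_TXEINFO_DAL = """\
Intel(R) TXEInfo (constructed sample)
FW Capabilities:
    Intel(R) Dynamic Application Loader - Present/Enabled
    Placeholder Capability - Not Present
ODM ID:
    Slot 1: 0x0000ABCD
"""
SAMPLE_TXEINFO_NO_DAL = """\
Intel(R) TXEInfo (constructed sample)
FW Capabilities:
    Placeholder Capability - Not Present
"""

if __name__ == "__main__":
    for name, sample in (("with DAL", SAMPLE_TXEINFO_DAL), ("without DAL", SAMPLE_TXEINFO_NO_DAL)):
        print(name, ipt_prerequisite_findings(sample, expected_odm_id="ABCD"))
```

Because TXEInfo omits the Dynamic Application Loader line entirely when DAL is absent, the parser treats "no line" as "Not Present" instead of "unknown"; a platform without DAL cannot run the Intel® IPT applets at all, so that case should fail the bring-up checklist rather than be silently skipped.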
These components are provided by Intel. The Intel® TXEI driver and Intel® IPT Middleware
are provided through the Intel® TXE kit and are installed during Intel® TXE bring-up by the
OEM.
Note: ISVs receive the middleware software component from Intel in order to develop and
validate their client application.
ISV Client: The ISV provides a client application or web browser plugin that
exposes an interface to the various third-party applications that want to use the IPT
service. The ISV client/plugin uses Intel® IPT Client Middleware to communicate
with Intel® TXE and/or the Embedded App. This is provided by the ISV to the OEM
or to the end user.
Embedded App: This component can be an app that implements the OTP Token
Activation and Generation algorithms, an app that generates/opens a Protected
Transaction Display image, or an eCommerce/authentication app. This is provided
by the ISV.
The Intel® IPT compliance kit is not designed for stress testing and should be used
only to confirm Intel® IPT functionality.
Confirm that the Intel® IPT host components are available (MEI driver and Intel® IPT Client
Middleware) (2)
Confirm that a signed applet can be loaded (2 1)
Exercise communication channel between Intel® IPT Client Middleware and the
applet (1 2)
Verify that the certificates required for IPT (EPID) are provisioned into the FW
Confirm Protected Transaction Display basic functionality
Confirm Tap & Pay functionality
Notes:
Non-Intel functionality (3 & 4) is not covered by Intel. The ISV is responsible for end-
to-end testing.
For IPT testing, you must match Production FW with Production parts and Non-
Production FW with Non-Production parts.
For PAVP testing (required for Protected Transaction Display), you must match
Production FW with Production parts and Non-Production FW with Non-Production
parts.
Confirm that the Intel® IPT browser plugin loads successfully and can call the different
Intel® IPT DLL files.