Intel® Identity Protection

Technology (Intel® IPT)

Enablement
Technical Integration Document for Bay Trail-T platforms

February 2013

Revision 0.5

Intel Confidential

Document Number: 519711

 Introduction

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED,
BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS
PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER
AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS
INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR
INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.
A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in
personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION,
YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS,
OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE
ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR
DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS
SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS
PARTS.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the
absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future
definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The
information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to
deviate from published specifications. Current characterized errata are available on request.

Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.
Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained
by going to: http://www.intel.com/design/literature.htm
Lead-free: 45nm product is manufactured on a lead-free process. Lead is below 1000 PPM per EU RoHS directive (2002/95/EC,
Annex A). Some EU RoHS exemptions for lead may apply to other components used in the product package. Halogen-free:
Applies only to halogenated flame retardants and PVC in components. Halogens are below 900 PPM bromine and 900 PPM
chlorine.
Code names featured are used internally within Intel to identify products that are in development and not yet publicly announced
for release. Customers, licensees and other third parties are not authorized by Intel to use code names in advertising, promotion
or marketing of any product or services and any such use of Intel's internal code names is at the sole risk of the user.
Intel Identity Protection Technology (Intel IPT), Intel Management Engine (Intel ME), Intel Management Engine Interface (Intel
MEI), Intel Core™, Intel vPro™, Intel Services, Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and other
countries.
*Other names and brands may be claimed as the property of others.
Copyright © 2013, Intel Corporation. All rights reserved.

2 Intel Confidential 519711

Introduction

Contents
1  Introduction .....................................................................................................5 
1.1  What is Intel® IPT? .................................................................................5 
1.2  Intel® IPT System Architecture .................................................................6 
1.2.1  Protected Transaction Display (PTD) Components ..........................7 
1.2.2  NFC for eCommerce and Authentication (Tap-to-Pay) Components ...8 
2  Platform Preparation for Intel® IPT Usage ........................................................... 10 
3  Firmware Tools Support ................................................................................... 11 
3.1  Flash Imaging Tool (FITC) ..................................................................... 11 
3.1.1  ODM ID ................................................................................. 11 
3.1.2  PAVP ..................................................................................... 11 
3.1.3  NFC* ..................................................................................... 12 
3.1.4  FPT – Flash Programming Tool .................................................. 12 
3.1.5  TXEINFO ................................................................................ 12 
4  OS Integration and Software Components .......................................................... 13 
4.1  Client-side Architecture ......................................................................... 13 
®
5  Intel IPT Compliance Validation ....................................................................... 15 

Figures
Figure 1-1. Intel® IPT System Architecture ...........................................................6 
Figure 3-1. How to Configure ODM ID ................................................................ 11 
Figure 3-2. How to enable PAVP ........................................................................ 12 
Figure 3-3. ODM ID Slot 1 Value ....................................................................... 12 
Figure 4-1. Client Architecture .......................................................................... 13 
Figure 5-1. Intel® IPT System Architecture ......................................................... 15 

519711 Intel Confidential 3

 Introduction

Revision History

Document Revision Description Revision Date

Number Number

519711 0.5  Initial release February 2013

4 Intel Confidential 519711

Introduction

1 Introduction
This document covers the Intel® Identity Protection Technology (Intel® IPT) platform
integration process for OEMs. It describes the technology, enablement flow, software
components and testing overview.

1.1 What is Intel® IPT?

Intel® Identity Protection Technology (Intel® IPT) is an integrated chipset-based
security feature which provides a simple way for web sites and enterprises to validate
that a user is logging in from a trusted PC by enabling second factor of authentication
on the platform.

Intel® IPT portfolio includes a variety of security features:

 Intel® IPT with One-Time-Password (OTP) – integration of algorithms from OTP
Independent Software Vendors (ISVs) into the Intel® Management Engine which
enables strong authentication by adding 2nd factor of authentication on top of the
traditional username and password.
 Intel® IPT with Protected Transaction Display (PTD) - User Presence and
transaction verification thru a secure I/O (PAVP protected window not visible to
software/OS). This feature displays output to the user and collects input with
assurance that the OS cannot monitor or tamper the exchange (Requires Intel
graphics or switchable graphics).
 Intel® IPT with Public Key Infrastructure (PKI) – Enables strong user and platform
authentication for enterprise by using PKI certificates embedded into Intel®
Management Engine.
Note: This is an Intel® vPro™ only feature.
 Intel® IPT with Near Field Communication (NFC) – Secured online payments and
authentication using NFC. Enables users to securely access online services and
ecommerce payments by using contactless smart cards on their NFC enabled
tablet, thus bringing in at the same time security and ease of use.

519711 Intel Confidential 5

 Introduction

1.2 Intel® IPT System Architecture

Figure 1-1. Intel® IPT System Architecture

The figure above shows the Intel® IPT architecture and ISV’s client/server components
used for the OTP, Protected Transaction Display and NFC card reader.

6 Intel Confidential 519711

Introduction

1. Intel® Trusted Execution Engine (Intel® TXE) provides a mechanism to

dynamically load and run an Applet (OTP/PTD/PKI/NFC Card reader) in the Intel®
TXE operating environment contained in the chipset (PCH).
Note: Only signed (by Intel) apps can run on Intel® TXE.
2. Intel® IPT Client Middleware - An ISV uses the APIs exposed by the Intel® IPT
Client Middleware in their Client application/browser plug-in to communicate with
the Embedded App in Intel® TXE via the Intel® TXEI driver in the OS.
3. ISV Client app (can be an installed application or a Web browser plug-in)
communicates with the ISV server on the cloud for:
a. Intel® IPT Token Activation and OTP Verification
b. Intel® IPT Protected Transaction Display image encrypt/decrypt and user
input verification.
c. Near Field Communication (NFC) card processing for e-commerce
4. An ISV integrates the Intel® IPT Server SW into their ISV Server for enhancing
security during the IPT Token Activation process, Protected Transaction Display
image encryption/decryption and NFC card processing.

1.2.1 Protected Transaction Display (PTD) Components

Figure 1-2. PTD Components

Intel® IPT Client Middleware includes the PTD DLL component which manages the
Protected Transaction Display (PTD) interactions between applications and the
platform. It provides an interface for allowing applications to initialize secure graphics
sessions and for generating encrypted images to be displayed on the screen. It also
stores user mouse click co-ordinates to be forwarded to the embedded app for
processing.

519711 Intel Confidential 7

 Introduction

PTD Embedded App – Responsible for generating images, encrypting them with the
PAVP stream key; and analyzing user’s click co-ordinates.

Protected Transaction Display (PTD) is only supported with Intel graphics.

1.2.2 NFC for eCommerce and Authentication (Tap-to-Pay)

Components
Contactless smart cards using NFC* are considered more secure because of hardware
protections built into the smart card and direct connection to the TXE. Intel® IPT Tap-
to-Pay enables users to securely access online services and e-commerce payments by
simply tapping these cards on their NFC enabled Tablet, thus bringing in at the same
time security and ease of use. These smart cards are considered highly secure
because of the hardware protections built into the smart card. Tap-to-Pay brings
security and ease of use of NFC to online transactions using the Tablet.

Intel is working with ISVs in order to integrate the Intel® IPT client/server components
and develop the complete e2e solution for Tap-to-Pay.

The payment service providers develop the embedded NFC applet running in Intel®
TXE. On the server side, the service provider integrates the Intel® IPT server
components that are used during the provisioning process.

Figure 1-3 (below) demonstrates the general flow of Tap-to-Pay

Note: This is a conceptual flow for illustrative purpose only.

8 Intel Confidential 519711

Introduction

Figure 1-3. eCommerce Flow

Registration:
 User registers contactless credit card via an IPT enabled PC
 IPT provisioning creates a binding between the user’s credit card and PC
 User creates a user profile

Shopping:
 At check-out step, pop-up prompts user to use their stored credit card or required
to tap credit card again
 The Intel® IPT enabled PC communicates securely with the Back-end server and
forwards user profile to auto form-fill check-out
 Websites require no change to connect to payment gateway

519711 Intel Confidential 9

 Platform Preparation for Intel® IPT Usage

2 Platform Preparation for

Intel® IPT Usage
The following describes the requirements from the OEM to prepare the Tablet for
Intel® IPT usage:
 OEM enables the Intel® Trusted Execution Engine in the system firmware.
 In addition to the TXE being turned on, there is one Intel® IPT-specific parameter
in the Intel® TXE image – unique ODM ID (using FITC tool, details in FW Tools
Support section). This parameter is not mandatory but should be configured for
business relations between the OEM and ISV.
 OEM pre-loads the TXEI driver and Intel® IPT Client Middleware (included in the
general Intel® TXE installer). All provided by Intel.
 OEM enables PAVP (Protected Audio and Video Path) in the firmware image which
is required for Protected Transaction Display (PTD).
 For ecommerce using NFC support (Tap-To-Pay), OEM must enable NFC module
and driver.
 OEM runs the Intel® IPT tests on a representative sample of platforms. Intel
provides the necessary test tools and instructions (available as a standalone Intel®
IPT Kit on Intel’s Validation Internet Portal and as part the Tablet test tool).
 OEM may pre-install the OTP ISV client (provided by an ISV).
 On Windows* 8 UI mode, OEM must install the Intel® Experience Center app
which is required for Intel® IPT functionality. The Intel® Experience Center is a
Windows* 8 Store Application provided by Intel to:
 Enhance user messaging - will help users discover, learn about, and launch
Intel applications, while providing a Welcome User Message, and avoiding
individual pop ups. It will also include videos, tutorials and links to the various
Intel applications.
 Allow hardware differentiation - It will include an integrated Windows* Store
Device App (WSDA), which enables hardware access, allowing hardware
differentiation and platform identification
 Allow easy access - It will have a single UI tile for all Intel applications, saving
tile space
For more details about IEC enablement and testing, please refer to IEC
documentation.

10 Intel Confidential 519711

Firmware Tools Support

3 Firmware Tools Support

3.1 Flash Imaging Tool (FITC)

FITC – Used for Intel® TXE FW Configuration. The following parameters are related
to Intel® IPT:

3.1.1 ODM ID
ODM ID used by Intel® Services. This parameter is for tracking which OEM platforms
(brand-wise) Intel® IPT Technology is being used on. This ID is provided by Intel to
the OEM during the development stage.
Located at: TXE Region  Configuration  Setup and Configuration
(see Figure 3-1)

Note: ODM ID is not mandatory but recommended for platform identification between the
OEM and the ISV (e.g., potential for business agreement between OEM & ISV)

Figure 3-1. How to Configure ODM ID

3.1.2 PAVP
PAVP - Protected Transaction Display (PTD) requires Protected Audio Video Path
(PAVP) to be enabled. PAVP configuration: “PAVP Permanently Disabled?” should be
set to “no” in order for PAVP to be enabled on the image.
Located at: TXE Region  Configuration  Features Supported (see Figure 3-2)

519711 Intel Confidential 11

 Firmware Tools Support

Figure 3-2. How to enable PAVP

3.1.3 NFC*
NFC – eCommerce (Tap-n-Pay) requires NFC to be enabled on the platform. For
details about platform preparation for NFC integration please refer to NFC
documentation.

3.1.4 FPT – Flash Programming Tool

FPT – This tool supports the following functions

Note: The examples below are from FPTW but they are also applicable for DOS FPT):
 Retrieve “ODM ID” value. In order to retrieve this parameter from the firmware,
run the following FPT command (this example refers to FPT for Windows):
FPTW.exe -r "ODM ID used by Intel (R) Services”
 Set “ODM ID” value thru the FOV mechanism:
FPTW.exe –u –n “ODM_ID” –v <HEX Value>

3.1.5 TXEINFO
TXEINFO – This tool provides information about Intel® TXE Dynamic Application
Loader state which is the infrastructure required for Intel® IPT.
 Run TXEInfoWin.exe to check if Intel® TXE Dynamic Application Loader is available
on the platform (Present / Not Present).
Intel® TXE Dynamic Application Loader state is captured under “FW Capabilities”
section. TXEInfo only shows Intel® TXE Dynamic Application Loader when it is
Present.
TXEInfo output: “Intel® Dynamic Application Loader Present/Enabled”.
 TXEInfo also displays the ODM ID value (called “Slot 1”). Following is the capture:

Figure 3-3. ODM ID Slot 1 Value

12 Intel Confidential 519711

OS Integration and Software Components

4 OS Integration and Software

Components

4.1 Client-side Architecture

Figure 4-1. Client Architecture

519711 Intel Confidential 13

 OS Integration and Software Components

The following software components need to be installed on the platform:

 Intel® Trusted Execution Engine Interface (Intel® TXEI) Driver: This is the
interface used for communication between the host OS components and the Intel®
TXE components (included in the Intel® TXE kit).
 Intel® IPT Client Middleware: Exposes an API that allows communication
between the ISV client and the Embedded App. Intel® IPT middleware is installed
as a component by the general Intel® TXE installer.

These components are provided by Intel. Intel® TXEI driver and Intel® IPT Middleware
are provided thru the Intel® TXE kit and installed during Intel® TXE bring up by the
OEM.

Note: ISVs receive the middleware software component from Intel in order to develop and
validate their client application.
 ISV Client: The ISV provides a client application/web browser plugin which
exposes an interface to the various 3rd Party applications that want to use the IPT
service. The ISV Client/plugin uses Intel® IPT Client Middleware to communicate
with Intel® TXE and/or the Embedded App. This is provided by the ISV to the OEM
or to the end user.
 Embedded App: This component can be an app that implements the OTP Token
Activation and Generation algorithms, an app that generates/opens a Protected
Transaction Display image or an ecommerce/authentication app. This is provided
by the ISV.

14 Intel Confidential 519711

Intel® IPT Compliance Validation

5 Intel® IPT Compliance

Validation
Intel® IPT compliance test kit is available on VIP as a standalone kit (name: Intel® IPT
Kit) to validate the readiness of Intel-provided client components for ISV applications.
The kit includes documentation and Intel® IPT testing tools.

Intel® IPT compliance kit is not designed for stress testing and should be used to
confirm the Intel® IPT functionality only.

Intel® IPT compliance consists of 3 different tests:

1. Intel® IPT Compliance – General IPT tests (see details below)
2. Protected Transaction Display (PTD) Compliance – A windows based graphical tool
showing the Protected Transaction Display image.
3. Intel® IPT Plugin Compliance – An HTML web page that verifies that Intel® IPT
middleware can be reached by the web browser

Figure 5-1. Intel® IPT System Architecture

Tests included in Intel® IPT compliance suite:

 Confirm Intel® TXE firmware includes the Intel® IPT infrastructure (1)

519711 Intel Confidential 15

 Intel® IPT Compliance Validation

 Confirm Intel® IPT Host components are available (MEI driver & Intel® IPT Client
Middleware)(2)
 Confirm that a signed applet can be loaded (2  1)
 Exercise communication channel between Intel® IPT Client Middleware and the
applet (1  2)
 Verify that the certificates required for IPT (EPID) are provisioned into the FW
 Confirm Protected Transaction Display basic functionality
 Confirm Tap & Pay functionality

Notes:
 Non-Intel functionality (3 & 4) is not covered by Intel. ISV is responsible for end-
to-end testing.
 For IPT testing, you must match Production FW with Production parts and Non-
Production FW with Non-Production parts.
 For PAVP testing (required for Protected Transaction Display), you must match
Production FW with Production parts and Non-Production FW with Non-Production
parts.

Test included in PTD test tool:

Confirm the secured output is displayed on the screen (Pin Pad).

Tests included in Plugin compliance test:

Confirm that the Intel® IPT browser plugin load successfully and can call the different
Intel® IPT DLL files.

For detailed validation procedures refer to "Intel® IPT validation doc"

included in the Intel® IPT kit.

16 Intel Confidential 519711