Chipmaker Intel is working on an identity authentication
system it will build into its products to provide what it claims is
vastly greater confidence in web-based transactions. But it may be
five years before it is commercially available.
Speaking at RSA 2008, Intel principal engineer Connor Cahill said
the company, UK telco BT and software house Symlabs had developed a
proof of concept for a possible hardware-based identity authentication
system. Dubbed "Liberty Sim", the technology would create an
"isolated area" on the chip, plus systems to issue and manage
permissions through the lifetime of the machine, and possibly the
user.
Noting that banks no longer trust software-based security
systems, Cahill said banks trusted a security system more if it was
hardware-based. He said the move was needed because, "You can't
trust browsers and operating systems anymore."
But he said the system is not close to commercial production.
One of the weaknesses is provisioning, where it was vital to ensure
that the person and machine being authenticated were real and who
they said they were. "But provisioning is a rare event," he said.
"And if you become suspicious, you can just cancel that Sim."
Other points the partners were debating include whether the user
will have rights over what is held in the isolated area on the
machine. "If you are tracking the machine you don't want the user
to be able to delete or change anything in the isolated area,"
Cahill said.
They were also looking at how permission associated with a user
could be transferred when, for example, they upgraded a
machine.
Cahill said the system could be used for any device that
communicates over a network. "BT sees this in the same way that it
does service provisioning for cellphones," he said.
Cahill used a software emulation of a user registering to use
BT's Openzone wireless
broadband communication system to illustrate the concept.
The user browses to BT Openzone which then conducts a rigorous
sign-up procedure to ensure it is addressing a real person "and not
a script", said Cahill. Once the reality of the user is confirmed,
BT Openzone's identity management server provides an "isolated
area" on the chip in the user's machine with a "Sim".
The user then requests access to BT Openzone services. BT
Openzone asks the Sim in the user's machine to fetch a certificate
from a different server in the BT Openzone authentication server.
Once it receives the certificate, another application on the user's
machine in the isolated area checks that it has the right Sim and
certificate and grants access to the network.