Chipmaker Intel is working on an identity authentication system it will build into its products to provide what it claims is vastly greater confidence in web-based transactions. But it may be five years before it is commercially available.
Speaking at RSA 2008, Intel principal engineer Connor Cahill said the company, UK telco BT and software house Symlabs had developed a proof of concept for a possible hardware-based identity authentication system. Dubbed "Liberty Sim", the technology would create an "isolated area" on the chip, plus systems to issue and manage permissions through the lifetime of the machine, and possibly of the user.
Noting that banks no longer trust software-based security systems, Cahill said banks trusted a security system more if it was hardware-based. He said the move was needed because, "You can't trust browsers and operating systems anymore."
But he said the system is not close to commercial production. One of its weaknesses is provisioning, where it is vital to ensure that the person and the machine being authenticated are real and are who they claim to be. "But provisioning is a rare event," he said. "And if you become suspicious, you can just cancel that Sim."
Other points the partners were debating included whether the user will have rights over what is held in the isolated area on the machine. "If you are tracking the machine you don't want the user to be able to delete or change anything in the isolated area," Cahill said.
They were also looking at how permission associated with a user could be transferred when, for example, they upgraded a machine.
Cahill said the system could be used for any device that communicates over a network. "BT sees this in the same way that it does service provisioning for cellphones," he said.
Cahill used a software emulation of a user registering to use BT's Openzone wireless broadband communication system to illustrate the concept.
The user browses to BT Openzone which then conducts a rigorous sign-up procedure to ensure it is addressing a real person "and not a script", said Cahill. Once the reality of the user is confirmed, BT Openzone's identity management server provides an "isolated area" on the chip in the user's machine with a "Sim".
The user then requests access to BT Openzone services. BT Openzone asks the Sim in the user's machine to fetch a certificate from a different server, the BT Openzone authentication server. Once it receives the certificate, another application in the isolated area on the user's machine checks that it has the right Sim and certificate and grants access to the network.