Feeds

Secure identity begins at home

Intel identity platform targets PCs

  • alert
  • submit to reddit

Boost IT visibility and business value

If your digital identity is going to mean anything, it has to be secured, and Shelagh Callahan of Intel's Systems Technology Lab thinks that has to start on your PC. She compares the state of identity today to early car designs, each with a different way of starting the engine; today every car has a key and you just have to find the ignition.

"With identity, not only do we not know where to put the ignition key, we don't even know there is a key. We want to make the platform understand what a key is and how you can use it. The intent is to make platforms as capable to understand identities in the future, as they are currently able to understand devices - to know what they are, how to 'load' them, how to find and associate resources, how to delete them, how to establish policy for them and so on."

Too many passwords, over-used identifiers that quickly lose any security they had (how hard is it to find your mother's maiden name?), poor privacy; the way we work with identity on our PCs is full of problems and it isn't flexile enough to actually do what we want it to. "I must know exactly who you are and how to find you but you must be able to be anonymous and I must be able to prove I'm not snooping. How can you be both strongly authenticated and anonymous?"

Single sign-on doesn't solve things, Callahan says. "With most solutions I have to give up control to get sanity." And you'll never get one single sign-on. "Intel won't federate with Amazon or with my local utility company." The only things all the services and suppliers have in common are you - and the devices you use.

The idea of the identity-capable platform is to authenticate to the platform itself on your device, rather than to a remote service. That avoids interception problems; you aren't broadcasting your biometrics or your smartcard authentication. You can prove who you are without handing over the credentials you use to prove it.

Callahan talks about a secure partition on your PC using the Trusted Platform Module chip. You authenticate yourself to the partition using a fingerprint reader, swipe card, mobile phone SIM or other secure methods and the partition provides your identity to remote sites and services, via web services being developed by the Liberty Alliance. There's no need for a site to deploy a Liberty Federation infrastructure to use ICP identities.

As well as authenticating you to services that need to know who you are, the identity platform can authorise you for services that need to know what you're allowed to do but not who you are. It can also introduce one person, service or device to another, again via web services.

If you travel, getting one bill for data connections from your mobile operator is simpler and often cheaper than paying for every hotspot individually - Callahan's team has worked on a prototype system where your mobile phone SIM gives you access to hotspots on your laptop. So if you want to set up a Wi-Fi account using the same identity as your mobile phone, the identity provisioning system can create a new identity that corresponds to the existing identity, using the TPM to lock the credentials to the platform for security. There will also be tools for linking identities (you might want to link a credit card identity to a membership identity so it gets renewed automatically), deleting identities and transporting them to other devices you use.

Services trust the platform because they trust that it's accurate and secure; the platform can assert how trustworthy it is by disclosing which secure method you've chosen to use. For users to trust it they have to be in control of where it identifies them, so there are policies for controlling who can use the authenticated identity claims you provide and what they can use them for.

"To the service providers the platform can act as a full partner in the infrastructure's identity strategy. And for the end user, their platform can safely store their personal information and they can more easily choose what they wish to disclose and to whom," Callahan says. The platform can also store preferences and metadata connected to an identity.

Callahan sees the identity platform inside the PC becoming part of the identity metasystem that Microsoft's Kim Cameron and others are arguing for. Identity selection technologies like Microsoft's CardSpace (formerly InfoCard) could use the platform as a way of storing and authenticating your Information Cards, as could the connection manager for your network association or an identity provider like your ISP, bank or enterprise IT team.

"The identity-capable platform is a strong complement to identity infrastructure, not competition for it," she says. "It is not about providing applications and services, but it is about making sure applications and services (including operating system level applications and services) can depend on consistent, standards-based support of identity functions."

Multi-core chips and virtualisation make it easier to switch from thinking about multi-tasking to envisioning a PC with different partitions and platforms providing secure, isolated services, whether that's identity, the network connection or a third-party maintenance service. The combination of partitions and services is behind all of Intel's current platforms like ViiV and vPro - although the identity platform is still a research project rather than something planned for a specific Intel release. ®

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?