
Secure identity begins at home

Intel identity platform targets PCs


If your digital identity is going to mean anything, it has to be secured, and Shelagh Callahan of Intel's Systems Technology Lab thinks that has to start on your PC. She compares the state of identity today to early car designs, each with a different way of starting the engine; today every car has a key and you just have to find the ignition.

"With identity, not only do we not know where to put the ignition key, we don't even know there is a key. We want to make the platform understand what a key is and how you can use it. The intent is to make platforms as capable to understand identities in the future, as they are currently able to understand devices - to know what they are, how to 'load' them, how to find and associate resources, how to delete them, how to establish policy for them and so on."

Too many passwords, over-used identifiers that quickly lose whatever security they had (how hard is it to find your mother's maiden name?), poor privacy: the way we work with identity on our PCs is full of problems, and it isn't flexible enough to do what we actually want it to. "I must know exactly who you are and how to find you but you must be able to be anonymous and I must be able to prove I'm not snooping. How can you be both strongly authenticated and anonymous?"

Single sign-on doesn't solve things, Callahan says. "With most solutions I have to give up control to get sanity." And you'll never get one single sign-on. "Intel won't federate with Amazon or with my local utility company." The only things all the services and suppliers have in common are you - and the devices you use.

The idea of the identity-capable platform is to authenticate to the platform itself on your device, rather than to a remote service. The fingerprint, smartcard response or SIM secret is checked locally and only an assertion about the result leaves the machine, so you aren't broadcasting your biometrics or your smartcard authentication across the network, and a snooper on the wire sees a statement about you rather than something that can be replayed as you. You can prove who you are without handing over the credentials you use to prove it.

Callahan talks about a secure partition on your PC, anchored in the Trusted Platform Module (TPM) chip. You authenticate yourself to the partition using a fingerprint reader, swipe card, mobile phone SIM or another secure method, and the partition provides your identity to remote sites and services via web services being developed by the Liberty Alliance. There's no need for a site to deploy a Liberty Federation infrastructure to use identity-capable platform (ICP) identities.

As well as authenticating you to services that need to know who you are, the identity platform can authorise you for services that need to know what you're allowed to do but not who you are. It can also introduce one person, service or device to another, again via web services.

If you travel, getting one bill for data connections from your mobile operator is simpler and often cheaper than paying for every hotspot individually - Callahan's team has worked on a prototype system where your mobile phone SIM gives you access to hotspots on your laptop. So if you want to set up a Wi-Fi account using the same identity as your mobile phone, the identity provisioning system can create a new identity that corresponds to the existing identity, using the TPM to lock the credentials to the platform for security. There will also be tools for linking identities (you might want to link a credit card identity to a membership identity so it gets renewed automatically), deleting identities and transporting them to other devices you use.

Services trust the platform because it can say how it authenticated you: the platform asserts its own trustworthiness by disclosing which secure method you chose, so a service knows what the assertion it receives is worth. For users to trust it, they have to be in control of where it identifies them, so there are policies for controlling who can use the authenticated identity claims you provide and what they can use them for.

"To the service providers the platform can act as a full partner in the infrastructure's identity strategy. And for the end user, their platform can safely store their personal information and they can more easily choose what they wish to disclose and to whom," Callahan says. The platform can also store preferences and metadata connected to an identity.

Callahan sees the identity platform inside the PC becoming part of the identity metasystem that Microsoft's Kim Cameron and others are arguing for. Identity selection technologies like Microsoft's CardSpace (formerly InfoCard) could use the platform as a way of storing and authenticating your Information Cards, as could the connection manager for your network association or an identity provider like your ISP, bank or enterprise IT team.

"The identity-capable platform is a strong complement to identity infrastructure, not competition for it," she says. "It is not about providing applications and services, but it is about making sure applications and services (including operating system level applications and services) can depend on consistent, standards-based support of identity functions."

Multi-core chips and virtualisation make it easier to switch from thinking about multi-tasking to envisioning a PC with different partitions and platforms providing secure, isolated services, whether that's identity, the network connection or a third-party maintenance service. The combination of partitions and services is behind all of Intel's current platforms like ViiV and vPro - although the identity platform is still a research project rather than something planned for a specific Intel release. ®
