Technology Stocks : WAVX Anyone?


To: Rich Fagan who wrote (7384) 6/10/1999 4:24:00 PM
From: cm
 
Rich...

As you may or may not recall, WAVX has done a deal with (sic) Pollex
and, I assume, NEC that will provide a biometric (in this case, I think it's fingerprint-based) security capability. I don't have a link to the exact press release... but I think it would answer (or, at least, address) both your questions.

Best Regards,

c m



To: Rich Fagan who wrote (7384) 6/10/1999 4:41:00 PM
From: Cosmo Daisey
 
More confirmation of the limited market for WAVX products based on hardware. Software products in the marketplace already have the solution at hand. Also, if you want to put a chip on a boxmaker's motherboard you have a tough assignment. One of my contacts designs boards for WebTV devices and part of his job is to make it tiny. Also the "next wave" of internet connectivity is expected to be hand held devices connecting wirelessly using "CDMA" and CDMA is naturally encrypted so the possibility of eavesdropping is to the X power.
OK pit bulls come on out of your cages.
Cosmo



To: Rich Fagan who wrote (7384) 6/10/1999 10:56:00 PM
From: SDR-SI
 
Rich,

Apologies for taking so long to answer your security questions.

The Wave/Embassy open standards "system within a system" concept
allows operation at various levels of security and under differing
identity infrastructures.

Any, none, or all of the following identity infrastructure elements
can be combined in a particular system implementation to provide the
desired level of security:

IDENTITY INFRASTRUCTURE ELEMENTS

MEANS OF              ANSWERS        EXAMPLES OF
AUTHORIZATION         QUESTION       OPERATIONAL IMPLEMENTATIONS
===================   ============   ======================================
Physical Possession   "I have ..."   Tokens, smart cards, keys, etc.

Operator Identity     "I am ..."     Biometrics, fingerprint readers,
                                     retinal readers, etc.

Classified Data       "I know ..."   Passwords, pin numbers, codes, etc.
Possession

Equipment Identity    "This unit     Encoded serial numbers, ID chips, etc.
                      is ..."

By combining more than one infrastructure element and requiring a
positive response to each and every element, the designer can decrease
the probability of false authentication below that provided by any of
the individual elements themselves.

To answer your questions:

> > >Wave Systems is primarily focused on authenticating
(establishing identity of) client HARDWARE, correct? < < <


Above would be correct if using the Embassy chip itself without any
of the additional implementations above.

> > >Isn't authenticating/identifying a HUMAN USER, not hardware,
what we really want to accomplish? < < <


In some applications it is, in which case Embassy allows one or more
of the above-noted personal identity security elements to be
integrated into the overall system to provide the desired level of
personal identity authentication (e.g. do not authenticate until user
provides the proper token AND enters a correct password AND has the
proper physical hand characteristics).

> > >If I've ordered content from somewhere, I want to be able to
receive it on any hardware that happens to be convenient and capable,
not just on one designated computer. And if I've ordered content for
a particular hardware, I want it to be sent only when it is I that is
using that hardware.< < <


This is the "multiple appliances for one account" problem, which is
addressed by the physical implementations which provide the
capability of moving the "system within a system" itself from place
to place with a smart card or by moving certain key encrypted and
stored data (account identity, balance, usage data, etc.) from place
to place with a smart card or smart token, and, optionally, also
requiring some other identity establishing element to be satisfied.

> > >An alternative technique is being pursued by Carver Mead ---
recognizing the finger on a touchpad. While that takes it to the
person it would require all/most devices to have such a touchpad.
There has also been interest in recognizing the retina, but like the
touchpad that requires a camera.< < <


As noted above either of these elements can be combined into an
Embassy-based system.

Key additional elements of Embassy include its independently
encrypted storage of any required on-board authentication references
(e.g. the data elements of the authorized retinal characteristics are
themselves recorded and resident within the "system within a
system"), as well as metering capability. Because all such
authentication data exists only in encrypted form and exists only
within the "system within a system", a level of "trust" is
established at the client level, which does not exist in other
content control systems.

I apologize for the length of the above and hope that I have answered
your questions and have not created more confusion than I have
eliminated.

A better understanding of the above can be gained by reviewing the
technical sections of the Wave website and by looking over the
Wave/Pollex (fingerprint id) press releases and technical data.

Steve



To: Rich Fagan who wrote (7384) 6/11/1999 10:50:00 AM
From: Mammon
 
Rich:
Here's an interview referenced over on RB by HP enterprise security expert Regis Duret in which he points out some security issues with the use of biometrics:
dtf.external.hp.com

From the article:

"A password can be guessed, a smart card can be stolen, and your biometric fingerprint image can be stolen as well, directly from your PC - and that's something people don't often realize. It's very difficult to get your finger, but think about it: when you log in to a PC using fingerprint authentication, you put your finger on a small device, and that device captures an image and sends it to the PC. So it's just a file that people can hack. If somebody can get that file they can log in to your PC anytime they like.

Q. So biometric spoofing is not necessarily difficult?

Not if you have access to somebody's PC. In biometrics, it's not your fingerprint that they reference, it's a mathematical model of your fingerprint. It's just a file that sits on your hard drive. So if somebody can get access to that file they can send it again - what we call a replay attack. And the fact that biometrics cannot be changed is then an issue. Because if somebody knows your password, I can ask you to change your password. But if somebody has your fingerprint file, I cannot ask you to change your fingerprint."
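
The replay problem described in the quoted interview, as an added illustration that is not part of the original posts and is not Wave, Embassy or HP code: a verifier that accepts the stored template itself is satisfied by any copy of that file, while one that requires a keyed response to a fresh, single-use challenge rejects a resent message. The template bytes, the device key and all function names are constructed for the example, and an exact-match comparison stands in for real (fuzzy) biometric matching.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the "mathematical model" of a fingerprint.
ENROLLED_TEMPLATE = b"constructed-minutiae-template-0001"
# Hypothetical per-device key, assumed to stay inside the reader hardware.
DEVICE_KEY = secrets.token_bytes(32)

def static_verify(message):
    """Replayable design: whoever presents the template bytes is accepted."""
    return hmac.compare_digest(message, ENROLLED_TEMPLATE)

class ChallengeVerifier:
    """Accepts only an HMAC over a nonce it issued and has not yet seen used."""
    def __init__(self, key):
        self._key, self._pending = key, set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)  # each challenge is single use
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return response is not None and hmac.compare_digest(response, expected)

def reader_respond(key, sample, nonce):
    """Reader matches locally and signs the nonce; the template never leaves it."""
    if not hmac.compare_digest(sample, ENROLLED_TEMPLATE):
        return None
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    """Returns (static replay, live login, same-nonce replay, new-nonce replay)."""
    captured = ENROLLED_TEMPLATE             # a copy of the template file
    static_replay = static_verify(captured)  # the copy logs in
    server = ChallengeVerifier(DEVICE_KEY)
    n1 = server.challenge()
    r1 = reader_respond(DEVICE_KEY, ENROLLED_TEMPLATE, n1)
    live = server.verify(n1, r1)             # genuine, fresh response
    same_nonce = server.verify(n1, r1)       # resent: nonce already consumed
    new_nonce = server.verify(server.challenge(), r1)  # old response, new nonce
    return static_replay, live, same_nonce, new_nonce
```

The second design only holds if the key and the template stay inside the reader; a key that can be read off the PC is as replayable as the template file.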