Is it E-OK to proceed?
ARLINGTON, VA, Mar 22 – OK, perhaps the most popular American expression ever repeated throughout the world, takes on new meaning when it comes to electronic commerce and communications. Is it OK to trust that unseen person or entity with whom you are communicating via computer at a time when computer-based connectivity has never been so pervasive or so vulnerable?
There’s hardly a financial or data-based transaction conducted today that is not processed electronically. The Internet is only the tip of the iceberg. Use a credit card in a store or restaurant, an ATM machine to withdraw money from your bank account or place an order by phone and you can bet that a computer network is involved in the process. And, you know who likes to test the security of computer networks, don’t you? Hackers. They like it so much, in fact, that reports from the Computer Security Response Team at Carnegie Mellon University show that the incidence of computer break ins is growing at a compounded rate of 123% a year.
“Andrew Jackson, who inadvertently coined the term OK in 1790, had it easy; he just initialed his paper receipt with an O, a K and his initials to authenticate his transactions. The astronauts knew it was safe to proceed with their adventures in space when they received an A-OK from mission control. What we need today is a surefire way for all of us to E-OK, or validate, electronic commerce on and off the Internet,” according to Jeff Minushkin, CEO and founder of Priva Technologies, Inc.
A Universal Standard
Ask a question of a Russian or a Bulgarian, a Japanese person or a resident of a remote Chinese village, even a Berber or Bedouin tribesman, and don’t be surprised if you get an OK in response. It is Stonewall Jackson who is credited with creating the acronym when he tried to abbreviate the term Order Received on a receipt and initialed it O.K. instead of O.R. The shorthand may not have been apt, but it took hold and quickly, in historical terms, became a universal symbol of acceptance.
“What we need in the 21st century is an electronic OK that can be utilized across a variety of technological frontiers,” says Minushkin.
According to him, most computer security techniques today are so focused on keeping people out that they do a poor job of providing a safe and easy way to give an OK to the people you want to let in. “There is no disagreement among the experts that user ID and password systems are too weak to be of much use. The research will also tell you that encryption systems are too cumbersome and/or costly to be universally adaptable. And, off-the-shelf microchip technologies have limited value,” he notes.
Minushkin believes he and his fellow engineers at Priva may have found the “holy grail” of authentication – a way for all parties in a transaction, whether it be an exchange of e-mail or data, a business or financial transaction or a go-ahead for physical and computer access, to prove that it is OK for them to proceed with what they want to do.
How to create a trusted transaction...
The systems available today to prove the identities of individuals who are interacting electronically do a pretty good job of it, but they do not erase all the concerns that may exist. For the most part they use two factors to authenticate a user and even in three-factor systems there’s room for doubt. “That’s because the dynamics of their methodologies are limited,” according to Minushkin.
The experts will tell you that to be sure of the identity of a party in an electronic transaction, you must prove that the device the individual is using to make a connection belongs to the person using it, that the person using the device knows something only the owner of the device knows and that the person using the device is the actual owner of the device. There are a variety of ways to check these verifiers. Some systems use methods that are easy to employ but not very robust. Others use stronger means of authentication, but they can be so cumbersome that the user will bypass the security measures or abort the connection.
“There’s a very good reason for these inadequacies,” says Minushkin.“ It’s because all of the systems out there rely on technologies that were developed for other purposes to create their solutions. Thus, none of them provides the combination of user convenience, robust security, and flexibility that the marketplace demands. Online-only systems forget that people live and work in the physical world, and offline-only solutions ignore the network power of the Internet.
“We solved these issues by creating a patent-pending security transaction platform that is intuitive, portable, extensible, and has the ability to authenticate not only the user but the network to which the user is seeking a connection,” he says.
At the heart of Priva’s Cleared Security Platform™ is a proprietary Application Specific Integrated Circuit [ASIC] that was designed by the company’s engineers explicitly for the purpose of secure authentication. The chip uses a variety of advanced technologies including what Priva calls, Adaptive Morphing TechnologyTM, which offers an important barrier to intrusion, reverse engineering and other security-related exposures by continuously morphing the codes and keys that block, unblock and otherwise govern the information processed by the chip to render it hacker-resistant.
Each of these chips, which can be embedded in cell phones and other types of handheld communications devices or in a special key chain appliance called the ClearedKeyTM, is unique and non-replicable, according to the company.
“The ASIC works in conjunction with a secure, host-based authentication server to create a two-part system with formidable authentication and security dynamics,” Minushkin explains. “Through a series of challenge processes the ClearedTM platform not only proves the identity of the user, the authenticity of the chip he or she is using and that the chip belongs to the user, it also proves that the server, the host-based ClearedHostTM, is legitimate and then it creates a connection that cannot be repudiated. The challenge process changes each time a transaction is initiated enabling the strongest security possible and creating a connection that can be trusted.”
The company points out that the Cleared platform is configured for the use of PIN, biometric or a combination of PIN and biometric identifiers, depending on the level of validation that is required.
Authentic Security
Minushkin predicts that its platform will begin appearing in a variety of applications starting in the first quarter of 2003. “Already the leading provider of enterprise software for financial institutions has announced that it will integrated our new technology into its full service banking platform for teller sign on applications. In addition to financial services, we are developing strategic relationships in the health care, government, consumer services, and OEM sectors to integrate the Cleared platform across a broad spectrum of enterprise applications,” he said.
Meanwhile, the company says it expects its platform to achieve FIPS certification within the next several months significantly increasing the number of organizations and institutions that can use Cleared services. Under the Information Technology Management Reform Act, the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by the NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions.
“Independent experts who have studied our approach have said that they believe the Cleared platform has the ability to become a trusted, universal authentication solution with a wide variety of computer and physical access applications. They said that because the platform uses application-specific microchip technology, it offers the highest levels of security available and robust identity verification while eliminating the need to remember passwords and avoiding the problems and weaknesses of current technologies.
“Add to that the fact that it doesn’t require third-party revocation systems or third-party certificate authorities and you have a solution that people will use. And since applications and upgrades happen on the platform’s authentication server, you are able to limit costs by not having to replace the computer chips and to maximize value by enabling an unlimited number of applications,” Minushkin added.
ABOUT PRIVA TECHNOLOGIES
Priva Technologies, Inc. provides a stand-alone, secure authentication solution for the builders, owners and managers of transaction systems that utilize, or should utilize authentication security. These include, applications that provide business-to-business transactions, enterprise security, secure e-mail, single-sign-on, travel reservations, online and offline purchases, payment services, banking, and financial products which are all empowered by user-friendly, highly secure authentication. Unlike other technologies that are notoriously hard to install or scale, have limited flexibility or are difficult for individuals to use, Priva's authentication system easily integrates with all sizes of enterprises and provides clear convenience for consumers. Priva, a privately held Delaware corporation, is headquartered in Arlington, VA, with engineering and technology facilities in Cupertino, CA