IBM to offer e-commerce security standard

Big Blue tomorrow will introduce the new chip as standard equipment on the IBM PC 300PL commercial computer and IBM IntelliStation E Pro workstation.

The chip enables users to encrypt data from the client system for security purposes or for use in electronic transactions, such as ordering products or signing contracts.

Data-scrambling technology typically requires a separate piece of hardware, such as a smart card reader, or relies on cryptography provided with the operating system or third-party software.

Using a security chip embedded on a computer's printed circuit board, or motherboard, is an innovation, said analysts. Users get two layers of security as the system depends on the hard-coded security chip and a user PIN code entered using software.

"What is stronger about this is the key pairs themselves are never exposed in public because they're managed inside the chip," explained Phil Hester, chief technology officer of the IBM Personal Systems Group.

IBM's security mechanism uses the public?key, private-key encryption method commonly used for creating digital signatures. Both keys, scrambled numbers and characters created in matched pairs, are required to open an encrypted document or authenticate a digital signature.

Highly secure
Crypto experts consider the public-private key pair method highly secure, and IBM will offer 256-bit key encryption and 1024-bit signature. Because of export restrictions, computers using the security chip will generally not be available outside the United States or Canada.

IBM will not charge extra for the security measure. Big Blue believes the security chip is an e-commerce enabling technology that, offered at no extra cost, will give it an important competitive advantage against rival PC manufacturers.

"IBM the last couple of years has been at the forefront of security technology," said Joe Ferlazzo, analyst with Technology Business Research. "IBM is laying what they hope will be a standard across clients."

The solution will appear on all IBM computer systems, including consumer PCs, over the next year. IBM also plans to license the chip technology to other PC manufacturers.

This first iteration "is aimed strictly at commercial customers, although consumers could go out and buy it," said Hester.

Two basic 300PL models with the chip will be available, each with 64MB of RAM and a 10.1GB hard drive, and 500-MHz Pentium III processor for $1,349 or 450-MHz Pentium III-based for $1,019.

The new 550-MHz Pentium III IntelliStation E Pro, announced today, also comes with the S3 Savage4 Xtreme graphics accelerator, 64MB of memory, and 10.1GB hard drive for $2,049.

The optional Smart Card Security Kit will be available for $169, adding another layer of security. Big Blue expects the embedded chip will be enough security for about 80 percent of customers.

IBM offers a smart card security kit with its portable ThinkPad line targeted at specific markets, such as finance and health care.

Big Blue had originally planned to use Intel's 820 chipset, code-named Camino, in both the PC and workstation but has switched to a competing solution from Via Technologies. Intel cancelled its planned 820 announcement, set for today, after discovering a technical glitch last week. The new systems would have supported Rambus, but will instead be available with SDRAM.

IBM, already a bigger provider of e-commerce solutions, found many customers skittish about online transactions.

"People told us they wanted a trusted environment," said Hester. "When asked, 'what does trust mean to you,' people said it had to be a secure environment and one that they can have confidence in."

IBM found confidence in e-commerce transactions meant satisfying four areas: authentication, verifying the user is who he or she claims to be; privacy; hacker-proof information transfer; and non-repudiation, or being able to prove you are the person authorized to receive and item or document.

Chip-based solution
IBM had been looking seriously at a chip-based solution about the time Intel announced it would introduce chip-tracking technology with the Pentium III processor. Privacy groups raged at Intel's decision, and the company backed down from enabling the monitoring features by default.

Big Blue, taking a lesson from Intel's blunder, worked with privacy groups, such as the Center for Democracy and Technology, on implementing the security chip.

"We found we could create a solution that does not create additional privacy concern, but built on a good security base and lets the user be the ultimate decision-maker," said Hester.

IBM's big payoff may be long term as legislators tackle the prospect legalizing the use of digital signatures for a wide range of electronic transactions.

Since Utah passed the first digital signature legislation in February 1995, states have looked seriously at using them for authenticating transactions between citizens and businesses. States also recognize digital signatures as an essential technology for business-to-business e-commerce.

In July California passed a law giving digital signatures the same weight as those inked with pen.

The federal government also has tackled the issue of digital signatures.

By embedding the encryption technology on the system motherboard, "IBM has jumped way ahead of competitors on this," said Ferlazzo.