Attacks/Breaches
11/1/2007
09:38 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Key Management Technology Could Improve RFID Security

Tutarus, SecureRF encrypt RFID data on the chip

A lightweight encryption technology that uses a one-time, self-destructing encryption key will land on RFID chips sometime next year, according to the firm that developed it.

Tutarus already sells the technology for the Defense Department and other government agencies for encryption projects outside of RFID, and its technology is found in email encryption programs for Outlook, as well as file security applications.

"We are a key management system, not a new form of encryption," says Ray Clayton, CTO for Tutarus. Tutarus's so-called Secure Random Key (SRK) technology uses the AES encryption algorithm, with 256-bit keys. The goal is to provide a simple encryption solution that doesn't require extra processing or store the keys where they can be cracked or stolen, according to Tutarus.

"We randomly create a key, encrypt the data and then destroy the key," Tutarus' Clayton says. "The encryption and decryption process is not taking place on the RFID chip... We are thinking about putting our [decryption] process on the 'gun' that needs to read that RFID chip. The gun would then decrypt it and present it to the user."

RFID security has been under the microscope for the past year or so as hackers have had a virtual field day, easily cracking and cloning RFID cards, and using SQL injection to dupe a card reader into opening the building to a stranger. Even the newer VeriChip locater technology can be cloned, and many RFID-based passports come with weak encryption. Part of the problem is that many RFID systems are deployed without security or authentication on the part of the cardholder. (See RFID Under Attack Again.)

Encryption is considered the missing link for securing data stored on RFID tags and cards. But the processing requirements of encrypting and decrypting public/private keys has been a major factor impeding the adoption of encryption for RFID.

"I've done a couple of pretty big RFID audits [lately] and issues with encryption keep coming up," says Joshua Perrymon, hacking director for PacketFocus Security Solutions, who says Tutarus's technology sounds promising for efficiently encrypting RFID.

RFID vendor SecureRF will begin general shipping its LIME Tag RFID tags that use public key encryption. Louis Parks, CEO of SecureRF, says his firm's technology takes up a smaller mathematical footprint than most encryption methods, handling the processing on the chip.

"Each tag has a unique private/public key pairing," Parks says. "Most people today are encrypting the data on a PC and putting the encrypted data on the RFID card, then decrypting it by taking it off and decrypting it on a PC. But the danger of that is copying the encrypted data and putting it on a rogue tag... You don't know if it's real or fake." (See SecureRF Intros Secure RFID Tag.)

Meanwhile, Tutarus' Clayton says the advantage of his firm's symmetric key approach is that every chip has its own key, and you don't need any separate machines to do the key processing.

Tutarus plans to begin testing its technology for RFID in the next two months, and will build a prototype. Clayton says he's not sure yet just how it will be packaged or its pricing, but the idea would be to place it in a generic chip.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • PacketFocus Security Solutions
  • SecureRF Corp.
  • Tutarus Corp.

    Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    5 Security Technologies to Watch in 2017
    Emerging tools and services promise to make a difference this year. Are they on your company's list?
    Flash Poll
    New Best Practices for Secure App Development
    New Best Practices for Secure App Development
    The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2013-7445
    Published: 2015-10-15
    The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

    CVE-2015-4948
    Published: 2015-10-15
    netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

    CVE-2015-5660
    Published: 2015-10-15
    Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

    CVE-2015-6003
    Published: 2015-10-15
    Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

    CVE-2015-6333
    Published: 2015-10-15
    Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

    Dark Reading Radio
    Archived Dark Reading Radio
    In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.