Attacks/Breaches

11/1/2007
09:38 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Key Management Technology Could Improve RFID Security

Tutarus, SecureRF encrypt RFID data on the chip

A lightweight encryption technology that uses a one-time, self-destructing encryption key will land on RFID chips sometime next year, according to the firm that developed it.

Tutarus already sells the technology for the Defense Department and other government agencies for encryption projects outside of RFID, and its technology is found in email encryption programs for Outlook, as well as file security applications.

"We are a key management system, not a new form of encryption," says Ray Clayton, CTO for Tutarus. Tutarus's so-called Secure Random Key (SRK) technology uses the AES encryption algorithm, with 256-bit keys. The goal is to provide a simple encryption solution that doesn't require extra processing or store the keys where they can be cracked or stolen, according to Tutarus.

"We randomly create a key, encrypt the data and then destroy the key," Tutarus' Clayton says. "The encryption and decryption process is not taking place on the RFID chip... We are thinking about putting our [decryption] process on the 'gun' that needs to read that RFID chip. The gun would then decrypt it and present it to the user."

RFID security has been under the microscope for the past year or so as hackers have had a virtual field day, easily cracking and cloning RFID cards, and using SQL injection to dupe a card reader into opening the building to a stranger. Even the newer VeriChip locater technology can be cloned, and many RFID-based passports come with weak encryption. Part of the problem is that many RFID systems are deployed without security or authentication on the part of the cardholder. (See RFID Under Attack Again.)

Encryption is considered the missing link for securing data stored on RFID tags and cards. But the processing requirements of encrypting and decrypting public/private keys has been a major factor impeding the adoption of encryption for RFID.

"I've done a couple of pretty big RFID audits [lately] and issues with encryption keep coming up," says Joshua Perrymon, hacking director for PacketFocus Security Solutions, who says Tutarus's technology sounds promising for efficiently encrypting RFID.

RFID vendor SecureRF will begin general shipping its LIME Tag RFID tags that use public key encryption. Louis Parks, CEO of SecureRF, says his firm's technology takes up a smaller mathematical footprint than most encryption methods, handling the processing on the chip.

"Each tag has a unique private/public key pairing," Parks says. "Most people today are encrypting the data on a PC and putting the encrypted data on the RFID card, then decrypting it by taking it off and decrypting it on a PC. But the danger of that is copying the encrypted data and putting it on a rogue tag... You don't know if it's real or fake." (See SecureRF Intros Secure RFID Tag.)

Meanwhile, Tutarus' Clayton says the advantage of his firm's symmetric key approach is that every chip has its own key, and you don't need any separate machines to do the key processing.

Tutarus plans to begin testing its technology for RFID in the next two months, and will build a prototype. Clayton says he's not sure yet just how it will be packaged or its pricing, but the idea would be to place it in a generic chip.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • PacketFocus Security Solutions
  • SecureRF Corp.
  • Tutarus Corp.

    Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
    Oh, No, Not Another Security Product
    Paul Stokes, Founder & CEO of Prevalent AI,  8/9/2018
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2017-13106
    PUBLISHED: 2018-08-15
    Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
    CVE-2017-13107
    PUBLISHED: 2018-08-15
    Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
    CVE-2017-13108
    PUBLISHED: 2018-08-15
    DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
    CVE-2017-13100
    PUBLISHED: 2018-08-15
    DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
    CVE-2017-13101
    PUBLISHED: 2018-08-15
    Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-10-03, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.