Dark Reading

A lightweight encryption technology that uses a one-time, self-destructing encryption key will land on RFID chips sometime next year, according to the firm that developed it.

Tutarus already sells the technology for the Defense Department and other government agencies for encryption projects outside of RFID, and its technology is found in email encryption programs for Outlook, as well as file security applications.

"We are a key management system, not a new form of encryption," says Ray Clayton, CTO for Tutarus. Tutarus's so-called Secure Random Key (SRK) technology uses the AES encryption algorithm, with 256-bit keys. The goal is to provide a simple encryption solution that doesn't require extra processing or store the keys where they can be cracked or stolen, according to Tutarus.

"We randomly create a key, encrypt the data and then destroy the key," Tutarus' Clayton says. "The encryption and decryption process is not taking place on the RFID chip... We are thinking about putting our [decryption] process on the 'gun' that needs to read that RFID chip. The gun would then decrypt it and present it to the user."

RFID security has been under the microscope for the past year or so as hackers have had a virtual field day, easily cracking and cloning RFID cards, and using SQL injection to dupe a card reader into opening the building to a stranger. Even the newer VeriChip locater technology can be cloned, and many RFID-based passports come with weak encryption. Part of the problem is that many RFID systems are deployed without security or authentication on the part of the cardholder. (See RFID Under Attack Again.)

Encryption is considered the missing link for securing data stored on RFID tags and cards. But the processing requirements of encrypting and decrypting public/private keys has been a major factor impeding the adoption of encryption for RFID.

"I've done a couple of pretty big RFID audits [lately] and issues with encryption keep coming up," says Joshua Perrymon, hacking director for PacketFocus Security Solutions, who says Tutarus's technology sounds promising for efficiently encrypting RFID.

RFID vendor SecureRF will begin general shipping its LIME Tag RFID tags that use public key encryption. Louis Parks, CEO of SecureRF, says his firm's technology takes up a smaller mathematical footprint than most encryption methods, handling the processing on the chip.

"Each tag has a unique private/public key pairing," Parks says. "Most people today are encrypting the data on a PC and putting the encrypted data on the RFID card, then decrypting it by taking it off and decrypting it on a PC. But the danger of that is copying the encrypted data and putting it on a rogue tag... You don't know if it's real or fake." (See SecureRF Intros Secure RFID Tag.)

Meanwhile, Tutarus' Clayton says the advantage of his firm's symmetric key approach is that every chip has its own key, and you don't need any separate machines to do the key processing.

Tutarus plans to begin testing its technology for RFID in the next two months, and will build a prototype. Clayton says he's not sure yet just how it will be packaged or its pricing, but the idea would be to place it in a generic chip.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.