Dark Reading is part of the Informa Tech Division of Informa PLC



11/1/2007
09:38 AM

New Key Management Technology Could Improve RFID Security

Tutarus, SecureRF encrypt RFID data on the chip

A lightweight encryption technology that uses a one-time, self-destructing encryption key will land on RFID chips sometime next year, according to the firm that developed it.

Tutarus already sells the technology for the Defense Department and other government agencies for encryption projects outside of RFID, and its technology is found in email encryption programs for Outlook, as well as file security applications.

"We are a key management system, not a new form of encryption," says Ray Clayton, CTO for Tutarus. Tutarus's so-called Secure Random Key (SRK) technology uses the AES encryption algorithm, with 256-bit keys. The goal is to provide a simple encryption solution that doesn't require extra processing or store the keys where they can be cracked or stolen, according to Tutarus.

"We randomly create a key, encrypt the data and then destroy the key," Tutarus' Clayton says. "The encryption and decryption process is not taking place on the RFID chip... We are thinking about putting our [decryption] process on the 'gun' that needs to read that RFID chip. The gun would then decrypt it and present it to the user."

RFID security has been under the microscope for the past year or so as hackers have had a virtual field day, easily cracking and cloning RFID cards, and using SQL injection to dupe a card reader into opening the building to a stranger. Even the newer VeriChip locater technology can be cloned, and many RFID-based passports come with weak encryption. Part of the problem is that many RFID systems are deployed without security or authentication on the part of the cardholder. (See RFID Under Attack Again.)

Encryption is considered the missing link for securing data stored on RFID tags and cards. But the processing requirements of encrypting and decrypting public/private keys have been a major factor impeding the adoption of encryption for RFID.

"I've done a couple of pretty big RFID audits [lately] and issues with encryption keep coming up," says Joshua Perrymon, hacking director for PacketFocus Security Solutions, who says Tutarus's technology sounds promising for efficiently encrypting RFID.

RFID vendor SecureRF will begin general shipping of its LIME Tag RFID tags that use public key encryption. Louis Parks, CEO of SecureRF, says his firm's technology takes up a smaller mathematical footprint than most encryption methods, handling the processing on the chip.

"Each tag has a unique private/public key pairing," Parks says. "Most people today are encrypting the data on a PC and putting the encrypted data on the RFID card, then decrypting it by taking it off and decrypting it on a PC. But the danger of that is copying the encrypted data and putting it on a rogue tag... You don't know if it's real or fake." (See SecureRF Intros Secure RFID Tag.)

Meanwhile, Tutarus' Clayton says the advantage of his firm's symmetric key approach is that every chip has its own key, and you don't need any separate machines to do the key processing.
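
The copy-to-a-rogue-tag risk Parks describes, as an added example that is not code from the article or from either vendor: a reader that accepts any tag whose stored blob decrypts is compared with one that also challenges the chip to prove it holds its own per-tag secret. The SHAKE-256 keystream is a toy stand-in for AES, the HMAC challenge-response is a stand-in for an on-chip key operation whose details the article does not give, and every name and value is constructed.

```python
import hashlib
import hmac
import secrets

BACKEND_KEY = secrets.token_bytes(32)  # constructed: data key held off-tag
CHIP_KEY = secrets.token_bytes(32)     # constructed: secret that stays on the genuine chip

def seal(key, plaintext):
    """Toy encrypt-then-MAC (SHAKE-256 keystream); a stand-in for real AES."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None if the blob was not produced with this key."""
    nonce, ct, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(mac, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class Tag:
    def __init__(self, memory, chip_key=None):
        self.memory = memory       # readable by anything in radio range
        self._chip_key = chip_key  # None models a blank tag with no provisioned secret

    def respond(self, challenge):
        # Without the provisioned secret a tag can only answer with a guess.
        key = self._chip_key or secrets.token_bytes(32)
        return hmac.new(key, challenge, hashlib.sha256).digest()

def accept_data_only(tag):
    """Reader trusts any tag whose stored blob decrypts."""
    return unseal(BACKEND_KEY, tag.memory) is not None

def accept_with_challenge(tag, chip_key):
    """Reader also requires a fresh proof that the chip holds its own secret."""
    if unseal(BACKEND_KEY, tag.memory) is None:
        return False
    challenge = secrets.token_bytes(16)
    expected = hmac.new(chip_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(tag.respond(challenge), expected)

genuine = Tag(seal(BACKEND_KEY, b"constructed-badge-0001"), CHIP_KEY)
copied = Tag(genuine.memory)  # same bytes written to a different tag
```

The data-only reader accepts both tags because the ciphertext is valid wherever it is stored; only the challenge step distinguishes the chip that was provisioned from the one that merely carries the same bytes.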

Tutarus plans to begin testing its technology for RFID in the next two months, and will build a prototype. Clayton says he's not sure yet just how it will be packaged or its pricing, but the idea would be to place it in a generic chip.


  • PacketFocus Security Solutions
  • SecureRF Corp.
  • Tutarus Corp.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
