Attacks/Breaches

11/1/2007
09:38 AM
Connect Directly
Google+
Twitter
RSS
E-Mail

New Key Management Technology Could Improve RFID Security

Tutarus, SecureRF encrypt RFID data on the chip



A lightweight encryption technology that uses a one-time, self-destructing encryption key will land on RFID chips sometime next year, according to the firm that developed it.

Tutarus already sells the technology for the Defense Department and other government agencies for encryption projects outside of RFID, and its technology is found in email encryption programs for Outlook, as well as file security applications.

"We are a key management system, not a new form of encryption," says Ray Clayton, CTO for Tutarus. Tutarus's so-called Secure Random Key (SRK) technology uses the AES encryption algorithm, with 256-bit keys. The goal is to provide a simple encryption solution that doesn't require extra processing or store the keys where they can be cracked or stolen, according to Tutarus.

"We randomly create a key, encrypt the data and then destroy the key," Tutarus' Clayton says. "The encryption and decryption process is not taking place on the RFID chip... We are thinking about putting our [decryption] process on the 'gun' that needs to read that RFID chip. The gun would then decrypt it and present it to the user."

RFID security has been under the microscope for the past year or so as hackers have had a virtual field day, easily cracking and cloning RFID cards, and using SQL injection to dupe a card reader into opening the building to a stranger. Even the newer VeriChip locater technology can be cloned, and many RFID-based passports come with weak encryption. Part of the problem is that many RFID systems are deployed without security or authentication on the part of the cardholder. (See RFID Under Attack Again.)

Encryption is considered the missing link for securing data stored on RFID tags and cards. But the processing requirements of encrypting and decrypting public/private keys has been a major factor impeding the adoption of encryption for RFID.

"I've done a couple of pretty big RFID audits [lately] and issues with encryption keep coming up," says Joshua Perrymon, hacking director for PacketFocus Security Solutions, who says Tutarus's technology sounds promising for efficiently encrypting RFID.

RFID vendor SecureRF will begin general shipping its LIME Tag RFID tags that use public key encryption. Louis Parks, CEO of SecureRF, says his firm's technology takes up a smaller mathematical footprint than most encryption methods, handling the processing on the chip.

"Each tag has a unique private/public key pairing," Parks says. "Most people today are encrypting the data on a PC and putting the encrypted data on the RFID card, then decrypting it by taking it off and decrypting it on a PC. But the danger of that is copying the encrypted data and putting it on a rogue tag... You don't know if it's real or fake." (See SecureRF Intros Secure RFID Tag.)

Meanwhile, Tutarus' Clayton says the advantage of his firm's symmetric key approach is that every chip has its own key, and you don't need any separate machines to do the key processing.

Tutarus plans to begin testing its technology for RFID in the next two months, and will build a prototype. Clayton says he's not sure yet just how it will be packaged or its pricing, but the idea would be to place it in a generic chip.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • PacketFocus Security Solutions
  • SecureRF Corp.
  • Tutarus Corp.

    Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Threaded  |  Newest First  |  Oldest First
    12 Free, Ready-to-Use Security Tools
    Steve Zurier, Freelance Writer,  10/12/2018
    Most IT Security Pros Want to Change Jobs
    Dark Reading Staff 10/12/2018
    Most Malware Arrives Via Email
    Dark Reading Staff 10/11/2018
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: This comment is waiting for review by our moderators.
    Current Issue
    Flash Poll
    The Risk Management Struggle
    The Risk Management Struggle
    The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2018-18374
    PUBLISHED: 2018-10-16
    XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
    CVE-2018-18375
    PUBLISHED: 2018-10-16
    goform/getProfileList in Orange AirBox Y858_FL_01.16_04 allows attackers to extract APN data (name, number, username, and password) via the rand parameter.
    CVE-2018-18376
    PUBLISHED: 2018-10-16
    goform/getWlanClientInfo in Orange AirBox Y858_FL_01.16_04 allows remote attackers to discover information about currently connected devices (hostnames, IP addresses, MAC addresses, and connection time) via the rand parameter.
    CVE-2018-18377
    PUBLISHED: 2018-10-16
    goform/setReset on Orange AirBox Y858_FL_01.16_04 devices allows attackers to reset a router to factory settings, which can be used to login using the default admin:admin credentials.
    CVE-2018-17534
    PUBLISHED: 2018-10-15
    Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.