RFID Security Forum

Friday, December 22, 2006

We've Moved

The RFID Security Forum has moved to http://www.securerf.com/RFID-Security-blog/.

All postings prior to 12/1/06 will remain at this Blogger site and have been copied to the new site. Content added after December 1, 2006 will be posted only in the new location.

Thank you to our friends at Google for use of Blogger.

Please visit the new RFID Security Forum to view all postings.

The response to Bruce Schneier's blog entry is here - http://www.securerf.com/RFID-Security-blog/?p=9

Wednesday, November 15, 2006

A Strong Dose of RFID

Contributed by Louis Parks:

I just attended the three-day RFID Health Care Industry Adoption Summit sponsored by the National Association of Chain Drug Stores and the Healthcare Distribution Management Association. This was billed as the single largest pharmaceutical meeting (to date) to discuss and review progress in adopting RFID.

It was very impressive to see attendees from all aspects of the pharmaceutical supply chain because it is going to take everyone working together to deliver a solution.

Many of us think that a pharmaceutical manufacturer makes a drug and ships it to our local pharmacy who then hands it to us. In reality, a drug passes through an average of nine owners/handlers before being dispensed. This very fluid and dynamic supply chain makes it an ideal environment for those looking to make a fast buck through diverting and counterfeiting our drugs. The industry realizes this and it is also one of the reasons the FDA is pushing for the introduction of RFID.

Seeing a real industry dealing with real implementations and real pilots also shows how far we have to go before RFID becomes the standard ubiquitous technology we all are hoping for. Standards, security, what data should be on a tag, who has the data, who can get the data, what network will carry it, when will that network be ready, the effect of RF on some drugs, and who is paying for everything are just a few of the questions being dealt with in real time. You also need to layer in the vendors’ agendas, the FDA, and each state since much of this regulation involves state bodies.

There are no easy answers and it will certainly take several more years before you see general adoption across the supply chain. Regardless, I am very impressed by the effort, commitment, and resources this industry is applying to adopt RFID for everyone’s benefit. I hope other industries think to look at this group for suggestions and direction. The drug industry’s pioneering will shorten the time to adoption for each and every market that follows.

Friday, November 10, 2006

Nip/Tuck comes to RFID

Contributed by Louis Parks:

IBM announced a new method they have patented called Clipped Tag Technology. It is as easy to explain as it is to use. A consumer simply pulls off the RFID antenna from an RFID-enabled tag hung on the outside of an item to shorten the read range. Not clear enough – you can go to the video at http://www.youtube.com/watch?v=95VOxKp0s74&mode=related&search

I applaud IBM for acknowledging the privacy white elephant in the room that too many in our industry have tried to ignore. I also think the simplicity of their idea makes it likely that it will gain some traction. In fact, one Canadian company has already licensed the method and announced a retail tag for immediate availability.

Unfortunately, it is only part of the solution and a few small issues still linger. First, some amount of privacy comes only if the consumer deactivates the tags. How many of you actually cut out those tags that say “remove after purchase”? If you do remember to disable the tag it is not clear what the reduced read range is. Remember, the short read-range RFID tags – think payment cards with only a few-inch read range - have been read from over 150 feet in university tests. This solution also assumes the tags will be accessible. We have been contacted by several consumer manufacturers who want RFID tags inserted in their products – where they cannot be accessed - because they are more concerned about the $200B of counterfeit goods that enter their markets each year.

Regardless of any apparent issues with Clipped Tag technology this is still a move in the right direction and will hopefully make its way onto consumer shelves soon. More important, it shows IBM and others recognize that real solutions are necessary now to meet security and privacy needs.

Wednesday, November 08, 2006

RFID Security: Sooner or Later

Contributed by Louis Parks:

Shannon Kellogg of RSA recently posted a blog http://www.rsasecurity.com/blog/entry.asp?id=1141 where he felt people in Europe and the United States are getting too worked up over the security and privacy issues around RFID. He feels it is too soon to pressure the industry to require safeguards and it is better to let RFID get off the ground and then let the industry deal with it. His attitude is best summed up where he wrote, “…there are legitimate security and privacy concerns around RFID that need to be addressed and the time to do that is sooner rather than later.” He is clear the time is not “now”.

This attitude, from an employee of a company selling security, is a bit of a surprise but really reflects how industry has approached the use of security for decades. It has been all too common for a new technology to ignore security issues in their rush to market - only to deal with the resulting demons for years to come. You can just look at the CD/DVD industry as one of many examples.

What is a surprise is that Shannon didn’t see the 9/14 blog of Burt Kaliski, the Chief Scientist at RSA – the company where Shannon works – http://www.rsasecurity.com/blog/entry.asp?id=1130 where he reported on the vulnerabilities of the VeriChip. The VeriChip is an RFID transponder that is being implanted in humans now – not sooner or later. Burt describes in some detail the ease with which these tags can be cloned (identity theft) and used for tracking individuals without their knowledge. He does suggest a re-encryption scheme that might mitigate some threats of tracking but no more so than simply re-writing the tag identifier.

Something will happen with RFID that will put the industry on the defensive and force it to spend excessive amounts of resources fixing, correcting and responding to critics. RSA is already spending a lot of time and money to help demonstrate the vulnerabilities of this great new technology - and getting some good press in the process. Hopefully the RFID industry will take this input and use it to break the traditional cycle of denial now – rather than sooner or later.
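As an added illustration (not part of this post, and not code from RSA or from Burt Kaliski’s write-up), the following Python shows what a re-encryption scheme of the kind usually proposed for this problem does and does not buy. It assumes the scheme is ElGamal re-encryption, in which any reader holding the public key can replace the ciphertext stored on a tag with a fresh one for the same identifier, while only the secret-key holder can recover that identifier. The group parameters, keys and the 96-bit EPC-style sample identifier are all generated or constructed inside the example.

```python
"""Static RFID identifier vs an ElGamal re-encrypted identifier (added example).

A tag that always answers with the same bytes can be copied (cloned) and
followed across readers (tracked). Re-encryption lets any reader holding the
public key write back a fresh ciphertext for the same identifier, so successive
sightings no longer match. Group, keys and the sample EPC are constructed here
and are not parameters of any real deployment.
"""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=128):
    """Safe prime p = 2q + 1 and a generator g of the order-q subgroup.
    128 bits keeps the example fast; real systems use a 2048-bit group or a curve."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    base = 2 + secrets.randbelow(p - 3)  # in [2, p-2], so base^2 != 1
    return p, q, pow(base, 2, p)         # squares form the order-q subgroup


def keygen(group):
    p, q, g = group
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def encode_id(group, epc):
    """Map an identifier (an integer below q) to a quadratic residue mod p."""
    p, q, _ = group
    x = int.from_bytes(epc, "big")
    if not 0 < x < q:
        raise ValueError("identifier must be a non-zero integer below q")
    return pow(x, 2, p)


def decode_id(group, m, length):
    """Inverse of encode_id: p = 3 (mod 4), so one root of m is m^((p+1)/4)."""
    p, q, _ = group
    r = pow(m, (p + 1) // 4, p)
    return min(r, p - r).to_bytes(length, "big")  # the root below q is the id


def encrypt(group, pk, m):
    p, q, g = group
    r = 1 + secrets.randbelow(q - 1)
    return pow(g, r, p), m * pow(pk, r, p) % p


def reencrypt(group, pk, ct):
    """Fresh ciphertext for the same plaintext, using only the public key."""
    p, q, g = group
    c1, c2 = ct
    s = 1 + secrets.randbelow(q - 1)
    return c1 * pow(g, s, p) % p, c2 * pow(pk, s, p) % p


def decrypt(group, sk, ct):
    p, _, _ = group
    c1, c2 = ct
    return c2 * pow(c1, p - 1 - sk, p) % p  # c2 / c1^sk


def sightings_reencrypting(group, pk, ct, passes=3):
    """Each reader records the current ciphertext, then writes back a new one."""
    seen = []
    for _ in range(passes):
        seen.append(ct)
        ct = reencrypt(group, pk, ct)
    return seen


def linkable(observations):
    """An eavesdropper can link two sightings only if the bytes repeat."""
    return len(set(observations)) < len(observations)


GROUP = make_group(128)
SK, PK = keygen(GROUP)
SAMPLE_EPC = bytes.fromhex("30700048440663802E185523")  # constructed, not a real tag


def demo(epc=SAMPLE_EPC):
    ct = encrypt(GROUP, PK, encode_id(GROUP, epc))
    reenc_reads = sightings_reencrypting(GROUP, PK, ct)
    recovered = [decode_id(GROUP, decrypt(GROUP, SK, c), len(epc)) for c in reenc_reads]
    return {
        "static_linkable": linkable([epc] * 3),          # plain tag: same bytes every read
        "reencrypted_linkable": linkable(reenc_reads),
        "owner_recovers_every_read": all(r == epc for r in recovered),
        # A clone that copies the current ciphertext is still accepted: re-encryption
        # hides the identifier from trackers, it does not prove a tag is genuine.
        "copied_ciphertext_still_decrypts": recovered[-1] == epc,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two properties side by side: the plain identifier is linkable across three readers, the re-encrypted one is not, and the key holder still recovers the same identifier from every sighting. It also shows the limit Burt’s post is concerned with: a copied ciphertext decrypts just as well as the original, so re-encryption addresses tracking and not cloning.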

Friday, November 03, 2006

Fair and Balanced?

Contributed by Louis Parks:

The Smartcard Alliance issued a press release this week in an attempt to clarify the pitfalls of relying on RFID technology to secure our borders. Unfortunately, its partial views, questionable reference to unrelated events, and failing to address the actual performance needs of the Passport card weaken their argument.

First, it is unclear how much more secure smartcard technology is versus some of the recent developments in RFID. The NY Times lead business article last week pointed out the ease with which some students could gather your identification and credit card number from “smartcard-secure” credit cards. Earlier this year it took a group in Holland just 2 hours to crack the “secure data” gathered off an electronic passport using smart card technology.

The Smartcard Alliance has also missed the mark in questioning our government’s ability to protect our data (part of the proposed border solution). The press release cited the recent data breach at the Department of Veterans Affairs. In fact, this was a case where a Unisys PC went missing that contained some VA billing records. Unisys was a subcontractor and likely under some very strict guidelines for data security that they obviously failed to meet. I don’t think this totally absolves the government from some responsibility but this incident was not a direct failing of a government agency. I could not find a recent failing of this nature so maybe the fix is to simply not contract out the work (sorry for the subliminal pitch for bigger government)?

Finally, the press release failed to mention that Passport Card needs to be read from up to 20 feet away to support the proposed streamlining functions at the border. Smartcard technology can only be read over a few inches. I don’t see how you substitute one function for another without affecting the proposed process.

We don’t have all the answers yet on how Homeland Security and the State Department will secure the Passport Card but we will need factual critical review of any technology presented to decide if it is secure – hopefully it will come from a fair and balanced view.

Wednesday, October 25, 2006

“Kill Bill”

Louis Parks discusses the Veto of California RFID Bill:

At the end of September, Governor Schwarzenegger vetoed California Bill SB768 which would have introduced limited requirements for security when RFID technology was deployed in a state government setting.

Many herald this as a win for RFID and its use since it eliminates a few potential barriers to deployment. Most of the RFID players and their related action groups lobbied for this veto but it may come back to bite the industry in the end (yes, both meanings).

The public is already skeptical of new technologies like RFID and they are becoming more sensitized to “Privacy” by our media daily. The industry's efforts to fight the need to implement security will also likely be interpreted by the public as not having their best interest at heart. Think of it as joining “big oil” or “Washington lobbyist” – I removed the word “bad” that we all subconsciously insert into those titles when we read them.

There are both technologies and methods that can be deployed today to address security and privacy. The RFID industry needs to start thinking about getting out ahead of this issue and showing they are going to address the public’s concerns or the next bill, written under the growing wind of privacy fears, may be far more punitive and not as easily killed.

Tuesday, October 24, 2006

“It’s just a number.”

Contributed by Louis Parks:

It seems like just yesterday that I attended one of my first RFID conferences to try and validate the need for security solutions on RFID tags. So it was just over two years ago that I found myself sitting in a session featuring a panel discussion on “RFID Privacy and Security”. The topic seemed important judging by the overflowing attendance but I was not ready to hear EPCglobal, an organization focused on promoting the adoption of RFID – among other things, simply summarize the situation as a “non-issue”. The speaker went on to explain, “It is just a bunch of numbers on the tag so there is no need for security…and there are really no privacy issues at the tag level.”

I have just returned from the EPCglobal US Conference 2006 where I was not surprised to be issued a conference badge – complete with embedded RFID tag. I was VERY surprised to be given a one page document as part of my registration kit explaining that my name, company, address, etc. were all encoded on the tag and available for a reader to capture – any reader. They went to great efforts to explain they were using HF chips (the evil enemy only a few months ago) with short read ranges to help protect our data and that non-RFID badges were available if we preferred. The president of EPCglobal even included a privacy and security disclaimer on the use of the badges in the opening of his keynote address.

We have always been concerned about privacy and what happens to data after it is collected but I guess everyone, including EPCglobal finally, now recognizes that there are security issues that need to be addressed when using RFID…and the sooner the better.

Monday, October 16, 2006

Does SecureRF belong in the Doghouse?

SecureRF Corporation replies to comments in the Schneier on Security blog.

Not to our surprise, Bruce Schneier put SecureRF in the “Doghouse” in his October 9th blog. Bruce provides interesting views and opinions on his blog, often coming from brief observations or encounters with a security or privacy issue. Unfortunately he took the same “brief” approach here and chose to weigh-in with perhaps little more than the memory of meeting the SecureRF founders nearly ten years ago on a different technology and a brief visit to our website. This has led to several incorrect assumptions and statements that were compounded by an additional series of incorrect or misdirected statements from many of Bruce’s readers. Oddly, his blog also revealed a bias for “old and comfortable” math whether it is working or not.

In regards to his quickly penned comments, his remark that SecureRF is “harnessing a relatively obscure area of mathematics: infinite group theory…” is factually incorrect. Group Theory, which includes Infinite Group Theory, dates back to the early 19th century and can be found in most of our math, physics and science of today. It does not come from knot theory. Bruce may have been confused from some earlier, but unrelated work of our founders, that he had been briefed on nearly 10 years ago that pertains to Braids.

We are offering two white papers and request, at the reader’s option, that they enter a name and affiliation for our records. Unlike many other sites we do not require that they complete any field before hitting the submit button, a fact which Bruce may have missed.

Bruce points out that we do not reference a published cryptography paper which is partly true. This is because it usually takes two to three years to get a paper published in a reputable journal on a new breakthrough or claim. One of the white papers offered on our site and available since December 2005 was submitted to a juried publication of the American Mathematical Society - and was accepted for publication in their Contemporary Mathematics series this December. In fact, it is being published less than eight months after its final review/acceptance which we are very proud of. You can get a copy of this publication at http://www.ams.org/bookstore?fn=20&arg1=conmseries&item=CONM-418.

Finally, Bruce’s view that no “New Math is good math” would seem to fly in the face of science and our general approach to innovate and create new and better solutions. It has become quite apparent from recent demonstrations of the weaknesses in many of the older protocols (old math?) that new solutions, likely requiring new math, are badly needed. A recent posting to the Notices of the American Mathematical Society by Susan Landau begs for new math in the form of a hash function.

In regards to the many readers who picked up on Bruce’s incorrect assumptions and proceeded to comment, here are a few factual responses. One reader correctly points out that a braid-based solution would not be small enough or efficient enough to fit on a passive RFID tag. This is likely correct which is why we do not use it here. It should also be noted that several readers went on to question the security of braids but referenced the work of the Koreans and not our founders’ protocol which is a very different method - with several published papers pointing out that the attacks on the Koreans’ method do not work on the braid method of our founders.

Other readers raised issues around the use of the word “geometrically”. This word does not appear anywhere on our site or in our materials but rather comes from the writings of another blogger. A more accurate phrase would be to say that RSA and Elliptic Curve scale quadratically and SecureRF does not.

As one blog commenter put it “…cryptography is a really hard problem…” and we could not agree more. The foundational work that SecureRF is built on comes from decades of work by our founders. We also understand the need for ongoing peer review to ensure the validity of our claims and to continue the development and improvement of our solutions. This is why we have presented our breakthrough to the American, German and Austrian Mathematical societies for review. Our technical white paper, which Bruce has never asked to see, has been requested by and sent to many of the notable names in security and cryptography in the world over the last year. In fact, one of the first things we did after filing our patent was call up RSA and arrange to meet at their offices to show them what we have for their comment and review.

It is unfortunate that Bruce has taken the position of a “nay-sayer” when the cryptography world really needs cheerleaders promoting the research and presentation of new ideas. At last year’s RSA Conference, Mark Hellman, in his keynote discussion, sadly remarked that if a competition for a new public-key method was held today, similar to NIST’s AES competition, he would be surprised if there was even a single entry. We have chosen to take up this challenge and, at the same time, address the need for better privacy when using RFID-based solutions through our security methods. We look forward to the constructive peer review that will come from the AMS publication and from those who choose to request our white paper - http://www.securerf.com/white.html. Perhaps then it will be appropriate to determine if we are the next best thing since “sliced bread” and should be let out of the doghouse.
