RFID Security Forum

Monday, October 16, 2006

Does SecureRF belong in the Doghouse?

SecureRF Corporation replies to comments in the Schneier on Security blog.

Not to our surprise, Bruce Schneier put SecureRF in the “Doghouse” in his October 9th blog. Bruce provides interesting views and opinions on his blog, often coming from brief observations or encounters with a security or privacy issue. Unfortunately he took the same “brief” approach here and chose to weigh-in with perhaps little more than the memory of meeting the SecureRF founders nearly ten years ago on a different technology and a brief visit to our website. This has led to several incorrect assumptions and statements that were compounded by an additional series of incorrect or misdirected statements from many of Bruce’s readers. Oddly, his blog also revealed a bias for “old and comfortable” math whether it is working or not.

In regards to his quickly penned comments, his remark that SecureRF is “harnessing a relatively obscure area of mathematics: infinite group theory…” is factually incorrect. Group Theory, which includes Infinite Group Theory, dates back to the early 19th century and can be found in most of our math, physics and science of today. It does not come from knot theory. Bruce may have been confused from some earlier, but unrelated work of our founders, that he had been briefed on nearly 10 years ago that pertains to Braids.

We are offering two white papers and request, at the reader’s option, that they enter a name and affiliation for our records. Unlike many other sites we do not require that they complete any field before hitting the submit button, a fact which Bruce may have missed.

Bruce points out that we do not reference a published cryptography paper which is partly true. This is because it usually takes two to three years to get a paper published in a reputable journal on a new breakthrough or claim. One of the white papers offered on our site and available since December 2005 was submitted to a juried publication of the American Mathematical Society - and was accepted for publication in their Contemporary Mathematics series this December. In fact, it is being published less than eight months after its final review/acceptance which we are very proud of. You can get a copy of this publication at http://www.ams.org/bookstore?fn=20&arg1=conmseries&item=CONM-418.

Finally, Bruce’s view that no “New Math is good math” would seem to fly in the face of science and our general approach to innovate and create new and better solutions. It has become quite apparent from recent demonstrations of the weaknesses in many of the older protocols (old math?) that new solutions, likely requiring new math, are badly needed. A recent posting to the Notices of the American Mathematical Society by Susan Landau begs for new math in the form of a hash function.

In regards to the many readers who picked up on Bruce’s incorrect assumptions and proceed to comment here are a few factual responses. One reader correctly points out that a braid-based solution would not be small enough or efficient enough to fit on a passive RFID tag. This is likely correct which is why we do not use it here. It should also be noted that several readers went on to question the security of braids but referenced the work of the Koreans and not our founder’s protocol which is a very different method - with several published papers pointing out that the attacks on the Korean’s method do not work on the braid method of our founders.

Other readers raised issues around the use of the word “geometrically”. This word does not appear anywhere on our site or in our materials but rather comes from the writings of another blogger. A more accurate phrase would be to say that RSA and Elliptic Curve scale quadratically and SecureRF does not.

As one blog commenter put it “…cryptography is a really hard problem…” and we could not agree more. The foundational work that SecureRF is built on comes from decades of work by our founders. We also understand the need for ongoing peer review to ensure the validity of our claims and to continue the development and improvement of our solutions. This is why we have presented our breakthrough to the American, German and Austrian Mathematical societies for review. Our technical white paper, which Bruce has never asked to see, has been requested by and sent to many of the notable names in security and cryptography in the world over the last year. In fact, one of the first things we did after filing our patent was call up RSA and arrange to meet at their offices to show them what we have for their comment and review.

It is unfortunate that Bruce has taken the position of a “nay-sayer” when the cryptography world really needs cheerleaders promoting the research and presentation of new ideas. At last years RSA Conference, Mark Hellman, in his keynote discussion, sadly remarked that if a competition for a new public-key method was held today, similar to NIST’s AES competition, he would be surprised if there was even a single entry. We have chosen to take up this challenge and, at the same time, address the need for better privacy when using RFID-based solutions through our security methods. We look forward to the constructive peer review that will come from the AMS publication and from those who chose to request our white paper - http://www.securerf.com/white.html. Perhaps then it will be appropriate to determine if we are the next best thing since “sliced bread” and should be let out of the doghouse.

Labels: , , , ,

0 Comments:

Post a Comment

<< Home