Subscribe
Blog / Podcast Readers
NEWSGATOR YAHOO
BLOGLINES ITUNES
DEL.ICIO.US DIRECT RSS

The Latest from RSA Labs: The Keys to RFID Privacy

by Dr. Ari Juels on 7/25/2008
Topics: RFID

Data-security vendors sometimes get tall orders from customers. Not unheard of are: "I'd like a good digital signature system... with 20-bit keys" and "I want to use one-time pads for encryption... and I need to compress them." But one of the most challenging I've heard was recently offered up by colleagues in the RFID (Radio-Frequency IDentification) industry.

Barcode-type RFID tags contain codes that can precisely identify consumer items. (E.g., "This is a 100-count bottle of 45mg Oxycontin® tablets.") Such tags can therefore betray private information about consumers to nearby RFID readers. Barcode-type RFID isn't often on store shelves yet, but may well be soon. Consequently, some in the RFID industry say:

(1) "I want RFID tags that are readable by all of my commercial partners in the supply chain, but..."
(2) "I don't want the item codes to be readable once tags reach consumer's hands."

Many RFID tags respond to a "kill" command--a self-destruct feature for privacy protection that's enabled by a tag-specific password. The two requirements above are achievable if tags are "killed" at the point of sale. But the RFID industry request includes two more requirements:

(3) "I don't want to manage any keys, e.g., kill passwords." (Tags cross geographies and organizations in tortuous ways that thwart good key management.)
(4) "I don't want to require any special physical process to protect tags."

A tall order indeed! And to top it off, the industry is already wedded to an RFID standard tag called EPC (Electronic Product Code) whose technical specifications are largely fixed (and austere).

RSA Labs and ThingMagic LLC have devised what we see as a practical solution to this tricky problem--and similarly to the problem of managing keys for tag authentication. Bryan Parno, an RSA Labs summer intern from Carnegie Mellon University, will be presenting the solution at USENIX Security '08 next week.

The basic idea is simple: We propose storing RFID tags' keys on the tags themselves. It's also counterintuitive: After all, how can keys be used to secure the very devices in which they're stored?

For the answer, have a look at our research paper...

Comments

No comments for this blog entry

Post A Comment

Your Name
Your Email Publish email?: Yes No
Your Blog
Subject
Comment
Verification Word
© 2010 RSA Security. All rights reserved | Privacy | Legal | Site Map

RSA, The Security Division of EMC, provides Secure Data, Compliance, SIM, SEM, SIEM, PCI, Consumer Identity, Two-Factor Authentication, Custom Applications, Consulting, Assessment, and other security solutions and services to over 90% of the Fortune 500.
 
Access Control |  Authentication and Identity Assurance |  Credential Management |  Data Loss Prevention |  Data Encryption and Key Management |  Fraud Prevention |  Security Information and Event Management |  Log Management |  IT Compliance |  ISO 27002 Compliance |  Information Risk Management for Financial Services |  Payment Card Industry Data Security Standard | 
 
RSA Access Manager
RSA BSAFE
RSA eFraudNetwork
 RSA Data Loss Prevention
RSA Consumer Solutions
RSA FraudAction
 RSA Digital Certificate Solutions
RSA Encryption/Key Management
RSA Enterprise Data Security
 RSA enVision
RSA SecurID
RSA Smart Cards

 RSA Federated Identity Manager
RSA Adaptive Authentication