Many readers, I’m sure, are aware of the use of RFID tags in such diverse applications as inventory control, as replacements for product bar codes, and as part of payment and identification credentials. I’ve written here before about some of the security issues connected to the use of these devices. Many of these issues arise because typical RFID tags are, in fact, more or less a functional substitute for a bar code or magnetic stripe label. The tag can store a certain quantity of data, which can be read by an appropriate reader, but it typically cannot carry out any processing. This means that the counterfeiting of tags is a real potential problem. Data on the tag can be encrypted, but that would, in essence, require all the reader devices to share a global secret. The security track record of such systems (e.g., DVD encryption, cell phone encryption, software copy protection) is not encouraging.
A new MIT spinoff company, Verayo, thinks it has a new approach to solving at least part of this problem. According to an article in Technology Review, the company, and its chief technology officer, Prof. Srini Devadas, have developed a technique for getting an electronic “fingerprint” from individual RFID chips. Because of small, unavoidable variations in the chip material and the manufacturing process, no two chips are exactly alike. Even though they meet the same specifications, there are small artifacts in the way that they process signals that can be measured.
A signal traveling through a simple circuit will go faster or slower depending on these physical variations. By sending a series of signals through, and measuring how fast they travel, [one] can generate a string of numbers unique to each circuit.
Verayo’s technique essentially creates a profile of each chip. That profile, which consists of a configurable number of specific measurements, can then be stored in a central database, together with a product serial number or some other identification, when the chip is put into service. Later, when the tag is read, its profile can be compared with the stored version to detect counterfeits.
The company says this facility can also be used to generate secret keys for encrypting data. Presumably, this would use a list of profile elements as a list of one-time passwords, again corresponding to a list stored in a central, secured location.
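The enroll-then-compare flow described in the two paragraphs above can be sketched as a small simulation. This is an example added here, not Verayo's code; the delay model, noise level, response size, threshold and every name in it are assumptions.

```python
import random

N_STAGES = 64    # delay stages in the simulated circuit (assumed)
RESP_BITS = 128  # bits measured per challenge (assumed)
THRESHOLD = 24   # differing bits tolerated as measurement noise (assumed)

class SimulatedChip:
    """Stand-in for a tag: manufacturing variation modelled as random delays."""
    def __init__(self, seed):
        rng = random.Random(f"delays-{seed}")
        self.delays = [rng.gauss(0, 1) for _ in range(N_STAGES)]
        self.noise = random.Random(f"noise-{seed}")

    def measure(self, challenge):
        # Each bit: which way a challenge-selected delay sum falls, plus noise.
        rng = random.Random(challenge)
        bits = []
        for _ in range(RESP_BITS):
            signs = [rng.choice((-1, 1)) for _ in range(N_STAGES)]
            total = sum(s * d for s, d in zip(signs, self.delays))
            bits.append(1 if total + self.noise.gauss(0, 0.3) > 0 else 0)
        return bits

class Verifier:
    """Central database of profiles; each stored measurement is used once."""
    def __init__(self):
        self.db = {}  # serial -> {challenge: enrolled response}

    def enroll(self, serial, chip, challenges):
        self.db[serial] = {c: chip.measure(c) for c in challenges}

    def authenticate(self, serial, chip):
        profile = self.db.get(serial)
        if not profile:
            return False  # unknown serial, or every stored pair already used
        challenge, expected = profile.popitem()  # consume: no reuse, no replay
        got = chip.measure(challenge)
        distance = sum(a != b for a, b in zip(expected, got))
        return distance <= THRESHOLD

def demo():
    verifier = Verifier()
    genuine, clone = SimulatedChip(1), SimulatedChip(2)  # constructed chips
    verifier.enroll("SN-0001", genuine, challenges=range(3))
    return [verifier.authenticate("SN-0001", genuine),  # True
            verifier.authenticate("SN-0001", clone),    # False: other silicon
            verifier.authenticate("SN-0001", genuine),  # True
            verifier.authenticate("SN-0001", genuine)]  # False: profile spent
```

The comparison uses a distance threshold rather than equality because repeated measurements of the same chip differ by a few bits, and the last call fails because the enrolled measurements are consumed like one-time passwords.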
This is a clever idea, and can provide a very useful building block for more secure RFID-based systems. As always, though, the security of the system in which it is used is only as good as its weakest element. Here, clearly, it is essential that the security of the central database of RFID tag profiles, or fingerprints, is maintained. If it is, then this technology can potentially provide about the same level of security as other one-time password systems.
However, it’s still probably very worthwhile. RFID tags are being used, typically, in applications where their low cost is an important attribute. Being able to get a reasonable level of security without significantly increasing the cost might be of considerable value. If you are trying to prevent people from forging transit passes worth $20 each, it does not make sense to spend $25 to do the job to perfection.