RSA Report: RFID -- Dead on Arrival(?)
Posted by K.M. Das
K.M. is blogging from the RSAConference2006 in San Jose this week.
The RSAConference2006 on information security had an extremely distinguished panel discussing cryptography as one of the keynote addresses on Tuesday, February 14, 2006. The panelists included Whitfield Diffie and Martin Hellman (of the Diffie-Hellman-Merkle key exchange protocol) and Ronald Rivest and Adi Shamir (the “R” and the “S” of RSA). Although the discussion ranged over a wide variety of topics, Professor Shamir made one of the most interesting announcements during his initial comments.
Professor Shamir announced that over the last year he, and a student of his at the Weizmann Institute of Science, Israel, has been looking at how to crack encryption schemes on RFID tokens. One of the methods that researchers have developed to crack encryption schemes on smartcards and computers is to study the power consumption of the machines that the cards are being used on. Of course, one can use this method even more simply on computers running various encryption schemes if one can monitor the power consumption of the computer. As Professor Shamir noted, it is a lot easier to break a code by analyzing the power consumption of the device than it is to crack whatever algorithm is being used to generate the code.
Because RFID token do not have a source of power built in, they draw power from the environment (i.e., the reader), Professor Shamir and his student came up with a way of studying how “thirsty” the RFID token was. Once they came up with the method, it did not take them very long to figure out when an RFID token was receiving a “kill signal.” (Most RFID tokens have a built in “kill” code that permanently disables the token so that it stops transmitting information.) Professor Shamir also mentioned that because cell phones have a short-range transmitter it would probably be possible to build a device that a person could use to walk around “killing” RFID tokens, although Professor Shamir did not provide the details and admitted that he had not actually built such a device.
Given the amount of press RFID tokens have received recently, and how integral they are expected to become over the next couple of years in security efforts, Professor Shamir’s announcement today is certainly cause for concern.