One of the popular myths about RFID is that the technology lacks security and compromises consumer privacy in applications ranging from ID cards to passports. What's missing from the debate is the understanding that RFID tag-to-reader communication can in fact be secured with a variety of existing advanced technologies, and RFID applications are typically extensive transaction-based systems where security is implemented across multiple layers.
Starting with the chip, there are layers of security built into a contactless radio-frequency (RF) based system. Silicon technologies secure the data stored on the chip. Secure cryptographic algorithms protect the transfer of RF data between the chip and reader. Many of the RFID applications TI has developed over the years, whether to protect cars from theft or to speed wireless payment, involve advanced tag-level encryption and security algorithms, as well as sophisticated challenge-response systems that authenticate a tag each time it is used. TI has continued to evolve the security of its RF technology to include National Institute of Standards and Technology (NIST) approved cryptographic algorithms, including Triple DES and SHA-1.
Existing data protection and tamper-resistance technologies, such as probe protection and resistance to side-channel and other invasive attacks (such as differential power analysis attacks), can protect data on an RF chip. Cryptographic technologies such as Message Authentication Coding (MAC), authentication mechanisms, digital signatures and data encryption are implemented in RF chips to address all of the security issues currently being raised, including "man in the middle" or data integrity attacks, replay attacks, eavesdropping, snooping or unauthorized access to data, and cloning.
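The challenge-response authentication and the MAC-based protection against replay and cloning described above can be sketched as follows. This is an added example, not TI's code or protocol: it assumes HMAC-SHA-256 in place of the algorithms named in the article, and the `Tag`, `Reader` and `demo` names and the tag ID are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class Tag:
    """Constructed tag model: the per-tag secret key never leaves the chip."""
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self._key = tag_id, key

    def respond(self, challenge: bytes) -> bytes:
        # The MAC binds the answer to this tag's fixed-length ID and to the
        # reader's fresh challenge, so it is useless for any other challenge.
        return hmac.new(self._key, self.tag_id + challenge, hashlib.sha256).digest()

class Reader:
    """Constructed reader/back-end model: key store plus outstanding challenges."""
    def __init__(self, keys: dict):
        self._keys = keys
        self._pending = {}  # tag_id -> challenge issued and not yet consumed

    def issue_challenge(self, tag_id: bytes) -> bytes:
        self._pending[tag_id] = secrets.token_bytes(16)  # unpredictable nonce
        return self._pending[tag_id]

    def verify(self, tag_id: bytes, response: bytes) -> bool:
        challenge = self._pending.pop(tag_id, None)  # each challenge is single-use
        key = self._keys.get(tag_id)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, tag_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo() -> dict:
    tag_id, key = b"TAG-0001", secrets.token_bytes(32)  # constructed sample values
    tag, reader = Tag(tag_id, key), Reader({tag_id: key})
    results = {}
    # Genuine tag answers the reader's fresh challenge.
    captured = tag.respond(reader.issue_challenge(tag_id))
    results["genuine"] = reader.verify(tag_id, captured)
    # Replay: a recorded response is presented against a new challenge.
    reader.issue_challenge(tag_id)
    results["replay"] = reader.verify(tag_id, captured)
    # Clone: a copy carries the same ID but cannot know the secret key.
    clone = Tag(tag_id, secrets.token_bytes(32))
    results["clone"] = reader.verify(tag_id, clone.respond(reader.issue_challenge(tag_id)))
    # A response with no outstanding challenge is rejected outright.
    results["unsolicited"] = reader.verify(tag_id, captured)
    return results

if __name__ == "__main__":
    print(demo())
```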
It is important to understand that in any application the contactless RF technology is only one part of the entire system, typically only a single data storage and transmission point. Data from multiple RF tags and application data is stored in centralized databases. The May 2005 GAO report to Congress, "Information Security - Radio Frequency Identification Technology in the Federal Government," addresses RFID system security and states that: "…many of the potential privacy issues associated with RFID are inextricably linked to database security. As in other contexts in which personal information is collected from consumers, a company using RFID to collect information must implement reasonable and appropriate measures to protect that data." (Source: http://www.gao.gov/new.items/d0551.pdf) Companies and government agencies applying RFID technology for ePassport and ePayment applications must not overlook system-level security.
There are hundreds of millions of RF tags used today in consumer applications, including automotive security and retail payment, where security has been raised and addressed to allay consumer concerns. The Internet, which in its early days lacked the security and privacy needed for electronic commerce transactions, has seen acceptance and use grow as companies adopted technologies and policies to ensure secure information transfer. We expect RFID to evolve on a similar path.
The pharmaceutical market is a good example of a new market for RFID that is developing a multi-layered approach to security, one not focused only on the RF interface. IT security, physical security and label security (overt and covert inks, holograms, etc.) are being applied in the fight against counterfeit drugs. Download TI's white paper, "Securing the Pharmaceutical Supply Chain with RFID and Public-Key Infrastructure (PKI) Technologies," at http://www.ti.com/rfid/docs/customer/eped-form.shtml.
Historically, concerns around security have been well addressed in RFID applications, making the technology more secure than bar codes, magnetic stripes, or handwritten data that can be more easily copied or forged. With RFID tag and system-level security in place, market acceptance and adoption of RFID technology will rely on user education, familiarity with the technology, and the inclusion of RFID data within corporate privacy policies.