UK and Dutch passports can be hacked using brute force
because they use short keys to protect the information on their
embedded RFID chips, an RFID expert told the European Network and
Information Security Agency (Enisa) this week.
The US had chosen a longer key for its identity documentation
and was thus better protected, security firm RSA's Ari Juels told
Enisa's summer school this week.
Juels said the use of radio frequency identification (RFID) tags
was likely to increase vastly because they were so useful for
tracking things and recording their histories. But privacy,
counterfeit and unauthorised reading concerns needed addressing, he
said.
The tags were getting cheap and powerful enough to carry
"reasonable" protection such as AES encryption and challenge and
response processing, he said.
Key management was the biggest problem, but it could be overcome
by having the tag carry its own key, or rather a part of the key,
he said.
Splitting the key using a technique called dsecret sharing
between several items that were likely to travel together reduced
the risk of the key being discovered, he said.
This allowed a farmer to microchip his herd of cows, but because
each cow carried only part of the key, its identity could not be
discovered unless the rest of the herd was present to complete the
key.
A similar principle could be applied to passports and identity
cards, drugs and other high value items he said.
The use of RFID chips as vehicle anti-theft devices, where the
tag on the key had to match the tag on the car, had cuts thefts by
90%, he said.
The advantage of this was that once the goods were sold or
otherwise ended their journey, the key disappeared, he said.
This solved the retailers' problem of having to "kill" tags at
the point of sale to stop them from being use to trace the
consumer's subsequent journey.