How secure is the RFID — Parallax Forums

How secure is the RFID

poulipouli Posts: 15
edited 2009-11-19 04:54 in BASIC Stamp
Hello everybody,

First of all, I have to make clear that I am not an expert in the field, and the aim of this question
is to clear up some misconceptions that I may have.

I would like to ask how secure do you think that the RFID Card reader module is?
Is it possible for someone to steal the ID of a passive card?
What if someone is able to "read" the ID while I use the card to open a door?
If someone manages to have physical access to the module, how easy is it to "bypass" or "emulate" the card reading process?

Could we have better security by using active tags?
Does Parallax provide active tags?

Thank you in advance,
Pouli

Comments

  • Mike Green Posts: 23,101
    edited 2009-08-30 14:04
    1) "possible to steal the ID"? Yes, by using another RFID card reader within a few inches of the RFID tag somewhere else. For example, say that people use the card sized RFID tag and they carry it in their wallet or purse when it's not in use. You could mount another RFID reader on the side of a narrow doorframe, hip height from the floor. That reader will be able to read the RFID code of some of the cards passing through.

    2) "read the ID while I use the card"? Yes. Someone with a very sensitive receiver and a good sized loop antenna standing next to you could do it. The loop antenna could be hidden under clothing and the other equipment could be made to fit in a pocket or pockets.

    3) Someone with physical access to the module could easily bypass, record, do anything with the card reading process. Very few security systems are secure in any way if you can't control physical access.

    4) Parallax does not provide active tags. Active tags don't necessarily provide more (or less) security than passive tags. It all depends on your situation.

    Remember that RFID tags are mostly intended to provide an inexpensive way to identify items wirelessly over short distances (a few inches) with a tag attached and people/critters carrying a tag. They're used to identify pets, farm animals, pallets. They're used as an electronic key for cars, dwellings, offices. Their use as a key can provide modest access security, but a determined sophisticated thief can overcome that.
  • SRLM Posts: 5,045
    edited 2009-08-30 14:07
    For the complete work on the subject, I refer you to "RFID Applications, Security, and Privacy" edited by Simson Garfinkel and Beth Rosenberg. It's one of the original comprehensive works on the subject.

    But, in summary, no, the Parallax setup probably isn't secure. The cards just have a serial number that they reply with when queried, so if you can duplicate the serial number with some sort of gadget, then it would be possible to fool the system. The system is probably safe from scanning tag numbers, since there are billions and each number is transmitted to the host controller at slow speeds (9600 bps?). As for the module security, I wouldn't use it past the level of home security. The transmission of the card number from the reader is just a serial link, which would be easy to hack into and just start reading the numbers (or even transmitting your own). Of course, you could add some sort of antitampering device, but that's just covering up the problem, not solving it.

    It's unlikely that you could get eavesdroppers on the conversation between the tag and the reader, since the whole system is so low in power. As for active tags, yes, you could get better security by allowing for more processing power (aka, encryption and database management) but that comes at the cost of size and price. Parallax does not sell active RFID setups.
  • Jimi Freeman Posts: 46
    edited 2009-08-30 16:17
    I have the Card Reader from Parallax. Can it read the proximity cards or proximity fobs? Like the HID style?

    Also, are there any plans for Parallax to make an RFID writer?
  • pouli Posts: 15
    edited 2009-08-30 16:32
    Thank you for your answers.

    What I like most with Parallax is the quality products, easy to use and their forums.

    I am thinking of the following solutions:

    1. Like the passports with RFID we could have something like a Basic Access Control (BAC)
    but this would require either a keypad to enter a password or a scanner medium that would scan something on the card
    a kind of password.

    2. A much better idea I think is to use an algorithm like the one that is used at rsa.com for RSA secure IDs.
    This would generate different codes every 60 seconds.
    Both chips would be synchronised and generate the same code.
    If we had a match then access would be granted.

    I thought of using a mobile (program already exists as an applet) for this and somehow connect it with the other chip.
    Bluetooth is quite slow I think and raises the cost.
    A serial interface would be ideal but then I have the problem of how to "hack" the mobile in order to communicate serially with a Javelin or Propeller for example.

    The other problem is how feasible it is to implement such an algorithm with Javelin or Propeller.
    For example, is it feasible to implement an AES algorithm?
    Such algorithms exist for J2SE already open source.

    I am sure though that a different algorithm not so complex could be easily implemented (symmetric/one known key)
    with these chips.

    But the chip that I would produce as a key would be very expensive and quite big.
    On the other hand the RSA secure IDs are small.

    I would appreciate it if you could help me with this list of ideas and possibly point me to some references
    that I am currently missing.

    I am trying to find out an economic way to implement high grade security with Parallax chips.

    Thank you,
    Pouli
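Added example, not from the original thread: a sketch of the time-synchronised code idea in the post above, using the public HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1) with a 60-second step in place of RSA's proprietary SecurID algorithm. The `Lock` class, its clock-drift window and the sample key are assumptions made for illustration; unlike a fixed tag serial number, a code captured once is rejected when presented again.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds each code stays valid, as proposed in the post


def rolling_code(key: bytes, unix_time: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) over the time-step counter, i.e. TOTP with a 60 s step."""
    counter = unix_time // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Lock:
    """Door-side verifier (hypothetical): shares the key with the token."""

    def __init__(self, key: bytes, drift_steps: int = 1):
        self.key = key
        self.drift = drift_steps      # tolerate +/- this many steps of clock skew
        self.last_counter = -1        # highest step already accepted

    def check(self, code: str, now: int) -> bool:
        current = now // STEP
        for c in range(current - self.drift, current + self.drift + 1):
            if c <= self.last_counter:
                continue              # step already used: blocks replay
            expected = rolling_code(self.key, c * STEP)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"     # constructed sample key (RFC test key)
    lock = Lock(key)
    code = rolling_code(key, 120)     # token side, at t = 120 s
    print("first use :", lock.check(code, 125))   # accepted
    print("replay    :", lock.check(code, 130))   # rejected, step already used
    print("stale code:", Lock(key).check(code, 420))  # rejected, outside window
```

The shared key still has to be stored on both the token and the lock, so the physical-access concerns raised elsewhere in the thread apply to wherever that key lives.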
  • SRLM Posts: 5,045
    edited 2009-08-30 17:31
    Pouli said...
    I am trying to find out an economic way to implement high grade security with Parallax chips.

    Parallax is a hobby company, not a security company. While their products are probably secure enough for personal use, they are pretty wide open to anybody with some resources and determination. They almost certainly won't be developing any sort of BAC or other cryptographic techniques into their products. You could implement various security plans in the various chips that Parallax sells, but that just covers up the fact that the RFID reader isn't very secure to begin with. You won't be able to use the reader with cards that use secure protocols, either. In summary, if you really need a highly secure system, it would be better to get an RFID system that is designed for that from the start, that has cryptography on both sides of the reader (RFID side and serial side). You'd also want to drop the Parallax uCs, since there isn't any protection against somebody opening up the chip and watching things happen as the chip runs.

    @Jimi
    I doubt that there will be an RFID writer from Parallax (although I don't have any sort of basis for that except a guess). The cheapest RFID cards have the serial number hard wired into the chip. To make the card writable makes it that much more expensive.
  • dev/null Posts: 381
    edited 2009-08-30 21:47
    As a side note, Mike, I considered RFID for my car, but the reader consumes 100mA. That will drain my car battery quickly. Maybe there is a way to use it in idle mode, and wake it up when you want it to read your tag, but I don't know a good solution for that.

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Don't worry. Be happy
  • Instinctz Posts: 18
    edited 2009-11-19 03:22
    dev/null, what if you just awoke the reader every 1000ms. Chances are you'll catch it near its tick anyways.

    Just strap a solar panel on the roof and you're good to go!
  • Beau Schwabe Posts: 6,559
    edited 2009-11-19 04:54
    dev/null,

    100mA really isn't that much for a car battery, but if you can pulse the RFID reader once every half of a second you can effectively use a fraction of that 100mA with just good power management in software as well as in hardware.

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Beau Schwabe

    IC Layout Engineer
    Parallax, Inc.