A Vote for Securing the “Social Network of Devices” – a Safer Smart Grid

Contributed by Joanne C. Kelleher

GE’s Ecomagination Challenge is a $200 million call to action for businesses, entrepreneurs, innovators, and students to share their best ideas and come together to take on one of the world’s toughest challenges – building the next-generation power grid to meet the needs of the 21st century. SecureRF has submitted an idea to this challenge titled Securing the “Social Network of Devices” – a Safer Smart Grid.

The Smart Grid will form a “social network of devices” that will rival Facebook in size and need for privacy. Current security methods will not protect wireless platforms being proposed. SecureRF, developers of the world’s first linear-based asymmetric cryptography, will develop solutions to keep the Smart Grid secure and private.

One of the prizes is based on a public vote of the 50-word description, and although we aren’t going to spend the time soliciting the several hundred votes needed to get to the #1 spot, we would like a reasonable showing. GE also has a panel of judges that looks at a more in-depth application to award the other prizes. You can help.

Can you please register on the GE site and support our idea with your vote?
http://challenge.ecomagination.com/ct/ct_a_view_idea.bix?c=ideas&idea_id=F80413E7-11CF-4B81-A184-C4B163D14A26

This Challenge is an interesting vehicle for identifying new technologies and partners although we are not sure how the judges will compare something like our submission – “Securing the Grid” – to entries like these:

  • Using lightening as an energy source
  • Pedal powered mini transit system
  • Chimney Generator
  • Tire Recycling Plant

Here are excerpts from our longer submission to the judges:

“Cyber security is one of the key technical areas where the state of the art falls short of meeting the requirements of the Smart Grid.” NIST: Smart Grid Cyber Security Strategy and Requirements – Chapter 6.
In developing and deploying a Smart Grid, huge amounts of data will be generated. The utilities and power stations will create data, much of it in real time, as will the wireless meters and devices quickly invading homes and businesses. The Smart Grid, with introduction of wireless meters, and wireless appliances (many not even yet invented!) will add a layer of complexity that cannot be addressed by currently available security methods. Unfortunately, most of the commercially available security solutions are decades old, just like our current power grid.
Just the introduction of synchrophasors, which measure voltage, current, and the grid’s stability, will send critical data to central stations at the rate of 30 messages a second. This means any security method employed will need to perform in a matter of milliseconds so as to not interfere with this monitoring function.
Additionally, you do not want a hacker monitoring home activities, controlling household devices, or even denying or blocking access to the grid. Without stronger security, the grid will not only be an easy target for hackers, but they will even be able to use the Smart Grid to monitor their handiwork in real time.
SecureRF proposes to develop Smart Grid security solutions using public key cryptography, based on our Algebraic Eraser™ (AE), the world’s first linear-based security method. The application of public key methods will be a significant security enhancement to the Smart Grid, including authentication and data protection in wireless meters and secure communications with household appliances and devices.
A PKI solution, based on the AE, will provide a low-power consumption system that delivers high speed implementations, for real-time processing, while maintaining a small computational footprint.

—————————————-

Thank you for your vote of support of our suggestion for a safer Smart Grid.  Voting closes on September 30, 2010.

Smart Grid Security Warnings

Contributed by Joanne C. Kelleher

A few weeks ago I posted a blog entry titled “Lack Of Security In Smart-Meter Rollouts.”  This topic continues to get an increasing amount of press, including these two articles:

“Smart” Power Grids a Prime Target in Cyber Warfare in Security Week.
http://www.securityweek.com/smart-power-grids-prime-target-cyber-warfare

Energy Insecurities: The Downside of Being Too Smart in Security Management.
http://www.securitymanagement.com/article/energy-insecurities-downside-being-too-smart-007338

The Security Week article focuses on recent warnings about the lack of security in the Smart grid, including the Pike Research report.

“In the recently-released Cyber War: The Next Threat to National Security and What to Do About It, by Richard Clark and Robert Knake, the power grids are identified as one of the three most important and vulnerable U.S. targets, the other two being the defense department’s IT infrastructure and private telecommunications backbone networks.”

The Security Management article points out how we have been warned about these threats multiple times by the last three presidents.

“In 1998, President Clinton signed a Presidential Directive that established a national program for critical infrastructure protection. This directive stated that the energy sector of the United States was potentially vulnerable to cyberattack and that the United States would take all necessary measures to swiftly eliminate any significant cyber vulnerabilities within this sector.”

The author then does a nice job of reviewing the threats against Advanced Metering Infrastructure (AMI) technology or “smart meters,” intelligent appliances, consumer-level energy management services and green power generation systems.

As the cryptographic security solutions for low resource devices like RFID can also be used for AMI and other smart grid systems, we will continue to follow the development of these systems.

EU Prescription Drug Anti-counterfeiting Legislation

Contributed by Joanne C. Kelleher

PharmaTech, a publication for pharmaceutical manufacturers, reports that the Council of the EU and the European Parliament are amending the current anti-counterfeiting directive to include a requirement for features that enable the identification, authentication and traceability of prescription medicines.

“The only way a specific product can be identified, authenticated and traced effectively throughout the supply chain is to give it a unique identity. As such, serialisation, which assigns a unique identity via a unique identification number to each product through a vehicle such as RFID or 2D barcode, is the only solution that can comply with the directive.”

The article does a nice job defining identification, authentication and traceability and how meeting these three requirements via serialization impacts the packaging process of pharmaceutical manufacturers.

If the EU would like to trace the movement of these drugs through each step of the supply chain, which includes distributors and wholesalers, they would also need an e-Pedigree system. Designing a successful anti-counterfeiting solution that tracks via e-Pedigree generates even larger issues beyond how manufacturers apply the serialized number. These issues include RFID security, maintenance of and access to a centralized database, and patient privacy. See E-Pedigree Implementation Issues at http://www.securerf.com/RFID-Security-blog/?p=109 for our insights.

PharmaTech.com’s article:

EU anti-counterfeiting legislation on its way
Jul 1, 2010
Pharmaceutical Technology Europe
http://pharmtech.findpharma.com/pharmtech/Manufacturing/EU-anti-counterfeiting-legislation-on-its-way/ArticleStandard/Article/detail/674915?contextCategoryId=40939

Lack of Security in Smart-Meter Rollouts

Contributed by Joanne C. Kelleher

Smart Grid security covers a wide spectrum of technologies from fences and video cameras at the power generation facilities and substations to securing the data in the embedded systems and metering devices used to monitor and adjust a homeowner’s usage. These Smart Meter security issues have been in the news a lot recently.

Elinor Mills wrote a great article for CNET titled Money trumps security in smart-meter rollouts, experts say. “In a rush to take advantage of U.S. stimulus money, utilities are quickly deploying thousands of smart meters to homes each day–smart meters that experts say could easily be hacked.”

Fred Cohen, chief executive of Fred Cohen & Associates consultancy, painted a scary scenario where people could exploit security holes in smart meters to not only find out when a consumer is away from home to rob the house, but eventually also to shut off power to elevators and air conditioning units, disrupt city lights, and interfere with other critical systems when they are ultimately connected as part of home area networks that link all systems in a building.

Security researcher, and fellow RFID Security Alliance member, Karsten Nohl has inspected one of the smart meters that has been deployed. “We didn’t find any of the security measures you would expect in an embedded device with critical-infrastructure relevance,” he said. “Prominently missing are signed and encrypted firmware, secure (smart card) chips for key storage, unique cryptographic keys, and physical tamper protection.”

Read the entire article at http://news.cnet.com/8301-27080_3-20007672-245.html?tag=newsLeadStoriesArea.1.

Mills references a new paper from the Cambridge Computer Laboratory, On the security economics of electric metering, which argues that data and security risks are not being sufficiently addressed, while the energy-saving benefits to consumers from smart meters are still not proven. This paper gives background information on the development of the electric system and meters since Edison’s time, current smart grid initiatives and recommendations for the regulation of a future smart meter infrastructure.   

The NY Times in Anxiety Builds Among Utilities Over the Communications Part of ‘Smart’ Grid covers the political issues created as “the FCC seeks to use its handle on the nation’s wireless spectrum to speed up the smart grid’s rollout.”

Rep. Ed Markey (D-Mass.), chairman of the House Select Committee on Energy Independence and Global Warming, introduced the “Electricity Consumers’ Right to Know Act” just the FCC Broadband Plan was released. It declares that consumers have a right to access information about their electricity usage and prices from their utilities in a “free, timely and convenient” manner that ensures privacy and data security.

The Smart Grid initiatives, which merge electric utilities – highly regulated at the state level, the Federal Communications Commission and telecommunications industry, the US Department of Energy, Google, and meter and appliance manufacturers like General Electric, Honeywell and Intel, have many issues to overcome and security is just one of them.

Hopefully, unlike with RFID and other products, Smart Grid and smart meter security issues will be addressed during the design stage and prior to rollout.

SecureRF Granted First Patent – Cryptographic Solution Suitable for Embedded or Low Resource Computing Devices

Contributed by Joanne C. Kelleher

SecureRF Corporation has received its first patent!

The United States Patent and Trademark Office has granted SecureRF U.S. Patent 7,649,999 for the world’s first cryptography method to run in linear time. The patented algorithm provides a key agreement protocol and a method for generating a secret key to facilitate secure communications. This patent broadly covers the foundation of our methods, known as the Algebraic Eraser™, and it is suitable for securing low-resource computing devices such as sensors, Smart Grid microcontrollers, and of course, RFID tags.

To give some background about how the Algebraic Eraser fits into the world of cryptography, we recently wrote this white paper: An Introduction to Cryptographic Security Methods and Their Role in Securing Low Resource Computing Devices

Our patent, titled “Method and apparatus for establishing a key agreement protocol,” can be viewed at http://patft.uspto.gov/ by searching for patent number 7,649,999.

To learn more, read our press release: SecureRF Granted U.S. Patent for Secure Communications Method Targeting Sensors and Wireless Platforms – Cryptographic Solution Suitable for Embedded or Low Resource Computing Devices.

An Introduction to Cryptographic Security Methods and Their Role in Securing Low Resource Computing Devices

Contributed by Joanne C. Kelleher

What is the difference between private key and public key cryptography?
What is the difference between symmetric and asymmetric cryptography?
What is the difference between Diffie-Hellman (Elliptic Curve) and RSA asymmetric cryptography methods?

Since SecureRF’s Algebraic Eraser™ technology offers a combination of symmetric (i.e. private key or secret key) and asymmetric (i.e. public key) cryptography of the Diffie-Hellman type, we found ourselves having to explain these questions a lot. We couldn’t find a good overview describing these various cryptographic methods and decided to write one ourselves.

We invite you to read our new white paper:

An Introduction to Cryptographic Security Methods and Their Role in Securing Low Resource Computing Devices: An Overview of Public-key Cryptosystems based on RSA, Diffie-Hellman and the Next Generation of Public-key Cryptographic Security for Low-Resource Computing Devices – the Algebraic Eraser™

This was written as an introduction to the topic for business people, engineers and logistics folks. Download it now (no registration required) at http://www.securerf.com/pdf/SecureRF_Security_Intro_White_Paper_May2010.pdf

Please let us know if we didn’t answer your cryptography questions or have any feedback about this paper.

If you want more technical information about how SecureRF’s methods work, you can read Key agreement, the Algebraic Eraser™ and Lightweight Cryptography which was published by the American Mathematical Society in the peer-reviewed book “Algebraic Methods in Cryptography.” A version of this paper is available on SecureRF’s web site at http://www.securerf.com/white.shtml (registration is required).

Data Protection Methods Only Work If You Use Them

Contributed by Joanne C. Kelleher

CBS News recently did a story on the data security holes related to digital copiers and multi-function printers (MFPs). A CBS reporter purchased some used machines and worked with a security firm to pull out the hard drives and read the data that was stored there. They found medical information from an insurance company, payroll records from a construction firm and sex offender records from a police department. As you can see in the video, it was surprisingly easy for them to obtain private information and it was all done legally, no hacking required.

The security issue around hard drives on MFPs isn’t new. Several manufacturers offer encryption, overwrite and other data protection methods on their machines, although the default may be off or there is an extra charge for these security functions. Manufacturers also encourage customers to remove the hard disk when turning in their MFPs, although local dealers and leasing agents have not always done so.

Sharp has been conducting a survey about the awareness of these risks for several years and then working to educate their customers. But their results show that there is still a long way to go until people understand that they need to treat their digital copiers and MFPs as computers, rather than old-fashioned mimeograph machines.

Bottom line: Whether using copiers, embedded systems or RFID tags, encryption and other data protection methods can only work if you implement and enable them.

CBS News: Copy Machines, a Security Risk?
http://www.cbsnews.com/video/watch/?id=6412572n

CBS News: Photocopier Fallout: Company Notifies 409,000 of Data Breach
http://www.cbsnews.com/8301-31727_162-20003449-10391695.html?tag=contentMain;contentBody

Real Business at Xerox Blog – CBS Copier Security Investigation & What You Need to Know
http://realbusinessatxerox.blogs.xerox.com/2010/04/20/cbs-copier-security-investigation-what-you-need-to-know/

Sharp Surveys:
Survey Indicates Organizations Underestimate Potential Security Risk Of Copier/Printers: IT Pros Often Unaware of Hard Drive’s Vulnerability to Intruders
May 2001
http://www.allcopyproducts.com/files/ItemFileA174.pdf

Majority Of Americans Are Not Aware That Their Personal And Financial Information May Be At Risk Of Theft
March 2007
http://www.atlantaresources.com/articles/sharp.pdf

Americans Are At A Digital Loss To Protect Personal And Financial Information
April 2008
http://www.scottsborobusiness.com/Files/Press/Sharp_american_security.pdf