
Re: RFID Flap Silences Security Researchers



In article <cHvKh.8546$wg2.233333@xxxxxxxxxxxxxxxxxxx>, petem001@xxxxxxxxx (Petem) writes:
|
| "Robert L Bass" <no-sales-spam@bassburglaralarms> wrote in message
| news: vcadnW91BowImmfYnZ2dnUVZ_u-unZ2d@xxxxxxxxxxxxxx
| >> The point is by using a programmer it
| >> becomes possible for a relatively small
| >> box to be capable of compromising
| >> literally millions of systems...
| >
| > It's not that easy.  Any decent system
| > will initiate a lockout timer after three or
| > four consecutive bad RFID codes.
| > Suppose the system uses a 40-bit code.
| > That would require trying upwards of
| > 16,000,000,000,000 codes.  With a
| > lockout timer delaying things by as little
| > as 30 seconds after 4 failed attempts
| > (numbers picked at random), the thief
| > will grow old waiting for one door to open.
|
| One thing that you have to understand here Robert, it's that lockout after too
| many bad RFID readings CANNOT be used
|
| if RFID becomes popular, and most people come to have one RFID chip on
| them, there would be millions of bad RFID credential reads every day..... let's
| say a door of a small apartment is right on the street, on a busy street like
| here in downtown Montreal, and let's say that the RFID reader can read from a few
| feet; the chance of some people passing by the door and having RFID on them
| being high, there would be readings all day long, even worse at night when
| everyone comes home....
|
| how would you like to have to wait a few minutes before coming into your own
| house?

I have always maintained that RFID devices which simply transmit a fixed
serial number with no two-way interaction are not suitable for security.
(Usually when I bring this up someone tells me that the requirements of
residential security are not as stringent as those of a business.  Then
I ask why the lives of my family are less important than some office
supplies.  But I digress. :)  In any case, even if you don't implement my
preferred zero-knowledge-proof (and with the cost of RFID devices coming
down as their available complexity increases I can't see any reason not
to) a minimal handshake allows you to know that the RFID device is
trying (and perhaps failing) to open *this* door.  That in turn allows
for a lockout.

If a manufacturer is bound and determined to minimize cost by using
a one-way interaction (at least at normal read time) you can still implement
a lockout by allowing some programmable bits in the RFID device which are
set to a house code.  Only when the house code matches and the rest of
the code does not match do you start counting failed attempts for a lockout.

Finally, even if you don't do anything sophisticated with the hardware and
are stuck with the above-mentioned 40-bit code, you can still implement a
reasonable lockout to protect against brute-force attacks.  Simply count
a failure when, e.g., the top 20 bits match and the lower 20 do not.  (You
do need to be careful not to display different behavior for a failure that
is being counted for lockout purposes since an attacker could use that
information to quickly probe the top 20 bits.  Clearly it would be better
if you had more bits to start with.)

				Dan Lanciani
				ddl@danlan.*com
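The "count only near-misses" lockout from the post above, written out as an added example (not Dan's code). It assumes a 40-bit fixed code split into a 20-bit house code and 20 low bits, and the 4-failures / 30-second lockout figures quoted earlier in the thread; a stranger's tag with a different house code never advances the counter, and every rejected read gets the identical "denied" response so the counted failures are not distinguishable from the reader's outside.

```python
"""Near-miss lockout for a fixed-code RFID reader (added example, hypothetical reader)."""
from dataclasses import dataclass

CODE_BITS = 40
HOUSE_BITS = 20          # assumption: top 20 bits act as the "house code"
LOW_BITS = CODE_BITS - HOUSE_BITS


def house_code(code: int) -> int:
    """Top HOUSE_BITS bits of a 40-bit credential."""
    return (code & ((1 << CODE_BITS) - 1)) >> LOW_BITS


@dataclass
class Reader:
    credential: int             # the one 40-bit code this door accepts
    max_failures: int = 4       # figures quoted in the thread
    lockout_seconds: float = 30.0
    failures: int = 0           # near-misses seen since last open/lockout
    locked_until: float = 0.0   # absolute time at which the lockout expires

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def present(self, code: int, now: float) -> str:
        """Handle one tag read at time `now`; returns "open" or "denied".

        Every rejection returns the same string by the same code path, so a
        counted near-miss is not externally distinguishable from a random
        passer-by's tag or from a read during lockout.
        """
        result = "denied"
        if not self.is_locked(now):
            if code == self.credential:
                self.failures = 0
                result = "open"
            elif house_code(code) == house_code(self.credential):
                # Right house, wrong low bits: this is the only kind of
                # failure that counts.  Strangers' tags never reach here.
                self.failures += 1
                if self.failures >= self.max_failures:
                    self.failures = 0
                    self.locked_until = now + self.lockout_seconds
        return result
```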

