[Message Prev][Message Next][Thread Prev][Thread Next][Message Index][Thread Index]

Re: RFID Flap Silences Security Researchers

Subject: Re: RFID Flap Silences Security Researchers
From: ddl@danlan.*com (Dan Lanciani)
Date: 17 Mar 2007 06:31:42 GMT
Newsgroups: comp.home.automation
References: <O4WdnaEHTIQ-6GTYnZ2dnUVZ_tijnZ2d@xxxxxxx> <i4GdndKfwcXp62bYnZ2dnUVZ_sqdnZ2d@xxxxxxxxxxx>

In article <i4GdndKfwcXp62bYnZ2dnUVZ_sqdnZ2d@xxxxxxxxxxx>, no-sales-spam@bassburglaralarms (Robert L Bass) writes:
| > Ideally the system should use a zero
| > knowledge proof...
|
| I don't get your meaning.  Please elaborate.

In the abstract, a zero knowledge proof allows you to prove that you
know a secret without disclosing that secret or even any (much) information
that would allow someone else to appear to know the secret.  There are
various well-understood ways to accomplish this.  It really doesn't matter
which one you use (well, as long as it isn't one that has been shown to
be flawed).  Google the term if you want the underlying details of some
of the algorithms.

| > Rolling codes are a clever hack to get
| > some security in a one-way environment, but
| > there is really no need to resort to them here.
|
| They add another layer in front of the would-be
| hacker.

A zero knowledge proof provides a superset of their functionality.

| > | True but it's actually simpler than that.  Since
| > | the range is limited, any received transmission
| > | of the same protocol could be treated as an
| > | attempt.
| >
| > This still leaves you open to denial of service
| > attacks.  Not a big problem now, you may say
| > (as likely thought the developers of tcp/ip about
| > SYN floods), but why set yourself up for trouble
| > if you don't have to?...
|
| Agreed.  There's always a compromise between
| security and convenience.

There is no need to compromise in this case.

| The safer we make the
| system from hacking the easier it becomes for
| someone to hassle us.

No, a properly implemented zero knowledge proof system makes it both
harder to hack the system and harder to hassle us.  Again, this technology
is well understood and used--at least where the purveyors consider real
security important.  As an example, the smart cards used to authorize
satellite television decoder boxes have used a zero knowledge proof handshake
since their inception.  (In case you are concerned about computing power,
available RFID cpus these days are more powerful than smart cards were back
then.)

Now of course, the same companies (more or less) that recognize the
critical need to prevent satellite signal piracy with appropriate
crypto will tell you that residential alarm/access control can get by
with the simplest fixed code systems.  You can decide for yourself
whether they have consumers' best interests at heart.

				Dan Lanciani
				ddl@danlan.*com

Follow-Ups:
- Re: RFID Flap Silences Security Researchers
  - From: Robert L Bass

References:
- RFID Flap Silences Security Researchers
  - From: Robert Green
- Re: RFID Flap Silences Security Researchers
  - From: Robert L Bass

Prev by Message: Re: leviton vizia RF switches (Z-wave)
Next by Message: Re: leviton vizia RF switches (Z-wave)
Previous by thread: Re: RFID Flap Silences Security Researchers
Next by thread: Re: RFID Flap Silences Security Researchers
Index(es):
- Message
- Thread

comp.home.automation Main Index | comp.home.automation Thread Index | comp.home.automation Home | Archives Home