http://www.eet.com/news/latest/showArti ... =180201688

Cellphone could crack RFID tags, says cryptographer
Rick Merritt
EE Times
(02/14/2006 4:26 PM EST)

SAN JOSE — A well known cryptographer has applied power analysis techniques to crack passwords for the most popular brand of RFID tags.

Adi Shamir, professor of computer science at the Weizmann Institute, reported his work in a high-profile panel discussion at the RSA Conference here. Separately, Ron Rivest, who co-developed the RSA algorithms with Shamir, used the stage of the annual panel to call for an industry effort to create a next-generation hashing algorithm to replace today’s SHA-1.

In recent weeks, Shamir used a directional antenna and digital oscilloscope to monitor power use by RFID tags while they were being read. Patterns in power use could be analyzed to determine when the tag received correct and incorrect password bits, he said.

"The reflected signals contain a lot of information," Shamir said. "We can see the point where the chip is unhappy if a wrong bit is sent and consumes more power from the environment…to write a note to RAM that it has received a bad bit and to ignore the rest of the string," he added.

"I haven’t tested all RFID tags, but we did test the biggest brand and it is totally unprotected,"Shamir said. Using this approach, "a cellphone has all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity," he added.

"I haven't tested all RDID tags, but we did test the biggest brand and it is all totally unprocted," Shamir said. Using this approach, "a cellphone has all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity," he added.

Shamir said the pressure to get tags down to five cents each has forced designers to eliminate any security features, a shortcoming that needs to be addressed in next-generation products.

Separately, cryptographers discussed the weaknesses in the fundamental SHA-1 hashing algorithm that were announced at the group’s panel in 2005. "That was a real wake up call for cryptographers," said Rivest, who is also professor of electrical engineering and computer science at MIT.

"I would like to see a process like the industry conducted for the AES algorithm to work on a new hash function that could be delivered by 2010," Rivest said. "We are skating too close to the edge with the hash functions we use now," he added.

The National Institute of Standards and Technology ran the program that resulted in AES, but complained last year it lacked the resources in the near term to develop a similar program for hash functions.

"My guess is they will get pushed into doing this again," said Rivest in an interview after the panel. "A four-year time frame is probably fine for a technology bake off. There’s no reason to panic," he added.

"If it was brought up by this panel, it will probably spark a fire and the NSA or someone will get something going," said Sheueling Chang, a distinguished engineer in cryptography at Sun Microsystems who attended the panel.