3

I would like to implement an anti-counterfeiting scheme for tools my company manufactures. This would ideally be done via RFID/NFC tags. However, the environment in which these tags operate would either be behind a heavy firewall or not web-enabled at all. So a database of unique, valid numbers isn't feasible. I'd rather have some sort of generic key programmed to the tag that the software could then verify. However, since all the tags will contain common data, this presents the possibility that a tag could be cloned since the data (or at least a portion of it) on the tag will be identical.

In other words, I am not interested in protecting the contents of the secret message. Rather, I am concerned about ensuring that the tags cannot be cloned and then embedded on other, counterfeit tools.

While AES-128 is high security, I am questioning whether or not this encryption method is cloneable. If so, what other encryption technologies might I want to look into? I've been looking into the Algebraic Eraser and SecureRF, which use a public-key methodology.

audiFanatic
  • 151
  • 4
  • FYI, we are not fans of the Algebraic Eraser. – mikeazo Mar 29 '16 at 19:22
  • So you have some software that is suppose to read the RFID/NFC tags and determine whether or not the tool that the tag is attached to is counterfeit. Is that correct? The environment in which things are operating, however, is that there would be no constant internet access. The reader may have periodic (say once a month) access to the internet, the tools themselves would likely never be "online". Is that correct? – mikeazo Mar 29 '16 at 19:25
  • Wasn't Algebraic Eraser broken in http://eprint.iacr.org/2015/1102.pdf ? – poncho Mar 29 '16 at 19:30
  • @mikeazo They may have internet access, but there's no guarantee. We ship thousands of these "cartridges" a year, so we'd probably have to maintain a local database which is, bleh... – audiFanatic Mar 29 '16 at 20:58
  • @mikeazo Regarding AE, I'm definitely no expert in it cryptography so I'm sure I'm missing lots of things. I'm just a lowly engineer looking to use the technology. But SecureRF did provide me with a number of white papers in rebuttal to the Blackburn attack. I'm not sure of the best way to post those here; I can forward the email unless you can suggest a better way. I'm not trying to make a case for or against the method because I'm definitely not qualified. But for your own interest it might be good. – audiFanatic Mar 30 '16 at 13:30

1 Answers1

1

Basically, there are two ways of doing this: the symmetric and the asymmetric way.

For the symmetric way: you put in a secret key, which can be derived from a master key. In that case it makes sense to have a static, unique UID per card, which you can use to derive a key for the tag with the master key. Then that key is put on the card, and you can then create e.g. a challenge-response protocol for it. The inspection system needs to have the master key and do the derivation as well, so to be able to verify the challenge-response.

Of course somebody being able to steal an inspection system and/or retrieve the master key from it is of course the weak point of the system. A lot of these systems have methods of using a new master key / derived key in case a master key gets stolen (and this is detected).

Of course you can also put on a private key and (card verifiable) certificate, signed by a higher level certificate. That way the inspection system can first read out the certificate, verify it using a parent certificate in a trust store, and then again verify a challenge signed with the private key. Of course, a smart card chip costs more than a chip that implements challenge-response, doubly so if it contains a private key - and therefore an asymmetric co-processor (Montgomery multiplier), because these CPU's are too slow and possibly too vulnerable against side channel attacks.

This is the asymmetric way, and it only requires a trusted public key to be present in the inspection system.

As always, with NFC tags or contactless (smart) cards, the more complex / secure the more expensive. Prices quickly go down on higher volumes though.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313