World's First "Unclonable" RFID Chip
An anonymous reader writes to tell us that a new RFID chip from Verayo claims to be unclonable through the use of the new Physical Unclonable Functions (PUF), sort of an electronic DNA for silicon chips. "Basic passive RFID chips can be easily cloned by copying the data residing on one chip to another. Verayo's PUF-based RFID chips cannot be cloned, and provide a very strong and robust authentication mechanism. No other chip or device can be disguised as the original chip, even if the data is copied from one Verayo RFID chip to another."
Uncloneable today - cloned tomorrow...
And this time we really mean it!
Dewey, what part of this looks like authorities should be involved?
Verayo launched the world's first unclonable silicon chip - the Vera X512H RFID chip. This new RFID chip is based on recently announced breakthrough technology called Physical Unclonable Functions (PUF). PUF technology is a type of electronic DNA or fingerprinting technology for silicon chips that makes each chip unclonable. Verayo's PUF-based RFID technology offers
So, is it unclonable?
Let's have a pool to see when it's cloned. I got by the end of the year by a Stanford student.
Forgive me for my ignorance (and I haven't RTFA), but my understanding of RFID is the only way to tell what an RFID device is is by listening to it broadcast. Well, if you listen to a device broadcast enough, particularly if you listen in on a conversation between it and what it's supposed to talk to...doesn't it then become relatively simple to create your own RFID device that broadcasts all the same things as the original chip, and responds in all the same ways to input?
Seems to me it's just another instance of "DRM doesn't work," only in this case all the communication between supposedly secure nodes literally has to take place in the open air...
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
Shouldn't this article have been posted in the Humor section? I know I got a chuckle out of it.
You never really know how close to the edge you can go until you fall off.
From the same folks that brought you the unsinkable ship.
I'd take your bet, but odds are, it's already been cloned.
If you can read this, I forgot to post anonymously.
in 3, 2, 1....
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
Let's have a pool to see when it's cloned. I got by the end of the year by a Stanford student
My money is on MIT. They can use that super grocery cart and warcart the new RFID into oblivion.
Bearded Dragon
Hmm, I'm batting for an MIT student, and I bet that Dan Bernstein (slightly obscure reference) will offer $500 dollars if ANYONE can clone it!
Most obvious mechanism is that the chip has sufficient intelligence to be able to cryptographically identify itself using public key cryptography, and the keypair is embedded on the chip at the manufacturing stage.
Would work beautifully, but it's completely broken the day someone manages to get the private key out of it.
Alright, Kingrames for cloned now by anyone.
You conduct overheard conversations all the time and have no issue with considering them "secure": namely via SSL/TLS encryption. All that's necessary to create an RFID that can't be completely duplicated is for the chip to hold on to more information than it broadcasts, and then only reveal that information in a clever way (asymmetric encryption). A well coded challenge-response handshake can allow the reader and chip to conduct a conversation that is 'unique' and cannot be easily duplicated later on. Sure, there is the potential for it to be improperly coded, or downright misrepresented. However, don't count it as a failure before it's even seen the light of day.
Come on! What's happened to Caltech, Georgia Tech, and Texas A&M?
But he'll refuse to pay out when it has been cloned!
1. Incredible claim
2. Investors
3. Profit!
Somehow there's a product or service, but it's really corollary to the process...
uncloneable == not possible to hack therefore !valid ...
?
beware he who denies you access to information for in his mind, he already deems himself to be your master (SMAC-ish)
"DNA" is unclonable why, exactly?
From the illustration, it looks like a simple challenge response mechanism. All I have to say is: duh!
So they finally added some form of authentication. This is what smart cards were supposed to be when I first heard about them 10 years ago. Simple RFID was never intended to be used for something secure: it was meant to replace bar codes or magnetic strips.
What you are talking about is a passive RFID device, like most office keycards from the 80's and early 90s. RFID nowadays is more complex, with the devices having a small computer chip in them that is actually powered up by the RFID. Having this chip allows secure encryption between the device and the terminal such that sniffing in on the conversation should get you no further than sniffing on a properly negotiated SSH session will.
The hole in the scheme of course is, if the crook gets his hands on the keyfob for a short period of time, it is the same as having your SSH private key, and he can clone the chip in the keyfob and return the original without you even knowing.
This company is saying they have a new chip that incorporates physical properties of the chip itself into the encryption somehow such that cloning it would be recognizable.
Sure, it can allegedly stop them from being cloned, but what about read?
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
The gauntlet has been thrown down.
bash: rtfm: command not found
Fine, you have hardware limitations in hardware you control that prevent it from being directly cloned (as of now)... but how does it handle against someone spoofing it or emulating what is expected?
If you make a reader that can detect a difference, you surely can create an emulation device to produce a sample of the difference back.
If it's a matter of a mutating algorithm over time and reads, then it can be spoofed through reverse engineering and brute force to discover the seed and algorithm.
So, how do they manufacture these things? Obviously there must be a way to copy them.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
That sounds like a wager to me!
qntm.org
The war for clones, begun they have.
If it is predictable, then there's a series of characters it's expected to send under a given condition and it can be cloned.
Otherwise it is random and can not be differentiated from others.
lol: You see no door there!
If they can manufacture them and distribute them in bulk, with unique private keys for each RFID chip, but still have it be cheap enough, then en masse yeah, they'd be un-hackable. In specific single units though, it'd just be a matter of time, as it always is.
All that is of course assuming that they'd actually succeed at implementing the whole mess without leaving exploit gates open.
August 4, 2009
Hackers at the annual DEFCON conference have announced they have succeeded in cloning the "unclonable" RFID chip. Jerry "Botnet" Goldblatt led the effort in defeating the security on the RFID chip. According to Jerry, "Cloning the 'unclonable' RFID chip was even easier than breaking Oracle's 'unbreakable' Linux. It just goes to show that marketing runs IT." The team is now accepting donations of Red Bull, Grey Goose and Hawaiian skunk as they add a module to metasploit to further simplify the attack.
So, is it unclonable like the Titanic was unsinkable?
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
In theory (crypto theory), this can be done if the parties communicating have a shared secret piece of data and a crypto algorithm, resistant to reverse-engineering from outside, that enables them to exchange that secret data without eavesdropping, man-in-the-middle attacks, or a brute-force cracking of the crypto algorithm.
This is quite hard to do properly in general, as the plethora of lousy cryptosystems attests. It *can* be done if one has enough processing power (tough for RFID chips that operate from microwatts of someone else's broadcast RF energy) and a good enough encryption algorithm (see "lousy cryptosystems" above).
Of course, if you can duplicate the data content and algorithms of the RFID chip, say by physically dismantling it layer-by-layer with a destructive analysis, you can clone it even if you don't know the shared secret. The article is claiming (without ANY credible evidence, BTW) to have somehow made this impossible, presumably by creating some random-but-repeatable property in the chip that cannot be extracted by analysis for reproduction in a cloned chip. Unless they've come up with something VERY effective, I'd bet on this system being cracked within months just like all the other RFID schemes. The lack of description or references to how their system works smells like bad crypto and security-by-obscurity to me.
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
The use of language is strange.
Unclonable: cannot be cloned
DNA: a molecule that clones itself.
It's not the best choice of marketing metaphor.
It's like saying that an event is possibly inevitable.
-Sean
What this boils down to is that each chip is unique in the hardware or hardware+firmware.
In order to clone one, you have to manufacture a new chip. A determined adversary such as a government or a well-heeled competitor with access to electron microscopes and similar technology may be able to clone a particular chip.
They shouldn't advertise "unclonable." Instead, they should advertise "heavily clone-resistant."
One way to make it harder is to embed the unique parts in a tamper-destruct casing, so any attempt to peek inside will cause the circuits to change in a hard-to-reverse-engineer way before they can be analyzed.
Even 20 years ago, certain chips used by the military had to be encased in tamper-resistant or at least tamper-evident casing to deter espionage. In order for a particular chip to be "unclonable," it must not fall into the hands of someone with the will and means to clone it. Making it self-destruct-on-inspection goes a long way to raising the cost of any cloning attempt.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I couldn't guess how soon it'll happen, but I'll tell you what sound it'll make when it does: "PUF"
If it's that far away and offline, how do you know I didn't install one too?
According to their pdf, the chip is manufactured in such a way that each chip has physical flaws due to the manufacturing process that are "impossible" to duplicate. These flaws are then used in a challenge/response mechanism to provide authentication for the chip. Basically, after you manufacture the chip you feed a bunch of challenges into the chip and then record the responses "in a database". Once the chip is deployed, you can issue one of the same challenges and see if the response is the same as what you have stored.
"Well, we were watching Prison Break, and we figured that we can't have that happening all willy-nilly!"
I am sure jolly ole Santa Claus can clone them in his/her/their workshop.
You do know the elves only make one of each toy and then send them through a cloner that assembles every quark identical to the original, including the elves' fingerprints.
The very essence of DNA is self replication.
\u262D = \u5350
Maybe Unclonable(TM) is the brand name.
I wouldn't give it to the end of the year, unless it doesn't come out until xmas time.
Hey, wouldn't a warranty replacement be kind of hard to find?
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
Is it ironic to mod this redundant?
This is how DVD encryption was broken. The theory was fine, but there was no way to secure the private keys when they were included in every shipped device. "DVD John" (IIRC) lifted the private key from Xing's player and it was game over for DVD encryption. I believe this happened within six months of when DVD players began shipping.
Then complain that the clone doesn't function according to his definition of the word, and that anyone who cloned it like that was just /asking/ for trouble anyway
Check out my sysadmin blog!
...taunt the hackers...
It totally depends on the actual implementation. Unclonability is certainly possible, in the sense that cloning would require the destruction of the chip and is likely to fail anyway. It would require rather elaborate calculations on the RFID chip though. "Electronic DNA" and "fingerprinting" don't quite sound like the chip uses an internal secret and cryptographic functions to protect the secret. It sounds more like they use an analog implementation detail which differs from chip to chip and is currently "too difficult" to replicate close enough. That is certainly clonable nondestructively, given sufficiently expensive high frequency radio technology.
Why clone it when it is easier to mimic its output?
Tsukasa: All I really want, is to be left alone...
This sounds suspiciously similar to how DVDs are encrypted. The key is unique to each DVD and then an encryption algorithm was supposed to make the DVD unreadable to law-abiding consumers.
We all know how well that worked out.
It also seems to me that the concept of an unclonable RFID is an oxymoron. On the one hand, a mass-produced electronic device, on the other unique identifiers that are not intrinsic to the manufacturing process. In addition, the chips must work with each other. In short two competing and mutually exclusive imperatives.
What happens when the chip in my iGadget gets zapped by my overly precocious 4-year-old in the microwave? How can I prove legitimacy?
It is certain to end up in the courts.
on a strict grammatical basis, you have a point.
In terms of how scientists actually use the words "clonable" and "unclonable": clonable means you can get copies of the original DNA molecule to replicate inside a new cell, either from the same organism or a different organism.
In many cases, DNA that is quite happy in one cell type is not happy in another; this was a big problem in the human genome project, as most of the work was done with human DNA cloned into E. coli, and there is a lot of human DNA that is very unhappy in E. coli, i.e., unclonable.
Another part of clonable is that in vivo, most DNA exists as long (> 1e6 bases long) molecules, and most clones (pace BACs, PACs, YACs, etc.) are much shorter. If you chop up DNA, you can remove control sequences, and make the DNA unclonable, e.g. if you had the gene for cell death, which is normally OFF because next to the gene is an OFF signal, and you try to clone a piece that lacks the OFF signal, you might kill every cell the DNA gets into - functionally, the DNA is unclonable.
Here's my theory...
The RFID chip identifies itself with the RFID receiver, allowing the receiver to look up the chip's encryption keys and respond with a password. Now all communications are encrypted. In order for the chip to communicate it has to encrypt its transmission, so the chip requests the key from a separate chip. The separate chip will only respond with the key if it has the correct password that was received during the handshake.
In order to thwart a brute force attack, the separate chip has a built in delay to prevent multiple failed attempts. Now the key that is returned by this chip is probably some sort of physical fingerprint unique to the chip.
Hybrid smart cards that do card-to-card-reader security contactlessly and on-card crypto can do this now. RFID is fundamentally a type of smart card (a dumb one). Are they now claiming to have slapped "RFID" on a (decent) smartcard and claiming an innovation, or am I missing something?
If you want unclonable you want a smartcard not an RFID tag. To call the latter RFID is dumb. It is just going to cause confusion.
This chip utilizes PUFs (so called Physically Unclonable Functions). These are currently a hot topic of research, especially in the secure embedded computing community.
The fundamental idea is that a PUF should produce a unique value for a chip, in a repeatable fashion, with a side effect that modification of the chip will be detectable.
PUFs are of 4 main types -
1. Optical - These are the oldest forms of PUFs. They started with physicists trying to use chips as diffraction gratings. You shine a laser at the silicon vias and record the signature of light. These require depackaging the chip in question and are mostly impractical
2. Silicon - Usually implemented as long delay lines, but are sensitive to environmental conditions (mainly temperature & injected faults) There remains an ongoing research attempt to make these better (less reliant on environmental factors)
3. Coating - These are currently considered one of the best forms of PUFs. The topmost layer of the chip has some embedded metal flakes. The bottom layer of the chip has a capacitance sensor. Since the distribution of the metal flakes is random, the capacitance is random and unique to each chip (the resolution of the capacitance sensor is tuned to ensure this). This method has the added advantage that the minute someone tries to attack the chip, by depackaging it, the capacitance changes and the chip's data (usually the secret key for an encryption cipher such as AES/DES) can be wiped. The main problem is that it adds a few extra fab steps, which means it increases the cost. Additionally, the first calibration costs more money to do.
4. Intrinsic - These are the current area of research. In particular for FPGAs. As any hardware designer knows, RAM cells are initialized to random values, but most FPGAs have some small logic which resets them all to zero. If we remove that logic, we have a chip which has a whole bunch of random numbers, which will usually initialize the same way, based on process variation etc. This technique has been shown for FPGAs and will probably be brought over soon to full scale chips.
In order to keep this short, I have omitted a lot of references, but you can find more info about intrinsic PUFs here.
Actually Philips does a lot of research with PUFs and I am surprised that Verayo claims to be the first maker of PUF based chips.
Legally obligatory sig : My opinions are my own... etc etc
Okay so it can't be "cloned" but with any RFID chip or any wireless device really, you don't have to clone or fake anything. This makes it sound easier than it is but basically you just record what it beams over wirelessly and then repeat it and tada, it thinks you're the original chip. You don't have to decrypt it or even know what it is you're beaming over, just broadcast exactly what the original one did and it thinks you're that one as long as it doesn't change every time. That could be a problem for passports and those badge sensor things at workplaces. Not so much for chips that don't repeat the same thing over and over though but who uses them for that?
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
I doubt it's a problem with most RFID installations since the reader needs to verify the tag against some central database. Thus you can now have a unique private key for each tag while storing the unique public tag in the database. If any private key is retrieved then it can be simply disabled in the database without problems. DVDs can't do this because they need to work on stand-alone non-networked players.
Plan 9 from User Space.
Yeah yeah, and then he'll tell you that qmail is so secure it's never needed patching. The truth is, he's tired of it and will never WANT to patch it.
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
I'll take that action, I'm splitting my bet, half to MacGyver, who does it with lemon juice, a ball of twine and pencil lead, and the other half on Visa and Mastercard, who then patent the process of cloning and sue anyone who tries into oblivion.
"electronic DNA for silicon chips" Do you grasp the full meaning of this people?!?!? THEY CREATED ARTIFICIAL LIFE! And it all started with a humble search for improved RFID...
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
All these claims of "unclonable", "unhackable" etc. are probably untrue. It's sort of like the claims that were made about locks. All that a lock does is to keep the honest man honest. A lock works by delaying the intruder long enough to catch him. If someone wants to overcome your security and has enough time, they will prevail. All that good security does is to buy you some time. If Fort Knox had only the locks and vaults but nobody watching, thieves would eventually get in.
Why, was it developed by djb?
If it reads, we can clone it
I am the richest astronaut ever to win the superbowl.
Seriously.
All one would have to do, provided there is a limited amount of responses (which seems plausible considering it is embedded in the chip), just carpet-bomb the RFID with queries. Burn up all them responses, and "Presto!", useless chip. And THAT could be done while some guy is standing next to you on the subway. Get to work and the fucking thing doesn't function anymore.
Now, if they used a rotating list of responses, the same carpet-bombing would reveal that, eventually resulting in a list of correct responses to queries.
Yay for ineffective technology!
If nothing else, it will inhibit the use of them if people that have them for legitimate uses find them unusable all the time.
if we could take a young child, possessor of the greatest marvel known to biological or computational science, namely a brain, and manage to educate that child so he had a statistically reasonable chance of not growing up to think like a moron?
The specific moronity I have in mind is all or nothing thinking.
There is not a safe in the world that cannot be opened without its combination or keys. That's why you don't rely on a safe to be perfect. You have burglar alarms, surveillance cameras, and frequent physical checking. A good safe turns out to be highly useful, if you understand its limitations. But even a very good safe can be worse than useless if you believe it to be impenetrable.
Any artifact which is subjected to the scrutiny of hostile ingenuity will fall to that ingenuity. So you don't buy anything with the idea that it is magical unbreakable pixie dust you can sprinkle on a problem. Anybody selling magical unbreakable pixie dust is selling to people they think are morons. So caveat emptor.
Now, if somebody said they are selling clone resistant RFID tags, that's interesting. How resistant? Even just a little resistant may in some cases have a great deal of value, for example where the value of what is protected by the technology exceeds the cost of effort to duplicate it.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
household hacker. and he'll do it with an onion, some gatorade, and a penny.
but the penny has to be REALLY SHINY.
They will never stop until somebody makes the
Wait till Sony gets a hold of this idea. You'll be buying your movies in 1 second clips each stored on a different RFID chip.
DRM, it's for the greater good.
The chip is not a public key crypto device; it looks like it has a unique hashing function built in. The system is based on a manufacturer-controlled database of message and digest values. Once the RFID reader detects this chip, it gets its ID and sends it to the manufacturer database; the database sends back a one-time message for the chip to hash (the one-time thing is crucial - it guarantees that a given challenge will not be sent twice, so no replay attack and no MITM on the network connection from the reader to the manufacturer DB). The digest is sent back and if the stored digest and the one returned by the reader match, the chip's identity is confirmed. It seems that the manufacturer builds a database of message / digest values after getting the chip from the vendor, treating it as a black box device, and the hashing algorithm never leaves the RFID vendor.
The chip might also be a stateful device, but this would introduce many problems (if the manufacturer DB gets out of sync with the chip, it's useless).
I think that obtaining the original chip (stealing it) would be always easier than duplicating it with this system. To successfully attack it (convince an uncompromised reader that you have the true chip) you would have to:
a) Record all possible responses to all possible challenges from the original chip. I think this is the way the system is particularly resilient to - if the message and response are at least 64 bits long, or there is any delay, then it is impossible.
b) Replicate the chip physically, using a microscope. This is theoretically possible but would be extremely costly, and probably unfeasible.
c) Steal the hashing algorithm from the RFID vendor. This would give you next to nothing if the hashing algorithm used a seed that is never broadcast from the chip (eg. serial # from the picture), so you would have to resort to b) to get it.
d) Steal the C/R database from the manufacturer. This is probably the easiest way, but the manufacturer can't notice or you have to steal the data for very many chips, making revoking them all a major blow for the company.
The main idea here is not being able to construct a fake chip based on data the real chip broadcasts.
Any other ideas?
Those who would give up liberty to obtain working drivers, deserve neither liberty nor working drivers.
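The enrollment and one-time challenge/response flow described in the post above, as an added simulation that is not Verayo's design or code: a PUF is modelled as a keyed hash over a per-chip secret that never leaves the chip, with a couple of noisy bits per evaluation so the verifier must match on Hamming distance. The scenarios show a second chip with copied digital data failing, a recorded response being useless against a fresh challenge, the enrolled pair store running dry (the exhaustion problem raised elsewhere in the thread), and what happens if a verifier reuses a challenge. All names, sizes and the threshold are assumptions of this example.

```python
import hashlib
import hmac
import random

RESPONSE_BITS = 64


class SimulatedPuf:
    """Stand-in for a silicon PUF (assumed model, not a real chip's behaviour).

    The per-chip 'structure' bytes model process variation: they never leave
    the object and are stored nowhere else, just as a real PUF's physical
    properties are not readable over the air. A few response bits flip on
    every evaluation to mimic temperature/voltage noise, which is why the
    verifier matches on Hamming distance instead of equality."""

    def __init__(self, rng, noise_bits=2):
        self.rng = rng
        self.noise_bits = noise_bits
        self._structure = bytes(rng.getrandbits(8) for _ in range(32))

    def respond(self, challenge):
        clean = hmac.new(self._structure, challenge, hashlib.sha256).digest()[:8]
        bits = int.from_bytes(clean, "big")
        for _ in range(self.noise_bits):
            bits ^= 1 << self.rng.randrange(RESPONSE_BITS)
        return bits.to_bytes(8, "big")


def hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


class Verifier:
    """Holds the enrolled challenge/response pairs (CRPs) per chip.

    Each stored challenge is issued at most once and deleted after use, so a
    recorded response is worthless in any later session."""

    def __init__(self, threshold=6, reuse_challenges=False):
        self.threshold = threshold
        self.reuse_challenges = reuse_challenges  # True models a broken verifier
        self.db = {}

    def enroll(self, chip_id, puf, rng, n_pairs):
        # Enrollment: the manufacturer feeds random challenges to the black-box
        # chip once and records the answers; the chip's internals stay unknown.
        pairs = []
        for _ in range(n_pairs):
            challenge = bytes(rng.getrandbits(8) for _ in range(16))
            pairs.append((challenge, puf.respond(challenge)))
        self.db[chip_id] = pairs

    def authenticate(self, chip_id, transceive):
        """transceive(challenge) -> response models the reader/tag exchange."""
        pairs = self.db.get(chip_id, [])
        if not pairs:
            return "exhausted"  # every enrolled CRP already consumed
        challenge, expected = pairs[-1] if self.reuse_challenges else pairs.pop()
        response = transceive(challenge)
        return "ok" if hamming(response, expected) <= self.threshold else "reject"


def run_scenarios(seed=7):
    rng = random.Random(seed)
    genuine = SimulatedPuf(rng)
    copycat = SimulatedPuf(rng)  # different silicon, same digital contents
    recorded = {}                # constructed eavesdropper's notebook

    def eavesdropped(challenge):  # genuine chip answers while attacker records
        recorded[challenge] = genuine.respond(challenge)
        return recorded[challenge]

    def replay(challenge):        # attacker can only play back recordings
        return recorded.get(challenge, bytes(8))

    results = {}
    good = Verifier()
    good.enroll("tag-1", genuine, rng, n_pairs=4)
    results["genuine"] = good.authenticate("tag-1", genuine.respond)
    results["copied_data"] = good.authenticate("tag-1", copycat.respond)
    results["sniffed_session"] = good.authenticate("tag-1", eavesdropped)
    results["replay_fresh_challenge"] = good.authenticate("tag-1", replay)
    results["crps_exhausted"] = good.authenticate("tag-1", genuine.respond)

    weak = Verifier(reuse_challenges=True)
    weak.enroll("tag-2", genuine, rng, n_pairs=1)
    weak.authenticate("tag-2", eavesdropped)
    results["replay_reused_challenge"] = weak.authenticate("tag-2", replay)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} {outcome}")
```

The last scenario is the point made later in the thread about digitized responses: once a verifier repeats a challenge, a copy of the bits is as good as the physics.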
While the physically random properties can't be cloned, any digital system must derive a digitized, binary version of that signature, and that can be cloned.
In the end, this gives you a little extra security relative to just putting a bunch of bits in a PROM, but not much.
So every one of these chips has to be synched with a central database? Good luck speeding up clocking times with that. And if there are multiple databases you surely could also circumvent one to make a chip work for you. Why not just give me a key for anything again? At least that can't be copied just by walking past my pocket.
There is a new contender in the ring!
cat
you get done reading this message, it will have been cloned.
And the Hindenburg!
I parsed puf as puff and I asked myself what were they smoking....
capcha insipid how insightful
I've seen articles like these before, on Slashdot. They have one thing in common: a few hours or days later, the completely opposed topic is submitted on /.
I claim the original poster (OP) already has proof that it can be hacked.
How does it work?
1. OP accidentally finds a shocking article (vendor is usually some unknown company)
2. OP searches for an older, usually a bit boring, article which claims the opposite and posts it here
3. Wait 1 day
4. Post article from #1
5. Profit
a new RFID chip from Verayo claims to be unclonable through the use of the new Physical Unclonable Functions (PUF), sort of an electronic DNA for silicon chips.
DNA is cloneable. In fact, DNA routinely clones itself. Hell, the word "cloning" refers directly to DNA manipulation. Saying uncloneable like DNA is like saying it's unspreadable like peanut butter. The OP should refer to fingerprints, a unique physical assignment that can only be duplicated physically.
The crucial part is that the PUF must be packaged with reading hardware/firmware, such that you can't access the PUF without physically breaking in, disrupting the PUF rendering it invalid. And even if the key was effectively "sampled", the damage should quickly result in the termination of the key's access permissions, before a substitute could do much damage.
Also it would be difficult to clone many original keys, since they would have to come into a hacker's physical possession, though it may be easy to make many copies of one key. Kind of moot when it's been cancelled.
Sounds like a step forward, from magnetic strip cards at least!
War as we knew it was obsolete
Nothing could beat complete denial
- Emily Haines
Secure and "Passive RFID" should never be used in the same sentence. Let us completely ignore the fact that the RFID tag is going to have a finite number of challenge/response pairs which makes this scheme a total joke. You will never see a secure passive RFID system because there isn't enough energy transferred to power a circuit with a scheme complicated enough to pull this off. Active RFID could be secured to the point where it would be effectively unclonable, but it would still be pretty difficult.
I think the invisible hand of the market has its middle finger extended
--A wise old fart named SC0RN
The fiddle freaks of the world have yet to clone a Stradivarius.
Every bottle of wine tastes different to wine snobs.
In principle it is possible to make absolutely unique items.
In practice you just have to make cloning prohibitively expensive.
So when something's clonable iff you have a spare wafer fab capable of handling interesting geometries and strange substrates, or the signal is clonable iff you're willing to haul around a quarter ton of DSP racks, then it's _practically_ unclonable.
Really, you folks need to be thinking more Stradivarius, or Stevie Ray's Stratocaster, and cogitating on the way your brain can identify a song given just a fraction of a second, to understand how even cheap RFID tags can be made practically unclonable.
And I'm only thinking of passive tags and tiny amounts of power.
Wasn't Ted Glum's talk at COMDEF-2008 fascinating?
how many weeks until this is broken?
But you couldn't just swipe someone's butt
Uh, is that like an ass-swipe? Huh huh huh....
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
I, for one, take all marketing messages at face value.
I don't know what's up with you guys.
Fascist gov'ts drool... maybe this will finally be the chip that goes into our necks?
IT folks designing stuff that cannot be defeated remind me of the Nazi scientists and all those experiments Germany was so interested in that filled our nightmares in the 63 years since.
Why are they (maybe you?) helping them, hmmm?
My money is on MIT, within two weeks.
"No other chip or device can be disguised as the original chip, even if the data is copied from one Verayo RFID chip to another."
So because it can still be copied... is "that" supposed to make us feel more safe?
Oh wait! it's not the original!
blah... I thought the idea was to be copy proof, as well as "safe, and secure data"? Guess not.
And the frist complete, correct, ontopic slashdot pos
2^3 * 31 * 647
"Sure, the boys in Ryan's lab can make it hack-proof. But that don't mean we ain't gonna hack it." -- Pablo Navarro
Unclonable? That's unpossible!
"But this one goes to 11!"
Most of the comments here are from people who are getting tripped up on the market-speak. When they say 'unclonable', most of us here think 'not possible to copy'. And this idea is reinforced with the idea of PUFs, so it's understandable you'd think this way.
However, I think they mean 'not clonable AND still functional'.
See, there's one thing they are doing that other RFID implementors have typically avoided, which is communication with a central database. When you have that, you don't have physical access to the central store, so that is, by itself, a (or the) PUF.
Couple that with read/write storage in the RFID itself, and you have a simple, automated way to make all copies invalid: if you successfully clone a working RFID, if the original is used, the challenge-response counter is incremented in the central database as well as in the original RFID. The clone _cannot_ have the same counter, so it is immediately unusable.
However, if their scheme is mostly that simplistic, then it's ripe for DoS attacks, where you clone an RFID and use the clone before the original can be used again, making the original unworkable.
If there is a defense for such a DoS attack, then they still have an issue: if the central database considers an RFID invalid for any reason (non-malicious, but slow communication with central database causes the RFID to miss its RF power cycle window, perhaps), such that you no longer trust it, is it still an 'id'? If it is, what's all the crypto for? Maybe it's just a sales tool, too?
Anyway, semantics aside, I think someone will prove them wrong in relatively short order.
For crypto products in general, this may always be the case: to me, it seems that there's more unemployed brain power with the right mindset to tackle such problems than there is in employment, in large part, because being employed causes the right mindset to become not-the-right-mindset over time.
eskwayrd = m^2c^4
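The counter-synchronisation scheme the comment above sketches, and the denial-of-service failure mode it points out, modelled as an added example (constructed for this thread, not Verayo's design or code; the tag and database classes, the HMAC-based response and the tag ids are all hypothetical). The central database and the genuine tag both keep a per-tag counter; a clone that copied the stored data carries a stale counter, so whichever device checks in second is the one that gets rejected:

```python
import hashlib
import hmac
import secrets

# Constructed model, not Verayo's scheme: a tag whose stored data (id, secret,
# counter) can be copied bit for bit, and a central database that tracks the
# last counter value it accepted for each tag id.


class Tag:
    """A tag with copyable storage: an id, a secret and a use counter."""

    def __init__(self, tag_id: str, secret: bytes, counter: int = 0):
        self.tag_id = tag_id
        self.secret = secret
        self.counter = counter

    def clone(self) -> "Tag":
        # Exact copy of the stored data, taken at this moment.
        return Tag(self.tag_id, self.secret, self.counter)

    def respond(self, nonce: bytes) -> tuple[int, bytes]:
        # Authenticate over (nonce, counter), then advance the counter.
        msg = nonce + self.counter.to_bytes(8, "big")
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        used = self.counter
        self.counter += 1
        return used, mac


class CentralDB:
    """Holds the enrolled secret and the next expected counter per tag."""

    def __init__(self):
        self.records: dict[str, tuple[bytes, int]] = {}
        self.blocked: set[str] = set()

    def enroll(self, tag: Tag) -> None:
        self.records[tag.tag_id] = (tag.secret, tag.counter)

    def authenticate(self, tag: Tag) -> str:
        """'ok', 'stale' (counter behind: a second device shares this id)
        or 'blocked' (id locked after an earlier mismatch)."""
        if tag.tag_id in self.blocked:
            return "blocked"
        secret, expected = self.records[tag.tag_id]
        nonce = secrets.token_bytes(16)
        used, mac = tag.respond(nonce)
        msg = nonce + used.to_bytes(8, "big")
        good_mac = hmac.compare_digest(
            mac, hmac.new(secret, msg, hashlib.sha256).digest())
        if not good_mac or used != expected:
            # Two devices are presenting the same identity: lock the id
            # so the conflict is investigated rather than silently accepted.
            self.blocked.add(tag.tag_id)
            return "stale"
        self.records[tag.tag_id] = (secret, expected + 1)
        return "ok"


def clone_detected_scenario() -> list[str]:
    """Original used first: the stale clone is caught on its first use."""
    db = CentralDB()
    original = Tag("tag-0001", secrets.token_bytes(32))
    db.enroll(original)
    clone = original.clone()
    return [db.authenticate(original), db.authenticate(clone)]


def dos_scenario() -> list[str]:
    """Clone used first: it passes, and the genuine tag is then locked out."""
    db = CentralDB()
    original = Tag("tag-0002", secrets.token_bytes(32))
    db.enroll(original)
    clone = original.clone()
    return [db.authenticate(clone),
            db.authenticate(original),
            db.authenticate(original)]
```

`clone_detected_scenario()` returns `['ok', 'stale']`; `dos_scenario()` returns `['ok', 'stale', 'blocked']`, which is exactly the lockout the comment describes: the database cannot tell the copy from the original, only that two devices disagree, so the policy on a mismatch (block, alert, or require re-enrolment in person) is where the real design decision sits.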
There is precisely one way to make a device un-clonable, and that is by quantum mechanically entangling it with a central authority. The no-cloning theorem of quantum mechanics then ensures that there is no way to record the state of the system without disturbing it in the process, thus destroying the entanglement. Obviously this is tricky to implement in practice (read: impossible with existing technology), and the device could only be identified once, after which its state would be ruined and the entanglement broken, but at least in theory every classical system (i.e. every system not relying on QM) can be cloned. It may be exceedingly difficult to achieve in practice (good luck creating two diamonds with the impurities at the same locations in the crystal lattice, as an example), but it is at least in principle possible.
As we all know, the most unclonable thing in the world happens to be DNA.
Do you mean the new (fan?)twist to the Bio Booster Armor Guyver manga where a handyman builds his own Guyver from stuff from the scrapyard, the chicken farm, at the slaughterhouse and in the McDonalds dumpster? Anyway, why leave out the duct tape?
The Hacker's Guide To The Kernel: Don't panic()!
somebody get Adam Savage!
Implausible to crack != Impossible to crack.
moreover...
MadTigger's 1st Law of Cryptography: The harder you claim it is to crack, the more people will work to crack it.
HA! I just wasted some of your bandwidth with a frivolous sig!
There's lots of security schemes to protect valuables. Every one of them has been defeated at one point or another except for the FDR Admin. plan to keep the US Gold Depository safe. They stored the gold beside a US Army tank brigade. There's an Air Cav regiment there too now. They could put that gold bullion in a pile in an open field and still nobody will touch it. Nobody is going to screw with the tanks that are right next to the gold.
They said that it used some write-once ROM, so I'm thinking that they are thinking that since no one could take one of their chips and overwrite it with the data of another chip completely (b/c of the write-once ROM) that it can't be cloned. If this is true then it's totally cloneable since no one ever said that the clone had to even fit into anything resembling the original. I don't know a lot about RFID, so I'm speculating a lot.
This chip might be indeed unclonable, i.e. it cannot be emulated by another chip with the same look and same inner structure. But it's still very much copyable, i.e. it can be emulated by another chip with a different look and/or inner structure.
Think of a mechanical door key made of platinum: A normal locksmith may not be able to clone it since he doesn't have platinum key blanks and his tools are not tuned to process platinum. But he can still copy the key using a usual key blank, and this copy, though not made of platinum and thus not a clone, can still emulate the original key, i.e. opening the respective door.
Since the whole purpose of RFID is contactless access, the chips are usually out of sight during real world usage. That means clonability is nearly irrelevant, emulatability is the real issue.
Perhaps calling it "electronic DNA" was a bad idea if you're going to claim people can't clone it.
If they're using the slight differences that come about in a chip due to the manufacturing process, they're doomed to fail.
The physical characteristics of the chip will change with temperature, humidity, use, time, etc.
All of our digital stuff is run by analog physics, and we have to be very careful to make sure our digital world can tolerate the variations in the analog world. By tapping into the physical characteristics, you end up relying on the random, unpredictable characteristics.
They are not static. They are not to be trusted. TFA mentions making the damn thing reliable, which only means giving the thing a margin of error, probably by reducing the precision at which you measure the chosen physical characteristics and map them to discrete digital values (whether said values are stored or not).
It then becomes a matter of discovering which physical characteristics are used and how. Microscopes, tiny probes, and patience will get you very far in this regard.
Physically encasing the chip in plastic or resin or what have you only slows the process down.
(And yes, all the analog physics is really digital when you go down far enough.)
You mean like the SecurID fobs?
Where it takes two of them to make a working one, manually disassembling one (destroying the chip) and using solvent on the other (destroying the LCD)?
-- Terry
both cloning and DNA in the same summary and it implying the latter is not possible...
The article wasn't super informative, which is troubling. Even with a very complex physical layer providing a challenge-response tokening system, we're going to have to be able to validate the tokens. That means that there has to be a knowable pattern from challenge to response, stored in the central certifying authority (otherwise, how will you know that my RFID is actually authentic?)
If you've got access to the RFID for a fair amount of time (say, you're sitting at the next table over at a cafe with a laptop), you'll probably have enough time to keep poking the RFID with challenges in order to gauge its responses. Enough responses and you'll have enough data to reverse-engineer the mechanism, right? Even if it's a public-key system, you've got to be using some sort of standard crypto in there.
So, now you've got a lot of data, generated through some cryptosystem, but the system has to be able to run forwards on a very simple chip, while you've got a very complex and powerful computer to reverse it. I'm not particularly excited about those possibilities, even if you are deriving your private key from some truly random bit of noise at the edge of a silicon spray or something.
The shorter version, of course, would be to say, "uncloneable"? Bah. Maybe "difficult-to-clone". But if it runs on electronics and it's not quantum, I'd be VERY hesitant to say "uncloneable".
Every time I read these sorts of claims about these sorts of products I am reminded of that genius that was Douglas Adams:
"The Hitch Hiker's Guide to the Galaxy, in a moment of reasoned lucidity which is almost unique among its current tally of five million, nine hundred and seventy-five thousand, five hundred and nine pages, says of the Sirius Cybernetics Corporation product that "it is very easy to be blinded to the essential uselessness of them by the sense of achievement you get from getting them to work at all"."
And, if you'll excuse me if this isn't taken verbatim, as I don't have the books handy:
After the great commotion caused by the air conditioning and phone exchange protests, the Sirius Cybernetics Corporation was condemned to apply to every one of their appliances a note stating that, if a product can't possibly fail, when it eventually does it will prove almost impossible to fix. And naturally they had to modify the Guide headquarters windows so that they could be opened.
Maybe I'm not RTFA'ing right, but this doesn't actually stop anyone from snagging the data from it, like the ones on passports or credit cards.
Who cares if you can't clone an RFID-laden credit card! You don't need a physical card to make fraudulent purchases.
It's the challenges which get rotated, not the responses. Each challenge generates a unique response and you can issue the same challenge to the chip as often as you like, so you can't DOS the chip. They aren't embedded, they're generated on-demand, and there are 2^64 in the top-of-the-line model. You needn't increment the challenge for every incorrect response as the odds of guessing the right 64-bit response are vanishingly low, so you can't DOS the system. An exhaustive interrogation would, at the rate of 1000 per second, take half a billion years, so you can't do that either.
Yay for ill-informed criticism!
Chernobyl 'not a wildlife haven' - BBC News
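The rotating-challenge argument in the comment above, and the eavesdropping concern raised a few comments earlier (sit near the tag, collect enough challenge/response pairs, build a device that answers them), modelled as an added example. This is constructed for the thread, not Verayo's code or protocol: the PUF is stood in for by an HMAC keyed with random bytes that represent the chip's physical randomness and are never part of the readable data, and the verifier, sniffer and emulator classes and the tag id are hypothetical. The `rotate=False` branch models the naive fixed-challenge design for contrast, and `years_to_enumerate` carries out the comment's exhaustive-interrogation arithmetic:

```python
import hashlib
import hmac
import secrets

# Constructed model, not Verayo's protocol. The chip's response function is
# bound to unreadable "physics" (here: a random HMAC key), so copying the
# readable data yields a device with the same id but different answers.


class PufChip:
    """Genuine tag: readable id plus a response function bound to the silicon."""

    def __init__(self, tag_id: str):
        self.tag_id = tag_id                      # copyable data
        self._physics = secrets.token_bytes(32)   # models the unreadable PUF

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._physics, challenge, hashlib.sha256).digest()[:8]


class Sniffer:
    """Wraps a genuine chip and records everything that crosses the air gap."""

    def __init__(self, chip: PufChip):
        self.chip = chip
        self.tag_id = chip.tag_id
        self.log: dict[bytes, bytes] = {}

    def respond(self, challenge: bytes) -> bytes:
        response = self.chip.respond(challenge)
        self.log[challenge] = response
        return response


class ReplayEmulator:
    """Device built only from recorded pairs; answers zeros for anything else."""

    def __init__(self, tag_id: str, observed: dict[bytes, bytes]):
        self.tag_id = tag_id
        self.observed = observed

    def respond(self, challenge: bytes) -> bytes:
        return self.observed.get(challenge, bytes(8))


class Verifier:
    """Central authority holding enrolled challenge/response pairs per tag."""

    def __init__(self, rotate: bool):
        self.rotate = rotate        # False models a naive fixed challenge
        self.crps: dict[str, list[tuple[bytes, bytes]]] = {}
        self.used: dict[str, set[bytes]] = {}

    def enroll(self, chip: PufChip, n: int) -> None:
        # Query the genuine chip with n random challenges at manufacture;
        # only the verifier ever holds the resulting table.
        challenges = [secrets.token_bytes(8) for _ in range(n)]
        self.crps[chip.tag_id] = [(c, chip.respond(c)) for c in challenges]
        self.used[chip.tag_id] = set()

    def authenticate(self, device) -> str:
        pairs = self.crps[device.tag_id]
        if self.rotate:
            fresh = [p for p in pairs if p[0] not in self.used[device.tag_id]]
            if not fresh:
                return "exhausted"      # re-enroll from the genuine chip
            challenge, expected = secrets.choice(fresh)
            self.used[device.tag_id].add(challenge)   # never reissued
        else:
            challenge, expected = pairs[0]
        ok = hmac.compare_digest(device.respond(challenge), expected)
        return "ok" if ok else "reject"


def run_scenario(rotate: bool) -> dict[str, str]:
    """Five genuine uses are observed over the air, then a replay device and
    a data-only copy are presented. Returns the verifier's verdict for each."""
    verifier = Verifier(rotate=rotate)
    chip = PufChip("tag-0001")          # constructed id
    verifier.enroll(chip, n=8)
    sniffer = Sniffer(chip)
    genuine = [verifier.authenticate(sniffer) for _ in range(5)]
    emulator = ReplayEmulator(chip.tag_id, sniffer.log)
    data_copy = PufChip(chip.tag_id)    # same id, different silicon
    return {
        "genuine": "ok" if all(v == "ok" for v in genuine) else "reject",
        "replay": verifier.authenticate(emulator),
        "data_copy": verifier.authenticate(data_copy),
    }


def years_to_enumerate(challenge_bits: int = 64,
                       queries_per_second: int = 1000) -> float:
    """Time to read out every challenge at the stated rate, in Julian years."""
    return 2 ** challenge_bits / queries_per_second / 31_557_600
```

With `rotate=True` the replay device and the data-only copy are both rejected, because the verifier only ever sends a challenge the eavesdropper has not seen; with `rotate=False` the replay device passes, which is the whole reason the challenges rather than the responses are what gets rotated. `years_to_enumerate()` comes out near 585 million years, the "half a billion" in the comment. The caveat the model makes visible is the `exhausted` verdict: a finite enrolled pool is consumed one challenge per authentication, so the verifier needs a re-enrolment path or a much larger pool than the eight used here.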
Hey!
What's with editing out the operative word from my post's title!?
Foul! Foul!
What the fuck is Guyver. I said MacGuyver, and I didn't fucking stutter. Were you born in the 90's? If so, get back to your homework, son.
How odd, it certainly wasn't intentional. I generally try not to mess with other people's shit :)
It's like saying that an event is possibly inevitable.
In statistics, that would be perfectly valid. Assume that you're trying to determine if an event is inevitable or not, but your testing so far has failed to narrow down the confidence interval. Thus you cannot say with confidence that it is inevitable nor with confidence say it can be avoided, and so it is still possibly inevitable. Obviously it can't both be inevitable and not, but you can certainly have a probability about a probability. Without things like that, math just wouldn't be confusing enough.
Live today, because you never know what tomorrow brings
Sounds like someone's marketing department is writing checks they cannot cash.
Got Code?
This I know and is the entire point of what I said. The vault merely provides time for the army to act. In the case of Fort Knox, the response time would be very short.
That'll be 2 grand for your next passport.
RR
Yeah, and the crew of the Titanic used these RFID badges to get into rooms where they applied CSS to DVDs.
Well not yet, but when the tech goes public, I give it a week... MAX before it is.
Just because you can't physically alter one chip into another, because of some hardware id fitted into the device, it doesn't mean that another chip could not emulate the protocol perfectly. So one chip cannot be cloned to another chip of the same type, so what?
[]'s Victor Bogado da Silva Lins
^[:wq
Puff is also a legal term, used by 2nd hand car salesmen to hawk their wares/ push product.
Physical access = game over, even if it conforms to NIST, and wrapped in some tough glue and wire.
Scanning lithium niobate labs, and tunneling deposit/removal devices mean anything can be read - it is just more expensive. Schneier is never stupid enough to say never. It may buy time, but cat/mousetrap means, like say cable decoders, it is just a matter of time, but never NEVER.
If it can be made, it can be unmade.
Either you're joking (but I don't hear any whooshing sound passing over me using my Pringles-can/cut-in-half-balloon-duct-taped-to-opening/sucked-out-air-through-hole-in-the-bottom parabolic antenna enhanced hearing device) or you're consistently misspelling MacGyver. And yes, I've watched 'a few' episodes from that show and like them very much, thank you.
For your info, a Guyver refers to the manga by Yoshiki Takaya who just happens to have the same family name as my grandmother. Thanks for asking.
Ring a bell?
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
Thank you grammar police. Take your crappy, second rate manga and go enjoy your dictionary.