RFID Product News (ST Media)
Crypto-RF Devices


RFID With 64-bit Embedded Cryptographic Engine

Atmel® Corporation (www.atmel.com) announces the world's first 13.56 MHz RFID devices with a 64-bit embedded cryptographic engine, dual authentication capability, and up to 64 Kbits of memory, each with up to 16 individually configurable sectors.

Atmel's CryptoRF® devices are ideal for proximity applications that represent cash transactions (bus passes, loyalty and access cards, pre-paid phone cards), require a permanent record of the chain of ownership (pharmaceuticals), or are prone to counterfeiting (intellectual property, prescription drugs, high value consumer items, software, building access).

Secure, dynamic mutual authentication capability

Conventional RFID tags can be copied using a low-cost RFID tag reader and used to create fake tags for counterfeit product labels or cash cards. Even password-protected RFID tags can be cloned, because the password can be captured during a transaction or simply read from the device.

In contrast, CryptoRF devices have a 64-bit embedded hardware encryption engine, four sets of non-readable 64-bit authentication keys, and four sets of non-readable 64-bit session encryption keys. Rather than using passwords that are easily captured during contactless transactions, CryptoRF devices use the authentication keys, session encryption keys and a random number to generate a unique identity or "cryptogram" for each transaction. The host reader and the CryptoRF device must both be able to duplicate each other's cryptograms before any data can be accessed or written. The authentication keys and session encryption keys are completely inaccessible, even to the owner of the device. Since a unique cryptogram is generated for each transaction, a cryptogram that has been intercepted during a transaction cannot be used to effect a second transaction.

The host reader reads an existing cryptogram from the CryptoRF, combines it with a random number, and then generates a new cryptogram and a new session encryption key, which it keeps. The host then generates a second 64-bit number called a "challenge" based on the old cryptogram. It sends the "challenge" and a random number to the CryptoRF device. If the CryptoRF can recreate the "challenge" using the random number, it accepts the host as authentic and generates a new cryptogram for itself. The host then authenticates the device by comparing its new cryptogram to that of the device. If the host and device cryptograms match, the device is deemed to be authentic. The host and device may then use the session encryption key to encrypt subsequent communications after establishing a trusted session.

Only an authentic host can read information from a CryptoRF device. The likelihood of a "fake" device creating the appropriate cryptogram is about one in a quintillion. Each CryptoRF device gets a unique set of diversified authentication keys. Fuse bits are blown to permanently lock the security information in the device, guaranteeing they can never be read. Because the keys are diversified, an authentication key learned from one CryptoRF device will be useless with any other CryptoRF device. In the extremely unlikely event that the secrets from one device become known, they cannot be used with any other device.
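The exchange described above, modelled as an added example that is not part of the original announcement or Atmel's own code: a host and a device each hold a diversified key, the host derives a challenge and a new cryptogram from the device's current cryptogram plus a random number, the device accepts the host only if it can recreate the challenge, and both then compare new cryptograms before deriving a session key. The real 64-bit engine is proprietary, so a truncated HMAC-SHA256 stands in for it (an assumption), and the names `kdf`, `diversify`, `CryptoRFDevice` and `HostReader` are hypothetical.

```python
import hmac
import hashlib
import os

# Assumption: the real CryptoRF engine is proprietary, so a truncated
# HMAC-SHA256 stands in for its 64-bit keyed function in this model.
def kdf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:8]

def diversify(master: bytes, serial: bytes) -> bytes:
    """Per-device authentication key derived from a master key and the serial."""
    return kdf(master, b"div", serial)

class CryptoRFDevice:
    def __init__(self, auth_key: bytes, serial: bytes):
        self._auth_key = auth_key          # locked in the chip, never readable
        self.serial = serial
        self.cryptogram = os.urandom(8)    # current cryptogram, readable by anyone
        self._session_key = None

    def authenticate(self, challenge: bytes, rand: bytes):
        """Recreate the host's challenge; on success advance the cryptogram."""
        expected = kdf(self._auth_key, b"chal", self.cryptogram, rand)
        if not hmac.compare_digest(expected, challenge):
            return None                    # host is not authentic
        self.cryptogram = kdf(self._auth_key, b"next", self.cryptogram, rand)
        self._session_key = kdf(self._auth_key, b"sess", self.cryptogram)
        return self.cryptogram             # host compares this with its own

class HostReader:
    def __init__(self, master_key: bytes):
        self._master = master_key

    def authenticate(self, device: CryptoRFDevice, rand: bytes = None):
        rand = rand if rand is not None else os.urandom(8)
        key = diversify(self._master, device.serial)
        old = device.cryptogram                      # read the existing cryptogram
        challenge = kdf(key, b"chal", old, rand)     # challenge based on old cryptogram
        new_host = kdf(key, b"next", old, rand)      # host's own new cryptogram
        session_key = kdf(key, b"sess", new_host)    # kept by the host
        new_dev = device.authenticate(challenge, rand)
        if new_dev is None or not hmac.compare_digest(new_host, new_dev):
            return None                              # device is not authentic
        return session_key                           # trusted session established
```

Because the device's cryptogram advances on every successful transaction, a captured challenge and random number are rejected when replayed, and a device built with a key lifted from another serial fails the host's check.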

Chain of ownership tracking

CryptoRF devices are available with EEPROM densities from 1 Kbit to 64 Kbits of user memory to accommodate a wide range of information storage and cost requirements. The user memory itself may be divided into as many as 16 separate sections, each of which can be customized to allow a different level of read and write access: read and write, read-only, one-time-programmable, or completely inaccessible to anyone. A complete history of the ownership, distribution, and disposition of a product can be stored on the CryptoRF device.

Dual authentication supports cash-equivalent cards

Uniquely, CryptoRF devices allow two completely independent users, each with its own separate authentication key, to access the same section of memory. This feature is useful for applications such as cards used in cash transactions, for example pre-paid phone cards or bus passes.

© 2003-2008 ST Media Group International. All rights reserved.