As NFC enters the mass market, so too should NFC security
All the stars are in line, and tech industry experts now expect an explosion in the close-range wireless communications technology known generally as Near Field Communicaitons (NFC.) But is it as secure a method of sharing as it could be? According to one company the answer is yes, but cost has been a prohibitive factor up to now.
This week, market research firm iSuppli predicted that the market for NFC chips will grow by a factor of four over the next three years, and NFC chipmaker NXP Semiconductor recently made a prediction that 50 million NFC-enabled consumer devices will enter the market in 2011 alone.
This rapid expansion will be thanks in no small part to the support NFC has received from Google, who incorporated the technology into Android 2.3, and from three of the four major wireless carriers who formed a new joint venture called Isis which focuses on using NFC for mobile banking and "wallet phones."
"Nokia has been carrying NFC phones for the last three years, but now that Google has brought out the Nexus S at a time when smartphones are more popular than they've ever been, you're going to really start seeing these types of solutions in the average consumers' hands," said Vivek Khandelwal, VP of Marketing and Business Development for NFC security company Verayo.
Historically, however, the simple passive RFID components in NFC systems have proven very easy to skim, clone and spoof. This extends even into the chips used in modern US passports which contain an access key to the passport owner's identification. These cards provide very little in the way of security, and a whole industry around RFID shields has sprung up around it. Between July 2008 and March 2010, the State Department has issued more than 2.7 million Passport cards equipped with simple EPC RFID tags.
The problem is that large-scale deployments of RFID tags and readers can get costly, and applying additional layers of encryption can add to the cost.
"Customers have become aware that the most basic RFIDs are susceptible to compromise," Khandelwal said. "They are looking for something more secure than passive RFID, and more affordable than MCU-based smart cards with high-end cryptography."
This middleground is where Verayo wants to step in. The silicon valley company is led and funded by former Sun Microsystems execs, a company which was itself no stranger to RFID technology, and its core offering is an affordable method of authenticating RFID tags using "silicon biometrics."
Verayo's CTO is Dr. Srini Devadas, the Associate head of Electrical Engineering and Computer Science at MIT, and inventor of a technology known as PUF, or "Physical Unclonable Functions," which received its most recent patent (#7,839,278) just one month ago. It is this technology that acts as the cornerstone for Verayo's security offerings.
At a deep enough atomic level, every silicon chip is different, and Verayo's technology isolates these minute variations and uses them to generate a unique "fingerprint" for each chip or RFID tag. These variations simply cannot be cloned by traditional RFID cloning methods, and no personal information can be skimmed from the chip because all that is available is a random key that is useless without the "fingerprint" to authenticate it.
Devadas described it to the International Association for Cryptological Research in the following way:
"The PUF-enabled RFID uses a simple challenge-response protocol for authentication that shifts complexity to the reader or server, and therefore only requires a small number of transistors on the device side. The PUF-enabled processor generates its public/private key pair on power-up so its private key is never left exposed in (on-chip or off-chip) non-volatile storage."
The only hardware that must be endowed with Verayo's PUF system are the ISO 14443-A (13.56MHz) passive chips, and the rest of the identification is taken care of with software on either an NFC reader terminal or smartphone which communicate with the PUF authentication server.
So as NFC enters the mass market, Verayo is looking to supply the security that the mass market can afford to deploy.
"We're telling the world, if you are planning to spend five cents on a plain vanilla RFID, you can get a solution for 5.5 cents that is safe and verified," Khandelwal said.
SEC Disclosure: Tim Conneally is a shareholder in NXP Semiconductor, a company that makes NFC solutions