Contactless cards: Know your enemy (and your friends)
- By William Jackson
- Sep 06, 2006
Inside out: The inner workings of a smart card.
Recent controversy over the use of radio frequency communications in government documents has spurred the smart-chip industry to form yet another coalition.
The Secure ID Coalition was announced at the National Conference of State Legislators in August. Founding members include card makers Gemalto Inc. of Washington and Oberthur Card Systems of Rancho Dominguez, Calif., and chip makers Infineon Technologies North America Corp. of San Jose, Calif., Philips Semiconductors NV of Amsterdam, and Texas Instruments Inc.
They are all also members of the Smart Card Alliance, and the message of the two groups is the same: Contactless digital technology can be secure as well as efficient. The difference: The Secure ID Coalition is a lobbying organization.
'Where we will engage, where the Smart Card Alliance can't, is in Congress,' said James Sheire, manager of government programs for Philips. 'That's where they cannot tread and we can.'
Contactless ID is a 'hot new technology' being driven by government, Sheire said. The Common Access Card, Personal Identity Verification card and electronic passports have adopted RF communication between the chip and a reader.
Well-publicized privacy concerns over RFID tag technology and a high-profile debate on which RF technology should be used in the Western Hemisphere Travel Initiative spurred formation of the coalition. The industry wants to ensure that legislators hear its point of view directly.
A large part of the group's mission is to explain the differences between two sets of protocols using different parts of the RF spectrum. The ISO 14443 family, in the high-frequency (HF) range, is commonly used in cards read by proximity or short-range readers. The ISO 18000 family uses the shorter wavelengths of the ultra-high-frequency (UHF) range and is commonly found in RFID tags used to track materials.
'This is all contactless technology,' said Tres Wiley, director of e-documents for Texas Instruments. Because they all use RF communications, they have certain characteristics in common.
But the characteristics of the frequencies the technologies use define the strengths and weaknesses of each. Texas Instruments makes both chips, and Wiley said he has no axe to grind in the dispute between them.
In general, more security now is available on the HF proximity platforms, making them more appropriate for sensitive data.
'There are vendors proposing solutions we consider inappropriate for security and privacy concerns, especially for government IDs,' Sheire said.
Signal range and penetration with a given amount of power depend in part on the wavelength for each technology. Effective antenna length is a function of wavelength, and HF transmitters require longer antennas. That means power drops off quickly with range in small HF devices. For this reason, HF proximity readers usually have an intended range of no more than four inches. UHF readers, used to track inventory, can work well up to 32 feet.
'A little bit of power goes a lot farther,' with UHF, Wiley said.
UHF also does not pass through ionic liquids, which are organic salts, as well as HF does. Because the human body is largely saltwater, processors carried on your person, like an access card, work better with HF.
The shorter range of HF technologies means that surreptitiously reading a chip or eavesdropping on a transaction between chip and reader is more difficult. This is one of the reasons why applications with sensitive data, such as ID cards and passports, have tended to use HF. Longer-range RFID tags, which can be more easily scanned, tend to carry less data and less-sensitive information.
For these reasons, there has been more concentration on security features such as access control and encryption for HF proximity devices. That does not mean that security on UHF tags is impossible, only that encryption takes power.
'It hasn't been done today,' Wiley said. 'Can you do it? Yes. But nothing is free; there will be trade-offs. You would lose some of that range.'
In the end, neither technology is perfect or perfectly safe.
'You choose the one that gives the best performance,' Wiley said.
How much thought has been given to these technology choices? More in some cases than in others. Payment systems offered by major credit card companies have been 'well thought out,' Wiley said. The e-passport 'is pretty well thought out.' The Western Hemisphere Travel Initiative? 'I think that's one that has not been well thought out.'
The real risk in any system is not the technology, but how it is used, Wiley said.
'The threat that deserves the most attention is using the system for ways it was not originally intended,' he said. 'Security vulnerabilities will come about because it is used in ways for which it was not designed.'
Wiley said this threat is real, but that it is a policy issue rather than a technology issue. With proper planning, he said, electronic documents can be created that are more secure than current paper-only documents.
William Jackson is a freelance writer and the author of the CyberEye blog.