SAN JOSE, Calif. -- Irreverent and outspoken Adi Shamir makes it a point to announce news at the annual Cryptographer's Panel at the RSA Conference. Tuesday was no exception.
Shamir, professor at the Weizmann Institute of Science and the "S" in RSA, told a packed auditorium during the get-together of crypto hall-of-famers about how he and a student applied side-channel attacks against RFID tags.
Similar attacks against smart cards monitor how power consumption changes as conditions change around a technology. Only thing is, RFID tags have no direct power source to monitor.
Applying the theory, Shamir and his student figured out how to measure the amount of energy the tags consume from the environment by using a directional antenna to monitor the tags' behavior. By sending incorrect bits to a tag, they were eventually able to decipher the tags' kill password and disable them.
"Everyone expects RFID tags to be huge; they're everywhere," Shamir said. "They're going to protect our identities in our passwords. They're going to protect items in stores. The fact is, the first generation is very weak."
The crypto panel featured Shamir; Ron Rivest, Viterbi professor of electrical engineering and computer science at MIT and the "R" in RSA; Whitfield Diffie, Sun Microsystems CSO; and Martin Hellman, professor emeritus of electrical engineering at Stanford University. Diffie and Hellman are co-inventors of public-key cryptography. Rivest, Shamir and Len Adleman wrote
Each uses the panel as a forum to reflect on cryptographic advances and launch predictions for the future of their trade.
One year ago at RSA, Shamir revealed that successful hacks had been launched against the SHA-1 algorithm. SHA-1 has since been cracked twice, with researchers theoretically proving that the algorithm is susceptible to collision attacks. Such attacks could make it possible to forge digital certificates, give attackers greater privileges and reduce the security of messages sent over the Internet.
Shamir, however, said not many hash functions implemented in practice had been affected.
"The major crypto result is that this taught us about how to design future hash results to be stronger," Shamir said. "I would say the practical impact [of collision attacks] is still not strong."
Leave it to a cranky cryptographer to take all the fun out of bashing crypto algorithms and the security of RFID tags.
"This was a wake-up call for the crypto community," said Rivest. "We realized the design paradigms we've been using are not the right ones." Rivest suggested the community begin tweaking old designs and start work on a new hash function standard, beginning at an upcoming NIST workshop this year.
"I think we should set a goal by 2010 to come up with a standard, maybe have a hash function bakeoff, similar to the AES bakeoff," Rivest said, referring to the contest that resulted in the Advanced Encryption Standard that replaced DES as the industry guide.
SHA-1 took its share of hits in 2005. Prior to that, it was believed it would take 2^80 hash operations to find a collision (a collision occurs when two different messages have the same hash value). Chinese researchers twice reduced that number to 2^63 operations.
Late last year, Microsoft banned SHA-1 for new code--along with its predecessors MD4 and MD5--if SHA-256 is available for the particular platform. "SHA-1 is currently showing some signs of weakness and may be completely insecure in the next few years," Michael Howard, senior security program manager at Microsoft, said in November 2005. "Since customers will use Microsoft products for more than two to three years, it's important we protect them by working now to improve the security of code for the future and banning the SHA-1 algorithm is a step in that direction."
Despite the assault, the crypto panel was adamant that cryptography was still the least vulnerable of security technologies.
"One of the things we've lost sight of is that crypto has been least hooked into. If the field would catch up to crypto, it would be in much better shape."
Hellman called for a new "gene pool" of development in public key cryptography. He pointed to the work done on Elliptic Curve Cryptography, which uses smaller key sizes and is a more efficient algorithm than RSA, for example. ECC is suited for smaller mobile devices like smart cards and cell phones.