Homeland Security Officials Refute RFID Reports
By Jacqueline Emigh
In articles published last week, at least two other publications misidentified the type of wireless technology destined to appear in the DHS' upcoming smart cards, according to Larry Orluskie, a DHS spokesperson.
"Those reports are 100 percent false. Under no circumstances will RFID be deployed," said another official, who works closely with the DHS' smart card project. In fact, the DHS never even considered RFID, the official said, in an interview with CIO Insight.
"RFID tags are simple things, [similar to] bar codes, for identifying goods that are moving through lines," he told CIO Insight. "RFID is completely incompatible with [ISO/IEC 14443]."
Last week's incorrect news accounts raised a furor among some privacy advocates. Privacy groups had filed comments opposing the use of RFID in federal employee ID cards, according to Lee Tien, senior staff attorney at the EFF (Electronic Frontier Foundation). "We do not like RFID in any kind of ID document," Tien said this week.
But DHS officials also told CIO Insight this week that, as they see it, RFID's security isn't adequate for use with ID cards, either. "At this point, RFID has no authentication or encryption," said the source deeply familiar with the smart card project. In comparison, the DHS's future card will come with both AES encryption and PKI encryption.
ISO/IEC 14443, the RF protocol actually being adopted by DHS, is one of the specifications spelled out in PIV FIPS 201, a new standard released at the end of February by NIST (National Institute of Standards), according to Curt Barker of NIST's Information Technology Laboratory.
FIPS 201 was written to carry out HSPD-12, a directive issued by President Bush last August that requires the U.S. Secretary of Commerce to create a federal standard for "secure and reliable" ID cards.
PIV stipulates two technologies, one "contactless" and one "contact," as interfaces between the smart card and the reader device. Other specified technologies include an ICC (integrated circuit chip) and biometric mechanisms, digital certificates, private keys, and PINs for security.
ISO/IEC 14443, the contactless interface, has a coverage range of only about 5 inches, as opposed to about 50 inches for RFID, Barker said.
How did reporters for the other publications end up scrambling their facts? One of the other publications apparently misquoted a DHS staffer who spoke at a recent wireless conference in Washington, officials said during the interview.
Some people erroneously think that the acronyms "RF" and "RFID" are synonymous, Orluskie theorized. In fact, RFID is just one of many different RF technologies, each with its own "properties," or characteristics.
Even the 14443 protocol has different variants. The DHS will be using the "Type G" ("Government") modulation scheme, whereas credit card companies such as American Express, MasterCard and Visa have endorsed "Type B." A third scheme is called "Type A."
DHS' forthcoming employee ID cards will adhere to all the specifications outlined in NIST's PIV FIPS 201 document, CIO Insight was told. But the agency will use the contactless interface only with systems aimed at controlling physical access to facilities.
Instead of sliding the card through a slot, for instance, DHS employees will wave it directly in front of an access control device when they arrive at work in the morning.
The DHS cards will also come with an FIPS 201-compliant "contact" interface, but this will be deployed only for controlling access to computer systems.
Fans of contactless interfaces often claim these interfaces are more cost-effective, since they incur less wear and tear on the cards.
Yet not everyone will be mollified to learn that the government will use wireless technology that's different from RFID in its employee ID cards.
"I'm still skeptical," Tien said. "Using authentication and encrypting the data are better than not doing [these things], but the basic vulnerability is RF-broadcasting the data, as opposed to swiping or [using] optical barcodes."
But DHS officials told CIO Insight that the forthcoming smart cards will undergo rigorous security testing by an independent lab before seeing actual implementation at the agency.
Meanwhile, other publications were correct last week in pointing to plans by the DHS to test Bluetooth.
The agency has indeed been looking into a Bluetooth test, CIO Insight was told. Yet if this test does happen, Bluetooth will not be evaluated for access control to computers or buildings, but for connecting PCs to peripheral devices such as PDAs.