Homeland Security Officials Refute RFID Reports
By Jacqueline Emigh | Posted 2005-03-17
The DHS is steaming over articles published elsewhere claiming it will use RFID technology in employee ID cards. Like other U.S. federal agencies, the DHS will deploy a different wireless technology, officials said.
U.S. Department of Homeland Security officials have hotly denied reports by some other publications that the agency's upcoming ID cards will use radio-frequency identification. Instead, the DHS will deploy another type of RF technology known as "ISO/IEC 14443," which is soon to be required for all federal employee ID cards and which carries a far shorter coverage range.
In articles published last week, at least two other publications misidentified the type of wireless technology destined to appear in the DHS' upcoming smart cards, according to Larry Orluskie, a DHS spokesperson.
"Those reports are 100 percent false. Under no circumstances will RFID be deployed," said another official, who works closely with the DHS' smart card project. In fact, the DHS never even considered RFID, the official said.
But DHS officials also said this week that, as they see it, RFID's security isn't adequate for use with ID cards, either. "At this point, RFID has no authentication or encryption," said the source deeply familiar with the smart card project. In comparison, the DHS's future card will come with both AES encryption and PKI encryption.
ISO/IEC 14443, the RF protocol actually being adopted by DHS, is one of the specifications spelled out in PIV FIPS 201, a new standard released at the end of February by NIST (National Institute of Standards), according to Curt Barker of NIST's Information Technology Laboratory.
FIPS 201 was written to carry out HSPD-12, a directive issued by President Bush last August that requires the U.S. Secretary of Commerce to create a federal standard for "secure and reliable" ID cards.
PIV stipulates two technologies, one "contactless" and one "contact," as interfaces between the smart card and the reader device. Other specified technologies include an ICC (integrated circuit chip) and biometric mechanisms, digital certificates, private keys, and PINs for security.
ISO/IEC 14443, the contactless interface, has a coverage range of only about 5 inches, as opposed to about 50 inches for RFID, Barker said.
How did reporters for the other publications end up scrambling their facts? One of the other publications apparently misquoted a DHS staffer who spoke at a recent wireless conference in Washington, officials said during the interview.
Some people erroneously think that the acronyms "RF" and "RFID" are synonymous, Orluskie theorized. In fact, RFID is just one of many different RF technologies, each with its own "properties," or characteristics.
Even the 14443 protocol has different variants. The DHS will be using the "Type G" ("Government") modulation scheme, whereas credit card companies such as American Express, MasterCard and Visa have endorsed "Type B." A third scheme is called "Type A."
DHS' forthcoming employee ID cards will adhere to all the specifications outlined in NIST's PIV FIPS 201 document. But the agency will use the contactless interface only with systems aimed at controlling physical access to facilities.
Instead of sliding the card through a slot, for instance, DHS employees will wave it directly in front of an access control device when they arrive at work in the morning.
The DHS cards will also come with an FIPS 201-compliant "contact" interface, but this will be deployed only for controlling access to computer systems.
Fans of contactless interfaces often claim these interfaces are more cost-effective, since they incur less wear and tear on the cards.
Yet not everyone will be mollified to learn that the government will use wireless technology that's different from RFID in its employee ID cards.
"I'm still skeptical," Tien said. "Using authentication and encrypting the data are better than not doing [these things], but the basic vulnerability is RF-broadcasting the data, as opposed to swiping or [using] optical barcodes."
But DHS officials said that the forthcoming smart cards will undergo rigorous security testing by an independent lab before seeing actual implementation at the agency.
Meanwhile, other publications were correct last week in pointing to plans by the DHS to test Bluetooth.
The agency has indeed been looking into a Bluetooth test. Yet if this test does happen, Bluetooth will not be evaluated for access control to computers or buildings, but for connecting PCs to peripheral devices such as PDAs.