RFID in datacenter (was Re: Default Passwords for World WidePackets/Lightning Edge Equipment)
Brandon M. Lapointe
brandon at shrader.net
Wed Jan 13 19:38:39 UTC 2010
I have something akin to experience in this arena at least as it applies
to the ambient RF environment and the security of the data transferred.
As a matter of fact the two usually go hand in hand. The issue that I
usually see is how to protect your new drivers license / passport / ID
badge (with embedded RFID) from someone stopping next to you at a subway
station with an RFID reader hidden in their briefcase, although densely
populated CoLo's wouldn't be much different. The preferred standard is
usually the FIPS 201 standard and is deployed at 13.56Mhz which ensures
you have to be pretty darn near the transceiver to "get a read" but also
makes the problem of ambient (RF) noise pretty much a non-issue. The
issue arises in tags placed so close together that they are in the read
field at the same time causing multiple emitters in the same channel.
Recent implementations have a built in collision avoidance mechanism
that eliminates the issue entirely in my testing (understanding channel
contention for this exercise is at most dozens of transmitters, and
wouldn't scale up to anything larger). These same recent implementations
use 3DES to secure the open-air channel, reducing prevalence of
man-in-the-middle type attacks. Finally, it is common now to retrieve
the encrypted contents of the RFID tags and require that a CA hierarchy
validate both sides of the transaction prior to decryption which can
contain 4K in the data sectors or more.
Brandon L.
-----Original Message-----
From: George Imburgia [mailto:nanog at armorfirewall.com]
Sent: Wednesday, January 13, 2010 12:52 PM
Cc: nanog at nanog.org
Subject: RFID in datacenter (was Re: Default Passwords for World
WidePackets/Lightning Edge Equipment)
On Wed, 13 Jan 2010, Barry Shein wrote:
>> The big advantage of RFIDs is that you don't need line of sight
access
>> like you do with bar codes, they use RF, radio frequency.
>Which is also a big disadvantage in a datacenter. Ever tried to use a
>radio in one?
>The RF noise generated by digital equipment seriously erodes signal
>quality. Considering the relatively weak signal returned from RFID
tags,
>I'd be surprised if you'd get any kind of useful range.
>Has anybody tried it out?
I have something akin to experience in this arena at least as it applies
to the ambient RF environment and the security of the data transferred.
As a matter of fact the two usually go hand in hand. The issue that I
usually see is how to protect your new drivers license / passport / ID
badge (with embedded RFID) from someone stopping next to you at a subway
station with an RFID reader hidden in their briefcase, although densely
populated CoLo's wouldn't be much different. The preferred standard is
usually the FIPS 201 and is deployed at 13.56Mhz which ensures you have
to be pretty darn near the transceiver to "get a read" but also makes
the problem of ambient (RF) noise pretty much a non-issue. The issue
arises in tags placed so close together that they are in the read field
at the same time causing multiple emitters in the same channel. Recent
implementations have a built-in collision avoidance mechanism that
eliminates the issue entirely in my testing (understanding channel
contention for this exercise is at most dozens of transmitters, and
wouldn't scale up to anything larger). These same recent implementations
use 3DES to secure the open-air channel, reducing prevalence of
man-in-the-middle type attacks. Finally, it is common now to retrieve
the encrypted contents of the RFID tags and require that a CA hierarchy
validate both sides of the transaction prior to decryption which can
contain 4K in the data sectors or more.
Brandon L.
More information about the NANOG
mailing list