TECHNOLOGY FOR CHANGE

Unclonable RFIDs Authenticate Electronic Fingerprints

R. Colin Johnson | Date: 03-04-10 | Comments

Counterfeiting radio-frequency identification (RFID) tags is possible today by cloning an exact copy of the chip inside the tag. To thwart counterfeiters, Verayo has invented "electronic fingerprints" that work like an electronic passport to make RFID tags unclonable.

Cloning chips today involves reverse engineering their innards, then mass-producing them for applications where OEMs cannot tell the original from the clone. But what if chips had a physically unclonable function (PUF) inside�an electronic "fingerprint" whose unique characteristics could uniquely identify it? That would solve the counterfeiting problem with the electronic version of "biometrics," which is exactly the business of Verayo (San Jose, Calif.).

RFID-based transit passes are authenticated like an electronic passport by reading their encrypted electronic fingerprint and comparing it to the fingerprint you get from interrogating the chip.

Using technology licensed from the Massachusetts Institute of Technology (MIT), Verayo uses PUFs to secure custom chips for the military, field-programmable gate arrays (FPGAs) for industry, and now RFID tags for consumer-oriented markets like the transit tickets you merely wave at a train-platform turnstile to gain entry.

"Our chips with PUF electronic fingerprints exploit unavoidable variations in the chip fabrication process that can uniquely identify each chip," says Verayo�s Vice President of Marketing and Business Development Vivek Khandelwalhese. "Since these manufacturing process variations are impossible to control, model or replicate, the chips are effectively unclonable."

Verayo was founded in 2005 by MIT electrical engineering professor Srini Devadas, who invented the technology, along with Tom Ziola, former vice president and general manager of MSN-TV at Microsoft, and with seed funding from Khosla Ventures, a company started by the founding chief executive officer of Sun Microsystems, Vinod Khosla. Verayo has been operating on Defense Advance Research Project Agency (DARPA) contracts to supply secure unclonable chips to the military. Now the company wants to move into standard products with its M4H unclonable RFID tags.

Verayo's authentication scheme works like an electronic passport, where your fingerprint is scanned, encrypted and stored back onto the passport. When presented to customs, the inspector decrypts the fingerprint from the electronic passport, and compares it to the fingerprint he just collected from you. If they match, your identity is authenticated.

And likewise for Verayo's electronic passport. The electronic fingerprint from the PUF circuit in an RFID-based transit pass, for instance, is scanned, encrypted and stored back onto the RFID card. When it is presented at a train platform, the transit authority decrypts the fingerprint and compares it to the response just collected from the RFID tag. If they match, the transit pass is authenticated.

"With an electronic passport, you extract the fingerprint, decrypt it, then compare it with the results from scanning your finger. If they match, then the person's identity is authenticated," Khandelwalhese explains. "We use the same method to identify whether our RFID tags are authentic by comparing their response to a challenge to what we get by extracting the electronic fingerprint from the tag and decrypting it."