We live in uncertain times. There is no shortage of examples of how the digital age that we live in is becoming increasingly more dangerous for both individuals and companies:                According to the Federal Trade Commission, identity theft is number one crime in America and affects almost 20 thousand new victims each day.        In 2005 alone, data belonging to more than 60 million Americans was hacked, was on lost backup tapes, or was in computers that were stolen.        Wells Fargo lost a single laptop and is said to have paid more than $10 million notifying its customers under California's SB-1386 regulation.        An auditor working for McAfee lost a CD with personal information containing 9,000 of its employees. McAfee's market valuation immediately dropped $600 million.        Outsourcing to countries like India is tempting as a way to reduce costs, but data stolen overseas is being used to blackmail U.S. companies.        Compliance costs for Sarbanes-Oxley are so high that they are measured as a percent of total revenue.        Software, music, and DVD pirating in countries like China is making a mockery of copyright laws.All of these examples have one thing in common—the need to protect data has become extremely urgent. Current technologies like encryption, SSL, and VPNs have been shown to be only partially adequate. Security experts warn that data loss and theft is “just going to continue.”        
Identity management systems, encryption, SSL, VPN's, and other security products are all part of a necessary strategy to protect sensitive data. There is still, however, a gaping hole in this strategy—how can sensitive data be protected when these tools fail? How can firms control sensitive data when a laptop is stolen? Or when data is shared with a trading partner and that trading partner's servers are compromised? Or when a trusted employee becomes a rogue employee? Or when the sensitive data is overseas at an unknown location? Or when copyright material has been cracked and copied in China. Current products have failed to protect against these problems, and the Sarbanes-Oxley Act now holds public company officers personally responsible for the consequences.
Just twenty years ago, disk storage space was so expensive that many companies saved money by not storing the “19” as a part of the year (and the resulting Y2K problem cost companies billions of dollars). Today, disk storage space costs just 30¢ a gigabyte and continues to fall at a rate predicted by Moore's Law. The falling cost of collecting, storing, and transmitting data is the reason why data and digital content problems are “just going to continue”, perhaps at an accelerated rate. This is compounded by the fact that the U.S. is moving from a manufacturing economy to a services economy, and more and more content is being stored in digital form. This is further complicated by an increasing dependence on portable devices and types of media that are easier to lose or have stolen. Our problems in 2006 might one day be considered to be “the good old days.”
Typically, this content is stored and retrieved by an application. Storage is typically a disk drive or semiconductor memory. The application could be a file management system such as a database working with an enterprise human resources system. The application could also be Microsoft® Excel, where the file management system and program are integrated. Other applications could be a DVD device playing a movie, an iPod playing music, a cell phone retrieving phone numbers, or an intelligent navigation system in a car. In all of these examples, the data is stored and retrieved from storage by the application.
Research by Symantec® indicates that an ordinary notebook holds content valued at $972,000 in commercially sensitive data. As devices become more and more portable, it is becoming easier for a perpetrator to steal the storage and application at the same time. Portable devices also increase risks because the application may provide direct access to sensitive data that is stored on central servers.
Current systems fail to address all of the following data security problems:                The sensitive data or digital content in storage may contain personal, corporate, or copyright content. Anyone with access to storage can make a copy of this.        If the sensitive content depends on encryption, a “brute force” attack can be used to decrypt it. In the future, quantum computing may make such attacks trivial. Encryption is also problematic because it is difficult to use in many applications. Phil Zimmerman, the creator of PGP, “only uses encryption occasionally.”        Anyone can make a copy of a paper document without leaving any trace that a copy has been made, and without the knowledge or consent of the document's owner. Any number of copies of the original or new document can be made. The same is true for data and digital content, except that it is easier to copy and transmit instantly to any place in the world.        If a person's or entity's money is stolen, it can only be spent once. If a person's or entity's personal or sensitive data is stolen, it can be used any number of times.        It is very difficult to determine if digital content has been accessed or copied.        It is very difficult to determine where a digital copy came from or where it has been sent.        It is very difficult to determine where or then digital content is being used.        It is very difficult to get additional information about what else a perpetrator has copied or is doing.        There is no way to destroy the copied digital content.        There is no way to destroy the device the digital content is stored on.        It is very difficult to collect payment of copyright content that has been copied.        There is no provision for dealing with unknown future threats.        
Radio frequency identification (RFID) tags are another device that has raised many security and privacy concerns. An RFID tag is an object that can be attached to or incorporated into an object, animal, or person for the purpose of identification using radio waves. RFID tags can be used in dozens of applications, and their potential benefits are huge, especially in regard to consumer products, parts and personal identification cards (e.g., driver's license, passport, security or access cards, credit cards, etc.).
Data may be stored on the tag itself. The advantage is that users do not need to have network access and designers do not need to understand the intricacies of networks, databases, or applications in order to read and process this tag data. The major disadvantage is that unauthorized access to sensitive information on the tag is easily accomplished.
In contrast, central computerized repositories are useful when an RFID tag reader is connected either physically or virtually to these central repositories. In this scenario, tag data only requires a key identifier that allows access to the central repository. The advantage of this approach is that sensitive information need not be placed directly in tag storage. This approach is becoming more attractive for many reasons, including security and privacy problems, and the growth of the Internet and wireless networks is making access to a central repository more and more attractive.
Security, within the context of RFID technology, refers to unauthorized access or modification of data either (1) on the RFID tag, (2) from the air interface of the transmission from tag to host, or (3) from the host itself. This definition of security is associated with technology to prevent access or modification of data. Examples may include encryption algorithms, password authentication schemes, hardware configuration architectures, firewalls, etc.
Privacy typically refers to the ethics associated with access or modification of sensitive information. In this case, privacy refers to policy or guidelines, rather than technology. In other words, privacy addresses the question “Does someone (individual, organization) have the right to access or modify another individual's personal, financial, or otherwise sensitive information?”
Now referring to FIGS. 33A, 33B AND 33C various RFID tags and reading systems in accordance with the prior art are illustrated. Applications may access RFID tags in many ways. The following illustrates three different ways they may be used to track, for example, passports.
In FIG. 33A, a RFID tag 3300 is like an electronic bar code that is read by the reader 3302 to get the key 3304. The key 3304 is then used by an application 3306 to access storage 3308 to get additional information about a passport. Note that the key 3304 and storage 3308 collectively contain sensitive information, such as passport number, name, address, photo, etc. This data is at risk of theft and abuse.
In FIG. 33B, the RFID tag 3310 contains a key 3304 and data 3312. The key 3304 and data 3312 are both read by the reader 3302 to get the passport number, name, address, photo, etc. In this case, no additional information is required. Note that both the key 3304 and data 3312 contain sensitive information that is a security risk.
In FIG. 33C, the key 3304 and data 3312 are read by the reader 3302 to get the passport number, name, photo, etc. The key is also used by the application 3306 to access storage 3308 to get additional information, such as whether this person is on a specific watch list. This is the most challenging combination, where key 3304, data 3312 and storage 3308 are all at risk.
From its initial conception, RFID technology has had security problems. The primary concern is still the illicit tracking of RFID tags, which poses a risk to individuals, companies, and government policymakers. There is opposition to RFID technologies for many reasons that include:                The purchaser not being aware of the presence of the tag or have the ability to remove it.        The tag being read at a distance without the knowledge of the individual.        A tagged item being paid for by credit card or in conjunction with use of a loyalty card, then being tied to a unique ID of that item to the identity of the purchaser.        The EPCglobal system, a standard for world-wide adoption and standardization of electronic product code technology, creates globally unique serial numbers for all products. This is a risk because it again ties unique ID of that item to the identity of the purchaser.        
In spite of the billions of dollars that have been invested in RFID technologies and security, problems still persist. Various efforts have been tried, and they all increase tag costs:                “Rolling code” changes a tag value after each scan, thus reducing the usefulness of observed responses.        “Challenge-response authentication” interacts with the reader before sensitive information is transmitted. These tags have dramatically higher costs and power requirements than simpler tags. Some manufacturers use cryptographic tags using weakened or proprietary encryption schemes which cannot resist sophisticated attacks. This results in a weak, proprietary encryption scheme to perform the challenge-response protocol.        Other cryptographic protocols are still in the research stage. One major problem making RFID tags more secure is s shortage of computational resources within the tag itself. Cryptography requires more resources than are available in most lost cost RFID tags. Some devices can locally jam RFID signals by interrupting a standard collision avoidance protocol, allowing the tag to prevent scanning under certain circumstances.        Traditional cryptographic functions used by virtually all manufacturers today have one thing in common—they all run in quadratic time. That is, they require the multiplication and division of large numbers to deliver secure results. These methods require computational levels that grow exponentially as the cryptographic key size increases, requiring system resources that often outstrip the processing limits found on RFID tags or embedded computing platforms,Additional tag security means additional tag costs. With billions of tags needed each year, the cost of RFID tags is critical. Moreover, increasing tag complexity may also decrease tag security due to buffer overflow bugs, denial-of-service attack on the tags, air interface vulnerabilities, storing more data on the tag that is then at risk, or permitting the tags to be altered. In addition, RFID tags are susceptible to cloning, eavesdropping, skimming and spoofing.        
Various intervention methods have also been proposed to disable or partially disable the RFID tag at the point-of-purchase. One method is a “Clipped Tag” that gives consumers the option to disable RFID tags on items they purchase without eliminating the possibility that the tags could be used later to expedite product returns or recalls. After purchasing a tagged item, a consumer would tear the Clipped Tag label along the perforations to remove a portion of the tag's antenna, reducing its transmission capability. Unfortunately, this puts the security burden on consumers to understand, locate, and tear the tag. Another method is a “kill switch” that protects consumers by disabling a RFID tag at the point-of-sale. Finally, the RFID tag can be removed at the point-of-purchase.
The common fault with all of these developments is that tags continue to pose a security risk to manufacturers, retailers, and consumers. They contain or have references to sensitive data or information. This illustrates the common weakness of all of the current technologies and why the myriad attempts to conduct illegal surveillance on the technologies are possible and likely to occur.
Accordingly there is a need for a way to make RFID tags more secure: (1) to prevent theft, protect the privacy of the tag holder, and prevent vandalism of tags; (2) at the lowest possible cost; (3) without making their design more complex by ensuring that data is never at risk when security fails; (3) without the need for consumer education or intervention; (4) without the need for industry self-regulation or new government laws; (5) while supporting the interests of industry groups and their members; (6) while assuring consumers and advocacy groups that personal information will always be controlled by consumers; (7) while ensuring the security of databases containing detailed information about consumers' purchasing habits; (8) by baking security into each tag; and (9) all the time, without the need for shielding, distance control, or user training.