Friday, April 17, 2009

TWIC Requires Security

I was reading an interesting article over on SecurityManagement.com about the TWIC and complaints from unions and some in Congress that the Coast Guard had gone ahead with the TWIC deadline, but did not yet have TWIC Readers available to make full use of the security provisions of the TWIC. I almost passed the article off as complaining too little too late when I read a reader comment posted by Walt August. He wrote: “These new TWIC cards are built on the FIPS 201 standard. This is the same standard the US federal government employee ID card called the PIV uses. There is a Radio Frequency Identification (RFID) chip in the TWIC card. The federal government employees are issued a FIPS 201 approved shielded card holder when they get their card. No such holder is issued with the TWIC. Workers have to purchase their own to protect their privacy.” He then went on to plug the company that “manufactures the holders for NASA, DOT, and other agencies”, Identity Stronghold. According to the web site these holders block the radio frequency (RF) broadcast of the RFID chip in the TWIC. Of course the TWIC would have to be removed from this holder to be read by the TWIC Reader when they are deployed, but Identity Stronghold claims that this is easy to do, even one handed, with their holders. Now the TWIC does have an RFID chip that allows for remote reading of the information on the chip; that is the whole point of the TWIC. I would assume that there is a significant level of encryption of this data, but any encryption can be broken. I remember reading reports last year of a European student breaking the encryption on another type security card that used RFID technology. There have been reports of US Passport RFID encryption already having been broken. If I had paid good money for a TWIC, I would consider spending a little bit of additional money on protecting the data on that card. I’m not sure that Identity Stronghold is the company that I would buy from; I don’t have the technical information (or knowledge) to make that evaluation. It would be worth looking into. Does anyone out there know if the government or some standards organization has looked at the efficacy of these RF blocking sleeves? I doubt that Consumer Reports® has looked at these devices, but surely someone has.

No comments:

 
/* Use this with templates/template-twocol.html */