In an effort to bolster supply chain security for big retail and government customers, software developer Columbitech has added RFID support to its wireless virtual private network suite and software development kits.
“If you’re going to secure a network, you need to secure all of it. So we’re broadening our support,” said Tobias England, Columbitech’s vice president of technology.
Sweden-based Columbitech isn’t alone in trying to plug RFID’s security holes. Others in this emerging space include Shipcom Wireless Inc., Defywire.com and Sybase, Inc., with its iAnywhere software, analysts say.
Columbitech’s customers include high-profile government names such as the U.S. Army, Navy and Marine Corps, in addition to large North American retail chains, England said in an interview.
Specifically, Columbitech has updated its whole WVPN lineup with security framework enhancements for securing RFID readers, so that customers can securely collect information from RFID tags, according to England.
Products in the lineup include the company’s Wireless VPN Suite, which is sold to customers through the reseller channel, as well as separate SDKs for Columbitech’s hardware and application software partners.
Columbitech is now certifying RFID readers for compliance and interoperability with its WVPN architecture. “We’re agnostic as to hardware vendor,” England said.
To overcome TCP’s limitations in the areas of flow control and recovery, Columbitech’s architecture uses a session-based rather than IP-based approach, he said.
Implemented above the transport layer of the application stack, the company’s WVPN solution is designed to allow for the use of transport proxy mechanisms at the VPN server in case of momentary network problems caused, for instance, by TCP breakdown or lack of radio coverage.
The solution uses the WTLS framework in creating an encrypted tunnel between the WVPN server and client, England said. WTLS—a wireless implementation of TLS—defines a set of protocols for encryption, signing and hashing. Essentially, TLS is an enhanced version of SSL 3.0.
Columbitech is deploying DES (56-bit), 3DES (112-bit) and AES (up to 256-bit) for symmetric encryption of payload data; RSA (up to 15,360-bit) for asymmetric encryption during the initial handshake; and either MD5 (128-bit) or SHA (up to 512-bit) for validating data integrity.
For authentication to the WVPN server, Columbitech’s architecture lets customers choose any one—or a combination of—the following mechanisms: X.509 or WTLS client certificates; Windows username/password; RADIUS challenge/response or username/password; RSA SecurID one-time password; Smartcard/CAT card; or biometric ID.
The system also includes a certificate manager and wireless PKI portal, for creating and distributing digital certificates, and an optional gatekeeper component, for simplifying firewall configuration and helping to prevent exposure of the WVPN server on the Internet.
According to England, extending this security framework to RFID comes naturally to Columbitech, a company that specializes in securing wireless networks of various sorts.
“RFID has emerged as a [security] monster. But for us, RFID is not that different from any other wireless network,” he said.
In Europe, Columbitech produces secure GPRS roaming systems for enterprises and telco carriers.
The company is aiming most of its RFID security efforts in North America at retail chains.
England declined to name the company’s retail customers. But, he said, some of the chains consist of 5,000 stores or more.
“We were the first to provide strong security for older devices [used in retail stores] on 802.11 networks,” according to England. “Vendors would come to us with some obscure OS made 20 years ago. They wanted to make sure it’d run [securely] with everything else on the wireless network.”
Some U.S. military customers will also be using Columbitech’s RFID security for inventory management on their wireless networks.
Yet most of the company’s work with U.S. military organizations revolves instead around providing strong authentication for wireless (or “contactless”) smart cards adhering to the U.S. federal government’s FIPS 140-2 protocol.
The Columbitech WVPN is already certified for FIPS 140-2. It is now in the process of being certified for the U.S. Department of Defense’s Common Criteria specification.
Meanwhile, some analysts perceive a greater need for RFID security in military applications than in the retail arena.
“[RFID security] in retail applications has been a little overblown. For the Wal-Marts of the world, RFID is mostly about tracking boxes of stuff. There’s no major security issue,” said Tony Rizzo, an analyst at the 451 Group.
“But on the military side of things, security becomes more important, since RFID is being used in tracking shipments of military hardware.”
Columbitech has “strong roots” in the military because of its close relationship to Symbol Technologies Inc., a maker of RFID and other mobile devices, according to the analyst.
England said that, at this point, Columbitech is also thinking about breaking out its Wireless VPN Suite into a series of smaller products, along the lines of what Check Point Software Technologies Ltd. has done with its product portfolio.
“Then, our [own] portfolio would be somewhat like a smorgasbord,” England said. “Customers could say, ‘I want this, but I don’t want that.’”