RFID // Understanding security of Standard-UID
We are evaluating how to improve security on our RFID System. Our system was reviewed by someone finding the point that there are duplicate Tags we must get rid of.
So the first idea was to read the UID to ensure that the used tag is not a copy of the original one. Basically what I found out is, that the UID is used in different RFID technologies (Legic, Mifare..) as it is specified in the ISO14443.
The manufactures a claiming that the UID is not writeable and unique. I don't understand how the UID is secured to be unique, as it can be read by every device, like smartphones etc. and major coding technologies as mifare classic and legic prime are compromised.
So the point is you can read on different slides, you shouldn't use ONLY the UID as a identfication. I don't understand the reasons for this recommandation to 100%.
Let me describe following imaginary scenario: We are using Legic Readers that are reading the UID of Legic-prime cards. As legic prime's encryption is complete reverse-engineered, the tag can be copied so that there are two cards with the same UID. Or is the enrcryption of the UID different? 2. Is it possible in this scenario, that also the UID of an for e.g. MifareClassic Tag can be read? So copying tags would be even easier?
So reading of Only UID is not secure. Then we got to the point that reading UID + our own ID which is in the for example Legic prime segment would be a solution. Would this be a improvement from a security perspective? Does Legic even offer such capabilities in the Reader?
After this ideas, we got to the idea that we can use a key specified and secured by our own. With this key together with the UID and the ID in the custom segment we could build a SHA-Checksum and use this as identifcation. How is this rated from a security perspective?
