1

I just bought an RFID reader device (a USB reader) and tag cards to go with it. These tag cards are meant to be secret cards whose number no one should know, not even the owner. The problem is that the RFID reader reads the tag card's code anywhere, and it also shows the numbers of the tag code. Is there any way to make the numbers of the tag code appear as a secret number, as if you typed in your password? Thank you.

Saad_Hasan

3 Answers

2

Most cheaper RFID tags are dumbtags, which store a static identification value that can be read by any NFC-compatible reader. For these dumbtags, you can simply write an app that captures the code as it's being transmitted (or use one of the hundreds of Android NFC readers). In cases where the reader acts as a keyboard HID, you can simply open a plain text editor and scan. Such RFID dumbtags have many uses but should never be used for security-critical scenarios.

To prevent the internal secret code from being known to the user or from being transmitted to the reader/computer, you need an RFID smarttag that uses asymmetric cryptography so the actual secret is never actually transmitted to the reader. Instead, what happens is that such an RFID smarttag computes a one-time-use, time-limited code based on an internal secret, and this is the code that's transmitted. The internal secret itself is never transmitted out of the tag, and the cryptographic algorithm is such that it's mathematically impossible to reverse calculate the internal secret from the one-time codes.

The more secure tags involve a challenge-response protocol, in which the smarttag computes a code that can only be used for that particular transaction, and may also have a small display to review the transaction details before approving them.

These measures are designed to prevent and/or limit damage in the scenario where the reader unit may have been compromised, since the transmitted one-time code would be valid for that transaction only and can't be used for future transactions.

Even higher security tags may include a keypad where you can type your PIN and are designed to be tamper-proof to protect against both a compromised reader and a stolen tag, since the tag is not usable without the PIN.

Lie Ryan
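
Added example (not part of the original answer): a minimal Python model of the challenge-response exchange described in the answer above, showing that a recorded response is rejected on replay while a static ID is identical on every read. HMAC-SHA256 with a shared key stands in for the tag's cryptography; the class names, the key and the sample ID are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

class StaticTag:
    """Dumb tag: answers every reader with the same fixed ID."""
    def __init__(self, tag_id):
        self.tag_id = tag_id
    def read(self):
        return self.tag_id

class ChallengeResponseTag:
    """Smart tag: the key stays inside; only a per-challenge MAC leaves it."""
    def __init__(self, key):
        self._key = key
    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Verifier:
    """Reader/back end: issues single-use challenges and checks responses."""
    def __init__(self, key):
        self._key = key
        self._pending = set()
    def new_challenge(self):
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge
    def verify(self, challenge, response):
        if challenge not in self._pending:
            return False  # unknown or already consumed challenge
        self._pending.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    tag, verifier = ChallengeResponseTag(key), Verifier(key)
    c1 = verifier.new_challenge()
    r1 = tag.respond(c1)  # the only value that crosses the air interface
    results = {"genuine": verifier.verify(c1, r1)}
    results["replay_same_challenge"] = verifier.verify(c1, r1)
    c2 = verifier.new_challenge()
    results["replay_new_challenge"] = verifier.verify(c2, r1)
    static = StaticTag("0012345678")  # constructed sample ID
    results["static_id_repeats"] = static.read() == static.read()
    return results

if __name__ == "__main__":
    print(demo())
```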
1

As far as I understand, it is possible. But not with any RFID card and not in your described scenario. As you can read here, sebastian-nielsen explains that a specific card can 'decide' not to share its contents with any reader but only with specific readers. So, what you need is a special card that blocks unauthorized readers from accessing its data, rather than a reader that doesn't display the secret. Then, you need special readers that are able to securely read the card accordingly.

You can read more about it here.

MiaoHatola
1

There are two methods that you can use to achieve this. But first, some background.

Most of these readers interface as a HID keyboard. The data that is read on the tag is interpreted as keystrokes and entered. This allows you to use a reader to supplement manual typing, allowing a person to either type in their ID or scan it. However, this also means that the ID is typed into whatever field is focused. If the user is focused on a password field, the input will be masked like you want. If the user focuses on any other input, they'll see the ID.

What you're conveying in your setup is that you want the ID code to be read but masked from the user. Instead of them seeing "12345" they should see "•••••". This can be simply achieved by masking your input. However, this is still susceptible to having the ID typed into a different field and showing the ID to the user.

If you want exclusivity, you'll need to determine if your RFID reader supports a serial interface. This will allow your application to pull the ID directly from the reader without having it typed in on the screen. However, this will only work if you have a desktop application; you don't have access to serial ports in a web page.

Side note: No matter how secret you make your reader, I can always just tap the RFID tag to my phone and read the ID.

zzarzzur