SKELETON - ETSI



ERMTG34(10)0024r1TD

Draft ETSI TR 1XX XXX V0.0.1 (2010-04)

Technical Report

Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN);

RFID;

Coordinated ESO response to Phase 1 of EU Mandate M436


Reference

DTR/TISPAN-07044

Keywords

RFID; Security; Privacy

ETSI

650 Route des Lucioles

F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C

Association à but non lucratif enregistrée à la

Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

Individual copies of the present document can be downloaded from:



The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at

If you find errors in the present document, please send your comment to one of the following services:



Copyright Notification

Reproduction is only permitted for the purpose of standardization work undertaken within ETSI.

The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute yyyy.

All rights reserved.

DECTTM, PLUGTESTSTM, UMTSTM, TIPHONTM, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.

3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.

LTE™ is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners.

GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.

Logos on the front page

If a logo is to be included, it should appear on the right hand side of the front page.

CEN, CENELEC and ETSI logos to all appear.

Contents

Logos on the front page
Intellectual Property Rights
Foreword
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions, symbols and abbreviations
3.1 Definitions
3.2 Symbols
3.3 Abbreviations
4 The RFID ecosystem
4.1 Overview
4.2 Types of RFID Tags
4.3 RFID Tag Characteristics
4.4 RFID in OSI compliant systems
4.5 Radio link performance of RFID
4.6 RFID and IoT
4.6.1 Privacy concerns
5 Analysis
5.1 RFID system architecture
5.1.1 Taxonomy of terms
5.1.2 Ontology of RFID
5.2 DPP and Security objectives
5.2.1 Summary of method used in analysis
5.2.2 Objectives resulting from analysis
5.2.3 Generic objectives derived from OECD guidelines
5.3 Security analysis and requirements derivation
5.3.1 Identity spoofing
5.3.2 Tampering with data
5.3.3 Repudiation
5.3.4 Information disclosure
5.3.5 Denial of service
5.3.6 Elevation of privilege
5.3.7 Other RFID security threats
5.3.7.1 RF eavesdropping
5.3.7.2 Collision attack
5.3.7.3 Tracking
5.3.7.4 De-synchronization
5.3.7.5 Replay
5.3.7.6 Virus
5.4 Consumer aspects including interaction
5.4.1 Activation
5.4.2 Deactivation
5.5 Environmental aspects of RFID tags and components
5.5.1 RFID hardware end of life considerations
5.5.2 Data end of life considerations
5.6 Privacy Impact Assessment (PIA) outline
5.6.1 Role of PIAs
5.6.2 Generic versus industry specific PIAs
5.6.3 Recommendations for RFID industry specific PIAs
5.7 RFID logos and signage
5.7.1 For consumer awareness
5.7.2 For device marking
6 Answer to Requirements of M436 phase 1
6.1 Requirements derived from analysis
6.2 RFID Logos and signage recommendations
6.3 Standards roadmap
6.3.1 Available standards
6.3.2 Gap analysis and recommendations
7 Executive Summary
Annex A: Privacy Impact Assessment (PIA) outline
A.1 Role of PIAs
A.2 Generic versus industry specific PIAs
A.3 Recommendations for RFID industry specific PIAs
Annex B: RFID logos and signage
Annex C: Summary of mandate M436
Annex D: Figures from GRIFS report
Annex: Bibliography
Books
GRIFS database extract
History


Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server ().

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Report (TR) has been produced by ETSI Technical Committee Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN).

Introduction

1 Scope

The present document provides the results of the coordinated response of the European Standards Organizations (ESOs) to Phase 1 of EC mandate M436 on the subject of Radio Frequency Identification Devices (RFID) in relation to privacy, data protection and information security.

The present document recommends a plan of activities for Phase 2 of EC Mandate M436 as follows:

- it identifies the use of existing technical measures described by standardisation in order to promote confidence and trust (by end user organizations and the general public) in RFID technology and its applications; and,

- it identifies where new technical measures described by standardisation are required to be developed in the course of Phase 2 of the mandate in order to promote confidence and trust (by end user organizations and the general public) in RFID technology and its applications.

In addition the document describes the results of a Threat Vulnerability and Risk Analysis (TVRA) of the use of RFID technology and its applications, including the results of a generic and an industry specific Privacy Impact Assessment (a guide to PIA is given in Annex A).

2 References

References are either specific (identified by date of publication and/or edition number or version number) or non-specific.

For a specific reference, subsequent revisions do not apply.

Non-specific reference may be made only to a complete document or a part thereof and only in the following cases:

- if it is accepted that it will be possible to use all future changes of the referenced document for the purposes of the referring document;

- for informative references.

Referenced documents which are not found to be publicly available in the expected location might be found at .

NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity.

2.1 Normative references

The following referenced documents are indispensable for the application of the present document. For dated references, only the edition cited applies. For non-specific references, the latest edition of the referenced document (including any amendments) applies.

Not applicable.

2.2 Informative references

The following referenced documents are not essential to the use of the present document but they assist the user with regard to a particular subject area. For non-specific references, the latest version of the referenced document (including any amendments) applies.

[i.1] EU Mandate 436: "Standardisation mandate to the European Standardisation Organisations CEN, CENELEC and ETSI in the field of Information and Communication Technologies Applied to Radio Frequency Identification (RFID) and Systems".

[i.2] ISO/IEC 15961 (all parts): "Information technology - Radio frequency identification (RFID) for item management - Data protocol: application interface".

[i.3] ISO/IEC 15962: "Information technology - Radio frequency identification (RFID) for item management - Data protocol: data encoding rules and logical memory functions".

[i.4] ISO/IEC 15963: "Information technology - Radio frequency identification for item management - Unique identification for RF tags".

[i.5] ISO/IEC 18001: "Information technology - Radio frequency identification for item management - Application requirements profiles".

[i.6] ISO 17363: "Supply chain applications of RFID - Freight containers".

[i.7] ISO 17364: "Supply chain applications of RFID - Returnable transport items (RTIs)".

[i.8] ISO 17365: "Supply chain applications of RFID - Transport units".

[i.9] ISO 17366: "Supply chain applications of RFID - Product packaging".

[i.10] ISO 17367: "Supply chain applications of RFID - Product tagging".

[i.11] UHF Gen 2 Air Interface Specification.

[i.12] HF Gen 2 Air Interface Specification.

[i.13] ISO/IEC 14443: "Identification cards - Contactless integrated circuit(s) cards - Proximity cards".

[i.14] ISO/IEC 7816: "Information technology - Identification cards - Integrated circuit(s) cards with contacts".

[i.15] ISO/IEC 15693: "Identification cards - Contactless integrated circuit(s) cards - Vicinity cards".

[i.16] ETSI TR 187 010: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Report on issues related to security in identity management and their resolution in the NGN".

[i.17] ETSI TS 187 016: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Identity Management …".

[i.18] ITU-T Recommendation X.200: "Information technology - Open Systems Interconnection - Basic Reference Model: The basic model".

[i.19] ETSI TS 102 359: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Equipment Information in the Management Information Base (MIB)".

[i.20] ETSI TS 102 209: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Telecommunication Equipment Identification".

[i.21] ISO/IEC 18000 (all parts): "Information technology - Radio frequency identification for item management".

[i.22] ITU-T Recommendation M.1400 (2004): "Designations for interconnections among operators' networks".

[i.23] ITU-T Recommendation M.3320: "Management requirements framework for the TMN X-Interface".


3 Definitions, symbols and abbreviations

3.1 Definitions

For the purposes of the present document, the terms and definitions given in EG 202 387 [ref], ISO/IEC 17799 [ref], ISO/IEC 13335-1 [ref] and the following apply:

asset: anything that has value to the organization, its business operations and its continuity

authentication: ensuring that the identity of a subject or resource is the one claimed

availability: property of being accessible and usable on demand by an authorized entity (ISO/IEC 13335-1 [ref])

call: a connection established by means of a publicly available telephone service allowing two-way communication in real time (Directive 2002/58/EC [ref])

communication: any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communication service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information (Directive 2002/58/EC [ref])

confidentiality: ensuring that information is accessible only to those authorized to have access

Concealable, Removable, Available, Valuable, Enjoyable, and Disposable (CRAVED): a classification scheme to determine the likelihood that a particular type of item will be the subject of theft [ref]

consent (by a user or subscriber): corresponds to the data subject's consent in Directive 95/46/EC (Directive 2002/58/EC [ref])

CSP operator ??? from 5.2

CWA ???

DPP ???5.2

High Frequency (HF) RFID systems: RFID systems which operate in the frequency band centred around 13.56 MHz

identifier: a unique series of digits, letters and/or symbols assigned to a subscriber, user, network element, function or network entity providing services/applications

identity: the set of properties (including identifiers and capabilities) of an entity that distinguishes it from other entities

identity crime: generic term for identity theft, creating a false identity or committing identity fraud

identity fraud: use of an identity normally associated to another person to support unlawful activity

identity theft: the acquisition of sufficient information about an identity to facilitate identity fraud

identity tree: the structured group of identifiers, pseudonyms and addresses associated with a particular user's identity

impact: result of an information security incident caused by a threat and which affects assets

information security incident: an event which is the result of access to either stored or transmitted data by persons or applications unauthorized to access the data

integrity: safeguarding the accuracy and completeness of information and processing methods

interrogator: equipment that will activate an adjacent RIE RFID tag and read its data. It may also modify the information held in an RIE RFID tag

location data: any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communication service (Directive 2002/58/EC [ref])

Low Frequency (LF) RFID systems: RFID systems which operate in the frequency band below 135 kHz

Microwave (µW) RFID systems: RFID systems which operate in the frequency band around 2.45 GHz

mitigation: limitation of the negative consequences of a particular event

nonce: arbitrary number that is generated for security purposes (such as an initialization vector) that is used only one time in any security session

non-repudiation: ability to prove that an action or event has taken place, so that this event or action cannot be repudiated later

privacy: the right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed (ISO 7498-2 [ref])

residual risk: risk remaining after countermeasures have been implemented to reduce the risk associated with a particular threat

risk: potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the attacked system or organization

subscriber: an entity (associated with one or more users) that is engaged in a subscription with a service provider [refer to TS 184 002]

subscription: the commercial relationship between the subscriber and the service provider [refer to TS 184 002]

threat: a potential cause of an incident that may result in harm to a system or organization

NOTE 1: A threat comprises an asset, a threat agent and an adverse action of that threat agent on that asset (reference [ref]).

NOTE 2: A threat is enacted by a threat agent and may lead to an unwanted incident breaking certain pre-defined security objectives.

threat agent: an entity that can adversely act on an asset

traffic data: any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof (Directive 2002/58/EC [ref])

Ultra High Frequency (UHF) RFID systems: RFID systems which operate within the band 433 MHz to 960 MHz

unwanted incident: an incident such as the loss of confidentiality, integrity and/or availability (reference [ref])

user: any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service (Directive 2002/58/EC [ref])

value added service: any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof (Directive 2002/58/EC [ref])

vulnerability: weakness of an asset or group of assets that can be exploited by one or more threats

NOTE: As defined in ISO/IEC 13335 [ref], a vulnerability is modelled as the combination of a weakness that can be exploited by one or more threats.

3.2 Symbols

For the purposes of the present document, the [following] symbols [given in ... and the following] apply:

3.3 Abbreviations

For the purposes of the present document, the following abbreviations apply:

AKA Authentication and Key Agreement

CRAVED Concealable, Removable, Available, Valuable, Enjoyable, and Disposable

CSP Communications Service Provider

DPP Data Privacy and Protection

IdM Identity Management

IdP Identity Provider

NGN Next Generation Network

OECD Organisation for Economic Co-operation and Development

PIA Privacy Impact Assessment

RFID Radio Frequency Identification

ToE Target of Evaluation

TSF TOE Security Function

TVRA Threat Vulnerability and Risk Analysis

4 The RFID ecosystem

4.1 Overview

Radio Frequency Identification (RFID) is a technology that allows objects to be "tagged" with an identifier that can be read from a distance using electromagnetism. The item to be read is referred to as the tag, and the item doing the reading is referred to as the reader. The association of tag to object is not strictly part of the RFID system but is considered as a component of the RFID ecosystem. The reader is itself connected to some form of back end processing, such as a logistics goods tracking application, that is also considered as a component of the RFID ecosystem, as is the connecting network.

NOTE: It is the tag that is read and not the object it is attached to. Thus an object with an inappropriate tag attached will be recognised by the system according to the tag and not by any other information.

The operation of the RF part of RFID can be summarised rather crudely by the following sequence of events for passive tags:

- the reader requests data from a tag by transmitting and modulating an RF signal;

- the tag captures the RF power of that signal and uses it to power itself;

- the tag modulates the reflected RF signal according to the data to be sent back to the reader.

NOTE: Active and battery assisted tags modify the middle and last phase of this sequence.

RFID technology, particularly in its passive incarnation, differs significantly from other radio technologies and this is discussed further later in this clause.

The simplest overview of the ecosystem is shown in Figure 1. It becomes increasingly complicated when details of the device to tag connection are considered, and of the interconnection of readers to the back end system. It is expected that in the future the back end system will itself be composed of many interconnected elements (in like manner to the evolution of computing and communications).

[Figure 1 image not reproduced]

Figure 1: Simple view of RFID ecosystem (suggest marking the Device-Tag line as "mechanically fixed")

Editor's notes:

- Use the term "item" as opposed to "device" (the understanding of the RFID community). What we need to express here is the volatility of the tag-device relationship (i.e. it can move between items/devices).

- Should also rename RF link as EM link (to minimise the discussion and comparison to other radio communications systems).

- Maybe need to expand the "device to tag" relationship as this can be an active or passive link.

- The user concerns are similar to those for Personal Area Networks (e.g. ZigBee) and we need to identify what is different about RFID (also for WiFi, WiMAX, 3G/2G and other wireless platforms).

- Need to show many-to-many tag-reader relationships (for all relationships in fact).

- Distinguish between tag and transponder too.

The implementation of the RFID ecosystem itself may take many forms. The simplest form, for the purposes of the present document, is one in which all key elements (devices, tags, readers, network connections and back end systems) are under the management of a single entity. This may then be extended in any number of ways that make all key elements of the ecosystem subject to independent management, with the interconnections being via public networks. The present document concentrates on the progression towards the latter model.

The reader to tag link is composed of Commands defined in … that determine the action of tag and the nature of the data read from the tag.

4.2 Types of RFID Tags

ISO/IEC 19762 [ref] defines the following type distinctions among RFID tags:

active tag: RFID device having the ability to produce a radio signal. Active tags always have their own power source.

passive tag: RFID device which reflects and modulates a carrier signal received from an interrogator. Passive tags do not contain such a power source and are therefore completely dependent on power from the RFID reader to activate them.

semi-passive tag: battery assisted passive tags use the same physical communication principle as passive tags but contain a power source used to maintain data on the tag between activations from the RFID reader and/or to increase the sensitivity of the receiver.

Active or passive:

- Active: contain their own power source.

- Passive: do not contain a power source and, as such, are completely dependent on power from the RFID reader to activate them.

- Battery assisted: contain a power source used to maintain data on the tag between activations from the RFID reader and/or to increase the sensitivity of the receiver.

Read only or read/write:

- Read only tags: can be initialized only one time.

- Read/write tags: can be updated multiple times.

- Combined tags: part of the data is locked at some stage of the tag's lifetime, the rest can be updated multiple times.

4.3 RFID Tag Characteristics

RFID tag characteristics include:

- Memory size: determines how much information can be stored.

- Frequency: a variety of frequencies allocated for RFID are available for different uses.

- Size: ranges from thumbnail to brick.

- Antenna size: determines, together with the power of the reader, the range at which the tag can be read.

The RF characteristics of the air interface between tag and reader are standardized into RFID tag types in ISO/IEC 18000-n [i.21], where n denotes the part of the ISO/IEC document, differentiated by operating frequency.

4.4 RFID in OSI compliant systems

The Open Systems Interconnection model defined in ITU-T X.200 [i.18] is the template for the design of most modern communications systems. RFID technology is not OSI compliant and as such cannot be deployed in an OSI network as a replacement for any other OSI compliant technology.

4.5 Radio link performance of RFID

RFID systems are not deployed as communication systems and the considerations for radio planning that are made in cellular networks (e.g. GSM, UMTS, TETRA) are not rigorously applied in the deployment of RFID systems. However as RF transmissions can be predicted using network coverage tools the incident RF power at any point can be estimated for any installation of an RFID reader.

One of the significant differences between RFID and other active radio technologies is in the required sensitivity to RF signals and the effective Bit Error Rate (or Message Error Rate) required to achieve reliable communication. A passive RFID tag is required to scavenge significant power from the RF signal sent by the reader to enable its operation. The power emission from the reader is limited by the R&TTE Directive referring to ETSI standards EN 300 220, EN 300 330 and EN 302 208. This is in contrast with active radio communications technologies (see Table 1) where the radio transceiver has active modulation and demodulation circuitry to recover signals at the limit of sensitivity, and to amplify the signal content for processing and subsequent retransmission. Retransmission from an LF or HF tag is achieved by load modulation of its antenna circuit, while for UHF tags it is achieved by backscatter.

Table 1: Comparison of RF sensitivity requirements for RFID and other radio technology

| Frequency band | Tag type | Typical applications | Typical read range |
|---|---|---|---|
| 125 kHz to 148 kHz | Passive | Animal tracking (ISO 11784/11785), access control, OEM applications | 2 to 10 cm typical; 15 to 30 cm possible with special equipment |
| 13.56 MHz | Passive | EAS (anti-theft), book and document management, access control, OEM applications | Can range from 5 cm to 2 m depending on reader hardware and tag type |
| 433 MHz and 2.5 GHz | Active | Highway toll payment systems, vehicle/fleet management, asset tracking | Typically around 10 m, but can range up to hundreds of feet |
| 915 MHz | Passive | Supply chain tracking, OEM applications | About 10 ft from a single antenna and 20 ft between two antennas; longer ranges can be realised with special hardware |

5 Analysis

5.1 RFID system architecture

5.1.1 Taxonomy of terms

5.1.2 Ontology of RFID

RFID is a composite technology and, although the acronym expands to RF Identification, this is not sufficient to understand its role in identification, in identity, and thence in the protection of the privacy of the identity of the holder.

Key assumptions that we need to verify include:

- the association of tag to device is managed by the device value chain;

- the tag value chain is different to the associated device value chain;

- the association of tag to device modifies the value chain of the device;

- the device and tag costs are independent;

- a tag acts as an identifier by association to a device (thing?);

- the device may be identified in other ways, so the tag identifier is not uniquely associated to the device identity.

Interception of data transferred over the radio interface is highly likely, and thus the tag data should be encoded as a pointer or, if it contains actual personal data, should be encrypted (i.e. the attacker should not be able to gain knowledge of the content of the tag from observation of the intercepted data or of its triggering signal).

From the ontology proposed by the ITU-T (see Figure 2), a tag is an entity that asserts a representation of the identity of the device; the tag is itself a physical object but may also be realised as content (in the software or content leaf of the ontology).

[pic]

Figure 2: ITU-T FG IdM Identity Ontology

The linkability concern in RFID systems is that patterns of identifiers or of usage can be derived to give a signature of the holder of the identifiers. If sufficient data is available the derived signature may result in uniquely identifying the holder and thus a real person. The role of Data Protection and Privacy protection is to protect legal and real persons. In the ITU-T ontology these are shown as distinct from objects but the consequence of patterns is that a set of objects may be sufficient to identify a real or legal person even if the identifier belongs to an object.

When considering the taxonomy from the point of view of the identity as opposed to the radio aspects RFID is closely equivalent to any other anonymised identifier where the set of associations to other items is generally held outside the tag. For example a vehicle registration identifier is assigned to the vehicle and the vehicle is registered to a person. Examination of the vehicle (or data in the vehicle) should not reveal the owner, the same holds true for most instances of RFID tags in that examination of the tag data will not reveal the owner of the device (it may though indicate details of the tag value chain and may give some indication of the device value chain). The overall ontology can therefore be simplified to that expressed in Figure 3. In this case there is a clear link between behaviour and the person. In terms of the RFID system this means that even if the tag does not contain personal data or is not intended to be assigned to a specific person there is a risk that by examination only of behaviour a real person can be identified.

[pic]

Figure 3: Very simplified ontology of identity

The simplified ontology can then be expanded on each side, shown in … for behaviour. In this view three new items are introduced: Action; Time; and, Location. In the RFID context actions may be interpreted by the BES and the time and location may be determined by the read action itself.

[pic]

Figure 4: Expansion of simple ontology with respect to behaviour

In terms of links the "Back End System" may be of any size and may be local to the reader (including built into the reader) or remote. The BES may be configured on the fly or be pre-configured. The BES may add data to that read from the tag such as date/time, location of reader and so on.

A fundamental issue in privacy where

In order to develop an ontology we need a set of definitions.

Entity: a real-world object (person, legal entity, device) which has at least one unique identity.

Legal entity: an entity that can be a party to legal contracts

Identity: a set of claims made by one entity about itself

Identifier: a set of data that comprises the claims for an identity

Thus identity can be modelled as the set of identifiers. From a privacy perspective the problem I believe is that, whilst the definition of an entity is that it has a unique identity, an attacker can guess at that identity with an incomplete set of claims (identifiers). Data mining attacks and many pattern recognition programmes work on the basis that matching a small subset of the claims is sufficient to make a deduction of the identity and hence of the entity. This can of course become increasingly philosophical but is sufficient to identify the attack patterns.

Entity = {Identity#1, Identity#2, … , Identity#m}

Identity#1 = {claim#11, claim#21, …, claim#n1}

Identity#m = {claim#1m, claim#2m, …, claim#nm}

In any one system the set of claims will consist of the same set of meta-data such as name, address and so forth. An assumption is that for the set of claims the probability of collision will be small. The design of data sets for good security has to be designed with high entropy as a goal (essentially if the attacker knows or guesses that the set can take a small set of values the probability of correctly guessing claim N+1 after receiving claim N tends towards 1 whereas for a random dictionary the probability of a correct guess should always be 0.5). Pattern recognition as a means of attacking privacy attacks the entropy of claim sets.

Where an entity has many Identities it is possible that each identity may share claims. This leads to the overlap of identities shown in the Venn diagram. The greater the overlap the greater the opportunity to

[pic]

In an RFID system each tag is a claim belonging to the entity that carries it. The point at which that claim is asserted is on reading. At this point the system may begin to make assertions of its own about the entity thus the set of claims for the entity made by the reader and its back end system may diverge from those of the entity itself. For example the identity associated to the entity from the point of view of the reader may include its location and the time of reading. These new claims modify the identity and need to be separated from the recovered claims (those retrieved by the RFID read operation).

Asserted identity = {recovered claims} || {asserted claims}

The content of the tag is the identifier. The identifier may be associated to the device but there is no provable link between the tag and the device – it is assumed that if an identifier of value "x" is read from a tag, and that the tag having that value has been associated with a particular device, then the presence of a tag with that value implies presence of the device.

The physical design of the Simple RFID tag does not create a problem by itself but the use of the data of and on the tag are where the problems lie. The systems in which tags are used have to ensure that the entropy of claim sets is maximised thus minimising the risk of a data mining attack being able to infer the identity of a real person.
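EXAMPLE (added here for illustration; not part of the present document): the Python code below models the claim-set argument above on a constructed population. Each entity carries tags whose reads yield claims of the form (field, value); the functions compute the anonymity set left by an observed subset of claims, the entropy of a claim field over the population, the probability that an attacker's best guess of claim N+1 is right after learning claim N, and the separation of recovered from asserted claims at the reader. All entity names, identifiers and values are constructed.

```python
"""Linkability of RFID claim sets (constructed example, not from the ETSI draft).

Each entity carries a set of tags; each tag read yields a claim (field, value).
Product codes are deliberately shared by several entities (low entropy) while
the card serial is unique (high entropy), so a constellation of two non-unique
product codes can still single out one entity.
"""
from collections import Counter
from math import log2
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Claim = Tuple[str, str]

# Constructed population: entity -> recovered claims (what its tags carry).
POPULATION: Dict[str, FrozenSet[Claim]] = {
    "entity-A": frozenset({("shoe_product", "SKU-1001"), ("jacket_product", "SKU-2002"),
                           ("card_serial", "CARD-0001")}),
    "entity-B": frozenset({("shoe_product", "SKU-1001"), ("jacket_product", "SKU-2002"),
                           ("card_serial", "CARD-0002")}),
    "entity-C": frozenset({("shoe_product", "SKU-1001"), ("jacket_product", "SKU-2003"),
                           ("card_serial", "CARD-0003")}),
    "entity-D": frozenset({("shoe_product", "SKU-1004"), ("jacket_product", "SKU-2003"),
                           ("card_serial", "CARD-0004")}),
}


def anonymity_set(observed: Iterable[Claim], population=POPULATION) -> Set[str]:
    """Entities consistent with every observed claim (the k-anonymity set)."""
    obs = set(observed)
    return {name for name, claims in population.items() if obs <= claims}


def field_entropy(field: str, population=POPULATION) -> float:
    """Shannon entropy in bits of one claim field's values over the population."""
    values = [v for claims in population.values() for f, v in claims if f == field]
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def best_guess_probability(known: Claim, target_field: str, population=POPULATION) -> float:
    """Chance that the most common target value among entities matching the known
    claim is correct: the 'guess claim N+1 after receiving claim N' situation."""
    candidates = anonymity_set([known], population)
    if not candidates:
        return 0.0
    counts = Counter(v for name in candidates for f, v in population[name] if f == target_field)
    return max(counts.values()) / len(candidates)


def asserted_identity(recovered: Iterable[Claim], reader_location: str, read_time: str) -> Dict[str, Set[Claim]]:
    """Reader-side view: recovered claims kept apart from the claims the reader
    itself asserts (location and time of the read)."""
    return {
        "recovered": set(recovered),
        "asserted": {("reader_location", reader_location), ("read_time", read_time)},
    }


if __name__ == "__main__":
    # Two shared product codes read together leave a single candidate entity.
    print(anonymity_set([("shoe_product", "SKU-1001"), ("jacket_product", "SKU-2003")]))
    for f in ("shoe_product", "jacket_product", "card_serial"):
        print(f, round(field_entropy(f), 3), "bits")
```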

With respect to security

With respect to privacy protection

DPP and Security objectives

Summary of method used in analysis

In the context of the present document, security means to be assured that the risk of a weakness being exploited either intentionally or unintentionally is low. The approach taken in the present document is that recommended in EG 202 387 [] and is presented in the format recommended in ES 202 382 [] extended using the approach to risk analysis recommended in TS 102 165-1 [] with consideration in the specification of countermeasures to inherit and specialise the countermeasure patterns given in TS 102 165-2 [].

Whilst many standards include aspects of security that encompass the CIA (Confidentiality, Integrity, Availability) grouping the present document considers this CIA grouping in the context of security evaluation in order to provide product owners with confidence that the suite of CIA countermeasures bring the risk to assets to an acceptable level.

A key element of the approach identified in EG 202 387 is that prior to defining the detailed security requirements for a new standard, it is essential to identify:

the purpose of a system implementing the standard;

what level of risk is acceptable to the users of such a system;

how claims for the security of such a system will be evaluated; and

any specific evaluation and assurance requirement required (or likely to be required) by the end users.

As shown in figure 1, all of these aspects contribute to the definition of the security requirements to be specified in the standard and met by a product implementing it.

[pic]

Figure 5: Composition of security requirements

The strong recommendation is that the resulting ETSI security standards that may become the subject of evaluation should state technical security requirements in terms of the security functions defined in ISO/IEC 15408-2 and also be documented as required by the ISO/IEC 15408-3 assurance level required by the project. Key to each of these tasks is the provision of a vulnerability analysis as a means of verifying the role of the security requirements in addressing risk in the specific context. The method for such analysis in the context of this work is described in TS 102 165-1 [] and further examined in Figure 2. Figure 2 shows how the vulnerabilities that surround a system may be attacked by known threats and may be countered by known security countermeasures. In some instances a residual vulnerability may exist even after application of the countermeasure.

[pic]

Figure 6: Threats, risks, vulnerabilities, countermeasures and residual vulnerability

A potential threat is able to cause harm only if there is a corresponding weakness or vulnerability in the system which can be exploited. Thus it is necessary to evaluate threats and to characterize them according to both the likelihood of their occurrence and of the impact the attack has.

The method for writing requirements themselves in the present document is in accordance with the guidance given in TR 187 011 [] which identifies two forms of requirement (functional and detailed) with a structure of " ".

EXAMPLE: For the requirement statement "An RFID tag should respond to a reader command within 78 µs" the asset that the requirement applies to is the RFID tag, the stimulus is the command from the reader, and the required response is that the tag should respond within 78 µs. The requirement does not state how the asset is expected to achieve compliance as the point of observation is at the RF interface of the tag.

The security analysis follows the process described in TS 102 165-1 [] as illustrated below.

[pic]

Figure 5.2: Structure of security analysis and development in standards documents

The method for Threat Vulnerability and Risk Analysis (TVRA) defined in TS 102 165-1 [] does not expressly mention privacy. In order for the full scope of NGN related RFID privacy and security requirements to be considered adequately, reference to security in the TVRA method must refer to both privacy and security threats and functional requirements. The TVRA method consists of the following steps:

1) Identification of the security objectives resulting in a high-level statement of the security goals.

NOTE 1: All assumptions made when formulating security objectives should be explicitly stated as these assumptions may dictate the direction and focus of the analysis. The assumptions are to be verified during the analysis and the form of proof illustrated.

NOTE 2: Assumptions include privacy concerns arising both from risk analysis and from regulatory input.

2) Specification of the security functional requirements, derived from the objectives developed in step 1.

3) Compilation of an inventory of system assets as defined in TS 102 165-1 [] and in EG 202 057 [].

4) Identification and classification of the vulnerabilities in the system, the threats that can exploit them and the unwanted incidents that may result.

NOTE: Unwanted incident is the term used in Common Criteria and may be used to infer unwanted behaviour of the system.

5) Quantification of the likelihood of occurrence and the impact of the threats.

6) Establishment of the risks.

NOTE 1: The resulting Protection Profile is not formally assessed within ETSI. The addition of a countermeasure changes the system and requires that the TVRA is repeated against the new system and the analysis recorded.

NOTE 2: As a duty of care the analysis should be periodically inspected as the environment in which the devices are used is subject to change (e.g. new attack vectors, changes in technology).

NOTE 3: There should be a clear mapping from objectives (step 1) through functional requirements (step 2) to detailed requirements (step 7).

Objectives resulting from analysis

Generic objectives derived from OECD guidelines

As noted in TR 187 010 [] from

The OECD guidelines identify a number of principles as follows and are documented along with the impact on identity management in TR 187 010 [i.2]. The list that follows is taken from TR 187 010 with additional comments on the impact for RFID systems.

Collection limitation principle

Limits to data collection:

Before collecting personal data - for example, when contracting with the data subject - a CSP operator should obtain the prior and unambiguous consent of the data subject or inform the data subject of the collection of personal data and the indicated purposes of use according to domestic regulations;

If the data subject is aware of the presence of an RFID reader and willingly submits a tag to be read consent may be implied. However if the data subject is unaware of the presence of an RFID reader it is unlikely that consent can be proven.

From the viewpoint of the CSP operator, consent is always required when personal data is used in commercial services. However, in cases of safety and public services, prior explicit consent may not be required although implicit consent is likely to have been given as part of the user's contractual agreement with the service provider.

Data collection methods

A CSP operator should not acquire personal data by fraudulent or other dishonest means.

Data collection without prior consent may be argued to be dishonest.

Data collection without consent

The limits to data collection do not apply to cases in which the handling of personal data is restricted by national regulation.

Exclusion of data capable of identifying an individual from collected data

A CSP operator should take reasonable measures to avoid collecting data from which an individual could be identified by referring to a database in cases where such a possibility exists.

Confirmation of a data subject's consent about data collection

A CSP operator should take suitable measures to confirm the consent of a data subject about data collection.

Data quality principle

A CSP operator should endeavour to keep personal data accurate and up to date within the scope necessary for the achievement of the purposes of use.

Purpose specification principle

Specification of the purposes of use

When handling personal data, a CSP operator should specify the purposes of use of personal data.

Limits on changing the purposes of use

A CSP operator should not change the purposes of use beyond the scope in which new purposes can reasonably be considered to be compatible with the original purposes.

Before a CSP operator changes the purposes of use beyond the scope in which new purposes can reasonably be considered to be compatible with the original purposes, it should inform a data subject of the change or obtain prior and unambiguous consent.

Use limitation principle

Use limitation

A CSP operator should not handle personal data, without obtaining the prior consent of the data subject, beyond the scope necessary for the achievement of the specified purposes of use.

Restriction of disclosure to third parties

A CSP operator should not provide personal data to a third party without obtaining the prior consent of the data subject.

Use without consent

The provisions of the preceding two paragraphs do not apply in cases where the handling of personal data is based on domestic laws. NGN operators should grant access only to law enforcement authorities as authorized by a domestic court order or equivalent legal instrument.

Security safeguards principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Openness principle

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use as well as the identity and usual residence of the data collector.

Individual participation principle

An individual may have the right to:

a) obtain from a CSP operator, or otherwise, confirmation of whether or not the CSP operator has data relating to him;

b) have communicated to him, data relating to him

i. within a reasonable time;

ii. at a charge, if any, that is not excessive;

iii. in a reasonable manner; and

iv. in a form that is readily intelligible to him;

c) be given reasons if a request made under (a) and (b) is denied, and to be able to challenge such denial; and

d) challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Accountability principle

A CSP operator should be accountable for complying with measures which give effect to the principles stated above.

In addition to these principles derived from the OECD guidelines, the following can be derived from provisions in the Framework Directive and in existing telecommunications practice:

Equality of regime principle

A CSP operator should not transfer personal data across borders unless the destination has a privacy regime equivalent to that of the origin.

Anonymity principle

A CSP operator should provide the means for users to transact anonymously.

Summarising the OECD guidelines [], the following objectives apply to all systems:

Access to services should only be granted to users with appropriate authorization

The identity of a user should not be compromised by any action of the system

No action of the system should make a user liable to be the target of identity crime

No change in the ownership, responsibility, content or collection of personal data pertaining to a user should occur without that user's consent or knowledge

Personal data pertaining to a user should be collected by the system using legitimate means only

An audit trail of all transactions having an impact on personal data pertaining to users should be maintained within the system.

Security analysis and requirements derivation

One of the main purposes of RFID is to easily identify and track objects by means of their attached RFID tag. The primary characteristic of RFID is that many tags can be read at a distance (the radio interception range) by readers at known locations; the readers also provide the location at the time of read, and such information can be used to track tagged items. In addition to tracking objects in a logistics environment, RFID tags are also used for access control (e.g. for transport systems) and for linking data to objects (e.g. in object hyperlinking).

Threats are potential events that can cause a system to respond in an unexpected or damaging way. It is useful to categorize threats to determine effective and deployable mitigation strategies. The identification and analysis of RFID relevant security threats (general and application specific) have been carried out according to the STRIDE model [ref], which include the following categories:

Spoofing of identity (masquerade)

Tampering with data (manipulation)

Repudiation

Information disclosure

Denial of service

Elevation of privileges

The following subclauses describe the threat in general terms and illustrate the threat in the RFID context by scenarios. The scenarios are not considered as exhaustive and they are not, at this stage, ranked in terms of viability or impact on the system.

Identity spoofing

Spoofing of identity occurs when an attacker successfully poses as an authorized user of a system (in technical environments this is most often referred to as a masquerade attack).

There are many ways in which such an attack can be achieved, ranging from competitors performing unauthorized scanning of inventory to obtain information on types and quantities of items. The tag identities can then be emulated, e.g. in a large convenience store to "trick" customers into purchasing particular products. This is made possible because a tag cannot distinguish between authorized and unauthorized readers: to the tag, a reader is a reader. Also, the numbering scheme used for RFID tags makes up the tag identity and includes information about the manufacturer and possibly the product number. This attack can also be carried out by an attacker with a valid reader or with equipment able to eavesdrop on the RF interface.

SCENARIO: Assuming that EPC numbering is used, it is possible for an attacker to pose as an authorized Object Name Service (ONS) user and submit queries of either gathered EPC numbers or random EPC numbers to ONS to determine the exact URL of the database containing the information of a particular EPC number. This way the attacker can successfully obtain information on the association to a particular EPC number and the product type that the tag is attached to.

Tampering with data

Data tampering occurs when an attacker modifies, adds, deletes, or reorders data. The impact of such attacks can range from serious threats such as an attacker modifying the tag in a passport, to modifying the identity on tags in the supply chain, warehouse or similar, disrupting business operations and causing a loss of revenue. For a user, tampering with data may lead to failure to enter a country (passport attacks), a wrong identity, somebody masquerading as the user, loss of service, loss of reputation, economic loss and identity fraud.

SCENARIO:

CONCERN: An observed serious problem with the kill command, one of the current security measures, is that it can also be misused by an attacker as a consequence of the password distribution being difficult to secure, or of a failure to implement a password. In either case an attacker may kill tags with a number of consequences, ranging from the diversion of items, through loss or theft of items, to business failure (the level of impact depends on the dependency of the impacted business on the RFID technology working properly). The worst possible situation in a warehouse would be if the attacker successfully performs a distributed undesirable kill of all or most of the items in the store. If the store has an automatic ordering system associated with the RFID system, this could result in mass ordering of products already in stock. The attacker could also cause serious confusion and revenue loss by reordering data on tags, such as exchanging a high-priced item's tag with a lower-priced item's tag.

Editor's note: To be commented by Mr Ramsch

Repudiation

Repudiation occurs when a user denies an action and no proof exists that the action was performed.

SCENARIO: Attacks include denying receiving a certain pallet, item or similar. It is also possible to carry out an attack where the tag identity (if allowed by weak system design) is changed and then subsequently the original item is no longer associated with its original tag identity resulting in a denial of the possession of a particular item.

Information disclosure

Information disclosure occurs when information is exposed to an unauthorized user. It is a threat to privacy if the information disclosed is of a private or sensitive nature covered by the Data Privacy Protection Act. The most serious threats described are of the kind where a bomb in a restaurant is set up to explode when a certain number of persons from the same country, or from specific countries, with RFID-enabled passports are detected. It is also possible to target such attacks at a specific person. This is more a fairy tale. Technically not feasible; ePassports are using HF ISO 14443 (proximity coupling).

(Note: such attacks were performed with mobile phones which contained explosives.)

But again: put the passport into a conductive envelope.

SCENARIO: An attacker may track tags, and some tags will carry personal information or information that can be used to derive the identity or link behaviour to a person. As the RF range often exceeds the intended usable range, it is possible to eavesdrop on the RF interface and thereby obtain information on location, product, identity of the tag holder or customer, route travelled, etc. Such information could later be used in blackmail, where an attacker blackmails an individual for having certain merchandise in their possession. It would also be possible for a sufficiently powerful directed reader to read tags in a person's house or car. This statement is technically not feasible. As an RFID expert group we cannot support such statements.

Denial of service

Denial-of-service denies service to valid users. Denial-of-service attacks are relatively easy to accomplish and difficult to guard against.

SCENARIO#1: An attacker may kill tags in the supply chain, warehouse or store, disrupting business or preventing check-out of a particular item.

Other attacks include:

SCENARIO#2: An attacker carries a special absorbent tag that is tuned to the same frequencies used by the tags. Instead of switching the impedance in and out of the antenna to modulate the reader signal it would just absorb the energy reducing the amount of reader energy. It could be a passive device. This would decrease the amount of energy available for reading other normal tags.

SCENARIO#3: An attacker removes or physically destroys tags attached to objects. This is used by an attacker to avoid tracking. A thief destroys the tag to remove merchandise without detection.

SCENARIO#4: An attacker shields the tag from being read with a Faraday cage. A Faraday cage is a metal enclosure, such as a bag lined with aluminium foil, that prevents the reader from reading the tag. In the debate over embedding tags in passports, it has been suggested that the passports be inserted into a foil holder to prevent this type of attack.

SCENARIO#5: An attacker with a powerful signal generator jams the reader by creating a return signal more powerful than the signal returned from the tags, thus making the system unavailable to authorized users.

Bullet points 2 to 3 can be used by the citizen to protect his privacy data. Point 1 is an issue for ticketing, when you want to keep the public transport card in your purse together with other HF cards.

Elevation of privilege

Elevation of privilege occurs when an unprivileged user or attacker gains higher privileges in the system than they are authorized for.

SCENARIO: For example, a user logging on to the database to determine product information can become an attacker by raising his/her status in the information system from a user to a root server administrator and writing or adding malicious data into the system. What has RFID to do with that?

Other RFID security threats

In addition to the threats that can directly be associated with the STRIDE model there are also some RF specific security threats of relevance, as well as some general security threats. The RF specific security threats of relevance are:

RF eavesdropping

Collision attack

Tracking

De-synchronization

The general security threats of relevance are:

Replay

Virus

RF eavesdropping

Since an RFID tag is a wireless device, there exists a risk that the RF signal between tags and readers can be eavesdropped.

Such attacks are made possible as an attacker has the entire radio frequency spectrum to choose from and a set of modulation techniques that can be used. In an RF eavesdropping attack, an attacker uses an antenna to record the signal between a legitimate tag and a reader on the same frequency, the antenna being connected to a digital oscilloscope that captures the RF signal it picks up. In particular, existing passive RFID systems rely on simple modulation schemes using narrowband radio frequencies, so they can be easily eavesdropped. Modulation schemes will be found in the standards ISO 14443, ISO 15693 and ISO 18000-n.

NOTE: Such tests have been performed at the German Ministry of Interior, yielding a read range of 2.7 m with an ISO 14443 card (reference: BSI MARS project).

If the attacker knows the specification of encoding, the signal picked up can have serious implications – used later in other attacks against the RFID system, such as Spoofing attack, Replay attack and Tracking.

Various countermeasures exist for this. Mutual authentication and stream ciphers are examples.

Collision attack

Collision attacks violate the way in which the reader singles out a specific tag for communication. Interference with other radio transmitters may prevent a reader from discovering and polling tags. Tag collision occurs when more than one tag responds to the reader's interrogation at the same time. Without any coordination among the reader and the tags, the responses from the tags become illegible to the reader. The attacker acts as one or more tags responding to the reader's query at the same time, so that a collision occurs. A collision attack is thus an availability type of attack (DoS).

However it would be an excellent tool to disguise UHF tags mounted in personal clothing: just wear a "tag talks first" and the readers are "blind". Good for privacy!

Tracking

Tracking is a threat directed at the privacy of users. RFID readers in strategic locations can record sightings of unique tag identifiers (or "constellations" of non-unique tag identities), which are then associated with personal identities. The problem arises when individuals are tracked involuntarily. Subjects may be conscious of the unwanted tracking (e.g. school kids, senior citizens, and company employees), but that is not always necessarily the case.

NOTE: Some technologies, such as mobile phones, require that the device is always reachable, which can be considered as tracking. However this is often perceived as a desirable trade-off and is consensual. If a mobile phone user wishes to be invisible they can choose to switch off their phone and tracking will stop. Mobile phones are much more efficient means for tracking people. Within a restricted area, like company premises, tracking by RFID is feasible via access control. In this case the employees are well aware of tracking. However, mobile phones need to lock into a system and therefore this data cannot be easily accessed without disturbing the mobile phone system, which is recognized by the mobile phone operator and is furthermore a very obvious legal offence against frequency regulations. Mobile phones and other mobile devices have a more severe RF interface: Bluetooth™ and WLAN provide a unique identifier and have significant range >> 10 m.

De-synchronization

De-synchronization refers to the threat of de-synchronizing the identity between a back-end database server and an RFID tag, which may render the tag useless. There are two kinds of operation between the tag and the reader: read and write. The main function of write is to write the identity of the tag. The intention of a de-synchronization attack is to disrupt the write process. In addition, the write operation (such as updating identities) may fail in cases where the attacker successfully destabilizes the connection between the tag and the reader or the network.

It is recommended to lock the written identity in the memory of the tag by setting the lock bit.

Replay

Replay attacks aim to consume the computing resources of the tag and the reader. For example, in an attack against an RFID reader, the attacker may obtain the identity of an RFID tag from a previous communication and then replay this identity or communication to the reader, forcing it to respond according to an outdated communication request.

Are there reports on such an attack? Yes, therefore stream ciphers exist.
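EXAMPLE (added here for illustration; not part of the present document): the Python code below contrasts a tag whose reply is a fixed identifier with a tag whose reply is bound to a fresh reader challenge, and shows how a reader can detect a replayed reply. HMAC-SHA256 is used as a stand-in for whatever tag-side cryptography (mutual authentication, stream cipher) a real system would apply; the tag identifier, key and nonces are constructed.

```python
"""Replay on the tag/reader interface (constructed example, not from the ETSI draft).

A static tag answers every interrogation with the same identifier, so a
recorded reply is indistinguishable from a live one. A tag that answers
with MAC(key, challenge || id) ties its reply to the reader's fresh
challenge, so the recorded reply fails verification on a later read and
the repeat of identical bytes under a different challenge can be flagged.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

ID_LEN = 4                                   # constructed: 4-byte tag identifier
TAG_ID = b"\x01\x02\x03\x04"                 # constructed tag identifier
TAG_KEY = b"constructed-demo-key-not-real!"  # constructed shared secret


class StaticTag:
    """Tag that returns its identifier whatever the reader sends."""
    def __init__(self, tag_id: bytes) -> None:
        self.tag_id = tag_id

    def respond(self, _challenge: bytes) -> bytes:
        return self.tag_id


class AuthTag:
    """Tag that binds its reply to the reader's challenge with a keyed MAC."""
    def __init__(self, tag_id: bytes, key: bytes) -> None:
        self.tag_id, self.key = tag_id, key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self.key, challenge + self.tag_id, hashlib.sha256).digest()
        return self.tag_id + mac


class Reader:
    """Reader plus back end: knows valid identifiers and, for AuthTag, their keys."""
    def __init__(self, known_ids: Set[bytes], keys: Dict[bytes, bytes]) -> None:
        self.known_ids, self.keys = known_ids, keys
        self.log: List[Tuple[bytes, bytes, bool]] = []   # (challenge, response, accepted)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)        # fresh nonce per read

    def verify_static(self, challenge: bytes, response: bytes) -> bool:
        ok = response in self.known_ids       # nothing ties the reply to this read
        self.log.append((challenge, response, ok))
        return ok

    def verify_auth(self, challenge: bytes, response: bytes) -> bool:
        tag_id, mac = response[:ID_LEN], response[ID_LEN:]
        key = self.keys.get(tag_id)
        ok = key is not None and hmac.compare_digest(
            hmac.new(key, challenge + tag_id, hashlib.sha256).digest(), mac)
        self.log.append((challenge, response, ok))
        return ok

    def replayed_responses(self) -> Set[bytes]:
        """Detection: identical response bytes seen under different challenges."""
        seen: Dict[bytes, Set[bytes]] = {}
        for challenge, response, _ in self.log:
            seen.setdefault(response, set()).add(challenge)
        return {r for r, cs in seen.items() if len(cs) > 1}


def static_exchange() -> Tuple[bool, bool]:
    """Returns (genuine read accepted, recorded reply accepted on a later read)."""
    reader, tag = Reader({TAG_ID}, {}), StaticTag(TAG_ID)
    c1 = reader.new_challenge()
    recorded = tag.respond(c1)                # what an eavesdropper would capture
    first = reader.verify_static(c1, recorded)
    later = reader.verify_static(reader.new_challenge(), recorded)
    return first, later


def auth_exchange() -> Tuple[bool, bool, bool]:
    """Returns (genuine accepted, recorded reply accepted later, replay flagged)."""
    reader, tag = Reader({TAG_ID}, {TAG_ID: TAG_KEY}), AuthTag(TAG_ID, TAG_KEY)
    c1 = reader.new_challenge()
    recorded = tag.respond(c1)
    first = reader.verify_auth(c1, recorded)
    later = reader.verify_auth(reader.new_challenge(), recorded)
    return first, later, recorded in reader.replayed_responses()


if __name__ == "__main__":
    print("static tag: genuine, replay accepted =", static_exchange())
    print("auth tag: genuine, replay accepted, replay flagged =", auth_exchange())
```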

Virus

An RFID virus can be used to manipulate, disclose or maliciously prevent communication between the tag and the reader or the network. Whilst it is reasonable to claim that the payload of an RFID tag is insufficient to carry a virus, it is sufficient to carry a trigger or link to a virus. This may be of particular relevance in object hyperlinking scenarios.

Are there serious reports on such an attack? Generally viruses need more bits than are stored in a tag (96 bits for an EPC).
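The following Python snippet is an added example and is not part of the report. It illustrates the "trigger" point above: a back-end that splices tag contents into a database query can be driven by a payload of a few hundred bits, far smaller than a virus but larger than a 96-bit EPC, so it would have to live in a tag's user memory rather than in the EPC field. The schema, the records and the malicious tag contents are constructed; the hardened lookup validates the expected identifier format and binds the value as a parameter. This is the mechanism behind the published 2006 "RFID malware" demonstrations (Rieback, Crispo and Tanenbaum).

```python
"""Added example (not from the report): a back-end lookup that concatenates
tag contents into SQL, beside a hardened version. Schema, records and the
tag payloads are constructed for illustration."""
import re
import sqlite3

GENUINE_TAG = "307400000000000000000001"               # 24 hex digits: 96-bit EPC-sized
MALICIOUS_TAG = "' UNION SELECT value FROM config --"  # constructed trigger payload


def build_db() -> sqlite3.Connection:
    """In-memory back-end with an item table and a configuration table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE items (epc TEXT PRIMARY KEY, description TEXT);
        CREATE TABLE config (key TEXT, value TEXT);
        INSERT INTO items VALUES ('307400000000000000000001', 'pallet of winter coats');
        INSERT INTO config VALUES ('backend_api_key', 'S3CR3T-constructed');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tag_data: str) -> list:
    """Tag contents are spliced into the SQL text, so they become SQL."""
    query = f"SELECT description FROM items WHERE epc = '{tag_data}'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn: sqlite3.Connection, tag_data: str) -> list:
    """Validate the expected format first, then bind the value as a parameter."""
    if not re.fullmatch(r"[0-9A-Fa-f]{24}", tag_data):
        return []  # anything that is not a 96-bit hex identifier is rejected
    rows = conn.execute(
        "SELECT description FROM items WHERE epc = ?", (tag_data,)
    )
    return [row[0] for row in rows]


def payload_bits(tag_data: str) -> int:
    """Size the payload would occupy on the tag."""
    return len(tag_data.encode()) * 8


if __name__ == "__main__":
    db = build_db()
    print("genuine tag, vulnerable   ->", lookup_vulnerable(db, GENUINE_TAG))
    print("malicious tag, vulnerable ->", lookup_vulnerable(db, MALICIOUS_TAG))
    print("malicious tag, hardened   ->", lookup_hardened(db, MALICIOUS_TAG))
    print("payload size in bits      ->", payload_bits(MALICIOUS_TAG))
```

The format check matters as much as the parameter binding: a tag field that is expected to be an identifier should never reach a query, a URL resolver or a script interpreter unvalidated, whatever its length.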

Consumer aspects including interaction

Activation

Deactivation

Environmental aspects of RFID tags and components

RFID hardware end of life considerations

Data end of life considerations

There may be a conflict between the end of purpose and the end of the lifetime of data on a tag. For example, in the fashion industry clothes are generally sold for a season (winter/summer/spring/autumn) and have a short purpose life (say 6 months). In contrast, the data on the tag may reasonably be expected to remain retrievable for periods of up to 50 years (if access is only by RF, the antenna circuit may degrade at a faster rate than the memory).

Privacy Impact Assessment ( PIA ) outline

Role of PIAs

A Privacy Impact Assessment is a tool to determine whether the data received and processed by an organisation is handled in accordance with regulation and with the business process. In simple terms, for the data in the system the PIA identifies and specifies the organisational processes undertaken to ensure that the set of principles outlined by the OECD, as translated into national or regional law, is followed.

NOTE: Within M436, paragraph 2 (Scope and description of the Mandate), a PIA is not explicitly mentioned.

Generic versus industry specific PIAs

A generic PIA (one size fits all) will end in general wording that has to be interpreted for each application by specialists or even lawyers.

An industry-specific PIA is certainly easier to handle, as there are already several proposals for categorising different applications. However, this approach may lead to a larger number of PIAs than can be handled within M436.

Therefore it is proposed to produce a guideline (or TR) on how to arrive at an industry-specific PIA, based on the document from the Article 29 Working Party. It should include a questionnaire, the conditions for going into operation and the certification authorities.

Recommendations for RFID industry specific PIAs

RFID logos and signage

For consumer awareness

The purpose of logos and signage is to give the user (consumer) confidence about whether RFID readers are deployed in the local environment. For consumer confidence this has to be complete and uniform: wherever an RFID reader is deployed, for any purpose, anybody entering its environment should be given a clear indication of the presence of the reader and be able to determine, directly or indirectly, the way in which the device is operated. If the device has the ability to selectively read data from tags, the signage should clearly and unambiguously indicate the form of the data being gathered from the tags and where further information about the processing of that data can be obtained.

For device marking

The purpose of logos and signage on a device is to give the user (consumer) or holder of the device knowledge that the device is RFID tagged and should indicate the status of the tag (i.e. readable or not-readable).

Answer to Requirements of M436 phase 1

The 14 bullet points of Para 2 Phase 1 should be commented separately.

Requirements for M436 phase 2

Requirements derived from analysis

There is a need for a public pen-test to identify and separate theoretical, possible, probable and realistic threats/attacks. This should be addressed in phase 2.

There is a need for a standard for RFID privacy and security assurance (based on a "Common Criteria light" approach) that specifies privacy and security levels linked to RFID applications, technology, usage, etc. The different levels should define the activities needed to ensure sufficient assurance of privacy and security, linked to the type of tags and readers involved, the data involved, the purpose of the RFID usage scenarios, etc.

The EU Commission expects an ISO 9000/14000/27000 approach; these are all management systems. If a Common Criteria approach is felt to be needed for particular tags or networks, that would be a recommendation.

RFID Logos and signage recommendations

Standards roadmap

Available standards

This list should be taken from GRIFS (Paul Chartier). Perhaps this listing should be put in an Annex; that might make updates easier.

The following lists some of the relevant standards with a brief description, if needed:

ISO/IEC 18000 [] (Radio frequency identification for item management):

Part 1: "Reference architecture and definition of parameters to be standardized": determines the common parameters to be defined in an item identification air interface standard, the method and means of their definition, and provides a common format for their elaboration and definition.

Part 2: "Parameters for air interface communications below 135 kHz": specifies the physical layer for communications between interrogator and tag.

Part 3: "Parameters for air interface communications at 13,56 MHz".

Part 4: "Parameters for air interface communications at 2,45 GHz".

Part 6: "Parameters for air interface communications at 860 MHz to 960 MHz".

Part 7: "Parameters for active air interface communications at 433 MHz": defines the air interface for RFID devices operating as active RF tags in this band for item management applications.

ISO/IEC 15961 []: specifies the air-interface-independent data protocol (application interface).

ISO/IEC 15962 []: specifies the overall process and the methodologies developed to format the application data into a structure to store on the RF tag.

ISO/IEC 15963 []: describes numbering systems for the unique identification (unique ID) of RF tags, which is required as part of the write operation to RFID tags.

ISO/IEC 18001 []: application requirements profiles.

ISO/DIS 17363 []: Supply chain applications of RFID - Freight containers.

ISO/DIS 17364 []: Supply chain applications of RFID - Returnable transport items (RTIs).

ISO/DIS 17365 []: Supply chain applications of RFID - Transport units.

ISO/DIS 17366 []: Supply chain applications of RFID - Product packaging.

ISO/DIS 17367 []: Supply chain applications of RFID - Product tagging.

ISO/IEC 18046: RFID device performance test methods.

ISO/IEC 18047: RFID device conformance test methods.

ISO/IEC 14443: Proximity cards.

ISO/IEC 15693: Vicinity cards.

ISO/IEC 10373-6: test methods for proximity cards (ISO/IEC 14443 cards, including e-passports).

ISO/IEC 29160: RFID Emblem.

Gap analysis and recommendations

This is the key output of M436 Phase 1!

7 Executive Summary

May be put in front also

Annex A:

Privacy Impact Assessment ( PIA ) outline

A.1 Role of PIAs

The PIA is a process that requires a thorough analysis of potential impacts on privacy and a consideration of measures to mitigate or eliminate any such impacts. The PIA is a due diligence exercise in which the organization identifies and addresses potential privacy risks that may occur in the course of its operations. While PIAs are generally focused on specific projects, the process is intended to also include an examination of organization-wide practices that have an impact on privacy. Organizational privacy policy and procedures, or the lack of them, can be significant factors in the ability of the public body to ensure that privacy-protecting measures are available for specific projects.

A.2 Generic versus industry specific PIAs

As the PIA applies to the organisation …

Organizational Privacy Management

A.3 Recommendations for RFID industry specific PIAs

The principal objective of activities under this task on standards development in association with the RFID Privacy Impact Assessment (PIA) is to take due account of established and ongoing activities related to generic PIAs and to ensure the development of an RFID-specific PIA process, in order to deliver a standard approach to the assessment of RFID implementations throughout Europe. The following action is anticipated.

Building on the ongoing work item on developing a generic PIA framework in the CEN Workshop on Data Protection and Privacy, develop an RFID-specific PIA document, coordinating the activities of key stakeholders as well as contributing towards the development of a future RFID-specific PIA CWA (CWA: CEN Workshop Agreement).

The proposed RFID PIA document will be reviewed by CEN/WS DPP and other ESO and industry stakeholders (and the Article 29 Working Party of Data Protection Commissioners).

The STF will edit the RFID PIA document in line with the inputs and comments received from all reviewers, participants and stakeholders. The STF will propose to the CEN/WS DPP:

Changes or additions to the existing generic PIA CWA to result in a revision of the CWA on a generic PIA Framework;

A separate CWA that will describe the RFID PIA.

The output from this task will be the agreed input documents to the CEN/WS DPP, with proposals to update the generic PIA framework CWA together with a basis for a new RFID-specific PIA CWA from the CEN/WS DPP. The finalised CWAs are not part of this technical proposal, but they will be freely available from CEN.

This means we should not put too much effort from STF 396 into the PIA issue

Annex B:

RFID logos and signage

The present document is intended to take due account of established and ongoing activities related to RFID logos and signage in order to offer standards which offer clear and consistent messages to the general public throughout Europe in raising awareness as well as building confidence in RFID technology and associated applications. Standards need to be developed quickly to support the RFID Recommendation.

The RFID logos and sign standards are to take into account existing and future implementations of this technology in order to not restrict RFID applications. The logos and signs are to be capable of alerting to all elements of an RFID network. The STF will coordinate the activities of key stakeholders and propose activities to the EC concerning the development of the future RFID logos and signage standards.

The STF will develop a list of established and ongoing RFID logos and signage activities and their associated key stakeholders, taking into account contributions from the EC RFID Expert Group. The task is to establish a PIA and RFID logos and signage landscape, to identify gaps requiring the development of RFID-specific PIA processes and standards, and to identify the steps necessary to coordinate the delivery of suitable RFID logos and signs within 12 months of the Recommendation.

The principal objective of the STF will be to review the established and ongoing activities related to RFID logos and signage and to propose a solution that can be formed into a CEN standard.

The following steps are anticipated.

With the agreement of the Co-ordination Group, the STF will consult key stakeholders, propose activities to the EC and execute approved actions which guide the development of future RFID logos and signage standards. The Co-ordination Group will meet the EC stakeholders concerning this issue (e.g. DGs Enterprise and Information Society) every 3 months.

Annex C:

Summary of mandate M436

Annex D:

Figures from GRIFS report

[pic]

Figure 9: Data encoding and application protocol standards: interrelationships

The data and sensor commands and responses are defined in ISO/IEC 15961-1 and ISO/IEC 15961-4 respectively. The Part 1 standard supports encoding for 8 types of tag.

NOTE: ISO/IEC 15961-4 is still an early-stage working draft and not available.

The data management interface standards (ALE for EPCglobal, which only addresses 18000-6C tags, and ISO/IEC 24791-2, which only addresses 3 tag types) are intended to support the functional commands in 15961, but with a defined interface protocol. 15961 (in the currently published version, but not the new version) did specify a more rigorous interface protocol than ALE / 24791-2, but this was withdrawn because 15961 and 15962 can be implemented on the same device. A printer-encoder or hand-held device does not need an interface between its component parts. Whereas the general assumption is that the 24791 series supports network implementations, until it covers all the technologies supported by 15961 this will not be the case.

[pic]

Figure 12: Data exchange: interrelationships

This figure shows the links up to the Internet of Things. As with the EPCglobal model, this generic model assumes some form of subscriber authentication. Not all options for the future depend on a DNS emulation (such as ONS); some might exploit more secure approaches even for basic data.

Annex :

Bibliography

Books

The following books give some background to the topics of privacy and security in the use and deployment of RFID.

"Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID"; Author(s): Katherine Albrecht, Liz McIntyre; Publisher: Nelson Current; ISBN-10: 1595550208, ISBN-13: 978-1595550200.

"Security in RFID and Sensor Networks (Wireless Networks and Mobile Communications)"; Editor(s): Yan Zhang, Paris Kitsos; Publisher: Auerbach Publications; ISBN-10: 1420068393, ISBN-13: 978-1420068399.

"How to Cheat at Deploying and Securing RFID"; Author(s): Paul Sanghera, Brad Haines; Publisher: Syngress; ISBN-10: 1597492302, ISBN-13: 978-1597492300.

"RFID Handbook: Fundamentals and Applications in Contactless Smart Cards, Identification and NFC (Near Field Communication)"; Author: Dr. Klaus Finkenzeller; Publisher: Wiley-Blackwell; ISBN-10: 0470695064, ISBN-13: 978-0470695067.

GRIFS database extract


History

|Document history |

|V0.0.10 |February 2010 |First outline of ToC for STF396 review |

|V0.0.1 |April 2010 |Approved output of TISPAN#24W |

|V0.0.2 |April 2010 |Input to ERM TG34 for review/discussion |

