Guidelines for Securing Radio Frequency Identification (RFID) Systems
Total Page:16
File Type:pdf, Size:1020Kb
Special Publication 800-98 Guidelines for Securing Radio Frequency Identification (RFID) Systems Recommendations of the National Institute of Standards and Technology Tom Karygiannis Bernard Eydt Greg Barber Lynn Bunn Ted Phillips NIST Special Publication 800-98 Guidelines for Securing Radio Frequency Identification (RFID) Systems Recommendations of the National Institute of Standards and Technology Tom Karygiannis Bernard Eydt Greg Barber Lynn Bunn Ted Phillips C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 April 2007 US Department of Commerce Carlos M. Gutierrez, Secretary Technology Administration Robert C. Cresanti, Under Secretary of Commerce for Technology National Institute of Standards and Technology William Jeffrey, Director GUIDELINES FOR SECURING RFID SYSTEMS Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the US economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. Special Publication 800-series documents report on ITL’s research, guidelines, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-98 Natl. Inst. Stand. Technol. Spec. Publ. 800-98, 154 pages (April 2007) Certain commercial entities, equipment, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessa rily the best available for the purpose. ii GUIDELINES FOR SECURING RFID SYSTEMS Acknowledgments The authors, Tom Karygiannis of NIST, and Bernard Eydt, Greg Barber, Lynn Bunn, and Ted Phillips of Booz Allen Hamilton, wish to thank Steven Fick, Rick Korchak, Kate Remley, Jeff Guerrieri, Dylan Williams, Karen Scarfone, and Tim Grance of NIST, and Kenneth Waldrop and Beth Mallory of Booz Allen Hamilton. These individuals reviewed drafts of this document and contributed to its technical content. The authors would also like to express their thanks to several experts for their critical review and feedback on drafts of the publication. These experts include V.C. Kumar of Texas Instruments; Simson Garfinkel of the Naval Postgraduate School; Peter Sand of the Department of Homeland Security; Erika McCallister of MITRE; and several professionals supporting Automatic Identification Technology (AIT) program offices within the Department of Defense (DoD), especially Nicholas Tsougas, Fred Naigle, Vince Pontani, Jere Engelman, and Kathleen Smith. During the public comment period we received helpful comments from the following Federal Government agencies: the US Departments of Defense, Health and Human Services, Homeland Security, Labor, and State; the Office of the Director of National Intelligence; the Office of Management and Budget; and the General Services Administration. We also received several helpful contributions from commercial industry, including comments from EPCglobal, VeriSign, and Priway. Finally, the authors wish to thank the following individuals for their comments and assistance: Brian Tiplady, Daniel Bailey, Paul Dodd, Craig K. Harmon, William MacGregor, Ted Winograd, Russell Lange, Perry F. Wilson, John Pescatore, Ronald Dugger, Stephan Engberg, Morten Borup Harning, Matt Sexton, Brian Cute, Asterios Tsibertzopoulos, Mike Francis, Joshua Slobin, Jack Harris, and Judith Myerson. iii GUIDELINES FOR SECURING RFID SYSTEMS Table of Contents Executive Summary..............................................................................................................ES-1 1. Introduction ......................................................................................................................1-1 1.1 Authority...................................................................................................................1-1 1.2 Purpose and Scope .................................................................................................1-1 1.3 Document Structure .................................................................................................1-2 2. RFID Technology..............................................................................................................2-1 2.1 Automatic Identification and Data Capture (AIDC) Technology...............................2-1 2.2 RFID System Components ......................................................................................2-2 2.3 RF Subsystem .........................................................................................................2-2 2.3.1 Tag Characteristics.......................................................................................2-3 2.3.2 Reader Characteristics .................................................................................2-9 2.3.3 Tag-Reader Communication ......................................................................2-12 2.4 Enterprise Subsystem............................................................................................2-14 2.4.1 Middleware .................................................................................................2-15 2.4.2 Analytic Systems ........................................................................................2-15 2.4.3 Network Infrastructure ................................................................................2-16 2.5 Inter-Enterprise Subsystem ...................................................................................2-17 2.5.1 Open System Networks..............................................................................2-18 2.5.2 Object Naming Service (ONS)....................................................................2-19 2.5.3 Discovery Service.......................................................................................2-21 2.6 Summary................................................................................................................2-21 3. RFID Applications and Application Requirements .......................................................3-1 3.1 RFID Application Types ...........................................................................................3-1 3.1.1 Asset Management.......................................................................................3-2 3.1.2 Tracking........................................................................................................3-2 3.1.3 Authenticity Verification ................................................................................3-3 3.1.4 Matching .......................................................................................................3-3 3.1.5 Process Control ............................................................................................3-3 3.1.6 Access Control .............................................................................................3-4 3.1.7 Automated Payment .....................................................................................3-5 3.1.8 Supply Chain Management ..........................................................................3-5 3.2 RFID Information Characteristics.............................................................................3-6 3.3 RFID Transaction Environment................................................................................3-7 3.3.1 Distance between Reader and Tag ..............................................................3-7 3.3.2 Transaction Speed .......................................................................................3-8 3.3.3 Network Connectivity and Data Storage.......................................................3-8 3.4 The Tag Environment between Transactions ..........................................................3-9 3.4.1 Data Collection Requirements......................................................................3-9 3.4.2 Human and Environmental Threats to Tag Integrity.....................................3-9 3.5 RFID Economics ....................................................................................................3-10 3.6 Summary................................................................................................................3-11 4. RFID Risks ........................................................................................................................4-1 4.1 Business Process Risk ............................................................................................4-1 4.2 Business Intelligence Risk .......................................................................................4-3 iv GUIDELINES FOR SECURING RFID SYSTEMS 4.3 Privacy Risk .............................................................................................................4-4