Guidelines for Securing Radio Frequency Identification (RFID) Systems

Total Page:16

File Type:pdf, Size:1020Kb

Guidelines for Securing Radio Frequency Identification (RFID) Systems Special Publication 800-98 Guidelines for Securing Radio Frequency Identification (RFID) Systems Recommendations of the National Institute of Standards and Technology Tom Karygiannis Bernard Eydt Greg Barber Lynn Bunn Ted Phillips NIST Special Publication 800-98 Guidelines for Securing Radio Frequency Identification (RFID) Systems Recommendations of the National Institute of Standards and Technology Tom Karygiannis Bernard Eydt Greg Barber Lynn Bunn Ted Phillips C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 April 2007 US Department of Commerce Carlos M. Gutierrez, Secretary Technology Administration Robert C. Cresanti, Under Secretary of Commerce for Technology National Institute of Standards and Technology William Jeffrey, Director GUIDELINES FOR SECURING RFID SYSTEMS Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the US economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. Special Publication 800-series documents report on ITL’s research, guidelines, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-98 Natl. Inst. Stand. Technol. Spec. Publ. 800-98, 154 pages (April 2007) Certain commercial entities, equipment, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessa rily the best available for the purpose. ii GUIDELINES FOR SECURING RFID SYSTEMS Acknowledgments The authors, Tom Karygiannis of NIST, and Bernard Eydt, Greg Barber, Lynn Bunn, and Ted Phillips of Booz Allen Hamilton, wish to thank Steven Fick, Rick Korchak, Kate Remley, Jeff Guerrieri, Dylan Williams, Karen Scarfone, and Tim Grance of NIST, and Kenneth Waldrop and Beth Mallory of Booz Allen Hamilton. These individuals reviewed drafts of this document and contributed to its technical content. The authors would also like to express their thanks to several experts for their critical review and feedback on drafts of the publication. These experts include V.C. Kumar of Texas Instruments; Simson Garfinkel of the Naval Postgraduate School; Peter Sand of the Department of Homeland Security; Erika McCallister of MITRE; and several professionals supporting Automatic Identification Technology (AIT) program offices within the Department of Defense (DoD), especially Nicholas Tsougas, Fred Naigle, Vince Pontani, Jere Engelman, and Kathleen Smith. During the public comment period we received helpful comments from the following Federal Government agencies: the US Departments of Defense, Health and Human Services, Homeland Security, Labor, and State; the Office of the Director of National Intelligence; the Office of Management and Budget; and the General Services Administration. We also received several helpful contributions from commercial industry, including comments from EPCglobal, VeriSign, and Priway. Finally, the authors wish to thank the following individuals for their comments and assistance: Brian Tiplady, Daniel Bailey, Paul Dodd, Craig K. Harmon, William MacGregor, Ted Winograd, Russell Lange, Perry F. Wilson, John Pescatore, Ronald Dugger, Stephan Engberg, Morten Borup Harning, Matt Sexton, Brian Cute, Asterios Tsibertzopoulos, Mike Francis, Joshua Slobin, Jack Harris, and Judith Myerson. iii GUIDELINES FOR SECURING RFID SYSTEMS Table of Contents Executive Summary..............................................................................................................ES-1 1. Introduction ......................................................................................................................1-1 1.1 Authority...................................................................................................................1-1 1.2 Purpose and Scope .................................................................................................1-1 1.3 Document Structure .................................................................................................1-2 2. RFID Technology..............................................................................................................2-1 2.1 Automatic Identification and Data Capture (AIDC) Technology...............................2-1 2.2 RFID System Components ......................................................................................2-2 2.3 RF Subsystem .........................................................................................................2-2 2.3.1 Tag Characteristics.......................................................................................2-3 2.3.2 Reader Characteristics .................................................................................2-9 2.3.3 Tag-Reader Communication ......................................................................2-12 2.4 Enterprise Subsystem............................................................................................2-14 2.4.1 Middleware .................................................................................................2-15 2.4.2 Analytic Systems ........................................................................................2-15 2.4.3 Network Infrastructure ................................................................................2-16 2.5 Inter-Enterprise Subsystem ...................................................................................2-17 2.5.1 Open System Networks..............................................................................2-18 2.5.2 Object Naming Service (ONS)....................................................................2-19 2.5.3 Discovery Service.......................................................................................2-21 2.6 Summary................................................................................................................2-21 3. RFID Applications and Application Requirements .......................................................3-1 3.1 RFID Application Types ...........................................................................................3-1 3.1.1 Asset Management.......................................................................................3-2 3.1.2 Tracking........................................................................................................3-2 3.1.3 Authenticity Verification ................................................................................3-3 3.1.4 Matching .......................................................................................................3-3 3.1.5 Process Control ............................................................................................3-3 3.1.6 Access Control .............................................................................................3-4 3.1.7 Automated Payment .....................................................................................3-5 3.1.8 Supply Chain Management ..........................................................................3-5 3.2 RFID Information Characteristics.............................................................................3-6 3.3 RFID Transaction Environment................................................................................3-7 3.3.1 Distance between Reader and Tag ..............................................................3-7 3.3.2 Transaction Speed .......................................................................................3-8 3.3.3 Network Connectivity and Data Storage.......................................................3-8 3.4 The Tag Environment between Transactions ..........................................................3-9 3.4.1 Data Collection Requirements......................................................................3-9 3.4.2 Human and Environmental Threats to Tag Integrity.....................................3-9 3.5 RFID Economics ....................................................................................................3-10 3.6 Summary................................................................................................................3-11 4. RFID Risks ........................................................................................................................4-1 4.1 Business Process Risk ............................................................................................4-1 4.2 Business Intelligence Risk .......................................................................................4-3 iv GUIDELINES FOR SECURING RFID SYSTEMS 4.3 Privacy Risk .............................................................................................................4-4
Recommended publications
  • Guidelines for Securing Radio Frequency Identification (RFID) Systems
    Special Publication 800-98 Guidelines for Securing Radio Frequency Identification (RFID) Systems Recommendations of the National Institute of Standards and Technology Tom Karygiannis Bernard Eydt Greg Barber Lynn Bunn Ted Phillips NIST Special Publication 800-98 Guidelines for Securing Radio Frequency Identification (RFID) Systems Recommendations of the National Institute of Standards and Technology Tom Karygiannis Bernard Eydt Greg Barber Lynn Bunn Ted Phillips C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 April 2007 US Department of Commerce Carlos M. Gutierrez, Secretary Technology Administration Robert C. Cresanti, Under Secretary of Commerce for Technology National Institute of Standards and Technology William Jeffrey, Director GUIDELINES FOR SECURING RFID SYSTEMS Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the US economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. Special Publication 800-series documents report on ITL’s research, guidelines, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-98 Natl.
    [Show full text]
  • Itin-Rts-Pia.Pdf
    Date of Approval: February 13, 2018 PIA ID Number: 3185 A. SYSTEM DESCRIPTION 1. Enter the full name and acronym for the system, project, application and/or database. Individual Taxpayer Identification Number -Real Time System, ITIN-RTS 2. Is this a new system? No 2a. If no, is there a PIA for this system? Yes If yes, enter the full name, acronym, PIA ID Number and milestone of the most recent PIA. ITIN-RTS, PIAMS #1244 Next, enter the date of the most recent PIA. 2/17/2015 Indicate which of the following changes occurred to require this update (check all that apply). No Addition of PII No Conversions No Anonymous to Non-Anonymous No Significant System Management Changes No Significant Merging with Another System No New Access by IRS employees or Members of the Public No Addition of Commercial Data / Sources No New Interagency Use Yes Internal Flow or Collection Were there other system changes not listed above? No If yes, explain what changes were made. 3. Check the current ELC (Enterprise Life Cycle) Milestones (select all that apply) No Vision & Strategy/Milestone 0 No Project Initiation/Milestone 1 No Domain Architecture/Milestone 2 No Preliminary Design/Milestone 3 No Detailed Design/Milestone 4A No System Development/Milestone 4B No System Deployment/Milestone 5 Yes Operations & Maintenance (i.e., system is currently operational) 4. Is this a Federal Information Security Management Act (FISMA) reportable system? Yes A.1 General Business Purpose 5. What is the general business purpose of this system? Provide a clear, concise description of the system, application or database, the reason for the system, and the benefits to the IRS to use the information, and how the information will be used.
    [Show full text]
  • Tesi Definitiva
    UNIVERSITA’ DEGLI STUDI DI TORINO FACOLTA’ DI ECONOMIA CORSO DI LAUREA IN ECONOMIA E DIREZIONE DELLE IMPRESE RELAZIONE DI LAUREA INNOVATIVI DISPOSITIVI TECNOLOGICI PER UNA MAGGIORE INFORMAZIONE DEL CONSUMATORE NEL SETTORE AGROALIMENTARE: UNO STUDIO AL SALONE DEL GUSTO 2010 Relatore: Prof. Giovanni Peira Correlatori: Prof. Luigi Bollani Dott. Sergio Arnoldi Candidato: Andrea Gino Sferrazza ANNO ACCADEMICO 2010/2011 Ringraziamenti Ringrazio per la stesura di questo lavoro: - il Prof. Giovanni Peira del Dipartimento di Scienze Merceologiche, per avermi seguito e aiutato durante questo lavoro, fornendomi parte del materiale di studio, indicandomi alcune persone cruciali per la buona riuscita della stesura e per la sua completa disponibilità durante quesi mesi di ricerche; - il Prof. Luigi Bollani, del Dipartimento di Statistica e Matematica applicata “Diego de Castro”, per il suo fondamentale contributo nell’impostazione e nell’elaborazione del questionario, proposto durante il Salone del Gusto 2010; - il Dott. Sergio Arnoldi, coordinatore dell’Area Promozione Agroalimentare della Camera di commercio di Torino, il quale ha messo a disposizione tempo e risorse preziose per questo progetto di ricerca, sempre con molta professionalità e competenza; - il Dott. Alessandro Bonadonna del Dipartimento di Scienze Merceologiche, per avermi fornito preziosi spunti per la trattazione; - tutti coloro che mi hanno supportato nella stesura ed elaborazione del questionario, rendendo possibile il raggiungimento degli obiettivi prefissati nei tempi prestabiliti. Ringraziamenti particolari Il primo ringraziamento va a mia madre, l’unica vera persona che mi ha accompagnato in ogni momento durante il mio percorso di studio. Senza di lei, non avrei potuto raggiungere questo importante traguardo. Questo risultato lo divido con te.
    [Show full text]
  • National HIV Surveillance System (NHSS) Attachment 9. Data Security
    National HIV Surveillance System (NHSS) Attachment 9. Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs: Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action. Centers for Disease Control and Prevention, 2011. Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs: Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs: Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action Suggested Citation: Centers for Disease Control and Prevention. Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs: Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action. Atlanta (GA): U.S. Department of Health and Human Services, Centers for Disease Control and Prevention; 2011 This report was prepared by Security and Confidentiality Guidelines Subgroup of CDC’s NCHHSTP Surveillance Work Group: Patricia Sweeney, Sam Costa; Division of HIV/AIDS Prevention Hillard Weinstock , Patrick Harris, Nicholas Gaffga; Division of STD Prevention Kashif Iqbal; Division of Viral Hepatitis Lilia Manangan, Suzanne Marks; Division of TB Elimination Gustavo Aquino; Office of the Director, NCHHSTP This publication lists non-federal resources in order to provide additional information to consumers. The views and content in these resources have not been formally approved by the U.S. Department of Health and Human Services (HHS). Listing these resources is not an endorsement by HHS or its components.
    [Show full text]
  • Full Page Version
    Volume V, Number 1 Spring 2019 Journal of Health and Human Experience Needed, A New Woodstock The photograph on the front cover is by Heinrich Klaffs. Journal of Health and Human Experience The Journal of Health and Human Experience is published by The Semper Vi Foundation. Journal of Health and Human Experience Volume V, No. 1 PrefaceJournal of Health and Human Experience General Information The Journal of Health and Human Experience is published by The Semper Vi Foundation, a 501(c)(3) public charity. The Journal is designed to benefit international academic and professional inquiry regarding total holistic health, the arts and sciences, human development, human rights, and social justice. The Journal promotes unprecedented interdisciplinary scholarship and academic excellence through explorations of classical areas of interest and emerging horizons of multicultural and global significance. ISSN 2377-1577 (online). Correspondence Manuscripts are to be submitted to the Journal Leadership. Submission of a manuscript is considered to be a representation that it is not copyrighted, previously published, or concurrently under consideration for publishing by any other entity in print or electronic form. Contact the Journal Leadership for specific information for authors, templates, and new material. The preferred communication route is through email at [email protected]. Subscriptions, Availability and Resourcing The Journal is supported completely by free will, charitable donations. There are no subscription fees. Online copies of all editions of the Journal are freely available for download at: http://jhhe.sempervifoundation.org. To make a donation, contact: [email protected]. You will be contacted in reply as soon as possible with the necessary information.
    [Show full text]
  • HP Proximity Card Readers, It’S Easy Technologies and Support the Wide Range of to Secure Networked Printers Mobile Devices
    Solution brief Enhance security and improve productivity with unified printer authentication across your organization HP proximity, smart card, and Bluetooth® Low Energy (BLE)/ NFC-enabled card readers What if you could… • Help protect confidential documents by releasing print jobs only to the right user? • Enhance the security of networked printers by easily and accurately authenticating users? • Support a wide variety of proximity and smart cards, and digital credentials on mobile devices with one reader? • Leverage the flexibility and accessibility of mobile credentials for secure print release on HP MFPs and printers? • Meet Health Insurance Portability and Accountability Act (HIPAA) privacy requirements for access to patient records? With HP's proximity card readers with mobile credential support—you can. Multicard authentication for Network security for the world’s HP printers most secure MFPs and printers1 Unified, enterprise-wide access control no HP printers and MFPs are the most secure longer has to be cumbersome or expensive. printing devices in the world.1 But it’s easy Now you can protect confidential information for customers to overlook the fact that these HP card readers support and manage access to printing and imaging network-connected devices serve as access devices by enabling user authentication through points to the corporate network. As with any proximity cards, smart cards, access cards, badges, and digital credentials network endpoint, organizations need to on mobile devices. HP dual frequency card actively control who has physical access and and digital credentials on readers incorporate multiple communication how. With HP proximity card readers, it’s easy technologies and support the wide range of to secure networked printers mobile devices.
    [Show full text]
  • Reviewing Privacy in an Information Society*
    REVIEWING PRIVACY IN AN INFORMATION SOCIETY* SPIROS SIMITISt I. THE QUEST FOR A CONCEPT Privacy is an old and venerable subject.1 Generations of lawyers, judges, and legal scholars have explored its different aspects. The num- ber of cases is countless, the list of statutes long and impressive.2 Yet, * Originally delivered as the second Thomas Jefferson Lecture at the University of Pennsylvania Law School on October 28, 1985. The University of Pennsylvania Law Review would like to thank Hermann Knott and Franz Tepper, 1987 LL.M. candidates at the University of Pennsylvania Law School, for reviewing most of the German language material cited in this article. t Professor of Civil and Labor Law, Johann Wolfgang Goethe-Universitit, Frankfurt am Main; Data Protection Commissioner, State of Hesse, Federal Republic of Germany. 1 See, e.g., Griswold v. Connecticut, 381 U.S. 479 (1965) (identifying zones of individual privacy guaranteed by the United States Constitution); Millar v. Taylor, 98 Eng. Rep. 201, 242 (K.B. 1769) ("It is certain every man has a right to keep his own sentiments, if he pleases: he has certainly a right to judge whether he will make them public, or commit them only to the sight of his friends."); B. MOORE, PRIVACY: STUD- IES IN SOCIAL AND CULTURAL HISTORY (1984) (examining the concepts of public and private in various societies including 4th century B.C. Athens, ancient Hebrew society as reflected in the Old Testament, and ancient China at the age of the "hundred philos- ophers," 551 B.C. to 233 B.C.). See generally Warren & Brandeis, The Right to Pri- vacy, 4 HARV.
    [Show full text]
  • Unlocking the Smart Card
    Episode Four: Unlocking the Smart Card This is an excerpt from Unlocked — an ASSA ABLOY podcast series on campus security. Unlocked explores the security issues and challenges that colleges and universities face as they strive to create a safe and secure learning environment. Visit intelligentopenings.com/unlocked to hear more. How We Got Smart Before diving into the current broken cards and physical wear on the credential technologies, it helps to readers. Prox solved these problems. understand where we came from. Lower maintenance costs, increased In 1960, a young engineer from IBM user convenience, and new options named Forrest Parry invented the for form factors like fobs made the magnetic stripe card. Once prox card a winner. But the low- ubiquitous on campus doors, more frequency proximity technology is reliable and secure technologies not without its limitations. are quickly eclipsing the mag stripe. Mag stripe cards are simple. A card gets swiped in a reader. That reader then reads a sequence of numbers Outside of higher stored on the stripe of that card. education and If the number matches what’s stored in the access system’s older hotels, hardly Whether installing a new door access database, the door unlocks. system for your campus or upgrading from a legacy system you have a lot of Many campuses still use the mag anyone still uses decisions to make. stripe card for their door access. This is mainly because the cards are mag stripe cards You first must choose the right access inexpensive, the cost to replace the software and locking hardware.
    [Show full text]
  • Google Data Collection —NEW—
    Digital Content Next January 2018 / DCN Distributed Content Revenue Benchmark Google Data Collection —NEW— August 2018 digitalcontentnext.org CONFIDENTIAL - DCN Participating Members Only 1 This research was conducted by Professor Douglas C. Schmidt, Professor of Computer Science at Vanderbilt University, and his team. DCN is grateful to support Professor Schmidt in distributing it. We offer it to the public with the permission of Professor Schmidt. Google Data Collection Professor Douglas C. Schmidt, Vanderbilt University August 15, 2018 I. EXECUTIVE SUMMARY 1. Google is the world’s largest digital advertising company.1 It also provides the #1 web browser,2 the #1 mobile platform,3 and the #1 search engine4 worldwide. Google’s video platform, email service, and map application have over 1 billion monthly active users each.5 Google utilizes the tremendous reach of its products to collect detailed information about people’s online and real-world behaviors, which it then uses to target them with paid advertising. Google’s revenues increase significantly as the targeting technology and data are refined. 2. Google collects user data in a variety of ways. The most obvious are “active,” with the user directly and consciously communicating information to Google, as for example by signing in to any of its widely used applications such as YouTube, Gmail, Search etc. Less obvious ways for Google to collect data are “passive” means, whereby an application is instrumented to gather information while it’s running, possibly without the user’s knowledge. Google’s passive data gathering methods arise from platforms (e.g. Android and Chrome), applications (e.g.
    [Show full text]
  • The Pii Problem: Privacy and a New Concept of Personally Identifiable Information
    \\jciprod01\productn\N\NYU\86-6\NYU603.txt unknown Seq: 1 28-NOV-11 15:01 THE PII PROBLEM: PRIVACY AND A NEW CONCEPT OF PERSONALLY IDENTIFIABLE INFORMATION PAUL M. SCHWARTZ† & DANIEL J. SOLOVE‡ Personally identifiable information (PII) is one of the most central concepts in information privacy regulation. The scope of privacy laws typically turns on whether PII is involved. The basic assumption behind the applicable laws is that if PII is not involved, then there can be no privacy harm. At the same time, there is no uniform definition of PII in information privacy law. Moreover, computer science has shown that in many circumstances non-PII can be linked to individuals, and that de-identified data can be re-identified. PII and non-PII are thus not immutable categories, and there is a risk that information deemed non-PII at one time can be transformed into PII at a later juncture. Due to the malleable nature of what consti- tutes PII, some commentators have even suggested that PII be abandoned as the mechanism by which to define the boundaries of privacy law. In this Article, we argue that although the current approaches to PII are flawed, the concept of PII should not be abandoned. We develop a new approach called “PII 2.0,” which accounts for PII’s malleability. Based upon a standard rather than a rule, PII 2.0 utilizes a continuum of risk of identification. PII 2.0 regulates informa- tion that relates to either an “identified” or “identifiable” individual, and it estab- lishes different requirements for each category.
    [Show full text]
  • Privacy Faqs
    Privacy Frequently Asked Questions (FAQs) NIH Privacy FAQ (June 2017) Table of Contents Privacy Act .................................................................................................................................................. 1 1. What is Privacy? ................................................................................................................................ 1 2. Why is Privacy Important? ................................................................................................................ 2 3. What are the different Types of Private Information?................................................................... 2 4. When can Social Security Numbers be Collected? ...................................................................... 4 5. Where do Privacy laws Originate? .................................................................................................. 4 6. Why have a Privacy Act? .................................................................................................................. 7 7. What does the Privacy Act do?........................................................................................................ 7 8. Who does the Privacy Act cover and not cover? .......................................................................... 7 9. When is NIH allowed to collect my information? ........................................................................... 8 10. When are a supervisor’s notes considered agency records? ..................................................
    [Show full text]
  • 3 Security Threats for RFID Systems
    FIDIS Future of Identity in the Information Society Title: “D3.7 A Structured Collection on Information and Literature on Technological and Usability Aspects of Radio Frequency Identification (RFID)” Author: WP3 Editors: Martin Meints (ICPP) Reviewers: Jozef Vyskoc (VaF) Sandra Steinbrecher (TUD) Identifier: D3.7 Type: [Template] Version: 1.0 Date: Monday, 04 June 2007 Status: [Deliverable] Class: [Public] File: fidis-wp3-del3.7.literature_RFID.doc Summary In this deliverable the physical properties of RFID, types of RFID systems basing on the physical properties and operational aspects of RFID systems are introduced and described. An overview on currently know security threats for RFID systems, countermeasures and related cost aspects is given. This is followed by a brief overview on current areas of application for RFID. To put a light on status quo and trends of development in the private sector in the context of RFID, the results of a study carried out in 2004 and 2005 in Germany are summarised. This is followed by an overview on relevant standards in the context of RFID. This deliverable also includes a bibliography containing relevant literature in the context of RFID. This is published in the bibliographic system at http://www.fidis.net/interactive/rfid-bibliography/ Copyright © 2004-07 by the FIDIS consortium - EC Contract No. 507512 The FIDIS NoE receives research funding from the Community’s Sixth Framework Program FIDIS D3.7 Future of Identity in the Information Society (No. 507512) Copyright Notice: This document may not be copied, reproduced, or modified in whole or in part for any purpose without written permission from the FIDIS Consortium.
    [Show full text]