Security standards for data and networks

There are four zones in an RFID system where security features can be considered and applied:

  • The RFID tag itself: Some levels of security can be built into the tag, with obvious features being the locking of data so that it is permanently encoded, and the inclusion of password matching before permitting subsequent transactions.
  • The air interface protocol, which can support features in the command structure to the tag, such as passwords that can restrict unauthorised access, particularly to write data to the tag. There is also the additional security aspect of unauthorised reading, but most RFID applications (like those of bar code) tend to provide an open access to the reading of data.
  • The RFID interrogator (reader) which, with unauthorised emulation, might provide access to the network containing more sensitive data.
  • The network itself, which some experts consider is fundamentally equivalent to any form of network security, while others argue that RFID data presents a special case. Our view is that it is really the new types of application that present network security problems, especially if security features are implemented at lower levels of the system.

Key relationships with other components

Security has been somewhat of a "Cinderella" feature of RFID systems, generally ignored or reduced to a minor role until recently when its relevance appears to be manifesting itself. We consider the limited number of standards in this area (below) but, for now, we want to focus on some of the basic practicalities.

Apart from features such as locking part of the memory on an RFID tag and low-level password control, there are very few security features built in at the tag level. Also, while most tags do support selective locking, the notable exception in the current state of its standard and device compliance is the ISO/IEC 18000-6C tag. On the other hand, it is the only tag of the published standards that provides support for passwords.

Even with smart cards, the security aspects are often provided as part of a product implementation and can even be proprietary. So, in the recent hacker attack on smart cards, it was not the SC17 standard that came under criticism, but a proprietary product.

Some aspects are independent of tag technology, and the data protocol standards provide advice about encrypting data but retaining object identifier references. Such an approach places very little burden on the RFID system, other than requiring possibly more memory and air transmission time, with all the processing burden carried by the interrogator and higher level systems. We know of no implementations of this feature. We are aware that other mechanisms are being considered for standardisation.

To improve the situation with respect to tag hardware security, a New Work Item has been proposed in SC31 to add security features to RFID tags. The approach that is being adopted is for a separate standard to be defined, which will allow the individual air interface protocol standards to call out features of the security standard for enhanced products.

In the RFID air interface, there is little security other than the link within the reader zone, passwords (where implemented), and the ongoing "handshake" of being able to talk to a specific tag. The handshake feature is really to ensure proper communication during authorised communication and, while it can be considered a security feature, it does little to protect against unauthorised communication. In fact, most air interface commands have a very low-level, bit-based structure and are easy to construct. Even with systems that use passwords, once a communication channel has been established, the assumption is that all subsequent commands exchanged with the particular tag are secure, and the password is often not invoked in subsequent commands that are part of the communication chain.

RFID interrogators are often considered to be just another network device and are provided with Internet Protocol (IP) addresses to enable communication. If authentication is not part of the communication process, then it is relatively easy to achieve unauthorised interrogator emulation.
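
The following sketch is an added example, not taken from this report or from any standard: it shows one way the network side can require each interrogator to prove possession of an enrolled key through a challenge-response MAC, instead of trusting its IP address. The class, function and reader names and the sample tag read are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _encode(*fields):
    # Length-prefix every field so field boundaries cannot be shifted.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def sign_report(key, reader_id, nonce, payload):
    """Interrogator side: MAC over its identity, the challenge and the tag data."""
    msg = _encode(reader_id.encode(), nonce, payload)
    return hmac.new(key, msg, hashlib.sha256).digest()


class ReaderGateway:
    """Network side: accepts tag reports only from enrolled interrogators."""

    def __init__(self, enrolled_keys):
        self._keys = dict(enrolled_keys)  # reader_id -> shared secret
        self._pending = {}                # reader_id -> outstanding nonce

    def challenge(self, reader_id):
        nonce = secrets.token_bytes(16)
        self._pending[reader_id] = nonce
        return nonce

    def accept(self, reader_id, payload, mac):
        key = self._keys.get(reader_id)
        nonce = self._pending.pop(reader_id, None)  # single use blocks replay
        if key is None or nonce is None:
            return False
        expected = sign_report(key, reader_id, nonce, payload)
        return hmac.compare_digest(expected, mac)


def demo():
    key = secrets.token_bytes(32)                  # constructed shared secret
    gateway = ReaderGateway({"dock-door-1": key})  # hypothetical reader name
    payload = b"tag-id=0123456789ABCDEF"           # constructed tag read
    nonce = gateway.challenge("dock-door-1")
    mac = sign_report(key, "dock-door-1", nonce, payload)
    genuine = gateway.accept("dock-door-1", payload, mac)
    replayed = gateway.accept("dock-door-1", payload, mac)
    nonce = gateway.challenge("dock-door-1")
    wrong_key = secrets.token_bytes(32)            # emulator lacks the real key
    forged = sign_report(wrong_key, "dock-door-1", nonce, payload)
    emulated = gateway.accept("dock-door-1", payload, forged)
    return genuine, replayed, emulated
```

The enrolled report is accepted once; the replayed copy and the report signed without the enrolled key are both rejected.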

From our limited access to application standards, there is little information in these about security.

Standards

We have identified two ISO standards from JTC1/SC31 that are relevant. Details of these are provided in the annex to this clause and we provide a basic overview here.

  • ISO/IEC TR24729-4 is a Technical Report that is being developed to provide guidelines on Tag Data Security.
  • ISO/IEC 24791-5 is intended to provide security advice in the system management arena.

There are obviously many network security standards in place and, without detailed expert knowledge of the particular standards, it is difficult to cite specific ones as being relevant to RFID network systems. However, we would point to the general standardisation area of ETSI as being a prime source for more detailed work to identify relevant security standards.

Significant development areas

As we have already stated, very limited security work has been undertaken and, within SC31 WG4 RFID for Item Management, all the standards are still work-in-progress or even new proposals. In clause 7.3 we indicated that there can be significant misunderstandings about the ability to add new features to an RFID tag technology that is already standardised and has compliant products in the market place. Security features have a direct link to privacy features, even though they might not necessarily be the same. Adding security features to established RFID technology can only be done on an optional basis unless all previous versions of compliant products are considered to be noncompliant. The only way security can be incorporated as a mandatory feature is with the development of a new air interface protocol.

This means that the work to develop standards for security that are only applied retrospectively is, at best, sound advice. One way to overcome this is for application standards to provide additional mandated compliance requirements that result in the selection of RFID products that have security features that are otherwise optional in the technology standard. The advantage of this application mandate approach is that the marketplace can have an influence on the availability of products. There are two constraints on this:

  • Those developing application standards need to have a significantly better understanding of RFID security issues.
  • Until the first technology vendor incorporates security features, an application has a fundamental choice of not adopting RFID or compromising its high standards and downgrading the security aspects. We cite an example of the lack of power of the end user marketplace, or the lack of understanding by vendors. Many manufacturers of ISO/IEC 18000-6C tags failed to address the requirements of the industrial community by providing encoding capacity in Memory Bank 11, and a larger encoded capacity in Memory Bank 01 (other than that required for basic EPC applications). As a result, the vendors missed out on two or more years of potential marketplace development in sectors like automotive, baggage handling and other primary sectors. It is only in 2008 that users in these sectors have been able to procure RFID tag products that meet their requirements.

In May 2007, CEN TC225 proposed to the European Commission a project for an RFID standard that addresses security aspects. This was to have a particular focus on identifying weaknesses and gaps in the present standards and technology, with a view to providing security features elsewhere in the RFID system to help compensate for these. Whilst discussions on this proposal (and others addressing application areas) continued until summer 2008, the Commission decided instead to issue a standardization Mandate.

This constitutes a more significant initiative – it requests the European Standards Organisations (CEN, CENELEC and ETSI) to prepare an overall framework for future standardization in the field of information and communication technologies applied to RFID systems. We abstract below a paragraph from the Mandate, which aligns with what we have included in this clause:

"Many organisations have a tendency to look at RFID security in the rear view mirror, i.e. rushing to find a solution to a security problem after it has happened. Such behaviour can no longer be contemplated as emerging security threats, combined with the increased use of and dependence on RFID, leave organisations in both the private and the public sectors with an obligation to plan, design and implement clear strategies."

The Mandate is to be implemented in two phases, again abstracting from the Mandate itself:

"Phase 1.
The objective of the first phase is to prepare a complete framework for the development of future RFID standards. This framework will include a detailed standardisation work programme in response to the identified gaps. The standards will refer to all elements of the RFID value chain, from the tags themselves – power levels, reading distances, encryption tradeoffs, to the architectures and services relevant for the networking of tags – security frameworks, object naming, tracking, and addressing, etc. Appropriate use of intermediate results from relevant EU funded projects (including GRIFS, CASAGRAS) shall be made.

Particular attention would need to be given to the likely technological evolutions to be expected in this domain especially in the perspective of the future Internet of Things, and the requirements (including openness and interoperability) to cope with environments where networked tags offer significant functional capabilities beyond what is state-of-art today. The resulting standardisation work programme will be submitted to the Commission services which will consult the Committee 98/34.

Phase 2.
The objective for the second phase is to implement the standardisation work programme agreed upon in the first phase. The execution of the specific standardisation tasks shall be carried out in close co-operation with all relevant stakeholders."

Within two months of the Mandate being agreed, the European Standards Organisations are expected to identify their arrangements for co-operation to address the Mandate. Then, after a further six months, Phase 1 is intended to be completed, which could well result in specific standards work in the three standards-making bodies.

At the time of writing, the Mandate has been approved by the EU Member States, subject to some detailed amendments to the text that will be taken account of by the Commission. CEN, CENELEC and ETSI will need formally to accept the Mandate, but meanwhile the ESOs are embarking on discussions concerning an appropriate collaboration arrangement to execute the Phase 1 work. This activity will clearly use the present GRIFS Report as one starting point.