CEN/TR 16672:2014
Information technology - Privacy capability features of current RFID technologies
The scope of the Technical Report is to identify technical characteristics of particular RFID air interface protocols that need to be taken into consideration by operators of RFID systems in undertaking their privacy impact assessment. It also provides information for those operators who provide RFID-tagged items that are likely to be read by customers or other organisations.
This Technical Report provides detailed privacy and security characteristics that apply to products that are compliant with specific air interface protocols, and also to variant models that comply with such standards.
The Technical Report also identifies proprietary privacy and security features which have been added to tags, which are problematic to implement in open systems that depend on interoperability between different devices. Such proprietary solutions, whilst being technically sound, in fact impede interoperability. The gap analysis thus identified can be used to encourage greater standardization.
Informationstechnik - Leistungsmerkmale für den Schutz der Privatsphäre in gegenwärtigen RFID-Technologien
Technologies de l’information - Fonctions de protection de la vie privée dans les technologies RFID actuelles
Informacijska tehnologija - Zmogljivost zaščite osebnih podatkov pri današnjih tehnologijah RFID
The standard CEN/TR 16672 specifies technical characteristics of individual RFID air interface protocols that operators of RFID systems must take into account when assessing the impact on personal data protection. It also provides information for those operators who supply RFID-tagged items that are likely to be read by customers or other organisations. This Technical Report provides detailed privacy and security characteristics that apply to products compliant with specific air interface protocols, and to variant models that comply with these standards. This Technical Report also identifies proprietary privacy and security features that have been added to tags, which is problematic for use in open systems that depend on interoperability between different devices. Such proprietary solutions are technically sound, but they impede interoperability. The analysis of the gaps thus identified can be used to encourage greater standardization.
General Information
- Status: Published
- Publication Date: 03-Jun-2014
- Technical Committee: CEN/TC 225 - AIDC technologies
- Drafting Committee: CEN/TC 225 - AIDC technologies
- Current Stage: 6060 - Definitive text made available (DAV) - Publishing
- Start Date: 04-Jun-2014
- Due Date: 25-Feb-2014
- Completion Date: 04-Jun-2014
Overview
CEN/TR 16672:2014 - "Information technology - Privacy capability features of current RFID technologies" documents the privacy and security characteristics of RFID air‑interface protocols. Its primary purpose is to identify technical features that operators and manufacturers must consider when carrying out RFID privacy impact assessments. The report also highlights proprietary tag features that, while technically sound, can impede interoperability and suggests gaps where further standardization is beneficial.
Key topics
This Technical Report organizes and explains privacy and security capabilities for RFID systems, including:
- Access protection features
  - Ranges from no protection to password protection and cryptographic protection
  - Variants such as password timeouts, cover coding (XOR with tag random number) and protocol‑level cryptographic challenge/response
- Consumer privacy features
  - Unique identifiers (TID / Unique Chip ID / UII)
  - Chip selection with random numbers, reduced read range, untraceable operation, hide, kill, destroy, remove
- Data security features
  - Read/write protection levels, lock/permalock, using TID for protection, and digital signatures in user memory
- Tag authentication
  - Methods to verify tag identity: ID-based checks, signatures, password-based schemes
- Standards support and proprietary features
  - Evaluation of how existing air‑interface standards support these privacy capabilities and identification of proprietary extensions that reduce interoperability
Practical applications
CEN/TR 16672 is a practical reference for organizations involved in deploying or supplying RFID technology:
- RFID system operators - use the report to assess privacy risks and to choose tags/interrogators that meet privacy requirements.
- Manufacturers and tag suppliers - evaluate which features to implement for compliance and interoperability.
- Retailers and supply‑chain managers - configure tag behavior (e.g., kill/hide) to balance functionality and consumer privacy.
- Privacy officers and auditors - incorporate technical characteristics into formal RFID privacy impact assessments and compliance checks.
- System integrators and security architects - design interrogator‑tag interactions using appropriate access control and authentication mechanisms.
This Technical Report helps stakeholders make informed choices about RFID air‑interface protocols, configure privacy controls (like read/write locks, cryptographic challenge/response and kill commands), and avoid proprietary approaches that harm interoperability.
Related standards
CEN/TR 16672 is part of Mandate M/436 Phase 2 deliverables and complements other documents, including:
- EN 16570, EN 16571, EN 16656 (RFID Emblem), CEN/TR 16684, CEN/TS 16685, CEN/TR 16669, CEN/TR 16670, CEN/TR 16671, CEN/TR 16673, CEN/TR 16674.
Keywords: RFID privacy, RFID security, CEN/TR 16672, RFID standards, air‑interface protocols, tag authentication, privacy impact assessment, interoperability.
Frequently Asked Questions
CEN/TR 16672:2014 is a technical report published by the European Committee for Standardization (CEN). Its full title is "Information technology - Privacy capability features of current RFID technologies". This standard covers: The scope of the Technical Report is to identify technical characteristics of particular RFID air interface protocols that need to be taken into consideration by operators of RFID systems in undertaking their privacy impact assessment. It also provides information for those operators who provide RFID-tagged items that are likely to be read by customers or other organisations. This Technical Report provides detailed privacy and security characteristics that apply to products that are compliant with specific air interface protocols, and also to variant models that comply with such standards. The Technical Report also identifies proprietary privacy and security features which have been added to tags, which are problematic to implement in open systems that depend on interoperability between different devices. Such proprietary solutions, whilst being technically sound, in fact impede interoperability. The gap analysis thus identified can be used to encourage greater standardization.
CEN/TR 16672:2014 is classified under the following ICS (International Classification for Standards) categories: 35.240.60 - IT applications in transport. The ICS classification helps identify the subject area and facilitates finding related standards.
CEN/TR 16672:2014 is associated with the following European legislation: Standardization Mandates: M/436. When a standard is cited in the Official Journal of the European Union, products manufactured in conformity with it benefit from a presumption of conformity with the essential requirements of the corresponding EU directive or regulation.
Standards Content (Sample)
SLOVENIAN STANDARD
01-September-2014
Informacijska tehnologija - Zmogljivost zaščite osebnih podatkov pri današnjih
tehnologijah RFID
Information technology - Privacy capability features of current RFID technologies
Informationstechnik - Leistungsmerkmale für den Schutz der Privatsphäre in
gegenwärtigen RFID-Technologien
Technologie de l’information - Fonctions de protection des données personnelles des
technologies RFID actuelles
This Slovenian standard is identical to: CEN/TR 16672:2014
ICS:
35.040.50 Automatic identification and data capture techniques
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
TECHNICAL REPORT
CEN/TR 16672
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
June 2014
ICS 35.240.60
English Version
Information technology - Privacy capability features of current
RFID technologies
Technologies de l'information - Fonctions de protection de la vie privée dans les technologies RFID actuelles
Informationstechnik - Leistungsmerkmale für den Schutz der Privatsphäre in gegenwärtigen RFID-Technologien
This Technical Report was approved by CEN on 20 January 2014. It has been drawn up by the Technical Committee CEN/TC 225.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. CEN/TR 16672:2014 E
Contents
Foreword
Introduction
1 Scope
2 Terms and definitions
3 Symbols and abbreviations
4 Access protection features
4.1 General
4.2 Overview of access protection features
4.2.1 General
4.2.2 No protection
4.2.3 Password protection
4.2.4 Cryptographic protection
4.3 Application of access protection features
5 Features to protect Consumer Privacy
5.1 General
5.2 Unique chip ID or Tag ID
5.3 Chip selection with random number
5.4 Reduced read range on the tag
5.5 Untraceable
5.6 Hide
5.7 Kill
5.8 Destroy
5.9 Remove
6 Features to protect Data Security
6.1 Features to protect Read access to the tag data
6.1.1 Protection level
6.1.2 "Normal" Read access
6.1.3 Read (Lock) protection
6.1.4 Data protection using the TID
6.2 Features to protect Write access to the tag data
6.2.1 General
6.2.2 Protection level
6.2.3 "Normal" Write access
6.2.4 Write (Lock) protection
6.2.5 Write protection using the TID
6.2.6 Write protection using a digital signature in User Memory
7 Features for tag authentication
7.1 General
7.2 Verification using the Unique chip ID or Tag ID
7.3 Verification using the Unique chip ID or Tag ID with a digital signature
7.4 Verification using a password
8 Standards support of privacy capability features
9 Proprietary features
Bibliography
Foreword
This document (CEN/TR 16672:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC
Technologies”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2. The
other deliverables are:
— EN 16570, Information technology — Notification of RFID — The information sign and additional
information to be provided by operators of RFID application systems
— EN 16571, Information technology — RFID privacy impact assessment process
— EN 16656, Information technology - Radio frequency identification for item management - RFID Emblem
(ISO/IEC 29160:2012, modified)
— CEN/TR 16684, Information technology — Notification of RFID — Additional information to be provided
by operators
— CEN/TS 16685, Information technology — Notification of RFID — The information sign to be displayed in
areas where RFID interrogators are deployed
— CEN/TR 16669, Information technology — Device interface to support ISO/IEC 18000-3
— CEN/TR 16670, Information technology — RFID threat and vulnerability analysis
— CEN/TR 16671, Information technology — Authorisation of mobile phones when used as RFID
interrogators
— CEN/TR 16673, Information technology — RFID privacy impact assessment analysis for specific sectors
— CEN/TR 16674, Information technology — Analysis of privacy impact assessment methodologies relevant
to RFID
Introduction
In response to the growing deployment of RFID systems in Europe, the European Commission published in
2007 the Communication COM (2007) 96 ‘RFID in Europe: steps towards a policy framework’. This
Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst
respecting the basic legal framework safeguarding fundamental values such as health, environment, data
protection, privacy and security.
In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the
field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of
2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being
executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete
framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187
020, which was published in May 2011.
Phase 2 is concerned with the execution of the standardisation work programme identified in the first phase.
This Technical Report provides privacy and security characteristics that apply to the relevant standards.
Furthermore it provides an overview of these standards and their respective support of the described features.
1 Scope
The scope of the Technical Report is to identify technical characteristics of particular RFID air interface
protocols that need to be taken into consideration by operators of RFID systems in undertaking their privacy
impact assessment. It also provides information for those operators who provide RFID-tagged items that are
likely to be read by customers or other organizations.
This Technical Report provides detailed privacy and security characteristics that apply to products that are
compliant with specific air interface protocols, and also to variant models that comply with such standards.
The Technical Report also identifies proprietary privacy and security features which have been added to tags,
which are problematic to implement in open systems that depend on interoperability between
different devices. Such proprietary solutions, whilst being technically sound, in fact impede interoperability.
The gap analysis thus identified can be used to encourage greater standardization.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
authentication
process of determining whether an entity or data is/are who or what, respectively, it claims to be.
Note 1 to entry: The types of entity authentication referred-to in this document are Tag authentication, Interrogator
authentication, and Tag-Interrogator mutual authentication
2.2
key
value used to influence the output of a cryptographic algorithm or cipher
2.3
KeyID
numerical designator for a secret key
2.4
password
secret value sent by an Interrogator to a Tag to enable restricted Tag operations
2.5
permalock
lock status that is unchangeable
EXAMPLE The memory location is permanently locked or permanently unlocked.
2.6
tag authentication
means for an Interrogator to determine, via cryptographic means, that a tag’s identity is as claimed
2.7
TID
tag ID
unique tag identifier
3 Symbols and abbreviations
For the purposes of this document, the following symbols and abbreviations apply.
UII Unique Item Identifier
4 Access protection features
4.1 General
This clause identifies several features used to protect access as part of the communication protocol between
the interrogator and the tag.
4.2 contains an overview of possible access protection features.
4.3 describes how the protection features can be applied.
4.2 Overview of access protection features
4.2.1 General
This subclause contains a general overview of possible features to protect the access to "resources" on a tag,
like access to data in memory, secret keys, flags, configuration settings etc.
The list is presented in an order-ranking of approximate increasing protection level.
NOTE The ranking is approximate, because not all features are available in some RFID technologies, and there are
associated features that influence the degree of protection, such as read distance and timeouts.
4.2.2 No protection
The lowest protection level is no protection. If there is no protection, all resources on the tags are freely
accessible and can be read and altered by any interrogator that has access to the tag. This does depend on
the interrogator and the tag supporting the same air interface protocol.
4.2.3 Password protection
4.2.3.1 General
Access to the resources on the tag can be protected with an access password. In this document, password
protection is considered only insofar as it protects the consumer's privacy. To use this feature, a copy of
the password needs to be stored in the memory of the tag. When an interrogator requests access to a
resource, it first has to provide the password. The tag will compare the password that is provided by the
interrogator with the copy of the password that is stored in memory. If both copies match, the interrogator is
"authenticated" and the tag will provide the interrogator with access to the requested resource. The tag could
also store the "authenticated" status in a flag.
A general weakness of the password feature is that for it to be functional, few stakeholders need to be aware
of its value. As such, passwords have limited contribution in open systems where the organization responsible
for encoding the tag (for example a product manufacturer) has limited knowledge of the specific organization
that will read a particular tag (e.g. which retail store).
A technical weakness of the password feature is that the password needs to be transmitted over the air.
Therefore it can easily be intercepted by an intruder, who can then use the password later to also get access
to the same resource. An increased level of protection can be provided if the password is transmitted in
segments, thus requiring more than one interception to capture the entire password.
A practical limitation of password protection is the possibility to find the password with a "brute force" attack;
the interrogator can simply try to find the password starting with binary "0" and then increase the password by
"1" after the tag rejects the request, until it has found the right password.
The protection level of the password feature is a function of its length given that all the communication is at
the binary level. A brute force attack on an 8-bit password can be achieved in 255 attempts, while a 32-bit
password requires 4.3 billion attempts, or over 2 billion attempts on average. While modern computers can
process tens of thousands of passwords a second, a brute force attack on an RFID tag requires a new
command to be generated each time and is therefore limited by the air interface speed. Also, unlike cracking a
password to access a computer system, a password found in one RFID tag might have limited value.
Practically this means that the password feature has the best value if it needs to be used only once.
4.2.3.2 Password protection with security timeout
The protection level of the password feature can be improved by implementing a security timeout. The tag can
introduce a time delay before it replies to the interrogator. A long delay will result in a brute force attack taking
a long time.
There are various possibilities, like a configurable delay or a delay that increases with the number of failed
requests.
4.2.3.3 Password protection with cover coding
Cover coding can be used to improve the protection against intercepting the password over the air. It obscures
information that the interrogator is transmitting to a tag. To cover-code a password, an interrogator first
requests a random number from the tag. The interrogator then performs a bit-wise XOR of the password with this
random number, and transmits the cover-coded string to the tag. The tag uncovers the password by performing a
bit-wise XOR of the received cover-coded string with the original random number and then compares the values
of both copies. XOR-based cover coding can be implemented in a state machine, and therefore in a passive
tag.
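The cover-coded exchange of 4.2.3.3 combined with the increasing security timeout of 4.2.3.2, as an added Python example that is not part of the Technical Report. The 32-bit width, the doubling delay schedule with a cap, the simulated clock and all names are assumptions made for illustration.

```python
import hmac
import secrets

BITS = 32                      # assumed password width (the report cites 8 and 32 bits)
MASK = (1 << BITS) - 1


def timeout_after(failures, base_s, cap_s):
    """Security timeout that doubles with each failed request, up to cap_s."""
    if failures < 1:
        return 0.0
    return min(base_s * 2 ** min(failures - 1, 1000), cap_s)


class Tag:
    """Constructed model of the tag side: stored password, cover, timeout."""

    def __init__(self, password, base_s=0.5, cap_s=60.0, rng=None):
        self._password = password & MASK
        self._rng = rng or (lambda: secrets.randbits(BITS))
        self._cover = None           # random number issued for the next request only
        self._failures = 0
        self._base_s, self._cap_s = base_s, cap_s
        self.silent_until = 0.0      # requests before this clock value are ignored
        self.authenticated = False   # the "authenticated" flag of 4.2.3.1

    def request_random(self):
        """Tag -> interrogator: a fresh random number, sent in clear in this model."""
        self._cover = self._rng() & MASK
        return self._cover

    def access(self, covered, now):
        """Interrogator -> tag: cover-coded password; `now` is a simulated clock."""
        cover, self._cover = self._cover, None      # a cover is used at most once
        if cover is None or now < self.silent_until:
            return False                            # no cover issued, or timeout running
        candidate = (covered ^ cover) & MASK        # uncover with the same random number
        if hmac.compare_digest(candidate.to_bytes(BITS // 8, "big"),
                               self._password.to_bytes(BITS // 8, "big")):
            self._failures = 0
            self.authenticated = True
            return True
        self._failures += 1
        self.silent_until = now + timeout_after(self._failures, self._base_s, self._cap_s)
        return False


def cover_code(password, cover):
    """Interrogator side: bit-wise XOR of the password with the tag's random number."""
    return (password ^ cover) & MASK


def login(tag, password, now):
    """One exchange; returns (random number, cover-coded string, outcome)."""
    cover = tag.request_random()
    covered = cover_code(password, cover)
    return cover, covered, tag.access(covered, now)


def resend_recorded(tag, recorded_covered, now):
    """Present a cover-coded string recorded in an earlier session to a new cover."""
    tag.request_random()
    return tag.access(recorded_covered, now)


def exhaustive_search_seconds(bits, command_s, base_s, cap_s):
    """Upper bound on the time to present every `bits`-wide value once: air time
    per attempt plus the timeout served after each rejected attempt."""
    attempts = 2 ** bits
    total = attempts * command_s
    if base_s <= 0 or cap_s <= 0:
        return total                                # tag without a security timeout
    k = 1
    while k < attempts and timeout_after(k, base_s, cap_s) < cap_s:
        total += timeout_after(k, base_s, cap_s)
        k += 1
    return total + (attempts - k) * cap_s


if __name__ == "__main__":
    tag = Tag(0xCAFEF00D)                           # constructed password
    cover, covered, ok = login(tag, 0xCAFEF00D, now=0.0)
    print(f"cover={cover:08x} covered={covered:08x} accepted={ok}")
    print("recorded string accepted again:", resend_recorded(tag, covered, now=0.0))
    for bits in (8, 32):
        print(bits, "bits:", exhaustive_search_seconds(bits, 0.01, 0.5, 60.0), "s")
```

Because the tag issues a new random number for every request, a cover-coded string recorded from one session does not uncover to the password in the next; the rejected attempt also starts the timeout, which is why the legitimate interrogator in the model has to wait before it is accepted again.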
4.2.4 Cryptographic protection
4.2.4.1 General
Cryptographic protection can be used if the tag is equipped with a processor to perform a cryptographic
calculation and has memory to store a secret key. Before requesting access to a resource, an interrogator first
needs to request a random number from the tag. The interrogator needs to encrypt the random number with
the secret key and return the encrypted random number to the tag. The tag will use the on-board cryptographic
processor to decrypt the received data with the secret key that is stored in its memory and compare the result
with the random number that it has initially generated. If the numbers match, the interrogator is "authenticated"
and the tag will provide the interrogator with access to the resource. The tag could also store the
"authenticated" status in a flag.
An inverse process is that the interrogator sends a random challenge, the tag encrypts it and sends back the
encrypted data to the interrogator. In this case the interrogator decrypts it and can check the originality of the
tag.
A tag could have several secret keys stored on the tag. In that case an interrogator needs to indicate which
key needs to be used for authentication and after a successful authentication the tag could store the number
that has been used.
There are several forms of cryptography. The chief ones are Symmetric-key and Public-key.
4.2.4.2 Symmetric-key cryptography
In Symmetric-key cryptography the interrogator and the tag share the same secret key to encrypt and decrypt
the data.
The main disadvantage of Symmetric-key cryptography is that the secret keys need to be stored in a secret
manner in the infrastructure.
Symmetric key cryptography is also referred to as shared-key, single-key, secret-key, and private-key or one-
key cryptography.
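The challenge/response of 4.2.4.1 with a shared key (4.2.4.2), including key selection by KeyID and the inverse process in which the tag answers the interrogator's challenge, as an added Python example that is not part of the Technical Report. HMAC-SHA256 from the standard library replaces the encrypt/decrypt step, so the tag recomputes and compares instead of decrypting; the direction labels, the memory areas and all names are assumptions.

```python
import hashlib
import hmac
import secrets

TO_TAG, FROM_TAG = b"interrogator->tag", b"tag->interrogator"


def respond(key, direction, challenge):
    """Keyed answer to a challenge. HMAC-SHA256 stands in for 'encrypt the random
    number with the secret key'; the direction label is an added hardening step."""
    return hmac.new(key, direction + challenge, hashlib.sha256).digest()


class CryptoTag:
    """Constructed model of a tag holding several secret keys, selected by KeyID."""

    def __init__(self, keys, memory, rng=secrets.token_bytes):
        self._keys = dict(keys)            # KeyID -> secret key
        self._memory = dict(memory)        # area -> (KeyID required or None, data)
        self._rng = rng
        self._challenge = None
        self.authenticated_key_id = None   # the key number stored after success

    def get_challenge(self):
        """Tag -> interrogator: random number valid for one authentication only."""
        self._challenge = self._rng(16)
        return self._challenge

    def authenticate_interrogator(self, key_id, response):
        """Check the interrogator's answer against the key the KeyID designates."""
        challenge, self._challenge = self._challenge, None   # single use
        self.authenticated_key_id = None
        key = self._keys.get(key_id)
        if challenge is None or key is None:
            return False                   # no challenge outstanding, or unknown KeyID
        if hmac.compare_digest(respond(key, TO_TAG, challenge), response):
            self.authenticated_key_id = key_id
            return True
        return False

    def prove_identity(self, key_id, challenge):
        """Inverse process: answer a challenge chosen by the interrogator."""
        key = self._keys.get(key_id)
        return None if key is None else respond(key, FROM_TAG, challenge)

    def read(self, area):
        """Return an area's data only if it is open or its key was authenticated."""
        required, data = self._memory[area]
        if required is None or required == self.authenticated_key_id:
            return data
        return None


def interrogator_login(tag, key_id, key):
    """Interrogator side of 4.2.4.1: fetch the challenge, answer it with the key."""
    challenge = tag.get_challenge()
    return tag.authenticate_interrogator(key_id, respond(key, TO_TAG, challenge))


def verify_tag(tag, key_id, key, rng=secrets.token_bytes):
    """Interrogator side of the inverse process: challenge the tag, check its answer."""
    challenge = rng(16)
    answer = tag.prove_identity(key_id, challenge)
    expected = respond(key, FROM_TAG, challenge)
    return answer is not None and hmac.compare_digest(answer, expected)


if __name__ == "__main__":
    keys = {1: secrets.token_bytes(16), 2: secrets.token_bytes(16)}   # constructed keys
    memory = {"uii": (None, b"item-0001"), "user": (2, b"warranty record")}
    tag = CryptoTag(keys, memory)
    print("open area:", tag.read("uii"), "protected area:", tag.read("user"))
    print("login with key 2:", interrogator_login(tag, 2, keys[2]), tag.read("user"))
    print("tag verified:", verify_tag(tag, 2, keys[2]))
```

Unlike the password of 4.2.3, the secret key never crosses the air interface in either direction; only the random number and the keyed answer do, and the answer is bound to one challenge and one direction.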
4.2.4.3 Public-key cryptography
Public-key cryptography uses two keys: a public key and a private key. The public and the private key are
different, but mathematically linked. One key encrypts the random number and the other decrypts the cypher
text. Neither key can perform both functions. For authentication of the:
— Tag, the public key is made publicly available and is used by the interrogator to decrypt messages. The
private key is stored in the tag and kept secret;
— Interrogator, the interrogator holds a private key and sends the encrypted message to the tag, which will
decrypt it with the public key to authenticate the interrogator.
For further encryption of the communication it is common to derive the session key from the exchanged
random numbers and use that session key to encrypt/decrypt the message received from / sent to the
interrogator.
Public-key cryptography is also referred to as Asymmetric cryptography.
4.3 Application of access protection features
The right to get access to a resource can be obtained by exchanging a shared-secret, usually a password or a
secret key. After a successful exchange of the shared secret, the interrogator will gain the "authenticated"
status and be granted access to the requested resource. The "authenticated" status could also be stored in a
flag (for later use in the same session), as long as the tag remains in the field of the interrogator.
A tag might have the capability to support several secret keys, for example if there are separately accessible
areas of memory using appropriately set commands for reading and writing to the tag. In these more
sophisticated tag
...
SLOVENIAN STANDARD
01-September-2014
Informacijska tehnologija - Zmogljivost zaščite osebnih podatkov pri današnjih
tehnologijah RFID
Information technology - Privacy capability features of current RFID technologies
Informationstechnik - Leistungsmerkmale für den Schutz der Privatsphäre in
gegenwärtigen RFID-Technologien
Technologie de l’information - Fonctions de protection des données personnelles des
technologies RFID actuelles
This Slovenian standard is identical to: CEN/TR 16672:2014
ICS:
35.020 Information technology (IT) in general
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
TECHNICAL REPORT
CEN/TR 16672
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
June 2014
ICS 35.240.60
English Version
Information technology - Privacy capability features of current
RFID technologies
Technologies de l'information - Fonctions de protection de Informationstechnik - Leistungsmerkmale für den Schutz
la vie privée dans les technologies RFID actuelles der Privatsphäre in gegenwärtigen RFID-Technologien
This Technical Report was approved by CEN on 20 January 2014. It has been drawn up by the Technical Committee CEN/TC 225.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 16672:2014 E
worldwide for CEN national Members.
Contents Page
Foreword .4
Introduction .5
1 Scope .6
2 Terms and definitions .6
3 Symbols and abbreviations .7
4 Access protection features .7
4.1 General .7
4.2 Overview of access protection features .7
4.2.1 General .7
4.2.2 No protection .7
4.2.3 Password protection .7
4.2.4 Cryptographic protection .8
4.3 Application of access protection features .9
5 Features to protect Consumer Privacy. 10
5.1 General . 10
5.2 Unique chip ID or Tag ID . 10
5.3 Chip selection with random number. 10
5.4 Reduced read range on the tag . 10
5.5 Untraceable . 10
5.6 Hide . 11
5.7 Kill . 11
5.8 Destroy . 11
5.9 Remove . 11
6 Features to protect Data Security . 11
6.1 Features to protect Read access to the tag data . 11
6.1.1 Protection level . 11
6.1.2 "Normal" Read access . 11
6.1.3 Read (Lock) protection . 11
6.1.4 Data protection using the TID . 12
6.2 Features to protect Write access to the tag data . 12
6.2.1 General . 12
6.2.2 Protection level . 12
6.2.3 "Normal" Write access . 12
6.2.4 Write (Lock) protection . 12
6.2.5 Write protection using the TID . 12
6.2.6 Write protection using a digital signature in User Memory . 13
7 Features for tag authentication . 13
7.1 General . 13
7.2 Verification using the Unique chip ID or Tag ID . 13
7.3 Verification using the Unique chip ID or Tag ID with a digital signature . 13
7.4 Verification using a password . 13
8 Standards support of privacy capability features . 13
9 Proprietary features . 17
Bibliography . 18
Foreword
This document (CEN/TR 16672:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC
Technologies”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2. The
other deliverables are:
— EN 16570, Information technology — Notification of RFID — The information sign and additional
information to be provided by operators of RFID application systems
— EN 16571, Information technology — RFID privacy impact assessment process
— EN 16656, Information technology - Radio frequency identification for item management - RFID Emblem
(ISO/IEC 29160:2012, modified)
— CEN/TR 16684, Information technology — Notification of RFID — Additional information to be provided
by operators
— CEN/TS 16685, Information technology — Notification of RFID — The information sign to be displayed in
areas where RFID interrogators are deployed
— CEN/TR 16669, Information technology — Device interface to support ISO/IEC 18000-3
— CEN/TR 16670, Information technology — RFID threat and vulnerability analysis
— CEN/TR 16671, Information technology — Authorisation of mobile phones when used as RFID
interrogators
— CEN/TR 16673, Information technology — RFID privacy impact assessment analysis for specific sectors
— CEN/TR 16674, Information technology — Analysis of privacy impact assessment methodologies relevant
to RFID
Introduction
In response to the growing deployment of RFID systems in Europe, the European Commission published in
2007 the Communication COM (2007) 96 ‘RFID in Europe: steps towards a policy framework’. This
Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst
respecting the basic legal framework safeguarding fundamental values such as health, environment, data
protection, privacy and security.
In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the
field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of
2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being
executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete
framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187
020, which was published in May 2011.
Phase 2 is concerned with the execution of the standardisation work programme identified in the first phase.
This Technical Report provides privacy and security characteristics that apply to the relevant standards.
Furthermore it provides an overview of these standards and their respective support of the described features.
1 Scope
The scope of the Technical Report is to identify technical characteristics of particular RFID air interface
protocols that need to be taken into consideration by operators of RFID systems in undertaking their privacy
impact assessment. It also provides information for those operators who provide RFID-tagged items that are
likely to be read by customers or other organizations.
This Technical Report provides detailed privacy and security characteristics that apply to products that are
compliant with specific air interface protocols, and also to variant models that comply with such standards.
The Technical Report also identifies proprietary privacy and security features which have been added to tags,
and which are problematic to implement in open systems that depend on interoperability between
different devices. Such proprietary solutions, whilst being technically sound, in fact impede interoperability.
The gap analysis thus identified can be used to encourage greater standardization.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
authentication
process of determining whether an entity or data is/are who or what, respectively, it claims to be.
Note 1 to entry: The types of entity authentication referred to in this document are Tag authentication, Interrogator
authentication, and Tag-Interrogator mutual authentication.
2.2
key
value used to influence the output of a cryptographic algorithm or cipher
2.3
KeyID
numerical designator for a secret key
2.4
password
secret value sent by an Interrogator to a Tag to enable restricted Tag operations
2.5
permalock
lock status that is unchangeable
EXAMPLE The memory location is permanently locked or permanently unlocked.
2.6
tag authentication
means for an Interrogator to determine, via cryptographic means, that a tag’s identity is as claimed
2.7
TID
tag ID
unique tag identifier
3 Symbols and abbreviations
For the purposes of this document, the following symbols and abbreviations apply.
UII Unique Item Identifier
4 Access protection features
4.1 General
This clause identifies several features used to protect access as part of the communication protocol between
the interrogator and the tag.
4.2 contains an overview of possible access protection features.
4.3 describes how the protection features can be applied.
4.2 Overview of access protection features
4.2.1 General
This subclause contains a general overview of possible features to protect the access to "resources" on a tag,
like access to data in memory, secret keys, flags, configuration settings etc.
The list is presented in an order-ranking of approximate increasing protection level.
NOTE The ranking is approximate, because not all features are available in some RFID technologies, and there are
associated features that influence the degree of protection, such as read distance and timeouts.
4.2.2 No protection
The lowest protection level is no protection. If there is no protection, all resources on the tags are freely
accessible and can be read and altered by any interrogator that has access to the tag. This does depend on
the interrogator and the tag supporting the same air interface protocol.
4.2.3 Password protection
4.2.3.1 General
Access to the resources on the tag can be protected with an access password. In this document, password
protection is considered only insofar as it protects the consumer's privacy. To use this feature a copy of
the password needs to be stored in the memory of the tag. When an interrogator requests access to a
resource, it first has to provide the password. The tag will compare the password that is provided by the
interrogator with the copy of the password that is stored in memory. If both copies match the interrogator is
"authenticated" and the tag will provide the interrogator with access to the requested resource. The tag could
also store the "authenticated" status in a flag.
A general weakness of the password feature is that, for it to be functional, only a few stakeholders should be
aware of its value. As such, passwords have limited contribution in open systems where the organization responsible
for encoding the tag (for example a product manufacturer) has limited knowledge of the specific organization
that will read a particular tag (e.g. which retail store).
A technical weakness of the password feature is that the password needs to be transmitted over the air.
Therefore it can easily be intercepted by an intruder, who can then use the password later to also get access
to the same resource. An increased level of protection can be provided if the password is transmitted in
segments, thus requiring more than one interception to capture the entire password.
A practical limitation of password protection is the possibility to find the password with a "brute force" attack;
the interrogator can simply try to find the password starting with binary "0" and then increase the password by
"1" after the tag rejects the request, until it has found the right password.
The protection level of the password feature is a function of its length given that all the communication is at
the binary level. A brute force attack on an 8-bit password can be achieved in 255 attempts, while a 32-bit
password requires 4.3 billion attempts, or over 2 billion attempts on average. While modern computers can
process tens of thousands of passwords a second, a brute force attack on an RFID tag requires a new
command to be generated each time and is therefore limited by the air interface speed. Also, unlike cracking a
password to access a computer system, a password found in one RFID tag might have limited value.
Practically this means that the password feature has the best value if it needs to be used only once.
4.2.3.2 Password protection with security timeout
The protection level of the password feature can be improved by implementing a security timeout. The tag can
introduce a time delay before it replies to the interrogator. A long delay will result in a brute force attack taking
a long time.
There are various possibilities, like a configurable delay or a delay that increases with the number of failed
requests.
4.2.3.3 Password protection with cover coding
Cover coding can be used to improve the protection against intercepting the password over the air. It obscures
information that the interrogator is transmitting to a tag. To cover-code a password, an interrogator first
requests a random number from the tag. The interrogator then performs a bit-wise XOR of the password with this
random number, and transmits the cover-coded string to the tag. The tag uncovers the password by performing a
bit-wise XOR of the received cover-coded string with the original random number and then compares the values
of both copies. XOR based cover coding can be implemented in a state machine, and therefore in a passive
tag.
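The cover-coded password exchange of 4.2.3.3 combined with an increasing security timeout as in 4.2.3.2, as an added Python example that is not part of the Technical Report. The `PasswordTag` class, the 32-bit width, the doubling delay with its 0.02 s base and 10 s cap, and the simulated clock are assumptions made for illustration.

```python
import hmac
import secrets

MASK = 0xFFFFFFFF  # assumed 32-bit password and random number


def cover_code(value: int, rn: int) -> int:
    """Interrogator side: bit-wise XOR of the password with the tag's random number."""
    return (value ^ rn) & MASK


class PasswordTag:
    """Constructed tag model: cover-coded password check plus a growing security timeout."""

    def __init__(self, password: int, rng=secrets.randbits, base=0.02, cap=10.0):
        self._password, self._rng = password & MASK, rng
        self._rn = None                  # random number issued for the next transmission
        self.base, self.cap = base, cap  # assumed timeout parameters, in seconds
        self.failures = 0
        self.locked_until = 0.0          # simulated time before which requests are ignored
        self.authenticated = False       # the "authenticated" flag of 4.2.3.1

    def request_random(self) -> int:
        self._rn = self._rng(32)
        return self._rn

    def access(self, cover_coded: int, now: float) -> bool:
        rn, self._rn = self._rn, None    # each random number covers one transmission only
        if rn is None or now < self.locked_until:
            return False
        candidate = (cover_coded ^ rn) & MASK  # uncover with the original random number
        ok = hmac.compare_digest(candidate.to_bytes(4, "big"),
                                 self._password.to_bytes(4, "big"))
        if ok:
            self.failures = 0
        else:
            self.failures += 1           # delay doubles per failed request, up to the cap
            self.locked_until = now + min(self.base * 2 ** (self.failures - 1), self.cap)
        self.authenticated = ok
        return ok


def lockout_after(tag: PasswordTag, wrong_guesses: int) -> float:
    """Simulated seconds of timeout accumulated by consecutive wrong passwords 0, 1, 2, ..."""
    now = 0.0
    for guess in range(wrong_guesses):   # the guesses must not include the real password
        tag.access(cover_code(guess, tag.request_random()), now)
        now = tag.locked_until           # the next request is only heard after the timeout
    return now
```

A captured cover-coded string replayed against a new random number uncovers to a different value and is rejected. With these assumed parameters, 20 consecutive wrong passwords accumulate about 120 simulated seconds of timeout.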
4.2.4 Cryptographic protection
4.2.4.1 General
Cryptographic protection can be used if the tag is equipped with a processor to perform a cryptographic
calculation and has memory to store a secret key. Before requesting access to a resource, an interrogator first
needs to request a random number from the tag. The interrogator needs to encrypt the random number with
the secret key and return the encrypted secret key to the tag. The tag will use the on-board cryptographic
processor to decrypt the received data with the secret key that is stored in its memory and compare the result
with the random number that it has initially generated. If the numbers match the interrogator is "authenticated"
and the tag will provide the interrogator with access to the resource. The tag could also store the
"authenticated" status in a flag.
An inverse process is that the interrogator sends a random challenge, the tag encrypts it and sends back the
encrypted data to the interrogator. In this case the interrogator decrypts it and can check the originality of the
tag.
A tag could have several secret keys stored on the tag. In that case an interrogator needs to indicate which
key needs to be used for authentication and after a successful authentication the tag could store the number
that has been used.
There are several forms of cryptography. The chief ones are Symmetric-key and Public-key.
4.2.4.2 Symmetric-key cryptography
In Symmetric-key cryptography the interrogator and the tag share the same secret key to encrypt and decrypt
the data.
The main disadvantage of Symmetric-key cryptography is that the secret keys need to be stored in a secret
manner in the infrastructure.
Symmetric key cryptography is also referred to as shared-key, single-key, secret-key, and private-key or
one-key cryptography.
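The challenge-response exchanges of 4.2.4.1 with a shared symmetric key selected by KeyID, shown in both directions, as an added Python example that is not part of the Technical Report. HMAC-SHA-256 from the standard library stands in for the tag's cipher, so the verifier recomputes the response instead of decrypting it. The class names, the role labels, the 8-byte lengths and the reading of the stored "number" as the KeyID are assumptions.

```python
import hashlib
import hmac
import secrets


def keyed_response(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """Stand-in for the cipher: HMAC-SHA-256 over a role label and the random challenge."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()[:8]  # assumed length


class CryptoTag:
    def __init__(self, keys: dict):
        self._keys = keys              # KeyID -> secret key held in tag memory
        self._pending = None           # (KeyID, challenge) awaiting a response
        self.authenticated_key = None  # KeyID stored after success (assumed reading)

    def get_challenge(self, key_id: int) -> bytes:
        self.authenticated_key = None
        self._pending = (key_id, secrets.token_bytes(8))
        return self._pending[1]

    def authenticate_interrogator(self, response: bytes) -> bool:
        pending, self._pending = self._pending, None  # one attempt per challenge
        if pending is None or pending[0] not in self._keys:
            return False
        expected = keyed_response(self._keys[pending[0]], b"I", pending[1])
        if hmac.compare_digest(expected, response):
            self.authenticated_key = pending[0]
        return self.authenticated_key is not None

    def prove_identity(self, key_id: int, challenge: bytes):
        """Inverse process: the tag answers the interrogator's random challenge."""
        key = self._keys.get(key_id)
        # The distinct role label keeps this answer from passing as an interrogator response.
        return None if key is None else keyed_response(key, b"T", challenge)


class Interrogator:
    def __init__(self, keys: dict):
        self._keys = keys              # the same secret keys, held in the infrastructure

    def authenticate_to(self, tag: CryptoTag, key_id: int) -> bool:
        challenge = tag.get_challenge(key_id)
        return tag.authenticate_interrogator(
            keyed_response(self._keys[key_id], b"I", challenge))

    def verify_tag(self, tag: CryptoTag, key_id: int) -> bool:
        challenge = secrets.token_bytes(8)
        response = tag.prove_identity(key_id, challenge)
        expected = keyed_response(self._keys[key_id], b"T", challenge)
        return response is not None and hmac.compare_digest(expected, response)
```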
4.2.4.3 Public-key cryptography
Public-key cryptography uses two keys: a public key and a private key. The public and the private key are
different, but mathematically linked. One key encrypts the random number and the other decrypts the cypher
text. Neither key can perform both functions. For authentication of the:
— Tag, the public key is made publicly available and is used by the interrogator to decrypt messages. The
private key is stored in the tag and kept secret;
— Interrogator, the interrogator holds a private key and sends the encrypted message to the tag, which will
decrypt it with the public key to authenticate the interrogator.
For further encryption of the communication it is common to derive the session key from the exchanged
random numbers and use that session key to encrypt/decrypt the message received from / sent to the
interrogator.
Public-key cryptography is also referred to as Asymmetric cryptography.
4.3 Application of access protection features
The right to get access to a resource can be obtained by exchanging a shared-secret, usually a password or a
secret key. After a successful exchange of the shared secret, the interrogator will gain the "authenticated"
status and be granted access to the requested resource. The "authenticated" status could also be stored in a
flag (for later use in the same session), as long as the tag remains in the field of the interrogator.
A tag might have the capability to support several secret keys, for example if there are separately accessible
areas of memory using appropriately set commands for reading and writing to the tag. In these more
sophisticated tags different ac
...