ISO/IEC 29167-1:2014
(Main)Information technology — Automatic identification and data capture techniques — Part 1: Security services for RFID air interfaces
Information technology — Automatic identification and data capture techniques — Part 1: Security services for RFID air interfaces
ISO/IEC 29167-1:2014 defines the architecture for security services for the ISO/IEC 18000 air interfaces standards for radio frequency identification (RFID) devices. Its purpose is to provide a common technical specification for optional security services for RFID devices that may be used by ISO committees developing RFID application standards. ISO/IEC 29167-1:2014 defines various security features called security mechanisms that can be implemented by a tag depending on the application. A tag may support one, a subset, or all of the specified security mechanisms. For an interrogator it is possible to get information about the security mechanisms that are actually implemented and supported by a tag. Moreover, it has been considered that adding new security mechanisms remains possible. Besides signalling the presence of certain security services, further details of the mechanisms such as utilized encryption algorithm and key length also need to be specified and accessible. ISO/IEC 29167-1:2014 defines the requirements for crypto suites defined in further parts of ISO/IEC 29167 and furthermore defines how crypto suites identifiers are assigned to the various parts of ISO/IEC 29167.
Technologies de l'information — Techniques automatiques d'identification et de capture de données — Partie 1: Services de sécurité pour les interfaces radio RFID
General Information
Relations
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 29167-1
Second edition
2014-08-15
Information technology — Automatic
identification and data capture
techniques —
Part 1:
Security services for RFID air
interfaces
Technologies de l’information — Techniques automatiques
d’identification et de capture de données —
Partie 1: Services de sécurité pour les interfaces radio RFID
Reference number
ISO/IEC 29167-1:2014(E)
©
ISO/IEC 2014
---------------------- Page: 1 ----------------------
ISO/IEC 29167-1:2014(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2014 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 29167-1:2014(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Conformance . 1
3 Normative references . 1
4 Terms and definitions, symbols, and abbreviated terms . 2
4.1 Terms and definitions . 2
4.2 Symbols and abbreviated terms. 2
5 Safeguarding personal privacy and data . 2
5.1 Motivation . 2
5.2 Features of this International Standard . 2
5.3 Safeguarding personal privacy and data on the tag . 3
5.4 Implications of security . 3
6 Security mechanisms . 4
6.1 General . 4
6.2 Untraceability . . 4
6.3 Physical mechanisms . 5
6.4 Cryptographic mechanisms . 5
6.5 Cryptographic suites . 5
7 Discovery mechanisms . 5
8 File management mechanisms . 5
9 Assignment of Crypto Suite Indicators (CSI) . 6
9.1 Relation of CSI and part number . 6
9.2 Example for CSI of an ISO/IEC 29167-n . 7
9.3 Example for CSI of ISO/IEC 18000-63 . 7
9.4 Sources for Crypto Suite Indicators . 7
9.5 Increase number of CSIs for ISO/IEC 29167 . 8
10 Crypto suite template . 8
Bibliography . 9
© ISO/IEC 2014 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 29167-1:2014(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 31, Automatic identification and data capture techniques.
This second edition cancels and replaces the first edition (ISO/IEC 29167-1:2012) which has been
technically revised.
ISO/IEC 29167 consists of the following parts, under the general title Information technology — Automatic
identification and data capture techniques:
— Part 1: Security services for RFID air interfaces
— Part 10: Crypto suite AES-128 security services for air interface communications
— Part 11: Air interface for security services — Crypto suite PRESENT-80
— Part 12: Crypto suite ECC-DH security services for air interface communication
— Part 13: Air interface for security services — Crypto suite Grain-128A
— Part 14: Air interface for security services — Crypto suite AES OFB
— Part 15: Air interface for security services — Crypto suite XOR
— Part 16: Air interface for security services crypto suite ECDSA-ECDH
— Part 17: Air interface for security services crypto suite cryptoGPS
— Part 19: Air interface for security services crypto suite RAMON
iv © ISO/IEC 2014 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 29167-1:2014(E)
Introduction
ISO/IEC 29167 describes security as applicable for ISO/IEC 18000. ISO/IEC 29167 is an optional extension
to the ISO/IEC 18000 air interfaces.
The ISO/IEC 18000 series of International Standards on radio frequency identification (RFID) for item
management does not offer strong security of the tag and interrogator data and identity. For example,
the unique item identifiers (UII) of tags are typically transmitted to every other device in the RF field
and can thus be easily tracked. Additionally, sensitive data such as passwords are typically transmitted
over RF without encryption and can easily be intercepted. Moreover, utilized passwords may be short
in length. ISO/IEC 29167 fulfills the need for applications requiring effective security in the handling of
sensitive information including the unauthorized interception and tracking of data and devices.
ISO/IEC 29167 covers the crypto suites for interrogators and tags that have security mechanisms on
board. ISO/IEC 29167 only applies to tags that perform the computations that are required for the
security mechanisms. Tag-to-tag communication is not excluded.
ISO/IEC 29167 covers a number of cryptographic suites designed for protecting application information
transmitted across the RFID air interface, product authentication, and protecting access to resources
on the tag. Suite implementations relative to specific ISO/IEC 18000 series RFID air interface standards,
where relevant, are described in the Annexes of each cryptographic suite. Users should be aware that they
must assess their own risk management needs for their application (e.g. amount of necessary security
features, management of keys, etc.) in order to determine the appropriate suite for implementation.
This part of ISO/IEC 29167 describes a framework to implement security mechanisms used in an RFID
system. The other parts of ISO/IEC 29167 specify individual crypto suites.
© ISO/IEC 2014 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 29167-1:2014(E)
Information technology — Automatic identification and
data capture techniques —
Part 1:
Security services for RFID air interfaces
1 Scope
This part of ISO/IEC 29167 defines the architecture for security services for the ISO/IEC 18000 air
interfaces standards for radio frequency identification (RFID) devices. Its purpose is to provide a
common technical specification for optional security services for RFID devices that may be used by ISO
committees developing RFID application standards.
This part of ISO/IEC 29167 defines various security features called security mechanisms that can
be implemented by a tag depending on the application. A tag may support one, a subset, or all of the
specified security mechanisms. For an interrogator, it is possible to get information about the security
mechanisms that are actually implemented and supported by a tag. Moreover, it has been considered that
adding new security mechanisms remains possible. Besides signalling the presence of certain security
services, further details of the mechanisms such as utilized encryption algorithm and key length also
need to be specified and accessible.
This part of ISO/IEC 29167 defines the requirements for crypto suites defined in further parts of this
International Standard and, furthermore, defines how crypto suites identifiers are assigned to the
various parts of this International Standard.
2 Conformance
In general, it is assumed that all requirements defined in this part of ISO/IEC 29167 shall be fulfilled.
A tag is compliant to this part of ISO/IEC 29167 if it supports one or more of the security mechanisms as
defined in this part of ISO/IEC 29167.
An interrogator is compliant to this part of ISO/IEC 29167 if it supports one or more of the security
mechanisms as defined in this part of ISO/IEC 29167.
The discovery mechanisms are mandatory for interoperability.
3 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 19762 (all parts), Information technology — Automatic identification and data capture (AIDC)
techniques — Harmonized vocabulary
© ISO/IEC 2014 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC 29167-1:2014(E)
4 Terms and definitions, symbols, and abbreviated terms
4.1 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 19762 (all parts) and the
following apply.
4.1.1
crypto suite
module for secure data handling that can be utilized by multiple air interfaces due to its modularity
4.2 Symbols and abbreviated terms
PRNG pseudo random generator
TRNG true random generator
5 Safeguarding personal privacy and data
5.1 Motivation
RFID technology enables the processing of data without physical contact or visible interaction between
the interrogator and the tag. Application of the technology can deliver numerous economic and societal
benefits.
RFID applications hold the potential to transfer data relating to an identified or identifiable person who
is being identified directly or indirectly. Furthermore, the potential exists for this technology to be used
to monitor an individual through his/her possession of one or more items that contain a unique RFID
item number. This interaction can happen without the individual concerned being aware of it.
The functionality offered by ISO/IEC 29167 allows RFID applications to provide privacy, integrity,
authenticity and confidentiality of the data on the tag. This functionality includes organization of data
and access control.
ISO/IEC 29167, in combination with ISO/IEC 18000, addresses issues of privacy and security related to
the use of RFID for Item Management. This part of ISO/IEC 29167 provides an overview, while details
will be described in the specific parts of ISO/IEC 29167 in combination with the corresponding parts of
ISO/IEC 18000.
ISO/IEC 29167 extends ISO/IEC 18000 with the following features:
— untraceability;
— authenticity;
— secure access to data and functions,
— encryption.
5.2 Features of this International Standard
The tag features and air interface commands in ISO/IEC 29167 enable the implementation of the
following features in an RFID system:
— Untraceability: by putting the tag in a special mode (called untraceability mode) where the RFID tag
hides all or part of its identity.
2 © ISO/IEC 2014 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 29167-1:2014(E)
— Certify authenticity: by using one or more air interface commands a tag can produce a certificate of
authenticity. Verification of this certificate may require additional features such as
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.