
Building Radio Frequency IDentification for the Global Environment

davloz21, 30 March 2013


Building Radio frequency IDentification for the Global Environment

White Paper RFID Tag Security

Authors: Manfred Aigner (TU Graz), Trevor Burbridge (BT Research), Alexander Ilic (ETH Zurich), David Lyon (GS1-UK), Andrea Soppera (BT Research), Mikko Lehtonen (ETH Zurich)


PREFACE

About the BRIDGE Project

BRIDGE (Building Radio frequency IDentification for the Global Environment) is a 13 million Euro RFID project running over 3 years and partly funded (€7,5 million) by the European Union. The objective of the BRIDGE project is to research, develop and implement tools to enable the deployment of EPCglobal applications in Europe. Thirty interdisciplinary partners from 12 countries (Europe and Asia) are working together on: Hardware development, Serial Look-up Service, Serial-Level Supply Chain Control, Security, Anti-counterfeiting, Drug Pedigree, Supply Chain Management, Manufacturing Process, Reusable Asset Management, Products in Service, Item Level Tagging for non-food items as well as Dissemination tools, Education material and Policy recommendations. For more information on the BRIDGE project: www.bridge-project.eu

Disclaimer: Copyright 2008 by (TUGraz, BT Research, ETH Zurich, GS1 UK) All rights reserved. The information in this document is proprietary to these BRIDGE consortium members. This document contains preliminary information and is not subject to any license agreement or any other agreement as between with respect to the above referenced consortium members. This document contains only intended strategies, developments, and/or functionalities and is not intended to be binding on any of the above referenced consortium members (either jointly or severally) with respect to any particular course of business, product strategy, and/or development of the above referenced consortium members. To the maximum extent allowed under applicable law, the above referenced consortium members assume no responsibility for errors or omissions in this document. The above referenced consortium members do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, or non-infringement. No licence to any underlying IPR is granted or to be implied from any use or reliance on the information contained within or accessed through this document. The above referenced consortium members shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intentional or gross negligence. Because some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. The statutory liability for personal injury and defective products is not affected. The above referenced consortium members have no control over the information that you may access through the use of hot links contained in these materials and do not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

CONTENTS

1. Executive Summary
2. Introduction
   2.1. The BRIDGE project
   2.2. Objectives of The Security Research Group (SRG)
   2.3. Scope of the SRG
   2.4. Description of Work - Security Analysis and Requirements
      2.4.1. RFID Tag Security
      2.4.2. Anti-cloning of RFID Tags
      2.4.3. Development of an RFID Trusted Reader
      2.4.4. Supply Chain Integrity
3. Security Case Studies
   3.1. Authentication
   3.2. e-Pedigree
   3.3. Track and traceability
   3.4. Returnable transit units
   3.5. Enabling After-Sales and Returns Whilst Protecting Consumer Privacy
4. The Background to RFID Security
   4.1. Tag & System Security
   4.2. The RFID tag industry today & its future
   4.3. Current RFID Security capabilities
   4.4. Transponder ID Numbers (TID)
5. RFID Tag Security measures
   5.1. Physical protection of a tag
   5.2. RFID Tag security requirements
6. RFID Security and Privacy
   6.1. Privacy risks
   6.2. Data Protection
      6.2.1. Collection limitation and security safeguards principle
      6.2.2. Data quality principle
      6.2.3. Purpose specification principle and Use limitation principle
7. Standards Compliance and Evolution
8. Conclusions
Appendix 1 An Introduction to RFID

1. Executive Summary

RFID is a technology that offers huge potential for change management activities by automating processes and providing accurate, trusted data. Its unique features include giving each physical object a globally unique digital identity read from a distance without requiring line-of-sight capability, and often without using a battery. These features provide new ways of measuring and integrating the real world into information systems and mean that RFID offers significant potential to change the way we do business. However, for RFID to reach its potential, greater attention must be paid to its security, which is the role of this work group, the Security Research Group (SRG).

Figure 1: SRG tries to improve the balance between risks and benefits of RFID-based business applications by developing secure RFID solutions

There are three important security scenarios to consider. Firstly, when RFID is implemented to improve an existing business process, it can automate activities and thereby reduce the potential business and security risks caused by human error. Secondly, RFID itself can induce new risks to a process; mostly unlike barcodes, RFID tags will be used in security-sensitive applications such as ticketing, access control and product authentication. Therefore security is needed to keep automated aspects and invisible properties under control, and prevent any risk of the process becoming susceptible to mass abuse. Owing to the high level of automation that RFID provides, a security incident could cause great harm before countermeasures become effective. Thirdly, as RFID is a data gathering and process measurement technology, it can enable completely new business applications. Activities and actions that previously could not be accurately measured can now deliver effective metrics. Again, security plays a major role in delivering the accountability required to engender trust in the data and activities provided by these applications. These three effects are summed up in Figure 1.

From the SRG’s perspective, we must provide security technology that supports RFID’s potential in mitigating existing business and security process risks, while at the same time enabling the inherent security problems of the RFID technology to be managed. We also believe that effective security is not only a necessity for business cases where RFID improves on the existing barcode-based scenario, it also offers a completely new opportunity. Applications that cannot be deployed today because their critical points depend mainly on security will benefit from the technology we develop. Secure RFID solutions will not simply be ‘must-have’; they will be an imperative enabler of powerful applications that can markedly increase organisations’ competitiveness.


Usually inseparable from security issues are privacy issues, and as more businesses begin to rely on EPC-based events to manage and to share critical supply chain processes, effective solutions investigated by the BRIDGE project through the SRG must be in place to guarantee control of confidential data and system accountability. Sharing information can increase productivity, but also introduces questions about the use and misuse of information by third parties once information has been disclosed.

With this in mind, one of the key successes of the SRG is the pioneering work done to satisfy privacy requirements through ‘stunning’ the tag as it leaves the store so that it cannot be read outside the store but can be reactivated when the item and tag return to that store/retailer. This means that the consumer’s privacy is protected and one of retail’s major headaches of reverse logistics and returns can be helped as well. Although there have been some concerns that the strength of the password is weak and vulnerable to eavesdropping, the use of cryptographically secure tags can overcome this by implementing a secure deactivation/re-activation custom command. In addition, the provision of cryptographic functions on the tag can also allow the re-activation of the tag without prior knowledge of the tag identity. This can be done by structuring a series of challenges to the activating reader that become more and more specific to the individual tag. These developments are an important and lasting outcome of the SRG work.

The need for continuous improvement and competitive advantage requires organisations to make informed decisions based on accurate and timely operational data gathered not only in their own facilities, but also provided via unrelated third parties. The prevalence of low-cost ‘track and trace’ data gathering technologies such as RFID is now driving the development of global standards for the sharing of operational data traces. The not-for-profit organisation EPCglobal has already developed a number of important standards (EPC Gen-2/ISO18000-6C, Low-Level Reader Protocol, Application-Level Events, EPC Information Services, Object Naming Services) and aims to further standardise and complete the EPC Network Architectural Framework to enable the seamless gathering, filtering, and sharing of

...
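The staged re-activation of a stunned tag described in the Executive Summary can be modelled as follows. This is an added example, not code or a protocol from the BRIDGE white paper: the three-level key hierarchy (retailer, product class, tag), the HMAC-SHA256 construction and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class StunnedTag:
    """Constructed model of a stunned tag; not a Gen-2 command set."""
    def __init__(self, master: bytes, class_id: bytes, serial: bytes):
        # Labels run from retailer-wide to tag-specific (assumed hierarchy).
        # The tag stores only derived keys, never the retailer's master secret.
        self.labels = [b"retailer", b"class|" + class_id,
                       b"tag|" + class_id + b"|" + serial]
        self.keys = [prf(master, label) for label in self.labels]
        self.stun()

    def stun(self):
        self.level, self.nonce, self.active = 0, None, False

    def challenge(self):
        # The next, more specific label is disclosed only after every more
        # general level has been answered; the nonce is fresh each time.
        self.nonce = secrets.token_bytes(16)
        return self.labels[self.level], self.nonce

    def answer(self, proof: bytes) -> bool:
        nonce, self.nonce = self.nonce, None       # a nonce is single-use
        ok = nonce is not None and hmac.compare_digest(
            proof, prf(self.keys[self.level], nonce))
        self.level = self.level + 1 if ok else 0   # any failure restarts the chain
        self.active = self.level == len(self.keys)
        return ok

def reactivate(tag: StunnedTag, master: bytes, log: list) -> bool:
    """Retailer's reader: derives each key from the label the tag discloses."""
    while not tag.active:
        label, nonce = tag.challenge()
        proof = prf(prf(master, label), nonce)
        log.append(proof)                          # what an eavesdropper records
        if not tag.answer(proof):
            return False
    return True

def replay(tag: StunnedTag, recorded: list) -> bool:
    """Replay recorded proofs against a re-stunned tag; True if any is accepted."""
    return any(tag.challenge() and tag.answer(p) for p in recorded)
```

Because each proof is bound to a fresh nonce, proofs recorded during one re-activation are rejected on a later attempt, which is the property a static password lacks. A reader without the retailer's secret only ever sees the generic first-level label.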
