RFID Security & Privacy
National Institute of Standards and Technology

                Tom Karygiannis
              Emai...
Presentation Outline
   About NIST

   RFID Security

   NIST RFID Activities

   NIST Guidelines for Securing Radio Frequ...
NIST Provides Innovation Infrastructure…

Non-regulatory agency within U.S. Department of
Commerce.

Founded in 1901 as Na...
The NIST Laboratories


                        NIST’s work enables
                           • Science
                 ...
NIST Serves a Broad Customer Base…




                                                                  Pharmaceuticals
 ...
NIST provides innovation infrastructure to…

                      ...facilitate trade




       secure automated
       ...
Research Projects in the Computer Security Division
  Advanced Cryptography (e.g., hash, public key, quantum, light footpr...
How do we measure IT security?
 INFOSEC Research Council Hard Problem
 – Enterprise-level security metrics and composable ...
Presentation Outline
   About NIST

   RFID Security

   NIST RFID Activities

   NIST Guidelines for Securing Radio Frequ...
RF technology is used in many different applications, such as
satellite TV, radio, cellular phones, radar, GPS, and lately...
A typical Radio Frequency Identification system will contain tags
(transponders) a reader (transceiver) and a host PC that...
Why is RFID an interesting asset tracking and management
technology?
Features of RFID:

   Read/Write Capabilities (some t...
Automatic identification systems mix RFID-unique risks with
traditional information technology and network security risks…...
Adversaries design attacks using three key pieces of information
about RFID systems…
                               Storag...
The radio frequency segment of
RFID systems has several inherent
vulnerabilities to be addressed…

 Monitoring the air int...
Monitoring the RF Interface


  Threat Model: Effective range depends on transponder type,
  frequency, antenna size, powe...
Monitoring the RF Interface


    Countermeasures: Several techniques are under development to
    protect the RFID tag re...
Modifying/Deleting Data On Tags


   Countermeasures: Several techniques are under development to
   protect the authentic...
Modifying/Deleting Data On Tags


   Countermeasures: Password management mechanisms will need
   to be developed before t...
Blocking Access To Tags


   Countermeasures: How can RFID tag data be protected while
   remaining accessible to valid us...
Permanently Disabling Tags


   Threat Model: Permanently disabling tags can cause widespread
   denial-of-service issues…...
Permanently Disabling Tags




   Electronic and physical attacks on tags can take many forms…

         Physical damage
 ...
Permanently Disabling Tags

   Countermeasures: How can users protect their system from
   disruption caused by disabling ...
Presentation Outline
   About NIST

   RFID Security

   NIST RFID Activities

   NIST Guidelines for Securing Radio Frequ...
NIST RFID Activities
International and domestic RFID standards policy and guidance – U.S. Government
RFID/smart and wirele...
RFID Eavesdropping and Jamming Analysis
 RFID Eavesdropping and Jamming Analysis (Boulder)
  NIST Boulder Electromagnetics...
Counterfeit RFID Detection Counterfeit RFID Detection
 Detect counterfeit RFID tags without modifying manufacturing proces...
Chip-Level RFID Security
                                                                                                 ...
RFID-Assisted Indoor Localization
   Objective: Locate and track first responders moving throughout a building
   Problem:...
International and Domestic RFID Standards Policy and
Guidance

 NIST provides input into developing the U.S. Government’s ...
Integration of RFID with smart and wireless sensor networks

Fixed and mobile sensors are needed to augment RFID
to enhanc...
Technical support to other U.S. Government Agencies


Personal identification documents
– State Dept., DHS and GPO
– Mater...
RFID in the construction industry

   Locate and manage supplies on construction site
   – NIST is now working on a larger...
Manufacturing Extension Partnership (MEP) RFID Community
of Practice

 Manufacturing Extension Partnership has a nation-wi...
Future RFID – organic electronics

Vision: ubiquitous electronics



NIST is providing the integrated measurement and
stan...
Presentation Outline
   About NIST

   RFID Security

   NIST RFID Activities

   NIST Guidelines for Securing Radio Frequ...
Special Publication 800-98: Guidelines for Securing Radio
Frequency Identification (RFID) Systems

  Special Publication 8...
Goals and Objectives of SP 800-98 - Section 1
  To assist organizations in understanding RFID security risks and what secu...
RFID Technology - Section 2
 Provide an overview of the field of automatic identification and data capture (AIDC)
 technol...
RFID Applications and Requirements - Section 3
  Reviews the core types of RFID applications and the requirements of these...
RFID Risks - Section 4
Business Process Risks – risk that     Factors influencing an
                                     ...
RFID Security Controls - Section 5
 The controls are
                              Example of a Technical Control
        ...
RFID Privacy Considerations - Section 6
  Privacy Principles: introduces Organization for Economic Cooperation and
  Devel...
Recommended Practices - Section 7
       Provides 35 recommendations that follow the system lifecycle from initiation to d...
Case Studies - Section 8

 Case Study #1
 – Topic: Personnel and asset tracking in a health care environment
 – Perspectiv...
Presentation Outline
   About NIST

   RFID Security

   NIST RFID Activities

   NIST Guidelines for Securing Radio Frequ...
New technologies, new security and privacy
challenges….




                                             46
Accountability, Privacy, Anonymity, Convenience




                                                  47
The Government Watching the Citizens

 More than 600 Chinese cities are launching surveillance systems, including face-
 r...
Citizens Watching the Government




                                   49
New technologies, new security and privacy challenges….




                                          An estimated 11,300 ...
New technologies, new security and privacy challenges….




                                                        “The i...
New technologies, new security and privacy challenges….




                                                              ...
New technologies, new security and privacy challenges….




                              • VOIP 911 Calls -Special
      ...
New technologies, new security and privacy challenges….




                              Terms of TAG USE: Your E-       ...
GPS Child Finder




                   55
Other ITS
Wireless Vehicular Communication                                                                           Commu...
Marine Corp Marathon vs. Marine Deployment

                          What is the difference? Physical
                   ...
What is in the tag? Is it just a number? EPC General Identifier (GID-
96) is the most widely used data format on EPC tags…...
Brave New World or 1984?




                           59
Brave New World or 1984?


    Orwell feared that the truth would be   •   Huxley feared the truth would be
    concealed ...
Presentation Outline
   About NIST

   RFID Security

   NIST RFID Activities

   NIST Guidelines for Securing Radio Frequ...
Contact Information

   Tom Karygiannis, NIST, 100 Bureau Drive, MS 8930, Gaithersburg, MD 20899, USA. Email:
   karygiann...
Upcoming SlideShare
Loading in...5
×

RFID Security

1,032

Published on

Published in: Business, Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,032
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
63
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

RFID Security

  1. 1. RFID Security & Privacy National Institute of Standards and Technology Tom Karygiannis Email: karygiannis@nist.gov Georgia Tech November 27, 2007 0
  2. 2. Presentation Outline About NIST RFID Security NIST RFID Activities NIST Guidelines for Securing Radio Frequency Identification New technologies, new security and privacy challenges…. Discussion Contact Information 1
  3. 3. NIST Provides Innovation Infrastructure… Non-regulatory agency within U.S. Department of Commerce. Founded in 1901 as National Bureau of Standards ~2900 employees Nobel Prize Winner in Physics in 1997, 2001, 2005 NIST Mission: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. Provide the measurement “tool box” for the nation – Provide solutions to measurement problems – Try to assure that the necessary measurements and quality are available to meet the nations most significant needs Absolute correctness of results is paramount to NIST Labs. 2
  4. 4. The NIST Laboratories NIST’s work enables • Science • Technology innovation • Trade • Public benefit 3
  5. 5. NIST Serves a Broad Customer Base… Pharmaceuticals Manufacturing Transportation Environmental Technologies Food and nutrition Construction Biotechnology Computer software Law enforcement and equipment 4
  6. 6. NIST provides innovation infrastructure to… ...facilitate trade secure automated banking Integrity of financial transactions electric power metering volume and flow – www.time.gov measurement based billions of hits daily 5
  7. 7. Research Projects in the Computer Security Division Advanced Cryptography (e.g., hash, public key, quantum, light footprint) Inherently Secure, High Assurance, and Provably Secure Systems and Architectures Composable and Scalable Secure Systems Wireless Security Network Measurement and Visualization Tools Secure Distributed Systems Infrastructure for Information Security R&D Security for Quantum Computing Foundations of Measurement Science for Information Systems Biometrics and Cryptographic Identity Verification URL: http://csrc.nist.gov 6
  8. 8. How do we measure IT security? INFOSEC Research Council Hard Problem – Enterprise-level security metrics and composable security metrics Security is an “undecidable” problem – Fundamental Axioms of Security Every system has vulnerabilities. The system owner does not know all of those vulnerabilities. The system owner does not know all of her adversaries’ capabilities. – Net result There is no “consistent” set of metrics for security. For real-world systems we must still try to answer: – How much security is enough? – What are the appropriate metrics? Are there useful metrics? – How can we can compare the relative “insecurity” of two different systems? Two different configurations of the same system? 7
  9. 9. Presentation Outline About NIST RFID Security NIST RFID Activities NIST Guidelines for Securing Radio Frequency Identification New technologies, new security and privacy challenges…. Discussion Contact Information 8
  10. 10. RF technology is used in many different applications, such as satellite TV, radio, cellular phones, radar, GPS, and lately in automatic identification systems… Radio Frequency Identification (RFID) describes the use of radio signals to provide automatic identification of items and remote data collection RFID is used for applications such as: – Supply Chain & Retail Item Management – Pharmaceuticals, Healthcare – Asset Identification & Tracking – Security Access Control – Electronic Toll Collection – Railway Car Tracking – Financial applications – Animal Tracking 9
  11. 11. A typical Radio Frequency Identification system will contain tags (transponders) a reader (transceiver) and a host PC that controls the operation of the reader… Passive RFID Illustration Identity – Unique RF Energy identifier that links Antenna Reader Tag specific asset item to a specific information set Identify Read/Write Location – Physical TagID Data location of a specific asset Status – Summary of activities performed on a Tag Data specific asset Inventory Tags Read/Write Database RFID Host PC Condition – Physical Data from Tag condition of asset including environmental exposure and tampering Tag Data (Active RFID only) 10
  12. 12. Why is RFID an interesting asset tracking and management technology? Features of RFID: Read/Write Capabilities (some tags) – Ability to add information directly to tags enables each unique asset to carry its own unique history Non-contact Reads – Ability to read tags at a distance, under a variety of environmental conditions, without physical manipulation of the asset Fast Read – Ability to simultaneously read large numbers (1750 tags/sec) of items Embedded Sensors – Ability to directly capture environmental information Automation – Requires less human intervention Authenticity – Each RFID chip is unique and can not be replicated 11
  13. 13. Automatic identification systems mix RFID-unique risks with traditional information technology and network security risks… RFID Extranet Radio Frequency Segment Enterprise IT Segment Extranet Segment • RFID transponders • Reader to RFID middleware • External network (active, passive, or hybrid tags) communications services to support RFID • Antennae • Back-end database/application business process • RFID readers platforms • Many security risks are unique to RFID Traditional IT security risks Network security risks 12
  14. 14. Adversaries design attacks using three key pieces of information about RFID systems… Storage Capacity Tags that have read/write capabilities are generally at higher risk because of on-board data storage Read-only tags supply just an identification number (license plates) and present lower risk Active/ Passive Active/Passive Passive tags have short operating ranges, which lowers their risk Current generations of passive tags generally do not have on-board data storage Storage Operating Operating Range Capacity Range Range is governed by several factors including frequency band, antenna type, and transmission power Active tags generally have a longer range than passive tags and have ranges up to several hundred feet 13
  15. 15. The radio frequency segment of RFID systems has several inherent vulnerabilities to be addressed… Monitoring the air interface Modifying/deleting data on the tag Blocking access to the tag Permanently disabling tags 14
  16. 16. Monitoring the RF Interface Threat Model: Effective range depends on transponder type, frequency, antenna size, power emitted by the reader, and finally the surrounding environment 15
  17. 17. Monitoring the RF Interface Countermeasures: Several techniques are under development to protect the RFID tag read/write process… Confidentiality – Data encryption on the tag – Encrypting data before sending it to tag Authentication – Challenge/response authentication – Improved passwords via persistent state – Hash chaining – Randomized hash lock – One-time authenticators Optimized Air Link Protocols – Randomized tag identity – Anonymous IDs 16
  18. 18. Modifying/Deleting Data On Tags Countermeasures: Several techniques are under development to protect the authenticity of user data on RFID tags… Current security features – RFID tags have very simple logic, usually between 500-5000 total gates on a typical transponder; this leaves very little capacity for advanced security features – Symmetric encryption (e.g., AES, SHA1) not possible on today’s tags – Some high-end tags have implemented stream cipher designs, but no standard low-gate encryption primitives exist in any tag category – Simple password comparisons and XOR comparisons are all that is typically offered today – Cost is such an important driver that the added cost of security features might not be feasible in the near term (except for specialty applications) Future security features – Authenticity, using randomized transaction IDs (for R/W tags) – Advanced authentication – On-board encryption primitives 17
  19. 19. Modifying/Deleting Data On Tags Countermeasures: Password management mechanisms will need to be developed before tag/reader authentication succeeds… Current standards – Several categories of tags allow passwords for protecting data (e.g., READ, WRITE) and command functions (e.g., LOCK, KILL) – These tags all transmit their passwords in the clear between the tag and the reader, making them susceptible to monitoring and replay attacks – Passwords are also stored in the clear on the tag’s memory – This is true for all cards except for certain contactless smartcards used for financial transactions Password management – Currently, no password management mechanism has been defined or implemented in the RFID community – Most RFID implementations use single group passwords for large numbers of tags – By implementing individual passwords for individual tags, a password management mechanism would need to identify unique tags – Therefore password management may be incompatible with privacy objectives 18
  20. 20. Blocking Access To Tags Countermeasures: How can RFID tag data be protected while remaining accessible to valid users? Unlicensed spectrum – Virtually all RFID system operate in unlicensed frequency bands – Non-infringing use is mandated, but not guaranteed; “survival of the fittest” – Unplanned RF issues must be addressed by contingency planning RF engineering – Users must engineer systems to work around known RF issues – RFID read/write processes must be defined in a concept-of-operations document – System must be engineered to support specific scenarios (e.g., tag type, tag mounting, reader type, read orientation and distance) Tag Blocking – Most tags can be blocked from readers by wrapping them in foil or other material – Tags can also be damaged or destroyed easily – The impermanence of tags needs to be accounted for by contingency planning 19
  21. 21. Permanently Disabling Tags Threat Model: Permanently disabling tags can cause widespread denial-of-service issues… The KILL command The LOCK command Electronic attacks Physical attacks 20
  22. 22. Permanently Disabling Tags Electronic and physical attacks on tags can take many forms… Physical damage – Crushing – Bending – Ripping Electronic damage – Electrostatic discharge (e.g., conveyor belts, label application, transport) – High-energy RF – Microwave ovens… Environmental damage – Most tags have been ruggedized for their environment – Temperature, humidity, shock not normally a problem 21
  23. 23. Permanently Disabling Tags Countermeasures: How can users protect their system from disruption caused by disabling tags? Administrative and Operational Controls – Disallow unauthorized users within the read/transmit range of tags – Ensure that only those users with a need have access and rights to use RFID readers – Regularly audit employees for suspicious activity – Utilize perimeter fencing, guards, and access cards to secure physical entrances – Develop and test contingency plans for responding to this risk Technical Controls – Develop and implement password management plan for KILL and LOCK commands – Permanently LOCK all unused data fields on tags – Validate each tag at multiple points during its life cycle; replace defective tags as they appear – Research will determine if there are any technical solutions to mitigate these vulnerabilities 22
  24. 24. Presentation Outline About NIST RFID Security NIST RFID Activities NIST Guidelines for Securing Radio Frequency Identification New technologies, new security and privacy challenges…. Discussion Contact Information 23
  25. 25. NIST RFID Activities International and domestic RFID standards policy and guidance – U.S. Government RFID/smart and wireless sensor network standards Technical support for other U.S. Government Agencies RFID in the construction industry Manufacturing Extension Partnership RFID Community of Practice (support for U.S. small and medium-sized manufacturers) Future RFID - organic electronics RFID Eavesdropping and Jamming Analysis Counterfeit RFID Detection Counterfeit RFID Detection Chip-Level RFID security RFID-Assisted Indoor Localization NIST Guidelines 24
  26. 26. RFID Eavesdropping and Jamming Analysis RFID Eavesdropping and Jamming Analysis (Boulder) NIST Boulder Electromagnetics Division Eavesdropping and jamming tests were performed on a High Frequency (HF-13.56 MHz) Radio Frequency Identification (RFID) system. Tests were performed on a Pegoda Type-A reader, and seven different Type-A tags from 4 different manufacturers. Eavesdropping (listening in on a transaction between a reader and tag) was successful up to 15 m. Jamming (incapacitating a transaction between a reader and tag) was successful up to 8 m with 0.3 W using a system that would fit in a suitcase. Additional jamming tests using a system that could be carried on a person’s body were successful at 5m with less than 3 W of power. Used off-the-shelf components. 25
  27. 27. Counterfeit RFID Detection Counterfeit RFID Detection Detect counterfeit RFID tags without modifying manufacturing process. Capturing RFID Electromagnetic Signatures in the field using low cost equipment. Preliminary work indicates that the electromagnetic signatures of RFID tags can be used to uniquely identify the manufacturer of the tag, and perhaps even specific tags fabricated by the same manufacturer. Current feasibility study will quantify the differences between the electromagnetic signatures of RFID tags used in the pharmaceutical industry, determine the repeatability of these signatures, and investigate their dependence on orientation, frequency, field levels, and other factors. M1C1 M1C1 M1C2 M1C2 M2C1 M2C1 M2C2 M2C2 26
  28. 28. Chip-Level RFID Security An IC removed Developing standards for RFID chip-level physical security from an RFID card Assessment of preventative measures Antenna contacts Standards proposals Verification of solution effectiveness Three elements of a physical attack Contact pads for IC initialization Understand the communication protocol and functioning of the IC – Public-domain information – Observing the functioning of the IC Determine passwords and data on the IC Most difficult step – Introduction of logical faults, memory manipulation for the attacker – Physical analysis of the IC Creation of surrogate RFID cards – Could be as simple as reprogramming commercially available RFID cards Using a laptop to mimic a card 27
  29. 29. RFID-Assisted Indoor Localization Objective: Locate and track first responders moving throughout a building Problem: GPS ineffective/unreliable indoors or underground Approach – Place passive RFID tags at key points in buildings (e.g., each doorway, each level of stairwell) – Equip first responders with RFID readers – Transmit RFID tag ID over wireless network to Incident Command for last- known location tracking – Integration with a multihop wireless network (for communication out of building), Preliminary tests in 11-story office building (NIST Admin) Features – Low cost – Localization accuracy to known anchor points – Natural extension with dead reckoning technology to provide tracking between anchor points 28
  30. 30. International and Domestic RFID Standards Policy and Guidance NIST provides input into developing the U.S. Government’s positions on both technology and policy aspects of RFID standards and standardization – Participates in the RFID Intra-government Working Group, and leads the Standards sub- committee of this group – Participates in the Dept. of Commerce’s RFID working group – Will coordinate the standards policies of federal government agencies, with those of the private sector, per the National Technology Transfer and Advancement Act – Participates in standards development activities led by the private sector, and will develop standards for federal agencies’ IT security requirements, if so requested. 29
  31. 31. Integration of RFID with smart and wireless sensor networks Fixed and mobile sensors are needed to augment RFID to enhance functionality in applications. IEEE 1451 suite of standards for sensor data interoperability – NIST leadership, IEEE Sensor Technology Technical Committee and Sensor Standards Harmonization Working Group – Self–identification and self-description of sensors via Transducer Electronic Data Sheets containing transducer identification, calibration, correction data, measurement range, and manufacture-related information, etc. – Engagement with ISO JTC 1/SC 31, IEEE TC9, ITU-T Unifying smart and wireless sensor standards and RFID standards is essential to achieve interoperability. Interoperability is the key for success of RFID. 30
  32. 32. Technical support to other U.S. Government Agencies Personal identification documents – State Dept., DHS and GPO – Materials reliability and electromagnetic measurements of e-Passports, including eavesdropping and jamming 31
  33. 33. RFID in the construction industry Locate and manage supplies on construction site – NIST is now working on a larger scale demonstration Automated Construction Testbed – Pick and place assembly – Integration of RFID with robotics and laser scanning systems 32
  34. 34. Manufacturing Extension Partnership (MEP) RFID Community of Practice Manufacturing Extension Partnership has a nation-wide network of centers to provide support to small and medium-sized manufacturers. MEP "RFID With Simulation" training module for MEP Center staff to train their manufacturing clients. – The simulation first compares how parts, inventory and work in process is tracked using a paper-based manufacturing system, then hands-on incorporation of RFID into processes using readers, antennas, tags, equipment and laptops Great interest in RFID from MEP clients 33
  35. 35. Future RFID – organic electronics Vision: ubiquitous electronics NIST is providing the integrated measurement and standards tools needed to accelerate progress in organic electronics. sensor pack – iNEMI roadmap includes RFID power supply Advantages for RFID: processor & display RFID communication – Cost – aiming for $0.01 per tag Electronics: $0.02 – Large volume (billions and billions of tags) – Lower temperature manufacturing (<120°C), printable deposition processes – Cheap integration with other functions (display, sensors, etc.) 34
  36. 36. Presentation Outline About NIST RFID Security NIST RFID Activities NIST Guidelines for Securing Radio Frequency Identification New technologies, new security and privacy challenges…. Discussion Contact Information 35
  37. 37. Special Publication 800-98: Guidelines for Securing Radio Frequency Identification (RFID) Systems Special Publication 800-series: – The NIST Computer Security Division’s mission includes advising agencies on cost-effective methods to secure federal IT systems – Special Publication 800-series documents report on NIST’s research, guidance, and outreach efforts in computer security NIST focus on RFID security: – RFID is an immature, but rapidly evolving technology that is being widely deployed across the public and private sectors ($4.5 billion market in 2005) – RFID security risks are not well documented – Standard engineering and risk management approaches have yet to be developed for most categories of RFID technology 36
  38. 38. Goals and Objectives of SP 800-98 - Section 1 To assist organizations in understanding RFID security risks and what security controls can help mitigate those risks To provide real world guidance on how to initiate, design, implement, and operate RFID systems that mitigate risks To provide security controls that are currently available on today’s market – Not theoretical controls – Not controls that are in development – Not controls that are not widely available The document is vendor- and platform-independent The document does not address the advanced authentication and cryptographic features that are incorporated in many smart card RFID systems 37
  39. 39. RFID Technology - Section 2 Provide an overview of the field of automatic identification and data capture (AIDC) technologies (which includes RFID) Describes the basic components of an RFID system: – The RF subsystem (depicted below), which performs wireless identification and related transactions wirelessly – The enterprise subsystem, which can store, process, and analyze RF transactions – The inter-enterprise subsystem, which connects enterprise subsystems 38
  40. 40. RFID Applications and Requirements - Section 3 Reviews the core types of RFID applications and the requirements of these applications: Application Type Application Type Purpose of Identification Purpose of Identification Asset management Asset management Determine the presence of an item Determine the presence of an item Tracking Tracking Determine the location of an item Determine the location of an item Matching Matching Ensure affiliated items are not separated Ensure affiliated items are not separated Process control Process control Correlate information with the item for decision-making Correlate information with the item for decision-making Access control Access control Authenticate a person (holding a tagged item) Authenticate a person (holding a tagged item) Automated payment Automated payment Conduct a financial transaction Conduct a financial transaction Application Requirements Application Requirements RFID Information Characteristics RFID Information Characteristics RFID Transaction Environment RFID Transaction Environment Tag Environment between Transactions Tag Environment between Transactions RFID Economics RFID Economics 39
  41. 41. RFID Risks - Section 4 Business Process Risks – risk that Factors influencing an Factors influencing an identified risk identified risk failures of the RFID system will impair the business process that the RFID system automates Business Intelligence Risks – risk EX EX AM AM that an adversary or competitor PL PL EE could obtain unauthorized access or information from the RFID system Privacy Risks – risk to personal privacy Externality Risks – risk to other systems, assets, and people 40
  42. 42. RFID Security Controls - Section 5 The controls are Example of a Technical Control Example of a Technical Control divided into three sections: – Management controls – Operational controls – Technical controls Each control is described by four characteristics: – Control – Applicability – Benefits – Weaknesses 41
  43. 43. RFID Privacy Considerations - Section 6 Privacy Principles: introduces Organization for Economic Cooperation and Development (OECD) privacy principles Federal Privacy Requirements for Federal Agencies – Describes privacy requirements for federal agencies – Describes the Privacy Act of 1974, Section 208 of the E-Government Act of 2002, Section 522 of the Consolidated Appropriations Act of 2005, Administrative simplification requirements of the 1996 Health Insurance Portability and Accountability Act (HIPAA), FISMA, and the OMB memoranda on the implementation of privacy requirements Applicable Privacy Controls: describes 17 privacy control families from the Federal Chief Information Officers (CIO) Council Embedding Privacy Controls: provides guidance on incorporating privacy controls in an RFID system 42
  44. 44. Recommended Practices - Section 7 Provides 35 recommendations that follow the system lifecycle from initiation to disposition LE E Classifies PL MP Provides a Provides a Lists RFID Lists RFID Classifies AM A Provides a Provides a EX EX rationale or rationale or system system practice as practice as recommended or checklist for checklist for Describes a Describes a discussion for the discussion for the components that components that recommended or should consider implementers implementers security practice security practice practice practice are impacted are impacted should consider 43
  45. 45. Case Studies - Section 8 Case Study #1 – Topic: Personnel and asset tracking in a health care environment – Perspectives from the fictional Contagion Research Center (CRC) Case Study #2 – Topic: Supply chain management of hazardous materials – Perspectives from the fictional Radionuclide Transportation Agency (RTA) Each study documents RFID technology as it is used in five life cycle phases: – Initiation – Acquisition/Development – Implementation – Operations/Maintenance – Disposition 44
  46. 46. Presentation Outline About NIST RFID Security NIST RFID Activities NIST Guidelines for Securing Radio Frequency Identification New technologies, new security and privacy challenges…. Discussion Contact Information 45
  47. 47. New technologies, new security and privacy challenges…. 46
  48. 48. Accountability, Privacy, Anonymity, Convenience 47
  49. 49. The Government Watching the Citizens More than 600 Chinese cities are launching surveillance systems, including face- recognition software, video cameras in Internet cafes, and "behavior-recognition software designed to spot the beginnings of a street protest and notify police." U.S. hedge funds have invested at least $150 million in the industry in the last year; from 2003 to 2010, the industry projects it will grow from $500 million to $43 billion. 48
  50. 50. Citizens Watching the Government 49
  51. 51. New technologies, new security and privacy challenges…. An estimated 11,300 laptop computers, 31,400 handheld computers and 200,000 Mobile Devices - New Security Risks: mobile telephones were left in taxis Risk of Theft or Loss, Limited around the world during the last six Computing Power, Multiple Access months, a survey found on Monday. Points, Mobilit, Lack of User Awareness January 24th, 2005 Reuters. The survey's findings were extrapolated to reflect the total number of taxis in each city. 50
  52. 52. New technologies, new security and privacy challenges…. “The idea is simple: tell us where you are and we'll tell you who and what is around you. We'll ping your friends with your whereabouts, let you know when friends-of-friends are within 10 blocks, allow you to Video and Camera Phones: SMS Text and VideoPhone broadcast content to anyone within Government agencies, 10 blocks of you or blast messages Cheating in Classroom to your groups of friends.” – corporations, Health dodgeball.com Clubs, prohibit their use. 51
  53. 53. New technologies, new security and privacy challenges…. Mobile Entertainment, Betting, Multiplayer Gaming, Wallet Phone, bots Bluetooth: Bluejacking, Cabir/Caribe Virus Emptying the battery in the phone quicker as it Cell Phone Jammers, tries to beam itself out to other Quiet Cars, Hotels, Bluetooth devices, Cell phones Restaurants, Theaters, running SymbianOS, requires Classrooms users to accept and execute the downloaded package. 52
  54. 54. New technologies, new security and privacy challenges…. • VOIP 911 Calls -Special emergency circuit links the call to Disposable PrePaid Cell the Automatic Number Phone, Disposable, Identification/Automatic Location Anonymity, Inexpensive, Identification database of phone Prepaid reduces risk of Telecom fraud, but numbers, names, and addresses. introduces other security issues. 53
  55. 55. New technologies, new security and privacy challenges…. Terms of TAG USE: Your E- WMATA Smart Trip, GPS: Rental Car Companies, Short Range, Tracks ZPasstag(s) may be used Commercial Fleet time of entry and exit on the vehicle(s) Management, Military, to metro stations, specifically listed on this Consumer Electronics Registered $5, account. Unregistered Anonymous 54
  56. 56. GPS Child Finder 55
  57. 57. Other ITS Wireless Vehicular Communication Communications Equipment 87.5-107.9 MHz FM sub carrier 1575.42 MHz 5.850-5.925 GHz 800 to 900 MHz GPS Receiver Multi-Application OBU/w and 909.75-921.75 MHz 360 degree antenna 1800 to 1900 MHz Toll & Parking 2322.5-2345 MHz (factory installation) Cellular Phone Antenna OBU for XM Radio (connected to the IDB) (Add-on when needed) Satellite Radio band Multiple Bands Infrared Two-way Radio OBU 76-77 GHz (Add-on when needed Collision for super high data Avoidance Radar rates) Interface Devices 1800 to 1900 MHz (Built-in Display, Annunciator, 2.5/3G PCS Phone Computer Microphone, Keypad, etc. (which is connected to the IDB) (factory installation) connected to the Computer, (connected to the IDB) which is connected to the IDB) 56
  58. 58. Marine Corp Marathon vs. Marine Deployment What is the difference? Physical possession, tracking and identification Tell consumer what you will do with the data, and do only that. NIST Inventory Example 57
  59. 59. What is in the tag? Is it just a number? EPC General Identifier (GID- 96) is the most widely used data format on EPC tags… Header 8-bits – Identifies EPC’s version number (256 possible versions) – Will allow the extension of EPCs in the future (different lengths or types of EPCs) EPC Manager 28-bits – Identifies the manufacturer of the product the EPC is attached to (268 million managers) Object Class 24-bits – Identifies a category or class of objects within a manufacturer (16 million object classes) Serial Number 36-bits – Uniquely identifies a product within an object class of a manufacturer (68 billion serial numbers within a class) 58
  60. 60. Brave New World or 1984? 59
  61. 61. Brave New World or 1984? Orwell feared that the truth would be • Huxley feared the truth would be concealed from us. drowned in a sea of irrelevance. • Huxley feared we would become a trivial culture. Orwell feared we would become a captive culture. • Huxley feared that there would be no reason to ban a book, for there would be no one who wanted to read one. Orwell feared those who would ban • Civil libertarians and rationalists books. who are ever on the alert to oppose tyranny "failed to take into account man's almost infinite appetite for distractions". 60
  62. 62. Presentation Outline About NIST RFID Security NIST RFID Activities NIST Guidelines for Securing Radio Frequency Identification New technologies, new security and privacy challenges…. Discussion Contact Information 61
  63. 63. Contact Information Tom Karygiannis, NIST, 100 Bureau Drive, MS 8930, Gaithersburg, MD 20899, USA. Email: karygiannis@nist.gov, Tel. 301-975-4728 Ajit Jilla, Ph. D., Global Standards and Information Group, NIST, 100 Bureau Drive, MS 2100, Gaithersburg, MD 20899-2100. email: ajit.jilla@nist.gov, Tel. 301-975-5089 Dr. David Wollman, Scientific Advisor, Electronics and Electrical Engineering, Coordinator of RFID Activities, email: david.wollman@nist.gov Web URLs: – NIST http://www.nist.gov – Computer Security Division http://csrc.nist.gov/ 62
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×