ISO/IEC TECHNICAL REPORT TR 24729-4
First edition 2009-03-15

Information technology
Radio frequency identification for item management
Implementation guidelines
Part 4: Tag data security

Technologies de l'information - Identification de radiofrequences pour la gestion d'items - Lignes directrices pour la mise en oeuvre. Partie 4: Sécurité des données de repere

Reference number ISO/IEC TR 24729-4:2009(E)

PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In accepts no liability in this area.

Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, ISO's member body in the country of the requester.

ISO copyright office
Case postale 56 : CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail [email protected]
Web www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Background
5.1 System definition: tag, tag to reader, reader
5.2
5.3 Security objectives
6 RFID data access security risk assessment
6.1 Risk assessment
6.2 Probability
7 Threats
7.1 Skimming data
7.2 "Eavesdropping" or "sniffing" on transmission between tag and reader
7.3 Spoofing
7.4 Cloning
7.5 Data tampering
7.6 Malicious code
7.7 Denial of access/service
7.8 Unauthorized killing the tag (electronic or mechanical)
7.9 Jamming/Shielding
8 Scenarios
8.1 Unsecured access control card, no personal identification number (PIN); No encryption or other security feature
8.2 Secured access control card, no PIN; Encrypted or other security features
8.3 Customer Loyalty Card
8.4 EPC Label (Batch Tag ID only)
8.5 Contactless Payment, No PIN
8.6 Contactless Payment, PIN
8.7 Contactless Payment, Biometric or other physical activation
8.8 Pharmaceutical e-Pedigree
8.9 Example of Impact
8.10 Summary
9 Types of security safeguarding countermeasures
9.1 Wafer programming (true WORM)
9.2 ISO Tag ID verification
9.3 License plate
9.4 Memory lock
9.5 Password protection
9.6 Authentication
9.7 Cloaking/Data security (obfuscated ID)
9.8 Encryption
9.9 Limitation of read distance
9.10
10 Threat response "best practices"

This document was uploaded and shared by 人生无常 on 2024-09-20 10:57:49.