ETSI Security Workshop: RFID data protection and privacy activities in … · 2013-01-16


16-1-2013


CEN/TC 225 ‘AIDC Technologies’ 1

RFID data protection and privacy activities in CEN/TC225

Gerard Dessenne, CEN/TC225/WG5 Chair

ETSI SECURITY WORKSHOP


M/436 Mandate

Background documents

• Directive 95/46 EC on Privacy on 23 Nov 1995 and Directive 2002/58 EC on 12 July 2002

• Directive 1999/5/EC (Directive R&TTE) on 9 Mar 1999

• OECD Policy Guidance on RFID of 17-18 June 2008

• M 436 Mandate on 8 December 2008

• Commission Recommendation of 12 May 2009

• PIA Framework from DG/INFSO of 12 February 2010 (1)

(1): Accepted by Article 29 Working Party


M/436 Mandate

Standardization Mandate to the European Standardization Organizations CEN, CENELEC and ETSI in the field of Information and Communication Technologies applied to Radio Frequency Identification (RFID) and systems

DG ENTR/D4 8 December 2008


M/436 Mandate

M/436 Project

• M 436 Mandate divided in two phases:

• Phase 1: Jan 2010 to September 2011 to analyse the gaps in terms of standardization. The deliverable is the document ETSI 187020 of April 2010.

• Phase 2: Jan 2011 to March-May 2014. There are 11 deliverables in the form of EN, TS, TR.


M436 Phase 2 Project Teams

• PTA: Signage and Emblem
  • Chair: Stephane Pique

• PTB: RFID Device Privacy
  • Chair: Josef Preishuber-Pflügl

• PTC: Privacy Impact Assessment
  • Chair: Claude Tetelin

• PTD: RFID Penetration testing
  • Chair: Jacques Hulshof

• PTE: Extended RFID device security capability
  • Chair: Henk Dannenberg

M/436 Project Phase 2 Deliverables

11 Deliverables in three groups derived from EC Recommendation of 15th February 2009: Information, PIA, Technical.

• CEN European standard: EN ISO/IEC 29160 Information technology -- Radio frequency identification for item management -- RFID Emblem

• CEN Technical Specification: Notification of RFID: The information sign to be displayed in areas where RFID interrogators are deployed

• CEN Technical Report: Notification of RFID: Additional information to be provided by operators

• CEN European Standard: Notification of RFID: The information sign and additional information to be provided by operators of RFID data capture applications

• CEN Technical Report: Privacy: Capability features of current RFID technologies

• CEN Technical Report: RFID PIA analysis for Specific Sectors

• CEN Technical Report: Analysis of PIA methodologies relevant to RFID

• CEN European Standard: RFID privacy impact assessment (PIA) process

• CEN Technical Report: Threat and vulnerability Analysis

• CEN Technical Report: Authorisation of mobile phones when used as RFID interrogators

• CEN Technical Specification: Device interface to support ISO/IEC 18000-3 Mode 1 and Mode 3 tags


M436 Project Teams

• PTA: Signage and Emblem

Signage: Scope

• The Common European RFID Notification Signage system will provide a simple means to notify citizens of the presence of RFID interrogators in public areas, including shops, public transport locations, libraries, etc.

• The Signage system will allow citizens to be advised of the presence of RFID tags placed on or in items, including contactless bank and public transport cards, library books, and tags used to assist in warranty, maintenance and recycling of durable household goods.


Signage: Three Deliverables

• TR = Research and Argumentation

• TS = Application: forerunner of EN (2014)

• EN seeks to help EC Enterprises to:

– Comply with existing EU Law on DPP

– Protect their customers

– Protect their reputation

Sign: Definition

• Three constituting elements

1. Common Notification Emblem

2. Scope and purpose of RFID application

3. How to contact operator/controller

→ Points to where more information can be found

• Two general signs

– Areas where readers may be operating (EC Rec 8)

– Tagged items (EC Rec 9)

In both cases: One common European Emblem!


The RFID Notification Sign:

Three elements

• Common Emblem

• Purpose of application

• Additional information

RFID Tags may be read in this area for the purposes of stock control security and product warranty.

This system is controlled by Van Rees B.V.

For more information, contact us on: Freephone 0800 800 8888 or visit our website www.vanrees.com/privacy

The Common European Emblem

• What?: The Generic version of the ISO Emblem as per 29160 Standard. Uniqueness all over Europe

• Where?: On the sign to be displayed in areas where RFID interrogators are deployed. Also on items depending on the result of the PIA

• Purpose: Different from logos that serve the purpose of communicating a trademark of a proprietary system or a business application, the Common European RFID Emblem shall be utilized as a generic emblem to indicate to the citizens the presence of an RFID application


The Common European Emblem

As defined in the ISO/IEC Standard 29160

The Common European Emblem

Current unresolved issues:

– coexistence of the Common European Emblem and current logos, especially global systems such as contactless bank cards. Ex: EMV Consortium


The Additional information:

• Where?: At an address indicated in the sign

• What?:

– the operator of the application

– the purpose of the application

– the data processed

– a summary of the Privacy Impact Assessment

– the likely risks and the mitigation measures

• Current issues:

– How to resolve the complex situation of multi operators and/or multi applications

• PTB: RFID Device Privacy

RFID Device Privacy

TR: Privacy capability features of current RFID technologies

• Access protection features

• Features to protect Consumer Privacy

• Features to protect Data Security

• Features for tag authentication

• Standards support of privacy capability features

• Product support of privacy capability features

Access protection features

| REF | PRIVACY CAPABILITY FEATURE | ISO/IEC 14443 | ISO/IEC 15693 | ISO/IEC 18000-2 | ISO/IEC 18000-3 M2 | ISO/IEC 18000-3 M3 | ISO/IEC 18000-4 M1 | ISO/IEC 18000-4 M2 | ISO/IEC 18000-61:2012 | ISO/IEC 18000-62:2012 | ISO/IEC 18000-6:2004 Am1:2006 | ISO/IEC 18000-63:2012 | ISO/IEC 18000-63 REV1 | ISO/IEC 18000-64:2012 | ISO/IEC 18000-7 | ISO/IEC 18092 | ISO/IEC 21481 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5.2.1 | No protection | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| 5.2.2 | Password protection | N | N | N | N | Y | N | N | N | N | Y | Y | Y | N | N | N | N |
| 5.2.2.1 | Password protection with security timeout | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N |
| 5.2.2.2 | Password protection with cover coding | N | N | N | N | Y | N | N | N | N | Y | Y | Y | N | N | N | N |
| 5.2.3 | Cryptographic protection | Y | N | N | N | N | N | N | N | N | N | N | Y | N | N | Y | Y |
| 5.2.3.1 | Symmetric-key cryptography | Y | N | N | N | N | N | N | N | N | N | N | Y | N | N | Y | Y |
| 5.2.3.2 | Public-key cryptography | Y | N | N | N | N | N | N | N | N | N | N | Y | N | N | Y | Y |
| 5.3 | Application of access protection features | Y | Y | N | N | Y | N | N | N | N | Y | Y | Y | N | N | Y | Y |


Privacy protection features

| REF | PRIVACY CAPABILITY FEATURE | ISO/IEC 14443 | ISO/IEC 15693 | ISO/IEC 18000-2 | ISO/IEC 18000-3 M2 | ISO/IEC 18000-3 M3 | ISO/IEC 18000-4 M1 | ISO/IEC 18000-4 M2 | ISO/IEC 18000-61:2012 | ISO/IEC 18000-62:2012 | ISO/IEC 18000-6:2004 Am1:2006 | ISO/IEC 18000-63:2012 | ISO/IEC 18000-63 REV1 | ISO/IEC 18000-64:2012 | ISO/IEC 18000-7 | ISO/IEC 18092 | ISO/IEC 21481 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6.2 | Unique chip ID or Tag ID | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| 6.3 | Chip selection with random number | Y | N | N | N | N | N | N | N | N | N | N | Y | N | N | N | N |
| 6.4 | Reduced read range on the tag | N | N | N | N | N | N | N | N | N | N | N | Y | N | N | N | N |
| 6.5 | Untraceable | N | N | N | N | N | N | N | N | N | N | N | Y | N | N | N | N |
| 6.6 | Hide | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N |
| 6.7 | Kill | N | N | N | N | Y | N | N | N | N | Y | Y | Y | N | N | N | N |
| 6.8 (1) | Destroy | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A |
| 6.9 | Remove | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A |

• PTC: Privacy Impact Assessment

Privacy Impact Assessment

• Deliverables:

– TR: Analysis of PIA methodologies relevant to RFID

– TR: RFID PIA analysis for specific sectors (retail, libraries, banking, transportation)

– EN: RFID PIA process

Privacy, Data Protection, Security and RFID

Data Protection, Security and Privacy

Privacy focuses on the individual, not the corporation.

Privacy extends beyond the operational domain of the application.

Out of domain = other readers both inside and outside the read range of the application’s readers, e.g. from reading tags accidentally to deliberate illicit reading and eavesdropping.

Data Protection: ensures appropriate collection, consent, correction and use of data collected by an organisation from their consumers & users

Data Security: protects all the organisation’s data, including the data about individuals as well as other operational data held by the organisation

Privacy: provides an individual’s control over the use of collected data by organisations and protection from unauthorised collection of data from ICT in the individual’s possession


TR: RFID PIA Analysis for Specific Sectors


RFID PIA Framework as basis

Libraries Retail e-Ticketing Banking & Finance

Enabling RFID operators to identify risks

Identification of relevant characteristics per sector

Synthesis and conclusion lead to a generic approach

EN: RFID Privacy Impact Assessment (PIA) process


Key points from Scope

• It provides a standardised set of procedures for developing PIA templates, including tools compatible with the RFID PIA methodology.

• In addition, it identifies the conditions that require an existing PIA to be revised, amended, or replaced by a new assessment process.

• PTD: RFID Penetration testing

TR: RFID threat and vulnerability analysis

The actual scope of this TR is to consider the threats and vulnerabilities associated with the characteristics of RFID technology at the air interface level, covering:

• Threats and attack scenarios with a false reader and false tag

• Vulnerabilities

• Mitigation measures

• Attack scenarios

• Penetration tests results (initial and additional)


Initial tests

Reference: ETSI TR 101 543 V1.1.1 (2011-04). “Electromagnetic compatibility and Radio spectrum Matters (ERM); RFID evaluation tests undertaken in support of M/436 Phase 1”

Tests carried out at the three principal frequencies with output power according to regulatory limits:

Low Frequency (< 135 kHz)

High Frequency (13,56 MHz)

UHF (865 – 868 MHz)

Additional tests

Focus on eavesdropping and activation for both HF and UHF passive technologies.

• UHF Activation distance = f(radiated power)

• HF Activation distance = f(magnetic field, antenna size)

• UHF/HF Eavesdropping = f(antenna size, reader sensitivity)

Measurements have been done in a way to maximize activation and eavesdropping distances (line of sight, no tilt, aligned polarisations, etc.)

• PTE: Extended RFID device security capability

TR: Authorization of mobile phones used as RFID interrogators


Extending NFC phones capabilities to read RFID tags

• Read range impacts due to inclusion of ISO/IEC 15693

• Extending NFC read range capabilities

• Security features in the NFC phones

Mobile phones enhanced with UHF RFID readers

• Internet research

• Only Republic of Korea


Preliminary Conclusions

1. Inclusion of ISO/IEC 15693 based new NFC Forum Tag Type will not have an impact on the read range of the ISO/IEC 15693 or ISO/IEC 14443 tags and therefore it will not increase the capabilities of NFC phones to capture data without consent

2. The capability to read ISO/IEC 15693 compliant tags might cause a threat for existing applications that currently use such tags

3. Read range of NFC phones cannot be extended practically

4. UHF capabilities could potentially be a threat for the consumer's privacy. However, availability is very limited

5. Dual band extensions do not add different threats (than listed for HF or UHF extensions)

TS: Device interface to support ISO/IEC 18000-3 Mode 1 and Mode 3 tags

Initial results of PT-E

− There are several different device interfaces on the market. Most of them are proprietary to the various reader vendors.

− Reader suppliers consider a device interface with the proposed features very complex. The proposed handling of data structures increases complexity even more. Such interface would need a PC based TCP/IP architecture and cannot be used on most of the architectures that are being used today.

They do not believe that such kind of high level software interfaces will help to get a more rapid transformation to more security, because it is high level and it needs a kind of PC architecture.


PT-E Proposal

• Way forward

− Support for both ISO/IEC 18000-3 Mode 1 and ISO/IEC 18000-3 Mode 3 would fit into ISO/IEC 24791-5.

− Following the Vienna agreement, CEN should develop a NWIP for revision of ISO/IEC 24791-5 to cover ISO/IEC 18000-3 Mode 1 and ISO/IEC 18000-3 Mode 3 device interfaces.

− If the business need is confirmed on JTC1 level then CEN could initiate the development of a first WD for this ISO/IEC 24791-5REV1.

• Recommendation: change deliverable into TR

− The TR will report the findings of the project team and provide the input for the NWIP for the revision of ISO/IEC 24791-5.


M/436 Project time schedule: ENs


M/436 Project time schedule: TRs & TSs

| # | Activities | Due date (relative) | Due date (year-month) |
|---|---|---|---|
| 1 | Signature of contract between CEN and the EC | T0 | 2011-12 |
| x | … | … | … |
| 9 | Submission of drafts (progress so far) to TC secretary | T+11 | 2012-11 |
| 10 | Final discussion by TC225 plenary in Brussels | T+13 | 2013-01 |
| 11 | Submission of interim report to EC | T+14 | 2013-02 |
| 12 | Submission of final drafts to TC secretary | T+18 | 2013-06 |
| 13 | Dispatch of final drafts to CCMC for Formal Vote | T+18 | 2013-06 |
| 14 | Submission to Formal Vote | T+21 | 2013-09 |
| 15 | Closure of Formal Vote | T+24 | 2013-12 |
| 16 | Definitive texts TSs and TR available | T+25 | 2014-01 |
| 17 | Publication TSs and TR by CEN | T+28 | 2014-03 |
| 18 | Submission of final report to EC | T+28 | 2014-03 |

That’s all Folks

Thank You
