Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov> ITL BULLETIN FOR MAY 2007 SECURING RADIO FREQUENCY IDENTIFICATION (RFID) SYSTEMS Karen Scarfone, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Technology Administration U.S. Department of Commerce RFID is a form of automatic identification and data capture technology that uses electric or magnetic fields at radio frequencies to transmit information. An RFID system can be used to identify many types of objects, such as manufactured goods and animals. RFID technologies support a wide range of applicationsÂeverything from asset management and tracking to access control and automated payment. Each object that needs to be identified has a small electronic device known as an RFID tag affixed to it or embedded within it. Each tag has a unique identifier and may also have other features such as memory to store additional information about the object, environmental sensors, and security mechanisms. Devices known as RFID readers wirelessly communicate with the tags to identify the item connected to each tag and possibly read or update additional information stored on the tag. This communication can occur without optical line of sight. Every RFID system includes a radio frequency (RF) subsystem, which is composed of tags and readers. The RF subsystem performs identification and related transactions. In many RFID systems, the RF subsystem is supported by an enterprise subsystem, which contains computers running specialized software that can store, process, and analyze data acquired from RF subsystem transactions. RFID systems that share information across organizational boundaries, such as supply chain applications, also have an inter-enterprise subsystem. Each RFID system has different components and customizations so that it can support a particular business process for an organization; as a result, the security risks for RFID systems and the controls available to address them are highly varied. The enterprise and inter-enterprise subsystems involve common IT components such as servers, databases, and networks and therefore can benefit from typical IT security controls for those components. New Guidelines on RFID System Security The National Institute of Standards and Technology (NIST) Information Technology Laboratory recently published new guidelines on protecting RFID systems. NIST Special Publication (SP) 800-98, Guidelines for Securing RFID Systems: Recommendations of the National Institute of Standards and Technology, was written by Tom Karygiannis of NIST, and by Bernard Eydt, Greg Barber, Lynn Bunn, and Ted Phillips of Booz Allen Hamilton. The publication recommends practices for initiating, designing, implementing, and operating RFID systems in a manner that mitigates security and privacy risks. The guide explains the components and architectures of RFID systems and the standards for RFID components, such as tags and readers. One section is devoted to an overview of types of RFID applications and which RFID technologies are most effective for particular applications. Other topics covered in the publication include the major business risks associated with implementing RFID technology, the various RFID security controls, and an overview of privacy regulations and controls that pertain to RFID systems in federal agencies. Additional sections of the publication provide recommendations that organizations using RFID systems can follow throughout the system life cycle, from initiation through operations to disposition, and present hypothetical case studies that illustrate how the concepts and recommendations introduced earlier in the document could work in practice. The appendices in NIST SP 800-98 provide extensive supplemental information on the terms used in the guide, and supply listings of in-print and online resources for further exploration. Other useful listings offer additional information on common RFID standards and their security mechanisms, as well as information on permissible radio exposure limits. NIST SP 800-98 is available from NISTÂs website at http://csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf. RFID Applications and Security Controls RFID technologies are being deployed by many organizations because they have the potential to improve mission performance and reduce operational costs. To achieve these goals, RFID systems must be engineered to support the specific business processes that the organization is automating. Applications for RFID technologies are diverse because of the wide range of business processes that exist. Examples of application types are asset management, tracking, authenticity verification, item matching, process control, access control, and automated payment. Important business drivers that shape RFID application requirements and the resulting characteristics of RFID systems include: * The general functional objective of the RFID technology (i.e., the application type); * The nature of the information that the RFID system processes or generates; * The physical and technical environment at the time RFID transactions occur; * The physical and technical environment before and after RFID transactions take place; and * The economics of the business process and RFID system. Because of the variety of RFID applications, RFID security risks and the controls available to mitigate them are highly varied. Section 7 of the guide contains recommendations for security practices to be applied during each phase of the RFID systemÂs life cycle, from policy development to operations. Examples of security controls for RFID systems are having an RFID usage policy, minimizing the storage of sensitive data on tags, restricting physical access to RFID equipment, and protecting RF interfaces and tag data. Typically, only a subset of the full range of technologies, risks, and controls is applicable to any given RFID implementation. Organizations need to assess the risks they face and choose an appropriate mix of controls for their environments, taking into account factors such as regulatory requirements, the magnitude of the threat, cost, and performance. Federal agencies should refer to Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, which establishes three security categoriesÂlow, moderate, and highÂbased on the potential impact of a security breach involving a particular system. NIST SP 800-53 (as amended), Recommended Security Controls for Federal Information Systems, provides minimum management, operational, and technical security controls for information systems based on the FIPS 199 impact categories. The information in NIST SP 800-53 should be helpful to organizations in identifying controls that are needed to protect networks and systems, which should be used in addition to the specific practices for RFID systems listed in this document. Federal agencies should also use NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, to evaluate their RFID system and select appropriate security controls. NISTÂs Recommendations for RFID System Security NIST recommends that organizations follow these guidelines in planning, implementing, and maintaining secure RFID systems: -- When designing an RFID system, understand what type of application it will support so that the appropriate security controls can be selected. Each type of application uses a different combination of components and has a different set of risks. For example, protecting the information used to conduct financial transactions in an automated payment system requires different security controls than those used for protecting the information needed to track livestock. Some of the factors to be considered include: * The general functional objective of the RFID technology. For example, does the system need to determine the location of an object or the presence of an object, authenticate a person, perform a financial transaction, or ensure that certain items are not separated? * The nature of the information that the RFID system processes or generates. One application may only need to have a unique, static identifier value for each tagged object, while another application may need to store additional information about each tagged object over time. The sensitivity of the information is also an important consideration. * The physical and technical environment at the time RFID transactions occur. This includes the distance between the readers and the tags, and the amount of time in which each transaction must be performed. * The physical and technical environment before and after RFID transactions take place. For example, human and environmental threats may pose risks to tags integrity while the tagged objects are in storage or in transit. Some applications require the use of tags with sensors that can track environmental conditions over time, such as temperature and humidity. * The economics of the business process and RFID system. The economic factors for RFID systems are different than those for traditional IT systems. For example, many RFID tags offer few or no security features; selecting tags that incorporate basic security functionality significantly increases the cost of tags, especially if encryption features are needed. Also, the operational cost of some basic IT security controls, such as setting unique passwords and changing them regularly, may be higher for RFID systems because of the logistical challenges in managing security for thousands or millions of tags. -- Effectively manage risk so that the RFID implementation will be successful. Like other technologies, RFID technology enables organizations to significantly change their business processes to increase efficiency and effectiveness. This technology is complex and combines a number of different computing and communications technologies. Both the changes to business process and the complexity of the technology generate risk. The major risks associated with RFID systems are as follows: * Business process risk. Direct attacks on RFID system components potentially could undermine the business processes the RFID system was designed to enable. For example, a warehouse that relies solely on RFID to track items in its inventory may not be able to process orders in a timely fashion if the RFID system fails. * Business intelligence risk. An adversary or competitor potentially could gain unauthorized access to RFID-generated information and use it to harm the interests of the organization implementing the RFID system. For example, an adversary might use an RFID reader to determine whether a shipping container holds expensive electronic equipment, and then target the container for theft when it gets a positive reading. * Privacy risk. Personal privacy rights or expectations may be compromised if an RFID system uses what is considered personally identifiable information for a purpose other than originally intended or understood. As people possess more tagged items and networked RFID readers become ever more prevalent, organizations may have the ability to combine and correlate data across applications to infer personal identity and location and build personal profiles in ways that increase the privacy risk. * Externality risk. RFID technology potentially could represent a threat to non-RFID networked or collocated systems, assets, and people. For example, an adversary could gain unauthorized access to computers on an enterprise network through Internet Protocol (IP)-enabled RFID readers if the readers are not designed and configured properly. Organizations need to assess the risks they face and choose an appropriate mix of management, operational, and technical security controls for their environments. These organizational assessments should take into account many factors, such as regulatory requirements, the magnitude of each threat, and cost and performance implications of the technology or operational practice. Privacy regulations and guidance are often complex and change over time. Organizations planning, implementing, or managing an RFID system should consult with the organizationÂs privacy officer, legal counsel, and chief information officer. -- When securing an RFID system, select security controls that are compatible with the RFID technologies the organization currently deploys or purchase new RFID technologies that support the necessary controls. To be most effective, RFID security controls should be incorporated throughout the entire life cycle of RFID systemsÂfrom policy development and design to operations and retirement. However, many RFID products support only a fraction of the possible protection mechanisms. Tags, in particular, have very limited computing capabilities. Most tags supporting asset management applications do not support authentication, access control, or encryption techniques commonly found in other business IT systems. RFID standards specify security features including passwords to protect access to certain tag commands and memory, but the level of security offered differs across these standards. Vendors also offer proprietary security features, including proprietary extensions to standards-based technologies, but they are not always compatible with other components of the system. Careful planning and procurement is necessary to ensure an organizationÂs RFID system meets its security objectives. More Information NIST SP 800-98 recommends that organizations follow effective practices for planning, implementing, and managing secure RFID systems as part of a comprehensive approach to information security. Many NIST publications assist organizations in developing that comprehensive approach. For information about the following publications that are linked to RFID security and to other security-related standards and guidelines issued by NIST, see the web page http://csrc.nist.gov/publications/index.html. FIPS 140-2, Security Requirements for Cryptographic Modules. FIPS 180-2, Secure Hash Standard (SHS). FIPS 198, The Keyed-Hash Message Authentication Code (HMAC). FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. NIST SP 800-30, Risk Management Guide for Information Technology Systems. NIST SP 800-34, Contingency Planning Guide for Information Technology Systems. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. NIST SP 800-40, Version 2, Creating a Patch and Vulnerability Management Program. NIST SP 800-41, Guideline on Firewalls and Firewall Policy. NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems. NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices. NIST SP 800-50, Building an Information Technology Security Awareness and Training Program. NIST SP 800-53 Revision 1, Recommended Security Controls for Federal Information Systems. NIST SP 800-57, Recommendation on Key Management, Part 1. NIST SP 800-63, Electronic Authentication Guideline. NIST SP 800-64, Security Considerations in the Information System Development Life Cycle. NIST SP 800-83, Guide to Malware Incident Prevention and Handling. NIST SP 800-90, Recommendation for Random Number Generation Using Deterministic Random Bit Generators. NIST SP 800-92, Guide to Computer Security Log Management. NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems. NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. Elizabeth B. Lennon Writer/Editor Information Technology Laboratory National Institute of Standards and Technology 100 Bureau Drive, Stop 8900 Gaithersburg, MD 20899-8900 Telephone (301) 975-2832 Fax (301) 975-2378 _____________________________________________________ Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Thu May 24 2007 - 22:29:35 PDT