Security Standards for the RFID Market

Introducing Emerging Standards IEEE Security & Privacy announces the formation of a new department for the magazine—Emerging Standards. Tim Grance, Ramaswamy Chandramouli, and Rick Kuhn, of the US National Institute of Standards and Technology, and Susan Landau from Sun Microsystems, are the co­ editors of this department, which will concentrate on security issues arising from deployment of new technologies, with a focus on security standards and research challenges. As systems are deployed, security issues must be addressed—not only for the new technology, but also for the technology’s interaction with existing/legacy products and services. This department will highlight security challenges and solutions in the engineering and operation of new technologies as well as significant security concerns in existing technologies and applications. Topics include security solutions that are still evolving and areas where new algorithms are required to address vulnerabilities of existing security solutions. Contributions are welcome on these and other topics related to emerging technologies. retailers such as Great Britain’s Marks & Spencer and Germany’s Metro Group began experimenting with passive RFID tags embedded in indi­ vidual consumer products, and the US Department of Defense and WalMart announced moves to use pas­ sive RFID tags for shipment tracking. Other large retailers fol­ lowed suit, suggesting that RFID technology will become nearly uni­ versal for shipment tracking in the next few years. As RFID tags con­ tinue to decrease in price while offer­ ing increased capabilities, consumers are encountering them in library books, high-end electronics, auto­ mobile tires, and packaging for household items. Efforts are cur­ rently under way within the industry that could provide unique identifiers for every individual item in the retail supply chain. As further evidence of RFID’s growth, the industry’s stan­ dards consortium, EPCglobal, re­ cently awarded Verisign a contract to manage the Object Naming Service (ONS), which will serve as the root directory for the EPCglobal Net­ work, a system that combines passive RFID technology with electronic product codes (EPCs) to enable busi­ ness partners to exchange informa­ tion throughout their supply chains. RFID has also attracted the at­ tention of security researchers and hackers. During the 2004 BlackHat conference in Las Vegas, Lukas Grunwald and Boris Wolf released RFDump (www.rf-dump.org), an open-source tool that allows anyone to read RFID tags designed to the ISO 15693 and 14443 standards as well as proprietary standards used in some smart-card financial transac­ tions. In 2005, researchers at Johns Hopkins University also demon­ strated that an inexpensive toolkit built with a minimal amount of cus­ tomized hardware can brute-force cryptographic keys from one of the most widely sold RFID tags. It’s all about the application It’s not an easy task to design, engi­ neer, implement, and optimize a complex RFID system. When a pas­ sive RFID tag moves down a con­ veyor belt at 20 miles per hour, for example, it has only a split second to capture and use as much power as possible from reader devices that can be more than 10 centimeters away. Thus, the RFID system selected for this type of application will depend on the user’s requirements. Some ap­ plications, however, require higher power demands and a lower toler­ ance for latency, so the RFID sys­ tems’ available power, amount of onboard data storage, radio fre­ quency, and security requirements will vary. For example, let’s say a rancher needs to identify and track individual cattle from the ranch to the process­ ing center. Given that cattle tend to chew off ear tags while in the feedlot, TED PHILLIPS Booz Allen Hamilton