May 2007

ADVISING USERS ON INFORMATION TECHNOLOGY

Bulletin

SECURING RADIO FREQUENCY IDENTIFICATION (RFID) SYSTEMS

Karen Scarfone, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology

ITL Bulletins are published by the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST). Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis and are available from ITL Publications, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900, telephone (301) 975-2832. To be placed on a mailing list to receive future bulletins, send your name, organization, and business address to this office. You will be placed on this mailing list only.

Bulletins issued since May 2006:
* An Update on Cryptographic Standards, Guidelines, and Testing Requirements, May 2006
* Domain Name System (DNS) Services: NIST Recommendations for Secure Deployment, June 2006
* Protecting Sensitive Information Processed and Stored in Information Technology (IT) Systems, August 2006
* Forensic Techniques: Helping Organizations Improve Their Responses to Information Security Incidents, September 2006
* Log Management: Using Computer and Network Records to Improve Information Security, October 2006
* Guide to Securing Computers Using Windows XP Home Edition, November 2006
* Maintaining Effective Information Technology (IT) Security Through Test, Training, and Exercise Programs, December 2006
* Security Controls for Information Systems: Revised Guidelines Issued by NIST, January 2007
* Intrusion Detection and Prevention Systems, February 2007
* Improving the Security of Electronic Mail: Updated Guidelines Issued by NIST, March 2007
* Securing Wireless Networks, April 2007

RFID is a form of automatic identification and data capture technology that uses electric or magnetic fields at radio frequencies to transmit information. An RFID system can be used to identify many types of objects, such as manufactured goods and animals. RFID technologies support a wide range of applications—everything from asset management and tracking to access control and automated payment. Each object that needs to be identified has a small electronic device known as an RFID tag affixed to it or embedded within it. Each tag has a unique identifier and may also have other features such as memory to store additional information about the object, environmental sensors, and security mechanisms. Devices known as RFID readers wirelessly communicate with the tags to identify the item connected to each tag and possibly read or update additional information stored on the tag. This communication can occur without optical line of sight.

Every RFID system includes a radio frequency (RF) subsystem, which is composed of tags and readers. The RF subsystem performs identification and related transactions. In many RFID systems, the RF subsystem is supported by an enterprise subsystem, which contains computers running specialized software that can store, process, and analyze data acquired from RF subsystem transactions. RFID systems that share information across organizational boundaries, such as supply chain applications, also have an inter-enterprise subsystem. Each RFID system has different components and customizations so that it can support a particular business process for an organization; as a result, the security risks for RFID systems and the controls available to address them are highly varied. The enterprise and inter-enterprise subsystems involve common IT components such as servers, databases, and networks and therefore can benefit from typical IT security controls for those components.

New Guidelines on RFID System Security

The National Institute of Standards and Technology (NIST) Information Technology Laboratory recently published new guidelines on protecting RFID systems. NIST Special Publication (SP) 800-98, Guidelines for Securing RFID Systems: Recommendations of the National Institute of Standards and Technology, was written by Tom Karygiannis of NIST, and by Bernard Eydt, Greg Barber, Lynn Bunn, and Ted Phillips of Booz Allen Hamilton. The publication recommends practices for initiating, designing, implementing, and operating RFID systems in a manner that mitigates security and privacy risks.

The guide explains the components and architectures of RFID systems and the standards for RFID components, such as tags and readers. One section is devoted to an overview of types of RFID applications and which RFID technologies are most effective for particular applications. Other topics covered in the publication include the major business risks associated with implementing RFID technology, the various RFID security controls, and an overview of privacy regulations and controls that pertain to RFID systems in federal agencies. Additional sections of the publication provide recommendations that organizations using RFID systems can
follow throughout the system life cycle, from initiation through operations to disposition, and present hypothetical case studies that illustrate how the concepts and recommendations introduced earlier in the document could work in practice.

The appendices in NIST SP 800-98 provide extensive supplemental information on the terms used in the guide, and supply listings of in-print and online resources for further exploration. Other useful listings offer additional information on common RFID standards and their security mechanisms, as well as information on permissible radio exposure limits.

NIST SP 800-98 is available from NIST’s website at http://csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf.

Who We Are
The Information Technology Laboratory (ITL) is a major research component of the National Institute of Standards and Technology (NIST) of the Technology Administration, U.S. Department of Commerce. We develop tests and measurement methods, reference data, proof-of-concept implementations, and technical analyses that help to advance the development and use of new information technology. We seek to overcome barriers to the efficient use of information technology, and to make systems more interoperable, easily usable, scalable, and secure than they are today. Our website is http://www.itl.nist.gov.

RFID Applications and Security Controls

RFID technologies are being deployed by many organizations because they have the potential to improve mission performance and reduce operational costs. To achieve these goals, RFID systems must be engineered to support the specific business processes that the organization is automating. Applications for RFID technologies are diverse because of the wide range of business processes that exist. Examples of application types are asset management, tracking, authenticity verification, item matching, process control, access control, and automated payment. Important business drivers that shape RFID application requirements and the resulting characteristics of RFID systems include:

* The general functional objective of the RFID technology (i.e., the application type);
* The nature of the information that the RFID system processes or generates;
* The physical and technical environment at the time RFID transactions occur;
* The physical and technical environment before and after RFID transactions take place; and
* The economics of the business process and RFID system.

Because of the variety of RFID applications, RFID security risks and the controls available to mitigate them are highly varied. Section 7 of the guide contains recommendations for security practices to be applied during each phase of the RFID system’s life cycle, from policy development to operations. Examples of security controls for RFID systems are having an RFID usage policy, minimizing the storage of sensitive data on tags, restricting physical access to RFID equipment, and protecting RF interfaces and tag data. Typically, only a subset of the full range of technologies, risks, and controls is applicable to any given RFID implementation.

Organizations need to assess the risks they face and choose an appropriate mix of controls for their environments, taking into account factors such as regulatory requirements, the magnitude of the threat, cost, and performance. Federal agencies should refer to Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, which establishes three security categories—low, moderate, and high—based on the potential impact of a security breach involving a particular system. NIST SP 800-53 (as amended), Recommended Security Controls for Federal Information Systems, provides minimum management, operational, and technical security controls for information systems based on the FIPS 199 impact categories. The information in NIST SP 800-53 should be helpful to organizations in identifying controls that are needed to protect networks and systems, which should be used in addition to the specific practices for RFID systems listed in this document. Federal agencies should also use NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, to evaluate their RFID system and select appropriate security controls.

NIST’s Recommendations for RFID System Security

NIST recommends that organizations follow these guidelines in planning, implementing, and maintaining secure RFID systems:

▪ When designing an RFID system, understand what type of application it will support so that the appropriate security controls can be selected.

Each type of application uses a different combination of components and has a different set of risks. For example, protecting the information used to conduct financial transactions in an automated payment system requires different security controls than those used for protecting the information needed to track livestock. Some of the factors to be considered include:

* The general functional objective of the RFID technology. For example, does the system need to determine the location of an object or the presence of an object, authenticate a person, perform a financial transaction, or ensure that certain items are not separated?

* The nature of the information that the RFID system processes or generates. One application may only need to have a unique, static identifier value for each tagged object, while another application may need to store additional information about each tagged object over time. The sensitivity of the information is also an important consideration.

* The physical and technical environment at the time RFID transactions occur. This includes the distance between the readers and the tags, and the amount of time in which each transaction must be performed.

* The physical and technical environment before and after RFID transactions take place. For example, human and environmental threats may pose risks to
tags’ integrity while the tagged objects are in storage or in transit. Some applications require the use of tags with sensors that can track environmental conditions over time, such as temperature and humidity.

* The economics of the business process and RFID system. The economic factors for RFID systems are different than those for traditional IT systems. For example, many RFID tags offer few or no security features; selecting tags that incorporate basic security functionality significantly increases the cost of tags, especially if encryption features are needed. Also, the operational cost of some basic IT security controls, such as setting unique passwords and changing them regularly, may be higher for RFID systems because of the logistical challenges in managing security for thousands or millions of tags.

▪ Effectively manage risk so that the RFID implementation will be successful.

Like other technologies, RFID technology enables organizations to significantly change their business processes to increase efficiency and effectiveness. This technology is complex and combines a number of different computing and communications technologies. Both the changes to business process and the complexity of the technology generate risk. The major risks associated with RFID systems are as follows:

* Business process risk. Direct attacks on RFID system components potentially could undermine the business processes the RFID system was designed to enable. For example, a warehouse that relies solely on RFID to track items in its inventory may not be able to process orders in a timely fashion if the RFID system fails.

* Business intelligence risk. An adversary or competitor potentially could gain unauthorized access to RFID-generated information and use it to harm the interests of the organization implementing the RFID system. For example, an adversary might use an RFID reader to determine whether a shipping container holds expensive electronic equipment, and then target the container for theft when it gets a positive reading.

* Privacy risk. Personal privacy rights or expectations may be compromised if an RFID system uses what is considered personally identifiable information for a purpose other than originally intended or understood. As people possess more tagged items and networked RFID readers become ever more prevalent, organizations may have the ability to combine and correlate data across applications to infer personal identity and location and build personal profiles in ways that increase the privacy risk.

* Externality risk. RFID technology potentially could represent a threat to non-RFID networked or collocated systems, assets, and people. For example, an adversary could gain unauthorized access to computers on an enterprise network through Internet Protocol (IP)-enabled RFID readers if the readers are not designed and configured properly.

Organizations need to assess the risks they face and choose an appropriate mix of management, operational, and technical security controls for their environments. These organizational assessments should take into account many factors, such as regulatory requirements, the magnitude of each threat, and cost and performance implications of the technology or operational practice.

Privacy regulations and guidance are often complex and change over time. Organizations planning, implementing, or managing an RFID system should consult with the organization’s privacy officer, legal counsel, and chief information officer.

▪ When securing an RFID system, select security controls that are compatible with the RFID technologies the organization currently deploys or purchase new RFID technologies that support the necessary controls.

To be most effective, RFID security controls should be incorporated throughout the entire life cycle of RFID systems—from policy development and design to operations and retirement. However, many RFID products support only a fraction of the possible protection mechanisms. Tags, in particular, have very limited computing capabilities. Most tags supporting asset management applications do not support authentication, access control, or encryption techniques commonly found in other business IT systems. RFID standards specify security features including passwords to protect access to certain tag commands and memory, but the level of security offered differs across these standards. Vendors also offer proprietary security features, including proprietary extensions to standards-based technologies, but they are not always compatible with other components of the system. Careful planning and procurement is necessary to ensure an organization’s RFID system meets its security objectives.

More Information

NIST SP 800-98 recommends that organizations follow effective practices for planning, implementing, and managing secure RFID systems as part of a comprehensive approach to information security. Many NIST publications assist organizations in developing that comprehensive approach. For information about the following publications that are linked to RFID security and to other security-related standards and guidelines issued by NIST, see the web page http://csrc.nist.gov/publications/index.html

FIPS 140-2, Security Requirements for Cryptographic Modules.

FIPS 180-2, Secure Hash Standard (SHS).

FIPS 198, The Keyed-Hash Message Authentication Code (HMAC).

FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.

NIST SP 800-30, Risk Management Guide for Information Technology Systems.

NIST SP 800-34, Contingency Planning Guide for Information Technology Systems.

NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.
NIST SP 800-40, Version 2, Creating a Patch and Vulnerability Management Program.

NIST SP 800-41, Guideline on Firewalls and Firewall Policy.

NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems.

NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices.

NIST SP 800-50, Building an Information Technology Security Awareness and Training Program.

NIST SP 800-53 Revision 1, Recommended Security Controls for Federal Information Systems.

NIST SP 800-57, Recommendation on Key Management, Part 1.

NIST SP 800-63, Electronic Authentication Guideline.

NIST SP 800-64, Security Considerations in the Information System Development Life Cycle.

NIST SP 800-83, Guide to Malware Incident Prevention and Handling.

NIST SP 800-90, Recommendation for Random Number Generation Using Deterministic Random Bit Generators.

NIST SP 800-92, Guide to Computer Security Log Management.

NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems.

NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i.

Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

ITL Bulletins via E-Mail
We now offer the option of delivering your ITL Bulletins in ASCII format directly to your e-mail address. To subscribe to this service, send an e-mail message from your business e-mail account to listproc@nist.gov with the message subscribe itl-bulletin, and your name, e.g., John Doe. For instructions on using listproc, send a message to listproc@nist.gov with the message HELP. To have the bulletin sent to an e-mail address other than the FROM address, contact the ITL editor at 301-975-2832 or elizabeth.lennon@nist.gov.
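The following Python example is added to this bulletin as an illustration; it is not code from the bulletin, from NIST SP 800-98, or from any RFID standard. It ties together three points made in the bulletin: the operational cost of setting unique passwords for thousands or millions of tags, the password-gated tag commands and memory that RFID standards specify, and the recommended control of minimizing sensitive data stored on tags. The per-tag password is derived from one master key with HMAC (FIPS 198, listed above), so readers need only the master key rather than a database of millions of passwords; item details stay in a back-end inventory keyed by an opaque tag identifier. The 4-byte password length, the `access` and `write_user_memory` command names, the inventory records, and the reader roles are all assumptions constructed for this example.

```python
import hmac
import hashlib
from typing import Dict, Iterable, Optional

# Constructed demo master key. A real deployment would keep this in a
# protected key store on the back end, never in a reader's configuration.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

PASSWORD_LEN = 4  # assumption: a 32-bit tag access password


def derive_access_password(master_key: bytes, tag_id: bytes) -> bytes:
    """Per-tag password = leading PASSWORD_LEN bytes of HMAC-SHA-256(master_key, tag_id).

    Every tag gets a different password, yet an authorized reader can
    recompute any of them from the master key, which removes the cost of
    storing and distributing one password per tag.
    """
    return hmac.new(master_key, tag_id, hashlib.sha256).digest()[:PASSWORD_LEN]


class SimulatedTag:
    """Minimal model of a tag whose write command is gated by an access password."""

    def __init__(self, tag_id: bytes, access_password: bytes) -> None:
        self.tag_id = tag_id
        self._access_password = access_password
        self.user_memory = b""      # writable only after a successful access()
        self._unlocked = False

    def read_id(self) -> bytes:
        # Readable by any reader in range, so the identifier is an opaque
        # value that says nothing about the tagged item by itself.
        return self.tag_id

    def access(self, password: bytes) -> bool:
        # Constant-time comparison; the tag unlocks only for the right password.
        self._unlocked = hmac.compare_digest(password, self._access_password)
        return self._unlocked

    def write_user_memory(self, data: bytes) -> None:
        if not self._unlocked:
            raise PermissionError("write rejected: access password not presented")
        self.user_memory = data


def provision_tags(master_key: bytes, tag_ids: Iterable[bytes]) -> Dict[bytes, SimulatedTag]:
    """Commission tags with their derived passwords (done once, at enrollment)."""
    return {tid: SimulatedTag(tid, derive_access_password(master_key, tid)) for tid in tag_ids}


# Constructed back-end inventory: item details live here, keyed by the opaque
# tag identifier, instead of being written onto the tag where any reader
# in range could read them.
INVENTORY = {
    bytes.fromhex("e2000017221101441890a1b2"): {"description": "laptop computers, 40 units", "value_usd": 52000},
    bytes.fromhex("e2000017221101441890a1b3"): {"description": "office paper, 200 reams", "value_usd": 900},
}

AUTHORIZED_ROLES = {"inventory_clerk", "security_officer"}  # constructed role names


def resolve_item(tag_id: bytes, role: str) -> Optional[dict]:
    """Look up item details for a tag; only authorized back-end roles get them."""
    if role not in AUTHORIZED_ROLES:
        return None
    return INVENTORY.get(tag_id)


def reader_write(tag: SimulatedTag, master_key: bytes, data: bytes) -> bool:
    """A reader recomputes the tag's password from its master key, then writes.

    Returns False (and writes nothing) when the reader holds the wrong key.
    """
    if not tag.access(derive_access_password(master_key, tag.read_id())):
        return False
    tag.write_user_memory(data)
    return True


if __name__ == "__main__":
    tags = provision_tags(MASTER_KEY, INVENTORY.keys())
    tag = tags[bytes.fromhex("e2000017221101441890a1b2")]
    print("authorized reader wrote:", reader_write(tag, MASTER_KEY, b"lot-2007-05"))
    print("reader with wrong key wrote:", reader_write(tag, b"wrong-key", b"tampered"))
    print("tag reveals on read:", tag.read_id().hex(), "->", resolve_item(tag.read_id(), "guest"))
```

The design choice worth noting is that the tag itself never carries the description or value of the item; a reader that is not part of the system learns only an opaque identifier, and turning that identifier into item information requires an authorized role on the back end. The trade-off is that the master key becomes a single high-value secret, which is why the comment places it in a protected key store rather than on readers deployed in the field.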