This Masterclass is divided into two parts. The first presents a brief outline of passive UHF RFID technology (air interface, protocol and the new Gen2V2 features). The second, devoted to Privacy Impact Assessment, presents the European Recommendation and the recently published EN 16571 standard.
2. Agenda
• Part 1: Passive UHF RFID: Back to basics
• Part 2: Introduction to Privacy Impact Assessment
3. Part 1: Passive UHF RFID: Back to basics
Air Interface
Interrogator-to-Tag (R=>T) communications
Tag-to-Interrogator (T=>R) communications
Read Range evaluation
Logical Interface
Tag memory
Sessions
Tag states and slot counter
New Gen2V2 features
4. Reader -> Tag: Carrier wave (860-960MHz) is modulated
Double side band Modulation: DSB-ASK
Single side band Modulation: SSB-ASK
Phase reversal Modulation: PR-ASK
Data Encoding: PIE (Pulse Interval Encoding)
Tag -> Reader: Carrier wave is backscattered
Amplitude or Phase
Data Encoding FM0 or Miller Modified with sub-carrier
Radio Interface
5. Basic Operations:
Select: selects a subset of tags from a larger population. Only tags that match the selection criteria (on EPC, TID, special features, …) will answer the reader's subsequent commands
Inventory: identifies, one at a time, all the previously selected tags
Access: communicates with one particular inventoried tag
Radio Interface
9. Data Encoding: PIE
Tari: length (µs) of a logical '0' (Data-0); a Data-1 is 1.5 to 2 × Tari
6.25 µs ≤ Tari ≤ 25 µs
Question: what are the max/min available data rates?
(R=>T) communications
10. Answer:
Max data rate: the lengths of Data-0 (Tari) and Data-1 have to be minimum.
Tari min = 6.25 µs
Data-1 = 1.5 × Tari = 9.375 µs
Data-0 and Data-1 are assumed equiprobable
Average bit length: (6.25 + 9.375)/2 = 7.8125 µs
Data rate = 1/7.8125 µs = 128 kbit/s
Min data rate: the lengths of Data-0 (Tari) and Data-1 have to be maximum.
Tari max = 25 µs
Data-1 = 2 × Tari = 50 µs
Data-0 and Data-1 are assumed equiprobable
Average bit length: (25 + 50)/2 = 37.5 µs
Data rate = 1/37.5 µs ≈ 26.7 kbit/s
Radio Interface
11. R->T Preamble
RTcal (= Data-0 length + Data-1 length): lets the tag measure the reader's data rate and derive its decoding threshold (pivot = RTcal/2: a shorter symbol is a 0, a longer one a 1)
TRcal: lets the interrogator specify the tag's backscatter link frequency (its FM0 data rate or the frequency of its Miller subcarrier)
(R=>T) communications
13. Two different backscattering states:
High level: the tag reflects RF power
Low level: the tag absorbs RF power
Warning: the amplitude of the observed signal can be reversed when the incident and reflected waves are out of phase.
Modulation: ASK or PSK (the tag manufacturer has the choice)
Data encoding and data rates: FM0 or Miller subcarrier, chosen by the interrogator through the Query command (M = 1 for FM0; 2, 4 or 8 for Miller), TRcal and the Divide Ratio DR (8 or 64/3)
A tag shall measure the length of TRcal, compute BLF (Backscatter Link Frequency) and set its T=>R link rate accordingly
(T=>R) communications
$$BLF = \frac{DR}{TRcal}, \qquad \text{T=>R data rate} = \frac{BLF}{M}$$
(For FM0, M = 1 and the data rate equals BLF; for Miller, BLF is the subcarrier frequency and the data rate is BLF/M.)
14. T=>R link rate calculation examples:
Example 1:
Suppose Tari = 6.25 µs, RTcal = 2.5 Tari, TRcal = 2 RTcal, M = 1 and DR = 64/3. Compute BLF.
TRcal = 2 × 2.5 × 6.25 µs = 31.25 µs
BLF = (64/3) / 31.25 µs ≈ 683 kHz (M = 1, so the data rate is also ≈ 683 kbit/s)
BLF too far from the carrier: above the 640 kHz maximum, and outside the channel allowed by EU (ETSI) regulations!
Example 2:
Suppose Tari = 25 µs, RTcal = 3 Tari, TRcal = 3 RTcal, M = 1 and DR = 8. Derive BLF.
TRcal = 3 × 3 × 25 µs = 225 µs
BLF = 8 / 225 µs ≈ 35.6 kHz
BLF too close to the carrier (below the 40 kHz minimum): poor signal-to-noise ratio.
(T=>R) communications
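The arithmetic of slides 9–10 (PIE symbol lengths and R=>T data rate) and 13–14 (TRcal, DR and BLF) generalised to any parameter choice, as an added example that is not part of the original slides. The functions check the Gen2 ranges quoted on the page (Tari 6.25–25 µs, Data-1 = 1.5–2 Tari, TRcal = 1.1–3 RTcal, BLF 40–640 kHz); `pie_decode` models the pivot test a tag performs after measuring RTcal in the preamble. RTcal is taken as Data-0 length + Data-1 length, which is the Gen2 definition, so the Data-1 ratio fixes RTcal/Tari.

```python
"""Gen2 link-parameter calculator: PIE on the R=>T link, BLF on the T=>R link."""

TARI_MIN_US, TARI_MAX_US = 6.25, 25.0     # Gen2 Tari range
BLF_MIN_KHZ, BLF_MAX_KHZ = 40.0, 640.0    # allowed backscatter link frequency range


def pie_symbols_us(tari_us, data1_ratio=1.5):
    """Return (Data-0, Data-1) symbol lengths in us. Data-1 is 1.5 to 2.0 x Tari."""
    if not TARI_MIN_US <= tari_us <= TARI_MAX_US:
        raise ValueError("Tari must be between 6.25 and 25 us")
    if not 1.5 <= data1_ratio <= 2.0:
        raise ValueError("Data-1 must be 1.5 to 2.0 x Tari")
    return tari_us, tari_us * data1_ratio


def rt_data_rate_kbps(tari_us, data1_ratio=1.5):
    """Average R=>T rate assuming equiprobable 0 and 1 bits."""
    d0, d1 = pie_symbols_us(tari_us, data1_ratio)
    return 1000.0 / ((d0 + d1) / 2.0)


def tr_link(tari_us, data1_ratio, trcal_ratio, dr, m=1):
    """Derive RTcal, TRcal, BLF (kHz) and the T=>R data rate (kbit/s).

    data1_ratio: Data-1/Tari (1.5..2.0), so RTcal = Data-0 + Data-1 = (1 + ratio) x Tari
    trcal_ratio: TRcal/RTcal (1.1..3.0); dr: divide ratio, 8 or 64/3;
    m: 1 for FM0, 2/4/8 for Miller subcarrier.
    """
    d0, d1 = pie_symbols_us(tari_us, data1_ratio)
    if not 1.1 <= trcal_ratio <= 3.0:
        raise ValueError("TRcal must be 1.1 to 3.0 x RTcal")
    if m not in (1, 2, 4, 8):
        raise ValueError("M must be 1 (FM0) or 2, 4, 8 (Miller)")
    rtcal = d0 + d1
    trcal = trcal_ratio * rtcal
    blf_khz = dr / trcal * 1000.0          # DR / TRcal[us] is in MHz
    return {
        "rtcal_us": rtcal,
        "trcal_us": trcal,
        "blf_khz": blf_khz,
        "data_rate_kbps": blf_khz / m,     # FM0: rate = BLF; Miller: BLF / M
        "blf_in_range": BLF_MIN_KHZ <= blf_khz <= BLF_MAX_KHZ,
    }


def pie_encode(bits, tari_us, data1_ratio=1.5):
    """Bits -> list of symbol durations (us), as the reader would modulate them."""
    d0, d1 = pie_symbols_us(tari_us, data1_ratio)
    return [d1 if b else d0 for b in bits]


def pie_decode(durations_us, rtcal_us):
    """Symbol durations -> bits. The tag measures RTcal in the preamble and uses
    pivot = RTcal/2 as the 0/1 threshold, so it never needs to know Tari."""
    pivot = rtcal_us / 2.0
    return [1 if d > pivot else 0 for d in durations_us]


if __name__ == "__main__":
    print("max R=>T rate: %.1f kbit/s" % rt_data_rate_kbps(6.25, 1.5))
    print("min R=>T rate: %.1f kbit/s" % rt_data_rate_kbps(25.0, 2.0))
    print("slide example 1:", tr_link(6.25, 1.5, 2.0, 64 / 3))   # BLF ~683 kHz, out of range
    print("slide example 2:", tr_link(25.0, 2.0, 3.0, 8))        # BLF ~35.6 kHz, out of range
    print("a valid choice:", tr_link(12.5, 1.5, 2.0, 8, m=4))    # BLF 128 kHz, 32 kbit/s
```

The third call shows the usual trade-off: Miller-4 on a 128 kHz subcarrier keeps the backscatter well away from the carrier for a better signal-to-noise ratio, at the price of a 32 kbit/s tag data rate.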
15. Data Encoding FM0 (bi-phase space) :
FM0 is based on phase transitions (whatever amplitude levels)
Data 1: 1 transition in the end of symbol
Data 0: 1 transition in the mid of the symbol and another at the end
Data rates : from 40 to 640 kbit/s
(T=>R) communications
16. Miller Encoding:
Based on phase transitions (whatever the amplitude levels)
Data 1: 1 transition in the middle of symbol
Data 0: 1 transition at the end of symbol if followed by another Data-0
(T=>R) communications
17. Subcarrier Miller Encoding:
In ISO 18000-63 and EPC C1G2, Miller encoding is used with a subcarrier. This shifts the backscattered signal away from the interrogator's carrier wave and gives a better signal-to-noise ratio.
The subcarrier (BLF) value is between 40 and 640 kHz.
Data rates (BLF/M) are between 5 and 320 kbit/s.
(T=>R) communications
18. Communications R->T->R (inventory)
The Query command gives the tags all the necessary parameters (data rate (DR, M, TRcal), number of time slots (Q), flag filters, …)
Selected tags backscatter a 16-bit random number (RN16)
If a tag is the only one sending an RN16 in a given time slot, there is no collision and the interrogator acknowledges (ACK) that RN16.
The tag then backscatters its PC word and EPC code
Timings
19. Collisions and empty time slots
QueryRep indicates to uninventoried tags that they have to decrement
their slot counter
A tag only backscatters RN16 when slot counter is 0
Timings
20. The Friis equation:
Isotropic antenna:
Copyright CNRFID
$P_r$: power intercepted by a surface $\Sigma$ at a distance $R$ (W)
$$P_r = \frac{P_e}{4\pi R^2}\,\Sigma$$
For a dipole: $G = 1.64$ and $\Sigma = 1.64\,\frac{\lambda^2}{4\pi}$
Read Range Evaluation
Radiated Power
21. The Friis equation:
Real antenna:
$P_r$: power intercepted by a surface $\Sigma$ at a distance $R$ (W)
$$P_r = P_e G_e\,\frac{1}{4\pi R^2}\,\Sigma = P_{eirp}\,\frac{\Sigma}{4\pi R^2}$$
where $P_{eirp} = P_e G_e$ is the Equivalent Isotropic Radiated Power
Read Range Evaluation
Radiated Power
22. The Friis equation:
RFID system:
Interrogator antenna gain $G_{bs}$; power at the interrogator antenna $P_{bs}$; tag antenna gain $G_t$; power received by the tag $P_t$
$$P_t = P_{bs} G_{bs}\,\frac{1}{4\pi R^2}\,\Sigma_t, \qquad \Sigma_t = G_t\,\frac{\lambda^2}{4\pi}$$
$$P_t = P_{bs} G_{bs} G_t \left(\frac{\lambda}{4\pi R}\right)^2$$
Read Range Evaluation
23. Additional losses:
Polarization mismatch ($\theta_{pol}$)
Antenna efficiency ($\theta_{antenna}$): approx. 25% of the feeding power is lost
Impedance matching ($\theta_{matching}$) between the RFID chip and the tag antenna
$$P_t = P_{bs} G_{bs} G_t\,\theta_{pol}\,\theta_{antenna}\,\theta_{matching}\left(\frac{\lambda}{4\pi R}\right)^2$$
Read Range Evaluation
24. Example 1: FCC regulations
We can derive the maximum tag activation distance $R_{max}$ by setting $P_t = P_{t\_min}$:
$$R_{max} = \frac{\lambda}{4\pi}\sqrt{\frac{P_{bs} G_{bs} G_t\,\theta_{pol}\,\theta_{antenna}\,\theta_{matching}}{P_{t\_min}}}$$
f = 915 MHz (λ ≈ 0.33 m); $P_{eirp} = P_{bs} G_{bs}$ = 4 W; $P_{t\_min}$ = 60 µW
$\theta_{pol}$ = 1; $G_t$ = 1.64; $\theta_{matching}$ = 0.8; $\theta_{antenna}$ = 0.7
$$R_{max} = \frac{0.33}{4\pi}\sqrt{\frac{4 \times 1.64 \times 1 \times 0.7 \times 0.8}{60 \times 10^{-6}}} \approx 6.49\ \text{m}$$
Read Range Evaluation
25. Example 2: ETSI regulations
We can derive the maximum tag activation distance $R_{max}$ with the same formula:
f = 869 MHz (λ ≈ 0.35 m); $P_{erp}$ = 2 W = 3.28 W EIRP (ERP × 1.64); $P_{t\_min}$ = 60 µW
$\theta_{pol}$ = 1; $G_t$ = 1.64; $\theta_{matching}$ = 0.8; $\theta_{antenna}$ = 0.7
$$R_{max} = \frac{0.35}{4\pi}\sqrt{\frac{3.28 \times 1.64 \times 1 \times 0.7 \times 0.8}{60 \times 10^{-6}}} \approx 6.2\ \text{m}$$
Read Range Evaluation
26. Power backscattered by the tag:
Assume that all the intercepted power is re-radiated by the tag. (OK, that's crude, but it gives an upper bound on the power received by the interrogator.)
$$P_{r\text{-}bs} = P_{bs} G_{bs}\,\frac{\Sigma_t}{4\pi R^2}\; G_t\,\frac{\Sigma_{bs}}{4\pi R^2}$$
where $\Sigma_{bs}$ is the equivalent surface of the interrogator antenna and $\Sigma_t$ the equivalent surface of the tag antenna.
Read Range Evaluation
27. Power backscattered by the tag:
Remember: $\Sigma_t = G_t\,\frac{\lambda^2}{4\pi}$ and $\Sigma_{bs} = G_{bs}\,\frac{\lambda^2}{4\pi}$, hence
$$P_{r\text{-}bs} = P_{bs}\,\frac{G_{bs}^2\,G_t^2\,\lambda^4}{(4\pi)^4 R^4}$$
Read Range Evaluation
28. Example: Derive the ratio $P_{r\text{-}bs}/P_{bs}$:
R = 3 m; $G_{bs}$ = 10; RCS = 0.0214 m²; f = 868 MHz (λ ≈ 0.35 m)
Radar-equation form, the tag being described by its radar cross-section RCS:
$$P_{r\text{-}bs} = P_{bs}\,\frac{G_{bs}^2\,\lambda^2\,RCS}{(4\pi)^3 R^4}$$
$$\frac{P_{r\text{-}bs}}{P_{bs}} = \frac{10^2 \times 0.35^2 \times 0.0214}{(4\pi)^3 \times 3^4} \approx 1.63 \times 10^{-6} \approx -57.9\ \text{dB}$$
Read Range Evaluation
29. Forward Link
Tag/IC power requirements:
IC sensitivity: power required to wake up the IC (not the tag!)
RIP: received isotropic power, the power required to wake up the tag
With conjugate matching at most half of the RIP reaches the chip; in practice about 30% does:
$$P_{chip}(max) = \tfrac{1}{2}\,RIP \quad (\text{conjugate matching})$$
$$P_{chip} \approx 30\%\,RIP \quad\Leftrightarrow\quad P_{chip}(\text{dBm}) \approx RIP(\text{dBm}) - 5\ \text{dB}$$
Link Budget
31. Forward and Reverse Link
Tag modulation efficiency (m):
−3 dB: ON/OFF keying modulation
−3 dB: tag antenna / IC matching (re-radiation)
Total: −6 dB (m = 0.25)
Receiver sensitivity:
Minimum power that the reader can detect
Link Budget
32. Forward and Reverse Link
Perfect case (figure: forward and reverse link budgets versus distance)
Link Budget
33. Read range limited by tag performance (figure)
Link Budget
34. Read range limited by interrogator performance (figure)
Link Budget
35. Forward and Reverse Link
Tag / IC overdrive:
When the IC receives more than its minimum required power, the modulation efficiency drops to 10–15% (roughly −8 to −10 dB instead of the −6 dB, m = 0.25, of the ideal case)
Because the IC consumes a constant power, the excess detunes the tag
Link Budget
36. Forward and Reverse Link
Old vs new ICs: read range is limited by reader performance (figure)
Link Budget
37. Forward and Reverse Link
New ICs with old readers: surprising results! (figure)
Link Budget
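The read-range derivation of slides 20–28 and the link-budget discussion of slides 29–37, carried through in code as an added example (not material from the original slides). `forward_range_m` and `backscatter_ratio_db` reproduce the slide numbers with the slide's rounded wavelengths; `read_range_m` then combines the forward link (limited by the tag's minimum power) with the reverse link (limited by the reader's receiver sensitivity) to report which side limits the range. The reverse-link model, the 6 dBi (G_bs = 4) reader antenna and the −70 dBm / −50 dBm receiver sensitivities are assumptions for illustration, not values from the page.

```python
"""Forward and reverse link budget for a passive UHF tag."""
import math

C0 = 299_792_458.0  # speed of light, m/s


def wavelength_m(f_hz):
    return C0 / f_hz


def erp_to_eirp(p_erp_w):
    """ETSI limits are in ERP (dipole reference); EIRP = 1.64 x ERP."""
    return 1.64 * p_erp_w


def dbm_to_w(dbm):
    return 10 ** (dbm / 10) / 1000.0


def forward_range_m(p_eirp_w, g_t, p_t_min_w, lam_m,
                    theta_pol=1.0, theta_antenna=0.7, theta_matching=0.8):
    """Max activation distance: Friis with the slide's loss factors, solved for R."""
    losses = theta_pol * theta_antenna * theta_matching
    return lam_m / (4 * math.pi) * math.sqrt(p_eirp_w * g_t * losses / p_t_min_w)


def backscatter_ratio_db(g_bs, rcs_m2, lam_m, r_m):
    """Radar-equation form of P_r-bs / P_bs, in dB."""
    ratio = g_bs ** 2 * lam_m ** 2 * rcs_m2 / ((4 * math.pi) ** 3 * r_m ** 4)
    return 10 * math.log10(ratio)


def reverse_range_m(p_eirp_w, g_bs, g_t, p_rx_min_w, lam_m, m=0.25,
                    theta_pol=1.0, theta_antenna=0.7, theta_matching=0.8):
    """Max distance at which the backscatter still reaches the reader sensitivity.

    Assumed model: forward trip = Friis with all three loss factors; the tag
    re-radiates m x P_t with gain g_t and the return trip suffers the polarization
    and antenna losses again (matching is already inside m):
    P_rx = P_eirp G_t L_f (lam/4piR)^2 * m G_t G_bs L_r (lam/4piR)^2, solved for R."""
    l_f = theta_pol * theta_antenna * theta_matching
    l_r = theta_pol * theta_antenna
    num = p_eirp_w * g_t ** 2 * g_bs * m * l_f * l_r * lam_m ** 4
    den = (4 * math.pi) ** 4 * p_rx_min_w
    return (num / den) ** 0.25


def read_range_m(p_eirp_w, g_bs, g_t, p_t_min_w, p_rx_min_w, lam_m, m=0.25):
    """Overall read range and which side limits it ("tag" or "interrogator")."""
    fwd = forward_range_m(p_eirp_w, g_t, p_t_min_w, lam_m)
    rev = reverse_range_m(p_eirp_w, g_bs, g_t, p_rx_min_w, lam_m, m)
    return (fwd, "tag") if fwd <= rev else (rev, "interrogator")


if __name__ == "__main__":
    # the slide examples, with the slide's rounded wavelengths
    print("FCC  Rmax = %.2f m" % forward_range_m(4.0, 1.64, 60e-6, 0.33))
    print("ETSI Rmax = %.2f m" % forward_range_m(erp_to_eirp(2.0), 1.64, 60e-6, 0.35))
    print("Pr-bs/Pbs = %.1f dB" % backscatter_ratio_db(10, 0.0214, 0.35, 3))
    # assumed reader: 4 W EIRP from a 6 dBi antenna, new (-70 dBm) vs old (-50 dBm) receiver
    lam = wavelength_m(915e6)
    for sens_dbm in (-70, -50):
        r, limit = read_range_m(4.0, 4.0, 1.64, 60e-6, dbm_to_w(sens_dbm), lam)
        print("sensitivity %d dBm: %.1f m, limited by the %s" % (sens_dbm, r, limit))
```

With a modern receiver the forward link (tag sensitivity) is the bottleneck, which is the "read range limited by tag performance" case; degrade the receiver to −50 dBm and the reverse link takes over, which is the "limited by interrogator performance" case of slides 34 and 37.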
38. • Tag memory organization
• 4 logical memory banks
• Reserved memory: (can be read-locked)
• kill password shall be stored at memory addresses 00h to 1Fh
• 32-bit “Kill” password allows a Tag to be permanently silenced
• The default Kill password value is zero
• The Kill command will only execute if the password has been set, i.e. is non-zero
• access password shall be stored at memory addresses 20h to 3Fh.
• It allows the tag to enter the Secured state.
• A tag in the Secured state can execute all Access commands (e.g. writing to write-locked memory)
Logical interface - Memory
39. • UII memory: (or EPC Memory)
• 16 bits StoredCRC at memory addresses 00h to 0Fh
• 16 bits StoredPC at addresses 10h to 1Fh
• UII beginning at address 20h
• XPC_W1 and XPC_W2 (if any) beginning at address 210h
• TID memory:
• 8-bit ISO/IEC 15963 allocation class identifier at memory locations 00h
to 07h (E2h for EPCGlobal)
• information above 07h allows an Interrogator to uniquely identify the custom commands and/or optional features that a tag supports
• User memory: Optional
Logical interface - Memory
40. • Tag memory organization (bit addresses within each bank, MSB first)
Bank 00 RESERVED:
00h–0Fh  Kill Passwd [31:16]
10h–1Fh  Kill Passwd [15:0]
20h–2Fh  Access Passwd [31:16]
30h–3Fh  Access Passwd [15:0]
Bank 01 UII:
00h–0Fh  StoredCRC [15:0]
10h–1Fh  StoredPC [15:0]
20h–2Fh  UII [N:N-15]
…        …
         UII [15:0]
210h–21Fh  Optional XPC_W1 [15:0]
220h–22Fh  Optional XPC_W2 [15:0]
Bank 10 TID:
00h–0Fh  TID [15:0]
10h–1Fh  TID [31:16]
…        …
Bank 11 USER:
00h–0Fh  Word 0 of Block 0
…        …
Logical interface - Memory
41. • Protocol Control (PC) word
• Bits 10h – 14h: the length of the UII that a Tag backscatters, in words:
• 00000: zero words
• 00001: one word (addresses 20h to 2Fh in UII memory)
• 00010: two words (addresses 20h to 3Fh in UII memory)…
• 00110: six words (addresses 20h to 7Fh in UII memory), i.e. a 96-bit EPC
• 11111: 31 words (addresses 20h to 20Fh in UII memory), i.e. a 496-bit EPC
PC word layout (bit addresses, MSB first):
Addr (hex):  10  11  12  13  14  15   16  17  18 … 1E  1F
Name:        L4  L3  L2  L1  L0  UMI  XI  T   EPC Header   H   (T = 0)
                                             ISO AFI (18h–1Fh) (T = 1)
Logical interface - Memory
42. • Protocol Control (PC) word
• Bit 15h: A User-memory indicator (UMI)
• 0: Tag has no user memory or no information in user memory
• 1: Tag has information in user memory
• Bit 16h: An XPC_W1 indicator (XI)
• 0: Tag has no XPC_W1 or the XPC_W1 is zero valued
• 1: Tag has a nonzero XPC_W1 (custom features, BAP, Sensor, …)
• Bits 17h – 1Fh: A numbering system identifier (NSI)
• bit 17h=0: EPCglobal Application and bits 17h-1Eh are EPC Header and
bit 1Fh is reserved for Hazardous material
• bit 17h=1: ISO application and bits 18h – 1Fh shall contain the entire AFI
defined in ISO/IEC 15961-3
Logical interface - Memory
43. • Example 1:
• PC word = 00110 1 0 0 0110000 1
• L4-L0=00110 => Six words (addresses 20h to 7Fh in UII memory) ie. 96
bits EPC/UII
• UMI=1 => information in user memory
• XI=0 => no XPC word
• T=0 => EPC application => 0110000 is the EPC Header and corresponds
to SGTIN 96
• H=1 => Hazardous material
Logical interface - Memory
44. • Example 2:
• PC word = 01000 1 1 1 XXX01010
• L4-L0=01000 => eight words (addresses 20h to 9Fh in UII memory), i.e. a 128-bit EPC/UII
• UMI=1 => information in user memory
• XI=1 => XPC word present
• T=1 => ISO application => xxx01010 is the AFI and corresponds to a returnable transport item (see ISO 17364)
Logical interface - Memory
45. • EPC Encoding
Everything is based on the EPC code and the EPC memory bank
Logical interface - Memory
(figure: PC word followed by the 96-bit EPC)
46. • EPC Encoding
This unique number is assigned by GS1!
Logical interface - Memory
47. • EPC Encoding
EPC Headers
Serialized Global Trade Item Number (SGTIN)
Serial Shipping Container Code (SSCC)
Global Returnable Asset Identifier (GRAI)
US Department of Defense Identifier (DOD)
Global Document Type Identifier (GDTI)
Etc.
The EPC Header and Filter in EPC applications are the equivalent of the AFI in ISO applications…
Header    Coding Scheme
00101101  GSRN-96
00101110  Reserved for Future Use
00101111  USDoD-96
00110000  SGTIN-96
00110001  SSCC-96
00110010  SGLN-96
00110011  GRAI-96
00110100  GIAI-96
00110101  GID-96
00110110  SGTIN-198
00110111  GRAI-170
00111000  GIAI-202
00111001  SGLN-195
Etc…
Logical interface - Memory
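A reader-side parser for the UII bank described on slides 39–47, written as an added example (it is not code from the original slides): word 0 is StoredCRC, word 1 the PC word, and the EPC follows for as many words as PC bits 10h–14h announce; the first EPC byte is then looked up in the page's header table. The CRC routine implements the Gen2 CRC-16 (polynomial 0x1021, preset 0xFFFF, complemented result), and `build_uii_bank` computes StoredCRC over StoredPC followed by the EPC, which is how the tag's CRC is defined. The PC field decoding follows the page's reading of bits 18h–1Fh (attribute bits and a hazmat flag when T = 0, the whole AFI when T = 1). The sample EPC is constructed and does not identify a real item.

```python
"""Parse the UII/EPC memory bank (bank 01) as a reader sees it."""

# EPC header -> coding scheme (subset from the page's header table)
EPC_HEADERS = {
    0x2D: "GSRN-96", 0x2F: "USDoD-96", 0x30: "SGTIN-96", 0x31: "SSCC-96",
    0x32: "SGLN-96", 0x33: "GRAI-96", 0x34: "GIAI-96", 0x35: "GID-96",
    0x36: "SGTIN-198", 0x37: "GRAI-170", 0x38: "GIAI-202", 0x39: "SGLN-195",
}


def crc16_gen2(data):
    """Gen2 CRC-16: polynomial x^16+x^12+x^5+1 (0x1021), preset 0xFFFF, result
    complemented. These are the CRC-16/GENIBUS parameters (check value 0xD64E)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc ^ 0xFFFF


def decode_pc(pc):
    """Split a 16-bit Protocol Control word into its fields (bit 10h is the MSB)."""
    fields = {
        "epc_words": pc >> 11,           # bits 10h-14h: UII length in words
        "umi": bool((pc >> 10) & 1),     # bit 15h: user-memory indicator
        "xi": bool((pc >> 9) & 1),       # bit 16h: XPC_W1 indicator
        "iso": bool((pc >> 8) & 1),      # bit 17h: 0 = EPCglobal, 1 = ISO (AFI follows)
    }
    fields["epc_bits"] = 16 * fields["epc_words"]
    if fields["iso"]:
        fields["afi"] = pc & 0xFF                    # bits 18h-1Fh: ISO/IEC 15961-3 AFI
    else:
        fields["attribute_bits"] = (pc >> 1) & 0x7F  # bits 18h-1Eh
        fields["hazmat"] = bool(pc & 1)              # bit 1Fh: hazardous-material flag
    return fields


def build_uii_bank(pc, epc):
    """What an encoder writes: [StoredCRC, StoredPC, EPC words...].
    StoredCRC is computed over StoredPC followed by the EPC."""
    words = [pc] + [int.from_bytes(epc[i:i + 2], "big") for i in range(0, len(epc), 2)]
    return [crc16_gen2(pc.to_bytes(2, "big") + epc)] + words


def parse_uii_bank(words):
    """Reverse of build_uii_bank, with CRC verification and header lookup."""
    stored_crc, pc = words[0], words[1]
    fields = decode_pc(pc)
    epc_words = words[2:2 + fields["epc_words"]]
    if len(epc_words) != fields["epc_words"]:
        raise ValueError("bank shorter than the length announced in the PC word")
    epc = b"".join(w.to_bytes(2, "big") for w in epc_words)
    fields["epc_hex"] = epc.hex().upper()
    fields["crc_ok"] = crc16_gen2(pc.to_bytes(2, "big") + epc) == stored_crc
    if not fields["iso"] and epc:
        fields["scheme"] = EPC_HEADERS.get(epc[0], "unknown header 0x%02X" % epc[0])
    return fields


# Constructed sample: a 96-bit SGTIN-96 (header 0x30) with UMI set, no XPC, no hazmat
SAMPLE_PC = 0b0011010000000000
SAMPLE_EPC = bytes.fromhex("30340000000000000000000A")   # constructed, not a real item
SAMPLE_BANK = build_uii_bank(SAMPLE_PC, SAMPLE_EPC)

if __name__ == "__main__":
    print(parse_uii_bank(SAMPLE_BANK))
    print("slide Example 1 PC word:", decode_pc(0b0011010001100001))
    print("slide Example 2 PC word (XXX = 000):", decode_pc(0b0100011100001010))
```

Checking `crc_ok` matters in practice: the backscattered CRC-16 is the only integrity check on the air interface, and a reader that ignores it will happily report EPCs corrupted by collisions or noise.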
48. • Basic operations
• Select: which group of tags will respond
• Inventory: identification of single tags
• Access: only used once a tag is singulated
• Tag possible states (when inventoried)
• Inventoried flag: A or B (not symmetric)
• 'A' state is the default when the tag powers up
• 4 independent inventoried flags (one for each session S0, S1, S2 and S3)
• Selected flag: SL or ~SL (not symmetric)
• Common to all sessions
• The reader may choose to inventory tags with the SL flag asserted, deasserted or both.
Logical interface – Commands & Sessions
49. • Persistence
• The amount of time the inventoried and Select flags remain set, even if the tag loses power
• Persistence times cannot be set by the user
• They can only be approximated
• Depends on the session (A/B flags only)
• Depends on the tag manufacturer and product
Logical interface – Commands & Sessions
(figure: the A/B inventoried flag and the SL/~SL selected flag)
50. • Persistence
• Tags must maintain their inventoried and SL flag values (persistence times) even when power is lost
• Sessions serve two purposes
• Determine how often a tag will respond to a query from the reader
• Allow multiple readers to conduct independent inventories
Logical interface – Commands & Sessions
Flag                  Tag powered                 Tag not powered
A/B (Session S0)      Indefinite                  None
A/B (Session S1)      500 ms < persistence < 5 s  500 ms < persistence < 5 s
A/B (Session S2)      Indefinite                  persistence > 2 s
A/B (Session S3)      Indefinite                  persistence > 2 s
Select flag (SL)      Indefinite                  persistence > 2 s
51. • Select
• Allows the reader to select the Tags that will take part in the Inventory round
• Parameters:
• Target: the SL or inventoried flag to act on and, if inventoried, which of the four sessions (S0, S1, S2 or S3) to choose
• Action: how matching (and non-matching) Tags set the flag (A->B or B->A, SL or ~SL)
• Mask: a bit string that the Tag compares to a memory location
• MemBank: the memory bank that Mask refers to (EPC, TID, User)
• Pointer: the memory start location for Mask
• Length: the number of bits of memory for Mask
• Truncate: instructs the Tag to return the whole EPC or only the part following Mask
• Multiple Select commands can define the exact Tag population that is to take part in the Inventory
• Tags shall not answer Select commands (they only set their flags as appropriate)
Logical interface – Commands & Sessions
52. • Session 0
• Tells the tag to reset each time it powers up
• This is referred to as NO PERSISTENCE
• On power-up, the S0 inventoried flag shall be set to A.
Logical interface – Commands & Sessions
(figure: an inventory round starts with A tags; after collision resolution and acknowledge, inventoried tags change their flag to B and do not answer anymore; a new inventory round starts with B tags, A tags do not answer, and a newly incoming tag (A) does not participate)
53. • Session 1
• Tells the tag to remember that it has talked, even when it loses power
• The tag's persistence lasts a maximum of 5 seconds, whether it has power or not
Logical interface – Commands & Sessions
(figure: an inventory round starts with A tags; once inventoried, tags change their flag to B and do not answer anymore; B tags go back to A after the persistence time (5 s max) and participate again; a newly incoming tag (A) participates)
54. • Sessions 2 or 3
• Tells the tag to remember that it has talked, even when it loses power
• The tag's persistence lasts a minimum of 2 seconds when power is down
Logical interface – Commands & Sessions
(figure: an inventory round starts with A tags; once inventoried, tags change their flag to B; B tags that are no longer energized keep their flag, and a B tag energized again before the end of the persistence time (2 s min) stays in state B; a newly incoming tag (A) participates)
55. • Conclusion on sessions
• Session 0 is intended for low tag density and quick tag answers
• Session 1 is intended for high tag density and static configurations
• Sessions 2 & 3 are intended for high tag density and dynamic configurations
• Sessions 2 & 3 are equivalent. They only allow two different readers, on either side of a doorway, to operate without interfering with each other.
• Please test configurations beforehand!
Logical interface – Commands & Sessions
56. • Inventory
• The inventory process uses a slotted random anti-collision algorithm to determine which Tags are present
• The command set includes Query, QueryAdjust, QueryRep, Ack and Nak
• Query is used to select Tags for the interrogation process and contains a slot-counter parameter (Q = 0 to 15)
• QueryAdjust is used to decrement or increment the Tag's Q without changing any other parameter
• QueryRep instructs Tags to decrement their slot counters and, if slot = 0 after decrementing, to backscatter an RN16 to the Interrogator
Logical interface – Commands & Sessions
• Ack is used to acknowledge a Tag response. ACK echoes the Tag's backscattered RN16
• Nak is used to force a change of state back to Arbitrate: "Oops! What is that?"
57. • Tag is a state machine
• Once energized, the tag goes into the Ready state, and on receiving a Query command will:
• Verify that it is in the selected group and, if so, randomly choose a value between 0 and 2^Q − 1.
• If it chooses 0, the Tag immediately transitions to the Reply state, backscattering a 16-bit random number (RN16).
• If there is no collision (no other tag chose slot 0), the reader acknowledges with an Ack containing the same 16-bit random number.
• The Tag now changes to the Acknowledged state and backscatters its PC, EPC and a 16-bit CRC.
• The reader then sends a QueryAdjust or QueryRep, causing the identified Tag to invert its inventoried flag (A->B or B->A) and to transition to the Ready state.
Logical interface – Tag states
58. • Tag is a state machine
• If a Tag chooses a non-zero time slot, it stores that number in its slot counter, goes into the Arbitrate state and awaits further commands
• If more than one Tag responds, the reader cannot resolve the collision and will not send a valid Ack, so each Tag returns to Arbitrate. These unacknowledged Tags with slot counter = 0 will choose a new slot-counter value (between 0 and 2^Q − 1) at the next Query or QueryAdjust.
Logical interface – Tag states
• The reader can issue a QueryAdjust or QueryRep command, which causes each unresolved Tag to decrement its slot counter
• Tags reply when their slot counters reach zero
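The slotted-random anti-collision of slides 18–19 and 56–58, simulated end to end as an added example (not code from the original slides). Each round is one Query with the target flag A followed by 2^Q − 1 QueryReps; a single reply is ACKed and the tag flips its inventoried flag to B, a collision leaves the colliding tags for the next Query, and Q is adjusted with the Gen2 Annex D rule (Qfp += C on a collision, −= C on an empty slot, C = 0.3 here, which is an assumed value inside the range the annex suggests). The reader stops when a round is completely silent, which is only possible once every tag in range carries the other flag.

```python
"""Slotted-random anti-collision (Query / QueryRep / ACK) with Q adjustment."""
import random

C_STEP = 0.3  # Q-algorithm constant; Gen2 Annex D suggests 0.1 < C < 0.5


class Tag:
    def __init__(self, epc):
        self.epc = epc
        self.inventoried = "A"   # inventoried flag of the session the reader uses
        self.slot = None         # slot counter; None = not taking part in this round

    def on_query(self, q, target, rng):
        """Query: a tag whose flag matches the target draws a slot in [0, 2^Q - 1]."""
        self.slot = rng.randrange(2 ** q) if self.inventoried == target else None

    def on_query_rep(self):
        """QueryRep: decrement the slot counter. A tag already at 0 (it replied and was
        not acknowledged) wraps to 7FFFh in the spec; here it simply leaves the round."""
        if self.slot is None:
            return
        self.slot = self.slot - 1 if self.slot > 0 else None


def inventory_round(tags, q, target, rng):
    """One Query followed by 2^Q - 1 QueryReps.
    Returns (EPCs read, collisions, empty slots, Q to use for the next round)."""
    for t in tags:
        t.on_query(q, target, rng)
    read, collisions, empties, q_fp = [], 0, 0, float(q)
    for _ in range(2 ** q):
        replying = [t for t in tags if t.slot == 0]   # tags backscattering an RN16 now
        if len(replying) == 1:
            tag = replying[0]
            # single reply: reader ACKs the RN16, tag sends PC+EPC+CRC and flips A<->B
            read.append(tag.epc)
            tag.inventoried = "B" if target == "A" else "A"
            tag.slot = None
        elif len(replying) > 1:
            collisions += 1                       # reader cannot decode: no valid ACK
            q_fp = min(15.0, q_fp + C_STEP)
        else:
            empties += 1
            q_fp = max(0.0, q_fp - C_STEP)
        for t in tags:
            t.on_query_rep()
    return read, collisions, empties, round(q_fp)


def run_inventory(tags, q=4, target="A", seed=None, max_rounds=200):
    """Repeat rounds (a new Query with the adjusted Q) until a round is silent."""
    rng = random.Random(seed)
    stats = {"rounds": 0, "collisions": 0, "empties": 0, "q_history": [], "epcs": []}
    for _ in range(max_rounds):
        read, col, emp, q_next = inventory_round(tags, q, target, rng)
        stats["rounds"] += 1
        stats["collisions"] += col
        stats["empties"] += emp
        stats["q_history"].append(q)
        stats["epcs"].extend(read)
        if not read and col == 0:
            break        # nobody answered: every tag in range now carries the other flag
        q = q_next
    return stats


if __name__ == "__main__":
    population = [Tag("EPC%02d" % i) for i in range(30)]
    result = run_inventory(population, q=2, seed=7)
    print(len(result["epcs"]), "tags read in", result["rounds"], "rounds;",
          result["collisions"], "collisions; Q went", result["q_history"])
```

Starting with Q = 2 for 30 tags makes the first rounds almost pure collisions, so the Q history shows the algorithm climbing before settling; starting too high instead wastes empty slots, which is why readers adjust Q rather than fixing it.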
61. Logical interface – Access commands
• Access
• Before using Access commands, the Reader has to send a Req_RN (request random number).
• The Tag transitions from Acknowledged to Open (or to Secured if the access password is 0)
• The Tag returns a new random number (RN16) called the handle
• The handle is a required parameter of the following Access commands
• Use cover-coded data, or encrypted data (V2.0.0)
Command     Mandatory/Optional  Accepted in state
Read        Mandatory           Open or Secured
Write       Mandatory           Open or Secured
Kill        Mandatory           Open or Secured
Lock        Mandatory           Secured only
Access      Optional            Open or Secured
BlockWrite  Optional            Open or Secured
BlockErase  Optional            Open or Secured
62. Logical interface – Access commands
• Read
• This Access command allows the reader to read part or all of a Tag's Reserved, EPC, TID or User memory
• Write
• This access command allows tag memory location to be changed. This
concerns Reserved, EPC, TID and User memory
• Parameters are:
• handle (RN16)
• MemBank (memory to access)
• WordPtr (address to be written)
• Data (16 bits word to write)
• CRC-16 (CheckSum)
• New handle requested for each Write command
• Data is sent cover-coded or encrypted (new V2.0.0)
63. Logical interface – Access commands
• Kill
• This Access command will permanently disable a tag
• This is a 2 stage command:
• Containing the cover coded 16 MSB of the Kill password
• Containing the cover coded 16 LSB of the Kill password
• Before each Kill command a new handle is requested
• In response to a successful Kill command, the tag backscatters its handle and never responds again
• If the kill password is 0 (default setting), a tag cannot be killed
64. Logical interface – Access commands
• Lock
• This Access command allows a reader to:
• Lock individual passwords, preventing
subsequent reads or writes.
• Lock individual memory banks,
preventing subsequent writes.
• Permalock (permanently lock) the lock
status of passwords or memory banks
• Permalock bits, once set, cannot be
changed
• The lock bits cannot be read directly but
inferred by other memory operations
• The Tag will indicate success, error or
failure
• The Tag has to be in Secured state for the
command to be accepted
65. Logical interface – Access commands
• Access
• This optional command will allow a reader to transition a Tag with a
non-zero access password, from an Open to a Secured state.
• This is a 2 stage command:
• Containing the cover coded 16 MSB of the Access password
• Containing the cover coded 16 LSB of the Access password
• BlockWrite
• This optional command will allow a reader to
write multiple blocks to a Tag’s Reserved, EPC,
TID or User memory.
• Data is not sent encrypted
• BlockErase
• This optional command will allow a reader to
erase multiple blocks to a Tag’s Reserved, EPC,
TID or User memory.
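The Req_RN / handle / cover-coding flow of slides 61–65, modelled in Python as an added example (not the page's own code): the tag hands out a handle on the first Req_RN, then one fresh RN16 per Req_RN, and a cover-coded word is simply the word XORed with that RN16; Kill is sent as two 16-bit halves, each under its own cover, and never executes when the stored password is zero. The `eavesdrop` function shows the caveat a practitioner wants here: the RN16 travels on the tag-to-reader link, which is weak but not secret, so anyone who captures both directions strips the cover and recovers the written data and the kill password. That is the weakness the encrypted commands of Gen2 V2.0.0 are meant to close. The tag model and its RN16 source (`secrets`) are illustrative assumptions.

```python
"""Req_RN, handle and cover-coded Write / Kill as in Gen2 v1."""
import secrets


def cover(word, rn16):
    """Cover-coding is a plain XOR with a one-time RN16 supplied by the tag."""
    return (word ^ rn16) & 0xFFFF


class Gen2Tag:
    def __init__(self, kill_password):
        self.kill_pw = kill_password & 0xFFFFFFFF   # 0 = Kill can never execute
        self.memory = {}
        self.handle = None          # allocated by the first Req_RN after ACK
        self.pending_rn16 = None    # RN16 waiting to be used as a cover
        self.kill_msb = None        # first half of the Kill password, once received
        self.killed = False

    def req_rn(self, rn_in):
        """First Req_RN (parameter = acknowledged RN16) moves the tag to Open/Secured
        and returns the handle; later ones (parameter = handle) return a fresh RN16."""
        if self.killed:
            return None
        rn = secrets.randbits(16)
        if self.handle is None:
            self.handle = rn
        elif rn_in == self.handle:
            self.pending_rn16 = rn
        else:
            return None
        return rn

    def _uncover(self, coded, handle):
        if handle != self.handle or self.pending_rn16 is None:
            return None
        word, self.pending_rn16 = cover(coded, self.pending_rn16), None  # one RN16 per word
        return word

    def write(self, word_ptr, coded_word, handle):
        word = self._uncover(coded_word, handle)
        if word is None:
            return False
        self.memory[word_ptr] = word
        return True

    def kill(self, coded_half, handle):
        """Two-stage Kill: 16 MSB first, then 16 LSB, each under its own cover."""
        half = self._uncover(coded_half, handle)
        if half is None or self.kill_pw == 0:
            return False
        if self.kill_msb is None:
            self.kill_msb = half
            return True
        matched = ((self.kill_msb << 16) | half) == self.kill_pw
        self.kill_msb = None
        self.killed = matched
        return matched


def reader_write(tag, air, word_ptr, word):
    """Reader side: Req_RN -> RN16, then Write carrying the covered word."""
    rn16 = tag.req_rn(tag.handle)
    if rn16 is None:
        return False
    air.append(("T->R", rn16))      # the RN16 crosses the weak backscatter link
    coded = cover(word, rn16)
    air.append(("R->T", coded))     # the covered word crosses the strong forward link
    return tag.write(word_ptr, coded, tag.handle)


def reader_kill(tag, air, kill_password):
    ok = True
    for half in ((kill_password >> 16) & 0xFFFF, kill_password & 0xFFFF):
        rn16 = tag.req_rn(tag.handle)
        if rn16 is None:
            return False
        air.append(("T->R", rn16))
        coded = cover(half, rn16)
        air.append(("R->T", coded))
        ok = tag.kill(coded, tag.handle) and ok
    return ok


def eavesdrop(air):
    """Anyone who captured both directions strips every cover: XOR is its own inverse."""
    recovered, rn16 = [], None
    for direction, value in air:
        if direction == "T->R":
            rn16 = value
        elif rn16 is not None:
            recovered.append(cover(value, rn16))
            rn16 = None
    return recovered


def demo(kill_password=0xDEADBEEF):
    """Write one word, then kill the tag; return what an eavesdropper recovered."""
    tag = Gen2Tag(kill_password)
    tag.req_rn(0x1234)              # constructed: the RN16 the reader just ACKed
    air = []
    wrote = reader_write(tag, air, 0x20, 0xABCD)
    killed = reader_kill(tag, air, kill_password)
    return tag, wrote, killed, eavesdrop(air)


if __name__ == "__main__":
    tag, wrote, killed, leaked = demo()
    print("write ok:", wrote, "| killed:", killed,
          "| eavesdropper recovered:", [hex(w) for w in leaked])
```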
67. New Gen2V2 features
• Untraceable
• Crypto suites standardized by ISO (29167-x series)
• No product available right now
68. G2 feature map (figure): Item Authentication (NFC); Cryptographic Security (NFC, HF); Short Read Range (NFC, HF); Long Read Range (Gen2); Fast Inventory (Gen2); Large Tag Populations (Gen2); Loss Prevention (EAS); Files & File Management (new); File Privileges (new); Consumer Privacy (new)
New Gen2V2 features
• G2 is a superset of all existing RFID technologies
• Existing UHF Gen2 + new concepts/ideas
• HF/NFC concepts
• Legacy EAS concepts
• Backward compatible with Gen 2 v1.2.0
69. In today's UHF Gen2 protocol:
Gen2 today   Definition
Select       Select a population of tags
Inventory    Inventory selected tags; get their EPCs
Access       Read/write/lock tag memory; kill the tag
New in the UHF Gen2 V2 protocol (= G2):
G2 enhancement    Definition
Anticounterfeiting  Authenticate a tag as genuine
Security            Modify tag information securely
File Management     Create files and assign access privileges
Untraceability      Hide tag data to protect consumer privacy
Loss Prevention     Use a tag for EAS
New Gen2V2 features
70. Today's Gen2 RFID:
• Reader reads the static TID from tag memory (Read TID -> TID)
• A counterfeiter can clone the tag by copying the TID
G2 RFID:
• Reader sends a random challenge (RN); the tag computes its response from the reader's random challenge and the tag's secret key (Challenge (RN) -> Response)
• A counterfeiter cannot clone the tag without knowing the secret key
G2 for Cryptographic Anticounterfeiting
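The two checks of slide 70 side by side, as an added example that is not part of the original slides: a static-TID check passes any copy, while a challenge-response check defeats a clone that has the TID but not the key, and a replayed response only works if the reader is careless enough to reuse a challenge. The ISO/IEC 29167 crypto suites use block ciphers such as AES; here HMAC-SHA-256 from the Python standard library stands in for the tag's keyed function, and the TID and key values are constructed.

```python
"""Static TID versus challenge-response tag authentication."""
import hashlib
import hmac
import secrets

TAG_TID = bytes.fromhex("E2801160200070A8A0E5")                   # constructed, not a real chip
TAG_KEY = bytes.fromhex("000102030405060708090A0B0C0D0E0F")       # constructed 128-bit key


class GenuineTag:
    def __init__(self, tid, key):
        self.tid, self._key = tid, key

    def read_tid(self):
        return self.tid

    def authenticate(self, challenge):
        """Response = MAC_key(TID || challenge), truncated to 64 bits as a tag would."""
        return hmac.new(self._key, self.tid + challenge, hashlib.sha256).digest()[:8]


class ClonedTag:
    """A counterfeiter copied everything readable: the TID and one overheard exchange."""
    def __init__(self, tid, captured=None):
        self.tid = tid
        self.captured = captured or {}

    def read_tid(self):
        return self.tid

    def authenticate(self, challenge):
        # replay what was overheard for this exact challenge; otherwise it can only guess
        return self.captured.get(challenge, bytes(8))


def verify_by_tid(tag, expected_tid):
    """Today's Gen2 check: compare the static TID. Any copy passes."""
    return tag.read_tid() == expected_tid


def verify_by_challenge(tag, key, challenge=None):
    """G2-style check: fresh random challenge, response recomputed on the reader side."""
    challenge = challenge or secrets.token_bytes(8)
    expected = hmac.new(key, tag.read_tid() + challenge, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(tag.authenticate(challenge), expected)


def demo():
    genuine = GenuineTag(TAG_TID, TAG_KEY)
    old_challenge = bytes.fromhex("0011223344556677")        # constructed, overheard once
    clone = ClonedTag(TAG_TID, {old_challenge: genuine.authenticate(old_challenge)})
    return {
        "tid_check_genuine": verify_by_tid(genuine, TAG_TID),
        "tid_check_clone": verify_by_tid(clone, TAG_TID),
        "crypto_check_genuine": verify_by_challenge(genuine, TAG_KEY),
        "crypto_check_clone": verify_by_challenge(clone, TAG_KEY),
        "crypto_check_clone_reused_challenge": verify_by_challenge(clone, TAG_KEY, old_challenge),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-38s %s" % (check, result))
```

The last entry is the operational point: the security of the scheme rests on the reader never repeating a challenge, and on the key staying on the tag and the verifier (key distribution is exactly what the KeyUpdate and privilege commands on the next slide are for).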
71. G2 security commands
Command        Function
Challenge      Challenges multiple tags simultaneously
Authenticate   Performs tag, reader, or mutual authentication
AuthComm       Authenticates a tag message with a MAC
SecureComm     Encrypts a tag message
KeyUpdate      Updates a tag's stored key
FilePrivilege  Alters a reader's privileges to a file
TagPrivilege   Alters a reader's privileges to the tag
G2 for Cryptographic Anticounterfeiting
72. Tag Memory
Key Concept: Partition User Memory into Files
Readers have per-file read, write,
and lock privileges
G2 supports up to 1023 files, each of
which can be up to ~2 Mbytes in size
G2 for File Management
73. Key Concept: Hide Portions of Tag Memory
(figure: tag memory areas, each with its hiding options: "hide none or all", "hide none, the unique serialization, or all", "hide none, part, or all")
Protected by range reduction, access privileges, or both
G2 for Consumer Privacy: Untraceable
74. Part 2: PRIVACY IMPACT ASSESSMENT
Introduction
RFID and privacy
RFID operator
Legal Environment
Chart of fundamental rights of European Union
Directive 95/46/EC and French “Loi Informatique et Libertés”
Recommendation 2009/387/EC, Mandate M436 et EN 16571
Future European Regulation
Privacy Impact Assessment (PIA/EIVP)
PIA levels
PIA process: the 9 steps
Risk Analysis
Data, Threats, Vulnerabilities, Countermeasures, Residual risk
EN 16571 / ISO 27005 vs. EBIOS
EN 16571
Registration Authority
CSL/CNRFID Software
Agenda
75. Privacy is a fuzzy concept but can be summarized as…
"the claim of individuals to determine for themselves when, how and to what extent information about them is communicated to others"
Information: personal data
Data protection
collection, accuracy, protection and use of the data collected by an organization
Data security
protection of the collected data
Notion of personal consent
Opt-in
Opt-out
Personal data and privacy classification
Physical (bodily integrity)
Personal behaviour (political, religious, sexual, …)
Personal communications (phone, e-mails, social networks, …)
Personal information (gender, age, …)
Spatial privacy (locations, travels, …)
Introduction: Privacy concept
76. Citizens use more and more RFID technologies
Ticketing (transportation and events)
Payment (small amounts without PIN code)
Identity (passport, driving licence)
NFC applications…
Citizens are surrounded by RFID tags
Everyday products (textiles, library books, …)
Luxury goods (authentication, certificates, …)
First developed for logistics, inventory, article surveillance, …
Data can identify people directly…
Name, address, etc.
Generally secured HF protocols (the first use cases)
… or indirectly
Unique identifiers (TID, EPC, …)
Combined with other data, they could impact privacy
Introduction: RFID everywhere?
78. Introduction: RFID operator
The definition is given in Recommendation 2009/387/EC:
'RFID application operator' or 'operator' means the natural or legal person, public authority, agency, or any other body, which, alone or jointly with others, determines the purposes and means of operating an application, including controllers of personal data using a RFID application
Organizations that read RFID tags…
… and organizations that write (encode) a tag
The RFID operator is responsible for carrying out a PIA
79. Privacy: European Regulations
Directive 95/46/EC
on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Transposed into French national law: "Loi Informatique et Libertés"
Charter of Fundamental Rights of the EU (2000/C 364/01)
Art. 8, right to the protection of personal data
Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
Compliance with these rules shall be subject to control by an independent authority.
In France, that authority is the CNIL!
80. Privacy: European Regulations
Recommendation 2009/387/EC
Due to potential massive RFID deployment, the European Commission issued a
Recommendation (May 2009)
« on the implementation of privacy and data protection principles
in applications supported by RFID »
Title
Data protection: Not only personal data
Definition and scope
All RFID technologies (NFC and contactless smart cards included)
All kind of application, including… governmental applications, with exceptions
being rare
For retail sector (direct link to the consumer) there are rules when deactivation of
the tag is required
81. Focus on tag deactivation at the Point of Sale
Once the tag leaves the « controlled domain »
Logic deactivation:
Secured deactivation (Kill + passwords)
Unsecured deactivation (Kill with one password for the entire application)
Reduced read range????
Hardware:
Tag destruction (strong electromagnetic wave,…)
Tag removal
Privacy
(European Recommendation)
82. The Recommendation does not oblige the operator to deactivate the tags at the PoS if the RFID operator undertakes a Privacy Impact Assessment (PIA) and proves that the risk is limited
Systematic deactivation (OPT-IN) in case of a high level of risk.
A simple, immediate and free way to disable the tag at the PoS must be provided in case of a medium level of risk (OPT-OUT)
Privacy Impact Assessment (PIA)
Identifies the impact of the implementation of the application with respect to personal data and privacy
The PIA has to be undertaken by the RFID operator!
Level of detail consistent with the level of risk
Privacy
(Recommendation)
83. Privacy, PIA Framework
To help the RFID operators in the PIA process,
European Commission gathers stakeholders
to draft a Framework
This Framework has been accepted by Art. 29
WP and endorsed by European Commission in
January 2011
85. Privacy: one word on M/436
December 2008: the European Commission issued Mandate 436
The mandate is issued to CEN, ETSI and CENELEC (only CEN and ETSI participate)
Phase 1: propose a gap analysis of existing standards related to RFID, data protection and privacy protection. A joint technical committee is chaired by CNRFID
May 2011: the phase 1 report underlines that there is no existing standard related to the PIA process and signage (public awareness)
January 2012: kick-off meeting (KoM) of phase 2: the goal is to publish standards within a 2-year time frame (only CEN is involved)
July 2014: publication of 2 major standards
EN 16570: Signage and public awareness
EN 16571: PIA process for RFID applications
July 2014: CNRFID became the Registration Authority for EN 16571
86. Future European Regulation
Future Regulation on Data Protection
Supersedes Directive 95/46/CE
Regulation: no need to transpose it into national law
Art.33 makes Privacy Impact Assessment Mandatory
Art. 32a: Respect to risk
The controller, or where applicable the processor, shall carry out a risk analysis of the
potential impact of the intended data processing on the rights and freedoms of the data
subjects, assessing whether its processing operations are likely to present specific risks
Art. 33: Data Protection Impact Assessment
The controller shall carry out an assessment of the impact of the envisaged processing
operations on the rights and freedoms of the data subjects, especially their right to
protection of personal data
Art. 33: Describes the minimal requirements …
87. Future European Regulation
The DPIA shall contain …
a systematic description of the envisaged processing operations and the
purposes of the processing
an assessment of the necessity and proportionality of the processing
operations in relation to the purposes
an assessment of the risks to the rights and freedoms of data subjects
a description of the measures envisaged to address the risks and minimize
the volume of personal data which is processed
a list of safeguards, security measures and mechanisms to ensure the
protection of personal data
a general indication of the time limits for erasure of the different categories
of data
a list of the recipients or categories of recipients of the personal data
89. Privacy Assets and Data Types
Assets are classified in two categories
Assets that can directly identify individuals
Passport, Medical bracelet, Loyalty card, Venue-based trackable bracelets, …
Assets that when held can identify the individuals
Airline baggage tag, Tagged employee uniform, Public transport card, Retail product, Library book, …
Privacy Assets are closely related to Personal Data (wherever it is stored)
EN 16571 assesses the “value” of the data on the tag and in the application
Associated Personal Data are classified into 6 categories
PI Personal Identifier (name, email, DNA, …)
PB Personal Behaviour (age, religion, political affiliation…)
TH Tag and Hardware (RFID chip ID, IPV4/6, …)
RV Residual Value (Residual value on loyalty card, travel card, …)
TL Time and Location (start location, route, …)
IT Identity of Things (Unique Item code)
PIA Levels
90. Privacy in depth model
This model identifies all of the layers that need to be considered to assess the privacy risks associated with the RFID technology used in the application.
The top four layers are directly concerned with RFID technology, whereas the bottom four layers are concerned with the host computer and application.
PIA Levels
91. Assess the PIA Level
To assess the PIA level, you need to answer 3 basic questions.
92. What to consider regarding the PIA level?
Level 0: no PIA required
Level 1:
Risk assessment for data types other than PI and PB
Only consider threats on the RFID air interface
Level 2:
For PI and PB, only consider threats on the application layer
For other data types, consider all kinds of threats
Level 3:
For PI and PB, consider all kinds of threats
Whatever the level, don’t forget to consider the controlled and uncontrolled domains
PIA Levels
96. Asset identification and valuation
2 categories of asset
directly identifiable assets, where encoded data includes:
an individual's name
a unique chip ID
any identifier that has a one-to-one relationship with the individual
indirectly identifiable factors specific to the individual's physical, physiological,
mental, economic, cultural or social identity, as included in Directive 95/46/EC in
the definition of personal data
The value of the asset is based on the highest value of the associated data types
The value of asset is between 0 and 4 (based on ISO 27005)
EN 16571 gives a fairly exhaustive list of data types and proposes values for them
Risk Analysis: Asset
97. Example of Asset valuation
Membership card with information encoded in the RFID chip and stored in the application
Risk Analysis: Asset
98. RFID Threats are mainly based on two different attacks:
Eavesdropping
Tag activation
Eavesdropping
Listening to the communication between a tag and an interrogator
Eavesdropping distances are greater than reading distances
Information can be decoded if not cover-coded or encrypted
Tag Activation
RFID tags are operational once energized (no ON/OFF switch)
A fake reader can ask a real tag to backscatter information
Activation distances are greater than reading distances because an attacker does not
care about regulatory limits (e.g. 2 W ERP in Europe)
More and more commercial readers are available
At least 250 Million HF readers on smart phones
Many small UHF readers that have USB connections or plug into smart phones
e.g. Arete Pop (one-off price 200€) with a read range of 1 metre
Actual threats are a mix of eavesdropping and tag activation
RFID Threats
99. Physical data modification:
unauthorized changing of encoded data on the tag by deleting, modifying or adding
data
Example: changing a product code to gain some financial advantage
Tracking
Continual sequence of unauthorized tag reading
The threat can be deployed with mobile or fixed interrogators
Example: tracking of employees in known zones, tracking of customers,…
Relay Attack
Also known as “Man in the middle” attack
Allows a real tag to communicate with a real reader at long distances
Example: Access a building without authorization
Examples of RFID Threats
100. Threats are classified using 2 vectors:
The layer that is attacked (data on the tag, RFID air-interface, RFID reader,
application)
The security requirement (confidentiality, availability, integrity)
The value of the threat is either low, medium or high (ISO 27005)
The value is linked to the complexity of, and the skill required for, implementing
the threat
Threats associated with the data encoded on the RFID tag and the RFID tag
Side Channel attack (confidentiality)
Physical data modification (integrity)
Cloning (integrity)
Tag reprogramming (integrity)
Tag destruction (availability)
…
Risk Analysis: Threats
101. Threats associated with the air interface or the device interface communication
Unauthorized Tag Reading (confidentiality)
Eavesdropping or traffic analysis (confidentiality)
Crypto attacks (confidentiality)
Relay, or man-in-the-middle attack (integrity)
Replay attack (integrity)
Noise (availability)
Jamming (availability)
Malicious Blocker Tags (availability)
…
Risk Analysis: Threats
102. Threats associated with the interrogator
Side channel attack (confidentiality)
Exhaustion of protocol resources (availability)
De-synchronization attack (availability)
There is no identified threat to data integrity at the interrogator
Threats associated with the host application
Privacy and Data Protection Violations (confidentiality)
Injecting Malicious Code (integrity)
Partial/complete denial of service (availability)
Risk Analysis: Threats
103. Vulnerability can be:
Low: it is unlikely or impossible to implement a threat
Medium: it is possible (identified in research documents) to implement a
threat
High: the threat has been exploited in the real world
Taking the “exposure” time into account:
Assets that are held on a transient basis (less than 50 consecutive days) are
considered less vulnerable
Vulnerability can be reduced by one level
Example: detachable label on a retail product.
Risk Analysis: Vulnerability
104. Risk value (EN 16571 / ISO 27005)
The initial risk value is easy to compute
105. Risk value (EN 16571 / ISO 27005)
Example: library book
Asset: Unique Identifier linked to book category (data on the tag): 2
Threat: Tag activation: Medium
Vulnerability: UHF protocol, no encryption: High
Risk Value: 5/8
But exposure is less than 50 consecutive days
Risk is reduced by one
Risk Value: 4/8
106. Countermeasures are applied in order to mitigate the risk
Countermeasures are classified as:
embedded in the tags and devices (crypto)
available in the technology but requiring an action by the RFID operator (kill)
independent of the hardware and implementable by the RFID operator
(systematic removal of the tag at point of sale)
The RFID operator can advise the individual about protecting privacy (please
remove the tag yourself)
Risk Analysis: Countermeasures
107. Once countermeasures have been implemented, the risk shall be reevaluated
The basic rule (described in EN 16571) is that:
Implementation of a countermeasure reduces the risk by 1
If the RFID operator decides to remove, destroy, or render untraceable a tag
before it moves from the controlled to the uncontrolled domain, then the risk
level goes to zero.
The CSL/CNRFID software is more sophisticated:
Countermeasures’ values can be more or less than 1
Implementing multiple countermeasures against a threat reduces the risk
even more (cumulative effect with a non-linear equation)
Overall risk reduction can be more or less than 1
Risk Analysis: Countermeasures
108. The risk that has not been canceled (zeroed) is called the residual risk
This residual risk has to be compared to the benefits carried by the application
The residual risk has to be accepted by the stakeholders
The risk has to be reassessed in case of:
significant changes in the RFID application
changes in the type of information processed
reports of breaches in similar RFID applications
And in any case every year
Risk Analysis: residual risk
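Worked example, added here and not part of the slides nor of the CSL/CNRFID software, tying together slides 92 and 96 to 108: a small Python risk scorer that applies the rules stated above (asset value = highest associated data-type value, PIA-level scoping of which threats to assess, the additive risk score, the transient-exposure reduction, the basic countermeasure rule, and the residual risk that remains). It assumes the ISO 27005 additive method, with the asset value 0 to 4 and the threat and vulnerability levels Low/Medium/High counted as 0/1/2, giving a score out of 8; the slides do not print that table, but the assumption reproduces their library-book figures (2 + Medium + High = 5/8, then 4/8 after the exposure reduction). The second threat in the scenario, the countermeasure name and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# ISO 27005 additive scale (assumption, see lead-in): Low/Medium/High -> 0/1/2.
LEVEL_SCORE = {"Low": 0, "Medium": 1, "High": 2}
MAX_SCORE = 4 + 2 + 2  # asset 0..4 + threat 0..2 + vulnerability 0..2: the "x/8" on the slides


@dataclass
class Threat:
    name: str
    layer: str          # "tag data", "air interface", "interrogator" or "application" (slides 100-102)
    requirement: str    # confidentiality / integrity / availability
    likelihood: str     # threat value, Low / Medium / High (slide 100)
    vulnerability: str  # Low / Medium / High (slide 103)


@dataclass
class Asset:
    name: str
    data_types: Dict[str, int]                      # data-type code (slide 89) -> value 0..4
    transient: bool = False                         # held less than 50 consecutive days (slide 103)
    neutralised_before_uncontrolled: bool = False   # removed/destroyed/untraceable first (slide 107)

    @property
    def value(self) -> int:
        # Slide 96: the asset value is the highest associated data-type value.
        return max(self.data_types.values(), default=0)


def threats_in_scope(level: int, data_type: str, threats: List[Threat]) -> List[Threat]:
    """Slide 92: the threats that must be assessed for one data type at a PIA level."""
    sensitive = data_type in ("PI", "PB")
    if level == 0:
        return []
    if level == 1:  # non-PI/PB data only, air interface only
        return [] if sensitive else [t for t in threats if t.layer == "air interface"]
    if level == 2:  # PI/PB: application layer only; other data types: every layer
        return [t for t in threats if t.layer == "application"] if sensitive else list(threats)
    if level == 3:
        return list(threats)
    raise ValueError(f"unknown PIA level {level}")


def initial_risk(asset: Asset, threat: Threat) -> int:
    """Slides 104/105: asset value + threat value + vulnerability value, out of 8."""
    for lvl in (threat.likelihood, threat.vulnerability):
        if lvl not in LEVEL_SCORE:
            raise ValueError(f"expected Low/Medium/High, got {lvl!r}")
    return asset.value + LEVEL_SCORE[threat.likelihood] + LEVEL_SCORE[threat.vulnerability]


def exposure_adjusted(score: int, asset: Asset) -> int:
    """Slides 103/105: transient holding lowers the vulnerability one level, i.e. -1."""
    return max(0, score - 1) if asset.transient else score


def residual_risk(score: int, asset: Asset, countermeasures: List[str]) -> int:
    """Slide 107 basic rule: -1 per countermeasure; a tag neutralised before it leaves
    the controlled domain brings the risk to zero. What is left is slide 108's residual risk."""
    if asset.neutralised_before_uncontrolled:
        return 0
    return max(0, score - len(countermeasures))


def assess(asset: Asset, data_type: str, level: int, threats: List[Threat],
           countermeasures: Dict[str, List[str]]) -> List[dict]:
    """Run the whole chain and return one row per in-scope threat."""
    rows = []
    for t in threats_in_scope(level, data_type, threats):
        first = initial_risk(asset, t)
        exposed = exposure_adjusted(first, asset)
        rows.append({"threat": t.name, "layer": t.layer, "requirement": t.requirement,
                     "initial": first, "after_exposure": exposed, "max": MAX_SCORE,
                     "residual": residual_risk(exposed, asset, countermeasures.get(t.name, []))})
    return rows


# Constructed scenario reproducing the slides' library-book figures: the slide values the
# asset (unique identifier linked to book category) at 2, the "Tag activation" threat
# Medium and the vulnerability (UHF protocol, no encryption) High. The second threat and
# the countermeasure name below are constructed for illustration only.
LIBRARY_BOOK = Asset("library book tag", {"IT": 2}, transient=True)
LIBRARY_THREATS = [
    Threat("Tag activation", "air interface", "confidentiality", "Medium", "High"),
    Threat("Physical data modification", "tag data", "integrity", "Low", "Medium"),
]


def library_book_rows() -> List[dict]:
    # PIA level 1 (data type other than PI/PB): only air-interface threats are scored.
    return assess(LIBRARY_BOOK, "IT", 1, LIBRARY_THREATS,
                  {"Tag activation": ["cover-coded air-interface data (constructed)"]})


if __name__ == "__main__":
    for row in library_book_rows():
        print(f"{row['threat']} ({row['layer']}): initial {row['initial']}/{row['max']}, "
              f"after exposure {row['after_exposure']}/{row['max']}, "
              f"residual {row['residual']}/{row['max']}")
```

Running the script prints the library-book row: 5/8 initially, 4/8 after the exposure reduction, 3/8 once the single countermeasure is counted. Raising the PIA level to 3 puts the tag-data threat back in scope, and setting `neutralised_before_uncontrolled` zeroes the residual risk, which is the slide 107 rule for tags removed, destroyed or rendered untraceable before leaving the controlled domain.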
110. European Registration Authority
Role defined in the standard EN 16571 – PIA process
Privacy Capability Statement
A reference document
Clear and standardized information on product features related to privacy
for: RFID chips, tags and readers
Avoid misinterpretations of technical standards (many optional features)
and commercial manufacturers’ information (incomplete datasheets)
Allow easy comparison of different products
The Registration Authority:
Gathers information from the manufacturers
Provides this information to RFID operators
Is the single entry point in Europe
Impinj and NXP already declare their UHF products
111. European Registration Authority
Impinj and NXP declare UHF products… More to come
You can download Privacy Capability Statements from the website
112. European Registration Authority
Example of PCS
Impinj M4QT (document: UHF PCS - passive RFID chip - Impinj M4QT - 20141217.pdf)
113. PIA made easy: a devoted software
Enter Organization’s details
114. PIA made easy: a devoted software
Describe your application
116. PIA made easy: a devoted software
Choose the tags you are using in the application
In case the product is not referenced, an email is automatically sent to
support
118. PIA made easy: a devoted software
You can change the data type value
119. PIA made easy: a devoted software
Only threats that are relevant to the specific RFID protocol and the layer are
presented. These are the threats for ISO/IEC 15693 and Tag Data:
The operator can accept or change the EN 16571 suggested values
120. PIA made easy: a devoted software
Relevant countermeasures are displayed
121. The countermeasures are linked to threats, and their impact on the risk values varies
Spreadsheet Threat/Countermeasures
PIA made easy: a devoted software
122. The software displays the PIA summary, with details of
Operator details
Application description (overview)
Data on the tag
Countermeasures applied by the operator
Countermeasures the individual should apply
The risk score
Export in various formats e.g. PDF, HTML
More at: http://rfid-pia-en16571.eu
PIA made easy: a devoted software
123. RFID operators have now all the reference texts to undertake a PIA
PIA is a good practice and is not mandatory
European Recommendation
Next step: European Regulation? All ICT technologies will be covered
PIA is a good way to establish trust between operators and citizens
PIA approach could be spread to other communication and internet technologies
Governments could be a forerunner with ID applications…
Conclusion
124. Based on ISO/IEC 29160: RFID Emblem
One common Emblem (EN 16570)
125. Additional Information to be provided by RFID operators
Signage (EN 16570)
NFC tags may be read in this area for the purpose of easy NFC
Smartphone based professional data exchanges. vCard
application is available on demand and can be embedded in
your visitor badge.
vCard application is operated and controlled by French RFID
National Center (CNRFID)
A Privacy Impact Assessment has been undertaken and validated
by the French Data Protection Authority (CNIL)
PIA summary can be downloaded at
www.centrenational-rfid.com
For more information, please contact us by phone or email:
+33 494 370 937, contact@centrenational-rfid.com
126. Thank you for your attention
ctetelin@centrenational-rfid.com
www.centrenational-rfid.com