RFID Congress Masterclass: Passive UHF RFID Basics

International RFID Congress
Masterclass
-
October 2015
Claude Tételin, PhD
Chief Technical Officer

Agenda
• Part 1: Passive UHF RFID: Back to basics
• Part 2: Introduction to Privacy Impact Assessment

Part 1: Passive UHF RFID: Back to basics
 Air Interface
 Interrogator-to-Tag (R=>T) communications
 Tag-to-Interrogator (T=>R) communications
 Read Range evaluation
 Logical Interface
 Tag memory
 Sessions
 Tag states and slot counter
 New Gen2V2 features
Agenda
3

Reader -> Tag: Carrier wave (860-960MHz) is modulated
Double side band Modulation: DSB-ASK
Single side band Modulation: SSB-ASK
Phase reversal Modulation: PR-ASK
Data Encoding: PIE (Pulse Interval Encoding)
Tag -> Reader: Carrier wave is backscattered
Amplitude or Phase
Data Encoding FM0 or Miller Modified with sub-carrier
Radio Interface

Basic Operations:
Select: allows to select special tags among a bigger population. Only tags
that fit the selection criteria will answer to the reader’s commands (EPC,
TID, special features, …)
Inventory: allows to identify all the previously selected tags
Access: allows to communicate with one particular inventoried tag
Radio Interface

Modulation DSB or SSB-ASK
(R=>T) communications

Modulation PR-ASK

Modulation: parameters

Data Encoding: PIE
Tari: length (µs) of a logical ‘0’
6,25 µs < Tari < 25 µs
Question: what are the max/min available data rates?

Answer:
Max Data rate: Lenghts of Data-0 (Tari) and Data-1 have to be minimum.
Tari min = 6,25µs
Data-1 = 1,5 x Tari = 9,375µs
Probability of Data-0 and Data-1 are equal
Average bit length: (6,25+9,375)/2 = 7,8125 µs
Data Rate = 1/7,8125 µs = 128 kbit/s
Min Data rate: Lenghts of Data-0 (Tari) and Data-1 have to be maximum
Tari max = 25µs
Data-1 = 2 x Tari = 50µs
Probability of Data-0 and Data-1 are equal
Average bit length: (25+50)/2 = 37,5 µs
Data Rate = 1/37,5 µs = 26,6 kbit/s
Radio Interface

R->T Preamble
Rtcal: allows the tag to know reader data rate and to derive the decoding
threshold (pivot)
Trcal: allows an Interrogator to specify the Tag’s backscatter link frequency
(its FM0 datarate or the frequency of its Miller subcarrier)

Emission RF spectrum masks
<- Basic
Dense reader mode ->

Two different backscattering states:
High Level: the tag backscatters RF power
Low level: the tag absorbs RF power
Warning: Amplitude of observed signal could be reversed when incident
and reflected waves are out of phase.
Modulation: ASK or PSK (Tag manufacturer has the choice)
Data Encoding and Data rates: FM0 or Miller Subcarrier (chosen by
interrogator with: TRCal (FM0, Miller 2, 4 or 8) and Divide Ratio (8 or
64/3))
A Tag shall measure the length of TRcal, compute BLF (Backscatter Link
Frequency), and adjust its T=>R link rate to be equal to BLF
(T=>R) communications
𝐵𝐿𝐹 =
𝐷𝑅
𝑇𝑅𝑐𝑎𝑙 𝑥 𝑀

T=>R link rate calculation examples:
Example 1:
Suppose Tari = 6,25µs, RTcal = 2,5 Tari, TRcal = 2 RTcal, M=1 and DR=64/3.
Compute BLF
TRcal = 2 x 2,5 x 6,25 µs = 31,25 µs
BLF = (64/3) / (31,25µs x 1) = 682 kHz
BLF too far from center frequency ! In EU (ETSI) regulations
Example 2: .
Suppose Tari = 25 µs, RTcal = 3 Tari, TRcal = 3, RTcal, M=1 and DR=8.
Derive BLF
TRcal= 3 x 3 x 25µs = 225µs
BLF = 8 / (225µs x 1) = 35 kHz
BLF too near from center frequency. Poor Signal to Noise ratio.

Data Encoding FM0 (bi-phase space) :
FM0 is based on phase transitions (whatever amplitude levels)
Data 1: 1 transition in the end of symbol
Data 0: 1 transition in the mid of the symbol and another at the end
Data rates : from 40 to 640 kbit/s

Miller Encoding:
Based on phase transitions (whatever the amplitude levels)
Data 1: 1 transition in the middle of symbol
Data 0: 1 transition at the end of symbol if followed by another Data-0

Subcarrier Miller Encoding:
In ISO 18000-63 and EPC C1G2, Miller
encoding is used with a subcarrier. This allows
the backscattered signal to be shifted from
the interrogator’s carrier wave. This allows to
have a better signal to noise ratio.
The subcarrier (BLF) value is between 40 and
640 kHz.
Data Rates are between 5 and 320 kbit/s

Communications R->T->R (inventory)
Query command gives to the tag all necessary parameters (Data rates
(DR), nb of time slots, filters, …)
Selected tags backscatter a 16-bit random number (RN16)
If the tag is the only one sending RN16 in a given time slot, there is no
collision and the interrogator acknowledges (ACK) RN16.
After that, tag backscatters PC word and EPC code
Timings

Collisions and empty time slots
QueryRep indicates to uninventoried tags that they have to decrement
their slot counter
A tag only backscatters RN16 when slot counter is 0
Timings

The Friis equation:
 Isotropic antenna:
20Copyright CNRFID
Pr : power intercepted by a surface Σ at a R
(W)


4
64,1
2
 For a dipole
²4
Pr
R
Pe



Read Range Evaluation
Radiated Power

The Friis equation:
 Real antenna:
21Copyright CNRFID
Pr : Power intercepted by a surface Σ at a distance R
Equivalent Isotropic Radiated
Power (Peirp)
(W) 2
..4
1
R
GPP eer

Radiated Power

The Friis equation:
 RFID system:
22
 2
..4
1
R
GPP bsbst

tbsbst G
R
GPP  2
2
)..4( 



.4
. 2
tG

Tag antenna
Gain: Gt
Interrogator
antenna Gain:
Gbs
Power at
Interrogator
antenna: Pbs
Power
received by
the tag: Pt

Additional losses:
 Polarization (θpol)
 Antenna efficiency (θantenna)
 Approx. 25% of the feeding power is lost
 Impedance Matching (θmatching)
 Between RFID chip and tag antenna
23
matchingantennepoltbsbst G
R
GPP 









2
)..4(

Example 1: FCC regulations
 We can derive the max tag activation distance Rmax :
24Copyright CNRFID
antennepolmatching
t
tbsbs
P
GGP
R 



min_
2
2
max
.).4(
...
matchingantennepoltbsbst G
R
GPP 









2
)..4(
8,07,01
1060).4(
)33,0(64,14
62
2
max 


 
W
W
R

mR 49,6max 
f = 915 MHz ; Peirp = Pbs. Gbs = 4 W ; Pt_min = 60 μW
Θpol = 1 ; Gt = 1,64 ; Θmatching = 0,8 ; Θantenne = 0,7

Example 2 : ETSI regulations
 We can derive the max tag activation distance Rmax :
25Copyright CNRFID
f = 869 MHz ; Perp = 2 W = 3.28 Weirp ; Pt_min = 60 μW
Θpol = 1 ; Gt = 1,64 ; Θmatching = 0,8 ; Θantenne = 0,7
antennepolmatching
t
tbsbs
P
GGP
R 



min_
2
2
max
.).4(
...
8,07,01
1060).4(
)35,0(64,128.3
62
2
max 


 
W
W
R

mR 2.6max 

 Power backscattered by the tag:
 Assume that all the intercepted power is reflected by
the tag. (OK, that’s stupid but it will allow us to derive
the maximum power received by the interrogator):
Copyright CNRFID 26







 22
..4
1
..4
1
R
G
R
GPP tbsbsbsr



Where Σ is the equivalent surface of the interrogator and
 the equivalent surface of the tag antenna.

 Power backscattered by the tag:
 Remember:
27
 22
..4
1
..4
1
R
G
R
GPP tbsbsbsr






.4
.2
tG

  44
4
22
..4
..
R
GGPP tbsbsbsr





.4
.2
bsG


 Example: Derive the ratio Pr-bs/Pbs :
R = 3m ; Gbs = 10 ; RCS = 0,0214 m² ; f = 868 MHz
28
433
2
2
..4
...
R
RCSGPP bsbsbsr



43
22
43
22
3.).4(
0214,0.35,0.10
3.).4(
..


 RCSG
P
P bs
bs
bsr
dB
P
P
bs
bsr
8,5710.63,1 6
 

 Forward Link
 Tag/IC power requirements:
IC sensitivity: power required to wake-up the IC (not the tag!)
RIP: received isotropic power: power required to wake-up the tag
29
)(
2
1(max)
5)(
%30
matchingconjugateRIPP
dBRIPdBmP
RIPP
chip
chip
chip



Link Budget

 Forward Link
 Tag/IC power requirements:
30
Link Budget

 Forward and Reverse Link
 Tag modulation efficiency (m):
-3dB: ON/OFF keying modulation
-3dB: Tag antenna / IC matching (re-radiation)
Total: -6dB (m=0,25)
 Receiver sensitivity:
Minimum power that the reader can detect
31
Link Budget

Perfect case:
32
Link Budget

 Read range limited by tag performance
33
Link Budget

 Read Range limited by interrogator performance
34
Link Budget

 Tag / IC overdrive:
When IC power is over IC minimum required power,
Modulation efficiency drops to 10-15%
Because: IC consumes constant energy so tag detunes
M = -12dB (m=0,25)
Copyright CNRFID 35
Link Budget

Old vs New ICs: read range is limited by reader performances
Copyright CNRFID 36
Link Budget

New ICs with Old readers: Surprinsing results !!!!!!!
Copyright CNRFID 37
Link Budget

• Tag memory organization
• 4 logical memory banks
• Reserved memory: (can be read-locked)
• kill password shall be stored at memory addresses 00h to 1Fh
• 32-bit “Kill” password allows a Tag to be permanently silenced
• The default Kill password value is zero
• The Kill command will only execute if the password has been set, i.e. is non-zero
• access password shall be stored at memory addresses 20h to 3Fh.
• It allows the tag to be in the secured state.
• A tag in the secured state can execute all Access commands (eg. Writing to
locked blocks)
Logical interface - Memory

• UII memory: (or EPC Memory)
• 16 bits StoredCRC at memory addresses 00h to 0Fh
• 16 bits StoredPC at addresses 10h to 1Fh
• UII beginning at address 20h
• XPC_W1 and XPC_W2 (if any) beginning at address 210h
• TID memory:
• 8-bit ISO/IEC 15963 allocation class identifier at memory locations 00h
to 07h (E2h for EPCGlobal)
• information above 07h are for an Interrogator to uniquely identify the
custom commands and/or optional features that a tag supports
• User memory: Optional

• Tag memory organization
2Fh
00h
10h
20h
0Fh
1Fh
2Fh
MSB LSB
Bank 11
Bank 10
Bank 01
Bank 00 RESERVED
UII
TID
USER
StoredCRC [15:0]
UII [15:0]
UII [N:N-15]
…
20h
0Fh
1Fh
MSB LSB
30h 3Fh
Access Passwd [31:16]
…
00h
10h
0Fh
1Fh
MSB LSB
TID [15:0]
…
StoredPC [15:0]
210h 21Fh
…
Optional XPC_W1 [15:0]
…
00h 0Fh
MSB LSB
…
Word 0 of Block 0
00h
10h Kill Passwd [15:0]
Kill Passwd [31:16]
220h 22FhOptional XPC_W2 [15:0]
Access Passwd [15:0]
TID [31:16]

• Protocol Control (PC) word
• Bits 10h – 14h: The length of the UII that a Tag backscatters, in words:
• 00000: Zero word
• 00001: One word (addresses 20h to 2Fh in UII memory)
• 00010: Two words (addresses 20h to 3Fh in UII memory)…
• 00110: Six words (addresses 20h to 7Fh in UII memory) ie. 96 bits EPC
• 11111: 31 words (addresses 20h to 20Fh in UII memory) ie 496 bits EPC
PC
Addr
(hex)
MSB LSB
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
Name L4 L3 L2 L1 L0 UMI XI T EPC Header or ISO AFI H

• Protocol Control (PC) word
• Bit 15h: A User-memory indicator (UMI)
• 0: Tag has no user memory or no information in user memory
• 1: Tag has information in user memory
• Bit 16h: An XPC_W1 indicator (XI)
• 0: Tag has no XPC_W1 or the XPC_W1 is zero valued
• 1: Tag has a nonzero XPC_W1 (custom features, BAP, Sensor, …)
• Bits 17h – 1Fh: A numbering system identifier (NSI)
• bit 17h=0: EPCglobal Application and bits 17h-1Eh are EPC Header and
bit 1Fh is reserved for Hazardous material
• bit 17h=1: ISO application and bits 18h – 1Fh shall contain the entire AFI
defined in ISO/IEC 15961-3

• Example 1:
• PC word = 00110 1 0 0 0110000 1
• L4-L0=00110 => Six words (addresses 20h to 7Fh in UII memory) ie. 96
bits EPC/UII
• UMI=1 => information in user memory
• XI=0 => no XPC word
• T=0 => EPC application => 0110000 is the EPC Header and corresponds
to SGTIN 96
• H=1 => Hazardous material

• Example 2:
• PC word = 01000 1 1 1 XXX01010
• L4-L0=01000 => Height words (addresses 20h to 9Fh in UII memory) ie.
128 bits EPC/UII
• UMI=1 => information in user memory
• XI=1 => XPC word present
• T=1 => ISO application => xxx01010 is the AFI and corresponds to
returnable transport item (See ISO 17364)

• Encodage EPC
Everything is based on EPC code and EPC memory bank
PC word EPC 96 bits

• Encodage EPC
This Unique Number is assigned by GS1 !

• EPC Encoding
EPC Headers
Serialized Global Trade Item Number (SGTIN)
Serial Shipping Container Code (SSCC)
Global Returnable Asset Identifier (GRAI)
US Department of Defense Identifier (DOD)
Global Document Type Identifier (GDTI)
Etc.
EPC Header and Filter in ECP applications is equivalent
to AFI in ISO application…
Header
Coding
Scheme
00101101 GSRN-96
00101110
Reserved for
Future Use
00101111 USDoD-96
00110000 SGTIN-96
00110001 SSCC-96
00110010 SGLN-96
00110011 GRAI-96
00110100 GIAI-96
00110101 GID-96
00110110 SGTIN-198
00110111 GRAI-170
00111000 GIAI-202
00111001 SGLN-195
Etc…

• Basic operations
• Select: which group of tags will respond
• Inventory: identification of single tags
• Access: only used when tags are singulated
• Tag possible states (when inventoried)
• Inventoried flag: A or B (not symetric)
• 'A' state is default when the tag powers up
• 4 independent inventoried flags (one for each
session S0, S1, S2 and S3)
• Selected Flag: SL or ~SL (not symetric)
• Common to all sessions
• Reader may choose to inventory tags with SL
flag asserted, deasserted or both.
Logical interface – Commands & Sessions

• Persistence
• The amount of time the Inventory and Select Flags remain set, even
if the tag loses power
• Persistence times cannot be set by the user
• Can only be approximated
• Depends on Session (A/B flag only)
• Depends on tag manufacturer and product
A B
~SL SL

• Persistence
• Tags must maintain inventoried and SL flag values (persistence
times) even when power is lost
• Sessions serve two purposes
• Determines how often a tag will respond to a query from the reader
• Allows for multiple readers to conduct independent inventories
Flag Tag powered Tag not powered
A/B (Session S0) Indefinite None
A/B (Session S1) 500ms < persistence <5s 500ms < persistence < 5s
A/B (Session S2) Indefinite 2s < persistence
A/B (Session S3) Indefinite 2s < persistence
Select Flag Indefinite 2s < persistence

• Select
• Allows the reader to select Tags that will take part in the Inventory round
• Parameters:
• Target: The SL or Inventoried flag to select and if Inventoried which of
the four sessions (S0, S1, S2 or S3) to choose
• Action: How matching Tags set the flags (A->B or B->A)
• Mask: A bit string that the Tag compares to a memory location
• MemBank: The memory bank that Mask refers too (EPC, TID, User)
• Pointer: A memory start location for Mask
• Length: The number of bits of memory for Mask
• Truncate: Instructs Tag to return whole or part of the EPC following
Mask
• Multiple Select commands can define the exact Tag population that is to
take part in the Inventory
• Tag shall not answer to Select commands (only set flags as appropriate)

• Session 0
• Tells the tag to reset each time it powers up
• This is referred to as NO PERSISTANCE
• Up power-up, the S0 inventoried flag shall be set to A.
A
A
A
B
collision
acknowledge
B
A B
A B
acknowledge
B
B
B
A
New inventory round
starts with B tags
A tags do not answer
Inventory round
starts with A tags
Once inventoried, tags
change the flag
B tags do not answer
anymore
New incoming tag (A)
does not participate

• Session 1
• Tells the tag to remember that is has talked even when it loses power
• Tag persistence will last a maximum time of 5 seconds whether it has
power or no
A
A
A
B
collision
acknowledge
B
A B
A Backnowledge
B
B
B
A
B tags go back to A
after persistence
(5s max)
and participate again
Inventory round
starts with A tags
change the flag
B tags do not answer
anymore
participates
A

• Sessions 2 or 3
• Tells the tag to remember that is has talked even when it loses power
• Tag persistence will last a minimum of 2 seconds when power is down
A
A
A
B
collision
acknowledge
B
A B
A Backnowledge
B
B
B
A
B tag is energized again
before end of
persistence
(2s min)
and stay in B state
Inventory round
starts with A tags
change the flag
B tags are no more
energized
participates

• Conclusion on sessions
• Session 0 reserved for low tag density and quick tag answer
• Session 1 reserved for high tag density and static configurations
• Sessions 2 & 3 reserved for high tag density and dynamic configurations
• Sessions 2 & 3 are equivalent. They only allow to put 2 different readers
back and forth of a doorway without interference.
• Please test configurations before !

• Inventory
• Inventory process uses a slotted random anti-collision algorithm to
determine which Tags are present
• Command set includes Query, QueryAdjust, QueryRep, Ack and Nak
• Query is used to select Tags for the interrogation process and contains a slot-
counter value (Q = 0 to 15)
• QueryAdjust is used to decrement or increment the Tag’s slot-counter
without changing any other parameters.
• QueryRep instructs Tags to decrement their slot counters and, if slot=0 after
decrementing, to backscatter an RN16 to the Interrogator
• Ack is used to acknowledge a Tag
response. ACK echoes the Tag’s
backscattered RN16
• Nak is used to force a change of
state back to Arbitrate: OUPS! What
is that?

• Tag is a state machine
• Once energized, the tag goes in the Ready state, and on receiving a Query
command will:
• Verify that it is in the selected group and if so, choose randomly a
value between 0 and 2Q -1.
• If he chooses 0, the Tag will immediately transition to the Reply state,
backscattering a 16-bit (RN16) random number.
• If there is no collision (any other tag choose slot 0), the reader
acknowledges with an Ack (containing the same 16-bit random
number).
• This Tag now changes to Acknowledged state and backscatters its PC,
EPC and the 16-bit CRC.
• A reader now sends a QueryAdjust or QueryRep causing the
identified Tag to invert its Inventoried flag ( A-> B, or B -> A) and to
transition to Ready state.
Logical interface – Tag states

• Tag is a state machine
• If a Tag chooses a non-zero value time slot, it will store that number
in its slot-counter and will go in Arbitrate state and await further
commands
• If more than one Tag responds, the reader cannot resolve the
collision and will not send a valid Ack so that each Tag will return to
Arbitrate. These un-acknowledged Tags with slot-counter =0 will
choose a new slot-counter value (between 0 and 2Q-1).
•The reader can issue a QueryAdjust or
QueryRep command which causes
each unresolved Tag to decrement its
slot-counter
• Tags will reply when their slot-
counters get to zero

• Inventory states
Logical interface - States

• Inventory Commands (example)

Logical interface – Access commands
• Access
• Before using Access commands, Reader has to send a Req_RN
(request random number).
• Tag transits from Acknowledge to Open (or Secured if password is 0)
• Tag returns a new random number (RN16) called Handle
• Handle is required as parameter for the following Access commands
• Read
• Write
• Kill
• Access
• BlockWrite
• BlockErase
• Lock
• Use cover-coded data or encrypted data (V2.0.0)
Mandatory
Optional
Mandatory
Open or Secured
State
Secured state only

• Read
• This Access command allows the reader to read part or all Tag’s
Reserved, EPC, TID or User memory
• Write
• This access command allows tag memory location to be changed. This
concerns Reserved, EPC, TID and User memory
• Parameters are:
• handle (RN16)
• MemBank (memory to access)
• WordPtr (address to be written)
• Data (16 bits word to write)
• CRC-16 (CheckSum)
• New handle requested for each Write command
• Data is sent cover-coded or encrypted (new V2.0.0)

• Kill
• This Access command will permanently disable a tag
• This is a 2 stage command:
• Containing the cover coded 16 MSB of the Kill password
• Containing the cover coded 16 LSB of the Kill password
• Before each Kill command a new handle is requested
• In response to a Kill command, the tag backscatters a handle and
never responds again
• If kill password is 0
(default setting), a tag cannot be killed

• Lock
• This Access command allows a reader to:
• Lock individual passwords, preventing
subsequent reads or writes.
• Lock individual memory banks,
preventing subsequent writes.
• Permalock (permanently lock) the lock
status of passwords or memory banks
• Permalock bits, once set, cannot be
changed
• The lock bits cannot be read directly but
inferred by other memory operations
• The Tag will indicate success, error or
failure
• The Tag has to be in Secured state for the
command to be accepted

• Access
• This optional command will allow a reader to transition a Tag with a
non-zero access password, from an Open to a Secured state.
• This is a 2 stage command:
• Containing the cover coded 16 MSB of the Access password
• Containing the cover coded 16 LSB of the Access password
• BlockWrite
• This optional command will allow a reader to
write multiple blocks to a Tag’s Reserved, EPC,
TID or User memory.
• Data is not sent encrypted
• BlockErase
• This optional command will allow a reader to
erase multiple blocks to a Tag’s Reserved, EPC,
TID or User memory.

Logical interface – Security
• Access and security states

New Gen2V2 features
• Untraecable
•Crypto suites standardized by ISO
(29167-X series)
• No product available right now

Item
Authentication
(NFC)
Long Read
Range (Gen2)
Files & File
Management
(New)
File
Privileges
(New)
Fast
Inventory
(Gen2)
Short Read
Range
(NFC, HF)
Cryptographic
Security
(NFC, HF)
Large Tag
Populations
(Gen2)
Loss
Prevention
(EAS)
G2
Consumer
Privacy
(New)
New Gen2V2 features
• G2 is a superset of all existing RFID technologies
• Existing UHF Gen2 + new concepts/ideas
• HF/NFC concepts
• Legacy EAS concepts
• Backward compatible with Gen 2 v1.2.0

Gen2 Today Definition
Select Select a population of tags
Inventory Inventory selected tags; get their EPCs
Access Read/write/lock tag memory; kill the tag
New in UHF Gen2 V2 protocol = G2
In today’s UHF Gen2 protocol
G2 Enhancements Definition
Anticounterfeiting Authenticate a tag as genuine
Security Modify tag information securely
File Management Create files and assign access privileges
Untraceability Hide tag data to protect consumer privacy
Loss Prevention Use a tag for EAS
New Gen2V2 features

• Reader reads static TID from
tag memory
• Counterfeiter can clone tag
by copying TID
Today’s Gen2 RFID G2 RFID
Read
TID
Challenge (RN)
Response
• Tag computes response from reader’s
random challenge
and tag’s secret key
• Counterfeiter cannot clone tag
without knowing secret key
TID Key
G2 for Cryptographic Anticounterfeiting

Command Function
Challenge Challenges multiple tags simultaneously
Authenticate Performs tag, reader, or mutual authentication
AuthComm Authenticates a tag message with a MAC
SecureComm Encrypts a tag message
KeyUpdate Updates a tag’s stored key
FilePrivilege Alters a reader’s privileges to a file
TagPrivilege Alters a reader’s privileges to the tag
G2 for Cryptographic Anticounterfeiting

Tag Memory
Key Concept: Partition User Memory into Files
Readers have per-file read, write,
and lock privileges
G2 supports up to 1023 files, each of
which can be up to ~2 Mbytes in size
G2 for File Management

Hide none or all
Hide none, unique serialization, or all
Hide none, part , or all
Hide none, part , or all
Tag Memory
Protected by range reduction,
access privileges, or both
Key Concept: Hide Portions of Tag Memory
G2 for Consumer privacy: Untraceable

Part 2: PRIVACY IMPACT ASSESSMENT
 Introduction
 RFID and privacy
 RFID operator
 Legal Environment
 Chart of fundamental rights of European Union
 Directive 95/46/EC and French “Loi Informatique et Libertés”
 Recommendation 2009/387/EC, Mandate M436 et EN 16571
 Future European Regulation
 Privacy Impact Assessment (PIA/EIVP)
 PIA levels
 PIA process: the 9 steps
 Risk Analysis
 Data, Threats, Vulnerabilities, Countermeasures, Residual risk
 EN 16571 / ISO 27005 vs. EBIOS
 EN 16571
 Registration Authority
 CSL/CNRFID Software
Agenda
74

 Privacy is a fuzzy concept but can be summarized…
“the claim of individuals to determine for themselves when, how and to what extent
information about them is communicated to others”
 Information: Personal Data
 Data Protection
 collection, accuracy, protection and use of data collected by an organization
 Data Security
 protection of collected data
 Notion of personal consent
 Opt-In
 Opt-Out
 Personal data and privacy classification
 Physical (body integrity)
 Personal Behaviour (political, religious, sexual,…)
 Personnal communications (phone, emails, social networks, …)
 Personal information (gender, age, …)
 Spatial privacy (locations, travels,…)
Introduction: Privacy concept
75

 Citizen use more and more RFID technologies
 Ticketing (transportation and events)
 Payment (small values w/o PIN code)
 Identity (passport, driver licence)
 NFC applications…
 Citizen are surrounded by RFID tags
 Everyday life products (textile, library books,…)
 Luxury goods (authentication, certificates,…)
 First developed for logistics, inventory, article surveillance, …
 Data can identify people directly…
 Name, address, etc.
 Generally secured HF protocols (first use cases)
 Or indirectly
 Unique identifiers (TID, EPC, …)
 Combined with other data, could impact privacy
Introduction: RFID everywhere?
76

Privacy, Security, data
protection
77

Introduction: RFID operator
78
 Definition is given in the Recommendation 2009/387/EC
‘RFID application operator’ or ‘operator’ means the natural or legal person, public
authority, agency, or any other body, which, alone or jointly with others, determines
the purposes and means of operating an application, including controllers of personal
data using a RFID application
 Organizations that read RFID tags…
 … Organizations that write (encode) a tag
 The RFID operator is responsible in implementing a PIA

Privacy: European Regulations
79
 Directive 95/46/CE
 protection of individuals with regard to the processing of personal data and on the
free movement of such data
 Transposed in National French Law: “Loi Informatique et Libertés”
 Chart of fundamental rights of the UE (2000/C 364/01)
 Art. 8, right to the protection of personal data
 Everyone has the right to the protection of personal data concerning him or
her.
 Such data must be processed fairly for specified purposes and on the basis of
the consent of the person concerned or some other legitimate basis laid down
by law. Everyone has the right of access to data which has been collected
concerning him or her, and the right to have it rectified.
 Compliance with these rules shall be subject to control by an independent
authority.
 In France, such authority is CNIL !!!!

Privacy: European Regulations
80
 Recommendation 2009/387/EC
Due to potential massive RFID deployment, the European Commission issued a
Recommendation (May 2009)
« on the implementation of privacy and data protection principles
in applications supported by RFID »
 Title
 Data protection: Not only personal data
 Definition and scope
 All RFID technologies (NFC and contactless smart cards included)
 All kind of application, including… governmental applications, with exceptions
being rare
 For retail sector (direct link to the consumer) there are rules when deactivation of
the tag is required

 Focus on tag deactivation at the Point of Sale
Once the tag leaves the « controlled domain »
 Logic deactivation:
 Secured deactivation (Kill + passwords)
 Unsecured deactivation (Kill with one password for the entire application)
 Reduced read range????
 Hardware:
 Tag destruction (strong electromagnetic wave,…)
 Tag removal
Privacy
(European Recommendation)
81

 Recommendation does not oblige to deactivate the tags at PoS if RFID
operator undertakes a
Privacy Impact Assessment (PIA)
and proves that the risk is limited
 Systematic deactivation (OPT-IN) in case of high level of risk.
 To provide a simple, immediate and free way to disable the tag at PoS (medium
level of risk) (OPT-OUT)
 Privacy Impact Assessment (PIA)
 Identify the impact of the implementation of the application with respect to
personal data and privacy
 PIA has to be undertaken by the RFID operator !
 Level of detail consistent with the level of risk
Privacy
(Recommandation)
82

Privacy, PIA Framework
83
 To help the RFID operators in the PIA process,
European Commission gathers stakeholders
to draft a Framework
 This Framework has been accepted by Art. 29
WP and endorsed by European Commission in
January 2011

Privacy, PIA Framework
84
Framework tries to standardize the PIA process but…
WTF PIA
level?

Privacy: one word on M/436
85
 December 2008: European Commission issued Mandate 436
 Madate is issued to CEN, ETSI and CENELEC (only CEN and ETSI participate)
 Phase 1: propose a gap analysis of existing standards related to RFID, data
protection and privacy protection. A joint technical committee is chaired by CNRFID
 May 2011: phase 1 report underlines that there is no existing standard related to
PIA process and signage (public awareness)
 January 2012: KoM of phase 2: the goal is to publish standards in a 2 year time
frame (only CEN is involved)
 July 2014: publication of 2 major standards
 EN16570: Signage and public awareness
 EN16571: PIA process for RFID applications
 July 2014: CNRFID became the Registration Authority for EN16571

Future European Regulation
86
 Future Regulation on Data Protection
 Supersedes Directive 95/46/CE
 Regulation: no need to transpose it into national law
 Art.33 makes Privacy Impact Assessment Mandatory
 Art. 32a: Respect to risk
The controller, or where applicable the processor, shall carry out a risk analysis of the
potential impact of the intended data processing on the rights and freedoms of the data
subjects, assessing whether its processing operations are likely to present specific risks
 Art. 33: Data Protection Impact Assessment
The controller shall carry out an assessment of the impact of the envisaged processing
operations on the rights and freedoms of the data subjects, especially their right to
protection of personal data
 Art. 33: Describes the minimal requirements …

Future European Regulation
87
 The DPIA shall contain …
 a systematic description of the envisaged processing operations and the
purposes of the processing
 an assessment of the necessity and proportionality of the processing
operations in relation to the purposes
 an assessment of the risks to the rights and freedoms of data subjects
 a description of the measures envisaged to address the risks and minimize
the volume of personal data which is processed
 a list of safeguards, security measures and mechanisms to ensure the
protection of personal data
 a general indication of the time limits for erasure of the different categories
of data
 a list of the recipients or categories of recipients of the personal data

 Introduction
 RFID operator
 PIA levels
 Risk Analysis
 EN 16571 / ISO 27005 vs. EBIOS
 EN 16571
Agenda
88

 Privacy Assets and Data Types
 Assets are classified in two categories
 Assets that can directly identify individuals
Passport, Medical bracelet, Loyalty card, Venue-based trackable bracelets, …
 Assets that when held can identify the individuals
Airline baggage tag, Tagged employee uniform, Public transport card, Retail product, Library book, …
 Privacy Assets are closely related to Personal Data (wherever it is stored)
 EN 16571 assesses the “value” of the data on the tag and in the application
 Associated Personal Data are classified into 6 categories
 PI Personal Identifier (name, email, DNA, …)
 PB Personal Behaviour (age, religion, political affiliation…)
 TH Tag and Hardware (RFID chip ID, IPV4/6, …)
 RV Residual Value (Residual value on loyalty card, travel card, …)
 TL Time and Location (start location, route, …)
 IT Identity of Things (Unique Item code)
PIA Levels
89

 Privacy in depth model
 This model identifies all of the
layers that need to be considered to
assess the privacy risks associated
with the RFID technology used in
the application
 The top four layers are directly
concerned with RFID technology,
whereas the bottom four layers are
concerned with the host computer
and application
PIA Levels
90

Asses the PIA Level
91
To assess the
PIA level,
you need to
answer
3 basic
questions

 What to consider regarding the PIA level?
 Level 0: no PIA required
 Level 1:
 Risk assessment for data types other that PI and PB
 Only consider threats on the RFID air-interface
 Level 2:
 For PI and PB, only consider threats on application layer
 For other data types, consider all kind of threats
 Level 3:
 For PI and PB, consider all kind of threats
Whatever the level, don’t forget to consider the controlled and uncontrolled domains
PIA Levels
92

 Introduction
 RFID operator
 PIA levels
 Risk Analysis
 EN 16571 / ISO 27005 vs. EBIOS
 EN 16571
Agenda
95

 Asset identification and valuation
 2 categories of asset
 directly identifiable assets, where encoded data includes:
 an individual's name
 a unique chip ID
 any identifier that has a one-to-one relationship with the individual
 indirectly identifiable factors specific to the individual's physical, physiological,
mental, economic, cultural or social identity, as included in Directive 95/46/EC for
the definition of person data
 The value of the asset is based on the highest value of the associated data types
 The value of asset is between 0 and 4 (based on ISO 27005)
 EN16571 gives a list (quite exhaustive) of data types and proposes values
Risk Analysis: Asset
96

 Example of Asset valuation
Membership card with information encoded in the RFID chip and stored in the application
Risk Analysis: Asset
97

 RFID Threats are mainly based on two different attacks:
 Eavesdropping
 Tag activation
 Eavesdropping
 Listening the communication between a tag and an interrogator
 Eavesdropping distances are greater than reading distances
 Information can be decoded if not cover-coded or encrypted
 Tag Activation
 RFID tag are operational once energized (no ON/OFF switch)
 A fake reader can ask a real tag to backscatter information
 Activation distances are greater than reading distances because attacker does not
care Regulation limitations (eg. 2Werp in Europe)
 More and more commercial readers are available
 At least 250 Million HF readers on smart phones
 Many small UHF readers that have USB connections or plug into smart phones
e.g. Arete Pop (1 off price 200€) with a read range of 1 metre
 Actual threats are a mix of eavesdropping and tag activation
RFID Threats
98

 Physical data modification:
 unauthorized changing of encoded data on the tag by deleting, modifying or adding
data
 Example: changing a product code to gain some financial advantage
 Tracking
 Continual sequence of unauthorized tag reading
 The threat can be deployed with mobile or fixed interrogators
 Example: tracking of employees in known zones, tracking of customers,…
 Relay Attack
 Also known as “Man in the middle” attack
 Allow a real tag to communicate with a real reader at long distances
 Example: Access a building without authorization
Examples of RFID Threats
99

 Threats are classified using 2 vectors:
 The layer that is attacked (data on the tag, RFID air-interface, RFID reader,
application)
 The security requirement (confidentiality, availability, integrity)
 The value of the threat is either low, medium or high (ISO 27005)
 The value is linked to the complexity and required skill required for implementing
the threat
 Threats associated with the data encoded on the RFID tag and the RFID tag
 Side Channel attack (confidentiality)
 Physical data modification (integrity)
 Cloning (integrity)
 Tag reprogramming (integrity)
 Tag destruction (availability)
 …
Risk Analysis: Threats
100

 Threats associated with the air interface or the device interface communication
 Unauthorized Tag Reading (confidentiality)
 Eavesdropping or traffic analysis (confidentiality)
 Crypto attacks (confidentiality)
 Relay, or man-in-the-middle attack (integrity)
 Replay attack (integrity)
 Noise (availability)
 Jamming (availability)
 Malicious Blocker Tags (availability)
 …
101

 Threats associated with the interrogator
 Side channel attack (confidentiality)
 Exhaustion of protocol resources (availability)
 De-synchronization attack (availability)
There is no identified interrogator’s threat on data integrity
 Threats associated with the host application
 Privacy and Data Protection Violations (confidentiality)
 Injecting Malicious Code (integrity)
 Partial/complete denial of service (availability)
102

 Vulnerability can be:
 Low: it is unlikely or impossible to implement a threat
 Medium: it is possible (identified in research documents) to implement a
threat
 High: the threat has been exploited in real world
 Taking into account the “exposure” time
 Asset that is held on a transient basis (less than 50 consecutive days) are
considered as less vulnerable
 Vulnerability can be reduced by one level
 Example: detachable label on retail product.
Risk Analysis: Vulnerability
103

104
Risk value (EN 16571 / ISO 27005)
 The initial risk value is easy to compute

105
Risk value (EN 16571 / ISO 27005)
 Example: library book
 Asset: Unique Identifier linked to book category
(data on the tag): 2
 Threat: Tag activation: Medium
 Vulnerability: UHF protocol, no encryption: High
Risk Value 5/8
 But exposure is less
than 50 consecutive
days
 Risk is reduced by one
 Risk Value: 4/8

 Countermeasures are applied in order to
mitigate the risk
 Countermeasures are classified:
 embedded in the tags and devices (crypto)
 available in the technology but require an action by the RFID operator (kill)
 independent of the hardware and can be implemented by the RFID operator
(systematic removal of the tag at point of sale)
 RFID operator can advise the individual about protecting privacy (please
remove the tag yourself)
Risk Analysis: Countermeasures
106

 Once countermeasures have been implemented, the risk shall be reevaluated
 The basic rule (described in EN 16571) is that:
 Implementation of a countermeasure reduces the risk by 1
 If RFID operator decides to remove, destroy, or render untraceable a tag
before it moves from the controlled to the uncontrolled domain, then the risk
level goes to zero.
 CSL/CNRFID Software is more sophisticated
 Countermeasures’ values can be more or less than 1
 Implementation of multiple countermeasures on a threat reduces the risk
even more (cumulative effect with non linear equation)
 Overall Risk reduction can be more or less than 1
Risk Analysis: Countermeasures
107

 The risk that has not been canceled (zeroed) is called the residual risk
 This residual risk has to be compared to the benefits carried by the application
 The residual risk has to be accepted by the stakeholders
 The risk has to be reassessed in case of:
 significant changes in the RFID application
 changes in the type of information process
 reports of breaches in similar RFID applications
 And every year ….
Risk Analysis: residual risk
108

 Introduction
 RFID operator
 PIA levels
 Risk Analysis
 EN 16571 / ISO 27005 vs. EBIOS
 EN 16571
Agenda
109

European Registration Authority
 Role defined in the standard EN 16571 – PIA process
 Privacy Capability Statement
 A reference document
 Clear and standardized information on product features related to privacy
for: RFID chips, tags and readers
 Avoid misinterpretations of technical standards (many optional features)
and commercial manufacturers’ information (incomplete datasheets)
 Allow easy comparison of different products
 The Registration Authority:
 Gathers information from the manufacturers
 Provides these information to RFID operators
 Is the unique entry point in Europe
 Impinj and NXP already declare their UHF products

 Impinj and NXP declare UHF products… More to come
 You can download Privacy Capability Statement from the WebSite

 Example of PCS
 Impinj M4QT
 C:UsersctetelinDesktopUHF PCS - passive RFID chip - Impinj M4QT -
20141217.pdf

PIA made easy: a devoted software
 Enter Organization’s details

 Describe your application

 Select your Assets

 Choose the tags you are using in the application
 In case the product is not referenced, an email is automatically sent to
support

PIA made easy: a devoted softwareSelectthedatatypes

 You can change the data type value

 Only threats that are relevant to the specific RFID protocol and the layer are
presented. These are the threats for 15693 and Tag Data:
 The operator can accept or change the EN 16571 suggested values

PIA made easy: a devoted softwareRelevantCountermeasuresaredisplayed

 The countermeasures are linked to threats and impact on risk values varies
 Spreadsheet Threat/Countermeasures

 The software displays the PIA summary, with details of
 Operator details
 Application description (overview)
 Data on the tag
 Countermeasures applied by the operator
 Countermeasures the individual should apply
 The risk score
 Export in various formats e.g. PDF, HTML
 More at: http://rfid-pia-en16571.eu

 RFID operators have now all the reference texts to undertake a PIA
 PIA is a good practice and is not mandatory
 European Recommendation
 Next step: European Regulation ? All ICT technologies will be covered
 PIA is a good way to establish trust between operators and citizen
 PIA approach could be spread to other communication and internet technologies
 Governments could be a forerunner with ID applications…
Conclusion
123

Based on ISO/IEC 29160 : RFID Emblem
One common Emblem (EN 16570)
124

Additional Information to be provided by RFID operators
Signalisation (EN 16570)
125
NFC tags may be read in this area for the purpose of easy NFC
Smartphone based professional data exchanges. vCard
application is available on demand and can be embedded in
your visitor badge.
vCard application is operated and controlled by French RFID
National Center (CNRFID)
A Privacy Impact Assessment has been undertaken and validated
by the French Data Protection Authority (CNIL)
PIA summary can be downloaded at
www.centrenational-rfid.com
For more information, please contact us by phone or email:
+33 494 370 937, contact@centrenational-rfid.com Back to presentation

Thank you for your attention
ctetelin@centrenational-rfid.com
www.centrenational-rfid.com

RFID Congress Masterclass: Passive UHF RFID Basics

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à RFID Congress Masterclass: Passive UHF RFID Basics

Similaire à RFID Congress Masterclass: Passive UHF RFID Basics (20)

Plus de CNRFID

Plus de CNRFID (20)

Dernier

Dernier (20)

RFID Congress Masterclass: Passive UHF RFID Basics