0 оценок0% нашли этот документ полезным (0 голосов)
62 просмотров4 страницы
An RFID system can be used to identify many types of objects, such as manufactured goods and animals. RFID technologies support a wide range of applications-everything from asset management and tracking to access control and automated payment. The security risks for RFID systems and the controls available to address them are highly varied.
An RFID system can be used to identify many types of objects, such as manufactured goods and animals. RFID technologies support a wide range of applications-everything from asset management and tracking to access control and automated payment. The security risks for RFID systems and the controls available to address them are highly varied.
Авторское право:
Attribution Non-Commercial (BY-NC)
Доступные форматы
Скачайте в формате PDF, TXT или читайте онлайн в Scribd
An RFID system can be used to identify many types of objects, such as manufactured goods and animals. RFID technologies support a wide range of applications-everything from asset management and tracking to access control and automated payment. The security risks for RFID systems and the controls available to address them are highly varied.
Авторское право:
Attribution Non-Commercial (BY-NC)
Доступные форматы
Скачайте в формате PDF, TXT или читайте онлайн в Scribd
Bulletin SECURING RADIO FREQUENCY inter-enterprise subsystem. Each RFID ITL Bulletins are published by the Information IDENTIFICATION (RFID) system has different components and Technology Laboratory (ITL) of the National SYSTEMS customizations so that it can support a Institute of Standards and Technology (NIST). particular business process for an Each bulletin presents an in-depth discussion organization; as a result, the security risks of a single topic of significant interest to the Karen Scarfone, Editor for RFID systems and the controls information systems community. Bulletins are Computer Security Division available to address them are highly issued on an as-needed basis and are Information Technology Laboratory varied. The enterprise and inter-enterprise available from ITL Publications, National National Institute of Standards and subsystems involve common IT Institute of Standards and Technology, 100 Technology components such as servers, databases, Bureau Drive, Stop 8900, Gaithersburg, MD and networks and therefore can benefit 20899-8900, telephone (301) 975-2832. To be RFID is a form of automatic identification from typical IT security controls for those placed on a mailing list to receive future and data capture technology that uses components. bulletins, send your name, organization, and electric or magnetic fields at radio business address to this office. You will be frequencies to transmit information. An New Guidelines on RFID System placed on this mailing list only. RFID system can be used to identify many types of objects, such as manufactured Security Bulletins issued since May 2006: goods and animals. RFID technologies An Update on Cryptographic Standards, support a wide range of applications— The National Institute of Standards and Technology (NIST) Information Guidelines, and Testing Requirements, May everything from asset management and 2006 tracking to access control and automated Technology Laboratory recently published Domain Name System (DNS) Services: NIST payment. Each object that needs to be new guidelines on protecting RFID Recommendations for Secure Deployment, identified has a small electronic device systems. NIST Special Publication (SP) June 2006 known as an RFID tag affixed to it or 800-98, Guidelines for Securing RFID Protecting Sensitive Information Processed embedded within it. Each tag has a unique Systems: Recommendations of the and Stored in Information Technology (IT) identifier and may also have other features National Institute of Standards and Systems, August 2006 Technology, was written by Tom Forensic Techniques: Helping Organizations such as memory to store additional Improve Their Responses to Information information about the object, Karygiannis of NIST, and by Bernard Eydt, Greg Barber, Lynn Bunn, and Ted Security Incidents, September 2006 environmental sensors, and security Log Management: Using Computer and mechanisms. Devices known as RFID Phillips of Booz Allen Hamilton. The Network Records to Improve Information readers wirelessly communicate with the publication recommends practices for Security, October 2006 tags to identify the item connected to each initiating, designing, implementing, and Guide to Securing Computers Using Windows tag and possibly read or update additional operating RFID systems in a manner that XP Home Edition, November 2006 information stored on the tag. This mitigates security and privacy risks. Maintaining Effective Information Technology (IT) Security Through Test, Training, and communication can occur without optical The guide explains the components and Exercise Programs, December 2006 line of sight. Security Controls for Information Systems: architectures of RFID systems and the Revised Guidelines Issued by NIST, January Every RFID system includes a radio standards for RFID components, such as 2007 frequency (RF) subsystem, which is tags and readers. One section is devoted to Intrusion Detection and Prevention Systems, composed of tags and readers. The RF an overview of types of RFID applications February 2007 subsystem performs identification and and which RFID technologies are most Improving the Security of Electronic Mail: related transactions. In many RFID effective for particular applications. Other Updated Guidelines Issued by NIST, March systems, the RF subsystem is supported by topics covered in the publication include 2007 the major business risks associated with Securing Wireless Networks, April 2007 an enterprise subsystem, which contains computers running specialized software implementing RFID technology, the that can store, process, and analyze data various RFID security controls, and an acquired from RF subsystem transactions. overview of privacy regulations and RFID systems that share information controls that pertain to RFID systems in across organizational boundaries, such as federal agencies. Additional sections of the supply chain applications, also have an publication provide recommendations that organizations using RFID systems can 2 May 2007 follow throughout the system life cycle, * The general functional objective of the to the specific practices for RFID systems from initiation through operations to RFID technology (i.e., the application listed in this document. Federal agencies disposition, and present hypothetical case type); should also use NIST SP 800-37, Guide studies that illustrate how the concepts and for the Security Certification and recommendations introduced earlier in the * The nature of the information that the Accreditation of Federal Information document could work in practice. RFID system processes or generates; Systems, to evaluate their RFID system and select appropriate security controls. The appendices in NIST SP 800-98 * The physical and technical environment provide extensive supplemental at the time RFID transactions occur; NIST’s Recommendations for RFID information on the terms used in the guide, System Security and supply listings of in-print and online * The physical and technical environment resources for further exploration. Other before and after RFID transactions take NIST recommends that organizations useful listings offer additional information place; and follow these guidelines in planning, on common RFID standards and their implementing, and maintaining secure security mechanisms, as well as * The economics of the business process RFID systems: information on permissible radio exposure and RFID system. limits. ▪ When designing an RFID system, Because of the variety of RFID understand what type of application it NIST SP 800-98 is available from NIST’s applications, RFID security risks and the will support so that the appropriate website at controls available to mitigate them are security controls can be selected. http://csrc.nist.gov/publications/nistpubs/8 highly varied. Section 7 of the guide 00-98/SP800-98_RFID-2007.pdf. contains recommendations for security Each type of application uses a different practices to be applied during each phase combination of components and has a Who We Are of the RFID system’s life cycle, from different set of risks. For example, The Information Technology Laboratory (ITL) policy development to operations. protecting the information used to conduct is a major research component of the National Examples of security controls for RFID financial transactions in an automated Institute of Standards and Technology (NIST) systems are having an RFID usage policy, payment system requires different security of the Technology Administration, U.S. minimizing the storage of sensitive data on controls than those used for protecting the Department of Commerce. We develop tests and measurement methods, reference data, tags, restricting physical access to RFID information needed to track livestock. proof-of-concept implementations, and equipment, and protecting RF interfaces Some of the factors to be considered technical analyses that help to advance the and tag data. Typically, only a subset of include: development and use of new information the full range of technologies, risks, and technology. We seek to overcome barriers to controls is applicable to any given RFID * The general functional objective of the the efficient use of information technology, and implementation. RFID technology. For example, does the to make systems more interoperable, easily system need to determine the location of usable, scalable, and secure than they are Organizations need to assess the risks they an object or the presence of an object, today. Our website is http://www.itl.nist.gov. face and choose an appropriate mix of authenticate a person, perform a financial controls for their environments, taking into transaction, or ensure that certain items are RFID Applications and Security account factors such as regulatory not separated? Controls requirements, the magnitude of the threat, cost, and performance. Federal agencies * The nature of the information that the RFID technologies are being deployed by should refer to Federal Information RFID system processes or generates. One many organizations because they have the Processing Standard (FIPS) 199, application may only need to have a potential to improve mission performance Standards for Security Categorization of unique, static identifier value for each and reduce operational costs. To achieve Federal Information and Information tagged object, while another application these goals, RFID systems must be Systems, which establishes three security may need to store additional information engineered to support the specific business categories—low, moderate, and high— about each tagged object over time. The processes that the organization is based on the potential impact of a security sensitivity of the information is also an automating. Applications for RFID breach involving a particular system. NIST important consideration. technologies are diverse because of the SP 800-53 (as amended), Recommended wide range of business processes that * The physical and technical environment Security Controls for Federal Information exist. Examples of application types are at the time RFID transactions occur. This Systems, provides minimum management, asset management, tracking, authenticity includes the distance between the readers operational, and technical security controls verification, item matching, process and the tags, and the amount of time in for information systems based on the FIPS control, access control, and automated which each transaction must be performed. 199 impact categories. The information in payment. Important business drivers that NIST SP 800-53 should be helpful to * The physical and technical environment shape RFID application requirements and organizations in identifying controls that before and after RFID transactions take the resulting characteristics of RFID are needed to protect networks and place. For example, human and systems include: systems, which should be used in addition environmental threats may pose risks to 3 May 2007 tags’ integrity while the tagged objects are * Privacy risk. Personal privacy rights or authentication, access control, or in storage or in transit. Some applications expectations may be compromised if an encryption techniques commonly found in require the use of tags with sensors that RFID system uses what is considered other business IT systems. RFID standards can track environmental conditions over personally identifiable information for a specify security features including time, such as temperature and humidity. purpose other than originally intended or passwords to protect access to certain tag understood. As people possess more commands and memory, but the level of * The economics of the business process tagged items and networked RFID readers security offered differs across these and RFID system. The economic factors become ever more prevalent, organizations standards. Vendors also offer proprietary for RFID systems are different than those may have the ability to combine and security features, including proprietary for traditional IT systems. For example, correlate data across applications to infer extensions to standards-based many RFID tags offer few or no security personal identity and location and build technologies, but they are not always features; selecting tags that incorporate personal profiles in ways that increase the compatible with other components of the basic security functionality significantly privacy risk. system. Careful planning and procurement increases the cost of tags, especially if is necessary to ensure an organization’s encryption features are needed. Also, the * Externality risk. RFID technology RFID system meets its security objectives. operational cost of some basic IT security potentially could represent a threat to non- controls, such as setting unique passwords RFID networked or collocated systems, More Information and changing them regularly, may be assets, and people. For example, an higher for RFID systems because of the adversary could gain unauthorized access NIST SP 800-98 recommends that logistical challenges in managing security to computers on an enterprise network organizations follow effective practices for for thousands or millions of tags. through Internet Protocol (IP)-enabled planning, implementing, and managing RFID readers if the readers are not secure RFID systems as part of a ▪ Effectively manage risk so that the designed and configured properly. comprehensive approach to information RFID implementation will be successful. security. Many NIST publications assist Organizations need to assess the risks they organizations in developing that Like other technologies, RFID technology face and choose an appropriate mix of comprehensive approach. For information enables organizations to significantly management, operational, and technical about the following publications that are change their business processes to increase security controls for their environments. linked to RFID security and to other efficiency and effectiveness. This These organizational assessments should security-related standards and guidelines technology is complex and combines a take into account many factors, such as issued by NIST, see the web page number of different computing and regulatory requirements, the magnitude of http://csrc.nist.gov/publications/index.html communications technologies. Both the each threat, and cost and performance changes to business process and the implications of the technology or FIPS 140-2, Security Requirements for complexity of the technology generate operational practice. Cryptographic Modules. risk. The major risks associated with RFID systems are as follows: Privacy regulations and guidance are often FIPS 180-2, Secure Hash Standard (SHS). complex and change over time. Organizations planning, implementing, or FIPS 198, The Keyed-Hash Message * Business process risk. Direct attacks on Authentication Code (HMAC). RFID system components potentially managing an RFID system should consult could undermine the business processes with the organization’s privacy officer, FIPS 199, Standards for Security the RFID system was designed to enable. legal counsel, and chief information Categorization of Federal Information and For example, a warehouse that relies officer. Information Systems. solely on RFID to track items in its ▪ When securing an RFID system, select FIPS 200, Minimum Security inventory may not be able to process orders in a timely fashion if the RFID security controls that are compatible Requirements for Federal Information and system fails. with the RFID technologies the Information Systems. organization currently deploys or * Business intelligence risk. An adversary purchase new RFID technologies that NIST SP 800-30, Risk Management Guide or competitor potentially could gain support the necessary controls. for Information Technology Systems. unauthorized access to RFID-generated To be most effective, RFID security NIST SP 800-34, Contingency Planning information and use it to harm the interests of the organization implementing the controls should be incorporated throughout Guide for Information Technology RFID system. For example, an adversary the entire life cycle of RFID systems— Systems. from policy development and design to might use an RFID reader to determine operations and retirement. However, many NIST SP 800-37, Guide for the Security whether a shipping container holds expensive electronic equipment, and then RFID products support only a fraction of Certification and Accreditation of Federal target the container for theft when it gets a the possible protection mechanisms. Tags, Information Systems. positive reading. in particular, have very limited computing capabilities. Most tags supporting asset management applications do not support 4 May 2007 NIST SP 800-40, Version 2, Creating a NIST SP 800-57, Recommendation on Key NIST SP 800-97, Establishing Wireless Patch and Vulnerability Management Management, Part 1. Robust Security Networks: A Guide to Program. IEEE 802.11i. NIST SP 800-63, Electronic NIST SP 800-41, Guideline on Firewalls Authentication Guideline. Disclaimer Any mention of commercial products or reference to and Firewall Policy. commercial organizations is for information only; it NIST SP 800-64, Security Considerations does not imply recommendation or endorsement by NIST SP 800-47, Security Guide for in the Information System Development NIST nor does it imply that the products mentioned Interconnecting Information Technology Life Cycle. are necessarily the best available for the purpose. Systems. NIST SP 800-83, Guide to Malware ITL Bulletins via E-Mail NIST SP 800-48, Wireless Network Incident Prevention and Handling. We now offer the option of delivering your ITL Security: 802.11, Bluetooth and Handheld Bulletins in ASCII format directly to your e-mail Devices. NIST SP 800-90, Recommendation for address. To subscribe to this service, send an Random Number Generation Using e-mail message from your business e-mail NIST SP 800-50, Building an Information Deterministic Random Bit Generators. account to listproc@nist.gov with the message Technology Security Awareness and subscribe itl-bulletin, and your name, e.g., Training Program. NIST SP 800-92, Guide to Computer John Doe. For instructions on using listproc, Security Log Management. send a message to listproc@nist.gov with the NIST SP 800-53 Revision 1, message HELP. To have the bulletin sent to Recommended Security Controls for NIST SP 800-94, Guide to Intrusion an e-mail address other than the FROM Federal Information Systems. Detection and Prevention Systems. address, contact the ITL editor at 301-975-2832 or elizabeth.lennon@nist.gov.