NIST指南：RFID系统的安全防护

需积分: 10 49 浏览量更新于2024-07-16 收藏 1.32MB PDF 举报

“NIST SP800-98 RFID-2007.pdf”是美国国家标准与技术研究所（NIST）发布的一份关于射频识别（RFID）系统安全的指南，旨在帮助组织理解RFID技术带来的风险，并提供缓解这些风险的安全措施。这份文档提供了实用的、基于现实世界的建议，指导如何初始、设计、实施和操作RFID系统，以减轻安全和隐私风险。文档还介绍了RFID应用、标准和系统组件的背景信息，以协助理解RFID安全风险和控制。该出版物保持独立于特定的硬件平台、操作系统和应用程序，主要关注基于行业和国际标准的RFID系统，但也会提及具有当前标准中未发现的相关安全特性的专有方法。鼓励读者结合供应商出版物和其他资料，进一步探索专有方法。第6节简要概述了适用于联邦机构的隐私法律和法规。隐私问题涉及法律和政策问题，这些问题在引用的文档中有更深入的讨论。安全和隐私问题并非完全分离，例如，保护数据机密性的安全机制也服务于隐私利益。另一方面，用于临时或永久禁用RFID技术的隐私保护方法可能引入安全漏洞，因为这些机制可能被未经授权或预期之外的方式使用。此出版物主要关注资产管理、追踪、匹配、过程控制和供应链中的RFID应用。RFID技术也用于支持个人身份验证、访问控制和自动支付的非接触式智能卡。虽然此文档提供了这些领域的信息，但并未深入探讨非接触式智能卡的具体安全问题。 NIST SP800系列是NIST发布的关于信息安全的特殊出版物，SP800-98是其中关于RFID系统安全的指南，由Tom Karygiannis、Bernard Eydt、Greg Barber、Lynn Bunn和Ted Phillips等人共同撰写。NIST的计算机安全部门隶属于信息技术实验室，致力于通过提供技术领导来推动美国经济并保障公共福利，其工作包括为政府和私营部门提供技术标准和最佳实践，以提升网络安全和保障敏感信息的安全。

GUIDELINES FOR SECURING RFID SYSTEMS

1-2

information relevant to contactless smart card applications, it does not address the advanced

authentication and cryptography features that are incorporated into many of them

This document has been created for executives, planners, systems analysts, security and privacy

professionals, and engineers who are responsible for Federal government business processes or

information technology (IT) systems. Professionals with similar responsibilities outside the government

should also benefit from the information this document provides. The document addresses both the needs

of those considering an RFID implementation and those with an existing RFID system. The document is

also useful for researchers, students, market analysts and others who seek an overview of RFID

technology and related security issues.

1.3 Document Structure

The remainder of this document is organized into seven major sections:

 Section 2 provides an introduction to RFID technology and the major components of RFID systems.

 Section 3 provides an overview of types of RFID applications. It then explains how organizations can

identify application requirements to help determine which RFID technology would be most effective

for a particular application.

 Section 4 discusses some of the major business risks associated with implementing RFID technology.

 Section 5 explains the various RFID security controls, including their benefits and limitations.

 Section 6 provides a brief overview of privacy regulations and controls, particularly as they pertain to

Federal agencies.

 Section 7 provides recommendations that organizations using RFID systems can follow throughout

the system life cycle, from initiation through operations to disposition.

 Section 8 presents two hypothetical case studies that illustrate how the concepts and

recommendations introduced earlier in the document could work in practice.

Readers that are already familiar with RFID and primarily are interested in the security aspects of the

technology may wish to skip Sections 2 and 3 of this document and start with Section 4.

The document also contains several appendices with supporting material:

 Appendix A contains more detailed information on common RFID standards and their security

mechanisms.

 Appendix B contains a glossary.

 Appendix C contains an acronym list.

 Appendix D lists print resources and online tools and resources that may be useful references for

gaining a better understanding of RFID technology and security.

 Appendix E contains information on permissible radio exposure limits.

The distinction between RFID tags and contactless smart cards is becoming more difficult to define because the computing

resources and security functionality of RFID tags is increasing over time. RFID tags and contactless smartcards often use

the same air interface standards and techniques for wireless communication.

SECTION 2: RFID TECHNOLOGY

2-1

2. RFID Technology

This section provides an introduction to RFID technology. It begins with a discussion of the benefits of

RFID relative to other automatic identification and data capture (AIDC) technologies. It then reviews the

basic components of RFID systems and provides background information needed to understand later

material in the document. Readers who already have a strong understanding of RFID technology and

applications can skip this section and the discussion in Section 3 about RFID applications.

2.1 Automatic Identification and Data Capture (AIDC) Technology

Identification processes that rely on AIDC technologies

are significantly more reliable and less

expensive than those that are not automated. The most common AIDC technology is bar code

technology, which uses optical scanners to read labels.

Most people have direct experience with bar

codes because they have seen cashiers scan items at supermarkets and retail stores. Bar codes are an

enormous improvement over ordinary text labels because personnel are no longer required to read

numbers or letters on each label or manually enter data into an IT system; they just have to scan the label.

The innovation of bar codes greatly improved the speed and accuracy of the identification process and

facilitated better management of inventory and pricing when coupled with information systems.

RFID represents a technological advancement in AIDC because it offers advantages that are not available

in other AIDC systems such as bar codes. RFID offers these advantages because it relies on radio

frequencies to transmit information rather than light, which is required for optical AIDC technologies.

The use of radio frequencies means that RFID communication can occur:

 Without optical line of sight, because radio waves can penetrate many materials,

 At greater speeds, because many tags can be read quickly, whereas optical technology often requires

time to manually reposition objects to make their bar codes visible, and

 Over greater distances, because many radio technologies can transmit and receive signals more

effectively than optical technology under most operating conditions.

The ability of RFID technology to communicate without optical line of sight and over greater distances

than other AIDC technology further reduces the need for human involvement in the identification process.

For example, several retail firms have pilot RFID programs to determine the contents of a shopping cart

without removing each item and placing it near a scanner, as is typical at most stores today. In this case,

the ability to scan a cart without removing its contents could speed up the checkout process, thereby

decreasing transaction costs for the retailers. This application of RFID also has the potential to

significantly decrease checkout time for consumers.

RFID products often support other features that bar codes and other AIDC technologies do not have, such

as rewritable memory, security features, and environmental sensors that enable the RFID technology to

record a history of events. The types of events that can be recorded include temperature changes, sudden

shocks, or high humidity. Today, people typically perceive the label identifying a particular object of

interest as static, but RFID technology can make this label dynamic or even “smart” by enabling the label

to acquire data about the object even when people are not present to handle it.

AIDC technologies are also known as Automatic Identification Systems and Automatic Identification Technologies. The

terms “automated” and “automatic” are often used interchangeably.

Other AIDCs include smart cards, optical memory cards, contact memory buttons, and satellite tracking systems.

GUIDELINES FOR SECURING RFID SYSTEMS

2-2

2.2 RFID System Components

RFID systems can be very complex, and implementations vary greatly across industries and sectors. For

purposes of discussion in this document, an RFID system is composed of up to three subsystems:

 An RF subsystem, which performs identification and related transactions using wireless

communication,

 An enterprise subsystem, which contains computers running specialized software that can store,

process, and analyze data acquired from RF subsystem transactions to make the data useful to a

supported business process, and

 An inter-enterprise subsystem, which connects enterprise subsystems when information needs to be

shared across organizational boundaries.

Every RFID system contains an RF subsystem, and most RFID systems also contain an enterprise

subsystem. An RFID system supporting a supply chain application is a common example of an RFID

system with an inter-enterprise subsystem. In a supply chain application, a tagged product is tracked

throughout its life cycle, from manufacture to final purchase, and sometimes even afterwards (e.g., to

support targeted product recalls).

The characteristics of RFID enterprise and inter-enterprise subsystems are very similar to those of any

networked IT system in terms of the types of computers that reside on them, the protocols they support,

and the security issues they encounter.

Sections 2.3 through 2.5 review each of the subsystems in more detail.

2.3 RF Subsystem

To enable wireless identification, the RF subsystem consists of two components:

 RFID tags (sometimes referred to as transponders), which are small electronic devices that are

affixed to objects or embedded in them. Each tag has a unique identifier and may also have other

features such as memory to store additional data, environmental sensors, and security mechanisms.

 RFID readers, which are devices that wirelessly communicate with tags to identify the item

connected to each tag and possibly associate the tagged item with related data.

Both the tag and the reader are two-way radios. Each has an antenna and is capable of modulating and

demodulating radio signals. Figure 2-1 shows a simple RF subsystem configuration.

剩余153页未读，继续阅读

艾米的爸爸

粉丝: 786
资源: 314

NIST指南：RFID系统的安全防护

NIST SP800-88_rev1.pdf

NIST SP800-108.pdf

NIST SP800-100-Mar07-2007.pdf

NIST SP800-76-1_012407.pdf

NIST SP800-73-2_part2.pdf

NIST SP800-87_Rev1-April2008Final.pdf

NIST SP800-73-2_part3_end-point-client-api-final.pdf

NIST SP800-73-2_part1-datamodel-final.pdf

NIST SP800-53-rev2-final.pdf

NIST SP800-160-vol2-draft.pdf

最新资源