150 likes | 166 Views
Explore the history, standards, and security issues of RFID technology. Learn about risk-based assessment, design-based assurance, and the development of security standards. Discover the key points in adopting the "design for assurance" paradigm and the importance of risk-based development in security functions.
E N D
Security paradigms and RFID RFID03_03 Scott W CADZOW C3L Footer text (edit in View : Header and Footer)
Security and standards development • Risk based assessment • Design based assurance Footer text (edit in View : Header and Footer)
History of RFID • Origins not terribly well documented • Henry Stockman, 1948 • Mario Cardullo (US Patent 3,713,148) in 1973 • Charles Walton (US Patent 4,384,288) in 1983 • Standards development • ISO, base standards • ETSI?? • ITS active, passive transponders, road pricing Footer text (edit in View : Header and Footer)
Standards (not radio) • ISO 14223/1 • Radio frequency identification of Animals, advanced transponders – Air interface • ISO 14443 • HF (13.56 MHz) standard used as the basis of RFID-enabled passports under ICAO 9303. • ISO 15693 • HF (13.56 MHz) standard, used for non-contact smart payment and credit cards. • ISO 18000-7 • UHF (433 MHz) industry standard for active RFID products • ISO 18185 • Industry standard for electronic seals for tracking cargo containers Footer text (edit in View : Header and Footer)
Security issues in RFID • Well documented • Aired in previous RFID workshops • Tracking – traffic analysis • Masquerade may result • Physical weaknesses • Chip can be broken • Antenna can be broken • Antenna can be easily masked • Religious fervour ??? • Weird claim of RFID as mark of the beast (Revelation 13:16) Footer text (edit in View : Header and Footer)
“System” Objective Objective Objective !! Existing Standards Existing Standards Function Function Function Function Function Function Requirement Requirement Requirement Requirement Requirement Requirement Requirement Requirement Requirement Requirement Requirement Requirement
Paradigm to be adopted • Design for assurance • Advancement of ITU-T 3 stage method • Development in line with Common Criteria (ISO/IEC 15408) • Use of ETSI EG 202 387 as basis • Development of Protection Profiles using ES 202 382 as template • Risk analysis as fundamental key in development • ETSI TS 102 165-1 as the root document • Objective and requirements engineering • Key to success being developed in TISPAN WI-07027 • Security architecture and countermeasure analysis • Using key capabilities from ISO/IEC 15408-2 Footer text (edit in View : Header and Footer)
Definitions to be going on with • Objectives • Broad intention of system (WHAT) • Functions • Abstract grouping of features • Requirements • Implementation detail (HOW)
Understanding of security • A Threat, enacted by a Threat Agent, may lead to an Unwanted Incident breaking certain pre-defined security objectives • Aim is to avoid Unwanted Incidents • Countermeasures restrict the ability of threat agents to operate
Where we need to go Summary Footer text (edit in View : Header and Footer)
Key points • Adoption of “design for assurance” paradigm • Risk based development of security functions • Distribution of risk based on least cost loss function • Cryptographic development with SAGE as partners • Systems security development with TISPAN and OCG-Sec as partners Footer text (edit in View : Header and Footer)
Thanks for listening • Scott CADZOW • Scott @ Cadzow . com Footer text (edit in View : Header and Footer)