Using management controls to effectively avoid RFID risks


First, the RFID usage policy

An RFID usage policy is a predefined policy that regulates the authorized use of RFID within the system and, following that policy, assigns different permissions to the different roles in the system. Refer to FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, when developing RFID usage policies. The usage policy should be consistent with the organization's privacy policy, which deals with issues such as how personal information is stored and how it is shared. The RFID usage policy should also address privacy issues related to the tag identifier format; the identifier format should be selected according to the actual situation of the application scenario. Advantages: this policy sets the framework for many other security controls. It gives management a tool to communicate its expectations for RFID systems and their security, and it enables management to take action against entities that do not comply with the policy. Disadvantages: the existence of a policy does not ensure compliance with it. A policy must be combined with the implementation of appropriate business and technical measures to be effective.

Second, the IT security policy

An IT security policy is one way to achieve the high-level security goals of the usage policy. RFID-related IT security policies should cover all subsystems of the RFID system, including the networks, databases, and applications of the enterprise subsystem and the inter-enterprise subsystem, and should not be limited to the security of tags and readers in the RFID subsystem. The IT security policy of an RFID system should address the following issues:

Access control of RFID information;

Perimeter protection, including port and protocol restrictions for network traffic between enterprise subsystems and between enterprise subsystems and public or extranets;

The security of readers and middleware;

RFID security training for system administrators and operators;

Management of the related cryptographic systems, including certificate authorities and key management.

Advantages: well-designed security policy controls can effectively mitigate the business risks that RFID technology introduces. These baseline policies give a specification to the individuals who design, implement, use, and maintain RFID systems. For example, IT policies help the people who design RFID systems or purchase system components to make appropriate decisions, and they help system administrators implement and configure software and the related network components correctly. Disadvantages: the existence of a policy does not ensure compliance with it. A policy must be combined with the implementation of appropriate business and technical measures to be effective.

Third, agreements with external organizations

When RFID-related data has to be shared with external organizations, the organizations involved need to reach a consensus and form an agreement that specifies the roles and responsibilities of each organization (and, in some cases, legal liability) in order to prevent confusion. The agreement specifies the network connection, the authentication mechanism, the data to be shared, and the way the data is protected in transit. If an inter-enterprise application requires password sharing across organizations, the agreement should also specify how these passwords are generated, stored, and shared, as well as the IT security controls to be used, such as authentication methods, access controls, or encryption and decryption methods. Advantages: signing a memorandum of agreement or memorandum of understanding greatly reduces the likelihood of later misunderstandings and security breaches. It lets the signatories communicate their security needs while collaborating on the development and use of the RFID system. Disadvantages: without full visibility into the systems and personnel of the external organization, it is difficult to monitor how each organization implements the agreement, so violations of the agreement may go unnoticed. This can be mitigated by an independent audit, if the signatories agree to hire a third party to conduct one.

Fourth, minimize the sensitive data stored on the tag

Minimize the sensitive data stored on tags: keep the detailed data in a secure enterprise subsystem and use a unique identifier on the tag to retrieve it, instead of putting the sensitive data on the tag itself.

Advantages:

An attacker cannot obtain sensitive information from a tag by malicious scanning or eavesdropping;

Performing data encryption and access control in the enterprise subsystem is more cost-effective than performing them in the RFID subsystem.

Disadvantages:

An attacker can still obtain useful information from the identifier alone. For example, reading the EPC manager ID and object class bits in some EPC formats can reveal the category of the object to which the tag is attached.

Once the data is moved into the enterprise subsystem, its availability depends on the availability of the network, so a network failure makes the data unavailable. In addition, retrieving data over the network introduces latency, which is unacceptable for some applications that need an immediate response.
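The following is an added example, not code from the original article. It decodes a constructed GID-96 EPC to show what an eavesdropper learns from a structured identifier (the General Manager Number and Object Class fields of the EPC Tag Data Standard layout), and contrasts it with the design this section recommends: an opaque random identifier on the tag, resolved through an access-controlled registry that stands in for the enterprise subsystem. The TagRegistry class and its role names are assumptions for the illustration.

```python
import secrets

# GID-96 layout (EPC Tag Data Standard): 8-bit header 0x35, 28-bit General
# Manager Number, 24-bit Object Class, 36-bit Serial Number.
GID96_HEADER = 0x35

def decode_gid96(epc_hex: str) -> dict:
    """Split a GID-96 EPC into its fields; every field is readable in the clear."""
    if len(epc_hex) != 24:
        raise ValueError("GID-96 is 96 bits = 24 hex digits")
    value = int(epc_hex, 16)
    if value >> 88 != GID96_HEADER:
        raise ValueError("not a GID-96 encoded EPC")
    return {
        "manager": (value >> 60) & ((1 << 28) - 1),       # issuing company
        "object_class": (value >> 36) & ((1 << 24) - 1),  # product category
        "serial": value & ((1 << 36) - 1),                # individual item
    }

class TagRegistry:
    """Stand-in for the enterprise subsystem (assumed design, not from the article):
    the tag carries only a random key into this table."""

    def __init__(self, allowed_roles):
        self._records = {}
        self._allowed_roles = set(allowed_roles)

    def issue_tag(self, record: dict) -> str:
        # 96 random bits: no header, manager or class field for a scanner to interpret.
        tag_id = secrets.token_hex(12)
        self._records[tag_id] = dict(record)
        return tag_id

    def lookup(self, tag_id: str, role: str):
        # Access control is enforced in the backend, not on the tag.
        if role not in self._allowed_roles:
            raise PermissionError(f"role {role!r} may not read tag data")
        return self._records.get(tag_id)

# Constructed sample GID-96: manager 0x0ABCDEF, object class 0x123456, serial 1.
SAMPLE_GID96 = "350ABCDEF123456000000001"

if __name__ == "__main__":
    print("eavesdropper learns:", decode_gid96(SAMPLE_GID96))
    registry = TagRegistry(allowed_roles={"inventory"})
    tag = registry.issue_tag({"item": "constructed sample", "cost": 42})
    print("tag carries only:", tag)
    print("backend record:", registry.lookup(tag, "inventory"))
```

A lookup of the opaque identifier fails when the registry is unreachable, which is exactly the availability trade-off described above.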