ISO/IEC TR 24729-4

Area of application: 
Security standards for data and networks
Publisher: 
ISO/IEC
Title: 
Information technology - Radio frequency identification for item management - Implementation guidelines - Part 4: RFID guideline on tag data security
Status: 
Published
Publication dates
Date of publication: 
2009
Responsible committee
Committee name: 
SC31/WG4/SG5

This document provides guidance on RFID Security. The RFID system is divided into modules, each having their own security elements. These modules are tag, tag to reader, reader, reader to host, and host (back-end enterprise) system. The scope of this document is restricted to the security aspects of the tag and tag-to-reader communication (identified as 1 through 2 in Figure 1). Although important, it is beyond the scope of this group to address security aspects of the reader-to-host and back-end enterprise modules (identified as 4 through 7 in Figure 1). [The Center for Democracy in Technology (CDT), as of the date of this publication, has released a draft “Privacy Best Practices for Deployment of RFID Technology” (http://www.cdt.org/privacy/20060501rfid-bestpractices.php) that addresses elements 4 through 7. Readers are encouraged to reference the CDT document for further information.]

This document will provide some guidance to systems designers to help them determine potential threats and appropriate countermeasures for modules 1 through 2 in Figure 1. This document is not intended to specifically address consumer privacy concerns. However, since data and personal privacy depend on the use of appropriate security measures, privacy will be addressed in general terms. Data access security provides a measure of personal privacy protection by mitigating the potential for unauthorized reading of data on a tag. However, not all data access security countermeasures provide the same level of protection.

Normative references: 
  • ISO/IEC 15963, Information technology — Radio frequency identification for item management — Unique identification for RF tags
  • ISO/IEC 17799, Information technology — Security techniques — Code of practice for information security management
    Note: ISO/IEC 17799 is a comprehensive set of controls comprising best practices in information security. [http://www.iso-17799.com/]
  • ISO/IEC 19762-1, Information technology — AIDC techniques — Harmonized vocabulary — Part 1: General terms relating to Automatic Identification and Data Capture (AIDC)
  • ISO/IEC 19762-3, Information technology — AIDC techniques — Harmonized vocabulary — Part 3: Radio-Frequency Identification (RFID)
  • ISO/IEC 24791-6, Information technology – Automatic identification and data capture techniques – Radio frequency identification (RFID) for item management – software system infrastructure Part 6: Security Guidance from AIM Global’s RFID Expert Group, RFID — Guidelines on data access security
  • NIST-800-30 – Risk Management Guide for Information Technology Systems [http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf]
  • NIST Special Publication 800-98, Guidance for Securing Radio Frequency Identification (RFID) Systems Federal Information Security Management Act (FISMA) [http://csrc.nist.gov/seccert/]
  • Open Web Application Security Project (OWASP) [http://www.owasp.org/index.php/Main_Page]