Security in a UHF RFID tag

Do we need security in an RFID tag? What do we even mean by security?
In the UHF tags available today there really is no security, in fact in many of the RFID tags that are used in applications today, there is no security. It is not needed, and so there has been no attempts to include it.
The one area that this not true is in the area of financial transactions where the predominant standard is ISO/IEC 14443. This standard (the basis of NFC, Near Field Communications) is a High Frequency (13.56 MHz) standard that includes the capability for encryption of the information on a tag. This capability does not exist for UHF tags – at the moment.
There have been many meetings of the UHF RFID experts to talk about how to add true security to a UHF RFID system.
This majority of RFID applications do not need security. The unique number stored in the tag means nothing to someone reading the tag unless they have access to the databases that explain the meaning of the number. However, some applications want to have more information stored in the tag and some of that information may be sensitive. Hence the need for security.
There are several areas that require the use of security. These include untraceability, loss-identification and/or protection, memory-locking, and privilege-management. To allow some of these to be implemented we also need to add file-management capability.
In order to achieve security, the tag and the reader have to prove to each other that they are allowed to talk. This is called authentication and it is a necessary process before the tag tells the reader any information. This is the first stage of the secure process.
There are several parts to the Authentication process. The tag must declare and prove that it is capable of secure communications. The interrogator must declare that not only is it capable but that it is allowed to access certain information on the tag. There may be information on the tag that not all interrogators are allowed to access, and so there must be a method of creating privilege based access and hence file areas on the tag.
Once the tag and interrogator have authenticated each other, then the secure communication can start. By secure communication we mean the "real-time" encryption of the data that passes between the tag and interrogator. This is not the storing of encrypted data, it is the process where the tag has the ability to encrypt anything it communicates to an interrogator.
The implications of having an encryption engine on board a passive tag are obviously very wide. The loss of power to the tag during the encryption process means that the data does not get secured and transmitted, so a lot of work has to go into the design of these new tags.
One of the areas that the experts have been looking at is what encryption routines should be available.  The group has decided that there should be no restrictions as some applications may only require very simple security while others may need the power of an AES type encryption. the idea is to not include the encryption algorithm informatuon in the air interface standard but to create another document where all the algorithms are detailed.  The manufacturer of the tags would then be able to decide which encryption suite his tags will support.
In ISO, the air interface for UHF type C (ISO/IEC 18000-63) will be the first standard to be created for a secure RFID system. The basis for the security is already included in ISO/IEC 29167-1 which is currently in ballot.  The specific information for each type of tag is then included in the air interface standards (ISO/IEC 18000 series). The standard that will specify the security suites has not yet been decided, but there is a proposal that ISO/IEC 29167 be the home for these suites.
Not all tags will require security, and the extra cost for the tags will not be something that all applications can bear so these specifications will all be optional.
The work has begun to create the standards for this concept, but it will not be complete for a while. In fact we will probably not see the standards published until late in 2012. As the work progresses, I will update the blog with information.

The “new” UHF Standard

UHF RFID has taken off in a big way. Many of us have been saying that RFID is the way of the future and now it is starting to be real. The standard for UHF is ISO/IEC 18000-6 (equivalent to the EPCglobal Gen 2 UHF standard). This standard is one of the air interface standards in the ISO/IEC 18000 series for all of the various frequencies.
ISO/IEC 18000-6 is a very large standard. It is available from ISO for about $306.00 and it contains 470 pages. The standard has information and specifications on four different air interfaces (types A, B, C, and D). Type C is the equivalent of the EPCglobal standard and is now the most prevalent UHF standard.
The latest version of ISO/IEC 18000-6 contains enhancements to the Type C air interface that are not included in the EPCglobal version. These enhancements allow the use of sensors and provide details of battery assisted passive RFID tags.
So with ISO/IEC 18000-6 only having been published in 2010 why am I talking about a new standard?
As I explained above, the standard has grown over the years both in size and in price. This has made it difficult to use and with the new enhancements coming, the decision was taken to split the standard into several parts. The new standard will have five parts as follows:
ISO/IEC 18000 – General information
ISO/IEC 18000-61 – Type A
ISO/IEC 18000-62 – Type B
ISO/IEC 18000-63 – Type C
ISO/IEC 18000-64 – Type D
Part 63 – Type C is the equivalent of the EPCglobal Gen 2 standard and it includes the sensor and battery assist specifications.
The revisions to break the original standard into these parts are currently in progress. The work has just passed the first level of balloting at ISO. This means that early in 2012 the new standards should be approved and we will all be using a new number for the UHF standard.  
If you want to know more about the new enhancements to the standard then watch for another article on this subject.
If you have questions about the new standards or how you can be a part of the standards efforts then let me know.

RFID Standards Progress

I was in Atlanta a few weeks ago week for a couple of standards events.

First, there was a meeting of ANSI MH10.8.  It is a subgroup of the MH10 group whose scope is: "To facilitate freight movement within transportation and distribution systems by providing standards for transport-packages and unit-loads, including their dimensions, definitions, terminology, coding, labeling, and performance criteria; and to represent the United States' interests within the scope of ISO/TC 122".

The MH10.8 subgroup is responsible for "Coding & Labeling of Unit-Loads". This means bar codes for a lot of the work, but there is an increasing amount of RFID in there. The most well-known standard from MH 10.8 is ANSI MH10.8.2 "Data & Application Identifiers" but the group is responsible for many standards, you can see a full list at below. The meeting in Atlanta spent time reviewing the .1, .7, .12 and .13 documents.

  • MH10.8.1:2006 – Shipping Label Standard
  • MH10.8.2:CM – Data & Application identifier standard
  • MH10.8.3:2002 – Syntax for High Capacity ADC Media
  • MH10.8.4:2002 – RFID Tags for Returnable Containers
  • MH10.8.5 – Retired
  • MH10.8.6:2003 – Product Packaging standard
  • MH10.8.7:2005 – Product Marking standard
  • MH10.8.8:2006 – RFID for Parcels, Packages and Flat Mail
  • MH10.8.9 – Product ID using other than optically readable media
  • MH10.8.10 – RFID for Product Packaging
  • MH10.8.11 – Unit loads and transport packages for North American border crossings
  • MH10.8.12 – Component Marking Standard
  • MH10.8.13 – Label Test Procedures for Bar Code and Two-Dimensional (2D) Label
  • MH10.8.14 – Unique Digital Identifier
  • MH10.8.15 – XML Reader Output from ISO/IEC 15434 formatted AIDC Media

The Data Identifiers standards details the various Data Identifiers that you may use in the numbering of a package to better explain the content of the package. The abstract of the standard says: "This standard provides a comprehensive dictionary of MH 10/SC 8 Data Identifiers and GS1 Application Identifiers, provides for the assignment of new Data Identifiers, as required, and provides a document detailing the correlation, or mapping, of Data Identifiers to Application Identifiers, where a correlation exists."


The second meeting this week was the US TAG to ISO/IEC JTC 1/SC 31. The US TAG (AIDC 1) is responsible for creating the US positions and responding to ballots that are posted related to the work of SC 31. This means that almost every standard related to AIDC is reviewed by this group and the US opinion is developed and posted to the international community. For the latest work in SC 31 you can visit . This web site keeps an updated list of all the RFID related work in the committee.

The big items in RF at the moment include a rework of the ISO/IEC 18000-6 standard (air interface standard for 860-960 MHz). This standard was published in late 2010 and is 470 pages long. It includes four different air interface standards and also how to include battery and sensor support for some of the air interfaces. The new standard will divide the original one into sub-parts so that you can get all the information for a single air interface in one standard without the confusion of the others.

Part 63 is the new standard for what was referred to as ISO/IEC 18000-6 Type C (also known as the EPC UHF Gen 2 standard). All of the new sub parts of this document are now in the first stage (CD) ballot. The various parts are:

  • 18000-6: The general information that relates to all the sub parts
  • 18000-61: Type A
  • 18000-62: Type B
  • 18000-63: Type C
  • 18000-64: Type D

Other RFID work that is happening in SC 31 at this time includes a re-write of ISO/IEC 18000-7 (active RFID at 433 MHz).

The US TAG reviews every document created by SC 31 and provides input to the work. The annual TAG meeting allows the members to get together to review the work of the TAG as well as review the procedures of the group. This year starts the planning for 2012 when the US will host the Plenary of SC 31.


The final meeting during this week was the AIM RFID Experts Group (REG). This group has identified several work items that they are looking at. The first of these is a methodology to allow the testing of RFID equipment in the healthcare environment. Working with various groups and Universities, the REG is reviewing proposed test procedures for both implantable medical devices (such as pacemakers) and medical devices used in a medical environment.

The second work item is a white paper to describe the best way to implement a numbering system in an RFID tag. The paper will describe the various existing numbering methodologies that exist and recommend ways to get the best system for your project.

ther work items that are just starting include:

  • The use of RFID in explosive environments
  • The use of RFID on material handling equipment

If you want to be involved in any of the above work, or would simply like to receive more detailed information, then contact


RFID Standards

How important are the standards in RFID to you? This web site keeps you updated on the major changes that are taking place in RFID Standards but is that enough?

If you are involved in RFID then the standards world should be a major part of your focus. The ability to create products that don't just follow the standard but actually lead the standards is a major competitive advantage. This is why you see so many companies either actively participating or subscribing to standards reports that keep them updated on the work of the committee.

There are many ways to get involved in standards. In most countries there are groups working on RFID Standards. In the United States the mirror organization to ISO/IEC JTC 1/SC 31 is the U.S. TAG (Technical Advisory Group) to SC 31 called ADC1.  The TAG is managed by AIM Inc. (, and you can get more info on the group by emailing for a membership form. Membership gives you the right to participate in all of the work of SC 31. For details of the RFID work see

If you do not want to actively participate in the work, but need to know what is happening, you can take advantage of the reports that are available. High Tech Aid participates in many of the RFID Standards committee.  Steve Halliday Is the convener of ISO/IEC JTC 1/SC 31/WG 4/SG 3 (RFID Air Interface Standards) and is the co-chair of the GS 1 EPCglobal Technical Standards Committee and the Hardware Group. High Tech Aid published monthly reports on the activities of this group and others, and you can subscribe by sending an email to and asking for more information.

1 2 3