Security in a UHF RFID tag

Do we need security in an RFID tag? What do we even mean by security?
In the UHF tags available today there really is no security, in fact in many of the RFID tags that are used in applications today, there is no security. It is not needed, and so there has been no attempts to include it.
The one area that this not true is in the area of financial transactions where the predominant standard is ISO/IEC 14443. This standard (the basis of NFC, Near Field Communications) is a High Frequency (13.56 MHz) standard that includes the capability for encryption of the information on a tag. This capability does not exist for UHF tags – at the moment.
There have been many meetings of the UHF RFID experts to talk about how to add true security to a UHF RFID system.
This majority of RFID applications do not need security. The unique number stored in the tag means nothing to someone reading the tag unless they have access to the databases that explain the meaning of the number. However, some applications want to have more information stored in the tag and some of that information may be sensitive. Hence the need for security.
There are several areas that require the use of security. These include untraceability, loss-identification and/or protection, memory-locking, and privilege-management. To allow some of these to be implemented we also need to add file-management capability.
In order to achieve security, the tag and the reader have to prove to each other that they are allowed to talk. This is called authentication and it is a necessary process before the tag tells the reader any information. This is the first stage of the secure process.
There are several parts to the Authentication process. The tag must declare and prove that it is capable of secure communications. The interrogator must declare that not only is it capable but that it is allowed to access certain information on the tag. There may be information on the tag that not all interrogators are allowed to access, and so there must be a method of creating privilege based access and hence file areas on the tag.
Once the tag and interrogator have authenticated each other, then the secure communication can start. By secure communication we mean the "real-time" encryption of the data that passes between the tag and interrogator. This is not the storing of encrypted data, it is the process where the tag has the ability to encrypt anything it communicates to an interrogator.
The implications of having an encryption engine on board a passive tag are obviously very wide. The loss of power to the tag during the encryption process means that the data does not get secured and transmitted, so a lot of work has to go into the design of these new tags.
One of the areas that the experts have been looking at is what encryption routines should be available.  The group has decided that there should be no restrictions as some applications may only require very simple security while others may need the power of an AES type encryption. the idea is to not include the encryption algorithm informatuon in the air interface standard but to create another document where all the algorithms are detailed.  The manufacturer of the tags would then be able to decide which encryption suite his tags will support.
In ISO, the air interface for UHF type C (ISO/IEC 18000-63) will be the first standard to be created for a secure RFID system. The basis for the security is already included in ISO/IEC 29167-1 which is currently in ballot.  The specific information for each type of tag is then included in the air interface standards (ISO/IEC 18000 series). The standard that will specify the security suites has not yet been decided, but there is a proposal that ISO/IEC 29167 be the home for these suites.
Not all tags will require security, and the extra cost for the tags will not be something that all applications can bear so these specifications will all be optional.
The work has begun to create the standards for this concept, but it will not be complete for a while. In fact we will probably not see the standards published until late in 2012. As the work progresses, I will update the blog with information.

The “new” UHF Standard

UHF RFID has taken off in a big way. Many of us have been saying that RFID is the way of the future and now it is starting to be real. The standard for UHF is ISO/IEC 18000-6 (equivalent to the EPCglobal Gen 2 UHF standard). This standard is one of the air interface standards in the ISO/IEC 18000 series for all of the various frequencies.
ISO/IEC 18000-6 is a very large standard. It is available from ISO for about $306.00 and it contains 470 pages. The standard has information and specifications on four different air interfaces (types A, B, C, and D). Type C is the equivalent of the EPCglobal standard and is now the most prevalent UHF standard.
The latest version of ISO/IEC 18000-6 contains enhancements to the Type C air interface that are not included in the EPCglobal version. These enhancements allow the use of sensors and provide details of battery assisted passive RFID tags.
So with ISO/IEC 18000-6 only having been published in 2010 why am I talking about a new standard?
As I explained above, the standard has grown over the years both in size and in price. This has made it difficult to use and with the new enhancements coming, the decision was taken to split the standard into several parts. The new standard will have five parts as follows:
ISO/IEC 18000 – General information
ISO/IEC 18000-61 – Type A
ISO/IEC 18000-62 – Type B
ISO/IEC 18000-63 – Type C
ISO/IEC 18000-64 – Type D
Part 63 – Type C is the equivalent of the EPCglobal Gen 2 standard and it includes the sensor and battery assist specifications.
The revisions to break the original standard into these parts are currently in progress. The work has just passed the first level of balloting at ISO. This means that early in 2012 the new standards should be approved and we will all be using a new number for the UHF standard.  
If you want to know more about the new enhancements to the standard then watch for another article on this subject.
If you have questions about the new standards or how you can be a part of the standards efforts then let me know.

RFID Standards Progress

I was in Atlanta a few weeks ago week for a couple of standards events.

First, there was a meeting of ANSI MH10.8.  It is a subgroup of the MH10 group whose scope is: "To facilitate freight movement within transportation and distribution systems by providing standards for transport-packages and unit-loads, including their dimensions, definitions, terminology, coding, labeling, and performance criteria; and to represent the United States' interests within the scope of ISO/TC 122".

The MH10.8 subgroup is responsible for "Coding & Labeling of Unit-Loads". This means bar codes for a lot of the work, but there is an increasing amount of RFID in there. The most well-known standard from MH 10.8 is ANSI MH10.8.2 "Data & Application Identifiers" but the group is responsible for many standards, you can see a full list at below. The meeting in Atlanta spent time reviewing the .1, .7, .12 and .13 documents.

  • MH10.8.1:2006 – Shipping Label Standard
  • MH10.8.2:CM – Data & Application identifier standard
  • MH10.8.3:2002 – Syntax for High Capacity ADC Media
  • MH10.8.4:2002 – RFID Tags for Returnable Containers
  • MH10.8.5 – Retired
  • MH10.8.6:2003 – Product Packaging standard
  • MH10.8.7:2005 – Product Marking standard
  • MH10.8.8:2006 – RFID for Parcels, Packages and Flat Mail
  • MH10.8.9 – Product ID using other than optically readable media
  • MH10.8.10 – RFID for Product Packaging
  • MH10.8.11 – Unit loads and transport packages for North American border crossings
  • MH10.8.12 – Component Marking Standard
  • MH10.8.13 – Label Test Procedures for Bar Code and Two-Dimensional (2D) Label
  • MH10.8.14 – Unique Digital Identifier
  • MH10.8.15 – XML Reader Output from ISO/IEC 15434 formatted AIDC Media

The Data Identifiers standards details the various Data Identifiers that you may use in the numbering of a package to better explain the content of the package. The abstract of the standard says: "This standard provides a comprehensive dictionary of MH 10/SC 8 Data Identifiers and GS1 Application Identifiers, provides for the assignment of new Data Identifiers, as required, and provides a document detailing the correlation, or mapping, of Data Identifiers to Application Identifiers, where a correlation exists."


The second meeting this week was the US TAG to ISO/IEC JTC 1/SC 31. The US TAG (AIDC 1) is responsible for creating the US positions and responding to ballots that are posted related to the work of SC 31. This means that almost every standard related to AIDC is reviewed by this group and the US opinion is developed and posted to the international community. For the latest work in SC 31 you can visit . This web site keeps an updated list of all the RFID related work in the committee.

The big items in RF at the moment include a rework of the ISO/IEC 18000-6 standard (air interface standard for 860-960 MHz). This standard was published in late 2010 and is 470 pages long. It includes four different air interface standards and also how to include battery and sensor support for some of the air interfaces. The new standard will divide the original one into sub-parts so that you can get all the information for a single air interface in one standard without the confusion of the others.

Part 63 is the new standard for what was referred to as ISO/IEC 18000-6 Type C (also known as the EPC UHF Gen 2 standard). All of the new sub parts of this document are now in the first stage (CD) ballot. The various parts are:

  • 18000-6: The general information that relates to all the sub parts
  • 18000-61: Type A
  • 18000-62: Type B
  • 18000-63: Type C
  • 18000-64: Type D

Other RFID work that is happening in SC 31 at this time includes a re-write of ISO/IEC 18000-7 (active RFID at 433 MHz).

The US TAG reviews every document created by SC 31 and provides input to the work. The annual TAG meeting allows the members to get together to review the work of the TAG as well as review the procedures of the group. This year starts the planning for 2012 when the US will host the Plenary of SC 31.


The final meeting during this week was the AIM RFID Experts Group (REG). This group has identified several work items that they are looking at. The first of these is a methodology to allow the testing of RFID equipment in the healthcare environment. Working with various groups and Universities, the REG is reviewing proposed test procedures for both implantable medical devices (such as pacemakers) and medical devices used in a medical environment.

The second work item is a white paper to describe the best way to implement a numbering system in an RFID tag. The paper will describe the various existing numbering methodologies that exist and recommend ways to get the best system for your project.

ther work items that are just starting include:

  • The use of RFID in explosive environments
  • The use of RFID on material handling equipment

If you want to be involved in any of the above work, or would simply like to receive more detailed information, then contact


The Internet of Things

So what do you think the Internet of Things is? Does your understanding label it as a bottle of milk talking to your refrigerator? It's a lot more than that, and that is why companies like IBM, Cisco, and GE are involved in a very big way.

Some people call it M2M (Machine to Machine), others are talking about the Ubiquitous Sensor Network. They are all variations of the same thing and standards will play a big part in the creation of the Internet of Things.

I have just returned from Wuxi, China, the cente rof the work being done on the Internet of Things in China. Wuxi New District is a planned community with many companies and organizations already have office space in this area. We visited with several of the companies and saw examples of the work they are doing from Cloud Storage to sensing traffic, to monitoring pollution, to tracking power management. We saw examples of new technology face tracking and identification alongside location technology accurate to 15mm.

The next day we attended a Europe-China conference on the Internet of Things and heard speakers from both China and Europe detail the work they are doing in this arena.

Finally I attended several days of meetings of the CASAGRAS2 project ( to discuss projects around the world related to the Internet of Things. I learned that a highly successful academic conference had been held in Wuxi a few days before I arrived. That another academic conference and an educational conference will be held this week in Kuala Lumpur. They have over 300 people signed up for these sessions.

The same group of people will be presenting an educational session at the RFID Journal Live pre-conference in April ( Another group of sessions are being finalized in the South American region in early September, and discussions have started for an event in September in the USA.

What does this have to do with RFID Standards?

RFID is without doubt, a key enabler for the Internet of Things. Standards for the air interface, the data protocols, the security, the communications are all a key part of the system. Many of these will already exist, others will need to be written. Many still need to be identified.

Some of the organizations that will be involved include ISO/IEC JTC 1, AIM, as well as several National Standards organizations. If this is something that is important to you, then you need to get involved now. AIM has an initiative for its members (email: Contact your National Body to learn more about the work in ISO/IEC.

Steve Halliday
Feb 27, 2011

The standards of an RFID system

If you visit What is RFID you will see a basic introduction into the building blocks of an RFID system. But you may now want to know what this means as far as standards are concerned. The page on SC 31 shows all of the RF standards that SC 31 is working on. This includes RFID, RTLS (Real Time Locating Systems), and MIIM (Mobile Item Identification and Management) from both the hardware and data side. We will look at the RFID side to give examples of how the standards system works.

Going back to our three parts of an RFID system:

  1. A tag (or multiple tags), also called as transponder
  2. A reader or interrogator together with antenna
  3. Supporting infrastructure (hardware and software).

We need to see how these parts are covered by the standards.

The first thing that we have to consider is the tag and how it communicates with the reader. This is usually called the Air Interface standard. In RFID the main standard is ISO/IEC 18000 and its various parts. The standard is broken down by frequency to try to simplify the amount of information

  • ISO/IEC 18000 – Air Interface
    • Part 1: Reference architecture and definition of parameters to be standardized
    • Part 2: Parameters for air interface communications below 135 kHz
    • Part 3: Parameters for air interface communications at 13,56 MHz
    • Part 4: Parameters for air interface communications at 2,45 GHz
    • Part 6: Parameters for air interface communications at 860 MHz to 960 MHz
    • Part 7: Parameters for active air interface communications at 433 MHz

Next we have to consider how the data is stored on the tag and how it is interpreted by the reader. This is where we look to:

  • ISO/IEC 15961 – Data protocol
    • Part 1: Application interface
    • Part 2: Registration of RFID data constructs
    • Part 3: RFID data constructs
    • Part 4: Application interface commands for battery assist and sensor functionality
  • ISO/IEC 15962 – Data protocol: data encoding rules and logical memory functions
  • ISO/IEC 15963 – Unique Identification for RF Tag 

Next we need to consider how we talk to the reader and pass the information into the system and infrastructure. The following standards cover this area:

  • ISO/IEC 24791 – Software system infrastructure
    • Part 1: Device management
    • Part 2: Data management
    • Part 3: Application management
    • Part 4: Application interface
    • Part 5: Device interface

There are many other standards that are being worked on by SC 31 but the above breakdown shows the various divisions from a system use point of view.

Finally the work of WG 7 is on File Management and Security. This group is defining the necessary steps to store more information on an RFID tag and how we implement a real security system that can help to protect that data.