RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

Similar documents
Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, Developed by: Smart Card Alliance Identity Council

Best Practices for the Use of RF-Enabled Technology in Identity Management. January Developed by: Smart Card Alliance Identity Council

The What, Who and Why of Contactless Payments

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Smart Cards and Biometrics in Physical Access Control Systems

The What, Who and Why of Contactless Payments

A Guide to EMV. Version 1.0 May Copyright 2011 EMVCo, LLC. All rights reserved.

What is a Smart Card?

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

The Future is Contactless

ADVANCE AUTHENTICATION TECHNIQUES

NACCU Migrating to Contactless:

RFID SECURITY. February The Government of the Hong Kong Special Administrative Region

rf Technology to automate your BUsiness

Gemalto Mifare 1K Datasheet

Using Contactless Smart Cards for Secure Applications

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

Contactless Technology for Secure Physical Access: Technology and Standards Choices

RFID Security. April 10, Martin Dam Pedersen Department of Mathematics and Computer Science University Of Southern Denmark

Radio Frequency Identification (RFID)

Significance of Tokenization in Promoting Cloud Based Secure Elements

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

The Convergence of IT Security and Physical Access Control

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

Securing Host Operations with a Dedicated Cryptographic IC - CryptoCompanion

EMV: A to Z (Terms and Definitions)

RFID Security: Threats, solutions and open challenges

Protected Cash Withdrawal in Atm Using Mobile Phone

Opinion and recommendations on challenges raised by biometric developments

GUIDELINES REGARDING THE PROCESSING OF PERSONAL DATA BY MEANS OF SMART CARDS AND RFID TAGS

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

Using RFID Techniques for a Universal Identification Device

RFID BASED VEHICLE TRACKING SYSTEM

Secure Remote Photo Identification With ID card

MIFARE CONTACTLESS CARD TECHNOLOLGY AN HID WHITE PAPER

Using Smart Cards for Secure Physical Access

Mobile and Contactless Payment Security

Overview of Contactless Payment Cards. Peter Fillmore. July 20, 2015

Securing Card-Not-Present Transactions through EMV Authentication. Matthew Carter and Brienne Douglas December 18, 2015

Stronger(Security(and( Mobile'Payments'! Dramatically*Faster!and$ Cheaper'to'Implement"

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Enabling Security, Compliance and Efficiency: Achieve Your Federal Identification Credentialing Goals

EMV and Small Merchants:

Longmai Mobile PKI Solution

How To Hack An Rdi Credit Card

Authentication Tokens

Implementation of biometrics, issues to be solved

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

W.A.R.N. Passive Biometric ID Card Solution

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Chapter 15 User Authentication

The Convergence of IT Security and Physical Access Control

How Secure are Contactless Payment Systems?

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

Complying with PCI Data Security

Credit Card Fraud The Contactless Generation Kristin Paget

Evolving Bar Codes. Y398 Internship. William Holmes

3M Cogent, Inc. White Paper. Beyond. Wiegand: Access Control. in the 21st Century. a 3M Company

Mobile MasterCard PayPass Testing and Approval Guide. December Version 2.0

Allwin Initiative for Corporate Citizenship Dartmouth Center for the Advancement of Learning Dickey Center Ethics Institute Institute for Security

How To Attack A Key Card With A Keycard With A Car Key (For A Car)

Credit Card Processing Overview

Smart Card Technology in U.S. Healthcare: Frequently Asked Questions

Applying the NFC Secure Element in Mobile Identity Apps. RANDY VANDERHOOF Executive Director Smart Card Alliance

PCI and EMV Compliance Checkup

Relay attacks on card payment: vulnerabilities and defences

How To Understand The Power Of An Freddi Tag (Rfid) System

mobile payment acceptance Solutions Visa security best practices version 3.0

Smart Cards and Biometrics in Privacy-Sensitive Secure Personal Identification Systems

Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions. Jan 23 rd, 2007

Secure Data Exchange Solution

International Journal of Engineering Research & Management Technology

Privacy and Security in library RFID Issues, Practices and Architecture

How To Secure A Paypass Card From Being Hacked By A Hacker

Strengthen RFID Tags Security Using New Data Structure

Smart Card Technology Capabilities

Smart Card: The Computer in Your Wallet

PUF Physical Unclonable Functions

Secure My-d TM and Mifare TM RFID reader system by using a security access module Erich Englbrecht (info@eonline.de) V0.1draft

Guide to Data Field Encryption

Entrust IdentityGuard

CardControl. Credit Card Processing 101. Overview. Contents

Heartland Secure. By: Michael English. A Heartland Payment Systems White Paper Executive Director, Product Development

a GAO GAO INFORMATON SECURITY Radio Frequency Identification Technology in the Federal Government Report to Congressional Requesters

Glossary of Key Terms

Digital Signatures on iqmis User Access Request Form

What Merchants Need to Know About EMV

Trusted Platforms for Homeland Security

Chip Card & Security ICs Mifare NRG SLE 66R35

Mobile Electronic Payments

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

Radio Frequency Identification (RFID) An Overview

CHAPTER 1 Introduction 1

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

intertrax MOBILE PIV

CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

Chapter 1: Introduction

MOBILE CHIP ELECTRONIC COMMERCE: ENABLING CREDIT CARD PAYMENT FOR MOBILE DEVICES

Transcription:

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards January 2007 Developed by: Smart Card Alliance Identity Council

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards Many applications are now using radio frequency (RF) technology to automatically identify objects or verify the identity of people. These RF-enabled applications range from tracking animals and tagging goods for inventory control to enabling secure payment and identification. While these applications all use radio waves to communicate information, the RF technology used for each has different operational parameters, frequencies, read ranges and capabilities to support security and privacy features. For example: RFID tags and labels are used to add value in manufacturing, shipping and object-related tracking. They operate over short to long ranges (e.g., from inches to 25 feet), were designed for that purpose alone and have minimal built-in support for security and privacy. RF-enabled smart cards, on the other hand, use RF technology, but, by design, operate at a short range (less than 4 inches) and support a wide variety of security features for critical applications. This technology is also referred to as contactless smart card technology. RF-enabled contactless smart cards comply with international standards for contact and contactless smart card technology (ISO/IEC 7816 and ISO/IEC 14443) and implement security features to protect payment, access and identity applications. RF-enabled applications have differing requirements in their use of RF technology, with RFID tag and RFenabled smart card technologies providing very different capabilities. The figure below illustrates the range of security requirements of different RF-enabled applications and technologies. High Sensitivity of Typical Information Being Stored Low Low Security Requirements High 2

Understanding the differences between RFID and RF-enabled smart card technologies is critical in order to correctly assess each technology's fit with a specific application's security and privacy requirements. RFID and RF-enabled smart card technologies comply with different standards, have different operating ranges and widely varying ability to support security features needed by RF-enabled applications. The figure below shows key requirements for common RF-enabled applications and the typical RF technology used for the application. Example applications using RF-enabled contactless smart card technology include: The U.S. FIPS 201 Personal Identity Verification (PIV) card being issued by all Federal agencies for employees and contractors; The new U.S. epassport being issued by the Department of State; The Transportation Worker Identification Credential (TWIC) being issued by the Transportation Security Administration; The First Responder Authentication Card (FRAC) being issued in Department of Homeland Security pilots; Contactless payment cards and devices being issued by American Express, Discover, MasterCard and Visa; Contactless transit fare payment systems currently operating or being installed in such cities as Washington, DC, Chicago, Boston, Atlanta, San Francisco and Los Angeles. The Smart Card Alliance provides a variety of resources to assist organizations in evaluating RF technologies and implementing RF-enabled applications. Additional information about the use of and best practices for RF technologies used in identity applications can be found at http://www.smartcardalliance.org. 3

About the Smart Card Alliance The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use, and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations, and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the United States and Latin America. The Smart Card Alliance Identity Council is focused on promoting the need for technologies, legislation, and usage solutions regarding human identity information to address the challenges of securing identity information and reducing identity fraud, and to help organizations realize the benefits that secure identity information delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use. Additional information about the Identity Council and about the use of smart cards for secure identity applications can be found at http://www.smartcardalliance.org. 4

Appendix: RF-Enabled Applications and Technology: Frequently Asked Questions 1) What is a smart card? A smart card is a device that includes an embedded integrated circuit that can be either a secure microcontroller or equivalent intelligence with internal memory or a memory chip alone. The card connects to a reader with direct physical contact or with a remote contactless radio frequency interface. With an embedded microcontroller, smart cards have the unique ability to store large amounts of data, carry out their own on-card functions (e.g., encryption and mutual authentication) and interact intelligently with a smart card reader. Smart card technology conforms to international standards (ISO/IEC 7816 and ISO/IEC 14443) and is available in a variety of form factors, including plastic cards, key fobs, watches, subscriber identification modules used in GSM mobile phones, and USB-based tokens. For the purposes of this FAQ, card is used as the generic term to describe any device in which smart card technology is used. 2) What is a contactless smart card? A contactless smart card includes an embedded smart card secure microcontroller or equivalent intelligence, internal memory and a small antenna and communicates with a reader through a contactless radio frequency (RF) interface. Contactless smart card technology is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government and corporate identification cards, documents such as electronic passports and visas, and financial payment cards. Another name for contactless smart card is "RF-enabled smart card." Example applications using contactless smart card technology include: The U.S. FIPS 201 Personal Identity Verification (PIV) card being issued by all Federal agencies for employees and contractors; The new U.S. epassport being issued by the Department of State; The Transportation Worker Identification Credential (TWIC) being issued by the Transportation Security Administration; The First Responder Authentication Card (FRAC) being issued in Department of Homeland Security pilots; Contactless payment cards and devices being issued by American Express, MasterCard and Visa; Contactless transit fare payment systems currently operating or being installed in such cities as Washington, DC, Chicago, Boston, Atlanta, San Francisco and Los Angeles. Contactless smart cards have the ability to securely manage, store and provide access to data on the card, perform on-card functions (e.g., encryption and mutual authentication) and interact intelligently with a contactless smart card reader. Contactless smart card technology and applications conform to international standards (ISO/IEC 14443 and ISO/IEC 7816). Contactless smart card technology is available in a variety of forms in plastic cards, watches, key fobs, documents and other handheld devices (e.g., built into mobile phones). 3) What is an RF-enabled contactless smart card? An RF-enabled smart card conforms to contact and contactless smart card standards (ISO/IEC 7816 and ISO/IEC 14443) and implements security features not achievable with RFID to protect payment, access and identity applications. Security features may include: encryption, hashes and/or digital signature support, dynamic data generation, mutual authentication (with the reader), built-in hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks, PIN and biometric support. Examples include epassports, contactless and EMV credit cards and debit cards, high security ID cards, some transit payment cards and more. 4) What is an RFID tag? Radio frequency identification (RFID) tags are used in a wide range of applications such as: identifying animals, tracking goods through the supply chain, tracking assets such as gas bottles and beer kegs, and controlling access into buildings. RFID tags include a chip that typically stores a static number (an ID) and an antenna that enables the chip to transmit the stored number to a reader. Some RFID tags contain read/write memory to store data that can be written to the tag. When the tag comes within range of the appropriate RF reader, the tag is powered by the reader s RF field and transmits its ID to the reader. 5

Examples include RFID package tracking, pharmaceuticals labeling, inventory management, automatic door locks and more. RFID tags are simple, low-cost and commonly disposable, although this is not always the case such as reusable laundry tags. Generally speaking, there is little to no security on the RFID tag or during communication with the reader. Any reader using the appropriate RF frequency (low frequency: 125/134 KHz; high frequency: 13.56 MHz; and ultra-high frequency: 900MHz) and protocol can get the RFID tag to communicate its contents. (Note that this is not true of car keys which contain a secure RFID tag.) Passive RFID tags (i.e., those not containing a battery) can be read from distances of several inches (centimeters) to many yards (meters), depending on the frequency and strength of the RF field used with the particular tag. RFID tags have common characteristics, including: Low cost designs and high volume manufacturing to minimize investment required in implementation. Minimal security in many applications, with tags able to be read by any compatible reader. Some applications like car keys do have security features, most notably provisions to authenticate the RFID tag before enabling the ignition to start the car. Minimal data storage comparable to bar code, usually a fixed format written once when the tag is manufactured, although read/write tags do exist. Read range optimized to increase speed and utility. 5) Why is it important to distinguish between RFID tags and RF-enabled smart cards? Understanding the differences is critical in order to correctly assess each technology's fit with a specific application's security and privacy requirements. The term RFID is familiar to most people and is often confused with RF-enabled (or contactless) smart cards. RFID tags were designed primarily to track objects at a distance with little or no concern for security. RFID should not be confused with the RF-enabled smart card technology that is used at very short distances to verify an individual's identity or execute payments and to implement secure applications where speed, security, privacy, and data integrity are considered essential. 6) Is RF-enabled and contactless smart card technology the same as RFID technology? No. There is significant confusion in discussions of RF-enabled applications, with contactless smart card technology often incorrectly categorized as 'RFID.' There is a wide range of RF technologies used for a variety of applications -- each with different operational parameters, frequencies, read ranges and capabilities to support security and privacy features. For example, the RFID technologies that are used to add value in manufacturing, shipping and object-related tracking operate over long ranges (e.g., 25 feet), were designed for that purpose alone and have minimal built-in support for security and privacy. Contactless smart cards, on the other hand, use RF technology, but, by design, operate at a short range (less than 4 inches) and can support the equivalent security capabilities of a contact smart card chip. 7) What security capabilities can contactless smart cards support? Contactless smart cards use RF technology, but, by design, operate at a short range (less than 4 inches) and can support the equivalent security capabilities of a contact smart card chip (see below). Contactless smart cards and readers conform to international standards, ISO/IEC 14443 and ISO/IEC 7816, and can implement a variety of industry-standard cryptographic protocols (e.g., AES, 3DES, RSA, ECC). Contactless smart cards that implement security features are referred to as RF-enabled smart cards. The contactless smart chip includes a smart card secure microcontroller and internal memory and has unique attributes RFID tags lack -- i.e., the ability to securely manage, store and provide access to data on the card, perform complex functions (for example, encryption and mutual authentication) and interact intelligently via RF with a contactless reader. Applications using contactless smart cards support many security features that ensure the integrity, confidentiality and privacy of information stored or transmitted, including the following: Mutual authentication. For applications requiring secure card access, the contactless smart cardbased device can verify that the reader is authentic and can prove its own authenticity to the reader before starting a secure transaction. Strong information security. For applications requiring complete data protection, information stored on cards or documents using contactless smart card technology can be encrypted and communication between the contactless smart card-based device and the reader can be encrypted to prevent eavesdropping. Hashes and/or digital signatures can be used to ensure 6

data integrity and to authenticate the card and the credentials it contains. Cryptographically strong random number generators can be used to enable dynamic cryptographic keys, preventing replay attacks. Strong contactless device security. Like contact smart cards, contactless smart card technology is extremely difficult to duplicate or forge and has built-in tamper-resistance. Smart card chips include a variety of hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks. For example, the chips are manufactured with features such as extra metal layers, sensors to detect thermal and UV light attacks, and additional software and hardware circuitry to thwart differential power analysis. Authenticated and authorized information access. The contactless smart card s ability to process information and react to its environment allows it to uniquely provide authenticated information access and protect the privacy of personal information. The contactless smart card can verify the authority of the information requestor and then allow access only to the information required. Access to stored information can also be further protected by a personal identification number (PIN) or biometric to protect privacy and counter unauthorized access. Protection against transaction replay. For applications where it is critical that contactless transaction data not be able to be replayed in a fraudulent transaction, contactless smart cards can generate dynamic data every time they are read. Dynamic data generation per read provides logical security and inhibits fraudulent replay of contactless card data that may have been previously read (if the transaction was not protected using one of the techniques described in this question). For example, contactless credit, debit and prepaid payment card data includes a dynamic card verification number (CVC or CVV) or transaction certificate (for an EMV card) that is unique for every transaction. This dynamic data is generated by the contactless card based on a secret key that was stored in its secured memory by the card issuer. This key, along with a random number, transaction counter and a specific algorithm, is used to generate dynamic data every time a contactless payment card is read for a transaction. The same capability exists regardless of the form factor for the contactless smart chip (e.g., card, fob, mobile phone). Support for biometric authentication. For human identification systems that require the highest degree of security and privacy, smart cards can be implemented in combination with biometric technology. Biometrics are measurable physical characteristics or personal behavioral traits that can be used to recognize the identity or verify the claimed identity of an individual. Smart cards and biometrics are a natural fit to provide two- or multi-factor authentication. A smart card is the logical secure storage medium for biometric information. During the enrollment process, the biometric template can be stored on the smart card chip for later verification. Only the authorized user with a biometric matching the stored enrollment template receives access and privileges. Strong support for information privacy. The use of smart card technology strengthens the ability of a system to protect individual privacy. Unlike other technologies, smart card-based devices can implement a personal firewall for an individual, releasing only the information required and only when it is required. The ability to support authenticated and authorized information access and the strong contactless device and data security make contactless smart cards excellent guardians of personal information and individual privacy. It is important to note that information privacy and security must be designed into an application at the system level by the organization issuing the contactless device, card or document. It is critical that issuing organizations have the appropriate policies in place to support the security and privacy requirements of the application being deployed and then implement the appropriate technology that delivers those features. The ability of contactless smart card technology to support a wide array of security features provides organizations with the flexibility to implement the level of security that is commensurate with the risk expected in the application. 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information