RFID Privacy & Security Implementation - Recent topics & Applications in Japan - 2009.7.2 RYUICHI HATTORI Hitachi, Ltd. Japan Security & Smart ID Solutions Division
Agenda
1. About Hitachi's ICT
2. RFID Privacy & Security Issue
3. Secure RFID Project & µ-chip Hibiki: A practical approach for lightweight security
4. RFID Applications in Japan
5. Toward the Standardization
6. Summary
1-1. Corporate Profile of Hitachi, Ltd.
Net Sales: 11,227 Billion Yen (US $ 112.3 Billion)
Total Assets: 10,530 Billion Yen (US $ 105.3 Billion)
Total Employees: 389,752
Number of Subsidiaries: 910 Companies
Fortune Global 500: 5th (2007 Sales in Global Electronics, Electrical Equipment and Computer Industries)
Stock Exchange Listings: New York, Amsterdam, Frankfurt, Luxembourg, Paris, Tokyo, Osaka, Nagoya, Fukuoka, Sapporo
(As of March 31, 2008)
Takashi Kawamura, President and Chief Executive Officer
Founder's Original Motor Repair Shop, Ibaraki, Japan, 1910
1-2. Hitachi Business Field
FY2007 (ended March 31, 2008) Sales: $112.3 billion
[Pie chart: share of sales by segment, in percent]
Information & Telecommunication Systems: 22
Electronic Devices: 10
Power & Industrial Systems: 28
Digital Media & Consumer Products: 12
High Functional Materials & Components: 15
Logistics, Services & Others: 10
Financial Services: 3
1-3. Information & Telecommunication Systems
[Diagram] Collaboration of New Value for Ubiquitous Information Society with Customers: Value to Life, Value to Society
Consultation: Management Consultation, Business Consultation, IT Consultation
SI/Solution: Manufacturing, Retail, Power/Transportation, Network, Bank, Government/Local Government; SI, Outsourcing, Education, Operation, Maintenance
IT Platform: Server, Storage, Network, Middleware, Ubiquitous Devices
Advanced Technology: RFID, Security, HDD, Integration/Virtualization, System Technology
2-1. Ubiquitous RFID Applications
People expect secure & easy access to Network System from anywhere and anytime
[Diagram] Places: Car/Railway, Mobile, Office, Home, Outdoor, Street/Shop
Devices and media: SD, MMC, SIM, DVC, STB, Game Machine, E-Tower, TV, PC, Audio, DVD, Telephone, IC Card
Information: Personal Information, Intranet Information, Internet of Things, Digital contents, Map Information
2-2. EU Recommendations for RFID Privacy
European Commission Issues RFID Privacy Recommendations
The document, which spells out ways to protect consumers but also allows for flexibility, should help promote greater implementation of RFID technology.
May 13, 2009
Industry and consumer organizations around Europe welcomed an official "recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification." Issued this week by the European Commission (EC), the document outlines data privacy objectives suggested for use in the organization's 27 member states.
Referenced from RFID Journal http://www.rfidjournal.com/article/articleview/4890/1/1/
2-3. RFID Privacy Law in US
Washington State Adopts Second RFID Privacy Law
The bill, newly signed by the governor, prohibits scanning RFID tags unless they were provided by the business or agency itself.
Apr. 17, 2009
Washington State Governor Christine Gregoire has signed into law a bill prohibiting the scanning of an RFID tag by anyone except the business or agency that issued that tag, with certain exceptions.
Referenced from RFID Journal http://www.rfidjournal.com/article/articleview/4802/1/1/
2-4. An Unscientific Article on RFID and Privacy
A renowned U.S. magazine has published an article by a well-known opponent of RFID that presents a one-sided view of the privacy and security issues associated with RFID.
Aug. 25, 2008
Scientific American by Katherine Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN). The article, included in an issue of the magazine entitled The Future of Privacy, raises some legitimate issues.
Referenced from RFID Journal http://www.rfidjournal.com/article/articleview/4272/1/2/
2-5. RFID Privacy Guideline in APAC
In Japan, the Ministry of Internal Affairs and Communications (MIC) and the Ministry of Economy, Trade and Industry (METI) have issued a non-binding RFID Privacy Guideline based on the national data protection law.
In South Korea, the Ministry of Information and Communication has put forward a similar guideline, which would also be non-binding (see OECD 2006).
Referenced from RFID Prospectives for Germany http://www.bmwi.de/bmwi/redaktion/pdf/publikationen/rfid-prospectives-forgermany,property=pdf,bereich=bmwi,sprache=de,rwb=true.pdf
2-6. RFID Privacy & Security
RFID Privacy & Security Related Topics:
- European Commission Issues New RFID Privacy Recommendations
- US RFID Privacy Law & Anti-Skimming Law
- CASPIAN
- RFID Privacy Guideline in Japan & Korea
Common Concern against RFID Privacy & Security from Consumer's Point of View.
Urgent Requirement to Provide Solution for the Issue in order to Realize Broad Acceptance of RFID Technology.
Privacy Protection & Data Security Standard may be Needed.
3-1. Hitachi RFID Secure Approach
µ-chip series:
- µ-chip Hibiki: 860-960MHz (UHF); ISO/IEC 18000-6 Type C (EPCglobal Gen2); Security: privacy protection, industrial memory area protection
- µ-chip: 2.45GHz; Hitachi proprietary protocol; ROM & Unique ID; Network Based
µ-chip and the µ-chip Logo are either registered Trademarks or Trademarks of Hitachi, Ltd. in Japan and in other countries.
3-2. HIBIKI and Secure RFID Project
Hibiki Project (Aug 2004 ~ July 2006)
Target:
- Inexpensive RFID (5-yen inlay: <5 cent, 100M unit/month)
- Stable Supply (Volume of Production, High Reliability)
- Apply to global business (Global Standard)
Secure RFID Project (Aug 2006 ~ Mar 2007)
Background: Requirement for RFID Privacy and Security from Field Studies
Outline: RFID apply for Manufacture ~ Logistics ~ Retail ~ Recycle
Implementation structure (Formation): Core Company; Cooperate Company: YAGI, IBM
Privacy Protection, Corporate Data Protection
3-3. µ-chip HIBIKI Secure Features
#1 Global Standard: Compliant with EPCglobal C1Gen2 / ISO/IEC 18000-6
#2 Large Size Memory: Total of 2,112 bit Memory
Tag Memory Map:
- Reserved bank (Security): 256 bit
- UII bank: 272 bit
- TID bank: 64 bit
- User bank: 1,536 bit
#3 Security Feature:
- Partitionable User Memory Bank with Individual Read/Write Protection (USER Area: Manufacturer, Logistics, Wholesale Warehouse, Retail Store)
- Read Range Control: Selectable, 3m or 30cm
3-4. HIBIKI Lightweight Security Concept
[Diagram] Product life cycle: Manufacture, Logistics, Retail, Customer, Maintenance, Recycle
Manufacture / Logistics: Data Security by password (IC Tag User Bank Area)
Retail: Privacy Protection (IC Tag: Control Reading Distance); Skimming: Control Reading Distance for Privacy Protection
Lightweight Security enables secure use of RFID in society and accelerates public acceptance of RFID for SCM/LCM.
4-1. RFID Activities in Japanese Industry
[Timeline chart, ~2005 to 2010~]
Consumer Electronics: IC Tag Consortium (SONY, Panasonic, Hitachi etc.); Guideline, Standard; Field Trial (Maintenance); Proof-of-Concept; Field Trial (Product Safety, Recycling); Goal: Roll Out in 2010; Use Case: Closed Loop application (Production Control, Warehouse Management), Roll Out
Publishing: 03/1 IC Tag Study Group; Field Trial; Smart Shelf Field Trials; Recycle/Logistics; Standard Specification of RFID tag for Books; RFID in Comics
Retail / Logistics: Future Store; Use Case: Food Crate Logistics; Field Trial: Shoes Shop; Field Trial: Japan-China-Korea International Logistics
Automotive: Use Case: Returnable Container; Basic Study of RFID Usage (JAPIA, JAMA); Paint & Coating Process, Metal Mold Control, Pallet Control; Roll Out
5-1. Standardization Activity
ISO29167 working group has started compiling DRAFT as security extension to the ISO18000-6 Type C standard.
Hitachi is proposing HIBIKI secure feature for SC31/WG7 activity.
[Timeline chart, 2008 to 2010~]
EPCglobal: CE IAG: Security Requirement, Tag Alteration; Hardware AG: Security Specification
ISO SC31/WG7 (Security), WG4/SG3 (RFID Air Interface): NP WG7: Security; HIBIKI Secure Proposal; WG7 AdHoc; WG7 Established; ISO29167 DRAFT; CD Vote; FCD Vote; FDIS Vote
6-1. Summary
RFID Privacy and Security related Activities in the world:
- European Commission Issues New RFID Privacy Recommendations
- US Several States Adopt RFID Privacy Law & Anti-Skimming
- CASPIAN
- RFID Privacy Guideline by METI & MIC Japan
- etc.
Practical Approach:
- Lightweight Security
- Network based Read-only RFID
- Secure RFID Protocol
- ISO Standardization kicked off
Application Needs Security:
- International Logistics
- Consumer Electronics
- Publishing Industry
- Automotive
- Library
- etc.
6-2. Conclusion
EU-Japan Cooperation
RFID Privacy & Security Standardization
HIBIKI Secure Protocol
Practical Approach
Thank You!
Appendix
A-1. µ-chip HIBIKI Data Protection
USER Bank Memory can be divided into 5 Blocks.
Each Block Supports Block Read/Write Lock (with Custom Command).
Individual Password Protection for each Memory Block (Block1 Password ... Block5 Password).
USER Bank (total 1,536 bit): Common Area (256 bit), Block1 (256 bit), Block2 (256 bit), Block3 (256 bit), Block4 (256 bit), Block5 (256 bit)
Read/Write Lock for each Memory Block (Read lock, Write lock)
A-2. Communication Distance Control
Communication distance is Selectable with R/W Custom Command.
[Diagram: Normal Read Range, Communication Distance 3m (ID:3F1001); Reduce Communication distance; Short Range, 20cm (ID:3F1001); Reactivate]
A-3. Example: Data Security
[Diagram] Parties: Factory, Logistics, Wholesale Warehouse, Retail Store, Consumer
Operations: Write Memory Bank #1, Write Memory Bank #2, Read Memory Bank #1, Read Memory Bank #2; Reduce Read Distance (Retail Store)
Data: Manufacturing information, Shipping information; Manufacturer's Password
HIBIKI Memory Mapping:
- Security Bank
- UII Code Bank
- Tag Code Bank
- Memory Bank #1: Manufacturer's Data Area
- Memory Bank #2: Logistics Data Area
- Memory Bank #3: Wholesale Data Area
- Memory Bank #4: Retailer's Data Area
Read Dedicated Memory; Read/Write Lock control for each memory block
Anti-Counterfeit: Read Manufacturer's data with provided Password for authentication
Data Security: Preventing data skimming by unauthorized seller or personnel
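The per-block lock behaviour of A-1 and the supply-chain scenario of A-3, as an added example that is not taken from the slides or from Hitachi: a toy Python model of the partitioned USER bank. The class and method names, the byte-string password format and the sample payloads are assumptions; the real tag is driven by custom commands whose format the slides do not give.

```python
import hmac

class UserBankModel:
    """Toy model, not Hitachi's protocol: area 0 = common, 1..5 = Block1..Block5."""
    def __init__(self):
        self.data = {area: bytes(32) for area in range(6)}   # 6 x 256 bit = 1,536 bit
        self.passwords = {}   # block -> bytes; the password format is an assumption
        self.locks = {area: set() for area in range(6)}

    def _check(self, block, op, password):
        if op in self.locks[block] and not hmac.compare_digest(
                self.passwords[block], password or b""):
            raise PermissionError(f"{op} of block {block} is locked")

    def lock(self, block, password, read=False, write=False):
        if block not in range(1, 6) or not password:
            raise ValueError("need Block1..Block5 and a non-empty password")
        owner = self.passwords.setdefault(block, password)
        if not hmac.compare_digest(owner, password):
            raise PermissionError("block is owned by another password")
        self.locks[block] = {op for op, on in (("read", read), ("write", write)) if on}

    def write(self, block, payload, password=None):
        if len(payload) > 32:
            raise ValueError("payload exceeds the 256 bit block")
        self._check(block, "write", password)
        self.data[block] = payload.ljust(32, b"\x00")

    def read(self, block, password=None):
        self._check(block, "read", password)
        return self.data[block].rstrip(b"\x00")

def attempt(operation):
    try:
        operation()
        return "allowed"
    except PermissionError:
        return "denied"

def supply_chain_demo():
    """A-3 scenario; passwords and payloads are constructed sample values."""
    tag = UserBankModel()
    tag.write(1, b"LOT-0001")                           # factory data in block 1
    tag.lock(1, b"mfr-secret", read=True, write=True)   # hidden from other parties
    tag.write(2, b"SHIP-42")                            # logistics data in block 2
    tag.lock(2, b"log-secret", write=True)              # readable, not alterable
    return {"authentic": tag.read(1, b"mfr-secret"),
            "skim": attempt(lambda: tag.read(1)),
            "tamper": attempt(lambda: tag.write(2, b"FAKE")),
            "public": tag.read(2)}
```

Block 1 is read- and write-locked, so only the holder of the manufacturer's password can read it, while block 2 is write-locked only and stays readable by every party.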