1、BSI Standards PublicationPD CEN/TR 16669:2014Information technology Device interface to supportISO/IEC 18000-3PD CEN/TR 16669:2014 PUBLISHED DOCUMENTNational forewordThis Published Document is the UK implementation of CEN/TR 16669:2014.The UK participation in its preparation was entrusted to Technic
2、al Committee IST/34, Automatic identification and data capture techniques.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct a
3、pplication. The British Standards Institution 2014.Published by BSI Standards Limited 2014ISBN 978 0 580 83894 1ICS 35.240.60Compliance with a British Standard cannot confer immunity from legal obligations.This Published Document was published under the authority of the Standards Policy and Strategy
4、 Committee on 30 June 2014.Amendments/corrigenda issued since publicationDate T e x t a f f e c t e dPD CEN/TR 16669:2014TECHNICAL REPORT RAPPORT TECHNIQUE TECHNISCHER BERICHT CEN/TR 16669 June 2014 ICS 35.240.60 English Version Information technology - Device interface to support ISO/IEC 18000-3 Te
5、chnologies de linformation - Interface de prise en charge dISO/CEI 18000-3 pour les appareils Informationstechnik - Gerteschnittstelle zur Untersttzung von ISO/IEC 18000-3 Mode 3 tags This Technical Report was approved by CEN on 20 January 2014. It has been drawn up by the Technical Committee CEN/TC
6、 225. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
7、Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2014 CEN All rights of exploitat
8、ion in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN/TR 16669:2014 EPD CEN/TR 16669:2014CEN/TR 16669:2014 (E) 2 Contents Page Foreword 4 Introduction .5 1 Scope 6 2 Normative references 6 3 Terms and definitions .6 4 Symbols and Abbreviations .6 5 Executive Summ
9、ary .7 6 Evaluation privacy protection level of ISO/IEC 18000-3 Mode 3 .7 6.1 General 7 6.2 Technology does not depend on a persistent tag id for air interface communications 8 6.3 Support of standardized access passwords 8 6.3.1 ISO/IEC 18000-3 Mode 3 tags 8 6.3.2 Kill password 9 6.3.3 Access passw
10、ord.9 6.4 Support of the Kill function. .9 6.5 Conclusion .9 7 Industry feedback on the need for the device interface 9 7.1 General 9 7.2 General description of system architecture for Library Management Systems 10 7.3 Feedback on various quotes to justify the development of a device interface . 11
11、7.3.1 General . 11 7.3.2 Need for a device interface standard 11 7.3.3 Migration from old to new technology . 11 7.3.4 Inertia associated with any attempt to standardize the device interface 12 7.3.5 Additional security features built into the device interface. 12 7.3.6 Delaying for two years will r
12、esult in a lost opportunity? 12 7.3.7 Leaving operators to choose between the technologies . 12 7.3.8 Standardized device interface to be incorporated into the PIA? . 12 7.3.9 Conclusion 13 8 Industry feedback on features of the device interface as listed in the scope 13 8.1 General . 13 8.2 Feature
13、s of the device interface as listed in the scope 13 8.3 GS1/EPCglobal LLRP and ISO/IEC 24791 14 8.4 Conclusion 15 9 Threats through memory content in library RFID tags . 15 9.1 Analysis . 15 9.2 Conclusion 15 Annex A (Informative) Industry representatives . 16 A.1 Libraries . 16 A.1.1 KopGroep Bibli
14、otheken 16 A.1.2 Stadtbibliothek Hannover 16 PD CEN/TR 16669:2014CEN/TR 16669:2014 (E) 3 A.2 Library RFID System Integrators . 17 A.2.1 Bibliotheca . 17 A.2.2 Nedap 17 A.3 Providers of ISO/IEC 18000-3 readers . 18 A.3.1 Feig . 18 A.3.2 Tagsys Europe . 18 Bibliography 19 PD CEN/TR 16669:2014CEN/TR 16
15、669:2014 (E) 4 Foreword This document (CEN/TR 16669:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC technologies”, the secretariat of which is held by NEN. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or
16、 CENELEC shall not be held responsible for identifying any or all such patent rights. This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2. The other deliverables are: EN 16570, Information technology Notification of RFID The information sign and addit
17、ional information to be provided by operators of RFID application systems EN 16571, Information technology RFID privacy impact assessment process EN 16656, Information technology - Radio frequency identification for item management - RFID Emblem (ISO/IEC 29160:2012, modified) CEN/TR 16684, Informati
18、on technology Notification of RFID Additional information to be provided by operators CEN/TS 16685, Information technology Notification of RFID The information sign to be displayed in areas where RFID interrogators are deployed CEN/TR 16670, Information technology RFID threat and vulnerability analy
19、sis CEN/TR 16671, Information technology Authorisation of mobile phones when used as RFID interrogators CEN/TR 16672, Information technology Privacy capability features of current RFID technologies CEN/TR 16673, Information technology RFID privacy impact assessment analysis for specific sectors CEN/
20、TR 16674, Information technology Analysis of privacy impact assessment methodologies relevant to RFID PD CEN/TR 16669:2014CEN/TR 16669:2014 (E) 5 Introduction In response to the growing deployment of RFID systems in Europe, the European Commission published in 2007 the Communication COM(2007) 96 RFI
21、D in Europe: steps towards a policy framework. This Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst respecting the basic legal framework safeguarding fundamental values such as health, environment, data protection, privacy and security. In December
22、 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of 2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being exe
23、cuted in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187 020, which was published in May 2011. Phase 2 is concerned with the execution of the standar
24、disation work programme identified in the first phase. This Technical Report is related to the development of a Technical Specification to define the device interface to support ISO/IEC 18000-3 Mode 3 tags. The proposed Technical Specification on a device interface was intended to support two high f
25、requency air interface protocols; ISO/IEC 18000-3 mode 1 that has been established and used for 15 years and ISO/IEC 18000-3 mode 3 that is just emerging. The assumption was that ISO/IEC 18000-3 mode 3 would offer greater security and that the protection of the privacy would be better served by it.
26、The proposed device interface is intended as a serious attempt to bring greater control to this highly used air interface protocol. In addition, by developing a device interface that supports both air interface protocols, there is the potential to assist in the migration from the older, and (suggest
27、ed) less secure, technology to a newer and (assumed) more robust technology. Robustness, in this case, is not only of benefit to the operator of the system but also to end users who come into daily contact with the technologies. In the exploration phase to start with the preparations for the Technic
28、al Specification the project team encountered a challenge to translate the specifics of the required device interface features into practical specifications. First it was not clear why ISO/IEC 18000-3 mode 3 would offer greater security to protect the privacy of the consumers. Second it was not obvi
29、ous to which “application” the reader should connect and how the proposed device interface would contribute to improving the privacy protection of the consumer. Therefore the project team decided to consult the industry to get their feedback on the proposed standard for a device interface. The devic
30、e interface is aimed at supporting ISO/IEC 18000-3 technology. The Library industry is by far the largest market for the ISO/IEC 18000-3 tags. Therefore this Technical Report will focus on the value that the proposed device could offer to improve the protection of the privacy of the consumer of the
31、European Library Industry. This Technical Report describes the project teams approach to resolve the challenges. Clause 6 described the evaluation of the privacy protection level of 18000-3 Mode 3. Clause 7 describes the feedback of the industry on the need for the device interface. Clause 8 describ
32、es the feedback of the industry on features of the device interface as listed in the scope. Clause 9 points to some potential threats caused by some of the memory content in library RFID tags. Annex A contains the list of industry representatives who have contributed to the creation of this report.
33、Clause 5 draws the conclusions. PD CEN/TR 16669:2014CEN/TR 16669:2014 (E) 6 1 Scope The scope of this Technical Report is to assess the need to develop a Technical Specification to define an interface that provides RFID system control components with low-level access to RFID interrogators for the pu
34、rpose of optimising RFID data access and control operations. 2 Normative references Not applicable. 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 air interface complete communication link between an Interrogator and a Tag including the phys
35、ical layer, collision-arbitration algorithm, command and response structure, and data-coding methodology 3.2 contactless pertaining to the achievement of signal exchange with and supplying power to the card without the use of galvanic elements (i.e., the absence of an ohmic path from the external in
36、terfacing equipment to the integrated circuit(s) contained within the card) 3.3 interrogator (also known as reader) a transmitter/receiver that reads the contents of RFID tags in the vicinity 3.4 RFID tag an electronic identification device that is made up of a chip and antenna 4 Symbols and Abbrevi
37、ations AFI Application family identifier CRC-5 5 bit Cyclic redundancy check CRC-16 16 bit Cyclic redundancy check (calculated on power-up) CRC-16c 16 bit Cyclic redundancy check (calculated in transmission) CW Continuous Wave ERC European Radiocommunications Committee ETSI European Telecommunicatio
38、ns Specifications Institute HF High frequency LMS Library Management System PC Protocol Control RF Radio frequency SRD Short Range Devices PD CEN/TR 16669:2014CEN/TR 16669:2014 (E) 7 TID Tag-identification or tag identifier, depending on context UHF Ultra High Frequency UID Unique device IDentifier
39、UII Unique Item Identifier XPC Extended Protocol Control XTID Extended TID indicator (see version 1.3 and above of the EPCglobalTMTag Data Standards) 5 Executive Summary The three “assumed“ security features of ISO/IEC 18000-3 mode 3 do not provide any improvement for the protection of the consumers
40、 privacy. The differences between ISO/IEC 18000-3 Mode 1 and Mode 3 are on the physical layer and on the memory addressing. Mode 3 in comparison to Mode 1 does not provide any additional feature that could be used to improve consumer privacy. The device interface will not help to improve the privacy
41、 protection of the European citizen. The feedback from the representatives of the European Library Industry in Clause 7 makes clear that the industry sees neither an advantage nor a need for the proposed standard for it will not improve the privacy protection of the citizen in any way. Besides the f
42、act that the proposed standard will not help to improve the privacy protection of the citizen, the cost of developing and implementing such interface in the existing infrastructure of the RFID Application Software or Library Management Systems would be prohibitive. Therefore CEN/TC 225 Project Team
43、E recommends dropping the development of the proposed device interface standard. 6 Evaluation privacy protection level of ISO/IEC 18000-3 Mode 3 6.1 General The description of Deliverable Task E.4 states: There is one event that might completely change the situation: the introduction of ISO/IEC 1800
44、0-3 Mode 3 air interface protocol and tags. This technology is still in its infancy, but has been developed as the high frequency equivalent of the ISO/IEC 18000-6 Type C technology. It offers higher performance, greater security, and the attributes of medium range reading that has proved acceptable
45、 for many applications. As examples ISO/IEC 18000-3 Mode 3 offers three features not supported by the established high frequency RFID tags: 1) the technology does not depend on a persistent tag id for air interface communications; 2) it supports standardized access passwords; 3) it supports a kill f
46、unction. This is remarkable, because key difference of ISO/IEC 18000-3 Mode 3 versus ISO/IEC 18000-3 Mode 1 is the speed of reading so that more items could be scanned per second. Mode 3 does not offer any more features that can be used to protect the privacy of the consumer. This clause describes t
47、he evaluation if the assumed security features. PD CEN/TR 16669:2014CEN/TR 16669:2014 (E) 8 6.2 Technology does not depend on a persistent tag id for air interface communications ISO/IEC 18000-3 Mode 1 and ISO/IEC 18000-3 Mode 3 have a different way of collision resolution, but in both case the end
48、result is a constant reply that always returns the same number for the tag. Mode 1 tags always return the UID, Mode 3 tags always return the UII. Figure 1 illustrates the interaction between an interrogator and a tag for mode 3 tags. Figure 1 Interaction between interrogator and tag While the UII co
49、uld be empty for the purpose of the anti-collision the TID memory is defined to contain unique information, where read access cannot be prevented. 6.3 Support of standardized access passwords 6.3.1 ISO/IEC 18000-3 Mode 3 tags ISO/IEC 18000-3 Mode 3 tags do support passwords, but they have no relevance for the protection of the consumers privacy. The memory of a Mode 3 tag is logically separated into four distinct banks, as shown in Figure 2. Figure 2 Memory map of ISO/IEC 18000-3 mode 3 tags PD CEN/TR 16669:2014CEN/TR 16669:2