This file represents and organizes security requirements about RFID-related entities or processes.
Most of these requirements have been found in the Security Analysis Report of the Bridge project (currently, essentially its Appendix A). More requirements from my report on "security and RFID" (in French) will be integrated.
The representations specialize those of this general ontology about information security and are written in the FL notation. (These representations are shown below in the courier font; they are enclosed within the XHTML marks <KR> and </KR> so that WebKB-2 can distinguish them from regular text.) The creator (or source) of each representation (category or statement) is represented: the identifier "pm" is used for the author of this document and the identifier "bridge" is used for the Security Analysis Report of the Bridge project.
This file (or, more precisely, the representations within this file) has already been loaded in the knowledge base of WebKB-2. Hence, these representations can be queried, navigated and complemented by anyone using WebKB-2 (e.g., click on the hyperlinks below). This ontology reuses the ontology of WebKB-2, i.e. an extension and correction of WordNet 1.7.
Note: in the FT notation, "A < B" means "A is a subtype of B" and
"A > B C D" should be read "A has for subtypes B, C and D".
By definition, if a type X is a subtype of a type Y, any instance of X (that is, any object of
type X) is an instance of Y. The form "A > {B C D}" means that the subtypes B, C and D are exclusive,
that is, they are not allowed to share subtypes.
When the creator of a relation (e.g., a subtype relation) between two types is not made explicit - and in this file, relation creators are rarely made explicit - the creator of the relation is implicitly the same as the creator of the source category. For example, a statement of the form "creator1#type > creator2#type2" should be read: "according to creator1, creator1#type has for subtype creator2#type2".
An informal definition for a category can be put into its annotation (unlike a comment, an annotation is not discarded during the parsing and is associated with a particular object). In the FT notation, the form "(^...^)" can be used to represent annotations.
The only value of the representations in this section is to relate the categories
from the above section with those of the following sections, and hence to ease navigation.
pm#process_supporting_the_security_of_some_RFID_related_entity_or_process
< pm#process_supporting_the_security_of_a_particular_object,
> pm#process_supporting_the_security_of_some_RFID_element
pm#process_supporting_some_security_attribute_in_some_RFID_related_entity_or_process ;
pm#RFID_related_entity_or_process < pm#thing_needed_for_some_process,
> { bridge#RFID_tag bridge#RFID_reader bridge#RFID_related_network bridge#RFID_related_application};

pm#process_supporting_the_security_of_some_RFID_element
> {pm#process_supporting_the_security_of_some_RFID_tag
pm#process_supporting_the_security_of_some_RFID_reader
pm#process_supporting_the_security_of_some_RFID_related_network
pm#process_supporting_the_security_of_some_RFID_related_application };

//Note: in the FT notation, "X relationName: Y [1..*,1..*]" should be read
// "any instance of X has for relationName at least one instance of Y" and
// "any instance of Y has for relationName at least one instance of Y".

pm#process_supporting_the_security_of_some_RFID_tag
object: bridge#RFID_tag [1..*,1..*], //object or pm#object
> bridge#process_supporting_authentication_in_some_RFID_tag
bridge#process_supporting_the_non-repudiation_of_information_sent_by_some_RFID_tag
//not applicable: bridge#process_supporting_the_access_control_of_some_RFID_tag
bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_tag
bridge#process_supporting_the_confidentiality_of_communication_between_RFID_tag_and_reader
bridge#process_supporting_the_privacy_of_information_in_some_RFID_tag
bridge#process_supporting_the_availability_of_access_to_information_in_some_RFID_tag
bridge#process_supporting_interoperability_from/to_some_RFID_tag;

pm#process_supporting_the_security_of_some_RFID_reader
object: bridge#RFID_reader [1..*,1..*],
> bridge#process_supporting_authentication_in_some_RFID_reader
//not applicable: bridge#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_reader
bridge#process_supporting_the_access_control_of_some_RFID_reader
bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_reader
bridge#process_supporting_the_confidentiality_of_communication_with_a_RFID_reader
bridge#process_supporting_the_privacy_of_information_in_some_RFID_reader
//not applicable: bridge#process_supporting_the_availability_of_some_RFID_reader
bridge#process_supporting_interoperability_from/to_some_RFID_reader;

pm#process_supporting_the_security_of_some_RFID_related_network
object: bridge#RFID_related_network [1..*,1..*],
> bridge#process_supporting_authentication_in_some_RFID_related_network
bridge#process_supporting_the_non-repudiation_of_information_in_some_RFID_related_network
bridge#process_supporting_the_access_control_of_some_RFID_related_network
bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_related_network
bridge#process_supporting_the_confidentiality_of_communication_in_a_RFID_related_network
bridge#process_supporting_the_privacy_of_information_in_some_RFID_related_network
bridge#process_supporting_the_availability_of_some_RFID_related_network
bridge#process_supporting_interoperability_from/to_some_RFID_related_network;

pm#process_supporting_the_security_of_some_RFID_related_application
object: bridge#RFID_related_application [1..*,1..*],
> bridge#process_supporting_authentication_in_some_RFID_related_application
bridge#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_related_application
bridge#process_supporting_the_access_control_of_some_RFID_related_application
bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_related_application
bridge#process_supporting_the_confidentiality_of_communication_between_RFID_related_application_and_network_service
bridge#process_supporting_the_privacy_of_information_in_some_RFID_related_application
bridge#process_supporting_the_availability_of_some_RFID_related_application
bridge#process_supporting_interoperability_from/to_some_RFID_related_application;
pm#process_supporting_some_security_attribute_in_some_RFID_related_entity_or_process
> {pm#process_supporting_authentication_in_some_RFID_related_entity_or_process
pm#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_related_entity_or_process
pm#process_supporting_the_access_control_of_some_RFID_related_entity_or_process
pm#process_supporting_the_integrity_of_information_in/from_some_RFID_related_entity_or_process
pm#process_supporting_the_confidentiality_of_communication_with_some_RFID_related_entity_or_process
pm#process_supporting_the_privacy_of_information_in_some_RFID_related_entity_or_process
pm#process_supporting_the_availability_of_some_RFID_related_entity_or_process
pm#process_supporting_interoperability_from/to_some_RFID_related_entity_or_process };

pm#process_supporting_authentication_in_some_RFID_related_entity_or_process
> bridge#process_supporting_authentication_in_some_RFID_tag
bridge#process_supporting_authentication_in_some_RFID_reader
bridge#process_supporting_authentication_in_some_RFID_related_network
bridge#process_supporting_authentication_in_some_RFID_related_application;

pm#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_related_entity_or_process
> bridge#process_supporting_the_non-repudiation_of_information_sent_by_some_RFID_tag
//not applicable: bridge#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_reader
bridge#process_supporting_the_non-repudiation_of_information_in_some_RFID_related_network
bridge#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_related_application;

pm#process_supporting_the_access_control_of_some_RFID_related_entity_or_process
> //not applicable: bridge#process_supporting_the_access_control_of_some_RFID_tag
bridge#process_supporting_the_access_control_of_some_RFID_reader
bridge#process_supporting_the_access_control_of_some_RFID_related_network
bridge#process_supporting_the_access_control_of_some_RFID_related_application;

pm#process_supporting_the_integrity_of_information_in/from_some_RFID_related_entity_or_process
> bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_tag
bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_reader
bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_related_network_tag
bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_related_application;

pm#process_supporting_the_confidentiality_of_communication_with_some_RFID_related_entity_or_process
> bridge#process_supporting_the_confidentiality_of_communication_between_RFID_tag_and_reader
bridge#process_supporting_the_confidentiality_of_communication_with_a_RFID_reader
bridge#process_supporting_the_confidentiality_of_communication_in_a_RFID_related_network
bridge#process_supporting_the_confidentiality_of_communication_between_RFID_related_application_and_network_service;

pm#process_supporting_the_privacy_of_information_in_some_RFID_related_entity_or_process
> bridge#process_supporting_the_privacy_of_information_in_some_RFID_tag
bridge#process_supporting_the_privacy_of_information_in_some_RFID_reader
bridge#process_supporting_the_privacy_of_information_in_some_RFID_related_network
bridge#process_supporting_the_privacy_of_information_in_some_RFID_related_application;

pm#process_supporting_the_availability_of_some_RFID_related_entity_or_process
> bridge#process_supporting_the_availability_of_access_to_information_in_some_RFID_tag
//not applicable: bridge#process_supporting_the_availability_of_some_RFID_reader
bridge#process_supporting_the_availability_of_some_RFID_related_network
bridge#process_supporting_the_availability_of_some_RFID_related_application;

pm#process_supporting_interoperability_from/to_some_RFID_related_entity_or_process
> bridge#process_supporting_interoperability_from/to_some_RFID_tag
bridge#process_supporting_interoperability_from/to_some_RFID_reader
bridge#process_supporting_interoperability_from/to_some_RFID_related_network_tag
bridge#process_supporting_interoperability_from/to_some_RFID_related_application;
A category identifier may include several names separated by "___".
These names are then synonyms.
A name may be shared by several categories (that is, it may have several meanings).
An identifier has a unique meaning. In a category identifier of the form "creator1#X___Y",
"creator1#X" is also an identifier of the same category but "creator1#Y" is not an identifier
of this category.
Below, names such as "id_req_tag_1" are requirement names coming from the
Security Analysis Report of the Bridge project. All the other names have been invented by "pm" to describe (and make it possible to organize)
the processes described in this report.
bridge#process_supporting_authentication_in_some_RFID_tag___id_req_tag_1
> bridge#process_permitting_an_RFID_tag_to_prove_its_identity_to_an_RFID_reader
bridge#process_permitting_an_RFID_tag_to_ask_its_identity_to_an_RFID_reader___TC2
bridge#process_preventing_an_RFID_tag_to_be_moved_to_another_product___TI3
bridge#process_ensuring_that_an_RFID_tag_has_only_one_EPC___TI4
bridge#process_verifying_an_RFID_tag_after_its_writing___TI5
bridge#process_authenticating_an_RFID_tag___TI6
bridge#process_preventing_an_RFID_tag_to_be_cloned___TI7;
bridge#process_supporting_the_non-repudiation_of_information_sent_by_some_RFID_tag___id_req_tag_5
(^A reader that includes signature functionality must request that a tag signs information sent to it. With the signature, a reader can prove that a specific tag has communicated with it.^);
bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_tag___id_req_tag_7
(^Tag must be secured against malicious writing of EPC.^)
> bridge#process_securing_an_RFID_tag_against_the_malicious_writing_of_its_EPC___TI2
bridge#process_protecting_an_RFID_tag_when_moving_from_closed_to_open_loop___TI8
bridge#process_protecting_an_RFID_tag_when_moving_from_open_to_closed_loop___TC4;
bridge#process_supporting_the_confidentiality_of_communication_between_RFID_tag_and_reader___id_req_tag_2
(^Communication between tag and reader must be encrypted for applications that need to prevent eavesdropping of the contact-less channel.^);
bridge#process_supporting_the_privacy_of_information_in_some_RFID_tag___id_req_tag_4
> bridge#process_permitting_to_disable_an_RFID_tag_when_it_is_not_within_company-influence;
bridge#process_permitting_to_disable_an_RFID_tag_when_it_is_not_within_company-influence___TC1
> bridge#process_permitting_to_disable_an_RFID_tag_when_it_is_sold_to_a_final_user___TC3;
bridge#process_supporting_the_availability_of_access_to_information_in_some_RFID_tag___id_req_tag_3___TI1
(^Tags should not be disabled when product is being used by business process.^);
bridge#process_supporting_interoperability_from/to_some_RFID_tag___id_req_tag_8
(^The tag must comply with EPC, maybe with temporary IDs, or restrict access to some protected memory only to authenticated readers. This allows to apply secure tags in standard supply chains but makes secure operation possible (e.g. after POS).^)
> bridge#process_permitting_a_secure_RFID_tag_to_operate_with_existing_insecure_readers___TO1;
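The notation rules stated in this file (subtype links with "<" and ">", exclusive "{...}" groups, "(^...^)" annotations, discarded "//" comments, "___"-separated synonyms) are enough to build a requirement-to-category index and to check exclusivity mechanically. The following Python is an added example, not part of the original file and not WebKB-2's parser; it handles only those rules (relations such as "object:" are ignored) and its function names are assumptions.

```python
import re
from itertools import combinations
# Constructed input: three statements copied from this page, plus one "//" comment line.
SAMPLE = """
bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_tag___id_req_tag_7
(^Tag must be secured against malicious writing of EPC.^)
> bridge#process_securing_an_RFID_tag_against_the_malicious_writing_of_its_EPC___TI2
bridge#process_protecting_an_RFID_tag_when_moving_from_closed_to_open_loop___TI8
bridge#process_protecting_an_RFID_tag_when_moving_from_open_to_closed_loop___TC4;
//not applicable: bridge#process_supporting_the_access_control_of_some_RFID_tag
bridge#process_supporting_the_privacy_of_information_in_some_RFID_tag___id_req_tag_4
> bridge#process_permitting_to_disable_an_RFID_tag_when_it_is_not_within_company-influence;
pm#RFID_related_entity_or_process < pm#thing_needed_for_some_process,
> {bridge#RFID_tag bridge#RFID_reader bridge#RFID_related_network bridge#RFID_related_application};
"""

def split_identifier(ident):
    """'creator#X___Y' -> ('creator#X', ['X', 'Y']); only creator#X identifies the category."""
    creator, _, rest = ident.partition("#")
    names = rest.split("___")
    return f"{creator}#{names[0]}", names

def parse(text):
    notes, cats = [], {}
    def stash(m):                      # annotations are kept: replace each by a "@n" token
        notes.append(" ".join(m.group(1).split()))
        return f" @{len(notes) - 1} "
    def cat(ident):                    # register a category under its first name
        primary, names = split_identifier(ident)
        rec = cats.setdefault(primary, {"names": set(), "sub": set(),
                                        "exclusive": [], "annotation": None})
        rec["names"].update(names)
        return primary
    text = re.sub(r"\(\^(.*?)\^\)", stash, text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)          # comments are discarded
    for stmt in text.split(";"):
        tokens = re.findall(r"[<>{}]|[^\s<>{},]+", stmt)
        if not tokens:
            continue
        src, direction, group = cat(tokens[0]), None, None
        for tok in tokens[1:]:
            if tok in ("<", ">"):
                direction = tok
            elif tok == "{":
                group = []
                cats[src]["exclusive"].append(group)
            elif tok == "}":
                group = None
            elif tok.startswith("@"):
                cats[src]["annotation"] = notes[int(tok[1:])]
            elif direction:            # a type name following "<" or ">"
                other = cat(tok)
                up, down = (src, other) if direction == ">" else (other, src)
                cats[up]["sub"].add(down)
                if group is not None:
                    group.append(other)
    return cats

def descendants(cats, ident):
    seen, todo = set(), [ident]
    while todo:
        new = cats[todo.pop()]["sub"] - seen
        seen |= new
        todo.extend(new)
    return seen

def exclusivity_violations(cats):  # (a, b, shared): 'shared' sits under two exclusive siblings
    closure = lambda c: descendants(cats, c) | {c}
    return [(a, b, s) for rec in cats.values() for group in rec["exclusive"]
            for a, b in combinations(group, 2) for s in sorted(closure(a) & closure(b))]

def requirement_index(cats):  # Bridge requirement name -> identifier of the category it names
    return {n: ident for ident, rec in cats.items()
            for n in rec["names"] if n.startswith("id_req_")}
```

`requirement_index(parse(SAMPLE))` maps id_req_tag_7 and id_req_tag_4 to their categories, and `exclusivity_violations` returns an empty list unless some category is declared under two members of an exclusive group.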
bridge#process_supporting_authentication_in_some_RFID_reader___id_req_rea_1___RC3
(^Mechanisms must be in place for an RFID reader to authenticate its identity and function, to tags and network components^);

bridge#process_supporting_the_access_control_of_some_RFID_reader___id_req_rea_6
(^The reader must implement access control on any interfaces that allow the modification of reader operation or access to internal information.^)
> bridge#process_forbidding_corrupted_or_fake_readers_to_access_internal_business___RC2;

bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_reader___id_req_rea_7___R12
(^Injection of data from readers needs to be controlled in order to avoid the data corruption with false information.^)
> bridge#process_permitting_RFID_reader_to_read_and_correctly_transmit_tag_information___RI3
bridge#process_protecting_companies_internal_systems_from_attacks_by_corrupted_malicious_or_fake_RFID_readers___RI1
bridge#process_preventing_an_RFID_reader_to_allow_injection_attacks_from_malicious_tag_data___RO3
bridge#process_preventing_a_compromised_RFID_reader_to_provide_means_to_attack_other_IT_systems___RO2;

bridge#process_supporting_the_confidentiality_of_communication_with_a_RFID_reader___id_req_rea_2
> bridge#process_permitting_an_RFID_reader_to_identify_in_which_way_the_tag_information_is_encoded_and_to_implement_different_protocols_simultaneously___id_req_rea_2
bridge#process_forbidding_corrupted_readers_to_eavesdrop_on_tag_events___RC1;

bridge#process_supporting_the_privacy_of_information_in_some_RFID_reader
> bridge#identification_or_use_by_a_RFID_reader_of_the_right_password_or_shared_secret_for_communications
bridge#secure_storage_of_the_secret_information_by_a_RFID_reader;

bridge#identification_or_use_by_a_RFID_reader_of_the_right_password_or_shared_secret_for_communications___id_req_rea_4a
(^The reader must be able to identify which secret should be applied to encoded information. The right password or shared secret should be provided to the right reader with secure communication.^);

bridge#secure_storage_of_the_secret_information_by_a_RFID_reader___id_req_rea_4b
(^The secret information required to decode the tag must be maintained in a secure memory part of the reader. A secret can not be disclosed to the wrong application, user or reader owner.^);

bridge#process_supporting_interoperability_from/to_some_RFID_reader
> bridge#process_supporting_the_compliance_of_some_RFID_reader_with_some_reading_policy
bridge#process_permitting_a_secure_RFID_reader_to_operate_with_secure_and_insecure_RFID_tags;

bridge#process_supporting_the_compliance_of_some_RFID_reader_with_some_reading_policy___id_req_rea_8a
(^It is mandatory to provide a mechanism to guarantee that the RFID reader complies with a specific reading policy in support of fair information practice principles.^);

bridge#process_permitting_a_secure_RFID_reader_to_operate_with_secure_and_insecure_RFID_tags___id_req_rea_8b___RO1
(^Secure reader should be able to operate with secure and insecure RFID tags.^);
bridge#process_supporting_authentication_in_some_RFID_related_network___id_req_net_1
(^Mutual authentication between the parties which takes part in EPC data communication. A large size scalable authentication infrastructure must be used.^)
> bridge#process_authenticating_network_transactions_in_some_RFID_related_network___N17
bridge#process_authenticating_client_queries_in_some_RFID_related_network___NC2
bridge#process_ensuring_that_the_origin_of_event_in_an_RFID_related_network_is_provable___NI3;

bridge#process_supporting_the_non-repudiation_of_information_in_some_RFID_related_network___id_req_net_5
(^Data contributions to the system must be signed in order that individual parties can be held accountable for the quality of the data they provide. There must be accountability for data validity (N19)^);

bridge#process_supporting_the_access_control_of_some_RFID_related_network___id_req_net_6
(^Information shares must own the capability to specify the conditions under which they want to share the data. These rules must be managed by sound access controls mechanism.^)
> bridge#process_using_transport_security_to_complement_EPC_network_component_security___NI8___NC5
bridge#process_securing_event_collection_in_some_RFID_related_network___NC1
bridge#process_allowing_companies_to_choose_who_to_trust_with_hosted_data_in_some_RFID_related_network___NC3
bridge#process_allowing_companies_to_have_withdrawal_and_access_control_over_their_hosted_data_in_some_RFID_related_network___NC4;

bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_related_network
> bridge#process_supporting_only_authorized_and_accurate_registration_of_EPC_ISs_in_a_DS
bridge#process_supporting_the_visibility_and_up-to_date_nature_of_information_in_some_RFID_related_network
bridge#process_and__RFID_infrastructure_allowing_effective_anti-counterfeiting_through_multiparty_track_and_trace_information___NI2
bridge#process_allowing_only_secure_updates_to_prevent_data_corruption_in_RFID_related_network___NI4
bridge#process_making_trusted_parties_validate_received_data_in_RFID_related_network___NI5
bridge#process_ensuring_that_network_transactions_are_well_formed___NI6;

bridge#process_supporting_only_authorized_and_accurate_registration_of_EPC_ISs_in_a_DS___id_req_net_7a
(^Only authorized parties must be allowed to register their EPC ISs with a DS in such a way that parties can not be injected selfishly and inaccurate information into the system.^);

bridge#process_supporting_the_visibility_and_up-to_date_nature_of_information_in_some_RFID_related_network___id_req_net_7b
(^A client's access rights must be able to access 'all' the data she is entitled to. In order to prevent from data inconsistency the information must be up-to-date.^);

bridge#process_supporting_the_confidentiality_of_communication_in_a_RFID_related_network___id_req_net_2
(^A scalable confidential architecture must be used. The external transaction through the interfaces among discovery services and other parties, i.e., queries and updates must be confidential with accordance to the security policies which should set the fields of the DS record to be protected.^);

bridge#process_supporting_the_privacy_of_information_in_some_RFID_related_network
> bridge#process_supporting_anonymous_data_transactions_in_some_RFID_related_network;

bridge#process_supporting_anonymous_data_transactions_in_some_RFID_related_network___id_req_net_4
(^A party should not have to disclose its real identity. The EPC network elements must implement access control and authentication mechanism by which anonymous data transactions can be feasible.^);

bridge#process_supporting_the_availability_of_some_RFID_related_network___id_req_net_3___NI1___NO1
(^EPICS systems must be resilient to Internet/local (Distributed) Denial of Service attack or failure of components, and provide back-ups facilities in order to avoid unavailability at any time.^);

bridge#process_supporting_interoperability_from/to_some_RFID_related_network___id_req_net_8___NO2
(^Network components should be built upon existing standards and frameworks for identity and access control.^);
bridge#process_supporting_authentication_in_some_RFID_related_application___id_req_app_1
(^Users must own a single credential and must authenticate to the application to which want to get access.^)
> bridge#process_detecting_a_RFID_tag_movement_between_products___AI2
bridge#process_detecting_a_RFID_cloned_tag___AI3
bridge#process_supporting_authentication_between_partners_before_a_RFID_related_communication_between_companies___AI4___AC1
bridge#process_allowing_a_company_to_track_and_trace_an_RFID_related_product_in_order_to_verify_its_authenticity___AI5
bridge#process_or_architecture_ensuring_that_RFID_related_changes_and_access_can_be_traced_back_to_specific_identities___AI6
bridge#process_recording_EPCs_in_business_transactions___AI7
bridge#process_supporting_the_validation_and_audit_of_business_transactions___AI8
bridge#process_ensuring_that_data_is_transferred_only_with_clear_destination_and_usage___AC2
pm#process_ensuring_that_a_RFID_tag_is_destroyed_when_it_is_disposed_of
pm#process_hiding_the_way_RFID_tag_identifiers_are_generated_in_a_company
pm#process_allowing_to_delete_all_information_related_to_a_tag_when_a_tag_is_killed;

bridge#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_related_application___id_req_app_5
(^The parties which update DS records must be accountable for this fact. Likewise, the responsibility which the parties own in order not to refuse having receive queries at any time.^);

bridge#process_supporting_the_access_control_of_some_RFID_related_application___id_req_app_6
(^Employee and application user must own an access rights depending on the roles assigned by the valid authority in charge of the EPC application.^);

bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_related_application___id_req_app_7
(^privacy concerns of companies and customer must be achieved by assuring the integrity of the relevant data collected. To facilitate a bridge#process_supporting_the_availability_of_some_RFID_related_application, the collected data must fulfill the following features: 1) data collected should be adequate, relevant, and not excessive, 2) data should not be kept longer than necessary, 3) companies and customers have the right to know data about them or their products is stored, 4) data collected should be processed for a specific purpose (e.g. data mining to infer new, unauthorized data shouldn't be permitted or feasible).^)
> bridge#process_verifying_RFID_related_product_characteristics___AI1
bridge#process_guaranteing_the_completeness_of_records___AI9;

bridge#process_supporting_the_confidentiality_of_communication_between_RFID_related_application_and_network_service___id_req_app_2
(^interfaces should assure confidentiality in the exchange data between the applications and the network services.^);

bridge#process_supporting_the_privacy_of_information_in_some_RFID_related_application___id_req_app_4
> bridge#process_preventing_anyone_to_know_if_another_use_of_some_RFID_discovery_service_is_made;

bridge#process_preventing_anyone_to_know_if_another_use_of_some_RFID_discovery_service_is_made
(^The parties interacting with DS should not be able to see from the usage of DS whether or not another party is querying or updating the DS.^);

bridge#process_supporting_the_availability_of_some_RFID_related_application___id_req_app_3
(^DS must be able to provide mechanism whereby prevent users from monopolising the resources.^);

bridge#process_supporting_interoperability_from/to_some_RFID_related_application___id_req_app_8
(^Even though any new security mechanisms and trust models affect the in place mechanisms and the current applications and in order to avoid high cost application migration, the interoperability should not only considered at intra-organizational level.^);