Title: RFID BASICS

In this section some general principles and basics of RFID systems are described.

As with all other IT systems, RFID systems can vary in terms of complexity and implementation. However, NIST have defined the following common subsystem building-blocks: 

1. The RF subsystem. This subsystem consists of the RFID tag and the RFID reader and is the part that performs identification and related transactions over a wireless interface. In this document we will interchangeably use the term RFID-system or Front end –system for this subsystem.

2. The enterprise subsystem. This subsystem comprises the computers and software necessary to process and store data acquired from the RF subsystem. 

3. The inter-enterprise subsystem. This subsystem is used to connect different enterprise subsystems to each other if information needs to be shared between organisations. In this document we will collectively refer to the enterprise subsystem and the inter-enterprise subsystem as the backend system. 

RFID tags in general come in many different types and have different characteristics regarding e.g. power source, operating frequency and functionality. Thus they can be classified in a number of different ways. A common way to classify RFID tags in a general way is to divide them into active or passive tags. Active RFID tags have a permanent power supply. Hence these tags can perform “computations” continuously and independent from the environment.  

Active tags also have in general much more computation power compared to passive ones. Hence they can do much better cryptographic operations.  

Both properties make active tags much more appropriated for applying security and privacy protecting mechanisms. But on the other hand active tags are orders of magnitude larger than passive ones. Therefore they could not be used in most of the privacy threatened areas of application like unique tagging of objects. 

Passive tags can from a privacy and security standpoint be further divided into: 

1. basic, very low-cost tags: tags which can mainly store some hundreds bits and can execute only very limited operations which are far behind the needs for even basic cryptography

2. symmetric-key, low-cost tags: tags which can do basic symmetric-key cryptographic operations

3. public-key, more expensive tags: tags which can also do public-key cryptography.

According to NIST “the most prominent industry standard for RFID are the EPCglobal specifications and standards for supply chain and patient safety applications”. EPCglobal divides the tags into different classes. Tags belonging to the EPCglobal Class-0 or Class-1 of the first generation have no security functionality. Tags adherent to the EPCglobal Class-1 generation 2 standard implement a 32 bit long password which can be used to trigger the kill process, which is used to deactivate a tag. Basic symmetric cryptographic functionality is integrated into EPCglobal Class-2 tags, as well as some form of authenticated access control, but no details are given by the specification.

The operating distance, data transfer speed and tag reading speed of an RFID-system is dependent on the radio frequency of the tag. In general one could say that the higher the frequency the higher the data transfer speed and the tag reading speed. High frequency tags are also usually designed to operate over longer distances . However, high frequencies are also easier blocked or weakened by obstacles in the signal path. Table 1 summarises the frequencies and give application examples for the different ranges.

Table 1: RFID frequencies  

RFID readers (or more precise the infrastructure part of the overall RFID system) can mainly be divided into online and offline ones. Online RFID readers offer in general much more design options, because they can communicate with whatever is necessary to achieve certain security or privacy goals. They have for instance full access to the whole backend system, which can store all necessary data (like cryptographic keys, certificates etc.).

Required data can be stored on the RFID tag itself, or in some backend database using the tag identifier as the primary key. Right now storing the data in central databases and getting the data on-demand is more popular than storing data on tags, mainly because low-cost tags have a very small storage capacity. Other reasons are that holding data in more or less central databases offers the possibility of seamless data and software updates, as well as extended access control. Furthermore, one can argue that central databases are superior in terms of securing the data against attackers. Of course there have been a lot of examples of security breaches lately at big (banking) companies who could not protect user data in their databases.