Post on 25-Mar-2018

From Barcodes to the Internet of Things

Patrick Pype
Director European Affairs
NXP Semiconductors

RFID Security: Theory & Practice
Lorentz Center, Leiden, March 28th, 2008

Table of Contents

1. NXP Semiconductors

2. History & Vision

3. Contactless – Benefits & Future Perspectives

4. Impact on Society

5. Privacy & Security Aspects

6. EU RFID Expert Working Group

7. Conclusions

NXP Semiconductors

Established in 2006 (formerly a division of Philips)

Builds on a heritage of 50+ years of experience in semiconductors

Provides engineers and designers with semiconductors and software that deliver better sensory experiences

Top-10 supplier with sales of € 4.6 Bln (2007)

Sales: China 20%, Netherlands 16%, Singapore 9%, USA 8%, Taiwan 8%, South Korea 11%, Germany 6%, Other 22%

Headquarters: Eindhoven, The Netherlands

Key focus areas:

– Mobile & Personal, Home, Automotive & Identification, Multimarket Semiconductors

Owner of NXP Software: a fully independent software solutions company

NXP: leader in contactless technology

RFID: NXP is market leader

– “NXP Semiconductors Tops New RFID transponder IC Vendor Matrix Ranking”, ABI Research, December 2007

Public transportation: #1 in transport ticketing ICs

– >650 cities incl. London, Moscow, Atlanta, Sao Paulo, Beijing, Seoul, Taipei, Sydney

Car immobilizer and keyless entry/go systems: #1 leadership position

E-government: #1 in ePassport ICs

– 45 of 53 ePassport countries use NXP ICs

Banking: #1 in contactless bank card ICs

NFC: Shaper of new global standard

– Click, the BBC Flagship Technology TV Program, names NFC one of the Top Five Technologies for 2008

History of RFID

[Figure: timeline from 1920 to 2020. Milestones shown: IFF transponder (WW II); paper by H. Stockman, “Communication by Means of Reflected Power”; US Patent # 2,612,994; UPC; US Patent # 3,713,148; Passive Radio Transponder With Memory; US Patent # 4,384,288; RFID abbreviation; 1st commercial use; expansion of # applications; 1st e-Ticketing (Paris, RATP); 1st e-Passport (Malaysia); NFC Standard.]

Identifying people, goods & values

People / Goods & cattle / Values

Passport

ID card

Driver License

Health card

Access Control

Car access & immobilizer

Retail & supply chain

Animal tagging & food safety

Libraries & Rental

Pharma & Proof-of-Originality

Mobile telephony (SIM)

Banking

Transport ticketing

NXP RFID Vision

Timeline: 2006, 2012, 2020

RFID becomes more powerful and starts to process data on the IC, reducing the need for reader and server power

RFID technology today is used for replacing bar codes

RFID networks allow for peer to peer communication, removing the need for reader infrastructure and servers

… towards “The Internet of Things”

[Figure: three dimensions of connectivity.]

Any TIME connection: on the move; outdoors & indoors; night; daytime

Any PLACE connection: on the move; outdoors; indoors away from the PC; indoors at the PC

Any THING connection: between PCs; Human2Human, not using a PC; Human2Thing, using generic equipment; Thing2Thing

Contactless offers many benefits

Ease of use, convenience

Fast processing (e.g. for transport ticketing)

Low reader maintenance costs (no mechanics or magnetic heads)

Reliable

Secure (various security levels available depending on application)

Contactless becomes ubiquitous

[Figure: technologies used per application along a time axis.]

Ski ticketing: mag-stripe, contactless

Car immobilizer: contactless

Car access: contactless

Transport ticketing: visual inspection, mag-stripe, contactless

Animal tagging: visual inspection, contactless

Libraries & rental: bar code, contactless

Banking: mag-stripe, contact, contactless

Retail & supply chain: bar code, contactless

Passports: visual inspection, machine readable, contactless

Access control: visual inspection, mag-stripe, contactless

New Markets for RFID plus Sensors

• Value Proposition for Cold Chain : Reduce waste and over-production

• Up to 50% shrinkage in Retail sector linked to perished food; US households waste 43B$ / yr

• Market potential

• With label prices < $0.50, disposable labels will be used on shipments of perishable goods (over 1B/yr)

FOOD: BULK PRODUCE, MEAT, POULTRY, FISH

MEDICAL / PHARMACEUTICALS: VACCINES, BLOOD, PHARMA

FLORAL: CUT FLOWERS

INDUSTRIAL / OTHER: FILM, ADHESIVES, PAINT, CHEMICALS

NFC turns the mobile phone into a contactless Swiss army knife

1 - Card emulation (payment, transport & event ticketing, access, …)

2 - Card reader (smart posters, tagged promotions, authentication, …)

3 - P2P (Easy BT/Wifi pairing, games, data exchange, …)

Example: SmartConnect

Secure transactions based on NFC + smart card IC

Access info on-the-move

battery-less smart object

Secure in combination with Smart Card Technology

Additional Smart card

– Secure payments

– Transport access

– Building access

– Store digital rights (DRM)

Peer-to-peer communication

Mobile payment & transaction

The identification IC market grows fast…

… and will be predominantly contactless in 2011

[Chart: “Current View (October 2007)”, years 2007 to 2011, vertical axis “Market Value (EUR M)” from 0 to 2500. The slide also carries the label “U.S.$ Billions”.]

We are over the technology chasm …

Source – Geoffrey Moore, The Chasm Group

We Are Here

Society benefits are significant …

Saving lives with authenticating medicine

Reduce waste and overproduction (for instance ‘vers schakel’ )

Increasing border and building security

….

…but issues remain

Technology Choice

– It is not sufficiently clear to many potential adopters which frequency to use

Europe versus Rest-of-the-World

– Legislation in EU could become more stringent resulting in slower take-off

Waste Handling

– Separating silicon from glass-based products when embedded could cause issues for glass recycling purposes

Privacy & Security

– Privacy concerns around the use of RFID and data management

Privacy & Security

What to do?

Stakeholders: Technology Providers; System Companies; Service Providers; Government; Consumers; Universities; Research Institutes; Industry

All to play a constructive role in the

- Debate

- Benefit Thinking

- Problem Solving

Technology Providers

Need to offer a wide range of IC products with different levels of security, from low to extremely high

– Application security depends on the security of the chip, but also on the security measures in the rest of the system

– Security has a price; the highest security levels are not required for all applications

– Customers (typically the system integrators) select the ICs with the security level fit for their applications & system concept

Privacy-sensitive information stored on contactless chips requires adequate security

– Technology providers typically offer various security mechanisms and options on contactless chips; customers select the mechanisms and options they want to use in their application

NXP takes its responsibility and works with governments & authorities and advises its customers on how to properly protect privacy & security at system-level

RFID tag & Contactless Smart Card technology

[Chart: sensitivity of typical information stored (LOW to HIGH) against strength of protection of data privacy and security (WEAK to STRONG).]

Applications shown: animal tagging, inventory tracking, transportation ticketing, payment cards, eGovernment cards, ePassport, eVisa

Information shown: unique identifier, electronic product code, ticket value, financial account information, personal information, biometric data, secure keys

Contactless Card IC Portfolio

Contactless interface: ISO 14443 A (13.56 MHz, up to 10 cm distance, 106 - 848 kBaud)

MIFARE Ultralight (MF0 U10, MF0 U11): HW crypto -; EEPROM 512 Bit; certification -; special features -

MIFARE Ultralight 2 (MF0 U20, MF0 U21): HW crypto 3DES; EEPROM 1500 Bit; certification -; special features -

MIFARE Classic (MF1 S20, MF1 S50, MF1 S70): HW crypto crypto1; EEPROM 320B, 1 KB, 4 KB; certification -; special features -

MIFARE Plus (MF1 S61, MF1 S71): HW crypto crypto1, AES; EEPROM 2, 4 Kbyte; certification CC EAL 4+; special features MIFARE Classic compatible

MIFARE DESFire (MF3 D21, MF3 D41, MF3 D81): HW crypto 3DES, AES; EEPROM 2, 4, 8 Kbyte; certification CC EAL 4+; special features -

Reader IC: MFRC family

Design-In Package: PEGODA (CL RD701)

Technology Providers

Research on different means for enhancing security

– State-of-the-Art encryption methodologies

– Unique Chip Identification through PUF-technology : measure unique & unpredictable physical process technology variations in order to detect a key – avoiding the storage of keys in memories which can be under attack

Open dialogue & cooperation with key universities & research institutes

– Continuous improvement & being ahead of malicious persons (“The Car-Theft Paradigm”)

System Companies / Service Providers

Need to be informed & aware of various levels of security provided

– The RFID chip as such is “only” a first layer in a total system

– Different security levels can already be offered in the RFID chip

– The database handling & people involved are also key in the total system

Need to make a decision in the trade-off space, while maintaining conformity with legislation:

– Level of Security

– Cost

– Risk

Consumers

Need to be aware of benefits & risks

– Education!

Objective information handling

– What does it provide?

– What does it not provide?

– How does it compare to other technologies?

Gradual acceptance building

– From Pilot Demonstrator Projects…

• “Vers Schakel” – RFID in the supply chain of fresh vegetables (with a.o. : NXP, Schuitema, Capgemini, CBL, Heemskerk, Intel, KPN, Wageningen University)

– … to Full Deployment

Government

Governments should take up responsibility:

– Set legal framework to avoid misuse of technologies

– Create platform for economic growth of their industry

– Pro-actively define vision of future societies

Several initiatives are being taken

– US FTC… a good example…: keep-an-eye and take action whenever a need occurs…

– EU RFID Expert Group: investigate societal impact of RFID-usage incl. evolution towards “Internet of Things” Society in cooperation with different stakeholders

– EU Member States

• NL - Platform RFID, College Bescherming Persoonsgegevens

• GE – RFID Informationsforum, BSI (German Federal Office for Information Security)

• etc…

EU RFID Expert Working Group

Official kick-off: June 2007

Objective:

– Provide “Recommendation” towards Member States & Stakeholders on the design & operation of RFID applications in a lawful, ethically admissible, and socially and politically accepted way, respecting privacy and ensuring appropriate information security

– Look into different application areas: logistics, working place, government

Set of Guidelines to harmonize amongst Member States, published by European Commission

Participants: Industry, Consumer Groups, Standardisation Committees, Member States, + Invited Speakers

Main Items of EU “Recommendation”

No new legislation needed

– “Existing data protection directive is sufficient to protect privacy” (95/46/EC, 99/5/EC, 2002/58/EC)

Need to conduct a “Privacy Impact Assessment” Study

– Fully supported by industry

– Need to further define when “data” becomes “personal data”

Need to further work on “Awareness Raising Activities” / “Best Available Techniques”

– Some Examples :

• Technical Guidelines for Implementation & Utilization of RFID-based Systems (cooperation NXP – German Federal Office for Information Security BSI)

– RFID-usage in eTicketing for Public Transport

– RFID-usage in eTicketing for Stadiums and Events

– NFC-based mobile eTicketing

– RFID-usage in Logistics & Retail

• “Vers Schakel” – RFID in the supply chain of fresh vegetables (with a.o. : NXP, Schuitema, Capgemini, CBL, Heemskerk, Intel, KPN, Wageningen University)

Different rules for different types of applications

– RFID containing Personal Data

– RFID in Retail Sector (“Tagged Items”)

• Need to inform customers about presence of RFID tags / readers -> “logo”

• De-activation (permanent or temporary) on request of customers (“opt-out”) and if it is not a necessary feature of the product behind the Point-of-Sales

Need to enhance R&D work

– “Security & Privacy by Design” principle

– More focus to be put on applied research & pilot trials

Conclusions

• Contactless identification (RFID, NFC, contactless smartcards) offers significant benefits in an increasing number of applications

• The “Internet-of-Things” era is approaching and will become reality

• Industry & Government Officials all over the world should work together to create solutions that ensure that the societal benefits of RFID are gained while ensuring that protecting privacy and advancing security are top priorities along the way.

• All RFID-stakeholders need to educate consumers about RFID and its use in a fact-based manner

Final Remark to Reflect upon…

Not the Technology itself is the Issue,

But it’s the People who are Handling it !
