From Barcodes to the Internet of Things
Patrick Pype, Director European Affairs, NXP Semiconductors
RFID Security: Theory & Practice, Lorentz Center, Leiden, March 28th, 2008
Table of Contents
1. NXP Semiconductors
2. History & Vision
3. Contactless – Benefits & Future Perspectives
4. Impact on Society
5. Privacy & Security Aspects
6. EU RFID Expert Working Group
7. Conclusions
NXP Semiconductors
• Established in 2006 (formerly a division of Philips)
• Builds on a heritage of 50+ years of experience in semiconductors
• Provides engineers and designers with semiconductors and software that deliver better sensory experiences
• Top-10 supplier with Sales of € 4.6 Bln (2007)
• Sales: China 20%, Netherlands 16%, Singapore 9%, USA 8%, Taiwan 8%, South Korea 11%, Germany 6%, Other 22%
• Headquarters: Eindhoven, The Netherlands
• Key focus areas:
– Mobile & Personal, Home, Automotive & Identification, Multimarket Semiconductors
• Owner of NXP Software: a fully independent software solutions company
NXP: leader in contactless technology
• RFID: NXP is market leader
– “NXP Semiconductors Tops New RFID transponder IC Vendor Matrix Ranking”, ABI Research, December 2007
• Public transportation: #1 in transport ticketing ICs
– >650 cities incl. London, Moscow, Atlanta, Sao Paulo, Beijing, Seoul, Taipei, Sydney
• Car immobilizer and keyless entry/go systems: #1 leadership position
• E-government: #1 in ePassport ICs
– 45 of 53 ePassport countries use NXP ICs
• Banking: #1 in contactless bank card ICs
• NFC: Shaper of new global standard
– Click, the BBC Flagship Technology TV Program, names NFC one of the Top Five Technologies for 2008
History of RFID
[Figure: timeline, 1920 to 2020. Labels shown: IFF transponder (WW II); paper by H. Stockman, “Communication by Means of Reflected Power”; US Patent # 2,612,994; 1st commercial use; UPC; US Patent # 3,713,148; Passive Radio Transponder With Memory; US Patent # 4,384,288; RFID abbreviation; expansion of # applications; 1st e-Ticketing (Paris, RATP); 1st e-Passport (Malaysia); NFC Standard]
Identifying people, goods & values
Categories: People; Goods & cattle; Values
Applications:
Passport
ID card
Driver License
Health card
Access Control
Car access & immobilizer
Retail & supply chain
Animal tagging & food safety
Libraries & Rental
Pharma & Proof-of-Originality
Mobile telephony (SIM)
Banking
Transport ticketing
NXP RFID Vision
• 2006: RFID technology today is used for replacing bar codes
• 2012: RFID becomes more powerful and starts to process data on the IC, reducing the need for reader and server power
• 2020: RFID networks allow for peer to peer communication, removing the need for reader infrastructure and servers
… towards “The Internet of Things”
• Any TIME connection: On the move; Outdoors & indoors; Night; Daytime
• Any PLACE connection: On the move; Outdoors; Indoors away from the PC; Indoors at the PC
• Any THING connection: Between PCs; Human2Human, not using a PC; Human2Thing, using generic equipment; Thing2Thing
Contactless offers many benefits
Ease of use, convenience
Fast processing (e.g. for transport ticketing)
Low reader maintenance costs (no mechanics or magnetic heads)
Reliable
Secure (various security levels available depending on application)
Contactless becomes ubiquitous
[Figure: technology used per application over time, each ending in contactless]
• Ski ticketing: mag-stripe, then contactless
• Car Immobilizer: contactless
• Car Access: contactless
• Transport ticketing: visual inspection and mag-stripe, then contactless
• Animal tagging: visual inspection, then contactless
• Libraries & rental: bar code, then contactless
• Banking: mag-stripe and contact, then contactless
• Retail & supply chain: bar code, then contactless
• Passports: visual inspection and machine readable, then contactless
• Access Control: visual inspection and mag-stripe, then contactless
New Markets for RFID plus Sensors
• Value Proposition for Cold Chain: Reduce waste and over-production
• Up to 50% shrinkage in Retail sector linked to perished food; US households waste 43B$ / yr
• Market potential
• With label prices < $0.50 disposable labels will be used on shipments of perishable goods (over 1B/yr)
• Sectors:
– FOOD: bulk produce, meat, poultry, fish
– MEDICAL / PHARMACEUTICALS: vaccines, blood, pharma
– FLORAL: cut flowers
– INDUSTRIAL / OTHER: film, adhesives, paint, chemicals
NFC turns the mobile phone into a contactless Swiss army knife
1 - Card emulation (payment, transport & event ticketing, access, …)
2 - Card reader (smart posters, tagged promotions, authentication, …)
3 - P2P (easy BT/Wifi pairing, games, data exchange, …)
Example: SmartConnect
Secure transactions based on NFC + smart card IC
• Access info on-the-move
– battery-less smart object
• Secure, in combination with Smart Card Technology
– Additional Smart card
– Secure payments
– Transport access
– Building access
– Store digital rights (DRM)
• Peer-to-peer communication
• Mobile payment & transaction
The identification IC market grows fast…
[Figure: chart, Current View (October 2007). Labels shown: “U.S.$ Billions”; vertical axis “Market Value (EUR M)”, 0 to 2500; horizontal axis 2007 to 2011]
… and will be predominantly contactless in 2011
Society benefits are significant …
Saving lives with authenticating medicine
Reduce waste and overproduction (for instance ‘vers schakel’ )
Increasing border and building security
….
…but issues remain
• Technology Choice
– It is not sufficiently clear to many potential adopters which frequency to use
• Europe versus Rest-of-the-World
– Legislation in EU could become more stringent resulting in slower take-off
• Waste Handling
– Separating silicon from glass-based products when embedded could cause issues for glass recycling purposes
• Privacy & Security
– Privacy concerns around the use of RFID and data management
Privacy & Security
What to do?
[Diagram: stakeholders]
• Technology Providers
• System Companies / Service Providers
• Government
• Consumers
• Universities / Research Institutes
• Industry
All to Play a Constructive Role in the
– Debate
– Benefit Thinking
– Problem Solving
Technology Providers
• Need to offer a wide range of IC products with different levels of security, from low to extremely high
– Application security depends on the security of the chip, but also on the security measures in the rest of the system
– Security has a price; the highest security levels are not required for all applications
– Customers (typically the system integrators) select the ICs with the security level fit for their applications & system concept
• Privacy-sensitive information stored on contactless chips requires adequate security
– Technology providers typically offer various security mechanisms and options on contactless chips; customers select the mechanisms and options they want to use in their application
• NXP takes its responsibility, works with governments & authorities, and advises its customers on how to properly protect privacy & security at system-level
RFID tag & Contactless Smart Card technology
[Figure: chart. Horizontal axis: Strength of protection of data privacy and security (WEAK to STRONG). Vertical axis: Sensitivity of typical information stored (LOW to HIGH)]
• Applications plotted: Animal tagging; Inventory tracking; Transportation ticketing; Payment Cards; eGovernment Cards, ePassport; eVisa
• Types of information stored: Unique identifier; Electronic product code; Ticket value; Financial account information; Personal information, Biometric data, Secure keys
Contactless Card IC Portfolio
• MIFARE Ultralight (MF0 U10, MF0 U11)
– HW Crypto: -
– EEPROM: 512 Bit
– Certification: -
– Special Features: -
• MIFARE Ultralight 2 (MF0 U20, MF0 U21)
– HW Crypto: 3DES
– EEPROM: 1500 Bit
– Certification: -
– Special Features: -
• MIFARE Classic (MF1 S20, MF1 S50, MF1 S70)
– HW Crypto: crypto1
– EEPROM: 320B, 1 KB, 4 KB
– Certification: -
– Special Features: -
• MIFARE Plus (MF1 S61, MF1 S71)
– HW Crypto: crypto1, AES
– EEPROM: 2, 4 Kbyte
– Certification: CC EAL 4+
– Special Features: MIFARE Classic compatible
• MIFARE DESFire (MF3 D21, MF3 D41, MF3 D81)
– HW Crypto: 3DES, AES
– EEPROM: 2, 4, 8 Kbyte
– Certification: CC EAL 4+
– Special Features: -
• Contactless Interface: ISO 14443 A (13.56MHz, up to 10cm distance, 106 - 848kBaud)
• Reader IC: MFRC – Family
• Design-In Package: PEGODA (CL RD701)
Technology Providers
Research on different means for enhancing security
– State-of-the-Art encryption methodologies
– Unique Chip Identification through PUF-technology : measure unique & unpredictable physical process technology variations in order to detect a key – avoiding the storage of keys in memories which can be under attack
Open dialogue & cooperation with key universities & research institutes
– Continuous improvement & being ahead of malicious persons (“The Car-Theft Paradigm”)
System Companies / Service Providers
• Need to be informed & aware of various levels of security provided
– The RFID chip as such is “only” a first layer in a total system
– Different security levels can already be offered in the RFID chip
– The database handling & people involved are also key in the total system
• Need to make decision in trade-off space, while maintaining conformity with legislation:
– Level of Security
– Cost
– Risk
Consumers
• Need to be aware of benefits & risks
– Education!
• Objective information handling
– What does it provide?
– What does it not provide?
– How does it compare to other technologies?
• Gradual acceptance building
– From Pilot Demonstrator Projects…
• “Vers Schakel” – RFID in the supply chain of fresh vegetables (with a.o.: NXP, Schuitema, Capgemini, CBL, Heemskerk, Intel, KPN, Wageningen University)
– … to Full Deployment
Government
• Governments should take up responsibility:
– Set legal framework to avoid mis-use of technologies
– Create platform for economic growth of their industry
– Pro-actively define vision of future societies
• Several initiatives are being taken
– US FTC… a good example…: keep-an-eye and take action whenever a need occurs…
– EU RFID Expert Group: investigate societal impact of RFID-usage incl. evolution towards “Internet of Things” Society in cooperation with different stakeholders
– EU Member States
• NL – Platform RFID, College Bescherming Persoonsgegevens
• GE – RFID Informationsforum, BSI (German Federal Office for Information Security)
• etc…
EU RFID Expert Working Group
• Official kick-off: June 2007
• Objective:
– Provide “Recommendation” towards Member States & Stakeholders on the design & operation of RFID applications in a lawful, ethically admissible, and socially and politically accepted way, respecting privacy and ensuring appropriate information security
– Look into different application areas: logistics, working place, government
[Diagram: Industry, Consumer Groups, Standardisation Committees and Member States, plus Invited Speakers, leading to a Set of Guidelines to harmonize amongst Member States, published by European Commission]
Main Items of EU “Recommendation”
No new legislation needed
– “Existing data protection directive is sufficient to protect privacy” (95/46/EC, 99/5/EC, 2002/58/EC)
Need to conduct a “Privacy Impact Assessment” Study
– Fully supported by industry
– Need to further define when “data” becomes “personal data”
Main Items of EU “Recommendation”
Need to further work on “Awareness Raising Activities” / “Best Available Techniques”
– Some Examples :
• Technical Guidelines for Implementation & Utilization of RFID-based Systems (cooperation NXP – German Federal Office for Information Security BSI)
– RFID-usage in eTicketing for Public Transport
– RFID-usage in eTicketing for Stadiums and Events
– NFC-based mobile eTicketing
– RFID-usage in Logistics & Retail
• “Vers Schakel” – RFID in the supply chain of fresh vegetables (with a.o. : NXP, Schuitema, Capgemini, CBL, Heemskerk, Intel, KPN, Wageningen University)
Main Items of EU “Recommendation”
Different rules for different types of applications
– RFID containing Personal Data
– RFID in Retail Sector (“Tagged Items”)
• Need to inform customers about presence of RFID tags / readers -> “logo”
• De-activation (permanent or temporary) on request of customers (“opt-out”) and if it is not a necessary feature of the product behind the Point-of-Sales
Need to enhance R&D work
– “Security & Privacy by Design” principle
– More focus to be put on applied research & pilot trials
Conclusions
• Contactless identification (RFID, NFC, contactless smartcards) offers significant benefits in an increasing number of applications
• The “Internet-of-Things” era is approaching and will become reality
• Industry & Government Officials all over the world should work together to create solutions that ensure that the societal benefits of RFID are gained while ensuring that protecting privacy and advancing security are top priorities along the way.
• All RFID-stakeholders need to educate consumers about RFID and its use in a fact-based manner
Final Remark to Reflect upon…
Not the Technology itself is the Issue,
But it’s the People who are Handling it !