Semantic classification of security requirements
about RFID-related entities or processes

Dr Ph. MARTIN, March 2008

This file represents and organizes security requirements about RFID-related entities or processes. Most of these requirements have been found in the Security Analysis Report of the Bridge project (currently, essentially its Appendix A).
More requirements from my report on "security and RFID" (in French) will be integrated.

The representations written here specialize those of this general ontology about information security and use the FL notation. (These representations are shown below in the courier font; they are enclosed within the XHTML tags <KR> and </KR> so that WebKB-2 can distinguish them from regular text.) The creator (or source) of each representation (category or statement) is represented: the identifier "pm" is used for the author of this document and the identifier "bridge" for the Security Analysis Report of the Bridge project.

This file (or, more precisely, the representations within this file) has already been loaded into the knowledge base of WebKB-2. Hence, these representations can be queried, navigated and complemented by anyone using WebKB-2 (e.g., by clicking on the hyperlinks below). This ontology reuses the ontology of WebKB-2, i.e., an extension and correction of WordNet 1.7.


Note: in the FT notation, "A < B" means "A is a subtype of B" and "A > B C D" should be read "A has for subtypes B, C and D". By definition, if a type X is a subtype of a type Y, any instance of X (that is, any object of type X) is also an instance of Y. The form "A > {B C D}" means that the subtypes B, C and D are exclusive, that is, they are not allowed to share subtypes.

When the creator of a relation (e.g., a subtype relation) between two types is not made explicit - and in this file, relation creators are rarely made explicit - the creator of the relation is implicitly the same as the creator of the source category. For example, a statement of the form "creator1#type > creator2#type2" should be read: "according to creator1, creator1#type has for subtype creator2#type2".

An informal definition of a category can be put into its annotation (unlike a comment, an annotation is not discarded during parsing and is associated with a particular object). In the FT notation, the form "(^...^)" is used to represent annotations.
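As an added example (not code from the original page, nor from WebKB-2), the following Python parser reads the subset of the notation described above, including the relation clauses with cardinalities such as "object: bridge#RFID_tag [1..*,1..*]" that appear further below, and uses the result to answer subtype queries and to check that exclusive subtypes share no subtype. The sample statements at its end are constructed; the last one (pm#tag_that_is_also_a_reader) is a hypothetical statement added only to show a violation.

```python
import re
from collections import defaultdict
from itertools import combinations

# Added example, not part of the original page or of WebKB-2: a parser for the subset
# of the FT notation used in this file (subtype links, "{...}" exclusive groups, relation
# clauses with cardinalities, "(^...^)" annotations, "//" comments) that answers subtype
# queries and checks the exclusivity constraint of "A > {B C D}".
TOKEN = re.compile(r"\[[^\]]*\]|[{}<>,]|[^\s{}<>,\[\]]+")

def canonical(ident):
    # "creator#X___Y" names one category; "creator#X" alone identifies it
    return ident.split("___")[0]

class Ontology:
    def __init__(self):
        self.subtypes = defaultdict(set)   # type -> its direct subtypes
        self.exclusive_groups = []         # sets of mutually exclusive siblings

    def parse(self, text):
        text = re.sub(r"\(\^.*?\^\)", " ", text, flags=re.S)  # drop annotations
        text = re.sub(r"//[^\n]*", " ", text)                 # drop comments
        for stmt in text.split(";"):
            tokens = TOKEN.findall(stmt)
            if tokens:
                self._statement(tokens)
        return self

    def _statement(self, tokens):
        subject, mode, group = canonical(tokens[0]), None, None
        for tok in tokens[1:]:
            if tok in ("<", ">"):
                mode = tok
            elif tok == "," or tok.startswith("["):
                mode = None        # end of a clause (a "[1..*,1..*]" cardinality ends one too)
            elif tok == "{":
                group = set()
            elif tok == "}":
                self.exclusive_groups.append(group)
                group = None
            elif tok.endswith(":"):
                mode = "rel"       # e.g. "object: bridge#RFID_tag": a relation, not a subtype link
            elif mode in (None, "rel"):
                continue
            elif mode == "<":
                self.subtypes[canonical(tok)].add(subject)
            else:                  # mode == ">"
                sub = canonical(tok)
                self.subtypes[subject].add(sub)
                if group is not None:
                    group.add(sub)

    def descendants(self, t):      # all transitive subtypes of t, t itself excluded
        seen, todo = set(), [t]
        while todo:
            for s in self.subtypes[todo.pop()] - seen:
                seen.add(s)
                todo.append(s)
        return seen

    def is_subtype_of(self, x, y):
        return x == y or x in self.descendants(y)

    def exclusivity_violations(self):
        # (B, C, shared) for exclusive siblings B and C that share a subtype
        found = []
        for group in self.exclusive_groups:
            for b, c in combinations(sorted(group), 2):
                found += [(b, c, s) for s in sorted(self.descendants(b) & self.descendants(c))]
        return found

# Constructed sample: statements from this file plus a last one (not in the file) breaking an exclusive group.
SAMPLE = """
 pm#RFID_related_entity_or_process  < pm#thing_needed_for_some_process,
   > { bridge#RFID_tag  bridge#RFID_reader };
 pm#process_supporting_the_security_of_some_RFID_tag  (^annotation: ignored^)
   object: bridge#RFID_tag [1..*,1..*],  //comment: ignored
   > bridge#process_supporting_authentication_in_some_RFID_tag;
 bridge#process_supporting_authentication_in_some_RFID_tag___id_req_tag_1
   > bridge#process_authenticating_an_RFID_tag___TI6;
 pm#tag_that_is_also_a_reader  < bridge#RFID_tag  bridge#RFID_reader;
"""
```

Running `Ontology().parse(SAMPLE).exclusivity_violations()` reports the hypothetical type placed under both bridge#RFID_tag and bridge#RFID_reader, which the file's "{...}" group forbids.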



Supporting the security of RFID related entities or processes

The only purpose of the representations in this section is to relate the categories of the sections above with those of the following sections, and hence to ease navigation.

 pm#process_supporting_the_security_of_some_RFID_related_entity_or_process
   < pm#process_supporting_the_security_of_a_particular_object,
   > pm#process_supporting_the_security_of_some_RFID_element
     pm#process_supporting_some_security_attribute_in_some_RFID_related_entity_or_process ;


Supporting the security of some RFID element

 pm#RFID_related_entity_or_process  < pm#thing_needed_for_some_process,
   > { bridge#RFID_tag  bridge#RFID_reader  bridge#RFID_related_network  bridge#RFID_related_application};
 
 pm#process_supporting_the_security_of_some_RFID_element
   > {pm#process_supporting_the_security_of_some_RFID_tag
      pm#process_supporting_the_security_of_some_RFID_reader
      pm#process_supporting_the_security_of_some_RFID_related_network
      pm#process_supporting_the_security_of_some_RFID_related_application 
     };

    //Note: in the FT notation, "X relationName: Y [1..*,1..*]" should be read 
    //      "any instance of X has for relationName at least one instance of Y" and
    //      "any instance of Y is the relationName of at least one instance of X".
   pm#process_supporting_the_security_of_some_RFID_tag
     object: bridge#RFID_tag [1..*,1..*],  //object or pm#object
     > bridge#process_supporting_authentication_in_some_RFID_tag
       bridge#process_supporting_the_non-repudiation_of_information_sent_by_some_RFID_tag
       //not applicable: bridge#process_supporting_the_access_control_of_some_RFID_tag
       bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_tag
       bridge#process_supporting_the_confidentiality_of_communication_between_RFID_tag_and_reader
       bridge#process_supporting_the_privacy_of_information_in_some_RFID_tag
       bridge#process_supporting_the_availability_of_access_to_information_in_some_RFID_tag
       bridge#process_supporting_interoperability_from/to_some_RFID_tag;
 
   pm#process_supporting_the_security_of_some_RFID_reader
     object: bridge#RFID_reader [1..*,1..*],
     > bridge#process_supporting_authentication_in_some_RFID_reader
       //not applicable: bridge#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_reader
       bridge#process_supporting_the_access_control_of_some_RFID_reader
       bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_reader
       bridge#process_supporting_the_confidentiality_of_communication_with_a_RFID_reader
       bridge#process_supporting_the_privacy_of_information_in_some_RFID_reader
       //not applicable: bridge#process_supporting_the_availability_of_some_RFID_reader
       bridge#process_supporting_interoperability_from/to_some_RFID_reader;
   
   pm#process_supporting_the_security_of_some_RFID_related_network
     object: bridge#RFID_related_network [1..*,1..*],
     > bridge#process_supporting_authentication_in_some_RFID_related_network
       bridge#process_supporting_the_non-repudiation_of_information_in_some_RFID_related_network
       bridge#process_supporting_the_access_control_of_some_RFID_related_network
       bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_related_network
       bridge#process_supporting_the_confidentiality_of_communication_in_a_RFID_related_network
       bridge#process_supporting_the_privacy_of_information_in_some_RFID_related_network
       bridge#process_supporting_the_availability_of_some_RFID_related_network
       bridge#process_supporting_interoperability_from/to_some_RFID_related_network;
      
    pm#process_supporting_the_security_of_some_RFID_related_application
     object: bridge#RFID_related_application [1..*,1..*],
     > bridge#process_supporting_authentication_in_some_RFID_related_application
       bridge#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_related_application
       bridge#process_supporting_the_access_control_of_some_RFID_related_application
       bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_related_application
       bridge#process_supporting_the_confidentiality_of_communication_between_RFID_related_application_and_network_service
       bridge#process_supporting_the_privacy_of_information_in_some_RFID_related_application
       bridge#process_supporting_the_availability_of_some_RFID_related_application
       bridge#process_supporting_interoperability_from/to_some_RFID_related_application;


Supporting some security attribute of some RFID related entity or process

 pm#process_supporting_some_security_attribute_in_some_RFID_related_entity_or_process
   > {pm#process_supporting_authentication_in_some_RFID_related_entity_or_process
      pm#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_related_entity_or_process
      pm#process_supporting_the_access_control_of_some_RFID_related_entity_or_process
      pm#process_supporting_the_integrity_of_information_in/from_some_RFID_related_entity_or_process
      pm#process_supporting_the_confidentiality_of_communication_with_some_RFID_related_entity_or_process
      pm#process_supporting_the_privacy_of_information_in_some_RFID_related_entity_or_process
      pm#process_supporting_the_availability_of_some_RFID_related_entity_or_process
      pm#process_supporting_interoperability_from/to_some_RFID_related_entity_or_process
     };
  
   pm#process_supporting_authentication_in_some_RFID_related_entity_or_process 
     > bridge#process_supporting_authentication_in_some_RFID_tag
       bridge#process_supporting_authentication_in_some_RFID_reader
       bridge#process_supporting_authentication_in_some_RFID_related_network
       bridge#process_supporting_authentication_in_some_RFID_related_application;
   
   pm#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_related_entity_or_process
     > bridge#process_supporting_the_non-repudiation_of_information_sent_by_some_RFID_tag
       //not applicable: bridge#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_reader
       bridge#process_supporting_the_non-repudiation_of_information_in_some_RFID_related_network
       bridge#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_related_application;
 
   pm#process_supporting_the_access_control_of_some_RFID_related_entity_or_process
     > //not applicable: bridge#process_supporting_the_access_control_of_some_RFID_tag
       bridge#process_supporting_the_access_control_of_some_RFID_reader
       bridge#process_supporting_the_access_control_of_some_RFID_related_network
       bridge#process_supporting_the_access_control_of_some_RFID_related_application;
   
   pm#process_supporting_the_integrity_of_information_in/from_some_RFID_related_entity_or_process
     > bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_tag
       bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_reader
       bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_related_network
       bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_related_application;
   
   pm#process_supporting_the_confidentiality_of_communication_with_some_RFID_related_entity_or_process
     > bridge#process_supporting_the_confidentiality_of_communication_between_RFID_tag_and_reader
       bridge#process_supporting_the_confidentiality_of_communication_with_a_RFID_reader
       bridge#process_supporting_the_confidentiality_of_communication_in_a_RFID_related_network
       bridge#process_supporting_the_confidentiality_of_communication_between_RFID_related_application_and_network_service;
   
   pm#process_supporting_the_privacy_of_information_in_some_RFID_related_entity_or_process
     > bridge#process_supporting_the_privacy_of_information_in_some_RFID_tag
       bridge#process_supporting_the_privacy_of_information_in_some_RFID_reader
       bridge#process_supporting_the_privacy_of_information_in_some_RFID_related_network
       bridge#process_supporting_the_privacy_of_information_in_some_RFID_related_application;
   
   pm#process_supporting_the_availability_of_some_RFID_related_entity_or_process
     > bridge#process_supporting_the_availability_of_access_to_information_in_some_RFID_tag
       //not applicable: bridge#process_supporting_the_availability_of_some_RFID_reader
       bridge#process_supporting_the_availability_of_some_RFID_related_network
       bridge#process_supporting_the_availability_of_some_RFID_related_application;
 
   pm#process_supporting_interoperability_from/to_some_RFID_related_entity_or_process
     > bridge#process_supporting_interoperability_from/to_some_RFID_tag
       bridge#process_supporting_interoperability_from/to_some_RFID_reader
       bridge#process_supporting_interoperability_from/to_some_RFID_related_network
       bridge#process_supporting_interoperability_from/to_some_RFID_related_application;



Supporting the security of RFID tags

A category identifier may include several names separated by "___"; these names are then synonyms. A name may be shared by several categories (that is, it may have several meanings), whereas an identifier has a unique meaning. In a category identifier of the form "creator1#X___Y", "creator1#X" is also an identifier of the same category but "creator1#Y" is not an identifier of this category.
Below, names such as "id_req_tag_1" are requirement names coming from the Security Analysis Report of the Bridge project. All the other names have been invented by "pm" to describe (and permit organizing) the processes described in this report.

 bridge#process_supporting_authentication_in_some_RFID_tag___id_req_tag_1
   > bridge#process_permitting_an_RFID_tag_to_prove_its_identity_to_an_RFID_reader
     bridge#process_permitting_an_RFID_tag_to_ask_its_identity_to_an_RFID_reader___TC2
     bridge#process_preventing_an_RFID_tag_to_be_moved_to_another_product___TI3
     bridge#process_ensuring_that_an_RFID_tag_has_only_one_EPC___TI4
     bridge#process_verifying_an_RFID_tag_after_its_writing___TI5
     bridge#process_authenticating_an_RFID_tag___TI6
     bridge#process_preventing_an_RFID_tag_to_be_cloned___TI7;
 
 bridge#process_supporting_the_non-repudiation_of_information_sent_by_some_RFID_tag___id_req_tag_5
   (^A reader that includes signature functionality must request that a tag signs information sent to it. With the signature, a reader can prove that a specific tag has communicated with it.^);
 
 bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_tag___id_req_tag_7
   (^Tag must be secured against malicious writing of EPC.^)
   > bridge#process_securing_an_RFID_tag_against_the_malicious_writing_of_its_EPC___TI2
     bridge#process_protecting_an_RFID_tag_when_moving_from_closed_to_open_loop___TI8
     bridge#process_protecting_an_RFID_tag_when_moving_from_open_to_closed_loop___TC4;
 
 bridge#process_supporting_the_confidentiality_of_communication_between_RFID_tag_and_reader___id_req_tag_2
   (^Communication between tag and reader must be encrypted for applications that need to prevent eavesdropping of the contact-less channel.^);
 
 bridge#process_supporting_the_privacy_of_information_in_some_RFID_tag___id_req_tag_4
   > bridge#process_permitting_to_disable_an_RFID_tag_when_it_is_not_within_company-influence;

     bridge#process_permitting_to_disable_an_RFID_tag_when_it_is_not_within_company-influence___TC1
       > bridge#process_permitting_to_disable_an_RFID_tag_when_it_is_sold_to_a_final_user___TC3;
 
 bridge#process_supporting_the_availability_of_access_to_information_in_some_RFID_tag___id_req_tag_3___TI1
   (^Tags should not be disabled when product is being used by business process.^);
 
 bridge#process_supporting_interoperability_from/to_some_RFID_tag___id_req_tag_8
   (^The tag must comply with EPC, maybe with temporary IDs, or restrict access to some protected memory only to authenticated readers. This allows secure tags to be applied in standard supply chains while still making secure operation possible (e.g. after POS).^)
   > bridge#process_permitting_a_secure_RFID_tag_to_operate_with_existing_insecure_readers___TO1;
 



Supporting the security of RFID readers

 bridge#process_supporting_authentication_in_some_RFID_reader___id_req_rea_1___RC3
   (^Mechanisms must be in place for an RFID reader to authenticate its identity and function to tags and network components.^);
 
 bridge#process_supporting_the_access_control_of_some_RFID_reader___id_req_rea_6
   (^The reader must implement access control on any interfaces that allow the modification of reader operation or access to internal information.^)
   > bridge#process_forbidding_corrupted_or_fake_readers_to_access_internal_business___RC2;
 
 bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_reader___id_req_rea_7___R12
   (^Injection of data from readers needs to be controlled in order to avoid data corruption with false information.^)
   > bridge#process_permitting_RFID_reader_to_read_and_correctly_transmit_tag_information___RI3
     bridge#process_protecting_companies_internal_systems_from_attacks_by_corrupted_malicious_or_fake_RFID_readers___RI1
     bridge#process_preventing_an_RFID_reader_to_allow_injection_attacks_from_malicious_tag_data___RO3
     bridge#process_preventing_a_compromised_RFID_reader_to_provide_means_to_attack_other_IT_systems___RO2;
 
 bridge#process_supporting_the_confidentiality_of_communication_with_a_RFID_reader___id_req_rea_2
   > bridge#process_permitting_an_RFID_reader_to_identify_in_which_way_the_tag_information_is_encoded_and_to_implement_different_protocols_simultaneously___id_req_rea_2
     bridge#process_forbidding_corrupted_readers_to_eavesdrop_on_tag_events___RC1;
 
 bridge#process_supporting_the_privacy_of_information_in_some_RFID_reader
   > bridge#identification_or_use_by_a_RFID_reader_of_the_right_password_or_shared_secret_for_communications
     bridge#secure_storage_of_the_secret_information_by_a_RFID_reader;
 
     bridge#identification_or_use_by_a_RFID_reader_of_the_right_password_or_shared_secret_for_communications___id_req_rea_4a
     (^The reader must be able to identify which secret should be applied to encoded information. The right password or shared secret should be provided to the right reader with secure communication.^);
 
     bridge#secure_storage_of_the_secret_information_by_a_RFID_reader___id_req_rea_4b
     (^The secret information required to decode the tag must be maintained in a secure memory part of the reader. A secret cannot be disclosed to the wrong application, user or reader owner.^);
 
 bridge#process_supporting_interoperability_from/to_some_RFID_reader
   > bridge#process_supporting_the_compliance_of_some_RFID_reader_with_some_reading_policy
     bridge#process_permitting_a_secure_RFID_reader_to_operate_with_secure_and_insecure_RFID_tags;
 
     bridge#process_supporting_the_compliance_of_some_RFID_reader_with_some_reading_policy___id_req_rea_8a
     (^It is mandatory to provide a mechanism to guarantee that the RFID reader complies with a specific reading policy in support of fair information practice principles.^);
 
     bridge#process_permitting_a_secure_RFID_reader_to_operate_with_secure_and_insecure_RFID_tags___id_req_rea_8b___RO1
     (^A secure reader should be able to operate with secure and insecure RFID tags.^);



Supporting the security of RFID related networks

 bridge#process_supporting_authentication_in_some_RFID_related_network___id_req_net_1
   (^Mutual authentication between the parties which take part in EPC data communication. A large-size, scalable authentication infrastructure must be used.^)
   > bridge#process_authenticating_network_transactions_in_some_RFID_related_network___N17
     bridge#process_authenticating_client_queries_in_some_RFID_related_network___NC2
     bridge#process_ensuring_that_the_origin_of_event_in_an_RFID_related_network_is_provable___NI3;
 
 bridge#process_supporting_the_non-repudiation_of_information_in_some_RFID_related_network___id_req_net_5
   (^Data contributions to the system must be signed in order that individual parties can be held accountable for the quality of the data they provide. There must be accountability for data validity (N19).^);
 
 bridge#process_supporting_the_access_control_of_some_RFID_related_network___id_req_net_6
   (^Information sharers must own the capability to specify the conditions under which they want to share the data. These rules must be managed by sound access control mechanisms.^)
   > bridge#process_using_transport_security_to_complement_EPC_network_component_security___NI8___NC5
     bridge#process_securing_event_collection_in_some_RFID_related_network___NC1
     bridge#process_allowing_companies_to_choose_who_to_trust_with_hosted_data_in_some_RFID_related_network___NC3
     bridge#process_allowing_companies_to_have_withdrawal_and_access_control_over_their_hosted_data_in_some_RFID_related_network___NC4;

 bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_related_network
   > bridge#process_supporting_only_authorized_and_accurate_registration_of_EPC_ISs_in_a_DS 
     bridge#process_supporting_the_visibility_and_up-to_date_nature_of_information_in_some_RFID_related_network
     bridge#process_and_RFID_infrastructure_allowing_effective_anti-counterfeiting_through_multiparty_track_and_trace_information___NI2
     bridge#process_allowing_only_secure_updates_to_prevent_data_corruption_in_RFID_related_network___NI4
     bridge#process_making_trusted_parties_validate_received_data_in_RFID_related_network___NI5
     bridge#process_ensuring_that_network_transactions_are_well_formed___NI6;

     bridge#process_supporting_only_authorized_and_accurate_registration_of_EPC_ISs_in_a_DS___id_req_net_7a 
     (^Only authorized parties must be allowed to register their EPC ISs with a DS, in such a way that parties cannot selfishly inject inaccurate information into the system.^);
 
     bridge#process_supporting_the_visibility_and_up-to_date_nature_of_information_in_some_RFID_related_network___id_req_net_7b 
     (^A client's access rights must let her access 'all' the data she is entitled to. In order to prevent data inconsistency, the information must be up-to-date.^);
 
 bridge#process_supporting_the_confidentiality_of_communication_in_a_RFID_related_network___id_req_net_2
   (^A scalable confidential architecture must be used. The external transactions through the interfaces among discovery services and other parties, i.e., queries and updates, must be confidential in accordance with the security policies, which should set the fields of the DS record to be protected.^);
 
 bridge#process_supporting_the_privacy_of_information_in_some_RFID_related_network
   > bridge#process_supporting_anonymous_data_transactions_in_some_RFID_related_network;
 
     bridge#process_supporting_anonymous_data_transactions_in_some_RFID_related_network___id_req_net_4
     (^A party should not have to disclose its real identity. The EPC network elements must implement access control and authentication mechanisms by which anonymous data transactions can be feasible.^);
 
 bridge#process_supporting_the_availability_of_some_RFID_related_network___id_req_net_3___NI1___NO1
   (^EPCIS systems must be resilient to Internet/local (Distributed) Denial of Service attacks or failure of components, and provide back-up facilities in order to avoid unavailability at any time.^);
 
 bridge#process_supporting_interoperability_from/to_some_RFID_related_network___id_req_net_8___NO2
   (^Network components should be built upon existing standards and frameworks for identity and access control.^);



Supporting the security of RFID related applications

 bridge#process_supporting_authentication_in_some_RFID_related_application___id_req_app_1
   (^Users must own a single credential and must authenticate to the application to which they want to get access.^)
   > bridge#process_detecting_a_RFID_tag_movement_between_products___AI2
     bridge#process_detecting_a_RFID_cloned_tag___AI3
     bridge#process_supporting_authentication_between_partners_before_a_RFID_related_communication_between_companies___AI4___AC1
     bridge#process_allowing_a_company_to_track_and_trace_an_RFID_related_product_in_order_to_verify_its_authenticity___AI5
     bridge#process_or_architecture_ensuring_that_RFID_related_changes_and_access_can_be_traced_back_to_specific_identities___AI6
     bridge#process_recording_EPCs_in_business_transactions___AI7
     bridge#process_supporting_the_validation_and_audit_of_business_transactions___AI8
     bridge#process_ensuring_that_data_is_transferred_only_with_clear_destination_and_usage___AC2
     pm#process_ensuring_that_a_RFID_tag_is_destroyed_when_it_is_disposed_of
     pm#process_hiding_the_way_RFID_tag_identifiers_are_generated_in_a_company
     pm#process_allowing_to_delete_all_information_related_to_a_tag_when_a_tag_is_killed;

 bridge#process_supporting_the_non-repudiation_of_information_sent_or_received_by_some_RFID_related_application___id_req_app_5
   (^The parties which update DS records must be accountable for this fact. Likewise, the parties own the responsibility not to deny having received queries at any time.^);
 
 bridge#process_supporting_the_access_control_of_some_RFID_related_application___id_req_app_6
   (^Employees and application users must own access rights depending on the roles assigned by the valid authority in charge of the EPC application.^);
 
 bridge#process_supporting_the_integrity_of_information_in/from_some_RFID_related_application___id_req_app_7
   (^Privacy concerns of companies and customers must be addressed by assuring the integrity of the relevant data collected. To facilitate a bridge#process_supporting_the_availability_of_some_RFID_related_application, the collected data must fulfill the following features: 1) data collected should be adequate, relevant and not excessive, 2) data should not be kept longer than necessary, 3) companies and customers have the right to know which data about them or their products is stored, 4) data collected should be processed for a specific purpose (e.g. data mining to infer new, unauthorized data shouldn't be permitted or feasible).^)
   > bridge#process_verifying_RFID_related_product_characteristics___AI1
     bridge#process_guaranteeing_the_completeness_of_records___AI9;
 
 bridge#process_supporting_the_confidentiality_of_communication_between_RFID_related_application_and_network_service___id_req_app_2
   (^Interfaces should assure the confidentiality of the data exchanged between the applications and the network services.^);
 
 bridge#process_supporting_the_privacy_of_information_in_some_RFID_related_application___id_req_app_4
   > bridge#process_preventing_anyone_to_know_if_another_use_of_some_RFID_discovery_service_is_made;
 
     bridge#process_preventing_anyone_to_know_if_another_use_of_some_RFID_discovery_service_is_made
     (^The parties interacting with DS should not be able to see from the usage of DS whether or not another party is querying or updating the DS.^);
 
 bridge#process_supporting_the_availability_of_some_RFID_related_application___id_req_app_3
   (^DS must be able to provide a mechanism that prevents users from monopolising the resources.^);
 
 bridge#process_supporting_interoperability_from/to_some_RFID_related_application___id_req_app_8
   (^Even though any new security mechanisms and trust models affect the mechanisms in place and the current applications, and in order to avoid high-cost application migration, interoperability should not only be considered at the intra-organizational level.^);