James Wiley, director of electronic documents at RFID chip,
tag and
reader maker
Texas Instruments (TI), provided attendees an overview of the best practices his company recommends for the use of RFID in identity documents.
In any identity
authentication system deployed by the government, Wiley explained, "there are two players: the citizen, whose identity is being challenged, and the government, who is working to authenticate the citizen. Both groups have serious and legitimate concerns, and any best practices need to address both groups." He added that "Security need not be attained at the price of privacy or operational efficiency," maintaining that clear rules must be set, pertaining both to the procedural and technological aspects of the identification system.
On the procedural side, Wiley stated, the government must inform each citizen, in advance, about which personally identifiable information is being collected, where this data is being collected, how it is being saved and with whom it is being shared. Citizens must also have a means of correcting inaccurate data linked to them through the identification system, and, whenever possible, their participation in the system should be voluntary.
On the technology side, he said, any RF-enabled identity document, and the reader used to collect data from that document, must each be authenticated by the government agency before any data is transmitted between the card and reader, to ensure both elements are legitimate and authorized. Moreover, all data transmitted via RF signals between a card and reader should be encrypted to protect it from being captured by an unauthorized party.
"RFID encompasses an incredibly wide range of technologies, and there are a lot of different flavors of this stuff," Wiley said, pointing in particular to the differences between the high-frequency cryptographically protected RFID inlays used in many identification and payment systems, and the long-range UHF inlays, incapable of supporting data encryption, that the DHS wants to use in the PASS card. TI manufactures both HF inlays that support data encryption and UHF inlays that do not.
For the benefit of the attendees, Wiley used a prototype PASS card containing an EPC Gen 2 UHF inlay and an off-the-shelf RFID
interrogator to show how simple it is to capture and encode the prototype's identification number onto another EPC inlay. "The attendees were amazed by how quickly and easily the Gen 2 tags could be cloned," says Pattinson.
According to Pattinson, Gemalto and the other companies and groups at the briefing will continue to petition for the establishment of a technology trial in which EPC tags will be tested alongside high-frequency data-encrypted tags and other technologies.
THE WORLD'S RFID AUTHORITY
PREMIUM = Requires Subscription. Learn More
