NIST: Guidelines for Securing RFID Systems (Part One)

On 27 April 2007 the US National Institute of Standards and Technology (NIST) published the final version (NIST SP 800-98) of the "Guidelines for Securing Radio Frequency Identification (RFID) Systems" (PDF, 1.5 MB).
The document analyses the security and privacy risks associated with RFID systems and provides a series of recommendations for protecting the information, including sensitive information, handled by this technology.

Table of contents of the document

  • Executive Summary
  • 1. Introduction
    • 1.1 Authority
    • 1.2 Purpose and Scope
    • 1.3 Document Structure
  • 2. RFID Technology
    • 2.1 Automatic Identification and Data Capture (AIDC) Technology
    • 2.2 RFID System Components
    • 2.3 RF Subsystem
      • 2.3.1 Tag Characteristics
      • 2.3.2 Reader Characteristics
      • 2.3.3 Tag-Reader Communication
    • 2.4 Enterprise Subsystem
      • 2.4.1 Middleware
      • 2.4.2 Analytic Systems
      • 2.4.3 Network Infrastructure
    • 2.5 Inter-Enterprise Subsystem
      • 2.5.1 Open System Networks
      • 2.5.2 Object Naming Service (ONS)
      • 2.5.3 Discovery Service
    • 2.6 Summary
  • 3. RFID Applications and Application Requirements
    • 3.1 RFID Application Types
      • 3.1.1 Asset Management
      • 3.1.2 Tracking
      • 3.1.3 Authenticity Verification
      • 3.1.4 Matching
      • 3.1.5 Process Control
      • 3.1.6 Access Control
      • 3.1.7 Automated Payment
      • 3.1.8 Supply Chain Management
    • 3.2 RFID Information Characteristics
    • 3.3 RFID Transaction Environment
      • 3.3.1 Distance between Reader and Tag
      • 3.3.2 Transaction Speed
      • 3.3.3 Network Connectivity and Data Storage
    • 3.4 The Tag Environment between Transactions
      • 3.4.1 Data Collection Requirements
      • 3.4.2 Human and Environmental Threats to Tag Integrity
    • 3.5 RFID Economics
    • 3.6 Summary
  • 4. RFID Risks
    • 4.1 Risk
    • 4.2 Business Intelligence Risk
    • 4.3 Privacy Risk
    • 4.4 Externality Risk
      • 4.4.1 Hazards of Electromagnetic Radiation
      • 4.4.2 Computer Network Attacks
    • 4.5 Summary
  • 5. RFID Security Controls
    • 5.1 Management Controls
      • 5.1.1 RFID Usage Policy
      • 5.1.2 IT Security Policies
      • 5.1.3 Agreements with External Organizations
      • 5.1.4 Minimizing Sensitive Data Stored on Tags
    • 5.2 Operational Controls
      • 5.2.1 Physical Access Control
      • 5.2.2 Appropriate Placement of Tags and Readers
      • 5.2.3 Secure Disposal of Tags
      • 5.2.4 Operator and Administrator Training
      • 5.2.5 Information Labels / Notice
      • 5.2.6 Separation of Duties
      • 5.2.7 Non-revealing Identifier Formats
      • 5.2.8 Fallback Identification System
    • 5.3 Technical Controls
      • 5.3.1 Authentication and Data Integrity
      • 5.3.2 RF Interface Protection
      • 5.3.3 Tag Data Protection
    • 5.4 Summary
  • 6. RFID Privacy Considerations
    • 6.1 Types of Personal Information
    • 6.2 The Applicability of Privacy Considerations to RFID Systems
    • 6.3 Privacy Principles
    • 6.4 Privacy Requirements for Federal Agencies
      • 6.4.1 Privacy Act of 1974
      • 6.4.2 E-Government Act of 2002
      • 6.4.3 Federal Information Security Management Act (FISMA)
      • 6.4.4 Consolidated Appropriations Act of 2005
      • 6.4.5 Office of Management and Budget (OMB) Privacy Memoranda
    • 6.5 Health Insurance Portability and Accountability Act (HIPAA) of 1996
    • 6.6 Federal CIO Council Privacy Control Families
    • 6.7 Industry Resources Addressing RFID Privacy
    • 6.8 Summary
  • 7. Recommended Practices
  • 8. Case Studies
    • 8.1 Case Study #1: Personnel and Asset Tracking in a Health Care Environment
      • 8.1.1 Phase 1: Initiation
      • 8.1.2 Phase 2: Acquisition/Development
      • 8.1.3 Phase 3: Implementation
      • 8.1.4 Phase 4: Operations/Maintenance
      • 8.1.5 Phase 5: Disposition
      • 8.1.6 Summary and Evaluation
    • 8.2 Case Study #2: Supply Chain Management of Hazardous Materials
      • 8.2.1 Phase 1: Initiation
      • 8.2.2 Phase 2: Acquisition/Development
      • 8.2.3 Phase 3: Implementation
      • 8.2.4 Phase 4: Operations/Maintenance
      • 8.2.5 Phase 5: Disposition
      • 8.2.6 Summary and Evaluation
  • List of Appendices
    • Appendix A: RFID Standards and Security Mechanisms
      • A.1 International Standards
      • A.2 Industry Standards
      • A.3 Security Mechanisms in RFID Standards
      • A.4 Proprietary Designs
    • Appendix B: Glossary
    • Appendix C: Acronyms and Abbreviations
    • Appendix D: Information Resources
    • Appendix E: FCC Exposure Limits
    • Appendix F: Index