Information technology — Automatic identification and data capture techniques — Part 19: Crypto suite RAMON security services for air interface communications

This document defines the Rabin-Montgomery (RAMON) crypto suite for the ISO/IEC 18000 series of air interfaces standards for radio frequency identification (RFID) devices. Its purpose is to provide a common crypto suite for security for RFID devices that can be referred to by ISO/IEC for air interface standards and application standards. This document specifies a crypto suite for Rabin-Montgomery (RAMON) for air interface for RFID systems. The crypto suite is defined in alignment with existing air interfaces. This document defines various authentication methods and methods of use for the cipher. A Tag and an Interrogator can support one, a subset, or all of the specified options, clearly stating what is supported.

Technologies de l'information — Techniques automatiques d'identification et de capture de données — Partie 19: Services de sécurité par suite cryptographique RAMON pour communications par interface radio

General Information

Status
Published
Publication Date
25-Jun-2019
Current Stage
6060 - International Standard published
Due Date
04-Aug-2021
Completion Date
26-Jun-2019
Ref Project

Relations

Buy Standard

Standard
ISO/IEC 29167-19:2019 - Information technology -- Automatic identification and data capture techniques
English language
76 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

INTERNATIONAL ISO/IEC
STANDARD 29167-19
Second edition
2019-06
Information technology — Automatic
identification and data capture
techniques —
Part 19:
Crypto suite RAMON security services
for air interface communications
Technologies de l'information — Techniques automatiques
d'identification et de capture de données —
Partie 19: Services de sécurité par suite cryptographique RAMON
pour communications par interface radio
Reference number
ISO/IEC 29167-19:2019(E)
©
ISO/IEC 2019

---------------------- Page: 1 ----------------------
ISO/IEC 29167-19:2019(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 29167-19:2019(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Conformance . 2
4.1 Claiming conformance . 2
4.2 Interrogator conformance and obligations . 2
4.3 Tag conformance and obligations . 2
5 Symbols and abbreviated terms . 3
5.1 Symbols . 3
5.2 Abbreviated terms . 3
5.3 Notation . 4
6 Crypto suite introduction . 5
6.1 Overview . 5
6.2 Authentication protocols . 6
6.2.1 Tag identification . 6
6.2.2 Symmetric mutual authentication . 7
6.3 Send sequence counter . 8
6.4 Session key derivation . 9
6.4.1 General. 9
6.4.2 KDF in counter mode . 9
6.4.3 Key derivation scheme .10
6.5 IID, SID, used keys and their personalization .11
6.6 Key table .13
7 Parameter definitions .14
8 State diagrams.14
8.1 General .14
8.2 State diagram and transitions for Tag identification .15
8.2.1 General.15
8.2.2 Partial result mode . .15
8.2.3 Complete result mode .16
8.3 State diagram and transitions for mutual authentication .17
8.3.1 General.17
8.3.2 Partial result mode . .17
8.3.3 Complete result mode .18
8.3.4 Combination of complete and partial result mode . .19
9 Initialization and resetting .20
10 Identification and authentication.20
10.1 Tag identification .20
10.1.1 General.20
10.1.2 Partial result mode . .20
10.1.3 Complete result mode .20
10.2 Mutual authentication .21
10.2.1 General.21
10.2.2 Partial result mode . .21
10.2.3 Complete result mode .22
10.3 The Authenticate command.23
10.3.1 General.23
10.3.2 Message formats for Tag identification .23
© ISO/IEC 2019 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 29167-19:2019(E)

10.3.3 Message formats for Mutual Authentication .24
10.4 Authentication response .25
10.4.1 General.25
10.4.2 Response formats for Tag identification .25
10.4.3 Response formats for mutual authentication .26
10.4.4 Authentication error response .28
10.5 Determination of result modes .29
11 Secure communication .30
11.1 General .30
11.2 Secure communication command .30
11.3 Secure Communication response .31
11.3.1 General.31
11.3.2 Secure communication error response .31
11.4 Encoding of Read and Write commands for secure communication .31
11.5 Application of secure messaging primitives .32
11.5.1 General.32
11.5.2 Secure Communication command messages .33
11.5.3 Secure Communication response messages .34
11.5.4 Explanation of cipher block chaining mode .37
11.6 Padding for Symmetric Encryption .38
Annex A (informative) State transition tables .39
Annex B (informative) Error codes and error handling .42
Annex C (normative) Cipher description .43
Annex D (informative) Test vectors .53
Annex E (informative) Protocol specifics .56
Annex F (informative) Non-traceable and integrity-protected Tag identification .64
Annex G (normative) Description of the TLV record .67
Annex H (informative) Memory Organization for Secure UHF Tags .72
Bibliography .76
iv © ISO/IEC 2019 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 29167-19:2019(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents) or the IEC
list of patent declarations received (see http: //patents .iec .ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 31, Automatic identification and data capture.
This second edition cancels and replaces the first edition (ISO/IEC 29167-19:2016), which has been
technically revised.
The main changes compared to the previous edition are as follows:
— It was thought that the fixed RAMON key length (KE) of 1 024 bits for tag authentication, defined
in the first edition of this document, would maybe not be sufficient for all future uses. The method
proposed in this edition allows extending the length of the cryptographic RAMON key by discrete
steps of 128 bits. Beyond the previously defined key length of 1 024 bits, key lengths of 1 152, 1 280,
1 408, 1 536, 1 664 bits and beyond become feasible. The current method does not limit the possible
key length in any way. The key length only is limited by the ability to send the cryptographic
authentication response, which is of equal length to the cryptographic key, back to the interrogator.
Allowing extended key length makes sure that the RAMON encryption is future-proofed and
security can be improved as needed.
— To support different key lengths in a generic approach, the mix function has been revised.
— To improve the readability and consistency of this document, the specification of the cipher and the
description of the TLV record have been separated into independent subclauses.
— A new TLV-Structure, supporting data identifiers according to ASC MH 10, was added.
A list of all parts in the ISO 29167 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
© ISO/IEC 2019 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC 29167-19:2019(E)

Introduction
This document specifies the security services of a Rabin-Montgomery (RAMON) crypto suite. It is
important to know that all security services are optional. The crypto suite provides Tag authentication
security service.
The International Organization for Standardization (ISO) and International Electrotechnical
Commission (IEC) draw attention to the fact that it is claimed that compliance with this International
Standard may involve the use of patents concerning radio-frequency identification technology given in
the clauses identified below.
ISO and IEC take no position concerning the evidence, validity and scope of these patent rights. The
holders of these patent rights have ensured the ISO and IEC that they are willing to negotiate licences
under reasonable and non-discriminatory terms and conditions with applicants throughout the world.
In this respect, the statements of the holders of these patent rights are registered with ISO and IEC.
Information on the declared patents may be obtained from:
NXP B.V.
411 East Plumeria
San Jose
CA-95134 1924
USA
Impinj, Inc.
400 Fairview Ave N, # 1200
Seattle, WA 98109
USA
Giesecke & Devrient GmbH
Prinzregentenstrasse 159
D-81607 Munich
Germany
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying
any or all such patent rights.
vi © ISO/IEC 2019 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 29167-19:2019(E)
Information technology — Automatic identification and
data capture techniques —
Part 19:
Crypto suite RAMON security services for air interface
communications
1 Scope
This document defines the Rabin-Montgomery (RAMON) crypto suite for the ISO/IEC 18000 series of
air interfaces standards for radio frequency identification (RFID) devices. Its purpose is to provide a
common crypto suite for security for RFID devices that can be referred to by ISO/IEC for air interface
standards and application standards.
This document specifies a crypto suite for Rabin-Montgomery (RAMON) for air interface for RFID
systems. The crypto suite is defined in alignment with existing air interfaces.
This document defines various authentication methods and methods of use for the cipher. A Tag and an
Interrogator can support one, a subset, or all of the specified options, clearly stating what is supported.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 8825-1, Information technology — ASN.1 encoding rules: Specification of Basic Encoding Rules
(BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) — Part 1
ISO/IEC 15962:2013, Information technology — Radio frequency identification (RFID) for item
management — Data protocol: data encoding rules and logical memory functions
ISO/IEC 18000-3, Information technology — Radio frequency identification for item management —
Part 3: Parameters for air interface communications at 13,56 MHz
ISO/IEC 18000-4, Information technology — Radio frequency identification for item management —
Part 4: Parameters for air interface communications at 2,45 GHz
ISO/IEC 18000-63:2015, Information technology — Radio frequency identification for item management —
Part 63: Parameters for air interface communications at 860 MHz to 960 MHz Type C
ISO/IEC 19762, Information technology — Automatic identification and data capture (AIDC) techniques —
Harmonized vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 19762 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
© ISO/IEC 2019 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC 29167-19:2019(E)

— IEC Electropedia: available at http: //www .electropedia .org/
3.1
authentication
service that is used to establish the origin of information
3.2
confidentiality
property whereby information is not disclosed to unauthorized parties
3.3
integrity
property whereby data have not been altered in an unauthorized manner since they were created,
transmitted or stored
3.4
non-traceability
protection ensuring that an unauthorized interrogator is not able to track the tag location by using the
information sent in the tag response
3.5
secure communication
communication between the tag and the interrogator by use of the Authenticate command, assuring
authenticity, integrity (3.3) and confidentiality (3.2) of exchanged messages
4 Conformance
4.1 Claiming conformance
An Interrogator or Tag shall comply with all relevant clauses of this document, except those marked as
“optional”.
4.2 Interrogator conformance and obligations
An Interrogator shall implement the mandatory commands defined in this document and conform to
ISO/IEC 18000-3, ISO/IEC 18000-4 or ISO/IEC 18000-63, as relevant.
An Interrogator may implement any subset of the optional commands defined in this document.
The Interrogator shall not
— implement any command that conflicts with this document, or
— require the use of an optional, proprietary or custom command to meet the requirements of this
document.
4.3 Tag conformance and obligations
A Tag shall implement the mandatory commands defined in this document for the supported types and
conform to ISO/IEC 18000-3, ISO/IEC 18000-4 or ISO/IEC 18000-63, as relevant
A Tag may implement any subset of the optional commands defined in this document.
A Tag shall not
— implement any command that conflicts with this document, or
— require the use of an optional, proprietary or custom command to meet the requirements of this
document.
2 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 29167-19:2019(E)

5 Symbols and abbreviated terms
5.1 Symbols
xx binary notation
2
xxh hexadecimal notation
|| concatenation of syntax elements in the order written
5.2 Abbreviated terms
AES Advanced encryption standard
CBC Cipher block chaining
CH Challenge
CH , CH Interrogator random challenge, 16 bytes
I1 I2
CH Tag random challenge, 16 bytes
T
CG Cryptogram
CMAC Ciphered message authentication code
CRC Cyclic redundancy check
CRC–16 16-bit CRC
CS Crypto suite
CSI Crypto suite identifier
DEC(key, data) AES decryption of enciphered “data” with secret “key”
ENC(key, data) AES encryption of plain “data” with secret “key”
EPC™ Electronic product code
IID Interrogator identifier, 8 bytes
IV Initialization vector for CBC-encryption, 16 bytes
KDF Key derivation function
k Bit length of public RAMON key K and private key K
E D
k shall be divisible by 128 and ≥1 024.
K Public key for encryption stored on Tag
E
K Private decryption key stored on Interrogator
D
K Public signature verification key stored on Interrogator
V
K Private signature generation key stored in the tag issuer facility
S
K Shared secret message encryption key
ENC
K Shared secret message authentication key
MAC
© ISO/IEC 2019 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO/IEC 29167-19:2019(E)

KESel Key select (determines which K will be used)
E
KSel Key select (determines which pair of K , K will be used)
ENC MAC
MAC(key, data) Calculation of a MAC of (enciphered) “data”’ with secret “key”; internal state of
the tag's state machine
MAMx,y Mutual authentication method x.y
MCV MAC chaining value
MIX(CH, RN, SID) RAMON mix function
PRF Pseudorandom function
R Tag response
RAMON Rabin-Montgomery
RFU Reserved for future use
RM_ENC(key, data) RAMON encryption of plain “data” with public “key”
RM_DEC(key, data) RAMON decryption of enciphered “data” with private “key”
RN Random number
RNT Random number generated by the tag, 16 bytes
S Message encryption session key
ENC
S Message authentication session key
MAC
SID Secret IDentifier, 8 bytes, identifying the tag
SSC Send sequence counter for replay protection, 16 bytes
TAMx,y Tag authentication method x.y; internal state of the tag's state machine
TLV Tag length value
UHF Ultra high frequency
UII Unique item identifier
WORM Write once, read many
5.3 Notation
This document uses the notation of ISO/IEC 18000-63.
The following notation for key derivation corresponds to Reference [7].
PRF(s,x) A pseudo-random function with seed s and input data x.
K Key derivation key used as input to the KDF to derive keying material. K is used as the
I I
block cipher key, and the other input data are used as the message defined in
Reference [9].
K Keying material output from a key derivation function, a binary string of the required
O
length, which is derived using a key derivation key.
4 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC 29167-19:2019(E)

Label A string that identifies the purpose for the derived keying material, which is encoded as a
binary string.
Context A binary string containing the information related to the derived keying material. It may
include identities of parties who are deriving and/or using the derived keying material
and, optionally, a nonce known by the parties who derive the keys.
L An integer specifying the length (in bits) of the derived keying material K . L is repre-
O
sented as a binary string when it is an input to a key derivation function. The length of
the binary string is specified by the encoding method for the input data.
h An integer that indicates the length (in bits) of the output of the PRF.
i A counter that is input to each iteration of the PRF.
r An integer, sm
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.