Special Publication 800-98 Guidelines for Securing Radio Frequency Identification (RFID) Systems Recommendations of the National Institute of Standards and Technology Tom Karygiannis Bernard Eydt Greg Barber Lynn Bunn Ted Phillips NIST Special Publication 800-98 Guidelines for Securing Radio Frequency Identification (RFID) Systems Recommendations of the National Institute of Standards and Technology Tom Karygiannis Bernard Eydt Greg Barber Lynn Bunn Ted Phillips C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of St andards and Technology Gaithersburg, MD 20899-8930 April 2007 US Department of Commerce Carlos M. Gutierrez, Secretary Technology Administration Robert C. Cresanti, Under Secretary of Commerce for Technology National Institute of Standards and Technology William Jeffrey, Director GUIDELINES FOR SECURING RFID SYSTEMS Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at th e National Institute of Standards and Technology (NIST) promotes the US economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities in clude the development of technical, physical, administrative, and management standards and guide lines for the cost-effective security and privacy of sensitive unclassified information in Federal com puter systems. Special Publication 800-series documents report on ITL’s research, guidelines, and outreach efforts in computer security and its collaborative activities with industry, gov ernment, and academic organizations. Certain commercial entities, equipment, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessa rily the best available for the purpose. National Institute of Standards and Technology Special Publication 800-98 Natl. Inst. Stand. Technol. Spec. Publ. 800-98, 154 pages (April 2007) iiGUIDELINES FOR SECURING RFID SYSTEMS iiiAcknowledgments The authors, Tom Karygiannis of NIST, and Bernard Eydt, Greg Barber, Lynn Bunn, and Ted Phillips of Booz Allen Hamilton, wish to thank Steven Fick, Rick Korchak, Kate Remley, Jeff Guerrieri, Dylan Williams, Karen Scarfone, and Tim Grance of NIST, and Kenneth Waldrop and Beth Mallory of Booz Allen Hamilton. These individuals reviewed drafts of this document and cont ributed to its technical content. The authors would also like to express their thanks to several experts for their critical review and feedback on drafts of the publication. These experts include V.C. Kumar of Texas Instruments; Simson Garfinkel of the Naval Postgraduate School; Peter Sa nd of the Department of Homeland Security; Erika McCallister of MITRE; and several professionals s upporting Automatic Identification Technology (AIT) program offices within the Department of Defen se (DoD), especially Nicholas Tsougas, Fred Naigle, Vince Pontani, Jere Engelman, and Kathleen Smith. During the public comment period we received helpful comments from the following Federal Government agencies: the US Departments of Defense, Health and Human Services, Homeland Security, Labor, and State; the Office of the Director of National Intelligence; the Office of Management and Budget; and the General Services Administration. We also received several helpful contributions from commercial industry, including comments from EPCglobal, Veri