ISO IEC TR 24729-4-2009 PDF
Name in English:
St ISO IEC TR 24729-4-2009
Name in Russian:
Ст ISO IEC TR 24729-4-2009
Full title and description
Information technology — Radio frequency identification for item management — Implementation guidelines — Part 4: Tag data security (ISO/IEC TR 24729-4:2009). This technical report gives guidance to system designers on potential threats to the data held on RFID tags and on the tag-to-reader air interface, and recommends countermeasures and best practices to improve tag data security and support data-access privacy in RFID deployments.
Abstract
ISO/IEC TR 24729-4:2009 is a technical report that describes security objectives, a threat taxonomy and risk-assessment approaches for RFID tag data and tag-to-reader communications. It identifies common attacks (e.g., skimming, eavesdropping, spoofing, cloning, tampering, denial of service) and maps appropriate countermeasures (memory locking, passwords, authentication, encryption, cloaking, read-range limiting, true WORM programming and related practices). The report focuses on the tag and the air interface; reader-to-host and back-end enterprise security are outside its scope. Privacy is addressed in general terms as it relates to data-access security on tags.
General information
- Status: Published (Technical Report)
- Publication date: 11 March 2009
- Publisher: ISO and IEC (joint publication by ISO/IEC JTC 1/SC 31)
- ICS / categories: 35.040 - Information coding; 35.040.50 - Automatic identification and data capture techniques
- Edition / version: Edition 1 (2009)
- Number of pages: 20
Scope
The report addresses security for RFID tags and tag-to-reader communications used in item management. It helps designers identify threats to tag-held data, assess risk (probability and impact), and select practical countermeasures appropriate to the application environment. It does not attempt to prescribe enterprise back-end or reader-to-host security architectures, nor does it provide detailed consumer-privacy policy; rather it discusses privacy implications insofar as they relate to tag data access and protection.
Key topics and requirements
- Definitions and security objectives for tag data and the tag-to-reader interface.
- Threat taxonomy: skimming, eavesdropping/sniffing, spoofing, cloning, data tampering, malicious code, denial of service, unauthorized killing, jamming/shielding.
- Risk-assessment methodology to prioritize threats and countermeasures based on context.
- Countermeasures and best practices: memory lock and access control, password protection, authentication schemes, cryptographic protection (where appropriate), limiting read range, cloaking/obfuscation, WORM programming, tag ID verification and “license-plate” approaches.
- Implementation guidance and real-world scenarios illustrating trade-offs (e.g., cost, complexity, interoperability, performance).
- High-level discussion of privacy considerations and how data-access security supports personal privacy.
- Annex material with additional notes on encryption and other technical options for protecting tag data.
Typical use and users
Primary users are RFID system designers, solution architects, integrators and security engineers working in logistics, retail, healthcare, pharmaceuticals, manufacturing and other sectors that deploy item-level RFID. The report is also useful to standards writers, procurement teams evaluating tag security requirements, and privacy officers seeking to understand technical controls at the tag/air-interface level.
Related standards
Related documents and families commonly referenced with this report include other parts of the ISO/IEC TR 24729 series (parts covering RFID-enabled labels/packaging and operational guidance), the ISO/IEC 18000 series (air-interface and air‑protocol definitions, notably ISO/IEC 18000-6 for UHF), cryptography/security-related RFID standards and guidelines (e.g., ISO/IEC work on RFID security), and sector-specific or implementation profiles (for example EPC/RFID specifications and encoding rules). Users will typically consult these alongside TR 24729-4 when specifying or implementing secure RFID solutions.
Keywords
RFID, tag data security, data access security, tag-to-reader, privacy, skimming, eavesdropping, cloning, authentication, encryption, memory lock, UHF, ISO/IEC 18000, implementation guidelines.
FAQ
Q: What is this standard?
A: ISO/IEC TR 24729-4:2009 is a technical report providing implementation guidance on tag data security for RFID systems used in item management.
Q: What does it cover?
A: It covers threat identification, risk assessment, and recommended countermeasures focused on RFID tags and the tag-to-reader air interface; it does not prescribe reader-to-host or back-end enterprise security architectures and addresses consumer privacy only in relation to tag data-access controls.
Q: Who typically uses it?
A: RFID system designers, integrators, security engineers, solution architects, procurement teams and standards developers working in supply chain, retail, healthcare and other industries that deploy RFID item-management solutions.
Q: Is it current or superseded?
A: The document is a published technical report first issued in March 2009 (Edition 1). Users should check the latest catalogues of ISO/IEC or national standards bodies for any updates, confirmations or superseding work before relying on it for new procurements or compliance activities.
Q: Is it part of a series?
A: Yes — it is Part 4 of the ISO/IEC TR 24729 series of implementation guidelines for RFID in item management; other parts of the series cover labels/packaging, recycling/tag considerations and operational guidance for interrogator systems.
Q: What are the key keywords?
A: RFID, tag data security, data access security, skimming, eavesdropping, cloning, authentication, encryption, privacy, UHF, ISO/IEC 18000.