CEN/TR 16669:2014

SLOVENSKI STANDARD
01-september-2014
Informacijska tehnologija - Vmesnik za izvajanje ISO/IEC 18000-3
Information technology - Device interface to support ISO/IEC 18000-3
Informationstechnik - Geräteschnittstelle zur Unterstützung von ISO/IEC 18000-3 Mode 1
and Mode 3 tags
Technologie de l’information - Interface de prise en charge d’ISO/IEC 18000-3 Mode 1
pour les appareils
Ta slovenski standard je istoveten z: CEN/TR 16669:2014
ICS:
35.020 Informacijska tehnika in Information technology (IT) in
tehnologija na splošno general
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL REPORT
CEN/TR 16669
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
June 2014
ICS 35.240.60
English Version
Information technology - Device interface to support ISO/IEC
18000-3
Technologies de l'information - Interface de prise en charge Informationstechnik - Geräteschnittstelle zur Unterstützung
d'ISO/CEI 18000-3 pour les appareils von ISO/IEC 18000-3 Mode 3 tags

This Technical Report was approved by CEN on 20 January 2014. It has been drawn up by the Technical Committee CEN/TC 225.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 16669:2014 E
worldwide for CEN national Members.

Contents Page
Foreword .4
Introduction .5
1 Scope .6
2 Normative references .6
3 Terms and definitions .6
4 Symbols and Abbreviations .6
5 Executive Summary .7
6 Evaluation privacy protection level of ISO/IEC 18000-3 Mode 3 .7
6.1 General .7
6.2 Technology does not depend on a persistent tag id for air interface communications .8
6.3 Support of standardized access passwords .8
6.3.1 ISO/IEC 18000-3 Mode 3 tags .8
6.3.2 Kill password .9
6.3.3 Access password.9
6.4 Support of the Kill function. .9
6.5 Conclusion .9
7 Industry feedback on the need for the device interface .9
7.1 General .9
7.2 General description of system architecture for Library Management Systems . 10
7.3 Feedback on various quotes to justify the development of a device interface . 11
7.3.1 General . 11
7.3.2 Need for a device interface standard . 11
7.3.3 Migration from old to new technology . 11
7.3.4 Inertia associated with any attempt to standardize the device interface . 12
7.3.5 Additional security features built into the device interface. . 12
7.3.6 Delaying for two years will result in a lost opportunity? . 12
7.3.7 Leaving operators to choose between the technologies . 12
7.3.8 Standardized device interface to be incorporated into the PIA? . 12
7.3.9 Conclusion . 13
8 Industry feedback on features of the device interface as listed in the scope . 13
8.1 General . 13
8.2 Features of the device interface as listed in the scope . 13
8.3 GS1/EPCglobal LLRP and ISO/IEC 24791 . 14
8.4 Conclusion . 15
9 Threats through memory content in library RFID tags . 15
9.1 Analysis . 15
9.2 Conclusion . 15
Annex A (Informative) Industry representatives . 16
A.1 Libraries . 16
A.1.1 KopGroep Bibliotheken . 16
A.1.2 Stadtbibliothek Hannover . 16
A.2 Library RFID System Integrators . 17
A.2.1 Bibliotheca . 17
A.2.2 Nedap . 17
A.3 Providers of ISO/IEC 18000-3 readers . 18
A.3.1 Feig . 18
A.3.2 Tagsys Europe . 18
Bibliography . 19

Foreword
This document (CEN/TR 16669:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC
technologies”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2. The
other deliverables are:
— EN 16570, Information technology — Notification of RFID — The information sign and additional
information to be provided by operators of RFID application systems
— EN 16571, Information technology — RFID privacy impact assessment process
— EN 16656, Information technology - Radio frequency identification for item management - RFID Emblem
(ISO/IEC 29160:2012, modified)
— CEN/TR 16684, Information technology — Notification of RFID — Additional information to be provided
by operators
— CEN/TS 16685, Information technology — Notification of RFID — The information sign to be displayed in
areas where RFID interrogators are deployed
— CEN/TR 16670, Information technology — RFID threat and vulnerability analysis
— CEN/TR 16671, Information technology — Authorisation of mobile phones when used as RFID
interrogators
— CEN/TR 16672, Information technology — Privacy capability features of current RFID technologies
— CEN/TR 16673, Information technology — RFID privacy impact assessment analysis for specific sectors
— CEN/TR 16674, Information technology — Analysis of privacy impact assessment methodologies relevant
to RFID
Introduction
In response to the growing deployment of RFID systems in Europe, the European Commission published in
2007 the Communication COM(2007) 96 ‘RFID in Europe: steps towards a policy framework’. This
Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst
respecting the basic legal framework safeguarding fundamental values such as health, environment, data
protection, privacy and security.
In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the
field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of
2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being
executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete
framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187
020, which was published in May 2011.
Phase 2 is concerned with the execution of the standardisation work programme identified in the first phase.
This Technical Report is related to the development of a Technical Specification to define the device interface
to support ISO/IEC 18000-3 Mode 3 tags.
The proposed Technical Specification on a device interface was intended to support two high frequency air
interface protocols; ISO/IEC 18000-3 mode 1 that has been established and used for 15 years and
ISO/IEC 18000-3 mode 3 that is just emerging. The assumption was that ISO/IEC 18000-3 mode 3 would
offer greater security and that the protection of the privacy would be better served by it. The proposed device
interface is intended as a serious attempt to bring greater control to this highly used air interface protocol. In
addition, by developing a device interface that supports both air interface protocols, there is the potential to
assist in the migration from the older, and (suggested) less secure, technology to a newer and (assumed)
more robust technology. Robustness, in this case, is not only of benefit to the operator of the system but also
to end users who come into daily contact with the technologies.
In the exploration phase to start with the preparations for the Technical Specification the project team
encountered a challenge to translate the specifics of the required device interface features into practical
specifications. First it was not clear why ISO/IEC 18000-3 mode 3 would offer greater security to protect the
privacy of the consumers. Second it was not obvious to which “application” the reader should connect and
how the proposed device interface would contribute to improving the privacy protection of the consumer.
Therefore the project team decided to consult the industry to get their feedback on the proposed standard for
a device interface.
The device interface is aimed at supporting ISO/IEC 18000-3 technology. The Library industry is by far the
largest market for the ISO/IEC 18000-3 tags. Therefore this Technical Report will focus on the value that the
proposed device could offer to improve the protection of the privacy of the consumer of the European Library
Industry.
This Technical Report describes the project team's approach to resolve the challenges. Clause 6 described
the evaluation of the privacy protection level of 18000-3 Mode 3. Clause 7 describes the feedback of the
industry on the need for the device interface. Clause 8 describes the feedback of the industry on features of
the device interface as listed in the scope. Clause 9 points to some potential threats caused by some of the
memory content in library RFID tags. Annex A contains the list of industry representatives wh
...