ISO/IEC 29167-19:2019

INTERNATIONAL ISO/IEC
STANDARD 29167-19
Second edition
2019-06
Information technology — Automatic
identification and data capture
techniques —
Part 19:
Crypto suite RAMON security services
for air interface communications
Technologies de l'information — Techniques automatiques
d'identification et de capture de données —
Partie 19: Services de sécurité par suite cryptographique RAMON
pour communications par interface radio
Reference number
©
ISO/IEC 2019
© ISO/IEC 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Conformance . 2
4.1 Claiming conformance . 2
4.2 Interrogator conformance and obligations . 2
4.3 Tag conformance and obligations . 2
5 Symbols and abbreviated terms . 3
5.1 Symbols . 3
5.2 Abbreviated terms . 3
5.3 Notation . 4
6 Crypto suite introduction . 5
6.1 Overview . 5
6.2 Authentication protocols . 6
6.2.1 Tag identification . 6
6.2.2 Symmetric mutual authentication . 7
6.3 Send sequence counter . 8
6.4 Session key derivation . 9
6.4.1 General. 9
6.4.2 KDF in counter mode . 9
6.4.3 Key derivation scheme .10
6.5 IID, SID, used keys and their personalization .11
6.6 Key table .13
7 Parameter definitions .14
8 State diagrams.14
8.1 General .14
8.2 State diagram and transitions for Tag identification .15
8.2.1 General.15
8.2.2 Partial result mode . .15
8.2.3 Complete result mode .16
8.3 State diagram and transitions for mutual authentication .17
8.3.1 General.17
8.3.2 Partial result mode . .17
8.3.3 Complete result mode .18
8.3.4 Combination of complete and partial result mode . .19
9 Initialization and resetting .20
10 Identification and authentication.20
10.1 Tag identification .20
10.1.1 General.20
10.1.2 Partial result mode . .20
10.1.3 Complete result mode .20
10.2 Mutual authentication .21
10.2.1 General.21
10.2.2 Partial result mode . .21
10.2.3 Complete result mode .22
10.3 The Authenticate command.23
10.3.1 General.23
10.3.2 Message formats for Tag identification .23
© ISO/IEC 2019 – All rights reserved iii

10.3.3 Message formats for Mutual Authentication .24
10.4 Authentication response .25
10.4.1 General.25
10.4.2 Response formats for Tag identification .25
10.4.3 Response formats for mutual authentication .26
10.4.4 Authentication error response .28
10.5 Determination of result modes .29
11 Secure communication .30
11.1 General .30
11.2 Secure communication command .30
11.3 Secure Communication response .31
11.3.1 General.31
11.3.2 Secure communication error response .31
11.4 Encoding of Read and Write commands for secure communication .31
11.5 Application of secure messaging primitives .32
11.5.1 General.32
11.5.2 Secure Communication command messages .33
11.5.3 Secure Communication response messages .34
11.5.4 Explanation of cipher block chaining mode .37
11.6 Padding for Symmetric Encryption .38
Annex A (informative) State transition tables .39
Annex B (informative) Error codes and error handling .42
Annex C (normative) Cipher description .43
Annex D (informative) Test vectors .53
Annex E (informative) Protocol specifics .56
Annex F (informative) Non-traceable and integrity-protected Tag identification .64
Annex G (normative) Description of the TLV record .67
Annex H (informative) Memory Organization for Secure UHF Tags .72
Bibliography .76
iv © ISO/IEC 2019 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents) or the IEC
list of patent declarations received (see http: //patents .iec .ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 31, Automatic identification and data capture.
This second edition cancels and replaces the first edition (ISO/IEC 29167-19:2016), which has been
technically revised.
The main changes compared to the previous edition are as follows:
— It was thought that the fixed RAMON key length (KE) of 1 024 bits for tag authentication, defined
in the first edition of this document, would maybe not be sufficient for all future uses. The method
proposed in this edition allows extending the length of the cryptographic RAMON key by discrete
steps of 128 bits. Beyond the previously defined key length of 1 024 bits, key lengths of 1 152, 1 280,
1 408, 1 536, 1 664 bits and beyond become feasible. The current method does not limit the possible
key length in any way. The key length only is limited by the ability to send the cryptographic
authentication response, which is of equal length to the cryptographic key, back to the interrogator.
Allowing extended key length makes sure that the RAMON encryption is future-proofed and
security can be improved as needed.
— To support different key lengths in a generic approach, the mix function has been revised.
— To improve the readability and consistency of this document, the specification of the cipher and the
description of the TLV record have been separated into independent subclauses.
— A new TLV-Structure, supporting data identifiers according to ASC MH 10, was added.
A list of all parts in the ISO 29167 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
© ISO/IEC 2019 – All rights reserved v

Introduction
This document specifies the security services of a Rabin-Montgomery (RAMON) crypto suite. It is
important to know that all security services are optional. The crypto suite provides Tag authentication
security service.
The International Organization for Standardization (ISO) and International Electrotechnical
Commission (IEC) draw attention to the fact that it is claimed that compliance with this International
Standard may involve the use of patents concerning radio-frequency identification technology given in
the clauses identified below.
ISO and IEC take no position concerning the evidence, validity and scope of these patent rights. The
holders of these patent rights have ensured the ISO and IEC that they are willing to negotiate licences
under reasonable and non-discriminatory terms and conditions with applicants throughout the world.
In this respect, the statements of the holders of these patent rights are registered with ISO and IEC.
Information on the declared patents may be obtained from:
NXP B.V.
411 East Plumeria
San Jose
CA-95134 1924
USA
Impinj, Inc.
400 Fairview Ave N, # 1200
Seattle, WA 98109
USA
Giesecke & Devrient GmbH
Prinzregentenstrasse 159
D-81607 Munich
Germany
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying
any or all such patent rights.
vi © ISO/IEC 2019 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 29167-19:2019(E)
Information technology — Automatic identification and
data capture techniques —
Part 19:
Crypto suite RAMON security services for air interface
communications
1 Scope
This document defines the Rabin-Montgomery (RAMON) crypto suite for the ISO/IEC 18000 series of
air interfaces standards for radio frequency identification (RFID) devices. Its purpose is to provide a
common crypto suite for security for RFID devices that can be referred to by ISO/IEC for air interface
standards and application standards.
This document specifies a crypto suite for Rabin-Montgomery (RAMON) for air interface for RFID
systems. The crypto suite is defined in alignment with existing air interfaces.
This document defines various authentication methods and methods of use for the cipher. A Tag and an
Interrogator can support one, a subset, or all of the specified options, clearly stating what is supported.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 8825-1, Information technology — ASN.1 encoding rules: Specification of Basic Encoding Rules
(BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) — Part 1
ISO/IEC 15962:2013, Information technology — Radio frequency identification (RFID) for item
management — Data protocol: data encoding rules and logical memory functions
ISO/IEC 18000-3, Information technology — Radio frequency identification for item management —
Part 3: Parameters for air interface communications at 13,56 MHz
ISO/IEC 18000-4, Information technology — Radio frequency identification for item management —
Part 4: Parameters for air interface communications at 2,45 GHz
ISO/IEC 18000-63:2015, Information technology — Radio frequency identification for item management —
Part 63: Parameters for air interface communications at 860 MHz to 960 MHz Type C
ISO/IEC 19762, Information technology — Automatic identification and data capture (AIDC) techniques —
Harmonized vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 19762 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
© ISO/IEC 2019 – All rights reserved 1

— IEC Electropedia: available at http: //www .electropedia .org/
3.1
authentication
service that is used to establish the origin of information
3.2
confidentiality
property whereby information is not disclosed to unauthorized parties
3.3
integrity
property whereby data have not been altered in an unauthorized manner since they were created,
transmitted or stored
3.4
non-traceability
protection ensuring that an unauthorized interrogator is not able to track the tag location by using the
information sent in the tag response
3.5
secure communication
communication between the tag and the interrogator by use of the Authenticate command, assuring
authenticity, integrity (3.3) and confidentiality (3.2) of exchanged messages
4 Conformance
4.1 Claiming conformance
An Interrogator or Tag shall comply with all relevant clauses of this document, except those marked as
“optional”.
4.2 Interrogator conformance and obligations
An Interrogator shall implement the mandatory commands defined in this document and conform to
ISO/IEC 18000-3, ISO/IEC 18000-4 or ISO/IEC 18000-63, as relevant.
An Interrogator may implement any subset of the optional commands defined in this document.
The Interrogator shall not
— implement any command that conflicts with this document, or
— require the use of an optional, proprietary or custom command to meet the requirements of this
document.
4.3 Tag conformance and obligations
A Tag shall implement the mandatory commands defined in this document for the supported types and
conform to ISO/IEC 18000-3, ISO/IEC 18000-4 or ISO/IEC 18000-63, as relevant
A Tag may implement any subset of the optional commands defined in this document.
A Tag shall not
— implement any command that conflicts with this document, or
— require the use of an optional, proprietary or custom command to meet the requirements of this
document.
2 © ISO/IEC 2019 – All rights reserved

5 Symbols and abbreviated terms
5.1 Symbols
xx binary notation
xxh hexadecimal notation
|| concatenation of syntax elements in the order written
5.2 Abbreviated terms
AES Advanced encryption standard
CBC Cipher block chaining
CH Challenge
CH , CH Interrogator random challenge, 16 bytes
I1 I2
CH Tag random challenge, 16 bytes
T
CG Cryptogram
CMAC Ciphered message authentication code
CRC Cyclic redundancy check
CRC–16 16-bit CRC
CS Crypto suite
CSI Crypto suite identifier
DEC(key, data) AES decryption of enciphered “data” with secret “key”
ENC(key, data) AES encryption of plain “data” with secret “key”
EPC™ Electronic product code
IID Interrogator identifier, 8 bytes
IV Initialization vector for CBC-encryption, 16 bytes
KDF Key derivation function
k Bit length of public RAMON key K and private key K
E D
k shall be divisible by 128 and ≥1 024.
K Public key for encryption stored on Tag
E
K Private decryption key stored on Interrogator
D
K Public signature verification key stored on Interrogator
V
K Private signature generation key stored in the tag issuer facility
S
K Shared secret message encryption key
ENC
K Shared secret message authentication key
MAC
© ISO/IEC 2019 – All rights reserved 3

KESel Key select (determines which K will be used)
E
KSel Key select (determines which pair of K , K will be used)
ENC MAC
MAC(key, data) Calculation of a MAC of (enciphered) “data”’ with secret “key”; internal state of
the tag's state machine
MAMx,y Mutual authentication method x.y
MCV MAC chaining value
MIX(CH, RN, SID) RAMON mix function
PRF Pseudorandom function
R Tag response
RAMON Rabin-Montgomery
RFU Reserved for future use
RM_ENC(key, data) RAMON encryption of plain “data” with public “key”
RM_DEC(key, data) RAMON decryption of enciphered “data” with private “key”
RN Random number
RNT Random number generated by the tag, 16 bytes
S Message encryption session key
ENC
S Message authentication session key
MAC
SID Secret IDentifier, 8 bytes, identifying the tag
SSC Send sequence counter for replay protection, 16 bytes
TAMx,y Tag authentication method x.y; internal state of the tag's state machine
TLV Tag length value
UHF Ultra high frequency
UII Unique item identifier
WORM Write once, read many
5.3 Notation
This document uses the notation of ISO/IEC 18000-63.
The following notation for key derivation corresponds to Reference [7].
PRF(s,x) A pseudo-random function with seed s and input data x.
K Key derivation key used as input to the KDF to derive keying material. K is used as the
I I
block cipher key, and the other input data are used as the message defined in
Reference [9].
K Keying material output from a key derivation function, a binary string of the required
O
length, which is derived using a key derivation key.
4 © ISO/IEC 2019 – All rights reserved

Label A string that identifies the purpose for the derived keying material, which is encoded as a
binary string.
Context A binary string containing the information related to the derived keying material. It may
include identities of parties who are deriving and/or using the derived keying material
and, optionally, a nonce known by the parties who derive the keys.
L An integer specifying the length (in bits) of the derived keying material K . L is repre-
O
sented as a binary string when it is an input to a key derivation function. The length of
the binary string is specified by the encoding method for the input data.
h An integer that indicates the length (in bits) of the output of the PRF.
i A counter that is input to each iteration of the PRF.
r An integer, smaller or equal to 32, that indicates the length of the binary representation
of the counter i. in bits.
00h An all zero byte. An optional data field used to indicate a separation of different variable
length data fields.
The smallest integer that is larger than or equal to X. The ceiling of X.
 
X
 
 
{X} Indicates that data X is an optional input to the key derivation function.
[T] An integer T represented as a binary string (denoted by “2”) with a length specified by
the function, an algorithm, or a protocol which uses T as an input.
∅ The empty binary string.
6 Crypto suite introduction
6.1 Overview
The RAMON crypto suite permits two levels of implementation. The first level provides secure
identification and tag authentication, while the second level extends the functionality by mutual
authentication to securely communicate between Interrogator and Tag, e.g. for secure reading and
writing non-volatile memory.
Basic RAMON Tags can provide only the first level of implementation, while more sophisticated Tags
also provide the second level. See Figure 1 for the different implementation levels for the RAMON
crypto suite.
© ISO/IEC 2019 – All rights reserved 5

Figure 1 — Overview of the different implementation levels for the RAMON crypto suite
6.2 Authentication protocols
6.2.1 Tag identification
The Rabin-Montgomery crypto suite provides non-traceable and confidential Tag identification.
Confidentiality and privacy for the Tag’s identifier are provided without requiring the Tag to store a
private key.
[14]
The crypto suite is based on the asymmetric cryptosystem developed by Michael O. Rabin . The
[11]
original algorithm is augmented by a method detected by Peter Montgomery , which avoids the
division of long numbers in modular arithmetic. The advantage of combining Rabin encryption with the
concept of Montgomery multiplication is related to the fact that no “costly” division is required.
The Tag performs only public key operations. The Interrogator performs the “expensive” private
key operation. The steps necessary to carry out RAMON are outlined in Table 1. RAMON encryption
performed by the Tag and decryption shall be performed by the Interrogator as specified in C.3 and C.4.
The cryptographic keys are specified in 6.6. A test example for the RAMON encryption with a 1 024-bit
public encryption-key K is defined in Annex D.
E
Annex G details the structure of the clear text record, the TLV record, used for authentication of the
Tag, comprising the Tag identity record and random data originating in part from the Tag and from the
Interrogator for the other part. The TLV record shall be structured in accordance with Annex G.
6 © ISO/IEC 2019 – All rights reserved

Table 1 — Protocol steps for Tag identification
Interrogator Tag
(K , K ) (SID, K )
D V E
Generate random challenge CH and send it to (CH )
I1 I1
the Tag. → Generate random number RN .
T
Generate response cryptogram:
(R) R = RM_ENC(K , MIX(CH , RN , TLV record)).
E I1 T
Decrypt Tag response and apply the inverse of ←
the MIX function to get the plaintext P:
−1
P = MIX (RM_DEC (K , R)).
D
Obtain CH , RN and SID from plaintext P.
I1 T
Compare previously generated Interrogator
challenge with the value received from Tag. If
successful, Tag is identified.
If a signature is provided along with the SID,
use K to validate the signature. If successful,
V
Tag is authenticated.
6.2.2 Symmetric mutual authentication
This crypto suite allows combining the Rabin-Montgomery scheme for Tag identification with
symmetric mutual authentication. The mutual authentication specified by this crypto suite is based on
AES, according to Reference [12]. The CBC mode for encryption is specified in Reference [8]. For MAC
generation, CMAC according to Reference [9] is used. For derivation of secure messaging keys, the KDF
in counter mode specified in 5.1 of Reference [7] is used.
The protocol steps for mutual authentication are outlined in Table 2.
Table 2 — Protocol steps for mutual authentication
Interrogator Tag
Phase
(IID, Database, K , K ) (SID, K , K , K )
D V E ENC MAC
(1) Tag Generate random challenge CH and send it (CH ) Generate random number RN .
I1 I1 T
Identification to the Tag. → Generate response:
(R) R = RM_ENC(K , MIX(CH , RN ,
E I1 T
Decrypt Tag response and apply the ← TLV record, '00' byte)).
inverse of the MIX function to get the plain-
text P:
−1
P = MIX [RM_DEC (K , R)].
D
Obtain CH , RN and SID from plaintext P.
I1 T
Compare previously generated Interrogator
challenge with the value received from Tag.
If successful, Tag is identified.
If a signature is provided along with the SID,
use K to validate the signature. If success-
V
ful, Tag is authenticated.
Set CH = RN .
T T
The Interrogator has successfully identified (and authenticated) the Tag.
In the following phase, CH and SID are used in the mutual authentication.
T
© ISO/IEC 2019 – All rights reserved 7

Table 2 (continued)
Interrogator Tag
Phase
(IID, Database, K , K ) (SID, K , K , K )
D V E ENC MAC
(2) Mutual Generate CH .
I2
Authentication
Generate cryptogram:
S = CH || IID || CH || SID;
I2 T
C = ENC (K , S);
ENC
M = MAC (K , C);
MAC
CG = C || M. (CG ) Decrypt and verify the cryptogram:
I I
→ MAC (K , C);
MAC
DEC (K , C).
ENC
Verify CH and SID. If equal, gener-
T
ate Session Keys S , S .
ENC MAC
Initialize SSC.
Generate Tag cryptogram:
S = CH || SID || CH || IID;
T I2
C = ENC (K , S);
ENC
M = MAC (K , C);
MAC
CG = C || M
T
Verify the cryptogram: (CG )
T
MAC (K , C); ←
MAC
DEC (K , C).
ENC
Verify CH , CH , SID and IID.
I2 T
If equal, generate session keys: S , S .
ENC MAC
Initialize SSC.
Mutual authentication is now complete and a secure channel is established.
The Interrogator has access to a list of SIDs (Secret identifiers) with the associated K and K for
ENC MAC
each Tag. This is represented by the “Database” on Interrogator's site.
After having successfully identified the Tag in Phase 1, the Interrogator is able to find secret keys K
ENC
and K that it shares with the Tag. K is used in CBC mode. The IV for encryption is set to all zeroes
MAC ENC
00h.00h. As the size of S is on both sides a multiple of the AES block size, no padding is applied. K is
MAC
used to calculate a 16-byte MAC.
CH and CH are used as challenges in the challenge-response protocol for mutual authentication and
T I2
for generation of the starting value of the SSC. See 6.3 for details.
The session encryption key, S , is used for confidentiality of data in transit. AES encryption, including
ENC
an SSC, is illustrated in Figure 18; decryption is illustrated in Figure 19. The session MAC key, S , is
MAC
used for data and protocol integrity. This crypto suite derives session keys as specified in 6.4.
If the Tag cannot verify the interrogator's MAC, it reports a crypto suite error (see Annex B for further
information) and assumes state Init. If the interrogator cannot verify the tag's MAC, the tag is not
authenticated.
6.3 Send sequence counter
The send sequence counter (SSC) ensures that the initial values (IVs) are different for every encryption
and the MAC chaining values (MCVs) are different for every MAC generation. To this end, the SSC is
incremented (+1) each time before a Secure Communication command or response is processed.
After mutual authentication, the initial value of the send sequence counter SSC is generated as follows:
8 © ISO/IEC 2019 – All rights reserved

SSC = CH ( least significant bytes) ||
T
CH ( least significant bytes)
I2
After receiving a secure command, the Tag increments SSC, then checks the MAC and then decrypts the
command. In turn, before sending a secure response, the Tag increments SSC, encrypts the response
and generates the MAC. Each particular step is under control of the security flags. Thus, if SSC has the
value x at idle time, x+1 is used for processing the next secure command, and x+2 is used for processing
the response. SSC may overflow to 0h during the increment without particular action.
6.4 Session key derivation
6.4.1 General
The derivation of the session keys, S and S , is based on the KDF in counter mode specified in
ENC MAC
5.1 of Reference [7]. This method uses CMAC as the PRF with AES as underlying block cipher with full
16 bytes output length. The input to the PRF for this cipher suite is as specified in 6.4.3.
6.4.2 KDF in counter mode
The key derivation function iterates a pseudorandom function n times and concatenates the output
 
until L bits of keying material are generated, where n: = . Lh/ . In each iteration, the fixed input data is
 
 
the string Label || 00h || Context || [L] . The counter [i] is the iteration variable and is represented as a
2 2
binary string of r bits.
Figure 2 illustrates the process.
The input to the PRF [see step d) of Process] is explained in 6.4.2.
For the derivation of session encryption key S , K is set to K . For the derivation of session MAC key
ENC I ENC
S , K is set to K .
MAC I MAC
Fixed values
— h – The length of the output of the PRF in bits;
— r – The length of the binary representation of the counter i. in bits.
Input: K , Label, Context, and L.
I
Process
 
a) n: = Lh/ .
 
 
r
b) If n > 2 −1, then indicate a crypto suite error and stop.
c) result(0) := ∅.
d) For i = 1 to n, do
— K(i) := PRF (K , [i] || Label || 00h || Context || [L] );
I 2 2
— result(i) := result(i−1) || K(i).
e) Return: K := the leftmost L bits of result (n).
O
Output: K .
O
© ISO/IEC 2019 – All rights reserved 9

SOURCE Reference [7].
Figure 2 — KDF in counter mode
6.4.3 Key derivation scheme
The following derivation data are used to generate session keys according to the KDF in counter mode
as specified in Reference [7].
The one byte counter, i, may take the values 01h or 02h. The value 01h is used when L takes the value
0080h for derivation of AES-128 keys, which is currently the only case relevant for this document
(see NOTE below).
The iteration variable, i, is concatenated with the fixed input data. The fixed input data is a concatenation
of a Label, a separation indicator 00h, the Context, and [L] as follows:
— Label: consists of 11 zeroes (00h) bytes followed by a one byte derivation constant as defined in
Table 3;
— One byte separation indicator 00h;
— Context: CH || CH ;
I2 T
— [L] : the length in bits of the derived data. For derivation of AES-128 keys, which is currently the
only case relevant for this document, L takes the value 0080h (see NOTE below).
In each iteration, the fixed input data is the string Label || 0x00 || Context || [L] .
NOTE Currently, this document only supports AES-128 keys.
10 © ISO/IEC 2019 – All rights reserved

Table 3 — Encoding of the one byte derivation constant
b8 b7 b6 b5 b4 b3 b2 b1 Description
0 0 0 0 0 0 1 x Key derivation
0 0 0 0 0 0 x 0 Derivation of session encryption key S with K set to K
ENC I ENC
0 0 0 0 0 0 x 1 Derivation of session MAC key S with K set to K
MAC I MAC
NOTE  Any other value is RFU.
A Tag or an Interrogator shall not use a derivation constant marked as RFU.
6.5 IID, SID, used keys and their personalization
This crypto suite assumes the following keys and information to be available on the Tag:
— the SID, optionally signed with the signature key K before it is stored on the Tag;
S
— the RAMON encryption key K ;
E
and, if mutual authentication is provided:
— the shared secret keys K and K .
ENC MAC
On the Interrogator:
— the RAMON decryption key K ;
D
— optionally, the signature verification key K ;
V
— a list of valid SIDs; each SID can have a signature attached to it;
and, if mutual authentication is provided:
— the shared secret keys K and K .
ENC MAC
The IID is an 8-byte value which identifies the interrogator to the Tag. The IID can be chosen freely, but
shall remain constant during a session.
The SID is a unique 8-byte value which identifies the Tag to the interrogator. It is set during
personalization and remains constant throughout the lifetime of the Tag.
The SID used by this crypto suite is used by the application to securely identify the tag and therefore has
nothing in common with any unique identifier defined by an air interface standard. The SID used by this
crypto suite shall never be sent in plaintext. The SID can be signed to preserve integrity and to provide
authenticity. The SID and the optional signature should never be readable for an unauthorized reader.
The party that generates the signature possesses the key pair consisting of the private and the public
key (K , K ) for signature generation and verification. It may forward the public key K to another party
S V V
to enable it to verify the signature. F.3 contains the specification of the signature over the SID. Annex F
shows the usage of the SID in combination with the non-traceability feature of this crypto suite.
The Tag does not perform signature generation or verification, nor does it store the corresponding
keys. It only stores the SID along with its signature (which is optional) and the public key K for Tag
E
authentication. If mutual authentication is supported, the Tag also stores the shared secret keys K
ENC
and K .
MAC
The memory locations storing the SID and the secret keys K , K and K shall not be readable for
E ENC MAC
any Interrogator after having written these values once during production of the Tag. For that purpose,
a Tag may have a memory area used for storing the SID and the key K configured as WORM or as a fuse.
E
However, production is out of scope of this document; this functionality has to be implemented in a
proprietary way.
© ISO/IEC 2019 – All rights reserved 11

The Interrogator application performing RAMON shall have access to the private decryption key K in
D
order to be able to decrypt the authentication message sent by the Tag. In order to be able to perform
mutual authentication, the Interrogator shall have access to the keys K and K associated with a
ENC MAC
specific SID.
EXAMPLE Figure 3 shows an example system flow with the involved components and keys. System Integrator
and Tag Issuer can work in parallel. The steps performed by these parties can be executed independently of the
other party. Generation of the signature key pair and signing of SIDs is an optional security function provided by
the operational environment.
Fig
...