RFID technologies duke it out

And you thought the fight over radio frequency identification technology was all about whether Big Brother would be able to track unsuspecting individuals as they go about their daily lives. In some corners it's still about that, but RFID has matured to the point where debates have more to do with what kind of RFID is appropriate for government applications than whether it's appropriate at all.This summer, a congressional conference committee wrestled over two incompatible types of radio frequency identification technology proposed for the Western Hemisphere Travel Initiative, a joint border-control project of the Homeland Security and State departments [for more about WHTI, see , GCN.com/669].Essentially, they're fighting over slices of the electromagnetic spectrum. In one corner are proponents of so-called high-frequency chips employed in the familiar smart cards used to secure access to buildings. In the other corner are backers of ultrahigh-frequency chips used in RFID tags that track cases of toothpaste through supply chains to the local Wal-Mart or military post exchange.If you think the debate has nothing to do with your agency, think again. The HF versus UHF question is likely to permeate decisions about RFID applications for the foreseeable future, whether it's tracking livestock and pharmaceuticals, or tagging important documents and agency IT assets. Therefore understanding the positions today will help your agency tomorrow.Here's where we stand now: DHS proposed UHF for the WHTI PASS card, and the department's U. S. Visitor and Immigrant Status Indicator Technology program is testing it for visa holders crossing the Canadian and Mexican borders. The State Department pushed the HF smart-card technology that it uses in its new e-passports, and the Senate's Stevens-Leahy amendment specified a standard only supported in smart cards.Meanwhile, in response to privacy concerns, a DHS committee issued a draft recommendation against using any type of RFID for personal identification. That fanned a lobbying effort by a UHF industry that sees its technology as the future'with cheap, ubiquitous tags and readers.'DHS was going down a long-range path that was very UHF-focused, and we think that's the wrong approach,' said Cathy Medich, manager of industry councils for the Smart Card Alliance, which recommended further testing.'U.S. Visit seems to be specifying a technology from the supply-chain industry,' added Neville Pattinson, director of technology at alliance member and chipmaker Gemalto North America (). Pattinson said the debate is clouded by misperceptions, including DHS' incorrectly lumping contactless smart cards with UHF tags. (In August, Gemalto received an order from the Government Printing Office for its e-passport technology.)The conflict is rooted in the inherently dual nature of border control, which involves the security role of DHS and the passport responsibilities of State, which might have an advantage from its e-passport experiences. 'The e-passport program is going forward, so they'll already have the infrastructure,' said alliance spokesperson Deb Montner, claiming the UHF camp is trying to introduce a second, unproven technology whose costs will rise as it takes on needed security.Frank Moss, the State Department's deputy assistant secretary for passport services, declined to state a preference but promised an eventual solution. 'Whatever the administration decides is the technology will be subject to the rulemaking process,' Moss said. 'We expect to have a rich conversation with interested parties.'Moss said the e-passport requirements differ from WHTI's and were developed for worldwide interoperability, with the card holding biometric finger scans and facial photos. 'WHTI is not intended to be a globally interoperable travel document,' Moss said. 'It's intended to be a pointer to a database. That is where the biometric information on the traveler resides.' With the more personal information stored on the E-Passport itself, the short transmission distances of smart cards are appropriate, Moss said, while a longer-range WHTI card might be readable only when its owner chooses.So who's right? Before an agency can answer that, it needs to explore further the differences between the two radio technologies.HF transmits data between its radio and a reader at 13.56 MHz and at ranges under three feet. UHF works at around 860-930 MHz and can broadcast up to 32 feet.'HF uses a technology called magnetic coupling that is inherently shorter-range than the radiated approach of UHF,' said Scot Stelter, director of strategic marketing for Alien Technology (www.alientechnology.com), which makes UHF hardware. The slowest HF readers are cheaper than UHF'under $100, versus around $500 for UHF'but high-speed HF readers for recognizing small, closely spaced items can cost thousands of dollars. UHF proponents claim that with UHF ramp-up creating economies of scale, costs are getting comparable. Long-term, they say, UHF tags will be cheaper because their antennae can be as simple as a single wire circle or even made of conductive ink on paper, while HF needs metal wire wound many times.HF adherents say typical UHF tags, at several inches wide, are too big for small items. The UHF camp says its shorter-range tags will be comparable to HF's.'The benefit of HF technology is that it's on the ISM [Industrial, Scientific, and Medical] band,' said Mike Liard, director of RFID and contactless technology at ABI Research in Oyster Bay, N.Y.Liard, who testified before the Senate committee evaluating WHTI technologies, said ISM is available worldwide. The frequency has long been supported by two standards of the International Organization for Standardization, ISO 14443 and 15693, which define contactless smart cards. On the other hand, UHF only recently achieved ISO's imprimatur in an amendment to the 180000-6 item-management standard approved in July. 'HF has a leg up on UHF when it comes to technology, established standards, and market presence,' Liard said.UHF proponents counter that while HF has settled on a single frequency, its multiple data protocols can cause incompatibilities between tags and readers, and its frequency advantage vanishes when UHF runs at the lower frequency. Stelter said Alien recently introduced World Tags that handle the slightly different frequencies used in the U.S., Europe and Japan, plus another tag targeting the small-item, 13.56-MHz market.UHF supporters say their technology is capable of handling needs now met by HF while avoiding the cost of two infrastructures. 'You do have the option of using UHF at long read ranges and short read ranges,' said Joe White, vice president of product management and tag engineering at Symbol Technologies (www.symbol.com), a Holtsville, N.Y. UHF manufacturer.There also is an aspect of security to the HF-UHF discussion. UHF is undeniably lagging HF in perceptions of security and privacy. Its case rests more on technological promise than practical reality. But while HF has a huge installed base, some experts say the technology is vulnerable to many of the same threats as UHF.'The fact that you can read a card at a distance worries the Homeland Security privacy people,' said Larry Huseby, director of public sector business development at Intermec Technologies Corp. (www.intermec.com), another UHF supplier based in Everett, Wash. This fear harkens back to the concern that UHF chips might be used to track people without their knowledge.'Every privacy professional I've talked to has a problem with the fact that it [UHF] transmits a static number,' Pattinson said. But Stelter dismissed such concerns, saying 'the RFID chip knows nothing about the person's whereabouts.'In fact, some of the features of smart cards could help make UHF cards more secure. 'It's absolutely possible to make just-as-secure products from UHF as the market demands it,' said Chris Kelley, Intermec's director of RFID.Though Kelley concedes that because it was designed for financial transactions, today's HF has more built-in security than UHF.For example, the UHF security solution planned by U.S. Visit is a metal cover that can serve as a Faraday cage (an enclosure designed to exclude electromagnetic fields) to block radio waves until the user removes it. U.S Visit also will use a method employed by HF cards called Basic Access Control, which authenticates readers over encrypted channels.HF supporters are skeptical. 'For human-identity applications, you need the security capabilities of the ISO 14443 smart cards,' Medich said. 'Those capabilities are not supported by the longer-range RFID tags.' Some worry the new Gen 2 UHF standard (see sidebar) doesn't have enough built-in security, leaving tags open to vulnerabilities such as cloning and eavesdropping.However, in a UHF scenario much depends on how much data the tag actually holds.Personal information could be stored on secure databases located near checkpoints, making the security discussion about the database, not the tag. 'The technology for securing databases is well established,' Stelter said. 'People in banking and the military have been working on it for 20 years.' He added that UHF could ensure privacy even if hackers can read tag numbers, as long as the user is anonymous. 'The question is, 'How much security do I need to be effective?' ' Stelter said.'The other side claims you need all this information on the card,' said Tim Heffernan, Symbol's director of public policy and a UHF proponent. 'But from a security perspective, you wouldn't want to put all this information on the card.'But even if the UHF tags serve only as 'license plates''i.e. pointers to a database'some say they could still pose security concerns. 'If people can read that and clone a card, they can impersonate you,' said the Smart Card Alliance's Montner.Of course, the UHF model also puts a heavier burden on databases in general. 'This is about managing a lot more information,' said Jack Pellicci, public sector group vice for database vendor Oracle Corp. 'It's more than just putting together tags and readers.' He cited the Army's RFID tags with embedded temperature sensors that monitor meals ready-to-eat, which can sit for days in the Iraqi desert. 'They transmit everything they have, and they retransmit and retransmit,' Pellicci said, so the database must be designed to record only data that changes.Smart cards have their own database safeguards. For a decade, RFID-based credit cards have been backed by Triple-DES encryption of personal-identity data stored on back-end systems.Whatever the database angle, neither HF nor UHF is completely free of security concerns. According to experts, both technologies are vulnerable to 'skimming' and other attempts to pull data off the airwaves. In a 2004 paper, 'Security and Privacy Issues in E-Passports,' experts from the University of California, Berkeley and RSA Laboratories wrote, 'E-passport trials held in October 2004 reportedly showed the possibility of eavesdropping from a range of 30 feet. Others have shown how relay devices can be used to read ISO 14443 chips, the kind used in e-passports, from even greater distances.'In a November 2005 report, 'Security Standards for the RFID Market,' the National Institute of Standards and Technology said the new EPCglobal Gen 2 standard for UHF added longer passwords for its kill command, but it lacks a key-management function. NIST also concluded that despite their advanced security features, smart cards remain vulnerable to significant threats.While HF and UHF are being debated for ID cards, the issue is fairly settled when it comes to supply chain management, in part because of UHF Gen 2 mandates by Wal-Mart and the Defense Department. Which is largely why UHF is making inroads into HF's traditional strongholds.Conventional wisdom says you need HF for item tagging and environments that contain liquids or metal, leaving UHF for boxes and pallets. But UHF advocates claim it works just fine for so-called 'near-field' applications, which are critical in industries such as pharmaceuticals, with its vials of medicine and foil-covered blister packs. 'The notion that UHF can't be used in proximity to liquid is a myth,' Stelter said.'I think we'll see a layering of technology depending on the level of the supply chain,' said Peter Langworthy, a senior program manager at Northrop Grumman Information Technology, an integrator that installed a DOD system that uses RFID to track pallets shipped between the U.S. and Germany. 'You see redundant technology even on the same item itself.' Langworthy added he expects DOD to phase in case- and item-level UHF tags using off-the-shelf Gen 2 products.Liard recommends analyzing the technologies through the prism of closed-loop systems that allow control over who and what can enter the system'for example, library books, or federal employees entering buildings'and open-loop, such as the consumer-goods industry, which must accommodate numerous partners. 'The limited range of high frequency poses challenges for open-loop supply-chain applications,' Liard said. 'But with open-loop applications, you certainly have security concerns.'At the end of the day, no matter what an agency needs to keep track of, HF and UHF flavors of RFID require an in-depth analysis of requirements, resources and risk. The fact of the matter is, regardless of what the two camps say, neither technology is a slam-dunk across all applications. As each evolves, the debates will evolve with them.