Using RFID Technology to Stop Counterfeiting



Similar documents
Securing Host Operations with a Dedicated Cryptographic IC - CryptoCompanion

CRYPTOMEMORY POWERFUL SECURITY AT LOW COST

Atmel s Self-Programming Flash Microcontrollers

Trusted Platforms for Homeland Security

Application Note. Atmel CryptoAuthentication Product Uses. Atmel ATSHA204. Abstract. Overview

Fighting product clones through digital signatures

AN INTRODUCTION TO THE GLOBAL DOCUMENT TYPE IDENTIFIER (GDTI) TABLE OF CONTENTS

WHITE PAPER AUGUST Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

AVR1318: Using the XMEGA built-in AES accelerator. 8-bit Microcontrollers. Application Note. Features. 1 Introduction

More Secure, Less Costly IoT Edge Node Security Provisioning

Voltage's Encrypted

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, Developed by: Smart Card Alliance Identity Council

Strong Security in Multiple Server Environments

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

Best Practices for the Use of RF-Enabled Technology in Identity Management. January Developed by: Smart Card Alliance Identity Council

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

E-Book Security Assessment: NuvoMedia Rocket ebook TM

Software Hardware Binding with Quiddikey

Enhancing Organizational Security Through the Use of Virtual Smart Cards

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Acceptable Use Policy

Acceptable Use Policy

Overview. SSL Cryptography Overview CHAPTER 1

PrivyLink Cryptographic Key Server *

Strengthen RFID Tags Security Using New Data Structure

Chapter 10. Cloud Security Mechanisms

How To Use Atmel'S Atmel Crypto Device For A Year On A Computer Or Cell Phone

SecureD Technical Overview

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

PUF Physical Unclonable Functions

Cisco Trust Anchor Technologies

Information Security Services

NOT ALL CODES ARE CREATED EQUAL

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

CS 356 Lecture 28 Internet Authentication. Spring 2013

Chapter 15 User Authentication

MovieLabs Specification for Enhanced Content Protection Version 1.0

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

Advanced Authentication

Card Not Present Fraud Webinar Transcript

Research Article. Research of network payment system based on multi-factor authentication

CPSC 467: Cryptography and Computer Security

Understanding and Integrating KODAK Picture Authentication Cameras

TETRA Security for Poland

Application Note. Atmel ATSHA204 Authentication Modes. Prerequisites. Overview. Introduction

Enabling the secure use of RFID

Neutralus Certification Practices Statement

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Why you need secure

IT Architecture Review. ISACA Conference Fall 2003

Efficient Asset Tracking: From Manual to Automated

INTRODUCTION TO CRYPTOGRAPHY

Content Teaching Academy at James Madison University

APPLICATION NOTE. Secure Personalization with Transport Key Authentication. ATSHA204A, ATECC108A, and ATECC508A. Introduction.

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Chap. 1: Introduction

IY2760/CS3760: Part 6. IY2760: Part 6

Multi-Factor Authentication

Module 7 Security CS655! 7-1!

Information Security

Security. Definitions

WHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting

43% Figure 1: Targeted Attack Campaign Diagram

Responsible Access and Use of Information Technology Resources and Services Policy

GT 6.0 GSI C Security: Key Concepts

WHY YOU NEED AN SSL CERTIFICATE

Using CryptoMemory in Full I 2 C Compliant Mode. Using CryptoMemory in Full I 2 C Compliant Mode AT88SC0104CA AT88SC0204CA AT88SC0404CA AT88SC0808CA

Security Requirements for RFID Computing Systems

Understanding Digital Certificates & Secure Sockets Layer A Fundamental Requirement for Internet Transactions

Oracle Retail Point-of-Service with Mobile Point-of-Service

Key Management Interoperability Protocol (KMIP)

Cisco IOS Public-Key Infrastructure: Deployment Benefits and Features

Digital Signatures on iqmis User Access Request Form

OPC UA vs OPC Classic

Hang Seng HSBCnet Security. May 2016

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

Preventing fraud in epassports and eids

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

GSM and UMTS security

Security Policy. Trapeze Networks

Acceptable Use Policy

Insight Guide. Encryption: A Guide

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

SSL A discussion of the Secure Socket Layer

WHITEPAPER. Fraud Protection for Native Mobile Applications Benefits for Business Owners and End Users

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

USB Portable Storage Device: Security Problem Definition Summary

User Authentication Guidance for IT Systems

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

ISO27001 Controls and Objectives

Transcription:

Using RFID Technology to Stop Counterfeiting By Eustace Asanghanwa, Crypto & RF Memory Applications Summary RFID technology is well known for providing labeling solutions to automate inventory control. It is less known for its capability to offer anti-counterfeiting solutions. While providing cryptographic authentication schemes with data protection capabilities, a well implemented RFID security solution provides complete product protection against illegal cloning, intellectual property theft, and denial-of-service attacks. Atmel Corporation 2325 Orchard Parkway San Jose, CA 95131 TEL (408) 441-0311 FAX (408) 487-2600 Web Site: http://www.atmel.com

Table of Contents Using RFID Technology to Stop Counterfeiting... 1 Introduction... 3 Understanding the Problem of Counterfeit... 3 RFID and Product Labeling... 3 Assuring Product Authenticity with RFID... 4 Password Protection...5 Encrypted Labels...5 Challenge-Response Protection...5 Double Challenge-Response Protection...5 Adding Optional Security for Data Protection... 6 Write Protection...6 Data Encryption...6 Message Authentication Codes...7 Choosing the Proper RFID Security Solution... 7 Conclusion... 7 2 5260A RFID 06/07

Introduction Many people understand RFID as a next-generation barcode with technology to automate inventory control. Few people understand this technology can also protect against counterfeiting and even fewer have knowledge of how or what to consider when shopping for the right anti-counterfeit solution. This paper provides insights to the problem of counterfeit, how RFID technology can combat it, considerations for a complete RFID security solution, and what to look for when shopping for the right anti-counterfeiting RFID solution. Understanding the Problem of Counterfeit Counterfeiting entails illegal cloning of products with the sole intent of deriving economic benefit. The overriding incentive for counterfeiting is easy money without the associated intellectual property and product development costs, quality and reliability concerns. Product manufacturers pay dearly for counterfeiting including brand erosion, loss of market share, intellectual property value dilution, customer support for non-authentic products, and bad will. Classic solutions to counterfeiting have been tamper resistant/evident packaging, and special label markings. High value consumables like pharmaceuticals, electronics, accessories and cosmetics in today s markets provide incentive for counterfeiters to make capital investments for reproduction of packages and labels to enable cloning. Once they manufacture the appropriate packages and/or labels, they apply them to cheap imitations of the product and go to market. Because the counterfeiter has not incurred the costs typically associated with product development, they quickly cover their capital investments at the expense of the authentic product manufacturer. Counterfeiters have the motivation to surmount any packaging and labeling barriers and often achieve product cloning quite easily. This is because all of the information required for authentication is physically present with the product. Today s products require more advanced solutions to combat product counterfeiting. Effective solutions will require products to carry only part of the authentication information. The manufacturer can keep the other part and so controls production of the product. Holding back a piece of product authentication information as an anti-counterfeit solution works best when dealing with labels. RFID secure labeling provides this capability and requires proper implementation for effectiveness. RFID and Product Labeling RFID provides labeling technology like barcodes but with greater capability. Barcodes encode product-labeling information like names and serial numbers but nothing more. They require direct line-of-sight for access, can store only small amounts of information, and have minimum size requirements for effectiveness. As such, small sized items present challenges for item level barcode labeling. RFID technology, on the other hand, embeds labeling information in non-volatile memory devices, which in turn embeds in a product. Unlike barcodes, RFID tags come in various sizes sometimes as small as a grain of rice, have greater storage capacity, and do not require direct line-of-sight for access. The absence of size and line-of-sight limitations allows RFID tags to embed virtually into 3 5260A RFID 06/07

any product for flexible labeling down to the item level. This capability enables automatic tracking and inventory control with strategically placed interrogators. Assuring Product Authenticity with RFID RFID labeling with proper security measures can assure product authenticity and prevent illegal cloning. The necessary precondition for the effectiveness of this scheme is for the product to withhold information until after assuring the authenticity of the interrogator. To achieve this, the tag must expect the interrogator to provide information proving its authenticity. This piece of information is one that only an authentic manufacturer can provide. The tag thus issues cryptographic challenges to the interrogator and will not give out labeling information unless the interrogator provides the proper response. This challenge-response scheme, illustrated in Figure 1, constitutes the proper RFID labeling security necessary to combat cloning. Since the interrogator initiates communications in most RFID protocols, the tag will need to have the challenge always ready. The interrogator would read the challenge and generate a response for the tag to validate. The tag updates its challenge upon a successful response. Counterfeiters, not possessing the proper response to the challenge, will never obtain the labeling information from the device and thus have nothing to duplicate. For example, a shoe manufacturer like Nike may choose to protect its brand and products from piracy using RFID technology. If they embed authentication tags within the shoes, then distributors willing to build a reputation around distributing authentic products can obtain proper interrogator devices from the shoe manufacturer and consumers can feel confident they are purchasing authentic products. High end shoe manufacturers may also find interest in equipping major shopping centers with public authentication checking devices (interrogators) for consumers to validate purchases from hawkers. In either of these cases, pirated products will not pass the validation tests. Unfortunately, many existing RFID security solutions do not possess this challengeresponse scheme thus lacking the infrastructure to protect against counterfeiting. The next few paragraphs highlight some existing solutions and their adequacy. Figure 1. Challenge Response Sequence: Tag Updates Challenge after Every Successful Challenge Response. Tag current challenge always available for interrogator to read Interrogator Challenge RFID Interrogator Interrogator Secret Interrogator Response Tag releases label information if response is valid Product Label RFID Security Tag Embedded in Product 4 5260A RFID 06/07

Password Protection Widely used protection scheme but unfortunately the weakest. All it takes is the breach of a single password to retrieve a tag label for duplication. Some tags may implement rollingpassword schemes that enhance sophistication but the fact of the matter is that it remains a password protection scheme. It only takes a single password compromise to completely expose the product for illegal cloning. Encrypted Labels Some manufactures go through the pains of encrypting the labels using very strong cryptographic algorithms. They may choose to store these labels in tags possessing password security already for added protection. Unfortunately, counterfeiters do not need to decrypt or understand the labels in order to duplicate them. This protection scheme remains as trivial as that offered by password protection. Challenge-Response Protection This scheme requires that tags authenticate interrogators before divulging information. The tags issue interrogators cryptographic challenges for which only interrogators possessing certain secret information are able to respond correctly. By managing interrogator side secrets, authentic manufacturers will possess the ability to prevent counterfeiters from reading their product information thus preventing illegal cloning of their product. Double Challenge-Response Protection Similar to the challenge-response scheme with additional ability for the interrogator to also challenge the tag as illustrated in Figure 2. This scheme requires both interrogators and tags to independently store asymmetric secrets to use in the process. This mutual authentication scheme provides assurance to both authentic interrogator and tag about each other s authenticity. This is particularly useful where authentic interrogators need to provide field updates to authentic tags. For example, interrogators in a mobile electronic application, like smart phone firmware upgrade equipment at a supplier location may need to ascertain the authenticity of the tag (product) before issuing a firmware upgrade. This mutual authentication scheme provides for very powerful counterfeit protection. 5 5260A RFID 06/07

Figure 2. Double Challenge-Response Scheme Adding Optional Security for Data Protection The challenge-response and double challenge-response RFID security schemes provide effective anti-counterfeiting solutions. These solutions by themselves, however, do not offer data protection for data communication between the interrogator and the tag. An eavesdropper, for instance, can wait until completion of the challenge-response process, and intercept information between interrogator and tag. Depending on the application, they may even modify the information to suite their needs. For example, a malevolent eavesdropper with a competing product can intentionally inject errors in a firmware upgrade to a competitor s consumer electronic product to achieve a classic denial-ofservice attack. Such eavesdroppers may also inject false information into the competitor s authentic consumables, be it electronic or not, to make them appear non-authentic. A more complete solution to RFID label security thus requires data protection in addition to authentication for most applications. The following paragraphs outline useful data protection schemes with standalone adequacy or in combination depending on the application. Write Protection Offered by tags with the ability to lock the data contained within to prevent future modification. This is well suited for pure labeling applications with static label information. Write protection alone may be adequate for the protection of products like pharmaceuticals and consumables including cosmetics, accessories, and apparels. Data Encryption Offered by tags with the ability to encrypt information traffic between the interrogator and the tag. Encrypting data between the interrogator and tag assures the confidentiality of the data in transmission. Data confidentially may be useful both in protecting secrets or preventing man-in-the-middle attacks. This protection scheme will be useful in applications where field upgrades are necessary. 6 5260A RFID 06/07

Message Authentication Codes Message authentication codes (MAC) are cryptographic digests that allow the recipient of information to ascertain the authenticity of the source and integrity of the data content. MAC generation uses cryptographic secrets stored within the interrogator and tag. For any given message, only an authentic interrogator or tag can issue the proper MAC. The sender of data thus generates a MAC to accompany the data. The recipient of the data verifies the MAC. If the MAC does not checkout, it either implies that the source of the message is not authentic, the integrity of the message is questionable (i.e. message has been modified since it left the source), or there were channel communication errors. The combination of data encryption and use of MAC provides powerful data protection to field updates like firmware upgrades to electronic products. Choosing the Proper RFID Security Solution Conclusion Many RFID tags offer some level of security but choosing the proper security for your application is the only way to protect your product. The proper security for anticounterfeiting, at the minimum, requires the RFID tag to possess the ability to authenticate the interrogator prior to divulging labeling information. This provides the authentic product manufacturer control over tag label access by controlling cryptographic secrets needed by interrogators. This prevents counterfeiters from accessing product labels within the tags. There are two things to consider when shopping for an RFID anti-counterfeiting solution: 1. Ensure the RFID tag offers authentication capability prior to access of label information stored within the tag. Look for the challenge-response scheme in applications where the interrogators only need to identify the tag. Look for the double challenge-response scheme (mutual authentication) in applications where interrogators may also need to modify information stored within the tag or product. For example, have interrogators perform mutual authentication with the tags embedded within a consumer electronic device before issuing a firmware upgrade to the product. 2. Ensure the RFID tag offers adequate data protection capability for your application. Look for tags with write protection for applications that require labeling information remain fixed and where the labeling information does not need to be confidential. Look for tags with data encryption and MAC capability for applications requiring assurance of data confidentiality and integrity, and source authenticity. An example of such an application is issuance of firmware upgrades to consumer electronics where the authenticity of the electronic product needs ascertaining, and also where the firmware intellectual property and integrity need protection. RFID technology can stop product counterfeiting. Combating product counterfeiting requires a paradigm shift from embedding product authentication information within the product to having the authentic manufacturer withhold and control a piece of that information. RFID provides the necessary technology, to include single and double challenge-response authentication security schemes. A complete RFID product protection solution needs to also consider data protection. Data protection schemes include write- 7 5260A RFID 06/07

protection, data encryption, and use of Message Authentication Codes (MAC). Depending on the application, a combination of the right authentication and data protection security schemes can provide complete product protection. 8 5260A RFID 06/07

Editor's Notes About Atmel Corporation Founded in 1984, Atmel Corporation is headquartered in San Jose, California with manufacturing facilities in North America and Europe. Atmel designs, manufactures and markets worldwide, advanced logic, mixed-signal, nonvolatile memory and RF semiconductors. Atmel is also a leading provider of system-level integration semiconductor solutions using CMOS, BiCMOS, SiGe, and high-voltage BCDMOS process technologies. Further information can be obtained from Atmel s Web site at www.atmel.com. Contact: Eustace Asanghanwa, Crypto & RF Memory Applications, Colorado Springs, Colorado, USA, Tel: (719) 540-6689, e-mail: easanghanwa@cso.atmel.com 2007 Atmel Corporation. All rights reserved. Atmel, logo and combinations thereof, and others, are registered trademarks or trademarks of Atmel Corporation or its subsidiaries. Other terms and product names may be trademarks of others. 9 5260A RFID 06/07

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information