We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byAbigail Fraser
Modified about 1 year ago
RFID Tag Authentication Proposal
©2007 GS1 Canada2 The Challenge (1) Product counterfeiting is a lucrative industry Manufacturing cost is low Low cost material Low cost labour Most people think of counterfeiting as harmless and obvious “Rolex” watches, “Louis Vitton” handbags sold on a sidewalk are obvious fakes New release movies on DVD while still in theatres also obvious fakes Cost to manufacturer can be quite high Even if purchasers of counterfeit products would never buy the legitimate article, value of brand is compromised
©2007 GS1 Canada3 The Challenge (2) Many counterfeit products end up in the legitimate distribution channel Often better quality, not easy to spot In some cases (e.g. pharmaceuticals), replacement of real with fake can have dire consequences Risk to counterfeiters is low Seizure of a shipment is cost of doing business Viewed as a victimless crime, seldom prosecuted, and convictions often result in a simple fine
©2007 GS1 Canada4 The Challenge (3) Good counterfeit almost impossible to spot if everything is copied Product Manuals Packaging Barcode Inherent weakness in GTIN is that barcode is not unique to the item EPC tag with SGTIN uniquely identifies item… or does it?
©2007 GS1 Canada5 SGTIN Format Per the EPCglobal standards, the SGTIN contains the company prefix, item reference, and serial number Company prefix is assigned by GS1 MO and is unique worldwide Item reference is assigned by owner of the company prefix and is unique within the company prefix Serial number is assigned by manufacturer of the item and is unique within the company prefix and item reference Encoded as urn:epc:id:sgtin:.. e.g. urn:epc:id:sgtin:
©2007 GS1 Canada6 Counterfeiting the SGTIN (1) Counterfeiting is easy Tags are cheap Company prefix and item reference are easily obtainable Serial number can be randomly generated Data Discovery can detect forged serial numbers EPCIS lookup will not find matching serial number Serial numbers can be duplicated as well RFID reader inserted somewhere in the legitimate supply chain can read hundreds of legitimate serial numbers at a time Serial numbers can then be reused on counterfeit products
©2007 GS1 Canada7 Counterfeiting the SGTIN (2) Data Discovery can detect duplicate serial numbers Product can’t be in two locations at once But which one is legitimate? If EPCIS stores the Tag Identifier (TID) corresponding to the SGTIN, counterfeit can be identified TID is (or should be) invariant Duplication of TID requires cooperation of tag manufacturer or manufacture of tags that have writeable TID
©2007 GS1 Canada8 Scalability EPCIS lookup of millions or billions of products simply not scalable High bandwidth required High processor power required at EPCIS server Internet lag plus processing time, multiplied by number of items, renders counterfeit detection highly impractical
©2007 GS1 Canada9 Digital Signature Simple solution: sign the tag Calculate the MD5 hash of the SGTIN URN plus the TID e.g. urn:epc:id:sgtin: / where TID is TID is included in the hash to prevent duplication of SGTIN and signature to a different tag Encrypt the MD5 hash with the appropriate private key Multiple private keys may exists for reasons outlined later Write the SGTIN and the encrypted MD5 hash to the tag
©2007 GS1 Canada10 Verifying the Signature (1) The problem now is how to verify the signature Most common solution that has been proposed is the trading of public keys among supply chain partners Does not work in a complex trading relationship Many partners not known to manufacturer Many interested parties (e.g. customs inspectors) are not a direct part of the supply chain What if there were a way to make the public key discoverable? Enter the Object Naming Service, stage left…
©2007 GS1 Canada11 Verifying the Signature (2) Read the SGTIN and the encrypted MD5 hash from the tag Based on the content of the RFID tag, create ONS host name e.g sgtin.id.onsepc.com Search for NAPTR records with service of type "EPC+pubkey“ Multiple records may be returned, each with a different preference Calculate the MD5 hash of the SGTIN URN plus TID
©2007 GS1 Canada12 Verifying the Signature (3) Following the preference order returned by ONS, decrypt the encrypted hash on the tag compare the result to the calculated hash If a match is found, the tag is valid If a match is not found, the tag is forged and the product is likely counterfeit Maintenance of public/private keys is entirely at the discretion of the owner the company prefix One for each GTIN One for multiple or all GTIN’s One for multiple or all identification keys (GTIN’s, GLN’s, etc.)
©2007 GS1 Canada13 Verifying the Signature (4) Multiple public keys may be returned Certificate revocation not possible as long as tags signed with private key are in the supply chain Preference order dictates which one is most current Certificates may be deprecated for a variety of reasons Certificate has expired Private key has been compromised Contract manufacturer with private key has been running extra shifts to produce same product and shipping it through black market channels
©2007 GS1 Canada14 Scalability Public keys for a GTIN need to be retrieved only once Refresh would be required only when digital signature can’t be verified If digital signature can’t be verified after refresh, product is counterfeit All processing required to verify signature is done locally No EPCIS integration required No need for manual process to share public keys
©2007 GS1 Canada15 Managing Private Keys Company prefix owner has several options to manage the private key Pre-sign RFID tags, keeps private key secure Give different private key to each contract manufacturer Key per manufacturer limits damage done by mismanaged or stolen key Make signature process available through OASIS Digital Signature Services open.org/committees/tc_home.php?wg_abbrev=dss open.org/committees/tc_home.php?wg_abbrev=dss Logging of calls ensures that number of tags signed matches number produced
©2007 GS1 Canada16 Data Matrix Data Matrix and other 2-D codes could include digital signature Lack of invariant like TID makes copying individual tag easier but requirement for line-of-sight scanning limits volume of copied tags
©2007 GS1 Canada17 Securing User Memory Various elements in user memory may be signed as well Need to develop a mechanism for identifying writer of data in user memory Need to develop mechanism for looking up public key of the writer as it will not be based on the GTIN, which belongs to the product manufacturer Once the above is done, user memory content (e.g. destination GLN for high-value product) may be verified using the same mechanism
©2007 GS1 Canada18 Additional Information Laurent Vieille, Anti-Counterfeiting Coordinator, GS1 France, has prepared an excellent paper on challenges in counterfeiting Discusses a layered approach to counterfeit detection Contact at
©2007 GS1 Canada19 Contact Details Kevin Dean Special Projects Consultant T ext F Don Mills Rd., Suite 800 Toronto, ON M3B 3L1 Helpdesk
Virtual Private Networks (VPNs) VPNs allow secure, remote, connections… but they don’t protect you from a compromised remote PC.
Sales Order Cycle Review Report Insert Date. Source: 2 Table of Contents Executive Summary 3 Objective, Scope & Procedures Performed4.
Md. Kamrul Hasan Assistant Professor and Chairman Computer and Communication Engineering Dept. Network Security.
1 Advanced Database Application Development Performance Tuning Performance Benchmarks Standardization E-Commerce Legacy Systems.
Improvement SAE Book The Improvement Project is designed to be used by anyone attempting to improve the value or appearance of the home, place of employment,
Network Security Protecting An Organizations Network.
Version 4.1 CCNA Discovery 2– Chapter 7. Contents 7.1: ISP Services : TCP / IP Protocols 7.2: 7.3: DNS 7.3: 7.4: Application Layer Protocols 7.4.
M-COMMERCE Md. Rashedul Hasan. The Wireless Revolution We are seeing a widespread convergence in wireless technology and the services it offers. If content.
MANAGING TRADE SECRETS IN A FRANCHISING ARRANGEMENT Guriqbal Singh Jaiya Director, SMEs Division, WIPO
UNIT I FUNDAMENTAL OF E-COMMERCE 1.1INTRODUCTION TO E-COMMERCE 1.2 DRIVING FORCES OF E-COMMERCE 1.3 BENEFITS AND LIMITATIONS OF E-COMMERCE 1.4 DATA MINING.
Introduction to Telecommunication Equipment: PBX, ACD, IVR, CMS, CAS and Workforce Management or How to Select Telephone Systems & Services to Fit Your.
Friendly Technologies 2007 Patent Pending PEARS – Privacy Ensuring Affordable RFID System Humberto Moran Friendly Technologies Ltd.
Chapter 10 Implementing Electronic Commerce Security Gary Schneider, 2003.
SubCAT Purpose built Job and Business Administration for Australian and New Zealand Trade Contractors By Construction People for Construction People.
SCENARIO EXPLORER Introduction Basic Design Scenario Graphic Navigation Pane Content Area The Scenario Explorer provides you with comprehensive information.
1 Indexing. 2 Overview An index is a table containing a list of keys associated with a reference field pointing to the record where the information referenced.
Drybridge Consulting Party Identification Directory Installing the Microsoft Research Service IDEAlliance and Drybridge Consulting – collaborating to deliver.
Copyright © 2003 Pearson Education, Inc. Slide 11-1.
Computer Forensics. Introduction Topics to be covered –Defining Computer Forensics –Reasons for gathering evidence –Who uses Computer Forensics –Steps.
EPCglobal HLS Industry Adoption Roadmap Final Version v13.2 Prepared by the EPCglobal HLS Industry Adoption Task Force For General Release Published ___,
Logical IT Security By Prashant Mali.
COMPUTER NETWORKS. COMMUNICATION BETWEEN COMPUTERS For a computer to communicate with each other (which may be a completely different system) an interface.
Using and Maintaining Office Equipment Introduction Clerical equipment is a necessity for offices Communication Records Billing, payroll, etc. Shredders.
Scalability and efficiency: Introducing a new mechanism to the internet must not jeopardize its efficiency. Enhancing IP for mobility must not generate.
1 A Cloud Reference Framework … for discussion only … Please send comments and suggestions to Bhumip Khasnabish Friday,
PCTI Limited - A Unique Name For Quality Education CS-75 INTRANET ADMINISTRATION By: Vinay Aggarwal.
Inventory Control Taking the ComCash ® POS System to new levels of functionality for the Retail Merchant.
INTERNET MARKETING CHAPTER 6 Electronic Payment Systems Pranjoy Arup Das
The Client/Server Database Environment CS263 Lecture 12.
© 2016 SlidePlayer.com Inc. All rights reserved.