Post on 12-Sep-2021
Building Radio frequency IDentification for the Global Environment
Anti-counterfeiting Requirements Report
Authors: ETH Zurich, SAP Research
11 July 2007
This work has been partly funded by the European Commission contract No: IST-2005-033546
About the BRIDGE Project: BRIDGE (Building Radio frequency IDentification for the Global Environment) is a 13 million Euro RFID project running over 3 years and partly funded (€7,5 million) by the European Union. The objective of the BRIDGE project is to research, develop and implement tools to enable the deployment of EPCglobal applications in Europe. Thirty interdisciplinary partners from 12 countries (Europe and Asia) are working together on: Hardware development, Serial Look-up Service, Serial-Level Supply Chain Control, Security; Anti-counterfeiting, Drug Pedigree, Supply Chain Management, Manufacturing Process, Reusable Asset Management, Products in Service, Item Level Tagging for non-food items as well as Dissemination tools, Education material and Policy recommendations. For more information on the BRIDGE project: www.bridge-project.eu
This document: This deliverable presents the requirements analysis for the anti-counterfeiting system that is under development in this work package. The envisaged system will authenticate products and it can be used to prevent counterfeit products from entering the distribution channel of genuine products. We define authentication of products as the verification of a product’s claimed identity. Because WP5 of the BRIDGE project is a business work package without a specific intended end-user company for the investigated anti-counterfeiting solution, this deliverable focuses on analyzing how potential technical solutions fit the requirements of anti-counterfeiting rather than on describing a list of requirements of a specific system.
Disclaimer: This document results from work being done in the framework of the BRIDGE project. It does not represent an official deliverable formally approved by the European Commission.
Copyright 2007 by ETH Zurich, SAP Research, All rights reserved. The information in this document is proprietary to these BRIDGE consortium members.
This document contains preliminary information and is not subject to any license agreement or any other agreement as between with respect to the above referenced consortium members. This document contains only intended strategies, developments, and/or functionalities and is not intended to be binding on any of the above referenced consortium members (either jointly or severally) with respect to any particular course of business, product strategy, and/or development of the above referenced consortium members. To the maximum extent allowed under applicable law, the above referenced consortium members assume no responsibility for errors or omissions in this document. The above referenced consortium members do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, or non-infringement. No licence to any underlying IPR is granted or to be implied from any use or reliance on the information contained within or accessed through this document. The above referenced consortium members shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intentional or gross negligence. Because some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. The statutory liability for personal injury and defective products is not affected. 
The above referenced consortium members have no control over the information that you may access through the use of hot links contained in these materials and do not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Anti-Counterfeiting Requirements Report 3/85
Executive Summary
This deliverable presents the requirements analysis for the anti-counterfeiting system that is
under development in this work package. The envisaged system will authenticate products
and it can be used to prevent counterfeit products from entering the distribution channel of
genuine products. We define authentication of products as the verification of a product’s
claimed identity. Because WP5 of the BRIDGE project is a business work package without a
specific intended end-user company for the investigated anti-counterfeiting solution, this
deliverable focuses on analyzing how potential technical solutions fit the requirements of
anti-counterfeiting rather than on describing a list of requirements of a specific system.
Interviews with different industries revealed that the end-users of the product authentication
system, that is companies affected by product counterfeiting, need a fast and reliable online
check that could be used by all business partners and for different kinds of products.
Companies would also like the RFID-based product authentication system to be
closely linked to other services, for instance to support supply chain management activities.
Different industries have different requirements regarding the specific use of the RFID-based
product authentication system. These requirements mostly relate to how the RFID tags are
integrated into the products, what kind of RFID tags should be used, and how the tags are
read. The level of security in RFID-based product authentication systems is an important cost
factor because a higher level of security is achieved by cryptographic RFID tags that are
more expensive than the common RFID tags. Overall, companies desire a secure and
inexpensive system but find it hard to precisely specify the required level of security.
Interviews with customs revealed that having a standard solution that can be used to
authenticate different products is of primary importance for them. According to the interviews,
customs officers would most benefit from a system that could be used to authenticate
suspicious products with mobile devices.
Analysis of functional security requirements of product authentication in general shows that
there are three distinct approaches to authenticate products, depending on how the tag
cloning attack is mitigated. A tag cloning attack refers to copying a genuine product’s ID
number onto another tag that is attached to a counterfeit product. These approaches are: tag
authentication (i.e. use of cryptographic tags), location-based authentication (i.e. track and
trace based plausibility check), and authentication based on object-specific security features
(i.e. product’s physical fingerprint).
We have identified several solution concepts to authenticate RFID-tagged products in the
EPC network. Analysis of the current EPC network’s conformance to the identified
requirements revealed that the network’s support for the detection of cloned tags is far from
optimal and should be improved by an automated analysis of the track and trace data of the
product’s locations. A completely automated product authentication check (instead of one that
relies on users of the system analyzing the traces of products by themselves) is furthermore
required by the industries as well as customs. Therefore in the future steps of this work
package we will opt for the development of a track and trace based product authentication
system that automatically detects the cloned tags.
The goal of this work package is to study how the existing RFID and EPC technologies can
be applied to anti-counterfeiting. Hence, the development of completely new technical
solutions such as novel cryptographic tag authentication protocols is out of the scope of this work
package. The technical contribution of this work package will focus on application areas of
the existing techniques, such as how to use the RFID track and trace data to detect cloned
tags. The contents of all deliverables of this work package are illustrated below in Figure 1.
Deliverable and content:
D.5.1 Problem-Analysis Report on Counterfeiting and Illicit Trade
• Problem analysis of product counterfeiting
• Problem analysis of illicit trade
• Illicit trade in different industries
• Impact of illicit trade (qualitative)
D.5.2 Anti-counterfeiting Requirements Report
• Industry requirements of product authentication
• Security requirements of product authentication
• Product authentication in EPC network
D.5.3 Anti-counterfeiting Business Case Report
• Impact of illicit trade (qualitative)
• Impact of countermeasures
• Financial model of counterfeiters
D.5.4 Anti-counterfeiting Trial Preparation Report
• Selection of appropriate hardware
• Integration of tags
• System integration
D.5.5 Anti-counterfeiting Evaluation Report
• Evaluation of trials
• TBD
D.5.6.1 Anti-counterfeiting Application Guidelines
• Application guidelines
• TBD
D.5.6.2 Anti-counterfeiting Implementation Roadmap
• Implementation Roadmap
• TBD
Figure 1. Summary of all deliverables of BRIDGE WP5
Table of Contents
EXECUTIVE SUMMARY
1 INTRODUCTION
1.1 MOTIVATION AND GOALS OF THIS REPORT
1.2 METHODOLOGY
1.3 PRODUCT AUTHENTICATION
1.3.1 Object-specific features based authentication
1.3.2 Tag authentication
1.3.3 Location based authentication
1.3.4 “Weak authentication”
1.4 STRUCTURE OF THIS REPORT
2 INDUSTRY REQUIREMENTS FOR PRODUCT AUTHENTICATION
2.1 GENERAL REQUIREMENTS OF PRODUCT AUTHENTICATION
2.2 MOTIVATION FOR AN INDUSTRY-SPECIFIC APPROACH
2.3 INFORMATION TECHNOLOGY INDUSTRY
2.4 AUTOMOTIVE INDUSTRY
2.5 AEROSPACE INDUSTRY
2.6 CONSUMER GOODS AND RETAIL INDUSTRY
2.7 LIFE SCIENCE AND PHARMACEUTICAL INDUSTRY
2.8 SUMMARY OF THE INDUSTRY REQUIREMENTS
3 CUSTOMS REQUIREMENTS FOR PRODUCT AUTHENTICATION
3.1 CUSTOMS IN SWITZERLAND
3.2 CUSTOMS IN GERMANY
3.3 CUSTOMS REQUIREMENTS
4 SECURITY REQUIREMENTS FOR PRODUCT AUTHENTICATION
4.1 NON-FUNCTIONAL SECURITY REQUIREMENTS
4.2 CHAIN OF TRUST, THREATS, AND RISKS IN PRODUCT AUTHENTICATION
4.2.1 Chain of trust in product authentication
4.2.2 Threats in product authentication
4.2.3 Risks in product authentication
4.3 FUNCTIONAL SECURITY REQUIREMENTS
5 PRODUCT AUTHENTICATION IN THE EPC NETWORK
5.1 TECHNICAL ENVIRONMENT OF THE SOLUTION
5.2 DIFFERENT SOLUTION CONCEPTS IN THE EPC NETWORK
5.3 EPC NETWORK’S CONFORMANCE TO GENERAL REQUIREMENTS
5.4 EPC NETWORK’S CONFORMANCE TO INDUSTRY SPECIFIC REQUIREMENTS
5.5 EPC NETWORK’S CONFORMANCE TO SECURITY REQUIREMENTS
6 DISCUSSION
REFERENCES
APPENDIX A – SUMMARY OF INDUSTRY SPECIFIC REQUIREMENTS
APPENDIX B – ILLUSTRATIONS
APPENDIX C – INTERVIEW GUIDELINE
Table of Figures
FIGURE 1. SUMMARY OF ALL DELIVERABLES OF BRIDGE WP5
FIGURE 2. CATEGORIZATION OF REQUIREMENTS OF PRODUCT AUTHENTICATION
FIGURE 3. STRUCTURE OF THIS REPORT.
FIGURE 4. ILLUSTRATION OF INDUSTRY-SPECIFIC AND INDUSTRY-INDEPENDENT (GENERAL) REQUIREMENTS.
FIGURE 5. EUROPEAN CUSTOMS IMPORT PROCESS.
FIGURE 6. THE CHAIN OF TRUST OF (RECTANGLES) AND THREATS AGAINST (OVALS) RFID BASED PRODUCT AUTHENTICATION SYSTEM. THE ARROWS INDICATE THE DIFFERENT INFORMATION FLOWS THAT TAKE PLACE WITHIN PRODUCT AUTHENTICATION PROCESS.
FIGURE 7. USE/MISUSE-CASE DIAGRAM OF FUNCTIONAL SECURITY REQUIREMENTS OF RFID BASED PRODUCT AUTHENTICATION. THE WHITE OVALS ARE THE SECURITY GOALS OF THE SYSTEM AND THE BLACK OVALS PRESENT THE THREATS. THE OVERALL REQUIREMENT IS TO MITIGATE ALL APPLICABLE THREATS WITH SECURITY GOALS.
FIGURE 8. AN EXAMPLE OF A TYPICAL ONS QUERY [48]
FIGURE 9. ILLUSTRATION OF THE HARDWARE AND SOFTWARE ROLES OF THE EPCGLOBAL ARCHITECTURE FRAMEWORK [45]. EPCGLOBAL STANDARDS DEFINE THE INTERFACES BETWEEN THE ROLES.
FIGURE 10. SOLUTION CONCEPT 1: PRODUCT AUTHENTICATION BASED ON TAG AUTHENTICATION / OBJECT-SPECIFIC FEATURES.
FIGURE 11. SOLUTION CONCEPT 2: PRODUCT AUTHENTICATION BASED ON LOCAL TRACE ANALYSIS BY AN ACCESSING EPCGLOBAL SUBSCRIBER.
FIGURE 12. SOLUTION CONCEPT 3: PRODUCT AUTHENTICATION BASED ON GLOBAL TRACE ANALYSIS BY EPC-TAS.
FIGURE 13. ILLUSTRATION OF PRODUCT AUTHENTICATION IN THE EPC NETWORK: THE ACCESSING APPLICATION ON THE RIGHT-HAND SIDE AUTHENTICATES A PRODUCT WITH A EPC NUMBER ON IT. THE NUMBERED COMMUNICATION MECHANISMS REPRESENT THE THREE DIFFERENT SOLUTION CONCEPTS. (*PLANNED BUT NOT YET DEFINED SERVICE, **NEW SERVICE)
Table of Tables
TABLE 1. REQUIREMENTS FROM THE INFORMATION TECHNOLOGY INDUSTRY
TABLE 2. REQUIREMENTS FROM THE AUTOMOTIVE INDUSTRY
TABLE 3. REQUIREMENTS FROM THE AEROSPACE INDUSTRY
TABLE 4. REQUIREMENTS FROM THE CONSUMER GOODS AND RETAIL INDUSTRY
TABLE 5. REQUIREMENTS FROM THE LIFE SCIENCES AND PHARMACEUTICALS INDUSTRY
TABLE 6. RELATIONSHIPS BETWEEN USE CASES AND MISUSE CASES
TABLE 7. THE FUNCTIONAL SECURITY REQUIREMENTS OF DIFFERENT PRODUCT AUTHENTICATION APPROACHES
TABLE 8. SUMMARY OF DIFFERENT INDUSTRIES REQUIREMENTS FOR RFID-BASED PRODUCT AUTHENTICATION SYSTEM
1 Introduction
In the previous deliverable of this work package, D5.1 – Problem-Analysis Report on
Counterfeiting and Illicit Trade, we have shown that counterfeiting is a serious threat that has
reached industrial scales. With today’s widely available manufacturing technology, it is
relatively easy to produce high volumes of counterfeit products that have adequate visual
quality to fool unaware consumers and even distributors of the genuine products. It is
expensive, however, to establish supply chains and distribution channels for the counterfeit
products and trust with the trading partners. Since most products flow anonymously (without
unique identities) today, it
is possible for the counterfeit players to abuse the distribution channels of the licit products
and inject the counterfeit products among the genuine ones. In addition to fooling
unaware buyers into consuming counterfeit products that can pose security and safety risks due
to their possibly inferior quality, the counterfeit players can charge full price for these
unknowingly consumed counterfeit products, which further increases their illegal profits.
Today, the problem of counterfeit trade is mostly addressed by affected companies’ legal
countermeasures. Legal trials, however, might not scale to solve the problem: not all
counterfeit players can ever be found because they hide their work, counterfeit players are
not always prosecuted due to lacking law enforcement in their countries of origin, and the
fines due to illicit trade are often small compared to the financial benefits so the
counterfeiters can quickly recover and recommence the illicit activities. Because of these
shortcomings of legal countermeasures we want to solve the problem at source by giving
each product a name (identifier) and by verifying this name (authentication) while the
products flow in their licit distribution channels. First, this countermeasure protects the
consumers and end-users of genuine products from consuming counterfeits by increasing
the supply chain security. Second, this countermeasure can potentially destroy the
counterfeiters’ business case by increasing the counterfeiters’ risks and lowering their
expected results, which would discourage illicit players in general from engaging in product
counterfeiting.
There are many approaches and technologies to authenticate products available today, but
the problem of product counterfeiting remains and companies continuously demand new
technical countermeasures, for example in the value printing industry, which is responsible for
the security of passports and banknotes. One problem with the existing technologies is that the
security features are static: they might not provide an adequate level of protection and it is often
only a question of time until they are broken and copied to several counterfeit products.
Because illicit actors attempt to break or bypass the authentication mechanisms for illegal
financial benefits, security is a critical property of product authentication systems. Another
problem with the existing approaches is that even if a product authentication system provides
an adequate level of security, there are many more requirements that have to be fulfilled in
order to use the product authentication as an effective anti-counterfeiting tool. Most
importantly, these requirements include low cost and low effort to check a product and low
response times. Existing techniques that are considered highly secure today, such as
forensic analysis of a product’s natural or artificial features (e.g. microscopic taggants), or the
use of sophisticated security labels with special magnetic or optical properties, often fail
regarding these other requirements; the check can be performed only by using special
equipment (e.g. devices for chemical analysis, optical/magnetic reader devices), the check is
time-consuming and takes up to days of laboratory experiments, or the check can be
performed by a trained expert only. In particular, the price per check is often relatively high.
Therefore it is important to consider also what requirements the end-users of product
authentication systems have regarding the usability of the system. Auto-ID technologies and
Radio-Frequency IDentification (RFID) in particular have the potential of providing product
authentication solutions that can better address the needs of their end-users, such as
affected brand-owners and customs. This is because a carefully designed and implemented
RFID based product authentication system has the potential of being highly secure but also
easier and less expensive to be used for wide scale checks.
The main motivation to use RFID in product authentication is that RFID will be adopted
anyway in many applications due to its benefits in retail industry and logistics, so the
potential for secure product authentication will be available as well. A market study of GS1 and
LogicaCMG [31] illustrates that the expected adoption rate of RFID is fast and billions of tags
will be sold annually in Europe alone within the next few years. The same study also
concludes that the adoption is driven by item level tagging in retail and consumer goods
industry. In the long-term, the integration of RFID readers in mobile phones, in particular
through Near Field Communication (NFC) technology, presents a promising opportunity in
anti-counterfeiting. NFC denotes a technology that allows for integrating RFID functionality in
a mobile phone, making it both an RFID transponder and a reader device [1]. According to a
prediction of ABI research, in the year 2011 a total of 450 million mobile handsets (30% of all
mobile handsets) will be NFC-enabled [2]. Because the NFC handsets might become the
world’s largest RFID reader infrastructure in the future, solving the interoperability problems
between NFC and other RFID standards, EPC in particular, is of great interest for the
industry and actively addressed by both practitioners [3] and the scientific community [4]. If
these two technologies converge, consumers could also take part in verifying the
authenticity of tagged products.
The goal of this work package is to study how the existing RFID and EPC technologies can
be applied to anti-counterfeiting. Hence, the development of completely new technical
solutions such as novel cryptographic tag authentication protocols is out of the scope of this work
package. The new technical contribution of this work package will focus on application areas
of the existing techniques, such as how to use the RFID track and trace data to detect cloned
tags.
1.1 Motivation and goals of this report
This report investigates the suitability of RFID in anti-counterfeiting. Because WP5 of the
BRIDGE project is a business work package without a specific intended end-user company
for the investigated anti-counterfeiting solution, this deliverable focuses on analyzing how
potential technical solutions fit the requirements of anti-counterfeiting rather than on
describing a list of requirements of a specific system. The technological focus is on the
EPCglobal infrastructure that is being used and developed further within the overall BRIDGE
project. Because we can assume that RFID will anyway become widespread in the future,
the overall motivation of this report is to learn how to use it against product counterfeiting in
an optimal way. The goal of this report is to outline the steps to be taken to establish efficient
and effective anti-counterfeiting countermeasures through EPC technology. This includes:
• finding out the constraints and requirements of end-user companies that would use the
EPC based product authentication system (Section 2),
• finding out the constraints and requirements that customs have regarding the use of the
EPC-based product authentication system (Section 3),
• finding out the security requirements of reliable product authentication (Section 4), and
• finding out how these constraints and requirements can be met in the EPCglobal network
(Section 5).
1.2 Methodology
To find out the constraints and business requirements of end-user companies of an EPC-
based product authentication system, we have interviewed companies affected by
counterfeiting as well as product authentication solution providers. The interviews were
conducted in two parts: First, the general requirements for an optimal product authentication
system were gathered from eight interviews with anti-counterfeiting experts. These interviews
were semi-structured with an interview guideline, conducted during the problem-analysis
task, by telephone, and they lasted about one hour. Second, to assess the industry-specific
requirements, another round of interviews was conducted. In this round, a total of 11
companies were reached for semi-structured interviews that were conducted via telephone
and lasted on average 50 minutes. About half of the interviewees were RFID experts in their
corresponding companies, and the other half were experts on anti-counterfeiting and/or
supply chain management related issues. The questionnaire used in these interviews can be
found in the appendixes. For third parties’ requirements, three anti-counterfeiting experts
from customs were interviewed.
To find out the security requirements of product authentication systems, a different
methodology was chosen: We first derived a formal definition for product authentication and
reviewed the different RFID-based product authentication approaches. In order to derive the
functional security requirements, we adopted the misuse case methodology proposed by
Sindre and Opdahl [5]. The misuse case concept extends the use case paradigm that is common
in requirements engineering. The non-functional security requirements were derived from an
understanding of the underlying logic behind product authentication. Categorization of the
requirements is presented in Figure 2.
[Figure 2: tree diagram. "Requirements Analysis D5.2" branches into "Business requirements of product authentication" (general requirements, industry specific requirements, third parties requirements; Sections 2 and 3) and "Security requirements of product authentication" (non-functional security requirements, functional security requirements; Section 4).]
Figure 2. Categorization of requirements of product authentication
1.3 Product Authentication
Product authentication is the core service that technical anti-counterfeiting countermeasures
rely on. This subsection provides a short introduction to product authentication as a
background for the reader of this report. Authentication is one of the fundamental security
services together with confidentiality, integrity, availability, and non-repudiation of changes.
We define authentication as the process of proving one’s identity to someone else [6]. It
follows that we can formulate product authentication as identification of the product followed
by verification of the claimed identity. This definition can be formalized as follows:
Product authentication = Product identification + Verification of claimed identity,
Identification = Claim of identity
Based on the existing product authentication techniques, we can identify three general
approaches how products can be authenticated. These general approaches are:
• product authentication based on object-specific features,
• product authentication based on tag (e.g., hologram, watermark, cryptographic RFID tag
etc.) authentication, and
• product authentication based on product location.
RFID can be used as an enabling technology to implement all these approaches and we give
below a short review of proposed concepts. More comprehensive reviews of different product
authentication techniques can be found from EU-SToP project deliverables D3.1 (State-of-the-art
analysis on relevant research, existing technologies and products) and D4.1 (State-of-the-art
analysis of smart tagging technologies).
1.3.1 Object-specific features based authentication
Nochta et al. [7] proposed a way to use RFID to authenticate products based on so called
object-specific features. In their approach, information about physical or chemical features
that are unique to that particular product (e.g., very precise weight, unique patterns in surface
material, precise concentrations of different materials) is stored on the tag and linked to the
brand owner, for example via a digital signature. The identity of a product can then be verified
by measuring the object-specific features of the product under study and comparing them to
the unique features that the genuine product should have according to the brand owner. The
reasoning is that only the genuine product has that particular feature. The benefit of this
approach is that the tag only needs to store data, which keeps the tag price low, but the cost
and effort to check the products is high.
In general, product authentication based on object-specific features can be formalized as
follows. Here, A stands for ‘verifier’ and B for ‘prover’, f is the measured feature value of the
product under study (B) and f̂ the reference feature value of the genuine product.
1. B → A: “I am B”
2. A → B: “what is your feature value?”
3. B → A: f
4. A (verification): |f − f̂| < ε
1.3.2 Tag authentication
The second general approach to authenticate products is to insert a security label that is
hard to clone on genuine products, and to authenticate this security label. RFID tags can be
protected from cloning in different ways and many tag authentication protocols have been
proposed in the literature. WP4 of the BRIDGE project addresses the technical issues
regarding tag authentication (Task 4.3: Anti-cloning of RFID Tags). All tag authentication
protocols are based on (one or more) challenge-response pairs between the back-end
system and the tag. The conventional authentication protocols are based either on
symmetric-key encryption or asymmetric-key encryption. The conventional symmetric-key
authentication protocol between ‘verifier’ A and ‘prover’ B can be formalized as follows:
1. B → A: “I am B”
2. A → B: c
3. B → A: fA-B(c)
4. A (verification): gA-B(fA-B(c)) = c
Here fA-B(.) denotes encryption with the symmetric secret key shared by A and B, and gA-B(.)
denotes decryption with the same key. The verifier A creates a fresh (random) challenge c for
every execution instance of the protocol to make the use of old response messages useless
for attackers. The asymmetric-key authentication protocol differs in the way the verifier A
decrypts the response. When f-A(.) denotes encrypting with the secret key of A, and f+A(.)
decryption with the public key of A, the conventional asymmetric-key authentication protocol
can be formalized as:
1. B → A: “I am B”
2. A → B: c
3. B → A: f-A(c)
4. A (verification): f+A(f-A(c)) = c
The underlying reasoning in this product authentication approach is that a tag is authentic if it
knows a certain secret key. Since the computing resources of RFID tags are limited,
asymmetric encryption is currently infeasible in common RFID tags [8]. The proposed tag
authentication protocols are based on low-cost cryptographic primitives like bitwise
operations and pseudo-random numbers (e.g., [9]-[11]), on hash-functions (e.g., [12]-[14]),
on symmetric encryption (e.g., [15]-[17]), or on Physical Unclonable Functions (PUF). The
PUF is a one way function that allows calculation of unique responses using only some
hundreds of logical gates without using costly cryptographic primitives [18]. One possible
candidate for a PUF is proposed in [19] where the manufacturing variations of each
integrated circuit are used to implement a secret key on each tag. The back-end server
needs to store for each PUF (i.e., for each tag) a list of challenge-response pairs because,
without encryption, a PUF challenge-response pair that is once used cannot be used again
since it may have been intercepted by an adversary.
It is important to note that strong tag authentication is subject to research in WP4 (Task 4.3:
Anti-cloning of RFID Tags) of the BRIDGE project, and therefore no new technical solutions for
tag authentication will be proposed in this work package. A comprehensive review of existing
RFID tag authentication techniques can be found in SToP deliverable D3.1 - State-of-the-
art analysis on relevant research, existing technologies and products.
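The symmetric-key exchange and the single-use PUF challenge-response list described in this subsection, as an added Python example that is not part of the original report. HMAC-SHA256 stands in for the keyed function fA-B(.), so the verifier recomputes the response instead of decrypting it; the class names, the tag identifier and the simulated PUF are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def keyed_response(key, challenge):
    # Stand-in for fA-B(c): HMAC-SHA256 rather than encryption (assumption).
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Tag:
    """Prover B: knows the shared key and answers challenges (step 3)."""

    def __init__(self, tag_id, key):
        self.tag_id = tag_id
        self._key = key

    def respond(self, challenge):
        return keyed_response(self._key, challenge)


class Verifier:
    """Verifier A: issues a fresh challenge per run and checks the answer."""

    def __init__(self, keys):
        self._keys = dict(keys)   # tag_id -> shared key
        self._pending = {}        # tag_id -> outstanding challenge

    def challenge(self, tag_id):
        # Step 2: a fresh random c makes recorded responses useless.
        c = secrets.token_bytes(16)
        self._pending[tag_id] = c
        return c

    def verify(self, tag_id, response):
        # Step 4: the challenge is consumed, so it can be answered only once.
        c = self._pending.pop(tag_id, None)
        key = self._keys.get(tag_id)
        if c is None or key is None:
            return False
        return hmac.compare_digest(keyed_response(key, c), response)


class PufCrpStore:
    """Back-end list of enrolled challenge-response pairs for one PUF tag."""

    def __init__(self, pairs):
        self._unused = dict(pairs)

    def remaining(self):
        return len(self._unused)

    def next_challenge(self):
        # None means the enrolled list is exhausted and the tag needs re-enrolment.
        return next(iter(self._unused), None)

    def verify(self, challenge, response):
        # A pair is removed on first use because it may have been intercepted.
        expected = self._unused.pop(challenge, None)
        return expected is not None and hmac.compare_digest(expected, response)


def simulated_puf(chip_secret):
    # Simulation only: a real PUF derives its response from circuit variations.
    return lambda challenge: hashlib.sha256(chip_secret + challenge).digest()[:8]


def run_demo():
    tag_id = "EPC-EXAMPLE-0001"                      # constructed identifier
    key = secrets.token_bytes(16)
    genuine = Tag(tag_id, key)
    clone = Tag(tag_id, secrets.token_bytes(16))    # copied ID, wrong key
    verifier = Verifier({tag_id: key})
    results = {}

    c1 = verifier.challenge(tag_id)
    r1 = genuine.respond(c1)
    results["genuine"] = verifier.verify(tag_id, r1)
    verifier.challenge(tag_id)                       # new run, new challenge
    results["replay"] = verifier.verify(tag_id, r1)  # recorded response reused
    c3 = verifier.challenge(tag_id)
    results["clone"] = verifier.verify(tag_id, clone.respond(c3))
    results["unsolicited"] = verifier.verify(tag_id, r1)  # no pending challenge

    puf = simulated_puf(secrets.token_bytes(16))
    enrolled = [secrets.token_bytes(8) for _ in range(3)]
    store = PufCrpStore({ch: puf(ch) for ch in enrolled})
    ch = store.next_challenge()
    resp = puf(ch)
    results["puf_first"] = store.verify(ch, resp)
    results["puf_replay"] = store.verify(ch, resp)   # same pair a second time
    results["puf_remaining"] = store.remaining()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The PUF store shrinks with every check, which is the back-end cost the text attributes to unencrypted challenge-response pairs.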
1.3.3 Location based authentication
Location based authentication can also be used to effectively mitigate the tag cloning attack.
Instead of preventing tag cloning, this approach attempts to detect the cloned tags that are
injected into a protected distribution channel. Hence, the third general approach by which
products can be authenticated is based on their location. The underlying reasoning is that a
system that always knows where all the genuine products are can also answer whether a
product under study is genuine or not. The mechanism by which the location history is gathered is
normally referred to as track and trace. The benefit of the location based approach is that the
tags only need to carry an identifier while the complexity is in the back-end side.
The level of security of location based authentication depends on the accuracy of the location
data and it can be measured in terms of number of cloned products found by the product
authentication system versus false alarms, i.e., genuine products that are classified as
clones. If the product authentication system does not know where the product currently is
(e.g., product P is in warehouse x) but only where it has been (e.g., product P was observed
at location x at time t), detecting cloned tags becomes harder and inherently less certain.
However, similar problems have been solved in related literature.
Finding cloned products from the track and trace data can be seen as intrusion detection.
Intrusion detection means the process of identifying and responding to malicious activity
targeted at computing and networking resources [56]. Intrusion detection techniques are
traditionally classified as anomaly- or signature-based. Signature-based systems act similarly
to virus scanners and look for known, suspicious patterns in their input data. Anomaly-based
systems watch for deviations of actual from expected behavior and classify all "abnormal"
activities as malicious. Intrusion detection techniques have been applied to RFID data,
though so far not in supply chain applications. Mirowski [57] applied intrusion detection
techniques to detect cloned RFID access cards, but the method is prone to false alarms.
Credit card fraud detection also deals with problems similar to those of location based
authentication. There the problem is to detect fraudulent transactions, which corresponds to
detection of copied credit cards, by looking for specific transaction patterns in a large amount
of data. Data mining techniques such as pattern recognition and classification have been
successfully applied to detect fraudulent transactions (e.g., [58],[59]), and fraud-detection
systems are currently in use to protect credit card companies and their customers.
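A minimal rule-based check over track-and-trace events in the spirit of this subsection, added here as an example and not taken from the report or the BRIDGE prototype. The event format, site names, minimum transit times and verdict labels are constructed assumptions; the rule flags an identifier that is observed at two sites sooner than goods could travel between them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

NOT_ISSUED = "not issued"            # identifier never assigned by the brand owner
CLONE_SUSPECTED = "clone suspected"  # two reads that one physical item cannot explain
DONT_KNOW = "don't know"             # a hop the back end has no transit data for
CONSISTENT = "consistent"            # trace is plausible; this is not proof of genuineness


@dataclass(frozen=True)
class Event:
    epc: str
    location: str
    time: datetime


def check_traces(events, issued, min_transit):
    """Return {epc: verdict} for a batch of read events."""
    traces = {}
    # Readers report asynchronously, so order each trace by observation time.
    for ev in sorted(events, key=lambda e: e.time):
        traces.setdefault(ev.epc, []).append(ev)

    verdicts = {}
    for epc, trace in traces.items():
        if epc not in issued:
            verdicts[epc] = NOT_ISSUED
            continue
        verdict = CONSISTENT
        for prev, cur in zip(trace, trace[1:]):
            if prev.location == cur.location:
                continue
            needed = min_transit.get(frozenset((prev.location, cur.location)))
            if needed is None:
                # Unknown route: answer "don't know" rather than guess.
                verdict = DONT_KNOW
            elif cur.time - prev.time < needed:
                # The rule cannot tell which of the two reads is the clone.
                verdict = CLONE_SUSPECTED
                break
        verdicts[epc] = verdict
    return verdicts


def sample_verdicts():
    """Run the check on constructed sample data."""
    t0 = datetime(2007, 7, 11, 8, 0)

    def at(hours):
        return t0 + timedelta(hours=hours)

    min_transit = {
        frozenset(("factory", "warehouse")): timedelta(hours=12),
        frozenset(("warehouse", "retailer")): timedelta(hours=6),
    }
    issued = {"EPC-1", "EPC-2", "EPC-4"}
    events = [  # deliberately out of order
        Event("EPC-1", "retailer", at(50)),
        Event("EPC-1", "factory", at(0)),
        Event("EPC-1", "warehouse", at(20)),
        Event("EPC-2", "factory", at(0)),
        Event("EPC-2", "warehouse", at(20)),
        Event("EPC-2", "retailer", at(21)),  # 1 h after the warehouse read
        Event("EPC-3", "retailer", at(30)),  # identifier was never issued
        Event("EPC-4", "factory", at(0)),
        Event("EPC-4", "kiosk", at(40)),     # site without transit data
    ]
    return check_traces(events, issued, min_transit)


if __name__ == "__main__":
    for epc, verdict in sorted(sample_verdicts().items()):
        print(epc, verdict)
```

Tightening the minimum transit times finds more clones but also raises false alarms on genuine products, which is the trade-off the text uses to measure this approach.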
1.3.4 “Weak authentication”
It is important to note that serial level identification alone, without verification of the
identities, can also be a powerful anti-counterfeiting tool. Juels [20] illustrates this with an example
from the art world where a Victorian painter issued serial numbers to his paintings and
catalogued them. The author argues that (partly) because of this reason, far fewer spurious
paintings of this particular painter turn up on the market than from other painters. In
particular, there are many methods that cannot prove with a high level of certainty that a
product is original, but that can prove in many cases (but not in all) that a product is
counterfeit. These methods do not implement secure product authentication as it is defined in
this paper but they can, as the aforementioned example from the art world illustrates, be
powerful anti-counterfeiting tools. We refer to these methods as weak product authentication.
The most common such method is to verify if a product has a valid ID number from a so called
white list [21] and to count the number of times this check has been performed to detect
cloned tags.
1.4 Structure of this report
This report is organized as follows. Section 2 presents the constraints and business
requirements of end-user companies regarding EPC-based product authentication system.
Section 3 presents the corresponding constraints and requirements of customs. In Section 4
we derive the security requirements of reliable product authentication. Section 5 analyzes
how the constraints and requirements gathered in Sections 2-4 can be met in the EPCglobal
network, and we finish with discussion. This structure is illustrated in Figure 3 below.
Section | Content
Section 2 | Constraints and business requirements of end-user companies
Section 3 | Constraints and business requirements of customs
Section 4 | Security requirements of reliable product authentication
Section 5 | Find out how the constraints and requirements (Sections 2-4) can be met in the EPCglobal network
Section 6 | Discussion
Figure 3. Structure of this report.
2 Industry requirements for product authentication
In this section we present the industry requirements for product authentication. These
requirements are gathered from interviews with affected companies and product
authentication solution providers. We gathered technical requirements from these
industry interviews (see interview-guideline in the appendix) as we consider these to be the
relevant industry-requirements for the following steps that are planned in the course of this
work-package, regarding an RFID-based anti-counterfeiting solution.
In this chapter we first consider the general requirements for product authentication that are
common to all industries. The general requirements are found in subsection 2.1. In order
to find out more detailed requirements, we also consider the industry-specific requirements.
The motivation for the industry-specific approach and a summary of the industry-specific
research questions is found in subsection 2.2. The findings of industry-specific
requirements from four selected industries are presented in the four subsections 2.3-2.6.
2.1 General requirements of product authentication
As mentioned in the introduction of this report, the goal of the technical countermeasures
against product counterfeiting is to secure the licit supply chain by giving single products
unique identities and by verifying these identities (i.e. product authentication). In this
subsection we present the general industry requirements of an RFID-based product
authentication system. These requirements are derived from interviews with affected
companies and product authentication solution providers and they present the properties of
an optimal product authentication solution.
The same system is used in the whole supply chain
Employees in the whole supply chain, including manufacturing facilities, distribution channel,
sales and end points, need to have the possibility to use the same product authentication
system to verify the identity of products. The use of the same system in the whole supply
chain would enable economies of scale for example for hardware investments, as well as
secure the genuine products in the whole chain of custody. Guaranteeing the integrity of the
flow of genuine products also requires cooperation among all the custodians of genuine
products.
Customs can use the system to authenticate products
The system should facilitate customs work in authenticating the genuine products and
detecting counterfeit ones. In addition to customs, also other third parties like police and
public prosecution service could, in the optimal case, be trained to use the system.
End-users and consumers can use the system to authenticate products
In certain cases it could be valuable to give the end-users and consumers the possibility to
authenticate products. End-users have custody of a product while it is being used and, for
example, in the aerospace spare-part industry have the interest to authenticate products. It is
not clear in which cases brand-owners would like to give the private consumers the
opportunity to authenticate their products; in any case, giving this possibility for the
consumers would increase the number of found counterfeit products.
The system verifies the identity automatically
In order to be effective, end-users state that the system should give a straight answer
whether a product is authentic or not. This is not an issue when it comes to cryptographic tag
authentication, for example, but has implications on the functionality of a location based
authenticity check that should automatically verify the product’s identity instead of only
presenting the track and trace record of the product. Also, some level of doubt is always
inherent in the results of product authentication. For example, the track and trace data can
be subject to statistical analysis that yields a probability that the product is genuine (or
counterfeit). Some end-users believe that the answer "this product might be authentic" would
not be valuable, and in that case the system should answer "I don't know". These special
cases require exception control, which usually needs human oversight and is costly. On the
other hand, other companies could accept some amount of doubt in the authentication
process because they have even more doubt in the process today.
The system supports supply chain management
The information sharing system for anti-counterfeiting should also be used in other logistics
information exchange, such as product recalls. In such a way the system should yield
management data for supply chain management, for example for forecasts, automatic
replenishment, and inventory management. Even though this is not a functionality of a
product authentication application, such services are important for the overall return on
investment in RFID technology and often expected additional benefits of RFID based product
authentication system.
The system supports online authentication
The system must be online to enable dynamic, non-static security features. Counterfeiters
can always fake offline security features. The lifespan of static security features is low,
often measured only in months or some years. Sharing item-level information would enable
real time tracking for manufacturer and updating information about changing/manually
verified authentication features.
Real-time data
The system should provide short response times to enable timely countermeasures. This
means also that the time to check a product needs to be short, measured in seconds.
2.2 Motivation for an industry-specific approach
By opting for an industry-specific approach in the first deliverable of BRIDGE work package
5 and thus identifying how different industries are affected by counterfeiting, valid and
valuable results could be obtained: different industries are affected differently and the volume
of counterfeits varies too. We will therefore opt for the same approach within the scope of
this deliverable, D5.2. This section will focus on industry-specific requirements for an RFID-
based anti-counterfeiting solution. The corresponding data was gathered by the means of
structured interviews. The respective sub-chapters describe the requirements of the following
industries:
• Information Technology Industry,
• Automotive Industry,
• Aerospace Industry,
• Consumer Goods and Retail Industry, and
• Life Sciences and Pharmaceutical industry.
The corresponding subsections 2.3-2.7 are structured as follows. After a short description of
the current anti-counterfeiting status in the respective industry, general fields of usage of
RFID-technology in this industry are looked at. Questions about the different fields of
application and their prioritization, if possible, are answered. In case the respective industry
does not use RFID-technology yet, a time plan for RFID-adoption is given if possible.
Secondly, the tag-specific requirements are elicited: how much data will be put (if at all) on
the tag, where tags will be applied, and what the physical requirements for RFID-tags are.
In the next step, anti-counterfeiting specific requirements are treated: what are the products
to be tagged, what is the estimated volume of products, shall the applied tag be visible,
what is the tag lifetime, what anti-counterfeiting specific data, if at all, shall be stored on the
tag and will data be written on the tag later on, when coping with an anti-counterfeiting
solution. The anti-counterfeiting specific requirements close with the clone-proofness of the
tag and the possibility of using cryptographic tags.
In a third step, verification- and authentication-specific requirements are derived from the
industry interviews. Companies of diverse industries were asked whether the confidence rate
of the answer, whether a product is genuine or not, should equal 100% or only converge to it. Companies
were also asked to give feedback about the devices that shall be enabled to perform the
product authentication, the authentication speed and to answer the question, which of the
various stakeholders should be enabled to verify products. They then were asked if the
number of authentications should be limited to a certain number and if offline authentications
were desired.
The final block of the interview-guideline (see Appendix C) deals with general track-and-trace
requirements: who would companies share data with, and which data would be shared. A
summarizing table closes the industry-specific requirements description. These industry-
specific tables are then aggregated into one table in order to identify industry-independent
requirements, which are common to all considered industries. Before we start with these
industry-specific requirements, we will in short describe in the next subchapter industry-
independent requirements and adapt them in the respective industry-section accordingly.
During the interviews, companies were asked to give feedback concerning the following
questions and aspects: first, they were asked to give a short description on their current anti-
counterfeiting efforts. Secondly, they were asked about the different fields of usage for RFID-
application (in general). And finally, questions concerning the RFID-based anti-counterfeiting
solution were posed. These comprised questions regarding the output format of the
authentication check, the desired reading rate of RFID-tags, the question who should be
enabled/entitled to perform these authentications, and the type of devices that shall perform
the authentication (mobile, fixed and/or handheld). Companies were additionally asked whether
offline authentications should be possible, how high the desired reading rates are and at
which speed reading (writing) will be performed.
Concerning the requirements of RFID-tags, company representatives were asked to answer
the following questions: should tags be reliable against cloning (if the backend could check
for cloned tags), should cryptographic tags be used, should active or passive tags be used,
should tags with or without memory be used, will HF or UHF tags be deployed and whether
tags should be tamper-resistant or not, meaning that they break upon removal.
The figure below illustrates how industry-independent (general) requirements and industry-
specific requirements overlap.
Figure 4. Illustration of industry-specific and industry-independent (general) requirements.
[Figure 4 labels: industry-specific requirements of the Automotive, Aerospace, CG & Retail, Pharmaceuticals and Information Technology industries, overlapping in the industry-independent requirements.]
The envisaged RFID-based anti-counterfeiting prototype that is subject to research in this
work package is intended to be industry-independent rather than industry-specific, and
thus adaptable to specific industry needs.
This work package is challenged by the fact that companies introduce RFID-technology for a
set of reasons, ideally for an all-in-one solution. Envisaged applications range from:
appropriate parts detection in the cars, smart manufacturing, smart reparation centers,
increased supply chain visibility, [see table and interviews], detection of product diversion,
and anti-counterfeiting. The priority and importance for the introduction of an RFID-based
anti-counterfeiting solution is different in the considered companies and industries. The
priority ranges from a pure side-effect to one of the highest motivations for the introduction of
RFID-technology.
The answers that we received on our questions regarding an RFID-based anti-counterfeiting
authentication device follow:
What shall be the output format of the authenticity check?
Considering the confidence of the answer of an RFID-based anti-counterfeiting system, no
100% answer is required, but surely desirable. It is however mandatory for those industries,
where the impact of counterfeit goods is life-threatening (food, beverages, security relevant
parts, drugs, etc.).
Reading rate
The term reading rate describes the success rate of read RFID-tags. The term “very high”
signifies a reading rate of about 95-100% whereas “high” stands for a reading rate of 90-95%.
Who can authenticate?
Customs, wholesalers, retailers, distributors, and packaging centers shall be enabled to
authenticate products. When it comes to end-consumers, answers are diverging. Some
companies do not want to guarantee the authenticity of products that aren’t bought from the
official and/or from the brand owner controlled channels.2 Others consider product security
and thus customer security essential (see above).
Which devices shall perform the authentication check?
All kinds of devices whether mobile (like mobile phones), handhelds, portables, and fixed
devices shall be enabled to perform the product authentication checks. Authentication should
be possible on the item- and on the bulk-level and shall not take more than several seconds.
Shall an offline authentication be possible?
The possibility of offline authentications (authentications using cryptographic tags, see
chapter 1.3) was highly appreciated by the interviewed companies. Checks can be
performed everywhere and at every time, without being necessarily connected to the
Internet. Customers that do not have a connection can test with corresponding devices.
However, the use of cryptographic tags is considered to be mandatory for offline
authentication. As we have seen above, however, we will not consider offline authentications
in BRIDGE work package 5.
2 They do not want to secure parallel traded products.
High reading rates without the alignment of the tags to the reader
In case reading rates of 100% cannot be obtained, there are still different possibilities to
attain higher success rates while reading RFID-tags. Experts suggested comparing the
actual deliveries with the advance shipment notice (ASN) via the EDI-systems (electronic
data interchange) or to use a set of readers rather than one single reader. Other possibilities
are the use of a reading tunnel or to induce more energy while reading the tags. Hence, the
confidence and reliability of the read-outs can be increased by using different supporting
techniques as mentioned above.
High reading and writing speeds
Since the deployment of RFID-technology is still in its beginning phase and none of the
interviewed companies is using RFID-tags for an anti-counterfeiting application yet,
statements concerning the required reading and writing speed can only be derived from the
actual production speeds. The specifications concerning these speeds within this deliverable
are thus qualitative and cannot, for the time being, be given in a more quantitative way.
Requirements for the RFID-tags:
Reliability against cloned tags
According to the interviewed companies and depending on the products (life-threatening or
security relevant products) and on the industry, the fact that tags might be cloned can be
tolerated, if the backend system can detect these clones.
Use of cryptographic tags
As described in section 1.3.2, cryptographic tags enable the offline authentication of
products. As mentioned above, we will not consider this kind of product authentication.
However, different industries such as the aerospace industry desire their information on the
tag to be cryptographically secured so that competitors or worse counterfeiters cannot read
the contents of the tag.
Use of passive tags
There was a broad consensus between all interviewed companies from different industries to
use passive tags for their RFID-adoption. Considering their lower price and the large number
of RFID-tags to be deployed in the future, the trade-off for using passive tags instead of active tags is
largely decided in favor of the passive tags. Concerning the prices, “low price” stands for 2-5
Euro cents per tag, whereas “very low” signifies a price from fractions of one Euro cent up to
1-2 Euro cents.
Details follow in the industry-specific subsections.
Usage of tags with / without memory
Concerning the memory capacity of the tags, there is a consensus between interviewed
companies upon a trade-off between the additional costs of the memory compared to its
benefits. Summarizing the industry requirements yields the statement: more memory capacity
might enable more applications. The question, whether the benefits of these applications are
worth the extra costs, remains.
Usage of HF-/UHF-tags – reading distance and bulk vs. item-level reading
In the long run, item-level and bulk readings are necessary in almost all industries. In some
industries, however, RFID-tags will have to be read from small and big distances (see
industry-specific subsections for further details).
Tamper-resistant tags
RFID-tags should be tamper-resistant and should break when they are removed from the
genuine products in order to prevent the use of genuine tags in counterfeit products.
2.3 Information Technology industry
Mass serialization and product tracking is rudimentarily done in the Information Technology
(IT) industry by using customized bar codes. Warranty and parallel trading issues were the
main drivers for the introduction. Hardware manufacturers learn about product diversion as
soon as a product breaks and shows up for warranty or repair reasons in a country for which
the sale of the product was not intended. Counterfeit products might be detected that way as
well. Software manufacturers such as Microsoft learn about counterfeit or diverted products
as soon as these products are activated via the Internet. To find out more about the ways
products are taking, the location where the product has been sold and the location where the
product has been activated (using the IP-address) are used and the ways in between are
“interpolated”. According to Microsoft’s experience, distributors who sell parallel traded
software products are found to sell counterfeited products as well.
RFID-technology in the IT industry is used for several reasons: logistics (especially in the
United States, where retailers like Wal-Mart require RFID-tagged products), partly in
manufacturing and for the asset management. Asset management in this context means the
inventory of hardware, especially server hardware in server rooms and corresponding racks.
Each server is equipped with an HF RFID-tag that is read in the server rack. Server
hardware can thus easily be tracked. It is envisaged to use RFID-technology more in
production and in the fields of product traceability.
The information and its amount that will be written on the tag are currently subject to
research. In the case of asset management, several hundred Kbits of data will be stored on
each tag. Writing data, while the product is moving in the supply chain, is equally desirable.
Besides storing the tracking data in the backend, storing it on the tag would be desirable.
According to the product and its production speed, products would have to be tagged with a
speed of up to 3600 pieces per hour. Concerning tag reading, similar requirements are
elicited. Additionally, bulk-reading possibilities at high reading speeds of even overlapping
tags are considered as mandatory, since product prices, on average, are quite high.
Considering the asset management, tags have to be read from a distance of 2 centimeters.
In the case of logistics, the average reading distance would be 2 meters, with or without a
direct line of sight.
Table 1. Requirements from the Information Technology Industry
Business Requirements and Aspects | Information Technology Industry
Data
Data on tag | Amount and type of data is currently subject to research.
Read-only | No.
Read-out and Write
Reading speed (high, low) | High, at least 3600 pieces per hour in software manufacturing.
Online | Yes.
Offline | Desirable, but not necessary.
Reading rate | Very high.
Writing speed (high, low) | High, at least 3600 pieces per hour in software manufacturing.
Distance: Small (few cms), Big (till several m) | Both. Bulk readings should also be possible.
Tags
Active, passive tags | Passive tags, but ideally active tags.
Price | Very cheap, considering the number of products to be tagged.
Life-time of tag | Life-time of the channel (less than three months from manufacturer to client); for server hardware the tag-lifetime shall equal the product lifetime (3-5 years).
Tag-Visibility (hidden, overt) | Hidden, the smaller the used space, the better; hence, more space can be used for marketing purposes; Microsoft: the look of the product shall be the same everywhere, no matter where it was produced.
Tag-Application (material, surface, etc.) | Inside the DVD inlay for software; hidden, no special requirements concerning the surface.
Clone-proof tags | Desirable but not necessary.
Usage of cryptographic tags | Not necessarily, only in case of an offline authentication solution.
Miscellaneous issues
Environmental circumstances (temperature, overlapping tags, metal, covert tags, liquids) | None.
Products to be tagged | Once a solution is in place, all products will be tagged; in the beginning only frequently counterfeit products will be tagged.
Constraints regarding tag integration | None.
Requirements regarding tamper resistance | Yes, broken if removed (destructive).
Devices to be enabled to read (mobile, portable, fixed devices) | Mobile, portable and fixed.
Reuse of tags | No, only in closed-loop environments.
Production Line Application (needed? Speed) | Yes, at least 3600 pieces per hour in software manufacturing.
Estimated percentage of tagged products | E.g., Microsoft: around 300 million pieces.
Degree of human interaction | Bulk reading should be possible.
Level of confidence (100% or lower) | Might also be lower; 99%.
Own standard | No, they will stick to the standard used in the retail industry.
Motivation, further application | Traceability, more visibility and transparency, detection of parallel trading and product diversion.
For software, tag integration into the CD or DVD would be desired. But since current
technology does not allow distance or bulk reading of CD/DVD-tags, these will not be
used. Tags will be included in the DVD-case, inside the inlay. The reason for the hidden
application is primarily the space saved on the cover itself, since this space can
be used for marketing purposes. If the customer comes into contact with the tags, these
should be applied in an overt manner. This is different when it comes to an anti-counterfeiting
application. For the hardware sector, the surface requirements are very diverse, ranging from
flat metal surfaces to outer boxes, plastic surfaces and small silicon surfaces. Tag
application requirements are therefore very diverse in this industry.
There are no special physical requirements for RFID-tags (e.g., having to withstand very high or
very low temperatures). Tags are partially reused in closed-loop applications. Since
the volume of tagged products is very high, the tag price is very important. However, both active
and passive tags will be used.
More than 200 million software products and hardware parts will be tagged yearly. Expensive
products will be prioritized when item-level tagging is introduced. As soon as a corresponding
infrastructure is in place, all products will be tagged. Particularly in an anti-counterfeiting
application, RFID-tags are required to be destructive, meaning that they are supposed to
break upon removal. In the software sector, unbundling of software components is an
important issue. Microsoft sees its office products sold separately.
In the IT industry, the tag lifetime has to equal the product lifetime. In the case of server
hardware, this can correspond to a minimum RFID-tag lifetime of 3 to 5 years. For
retail hardware like mice and keyboards, the tag lifetime has to be at least as long as the
product’s presence in the channel, which on average corresponds to three months.
The amount and type of data and information that will be written on the tag is currently
subject to research. Accordingly, the use of cryptography depends on the data that
will be stored on the tag.
According to industry interviews, a system that does not provide a 100% answer as to whether a
product is authentic or not is still much better than the current status in the information
technology industry, especially in the software sector.
The number of performed authentication checks shall not be limited to a certain number, but the
checks shall be flagged to the manufacturer. The authentication shall take place in the production
line, in the warehouse, at the point of sale (but not by the customer, since he assumes that
the products are genuine), at customs, and at the after-sales service. The output format shall
be binary, clearly stating whether a product is authentic or not. It shall also provide information
about the product’s destined market and its actual market.
Asked whether offline authentication is desired, the interviewed experts
answered that, since RFID-tags are considered to be unique, offline authentication should be
taken into consideration.
Track and trace data is already being shared with supply chain partners and customers. Data
sharing is not a critical issue for IT companies, since trading partners already know about
the transactions involved. Companies consider it a trade-off between data sharing and its
benefit. Customers and supply chain partners shall have the possibility to track the products.
2.4 Automotive industry
The current anti-counterfeiting efforts in the automotive industry comprise
countermeasures such as holograms, cast-in charge or batch numbers, alphanumeric codes
(the 15-digit code for instance) or inkjet prints where applicable, to mention some.
Combinations of these countermeasures are possible too. A very high quality of the
packaging (where available) might also make it more difficult for counterfeiters to copy the
product. Other manufacturers deliberately build errors into the packaging that are only
known to the company, or do not have any anti-counterfeiting feature at all.
The automotive industry is characterized by a large network of suppliers surrounding the car
manufacturers (OEMs). OEMs have very small margins and are hence very price-sensitive.
This is why an RFID-based anti-counterfeiting solution, especially in the
automotive industry, should be part of an overall solution covering, for instance, logistics,
manufacturing, anti-counterfeiting and after-sales service. The automotive industry is using
RFID-technology in closed-loop environments like manufacturing, where it is not necessarily
bound to any standard. In that case, OEMs are free to define their own standard or to stick to
an industry-specific standard. Additionally, RFID-technology is planned to be used in open-loop
environments like logistics, appropriate parts identification and anti-counterfeiting.
However, one OEM reportedly stopped its pilot for RFID in logistics because prices were too high.
The industry’s views concerning the data on the tag range from ‘no data’ (limiting the tag’s
memory solely to the EPC-number) to ‘all necessary information for anti-counterfeiting’ (like
production date and time, customer data etc.) and to the answer ‘data will be put on the tag
according to the tag price’. The price-sensitivity of the automotive industry is quite evident
here. On the question of whether data shall be written on the tag during the part’s movement
through the supply chain, the answers were diverse too. Information concerning the product, the
manufacturer, production line information (charge number, date) and, later, information from
each wholesaler and from each point of transfer might be written on the tag. The writing speed
that is necessary to keep up with production can be derived from the flow of goods
in the production line. Taking the production line speeds of the interviewed companies, the
writing speed has to be at least 20 items per minute.
The highest reading rates are crucial in the automotive industry. Most of the companies require a
large reading distance of several meters (around 3 meters), since products will primarily be
read on the bulk level. Parts (pallets) are often transported in metal containers and are even
made of metal, where RFID-reading characteristics are not optimal.
Table 2. Requirements from the Automotive Industry
Business Requirements and Aspects: Automotive Industry
Data
Data on tag: Yes, but depends on the price of the tag.
Read-only: Yes.
Read-out and Write
Reading speed (high, low): High.
Online: Yes.
Offline: Yes, if cryptographic tags are used.
Reading rate: High.
Writing speed (high, low): Still subject to research.
Distance
Small (a few cm), big (up to several m): Depends on privacy issues (see text).
Tags
Active, passive tags: Passive tags.
Price: Very low (fractions of one Euro cent up to 1-2 Euro cents).
Life-time of tag: At least 15-20 years, due to legal guidelines (15 years after end-of-production).
Tag-Visibility (hidden, overt): Visible, customs require visible tags.
Tag-Application (material, surface, etc.): Yes: Place, surface, material, packaging, since some parts do not have any package, heat, differences in temperature, lifetime of the tag.
Clone-proof tags: Desirable.
Usage of cryptographic tags: Yes.
Miscellaneous issues
Environmental circumstances (temperature, overlapping tags, metal, covert tags, liquids): Temperature (between -30°C and +120°C and more); depends on part to be tagged.
Products to be tagged: Service parts, wear parts, security relevant parts, parts that are very frequent and thus interesting to counterfeiters; corresponds to 20-25% of all parts.
Constraints regarding tag integration: Want to integrate the tag into the part itself; still, has to endure shocks and temperatures inside the car, difficult to accomplish.
Requirements regarding tamper resistance: Destroyed if removed.
Reuse of tags: Yes, if it saves money.
Devices to be enabled to read (mobile, portable, fixed devices): All mentioned, especially mobile devices for customs.
Production Line Application (needed? Speed): Yes, rather for suppliers.
Estimated percentage of tagged products: 25% of all products, later all (between 200 000 and 2 000 000).
Degree of human interaction: None or very low, because of high prices.
Level of confidence (100% or lower): Might be lower, if there is a matching between the EDI / ASN and the actual delivery.
Own standard: Automotive Standards Organizations are binding.
Motivation, further application: After Sales Service, manufacturing, potentially logistics.
However, reading with a high reading rate, without having to align the tags to the reader, is
an essential requirement. Companies from the automotive industry, however, voiced
concerns about the reading distances. They fear privacy issues
(according to national legislation) in case products can be read over large distances.
Companies that want to use RFID-technology for appropriate parts detection (relevant to
anti-counterfeiting) require the tag to be readable even if it is built into the car. The
required reading rate corresponds, despite metallic elements, to 100%. In that case, the
required reading distance corresponds to several centimeters.
Requirements concerning the tag application are manifold: the main question is whether the tag
will be applied on the part itself or on the packaging. On the item-level, tags have to be
applicable on alloy metals, plastics, on round forms and even materials. The possibility of
integrating the RFID-tags into the part would be highly appreciated by the automotive
industry, since the tags shall be used even when the parts are in use inside the car. Questions
arise concerning recycling, warranty issues (was the part an original purchase, was it already in
use before the accident, or was it later replaced by an original but used part) and
the tag’s lifetime, for instance if it is used near or even inside a spark plug.
In almost all cases, item-level tags will have to be applied at production-line speed. Hence,
the integration into existing processes shall not disrupt running systems and the running
production; the tag will be most easily applied as a label, using the existing labeling
techniques. No human interaction shall be required. Long sellers will be tagged first. The
tagging priority does not necessarily lie with high-priced or very valuable products, but with
products that are very frequently used and where the demand is thus very high. Therefore
spare parts, wearing parts and security relevant parts (in case of accidents, for liability) will
have the first priority once item-level tagging is introduced. Once a solution is in place
and tag prices decrease, all products will be tagged.
The number of parts to be tagged varies strongly depending on whether tags will be applied on an
item-level basis or not. Regarding item-level tagging, numbers range from 200 000 parts per year
up to 650 000 parts per day depending on product and company.
RFID-tags have to withstand temperatures from very low (-40°C) up to very high
(about 120°C) and, in the case of tags close to the oil filter, up to
200°C. Tags do not have to be read at these temperatures, but they have to endure them. Tags
used inside the car shall not break when built into the car. Due to legal regulations, all
automotive spare parts have to be available even 15 years after the end-of-production of a
car model; when the tag is also used inside the car, its lifetime therefore
has to be at least 15-20 years. For economic reasons, tags might be reused. Tags in
closed-loop environments are already being reused.
Passive tags will be mainly used. Very cheap tags are preferred. Desired prices for passive
tags range from 3-5 Euro cents. Active tags might become interesting as soon as prices fall
below 10 Euro cents per piece.
Since not all parts can be tagged from the beginning, often faked and especially security
relevant parts will be tagged first. As mentioned above, it is not the part’s price that defines
the tagging priority, but the part’s attractiveness for the counterfeiters. This corresponds on
average to 25% of all products. More research regarding the attractiveness of a product has
to be conducted. In the long run, all products will be tagged; otherwise, tagging for
anti-counterfeiting reasons does not have an effect. Especially for an anti-counterfeiting
application, tags should break if removed; otherwise valid tags might be applied on counterfeit
products.
Regarding the visibility of the RFID-tag on the product, the automotive industry distinguishes
between labeling for customs and labeling for clients. In a transition phase, the visibility of
the RFID-tag as a security feature might be crucial. For customers, however, the visibility of
the tag is not necessary or even undesirable. An alternative for customers could be a set of
security features, including the RFID-tag. Customers might become aware of the secured
product by detecting another security feature such as a hologram.
The requirements concerning the tag lifetime for an anti-counterfeiting application are very
similar to the general lifetime requirements. When used inside the running car, tags have to
withstand on average another 6 years.
Since the reasons for introducing RFID-technology into the automotive industry are manifold
(see above) and since RFID-based anti-counterfeiting is one of these reasons, all data that
would be necessary for this anti-counterfeiting solution would already be on the tag (when
tags with memory capacity are used).
Most of the interviewed companies would be comfortable with a solution that improves the
current situation of their anti-counterfeiting efforts (if existing). A 100% answer as to whether
the product is authentic or not is therefore not mandatory, at least in the beginning.
There shall not be any limit to the number of authentication-checks, but the checking-event
time and place and the identity of the supply chain partner (or end-customer) that is checking
shall be logged for detecting product diversions. The authentication itself shall take place in
warehouses, at the point of sales, at customs and in the after sales service.
Companies would only share the data that is absolutely necessary for a track-and-trace
application. While some companies do not know which data would be shared, others would
share data only with their close supply chain partners.
2.5 Aerospace industry
Compared to the automotive industry, the aerospace industry is characterized by a small
number of producers and suppliers, 70% of which are common to the biggest aircraft
manufacturers, Boeing and Airbus SAS. This is also the reason for their common approach to
RFID integration. Interviews conducted for the first deliverable D5.1 revealed that industry
pain is biggest in the field of counterfeit spare parts entering aircraft. Spare parts carry an
attached lifecycle paper report, which includes detailed information on the parts. Experience
shows that these paper reports are counterfeited.
In the aerospace industry, the introduction of RFID-technology is scheduled for logistic
purposes, aircraft repair and warehouse management systems, product diversion,
anti-counterfeiting and tracking and tracing of spare parts for liability and warranty issues. In
the field of aircraft repair, smart bins equipped with RFID-tags, for example, can be tracked
through the facilities, thereby allowing for better accuracy of inventory data, which bears
a large cost reduction potential.
Delta Airlines, as an example, tracks about half a million spare parts with a total value of one
billion US$. Improving the accuracy of inventory data using RFID-technology thus bears
potential for a vast increase in the efficiency of the respective part inventory management
[22].
The administration of used and refurbished spare parts (thus anti-counterfeiting) and
warehouse management, however, are the most important applications for RFID-technology
in the aerospace industry. By storing lifecycle information on the tag (see above) and
having the possibility of offline read-outs, the aerospace industry is seeking to minimize the
amount of information that end users have to input manually, thus reducing errors during
data entry. Securing aircraft from improper parts entering them is crucial within this industry.
The tag’s memory capacity is crucial for the aerospace industry, since whole product lifecycle
reports and a repair history shall be included in the RFID tag’s memory. Serial numbers and
detailed parts information shall be stored as well. This is why the proposed RFID tags will
have a capacity of up to 64,000 bits, compared to the standard EPC Class-1 Gen-2 tags,
which are used by Wal-Mart for instance and which have a capacity of around 256
bits. Due to the enormous amount of information that will be saved on the tag (and this
information might never be deleted), current RFID tags might soon run out of memory
capacity. Until tags with a higher capacity can be used, these tags have to be replaced
every 2-3 years on average, because the part itself has a lifetime of 15 years on average.
Today’s tag writing and reading speed is still too low for this application. However, a concrete
specification regarding the speed could not be given. The reading rate has to be 100% and
the tags shall ideally be read while passing by the aircraft (2-3 meters). Very short distance
reading (like several centimeters), without having to align the reader to the tag (unlike the
bar code, which necessitates a direct line of sight), would be desirable. Spare parts will be read
on the item-level. Pallet- or bulk-reading would be exceptional.
The tag application has to comply with the DO160 Aerospace Norm [23] where label- and
tag-resistance are defined. Tags have to resist very high and very low temperatures (-60°C
to +60°C), humidity, acids, oil and different pressures. Electromagnetic shielding might be a
special challenge in the aerospace industry. Once tags are applied, they have to stick
irremovably on the parts. They have to be flexible, even and very small (a diameter of 5mm
would be optimal).
Due to the environment in which RFID tags will be applied, they will have to be functional
(readable, writeable) inside aircraft without interfering with other aircraft signals and
frequencies, and thus be compliant with the Federal Aviation Administration and the
industry-internal Spec 2000 standard.
Table 3. Requirements from the Aerospace Industry
Business Requirements and Aspects: Aerospace Industry
Data
Data on tag: Yes, in the beginning 64kBits, the more the better.
Read-only: No, also writing, but no deletion.
Read-out and Write
Reading speed (high, low): Very fast, since much information is read; currently available speed is too low; the envisioned future scenario is to walk by an aircraft and, while passing by, scan all RFID-tags.
Online: Yes, desirable.
Offline: Yes, as backup, in case there is no connection.
Reading rate: 100%.
Writing speed (high, low): Highest possible writing speeds are desired.
Distance
Small (a few cm), big (up to several m): Both; optimum would be passing by the airplane walking and reading all tags.
Tags
Passive tags: Yes.
Active tags: Yes, as long as these tags comply with industry norms (Spec 2000 norm).
Price: Considering the parts prices, the tag price is more or less irrelevant.
Life-time of tag: Product life-time is around 15 years. Problem: today’s memory capacity would only be sufficient for about 2 years. Tags have to be taken off and replaced by new ones.
Tag-Visibility (hidden, overt): None, at least readable.
Tag-Application (material, surface, etc.): Very diverse (see below).
Clone-proof tags: Desired, but not mandatory if backend TID solution is considered.
Usage of cryptographic tags: Yes: a) information should not be legible to customers; b) to assure the identification of the tag.
Miscellaneous issues
Environmental circumstances (temperature, overlapping tags, metal, covert tags, liquids): Spec 2000 Document, chapter 9 and the DO 160 Document: temperature variation, humidity (high, low), acids, oil compatibility, pressures, shocks, waterproofness, sand and dust, fungus resistance, salt spray, corrosion, icing, fire, flammability, smoke, toxicity, hail, constant acceleration.
Products to be tagged: All line replaceable units (LRUs) will be tagged. There are about 5000 LRUs on average on a civil aircraft.
Constraints regarding tag integration: Weight, size and the possibility to attach so that the tag does not fall off.
Requirements regarding tamper resistance: Should break upon detachment (destructive).
Devices to be enabled to read (mobile, portable, fixed devices): All of the mentioned.
Reuse of tags: No.
Production Line Application: Yes; additionally different types of tags and reading/writing frequencies have to be taken into consideration, since different countries allow different frequencies.
Estimated percentage of tagged products: All LRUs, almost 100%.
Degree of human interaction: Yes, should not be possible to detach it.
Level of confidence (100% or lower): 100%.
Own standard: Spec 2000 aerospace industry standard is more binding for aircraft manufacturers than EPCglobal/GS1 standard.
Motivation, further application: Logistics, Equipment Configuration Management, Warehouse application.
According to industry estimations, all line replaceable units (LRUs) in the aircraft will be
tagged. This corresponds to about 5000 parts per aircraft, and since every 75kg corresponds
to one passenger, new requirements concerning the tag’s weight arise. Tags thus may
not weigh more than 2-5 grams.
Aerospace spare parts have a lifetime of 15 years on average. The obstacle for having the
same tag lifetime is currently the memory capacity. According to industry-estimations, tags
will have to be replaced every 2-3 years, since the tag’s memory capacity would be
exhausted. As soon as tags have a sufficient memory, their lifetime shall correspond to the
part’s lifetime.
During the part’s use, all repair information and usage information such as flight miles shall be
stored on the tag. Chapter 9 of the industry-internal Spec 2000 standard [24] specifies the
information that will be stored on tags.
Weak clone-proofness can be obtained by storing the part number (serial number) and the
RFID tag’s hardware number (Transponder ID number - TID) in a database. According to the
aerospace industry, a centralized database with all spare parts used worldwide would
support the clone-proofness of the tag. Cryptographically secured information is desirable too,
for the following reasons: i) to disguise tag information from competitors and ii) to
maintain the authentication of the tags.
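The following added example (not part of the original report and not code from the BRIDGE project) sketches in Python the backend check described above: a part's serial number is bound to its tag's TID in a central database, every check is logged with time, place and checker, and the answer is a binary verdict together with the destined and actual market, as the IT and automotive interviews also require. All class, function and field names and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Registration:
    serial: str           # part/serial number assigned at manufacture
    tid: str              # tag hardware number (Transponder ID)
    destined_market: str  # market the part was shipped to


@dataclass(frozen=True)
class CheckEvent:
    when: datetime
    place: str
    market: str
    checker: str
    serial: str
    tid: str
    authentic: bool


@dataclass(frozen=True)
class Verdict:
    authentic: bool                 # binary answer
    reason: str
    destined_market: Optional[str]  # None when the serial is unknown
    actual_market: str
    diverted: bool                  # genuine part seen outside its destined market


class AuthenticationBackend:
    """Hypothetical central database binding each serial number to one TID.

    Assumption: the TID cannot be rewritten on the tag, which is what the
    weak clone-proofness of this check rests on.
    """

    def __init__(self) -> None:
        self._by_serial: Dict[str, Registration] = {}
        self._tids: Dict[str, str] = {}
        self.log: List[CheckEvent] = []

    def register(self, serial: str, tid: str, destined_market: str) -> None:
        # Enrolment at manufacture: one serial per TID, one TID per serial.
        if serial in self._by_serial:
            raise ValueError(f"serial {serial!r} is already registered")
        if tid in self._tids:
            raise ValueError(f"TID {tid!r} is already bound to {self._tids[tid]!r}")
        self._by_serial[serial] = Registration(serial, tid, destined_market)
        self._tids[tid] = serial

    def check(self, serial: str, tid: str, place: str, market: str,
              checker: str, when: Optional[datetime] = None) -> Verdict:
        reg = self._by_serial.get(serial)
        if reg is None:
            authentic, reason = False, "unknown serial"
        elif reg.tid != tid:
            # The serial was read from a tag other than the one it was issued on.
            authentic, reason = False, "serial/TID mismatch"
        else:
            authentic, reason = True, "serial and TID match"
        destined = reg.destined_market if reg else None
        diverted = authentic and market != destined
        # The number of checks is not limited, but every check is logged.
        self.log.append(CheckEvent(when or datetime.now(timezone.utc), place,
                                   market, checker, serial, tid, authentic))
        return Verdict(authentic, reason, destined, market, diverted)

    def flagged_for_manufacturer(self) -> List[CheckEvent]:
        """Failed checks plus genuine parts checked outside their destined market."""
        flagged = []
        for event in self.log:
            reg = self._by_serial.get(event.serial)
            off_market = reg is not None and event.market != reg.destined_market
            if not event.authentic or off_market:
                flagged.append(event)
        return flagged


def run_constructed_checks() -> Tuple[AuthenticationBackend, List[Verdict]]:
    """Four checks on constructed sample data (no real parts, tags or TIDs)."""
    backend = AuthenticationBackend()
    backend.register("PART-0001", "TID-AAAA-0001", destined_market="DE")
    verdicts = [
        backend.check("PART-0001", "TID-AAAA-0001", "warehouse Hamburg", "DE", "distributor-1"),
        backend.check("PART-0001", "TID-AAAA-0001", "customs Lyon", "FR", "customs-FR"),
        backend.check("PART-0001", "TID-BBBB-0999", "workshop Berlin", "DE", "after-sales-7"),
        backend.check("PART-9999", "TID-CCCC-0002", "point of sale Berlin", "DE", "retailer-3"),
    ]
    return backend, verdicts


if __name__ == "__main__":
    for verdict in run_constructed_checks()[1]:
        print(verdict)
```

The second check is the diversion case: the part is genuine, but it is seen in a market other than the one it was destined for, so the event is flagged without the verdict turning negative.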
Offline authentication is highly desirable, since an Internet connection is not
available everywhere, especially on the movement fields.
The aerospace industry would share products’ lifecycle data with other partners. Since the
open-loop adoption of RFID-technology is in its beginnings, no more concrete information
could be gathered. In the next years, Boeing and Airbus will ask their suppliers to deliver
spare parts equipped with RFID-tags. However, the suppliers’ benefit is not evident yet.
For more information about the RFID-deployment in the aerospace industry, please refer to
the Auto-ID Labs Cambridge Aero-ID initiative at www.aero-id.org.
2.6 Consumer Goods and Retail industry
The current countermeasures against counterfeiting in the consumer goods and retail
industry comprise the use of holograms, serial numbers or the use of high-quality and
hard-to-copy packaging. Many products do not have an anti-counterfeiting feature at
all.
The consumer goods and retail industry trades in fast moving consumer goods (FMCG)
and is the leading industry concerning RFID-integration and adoption. RFID-technology will
be predominantly used for logistics in order to tag pallets and to accordingly read them on
the bulk level. In the long run, when tagging is performed on the item-level, more
applications like anti-theft, in-store management processes, or automated checkouts will
follow. These applications only make sense under the prerequisite that all products in a retail
store are tagged, although a generalized statement cannot be given at this point in time.
Item-level tagging is not envisaged to be introduced before the next ten to fifteen years. This
is due to the necessary system changes (and “paradigm changes”) and the low speed of
adapting to these changes.
On the item-level, there will solely be the EPC number on the tag, but on pallet-level, pallet
details will be stored, containing information on the products that are on the pallet like weight,
the EPC-SSCC code (Serial Shipping Container Code), dispatch numbers, reference
numbers, etc. Accordingly, no data will be written on the tag during the product’s movement
through the supply chain. In the long term, applications with information to be written can be
imagined. Until now, nothing is planned. The data writing speed is therefore still subject to
research.
Assuming that a 100% reading rate cannot be guaranteed, multiple readers, logical
connections and cross-checks with backend systems would help to guarantee the highest
reading rate possible, according to industry. The reading distance for tags on pallet level has
to be around 2-3.5 meters and, later, for item-level tagging several centimeters. Reading has
to be possible under all circumstances, such as up to 300 packages per second, T-shirts lying in
plastic bags, and very high and very low temperatures (-30°C to +50°C, from Russia to the
Middle East); it is also important to bulk read cartons with a high reading rate.
Requirements differ depending on whether pallets or individual items are tagged. Pallet
tagging requirements are not as challenging as tag application on item-level. Pallets with
liquids, however, are still hard to tag. When it comes to the tagging of a small number of
individual bottles or cans, or tetra packs, the outer box will be tagged (solutions are being
researched here to apply the tag on the outer package, e.g. in the case of a six-pack of cans). The
Consumer Goods and Retail industry assumes that there will be a transition phase in which
the bar code and the RFID-code will coexist. Countries that are technically not very
advanced and that do not even use the bar code yet will most probably adopt the RFID-tag
with a long delay. Not all products will be directly tagged. Estimations suggest that the
priority lies with products that are more expensive than 30 Euros (interview with a major
European Retail Chain). Temperature sensitive tags would be very useful for cold chains as
well. Integrating the tags into crinkled cardboard would support their application and therefore
their use. Otherwise, the tag will be part of the label.
As mentioned above, tags will have to withstand very high and very low temperatures.
Passive tags will be used, since they are cheaper. On the pallet-level, tags should not be more
expensive than 5-10 Euro cents (e.g. Wal-Mart). Broad item-level tagging would be
performed as soon as the tag price is below 1-2 Euro cents. Active tags will not be used.
Especially for the anti-counterfeiting solution, tags shall break once removed.
Some figures are available for the volumes of products (from a major multinational consumer
goods company): 400 000 pallets (for one single company), and accordingly several hundred
million individual items per year for the whole industry are envisaged. In that case up to 200
cosmetic items per minute would have to be tagged (at production line speed) and products
are exported to 27 different countries.
Table 4. Requirements from the Consumer Goods and Retail Industry
Business Requirements and Aspects: Consumer Goods and Retail Industry
Data
Data on tag: No.
Read-only: Yes.
Read-out and Write
Reading speed (high, low): High.
Online: Rather yes.
Offline: Rather yes.
Reading rate: High.
Writing speed (high, low): -
Distance
Small (a few cm), big (up to several m): Both, item- and bulk-reading.
Tags
Active, passive tags: Passive.
Price: Very low (fractions of one Euro cent up to 1-2 Euro cents).
Life-time of tag: 220 days on average.
Tag-Visibility (hidden, overt): Overt (see text).
Tag-Application (material, surface, etc.): None.
Clone-proof tags: Not necessarily if there is a database support.
Usage of cryptographic tags: No.
Miscellaneous issues
Environmental circumstances (temperature, overlapping tags, metal, covert tags, liquids): None.
Products to be tagged: Counterfeit products, expensive products, often faked products.
Constraints regarding tag integration: None.
Requirements regarding tamper resistance: -
Devices to be enabled to read (mobile, portable, fixed devices): All of the mentioned.
Reuse of tags: No.
Production Line Application (needed? Speed): Not very industry specific.
Estimated percentage of tagged products: Pallet and carton tagging, later maybe item-level tagging (see text).
Degree of human interaction: High for pallet and carton tagging.
Level of confidence (100% or lower): High.
Own standard: No.
Motivation, further application: Logistics.
As soon as tags will be used in the retail industry, there will most probably be an etiquette
accompanying the product and informing the consumer of the existence of such a tag
(EPCglobal code of conduct). The Consumer Goods and Retail industry, however, has to
rethink this code of conduct when it comes to an RFID-based anti-counterfeiting application.
Additionally, the Metro Retail Group will introduce an RFID-disabler for privacy issues. Once
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Anti-Counterfeiting Requirements Report 33/85
a product has been sold, the customer can disable the RFID-tag so that it cannot be read
outside the shop anymore.
Tag lifetime varies from 220 days on average for a product in the retail supply chain up to 2
years for complete trading units. In the case of reusable tags, as in logistics, the lifetime might
add up to more than three years. In that case, RFID-tags will have to withstand scratches
and other physical impacts. However, tags that withstand cold chains or that have a very
long lifetime are much more expensive than standard tags. Therefore, each application will
have its own specialized tags. However, no additional data will be stored or
written on the tag for an anti-counterfeiting solution.
Since the supply chain of the Consumer Goods and Retail industry is very complex, the
number of possible authentication checks cannot be limited to a fixed number, as might be
possible in other industries. Product flows vary even for the same products, especially if
producers send their products to different retailers Europe-wide.
No offline authentication is necessary, since all data is traditionally held in the backend
systems.
The Consumer Goods and Retail industry would share data with their supply chain partners
for the sake of a track-and-trace system. They traditionally already share these data on their
own information systems. Data would be created at each point of transfer, where the shipper
would forward the information that he has received or delivered the goods. Other information
would be the pallet identification number and the DESADV (dispatch advice), which states
that goods will arrive at a destination.
2.7 Life Science and Pharmaceutical Industry
According to BRIDGE deliverable D5.1 (Problem Analysis Report on Counterfeiting and Illicit
Trade), the pharmaceutical industry has in recent years been increasingly affected by
counterfeits, to different extents depending on brands, markets and countries. Countermeasures
embrace the use of different visible and invisible security features (such as holograms,
visible and invisible ink or batch numbers). Moreover, chemical analyses and third party
authentication solutions (see footnote 3) are used to detect counterfeits and drugs that are
suspected counterfeits (for more information about countermeasures in the pharmaceutical
industry, please refer to EU-SToP deliverable D3.1, chapter 4.2).
The possibility to detect counterfeit drugs is crucial for brand protection and patient safety
reasons. Its relevance is also reflected in the importance that is assigned to
anti-counterfeiting approaches at the companies' board level.
Regarding the introduction of RFID-technology into the pharmaceutical industry, there are
several major drivers: the industry is anticipating early changes from the U.S. Food and Drug
Administration (FDA), under which track-and-trace and the ePedigree might soon become
mandatory in the pharmaceutical industry (Prescription Drug Marketing Act of 1987 and 2004,
[54]). The state of California (USA), for instance, requires that the electronic pedigree for
drugs be adopted by 2009 in order to protect the chain of custody for drug products from
counterfeiting.
Footnote 3: E.g., www.sunchemicals.com/security.
On a European level, mass-serialization is most advanced in Italy. Drugs have to be labelled
with so-called “bollions”, unique serial numbers given out by the government. They were
introduced for anti-fraud and accounting reasons. However, they do not provide any
information about the drug manufacturer nor about the client. In a second phase these
bollions will be replaced by RFID-based labels which only contain the unique serial number.
Besides the detection of counterfeits, bringing more transparency into the sophisticated
supply chain (logistics, warehouse issues) and detecting the repackaging of products is
crucial for the pharmaceutical industry. Repackaging is legal in the European Union and in
the United States. However, some examples from literature suggest that repackaging is one
source of faked drugs [55]. Detecting product diversion would be an important aspect as well,
since distribution channels of counterfeit and diverted products might be overlapping,
according to industry-sources.
A major problem for pharmaceutical companies is data ownership and visibility along
the complex supply chain. As soon as the products leave for the first customer, the
manufacturer no longer has any control over or visibility of his products. Third party
companies have specialized in providing this information back to the manufacturer. An
ePedigree application, as an anti-counterfeiting application, might additionally help to make
the supply chain more secure.
According to industry interviews, RFID-technology is already being tested in the
pharmaceutical industry. Pilots are due within the next two years at Pfizer and Novartis,
to name some of them. RFID-technology is moreover used for logistics purposes. The
pharmaceutical industry is however aware that a more general (standard) RFID-based
anti-counterfeiting solution is more appropriate. Customized solutions would be too expensive
and might not cover all governmental requirements and compliance obligations, or might not
be easily adaptable to changes. Additionally, the solution shall be as wide as possible, so
that every state and customer is covered.
Tags will be applied on an item-level basis and on all drug packages. However, drugs might
also be tagged on the blister-level, since the content of drug packages can be counterfeit (or
reused), still using the genuine packaging. Experiences with counterfeit products in genuine
packaging and genuine products in counterfeit packaging have already been made (see also
BRIDGE deliverable D5.1).
Depending on the application method, place, space and material (metals and liquids),
RFID-tags can therefore either be pasted as a label on the drug package or placed into the
blister (in case of tablets). As mentioned above and for security reasons, they should be
attached as close to the products as possible. Application on the carton is not considered
to be very secure, since the tags can easily be removed. Tags have to be small and readable
from variable distances (several centimetres to several meters), and on item- and bulk-level.
Passive tags, since they are cheaper, will be deployed. They have to be tamper resistant and
break upon removal, and must not cost more than 2 USD cents.
Table 5. Requirements from the Life Sciences and Pharmaceuticals Industry
Business Requirements and Aspects / Life Sciences and Pharmaceuticals Industry
Data
Data on tag: Yes, 96 bit serial number. Exception: reading data from temperature sensors for 50 days, one reading every minute.
Read-only: No.
Read-out and Write
Reading speed (high, low): Very high, no concrete numbers available yet.
Online: Yes.
Offline: No.
Reading rate: 100%.
Writing speed (high, low): Very high, no concrete numbers available yet.
Distance
Small (few cms) / Big (till several m): Variable reading distance necessary.
Tags
Active, passive tags: Passive tags.
Price: Maximum price of 2 USD cents.
Life-time of tag: Tag lifetime = product lifetime; between 1-3 years.
Tag-Visibility (hidden, overt): Hidden, due to security and privacy reasons.
Tag-Application (material, surface, etc.): There are many different and unique factors regarding tag application. No generalization possible.
Clone-proof tags: Yes, necessary.
Usage of cryptographic tags: No.
Miscellaneous issues
Environmental circumstances (temperature, overlapping tags, metal, covert tags, liquids): There are different requirements regarding the tag application; tags have to resist cold and rough handling.
Products to be tagged: Products that are most prone to being counterfeit and stolen.
Constraints regarding tag integration: There are many different and unique factors regarding tag application. No generalization possible. Most important aspects, however, are liquids, metals and space issues.
Requirements regarding tamper resistance: Yes, because counterfeit deterrent.
Devices to be enabled to read (mobile, portable, fixed devices): All of the mentioned.
Reuse of tags: No.
Production Line Application (needed? Speed): Yes.
Estimated percentage of tagged products: In the beginning not 100%, especially those which are prone to be faked and stolen, potentially several millions.
Degree of human interaction: None.
Level of confidence (100% or lower): 100%, maybe also lower.
Own standard: No.
Motivation, further application: Logistics, product diversion issues.
RFID-tags and barcodes (1-D and 2-D) will coexist. Several levels of authentication can be
distinguished: ID Level 1, the tagging of the individual package, that is, on the item level;
ID Level 2, the tagging of the display carton; ID Level 3, the tagging of the
shipping case; and ID Level 4, the tagging on the pallet level.
The tag lifetime has to exceed the product’s expiration date. Lifetimes between one
and three years, also considering rough handling and low temperatures, are necessary.
Concerning the data on tag, it is foreseen to store 96 bits on the tags (serial number). There
are, however, exceptions, as in the case of drugs that have to be cooled during the whole
supply chain. Temperature sensors could be attached to the RFID-tags. They would be read
every minute while the temperature sensitive products are in the supply chain. The obtained
temperature information would be written to the tag’s memory. Although no more than this
data will be written on the tag, the writing and the reading speed have to be very high, since
the system shall not slow down the production (the exact speed depends heavily on the product
and on the manufacturing company).
Examples from literature support the need for clone-proof tags; the usage of cryptographic
tags, however, is not necessary. A 100% certain answer as to whether the product is genuine
or not is not absolutely mandatory, at least in the first phase of introduction. However,
indicating the level of confidence would be desirable.
All devices, whether mobile, handheld or fixed, shall be enabled to perform the product
authentication. No requirements concerning the authentication speed could be obtained.
There is a need for an international warning system, once a counterfeit drug has been
detected. However, the system should be tolerant concerning “deliberately made mistakes”,
meaning intentional changes of packaging in different lots.
Authentication shall be possible on the single-item, multi-item and case-level. Wholesalers,
retailers and customers shall be enabled to authenticate. It seems, however, that RFID tags
will be disabled before the drugs reach consumers' hands. This is largely due to privacy
concerns. Stores could use the information on RFID-tags to know what bottle of pills a
customer has in his shopping bag. The highest priority of authentication checks lies therefore
in the production line and at the point of sale. Considering the complexity of the supply
chain, the number of authentication checks for one single item shall not be limited to a
certain number.
Offline authentications are not necessary, considering the complexity and the costs of these
systems. Furthermore, there is a need for an open systems standard supporting the
authentication of products from all manufacturers, as already mentioned above.
According to industry interviews, companies will share the information that is necessary for
authentication. This is especially due to the complexity of the multi-stage pharmaceuticals
supply chain. The tag number and all relevant business and transactional data would be
shared downstream to the customer.
Products will be tagged on the individual- and on the bulk-level and there won’t be any
priorities regarding the tag application. Passive tags will be used and will have to be read
from a distance of less than one meter.
Further requirements that are less RFID-based will additionally be assessed in EU-SToP
work packages 1 and 4.
2.8 Summary of the Industry Requirements
We learned from the conducted industry interviews that many industry-requirements for an
RFID-based anti-counterfeiting solution are overlapping. We could summarize these overlaps
in this section. However, there are requirements which are very specific to some industry,
such as the vast memory usage in the aerospace industry, or the demand of reusing tags in
the automotive industry, or the use of hidden tags in the information technology industry that
cannot be generalized. These requirements are summarized in Appendix A.
The following section deals with customs requirements for an RFID-based anti-counterfeiting
solution. Customs organization can be seen as a key player in the fight against counterfeits,
since 80% of all counterfeit products in the European Union are imports from outside [25].
3 Customs requirements for product authentication
In this section we collect the customs requirements for RFID-based product authentication
systems. Customs can be seen as a governmental end-user of the system. We first present
how counterfeit products are seized in the European import process and then focus on the
Swiss customs as an example of a modern customs organization. Based on an understanding
of the role of product authentication in the import process and of organizational constraints,
we derive the customs requirements for RFID-based product authentication.
Customs are responsible for about 70% of all seizures of counterfeit products in the world
[26]. The role of customs is especially important in protecting the European Union and the
U.S. markets because the vast majority of counterfeit products in those markets are imports
[27] and, after entering the market, subject to free circulation within the community. However,
in anti-counterfeiting the role of customs is more supportive than proactive, which means that
customs mostly provide help to trademark owners to protect their IPRs when this is
requested.
Due to limited resources and the size of the workload, it is impossible to search every
consignment entering the country; in practice, only about 1-4 percent of imported goods are
physically inspected. Customs conduct risk analysis based on information in the freight
papers to identify high-risk consignments beforehand. Though the risk analysis can be
partially automated, interviews with customs officers reveal that the experience of the officers
plays a very important role in recognizing suspicious consignments.
Under European Council Regulation 3295/94, the Customs Authorities have the right to seize
suspected infringing products at the border provided that certain conditions are fulfilled:
• An application has been made by the rights holder
• An infringement is suspected
• Customs procedures have been followed.
The rights holder is the person holding a trademark, a patent, a copyright or design right.
Affected companies can thus fend off repeated attacks by counterfeiters through lodging
Applications for Action with customs. To submit such a request for assistance by customs,
the right holder must fulfill two conditions: the request must provide customs administration
with a sufficiently accurate description to make identification of genuine products possible
and proof must be provided that confirms that the applicant is indeed the holder of the right in
question. With such an application in place, customs will inspect goods which match the
criteria specified in the request. Customs rarely intervene without an application in place.
On receiving the application including the necessary information, customs will work with the
rights holder to assess the application and, if accepted, will advise customs officers to look
out for the infringing products. The suspect products will then be detained pending a
substantive decision about seizure. This decision should be made within 10 working days
(max. 20) after the detention of the goods [28]. How counterfeit products are detected in the
European customs import process is illustrated in Figure 5.
[Figure 5: flowchart. Elements: Freight Papers, Risk Analysis, High-Risk?, Inspection, Suspicion?, Application in place?, Obtain new application?, Infringement?, Seizure, Legal Case, Free Circulation; decision branches are labelled yes/no.]
Figure 5. European customs import process.
Currently customs don’t use specific product authentication techniques to verify the existence
of security features that brand-owners apply to the genuine products. There are tens or
hundreds of different product authentication techniques today and most of them require
special equipment for verification. Customs cannot invest in multiple product authentication
techniques because it means overlapping investments in hardware and training of personnel
– currently one product authentication technique is used only in a small number of different
products. Therefore customs only concentrate on detecting suspicious cases and leave the
final responsibility of product authentication to the brand-owners.
There are two straightforward ways in which customs could increase the seizure rate of
counterfeit products. First, by increasing the inspection rate, which would require allocation of
more resources, namely manpower, to physical inspections. Second, by increasing the
quality of brand-owners’ descriptions of genuine products; the better this description is, the
faster the genuineness of the product can be verified. However, sometimes the visual quality of
counterfeit goods is so high that even experts of the brand-owner are fooled. Therefore,
automated and secure product authentication would also support customs in detecting
counterfeit goods.
3.1 Customs in Switzerland
The Swiss customs organization does not have a hardware-based, mobile or handheld
system that supports customs officers in their work to detect counterfeit goods.
Brand owners that seek the support of customs have to file an application with the customs
organization according to the “Markenschutzgesetz” (articles §70/71) and
“Urheberrechtsgesetz”, so that imported goods of these brands are checked for counterfeits. The
application, the so-called “Antrag auf Hilfeleistung”, costs CHF 600 and has to be renewed
every two years. In addition to this fee, the brand owner has to submit a security deposit of
between CHF 10.000 and 100.000. Furthermore, the customs organization has to be provided with
detailed product descriptions so that officers can distinguish genuine from counterfeit products.
These product descriptions are then stored on the intranet of the customs organization and
are available to all customs officers. There are currently 45 of these applications available in the
customs’ intranet (mostly luxury products and drugs). The better the provided information
is, the more efficiently counterfeit products can be detected. If there are any doubts
concerning the genuineness of the products to be imported, the customs organization can
stop the importation of the product for ten days in order to give the brand owner the
possibility to check the products. The brand owner that has filed his application for customs
support can then release the products from customs. After the ten day waiting period, the
products will be released anyway. The security deposit provided by the brand
owner is supposed to cover any damage caused by delayed shipping (due to these
ten days). If customs seize products that appear to be counterfeit, in very evident cases
customs will inform the brand owner even if he did not apply for the “Hilfeleistung”.
Customs, however, cannot control all product flows into the country. Checks are performed
on a spot check basis. Currently, only around 5% of all products which come into a country
can be checked. The majority of products are only checked on paper or are not checked
at all. Moreover, customs’ competencies are rather limited. They cannot call on legal help from
the police once counterfeits are detected. Their action is limited to seizing the goods and
holding them back for a ten-day period.
3.2 Customs in Germany
As described above, German customs procedure is aligned with the general European
customs procedure. Currently, around 700 companies have applied for customs’ support to
detect counterfeit products from their brands.
3.3 Customs requirements
Customs’ main requirement for an RFID-based anti-counterfeiting system is the usage of a
European or even world-wide, cross-industry standard. In other words,
customs need one solution or one device that can be used for multiple products. Such a
system doesn’t exist today. New questions arise when such a solution with a
handheld device is introduced: which stakeholder would be responsible for the maintenance
of such a device (exchanging batteries, repairing the devices, etc.), which stakeholder is
responsible for the training, which party would finance such a solution, etc.
Customs require that the system is able to authenticate one product at a time. Being able to
read multiple products at once (bulk reading) would not increase customs efficiency in
detecting counterfeit products since the system would not be used to verify all products, but
only the selected suspicious ones. The underlying problem is that counterfeit products are
not tagged in most cases and they are thus invisible for the RFID reader.
Customs would need mobile or handheld RFID reader devices since the inspections are
conducted manually and not only at borders, but also on highways, in companies’
warehouses, on trucks, etc., where an Internet connection is not always available.
Like the other end-users, customs also prefer online authentication systems as they promise
higher reliability. However, a 100% confidence level in the result of the check is not
mandatory since customs can still hold back the goods and call the brand-owner for
additional checks. On the other hand, an added value would be a high reliability of the
authentication with legal consequences. Unequivocal statements would be required.
However, false reports would be extremely costly.
Once a product has been identified as a counterfeit, customs will only reveal the identity of
the responsible distributor. This happens only if the brand owner sues him. Brand-owners,
however, have the final responsibility for showing that seized goods are counterfeits,
for example in the legal case. According to the conducted interviews, customs do not have
any special requirements concerning the visibility of the RFID tags, nor the speed (response
time) of the system.
Detecting counterfeit products resembles looking for “the needle in the haystack”.
Customs could be supported by intelligence about ships or cargo aircraft which are carrying
counterfeit products on board. Using this information and looking for suspicious goods would
be efficient and would not stop or hinder the flow of goods. Compared to finding the suspicious
goods, identifying the counterfeits would then be a relatively minor step.
4 Security requirements for product authentication
In this section we derive the security requirements of RFID-based product authentication
systems. In order to enable the design of a sound and forward compatible product
authentication system, we opt for a systematic and general analysis of security requirements
for product authentication. The result of this analysis is a comprehensive understanding of the
security requirements of all possible RFID-based product authentication approaches, not
only those of the chosen solution concept. It is important to emphasize that the security
requirements of a product authentication system depend on the chosen approach. In this
section, we present the complete set of approaches and their security requirements without
making assumptions about the selected solution concept.
Finding and defining security requirements of a system takes place in the system design
phase. In general, security requirements exist because people and the negative agents that
they create (such as computer viruses) pose real threats to systems. Security requirements
define the security goals of the system that answer the question, “What do you expect
security to do for you?” [29]. Moreover, security differs from all other specification areas in
that someone is deliberately threatening to break the system [30]. Security requirements are
particularly important for product authentication which can be considered a security
application because, strictly speaking, its only function is to provide security against certain
threats (i.e., cloning of products). Correspondingly, in the absence of these threats, secure
product authentication would not be needed because identification alone would always
reveal the real identity of products.
We present the non-functional security requirements of RFID-based product authentication
systems in subsection 4.1. They are derived from an understanding of the underlying logic of
the general product authentication process. Derivation of the functional security requirements
of product authentication systems is less straightforward and requires a brief review of related
work: Alexander [30] and Sindre and Opdahl [5] have examined the concept of misuse cases
that can be used to derive the functional security requirements of an application. Use cases
have become increasingly common in requirements engineering of new applications, but
they offer only limited support for eliciting security threats and requirements because they
model the intended use only. A use case is a description of how end-users will use a system
and it describes a task or a series of tasks that users will accomplish using the system.
Extending the use case paradigm with misuse cases of illicit actors to model and analyze
scenarios in systems under design can improve security by helping to mitigate the threats.
Misuse cases can be thought to be identical to use cases, except that they are meant to
detail common attempted abuses of the system. The following table illustrates the
relationships between use cases and misuse cases.
Table 6. Relationships between use cases and misuse cases (see footnote 4)
                      Source case: Use    Source case: Misuse
Target case: Use      includes            threatens
Target case: Misuse   mitigates           includes
The misuse/use case methodology is well suited to cases where the actions of illicit actors are
predictable, such as in product authentication. Sindre and Opdahl [5] propose the following
five-step process for eliciting functional security requirements with misuse cases:
I) Identify critical assets in the system (information, virtual location, and
computerized activity),
II) Define security goals for each asset,
III) Identify threats to each security goal by identifying stakeholders that may
intentionally harm the system,
IV) Identify and analyze risks for the threats using risk analysis, and
V) Define security requirements for the threats to match risks and protection costs.
The resulting security requirements are presented in a use and misuse case diagram that
shows how actions of illicit actors threaten the system and which security goals are needed
to mitigate these threats. We employ this described process to derive the functional security
requirements in subsection 4.2 and present the resulting requirements in subsection 4.3. The
use and misuse case diagram is particularly useful in our case because it clearly shows how
different product authentication approaches can be used to achieve the same final effect.
4.1 Non-functional security requirements
The non-functional security requirements are derived by understanding the underlying logic
behind the product authentication process and they complement the functional security
requirements. Non-functional system requirements relate to the performance and reliability of
the system and they can’t be modeled by use cases [32]. The first three requirements
concern product authentication in general, while the fourth one is specific to location based
authentication.
Complete coverage of security features: The underlying logic behind any product
authentication approach is that if a product cannot prove its identity when it should, it is not
genuine. This implies that it is not enough if only a part of the genuine products have a
security feature based on which they can be authenticated. Consider a situation where a
pharmaceutical manufacturer wants to improve the security of an expensive drug product
and therefore inserts a cryptographic RFID tag on every second product. While as a result
half of the genuine products can prove their identities in a rather secure way, it doesn’t help
in finding any additional counterfeit products since the lack of the security feature doesn’t imply
counterfeit origins.
Footnote 4 (to Table 6): The table is read so that “a use case mitigates a misuse case” and “a misuse case threatens a use case”.
It’s worth noticing that this requirement can be overcome when single products have unique
identities and the back-end knows which products have which security features. In the
example above this would mean that every second product should implement a
cryptographic tag authentication protocol. In this scenario, it’s important that the
counterfeiters don’t know which products don’t have the security features; otherwise
counterfeiters could simply target (clone) only the non-protected products.
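The back-end decision logic implied by the two paragraphs above, as an added Python example that is not part of the BRIDGE report. HMAC-SHA256 challenge-response stands in for the unspecified "cryptographic tag authentication protocol", and the serial numbers, class names and verdict strings are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Verdict strings are constructed for this example.
GENUINE = "genuine: cryptographic response verified"
ID_ONLY = "identified only: no security feature registered for this serial"
COUNTERFEIT = "counterfeit suspected"

# A tag is modelled as a function: challenge -> response, or None when the tag
# cannot answer a cryptographic challenge (a plain, ID-only tag).
TagResponder = Callable[[bytes], Optional[bytes]]


@dataclass
class ProductRecord:
    """Back-end entry for one serialized product (hypothetical schema)."""
    has_crypto_tag: bool
    key: Optional[bytes] = None  # per-tag secret, present only for crypto tags


class AuthenticationBackend:
    """Knows, per serial number, which security feature the product carries."""

    def __init__(self) -> None:
        self._records: Dict[str, ProductRecord] = {}

    def register(self, serial: str, crypto: bool) -> Optional[bytes]:
        key = os.urandom(16) if crypto else None
        self._records[serial] = ProductRecord(crypto, key)
        return key  # would be written into the tag at production time

    def authenticate(self, serial: str, tag: TagResponder) -> str:
        record = self._records.get(serial)
        if record is None:
            return COUNTERFEIT  # serial was never issued
        if not record.has_crypto_tag:
            # Nothing to verify: a copied serial is indistinguishable here,
            # so the verdict carries a lower level of confidence.
            return ID_ONLY
        challenge = os.urandom(16)
        response = tag(challenge)
        if response is None:
            # The back-end knows this product must prove its identity, so a
            # missing feature does imply counterfeit origin.
            return COUNTERFEIT
        expected = hmac.new(record.key, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            return GENUINE
        return COUNTERFEIT


def crypto_tag(key: bytes) -> TagResponder:
    """Tag that holds a secret key and answers challenges with an HMAC."""
    return lambda challenge: hmac.new(key, challenge, hashlib.sha256).digest()


def plain_tag(challenge: bytes) -> Optional[bytes]:
    """ID-only tag: cannot answer a challenge."""
    return None


def demo() -> Dict[str, str]:
    backend = AuthenticationBackend()
    key = backend.register("SERIAL-0001", crypto=True)   # every second product
    backend.register("SERIAL-0002", crypto=False)
    return {
        "genuine_crypto": backend.authenticate("SERIAL-0001", crypto_tag(key)),
        "genuine_plain": backend.authenticate("SERIAL-0002", plain_tag),
        "copied_protected_serial": backend.authenticate("SERIAL-0001", plain_tag),
        "copied_serial_wrong_key": backend.authenticate(
            "SERIAL-0001", crypto_tag(os.urandom(16))),
        "copied_unprotected_serial": backend.authenticate("SERIAL-0002", plain_tag),
        "unknown_serial": backend.authenticate("SERIAL-9999", plain_tag),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} {verdict}")
```

The "copied_unprotected_serial" case returns the same verdict as "genuine_plain", which is why the text requires that the split between protected and unprotected serials stays unknown outside the back-end.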
Availability: The fact that products that cannot prove their identity when they should must be
considered counterfeits mandates a rigid availability requirement for the product
authentication system. Since networked RFID systems are vulnerable to denial-of-service
attacks in both the network and the tag layer, this is particularly worrisome for RFID based
product authentication. RFID tags can be destroyed rather simply, for example with hand-held
devices that send an intensive electro-magnetic pulse [33]. Therefore a wide scale tag
incapacitation attack has the potential to significantly increase the cost of running an RFID
based product authentication system.
Trust in parties who authenticate products: Product authentication can only help in such
environments where the parties have interest in using the system to find counterfeit products.
No degree of technical security in product authentication can overcome the will to
intentionally sell or consume a counterfeit product. In addition, the parties using product
authentication system can acquire information like serial numbers and locations of genuine
products from the system. Therefore a level of trust is needed in parties who use the system
to authenticate products.
Data sharing: Location based product authentication is possible only when the locations of
genuine products can be followed with a high enough degree of spatial and temporal
granularity. Today, companies share this kind of information unenthusiastically and on
a need-to-know basis rather than on a regular basis. The only way to be sure that a location
based product authentication application has all the information it needs to draw the right
conclusions in the presence of adversaries is for companies to establish data sharing policies
that provide a stable degree of visibility for the product authentication system.
4.2 Chain of trust, threats, and risks in product authentication
In this subsection we employ the use and misuse case methodology of Sindre and
Opdahl [5], presented in the introduction of this section, to derive the functional security
requirements for product authentication. Functional requirements state the services or
operations a system has to provide regardless of its physical limitations and they can be
modeled with use cases [32]. Our use case under study is product authentication by a licit
actor (e.g., sales clerk, customs officer, and consumer). The misuse case is an attack where
the illicit actor attempts to fool the security mechanism to make a counterfeit product pass
the authenticity check as a genuine one. In the following subsection 4.2.1 we identify the
critical assets and their security goals (steps 1 and 2 in the methodology) by deriving the
chain of trust of the general RFID based product authentication process. In subsection 4.2.2 we
consider the threats (step 3) and in subsection 4.2.3 the risks (step 4) against the chain of
trust. The resulting set of functional security requirements (step 5) that are needed to
mitigate the chosen threats is presented in subsection 4.3.
4.2.1 Chain of trust in product authentication
In this subsection we identify the chain of trust in the general RFID based product authentication
process by studying the information flow within the authentication process. The chain of trust is a
representation of the process that is to be secured. The first step in all RFID based product
authentication approaches is identification, where the reader device interrogates the tag
attached to the product and the tag answers by transmitting the product ID number. In
Section 0 we presented three ways in which a product can prove that it really has
the claimed identity, and we consider all three cases below.
In product authentication based on object-specific features, the testing equipment measures
the product’s feature value (the product’s physical or chemical fingerprint) and transmits this
feature value to the product authentication application. We consider the product
authentication application a software agent that makes the final decision whether a product is
authentic or not and it resides in the internal IT systems of the company that provides the
service (e.g., the brand-owner). In order to make the final decision, the product authentication
application needs reference information, the feature value of the genuine product, that is
compared to the measured feature value. We call this last process step the verification of
identity. If the two feature values do not match, the product under study is not the genuine
one.
In product authentication based on tag authentication, the tag proves its identity by showing
that it knows a certain secret key with a challenge-response protocol. To know what the
correct response for a certain challenge is, the product authentication application needs
reference data, which usually is the tag’s secret key. In this approach the verification of
identity is a trivial key comparison.
In location based product authentication, the testing equipment sends time and location
where the product has been seen to the product authentication application. The location of
the product is compared to the product history that serves as the reference information, and
if the location is plausible, the product is genuine. For example, if the history states that the
product should be in Japan but it is seen in Switzerland, an alarm should be raised. Because
products flow across organizational boundaries, we assume that the history is retrieved from
an external IT system.
In order to guarantee the integrity of the abovementioned information flows, one has to be
able to trust that the tag is attached to the right product, that the tag is original and not tampered
with, that the radio-frequency communication is not tampered with, that the testing equipment
works correctly, that the reference information is authentic and true, that the product history
is authentic and true, and that the product history is not tampered with. Finally, the
verification of identity needs to draw the right conclusions based on the available evidence.
This chain of trust is illustrated in Figure 6. The arrows in the illustration indicate the
information flow.
Figure 6. The chain of trust of (rectangles) and threats against (ovals) RFID based product
authentication system. The arrows indicate the different information flows that take place
within product authentication process. 5
4.2.2 Threats in product authentication
Each step in the chain of trust is a possible point of attack against the product authentication
system. In this subsection we identify and evaluate all threats against the product
authentication process. These threats are illustrated as black ovals in Figure 6.
1) Tag removal and reapplying: Removing and reapplying the tag from a genuine product to
a counterfeit one can fool the product authentication application. Without special techniques
that bind the tag and the product (e.g., use of object-specific features, subsection 1.3.1, or
special seals), it is only the tag that is authenticated and not the product. Many RFID tags
that are used in product serialization are adhesive labels. If not specifically addressed,
removing and reapplying them to counterfeit products poses no significant barriers for skilled
counterfeiters. This is similar to removal and reapplying of price tags which is an existing
threat in the retail industry.
When an RFID tag authenticates high-value items such as airplane spare parts or rare drug
products, even the removal and reapplying of a small number of tags can be financially
interesting for the counterfeit players. The lack of binding between the tag and the product is
especially problematic in the pharmaceutical industry where the RFID tag is never attached
to the drug product itself (tablet, ampoule, vial etc.) but on the secondary or tertiary
packaging (blister package, carton package etc.). Not only is it easy to disassociate the tag
from the drug product it authenticates by changing the contents of the package, but it also is
a common practice in the industry when the products are repackaged. Drug products are
repackaged for example in order to change the language of the package and instructions as
the products move to another country. Repackaging of drug products is legal in Europe and
in the US but illicit actors can use it to inject counterfeit products into the market by including
fakes among the unpackaged genuine products.
5 A bigger version of this picture is in Appendix B
2) Tag cloning: Tag cloning refers to cloning a genuine tag and attaching it to a counterfeit
product. If the tag is unprotected, it is easy to clone simply by interrogating it and by writing
the acquired ID number on another tag. Interrogating tags without permission is referred to
as clandestine scanning [20] and most RFID tags are not protected from it. Furthermore, so
called rogue scanning using a sensitive reader equipped with a powerful antenna or an
antenna array and possibly output power that exceeds the legal limits can exceed the
nominal read range. For example, Kfir and Wool [34] suggest that the rogue scanning range
for ISO 14443 tags can be five times higher than their nominal reading range.
Once a reader has powered a tag (or initiated communication with an active tag), a second
reader can monitor the tag emission by passively listening to the signal and capture the product
ID number for cloning. This is referred to as eavesdropping and the maximum distance
where a tag can be eavesdropped may be even larger than the rogue scanning range [20].
Also the reader-to-tag communication can be eavesdropped, though this channel is less
frequently used to transfer tag-specific information. Because the reader transmits at much
higher power than the tags, however, eavesdropping range for the reader-to-tag channel is
much greater than for the tag-to-reader channel [35].
Numerous techniques have been developed to protect tags from cloning. The principal
techniques are reader authentication, where the tag makes sure it communicates with an
authorized reader prior to disclosing any sensitive information (prevention), tag authentication,
where the reader makes sure the tag is genuine (remedy), and mutual authentication, which
incorporates both these approaches. Since reader authentication is only a partially
preventive countermeasure, it cannot be considered a complete solution against tag cloning.
Tag authentication protocols are briefly presented in subsection 1.3.2 above. Even though
tag authentication protocols can provide significant improvements to a tag’s cloning
resistance, there are many ways to conduct a cloning attack even against a protected tag.
These attacks include side channel attack (e.g., [37]), reverse-engineering and cryptanalysis
(e.g., [38]), brute-force attack, physical attacks (e.g., [39]) and different active attacks against
the protocol of the tag itself (e.g., [40]). In addition, tag authentication is always vulnerable to
data theft, where the secret encryption schemes of genuine tags are stolen or sold out by
insiders.
3) Attack against RF communication: An attack against the radio-frequency (RF)
communication can also fool the product authentication system. An adversary could conduct a
replay attack by hiding a replay device close to the reader device (or even together with a
product) to replicate genuine tags. A replay device is basically an RF tape recorder that can
scan and then replicate tags, and building such a device requires only a little money or
expertise [41]. Even complex tag authentication protocols can be vulnerable to a relay attack
where the adversary who resides between a genuine tag and a reader captures and
retransmits the challenge from the reader to the genuine tag, and again retransmits the
correct response to the reader device.
4) Manipulation of testing equipment: The testing equipment includes the RFID reader and,
for object-specific features approach, a device that can measure the features of the product
under study. If the testing equipment is compromised, it can no longer be trusted to give the right
answers. In the simplest case the testing equipment can be hard coded to let all products
pass the check. In a more complicated attack, it could try to claim a wrong location to the
product authentication application, for example the known location of the genuine product so
as to fool the location based plausibility check.
5) Attack against internal IT system: The most important functionalities and data of a product
authentication system reside in the internal IT system of the company that provides the
authentication service. These comprise the reference information of genuine products and
the part of the system that draws the final conclusion about the authenticity of a product.
Therefore the internal IT system can also be an attractive point of attack for adversaries.
6) Manipulation of product history: The history of a product can either move together with the
product as a pedigree (e.g., [42]), reside in a distributed database of all the custodians of the
product (e.g., [36]), or reside in one central database. Depending on the actual
implementation, the history of a genuine product is vulnerable to different ways of
manipulation. We consider the following three cases of manipulation: addition of bogus
events to “relocate” the product, removal of existing events for example to hide the fact that
the product is already sold, and modification of attributes (time and location) of existing
events. All cases of manipulation of history can be used to fool the location based plausibility
check.
7) Forgery of product history: In addition to manipulation of an existing product’s history, the
creation of a falsified history from scratch can also threaten location based product
authentication. We refer to this threat as forgery of product history and it includes creation of
a completely new identity that is given to the counterfeit product and injection of the forged
history into the external IT system.
4.2.3 Risks in product authentication
In this subsection we assess the risks in RFID based product authentication based on the
comprehensive list of threats derived above. The reason to evaluate the risks is to identify
which threats should be mitigated by the system’s functional security requirements, and
which threats need not be addressed. This step can be seen as a reality check about which
threats really are important in practice. The risks that the different threats pose have different
magnitudes (risk levels) that depend on two components – exposure (or consequence) and
uncertainty (or likelihood) [43].
Attacking the RF communication is complex and requires hiding special equipment in the
proximity of the authenticating reader device. Doing this is hard in practice since the
authentication takes place in a controlled environment under the supervision of authorized
personnel. Therefore the likelihood of such an attack is low. Similarly, since the testing
equipment is handled by authorized personnel only, we conclude that manipulation of testing
equipment is also not likely to happen. Attacks against the internal IT systems are not
specific to RFID systems and they can be addressed by standard techniques of security
engineering [6]. Therefore they are left out of the scope of this analysis. Based on the
previous subsection, the risk levels of all the other threats are assumed high enough so that
they need to be mitigated by the functional security requirements. The resulting list of
applicable threats is below. The last two of them apply to location based authentication only.
• Tag removal and reapplying
• Tag cloning
• Manipulation of product history
• Forgery of product history
4.3 Functional Security requirements
The functional security requirements of an RFID based product authentication system are the
security goals that are needed to mitigate the list of threats obtained from the risk
assessment at the end of the previous section. The overall security requirement is to mitigate
all applicable threats. If a threat is not mitigated, the cost to break the system is low and the
system is not secure. Therefore the level of security of a product authentication system
depends on how well the functional requirements are met. There are multiple combinations
of security goals that mitigate all the threats, which reflects the different product
authentication approaches. In particular, all security goals can be substituted by others. The
threats and security goals are illustrated in the use/misuse case diagram, Figure 7.
The threat of tag cloning attack must be mitigated either by a tag authentication protocol that
detects the cloned tags, by location based authentication that detects the cloned tags, or by
verifying the object-specific features that authenticates the product itself.
The threat of tag removal and reapplying attack must be mitigated either by verifying the
tag-product integrity (e.g., with a seal), by verifying the object-specific features, which detects if the
tag is attached to a wrong product, or by preventing the tag removal. One way to prevent the
removal in practice is to integrate the tag in such a way that the chip will detach from the
antenna if the tag is removed. This method is applied for example in some sprayer perfume
bottles where the tag resides between the bottle top and the glass bottle: if the bottle
top is removed, the antenna will stay attached to the glass bottle whilst the chip comes off
with the bottle top.
Last, the threat of manipulation of product history is mitigated by guaranteeing the integrity of
the history, and the threat of forgery of product history is mitigated by guaranteeing
authenticity of the history. Integrity and authenticity are basic security services and how they
can be guaranteed in a product authentication system in the EPC network is discussed in
Section 5.
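The three manipulation cases of threat 6 and the forgery of threat 7 can be made detectable with a chained, authenticated event log. The following is an added example, not the report's or EPCglobal's mechanism; it assumes each custodian holds an HMAC key known to the verifier and that the brand-owner stores the latest head tag of every history out of band. All field names, keys and events are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # 'prev' value of the first event of a history
FIELDS = ("epc", "custodian", "location", "time", "prev")


def _tag(key: bytes, event: dict) -> str:
    """HMAC-SHA256 over a canonical encoding of the event, back-link included."""
    body = json.dumps({f: event.get(f) for f in FIELDS}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_event(history, key, custodian, epc, location, time):
    """Append an event authenticated by its custodian; return the new head tag."""
    event = {"epc": epc, "custodian": custodian, "location": location, "time": time,
             "prev": history[-1]["tag"] if history else GENESIS}
    event["tag"] = _tag(key, event)
    history.append(event)
    return event["tag"]


def verify_history(history, custodian_keys, anchored_head):
    """Return "ok" or the first inconsistency found.

    Authenticity: every event must carry a valid tag from a known custodian.
    Integrity: every event must link to its predecessor, and the last tag must
    equal the head anchored by the brand-owner, otherwise removal of the most
    recent events (e.g. a 'sold' event) would go unnoticed.
    """
    prev = GENESIS
    for i, event in enumerate(history):
        key = custodian_keys.get(event.get("custodian"))
        if key is None:
            return f"event {i}: unknown custodian"
        claimed = str(event.get("tag", "")).encode()
        if not hmac.compare_digest(_tag(key, event).encode(), claimed):
            return f"event {i}: bad tag"
        if event.get("prev") != prev:
            return f"event {i}: broken link"
        prev = event["tag"]
    return "ok" if prev == anchored_head else "head mismatch"


def demo():
    """Run the verifier over one genuine and five tampered histories (constructed data)."""
    keys = {"manufacturer": b"constructed-key-M",
            "distributor": b"constructed-key-D",
            "retailer": b"constructed-key-R"}
    epc = "urn:epc:id:sgtin:0614141.000024.400"
    genuine = []
    append_event(genuine, keys["manufacturer"], "manufacturer", epc, "Osaka", "2007-05-02T08:00Z")
    append_event(genuine, keys["distributor"], "distributor", epc, "Zurich", "2007-05-09T10:00Z")
    head = append_event(genuine, keys["retailer"], "retailer", epc, "Zurich (sold)",
                        "2007-06-01T15:30Z")

    modified = copy.deepcopy(genuine)          # attribute of an existing event changed
    modified[1]["location"] = "Tokyo"
    removed_middle = genuine[:1] + genuine[2:]  # existing event removed
    removed_last = genuine[:2]                  # 'sold' event hidden
    added = copy.deepcopy(genuine)              # bogus event added without a key
    added.append({"epc": epc, "custodian": "distributor", "location": "Basel",
                  "time": "2007-06-03T09:00Z", "prev": head, "tag": "0" * 64})
    forged = []                                 # history created from scratch
    append_event(forged, b"not-a-custodian-key", "manufacturer", epc, "Osaka",
                 "2007-05-02T08:00Z")

    cases = {"genuine": genuine, "modified": modified, "removed_middle": removed_middle,
             "removed_last": removed_last, "added": added, "forged": forged}
    return {name: verify_history(h, keys, head) for name, h in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

A custodian who holds a valid key can still record false events; the chain only shows that the history is the one the custodians wrote.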
Figure 7. Use/misuse-case diagram of functional security requirements of RFID based product
authentication. The white ovals are the security goals of the system and the black ovals present
the threats. The overall requirement is to mitigate all applicable threats with security goals. 6
The functional security requirements of different RFID-based product authentication
approaches are summarized in the table below. All three approaches achieve the same
overall goal that is to mitigate all threats against the system.
Table 7. The functional security requirements of different product authentication approaches
Tag authentication approach (crypto tags):
• Tag authentication
• Prevent tag removal / verify tag-product integrity
Object-specific security features approach:
• Verify object-specific security features
Location based plausibility check approach:
• Guarantee integrity of history
• Guarantee authenticity of history
• Detect cloned tags
• Prevent tag removal / verify tag-product integrity
6 A bigger version of this picture is in Appendix B
5 Product authentication in the EPC network
In Sections 2-4 of this report, we have collected requirements for product authentication
system from various end-users and derived functional and non-functional security
requirements that the system must conform to. In this section, we analyze how the collected
set of constraints and requirements can be met by the EPCglobal infrastructure (EPC
network) that is subject to research in the overall BRIDGE project. This analysis will yield
concrete guidelines for the development of a trial infrastructure that will take place in Task 4
of this work package.
Subsection 5.1 presents the technical environment of the solution. In subsection 5.2 we
derive different solution concepts for product authentication in the EPC network.
Assumptions about solution implementation are necessary to investigate EPC network’s
conformance to the collected requirements for product authentication. In subsection 5.3 we
go through business requirements and the functional security requirements and analyze how
the existing EPC network conforms to them, and present suggestions for improvements.
Because the conformance to non-functional security requirements (Section 4.1) is practically
independent of technology, they are omitted from this analysis.
5.1 Technical environment of the solution
EPC stands for Electronic Product Code and it is an industry driven RFID standard of
EPCglobal Inc. [44]. Being supported by major industrial players especially from the U.S.
retail industry (e.g., Gillette, Johnson & Johnson, and Wal-Mart), EPC is the most deployed
standard for networked RFID. EPC systems are built for increased supply-chain efficiency
and we identify how they can be used in product authentication.
The hardware and software roles defined by EPCglobal are illustrated in Figure 9. These
comprise EPCglobal core services that are common for the whole network, as well as roles
that are specific to each EPCglobal subscriber, i.e. a company. The security functions of the
EPCglobal architecture are distributed among different roles and interfaces [45], therefore an
understanding of the complete architecture is required.
Most EPC tags are inexpensive passive tags (EPC Classes 0/1/2) for item-level tagging with
optional user memories. In addition to tags, readers, and the filtering & collection layer that
produces application layer events (ALE), EPCglobal also develops standards for sharing the
item-level data to enable a complete RFID network. The main network components are EPC
Information Services (EPC-IS), Object Naming Service (ONS), and Discovery Services (DS)
[45].
The EPC-IS defines a standard interface for capturing and querying EPC-related data and the
related security mechanisms, authentication and authorization [46]. Here, authentication
means verifying the identity of different entities of the network, and authorization means
verifying that a certain entity has the permission to access certain data. The EPC-related
data, events about single or aggregated items, is stored in the EPC-IS repository. The ratified
specifications of the EPC-IS were published during the time of finishing this article and can
be found in [47].
The ONS [48] uses the Internet’s existing Domain Name System (DNS) for looking up
(resolving) information about a certain product from the owner of the EPC number database,
which is typically the manufacturer of the product. EPCglobal provides the root ONS as a
part of the core network services and it is up to each subscriber to run the local ONS that
replies to the lookup requests. A typical ONS query, where the network address of the
EPC-IS of the brand-owner (denoted by address(EPC-ISB)) is resolved from the EPC number of
the tag, is presented in Figure 8. To illustrate the ONS query format, the local system
(denoted by A) queries the ONS system with an EPC in URI form and receives the URI form
domain name as a response:
1. A → ONS: EPC (e.g.: urn:epc:id:sgtin:0614141.000024.400)
2. ONS → A: address(EPC-ISB) (e.g.: 000024.0614141.sgtin.id.onsepc.com)
Figure 8. An example of a typical ONS query [48]
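The mapping between the two strings in Figure 8 can be reproduced in a few lines. This is an added example, not code from the report or from EPCglobal: it assumes the conversion is to drop the urn:epc: prefix and the serial number, reverse the remaining fields and append the ONS root, which yields exactly the domain name shown above. Because the EPC is read from a tag, it is treated as untrusted input and validated strictly before a DNS name is built from it.

```python
import re

ONS_ROOT = "onsepc.com"  # root domain used in the report's Figure 8

# Pure-identity SGTIN URI: company prefix . item reference . serial number
_SGTIN = re.compile(r"urn:epc:id:sgtin:([0-9]{6,12})\.([0-9]{1,7})\.([^.:\s]+)")


def ons_domain(epc_uri: str, root: str = ONS_ROOT) -> str:
    """Build the ONS domain name for an SGTIN EPC in URI form.

    The serial number is dropped, so the lookup identifies the product class
    only: ONS cannot tell two items (or a genuine tag and its clone) apart,
    and the serial number is not exposed in the DNS query.
    """
    match = _SGTIN.fullmatch(epc_uri.strip())
    if match is None:
        # Reject anything that is not digits in the expected layout, so that
        # crafted tag contents cannot steer the lookup to another domain.
        raise ValueError(f"not a well-formed SGTIN URI: {epc_uri!r}")
    company, item, _serial = match.groups()
    if len(company) + len(item) != 13:
        raise ValueError("company prefix and item reference must total 13 digits")
    return ".".join([item, company, "sgtin", "id", root])


def is_resolvable(epc_uri: str) -> bool:
    """True if the EPC passes validation and may be sent to ONS."""
    try:
        ons_domain(epc_uri)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(ons_domain("urn:epc:id:sgtin:0614141.000024.400"))
```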
The DS locates all EPC-IS services that may have information about a specific EPC and,
additionally, also provides a cache for some EPC-IS data [45]. The DS is not yet a defined
part of the EPCglobal architecture framework, but its general functionality is known. The DS
is subject to closer research in WP2 of this project. To illustrate the functionality of the DS, an
example of one possible query format, which is by no means the final query format of the DS
that is being developed in WP2, is illustrated below. Here, A refers to an application that
wants to locate information about a certain EPC from the DS, and address(.) refers to the
network address of a network service (.).
1. A → DS: EPC
2. DS → A: {address(EPC-IS1), address(EPC-IS2), …, address(EPC-ISN)}
To link this example with the example ONS query from above, the manufacturer’s server in
the ONS query, EPC-ISB, can be one of the returned services from the DS query, e.g.
EPC-IS1. In addition to ONS and DS, the core services of the EPCglobal architecture include
a subscriber authentication (SA) service.
Figure 9. Illustration of the hardware and software roles of the EPCglobal architecture
framework [45]. EPCglobal standards define the interfaces between the roles.
5.2 Different solution concepts in the EPC network
We identify three distinct solution concepts for secure product authentication in the EPC
network. These three concepts are presented below.
Concept 1: EPC-PAS
The first solution concept makes use of the EPC Product Authentication Service (PAS)
suggested by Staake et al. [36] that is run by the brand-owner. A product is authenticated by
a challenge-response protocol between the tag and the EPC-PAS server. In addition, it has
to be guaranteed that the tag is attached to the right product, otherwise only the tag is
securely authenticated but not the product. Product authentication in this solution concept
can be based on tag authentication using cryptographic tags (subsection 1.3.2) or on
object-specific features (see footnote 7; subsection 1.3.1). The architecture and message formats of this solution
concept are presented in Figure 10.
7 This approach can be implemented as a challenge-response protocol where challenge is void and response is
the measured feature value
Figure 10. Solution concept 1: Product authentication based on tag authentication / object-
specific features.
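A minimal model of the challenge-response exchange in concept 1, showing which of the threats from subsection 4.2.2 a fresh challenge stops and which it does not. This is an added example, not the EPC-PAS protocol of [36]: the HMAC-SHA256 construction, class names and the key are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

EPC = "urn:epc:id:sgtin:0614141.000024.400"  # EPC from the report's ONS example
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key


def mac(key: bytes, epc: str, challenge: bytes) -> bytes:
    """Response = HMAC-SHA256(key, EPC || challenge)."""
    return hmac.new(key, epc.encode() + challenge, hashlib.sha256).digest()


class CryptoTag:
    """Genuine tag: the secret key is used on the tag and never transmitted."""

    def __init__(self, epc: str, key: bytes):
        self.epc, self._key = epc, key

    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, self.epc, challenge)


class CopiedIdTag:
    """Clone made from the ID number alone: it can state the EPC but has no key."""

    def __init__(self, epc: str):
        self.epc = epc

    def respond(self, challenge: bytes) -> bytes:
        return secrets.token_bytes(32)  # can only guess


class ReplayDevice:
    """Plays back one response recorded during an earlier authentication."""

    def __init__(self, epc: str, recorded: bytes):
        self.epc, self._recorded = epc, recorded

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded


class RelayedTag:
    """Relay: passes the live challenge to the genuine tag and returns its answer."""

    def __init__(self, genuine: CryptoTag):
        self.epc, self._genuine = genuine.epc, genuine

    def respond(self, challenge: bytes) -> bytes:
        return self._genuine.respond(challenge)


class AuthService:
    """Server side: holds the reference keys and issues single-use challenges."""

    def __init__(self, reference_keys):
        self._keys = dict(reference_keys)
        self._open = {}  # session id -> (epc, challenge)

    def challenge(self, epc: str):
        session, nonce = secrets.token_hex(8), secrets.token_bytes(16)
        self._open[session] = (epc, nonce)
        return session, nonce

    def verify(self, session: str, response: bytes) -> str:
        epc, nonce = self._open.pop(session, (None, None))  # a session is usable once
        if epc is None:
            return "rejected"
        key = self._keys.get(epc)
        if key is None:
            return "don't know"  # no reference data for this EPC
        ok = hmac.compare_digest(mac(key, epc, nonce), response)
        return "genuine" if ok else "counterfeit"


def authenticate(service: AuthService, tag) -> str:
    session, nonce = service.challenge(tag.epc)
    return service.verify(session, tag.respond(nonce))


def demo():
    service = AuthService({EPC: KEY})
    genuine = CryptoTag(EPC, KEY)
    session, nonce = service.challenge(EPC)
    recorded = genuine.respond(nonce)  # what an eavesdropper could capture
    return {
        "genuine tag": service.verify(session, recorded),
        "session reused": service.verify(session, recorded),
        "copied ID": authenticate(service, CopiedIdTag(EPC)),
        "replayed response": authenticate(service, ReplayDevice(EPC, recorded)),
        "relayed genuine tag": authenticate(service, RelayedTag(genuine)),
        "unknown EPC": authenticate(service, CryptoTag("urn:epc:id:sgtin:0614141.000024.999", KEY)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} {verdict}")
```

The relayed case is accepted because the response really comes from the genuine tag, which is why the report relies on the controlled authentication environment rather than on the protocol for that threat.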
Concept 2: Local trace analysis
The second solution concept is based on querying the EPC network for a product’s trace and
making the trace analysis locally (by the EPCglobal subscriber of the accessing application)
in order to know whether the read tag is the genuine one or a cloned one. Both DS and ONS
queries can be used to locate the services that contain information about a product, if these
locations are not known prior to the authentication. The accessing application retrieves the
trace according to its authorization to access events regarding the product under study. As it
can be assumed that events about products are by default kept secret and shared on a
need-to-know basis only, this solution concept is likely to be feasible only for authorized trading
partners. The architecture and message formats of this solution concept are presented in
Figure 11.
[Figure 11 diagram. Elements shown: RFID Tag, RFID Reader, Filtering & Collection (ALE), EPCIS, EPCIS Accessing Application and Trace Analysis at the EPCglobal subscribers; EPCglobal Core Services (SA, DS, ONS Root). Flows: DS/ONS lookup, EPCIS queries, Trace. Output: Answer (Yes, No, Don’t know).]
Figure 11. Solution concept 2: Product authentication based on local trace analysis by an
accessing EPCglobal subscriber.
Concept 3: EPC-TAS
To improve the trace analysis concept presented above, we also consider promoting the
functionality to detect cloned tags to the level of the core services of the EPC network. We
call this new service the EPC Trace Analysis Service (EPC-TAS) and it requires that all
parties who handle the products agree to share certain events like reception and shipping
notifications with the EPC-TAS. In this way the EPC-TAS would obtain a comprehensive
visibility about the movement of the products and thus it could in real time analyze the
complete traces of products to detect the cloned tags. The primary functionality of this
service is to receive queries of triplets {EPC, Location, Time} and to answer whether the
product under study is genuine or a cloned one. This third product authentication concept is
presented in Figure 12.
Figure 12. Solution concept 3: Product authentication based on global trace analysis by EPC-
TAS.
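A sketch of how a service could answer an {EPC, Location, Time} query with Yes, No or Don't know. This is an added example and not the EPC-TAS design, which the report leaves to later research: the three rules, the event vocabulary, the speed and distance thresholds and all events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumption: fastest plausible transport (air freight)
SAME_SITE_KM = 50.0    # assumption: readers this close count as the same site


@dataclass(frozen=True)
class Event:
    epc: str
    step: str       # "shipping", "receiving" or "sold" (assumed vocabulary)
    site: str
    lat: float
    lon: float
    time: datetime


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def check_observation(trace, epc, lat, lon, when):
    """Return (answer, reason) for one observation of an EPC.

    Only events recorded before the observation are considered. "no" means the
    trace and the observation cannot both belong to one physical item, i.e. at
    least one tag carrying this EPC is a clone.
    """
    earlier = sorted((e for e in trace if e.epc == epc and e.time <= when),
                     key=lambda e: e.time)
    if not earlier:
        return "don't know", "no earlier events recorded for this EPC"
    last = earlier[-1]
    moved = distance_km(last.lat, last.lon, lat, lon)
    if last.step == "sold":
        return "no", f"item was already sold at {last.site}"
    if last.step == "receiving":
        if moved > SAME_SITE_KM:
            return "no", f"history places the item at {last.site}, {moved:.0f} km away"
        return "yes", f"seen where it was received ({last.site})"
    if last.step != "shipping":
        return "don't know", f"unrecognised event type {last.step!r}"
    hours = (when - last.time).total_seconds() / 3600
    if moved > SAME_SITE_KM and moved > hours * MAX_SPEED_KMH:
        return "no", f"{moved:.0f} km in {hours:.1f} h exceeds {MAX_SPEED_KMH:.0f} km/h"
    return "yes", f"reachable from {last.site} since shipping"


# Constructed sample data: coordinates of three sites and a small trace.
OSAKA, TOKYO, ZURICH = (34.69, 135.50), (35.68, 139.77), (47.38, 8.54)
T0 = datetime(2007, 5, 2, 8, 0, tzinfo=timezone.utc)
TRACE = [
    Event("epc:A", "shipping", "Osaka", *OSAKA, T0),
    Event("epc:A", "receiving", "Tokyo", *TOKYO, T0 + timedelta(hours=12)),
    Event("epc:B", "shipping", "Tokyo", *TOKYO, T0),
    Event("epc:C", "receiving", "Zurich", *ZURICH, T0),
    Event("epc:C", "sold", "Zurich", *ZURICH, T0 + timedelta(days=3)),
]


def demo():
    q = lambda epc, place, delta: check_observation(TRACE, epc, *place, T0 + delta)[0]
    return {
        "A in Zurich, history says Tokyo": q("epc:A", ZURICH, timedelta(days=30)),
        "A in Tokyo": q("epc:A", TOKYO, timedelta(days=30)),
        "B in Zurich 2 h after shipping": q("epc:B", ZURICH, timedelta(hours=2)),
        "B in Zurich 48 h after shipping": q("epc:B", ZURICH, timedelta(hours=48)),
        "C seen after sale": q("epc:C", ZURICH, timedelta(days=10)),
        "unknown EPC": q("epc:Z", ZURICH, timedelta(days=1)),
    }


if __name__ == "__main__":
    for case, answer in demo().items():
        print(f"{case:35s} {answer}")
```

The first case is the Japan/Switzerland alarm from subsection 4.2.1; the fourth shows the limit of a speed rule, since a clone that appears late enough along a plausible route is not flagged.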
The different ways to implement product authentication systems in the EPC network are
illustrated in Figure 13 below. The numbered communication flows present the three solution
concepts.
Figure 13. Illustration of product authentication in the EPC network: the accessing application
on the right-hand side authenticates a product with an EPC number on it. The numbered
communication mechanisms represent the three different solution concepts. (*Planned but not
yet defined service, **New service)
5.3 EPC network’s conformance to general requirements
In this subsection we go through the list of end-users’ general requirements for RFID-based
anti-counterfeiting systems, and analyze how the EPC network and related standards
conform to them.
The same system is used in the whole supply chain
The EPC network based product authentication system can be used in the whole supply
chain if all supply chain partners install the needed RFID reader infrastructure and software (e.g.,
product authentication application client). For the location based check, it is not always desirable
to share the track and trace data with all those parties who authenticate products. This can
potentially limit the usability of the product authentication system among supply chain
partners. Therefore the location based plausibility check should be provided by the
manufacturer or someone working under the manufacturer’s control and authority, so that a
verifier does not acquire the complete track and trace record of the product under study but
only the outcome of the check (i.e., genuine or counterfeit) from the provider of the product
authentication service. If this limitation regarding track and trace data sharing is
overcome, then the location based product authentication system can also be used without
further issues in the whole supply chain.
Customs can use the system to authenticate products
Customs require a standardized solution when it comes to wider adoption of product
authentication techniques. There are tens or hundreds of different product authentication
techniques today and most of them require special equipment. Customs simply cannot invest
in multiple product authentication techniques because it means overlapping investments in
hardware and training of personnel. Currently, customs see RFID only as one among several
product authentication techniques.
However, barcode readers are widely adopted by the customs today and barcode readers
are a part of basic equipment of modern customs officers. When RFID matures, it will replace
and complement barcodes in many applications. Therefore it can be assumed that customs
will also adopt standard RFID readers to replace and complement the existing barcode
infrastructure. Therefore RFID based product authentication techniques appear more
promising than competing technologies.
Also customs require that the system gives a clear answer whether the product is authentic
or not. Therefore the location based product authentication approach could be used by the
customs only if the verification of identity is automated.
End-users and consumers can use the system to authenticate products
The optimal anti-counterfeiting system would also allow the consumers and end-users of the
products to authenticate products. In the case of institutional end-users (e.g., an airplane
maintenance centre that wants to detect bogus spare parts), the case is similar to that of the
supply chain partners. When it comes to private consumers, two constraints have to be
overcome.
First, in order to use the EPC network based product authentication systems by themselves,
the consumers need access to an RFID reader device. This could be achieved by installing
publicly available RFID readers, for example as an added value service provided by retailers,
that consumers could use for different identification based services. Already today, there are
publicly available barcode readers that consumers can use to decode barcodes, but they are
rather sparse. A more promising solution in the long term is the capability to read RFID tags with
mobile phones. Already today, the Near-Field Communication (NFC) technology brings
specific RFID readers to mobile phones. The NFC adoption rate is low today, but according
to a prediction of ABI Research, in the year 2011 a total of 450 million mobile handsets (30% of
all mobile handsets) will be NFC-enabled [2]. It is important to note, however, that current
NFC reader devices cannot read the EPC tags, which operate in another frequency band and
comply with completely different RFID standards.
The second constraint is that parties from outside the EPC network require a specific access
point to the product authentication application. Consumers will not have
access to EPC network services as they are not EPCglobal subscribers. This constraint can
be technically overcome by setting up a public access point for the EPC network based
product authentication service.
The system verifies the identity automatically
The output format of the authenticity check should be a clear “yes” or “no” answer (i.e.,
genuine or counterfeit). Optionally, the system could estimate the level of confidence of the
answer to detect unclear cases. The way this answer is derived (i.e., how the system
verifies the claimed identity) should be automated. In the case of authentication based on
object-specific features and tag authentication, the verification of authenticity is
straightforward and can be easily automated. In the case of a location-based check, the track and
trace data needs to be analyzed for a plausibility check that detects cloned tags, i.e.
counterfeits. End-users of the system cannot analyze the track and trace data manually
when performing wide-scale checks. First, this would be time-consuming and thus
costly. Second, the end-users of the system might lack the expertise required to detect
suspicious movements in the product’s trace.
So far there are no published methodologies or guidelines on how to use track and trace
data to automatically detect cloned tags for anti-counterfeiting. This functionality needs to be
implemented by making use of artificial intelligence that can distinguish suspicious traces
from licit ones. How to design and implement such a system will be the subject of research in
the following phases of this work package.
The system supports supply chain management
One of the business requirements of RFID-based product authentication systems is
support for supply chain management, such as forecasts, automatic replenishment, and
inventory management. An EPC network based product authentication system has
access to the item-level information needed to enable this support; product authentication
can be seen as one service and source of business value that the EPC network enables. The
approach where multiple business applications reside on the same technical platform is
also an underlying motivation of the BRIDGE project. In this way, the return on investment of
RFID technology comes from multiple business applications rather than from one specific
way the technology is used.
The system supports online authentication
End-users of the RFID-based product authentication system require that the authentication is
non-static and conducted online. This means that an online system can monitor the status of
the products that are protected by the system and that the verification process can be
managed dynamically. Product authentication in the EPC network happens online. This
means that, in contrast to holograms, for example, the system can monitor and log past
instances of the authentication protocol. In this way, for example, the number of counterfeit
products the system has detected is calculated automatically. The fact that the security
features are not static but dynamic means that compromised (copied) product EPC numbers
or tag cryptographic secret keys can be blacklisted, thus preventing the repeated use of
broken security features.
Real-time data
The EPC network based product authentication system can be fully automated and works on
real-time data. This enables short response times (seconds) and real-time monitoring, which
in turn enable very fast response times for countermeasures that take place after product
authentication.
5.4 EPC network’s conformance to industry specific requirements
In this subsection we analyze the EPC network’s conformance to the industry-specific
tagging requirements from Section 2.
Tag cost, reading distance, and lifetime
The interviews with different companies have revealed that most end-users of RFID-based
product authentication systems demand low-cost tags that can be read reliably from a long
distance. Furthermore, the required tag lifetimes vary from some months up to 15 years
and more. This calls for the use of simple passive UHF tags, for example EPC Class-1 Gen-2
UHF tags [49]. The UHF frequency band guarantees the best reading distance in the
absence of metals, fluids, and other conductive materials. The reliability of existing EPC tags,
namely the read rate, depends on the specific reading environment and so is hard to
generalize, but overall it is not always satisfactory, especially in environments with
conductive materials. However, the read rate is increasing as the technology matures.
Passive tags have a practically infinite lifetime [50], which in theory is enough for most
applications. However, this longevity holds only if the environment doesn’t harm
the tag, for example by physical stress or extreme temperatures. In contrast, the lifetime of
active tags is determined by the battery’s lifetime, which is typically some years. Requirements
regarding tag integration into products are case-specific and will not be addressed here.
Overall, RFID appears to be a suitable tagging technology when compared against the
requirements of end-users of product authentication applications.
5.5 EPC network’s conformance to security requirements
In this subsection, we go through selected security requirements of product authentication (footnote 8)
that are collected in Section 4 and analyze how the existing EPC network conforms to them.
Tag authentication
The current EPC network does not directly support tag authentication. Furthermore, to our
knowledge there are currently no cryptographic RFID tags commercially available that
operate in the UHF band that is likely to dominate in supply chain applications; most existing
cryptographic RFID tags operate in the HF band and normally conform to the ISO 14443
(proximity card) or sometimes to the ISO 15693 (vicinity card) standards. There are, however,
first implementations of a tag crypto module for the Advanced Encryption Standard (AES) that
fulfill the requirements of both HF and UHF tags in terms of chip size and power
consumption [51]. Though tag authentication in the EPC network is not yet a reality, the
concept has been addressed in the literature. The
EPC Class-1 Gen-2 (UHF) tag standard [49] includes a factory-programmed transponder ID
number (TID) that can be used to increase the tag’s cloning resistance. In addition, Juels [52]
has shown how to leverage the PIN-based access control and privacy enhancement
mechanisms (KILL command) of EPC Class-1 Gen-2 tags to achieve a crude
challenge-response authentication. The EPC Class-1 Gen-2 standard also exploits the difference
between reader-to-tag and tag-to-reader eavesdropping ranges, which can vary a lot. When
a PIN is transmitted to a tag, the tag first transmits a random secret to the reader, which encrypts
the PIN code with it using XOR. This protects the reader-to-tag transmission from eavesdroppers
who cannot listen to the weaker tag transmissions [35], making cloning harder for
eavesdroppers.
In order to bring advanced cryptography to the EPC network, Staake et al. [36] proposed to
extend it with a so-called EPC Product Authentication Service (EPC-PAS) that would store
the secret keys and calculate challenges for authentication protocols. This corresponds to
the first solution concept (subsection 5.2) and is illustrated by mechanism number 1 in
Figure 13. The EPC-PAS would complement the EPC-IS by separating the cryptographic
service from the data repository, and it could reply to accessing applications whether a tag is
authentic or not. This analysis shows that the concept of tag authentication in the EPC network is
well addressed, but the remaining research challenge is how to bring tag authentication into
reality in a scalable and cost-effective way that can guarantee the needed level of availability.
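The EPC-PAS concept described above, combined with the blacklisting and logging described under online authentication, as an added example that is not part of the original report or of any BRIDGE code. HMAC-SHA256 stands in for the tag's cipher, and the class names, method names and the sample EPC are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets


class Tag:
    """Simulated cryptographic tag: holds a secret key and answers challenges."""

    def __init__(self, epc: str, key: bytes):
        self.epc = epc
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Assumption: HMAC-SHA256 replaces the on-tag cipher (e.g. AES).
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ProductAuthenticationService:
    """Keeps tag keys apart from the event repository and answers yes/no."""

    def __init__(self):
        self._keys = {}          # EPC -> secret key
        self._blacklist = set()  # EPCs whose number or key is known to be copied
        self._pending = {}       # EPC -> outstanding single-use challenge
        self.log = []            # (EPC, verdict) for every completed check

    def enroll(self, epc: str, key: bytes) -> None:
        self._keys[epc] = key

    def blacklist(self, epc: str) -> None:
        self._blacklist.add(epc)

    def new_challenge(self, epc: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[epc] = challenge
        return challenge

    def verify(self, epc: str, response: bytes) -> bool:
        # Each challenge is consumed once, so a recorded response is useless later.
        challenge = self._pending.pop(epc, None)
        key = self._keys.get(epc)
        ok = False
        if challenge is not None and key is not None and epc not in self._blacklist:
            expected = hmac.new(key, challenge, hashlib.sha256).digest()
            ok = hmac.compare_digest(expected, response)
        self.log.append((epc, ok))
        return ok

    def failed_checks(self) -> int:
        """Number of logged checks that did not end in a 'genuine' verdict."""
        return sum(1 for _, ok in self.log if not ok)


def demo() -> dict:
    pas = ProductAuthenticationService()
    epc = "urn:epc:id:sgtin:0614141.107346.2017"  # constructed sample EPC
    key = secrets.token_bytes(16)
    pas.enroll(epc, key)
    genuine = Tag(epc, key)
    clone = Tag(epc, secrets.token_bytes(16))  # copied EPC number, unknown key

    results = {}
    first = pas.new_challenge(epc)
    recorded = genuine.respond(first)
    results["genuine"] = pas.verify(epc, recorded)

    pas.new_challenge(epc)  # fresh challenge; the recorded answer no longer fits
    results["replay"] = pas.verify(epc, recorded)

    results["clone"] = pas.verify(epc, clone.respond(pas.new_challenge(epc)))

    pas.blacklist(epc)  # the key is reported compromised
    results["blacklisted"] = pas.verify(epc, genuine.respond(pas.new_challenge(epc)))
    results["failed_checks"] = pas.failed_checks()
    return results


if __name__ == "__main__":
    print(demo())
```
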
It is important to note that strong tag authentication is the subject of research in WP4 (Task 4.3:
Anti-cloning of RFID Tags) of the BRIDGE project, and therefore no new technical solutions for
tag authentication will be proposed in this work package. A comprehensive review of existing
RFID tag authentication techniques can be found in SToP deliverable D3.1 - State-of-the-art
analysis on relevant research, existing technologies and products.
Footnote 8: The security requirements “verify of tag-product integrity” and “prevent tag removal” are omitted from this
analysis because they do not depend on the properties of the EPC network.
Object-specific features based authentication
The object-specific security features based product authentication approach can also be
implemented as a challenge-response protocol where the response message is simply the
measured feature value. Therefore the EPC-PAS concept presented above could also be
used to implement this product authentication approach. From the EPC network, this would
only require storing the unique feature values of the product in the EPC-PAS in the same way
as the secret keys or access codes. Overall, the requirements this approach poses on RFID
technology are minimal, as the complexity lies in the physical measurement of the features.
Guarantee integrity of history
The location-based product authentication application has to have a correct and complete
history of the product under study. In order to conform to this requirement, the network has to
guarantee two things: that the events are not tampered with and that all the events for which
the accessing application is authorized are returned when requested. The former can be
achieved in the EPC network by securing the communication and protecting the data in EPC-IS
repositories. The EPC network’s conformance to the latter depends on the Discovery
Services module (DS) that is not yet defined. If the DS cannot guarantee that it locates all the
services in the EPC network that publish events about a product, then the product
authentication application is not guaranteed to have complete visibility for the detection of
cloned tags. This may lead to false decisions by the location-based product
authentication application. For example, consider a case where products are imported for sale
into another country for the first time and the receiving company scans the products and
publishes the reception event in its EPC-IS. If the products are later authenticated at the
point of sale based on their history but the DS does not locate the events that are published in
the receiving company’s EPC-IS, the product authentication application does not know that
the products were imported into that country and might consider them counterfeits.
For this reason, the DS needs to guarantee that the complete product
history is located from the EPC network. This needs to be taken into account in the design of
the DS functionality of the EPC network (footnote 9).
Guarantee authenticity of history
Authenticity of history in the EPC network is guaranteed by authentication of different entities
using a public-key infrastructure, which is defined by the EPCglobal Certificate Profile [53]. These
entities are users inside the EPC network (people), services/servers (EPCIS, ONS, etc.), and
readers and other devices. Even though this mechanism does not allow authentication of the
history itself but only authentication of the entities that provide it, the provided security
mechanism is sufficient because the entities that provide the history have to be trusted
parties. Even when a company signs the events, there is no cryptographic proof that the
product really is in that location. Therefore it is possible to inject false information into the EPC
network, which is currently not addressed by the network’s security services.
Footnote 9: Requirements of WP5 for the design of the serial-level look-up service in WP2 are: return the complete track and
trace history of a product where the events contain at least (EPC, time of the event, location of the event),
provide the identity of the publishers of the events, and protect the trace from manipulation (when applicable).
Detect cloned tags
The current EPC network does not provide direct support for the detection of cloned tags, but it
does provide means for subscribers to do this by themselves, which is presented by
solution concept two, local trace analysis (subsection 5.2). A subscriber can query the EPC-IS
repositories for events about a product and reason for themselves whether the product under
study is genuine or a cloned one. This is illustrated by mechanism number 2 in Figure 13.
This mechanism has three shortcomings. First, the EPC-IS answers queries according to
the authorization of the accessing application and can disclose any amount of information it
wants, which can be less than requested. Therefore only those subscribers who are
authorized to access the product’s history in all the product’s custodians’ EPC-IS repositories
have the full visibility for detecting cloned tags. This also means that only subscribers of
the EPC network who are authorized to follow the movements of the product can
authenticate the product at all. That restriction is likely to put this authentication
mechanism out of reach for consumers, for example. Last, a party interpreting the track
and trace data might not have all the needed knowledge about the restrictions concerning
the movement of the genuine products to draw the right conclusion as to whether a product under
study is genuine or a cloned one. For example, it is important to know whether the genuine products
are distributed only through a small number of authorized dealers and what the traces of
genuine products normally look like in order to detect suspicious products. Knowledge of
the exceptional movement of the genuine products, for example when products move
upstream in the supply chain due to mistakes in shipments, can also be useful to avoid false
alarms.
The third envisaged solution concept, global trace analysis by EPC-TAS (subsection 5.2),
has benefits over the local trace analysis. The EPC-TAS would have the best possible
visibility to detect cloned tags. In addition, the EPC-TAS would disclose only a minimal
amount of information about the product under study when answering queries (1 bit).
Therefore this product authentication mechanism could be made accessible to many users,
for example consumers, without the fear of disclosing sensitive information like past locations
of the product. This service would have to be run under the authority of the brand owner to
give the necessary credibility, or even legal status, to the answers. Therefore the service could
utilize the brand owner’s knowledge about the restrictions and irregularities in the distribution
channel of the genuine products in order to configure the system with the best possible a priori
knowledge to give the most sensible interpretations of the track and trace data.
One major difference between EPC-TAS and other product authentication mechanisms is
that EPC-TAS would detect the counterfeit products without specific authenticity checks
initiated by the custodians of the products. EPC-TAS only needs to be provided with the updated
location information of products in order to find counterfeits. This means that the system
could provide product authentication capability as a background monitoring service.
Furthermore, the EPC-TAS could automatically aggregate the results into business
intelligence, for example by identifying the most likely entry points of counterfeit products in
the distribution channel. The precise functionality of the proposed service, especially
concerning the automated decision-making process, and the integration of this service into the
existing EPC network, remain open research topics and subject to future work within the
BRIDGE project.
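An added example, not part of the original report, of an automated plausibility check over (EPC, time, location) events of the kind the local and global trace analysis concepts call for. The report leaves the decision method open, so the two rules used here (authorised hand-overs and minimum transit times), the location names and the sample traces are constructed assumptions; the third trace reproduces the missing reception event described under integrity of history.

```python
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    epc: str
    time: datetime
    location: str


# Constructed brand-owner knowledge: authorised hand-overs between locations
# and the minimum plausible transit time, in hours, for each of them.
CHANNEL = {
    ("factory-CH", "dc-DE"): 8,
    ("dc-DE", "importer-FI"): 24,
    ("importer-FI", "shop-FI"): 2,
}
ORIGIN = "factory-CH"


def analyze(events, channel=CHANNEL, origin=ORIGIN):
    """Return the implausibilities found in the trace of one EPC."""
    trace = sorted(events, key=lambda e: e.time)
    if not trace:
        return ["no events located for this EPC"]
    findings = []
    if trace[0].location != origin:
        findings.append(f"first sighting at {trace[0].location}, not at {origin}")
    for prev, cur in zip(trace, trace[1:]):
        if prev.location == cur.location:
            continue  # repeated read at the same site
        min_hours = channel.get((prev.location, cur.location))
        gap = cur.time - prev.time
        if min_hours is None:
            # Also fires when an intermediate event was never located.
            findings.append(
                f"no authorised hand-over {prev.location} -> {cur.location}")
        elif gap < timedelta(hours=min_hours):
            # One item cannot move this fast: the EPC is carried by two tags.
            findings.append(
                f"{prev.location} -> {cur.location} in {gap}, "
                f"below the {min_hours} h minimum")
    return findings


def is_genuine(events) -> bool:
    """The 1-bit answer; the findings themselves stay with the service."""
    return not analyze(events)


def sample_traces() -> dict:
    """Constructed traces: complete, with a cloned tag, and with a gap."""
    epc = "urn:epc:id:sgtin:0614141.107346.2017"  # constructed sample EPC
    t0 = datetime(2007, 7, 2, 8, 0)
    day = timedelta(days=1)
    genuine = [
        Event(epc, t0, "factory-CH"),
        Event(epc, t0 + day, "dc-DE"),
        Event(epc, t0 + 3 * day, "importer-FI"),
        Event(epc, t0 + 4 * day, "shop-FI"),
    ]
    # A second tag with the same EPC is read two hours after the DC event.
    cloned = genuine + [Event(epc, t0 + day + timedelta(hours=2), "importer-FI")]
    # The importer's reception event was published but not located.
    incomplete = [e for e in genuine if e.location != "importer-FI"]
    return {"genuine": genuine, "cloned": cloned, "incomplete": incomplete}


if __name__ == "__main__":
    for name, trace in sample_traces().items():
        print(name, is_genuine(trace), analyze(trace))
```

The incomplete trace is rejected although the product is genuine, which is why the check is only as reliable as the completeness of the history it is given.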
6 Discussion
In this report, we have studied the requirements of RFID-based product authentication
systems for anti-counterfeiting. The considered general requirements do not relate to any
specific use case of the product authentication system, but present a holistic view of what is
required from an optimal and secure solution. The industry requirements for a product
authentication system are collected from affected companies and solution providers. The
industry-specific requirements, or constraints, regarding the use of an RFID-based product
authentication system have been addressed in four industry branches. Overall, the potential
end-users envisage a fast and reliable online check that can be used by all business partners
and for different kinds of products. The industry-specific requirements mostly relate to the
integration of tags into the products and the way the tags are read. Customs requirements
are also taken into account in our analysis, though to a lesser extent than those of the industries.
Most importantly, we have discovered that customs require a standardized product
authentication system to be used for different kinds of products using mobile reader devices.
To provide solid foundations for a secure solution, we have derived the functional and
non-functional security requirements for product authentication systems. We have identified three
different mechanisms for implementing product authentication systems within the EPC
network, which will be valuable feedback for the trial infrastructure development task (Task
5.4). When analyzing the EPC network’s conformance to the functional security requirements of
product authentication, we have discovered that the network’s existing mechanism to detect
cloned tags is far from optimal. Detection of cloned tags is needed to guarantee the security of
location-based product authentication approaches. Furthermore, the detection needs to be
automated to keep the cost and effort of performing a check low.
For the abovementioned reasons, the solution concept that is chosen in this work package
will perform a location-based authenticity check using track and trace data, and its main
functionality is to detect cloned tags through automatic trace analysis. Importantly, this
solution is less expensive than an approach using cryptographic tags and can be
implemented without large additional investments in equipment or hardware. Since a location-based
check requires data sharing and collaboration from the custodians of the genuine
products, the future work in this work package includes assessment of cases where this
solution is feasible, and where other solutions are required.
It should be noted, however, that product authentication alone is not sufficient to fight illicit
trade; it should be used in a business context. An effective anti-counterfeiting strategy
consists of a combination of countermeasures. General requirements for anti-counterfeiting
and countermeasures against drivers and enablers of illicit trade, as well as against different
dimensions of illicit trade, are studied in a forthcoming deliverable of the SToP project (D1.2 -
Description of technical and organizational requirements for product authentication solutions
based on ambient intelligence).
References
[1] NFC Forum. (2007). Available: http://www.nfc-forum.org/aboutus/
[2] K. Norton and K. Hall, “Contactless Payment Comes to Cell Phones”. Business Week,
November 21, 2006.
[3] C. Swedberg. (2006, December). TwinLinx Proposes to Marry NFC and EPC. RFID
Journal. [Online]. Available: http://www.rfidjournal.com
[4] T. Wiechert, F. Thiesse, F. Michahelles, P. Schmitt, and E. Fleisch, “Connecting Mobile
Phones to the Internet of Things: A Discussion of Compatibility Issues between EPC and
NFC,” Americas Conference on Information Systems, AMCIS 2007, submitted for
publication.
[5] G. Sindre and A.L. Opdahl, “Eliciting security requirements with misuse cases,”
Requirements Engineering, Springer-Verlag, vol. 10, 2005, pp. 34–44.
[6] R. Anderson, Security engineering. New York: Wiley, 2001.
[7] Z. Nochta, T. Staake, and E. Fleisch, “Product Specific Security Features Based on RFID
Technology,” International Symposium on Applications and the Internet Workshops
(SAINTW'06), 2006, pp. 72—75.
[8] M. Lehtonen, T. Staake, F. Michahelles, and E. Fleisch, “From Identification to
Authentication – A Review of RFID Product Authentication Techniques,” presented at the
Workshop on RFID Security 2006, Austria.
[9] A. Juels, “Minimalist cryptography for low-cost RFID tags,” in Proc. 4th Conf. on Security in
Communication Networks, Italy, 2004, pp. 149–164.
[10] I. Vajda and L. Buttyán, “Lightweight authentication protocols for low-cost RFID tags,” in
Workshop on Security in Ubiquitous Computing, 2003.
[11] G. Tsudik, “YA-TRAP: Yet another trivial RFID authentication protocol,” in International
Conference on Pervasive Computing and Communications – PerCom 2006, Pisa, Italy,
2006, pp. 640—643.
[12] G. Avoine and P. Oechslin, “A scalable and provably secure hash based RFID protocol,”
in IEEE International Workshop on Pervasive Computing and Communication Security –
PerSec 2005, Kauai Island, Hawaii, USA, 2005, pp. 110–114.
[13] T. Dimitriou, “A Lightweight RFID Protocol to protect against Traceability and Cloning
attacks,” in IEEE Conference on Security and Privacy for Emerging Areas in Communication
Networks – SecureComm, Athens, Greece, 2005.
[14] ang, J. Park, H. Lee, K. Ren, and K. Kim, “Mutual authentication protocol for low-cost
RFID,” in ECRYPT Workshop on RFID and Lightweight Crypto, Graz, Austria, 2005.
[15] S. Dominikus, E. Oswald, and M. Feldhofer, “Symmetric authentication for RFID systems
in practice,” in ECRYPT Workshop on RFID and Lightweight Crypto, Graz, Austria, 2005.
[16] M. Feldhofer, M. Aigner, and S. Dominikus, “An Application of RFID Tags using Secure
Symmetric Authentication,” In Proc. 1st International Workshop on Privacy and Trust in
Pervasive and Ubiquitous Computing - SecPerU 2005, Santorini Island, Greece, 2005, pp.
43–49.
[17] D. Bailey and A. Juels, “Shoehorning security into the EPC standard”, Manuscript in
submission, 2006.
[18] D. Ranasinghe, D. Engels, and P. Cole, “Security and privacy: Modest proposals for low-
cost RFID systems,” presented at the Auto-ID Labs Research Workshop, Zurich,
Switzerland, September 2004.
[19] J. Lee, D. Lim, B. Gassend, G.E. Suh, M. Dijk, and S. Devadas, “A Technique to Build a
Secret Key in Integrated Circuits for Identification and Authentication Applications,”
Symposium on VLSI circuits, 2004, pp 176—179.
[20] A. Juels, “RFID Security and Privacy: A Research Survey,” IEEE Journal of Selected
Areas in Communications, vol. 24, pp. 381—394, February 2006.
[21] R. Koh, E. Schuster, I. Chackrabarti, and A. Bellman, “Securing the Pharmaceutical
Supply Chain,” Auto-ID Labs White Paper, 2003. Available: http://www.autoidlabs.org.
[22] Vijayan, Jaikumar. Boeing readies RFID standards for release to suppliers in 2005 but
the aircraft maker says it won't mandate usage;
http://www.creative-weblogging.de/cgi-bin/frames.cgi?url=http://www.computerworld.com/mobiletopics/mobile/technology/story/0,10801,95989,00.html
[23] DO160 Aerospace Norm Document, provided by Airbus SAS.
[24] ATA Spec2000 Chapter 9, Draft on Parts Specification - version 1.0, provided by Airbus
SAS, 1/17/2007
[25] J. Dryden. Counting the Cost: The Economic Impacts of Counterfeiting and Piracy -
Preliminary Findings of the OECD Study. Communication at Global Congress on Combating
Counterfeiting and Piracy; 30-31 January 2007, International Conference Center, Geneva.
[26] European Commission. Counterfeiting & piracy: Frequently asked questions.
MEMO/05/364, Brussels, 11 October, 2005
[27] European Commission. Community-wide counterfeit statistics for 2004, 2006.
[28] Orgalime, Combating Counterfeiting, October 2001
[29] M. Bishop, “What Is Computer Security?,” IEEE Security and Privacy Magazine, vol. 1,
2003, pp. 67—69
[30] I. Alexander, “Misuse cases: use cases with hostile intent,” IEEE Software, vol. 20, 2003,
pp. 58—66.
[31] GS1. (2007). European Passive RFID Market Sizing 2007-2022. [Online]. Available:
http://www.bridge-project.eu/data/File/European%20Passive%20RFID%20Market%20Sizing%202007-2022-v1.pdf
[32] T. Ramezani and M. Razzazi, “Examination and Classification of Security Requirements
of Software Systems,” in 2nd IEEE International Conference on Information &
Communication Technologies (ICTTA’06), Syria, 2006.
[33] Chaos Communication Congress. (2006). RFID-Zapper. [Online]. Available:
http://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN)
[34] Z. Kfir and A. Wool, “Picking virtual pockets using relay attacks on contactless smartcard
systems,” First International Conference on Security and Privacy for Emerging Areas in
Communications Networks (SECURECOMM'05), 2005, pp. 47—58.
[35] S. Weis, S. Sarma, R. Rivest, and D. Engels, “Security and privacy aspects of low-cost
radio frequency identification systems,” International Conference on Security in Pervasive
Computing – SPC 2003, vol. 2802, 2003, pp. 454—469.
[36] T. Staake, F. Thiesse, and E. Fleisch, “Extending the EPC Network - The Potential of
RFID in Anti-Counterfeiting,” in Proc. Symposium on Applied Computing, New York, 2005,
pp. 1607—1612.
[37] M.C. O’Connor. (2006, February). EPC Tags Subject to Phone Attacks. RFID Journal.
[Online]. Available: http://www.rfidjournal.com.
[38] S. Bono, M. Green, A. Stubblefield, A. Juels, A. Rubin, and M. Szydlo, “Security analysis
of a cryptographically enabled RFID device,” in 14th USENIX Security Symposium, 2005.
[39] S. Weingart, “Physical Security Devices for Computer Subsystems: A Survey of Attacks
and Defenses,” in Proc. Workshop on Cryptographic Hardware and Embedded Systems,
Massachusetts, 2000, pp. 302—317.
[40] H. Gilbert, M. Robshaw, and H. Sibert, “An active attack against HB+ – a provably
secure lightweight authentication protocol,” manuscript, July 2005.
[41] J. Westhues, “Hacking the prox card,” in RFID: Applications, Security, and Privacy,
Addison-Wesley, 2005, pp. 291—300.
[42] J. Pearson, “Securing the Pharmaceutical Supply Chain with RFID and Public-key
Infrastructure (PKI) Technologies”. Texas Instruments White Paper, June 2005. Available:
http://www.ti.com/rfid/docs/docntr.shtml.
[43] G.A. Holton, “Defining Risk,” Financial Analysts Journal, vol. 60, 2004, pp. 19—25.
[44] EPCglobal. (2007). Available: http://www.epcglobalinc.org.
[45] EPCglobal. (2005, July). EPCglobal Architecture Framework Version 1.0. [Online].
Available: http://www.epcglobalinc.org/standards/.
[46] EPCglobal. (2006, January). EPC Information Services (EPCIS) Version 1.0
Specification. Working Draft Version of 8 Jan 2006. Unpublished.
[47] http://www.epcglobalinc.org/standards
[48] EPCglobal. (2005, October). Object Naming Service (ONS) Specification Version 1.0.
[Online]. Available: http://www.epcglobalinc.org/standards/.
[49] EPCglobal. (2005, January). Class-1 Generation-2 UHF RFID Conformance
Requirements Specification v. 1.0.2. [Online]. Available:
http://www.epcglobalinc.org/standards/.
[50] California Software Labs. Whitepapers, May 2005. Available at:
http://www.cswl.com/whitepapers/rfid-technology.html.
[51] M. Feldhofer, S. Dominikus, J. Wolkerstorfer, "Strong Authentication for RFID Systems
using the AES Algorithm", in Proc. of Workshop of Cryptographic Hardware and Embedded
Systems - CHES 2004, Boston, USA, vol. 3156, 2004, pp. 357–370.
[52] A. Juels, “Strengthening EPC Tags Against Cloning,” in ACM Workshop on Wireless
Security, 2005, pp.67—76.
[53] EPCglobal. (2006, March). EPCglobal Certificate Profile. Ratified Specification 1.0.
[Online]. Available: http://www.epcglobalinc.org/standards/.
[54] Tecchannel. (June 2006). FDA lifts delay on enforcing drug pedigree rules. [Online].
Available: http://www.tecchannel.de/news/international/440904/.
[55] D. deKieffer, “Trojan Drugs: Counterfeit and Mislabeled Pharmaceuticals in the Legitimate
Market,” in American Journal of Law and Medicine, Boston University of Law, vol. 32, 2006,
pp. 325-349.
[56] P. Chan, W. Fan, A. Prodromidis, and S. Stolfo, "Distributed Data Mining in Credit Card
Fraud Detection," in IEEE Intelligent Systems, vol. 14, pp. 67-74, November/December
1999.
[57] L. Mirowski, Detecting Clone Radio Frequency Identification Tags. Bachelor's Thesis,
School of Computing, University of Tasmania, November 2006.
[58] P. Chan, W. Fan, A. Prodromidis, and S. Stolfo, "Distributed Data Mining in Credit Card
Fraud Detection," in IEEE Intelligent Systems, vol. 14, pp. 67-74, November/December
1999.
[59] S. Stolfo, W. Fan, W. Lee, A. Prodromidis, and P. Chan, "Credit card fraud detection
using meta-learning: Issues and initial results," in AAAI-97 Workshop on Fraud Detection and
Risk Management, 1997.
Appendix A – Summary of industry specific requirements
Table 8. Summary of different industries’ requirements for an RFID-based product authentication system.
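Business Requirements and Aspects, with one entry per industry (Information Technology; Automotive Industry; Life Science and Pharmaceutical; Aerospace Industry; CG & Retail Industry)
Data
Data on tag
  Information Technology: Amount and type of data is currently subject to research.
  Automotive Industry: Yes, but depends on the price of the tag.
  Life Science and Pharmaceutical: Yes, 96 bit serial number. Exception: reading data from temperature sensors for 50 days, one reading every minute.
  Aerospace Industry: Yes, in the beginning 64 kBits; the more the better.
  CG & Retail Industry: No.
Read-only
  Information Technology: No.
  Automotive Industry: Yes.
  Life Science and Pharmaceutical: No.
  Aerospace Industry: No, also writing, but no deletion.
  CG & Retail Industry: Yes.
Read-out and Write
Reading speed (high, low)
  Information Technology: High, at least 3600 pieces per hour in software manufacturing.
  Automotive Industry: High.
  Life Science and Pharmaceutical: Very high, no concrete numbers available yet.
  Aerospace Industry: Very fast, since a lot of information is read; the currently available speed is too low; the envisioned future scenario is to walk by an aircraft and, while passing by, scan all RFID tags.
  CG & Retail Industry: High.
Online
  Information Technology: Yes.
  Automotive Industry: Yes.
  Life Science and Pharmaceutical: Yes.
  Aerospace Industry: Yes, desirable.
  CG & Retail Industry: Rather yes.
Offline
  Information Technology: Desirable, but not necessary.
  Automotive Industry: Yes, if cryptographic tags.
  Life Science and Pharmaceutical: No.
  Aerospace Industry: Yes, as backup, in case of no connection.
  CG & Retail Industry: Rather yes.
Reading rate
  Information Technology: Very high.
  Automotive Industry: High.
  Life Science and Pharmaceutical: 100%.
  Aerospace Industry: 100%.
  CG & Retail Industry: High.
Writing speed (high, low)
  Information Technology: High, at least 3600 pieces per hour in software manufacturing.
  Automotive Industry: Still subject to research.
  Life Science and Pharmaceutical: Very high, no concrete numbers available yet.
  Aerospace Industry: Highest possible writing speeds are desired.
  CG & Retail Industry: -
Distance: small (few cm), big (up to several m)
  Information Technology: Both. Bulk readings should also be possible.
  Automotive Industry: Both, but depends on privacy issues (see text).
  Life Science and Pharmaceutical: Variable reading distance necessary.
  Aerospace Industry: Both; optimum would be passing by the airplane and reading all tags.
  CG & Retail Industry: Both, item- and bulk-reading.
Tags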
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Anti-Counterfeiting Requirements Report 70/85 Created on 12/06/2007 4:57 PM
Passive tags: yes
Active, passive tags Passive tags, but ideally active tags.
Passive tags. Passive tags. Yes, as long as these tags comply to industry norms (Spec 2000 norm).
Passive.
Price
Very cheap, considering the number products to be tagged
Very low
(fractions of one Euro cent up to 1-2 Euro cents).
Not exceeding 2 USD cents.
More or less Irrelevant, since parts are very expensive
Very low (fractions of one Euro cent up to 1-2 Euro cents).
Life-time of tag
Life-time of the channel (less than three months from manufacturer to client); for server hardware the tag-lifetime shall equal the product lifetime (3-5 years).
At least 15-20 years, due to legal guidelines (15 years after end-of-production).
Product lifetime = tag lifetime, between 1 and 3 years.
Product life-time is around 15 years. Problem: today’s memory capacity would only be sufficient for about 2 years. Tags have to be taken off and replaced by new ones.
220 days on average.
Tag-Visibility (hidden, overt)
Hidden, the smaller the used space, the better; hence, more space can be used for marketing purposes; Microsoft: the look of the product shall be the same everywhere, no matter where it was produced.
Visible, customs require visible tags.
Hidden, due to security and privacy reasons.
None, at least readable. Overt (see text).
Tag-Application (material, surface, etc.)
Inside the DVD inlay for software; hidden, no
Yes: Place, surface, material, packaging, since some parts don’t have package,
There are many different and unique factors regarding tag application. No generalization
Very diverse (see below). None.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Anti-Counterfeiting Requirements Report 71/85 Created on 12/06/2007 4:57 PM
special requirements concerning the surface.
heat, cold, lifetime of the tag.
possible.
Clone prove tags Desirable but not necessary
Desirable Yes, necessary. Desired, but not mandatory if backend tid solution is considered.
Not necessarily if there is a database support.
Usage of cryptographic tags
Not necessarily, only in case of an offline authentication solution.
Yes No.
Yes a) Information should not legible to customers; b) to assure the identification of the tag
No.
Miscellaneous issues
Environmental circumstances (temp., overlapping tags, metal, covert tags, liquids)
None.
Temperature, between -30°C and + 120° C and more, depends on what product and place.
There are different requirements regarding the tag application; tags have to resist cold and rough handling.
Spec 2000 Document, chapter 9 and the DO 160 Document: temperature variation, humidity (high, low), acids, oil compatibility, pressures, shocks, waterproofness, sand and dust, fungus resistance, salt spray, corrosion, icing, fire, flammability, smoke, toxicity, hail, constant acceleration.
None.
Products to be tagged
Once a solution is in place, all products will be tagged; in the beginning only frequently counterfeit products will be tagged.
Service parts, wear parts, security relevant parts, parts that are very frequent and thus interesting to counterfeiters; corresponds to 20-25% of all parts.
Products those are most prone to being counterfeit and stolen.
All line replaceable units (LRUs) will be tagged. There are about 5000 LRUs on average on a civil aircraft.
Counterfeit products, expensive products, often faked products.
Constraints regarding tag integration
None.
Want to integrate the tag into the part itself; still, has to endure shocks and temperatures inside the car..
There are many different and unique factors regarding tag application. No generalization possible. Most important aspects, however, are liquids, metals and space
Weight, size and the possibility to attach so that the tag does not fall off.
None.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Anti-Counterfeiting Requirements Report 72/85 Created on 12/06/2007 4:57 PM
issues.
Requirements regarding tamper resistance
Yes, broken if removed (destructive).
Yes, shall break if removed
Yes, because counterfeit deterrent.
Yes, shall break if removed. -
Devices to check (mobile, portable, fixed devices)
All of the mentioned
All of the mentioned
All of the mentioned. All of the mentioned. All of the mentioned
Reuse of tags No, only in closed-loop environments.
Yes, if it saves money
No. No. No.
Production Line Application (needed? Speed)
Yes, at least 3600 pieces per hour in software manufacturing.
Yes, rather for suppliers.
Yes
Yes; additionally different types of tags and reading/writing frequencies have to be taken into consideration, since different countries allow different frequencies.
Not very industry specific.
Estimated percentage of tagged products
E.g., Microsoft: around 300 Million pieces.
25% of all products, later all (between 200 000 and 2000 000)
In the beginning not 100%, especially those which are prone to be faked and stolen, potentially several millions.
All LRUs, almost 100%. Pallet and carton tagging, later maybe item-level tagging (see text).
Degree of human interaction
Bulk reading should be possible.
Low, due to price reasons
None. Should not be possible to detach it. High for pallet and carton tagging.
Level of confidence (100% or lower)
Might also be lower; 99%
Might be lower, if there is a matching between the EDI / ASN and the actual delivery.
100%, maybe also lower, if percentage of confidence is indicated.
100%. High.
Own standard No.
Automotive Standards Organizations are binding.
No. Spec 2000 aerospace industry standard is more binding for aircraft manufacturers than EPCglobal/GS1 standard.
No.
Motivation, further application
Traceability, more visibility and transparency, detection of parallel trading and product diversion.
After Sales Service, manufacturing, potentially logistics.
Legal compliance, logistic, supply chain visibility and transparency, detection of and diversion.
Logistics, Equipment Configuration Management, Warehouse application.
Logistics.
Appendix B – Illustrations
Figure 6. The chain of trust of (rectangles), and the threats against (ovals), an RFID-based product authentication system. The arrows indicate the different information flows that take place within the product authentication process.
Figure 7. Use/misuse-case diagram of the functional security requirements of RFID-based product authentication. The white ovals are the security goals of the system and the black ovals represent the threats. The overall requirement is to mitigate all applicable threats with security goals.
Appendix C – Interview Guideline