Global Sources
EE Times-Asia
Stay in touch with EE Times Asia
EE Times-Asia > RF/Microwave

Group pushes RFID standardization to secure supply chain

Posted: 23 Sep 2008 ?? ?Print Version ?Bookmark and Share

Keywords:RFID tagging? authentication system? supply chain secure?

The U.S. pharmaceutical industry has been piloting trials of RFID tag technology as a way to secure the prescription drug supply chain via an electronic pedigree due to government requirements aimed at securing the integrity of the healthcare system in the country. Beyond meeting legislative requirements, RFID track-and-trace trials have strong commercial promise to reduce counterfeit drugs and boost supply chain efficiency.

It is widely believed that the pharmaceutical pilots will lead the way to widespread deployment of Item-Level Tagging (ILT). What has worked to track and trace inventory at the pallet-and-case level, however, is not optimal when dispensing item-level products.

The crux of the matter: A centralized, online authentication scheme adds significant cost and complexity to RFID authentication. A decentralized approach, however, can provide both item-level authentication and privacy in real-time, without full-time access to a centralized database, which is more flexible and cost effective. A decentralized approach, based on Elliptic Curve Pintsov-Vanstone Signatures (ECPVS), extends the benefits of ILT where online access is too costly or not possible.

Retailers such as Wal-Mart Stores have been early adopters of RFID tagging technology for improved supply chain management. As RFID goes mainstream, EPCglobal, an international non-profit aimed at achieving worldwide standardization and adoption of electronic product codes (EPCs), is driving RFID standardization, with a comprehensive numbering system and centralized IT infrastructure intended to deliver RFID benefits to the supply chain on a global scale.

EPCglobal enables electronic supply chain management using track-and-trace of shipments at the container and pallet level, with a uniform EPC that can be used by OEMs, shippers, distributors and retailers to manage inventory flow.

In addition to supply chain management, EPCglobal is addressing the growing counterfeit product problem. The U.S. Department of Homeland Security seized more than $93 million in counterfeit products in 2005, according to government statistics. Counterfeit products can put the public at risk, with pharmaceuticals a special concern.

Centralized vs. decentralized
RFID tags can mitigate the risk of counterfeit products, but unfortunately the data on a legitimate tag can easily be copied to a bogus tag. The good news is that copied data can be detected with an authentication system. A couple of methods have been proposed for authenticating individual tags. One is a centralized approach based on electronic databases; the other is a decentralized approach based on digital signatures.

Privacy is also a critical issue. It's a concern for the consumer who may not wish to broadcast his Viagra purchase, but it's also important for the manufacturer that wants to prevent the detection and subsequent theft of genuine products, or substitution with counterfeits, in the supply chain. An RFID tag authentication system must ensure that only authorized devices can identify products.

The centralized approach uses an online database such as the EPCglobal system to provide an ILT pedigree service. The data from every product to be authenticated would be registered in a secure online database, linking the unique tag ID to the product's unique 96bit EPCglobal product identifier. Each item to be processed or authenticated could be found by accessing the database.

The major limitation of this method is that all tag readers and writers need online access to the database, which adds significant cost and risk to an authentication system. If a large retailer like Wal-Mart experiences a small percentage of network downtime, it could have a significant impact on the business. Accessing online information is sometimes itself undesirable because the act leaks information.

The decentralized alternative to RFID-based product authentication involves the use of digital signatures. Digital signatures allow each tag, thus each item-level product, to be authenticated. All that's needed to authenticate any tag is the public key from the signing key pair.

Using digital signatures to authenticate RFID tags is not a new idea. Texas Instruments and VeriSign tested 1024bit RSA digital signatures on RFID tags in mid-2005.

The RSA signature itself was generated on the concatenation of the Unique Item Identifier (UID) and the Product Manufacturer Identifier. The signature on such a tag can be easily copied into a counterfeit tag, but because the UIDs of the tags are unique and cannot be reprogrammed, a copied signature will not be verified successfully.

Off-line benefit
The benefit of the digital signature approach to authentication is that verification is an off-line process. It requires only that each reader has possession of the verification key, which is the public key corresponding to the tag's signature.

The problem found during the trial is that use of RSA signatures requires more than 1 Kbps of memory and is too slow for practical application in high-speed, low-cost ILT software. Also, the public key digital signature approach used by VeriSign for tag authentication did not solve tag privacy problems, so only one of pharma ILT requirement was met.

RSA-based authentication schemes have shortcomings, but there is a digital signature scheme that provides both authentication and privacy in an off-line environment suitable for ILT. Based on Elliptic Curve Cryptography, this technique, ECPVS, uses the IEEE 1363a standard, and has been applied commercially to applications such as digital postal metering, in demand high-speed signing and advanced security.

ECPVS includes message recoverypart of a message signed can be recovered from the signature verification process. This feature can be used to advantage in an ILT because ECPVS can provide authentication and privacy in a single off-line operation.

ECPVS can be used to sign an RFID tag and verify it using a reader with the corresponding public "verification" key. At the same time it can hide the Product Class ID from unauthorized readers without a verification key.

Strong and efficient, ECPVS is ideal for RFID ILT. A tag requiring the same security level as one signed with a 1,024-bit RSA signature requires only 352 bits of storage. Memory size impacts die size, so saving memory reduces RFID tag cost.

Using ECPVS, retailers and pharmacies can realize process efficiencies by making sensitive product data available on the tag for smart-shelf inventory management, decreasing the need for access to a centralized system.

Public key
ECPVS is based on public-key cryptography, and the overarching system security architecture uses Public Key Infrastructure design principles to protect vital system assets.

The Certificate Authority is responsible for issuing signing credentials for individual product lines to be authenticated. Signature and verification keys are generated based on product certification request from the pharma manufacturer. Signing credentials are delivered via secure communications link such as SSL.

Digital signature schemes rely on keeping the private key of a public/private key pair secret and sharing the public key. In the ILT scheme, this requires drug manufacturers to maintain control over their private signing keys, preventing production of authentic tags.

ILT signing in a high-speed production environment requires a robust security design. Best practice indicates the use of a FIPS 140-2 Level 3 Hardware Security Module (HSM) as part of the RFID tag signing system. The HSM must interface with both the RFID printers writing the tags. In essence, what is required is a secure tag signing station that operates at production-line speeds.

To authenticate the RFID tags, readers must employ an authentication agent that can verify each ECPVS signature and recover the encrypted Product Class ID. The agent must have access to a copy of the verification keys, the public keys linked to the signing process.

Bottom line, ECPVS bridges the gap between pallet-level supply chain management and item-level authentication. Verification can be done by low-cost, portable readers without network access. Off-line operation is fast and cost effective and ensures product authenticity as well as end-user privacy.

- Jim Alfred
EE Times

Article Comments - Group pushes RFID standardization to...
*? You can enter [0] more charecters.
*Verify code:


Visit Asia Webinars to learn about the latest in technology and get practical design tips.

Back to Top