bridge wp05 anti-counterfeiting requirements report

Building Radio frequency IDentification for the Global Environment

Anti-counterfeiting Requirements Report

Authors: ETH Zurich, SAP Research

11 July 2007

This work has been partly funded by the European Commission contract No: IST-2005-033546


About the BRIDGE Project: BRIDGE (Building Radio frequency IDentification for the Global Environment) is a 13 million Euro RFID project running over 3 years and partly funded (€7,5 million) by the European Union. The objective of the BRIDGE project is to research, develop and implement tools to enable the deployment of EPCglobal applications in Europe. Thirty interdisciplinary partners from 12 countries (Europe and Asia) are working together on: Hardware development, Serial Look-up Service, Serial-Level Supply Chain Control, Security; Anti-counterfeiting, Drug Pedigree, Supply Chain Management, Manufacturing Process, Reusable Asset Management, Products in Service, Item Level Tagging for non-food items as well as Dissemination tools, Education material and Policy recommendations. For more information on the BRIDGE project: www.bridge-project.eu

This document: This deliverable presents the requirements analysis for the anti-counterfeiting system that is under development in this work package. The envisaged system will authenticate products and it can be used to prevent counterfeit products from entering the distribution channel of genuine products. We define authentication of products as the verification of a product’s claimed identity. Because WP5 of the BRIDGE project is a business work package without a specific intended end-user company for the investigated anti-counterfeiting solution, this deliverable focuses on analyzing how potential technical solutions fit the requirements of anti-counterfeiting rather than on describing a list of requirements of a specific system.

Disclaimer: This document results from work being done in the framework of the BRIDGE project. It does not represent an official deliverable formally approved by the European Commission.

Copyright 2007 by ETH Zurich, SAP Research, All rights reserved. The information in this document is proprietary to these BRIDGE consortium members.

This document contains preliminary information and is not subject to any license agreement or any other agreement as between with respect to the above referenced consortium members. This document contains only intended strategies, developments, and/or functionalities and is not intended to be binding on any of the above referenced consortium members (either jointly or severally) with respect to any particular course of business, product strategy, and/or development of the above referenced consortium members. To the maximum extent allowed under applicable law, the above referenced consortium members assume no responsibility for errors or omissions in this document. The above referenced consortium members do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, or non-infringement. No licence to any underlying IPR is granted or to be implied from any use or reliance on the information contained within or accessed through this document.

The above referenced consortium members shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intentional or gross negligence. Because some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. The statutory liability for personal injury and defective products is not affected.

The above referenced consortium members have no control over the information that you may access through the use of hot links contained in these materials and do not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

Executive Summary

This deliverable presents the requirements analysis for the anti-counterfeiting system that is under development in this work package. The envisaged system will authenticate products and it can be used to prevent counterfeit products from entering the distribution channel of genuine products. We define authentication of products as the verification of a product’s claimed identity. Because WP5 of the BRIDGE project is a business work package without a specific intended end-user company for the investigated anti-counterfeiting solution, this deliverable focuses on analyzing how potential technical solutions fit the requirements of anti-counterfeiting rather than on describing a list of requirements of a specific system.

Interviews with different industries revealed that the end-users of the product authentication system, that is, companies affected by product counterfeiting, need a fast and reliable online check that could be used by all business partners and for different kinds of products. Companies would also like the RFID-based product authentication system to be closely linked to other services, for instance to support supply chain management activities. Different industries have different requirements regarding the specific use of the RFID-based product authentication system. These requirements mostly relate to how the RFID tags are integrated into the products, what kind of RFID tags should be used, and how the tags are read. The level of security in RFID-based product authentication systems is an important cost factor because a higher level of security is achieved by cryptographic RFID tags that are more expensive than the common RFID tags. Overall, companies desire a secure and inexpensive system but find it hard to precisely specify the required level of security.

Interviews with customs revealed that having a standard solution that can be used to authenticate different products is of primary importance for them. According to the interviews, customs officers would most benefit from a system that could be used to authenticate suspicious products with mobile devices.

Analysis of functional security requirements of product authentication in general shows that there are three distinct approaches to authenticate products, depending on how the tag cloning attack is mitigated. A tag cloning attack refers to copying a genuine product’s ID number onto another tag that is attached to a counterfeit product. These approaches are: tag authentication (i.e. use of cryptographic tags), location-based authentication (i.e. track and trace based plausibility check), and authentication based on object-specific security features (i.e. product’s physical fingerprint).

We have identified several solution concepts to authenticate RFID-tagged products in the EPC network. Analysis of the current EPC network’s conformance to the identified requirements revealed that the network’s support for the detection of cloned tags is far from optimal and should be improved by an automated analysis of the track and trace data of the product’s locations. A completely automated product authentication check (instead of one that relies on users of the system analyzing the traces of products themselves) is furthermore required by the industries as well as by customs. Therefore, in the future steps of this work package we will opt for the development of a track and trace based product authentication system that automatically detects the cloned tags.
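The track and trace based plausibility check summarized above can be sketched as follows. This is an added example, not code from the report or the BRIDGE project; the read points, transit times, EPC values and rule names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed model of the licit distribution channel: each allowed hop and
# the shortest plausible transit time for it (assumed values).
MIN_TRANSIT = {
    ("factory_zurich", "dc_hamburg"): timedelta(hours=10),
    ("dc_hamburg", "retail_berlin"): timedelta(hours=3),
}
COMMISSIONING_SITES = {"factory_zurich"}  # where genuine EPCs are first read

EPC_PREFIX = "urn:epc:id:sgtin:0614141.107346."  # constructed sample prefix
# Constructed read events: (EPC, ISO timestamp, read point).
EVENTS = [
    # 2017: an ordinary trace through the licit channel.
    (EPC_PREFIX + "2017", "2007-07-02T08:00:00", "factory_zurich"),
    (EPC_PREFIX + "2017", "2007-07-03T09:00:00", "dc_hamburg"),
    (EPC_PREFIX + "2017", "2007-07-04T10:00:00", "retail_berlin"),
    # 2018: a second tag with the same number is read in Berlin 30 minutes
    # after the item was read in Hamburg.
    (EPC_PREFIX + "2018", "2007-07-02T08:05:00", "factory_zurich"),
    (EPC_PREFIX + "2018", "2007-07-03T09:00:00", "dc_hamburg"),
    (EPC_PREFIX + "2018", "2007-07-03T09:30:00", "retail_berlin"),
    (EPC_PREFIX + "2018", "2007-07-04T10:00:00", "retail_berlin"),
    # 2019: the first read ever is at a retailer, never at the factory.
    (EPC_PREFIX + "2019", "2007-07-04T11:00:00", "retail_berlin"),
]


def build_traces(events):
    """Group read events by EPC and sort each trace by time."""
    traces = defaultdict(list)
    for epc, ts, read_point in events:
        traces[epc].append((datetime.fromisoformat(ts), read_point))
    for trace in traces.values():
        trace.sort()
    return traces


def check_trace(trace):
    """Return the list of plausibility violations in one sorted trace."""
    issues = []
    if trace[0][1] not in COMMISSIONING_SITES:
        issues.append(("not_commissioned", trace[0][1]))
    for (t0, a), (t1, b) in zip(trace, trace[1:]):
        if a == b:
            continue  # repeated read at the same site
        need = MIN_TRANSIT.get((a, b))
        if need is None:
            issues.append(("unknown_route", a, b))  # hop not in the channel
        elif t1 - t0 < need:
            issues.append(("too_fast", a, b))  # faster than goods can travel
    return issues


def authenticate(epc, traces):
    """Verdict for a product presenting `epc`: unknown, suspect or plausible."""
    if epc not in traces:
        return "unknown", []  # number was never issued or never read
    issues = check_trace(traces[epc])
    return ("suspect" if issues else "plausible"), issues


if __name__ == "__main__":
    traces = build_traces(EVENTS)
    for serial in ("2017", "2018", "2019", "9999"):
        print(serial, *authenticate(EPC_PREFIX + serial, traces))
```

A violation marks the EPC number as suspect; the trace alone cannot tell which of the physical items carrying that number is the genuine one.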

The goal of this work package is to study how the existing RFID and EPC technologies can be applied to anti-counterfeiting. Hence, the development of completely new technical solutions such as novel cryptographic tag authentication protocols is out of the scope of this work package. The technical contribution of this work package will focus on application areas of the existing techniques, such as how to use the RFID track and trace data to detect cloned tags. The contents of all deliverables of this work package are illustrated below in Figure 1.

Deliverable and content:

D.5.1 Problem-Analysis Report on Counterfeiting and Illicit Trade
• Problem analysis of product counterfeiting
• Problem analysis of illicit trade
• Illicit trade in different industries
• Impact of illicit trade (qualitative)

D.5.2 Anti-counterfeiting Requirements Report
• Industry requirements of product authentication
• Security requirements of product authentication
• Product authentication in EPC network

D.5.3 Anti-counterfeiting Business Case Report
• Impact of illicit trade (qualitative)
• Impact of countermeasures
• Financial model of counterfeiters

D.5.4 Anti-counterfeiting Trial Preparation Report
• Selection of appropriate hardware
• Integration of tags
• System integration

D.5.5 Anti-counterfeiting Evaluation Report
• Evaluation of trials
• TBD

D.5.6.1 Anti-counterfeiting Application Guidelines
• Application guidelines
• TBD

D.5.6.2 Anti-counterfeiting Implementation Roadmap
• Implementation Roadmap
• TBD

Figure 1. Summary of all deliverables of BRIDGE WP5

Table of Contents

EXECUTIVE SUMMARY

1 INTRODUCTION
  1.1 MOTIVATION AND GOALS OF THIS REPORT
  1.2 METHODOLOGY
  1.3 PRODUCT AUTHENTICATION
    1.3.1 Object-specific features based authentication
    1.3.2 Tag authentication
    1.3.3 Location based authentication
    1.3.4 “Weak authentication”
  1.4 STRUCTURE OF THIS REPORT

2 INDUSTRY REQUIREMENTS FOR PRODUCT AUTHENTICATION
  2.1 GENERAL REQUIREMENTS OF PRODUCT AUTHENTICATION
  2.2 MOTIVATION FOR AN INDUSTRY-SPECIFIC APPROACH
  2.3 INFORMATION TECHNOLOGY INDUSTRY
  2.4 AUTOMOTIVE INDUSTRY
  2.5 AEROSPACE INDUSTRY
  2.6 CONSUMER GOODS AND RETAIL INDUSTRY
  2.7 LIFE SCIENCE AND PHARMACEUTICAL INDUSTRY
  2.8 SUMMARY OF THE INDUSTRY REQUIREMENTS

3 CUSTOMS REQUIREMENTS FOR PRODUCT AUTHENTICATION
  3.1 CUSTOMS IN SWITZERLAND
  3.2 CUSTOMS IN GERMANY
  3.3 CUSTOMS REQUIREMENTS

4 SECURITY REQUIREMENTS FOR PRODUCT AUTHENTICATION
  4.1 NON-FUNCTIONAL SECURITY REQUIREMENTS
  4.2 CHAIN OF TRUST, THREATS, AND RISKS IN PRODUCT AUTHENTICATION
    4.2.1 Chain of trust in product authentication
    4.2.2 Threats in product authentication
    4.2.3 Risks in product authentication
  4.3 FUNCTIONAL SECURITY REQUIREMENTS

5 PRODUCT AUTHENTICATION IN THE EPC NETWORK
  5.1 TECHNICAL ENVIRONMENT OF THE SOLUTION
  5.2 DIFFERENT SOLUTION CONCEPTS IN THE EPC NETWORK
  5.3 EPC NETWORK’S CONFORMANCE TO GENERAL REQUIREMENTS
  5.4 EPC NETWORK’S CONFORMANCE TO INDUSTRY SPECIFIC REQUIREMENTS
  5.5 EPC NETWORK’S CONFORMANCE TO SECURITY REQUIREMENTS

6 DISCUSSION

REFERENCES

APPENDIX A – SUMMARY OF INDUSTRY SPECIFIC REQUIREMENTS

APPENDIX B – ILLUSTRATIONS

APPENDIX C – INTERVIEW GUIDELINE

Table of Figures

FIGURE 1. SUMMARY OF ALL DELIVERABLES OF BRIDGE WP5

FIGURE 2. CATEGORIZATION OF REQUIREMENTS OF PRODUCT AUTHENTICATION

FIGURE 3. STRUCTURE OF THIS REPORT.

FIGURE 4. ILLUSTRATION OF INDUSTRY-SPECIFIC AND INDUSTRY-INDEPENDENT (GENERAL) REQUIREMENTS.

FIGURE 5. EUROPEAN CUSTOMS IMPORT PROCESS.

FIGURE 6. THE CHAIN OF TRUST OF (RECTANGLES) AND THREATS AGAINST (OVALS) RFID BASED PRODUCT AUTHENTICATION SYSTEM. THE ARROWS INDICATE THE DIFFERENT INFORMATION FLOWS THAT TAKE PLACE WITHIN PRODUCT AUTHENTICATION PROCESS.

FIGURE 7. USE/MISUSE-CASE DIAGRAM OF FUNCTIONAL SECURITY REQUIREMENTS OF RFID BASED PRODUCT AUTHENTICATION. THE WHITE OVALS ARE THE SECURITY GOALS OF THE SYSTEM AND THE BLACK OVALS PRESENT THE THREATS. THE OVERALL REQUIREMENT IS TO MITIGATE ALL APPLICABLE THREATS WITH SECURITY GOALS.

FIGURE 8. AN EXAMPLE OF A TYPICAL ONS QUERY [48]

FIGURE 9. ILLUSTRATION OF THE HARDWARE AND SOFTWARE ROLES OF THE EPCGLOBAL ARCHITECTURE FRAMEWORK [45]. EPCGLOBAL STANDARDS DEFINE THE INTERFACES BETWEEN THE ROLES.

FIGURE 10. SOLUTION CONCEPT 1: PRODUCT AUTHENTICATION BASED ON TAG AUTHENTICATION / OBJECT-SPECIFIC FEATURES.

FIGURE 11. SOLUTION CONCEPT 2: PRODUCT AUTHENTICATION BASED ON LOCAL TRACE ANALYSIS BY AN ACCESSING EPCGLOBAL SUBSCRIBER.

FIGURE 12. SOLUTION CONCEPT 3: PRODUCT AUTHENTICATION BASED ON GLOBAL TRACE ANALYSIS BY EPC-TAS.

FIGURE 13. ILLUSTRATION OF PRODUCT AUTHENTICATION IN THE EPC NETWORK: THE ACCESSING APPLICATION ON THE RIGHT-HAND SIDE AUTHENTICATES A PRODUCT WITH A EPC NUMBER ON IT. THE NUMBERED COMMUNICATION MECHANISMS REPRESENT THE THREE DIFFERENT SOLUTION CONCEPTS. (*PLANNED BUT NOT YET DEFINED SERVICE, **NEW SERVICE)

Table of Tables

TABLE 1. REQUIREMENTS FROM THE INFORMATION TECHNOLOGY INDUSTRY

TABLE 2. REQUIREMENTS FROM THE AUTOMOTIVE INDUSTRY

TABLE 3. REQUIREMENTS FROM THE AEROSPACE INDUSTRY

TABLE 4. REQUIREMENTS FROM THE CONSUMER GOODS AND RETAIL INDUSTRY

TABLE 5. REQUIREMENTS FROM THE LIFE SCIENCES AND PHARMACEUTICALS INDUSTRY

TABLE 6. RELATIONSHIPS BETWEEN USE CASES AND MISUSE CASES

TABLE 7. THE FUNCTIONAL SECURITY REQUIREMENTS OF DIFFERENT PRODUCT AUTHENTICATION APPROACHES

TABLE 8. SUMMARY OF DIFFERENT INDUSTRIES REQUIREMENTS FOR RFID-BASED PRODUCT AUTHENTICATION SYSTEM

1 Introduction

In the previous deliverable of this work package, D5.1 – Problem-Analysis Report on Counterfeiting and Illicit Trade, we have shown that counterfeiting is a serious threat that has reached industrial scales. With today’s widely available manufacturing technology, it is relatively easy to produce high volumes of counterfeit products that have adequate visual quality to fool unaware consumers and even distributors of the genuine products. It is expensive, however, to establish supply chains and distribution channels for the counterfeit products and trust with the trading partners. Since most products flow anonymously¹ today, it is possible for the counterfeit players to abuse the distribution channels of the licit products and inject the counterfeit products among the genuine ones. In addition to fooling unaware buyers into consuming counterfeit products that can pose security and safety risks due to their possibly inferior quality, the counterfeit players can charge full price for these unknowingly consumed counterfeit products, which further increases their illegal profits.

Today, the problem of counterfeit trade is mostly addressed by affected companies’ legal countermeasures. Legal trials, however, might not scale to solve the problem: the counterfeit players can never all be found because they hide their work, counterfeit players are not always prosecuted due to a lack of law enforcement in their countries of origin, and the fines for illicit trade are often small compared to the financial benefits, so the counterfeiters can quickly recover and recommence the illicit activities. Because of these shortcomings of legal countermeasures we want to solve the problem at source by giving each product a name (identifier) and by verifying this name (authentication) while the products flow in their licit distribution channels. First, this countermeasure protects the consumers and end-users of genuine products from consuming counterfeits by increasing the supply chain security. Second, this countermeasure can potentially destroy the counterfeiters’ business case by increasing the counterfeiters’ risks and lowering their expected results, which would discourage illicit players in general from engaging in product counterfeiting.

There are many approaches and technologies to authenticate products available today, but the problem of product counterfeiting remains and companies continuously demand new technical countermeasures, for example in the value printing industry that is responsible for the security of passports and banknotes. One problem with the existing technologies is that the security features are static: they might not provide an adequate level of protection and it is often only a question of time before they are broken and copied to several counterfeit products. Because illicit actors attempt to break or bypass the authentication mechanisms for illegal financial benefits, security is a critical property of product authentication systems. Another problem with the existing approaches is that even if a product authentication system provides an adequate level of security, there are many more requirements that have to be fulfilled in order to use the product authentication as an effective anti-counterfeiting tool. Most importantly, these requirements include low cost and low effort to check a product and low response times. Existing techniques that are considered highly secure today, such as forensic analysis of a product’s natural or artificial features (e.g. microscopic taggants), or the use of sophisticated security labels with special magnetic or optical properties, often fail regarding these other requirements: the check can be performed only by using special equipment (e.g. devices for chemical analysis, optical/magnetic reader devices), the check is time-consuming and takes up to days of laboratory experiments, or the check can be performed by a trained expert only. In particular, the price per check is often relatively high. Therefore it is also important to consider what requirements the end-users of product authentication systems have regarding the usability of the system. Auto-ID technologies, and Radio-Frequency IDentification (RFID) in particular, have the potential of providing product authentication solutions that can better address the needs of their end-users, such as affected brand-owners and customs. This is because a carefully designed and implemented RFID based product authentication system has the potential of being highly secure but also easier and less expensive to use for wide scale checks.

¹ Without unique identities

The main motivation to use RFID in product authentication is that RFID will be adopted anyway in many applications due to its benefits in the retail industry and logistics, so the potential for secure product authentication will also be there. A market study of GS1 and LogicaCMG [31] illustrates that the expected adoption rate of RFID is fast and billions of tags will be sold annually in Europe alone within the next few years. The same study also concludes that the adoption is driven by item level tagging in the retail and consumer goods industry. In the long term, the integration of RFID readers in mobile phones, in particular through Near Field Communication (NFC) technology, presents a promising opportunity in anti-counterfeiting. NFC denotes a technology that allows for integrating RFID functionality in a mobile phone, making it both an RFID transponder and a reader device [1]. According to a prediction of ABI research, in the year 2011 a total of 450 million mobile handsets (30% of all mobile handsets) will be NFC-enabled [2]. Because the NFC handsets might become the world’s largest RFID reader infrastructure in the future, solving the interoperability problems between NFC and other RFID standards, EPC in particular, is of great interest for the industry and actively addressed by both practitioners [3] and the scientific community [4]. If these two technologies converge, consumers could also take part in verifying the authenticity of tagged products.

The goal of this work package is to study how the existing RFID and EPC technologies can be applied to anti-counterfeiting. Hence, the development of completely new technical solutions such as novel cryptographic tag authentication protocols is out of the scope of this work package. The new technical contribution of this work package will focus on application areas of the existing techniques, such as how to use the RFID track and trace data to detect cloned tags.

1.1 Motivation and goals of this report

This report investigates the suitability of RFID in anti-counterfeiting. Because WP5 of the BRIDGE project is a business work package without a specific intended end-user company for the investigated anti-counterfeiting solution, this deliverable focuses on analyzing how potential technical solutions fit the requirements of anti-counterfeiting rather than on describing a list of requirements of a specific system. The technological focus is on the EPCglobal infrastructure that is being used and developed further within the overall BRIDGE project. Because we can assume that RFID will become widespread in the future anyway, the overall motivation of this report is to learn how to use it against product counterfeiting in an optimal way. The goal of this report is to outline the steps to be taken to establish efficient and effective anti-counterfeiting countermeasures through EPC technology. This includes:

• finding out the constraints and requirements of end-user companies that would use the EPC based product authentication system (Section 2),

• finding out the constraints and requirements that customs have regarding the use of the EPC-based product authentication system (Section 3),

• finding out the security requirements of reliable product authentication (Section 4), and

• finding out how these constraints and requirements can be met in the EPCglobal network (Section 5).

1.2 Methodology

To find out the constraints and business requirements of end-user companies of an EPC-based product authentication system, we have interviewed companies affected by counterfeiting as well as product authentication solution providers. The interviews were conducted in two parts: First, the general requirements for an optimal product authentication system were gathered from eight interviews with anti-counterfeiting experts. These interviews were semi-structured with an interview guideline, conducted during the problem-analysis task, by telephone, and they lasted about one hour. Second, to assess the industry-specific requirements, another round of interviews was conducted. In this round, a total of 11 companies were reached for semi-structured interviews that were conducted via telephone and lasted on average 50 minutes. About half of the interviewees were RFID experts in their corresponding companies, and the other half were experts on anti-counterfeiting and/or supply chain management related issues. The questionnaire used in these interviews can be found in the appendixes. For third parties’ requirements, three anti-counterfeiting experts from customs were interviewed.

To find out the security requirements of product authentication systems, a different methodology was chosen: We first derived a formal definition for product authentication and reviewed the different RFID-based product authentication approaches. In order to derive the functional security requirements, we adopted the misuse case methodology proposed by Sindre and Opdahl [5]. The misuse case concept extends the use case paradigm that is common in requirements engineering. The non-functional security requirements were derived from an understanding of the underlying logic behind product authentication. Categorization of the requirements is presented in Figure 2.

[Figure 2: hierarchy diagram. Requirements Analysis D5.2 divides into business requirements of product authentication (general requirements, industry specific requirements, third parties requirements) and security requirements of product authentication (non-functional security requirements, functional security requirements); the branches are labelled Section 2, Section 3 and Section 4.]

Figure 2. Categorization of requirements of product authentication

1.3 Product Authentication

Product authentication is the core service that technical anti-counterfeiting countermeasures rely on. This subsection provides a short introduction to product authentication as a background for the reader of this report. Authentication is one of the fundamental security services together with confidentiality, integrity, availability, and non-repudiation of changes. We define authentication as the process of proving one’s identity to someone else [6]. It follows that we can formulate product authentication as identification of the product followed by verification of the claimed identity. This definition can be formalized as follows:

Product authentication = Product identification + Verification of claimed identity,
Identification = Claim of identity

Based on the existing product authentication techniques, we can identify three general approaches by which products can be authenticated. These general approaches are:

• product authentication based on object-specific features,

• product authentication based on tag (e.g., hologram, watermark, cryptographic RFID tag etc.) authentication, and

• product authentication based on product location.

RFID can be used as an enabling technology to implement all these approaches and we give below a short review of proposed concepts. More comprehensive reviews of different product authentication techniques can be found in EU-SToP project deliverables D3.1 (State-of-the-art analysis on relevant research, existing technologies and products) and D4.1 (State-of-the-art analysis of smart tagging technologies).

1.3.1 Object-specific features based authentication

Nochta et al. [7] proposed a way to use RFID to authenticate products based on so called

object-specific features. In their approach, information about physical or chemical features

that are unique to that particular product (e.g., very precise weight, unique patterns in surface

material, precise concentrations of different materials) is stored on the tag and linked to the

brand owner for example via a digital signature. The identity of a product can then be verified

by measuring the object-specific features of the product under study and comparing them to

the unique features that the genuine product should have according to the brand owner. The

reasoning is that only the genuine product has that particular feature. The benefit of this

approach is that the tag only needs to store data which keeps the tag price low, but the cost

and effort to check the products is high.

In general, product authentication based on object-specific features can be formalized as

follows. Here, A stands for ‘verifier’ and B for ‘prover’, f is the measured feature value of the

product under study (B) and f̂ the reference feature value of the genuine product.

1. B → A: “I am B”

2. A → B: “what is your feature value?”

3. B → A: f

4. A (verification): |f − f̂| < ε

1.3.2 Tag authentication

The second general approach to authenticate products is to insert a security label that is

hard to clone on genuine products, and to authenticate this security label. RFID tags can be

protected from cloning in different ways and many tag authentication protocols have been

proposed in the literature. WP4 of the BRIDGE project addresses the technical issues

regarding tag authentication (Task 4.3: Anti-cloning of RFID Tags). All tag authentication

protocols are based on (one or more) challenge-response pairs between the back-end

system and the tag. The conventional authentication protocols are based either on

symmetric-key encryption or asymmetric-key encryption. The conventional symmetric-key

authentication protocol between ‘verifier’ A and ‘prover’ B can be formalized as follows:

1. B → A: “I am B”

2. A → B: c

3. B → A: fA-B(c)

4. A (verification): gA-B (fA-B (c)) = c

Here fA-B(.) denotes encryption with the symmetric secret key shared by A and B, and gA-B(.)

denotes decryption with the same key. The verifier A creates a fresh (random) challenge c for

every execution instance of the protocol to make the use of old response messages useless

for attackers. The asymmetric-key authentication protocol differs in the way the verifier A

decrypts the response. When f-A(.) denotes encrypting with the secret key of A, and f+A(.)

decryption with the public key of A, the conventional asymmetric-key authentication protocol

can be formalized as:

1. B → A: “I am B”

2. A → B: c

3. B → A: f-A (c)

4. A (verification): f+A (f-A (c)) = c

The underlying reasoning in this product authentication approach is that a tag is authentic if it

knows a certain secret key. Since the computing resources of an RFID tag are limited,

asymmetric encryption is currently infeasible in common RFID tags [8]. The proposed tag

authentication protocols are based on low-cost cryptographic primitives like bitwise

operations and pseudo-random numbers (e.g., [9]-[11]), on hash-functions (e.g., [12]-[14]),

on symmetric encryption (e.g., [15]-[17]), or on Physical Unclonable Functions (PUF). The

PUF is a one way function that allows calculation of unique responses using only some

hundreds of logical gates without using costly cryptographic primitives [18]. One possible

candidate for a PUF is proposed in [19] where the manufacturing variations of each

integrated circuit are used to implement a secret key on each tag. The back-end server

needs to store for each PUF (i.e., for each tag) a list of challenge-response pairs because,

without encryption, a PUF challenge-response pair that is once used cannot be used again

since it may have been intercepted by an adversary.
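The single-use rule for PUF challenge-response pairs described above, as an added Python example that is not part of the BRIDGE report: the back-end enrolls a list of pairs per tag and spends one per authentication, and the same run with pair reuse shows the replay that the rule prevents. The keyed hash standing in for the PUF, the class names and the tag identifier are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets


class SimulatedPufTag:
    """Genuine tag. A keyed hash over a per-chip random value stands in for the PUF."""

    def __init__(self, tag_id):
        self.tag_id = tag_id
        # Constructed stand-in for manufacturing variation of the circuit.
        self._chip_variation = secrets.token_bytes(16)

    def respond(self, challenge):
        return hmac.new(self._chip_variation, challenge, hashlib.sha256).digest()[:8]


class ReplayClone:
    """Cloned tag that only knows challenge-response pairs seen on the air."""

    def __init__(self, tag_id, overheard):
        self.tag_id = tag_id
        self._overheard = dict(overheard)

    def respond(self, challenge):
        # Replays a recorded response if it has one, otherwise it has to guess.
        return self._overheard.get(challenge, secrets.token_bytes(8))


class BackEnd:
    """Verifier A: keeps a list of challenge-response pairs for each enrolled tag."""

    def __init__(self, single_use=True):
        self.single_use = single_use
        self._pairs = {}

    def enroll(self, tag, count):
        """Measure `count` pairs from the genuine tag in a trusted environment."""
        pairs = []
        for _ in range(count):
            challenge = secrets.token_bytes(8)
            pairs.append((challenge, tag.respond(challenge)))
        self._pairs[tag.tag_id] = pairs

    def remaining(self, tag_id):
        return len(self._pairs.get(tag_id, []))

    def authenticate(self, prover, transcript=None):
        """Run steps 1-4. Returns True, False, or None if no pair can be used."""
        pairs = self._pairs.get(prover.tag_id)  # step 1: "I am B"
        if not pairs:
            return None  # unknown tag, or the enrolled list is exhausted
        # Step 2: send c. With single_use the pair is spent as soon as c goes
        # on the air, whatever the outcome, because an eavesdropper may hold it.
        challenge, expected = pairs.pop(0) if self.single_use else pairs[0]
        response = prover.respond(challenge)  # step 3
        if transcript is not None:
            transcript.append((challenge, response))  # what an eavesdropper sees
        return hmac.compare_digest(response, expected)  # step 4


def demo():
    """Genuine run, then a clone replaying the overheard run, in both modes."""
    results = {}
    for label, single_use in (("single_use", True), ("reused", False)):
        tag = SimulatedPufTag("TAG-0001")  # constructed identifier
        backend = BackEnd(single_use=single_use)
        backend.enroll(tag, count=3)
        overheard = []
        genuine_ok = backend.authenticate(tag, transcript=overheard)
        clone_ok = backend.authenticate(ReplayClone(tag.tag_id, overheard))
        results[label] = (genuine_ok, clone_ok, backend.remaining(tag.tag_id))
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

The enrolled list is a finite budget: once it is exhausted the back-end returns no verdict until the tag is re-enrolled, so the number of pairs has to cover the expected number of checks over the tag's lifetime.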

It is important to note that strong tag authentication is subject to research in WP4 (Task 4.3:

Anti-cloning of RFID Tags) of the BRIDGE project, and therefore no new technical solutions for

tag authentication will be proposed in this work package. A comprehensive review of existing

RFID tag authentication techniques can be found in SToP deliverable D3.1 - State-of-the-art

analysis on relevant research, existing technologies and products.

1.3.3 Location based authentication

Location based authentication can also be used to effectively mitigate the tag cloning attack.

Instead of preventing tag cloning, this approach attempts to detect the cloned tags that are

injected into a protected distribution channel. Hence, the third general approach how

products can be authenticated is based on their location. The underlying reasoning is that a

system that always knows where all the genuine products are can also answer whether a

product under study is genuine or not. The mechanism how the location history is gathered is

normally referred to as track and trace. The benefit of location based approach is that the

tags only need to carry an identifier while the complexity is in the back-end side.

The level of security of location based authentication depends on the accuracy of the location

data and it can be measured in terms of number of cloned products found by the product

authentication system versus false alarms, i.e., genuine products that are classified as

clones. If the product authentication system does not know where the product currently is

(e.g., product P is in warehouse x) but only where it has been (e.g., product P was observed

at location x at time t), detecting cloned tags becomes harder and inherently less certain.

However, similar problems have been solved in related literature.

Finding cloned products from the track and trace data can be seen as intrusion detection.

Intrusion detection means the process of identifying and responding to malicious activity

targeted at computing and networking resources [56]. Intrusion detection techniques are

traditionally classified as anomaly- or signature-based. Signature-based systems act similarly

to virus scanners and look for known, suspicious patterns in their input data. Anomaly-based

systems watch for deviations of actual from expected behavior and classify all "abnormal"

activities as malicious. Intrusion detection techniques have been applied to RFID data,

though so far not in supply chain applications. Mirowski [57] applied intrusion detection

techniques to detect cloned RFID access cards, but the method is prone to false alarms.

Credit card fraud detection also deals with problems similar to those of location based

authentication. There the problem is to detect fraudulent transactions, which corresponds to

detection of copied credit cards, by looking for specific transaction patterns in a large amount

of data. Data mining techniques such as pattern recognition and classification have been

successfully applied to detect fraudulent transactions (e.g., [58],[59]), and fraud-detection

systems are currently in use to protect credit card companies and their customers.

1.3.4 “Weak authentication”

It is important to note that also serial level identification alone without verification of the

identities can be a powerful anti-counterfeiting tool. Juels [20] illustrates this with an example

from the art world where a Victorian painter issued serial numbers to his paintings and

catalogued them. The author argues that (partly) because of this reason, far fewer spurious

paintings of this particular painter turn up on the market than from other painters. In

particular, there are many methods that cannot prove with a high level of certainty that a

product is original, but that can prove in many cases (but not in all) that a product is

counterfeit. These methods do not implement secure product authentication as it is defined in

this paper but they can, as the aforementioned example from the art world illustrates, be

powerful anti-counterfeiting tools. We refer to these methods as weak product authentication.

The most common such method is to verify if a product has a valid ID number from a so-called

white list [21] and to count the number of times this check has been performed to detect

cloned tags.
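The checks described in sections 1.3.3 and 1.3.4, as an added Python example that is not part of the BRIDGE report: track and trace events are tested against a white list, a check counter and a minimum transit time between sites. The event format, identifiers, site names, transit times and the check limit are constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All identifiers, sites, times and limits below are constructed sample data.
WHITE_LIST = {"EPC-1001", "EPC-1002", "EPC-1003"}
MIN_TRANSIT = {
    frozenset({"factory-zurich", "warehouse-hamburg"}): timedelta(hours=10),
    frozenset({"warehouse-hamburg", "retail-madrid"}): timedelta(hours=24),
}
MAX_CHECKS = 3  # assumed number of checks a genuine item receives on its way


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


EVENTS = [  # (id read from the tag, site of the reader, time of the read)
    ("EPC-1001", "factory-zurich", ts("2007-07-02 08:00")),
    ("EPC-1001", "warehouse-hamburg", ts("2007-07-03 09:00")),
    ("EPC-1001", "retail-madrid", ts("2007-07-05 10:00")),
    ("EPC-1002", "retail-madrid", ts("2007-07-03 11:00")),  # reported out of order
    ("EPC-1002", "factory-zurich", ts("2007-07-02 08:00")),
    ("EPC-1002", "warehouse-hamburg", ts("2007-07-03 09:00")),
    ("EPC-1003", "warehouse-hamburg", ts("2007-07-04 10:00")),
    ("EPC-1003", "warehouse-hamburg", ts("2007-07-05 10:00")),
    ("EPC-1003", "warehouse-hamburg", ts("2007-07-06 10:00")),
    ("EPC-1003", "warehouse-hamburg", ts("2007-07-07 10:00")),
    ("EPC-9999", "retail-madrid", ts("2007-07-05 12:00")),
]


def analyse(events, white_list=WHITE_LIST, min_transit=MIN_TRANSIT,
            max_checks=MAX_CHECKS):
    """Return {id: (verdict, reasons)} for every id seen in the events."""
    by_id = defaultdict(list)
    for epc, site, when in events:
        by_id[epc].append((when, site))

    report = {}
    for epc, seen in by_id.items():
        # Weak authentication: an id that was never issued proves a counterfeit.
        if epc not in white_list:
            report[epc] = ("counterfeit", ["id is not on the white list"])
            continue
        seen.sort()  # readers do not necessarily report in time order
        reasons = []
        # Weak authentication: more checks than one item can plausibly receive.
        if len(seen) > max_checks:
            reasons.append(f"checked {len(seen)} times, limit is {max_checks}")
        # Location based check: two sites in less time than the route takes.
        for (t1, s1), (t2, s2) in zip(seen, seen[1:]):
            needed = min_transit.get(frozenset({s1, s2}))
            if s1 == s2 or needed is None:
                continue  # same site or unknown route: no conclusion drawn
            if t2 - t1 < needed:
                reasons.append(f"{s1} to {s2} in {t2 - t1}, needs {needed}")
        if reasons:
            report[epc] = ("suspected clone", reasons)
        else:
            # A valid id with a plausible history is not proof of genuineness.
            report[epc] = ("no evidence of cloning", [])
    return report


if __name__ == "__main__":
    for epc, (verdict, reasons) in sorted(analyse(EVENTS).items()):
        print(epc, verdict, reasons)
```

A "suspected clone" verdict says that one identifier is carried by more than one item, not which of the observed items is the genuine one; the transit times and the check limit set the balance between clones found and false alarms.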

1.4 Structure of this report

This report is organized as follows. Section 2 presents the constraints and business

requirements of end-user companies regarding EPC-based product authentication system.

Section 3 presents the corresponding constraints and requirements of customs. In Section 4

we derive the security requirements of reliable product authentication. Section 5 analyzes

how the constraints and requirements gathered in Sections 2-4 can be met in the EPCglobal

network, and we finish with discussion. This structure is illustrated in Figure 3 below.

Section 2: Constraints and business requirements of end-user companies

Section 3: Constraints and business requirements of customs

Section 4: Security requirements of reliable product authentication

Section 5: Find out how the constraints and requirements (Sections 2-4) can be met in the EPCglobal network

Section 6: Discussion

Figure 3. Structure of this report.

2 Industry requirements for product authentication

In this section we present the industry requirements for product authentication. These

requirements are gathered from interviews with affected companies and product

authentication solution providers. We in fact gathered technical requirements from these

industry interviews (see interview-guideline in the appendix) as we consider these to be the

relevant industry-requirements for the following steps that are planned in the course of this

work-package, regarding an RFID-based anti-counterfeiting solution.

In this chapter we first consider the general requirements for product authentication that are

common to all industries. The general requirements are found in subsection 2.1. In order

to find out more detailed requirements, we also consider the industry-specific requirements.

The motivation for the industry-specific approach and a summary of the industry-specific

research questions is found in subsection 2.2. The findings of industry-specific

requirements from four selected industries are presented in the four subsections 2.3-2.6.

2.1 General requirements of product authentication

As mentioned in the introduction of this report, the goal of the technical countermeasures

against product counterfeiting is to secure the licit supply chain by giving single products

unique identities and by verifying these identities (i.e. product authentication). In this

subsection we present the general industry requirements of an RFID-based product

authentication system. These requirements are derived from interviews with affected

companies and product authentication solution providers and they present the properties of

an optimal product authentication solution.

The same system is used in the whole supply chain

Employees in the whole supply chain, including manufacturing facilities, distribution channel,

sales and end points, need to have the possibility to use the same product authentication

system to verify the identity of products. The use of the same system in the whole supply

chain would enable economies of scale for example for hardware investments, as well as

secure the genuine products in the whole chain of custody. To guarantee the integrity of the

flow of genuine products requires also cooperation among all the custodians of genuine

products.

Customs can use the system to authenticate products

The system should facilitate customs work in authenticating the genuine products and

detecting counterfeit ones. In addition to customs, also other third parties like police and

public prosecution service could, in the optimal case, be trained to use the system.

End-users and consumers can use the system to authenticate products

In certain cases it could be valuable to give the end-users and consumers the possibility to

authenticate products. End-users have custody of a product while it is being used and, for

example, in the aerospace spare-part industry have the interest to authenticate products. It is

not clear in which cases brand-owners would like to give the private consumers the

opportunity to authenticate their products; in any case, giving this possibility for the

consumers would increase the number of found counterfeit products.

The system verifies the identity automatically

In order to be effective, end-users state that the system should give a straight answer

whether a product is authentic or not. This is not an issue when it comes to cryptographic tag

authentication, for example, but has implications on the functionality of a location based

authenticity check that should automatically verify the product’s identity instead of only

presenting the track and trace record of the product. Also, some level of doubt is always

inherent in the results of product authentication. For example, the track and trace data can

be subject to statistical analysis that yields a probability that the product is genuine (or

counterfeit). Some end-users believe that the answer "this product might be authentic" would

not be valuable, and in that case the system should answer "I don't know". These special

cases require exception control, which usually needs human oversight and is costly. On the

other hand, other companies could accept some amount of doubt in the authentication

process because they have even more doubt in the process today.

The system supports supply chain management

The information sharing system for anti-counterfeiting should also be used in other logistics

information exchange, such as product recalls. In such a way the system should yield

management data for supply chain management, for example for forecasts, automatic

replenishment, and inventory management. Even though this is not a functionality of a

product authentication application, such services are important for the overall return on

investment in RFID technology and often expected additional benefits of RFID based product

authentication system.

The system supports online authentication

The system must be online to enable dynamic, non-static security features. Counterfeiters

can always fake offline security features. The lifespan of static security features is low,

often measured only in months or some years. Sharing item-level information would enable

real time tracking for manufacturer and updating information about changing/manually

verified authentication features.

Real-time data

The system should provide short response times to enable timely countermeasures. This

means also that the time to check a product needs to be short, measured in seconds.

2.2 Motivation for an industry-specific approach

By opting for an industry-specific approach in the first deliverable of BRIDGE work package

5 and thus identifying how different industries are affected by counterfeiting, valid and

valuable results could be obtained: different industries are affected differently and the volume

of counterfeits varies too. We will therefore opt for the same approach within the scope of

this deliverable, D5.2. This section will focus on industry-specific requirements for an RFID-

based anti-counterfeiting solution. The corresponding data was gathered by the means of

structured interviews. The respective sub-chapters describe the requirements of the following

industries:

• Information Technology Industry,

• Automotive Industry,

• Aerospace Industry,

• Consumer Goods and Retail Industry, and

• Life Sciences and Pharmaceutical industry.

The corresponding subsections 2.3-2.7 are structured as follows. After a short description of

the current anti-counterfeiting status in the respective industry, general fields of usage of

RFID-technology in this industry are looked at. Questions about the different fields of

application and their prioritization, if possible, are answered. In case the respective industry

does not use RFID-technology yet, a time plan for RFID-adoption is given if possible.

Secondly, the tag-specific requirements are elicited: how much data will be put (if ever) on

the tag, where tags will be applied and what the physical requirements for RFID-tags are.

In the next step, anti-counterfeiting specific requirements are treated: what are the products

to be tagged on, what is the estimated volume of products, shall the applied tag be visible,

what is the tag lifetime, what anti-counterfeiting specific data, if ever, shall be stored on the

tag and will data be written on the tag later on, when coping with an anti-counterfeiting

solution. The anti-counterfeiting specific requirements close with the clone-proofness of the

tag and the possibility of using cryptographic tags.

In a third step, verification- and authentication-specific requirements are derived from the

industry interviews. Companies of diverse industries were asked whether the confidence rate

that a product is genuine or not should equal 100% or only converge to it. Companies

were also asked to give feedback about the devices that shall be enabled to perform the

product authentication, the authentication speed and to answer the question, which of the

various stakeholders should be enabled to verify products. They then were asked if the

number of authentications should be limited to a certain number and if offline authentications

were desired.

The final block of the interview-guideline (see Appendix C) deals with general track-and-trace

requirements: who would companies share data with, and which data would be shared. A

summarizing table closes the industry-specific requirements description. These industry-

specific tables are then aggregated into one table in order to identify industry-independent

requirements, which are common to all considered industries. Before we start with these

industry-specific requirements, we will in short describe in the next subchapter industry-

independent requirements and adapt them in the respective industry-section accordingly.

During the interviews, companies were asked to give feedback concerning the following

questions and aspects: first, they were asked to give a short description on their current anti-

counterfeiting efforts. Secondly, they were asked about the different fields of usage for RFID-

application (in general). And finally, questions concerning the RFID-based anti-counterfeiting

solution were posed. These comprised questions regarding the output format of the

authentication check, the desired reading rate of RFID-tags, the question who should be

enabled/entitled to perform these authentications, and the type of devices that shall perform

the authentication (mobile, fix or/and handheld). Companies were additionally asked whether

offline authentications should be possible, how high the desired reading rates are and at

which speed reading (writing) will be performed.

Concerning the requirements of RFID-tags, company representatives were asked to answer

the following questions: should tags be reliable against cloning (if the backend could check

for cloned tags), should cryptographic tags be used, should active or passive tags be used,

should tags with or without memory be used, will HF or UHF tags be deployed and whether

tags should be tamper-resistant or not, meaning that they break upon removal.

The figure below illustrates how industry-independent (general) requirements and industry-

specific requirements overlap.

Figure 4. Illustration of industry-specific and industry-independent (general) requirements.

[Figure 4 (diagram): the industry-specific requirements of the Automotive, Aerospace, CG & Retail, Pharmaceuticals and Information Technology industries overlap in a common area of industry-independent requirements.]

The envisaged RFID-based anti-counterfeiting prototype that is subject to research in this

work package is intended to be industry-independent rather than industry-specific, and

thus adaptable to specific industry needs.

This work package is challenged by the fact that companies introduce RFID-technology for a

set of reasons, ideally for an all-in-one solution. Envisaged applications range from:

appropriate parts detection in the cars, smart manufacturing, smart reparation centers,

increased supply chain visibility, [see table and interviews], detection of product diversion,

and anti-counterfeiting. The priority and importance for the introduction of an RFID-based

anti-counterfeiting solution is different in the considered companies and industries. The

priority ranges from a pure side-effect to one of the highest motivations for the introduction of

RFID-technology.

The answers that we received on our questions regarding an RFID-based anti-counterfeiting

authentication device follow:

What shall be the output format of the authenticity check?

Considering the confidence of the answer of an RFID-based anti-counterfeiting system, no

100% answer is required, but surely desirable. It is however mandatory for those industries,

where the impact of counterfeit goods is life-threatening (food, beverages, security relevant

parts, drugs, etc.).

Reading rate

The term reading rate describes the success rate of read RFID-tags. The term “very high”

signifies a reading rate of about 95-100% whereas “high” stands for a reading rate of 90-95%.

Who can authenticate?

Customs, wholesalers, retailers, distributors, and packaging centers shall be enabled to

authenticate products. When it comes to end-consumers, answers are diverging. Some

companies do not want to guarantee the authenticity of products that aren’t bought from the

official and/or from the brand owner controlled channels (see footnote 2). Others consider product security

and thus customer security essential (see above).

Which devices shall perform the authentication check?

All kinds of devices whether mobile (like mobile phones), handhelds, portables, and fixed

devices shall be enabled to perform the product authentication checks. Authentication should

be possible on the item- and on the bulk-level and shall not take more than several seconds.

Shall an offline authentication be possible?

The possibility of offline authentications (authentications using cryptographic tags, see

chapter 1.3) was highly appreciated by the interviewed companies. Checks can be

performed everywhere and at every time, without being necessarily connected to the

Internet. Customers that do not have a connection at their disposal can test with corresponding devices.

However, the use of cryptographic tags is considered to be mandatory for offline

authentication. However, as we have seen above, we will not consider offline authentications

in BRIDGE work package 5.

Footnote 2: They do not want to secure parallel traded products.

High reading rates without the alignment of the tags to the reader

In case reading rates of 100% cannot be obtained, there are still different possibilities to

attain higher success rates while reading RFID-tags. Experts suggested comparing the

actual deliveries with the advance shipment notice (ASN) via the EDI-systems (electronic

data interchange) or to use a set of readers rather than one single reader. Other possibilities

are the use of a reading tunnel or to induce more energy while reading the tags. Hence, the

confidence and reliability of the read-outs can be increased by using different supporting

techniques as mentioned above.

High reading and writing speeds

Since the deployment of RFID-technology is still in its beginning phase and none of the

interviewed companies is using RFID-tags for an anti-counterfeiting application yet,

statements concerning the required reading and writing speed can only be derived from the

actual production speeds. The specification concerning these speeds within this deliverable

are thus qualitative and cannot, for the time being, be given in a more quantitative way.

Requirements for the RFID-tags:

Reliability against cloned tags

According to the interviewed companies and depending on the products (life-threatening or

security relevant products) and on the industry, the fact that tags might be cloned can be

tolerated, if the backend system can detect these clones.

Use of cryptographic tags

As described in section 1.3.2, cryptographic tags enable the offline authentication of

products. As mentioned above, we will not consider this kind of product authentication.

However, different industries such as the aerospace industry desire their information on the

tag to be cryptographically secured so that competitors or worse counterfeiters cannot read

the contents of the tag.

Use of passive tags

There was a broad consensus between all interviewed companies from different industries to

use passive tags for their RFID-adoption. Considering their lower price and the large number

of RFID-tags to be deployed in future, the trade-off for using passive tags instead of active tags is

largely decided in favor of the passive tags. Concerning the prices, “low price” stands for 2-5

Euro cents per tag, whereas “very low” signifies a price from fractions of one Euro cent up to

1-2 Euro cents.

Details follow in the industry-specific subsections.

Usage of tags with / without memory

Concerning the memory capacity of the tags, there is a consensus between interviewed

companies upon a trade-off between the additional costs of the memory compared to its

benefits. Summarizing the industry requirements yields the statement: more memory capacity

might enable more applications. The question, whether the benefits of these applications are

worth the extra costs, remains.

Usage of HF-/UHF-tags – reading distance and bulk vs. item-level reading

In the long run, item-level and bulk readings are necessary in almost all industries. In some

industries, however, RFID-tags will have to be read from small and big distances (see

industry-specific subsections for further details).

Tamper-resistant tags

RFID-tags should be tamper-resistant and should break when they are removed from the

genuine products in order to prevent the use of genuine tags in counterfeit products.

2.3 Information Technology industry

Mass serialization and product tracking is rudimentarily done in the Information Technology

(IT) industry by using customized bar codes. Warranty and parallel trading issues were the

main drivers for the introduction. Hardware manufacturers learn about product diversion as

soon as a product breaks and shows up for warranty or repair reasons in a country for which

the sale of the product was not intended. Counterfeit products might be detected that way as

well. Software manufacturers such as Microsoft learn about counterfeit or diverted products

as soon as these products are activated via the Internet. To find out more about the ways

products are taking, the location where the product has been sold and the location where the

product has been activated (using the IP-address) are used and the ways in between are

“interpolated”. According to Microsoft’s experience, distributors who sell parallel traded

software products are found to sell counterfeited products as well.

RFID-technology in the IT industry is used for several reasons: logistics (especially in the

United States, where retailers like Wal-Mart require RFID-tagged products), partly in

manufacturing and for the asset management. Asset management in this context means the

inventory of hardware, especially server hardware in server rooms and corresponding racks.

Each server is equipped with an HF RFID-tag that is read in the server rack. Server

hardware can thus easily be tracked. It is envisaged to use RFID-technology more in

production and in the fields of product traceability.

The information and its amount that will be written on the tag are currently subject to

research. In the case of asset management, several hundred Kbits of data will be stored on

each tag. Writing data, while the product is moving in the supply chain, is equally desirable.

Besides storing the tracking data in the backend, storing it on the tag would be desirable.

According to the product and its production speed, products would have to be tagged with a

speed of up to 3600 pieces per hour. Concerning tag reading, similar requirements are

elicited. Additionally, bulk-reading possibilities at high reading speeds of even overlapping

tags are considered as mandatory, since product prices, on average, are quite high.

Considering the asset management, tags have to be read from a distance of 2 centimeters.

In the case of logistics, the average reading distance would be 2 meters, with or without a

direct line of sight.


Table 1. Requirements from the Information Technology Industry

Business Requirements and Aspects | Information Technology Industry

Data
Data on tag | Amount and type of data is currently subject to research.
Read-only | No.

Read-out and Write
Reading speed (high, low) | High, at least 3600 pieces per hour in software manufacturing.
Online | Yes.
Offline | Desirable, but not necessary.
Reading rate | Very high.
Writing speed (high, low) | High, at least 3600 pieces per hour in software manufacturing.

Distance
Small (few cms), big (till several m) | Both. Bulk readings should also be possible.

Tags
Active, passive tags | Passive tags, but ideally active tags.
Price | Very cheap, considering the number of products to be tagged.
Life-time of tag | Life-time of the channel (less than three months from manufacturer to client); for server hardware the tag-lifetime shall equal the product lifetime (3-5 years).
Tag-Visibility (hidden, overt) | Hidden, the smaller the used space, the better; hence, more space can be used for marketing purposes; Microsoft: the look of the product shall be the same everywhere, no matter where it was produced.
Tag-Application (material, surface, etc.) | Inside the DVD inlay for software; hidden, no special requirements concerning the surface.
Clone-proof tags | Desirable but not necessary.
Usage of cryptographic tags | Not necessarily, only in case of an offline authentication solution.

Miscellaneous issues
Environmental circumstances (temperature, overlapping tags, metal, covert tags, liquids) | None.
Products to be tagged | Once a solution is in place, all products will be tagged; in the beginning only frequently counterfeited products will be tagged.
Constraints regarding tag integration | None.
Requirements regarding tamper resistance | Yes, broken if removed (destructive).
Devices to be enabled to read (mobile, portable, fixed devices) | Mobile, portable and fixed.
Reuse of tags | No, only in closed-loop environments.
Production Line Application (needed? Speed) | Yes, at least 3600 pieces per hour in software manufacturing.
Estimated percentage of tagged products | E.g., Microsoft: around 300 million pieces.
Degree of human interaction | Bulk reading should be possible.
Level of confidence (100% or lower) | Might also be lower; 99%.
Own standard | No, they will stick to the standard used in the retail industry.
Motivation, further application | Traceability, more visibility and transparency, detection of parallel trading and product diversion.


For software, tag integration into the CD or DVD itself would be desired. But since

current technology does not allow distance or bulk reading of CD/DVD tags, these will not be

used. Tags will be placed in the DVD case, inside the inlay. The reason for the hidden

application is primarily the space saved on the cover itself, since this space can

be used for marketing purposes. If the customer comes into contact with the tags, these

should be applied in an overt manner. This is different when it comes to an anti-counterfeiting

application. For the hardware sector, the surface requirements are very diverse, ranging from

flat metal surfaces to outer boxes, plastic surfaces and small silicon surfaces. Tag

application requirements are therefore very diverse in this industry.

There are no special physical requirements (e.g., they have to withstand very high or very

low temperatures) for RFID-tags. Tags are partially reused in closed-loop applications. Since

the volume of tagged products is very high, the tag price is very important. However, active

and passive tags will be used.

More than 200 million software products and hardware parts will be tagged yearly. Expensive

products will be prioritized when item-level tagging is introduced. As soon as a corresponding

infrastructure is in place, all products will be tagged. Particularly in an anti-counterfeiting

application, RFID-tags are required to be destructive, meaning that they are supposed to

break upon removal. In the software-sector, unbundling of software components is an

important issue. Microsoft sees its office products sold separately.

In the IT industry, the tag lifetime has to equal the product lifetime. In case of server

hardware, this can correspond to a minimum RFID-tag lifetime of 3 to 5 years. Considering

retail hardware like mice and keyboards, tag lifetime has to at least equal the product’s

presence in the channel, which on average corresponds to three months.

The amount and type of data and information that will be written on the tag is currently

subject to research. Accordingly, the use of cryptography depends on the data that

will be stored on the tag.

According to industry interviews, a system that does not provide a 100% answer as to whether a

product is authentic or not is still much better than the current status in the information

technology industry, especially in the software sector.

The number of performed authentication-checks shall not be limited to a certain number but

shall be flagged to the manufacturer. The authentication shall take place in the production

line, in the warehouse, at the point of sales (but not by the customer, since he assumes that

the products are genuine), at customs, and at the after sales service. The output format shall

be binary, clearly stating if a product is authentic or not. It shall also provide information

about the product’s destined market and its actual market.

Asked whether offline authentication is desired, the interviewed experts

answered that since RFID-tags are considered to be unique, offline authentication should be

taken into consideration.

Track and trace data is already being shared with supply chain partners and customers. Data

sharing is not a critical issue for IT companies, since trading partners do already know about


the transactions involved. Companies consider it as a trade-off between data sharing and its

benefit. Customers and supply chain partners shall have the possibility to track the products.

2.4 Automotive industry

The current anti-counterfeiting efforts in the automotive industry comprise

countermeasures such as holograms, cast-in charge or batch numbers, alphanumeric codes

(the 15-digit code for instance) or inkjet prints where applicable, to mention some.

Combinations of these countermeasures are possible too. A very high quality of the

packaging (where available) might also make it more difficult for counterfeiters to copy the

product. Other manufacturers deliberately build errors into the packaging that are only

known to the company, or do not have any anti-counterfeiting feature at all.

The automotive industry is characterized by a large network of suppliers surrounding the car

manufacturers (OEMs). OEMs have very small margins and are hence very price-sensitive.

This is why an RFID-based anti-counterfeiting solution, especially in the

automotive industry, should be part of an overall solution covering logistics, manufacturing,

anti-counterfeiting and after-sales service for instance. The automotive industry is using

RFID-technology in closed-loop environments like manufacturing, where it is not necessarily

bound to any standard. In that case, OEMs are free to define their own standard or to stick to

an industry-specific standard. Additionally, RFID-technology is planned to be used in open-

loop environments like logistics, appropriate parts identification and anti-counterfeiting.

However, one OEM reportedly stopped its pilot for RFID in logistics due to too high prices.

The industry’s views concerning the data on the tag range from ‘no data’ (limiting the tag’s

memory solely to the EPC-number) to ‘all necessary information for anti-counterfeiting’ (like

production date and time, customer data etc.) and to the answer ‘data will be put on the tag

according to the tag price’. The price-sensitivity of the automotive industry is quite evident

here. On the question of whether data shall be written on the tag during the part’s movement through

the supply chain, the answers were diverse too. Information concerning the product, the

manufacturer, production line information (charge number, date) and later information from

each wholesaler and at each point of transfer might be written on the tag. The speed

that is necessary to comply with the production speed can be derived from the flow of goods

in the production line. Taking the production line speeds of the interviewed companies, the

writing speed has to be at least 20 items per minute.

The highest reading rates are crucial in the automotive industry. Most of the companies require a

big reading distance of several meters (around 3 meters), since products will primarily be

read on the bulk level. Parts (pallets) are often transported in metal containers and are even

made of metal, where RFID-reading characteristics are not optimal.


Table 2. Requirements from the Automotive Industry

Business Requirements and Aspects | Automotive Industry

Data
Data on tag | Yes, but depends on the price of the tag.
Read-only | Yes.

Read-out and Write
Reading speed (high, low) | High.
Online | Yes.
Offline | Yes, if cryptographic tags are used.
Reading rate | High.
Writing speed (high, low) | Still subject to research.

Distance
Small (few cms), big (till several m) | Depends on privacy issues (see text).

Tags
Active, passive tags | Passive tags.
Price | Very low (fractions of one Euro cent up to 1-2 Euro cents).
Life-time of tag | At least 15-20 years, due to legal guidelines (15 years after end-of-production).
Tag-Visibility (hidden, overt) | Visible, customs require visible tags.
Tag-Application (material, surface, etc.) | Yes: Place, surface, material, packaging, since some parts do not have any package, heat, differences in temperature, lifetime of the tag.
Clone-proof tags | Desirable.
Usage of cryptographic tags | Yes.

Miscellaneous issues
Environmental circumstances (temperature, overlapping tags, metal, covert tags, liquids) | Temperature (between -30°C and +120°C and more); depends on part to be tagged.
Products to be tagged | Service parts, wear parts, security relevant parts, parts that are very frequent and thus interesting to counterfeiters; corresponds to 20-25% of all parts.
Constraints regarding tag integration | Want to integrate the tag into the part itself; still, has to endure shocks and temperatures inside the car, difficult to accomplish.
Requirements regarding tamper resistance | Destroyed if removed.
Reuse of tags | Yes, if it saves money.
Devices to be enabled to read (mobile, portable, fixed devices) | All mentioned, especially mobile devices for customs.
Production Line Application (needed? Speed) | Yes, rather for suppliers.
Estimated percentage of tagged products | 25% of all products, later all (between 200 000 and 2 000 000).
Degree of human interaction | None or very low, because of high prices.
Level of confidence (100% or lower) | Might be lower, if there is a matching between the EDI / ASN and the actual delivery.
Own standard | Automotive Standards Organizations are binding.
Motivation, further application | After Sales Service, manufacturing, potentially logistics.

However, reading with a high reading rate, without having to align the tags to the reader, is

an essential requirement. Companies from the automotive industry, however, raised

concerns about the reading distances. They fear that privacy issues may arise


(according to national legislation) if products can be read over large distances.

Companies that want to use RFID-technology for the appropriate parts detection (anti-

counterfeiting relevant) require the tag to be readable even if it is built into the car. The

required reading rate corresponds, despite metallic elements, to 100%. In that case, the

required reading distance corresponds to several centimeters.

Requirements concerning the tag application are manifold: the main question is whether the tag

will be applied on the part itself or on the packaging. On the item-level, tags have to be

applicable on alloy metals, plastics, on round forms and even materials. The possibility of

integrating the RFID-tags into the part would be highly appreciated by the automotive

industry, since the tags shall remain usable even while the parts are in use inside the car. Questions arise

for recycling, warranty issues (was the product bought originally or not and has it been used

before the accident as well, or was it then exchanged by an original but used part) and for

the tag’s lifetime, if it is used near or even inside a sparkplug for instance.

In almost all cases, item-level tags will have to be applied at production-line speed. Hence,

the integration into existing processes shall not disrupt running systems and the running

production; the tag will be most easily applied as a label, using the existing labeling

techniques. No human interaction shall be required. Longsellers will be tagged first. The

tagging priority does not necessarily lie with high-priced or very valuable products, but with

products that are very frequently used and where the demand is thus very high. Therefore

spare parts, wearing parts and security relevant parts (in case of accidents for liability) will

have the first priority, once item-level tagging is introduced. Once a solution is in place

and tag prices decrease, all products will be tagged.

The number of parts to be tagged varies strongly depending on whether tags will be applied on an

item-level basis or not. Regarding item-level tagging, numbers range from 200 000 parts per year

up to 650 000 parts per day depending on product and company.

RFID-tags have to withstand very low temperatures from -40°C up to very high temperatures

of about 120°C and, in the case of tags that are close to the oil filter, temperatures up to

200°C. Tags do not have to be read at this temperature, but they have to endure it. When

used inside the car, tags shall not break when built into the car. Due to legal regulations, all

automotive spare parts have to be available even 15 years after the end-of-production of a

car model; the lifetime of the tag, when the tag is also used inside the car, therefore

has to be at least 15-20 years. For economic reasons, tags might be reused. Tags in

closed-loop environments are already being reused.

Passive tags will be mainly used. Very cheap tags are preferred. Desired prices for passive

tags range from 3 to 5 Euro cents. Active tags might become interesting as soon as prices fall

below 10 Euro cents per piece.

Since not all parts can be tagged from the beginning, often faked and especially security

relevant parts will be tagged first. As mentioned above, the part’s price does not define the

tagging priority, but the part’s attractiveness for the counterfeiters. This corresponds on

average to 25% of all products. More research regarding the attractiveness of a product has

to be conducted. In the long run, all products will be tagged; otherwise, tagging for

anti-counterfeiting reasons does not have an effect. Especially for an anti-counterfeiting

application, tags should break if removed; otherwise valid tags might be applied on counterfeit

products.

Regarding the visibility of the RFID-tag on the product, the automotive industry distinguishes

between labeling for customs and the labeling for clients. In a transition phase, the visibility of

the RFID-tag as a security feature might be crucial. For customers, however, the visibility of

the tag is not necessary or even undesirable. An alternative for customers could be a set of

security features, including the RFID-tag. Customers might become aware of the secured

product by detecting another security feature such as a hologram.

The requirements concerning the tag lifetime for an anti-counterfeiting application are very

similar to the general lifetime requirements. When used inside the running car, they have to

withstand on average another 6 years.

Since the reasons for introducing RFID-technology into the automotive industry are manifold

(see above) and since RFID-based anti-counterfeiting is one of these reasons, all data that

would be necessary for this anti-counterfeiting solution would already be on the tag (when

tags with memory capacity are used).

Most of the interviewed companies would be comfortable with a solution that improves the

current situation of their anti-counterfeiting efforts (if existing). A 100% answer, whether the

product is authentic or not, is therefore not mandatory, at least at the beginning.

There shall not be any limit to the number of authentication-checks, but the checking-event

time and place and the identity of the supply chain partner (or end-customer) that is checking

shall be logged for detecting product diversions. The authentication itself shall take place in

warehouses, at the point of sales, at customs and in the after sales service.

Companies would only share the data that is absolutely necessary for a track-and-trace

application. While some companies do not know which data to share, others would

share data only with their close supply chain partners.

2.5 Aerospace industry

Compared to the automotive industry, the aerospace industry is characterized by a small

number of producers and suppliers, 70% of which are common to the biggest aircraft

manufacturers, Boeing and Airbus SAS. This is also the reason for their common approach in

RFID integration. Interviews conducted for the first deliverable D5.1 revealed that industry

pain is biggest in the field of counterfeit spare parts entering aircraft. Spare parts come with an

attached lifecycle paper report, which includes detailed information on the parts. Experience

shows that these paper reports are counterfeited.

In the aerospace industry, the introduction of RFID-technology is scheduled for logistic

purposes, aircraft repair and warehouse management systems, product diversion,

anti-counterfeiting and tracking and tracing of spare parts for liability and warranty issues. In the

field of aircraft repair, smart bins equipped with RFID-tags, for example, can be tracked


through the facilities, thereby allowing for better accuracy of inventory data, which bears

a large cost reduction potential.

Delta Airlines, for example, tracks about half a million spare parts with a total value of one

billion US$. Improving the accuracy of inventory data using RFID-technology thus bears

potential for a vast increase in the efficiency of the respective part inventory management

[22].

The administration of used and refurbished spare parts (thus anti-counterfeiting) and the

warehouse management, however, are the most important applications for RFID-technology

in the aerospace industry. By storing information of the lifecycle on the tag (see above) and

having the possibility of offline read-outs, the aerospace industry is seeking to minimize the

amount of information that end users have to input manually and thus reduce errors during

data entry. Securing aircraft against improper parts entering them is crucial within this industry.

The tag’s memory capacity is crucial for the aerospace industry, since whole product lifecycle

reports and a repair history shall be included in the RFID tag’s memory. Serial numbers and

detailed parts information shall be stored as well. This is why the proposed RFID tags will

have a capacity of up to 64,000 bits compared to the standard EPC Class-1 Gen-2 tags,

which are used by Wal-Mart for instance and which have a capacity of around 256

bits. Due to the enormous amount of information that will be saved on the tag – and this

information might never be deleted – current RFID tags might soon run out of memory

capacity. Until tags with a higher capacity can be used, these tags have to be replaced

every 2-3 years on average, because the part itself has a lifetime of 15 years on average.

Today’s tag writing and reading speed is still too low for this application. However, concrete

specifications regarding the speed could not be given. The reading rate has to be 100% and

the tags shall ideally be read while passing by the aircraft (2-3 meters). Very short distance

reading (like several centimeters), without having to align the reader to the tag (not like the

bar code that necessitates a direct line of sight), would be desirable. Spare parts will be read

on the item-level. Pallet- or bulk-reading would be exceptional.

The tag application has to comply with the DO160 Aerospace Norm [23] where label- and

tag-resistance are defined. Tags have to resist very high and very low temperatures (-60°C

to +60°C), humidity, acids, oil and different pressures. Electromagnetic shielding might be a

special challenge in the aerospace industry. Once tags are applied, they have to stick

irremovably on the parts. They have to be flexible, even and very small (a diameter of 5mm

would be optimal).

Due to the environment in which RFID tags will be applied, they will have to be functional

(readable, writeable) inside aircrafts without interfering with other aircraft signals and

frequencies and thus be compliant with the Federal Aviation Administration and the

industry-internal Spec 2000 standard.


Table 3. Requirements from the Aerospace Industry

Business Requirements and Aspects | Aerospace Industry

Data
Data on tag | Yes, in the beginning 64kBits, the more the better.
Read-only | No, also writing, but no deletion.

Read-out and Write
Reading speed (high, low) | Very fast, since much information is read; currently available speed is too low; the envisioned future scenario is to walk by an aircraft and while passing by, scanning all RFID-tags.
Online | Yes, desirable.
Offline | Yes, as backup, in case there is no connection.
Reading rate | 100%.
Writing speed (high, low) | Highest possible writing speeds are desired.

Distance
Small (few cms), big (till several m) | Both; optimum would be passing by the airplane walking and reading all tags.

Tags
Passive tags | Yes.
Active tags | Yes, as long as these tags comply with industry norms (Spec 2000 norm).
Price | Considering the parts prices, the tag price is more or less irrelevant.
Life-time of tag | Product life-time is around 15 years. Problem: today’s memory capacity would only be sufficient for about 2 years. Tags have to be taken off and replaced by new ones.
Tag-Visibility (hidden, overt) | None, at least readable.
Tag-Application (material, surface, etc.) | Very diverse (see below).
Clone-proof tags | Desired, but not mandatory if backend TID solution is considered.
Usage of cryptographic tags | Yes: a) information should not be legible to customers; b) to assure the identification of the tag.

Miscellaneous issues
Environmental circumstances (temperature, overlapping tags, metal, covert tags, liquids) | Spec 2000 Document, chapter 9 and the DO 160 Document: temperature variation, humidity (high, low), acids, oil compatibility, pressures, shocks, waterproofness, sand and dust, fungus resistance, salt spray, corrosion, icing, fire, flammability, smoke, toxicity, hail, constant acceleration.
Products to be tagged | All line replaceable units (LRUs) will be tagged. There are about 5000 LRUs on average on a civil aircraft.
Constraints regarding tag integration | Weight, size and the possibility to attach so that the tag does not fall off.
Requirements regarding tamper resistance | Should break upon detachment (destructive).
Devices to be enabled to read (mobile, portable, fixed devices) | All of the mentioned.
Reuse of tags | No.
Production Line Application | Yes; additionally different types of tags and reading/writing frequencies have to be taken into consideration, since different countries allow different frequencies.
Estimated percentage of tagged products | All LRUs, almost 100%.
Degree of human interaction | Yes, should not be possible to detach it.
Level of confidence (100% or lower) | 100%.
Own standard | Spec 2000 aerospace industry standard is more binding for aircraft manufacturers than EPCglobal/GS1 standard.
Motivation, further application | Logistics, Equipment Configuration Management, Warehouse application.


According to industry estimations, all line replaceable units (LRUs) in the aircraft will be

tagged. This corresponds to about 5000 parts per aircraft, and since every 75 kg corresponds

to one passenger, new requirements concerning the tag’s weight arise. Tags thus may

not weigh more than 2-5 grams.

Aerospace spare parts have a lifetime of 15 years on average. The obstacle for having the

same tag lifetime is currently the memory capacity. According to industry-estimations, tags

will have to be replaced every 2-3 years, since the tag’s memory capacity would be

exhausted. As soon as tags have a sufficient memory, their lifetime shall correspond to the

part’s lifetime.

While a part is in use, all repair information and usage information such as flight miles shall be stored on

the tag. Chapter 9 of the industry-internal Spec2000 standard [24] specifies the information

that will be stored on tags.

Weak clone-proofness can be obtained by storing the part number (serial number) and the

RFID tag’s hardware number (Transponder ID number - TID) in a database. According to the

aerospace industry, a centralized database of all spare parts used worldwide would

support the clone-proofness of the tag. Cryptographically secured information is also

desirable, for the following reasons: i) to disguise tag information from competitors and ii) to

maintain the authentication of the tags.
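
The serial-number-to-TID database check described above, combined with the unlimited but logged authentication checks and the destined-versus-actual market output requested in the IT and automotive interviews, as an added Python example (not part of the BRIDGE report or of any vendor's code). `AuthBackend` and its methods are hypothetical names, all sample values are constructed, and the TID is assumed to be factory-locked.

```python
"""Added example (not from the BRIDGE report): serial-to-TID binding in a backend."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Registration:
    tid: str              # Transponder ID read from the tag when the part is commissioned
    destined_market: str  # market the manufacturer shipped the part to


@dataclass(frozen=True)
class CheckResult:
    authentic: bool                 # the binary answer
    destined_market: Optional[str]  # None when the serial is unknown
    actual_market: str
    diverted: bool                  # genuine pairing seen outside its destined market
    reason: str


@dataclass(frozen=True)
class CheckEvent:
    serial: str
    tid: str
    checker: str   # supply chain partner performing the check
    market: str    # place of the check
    when: datetime
    authentic: bool


class AuthBackend:
    """Hypothetical central database; every name here is an assumption."""

    def __init__(self) -> None:
        self._registry: dict[str, Registration] = {}
        self.log: list[CheckEvent] = []

    def register(self, serial: str, tid: str, destined_market: str) -> None:
        if serial in self._registry:
            raise ValueError(f"serial {serial!r} is already bound to a tag")
        self._registry[serial] = Registration(tid.upper(), destined_market)

    def check(self, serial, tid, checker, market, when=None) -> CheckResult:
        tid = tid.upper()
        when = when or datetime.now(timezone.utc)
        reg = self._registry.get(serial)
        if reg is None:
            res = CheckResult(False, None, market, False, "unknown serial")
        elif reg.tid != tid:
            # The serial is presented by a different chip than the registered one.
            # The protection is "weak" because it relies on the TID being
            # factory-locked; it says nothing if a tag's TID is rewritable.
            res = CheckResult(False, reg.destined_market, market, False, "TID mismatch")
        else:
            diverted = market != reg.destined_market
            res = CheckResult(True, reg.destined_market, market, diverted,
                              "diverted" if diverted else "ok")
        # Checks are never refused or rate-limited, only recorded.
        self.log.append(CheckEvent(serial, tid, checker, market, when, res.authentic))
        return res

    def report(self, serial: str) -> dict:
        """Per-serial summary that would be flagged to the manufacturer."""
        events = [e for e in self.log if e.serial == serial]
        return {
            "checks": len(events),
            "failed": sum(not e.authentic for e in events),
            "markets": sorted({e.market for e in events}),
            "tids_seen": sorted({e.tid for e in events}),
        }


def run_constructed_sample():
    """Constructed data: serials, TIDs, checker names and markets are made up."""
    db = AuthBackend()
    db.register("SN-0001", "e200aa0000000001", "DE")
    results = [
        db.check("SN-0001", "E200AA0000000001", "customs-hamburg", "DE"),
        db.check("SN-0001", "E200AA0000000001", "dealer-17", "PL"),   # diverted
        db.check("SN-0001", "E200BB00000000FF", "workshop-3", "DE"),  # TID mismatch
        db.check("SN-9999", "E200CC0000000002", "workshop-3", "DE"),  # unknown part
    ]
    return results, db.report("SN-0001")


if __name__ == "__main__":
    results, summary = run_constructed_sample()
    for r in results:
        print(r)
    print(summary)
```

More than one TID in `tids_seen` for a single serial, or more than one market, is the signal a manufacturer would follow up on.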

Offline authentication is highly desirable, since an Internet connection is not available

everywhere, especially on the movement fields.

The aerospace industry would share products’ lifecycle data with other partners. Since the

open-loop adoption of RFID-technology is in its beginnings, no more concrete information

could be gathered. In the next years, Boeing and Airbus will ask their suppliers to deliver

spare parts equipped with RFID-tags. However, the supplier’s benefit is not evident yet.

For more information about the RFID-deployment in the aerospace industry, please refer to

the Auto-ID Labs Cambridge Aero-ID initiative under www.aero-id.org.

2.6 Consumer Goods and Retail industry

The current countermeasures against counterfeiting in the consumer goods and retail

industry comprise the use of holograms, serial numbers or the use of high-quality and

hard-to-copy packaging. Many products do not have an anti-counterfeiting feature at

all.

The consumer goods and retail industry trades in fast moving consumer goods (FMCG)

and is the leading industry concerning RFID-integration and adoption. RFID-technology will

be predominantly used for logistics in order to tag pallets and to accordingly read them on

the bulk level. In the long run, when tagging is performed on the item-level, more

applications like anti-theft, in-store management processes, or automated checkouts will

follow. These applications only make sense under the prerequisite that all products in a retail

store are tagged, although a generalized statement cannot be given at this point in time.


Item-level tagging is not envisaged to be introduced before the next ten to fifteen years. This

is due to the necessary system changes (and “paradigm changes”) and the low speed of

adapting to these changes.

On the item-level, there will solely be the EPC number on the tag, but on pallet-level, pallet

details will be stored, containing information on the products that are on the pallet like weight,

the EPC-SSCC code (Serial Shipping Container Code), dispatch numbers, reference

numbers, etc. Accordingly, no data will be written on the tag during the product’s movement

through the supply chain. In the long term, applications with information to be written can be

imagined. Until now, nothing is planned. The data writing speed is therefore still subject to

research.

Assuming that a 100% reading rate cannot be guaranteed, multiple readers, logical

connections and cross-checks with backend systems would help to guarantee the highest

reading rate possible, according to industry. The reading distance for tags on pallet level has

to be around 2-3.5 meters and later for item-level tagging several centimeters. Reading has

to be possible under all circumstances, such as up to 300 packages per second, T-shirts lying in

plastic bags, very high and very low temperatures (-30°C to +50°C, from Russia to the

Middle East), and it is important to bulk read cartons with a high reading rate.

Depending on whether pallets or individual items are tagged, requirements differ. Pallet

tagging requirements are not as challenging as the tag-application on item-level. Pallets with

liquids, however, are still hard to tag. When it comes to the tagging of a small number of

individual bottles or cans (solutions are being researched here to apply the tag on the outer

package, e.g. in the case of a six-pack of cans), like tetra packs, the outer box will be tagged. The

Consumer Goods and Retail industry assumes that there will be a transition phase in which

the bar code and the RFID-code will coexist. Countries that are technically not very

advanced and that do not even use the bar code yet will most probably adopt the RFID-tag

with a long delay. Not all products will be directly tagged. Estimations suggest that the

priority lies with products that are more expensive than 30 Euros (interview with a major

European Retail Chain). Temperature sensitive tags would be very useful for cold chains as

well. Integrating the tags into crinkled cardboard would support its application and therefore

its use. Otherwise, the tag will be part of the label.

As mentioned above, tags will have to withstand very high and very low temperatures.

Passive tags will be used, since they are cheaper. On the pallet-level, tags should not be more

expensive than 5-10 Euro cents (e.g. Wal-Mart). Broad item-level tagging would be

performed, as soon as the tag price is below 1-2 Euro cents. Active tags will not be used.

Especially for the anti-counterfeiting solution, tags shall break once removed.

Some figures are available for the volumes of products (from a major multinational consumer

goods company): 400 000 pallets (for one single company), and accordingly several hundred

million individual items per year for the whole industry are envisaged. In that case up to 200

cosmetic items per minute would have to be tagged (in production line speed) and products

are exported to 27 different countries.

Table 4. Requirements from the Consumer Goods and Retail Industry

Business Requirements and Aspects: Consumer Goods and Retail Industry

Data
• Data on tag: No.
• Read-only: Yes.

Read-out and Write
• Reading speed (high, low): High.
• Online: Rather yes.
• Offline: Rather yes.
• Reading rate: High.
• Writing speed (high, low): -

Distance
• Small (few cms), big (till several m): Both, item- and bulk-reading.

Tags
• Active, passive tags: Passive.
• Price: Very low (fractions of one Euro cent up to 1-2 Euro cents).
• Life-time of tag: 220 days on average.
• Tag-Visibility (hidden, overt): Overt (see text).
• Tag-Application (material, surface, etc.): None.
• Clone-proof tags: Not necessarily if there is a database support.
• Usage of cryptographic tags: No.

Miscellaneous issues
• Environmental circumstances (temperature, overlapping tags, metal, covert tags, liquids): None.
• Products to be tagged: Counterfeit products, expensive products, often faked products.
• Constraints regarding tag integration: None.
• Requirements regarding tamper resistance: -
• Devices to be enabled to read (mobile, portable, fixed devices): All of the mentioned.
• Reuse of tags: No.
• Production Line Application (needed? Speed): Not very industry specific.
• Estimated percentage of tagged products: Pallet and carton tagging, later maybe item-level tagging (see text).
• Degree of human interaction: High for pallet and carton tagging.
• Level of confidence (100% or lower): High.
• Own standard: No.
• Motivation, further application: Logistics.

As soon as tags are used in the retail industry, there will most probably be a label

accompanying the product and informing the consumer of the existence of such a tag

(EPCglobal code of conduct). The Consumer Goods and Retail industry, however, has to

rethink this code of conduct when it comes to an RFID-based anti-counterfeiting application.

Additionally, the Metro Retail Group will introduce an RFID-disabler for privacy issues. Once

a product has been sold, the customer can disable the RFID-tag so that it cannot be read

outside the shop anymore.

Tag lifetime varies from 220 days on average for a product in the retail supply chain up to 2

years for complete trading units. In case of reusable tags like in logistics, the lifetime might

add up to more than three years. In that case, RFID-tags will have to withstand scratches

and other physical impacts. However, the prices for tags that withstand cold-chains or tags

that have a very long lifetime are much higher than those for standard tags. Therefore, each

application will have its own specialized tags. However, no additional data will be stored or

written on the tag for an anti-counterfeiting solution.

Since the supply chain of the Consumer Goods and Retail industry is very complex, the

number of possible authentication-checks cannot be limited to a fixed number, as this might be

possible in other industries. Product flows vary even for the same products, especially if

producers send their products to different retailers Europe-wide.

No offline authentication is necessary, since all data is traditionally held in the backend-

systems.

The Consumer Goods and Retail industry would share data with their supply chain partners

for the sake of a track-and-trace system. They traditionally already share these data on their

own information systems. Data would be created at each point of transfer, where the shipper

would forward the information that he has received / delivered the goods. Other information

would be pallet identification number, and the DESADV (dispatch advice), saying that goods

will arrive at a destination.

2.7 Life Science and Pharmaceutical Industry

According to BRIDGE deliverable D5.1 (Problem Analysis Report on Counterfeiting and Illicit

Trade), the pharmaceutical industry has been in recent years, depending on brands, markets

and countries to different extents, increasingly affected by counterfeits. Countermeasures

embrace the use of different visible and invisible security features (such as holograms,

visible and invisible ink or batch numbers). Moreover, chemical analyses and third party

authentication solutions (see footnote 3) are used to detect counterfeits and drugs that are suspected

counterfeits (for more information about countermeasures in the pharmaceutical industry,

please refer to EU-SToP deliverable D3.1, chapter 4.2).

The possibility to detect counterfeit drugs is crucial for brand protection and patient safety

reasons. Its relevance is also represented by the importance that is assigned to anti-

counterfeiting approaches on the company’s board level.

Regarding the introduction of RFID-technology into the pharmaceutical industry, there are

several major drivers: the industry is anticipating early changes from the U.S. Food and Drug

Administration (FDA) that track-and-trace and the ePedigree might soon become mandatory

in the pharmaceutical industry (Prescription Drug Marketing Act of 1987 and 2004, [54]). The

state of California (USA), for instance, requires that the electronic pedigree for drugs will be

adopted by 2009 in order to protect the chain of custody for drug products from

counterfeiting.

Footnote 3: E.g., www.sunchemicals.com/security.

On a European level, mass-serialization is most advanced in Italy. Drugs have to be labelled

with so-called “bollions”, unique serial numbers given out by the government. They were

introduced for anti-fraud and accounting reasons. However, they do not provide any

information about the drug manufacturer nor about the client. In a second phase these

bollions will be replaced by RFID-based labels which only contain the unique serial number.

Besides the detection of counterfeits, bringing more transparency into the sophisticated

supply chain (logistics, warehouse issues) and detecting the repackaging of products is

crucial for the pharmaceutical industry. Repackaging is legal in the European Union and in

the United States. However, some examples from literature suggest that repackaging is one

source of faked drugs [55]. Detecting product diversion would be an important aspect as well,

since distribution channels of counterfeit and diverted products might be overlapping,

according to industry-sources.

A major problem for pharmaceutical companies is the data ownership and the visibility along

the complex supply chain. As soon as the products leave to the first customer, the

manufacturer does not have any control or visibility about his products. Third party

companies have specialized in providing this information back to the manufacturer. An

ePedigree application, as an anti-counterfeiting application, might additionally help to make

the supply chain more secure.

According to industry-interviews, RFID-technology is already being tested in the

pharmaceutical industry. Pilots are scheduled to run over the next two years at Pfizer and Novartis,

to name some of them. RFID-technology is moreover used for logistic reasons. The

pharmaceutical industry is however aware that a more general (standard) RFID-based anti-

counterfeiting solution is more appropriate. Customized solutions would be too expensive

and might not cover all governmental requirements and compliances or might not easily be

adaptable to changes. Additionally, the solution shall be as wide as possible, so that every

state and customer is covered.

Tags will be applied on an item-level basis and on all drug packages. However, drugs might

also be tagged on the blister-level, since the content of drug packages can be counterfeit (or

reused), still using the genuine packaging. Experiences with counterfeit products in genuine

packaging and genuine products in counterfeit packaging have already been made (see also

BRIDGE deliverable D5.1).

Depending on the application method, place, space and material (metals and liquids), RFID-

tags can therefore either be pasted as a label on the drug package, or into the blister (in case

of tablets). As mentioned above and for security reasons, they should be attached as close

to the products as possible. The application on the carton is not considered to be very

secure, since the tags can easily be removed. Tags have to be small and readable from variable

distances (several centimetres to several meters), and on item- and bulk-level. Passive tags,

since they are cheaper, will be deployed. They have to be tamper resistant and break upon

removal and not cost more than 2 USD cents.

Table 5. Requirements from the Life Sciences and Pharmaceuticals Industry

Business Requirements and Aspects: Life Sciences and Pharmaceuticals Industry

Data
• Data on tag: Yes, 96 bit serial number. Exception: reading data from temperature sensors for 50 days, one reading every minute.
• Read-only: No.

Read-out and Write
• Reading speed (high, low): Very high, no concrete numbers available yet.
• Online: Yes.
• Offline: No.
• Reading rate: 100%.
• Writing speed (high, low): Very high, no concrete numbers available yet.

Distance
• Small (few cms), big (till several m): Variable reading distance necessary.

Tags
• Active, passive tags: Passive tags.
• Price: Maximum price of 2 USD cents.
• Life-time of tag: Tag lifetime = product lifetime; between 1-3 years.
• Tag-Visibility (hidden, overt): Hidden, due to security and privacy reasons.
• Tag-Application (material, surface, etc.): There are many different and unique factors regarding tag application. No generalization possible.
• Clone-proof tags: Yes, necessary.
• Usage of cryptographic tags: No.

Miscellaneous issues
• Environmental circumstances (temperature, overlapping tags, metal, covert tags, liquids): There are different requirements regarding the tag application; tags have to resist cold and rough handling.
• Products to be tagged: Products that are most prone to being counterfeit and stolen.
• Constraints regarding tag integration: There are many different and unique factors regarding tag application. No generalization possible. Most important aspects, however, are liquids, metals and space issues.
• Requirements regarding tamper resistance: Yes, because counterfeit deterrent.
• Devices to be enabled to read (mobile, portable, fixed devices): All of the mentioned.
• Reuse of tags: No.
• Production Line Application (needed? Speed): Yes.
• Estimated percentage of tagged products: In the beginning not 100%, especially those which are prone to be faked and stolen, potentially several millions.
• Degree of human interaction: None.
• Level of confidence (100% or lower): 100%, maybe also lower.
• Own standard: No.
• Motivation, further application: Logistics, product diversion issues.

RFID-tags and barcodes (1-D and 2-D) will coexist. Several levels of authentication can be

distinguished: ID Level 1, the tagging on the individual package or on the item-level;

ID Level 2, the tagging of the display carton; ID Level 3, the tagging of the shipping case;

and ID Level 4, the tagging on the pallet level.

The tag lifetime has to extend beyond the product’s expiration date. Life-times between one

and three years, also considering rough handling and low temperatures, are necessary.

Concerning the data on tag, it is foreseen to store 96 bits on the tags (serial number). There

are, however, exceptions like in the case of drugs that have to be cooled during the whole

supply chain. Temperature sensors could be attached to the RFID-tags. They would be read

every minute while the temperature sensitive products are in the supply chain. The obtained

temperature information would be written on the tag’s memory. Although no more than this

data will be written on the tag, the writing and the reading speed have to be very high, since

the system shall not slow down the production (the exact speed varies heavily on the product

and on the manufacturing company).

Examples from literature support the need for clone-proof tags; the usage of cryptographic

tags, however, is not necessary. A 100% answer as to whether the product is genuine or not is

not absolutely mandatory, at least in the first phase of introduction. However, indicating the

level of confidence would be desirable.

All devices, whether mobile, handheld or fixed, shall be enabled to perform the product

authentication. No requirements concerning the authentication speed could be obtained.

There is a need for an international warning system, once a counterfeit drug has been

detected. However, the system should be tolerant concerning “deliberately made mistakes”,

meaning intentional changes of packaging in different lots.

Authentication shall be possible on the single-item, multi-item and case-level. Wholesalers,

retailers and customers shall be enabled to authenticate. It seems, however, that RFID tags

will be disabled before the drugs reach consumers' hands. This is largely due to privacy

concerns. Stores could use the information on RFID-tags to know what bottle of pills a

customer has in his shopping bag. The highest priority of authentication checks lies therefore

in the production line and at the point of sales. Considering the complexity of the supply

chain, the number of authentication checks for one single item shall not be limited to a

certain number.

Offline authentications are not necessary, considering the complexity and the costs of these

systems. Furthermore, there is a need for an open systems standard supporting the

authentication of products from all manufacturers, as already mentioned above.

According to industry interviews, companies will share the information that is necessary for

authentication. This is especially due to the complexity of the multi-stage pharmaceuticals

supply chain. The tag number and all relevant business and transactional data would be

shared downstream to the customer.

Products will be tagged on the individual- and on the bulk-level and there won’t be any

priorities regarding the tag application. Passive tags will be used and will have to be read

from a distance of less than one meter.

Further requirements that are less RFID-based will additionally be assessed in EU-SToP

work packages 1 and 4.

2.8 Summary of the Industry Requirements

We learned from the conducted industry interviews that many industry-requirements for an

RFID-based anti-counterfeiting solution are overlapping. We could summarize these overlaps

in this section. However, there are requirements which are very specific to some industry,

such as the vast memory usage in the aerospace industry, or the demand of reusing tags in

the automotive industry, or the use of hidden tags in the information technology industry that

cannot be generalized. These requirements are summarized in Appendix A.

The following section deals with customs requirements for an RFID-based anti-counterfeiting

solution. Customs organizations can be seen as key players in the fight against counterfeits,

since 80% of all counterfeit products in the European Union are imports from outside [25].

3 Customs requirements for product authentication

In this section we collect the customs requirements for RFID-based product authentication

systems. Customs can be seen as a governmental end-user of the system. We first present

how counterfeit products are seized in the European import process and then focus on the

Swiss customs as an example of a modern customs organization. Based on an understanding of

the role of product authentication in the import process and of organizational constraints, we

derive the customs requirements for RFID-based product authentication.

Customs are responsible for about 70% of all seizures of counterfeit products in the world

[26]. The role of customs is especially important in protecting the European Union and the

U.S. markets because the vast majority of counterfeit products in those markets are imports

[27] and, after entering the market, subject to free circulation within the community. However,

in anti-counterfeiting the role of customs is more supportive than proactive, which means that

customs mostly provide help to trademark owners to protect their IPRs when this is

requested.

Due to limited resources and size of the workload, it is impossible to search every

consignment entering the country; in practice, only about 1-4 percent of imported goods are

physically inspected. Customs conduct risk analysis based on information in the freight

papers to identify high-risk consignments beforehand. Though the risk-analysis can be

partially automated, interviews with customs officers reveal that the experience of the officers

plays a very important role in recognizing suspicious consignments.

Under European Council Regulation 3295/94, the Customs Authorities have the right to seize

suspected infringing products at the border provided that certain conditions are fulfilled:

• An application has been made by the rights holder

• An infringement is suspected

• Customs procedures have been followed.

The rights holder is the person holding a trademark, a patent, a copyright or design right.

Affected companies can thus fend off repeated attacks by counterfeiters through lodging

Applications for Action with customs. To submit such a request for assistance by customs,

the right holder must fulfill two conditions: the request must provide customs administration

with a sufficiently accurate description to make identification of genuine products possible

and proof must be provided that confirms that the applicant is indeed the holder of the right in

question. With such an application in place, customs will inspect goods which match the

criteria specified in the request. Customs rarely intervene without an application in place.

On receiving the application including the necessary information, customs will work with the

rights holder to assess the application and, if accepted, will advise customs officers to look

out for the infringing products. The suspect products will then be detained pending a

substantive decision about seizure. This decision should be made within 10 working days

(max. 20) after the detention of the goods [28]. How counterfeit products are detected in the

European customs import process is illustrated in Figure 5.

[Flowchart. Node labels: Freight Papers, Risk Analysis, High-Risk?, Inspection, Suspicion?, Application in place?, Obtain new application?, Infringement?, Seizure, Legal Case, Free Circulation.]

Figure 5. European customs import process.

Currently customs don’t use specific product authentication techniques to verify the existence

of security features that brand-owners apply to the genuine products. There are tens or

hundreds of different product authentication techniques today and most of them require

special equipment for verification. Customs cannot invest in multiple product authentication

techniques because it means overlapping investments in hardware and training of personnel

– currently one product authentication technique is used only in a small number of different

products. Therefore customs only concentrate on detecting suspicious cases and leave the

final responsibility of product authentication to the brand-owners.

There are two straightforward ways in which customs could increase the seizure rate of

counterfeit products. First, by increasing the inspection rate which would require allocation of

more resources, namely man power, to physical inspections. Second, by increasing the

quality of brand-owners’ descriptions of genuine products; the better this description is, the

faster genuineness of the product can be verified. However, sometimes the visual quality of

counterfeit goods is so high that even experts of the brand-owner are fooled. Therefore

automated and secure product authentication would also support customs in detecting counterfeit

goods.

3.1 Customs in Switzerland

The Swiss customs organization does not have a hardware-based, mobile or handheld

system that supports customs officers with their work to detect counterfeit goods.

Brand owners that seek the support of customs have to file an application according to the

“Markenschutzgesetz” (articles §70/71) and “Urheberrechtsgesetz” to the customs

organization so that imported goods of these brands are checked for counterfeits. The

application, the so-called “Antrag auf Hilfeleistung”, costs CHF 600 and has to be renewed

every two years. In addition to this fee, the brand owner has to submit a security deposit of

between CHF 10.000 and 100.000. Furthermore, the customs organization has to be provided with

detailed product descriptions so that officers can distinguish genuine from counterfeit products.

These product descriptions are then stored on the intranet of the customs organization and are

available to all customs officers. There are currently 45 of these applications available in the

customs’ intranet (mostly luxury products and drugs). The better the provided information

is, the more efficiently counterfeit products can be detected. If there are any doubts

concerning the genuineness of the products to be imported, the customs organization can

stop the importation of the product for ten days in order to give the brand owner the

possibility to check the products. The brand owner that has filed his application for customs

support can then release the products from customs. After the ten day waiting period, the

products will be released anyway. The security deposit provided by the brand

owner is supposed to cover any damage that was caused by delayed shipping (due to these

ten days). If customs seized products that appear to be counterfeit, in very evident cases

customs will inform the brand owner even if he did not apply for the “Hilfeleistung”.

Customs, however, cannot control all product flows into the country. Checks are performed

on a spot check basis. Currently, only around 5% of all products, which come into a country,

can be checked. The majority of products is only checked on a paper basis or is not checked

at all. And customs’ competencies are rather limited. They cannot call legal help from the

police, once counterfeits are detected. Their action is limited to seizing the goods and holding

them back for a ten-day period.

3.2 Customs in Germany

As described above, German customs procedure is aligned with the general European

customs procedure. Currently, around 700 companies have applied for customs’ support to

detect counterfeit products from their brands.

3.3 Customs requirements

Customs’ main requirement for an RFID-based anti-counterfeiting system is the usage of a

European or even world-wide and cross-industry standard. In other words,

customs need one solution or one device that can be used for multiple products. Such a

system doesn’t exist today. New requirements are elicited when such a solution with a

handheld device is introduced: which stakeholder would be responsible for the maintenance

of such a device (exchange batteries, repair the devices etc.), which stakeholder is

responsible for the training, which party would finance such a solution, etc.

Customs require that the system is able to authenticate one product at a time. Being able to

read multiple products at once (bulk reading) would not increase customs efficiency in

detecting counterfeit products since the system would not be used to verify all products, but

only the selected suspicious ones. The underlying problem is that counterfeit products are

not tagged in most cases and they are thus invisible for the RFID reader.

Customs would need mobile or handheld RFID reader devices since the inspections are

conducted manually and not only at borders, but also on highways, in company’s stock

houses, on trucks, etc. where an Internet connection is not always available.

Like the other end-users, customs also prefer online authentication systems as they promise

higher reliability. However, a 100% confidence level to the result of the check is not

mandatory since customs can still hold back the goods and call the brand-owner for

additional checks. On the other hand, an added value would be a high reliability of the

authentication with legal consequences. Unequivocal statements would be required.

However, false reports would be extremely costly.

Once a product has been identified as a counterfeit, customs will only reveal the identity of

the responsible distributor. This happens only in case the brand owner will sue him. Brand-

owners, however, have the final responsibility in showing that seized goods are counterfeits

for example in the legal case. According to the conducted interviews, customs do not have

any special requirements concerning the visibility of the RFID tags, nor the speed (response

time) of the system.

Detecting counterfeit products virtually resembles the search for “the needle in the haystack”.

Customs could be supported by intelligence about ships or cargo aircrafts, which are carrying

counterfeit products onboard. Using this information and looking for suspicious goods would

be efficient and not stop or hinder the flow of goods. Compared to the finding of suspicious

goods, the identification of the counterfeits would then be a relatively minor step.

4 Security requirements for product authentication

In this section we derive the security requirements of RFID-based product authentication

systems. In order to enable the design of a sound and forward compatible product

authentication system, we opt for a systematic and general analysis of security requirements

for product authentication. The result of this analysis is a comprehensive understanding of

security requirements of all possible RFID-based product authentication approaches, not

only those of the chosen solution concept. It is important to emphasize that the security

requirements of a product authentication system depend on the chosen approach. In this

section, we present the complete set of approaches and their security requirements without

making assumptions about the selected solution concept.

Finding and defining security requirements of a system takes place in the system design

phase. In general, security requirements exist because people and the negative agents that

they create (such as computer viruses) pose real threats to systems. Security requirements

define the security goals of the system that answer the question, “What do you expect

security to do for you?” [29]. Moreover, security differs from all other specification areas in

that someone is deliberately threatening to break the system [30]. Security requirements are

particularly important for product authentication which can be considered a security

application because, strictly speaking, its only function is to provide security against certain

threats (i.e., cloning of products). Correspondingly, in the absence of these threats, secure

product authentication would not be needed because identification alone would always

reveal the real identity of products.

We present the non-functional security requirements of RFID-based product authentication

systems in subsection 4.1. They are derived from an understanding of the underlying logic of the

general product authentication process. Derivation of the functional security requirements of

product authentication systems is less straightforward and requires a short review of related

work: Alexander [30] and Sindre and Opdahl [5] have examined the concept of misuse cases

that can be used to derive the functional security requirements of an application. Use cases

have become increasingly common in requirements engineering of new applications, but

they offer only limited support for eliciting security threats and requirements because they

model the intended use only. A use case is a description of how end-users will use a system

and it describes a task or a series of tasks that users will accomplish using the system.

Extending the use case paradigm with misuse cases of illicit actors to model and analyze

scenarios in systems under design can improve security by helping to mitigate the threats.

Misuse cases can be thought to be identical to use cases, except that they are meant to

detail common attempted abuses of the system. The following table illustrates the

relationships between use cases and misuse cases.

Table 6. Relationships between use cases and misuse cases (see footnote 4)

                        Source case: Use    Source case: Misuse
Target case: Use        includes            threatens
Target case: Misuse     mitigates           includes

The misuse/use case methodology is well suited to cases where the actions of illicit actors are

predictable, such as in product authentication. Sindre and Opdahl [5] propose the following

five step process for eliciting functional security requirements with misuse cases:

I) Identify critical assets in the system (information, virtual location, and computerized activity),

II) Define security goals for each asset,

III) Identify threats to each security goal by identifying stakeholders that may intentionally harm the system,

IV) Identify and analyze risks for the threats using risk analysis, and

V) Define security requirements for the threats to match risks and protection costs.

The resulting security requirements are presented in a use and misuse case diagram that

shows how actions of illicit actors threaten the system and which security goals are needed

to mitigate these threats. We employ this process to derive the functional security

requirements in subsection 4.2 and present the resulting requirements in subsection 4.3. The

use and misuse case diagram is particularly useful in our case because it clearly shows how

different product authentication approaches can be used to achieve the same final effect.

4.1 Non-functional security requirements

The non-functional security requirements are derived by understanding the underlying logic

behind the product authentication process and they complement the functional security

requirements. Non-functional system requirements relate to the performance and reliability of

the system and they can’t be modeled by use cases [32]. The first three requirements

concern product authentication in general, while the fourth one is specific to location based

authentication.

Complete coverage of security features: The underlying logic behind any product

authentication approach is that if a product cannot prove its identity when it should, it is not

genuine. This implies that it is not enough if only a part of the genuine products have a

security feature based on which they can be authenticated. Consider a situation where a

pharmaceutical manufacturer wants to improve the security of an expensive drug product

and therefore it inserts a cryptographic RFID tag on every second product. While as a result

half of genuine products can prove their identities in a rather secure way, it doesn’t help

finding any additional counterfeit products since the lack of the security feature doesn’t imply

counterfeit origins.

4 The table is read so that “a use case mitigates a misuse case” and “a misuse case threatens a use case”.

It’s worth noticing that this requirement can be overcome when single products have unique

identities and the back-end knows which products have which security features. In the

example above this would mean that every second product should implement a

cryptographic tag authentication protocol. In this scenario, it’s important that the

counterfeiters don’t know which products don’t have the security features; otherwise

counterfeiters could simply target (clone) only the non-protected products.

Availability: The fact that products that cannot prove their identity when they should must be

considered counterfeits mandates a rigid availability requirement for the product

authentication system. Since networked RFID systems are vulnerable to denial-of-service

attacks at both the network and tag layers, this is particularly worrisome for RFID based product

authentication. RFID tags can be destroyed rather simply for example with hand-held devices

that send an intensive electromagnetic pulse [33]. Therefore a wide scale tag incapacitation

attack has the potential to significantly increase the cost of running an RFID based product

authentication system.

Trust in parties who authenticate products: Product authentication can only help in such

environments where the parties have an interest in using the system to find counterfeit products.

No degree of technical security in product authentication can overcome the will to

intentionally sell or consume a counterfeit product. In addition, the parties using the product

authentication system can acquire information like serial numbers and locations of genuine

products from the system. Therefore a level of trust is needed in parties who use the system

to authenticate products.

Data sharing: Location based product authentication is possible only when the locations of

genuine products can be followed with a high enough degree of spatial and temporal

granularity. Today, companies share this kind of information unenthusiastically and rather on

a need to know basis than on a regular basis. The only way to be sure that a location based

product authentication application has all the information it needs to draw the right

conclusions in the presence of adversaries is for companies to establish data sharing policies

to provide a stable degree of visibility for the product authentication system.

4.2 Chain of trust, threats, and risks in product authentication

In this subsection we employ the use and misuse case methodology of Sindre and

Opdahl [5] that is presented in the introduction of this section to derive the functional security

requirements for product authentication. Functional requirements state the services or

operations a system has to provide regardless of its physical limitations and they can be

modeled with use cases [32]. Our use case under study is product authentication by a licit

actor (e.g., sales clerk, customs officer, and consumer). The misuse case is an attack where

the illicit actor attempts to fool the security mechanism to make a counterfeit product pass

the authenticity check as a genuine one. In the following subsection 4.2.1 we identify the

critical assets and their security goals (steps 1 and 2 in the methodology) by deriving the

chain of trust of the general RFID based product authentication process. In subsection 4.2.2 we

consider the threats (step 3) and in subsection 4.2.3 the risks (step 4) against the chain of

trust. The resulting set of functional security requirements (step 5) that are needed to

mitigate the chosen threats is presented in subsection 4.3.

4.2.1 Chain of trust in product authentication

In this subsection we identify the chain of trust in the general RFID based product authentication

process by studying the information flow within the authentication process. The chain of trust is a

representation of the process that is to be secured. The first step in all RFID based product

authentication approaches is identification where the reader device interrogates the tag

attached to the product and the tag answers by transmitting the product ID number. In

Section 0 we presented three ways in which a product can prove that it really has

the claimed identity and we consider all three cases below.

In product authentication based on object-specific features, the testing equipment measures

the product’s feature value (the product’s physical or chemical fingerprint) and transmits this

feature value to the product authentication application. We consider the product

authentication application a software agent that makes the final decision whether a product is

authentic or not and it resides in the internal IT systems of the company that provides the

service (e.g., the brand-owner). In order to make the final decision, the product authentication

application needs reference information, the feature value of the genuine product, that is

compared to the measured feature value. We call this last process step the verification of

identity. If the two feature values do not match, the product under study is not the genuine

one.

In product authentication based on tag authentication, the tag proves its identity by showing

that it knows a certain secret key with a challenge-response protocol. To know what the

correct response for a certain challenge is, the product authentication application needs

reference data which usually is the tag’s secret key. In this approach the verification of

identity is a trivial key comparison.
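The tag authentication case described above, as an added example that is not part of the original report: a product authentication application holding the reference keys challenges a simulated tag and verifies the response. The HMAC-SHA256 construction, the class names and the single-use challenge table are assumptions made for illustration; the report does not prescribe a protocol.

```python
import hashlib
import hmac
import secrets


class Tag:
    """Simulated cryptographic tag: stores an EPC and a secret key."""

    def __init__(self, epc: str, key: bytes):
        self.epc = epc
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Assumed response function: HMAC over the challenge and the tag's EPC.
        return hmac.new(self._key, challenge + self.epc.encode(), hashlib.sha256).digest()


class AuthenticationApplication:
    """Back-end holding the reference data (EPC -> secret key)."""

    def __init__(self, reference_keys):
        self._keys = dict(reference_keys)
        self._pending = {}  # EPC -> outstanding challenge

    def issue_challenge(self, epc: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh and unpredictable per session
        self._pending[epc] = challenge
        return challenge

    def verify(self, epc: str, response: bytes) -> bool:
        challenge = self._pending.pop(epc, None)  # each challenge is usable once
        key = self._keys.get(epc)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge + epc.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def run_demo():
    """Run the check against constructed tags and return the verdicts."""
    epc = "urn:epc:id:sgtin:0614141.000024.400"  # EPC taken from the report's ONS example
    key = secrets.token_bytes(16)                # constructed secret key
    app = AuthenticationApplication({epc: key})
    genuine = Tag(epc, key)
    copied_id_only = Tag(epc, secrets.token_bytes(16))  # same EPC, different key

    results = {}
    captured = genuine.respond(app.issue_challenge(epc))
    results["genuine"] = app.verify(epc, captured)
    results["clone"] = app.verify(epc, copied_id_only.respond(app.issue_challenge(epc)))
    app.issue_challenge(epc)  # new session; the earlier response is presented again
    results["replay"] = app.verify(epc, captured)
    results["no_challenge"] = app.verify(epc, captured)  # nothing outstanding
    results["unknown_epc"] = app.verify("urn:epc:id:sgtin:0614141.000024.401", b"")
    return results


if __name__ == "__main__":
    print(run_demo())
```

The check establishes only that the responder holds the key; it says nothing about whether the tag is attached to the right product, which is why the report treats tag-product integrity as a separate requirement.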

In location based product authentication, the testing equipment sends the time and location

where the product has been seen to the product authentication application. The location of

the product is compared to the product history that serves as the reference information, and

if the location is plausible, the product is genuine. For example, if the history states that the

product should be in Japan but it is seen in Switzerland, an alarm should be raised. Because

products flow across organizational boundaries, we assume that the history is retrieved from

an external IT system.

In order to guarantee the integrity of the abovementioned information flows, one has to be

able to trust that the tag is attached to the right product, that the tag is original and not tampered

with, that the radio-frequency communication is not tampered with, that the testing equipment

works correctly, that the reference information is authentic and true, that the product history

is authentic and true, and that the product history is not tampered with. Finally, the

verification of identity needs to draw the right conclusions based on the available evidence.

This chain of trust is illustrated in Figure 6. The arrows in the illustration indicate the

information flow.

Figure 6. The chain of trust of (rectangles) and threats against (ovals) the RFID based product

authentication system. The arrows indicate the different information flows that take place

within the product authentication process. (See footnote 5.)

4.2.2 Threats in product authentication

Each step in the chain of trust is a possible point of attack against the product authentication

system. In this subsection we identify and evaluate all threats against the product

authentication process. These threats are illustrated as black ovals in Figure 6.

1) Tag removal and reapplying: Removing and reapplying the tag from a genuine product to

a counterfeit one can fool the product authentication application. Without special techniques

that bind the tag and the product (e.g., use of object-specific features, subsection 1.3.1, or

special seals), it is only the tag that is authenticated and not the product. Many RFID tags

that are used in product serialization are adhesive labels. If not specifically addressed,

removing and reapplying them to counterfeit products poses no significant barrier for skilled

counterfeiters. This is similar to removal and reapplying of price tags which is an existing

threat in the retail industry.

When an RFID tag authenticates high-value items such as airplane spare parts or rare drug

products, even the removal and reapplying of a small number of tags can be financially

interesting for the counterfeit players. The lack of binding between the tag and the product is

especially problematic in the pharmaceutical industry where the RFID tag is never attached

to the drug product itself (tablet, ampoule, vial etc.) but on the secondary or tertiary

packaging (blister package, carton package etc.). Not only is it easy to disassociate the tag

from the drug product it authenticates by changing the contents of the package, but it also is

a common practice in the industry when the products are repackaged. Drug products are

repackaged for example in order to change the language of the package and instructions as

the products move to another country. Repackaging of drug products is legal in Europe and

in the US but illicit actors can use it to inject counterfeit products into the market by including

fakes among the unpackaged genuine products.

5 A bigger version of this picture is in Appendix B

2) Tag cloning: Tag cloning refers to cloning a genuine tag and attaching it to a counterfeit

product. If the tag is unprotected, it is easy to clone simply by interrogating it and by writing

the acquired ID number on another tag. Interrogating tags without permission is referred to

as clandestine scanning [20] and most RFID tags are not protected from it. Furthermore,

so-called rogue scanning using a sensitive reader equipped with a powerful antenna or an

antenna array and possibly output power that exceeds the legal limits can exceed the

nominal read range. For example, Kfir and Wool [34] suggest that the rogue scanning range

for ISO 14443 tags can be five times higher than their nominal reading range.

Once a reader has powered a tag (or initiated communication with an active tag), a second

reader can monitor the tag emission by passively listening to the signal and capture the product

ID number for cloning. This is referred to as eavesdropping and the maximum distance

where a tag can be eavesdropped may be even larger than the rogue scanning range [20].

Also the reader-to-tag communication can be eavesdropped, though this channel is less

frequently used to transfer tag-specific information. Because the reader transmits at much

higher power than the tags, however, eavesdropping range for the reader-to-tag channel is

much greater than for the tag-to-reader channel [35].

Numerous techniques have been developed to protect tags from cloning. The principal

techniques are reader authentication where the tag makes sure it communicates with an

authorized reader prior to disclosing any sensitive information (prevention), tag authentication

where the reader makes sure the tag is genuine (remedy), and mutual authentication that

incorporates both these approaches. Since reader authentication is only a partially

preventive countermeasure, it cannot be considered a complete solution against tag cloning.

Tag authentication protocols are briefly presented in subsection 1.3.2 above. Even though

tag authentication protocols can provide significant improvements to a tag’s cloning

resistance, there are many ways to conduct a cloning attack even against a protected tag.

These attacks include side-channel attacks (e.g., [37]), reverse-engineering and cryptanalysis

(e.g., [38]), brute-force attacks, physical attacks (e.g., [39]) and different active attacks against

the protocol of the tag itself (e.g., [40]). In addition, tag authentication is always vulnerable to

data theft, where the secret encryption schemes of genuine tags are stolen or sold by

insiders.

3) Attack against RF communication: An attack against the radio-frequency (RF)

communication can also fool the product authentication system. An adversary could conduct a

replay attack by hiding a replay device close to the reader device (or even together with a

product) to replicate genuine tags. A replay device is basically an RF tape recorder that can

scan and then replicate tags, and building such a device requires only little money or

expertise [41]. Even complex tag authentication protocols can be vulnerable to a relay attack

where the adversary who resides between a genuine tag and a reader captures and

retransmits the challenge from the reader to the genuine tag, and again retransmits the

correct response to the reader device.

4) Manipulation of testing equipment: The testing equipment includes the RFID reader and,

for object-specific features approach, a device that can measure the features of the product

under study. If the testing equipment is compromised, it can no longer be trusted to give the right

answers. In the simplest case the testing equipment can be hard-coded to let all products

pass the check. In a more complicated attack, it could try to claim a wrong location to the

product authentication application, for example the known location of the genuine product so

as to fool the location based plausibility check.

5) Attack against internal IT system: The most important functionalities and data of a product

authentication system reside in the internal IT system of the company that provides the

authentication service. These comprise the reference information of genuine products and

the part of the system that draws the final conclusion about the authenticity of a product.

Therefore the internal IT system can also be an attractive point of attack for adversaries.

6) Manipulation of product history: The history of a product can either move together with the

product as a pedigree (e.g., [42]), reside in a distributed database of all the custodians of the

product (e.g., [36]), or reside in one central database. Depending on the actual

implementation, the history of a genuine product is vulnerable to different ways of

manipulation. We consider the following three cases of manipulation: addition of bogus

events to “relocate” the product, removal of existing events for example to hide the fact that

the product is already sold, and modification of attributes (time and location) of existing

events. All cases of manipulation of history can be used to fool the location based plausibility

check.

7) Forgery of product history: In addition to manipulation of an existing product’s history,

the creation of a falsified history from scratch can also threaten location based product

authentication. We refer to this threat as forgery of product history and it includes creation of

a completely new identity that is given to the counterfeit product and injection of the forged

history to the external IT system.

4.2.3 Risks in product authentication

In this subsection we assess the risks in RFID based product authentication based on the

comprehensive list of threats derived above. The reason to evaluate the risks is to identify

which threats should be mitigated by the system’s functional security requirements, and

which threats need not be addressed. This step can be seen as a reality check about which

threats really are important in practice. The risks that the different threats pose have different

magnitudes (risk levels) that depend on two components – exposure (or consequence) and

uncertainty (or likelihood) [43].

Attacking the RF communication is complex and requires hiding special equipment in the

proximity of the authenticating reader device. Doing this is hard in practice since the

authentication takes place in a controlled environment under the supervision of authorized

personnel. Therefore the likelihood of such an attack is low. Similarly, since the testing

equipment is handled by authorized personnel only, we conclude that manipulation of testing

equipment is also not likely to happen. Attacks against the internal IT systems are not

specific to RFID systems and they can be addressed by standard techniques of security

engineering [6]. Therefore they are left out of the scope of this analysis. Based on the

previous subsection, the risk levels of all the other threats are assumed high enough so that

they need to be mitigated by the functional security requirements. The resulting list of

applicable threats is below. The last two of them apply to location based authentication only.

• Tag removal and reapplying

• Tag cloning

• Manipulation of product history

• Forgery of product history

4.3 Functional security requirements

The functional security requirements of an RFID based product authentication system are the

security goals that are needed to mitigate the list of threats obtained from the risk

assessment at the end of the previous section. The overall security requirement is to mitigate

all applicable threats. If a threat is not mitigated, the cost to break the system is low and the

system is not secure. Therefore the level of security of a product authentication system

depends on how well the functional requirements are met. There are multiple combinations

of security goals that mitigate all the threats, which reflects the different product

authentication approaches. In particular, all security goals can be substituted by others. The

threats and security goals are illustrated in the use/misuse case diagram, Figure 7.

The threat of tag cloning attack must be mitigated either by a tag authentication protocol that

detects the cloned tags, by location based authentication that detects the cloned tags, or by

verifying the object-specific features, which authenticates the product itself.

The threat of tag removal and reapplying attack must be mitigated either by verifying the tag-

product integrity (e.g., with a seal), by verifying the object-specific features, which detects if the

tag is attached to a wrong product, or by preventing the tag removal. One way to prevent the

removal in practice is to integrate the tag in such a way that the chip will detach from the

antenna if the tag is removed. This method is applied for example in some sprayer perfume

bottles where the tag resides between the bottle top and the glass bottle – and if the bottle

top is removed, the antenna will stay attached to the glass bottle whilst the chip comes off

with the bottle top.

Last, the threat of manipulation of product history is mitigated by guaranteeing the integrity of

the history, and the threat of forgery of product history is mitigated by guaranteeing the

authenticity of the history. Integrity and authenticity are basic security services and how they

can be guaranteed in a product authentication system in the EPC network is discussed in

Section 5.

Figure 7. Use/misuse-case diagram of functional security requirements of RFID based product

authentication. The white ovals are the security goals of the system and the black ovals represent

the threats. The overall requirement is to mitigate all applicable threats with security goals. (See footnote 6.)

The functional security requirements of different RFID-based product authentication

approaches are summarized in the table below. All three approaches achieve the same

overall goal, which is to mitigate all threats against the system.

Table 7. The functional security requirements of different product authentication approaches

| Tag authentication approach (crypto tags) | Object-specific security features approach | Location based plausibility check approach |
| --- | --- | --- |
| • Tag authentication | • Verify object-specific security features | • Guarantee integrity of history |
| • Prevent tag removal / verify tag-product integrity | | • Guarantee authenticity of history |
| | | • Detect cloned tags |
| | | • Prevent tag removal / verify tag-product integrity |

6 A bigger version of this picture is in Appendix B

5 Product authentication in the EPC network

In Sections 2-4 of this report, we have collected requirements for a product authentication

system from various end-users and derived functional and non-functional security

requirements that the system must conform to. In this section, we analyze how the collected

set of constraints and requirements can be met by the EPCglobal infrastructure (EPC

network) that is subject to research in the overall BRIDGE project. This analysis will yield

concrete guidelines for the development of a trial infrastructure that will take place in Task 4

of this work package.

Subsection 5.1 presents the technical environment of the solution. In subsection 5.2 we

derive different solution concepts for product authentication in the EPC network.

Assumptions about solution implementation are necessary to investigate EPC network’s

conformance to the collected requirements for product authentication. In subsection 5.3 we

go through business requirements and the functional security requirements and analyze how

the existing EPC network conforms to them, and present suggestions for improvements.

Because the conformance to non-functional security requirements (Section 4.1) is practically

independent of technology, they are omitted from this analysis.

5.1 Technical environment of the solution

EPC stands for Electronic Product Code and it is an industry-driven RFID standard of

EPCglobal Inc. [44]. Being supported by major industrial players especially from the U.S.

retail industry (e.g., Gillette, Johnson & Johnson, and Wal-Mart), EPC is the most deployed

standard for networked RFID. EPC systems are built for increased supply-chain efficiency

and we identify how they can be used in product authentication.

The hardware and software roles defined by EPCglobal are illustrated in Figure 9. These

comprise EPCglobal core services that are common for the whole network, as well as roles

that are specific to each EPCglobal subscriber, i.e. a company. The security functions of the

EPCglobal architecture are distributed among different roles and interfaces [45]; therefore an

understanding of the complete architecture is required.

Most EPC tags are inexpensive passive tags (EPC Classes 0/1/2) for item-level tagging with

optional user memories. In addition to tags, readers, and the filtering & collection layer that

generates application layer events (ALE), EPCglobal also develops standards for sharing the

item-level data to enable a complete RFID network. The main network components are EPC

Information Services (EPC-IS), Object Naming Service (ONS), and Discovery Services (DS)

[45].

The EPC-IS defines a standard interface for capturing and querying EPC-related data and the

related security mechanisms, authentication and authorization [46]. Here, authentication

means verifying the identity of different entities of the network, and authorization means

verifying that a certain entity has the permission to access certain data. The EPC-related

data, events about single or aggregated items, is stored in the EPC-IS repository. The ratified

specifications of the EPC-IS were published during the time of finishing this article and can

be found in [47].

The ONS [48] uses the Internet’s existing Domain Name System (DNS) for looking up

(resolving) information about a certain product from the owner of the EPC number database,

which is typically the manufacturer of the product. EPCglobal provides the root ONS as a

part of the core network services and it is up to each subscriber to run the local ONS that

replies to the lookup requests. A typical ONS query, where the network address of the EPC-

IS of the brand-owner (denoted by address(EPC-ISB)) is resolved from the EPC number of

the tag, is presented in Figure 8. To illustrate the ONS query format, the local system

(denoted by A) queries the ONS system with an EPC in URI form and receives the URI form

domain name as a response:

1. A → ONS: EPC (e.g.: urn:epc:id:sgtin:0614141.000024.400)

2. ONS → A: address(EPC-ISB) (e.g.: 000024.0614141.sgtin.id.onsepc.com)

Figure 8. An example of a typical ONS query [48]
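The mapping visible in Figure 8, as an added example that is not part of the original report: the serial number is dropped, the remaining fields are reversed and the ONS root is appended. Because the EPC is read from a tag and is therefore untrusted input that ends up in a DNS name, the sketch validates it first; the function names are hypothetical, only the SGTIN scheme shown in the figure is handled, and the length rule (company prefix plus item reference is 13 digits) comes from the GS1 tag data standard rather than from the report.

```python
import re

# Pure-identity SGTIN URI: company prefix . item reference . serial number.
# [0-9] is used instead of \d so that non-ASCII digits are rejected.
_SGTIN_URI = re.compile(r"urn:epc:id:sgtin:([0-9]{6,12})\.([0-9]{1,7})\.(\S+)")


def epc_to_ons_domain(epc_uri: str, ons_root: str = "onsepc.com") -> str:
    """Derive the ONS lookup name for an SGTIN EPC, as in Figure 8.

    Raises ValueError for anything that is not a well-formed SGTIN URI, so
    that data read from a cloned or malformed tag cannot steer the lookup
    towards an arbitrary DNS name.
    """
    match = _SGTIN_URI.fullmatch(epc_uri)
    if match is None:
        raise ValueError("not a well-formed SGTIN pure-identity URI")
    company_prefix, item_reference, _serial = match.groups()
    if len(company_prefix) + len(item_reference) != 13:
        raise ValueError("company prefix and item reference must total 13 digits")
    # The serial number is deliberately left out: the lookup identifies the
    # product class and its manufacturer, not the individual item.
    fields = ["id", "sgtin", company_prefix, item_reference]
    return ".".join(reversed(fields)) + "." + ons_root


def ons_domain_or_none(epc_uri: str):
    """Convenience wrapper: return None instead of raising on bad input."""
    try:
        return epc_to_ons_domain(epc_uri)
    except ValueError:
        return None


if __name__ == "__main__":
    print(epc_to_ons_domain("urn:epc:id:sgtin:0614141.000024.400"))
```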

The DS locates all EPC-IS services that may have information about a specific EPC and,

additionally, also provides a cache for some EPC-IS data [45]. The DS is not yet a defined

part of the EPCglobal architecture framework, but its general functionality is known. The DS

is subject to closer research in WP2 of this project. To illustrate the functionality of the DS, an

example of one possible query format, which is by no means the final query format of the DS

that is being developed in WP2, is illustrated below. Here, A refers to an application that

wants to locate information about a certain EPC from the DS, and address(.) refers to the

network address of a network service (.).

1. A → DS: EPC

2. DS → A: {address(EPC-IS1), address(EPC-IS2), …, address(EPC-ISN)}

To link this example with the example ONS query from above, the manufacturer’s server in

the ONS query, EPC-ISB, can be one of the returned services from the DS query, e.g. EPC-

IS1. In addition to ONS and DS, the core services of the EPCglobal architecture include

the subscriber authentication (SA) service.

Figure 9. Illustration of the hardware and software roles of the EPCglobal architecture

framework [45]. EPCglobal standards define the interfaces between the roles.

5.2 Different solution concepts in the EPC network

We identify three distinct solution concepts for secure product authentication in the EPC

network. These three concepts are presented below.

Concept 1: EPC-PAS

The first solution concept makes use of the EPC Product Authentication Service (PAS)

suggested by Staake et al. [36] that is run by the brand-owner. A product is authenticated by

a challenge-response protocol between the tag and the EPC-PAS server. In addition, it has

to be guaranteed that the tag is attached to the right product, otherwise only the tag is

securely authenticated but not the product. Product authentication in this solution concept

can be based on tag authentication using cryptographic tags (subsection 1.3.2) or on object-

specific features (subsection 1.3.1; see footnote 7). The architecture and message formats of this solution

concept are presented in Figure 10.

7 This approach can be implemented as a challenge-response protocol where the challenge is void and the response is the measured feature value.

Figure 10. Solution concept 1: Product authentication based on tag authentication / object-

specific features.

Concept 2: Local trace analysis

The second solution concept is based on querying the EPC network for a product’s trace and

making the trace analysis locally (by the EPCglobal subscriber of the accessing application)

in order to know whether the read tag is the genuine one or a cloned one. Both DS and ONS

queries can be used to locate the services that contain information about a product, if these

locations are not known prior to the authentication. The accessing application retrieves the

trace according to its authorization to access events regarding the product under study. As it

can be assumed that events about products are by default kept secret and shared on a

need-to-know basis only, this solution concept is likely to be feasible only for authorized trading

partners. The architecture and message formats of this solution concept are presented in

Figure 11.

[Figure 11 diagram labels: RFID Tag, RFID Reader, Filtering & Collection (ALE) and EPCIS at each EPCglobal Subscriber; EPCglobal Core Services (SA, DS, ONS Root); EPCIS Accessing Application with DS/ONS lookup, EPCIS queries and returned traces; Trace Analysis producing the answer (Yes, No, Don’t know).]

Figure 11. Solution concept 2: Product authentication based on local trace analysis by an

accessing EPCglobal subscriber.

Concept 3: EPC-TAS

To improve the trace analysis concept presented above, we also consider promoting the

functionality to detect cloned tags to the level of the core services of the EPC network. We

call this new service the EPC Trace Analysis Service (EPC-TAS) and it requires that all

parties who handle the products agree to share certain events like reception and shipping

notifications with the EPC-TAS. In this way the EPC-TAS would obtain comprehensive

visibility of the movement of the products and could thus analyze the complete traces of

products in real time to detect cloned tags. The primary functionality of this

service is to receive queries of triplets {EPC, Location, Time} and to answer whether the

product under study is genuine or a cloned one. This third product authentication concept is

presented in Figure 12.

Figure 12. Solution concept 3: Product authentication based on global trace analysis by EPC-

TAS.

The different ways to implement product authentication systems in the EPC network are

illustrated in Figure 13 below. The numbered communication flows present the three solution

concepts.


Figure 13. Illustration of product authentication in the EPC network: the accessing application

on the right-hand side authenticates a product with an EPC number on it. The numbered

communication mechanisms represent the three different solution concepts. (*Planned but not

yet defined service, **New service)


5.3 EPC network’s conformance to general requirements

In this subsection we go through the list of end-user’s general requirements for RFID-based

anti-counterfeiting systems, and analyze how the EPC network and related standards

conform to them.

The same system is used in the whole supply chain

The EPC network based product authentication system can be used in the whole supply

chain if all supply chain partners install the needed RFID reader infrastructure and software (e.g.,

a product authentication application client). For the location based check, it is not always desirable

to share the track and trace data with all those parties who authenticate products. This can

potentially limit the usability of the product authentication system among supply chain

partners. Therefore the location based plausibility check should be provided by the

manufacturer or someone working under the manufacturer’s control and authority, so that a

verifier does not acquire the complete track and trace record of the product under study but

only the outcome of the check (i.e., genuine or counterfeit) from the provider of the product

authentication service. If this limitation regarding track and trace data sharing is

overcome, then the location based product authentication system can also be used without

further issues in the whole supply chain.

Customs can use the system to authenticate products

Customs require a standardized solution when it comes to wider adoption of product

authentication techniques. There are tens or hundreds of different product authentication

techniques today and most of them require special equipment. Customs simply cannot invest

in multiple product authentication techniques because it means overlapping investments in

hardware and training of personnel. Currently, customs see RFID only as one among several

product authentication techniques.

However, barcode readers are widely adopted by the customs today and barcode readers

are a part of basic equipment of modern customs officers. When RFID matures, it will replace

and complement barcodes in many applications. Therefore it can be assumed that customs

will also adopt standard RFID readers to replace and complement the existing barcode

infrastructure. Therefore RFID based product authentication techniques appear more

promising than competing technologies.

Customs also require that the system gives a clear answer as to whether the product is authentic

or not. Therefore the location based product authentication approach could be used by the

customs only if the verification of identity is automated.

End-users and consumers can use the system to authenticate products

The optimal anti-counterfeiting system would also allow the consumers and end-users of the

products to authenticate products. In the case of institutional end-users (e.g., an airplane

maintenance centre that wants to detect bogus spare parts), the situation is similar to that of the

supply chain partners. When it comes to private consumers, two constraints have to be

overcome.


First, in order to use the EPC network based product authentication systems by themselves,

the consumers need access to an RFID reader device. This could be achieved by installing

publicly available RFID readers, for example as an added value service provided by retailers,

that consumers could use for different identification based services. Already today, there are

publicly available barcode readers that consumers can use to decode barcodes, but they are

rather sparse. A more promising solution in the long term is the capability to read RFID tags with

mobile phones. Already today, Near-Field Communication (NFC) technology brings

specific RFID readers to mobile phones. The NFC adoption rate is low today, but according

to a prediction by ABI Research, in the year 2011 a total of 450 million mobile handsets (30% of

all mobile handsets) will be NFC-enabled [2]. It is important to note, however, that current

NFC reader devices cannot read EPC tags, which operate in another frequency band and

comply with completely different RFID standards.

The second constraint is that a specific access point to the product authentication application is

required for external parties who come from outside the EPC network. Consumers will not have

access to EPC network services as they are not EPCglobal subscribers. This constraint can

be technically overcome by setting up a public access point for the EPC network based

product authentication service.

The system verifies the identity automatically

The output format of the authenticity check should be a clear “yes” or “no” answer (i.e.,

genuine or counterfeit). Optionally, the system could estimate the level of confidence of the

answer to detect unclear cases. The way this answer is derived (i.e. how the system

verifies the claimed identity) should be automated. In the case of authentication based on

object-specific features and tag authentication, the verification of authenticity is

straightforward and can be easily automated. In the case of the location based check, the track and

trace data needs to be analyzed for a plausibility check that detects cloned tags, i.e.

counterfeits. End-users of the system cannot analyze the track and trace data manually

when performing wide scale checks. First of all this would be time consuming and thus

costly. Secondly, the end-users of the system might lack the required expertise to detect

suspicious movements from the product’s trace.

So far there are no published methodologies or guidelines on how to use the track and trace

data to automatically detect cloned tags for anti-counterfeiting. This functionality needs to be

implemented by making use of artificial intelligence that can distinguish suspicious traces

among licit ones. How to design and implement such a system will be subject to research in

the following phases of this work package.

The system supports supply chain management

One of the business requirements of RFID based product authentication systems is the

support for supply chain management, such as forecasts, automatic replenishment, and

inventory management. An EPC network based product authentication system has

access to the item-level information needed to enable this support; product authentication

can be seen as one service and source of business value that the EPC network enables. The

approach where multiple business applications reside over the same technical platform is


also an underlying motivation of the BRIDGE project. In this way, the return on investment of

RFID technology comes from multiple business applications rather than from one specific

way the technology is used.

The system supports online authentication

End-users of the RFID-based product authentication system require that the authentication is

non-static and conducted online. This means that an online system can monitor the status of

the products that are protected by the system and that the verification process can be

managed dynamically. Product authentication in the EPC network happens online. This

means that in contrast to holograms, for example, the system can monitor and log past

instances of the authentication protocol. In this way, for example, the number of counterfeit

products the system has detected is automatically calculated. The fact that the security

features are not static but dynamic means that compromised (copied) product EPC numbers

or tag cryptographic secret keys can be blacklisted, thus preventing the repeated use of

broken security features.

Real-time data

The EPC network based product authentication system can be fully automated and works on

real-time data. This enables short response times (seconds) and real-time monitoring, which in turn

enable very fast response times for countermeasures that take place after product

authentication.

5.4 EPC network’s conformance to industry specific requirements

In this subsection we analyze the EPC network’s conformance to the industry-specific

tagging requirements from Section 2.

Tag cost, reading distance, and lifetime

The interviews with different companies have revealed that most end-users of RFID based

product authentication systems demand low-cost tags that can be read from long distance in

a reliable way. Furthermore, the required tag lifetimes vary from some months up to 15 years

and more. This calls for the use of simple passive UHF tags, for example EPC Class-1

Gen-2 UHF tags [49]. The UHF frequency band guarantees the best reading distance in the

absence of metals, fluids, and other conductive materials. The reliability of existing EPC tags,

namely the read rate, depends on the specific reading environment and is therefore hard to

generalize, but overall it is not always satisfactory, especially in environments with

conductive materials. However, the read rate is increasing as the technology matures.

Passive tags have a practically infinite lifetime [50], which in theory is enough for virtually

all applications. However, this longevity holds only if the environment does not harm

the tag, for example through physical stress or extreme temperatures. In contrast, active tags’

lifetime is determined by the battery’s lifetime which is typically some years. Requirements

regarding tag integration to products are case specific and will not be addressed here.

Overall, RFID appears a suitable tagging technology when compared against the

requirements of end-users of product authentication applications.


5.5 EPC network’s conformance to security requirements

In this subsection, we go through selected security requirements of product authentication (see footnote 8)

that are collected in Section 4 and analyze how the existing EPC network conforms to them.

Tag authentication

The current EPC network does not directly support tag authentication. Furthermore, to our

knowledge there are currently no cryptographic RFID tags commercially available that

operate in the UHF band that is likely to dominate in supply chain applications; most existing

cryptographic RFID tags operate in the HF band and normally conform to ISO 14443

(proximity card) or sometimes to ISO 15693 (vicinity card) standards. There are, however,

first implementations of a tag crypto module for Advanced Encryption Standard (AES) that

fulfill the requirements of both HF and UHF tags in terms of chip size and power

consumption [51]. Though tag authentication in the EPC network is not yet a reality, the

concept of tag authentication in the EPC network has been addressed in the literature. The

EPC Class-1 Gen-2 (UHF) tag standard [49] includes a factory-programmed transponder ID

number (TID) that can be used to increase the tag’s cloning resistance. In addition, Juels [52]

has shown how to leverage the PIN-based access control and privacy enhancement

mechanisms (KILL command) of EPC Class-1 Gen-2 tags to achieve a crude

challenge-response authentication. The EPC Class-1 Gen-2 standard also exploits the difference

between reader-to-tag and tag-to-reader eavesdropping ranges, which can differ considerably.

Before a reader transmits a PIN to a tag, the tag first transmits a random secret to the reader,

and the reader encrypts the PIN code by XORing it with that secret. This protects the

reader-to-tag transmission from eavesdroppers who cannot listen to the weaker tag

transmissions [35], making cloning harder for eavesdroppers.
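The masked PIN transfer described above, as an added sketch that is not part of the report: Gen-2 passwords are 32 bits long and are sent in two 16-bit halves, each XORed with a fresh 16-bit random number supplied by the tag. The names `Gen2Tag` and `send_pin` and the sample PIN are assumptions made for illustration.

```python
import secrets


class Gen2Tag:
    """Tag side of the PIN transfer: hands out one-time masks and unmasks what arrives."""

    def __init__(self, pin, rng=lambda: secrets.randbits(16)):
        self._pin = pin & 0xFFFFFFFF   # 32-bit PIN stored on the tag
        self._rng = rng                # source of 16-bit random values (injectable for tests)
        self._mask = None              # mask issued for the next transfer, if any
        self._halves = []              # unmasked PIN halves received so far

    def request_random(self):
        """Tag-to-reader link (weak backscatter): return a fresh 16-bit mask."""
        self._mask = self._rng() & 0xFFFF
        return self._mask

    def receive_masked(self, masked):
        """Reader-to-tag link (strong): unmask one half; True once the full PIN matches."""
        if self._mask is None:
            raise RuntimeError("no mask outstanding: request_random() must come first")
        self._halves.append((masked ^ self._mask) & 0xFFFF)
        self._mask = None              # a mask is used exactly once
        if len(self._halves) < 2:
            return False               # still waiting for the second half
        candidate = (self._halves[0] << 16) | self._halves[1]
        self._halves = []
        return candidate == self._pin


def send_pin(tag, pin):
    """Reader side. Returns (accepted, forward_link, backward_link).

    forward_link holds what travels reader-to-tag, backward_link what travels
    tag-to-reader. The PIN never appears on the forward link in clear, but its
    secrecy rests entirely on the backward link not being overheard.
    """
    forward, backward = [], []
    accepted = False
    for half in ((pin >> 16) & 0xFFFF, pin & 0xFFFF):   # high half, then low half
        mask = tag.request_random()
        backward.append(mask)
        masked = half ^ mask
        forward.append(masked)
        accepted = tag.receive_masked(masked)
    return accepted, forward, backward


if __name__ == "__main__":
    SAMPLE_PIN = 0x1234ABCD            # constructed sample value
    tag = Gen2Tag(SAMPLE_PIN)
    ok, fwd, bwd = send_pin(tag, SAMPLE_PIN)
    print("accepted:", ok)
    print("reader-to-tag:", [f"{v:04X}" for v in fwd])
    print("tag-to-reader:", [f"{v:04X}" for v in bwd])
```

The forward transcript changes with every transfer because each mask is fresh, while the backward transcript holds exactly the masks, so the PIN stays hidden only as long as the tag's replies are not overheard.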

In order to bring advanced cryptography to the EPC network, Staake et al. [36] proposed to

extend it with a so-called EPC Product Authentication Service (EPC-PAS) that would store

the secret keys and calculate challenges for authentication protocols. This corresponds to

the first solution concept (subsection 5.2) and is illustrated by the mechanism number 1 in

Figure 13. The EPC-PAS would complement the EPC-IS by separating the cryptographic

service from the data repository and it could reply to accessing applications whether a tag is

authentic or not. This analysis shows that the concept of tag authentication in EPC network is

well addressed but the remaining research challenge is how to bring tag authentication into

reality in a scalable and cost-effective way that can guarantee the needed level of availability.

It is important to note that strong tag authentication is subject to research in WP4 (Task 4.3:

Anti-cloning of RFID Tags) of the BRIDGE project, and therefore no new technical solutions for

tag authentication will be proposed in this work package. A comprehensive review of existing

RFID tag authentication techniques can be found in SToP deliverable D3.1 - State-of-the-art

analysis on relevant research, existing technologies and products.
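A minimal model of the EPC-PAS idea, added here as an illustration and not taken from the report or from Staake et al.: the service keeps the tag keys, issues single-use challenges, answers yes or no, logs every check and honours a blacklist as described under online authentication in subsection 5.3. HMAC-SHA256 stands in for the tag's cipher, and all names (`EpcPas`, `tag_response`, `revoke`, `failed_checks`) are assumptions.

```python
import hashlib
import hmac
import secrets


def tag_response(key, challenge):
    """What a cryptographic tag would compute for a challenge.

    Assumption: HMAC-SHA256 is used here only because it is in the standard
    library; a real tag would run whatever cipher its chip implements.
    """
    return hmac.new(key, challenge, hashlib.sha256).digest()


class EpcPas:
    """Hypothetical product authentication service separated from the data repository."""

    def __init__(self, keys):
        self._keys = dict(keys)   # EPC -> secret key; keys never leave the service
        self._pending = {}        # EPC -> challenge still waiting for a response
        self.blacklist = set()    # EPCs whose key or number is known to be copied
        self.log = []             # (EPC, answer) for every completed check

    def new_challenge(self, epc):
        """Issue a fresh random challenge for the accessing application to relay."""
        challenge = secrets.token_bytes(16)
        self._pending[epc] = challenge
        return challenge

    def verify(self, epc, response):
        """Return True (genuine) or False, and record the outcome."""
        challenge = self._pending.pop(epc, None)   # each challenge is valid once
        key = self._keys.get(epc)
        if epc in self.blacklist or challenge is None or key is None:
            genuine = False
        else:
            expected = tag_response(key, challenge)
            genuine = hmac.compare_digest(expected, response)
        self.log.append((epc, genuine))
        return genuine

    def revoke(self, epc):
        """Blacklist a compromised EPC so that its broken security feature cannot be reused."""
        self.blacklist.add(epc)

    def failed_checks(self):
        """Number of checks that ended with a 'no' answer, derived from the log."""
        return sum(1 for _, genuine in self.log if not genuine)


if __name__ == "__main__":
    EPC = "urn:epc:id:sgtin:0614141.107346.2017"   # constructed sample value
    KEY = bytes(range(16))                          # constructed sample key
    pas = EpcPas({EPC: KEY})

    c = pas.new_challenge(EPC)
    recorded = tag_response(KEY, c)
    print("genuine tag:", pas.verify(EPC, recorded))

    pas.new_challenge(EPC)
    print("recorded response replayed:", pas.verify(EPC, recorded))

    pas.revoke(EPC)
    c = pas.new_challenge(EPC)
    print("after blacklisting:", pas.verify(EPC, tag_response(KEY, c)))
    print("failed checks:", pas.failed_checks())
```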

8 The security requirements “verify of tag-product integrity” and “prevent tag removal” are omitted from this

analysis because they do not depend on the properties of the EPC network


Object-specific features based authentication

The object-specific security features based product authentication approach can also be

implemented as a challenge-response protocol where the response message is simply the

measured feature value. Therefore the EPC-PAS concept presented above could also be

used to implement this product authentication approach. From the EPC network, this would

only require storing the unique feature values of the product in the EPC-PAS in a similar way

to the secret keys or access codes. Overall, the requirements this approach places on RFID

technology are minimal, as the complexity lies in the physical measurement of the features.

Guarantee integrity of history

The location based product authentication application has to have a correct and complete

history of the product under study. In order to conform to this requirement, the network has to

guarantee two things: that the events are not tampered with and that all the events for which

the accessing application is authorized are returned when requested. The former can be

achieved in the EPC network by securing the communication and protecting the data in EPC-

IS repositories. The EPC network’s conformance to the latter depends on the Discovery

Services module (DS) that is not yet defined. If the DS cannot guarantee that it locates all the

services in the EPC network that publish events about a product, then the product

authentication application is not guaranteed to have the complete visibility for the detection of

cloned tags. This may lead to false decisions made by the location based product

authentication application. For example, consider a case where products are for the first time

imported for sales to another country and the receiving company scans the products and

publishes the reception event in their EPC-IS. If the products are later authenticated at the

sales point based on their history but the DS does not locate the events that are published in

the receiving company’s EPC-IS, the product authentication application does not know that

the products are imported to that country and might consider them counterfeits.

For the reason illustrated above, the DS needs to guarantee that the complete product

history is located in the EPC network. This needs to be taken into account in the design of

the DS functionality of the EPC network (see footnote 9).

Guarantee authenticity of history

Authenticity of history in the EPC network is guaranteed by authentication of different entities

using public-key infrastructure which is defined by EPCglobal Certificate Profile [53]. These

entities are users inside the EPC network (people), services/servers (EPCIS, ONS, etc.), and

readers and other devices. Even though this mechanism does not allow authentication of the

history itself but only authentication of the entities that provide it, the provided security

mechanism is sufficient because the entities that provide the history have to be trusted

parties. Even when a company signs the events, there is no cryptographic proof that the

product really is in that location. Therefore it is possible to inject false information into the EPC

network, which is currently not addressed by the network’s security services.

9 Requirements of WP5 for the design of serial-level look-up service in WP2 are: Return the complete track and

trace history of a product where the events contain at least (EPC, time of the event, location of the event),

provide the identity of the publishers of the events, and protect the trace from manipulation (when applicable).


Detect cloned tags

The current EPC network does not provide direct support for detection of cloned tags, but it

does provide means for subscribers to do this by themselves, which is represented by

solution concept two, local trace analysis (subsection 5.2). A subscriber can query the

EPC-IS repositories for events about a product and determine for themselves whether the product under

study is genuine or a cloned one. This is illustrated by mechanism number 2 in Figure 13.

This mechanism has three shortcomings. First, the EPC-IS answers queries according to

the authorization of the accessing application and can disclose any amount of information it

wants, which can be less than requested. Therefore only those subscribers who are

authorized to access the product’s history in all the product’s custodians’ EPC-IS repositories

have the full visibility for detecting the cloned tags. This also means that only subscribers of

the EPC network who are authorized to follow the movements of the product can

authenticate the product at all. That restriction is likely to put this authentication

mechanism out of reach for consumers, for example. Last, a party interpreting the track

and trace data might not have all the needed knowledge about the restrictions concerning

the movement of the genuine products to draw the right conclusion whether a product under

study is genuine or a cloned one. For example, it is important to know if the genuine products

are distributed only through a small number of authorized dealers and what the traces of

genuine products normally look like in order to detect suspicious products. Also knowledge of

the exceptional movement of the genuine products, for example when products move

upstream in the supply chain due to mistakes in shipments, can be useful to avoid false

alarms.

The third envisaged solution concept, global trace analysis by EPC-TAS (subsection 5.2),

has benefits over the local trace analysis. The EPC-TAS would have the best possible

visibility to detect cloned tags. In addition, the EPC-TAS would disclose only a minimal

amount of information about the product under study when answering queries (1 bit).

Therefore this product authentication mechanism could be made accessible to many users,

for example consumers, without the fear of disclosing sensitive information like past locations

of the product. This service would have to be run under the authority of the brand-owner to

give necessary credibility, or even legal status, to the answers. Therefore the service could

utilize the brand-owner’s knowledge about the restrictions and irregularities in the distribution

channel of the genuine products in order to configure the system with the best possible a priori

knowledge to give the most sensible interpretations of the track and trace data.
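The following added example (not the BRIDGE project's method, which the report leaves to later research) shows a simple rule-based plausibility check that answers a {EPC, Location, Time} query with yes, no or don't know. Site names, transit times, the one-hour floor and the function `analyze` are constructed assumptions; the partial trace reproduces the missing import event discussed under integrity of history.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    epc: str
    time: datetime
    location: str


# Constructed a priori knowledge about the distribution channel: the minimum
# plausible transit time per known route. Routes are unordered pairs, so a
# product moving upstream (e.g. a mistaken shipment sent back) does not alarm.
MIN_TRANSIT = {
    frozenset({"factory-CH", "dc-DE"}): timedelta(hours=6),
    frozenset({"dc-DE", "importer-FI"}): timedelta(hours=24),
    frozenset({"importer-FI", "shop-FI"}): timedelta(hours=2),
}
MIN_ANY_HOP = timedelta(hours=1)   # assumed floor between any two distinct sites


def analyze(trace, epc, location, time):
    """Answer a {EPC, Location, Time} query: ("yes" | "no" | "dont_know", reasons)."""
    sightings = [(e.time, e.location) for e in trace if e.epc == epc]
    if not sightings:
        return "dont_know", ["no events visible for this EPC"]
    sightings.append((time, location))
    sightings.sort()

    impossible, unknown = [], []
    for (t1, l1), (t2, l2) in zip(sightings, sightings[1:]):
        if l1 == l2:
            continue
        route = frozenset({l1, l2})
        if t2 - t1 < MIN_TRANSIT.get(route, MIN_ANY_HOP):
            # One physical tag cannot be at both sites: two tags carry this EPC.
            impossible.append(f"{l1} -> {l2} in {t2 - t1}")
        elif route not in MIN_TRANSIT:
            # Plausible timing but no known route: the history may be incomplete.
            unknown.append(f"{l1} -> {l2}: no known route")
    if impossible:
        return "no", impossible
    if unknown:
        return "dont_know", unknown
    return "yes", []


# Constructed sample data.
EPC = "urn:epc:id:sgtin:0614141.107346.2017"
T0 = datetime(2007, 7, 2, 8, 0)


def h(hours):
    """Time `hours` after the first event of the sample trace."""
    return T0 + timedelta(hours=hours)


FULL_TRACE = [
    Event(EPC, h(0), "factory-CH"),
    Event(EPC, h(10), "dc-DE"),
    Event(EPC, h(20), "dc-DE"),
    Event(EPC, h(50), "importer-FI"),
    Event(EPC, h(60), "importer-FI"),
    Event(EPC, h(64), "shop-FI"),
]
# Same product, but the importer's events were not located by the lookup.
PARTIAL_TRACE = [e for e in FULL_TRACE if e.location != "importer-FI"]

if __name__ == "__main__":
    print(analyze(FULL_TRACE, EPC, "shop-FI", h(70)))          # complete history
    print(analyze(PARTIAL_TRACE, EPC, "shop-FI", h(70)))       # import event missing
    print(analyze(FULL_TRACE, EPC, "importer-FI", h(64.5)))    # second tag, same EPC
    print(analyze(FULL_TRACE, EPC, "importer-FI", h(70)))      # upstream return
```

With the incomplete trace the check returns don't know instead of declaring the imported product a counterfeit, which is the false decision the report warns about when the lookup misses a custodian's events.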

One major difference between EPC-TAS and other product authentication mechanisms is

that EPC-TAS would detect the counterfeit products without specific authenticity checks

initiated by the custodians of the products. EPC-TAS only needs to be provided the updated

location information of products in order to find counterfeits. This means that the system

could provide product authentication capability as a background, monitoring service.

Furthermore, the EPC-TAS could automatically aggregate the results into business

intelligence for example by identifying the most likely entry points of counterfeit products in

the distribution channel. The precise functionality of the proposed service, especially

concerning the automated decision making process, and the integration of this service into the


existing EPC network, remain open research topics and subject to future work within the

BRIDGE project.


6 Discussion

In this report, we have studied the requirements of RFID-based product authentication

systems for anti-counterfeiting. The considered general requirements do not relate to any

specific use-case of the product authentication system, but present a holistic view of what is

required from an optimal and secure solution. The industry requirements for a product

authentication system are collected from affected companies and solution providers. The

industry-specific requirements, or constraints, regarding the use of a RFID-based product

authentication system have been addressed in four industry branches. Overall, the potential

end-users envisage a fast and reliable online check that can be used by all business partners

and for different kinds of products. The industry-specific requirements mostly relate to the

integration of tags into the products and the way the tags are read. Customs requirements

are also taken into account in our analysis, though to a lesser extent than those of the industries.

Most importantly, we have discovered that customs require a standardized product

authentication system to be used for different kinds of products using mobile reader devices.

To provide solid foundations for a secure solution, we have derived the functional and non-

functional security requirements for product authentication systems. We have identified three

different mechanisms for implementing product authentication systems within the EPC

network, which will be valuable feedback for the trial infrastructure development task (Task

5.4). When analyzing EPC network’s conformance to functional security requirements of

product authentication, we have discovered that the network’s existing mechanism to detect

cloned tags is far from optimal. Detection of cloned tags is needed to guarantee the security of

location based product authentication approaches. Furthermore, the detection needs to be

automated to keep the cost and effort to perform a check low.

For the abovementioned reasons, the solution concept that is chosen in this work package

will perform a location based authenticity check using track and trace data and its main

functionality is to detect the cloned tags through automatic trace analysis. Importantly, this

solution is less expensive than an approach using cryptographic tags and can be

implemented without large additional investments in equipment or hardware. Since the location

based check requires data sharing and collaboration from the custodians of the genuine

products, the future work in this work package includes an assessment of cases where this

solution is feasible, and where other solutions are required.

It should be noted that product authentication alone, however, is not sufficient to fight illicit

trade, but it should be used in a business context. An effective anti-counterfeiting strategy

consists of a combination of countermeasures. General requirements for anti-counterfeiting

and countermeasures against drivers and enablers of illicit trade, as well as against different

dimensions of illicit trade, are studied in a forthcoming deliverable of the SToP project (D1.2 -

Description of technical and organizational requirements for product authentication solutions

based on ambient intelligence).


References

[1] NFC Forum. (2007). Available: http://www.nfc-forum.org/aboutus/

[2] K. Norton and K. Hall, “Contactless Payment Comes to Cell Phones”. Business Week,

November 21, 2006.

[3] C. Swedberg. (2006, December). TwinLinx Proposes to Marry NFC and EPC. RFID

Journal. [Online]. Available: http://www.rfidjournal.com

[4] T. Wiechert, F. Thiesse, F. Michahelles, P. Schmitt, and E. Fleisch, “Connecting Mobile

Phones to the Internet of Things: A Discussion of Compatibility Issues between EPC and

NFC,” Americas Conference on Information Systems, AMCIS 2007, submitted for

publication.

[5] G. Sindre and A.L. Opdahl, “Eliciting security requirements with misuse cases,”

Requirements Engineering, Springer-Verlag, vol. 10, 2005, pp. 34–44.

[6] R. Anderson, Security engineering. New York: Wiley, 2001.

[7] Z. Nochta, T. Staake, and E. Fleisch, “Product Specific Security Features Based on RFID

Technology,” International Symposium on Applications and the Internet Workshops

(SAINTW'06), 2006, pp. 72—75.

[8] M. Lehtonen, T. Staake, F. Michahelles, and E. Fleisch, “From Identification to

Authentication – A Review of RFID Product Authentication Techniques,” presented at the

Workshop on RFID Security 2006, Austria.

[9] A. Juels, “Minimalist cryptography for low-cost RFID tags,” in Proc. 4th Conf. on Security in

Communication Networks, Italia, 2004, pp. 149—164.

[10] I. Vajda and L. Buttyán, “Lightweight authentication protocols for low-cost RFID tags,” in

Workshop on Security in Ubiquitous Computing, 2003.

[11] G. Tsudik, “YA-TRAP: Yet another trivial RFID authentication protocol,” in International

Conference on Pervasive Computing and Communications – PerCom 2006, Pisa, Italy,

2006, pp. 640—643.

[12] G. Avoine and P. Oechslin, ”A scalable and provably secure hash based RFID protocol,”

in IEEE International Workshop on Pervasive Computing and Communication Security –

PerSec 2005, Kauai Island, Hawaii, USA, 2005, pp. 110–114.

[13] T. Dimitriou, “A Lightweight RFID Protocol to protect against Traceability and Cloning

attacks,” in IEEE Conference on Security and Privacy for Emerging Areas in Communication

Networks – SecureComm, Athens, Greece, 2005.

[14] ang, J. Park, H. Lee, K. Ren, and K. Kim, “Mutual authentication protocol for low-cost

RFID,” in ECRYPT Workshop on RFID and Lightweight Crypto, Graz, Austria, 2005.

[15] S. Dominikus, E. Oswald, and M. Feldhofer, “Symmetric authentication for RFID systems

in practice,” in ECRYPT Workshop on RFID and Lightweight Crypto, Graz, Austria, 2005.


[16] M. Feldhofer, M. Aigner, and S. Dominikus, “An Application of RFID Tags using Secure

Symmetric Authentication,” In Proc. 1st International Workshop on Privacy and Trust in

Pervasive and Ubiquitous Computing - SecPerU 2005, Santorini Island, Greece, 2005, pp.

43–49.

[17] D. Bailey and A. Juels, “Shoehorning security into the EPC standard”, Manuscript in

submission, 2006.

[18] D. Ranasinghe, D. Engels, and P. Cole, “Security and privacy: Modest proposals for low-

cost RFID systems,” presented at the Auto-ID Labs Research Workshop, Zurich,

Switzerland, September 2004.

[19] J. Lee, D. Lim, B. Gassend, G.E. Suh, M. Dijk, and S. Devadas, “A Technique to Build a

Secret Key in Integrated Circuits for Identification and Authentication Applications,”

Symposium on VLSI circuits, 2004, pp 176—179.

[20] A. Juels, “RFID Security and Privacy: A Research Survey,” IEEE Journal of Selected

Areas in Communications, vol. 24, pp. 381—394, February 2006.

[21] R. Koh, E. Schuster, I. Chackrabarti, and A. Bellman, ”Securing the Pharmaceutical

Supply Chain,” Auto-ID Labs White Paper, 2003. Available: http://www.autoidlabs.org.

[22] Vijayan, Jaikumar. Boeing readies RFID standards for release to suppliers in 2005 but

the aircraft maker says it won't mandate usage;

http://www.creative-weblogging.de/cgi-bin/frames.cgi?url=http://www.computerworld.com/mobiletopics/mobile/technology/story/0,10801,95989,00.html

[23] DO160 Aerospace Norm Document, provided by Airbus SAS.

[24] ATA Spec2000 Chapter 9, Draft on Parts Specification - version 1.0, provided by Airbus

SAS, 1/17/2007

[25] J. Dryden. Counting the Cost: The Economic Impacts of Counterfeiting and Piracy -

Preliminary Findings of the OECD Study. Communication at Global Congress on Combating

Counterfeiting and Piracy; 30-31 January 2007, International Conference Center, Geneva.

[26] European Commission. Counterfeiting & piracy: Frequently asked questions.

MEMO/05/364, Brussels, 11 October, 2005

[27] European Commission. Community-wide counterfeit statistics for 2004, 2006.

[28] Orgalime, Combating Counterfeiting, October 2001

[29] M. Bishop, “What Is Computer Security?,” IEEE Security and Privacy Magazine, vol. 1,

2003, pp. 67—69

[30] I. Alexander, “Misuse cases: use cases with hostile intent,” IEEE Software, vol. 20, 2003,

pp. 58—66.

[31] GS1. (2007). European Passive RFID Market Sizing 2007-2022. [Online]. Available:

http://www.bridge-project.eu/data/File/European%20Passive%20RFID%20Market%20Sizi

ng%202007-2022-v1.pdf

[32] T. Ramezani and M. Razzazi, “Examination and Classification of Security Requirements of Software Systems,” in 2nd IEEE International Conference on Information & Communication Technologies (ICTTA’06), Syria, 2006.

[33] Chaos Communication Congress. (2006). RFID-Zapper. [Online]. Available: http://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN)

[34] Z. Kfir and A. Wool, “Picking virtual pockets using relay attacks on contactless smartcard systems,” First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05), 2005, pp. 47–58.

[35] S. Weis, S. Sarma, R. Rivest, and D. Engels, “Security and privacy aspects of low-cost radio frequency identification systems,” International Conference on Security in Pervasive Computing – SPC 2003, vol. 2802, 2003, pp. 454–469.

[36] T. Staake, F. Thiesse, and E. Fleisch, “Extending the EPC Network - The Potential of RFID in Anti-Counterfeiting,” in Proc. Symposium on Applied Computing, New York, 2005, pp. 1607–1612.

[37] M.C. O’Connor. (2006, February). EPC Tags Subject to Phone Attacks. RFID Journal. [Online]. Available: http://www.rfidjournal.com.

[38] S. Bono, M. Green, A. Stubblefield, A. Juels, A. Rubin, and M. Szydlo, “Security analysis of a cryptographically enabled RFID device,” in 14th USENIX Security Symposium, 2005.

[39] S. Weingart, “Physical Security Devices for Computer Subsystems: A Survey of Attacks and Defenses,” in Proc. Workshop on Cryptographic Hardware and Embedded Systems, Massachusetts, 2000, pp. 302–317.

[40] H. Gilbert, M. Robshaw, and H. Sibert, “An active attack against HB+ – a provably secure lightweight authentication protocol,” manuscript, July 2005.

[41] J. Westhues, “Hacking the prox card,” in RFID: Applications, Security, and Privacy, Addison-Wesley, 2005, pp. 291–300.

[42] J. Pearson, “Securing the Pharmaceutical Supply Chain with RFID and Public-key Infrastructure (PKI) Technologies”. Texas Instruments White Paper, June 2005. Available: http://www.ti.com/rfid/docs/docntr.shtml.

[43] G.A. Holton, “Defining Risk,” Financial Analysts Journal, vol. 60, 2004, pp. 19–25.

[44] EPCglobal. (2007). Available: http://www.epcglobalinc.org.

[45] EPCglobal. (2005, July). EPCglobal Architecture Framework Version 1.0. [Online]. Available: http://www.epcglobalinc.org/standards/.

[46] EPCglobal. (2006, January). EPC Information Services (EPCIS) Version 1.0 Specification. Working Draft Version of 8 Jan 2006. Unpublished.

[47] http://www.epcglobalinc.org/standards

[48] EPCglobal. (2005, October). Object Naming Service (ONS) Specification Version 1.0. [Online]. Available: http://www.epcglobalinc.org/standards/.

[49] EPCglobal. (2005, January). Class-1 Generation-2 UHF RFID Conformance Requirements Specification v. 1.0.2. [Online]. Available: http://www.epcglobalinc.org/standards/.

[50] California Software Labs. Whitepapers, May 2005. Available at: http://www.cswl.com/whitepapers/rfid-technology.html.

[51] M. Feldhofer, S. Dominikus, J. Wolkerstorfer, “Strong Authentication for RFID Systems using the AES Algorithm,” in Proc. of Workshop of Cryptographic Hardware and Embedded Systems - CHES 2004, Boston, USA, vol. 3156, 2004, pp. 357–370.

[52] A. Juels, “Strengthening EPC Tags Against Cloning,” in ACM Workshop on Wireless Security, 2005, pp. 67–76.

[53] EPCglobal. (2006, March). EPCglobal Certificate Profile. Ratified Specification 1.0. [Online]. Available: http://www.epcglobalinc.org/standards/.

[54] Tecchannel. (June 2006). FDA lifts delay on enforcing drug pedigree rules. [Online]. Available: http://www.tecchannel.de/news/international/440904/.

[55] D. deKieffer, “Trojan Drugs: Counterfeit and Mislabeled Pharmaceuticals in the Legitimate Market,” in American Journal of Law and Medicine, Boston University of Law, vol. 32, 2006, pp. 325–349.

[56] P. Chan, W. Fan, A. Prodromidis, and S. Stolfo, “Distributed Data Mining in Credit Card Fraud Detection,” in IEEE Intelligent Systems, vol. 14, pp. 67–74, November/December 1999.

[57] L. Mirowski, Detecting Clone Radio Frequency Identification Tags. Bachelor's Thesis, School of Computing, University of Tasmania, November 2006.

[58] P. Chan, W. Fan, A. Prodromidis, and S. Stolfo, “Distributed Data Mining in Credit Card Fraud Detection,” in IEEE Intelligent Systems, vol. 14, pp. 67–74, November/December 1999.

[59] S. Stolfo, W. Fan, W. Lee, A. Prodromidis, and P. Chan, “Credit card fraud detection using meta-learning: Issues and initial results,” in AAAI-97 Workshop on Fraud Detection and Risk Management, 1997.

Appendix A – Summary of industry specific requirements

Table 8. Summary of different industries' requirements for an RFID-based product authentication system.

| Business Requirements and Aspects | Information Technology | Automotive Industry | Life Science and Pharmaceutical | Aerospace Industry | CG and Retail Industry |
|---|---|---|---|---|---|
| Data | | | | | |
| Data on tag | Amount and type of data is currently subject to research. | Yes, but depends on the price of the tag. | Yes, 96 bit serial number. Exception: reading data from temperature sensors for 50 days, one reading every minute. | Yes, in the beginning 64kBits, the more the better. | No. |
| Read-only | No. | Yes. | No. | No, also writing, but no deletion. | Yes. |
| Read-out and Write | | | | | |
| Reading speed (high, low) | High, at least 3600 pieces per hour in software manufacturing. | High. | Very high, no concrete numbers available yet. | Very fast, since much information is read; currently available speed is too low; the envisioned future scenario is to walk by an aircraft and, while passing by, scan all RFID tags. | High. |
| Online | Yes. | Yes. | Yes. | Yes, desirable. | Rather yes. |
| Offline | Desirable, but not necessary. | Yes, if cryptographic tags. | No. | Yes, as backup, in case of no connection. | Rather yes. |
| Reading rate | Very high. | High. | 100%. | 100%. | High. |
| Writing speed (high, low) | High, at least 3600 pieces per hour in software manufacturing. | Still subject to research. | Very high, no concrete numbers available yet. | Highest possible writing speeds are desired. | - |
| Distance: small (a few cm), big (up to several m) | Both. Bulk readings should also be possible. | Both, but depends on privacy issues (see text). | Variable reading distance necessary. | Both; optimum would be passing by the airplane and reading all tags. | Both, item- and bulk-reading. |
| Tags | | | | | |
| Active, passive tags | Passive tags, but ideally active tags. | Passive tags. | Passive tags. | Passive tags: yes. Yes, as long as these tags comply with industry norms (Spec 2000 norm). | Passive. |
| Price | Very cheap, considering the number of products to be tagged. | Very low (fractions of one Euro cent up to 1-2 Euro cents). | Not exceeding 2 USD cents. | More or less irrelevant, since parts are very expensive. | Very low (fractions of one Euro cent up to 1-2 Euro cents). |
| Life-time of tag | Life-time of the channel (less than three months from manufacturer to client); for server hardware the tag lifetime shall equal the product lifetime (3-5 years). | At least 15-20 years, due to legal guidelines (15 years after end-of-production). | Product lifetime = tag lifetime, between 1 and 3 years. | Product life-time is around 15 years. Problem: today’s memory capacity would only be sufficient for about 2 years. Tags have to be taken off and replaced by new ones. | 220 days on average. |
| Tag-Visibility (hidden, overt) | Hidden, the smaller the used space, the better; hence, more space can be used for marketing purposes; Microsoft: the look of the product shall be the same everywhere, no matter where it was produced. | Visible, customs require visible tags. | Hidden, due to security and privacy reasons. | None, at least readable. | Overt (see text). |
| Tag-Application (material, surface, etc.) | Inside the DVD inlay for software; hidden, no special requirements concerning the surface. | Yes: place, surface, material, packaging, since some parts don’t have a package, heat, cold, lifetime of the tag. | There are many different and unique factors regarding tag application. No generalization possible. | Very diverse (see below). | None. |
| Clone-proof tags | Desirable but not necessary. | Desirable. | Yes, necessary. | Desired, but not mandatory if a backend TID solution is considered. | Not necessarily if there is database support. |
| Usage of cryptographic tags | Not necessarily, only in case of an offline authentication solution. | Yes. | No. | Yes: a) information should not be legible to customers; b) to assure the identification of the tag. | No. |
| Miscellaneous issues | | | | | |
| Environmental circumstances (temp., overlapping tags, metal, covert tags, liquids) | None. | Temperature, between -30°C and +120°C and more, depends on product and place. | There are different requirements regarding the tag application; tags have to resist cold and rough handling. | Spec 2000 Document, chapter 9 and the DO 160 Document: temperature variation, humidity (high, low), acids, oil compatibility, pressures, shocks, waterproofness, sand and dust, fungus resistance, salt spray, corrosion, icing, fire, flammability, smoke, toxicity, hail, constant acceleration. | None. |
| Products to be tagged | Once a solution is in place, all products will be tagged; in the beginning only frequently counterfeited products will be tagged. | Service parts, wear parts, security relevant parts, parts that are very frequent and thus interesting to counterfeiters; corresponds to 20-25% of all parts. | Products that are most prone to being counterfeited and stolen. | All line replaceable units (LRUs) will be tagged. There are about 5000 LRUs on average on a civil aircraft. | Counterfeit products, expensive products, often faked products. |
| Constraints regarding tag integration | None. | Want to integrate the tag into the part itself; still, it has to endure shocks and temperatures inside the car. | There are many different and unique factors regarding tag application. No generalization possible. Most important aspects, however, are liquids, metals and space issues. | Weight, size and the possibility to attach so that the tag does not fall off. | None. |
| Requirements regarding tamper resistance | Yes, broken if removed (destructive). | Yes, shall break if removed. | Yes, because counterfeit deterrent. | Yes, shall break if removed. | - |
| Devices to check (mobile, portable, fixed devices) | All of the mentioned. | All of the mentioned. | All of the mentioned. | All of the mentioned. | All of the mentioned. |
| Reuse of tags | No, only in closed-loop environments. | Yes, if it saves money. | No. | No. | No. |
| Production Line Application (needed? Speed) | Yes, at least 3600 pieces per hour in software manufacturing. | Yes, rather for suppliers. | Yes. | Yes; additionally different types of tags and reading/writing frequencies have to be taken into consideration, since different countries allow different frequencies. | Not very industry specific. |
| Estimated percentage of tagged products | E.g., Microsoft: around 300 Million pieces. | 25% of all products, later all (between 200 000 and 2000 000). | In the beginning not 100%, especially those which are prone to be faked and stolen, potentially several millions. | All LRUs, almost 100%. | Pallet and carton tagging, later maybe item-level tagging (see text). |
| Degree of human interaction | Bulk reading should be possible. | Low, due to price reasons. | None. | Should not be possible to detach it. | High for pallet and carton tagging. |
| Level of confidence (100% or lower) | Might also be lower; 99%. | Might be lower, if there is a matching between the EDI / ASN and the actual delivery. | 100%, maybe also lower, if percentage of confidence is indicated. | 100%. | High. |
| Own standard | No. | Automotive Standards Organizations are binding. | No. | Spec 2000 aerospace industry standard is more binding for aircraft manufacturers than EPCglobal/GS1 standard. | No. |
| Motivation, further application | Traceability, more visibility and transparency, detection of parallel trading and product diversion. | After Sales Service, manufacturing, potentially logistics. | Legal compliance, logistics, supply chain visibility and transparency, detection of and diversion. | Logistics, Equipment Configuration Management, Warehouse application. | Logistics. |

Appendix B – Illustrations

Figure 6. The chain of trust of (rectangles) and threats against (ovals) an RFID-based product authentication system. The arrows indicate the different information flows that take place within the product authentication process.

Figure 7. Use/misuse-case diagram of the functional security requirements of RFID-based product authentication. The white ovals are the security goals of the system and the black ovals represent the threats. The overall requirement is to mitigate all applicable threats with security goals.

Appendix C – Interview Guideline
