1. Field of the Invention
The present invention relates to a method and a device for protecting a product against counterfeiting, having associated with the product a transponder on which at least one unique identifier is stored.
2. Description of the Background Art
In many cases, it is difficult or impossible to distinguish counterfeit products from original products at first glance. Counterfeits inflict losses at unacceptable levels on producers of original products, however. Consequently, there is a desire to identify products or goods in general in such a way that original products can be distinguished quickly and unambiguously from counterfeits in a simple way.
A variety of noncontacting identification systems, or so-called radio frequency identification (RFID) systems, are used to monitor a flow of goods. Such a system typically includes a base station or a reader or reader unit and a plurality of transponders or remote sensors (tags), which are located in the response area of the base station at the same time. The transponders and their transmitting and receiving devices customarily do not have an active transmitter for data transmission to the base station. Non-active transponders are called passive transponders if they do not have their own energy supply, and semi-passive transponders if they have their own energy supply. Passive transponders take the energy they require for their supply from the electromagnetic field emitted by the base station.
In general, something known as backscatter coupling is used to transmit data from a transponder to the base station using UHF or microwaves in the far field of the base station. To this end, the base station emits electromagnetic carrier waves, which the transmitting and receiving device in the transponder modulates, using a modulation method, and reflects appropriately for the data to be transmitted to the base station. The typical modulation methods for this purpose are amplitude modulation, phase modulation and amplitude shift keying (ASK) subcarrier modulation, in which the frequency or the phase position of the subcarrier is changed.
An access control method for transponders is described in the proposed standard ISO/IEC_CD 18000-6C dated Jan. 7, 2005. In this method, the transponder is first selected from among a plurality of transponders in a selection or arbitration process. The selection method described is a stochastic method in the form of a slotted ALOHA method. Such selection methods are described in detail in, for example, the “RFID Handbuch,” a textbook by Klaus Finkenzeller, HANSER Verlag, third edition, 2002, which has been published in English by John Wiley & Sons.
Once the transponder has been selected or isolated, the reader transmits a query to the transponder in the form of a return transmission of a random number previously transmitted by the transponder as part of the arbitration process, whereupon the transponder transmits protocol control bits (PC) and an identifier in the form of an electronic product code (EPC) to the reader. The protocol control bits contain information regarding a physical layer of the transmission path. Among other things, the identifier or the electronic product code EPC reflects a product identified by the transponder. The assignment of the EPC to the identified product is standardized, so that the product can be deduced from knowledge of the EPC.
A plurality of identifiers can be stored on the transponder, such as the EPC, a transponder-specific identifier known as the tag ID, and/or a communications-specific identifier such as a key identification. It is also possible, for example, for a manufacturer to identify his products with a specific manufacturer identifier. However, it is possible to bring counterfeit products on the market as so-called clones of the original product by reading out one or more identifier(s) from a transponder and using these identifier(s) on another transponder to label a product.
In order to be able to distinguish original products from counterfeits using an identifier, a data comparison can be performed using a suitable database. By this means, it is possible to determine whether a transponder-specific identifier issued only once has already been sighted in another location, and/or whether counterfeiting of an item is to be inferred for other reasons, for example on the basis of inconsistencies in its history. In other words, certain indicators are collected as a result of the data comparison that make it possible to infer a counterfeit, but this does not provide protection for the original products. A (global) data comparison and an analysis of the data to ferret out counterfeits is therefore only possible with great effort and expense.
Moreover, a global data comparison results in a conflict of goals: on the one hand the identifier is published as widely as possible so that a clone can be detected as quickly as possible, but on the other hand this wide publication makes it easier to read out the identifier and produce a clone.
In order to prevent a transponder from being used for a clone, it is known to assign to the transponder a unique, transponder-specific identifier at manufacture, which is protected by hardware means against overwriting. A transponder of this nature thus cannot be used for a counterfeit by overwriting the transponder-specific identifier. Nonetheless, transponders that are produced without write protection can still be overwritten in the corresponding memory areas.
It is therefore an object of the present invention to provide a method and a device for protecting a product against counterfeiting with a transponder associated with the product.
This object is attained by a method for protecting a product against counterfeiting with a transponder associated with the product, upon which at least one unique identifier is stored, wherein a flag in a set or cleared state is associated with the identifier, and read access to the identifier by a reader is only permitted after authentication when the flag is set.
According to the invention, when the flag is set, read access to the identifier, in particular to a transponder-specific identifier such as a unique transponder serial number, is only possible after authentication, which is to say after a successful identity verification. Authentication takes place in compliance with the aforementioned ISO/IEC_CD 18000-6C standard, for example. If a reader transmits a read command for the identifier in the case of a set flag, and no authentication has taken place, the transponder replies with an error identifier or sends no reply.
Depending on the application, blocking of a read access to additional identifiers, for example the EPC, is also advantageous. For example, if the EPC is freely readable, it is possible to infer the content of a container in a simple way by bringing a reader into the appropriate vicinity, thus ferreting out high-value products or the like in a simple way.
In an embodiment of the invention, the flag is at least one binary variable, which can assume at least two states, customarily 0 and 1. The 0 state here is generally designated as a cleared flag, and the 1 state as a set flag. In other embodiments, a reversed assignment of the states is possible, however.
In a embodiment of the invention, the flag is set in a non-reprogrammable memory area and/or is protected by hardware means against overwriting once set. The memory area is, for example, a nonvolatile memory area that can only be written once (one time programmable, OTP). A setting of the flag and/or a protection against overwriting, i.e., what is known as locking, preferably takes place as early as manufacture of the transponder. However, it is also possible for the flag to be set at a later point in time instead.
In another embodiment of the invention, an emulated flag is used, wherein at least one bit of the identifier is used to emulate flagging of the identifier. In other words, when the flag is emulated, it is “simulated” by a bit of the identifier, without providing separate memory areas on the transponder for the flag. AND and/or XOR operations are possible for the combination. In one embodiment, the bits of the identifier are wired to a D flip-flop, wherein a set state is emulated when at least one bit of the identifier is set.
In an embodiment, a security element, such as a check digit or polynomial for error correction, is associated with the identifier. Manipulation of the identifier, or of individual parts of it, can then be detected by checking the check digit, for example.
In another embodiment, the identifier and/or the security element is stored in a protected memory area, wherein the memory area is only accessible following authentication. For example, it is possible to store the identifier in a memory area which can only be addressed through commands of the aforementioned standard that require prior authentication. When the flag is set, then, an additional security level is built in, which demands another password or a certain command, for example.
In another embodiment of the invention, the identifier and/or the security element is stored in a hidden memory area, wherein the address of the memory area is not made public and/or access to the memory area requires a command that is not made public. Here, reading out the identifier from the hidden memory area (shadow memory) is only possible with knowledge of the address and/or of the secret command.
In another embodiment of the invention, the identifier and/or the security element is written to a non-reprogrammable memory area of the transponder and/or is protected by hardware means against overwriting and/or clearing. Consequently, the identifier of the transponder cannot be changed arbitrarily by a user. In the case of protection against clearing, binary cells which are set, which in the general case means are set to 1, cannot be cleared, which is to say set to 0. In this way, although it is indeed possible to manipulate an identification number, it is not possible to write any desired identification number on the transponder. Especially when a security element has been assigned to the identifier, manipulation of the number can easily be detected here through an erroneous check digit.
In an aspect, the identifier and/or the security element is written to the transponder during manufacture, in particular during a wafer test. After manufacture, especially after the measuring procedure (wafer test), the identification number can no longer be cleared or changed.
In another embodiment, the identifier is composed of data concerning a lot number, a wafer number and/or a position on the wafer. The corresponding information can then be retrieved from the identifier by authorized users through reverse inference.
In another embodiment of the invention, the identifier is stored on the transponder in encrypted form. Encrypted storage of the identifier is advantageous when concealment of the products is of interest, for example.
During the manufacturing process, writing of a transponder-specific identifier to the transponder usually takes place prior to the writing of a product-specific identifier such as an EPC. This is exploited in another embodiment of the invention, in which the identifier is a transponder-specific identifier, and an EPC is constructed, at least in part, using the transponder-specific identifier. Manipulation of the identifier here can be detected through a lack of agreement with an associated EPC. It is possible to implement an interaction of this nature between the identifiers, especially in the case of an extended EPC, which includes additional information along with the information hitherto provided in the EPC in accordance with the standard. Within the meaning of the invention, the combination of EPC and protocol control bits PC or extended protocol control bits XPC is also understood to be an extended EPC. When an extended EPC is used, it is possible in another embodiment that a symmetric password is made available for authentication through the EPC. This password is encrypted for transmission here, for example using asymmetric encryption.
The object is further attained by a transponder for protecting a product associated with the transponder against counterfeiting, upon which transponder at least one unique identifier is stored, wherein a flag in a set or cleared state is associated with the identifier, and when the flag is set, read access to the identifier by a reader is only permitted after authentication.
In an embodiment, the flag is comprised of a binary variable. Alternatively or in addition thereto, an emulated flag can be provided as the flag. The identifier preferably contains a security element such as a check digit, so that manipulation can be detected easily.
Further scope of applicability of the present invention will become apparent from the detailed description given hereinafter. However, it should be understood that the detailed description and specific examples, while indicating preferred embodiments of the invention, are given by way of illustration only, since various changes and modifications within the spirit and scope of the invention will become apparent to those skilled in the art from this detailed description.
The present invention will become more fully understood from the detailed description given hereinbelow and the accompanying drawings which are given by way of illustration only, and thus, are not limitive of the present invention, and wherein:
Addressing of the corresponding memory area in the shadow memory area S is required for read access to the identifier ID. Without knowledge of the address of the memory area, reading out the identifier ID is only possible with great difficulty, even when the flag F is cleared. Consequently, in one embodiment of the invention, the address of the memory area where the identifier is stored is only provided to selected persons or groups of persons.
As the flag F, a binary variable can be stored on the transponder T, which preferably is protected against overwriting by suitable measures. In other embodiments, the flag is emulated.
The transponder T from
The invention being thus described, it will be obvious that the same may be varied in many ways. Such variations are not to be regarded as a departure from the spirit and scope of the invention, and all such modifications as would be obvious to one skilled in the art are to be included within the scope of the following claims.
Number | Date | Country | Kind |
---|---|---|---|
DE 102007003514 | Jan 2007 | DE | national |
This nonprovisional application claims priority to German Patent Application No. DE 102007003514, which was filed in Germany on Jan. 19, 2007, and to U.S. Provisional Application No. 60/881,477, which was filed on Jan. 22, 2007, and which are both herein incorporated by reference.
Number | Date | Country | |
---|---|---|---|
60881477 | Jan 2007 | US |