Modern anti-counterfeiting techniques generally can be divided into two classes, namely methods that exploit specific physical properties related to the items to be protected and methods that are based on digital techniques. Typically, these latter methods rely on properties of cryptographic algorithms.
In the physical approach to anti-counterfeiting solutions, the properties to be verified are either features of the item itself (e.g. surface structure) or are technically connected to the item in an irremovable way. Examples include holograms, seals, security labels, water marks, micro marks, chemical marks, special papers and reproduction techniques, fluorescent colors, laser engravings, special coatings and paints, and many more. Methods for marking products or packages rely on special manufacturing steps or special materials that are not commonly available and require highly sophisticated technical production and handling capabilities. The general philosophy behind physical property-based anti-counterfeiting techniques is that there is a substantial and sufficiently large technological gap between the producer of the security mark and the attacker. It is the hope that an attacker trying to create counterfeit products does not have access to the necessary materials, or that cost and complexity of the process of creating forgeries would make the attack unattractive. The ongoing dissemination of knowledge about the technical details and machines for product marking, however, particularly in the age of the Internet, results in a permanent battle between legitimate manufacturer and counterfeiter.
Most physical anti-counterfeiting techniques need some special treatment of items or packages during the manufacturing process, and it is often difficult to verify the genuineness of the artificial marks in an automated way. For example, chemical marks have to be analyzed in a laboratory for their verification.
In contrast, cryptographic methods gain their security only from the secrecy of key material and do not rely on the belief that the manufacturer is technologically superior to the attacker. The level of protection offered by cryptographic schemes depends mainly on the length of the secret keys involved and can easily be scaled such that any straightforward attack becomes impossible. Authenticity of data can be achieved by algorithms for generation and verification of message authentication codes and digital signatures. These algorithms prevent the creation of data for counterfeit products, but they cannot protect against the copying and cloning of valid authentication data of genuine products. In order to provide security against counterfeiting, the authenticity of the item needs to be checked. Therefore, it is typically necessary for the authentication data to be bound to a physical object like a smart card or a security integrated circuit (IC). In this situation, the protection mechanisms of the hardware prevent unauthorized access to key material or authentication data. Verification of the authenticity of items is accomplished by active protocols between the verifier and the item to be tested.
There exist conventional schemes using only data authentication and a database of all genuine products. These schemes establish an electronic pedigree of the products and offer protection from forgery because an attacker is not able to authenticate fake data on its own. But because genuine data can be copied easily, it is not possible to detect cloned products without on-line access to the background database of all products. Even if inconsistencies with entries in the database were detected, the scheme does not distinguish between genuine products and clones.
In the literature, many cryptographic techniques for data authentication have been published. These algorithms typically append additional information for authentication (authenticator, authentication data) to the original data. The authenticator is a function of the original data and a secret key. The authenticator assures that the original data has not been manipulated and that the data is genuine. The cryptographic mechanism guarantees that no attacker is able to compute a valid authenticator without knowledge of the secret key, even if he already knows many valid pairs of data and the corresponding authenticator. Moreover, the cryptographic scheme ensures that the attacker cannot extract the secret key from many valid pairs of data and adjoined authenticator. Interactive methods, e.g. challenge-response protocols, and non-interactive methods, e.g. message authentication codes (MAC) using symmetric key management and digital signature schemes using asymmetric key management, also exist.
Several semiconductor manufacturers currently offer security ICs for the detection of counterfeit products. There exist products for contactless verification based on radio frequency identification (RFID) and wired components. In one scheme, the components implement a challenge-response protocol: the host (verifier) sends a randomly chosen challenge to the security device. The security device in turn computes a message authentication code (for example using a keyed hash function) depending on the challenge and the secret key stored in the device and sends the authentication data back to the host. If the security device uses symmetric key management, the host knows the secret key, repeats the computation, and compares the two results. If the results are equal then the device has proven knowledge of its secret key and will be considered authentic. Almost all available low-cost security devices for anti-counterfeiting follow this design approach.
Since the secret keys of all security devices to be verified have to be known to the host, special care has to be taken to protect the keys stored in the host. In most applications the host contains a special security device (for example a smart card) to protect the secret key.
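The symmetric challenge-response exchange described above, contrasted with a static authenticator that can be copied onto a clone, as an added example that is not taken from the original text. HMAC-SHA-256 stands in for the keyed hash function; the class names, key and product data are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed hash used as the message authentication code (assumed: HMAC-SHA-256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


class SecurityDevice:
    """Models the security IC: it holds the secret key and never exports it."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, challenge)


class ReplayingClone:
    """A clone without the key: it can only replay a response it recorded."""
    def __init__(self, recorded_response: bytes):
        self._recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded


class Host:
    """Verifier with symmetric key management: it must also hold the key."""
    def __init__(self, key: bytes):
        self._key = key

    def authenticate(self, device) -> bool:
        challenge = secrets.token_bytes(16)       # fresh random challenge per run
        response = device.respond(challenge)
        return hmac.compare_digest(mac(self._key, challenge), response)


def demo() -> dict:
    key = secrets.token_bytes(32)                 # constructed device key
    host, genuine = Host(key), SecurityDevice(key)
    # Static authenticator: data and tag copied to a clone still verify.
    data = b"serial=0001"                         # constructed product data
    copied_data, copied_tag = data, mac(key, data)
    static_copy_ok = hmac.compare_digest(mac(key, copied_data), copied_tag)
    # Challenge-response: a response recorded earlier fails a new challenge.
    recorded = genuine.respond(secrets.token_bytes(16))
    return {"static_copy_accepted": static_copy_ok,
            "genuine_accepted": host.authenticate(genuine),
            "replay_accepted": host.authenticate(ReplayingClone(recorded))}
```

The host can only verify because it stores the same key as the device, which is why the key held in the host needs hardware protection of its own.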
There also exist several security devices for anti-counterfeiting using asymmetric key management. In the literature, small VLSI (very large scale integration) devices for the computation of ECDSA (elliptic curve digital signature algorithm) signatures and devices implementing asymmetric challenge-response protocols have been described. A passive RFID tag using an asymmetric challenge-response protocol, for example, is available as a prototype, and the security IC ORIGA available from INFINEON TECHNOLOGIES AG can be used for applications with wired interface.
Asymmetric key management has many benefits over the symmetric approach since there is no secret key information necessary in the host device. This allows the host side of the protocol to be implemented completely in software. This is especially advantageous for large decentralized applications in which an attacker can get access to and control of host devices. All practically relevant applications based on asymmetric key management derive their security from the assumed hardness of computing discrete logarithms in the group of points of some elliptic curve defined over finite fields of characteristic two. This specific mathematical structure offers the best ratio of cryptographic security versus length of the parameters and allows low-cost and small-footprint VLSI implementations with low power consumption.
Another aspect of authentication, however, relates to the protection of data exchanged by devices, beyond the authentication of the devices themselves. Even if a set of devices has been authenticated, critical data sent or received by the devices can be vulnerable. For example, a non-authenticated device can intercept communications and tamper with data, which can go undetected even if the original devices were authenticated. Wireless devices, particularly those used in public spaces, can be especially vulnerable to such interceptions, often referred to as “man-in-the-middle” or “piggyback” attacks. Existing solutions often use a session key, which is typically so long that decoding data quickly is difficult or impossible. Further, session keys known only to the parties exchanging information need to be established, with the keys and the process(es) for establishing them kept secure.
Therefore, there is a need for improved authentication systems that address both device and data security.