A great deal of attention is paid to protecting digital assets. For example, contemporary cryptography inhibits counterfeiting of Blu-Ray video discs and streaming video content. Contemporary cryptography also enables crypto-currencies, securing the underlying store of value and ensuring trusted transactions.
Far less attention is paid to protecting physical assets. As a result, luxury goods fall victim to widespread counterfeiting. Moreover, industrial, medical, aerospace, and military equipment face risks that compromise integrity. Existing authentication solutions fall short of protecting high-value goods against sophisticated threats.
RFID tags may be employed to defend against these threats. The simplest RFID tags identify a physical asset by providing a serial number to a scanner device via electromagnetic waves. While useful for inventory purposes, such simple tags are easily cloned by copying legitimate serial numbers.
More advanced RFID tags hinder cloning by employing a challenge-response mechanism: the scanner sends a random challenge message to the RFID tag; the RFID tag performs a symmetric cryptography operation, a function of the challenge message and the tag's copy of a shared key; the RFID tag returns the response to the scanner; the scanner sends the same challenge message to an online server; the online server performs the same symmetric cryptography operation with its copy of the shared key and returns the result to the scanner; the scanner compares the response from the RFID tag and the response from the online server; if the response values match, the RFID tag is authenticated.
In this scheme, each RFID tag is assigned a unique serial number and a unique shared key; during manufacturing, both values are programmed into the RFID tag and sent to the online server. This manufacturing step may be exploited by a threat actor, as the shared key can be observed during programming.
This scheme has a serious vulnerability that lessens long-term security: the online server is a tremendously attractive target, holding all credentials of all RFID tags. Once the online server is compromised, a threat actor can copy the database and clone the serial numbers and shared keys onto new RFID tags; the cloned RFID tags are indistinguishable from the real RFID tags. The likelihood of this threat increases over time: the online server must be available 24×7 to perform the challenge-response protocol described above (in cyber-security this is called the data at rest problem). Lastly, there is no remediation for RFID tags in the field: they cannot be re-programmed with new “uncompromised” shared keys. This serious vulnerability is inherent in systems that employ shared keys and symmetric cryptography.
A new type of cryptographically strong RFID tag disclosed herein eliminates the vulnerabilities of shared keys by having a robust identity. The RFID tag is attached to a physical asset and is designed to operate for the lifetime of the physical asset. Anti-tampering techniques may be employed to render the DSA-RFID tag permanently inoperable should it be removed from the physical asset.
A robust identity is unique, indelible, and unforgeable. A robust identity must have a practical means of expression and a practical means of authentication. Endowing each RFID tag with its own robust secret identity and a corresponding robust public identity meets these requirements.
The robust private identity and robust public identity are not programmed into the cryptographically strong RFID tag during manufacturing. Instead, a physically unclonable function (PUF) endows each RFID tag with a unique, unobservable, unclonable, and permanent robust secret identity. PUFs exploit variations inherent in the manufacture of semiconductor ICs to produce a statistically random output value that is different in every IC manufactured, including ICs manufactured on the same semiconductor wafer.
A PUF output cannot be observed by an attacker—during manufacturing or otherwise—attempting to copy private key values, thereby preventing cloning, reproduction, or emulation of a DSA-RFID tag. The robust secret identity—unique, indelible, and unforgeable—cannot be observed by any means; it is only used in calculations performed entirely within the RFID tag.
One such calculation performed within the RFID tag produces its robust public identity using a one-way mathematical function of the robust private identity. One-way mathematical functions are used in many contemporary cryptography systems: calculation in the forward direction is straightforward, while calculation in the reverse direction is so difficult as to be considered impossible.
Another calculation performed within the RFID tag provides a challenge-response mechanism. The response is produced by a one-way mathematical function of the input challenge and the robust private identity.
The robust public identity uniquely identifies the RFID tag, providing a means of expression for the robust identity. The robust public identity is also used in the challenge-response mechanism—validation of the response is a function of the input challenge message and the robust public identity—providing a means of authentication for the robust identity.
Moreover, an online service, disclosed herein, records the provenance of each physical asset, starting with binding the RFID tag to a trusted agent—such as the physical asset's manufacturer—and continuing with every conveyance of the physical asset. The recording of each conveyance adds great value: tracing ownership of luxury goods is highly desirable; movement of industrial, medical, aerospace, and military equipment is essential to supply chain assurance.
Implementing a record of provenance using an online server presents a potential single point of failure and vulnerability. Implementing this record as a distributed redundant system may remove the single point of failure, though it creates additional points of vulnerability (in cyber-security this is called a larger attack surface).
The present disclosure includes a novel implementation of blockchain technology that provides a complete solution. This solution also minimizes the attack surface while maximizing availability, addressing the data at rest problem cited earlier.
A blockchain implementation is a specialized database consisting of an ordered sequence of blocks, each block containing a group of transactions. A blockchain forms an indelible record of transactions via a trustless distributed consensus model. Each full node on the blockchain network constructs its own blockchain from first principles, validating every block and validating every transaction using only its own trusted blockchain. Consensus is established by a majority of full nodes, mitigating the vulnerability of compromised nodes. Adding full nodes reduces the attack surface while increasing availability. Implementing a record of provenance using blockchain technology meets all of the requirements for establishing authenticity and provenance of physical assets.
Every transaction in a blockchain is protected by one or more digital signatures using public-key cryptography (PKC). A form of asymmetric cryptography, PKC employs key pairs: a private key (described earlier as a robust secret identity) and a public key (described earlier as a robust public identity).
A digital signature algorithm (DSA) processes an input message (which may be thought of as a challenge) and a private key, and produces a digital signature (which may be thought of as a response). Validation of a digital signature is a function of the input message and the public key.
DSA provides authentication without the risks of a shared key. Additionally, DSA protects the integrity of the input message, preventing modification of the input message. Furthermore, DSA provides non-repudiation: any entity can independently validate the digital signature.
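The shared-key exchange described earlier and the signature-based challenge-response described here, side by side, as an added example that is not part of the original disclosure. It assumes HMAC-SHA256 for the symmetric operation and Ed25519 for the digital signature algorithm (the text names neither); the serial `SN-1`, the function names, and the software-generated key pair standing in for a PUF-derived one are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// responder is anything that answers a scanner's challenge: a tag or a copy of one.
type responder func(challenge []byte) []byte

func fresh() []byte { b := make([]byte, 32); rand.Read(b); return b }

// hmacTag answers with the symmetric operation over the challenge and a shared key.
func hmacTag(key []byte) responder {
	return func(c []byte) []byte { m := hmac.New(sha256.New, key); m.Write(c); return m.Sum(nil) }
}

// sigTag answers with a digital signature over the challenge.
func sigTag(priv ed25519.PrivateKey) responder {
	return func(c []byte) []byte { return ed25519.Sign(priv, c) }
}

// scanShared sends one challenge to the tag and to the server's key database, then compares.
func scanShared(tag responder, db map[string][]byte, serial string) bool {
	c, key := fresh(), db[serial]
	return len(key) > 0 && hmac.Equal(tag(c), hmacTag(key)(c))
}

// scanSigned validates the tag's response using only its registered public key.
func scanSigned(tag responder, reg map[string]ed25519.PublicKey, serial string) bool {
	c, pub := fresh(), reg[serial]
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, c, tag(c))
}

// demo scans a genuine tag and a copy built from the verifier's records, per scheme.
func demo() [4]bool {
	key := fresh()                                   // constructed shared key
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the PUF-derived pair
	db, reg := map[string][]byte{"SN-1": key}, map[string]ed25519.PublicKey{"SN-1": pub}
	fromDB := hmacTag(db["SN-1"])                          // the database holds the tag's whole secret
	fromReg := sigTag(ed25519.NewKeyFromSeed(reg["SN-1"])) // the registry holds no signing key
	return [4]bool{scanShared(hmacTag(key), db, "SN-1"), scanShared(fromDB, db, "SN-1"),
		scanSigned(sigTag(priv), reg, "SN-1"), scanSigned(fromReg, reg, "SN-1")}
}

func main() { fmt.Println(demo()) }
```

The responder built from the key database is accepted exactly like the genuine tag, while the registry of public keys yields nothing that verifies.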
In a blockchain, DSA processes a transaction—formally, a cryptographic hash function of a transaction producing a transaction hash—as the input message and stores the result in the transaction. The digital signature protects the integrity of the transaction by preventing modification due to malfeasance or malfunction. More prominently, the digital signature proves ownership and approval of the asset transfer described in the transaction: the existing owner generates the digital signature using a private key associated with the asset.
This blockchain implementation employs two digital signatures in every transaction, known as 2-of-2 MultiSig. One of the digital signatures is provided by the existing owner of the physical asset, as described in the preceding paragraph. The second digital signature is provided by the cryptographically strong RFID tag: DSA is the challenge-response mechanism, using a one-way mathematical function of the transaction hash and the private key securely ensconced within the RFID tag.
The digital signature provided by the existing owner is cryptographic proof of ownership of the physical asset and approval of a transaction. The digital signature provided by the RFID tag is cryptographic proof that the physical asset is present during the transaction. Both digital signatures are recorded in the transaction and both digital signatures are validated by every full node on the blockchain network.
A new physical asset is added to the blockchain with a registration transaction. This type of transaction can be performed only by a trusted agent known to the blockchain, for example, a manufacturer. Trusted agents hold a trusted agent key pair, including their robust private identity (private key) and a robust public identity (public key). The public key may be registered with a third-party certificate authority.
Registration transactions include the trusted agent public key and the RFID tag public key, binding the physical asset to the trusted agent. A registration transaction includes a digital signature produced by a physical asset's trusted agent and a digital signature produced by its RFID tag. The respective private keys are required to produce these digital signatures, so the digital signatures cannot be forged. Every registration transaction is validated by all full nodes on the blockchain network. After being mined and recorded in the blockchain, a registration transaction is cryptographic proof of authenticity.
Ownership of a physical asset is transferred with a conveyance transaction. This type of transaction can be performed by anyone possessing the physical asset: a distributor, retailer, individual seller, subcontractor, testing service, calibration service, or other supply-chain partner. A conveyance transaction includes a digital signature produced by a physical asset's existing owner and a digital signature produced by its RFID tag. Every conveyance transaction is validated by all full nodes on the blockchain network. After being mined and recorded in the blockchain, a conveyance transaction is cryptographic proof of the physical asset's provenance.
A physical asset's first conveyance transaction is linked to its registration transaction. Each subsequent conveyance transaction is linked to the physical asset's previous conveyance transaction. Every full node maintains an index of the latest transaction for each physical asset. The complete provenance of a physical asset is explored by “walking back” through its linked transactions to its registration transaction.
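One way a full node, or any third party, could validate the 2-of-2 signatures and walk an asset's linked transactions back to its registration, added here as an example and not taken from the disclosure. The `Tx` field layout, SHA-256 as the transaction hash, Ed25519 as the signature algorithm, the in-memory `index` keyed by transaction hash, and the seed-derived keys are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Tx is a registration (empty Prev) or a conveyance; this layout is assumed.
type Tx struct {
	Prev, FromSig, TagSig []byte   // previous tx hash, then the 2-of-2 signatures
	TagPub, From, To      [32]byte // public keys: tag, signing agent or owner, next owner
}

func (t *Tx) Hash() []byte { // what both parties sign; the signatures are excluded
	h := sha256.Sum256(bytes.Join([][]byte{t.Prev, t.TagPub[:], t.From[:], t.To[:]}, nil))
	return h[:]
}

func newTx(prev []byte, to [32]byte, from, tag ed25519.PrivateKey) *Tx {
	t := &Tx{Prev: prev, TagPub: pub(tag), From: pub(from), To: to}
	t.FromSig, t.TagSig = ed25519.Sign(from, t.Hash()), ed25519.Sign(tag, t.Hash())
	return t
}

// WalkBack validates t and each linked predecessor back to the agent's registration.
func WalkBack(t *Tx, index map[string]*Tx, agent [32]byte) (int, error) {
	h, p := t.Hash(), index[string(t.Prev)]
	switch {
	case !ed25519.Verify(t.From[:], h, t.FromSig) || !ed25519.Verify(t.TagPub[:], h, t.TagSig):
		return 0, fmt.Errorf("tx %x: 2-of-2 signature check failed", h[:4])
	case len(t.Prev) == 0 && t.From == agent:
		return 1, nil // registration signed by the trusted agent and the tag
	case p == nil || p.To != t.From || p.TagPub != t.TagPub:
		return 0, fmt.Errorf("tx %x: no valid predecessor", h[:4])
	}
	n, err := WalkBack(p, index, agent)
	return n + 1, err
}

func key(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, 32)) }
func pub(k ed25519.PrivateKey) (p [32]byte) { copy(p[:], k[32:]); return } // public-key suffix

func main() { // constructed keys; a real tag's key would come from its PUF
	agent, shop, tag := key(1), key(2), key(3)
	reg := newTx(nil, pub(agent), agent, tag)
	conv := newTx(reg.Hash(), pub(shop), agent, tag)
	fmt.Println(WalkBack(conv, map[string]*Tx{string(reg.Hash()): reg}, pub(agent)))
}
```

The walk rejects a conveyance whose owner signature does not come from the previous transaction's recipient, whose tag key differs from the predecessor's, or whose chain does not end in a registration by the trusted agent.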
The authenticity and provenance of a physical asset may be explored and vetted by any entity. The digital signature algorithm incorporated into the cryptographically strong RFID tag provides authentication with non-repudiation (challenge-response mechanisms using symmetric cryptography provide only authentication). Non-repudiation enables any entity to validate independently the RFID tag challenge-response mechanism, including remote entities without direct access to the physical asset. Furthermore, non-repudiation enables any entity to investigate a physical asset's entire record in the blockchain, by independently validating each transaction.
Tackling anti-counterfeiting and supply chain assurance delivers great value to manufacturers and customers in the primary market. Significant additional value is delivered aftermarket. Industrial, medical, aerospace, and military equipment may be tracked across departments and organizations; maintenance tests and calibrations may also be recorded. Luxury goods secondary sales are conducted with complete confidence, benefitting all parties: the buyer, the seller, and the manufacturer (brand protection). Every one of these primary and secondary transactions is conducted and recorded with the protection of strong contemporary cryptography.
The novel implementation of blockchain technology employing the cryptographically strong RFID tag constructs an indelible and cryptographically provable record of authenticity and provenance. The registration and conveyance transactions record not simply a reference to a physical asset, but instead record the active participation of a physical asset in its transactions. Every transaction involving a specific physical asset includes a digital signature that can only be produced by its attached RFID tag. Furthermore, such a digital signature can only be produced during the transaction, proving that a physical asset was present during each of its transactions. An entity can independently inspect and validate a physical asset's transactions. Physical assets are thereby protected with a new level of trustworthiness.