Colorado Springs, Colo. -- Certicom Corp., developer of the elliptic-curve cryptosystem, is collaborating with Texas Instruments Inc. on a security system to provide multitiered authentication in the manufacturing and tracking of often-counterfeited goods like shoes, watches, pharmaceuticals and consumer electronics. The system will link a dedicated Certicom hardware signing appliance with TI's RFID tag generation and reader network.
Prototypes will be demonstrated at an RFID conference this week, though products are not expected before mid-2007 or later. TI and Certicom are proposing elements of the architecture as a potential standard for item-level tags.
Certicom launched its first RFID and sensor-net security products in April, working with sensor-net startup Crossbow. In September, Certicom demonstrated a manufacturing-line tracking system called KeyInject, to be used in the supply chain of sensitive consumer devices such as conditional-access set-top boxes. "The signing engine we're working on with TI definitely has its roots in KeyInject, though there are changes in key generation reflecting the way electronic product codes have been developed," said Tony Walters, director of business development at Certicom.
Joseph Pearson, business development manager within TI's RFID group, said the company has looked at public-key cryptographic systems to bring security to product tracking, and had designed products based on RSA crypto algorithms. But like many OEMs examining IT industry security, TI was impressed by the code efficiency of elliptic-curve cryptography (ECC).
"The vision we have for this, which fits with EPCglobal's model for electronic product codes, is to create an electronic pedigree for products," Pearson said. "You want to look at a product's history on several levels while preserving a customer's privacy, but what you don't want to do is require a microprocessor-driven chip on a single product. The security model has to fit the low-cost goals for RFID systems in general."
The booming global counterfeiting industry, as reflected in the $93 million in counterfeit products seized by U.S. Customs in 2005, is driving this collaborative effort, Pearson said. Secure RFID readers can track item-level information in EPCs.
The 2004 extensions to IEEE cryptography standards, 1363a-2004, specified signatures developed by Certicom founder Scott Vanstone (specifically, Elliptic-Curve Pintsov-Vanstone Signatures), and allowed elliptic-curve algorithms for encryption as well. TI and Certicom collaborated in defining distributed authentication agents that would allow RFID tag authentication at multiple points in the manufacturing and distribution supply chain.
The product-class ID within an electronic product code is encrypted using Certicom ECC, and only readers that have an authorized verification key can authenticate the tag and decrypt the information. A 160-bit ECC cryptosystem saves two-thirds of the code space of a 1,024-bit RSA system, with the same level of security.
The signing appliance, developed by Certicom from the KeyInject work, was designed to fit the high-volume tag generation encountered in pharmaceutical packaging operations, which Walters said provides an "extreme test case" more sensitive to volume and cost constraints than even consumer electronics and clothing.
In the KeyInject model for offshore OEMs and ODMs, Certicom approached makers of digital media systems who traditionally distributed product keys for purposes of content protection, either on a master CD or over networks in unencrypted fashion. Certicom replaced this model with a system based on a secure PCI card similar to a FIPS-140 security module. In RFID, however, the low cost of client tags requires a simple security system, while the multiple tiers of product information allowed in the EPCglobal model require distributed authentication steps throughout the supply chain.