- Email: [email protected]
Design and development of a mobile EPC-RFID-based self-validation system (MESS) for product authentication
Computers in Industry 61 (2010) 624–635
Contents lists available at ScienceDirect
Computers in Industry journal homepage: www.elsevier.com/locate/compind
Design and development of a mobile EPC-RFID-based self-validation system (MESS) for product authentication S.K. Kwok *, Jacky S.L. Ting, Albert H.C. Tsang, W.B. Lee, Benny C.F. Cheung Department of Industrial and Systems Engineering, The Hong Kong Polytechnic University, Hung Hom, Hong Kong, Hong Kong, China
A R T I C L E I N F O
A B S T R A C T
Article history: Received 12 August 2008 Received in revised form 18 January 2010 Accepted 1 February 2010 Available online 2 March 2010
The increase in the number of counterfeits penetrating into the open market has created the need for a product authentication approach in tracing and tracking the product anytime, anywhere. Owing to the vague concepts frequently represented in flow of products, this paper presents a self-valuation and visualization system by integrating the RFID technology and EPC concept to protect products from counterfeiting by the means of mobile platform. In this paper, a system architecture is proposed which is capable of integrating mobile technology and EPC-RFID applications. The implementation roadmap of such system architecture is examined and explained in the context of a case study. The aims of the system are to provide greater visibility of the product logistic flow data and to improve the anticounterfeit process, from traditional physical identification to self-validated location-based authentication. The case study illustrates the capability, benefits and advantages of using the proposed system, particularly its support of product authentication and supply chain activities in countering the global counterfeit problems. ß 2010 Elsevier B.V. All rights reserved.
Keywords: Anti-counterfeit system Counterfeiting Electronic product code (EPC) Product authentication Radio frequency identification (RFID)
1. Introduction Counterfeiting has grown substantially over the past years to become the greatest threat to today’s global market [1–4]. International Chamber of Commerce Commercial Crime Services [5] estimated that around 5% of all worldwide trade in 2006 was in counterfeit goods, with the counterfeit market being worth US$250 each year. It is a global phenomenon affecting a wide range of products, spreading at an alarming rate to electrical equipment, cigarettes, and even medicines [6]. The boom in counterfeiting has triggered a dramatic increase in the number of anti-counterfeit and product authentication technologies (such as hologram, security printing, security labels, and biometrics) in the market [8]. However, there are doubts about the ease of selfvalidation that these technologies can provide in product authentication. Since their verification principle relies on optical detection and identification of the security features (i.e. they require human experts or machines to determine whether a given product is genuine or counterfeit), it is a formidable challenge to customers in determining the product’s authenticity themselves. As a result, a self-validated product authentication solution is much needed as far as the customers are concerned.
* Corresponding author. Tel.: +852 2766 6578; fax: +852 2774 9038. E-mail address: [email protected] (S.K. Kwok). 0166-3615/$ – see front matter ß 2010 Elsevier B.V. All rights reserved. doi:10.1016/j.compind.2010.02.001
This paper explores the feasibility and practicality of shifting the focus of product identification from traditional humanreadable or kiosk-based solutions to customer self-authentication. With the popularity of mobile devices (e.g. smart phone), the basic principle of the proposed approach is to demonstrate to the users the full logistic track record of specific products for identifying anomalies under the ubiquitous communication environment with automatic product identification technologies. The tracking and automated identification are based on the use of radio frequency identification (RFID) technology [31]. RFID has emerged as a promising vehicle to combat counterfeiting by its characteristics of automatic verification of product authenticity, non-static nature of security features, and cryptographic resistance against cloning [9]. With several standards have been developed for RFID, electronic product code (EPC) standard [7] (which is developed by Auto ID and sponsored by MIT and EPCglobal) has better compatibility and more recognized in the market. With this standard, real-time RFID-related data can be shared over the Internet [10]. Each RFID-tagged item can be tracked and traced via the complete descriptive information shared under the umbrella of EPCglobal [1,3,7,9]. Thus, the concept of supply chain visualization can be achieved. A number of EPCRFID-based systems have been reported in the literatures [7,32,33], but most of them are standalone kiosk-based solutions. In contrast, with mobile technology that has become part of our daily life, integration of mobile devices and EPC-RFID-based system can provide a more user-friendly self-validated product
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
authentication solution. As such integration is still in an early stage of development, more attention should be paid to discuss the issues posed by developing and deploying such systems. The purpose of this paper is to present the architectural design of a mobile EPC-RFID-based self-validation system (MESS) to enhance the product authentication measure by visualizing product transactions in a supply chain, enhancing the track and trace capability in determining the product’s authenticity, and heightening the security level and self-validated product authentication process compared with the common anti-counterfeit technologies. A case study will also be presented to illustrate the feasibility and procedures of implementing the proposed system in an IT solution provider. 2. Counterfeiting and current product authentication technologies Counterfeiting is an unauthorized copying or application of a trademark on items that do not originate from or with the approval of the brand owner [2,3]. It is a knowing duplication with the purposes of deceiving and defrauding [1]. Numerous researchers indicate that the phenomenon of counterfeiting is not new; but what has changed about counterfeiting today is that the scope and scale of the problem are growing at a rate previously unknown and little recognized by those most affected [11]. The entire society loses billions of dollars every year to counterfeiters. The World Bank’s Global Economic Prospects report for 2002 concluded that there were ‘‘reasons to believe that enforcement of intellectual property rights has a positive net impact on economic growth prospects’’ [3]. Counterfeit goods cause companies to suffer direct loss in sales when they have to compete directly with counterfeiters. Government and manufacturers spend huge amounts of money in combating counterfeiting. Since many counterfeit goods, especially those in the health and safety categories, are of inferior quality, such products had been the cause of a number of major public health and safety incidents [12–14]. The World Health Organization estimated that 5–7% of pharmaceutical products worldwide are counterfeit goods which comprise few active ingredients and lots of contaminants [15]. Thus, counterfeiting is a global problem that produces financial losses as well as public health and safety threats. A range of product authentication tools are available to allow the company to protect its brand and its customers, enforce its rights and protect its distribution channels. The technological solutions [8] that enable companies to authenticate and track their products within the supply chain can be categorized into 2 groups, as presented in Table 1. Lehtonen et al. [16] claim that the optimal product authentication system should have an appropriate level of security and allow customers to authenticate products by themselves. But in the current product authentication technologies, it is observed that even the overt technology can provide a self-verification of products, it is easily reproduced by counter-
625
Table 1 Characteristics of two product authentication technologies.
Visible to naked eye Require specialized equipment to conduct product authentication Possibility of replication by others Cost Durability
Overt
Covert
Yes No
No Yes
Easy Cheap Short
Hard Expensive Long
feiters. Whereas the covert technology can present a high security level, specialized reading devices are required (i.e. not customeroriented). In order to encounter the above limitations, numerous researchers are recently promoting to introduce RFID technology (i.e. a kind of covert technology) to combat counterfeiting. Apart from the user-friendliness, RFID can support location-based authentication for detecting fraudulent transactions, providing better communication within the supply chain. Generally, RFID is emerging as a technology that is utilized for contactless automatic identification of products in different logistics contexts [26,27]. Compared with other product authentication technology, it offers extended data capacity and employs a numbering scheme called EPC, which serves as a global standard to provide a unique ID for any item in the world [1,28]. EPC is a license-plate type of identifier that enables near-real-time tracking information on a product within its supply chain [28]. Although there are other forms of identifiers like universal product code (UPC) and bar code, EPC allows item-level tracking by storing not just information on the manufacturer and product type, but also a unique serial number of the item [26]. This unique identification feature makes RFID feasible in product authentication and even anti-counterfeiting. Table 2 reviews the current RFID-based and EPC-RFID-based product authentication technologies. So far, most product authentication systems are done under the manufacturers’ perspectives, for example, Kwok et al. [10] has proposed InRECS to deliver accurate and global supply chain visibility with intelligent feedback into inventory and materials transfer process for manufacturers. Therefore, this paper attempts to concentrate on designing an approach on the basis of customers’ aspects. 3. Infrastructure of mobile EPC-RFID-based self-validation system (MESS) The architecture of the mobile EPC-RFID-based self-validation system (MESS) is illustrated in Fig. 1. It consists of three tiers: presentation tier, application tier, and information services tier. The 3-tier structure is designed to separate the major functions of mobile product authentication applications into logical sections for handling displays, processing logic, and data services. Displays are managed by the presentation tier, processing logic by the application tier, and data services by the information services tier.
Table 2 Current RFID adoption in product authentication. Purpose
Description
Unique identification
1. 2. 1. 2. 3. 4. 5. 1. 2. 3. 1.
Cryptographic tag authentication
Location-based authentication
Product specific features
Write and catalog a unique serial number on each item [17] Keep a secure list of valid product ID numbers in a secure server [18] Apply re-encryption to prevent static identifiers and optical data of the banknotes [19] Propose a hash-lock approach to lock the tag without storing access key [20] Extend the randomized version of Weis et al.’ hash-lock scheme [21] Employ Gen 2 compliant cryptographic features to encrypt the security level of tag-to-reader communication [22] Utilize lightweight cryptography and Jigsaw encoding to encrypt the EPC code [23] Introduce a secure authentication through the database-reader-tag environment [7] Detect some of the cloned tags by searching for deviations from expected behavior [24] Detect irregularities by comparing the actual and pre-defined product flow [10] Combine the TID number and product specific features of the item to form a digital signature [25]
626
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
Fig. 1. System architecture of MESS.
3.1. Presentation tier The presentation tier has to be discussed first because the system needs to respond to users’ instructions and queries. There are five types of users – suppliers, manufacturers, distributors, retailers and customers – all of which employ RFID reader embedded mobile devices, like mobile phones or personal digit assistant (PDA), to track and trace information on product identification and transactions in the entire supply chain or in the product life-cycle. In other words, when a client queries the RFID-tagged product within the read range of a mobile RFID device, data (i.e. product information) are captured remotely from tags to the RFID reader (see Fig. 2). Fig. 2A shows the data communication through wireless network, while Fig. 2B illustrates the communication through general packet radio service (GPRS). Once the query has been entered, the authentication logic and algorithm will be
processed in the application tier so that the captured data can be sent to and displayed on the client’s mobile device [29]. 3.2. Application tier The application tier, which consists of an RFID intelligent module – product authentication system (PAS) – offers a standard format of product information and visualizing model for the entire life-cycle of the product. It can create and coordinate many sets of diversified data (i.e. information on product movement) within the supply chain into a standardized and consistent body of useful information. This enables customers to track their goods’ origin and movements in the supply chain via wireless network and GPRS. A unique EPC tag is assigned to each individual product that is used to provide the product authentication capabilities of the
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
627
Fig. 2. A logical view of data communication through the Internet.
solution. Once the tagged product is transferred in the supply chain, particular information (such as received date and time) is recorded in the back-end database. Thus, customers can differentiate the genuineness of a product by instantly reading its RFID tag. Alerts are prompted to users when there are problems in the distribution channel like one of the supply chain participants is missing in the trail of transactions.
As shown in Fig. 3, the PAS has two levels and one cryptographic approach to protect the data stored in the RFID tag from malicious access: 1. Level one: EPC generating. 2. Level two: product authenticity check. 3. Cryptography: encryption and decryption.
Fig. 3. Product authentication system (PAS).
628
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
Fig. 4. The structure of a 96-bit Class 1Gen 2 RFID tag.
3.2.1. Level one: EPC generating This module is designed to provide a numbering system for unique identification of individual units of products. In this proposed work, RFID tag that features in EPCglobal Class-1 Generation-2 (which is called Class 1Gen 2 for short in this paper) specification is adopted. One of the reasons of such standard selection is due to its growing adoption in item-level identification in the globalized market [39]. Another reason is because of standardization issues. Owing to the diversity of different standards, recent researches focus on the interchange ability [34,35] and compatibility [36] (especially in two leading standards—ISO and EPC) to encourage the interoperability of product identification for the growing RFID market. In 2006, Class 1Gen 2 has been approved as ISO 18000, being a part of ISO/IEC 18000-6 standard [37]. RFID tags and readers compliant to such standard will be compatible across companies and geographies. Such tag can store various attributes of an item, such as its manufacturer, product type, and unique serial number. In particular, 96-bit EPC tags are the most commonly used in industry because their data capacity is sufficient for most applications. About 80,000 trillion unique numbers can be generated, so about 268 million companies can register with the EPC, with each company has up to 68 billion unique serial numbers for each product [27]. A data structure of 96-bit Class 1Gen 2 is show in Fig. 4, in which it consists of four basic data elements: a header, an EPC manager, an object class, and a serial number. Each element represents particular information of the product, like the EPC manager means the identification code of the company and the object class implies the type code of the product. Thus, by registering information into these elements, each product can have their own unique identification number. Once the manufacturer assigns and generates an EPC to a product item, the entire logistics network traversed by the product can be visualized by recording all the transactions in each supply chain party. The first three data elements are registered according
to the companies’ requirement whereas the last element (i.e. serial number) is automatically generated by a program installed in the RFID intelligent module and stored in the system database. To protect the tag from malicious access, a hybrid cryptographic approach, which will be further discussed later section, is used to encrypt the tag information. After the encrypted RFID tag (eRFID tag) has been generated, the manufacturer will print out the standard format eRFID tags to be attached to the products. Thus, only authenticated readers can access the contents of tags. 3.2.2. Level two: product authenticity check To perform the product authenticity check function, the eRFID tag is decrypted and the stored EPC data is normalized according to a standard format for globalized querying (Fig. 5). Normalization is the process of maintaining the same RFID data format regarding the Class 1Gen 2 standard on the scanned eRFID tags. It involves two components: EPC middleware and EPC information services (EPCIS). Given the wide range of readers, each with a different interface and communication protocol, are available in the market around the world, interoperability of systems are difficult to achieve. It is possible that an enterprise may use several types of readers from one or more vendors. In other words, different data structure will be generated according to particular reader style. Thus, to function in a multi-vendor environment, EPC middleware is used to filter and transform the scanned eRFID data into conformable one. On completion of the data normalization process, the EPC middleware will move on to the EPCIS to associate the EPC data with business events and the related information. Business event data relate to dynamic tracking information of the product when the RFID-tagged product moves through a supply chain. Once the tagged product arrives at a supply chain party, its EPC information will be captured and registered into the company’s local database (i.e. EPCIS). This allows the aggregation of data collected from
Fig. 5. Logic flow of the normalization approach.
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
629
Fig. 6. Example of abnormal flow in supply chain.
reader events for translation into information meaningful to applications. In other words, the EPCIS defines a common interface model for standardizing the EPC-related data in physical markup language (PML) format, which is a standard technology based on extensible markup language (XML), for further application and display on a web-based platform. Through this product authenticity checking process, customers can obtain the EPC of a scanned product by querying the remotely distributed EPCIS. The EPCIS embeds the specified information about the tagged product. In addition, the product details and location record such as when and where the item was produced, when and where the item arrived at the distribution point, etc., can be retrieved. When equipped with such data normalization capability, any type of RFID device (i.e. reader and middleware) can be used to display on a real-time basis, the product information and the route through which the item had moved. This way, customers can be alerted instantly when anomalies are detected in the flow of the item’s supply chain, like missing one of the supply chain participants—this could be a clue that the item is a fake (see Fig. 6).
bit cyclical redundancy code (CRC) to form a ‘key’ and then write into the PIN value of RFID tag. Since the PIN lengths are in 32-bit long, attackers are difficult to resolve it as there are 232 (i.e. 4294967296) combinations. A set of information (i.e. the pseudoEPC and the ‘key’ or hash value) is received when users interrogate the RFID-tagged product by an RFID device. For decrypting the pseudoEPC, an authorized device is required to generate another ‘key’ for unlocking the hash value. If it succeeds in unlocking the hash value (i.e. the received hash value matches with the newly generated hash value), the tag information is said to be trusted (i.e. the information has not been altered nor inadvertently changed). These locking and unlocking processes ensure the integrity of the product information as well as the location record. With this design, supply chain parties will be alerted to which indicates that the tagged item is a counterfeit when they cannot unlock the hash value. Thus, all parties in the supply chain can determine the authenticity of the received product and detect any unauthorized party.
3.2.3. Cryptography: encryption and decryption Although Class 1Gen 2 RFID tag is common to use in item-level product authentication and trace-and-track, it is limited in its data protection [19,33,38,39]. As stated by Jeon and Cho [32], Class 1Gen 2 RFID tag lacks the data protection of tags, and has few mechanisms to manage the message interception over the air channel and the eavesdropping within the interrogation zone of the RFID reader. Thus, to cope with the security threats, a hybrid approach to cryptography and authentication was adopted to protect the information stored in the Class 1Gen 2 tags. As shown in Fig. 7, the EPC is first encrypted by the Jigsaw encoding scheme [23], transforming the 96-bit EPC into a pseudoEPC that is difficult to decrypt. The key idea of using this scheme to encrypt the EPC is because the Jigsaw encoding scheme will not change the standard of RFID readers and tags, keeping the RFID tag in the current ISO/EPC standardization. Then, a hash function [30] is used to lock the pseudoEPC for the purpose of integrity verification of the EPC, helping the user to detect whether the tag is cloned by attackers or not. The hash value employs a 32-
The information services tier contains the system databases that maintain all the information of the MESS. Each record in the database represents a registered product with its EPC and product details like product name, product description, country of origin (COO), expiry date, etc. Therefore, customers can easily retrieve the product information of tagged items by employing mobile RFID devices, and then match the information with the physical product to prevent a fake purchase. However, this only ensures the integrity of product information, but not the integrity of the item’s life-cycle information. A self-developed EPC network is embedded in the system database so as to check both types of integrity. Since the EPC standard is still in an early adoption stage and not many companies currently employ it, a self-developed network, which is based on the specification of EPCglobal Network [40], is used as a secure platform for recording the movement of the product within the supply chain. Once the EPC standard is widely used, the proposed system can be plugged into the EPCglobal. The self-developed EPC network provides a framework for data exchange between parties in the supply chain. All the track and
3.3. Information services tier
630
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
Fig. 7. A hybrid approach to cryptography and authentication in tag protection.
trace information – the location and time when the product moved from one supply chain participant to another – are stored in the system database. Once the product is produced, the manufacturer will generate a 96-bit EPC and register it along with the genuine product information in the database. As the product goes to another participant, say ABC Company, the EPC is registered in ABC’s local EPCIS and then ABC Company will query the object naming service (ONS) to request access to the item’s EPC data. At the same time, the location and event information of this transaction will be registered in the ONS to ensure continued
updating of information in the product life-cycle. This data registration and updating process will repeat itself until the product is purchased by customers. The architecture of the self-developed EPC network is depicted in Fig. 8. As shown in the figure, requesting product information is a roll-up process, which transforms the raw tag data into meaningful and machine readable EPC data. The ONS serves like the domain name system (DNS) in the Internet world, it returns the location of EPCIS where the product details can be found. To shorten the response time, each request will query the local ONS server first.
Fig. 8. Architecture of the self-developed EPC network.
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
631
Fig. 9. Implementation phases in developing the MESS.
When the requested information is not available there, the query will be forwarded to the root ONS server for further resolution. This design enables real-time response to queries. 4. A case study on implementation of the proposed system The proposed system was implemented in an IT solution provider in Hong Kong to assess feasibility of the proposed approach. The solution provider is The Counterfake International Limited. It specializes in developing solutions that integrate different technologies, such as RFID, interactive voice response system (IVRS), short message system (SMS), and web portal, to address the counterfeit issue. In May 2005, the company in collaboration with The Hong Kong Polytechnic University launched a 2-year project on development of an RFID-enabled counterfeit protection prototype with the financial support of a government funding scheme. It aims at exploring the possibility of using RFID technology to fight against the growing number of counterfeits. The system was developed in several phases as shown in Fig. 9. The significance and issues to be addressed in each phase are explained as follows. 4.1. Phase 1: system accessories selection In this case study, passive Class 1Gen 2 RFID tag and RFID reader embedded PDA were used to develop a mobile RFID environment.
In addition, a computer was employed to function as the system server that allows high speed access and provides large storage capacity so that it can deal with many accesses and manipulate the huge database at the same time. Preferably, basic network services for Internet access (e.g. wireless LAN facilities) should also be implemented to allow end-users to access the system remotely. An RFID Label Printer was used to print the EPC tag of each product. Apart from hardware items, it was also necessary to select software packages for implementation of the proposed system. These include a database management system (DBMS) for data manipulation, and a .NET framework from Microsoft for development of application programs. 4.2. Phase 2: content selection Obviously, users expect to retrieve a lot of information from the system for users for browsing. To support product authentication, the contents maintained in the system were determined by answering questions such as (a) How can the product information be presented effectively? (b) What type of product information is useful to users? (c) Are there privacy issues to be addressed? To present the product information clearly, aesthetic appearance and navigational methods are the salient considerations in content selection (Fig. 10). By following the proven guidelines in user interface design, each page displayed by the system should
Fig. 10. User interface of MESS.
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
632
have a consistent look-and-feel, and the areas for system navigation are tailor-made for different types of display device. 4.3. Phase 3: security selection Security is an important issue in the proposed product authentication system. In MESS, the information retrieved from the RFID tag demonstrates a crucial event in detecting the counterfeit. Although the s RFID system is more secure than other product authentication technologies, a weakness of EPC tags as devices in a security system us that they are vulnerable to cloning attacks as well as password disclosure and information leakage [38]. Concerning information must be securely exchanged among the authorized supply chain parties, data encryption and protection is important to support the EPC-RFID-based anticounterfeit mechanism (i.e. presenting the product movement to the users). The security measures selected for protecting the tag information requires heavily on the expertise of system developers. They need to consider various technologies that can provide a secure and sound platform for users to interact with the system, taking into account their constraints and likely enhancements of these technologies. 4.4. Phase 4: data integration Before distributing its products, the manufacturer has to provide the MESS with clean and detailed information on these products. At the same time, a structured and unique identification code is generated for each piece of product tracked by the selfdeveloped EPC network. Typically, the manufacturer provides a data warehouse to store the product information, and another data warehouse to keep records of product movements in the supply chain for visualization of the logistics network. Availability of information on authenticated products and their life-cycle transactions are essential to provide a sound and secure platform for protect against counterfeiting, real-time tracking of products necessitates data synchronization between databases. With the advent of EPC, records in multiple databases can link with each other by the key field (i.e. EPC) in order to perform data exchange in high-volume batch updates and in executing real-time incremental changes. 4.5. Phase 5: system establishment and piloting improvement In the final phase, the system was field-tested in an operational environment at dispersed sites of multiple supply chain participants. Prior to this pilot run, the application programs had to be designed to meet all the actual situations. Meeting and working with the system users ensured that the application programs were customized to suite operational requirements. Continuous feedback and progress meetings were the foundations for system
refinement. Bugs detected during the evaluation period were fixed by the project team to enable the release of ‘error-free’ application programs. With these user feedbacks, the project team can understand the user requirements more thoroughly, enabling them to develop application programs that are more user-friendly. Obviously, this phase involved a lot of analytical and programming efforts (for refining the system) so as to develop a successful system for counterfeit prevention. 5. Performance evaluation The case study reported in this paper sheds light on the effectiveness of using an RFID-enabled infrastructure as a counter measure to combat the global counterfeiting problem. Results of the field trials indicate that MESS out-performs the current product authentication techniques in counterfeit prevention. Apart from self-validated services, MESS also provides stakeholders with other benefits, such as higher level of public safety, better information sharing and brand name protection. These benefits are elucidated as follows. 5.1. More effective product authentication solution Table 3 compares the current product authentication mechanism adopted by the IT solution provider with the MESS. The IT solution provider reported improvements in product authentication effectiveness and utilization of resources after piloting the proposed system. Previously, it had to handle many calls from customers to check the authenticity of products, an extremely labor intensive activity. Furthermore, the company had to change the product’s print labels at least twice a year because counterfeiters can imitate the labels of genuine products in due course. This makes the use of label-print technology expensive as a product authentication approach. With the adoption of the MESS, customers can authenticate the products themselves. The high degree of data security assures integrity of the data in the tag and prevents cloning of tags. Several trials had been conducted to measure the improvement in verifying the authenticity of a product after adoption of MESS. Table 4 compares the trial results of the current operation (i.e. label-print technology) with those of the proposed solution (MESS). The total time of the entire process was reduced by at least 87% which was achieved by drastically simplifying the product authentication process from 7 steps to 2 steps. Without the MESS, customers often need to wait for more than 2 min to get someone to answer the call because several calls may be waiting for their turns to be serviced at any one time. As a result, availability of the customer service hotline suffered. With the use of MESS, the entire authentication process is handled over wireless networks or GPRS. The high speed broadband communication enables customers to authenticate RFID-tagged products anytime, anywhere, in real time.
Table 3 Comparison between the current product authentication mechanism and MESS. Current product authentication mechanism
MESS
Principle
Each product depends on the high-print technology to create a barrier to imitation
Identification Verification Imitation
Experts and machines are required to examine the print labels Customers are difficult to verify the product’s authenticity Labels can be duplicated by counterfeiters
Value-added Functions
Not available
Each product can be identified with a unique EPC code, enabling customers to verify the item’s authenticity over the Internet No human-readable label is required for identification It is easy for customers to ascertain the product’s authenticity Imitation is close to impossible because the chance of successful decryption of the EPC is one to hundred billions The life-cycle transactions of products can be made visible to supply chain participants to support decision making and strategic planning
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
633
Table 4 Estimated time of product authentication process between (a) the current product authentication technology and (b) the proposed solution (MESS). (a) Current product authentication technology
1st trial (min)
2nd trial (min)
3rd trial (min)
Customer side Step 1 Step 2 Step 3
Read the high-print label Call customer service hotline for assistance Wait for response to the call
1.38 1.00 3.50
2.33 1.00 2.33
1.33 1.00 3.50
Company side Step 1 Step 2 Step 3 Step 4
Receive the call Input the product details into the system Wait for the system to retrieve information Interpret the retrieved information and inform the caller accordingly
0.50 1.40 1.84 1.12
0.66 1.66 1.74 1.44
0.48 1.33 1.62 1.51
Total time (min)
10.74
11.16
10.77
(b) MESS
1st time (min)
2nd time (min)
3rd time (min)
Customer side Step 1 Company side Step 1
Scan RFID-tagged product by mobile device
0.33
0.45
0.24
Retrieve information from the system and display it on the customer’s mobile device
1.00
1.00
1.00
Total time (min) Time reduction (%)
1.33
1.45
1.24
87.61%
87.01%
88.49%
Remarks: This table only demonstrates a proof of concept of adopting the MESS. The performance results summarized will vary with the volume of service requests. Once there is a volume of service requested, further optimization model will be studied and investigated.
In general, the proposed solution will utilize resources more efficiently in supply chain participants’ communication, track and trace services, product authentication, as well as product lifecycle visualization. Furthermore, the product information visualization capability of MESS makes the system so easy to use that users can start to use it to authenticate products within minimal training. 5.2. Uninterrupted and secure tracking network The tracking capability of MESS provides customers with a means to ascertain the authenticity of an RFID-tagged product by simply scanning it under a reader. With the common broadband connectivity to the Internet, the tracking network has no geographic limitation for ‘uninterrupted object tracking’. As a result, users can gain access to the network anytime, anywhere for real-time product authentication. 5.3. Enhanced communication and information sharing The self-developed EPC network supports more effective communication amongst the supply chain participants, enabling visualization of hidden supply chain information. Through the adoption of RFID technology and the EPC standard, companies can view the life-cycle transactions of products on a user-friendly interface. All such information is stored in the centralized databases, closing the decision making gaps between supply chain participants. 5.4. Enhanced public safety Product recalls and product counterfeiting are public safety issues. With improved visibility of supply chain information, companies can respond to public safety incidents more promptly and efficiently in identifying the products that need to be recalled and tracking the counterfeits. Take the pharmaceutical industry as an example, drug counterfeiting and drug recalls are serious public health problems in recent years. The proposed system effectively tracks products throughout the global supply networks, sharing product data for detection of counterfeited drugs in the supply chain.
5.5. Brand name protection With the exception of the counterfeiters, all stakeholders in the supply chain win by implementing the proposed system. Through deployment of the RFID intelligent engine, manufacturers and retailers are protected against fake, thereby enhancing their corporate image and customers’ confidence in the products they supply. In addition, the self-developed EPC network provides the supply chain participants with a standard for communication and information sharing to facilitate decision making and planning. In summary, the proposed system offers an effective solution to address the product authentication and anti-counterfeiting issues. Results of the case study validate feasibility of adopting the proposed approach. The highly effective detection of fakes will deter counterfeiting to a significant extent. 6. Conclusion Counterfeit prevention is a complicated and important issue, as well as a major challenge to enterprises. The proposed system, employing mobile devices with RFID technology and EPC standard, provides an efficient and effective approach to self-validated product authentication. As of late, studies on integrating these technologies to combat counterfeiting are rare. In addition, this research provides a feasible solution to both system structure and implementation roadmap. The issues of standardization and security between tag-and-reader are also considered. Furthermore, the generic infrastructure of MESS offers flexibility in deterring product counterfeiting and protecting RFID data. When compared with the current product authentication technologies, MESS provides customers with a more effective and ease-touse approach to verifying an item’s authenticity via an Internetenabled mobile device. With such feature, users can track and trace the product anywhere and anytime in a timely manner. It should be noted that the system is not limited to depicting product supply chain information to authorized parties; it can also integrate such information with other applications to support decision making and communication. While findings of the case study indicate that encouraging results can be achieved after implementation of the proposed system, a number of hurdles and challenges are yet to be
634
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
addressed. For example, the readability of RFID tags is greatly affected by the environment and the reader’s orientation. Thus, identification and resolution of roadblocks to RFID adoption would be an interesting topic for future research. Acknowledgements The authors would like to express their sincere thanks to the Research Committee of The Hong Kong Polytechnic University for financial support of the research work (Project Code: G-YE31) and The Counterfake International Limited for providing the RFID hardware needed in the proof of concept study. References [1] P. Lei, F. Claret-Tournier, C. Chatwin, R. Young, A secure mobile track and trace system for anti-counterfeiting, in: Proceedings of the 2005 IEEE International Conference on e-Technology, e-Commerce and e-Service, Hong Kong, March 29– April 1, (2005), pp. 686–689. [2] ICC Counterfeiting Intelligence Bureau, ICC Handbook, ICC Commercial Crime Services, 2005. [3] D. Hopkins, L.T. Kontnik, M.T. Turnage, Counterfeiting Exposed: Protecting your Brand and Customers, Wiley, Hoboken, NJ, 2003. [4] S. Bastia, Next generation technologies to combat counterfeiting of electronic components, IEEE Transactions on Components and Packaging Technologies 25 (1) (2002) 175–176. [5] International Chamber of Commerce Commercial Crime Services, International Guide to IP Rights Enforcement First Edition 2006, International Chamber of Commerce Counterfeiting Intelligence Bureau, 2006. [6] ICC Counterfeiting Intelligence Bureau, The International Anti-counterfeiting Directory, ICC Commercial Crime Services, 2008. [7] T. Staake, F. Thiesse, E. Fleisch, Extending the EPC network—the potential of RFID in anti-counterfeiting, in: Proceedings of the ACM Symposium on Applied Computing, Santa Fe, New Mexico, 2005. [8] ICC Counterfeiting Intelligence Bureau, Anti-Counterfeiting Technology Guide, ICC Commercial Crime Services, 2005. [9] United States Food and Drug Administration, COMBATING COUNTERFEIT DRUGS—A Report of the Food and Drug Administration, U.S. Food and Drug Administration, Rockville, MD, 2004. [10] S.K. Kwok, A.H.C. Tsang, J.S.L. Ting, W.B. Lee, B.C.F. Cheung, An intelligent RFID-based electronic anti-counterfeit system (InRECS) for the manufacturing industry, in: Proceedings of the 17th International Federation of Automatic Control (IFAC) World Congress 2008, Seoul, Korea, July 6–11, (2008), pp. 5482–5487. [11] J. Kim, H. Kim, A wireless service for product authentication in mobile RFID environment, in: Proceedings of the 1st International Symposium on Wireless Pervasive Computing, Phuket, Thailand, January 16–18, (2006), p. 5. [12] Reconnaissance International, Pharmaceutical counterfeiting: fears into facts, Authentication News 8 (7) (2002) 1. [13] FDA (Food and Drug Administration) U.S., Counterfeit Drug Task Force Interim Report, 2003. [14] U.S. Department of Health and Human Services, Combating Counterfeit Drugs, Food and Administration, 2004. [15] Imitating property is theft, The Economist (May) (2003) 52–54. [16] M. Lehtonen, T. Staake, F. Michahelles, E. Fleisch, From identification to authentication—a review of RFID product authentication techniques, in: Proceedings of the Workshop on RFID Security—RFIDSec 06, July, 2006. [17] A. Juels, RFID security and privacy: a research survey, Journal of Selected Areas in Communication (J-SAC) 24 (2) (2006) 381–395. [18] R. Koh, E. Schuster, I. Chackrabarti, A. Bellman, Securing the pharmaceutical supply chain, in: White Paper, Auto-ID Labs, Massachusetts Institute of Technology, 2003. [19] A. Juels, R. Pappu, Squealing Euros: privacy protection in RFID-enabled banknotes, in: Proceedings of Financial Cryptography–FC’’03, Le Gosier, Guadeloupe, French, West Indies, (2003), pp. 103–121. [20] S. Weis, S. Sarma, R. Rivest, D. Engels, Security and privacy aspects of low-cost radio frequency identification systems, in: Proceedings of the International Conference on Security in Pervasive Computing—SPC 2003, Berlin/Heidelberg/ New York, (2003), pp. 454–469. [21] D. Henrici, P. Mu¨ller, Hash-based enhancement of location privacy for radiofrequency identification devices using varying identifiers, in: Proceedings of the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops (PERCOMW’04), March 14–17, (2004), pp. 149–153. [22] D.N. Duc, J. Park, H. Lee, K. Kim, Enhancing security of EPCglobal Gen-2 RFID tag against traceability and cloning, in: Proceedings of the 2006 Symposium on Cryptography and Information Security, Hiroshima, Japan, January 17–20, 2006. [23] K.H.M. Wong, P.C.L. Hui, A.C.K. Chan, Cryptography and authentication on RFID passive tags for apparel products, Computers in Industry 57 (4) (2006) 342–349. [24] L.T. Mirowski, Detecting clone radio frequency identification tags, Bachelor’s Thesis, School of Computing, University of Tasmania, November, 2006.
[25] Z. Nochta, T. Staake, E. Fleisch, Product specific security features based on RFID technology, in: Proceedings of the International Symposium on Applications and the Internet Workshops (SAINTW’’06), January 23–27, (2006), pp. 72–75. [26] H. Bhatt, B. Glover, RFID Essentials, 1st ed., O’Reilly, Sebastopol, CA, 2006. [27] S. Lahiri, RFID Sourcebook, Pearson plc, Upper Saddle River, NJ, 2006. [28] EPCglobal, Inc., RFID Implementation Cookbook, 2006 Available at: http:// www.epcglobalinc.org/what/cookbook. [29] G. Elliott, N. Phillips, Mobile Commerce and Wireless Computing Systems, Pearson/Addison Wesley, Harlow, 2004. [30] C. Cid, Recent developments in cryptographic hash functions: security implications and future directions, Information Security Technical Report 11 (2) (2006) 100–107. [31] J. Holmstro¨m, R. Kajosaari, K. Fra¨mling, E. Langius, Roadmap to tracking based business and intelligent products, Computers in Industry 60 (3) (2009) 229–233. [32] K.Y. Jeon, S.H. Cho, A RFID EPC C1 Gen2 system with channel coding capability in AWGN noise environments, IEICE Transactions on Communications E92-B (2) (2009) 608–611. [33] H.Y. Chien, C.H. Chen, Mutual authentication protocol for RFID conforming to EPC Class 1 Generation 2 standards, Computer Standards and Interfaces 29 (2) (2007) 254–259. [34] E.W.T. Ngai, K.K.L. Moon, F.J. Riggins, C.Y. Yi, RFID research: an academic literature review (1995–2005) and future research directions, International Journal of Production Economics 112 (2) (2008) 510–520. [35] P. King, Hex Is Not the Standard, 2009 available at: http://www.rfidjournal.com/ article/print/4912. [36] R. Weinstein, RFID: a technical overview and its application to the enterprise, IT Professional 7 (3) (2005) 27–33. [37] M.C. O’Connor, Gen 2 EPC Protocol Approved as ISO 18000-6C, 2006 Available at: http://www.rfidjournal.com/article/articleview/2481/1/1/. [38] E.Y. Choi, D.H. Lee, J.I. Lim, Anti-cloning protocol suitable to EPCglobal Class-1 Generation-2 RFID systems, Computer Standards and Interfaces 31 (6) (2009) 1124–1130. [39] D.N. Due, J. Park, H. Lee, K. Kim, Enhancing security of EPCglobal GEN-2 RFID tag against traceability and cloning, in: Proceedings of the 2006 Symposium on Cryptography and Information Security, 2006. [40] EPCglobal, Inc., EPCglobal Standards Overview, 2009 Available at: http:// www.epcglobalinc.org/standards. S.K. Kwok is a lecturer in the department of industrial and systems engineering of The Hong Kong Polytechnic University. His research areas are in artificial intelligence, industrial and systems engineering, information and communication technologies (ICT), logistics enabling technologies and mobile commerce. He participates in several industry-based research projects, which include web-enabled collaborative working platform development, customer relationship management, mobile devices application in vendor management inventory, RF-tag order tracking system, etc. For all the mentioned projects, latest ICT are applied to streamline information flow and enhance the knowledge management (KM) among modern business units. The research outcomes are presented in several international conferences and published in various international journals. Jacky S.L. Ting is a PhD candidate at the department of industrial and systems engineering of The Hong Kong Polytechnic University. He received his BSc degree in enterprise engineering and e-business at the same university. His research interests include knowledge engineering, computer modeling of medical knowledge, medical informatics and decision support systems.
Albert H.C. Tsang is principal lecturer in the department of industrial and systems engineering at The Hong Kong Polytechnic University. He provided consultancy and advisory services to enterprises and industry support organizations in manufacturing, logistics, public utilities, healthcare and government sectors on matters related to quality, reliability, maintenance, performance management and assessment of performance excellence, and engineering asset management—these are also areas of his research interest. He is the author of ‘WeibullSoft’, a computer-aided selflearning package on Weibull analysis. Apart from publishing papers in various international refereed journals, he is also the author/co-author of three books on various aspects of engineering asset management, and two books on industrial applications of RFID.
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635 W.B. Lee is the chair professor of the department of industrial and systems engineering of The Hong Kong Polytechnic University and the director of The Hong Kong Polytechnic University Microsoft Enterprise Systems Centre (MESC). He is also the president of the Hong Kong Advancement of the Association of Science and Technology, and the past chairman of the Institution of Electrical Engineers, Hong Kong. His research interests include manufacturing science, dispersed network manufacturing systems, knowledge management and logistics engineering.
635
Benny C.F. Cheung is an associate professor and an associate director in the Advanced Optics Manufacturing Centre (AOMC) and Knowledge Management Research Centre (KMRC) in the department of industrial and systems engineering at The Hong Kong Polytechnic University. His research work emphases on industrial applications and applied research. His research interests include precision engineering, knowledge and technology management, artificial intelligence, and logistics systems. He has authored and co-authored five research books, five book chapters and more than 200 research papers in various refereed journals and international conferences in which more than 120 of them were refereed journal papers.
Contents lists available at ScienceDirect
Computers in Industry journal homepage: www.elsevier.com/locate/compind
Design and development of a mobile EPC-RFID-based self-validation system (MESS) for product authentication S.K. Kwok *, Jacky S.L. Ting, Albert H.C. Tsang, W.B. Lee, Benny C.F. Cheung Department of Industrial and Systems Engineering, The Hong Kong Polytechnic University, Hung Hom, Hong Kong, Hong Kong, China
A R T I C L E I N F O
A B S T R A C T
Article history: Received 12 August 2008 Received in revised form 18 January 2010 Accepted 1 February 2010 Available online 2 March 2010
The increase in the number of counterfeits penetrating into the open market has created the need for a product authentication approach in tracing and tracking the product anytime, anywhere. Owing to the vague concepts frequently represented in flow of products, this paper presents a self-valuation and visualization system by integrating the RFID technology and EPC concept to protect products from counterfeiting by the means of mobile platform. In this paper, a system architecture is proposed which is capable of integrating mobile technology and EPC-RFID applications. The implementation roadmap of such system architecture is examined and explained in the context of a case study. The aims of the system are to provide greater visibility of the product logistic flow data and to improve the anticounterfeit process, from traditional physical identification to self-validated location-based authentication. The case study illustrates the capability, benefits and advantages of using the proposed system, particularly its support of product authentication and supply chain activities in countering the global counterfeit problems. ß 2010 Elsevier B.V. All rights reserved.
Keywords: Anti-counterfeit system Counterfeiting Electronic product code (EPC) Product authentication Radio frequency identification (RFID)
1. Introduction Counterfeiting has grown substantially over the past years to become the greatest threat to today’s global market [1–4]. International Chamber of Commerce Commercial Crime Services [5] estimated that around 5% of all worldwide trade in 2006 was in counterfeit goods, with the counterfeit market being worth US$250 each year. It is a global phenomenon affecting a wide range of products, spreading at an alarming rate to electrical equipment, cigarettes, and even medicines [6]. The boom in counterfeiting has triggered a dramatic increase in the number of anti-counterfeit and product authentication technologies (such as hologram, security printing, security labels, and biometrics) in the market [8]. However, there are doubts about the ease of selfvalidation that these technologies can provide in product authentication. Since their verification principle relies on optical detection and identification of the security features (i.e. they require human experts or machines to determine whether a given product is genuine or counterfeit), it is a formidable challenge to customers in determining the product’s authenticity themselves. As a result, a self-validated product authentication solution is much needed as far as the customers are concerned.
* Corresponding author. Tel.: +852 2766 6578; fax: +852 2774 9038. E-mail address: [email protected] (S.K. Kwok). 0166-3615/$ – see front matter ß 2010 Elsevier B.V. All rights reserved. doi:10.1016/j.compind.2010.02.001
This paper explores the feasibility and practicality of shifting the focus of product identification from traditional humanreadable or kiosk-based solutions to customer self-authentication. With the popularity of mobile devices (e.g. smart phone), the basic principle of the proposed approach is to demonstrate to the users the full logistic track record of specific products for identifying anomalies under the ubiquitous communication environment with automatic product identification technologies. The tracking and automated identification are based on the use of radio frequency identification (RFID) technology [31]. RFID has emerged as a promising vehicle to combat counterfeiting by its characteristics of automatic verification of product authenticity, non-static nature of security features, and cryptographic resistance against cloning [9]. With several standards have been developed for RFID, electronic product code (EPC) standard [7] (which is developed by Auto ID and sponsored by MIT and EPCglobal) has better compatibility and more recognized in the market. With this standard, real-time RFID-related data can be shared over the Internet [10]. Each RFID-tagged item can be tracked and traced via the complete descriptive information shared under the umbrella of EPCglobal [1,3,7,9]. Thus, the concept of supply chain visualization can be achieved. A number of EPCRFID-based systems have been reported in the literatures [7,32,33], but most of them are standalone kiosk-based solutions. In contrast, with mobile technology that has become part of our daily life, integration of mobile devices and EPC-RFID-based system can provide a more user-friendly self-validated product
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
authentication solution. As such integration is still in an early stage of development, more attention should be paid to discuss the issues posed by developing and deploying such systems. The purpose of this paper is to present the architectural design of a mobile EPC-RFID-based self-validation system (MESS) to enhance the product authentication measure by visualizing product transactions in a supply chain, enhancing the track and trace capability in determining the product’s authenticity, and heightening the security level and self-validated product authentication process compared with the common anti-counterfeit technologies. A case study will also be presented to illustrate the feasibility and procedures of implementing the proposed system in an IT solution provider. 2. Counterfeiting and current product authentication technologies Counterfeiting is an unauthorized copying or application of a trademark on items that do not originate from or with the approval of the brand owner [2,3]. It is a knowing duplication with the purposes of deceiving and defrauding [1]. Numerous researchers indicate that the phenomenon of counterfeiting is not new; but what has changed about counterfeiting today is that the scope and scale of the problem are growing at a rate previously unknown and little recognized by those most affected [11]. The entire society loses billions of dollars every year to counterfeiters. The World Bank’s Global Economic Prospects report for 2002 concluded that there were ‘‘reasons to believe that enforcement of intellectual property rights has a positive net impact on economic growth prospects’’ [3]. Counterfeit goods cause companies to suffer direct loss in sales when they have to compete directly with counterfeiters. Government and manufacturers spend huge amounts of money in combating counterfeiting. Since many counterfeit goods, especially those in the health and safety categories, are of inferior quality, such products had been the cause of a number of major public health and safety incidents [12–14]. The World Health Organization estimated that 5–7% of pharmaceutical products worldwide are counterfeit goods which comprise few active ingredients and lots of contaminants [15]. Thus, counterfeiting is a global problem that produces financial losses as well as public health and safety threats. A range of product authentication tools are available to allow the company to protect its brand and its customers, enforce its rights and protect its distribution channels. The technological solutions [8] that enable companies to authenticate and track their products within the supply chain can be categorized into 2 groups, as presented in Table 1. Lehtonen et al. [16] claim that the optimal product authentication system should have an appropriate level of security and allow customers to authenticate products by themselves. But in the current product authentication technologies, it is observed that even the overt technology can provide a self-verification of products, it is easily reproduced by counter-
625
Table 1 Characteristics of two product authentication technologies.
Visible to naked eye Require specialized equipment to conduct product authentication Possibility of replication by others Cost Durability
Overt
Covert
Yes No
No Yes
Easy Cheap Short
Hard Expensive Long
feiters. Whereas the covert technology can present a high security level, specialized reading devices are required (i.e. not customeroriented). In order to encounter the above limitations, numerous researchers are recently promoting to introduce RFID technology (i.e. a kind of covert technology) to combat counterfeiting. Apart from the user-friendliness, RFID can support location-based authentication for detecting fraudulent transactions, providing better communication within the supply chain. Generally, RFID is emerging as a technology that is utilized for contactless automatic identification of products in different logistics contexts [26,27]. Compared with other product authentication technology, it offers extended data capacity and employs a numbering scheme called EPC, which serves as a global standard to provide a unique ID for any item in the world [1,28]. EPC is a license-plate type of identifier that enables near-real-time tracking information on a product within its supply chain [28]. Although there are other forms of identifiers like universal product code (UPC) and bar code, EPC allows item-level tracking by storing not just information on the manufacturer and product type, but also a unique serial number of the item [26]. This unique identification feature makes RFID feasible in product authentication and even anti-counterfeiting. Table 2 reviews the current RFID-based and EPC-RFID-based product authentication technologies. So far, most product authentication systems are done under the manufacturers’ perspectives, for example, Kwok et al. [10] has proposed InRECS to deliver accurate and global supply chain visibility with intelligent feedback into inventory and materials transfer process for manufacturers. Therefore, this paper attempts to concentrate on designing an approach on the basis of customers’ aspects. 3. Infrastructure of mobile EPC-RFID-based self-validation system (MESS) The architecture of the mobile EPC-RFID-based self-validation system (MESS) is illustrated in Fig. 1. It consists of three tiers: presentation tier, application tier, and information services tier. The 3-tier structure is designed to separate the major functions of mobile product authentication applications into logical sections for handling displays, processing logic, and data services. Displays are managed by the presentation tier, processing logic by the application tier, and data services by the information services tier.
Table 2 Current RFID adoption in product authentication. Purpose
Description
Unique identification
1. 2. 1. 2. 3. 4. 5. 1. 2. 3. 1.
Cryptographic tag authentication
Location-based authentication
Product specific features
Write and catalog a unique serial number on each item [17] Keep a secure list of valid product ID numbers in a secure server [18] Apply re-encryption to prevent static identifiers and optical data of the banknotes [19] Propose a hash-lock approach to lock the tag without storing access key [20] Extend the randomized version of Weis et al.’ hash-lock scheme [21] Employ Gen 2 compliant cryptographic features to encrypt the security level of tag-to-reader communication [22] Utilize lightweight cryptography and Jigsaw encoding to encrypt the EPC code [23] Introduce a secure authentication through the database-reader-tag environment [7] Detect some of the cloned tags by searching for deviations from expected behavior [24] Detect irregularities by comparing the actual and pre-defined product flow [10] Combine the TID number and product specific features of the item to form a digital signature [25]
626
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
Fig. 1. System architecture of MESS.
3.1. Presentation tier The presentation tier has to be discussed first because the system needs to respond to users’ instructions and queries. There are five types of users – suppliers, manufacturers, distributors, retailers and customers – all of which employ RFID reader embedded mobile devices, like mobile phones or personal digit assistant (PDA), to track and trace information on product identification and transactions in the entire supply chain or in the product life-cycle. In other words, when a client queries the RFID-tagged product within the read range of a mobile RFID device, data (i.e. product information) are captured remotely from tags to the RFID reader (see Fig. 2). Fig. 2A shows the data communication through wireless network, while Fig. 2B illustrates the communication through general packet radio service (GPRS). Once the query has been entered, the authentication logic and algorithm will be
processed in the application tier so that the captured data can be sent to and displayed on the client’s mobile device [29]. 3.2. Application tier The application tier, which consists of an RFID intelligent module – product authentication system (PAS) – offers a standard format of product information and visualizing model for the entire life-cycle of the product. It can create and coordinate many sets of diversified data (i.e. information on product movement) within the supply chain into a standardized and consistent body of useful information. This enables customers to track their goods’ origin and movements in the supply chain via wireless network and GPRS. A unique EPC tag is assigned to each individual product that is used to provide the product authentication capabilities of the
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
627
Fig. 2. A logical view of data communication through the Internet.
solution. Once the tagged product is transferred in the supply chain, particular information (such as received date and time) is recorded in the back-end database. Thus, customers can differentiate the genuineness of a product by instantly reading its RFID tag. Alerts are prompted to users when there are problems in the distribution channel like one of the supply chain participants is missing in the trail of transactions.
As shown in Fig. 3, the PAS has two levels and one cryptographic approach to protect the data stored in the RFID tag from malicious access: 1. Level one: EPC generating. 2. Level two: product authenticity check. 3. Cryptography: encryption and decryption.
Fig. 3. Product authentication system (PAS).
628
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
Fig. 4. The structure of a 96-bit Class 1Gen 2 RFID tag.
3.2.1. Level one: EPC generating This module is designed to provide a numbering system for unique identification of individual units of products. In this proposed work, RFID tag that features in EPCglobal Class-1 Generation-2 (which is called Class 1Gen 2 for short in this paper) specification is adopted. One of the reasons of such standard selection is due to its growing adoption in item-level identification in the globalized market [39]. Another reason is because of standardization issues. Owing to the diversity of different standards, recent researches focus on the interchange ability [34,35] and compatibility [36] (especially in two leading standards—ISO and EPC) to encourage the interoperability of product identification for the growing RFID market. In 2006, Class 1Gen 2 has been approved as ISO 18000, being a part of ISO/IEC 18000-6 standard [37]. RFID tags and readers compliant to such standard will be compatible across companies and geographies. Such tag can store various attributes of an item, such as its manufacturer, product type, and unique serial number. In particular, 96-bit EPC tags are the most commonly used in industry because their data capacity is sufficient for most applications. About 80,000 trillion unique numbers can be generated, so about 268 million companies can register with the EPC, with each company has up to 68 billion unique serial numbers for each product [27]. A data structure of 96-bit Class 1Gen 2 is show in Fig. 4, in which it consists of four basic data elements: a header, an EPC manager, an object class, and a serial number. Each element represents particular information of the product, like the EPC manager means the identification code of the company and the object class implies the type code of the product. Thus, by registering information into these elements, each product can have their own unique identification number. Once the manufacturer assigns and generates an EPC to a product item, the entire logistics network traversed by the product can be visualized by recording all the transactions in each supply chain party. The first three data elements are registered according
to the companies’ requirement whereas the last element (i.e. serial number) is automatically generated by a program installed in the RFID intelligent module and stored in the system database. To protect the tag from malicious access, a hybrid cryptographic approach, which will be further discussed later section, is used to encrypt the tag information. After the encrypted RFID tag (eRFID tag) has been generated, the manufacturer will print out the standard format eRFID tags to be attached to the products. Thus, only authenticated readers can access the contents of tags. 3.2.2. Level two: product authenticity check To perform the product authenticity check function, the eRFID tag is decrypted and the stored EPC data is normalized according to a standard format for globalized querying (Fig. 5). Normalization is the process of maintaining the same RFID data format regarding the Class 1Gen 2 standard on the scanned eRFID tags. It involves two components: EPC middleware and EPC information services (EPCIS). Given the wide range of readers, each with a different interface and communication protocol, are available in the market around the world, interoperability of systems are difficult to achieve. It is possible that an enterprise may use several types of readers from one or more vendors. In other words, different data structure will be generated according to particular reader style. Thus, to function in a multi-vendor environment, EPC middleware is used to filter and transform the scanned eRFID data into conformable one. On completion of the data normalization process, the EPC middleware will move on to the EPCIS to associate the EPC data with business events and the related information. Business event data relate to dynamic tracking information of the product when the RFID-tagged product moves through a supply chain. Once the tagged product arrives at a supply chain party, its EPC information will be captured and registered into the company’s local database (i.e. EPCIS). This allows the aggregation of data collected from
Fig. 5. Logic flow of the normalization approach.
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
629
Fig. 6. Example of abnormal flow in supply chain.
reader events for translation into information meaningful to applications. In other words, the EPCIS defines a common interface model for standardizing the EPC-related data in physical markup language (PML) format, which is a standard technology based on extensible markup language (XML), for further application and display on a web-based platform. Through this product authenticity checking process, customers can obtain the EPC of a scanned product by querying the remotely distributed EPCIS. The EPCIS embeds the specified information about the tagged product. In addition, the product details and location record such as when and where the item was produced, when and where the item arrived at the distribution point, etc., can be retrieved. When equipped with such data normalization capability, any type of RFID device (i.e. reader and middleware) can be used to display on a real-time basis, the product information and the route through which the item had moved. This way, customers can be alerted instantly when anomalies are detected in the flow of the item’s supply chain, like missing one of the supply chain participants—this could be a clue that the item is a fake (see Fig. 6).
bit cyclical redundancy code (CRC) to form a ‘key’ and then write into the PIN value of RFID tag. Since the PIN lengths are in 32-bit long, attackers are difficult to resolve it as there are 232 (i.e. 4294967296) combinations. A set of information (i.e. the pseudoEPC and the ‘key’ or hash value) is received when users interrogate the RFID-tagged product by an RFID device. For decrypting the pseudoEPC, an authorized device is required to generate another ‘key’ for unlocking the hash value. If it succeeds in unlocking the hash value (i.e. the received hash value matches with the newly generated hash value), the tag information is said to be trusted (i.e. the information has not been altered nor inadvertently changed). These locking and unlocking processes ensure the integrity of the product information as well as the location record. With this design, supply chain parties will be alerted to which indicates that the tagged item is a counterfeit when they cannot unlock the hash value. Thus, all parties in the supply chain can determine the authenticity of the received product and detect any unauthorized party.
3.2.3. Cryptography: encryption and decryption Although Class 1Gen 2 RFID tag is common to use in item-level product authentication and trace-and-track, it is limited in its data protection [19,33,38,39]. As stated by Jeon and Cho [32], Class 1Gen 2 RFID tag lacks the data protection of tags, and has few mechanisms to manage the message interception over the air channel and the eavesdropping within the interrogation zone of the RFID reader. Thus, to cope with the security threats, a hybrid approach to cryptography and authentication was adopted to protect the information stored in the Class 1Gen 2 tags. As shown in Fig. 7, the EPC is first encrypted by the Jigsaw encoding scheme [23], transforming the 96-bit EPC into a pseudoEPC that is difficult to decrypt. The key idea of using this scheme to encrypt the EPC is because the Jigsaw encoding scheme will not change the standard of RFID readers and tags, keeping the RFID tag in the current ISO/EPC standardization. Then, a hash function [30] is used to lock the pseudoEPC for the purpose of integrity verification of the EPC, helping the user to detect whether the tag is cloned by attackers or not. The hash value employs a 32-
The information services tier contains the system databases that maintain all the information of the MESS. Each record in the database represents a registered product with its EPC and product details like product name, product description, country of origin (COO), expiry date, etc. Therefore, customers can easily retrieve the product information of tagged items by employing mobile RFID devices, and then match the information with the physical product to prevent a fake purchase. However, this only ensures the integrity of product information, but not the integrity of the item’s life-cycle information. A self-developed EPC network is embedded in the system database so as to check both types of integrity. Since the EPC standard is still in an early adoption stage and not many companies currently employ it, a self-developed network, which is based on the specification of EPCglobal Network [40], is used as a secure platform for recording the movement of the product within the supply chain. Once the EPC standard is widely used, the proposed system can be plugged into the EPCglobal. The self-developed EPC network provides a framework for data exchange between parties in the supply chain. All the track and
3.3. Information services tier
630
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
Fig. 7. A hybrid approach to cryptography and authentication in tag protection.
trace information – the location and time when the product moved from one supply chain participant to another – are stored in the system database. Once the product is produced, the manufacturer will generate a 96-bit EPC and register it along with the genuine product information in the database. As the product goes to another participant, say ABC Company, the EPC is registered in ABC’s local EPCIS and then ABC Company will query the object naming service (ONS) to request access to the item’s EPC data. At the same time, the location and event information of this transaction will be registered in the ONS to ensure continued
updating of information in the product life-cycle. This data registration and updating process will repeat itself until the product is purchased by customers. The architecture of the self-developed EPC network is depicted in Fig. 8. As shown in the figure, requesting product information is a roll-up process, which transforms the raw tag data into meaningful and machine readable EPC data. The ONS serves like the domain name system (DNS) in the Internet world, it returns the location of EPCIS where the product details can be found. To shorten the response time, each request will query the local ONS server first.
Fig. 8. Architecture of the self-developed EPC network.
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
631
Fig. 9. Implementation phases in developing the MESS.
When the requested information is not available there, the query will be forwarded to the root ONS server for further resolution. This design enables real-time response to queries. 4. A case study on implementation of the proposed system The proposed system was implemented in an IT solution provider in Hong Kong to assess feasibility of the proposed approach. The solution provider is The Counterfake International Limited. It specializes in developing solutions that integrate different technologies, such as RFID, interactive voice response system (IVRS), short message system (SMS), and web portal, to address the counterfeit issue. In May 2005, the company in collaboration with The Hong Kong Polytechnic University launched a 2-year project on development of an RFID-enabled counterfeit protection prototype with the financial support of a government funding scheme. It aims at exploring the possibility of using RFID technology to fight against the growing number of counterfeits. The system was developed in several phases as shown in Fig. 9. The significance and issues to be addressed in each phase are explained as follows. 4.1. Phase 1: system accessories selection In this case study, passive Class 1Gen 2 RFID tag and RFID reader embedded PDA were used to develop a mobile RFID environment.
In addition, a computer was employed to function as the system server that allows high speed access and provides large storage capacity so that it can deal with many accesses and manipulate the huge database at the same time. Preferably, basic network services for Internet access (e.g. wireless LAN facilities) should also be implemented to allow end-users to access the system remotely. An RFID Label Printer was used to print the EPC tag of each product. Apart from hardware items, it was also necessary to select software packages for implementation of the proposed system. These include a database management system (DBMS) for data manipulation, and a .NET framework from Microsoft for development of application programs. 4.2. Phase 2: content selection Obviously, users expect to retrieve a lot of information from the system for users for browsing. To support product authentication, the contents maintained in the system were determined by answering questions such as (a) How can the product information be presented effectively? (b) What type of product information is useful to users? (c) Are there privacy issues to be addressed? To present the product information clearly, aesthetic appearance and navigational methods are the salient considerations in content selection (Fig. 10). By following the proven guidelines in user interface design, each page displayed by the system should
Fig. 10. User interface of MESS.
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
632
have a consistent look-and-feel, and the areas for system navigation are tailor-made for different types of display device. 4.3. Phase 3: security selection Security is an important issue in the proposed product authentication system. In MESS, the information retrieved from the RFID tag demonstrates a crucial event in detecting the counterfeit. Although the s RFID system is more secure than other product authentication technologies, a weakness of EPC tags as devices in a security system us that they are vulnerable to cloning attacks as well as password disclosure and information leakage [38]. Concerning information must be securely exchanged among the authorized supply chain parties, data encryption and protection is important to support the EPC-RFID-based anticounterfeit mechanism (i.e. presenting the product movement to the users). The security measures selected for protecting the tag information requires heavily on the expertise of system developers. They need to consider various technologies that can provide a secure and sound platform for users to interact with the system, taking into account their constraints and likely enhancements of these technologies. 4.4. Phase 4: data integration Before distributing its products, the manufacturer has to provide the MESS with clean and detailed information on these products. At the same time, a structured and unique identification code is generated for each piece of product tracked by the selfdeveloped EPC network. Typically, the manufacturer provides a data warehouse to store the product information, and another data warehouse to keep records of product movements in the supply chain for visualization of the logistics network. Availability of information on authenticated products and their life-cycle transactions are essential to provide a sound and secure platform for protect against counterfeiting, real-time tracking of products necessitates data synchronization between databases. With the advent of EPC, records in multiple databases can link with each other by the key field (i.e. EPC) in order to perform data exchange in high-volume batch updates and in executing real-time incremental changes. 4.5. Phase 5: system establishment and piloting improvement In the final phase, the system was field-tested in an operational environment at dispersed sites of multiple supply chain participants. Prior to this pilot run, the application programs had to be designed to meet all the actual situations. Meeting and working with the system users ensured that the application programs were customized to suite operational requirements. Continuous feedback and progress meetings were the foundations for system
refinement. Bugs detected during the evaluation period were fixed by the project team to enable the release of ‘error-free’ application programs. With these user feedbacks, the project team can understand the user requirements more thoroughly, enabling them to develop application programs that are more user-friendly. Obviously, this phase involved a lot of analytical and programming efforts (for refining the system) so as to develop a successful system for counterfeit prevention. 5. Performance evaluation The case study reported in this paper sheds light on the effectiveness of using an RFID-enabled infrastructure as a counter measure to combat the global counterfeiting problem. Results of the field trials indicate that MESS out-performs the current product authentication techniques in counterfeit prevention. Apart from self-validated services, MESS also provides stakeholders with other benefits, such as higher level of public safety, better information sharing and brand name protection. These benefits are elucidated as follows. 5.1. More effective product authentication solution Table 3 compares the current product authentication mechanism adopted by the IT solution provider with the MESS. The IT solution provider reported improvements in product authentication effectiveness and utilization of resources after piloting the proposed system. Previously, it had to handle many calls from customers to check the authenticity of products, an extremely labor intensive activity. Furthermore, the company had to change the product’s print labels at least twice a year because counterfeiters can imitate the labels of genuine products in due course. This makes the use of label-print technology expensive as a product authentication approach. With the adoption of the MESS, customers can authenticate the products themselves. The high degree of data security assures integrity of the data in the tag and prevents cloning of tags. Several trials had been conducted to measure the improvement in verifying the authenticity of a product after adoption of MESS. Table 4 compares the trial results of the current operation (i.e. label-print technology) with those of the proposed solution (MESS). The total time of the entire process was reduced by at least 87% which was achieved by drastically simplifying the product authentication process from 7 steps to 2 steps. Without the MESS, customers often need to wait for more than 2 min to get someone to answer the call because several calls may be waiting for their turns to be serviced at any one time. As a result, availability of the customer service hotline suffered. With the use of MESS, the entire authentication process is handled over wireless networks or GPRS. The high speed broadband communication enables customers to authenticate RFID-tagged products anytime, anywhere, in real time.
Table 3 Comparison between the current product authentication mechanism and MESS. Current product authentication mechanism
MESS
Principle
Each product depends on the high-print technology to create a barrier to imitation
Identification Verification Imitation
Experts and machines are required to examine the print labels Customers are difficult to verify the product’s authenticity Labels can be duplicated by counterfeiters
Value-added Functions
Not available
Each product can be identified with a unique EPC code, enabling customers to verify the item’s authenticity over the Internet No human-readable label is required for identification It is easy for customers to ascertain the product’s authenticity Imitation is close to impossible because the chance of successful decryption of the EPC is one to hundred billions The life-cycle transactions of products can be made visible to supply chain participants to support decision making and strategic planning
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
633
Table 4 Estimated time of product authentication process between (a) the current product authentication technology and (b) the proposed solution (MESS). (a) Current product authentication technology
1st trial (min)
2nd trial (min)
3rd trial (min)
Customer side Step 1 Step 2 Step 3
Read the high-print label Call customer service hotline for assistance Wait for response to the call
1.38 1.00 3.50
2.33 1.00 2.33
1.33 1.00 3.50
Company side Step 1 Step 2 Step 3 Step 4
Receive the call Input the product details into the system Wait for the system to retrieve information Interpret the retrieved information and inform the caller accordingly
0.50 1.40 1.84 1.12
0.66 1.66 1.74 1.44
0.48 1.33 1.62 1.51
Total time (min)
10.74
11.16
10.77
(b) MESS
1st time (min)
2nd time (min)
3rd time (min)
Customer side Step 1 Company side Step 1
Scan RFID-tagged product by mobile device
0.33
0.45
0.24
Retrieve information from the system and display it on the customer’s mobile device
1.00
1.00
1.00
Total time (min) Time reduction (%)
1.33
1.45
1.24
87.61%
87.01%
88.49%
Remarks: This table only demonstrates a proof of concept of adopting the MESS. The performance results summarized will vary with the volume of service requests. Once there is a volume of service requested, further optimization model will be studied and investigated.
In general, the proposed solution will utilize resources more efficiently in supply chain participants’ communication, track and trace services, product authentication, as well as product lifecycle visualization. Furthermore, the product information visualization capability of MESS makes the system so easy to use that users can start to use it to authenticate products within minimal training. 5.2. Uninterrupted and secure tracking network The tracking capability of MESS provides customers with a means to ascertain the authenticity of an RFID-tagged product by simply scanning it under a reader. With the common broadband connectivity to the Internet, the tracking network has no geographic limitation for ‘uninterrupted object tracking’. As a result, users can gain access to the network anytime, anywhere for real-time product authentication. 5.3. Enhanced communication and information sharing The self-developed EPC network supports more effective communication amongst the supply chain participants, enabling visualization of hidden supply chain information. Through the adoption of RFID technology and the EPC standard, companies can view the life-cycle transactions of products on a user-friendly interface. All such information is stored in the centralized databases, closing the decision making gaps between supply chain participants. 5.4. Enhanced public safety Product recalls and product counterfeiting are public safety issues. With improved visibility of supply chain information, companies can respond to public safety incidents more promptly and efficiently in identifying the products that need to be recalled and tracking the counterfeits. Take the pharmaceutical industry as an example, drug counterfeiting and drug recalls are serious public health problems in recent years. The proposed system effectively tracks products throughout the global supply networks, sharing product data for detection of counterfeited drugs in the supply chain.
5.5. Brand name protection With the exception of the counterfeiters, all stakeholders in the supply chain win by implementing the proposed system. Through deployment of the RFID intelligent engine, manufacturers and retailers are protected against fake, thereby enhancing their corporate image and customers’ confidence in the products they supply. In addition, the self-developed EPC network provides the supply chain participants with a standard for communication and information sharing to facilitate decision making and planning. In summary, the proposed system offers an effective solution to address the product authentication and anti-counterfeiting issues. Results of the case study validate feasibility of adopting the proposed approach. The highly effective detection of fakes will deter counterfeiting to a significant extent. 6. Conclusion Counterfeit prevention is a complicated and important issue, as well as a major challenge to enterprises. The proposed system, employing mobile devices with RFID technology and EPC standard, provides an efficient and effective approach to self-validated product authentication. As of late, studies on integrating these technologies to combat counterfeiting are rare. In addition, this research provides a feasible solution to both system structure and implementation roadmap. The issues of standardization and security between tag-and-reader are also considered. Furthermore, the generic infrastructure of MESS offers flexibility in deterring product counterfeiting and protecting RFID data. When compared with the current product authentication technologies, MESS provides customers with a more effective and ease-touse approach to verifying an item’s authenticity via an Internetenabled mobile device. With such feature, users can track and trace the product anywhere and anytime in a timely manner. It should be noted that the system is not limited to depicting product supply chain information to authorized parties; it can also integrate such information with other applications to support decision making and communication. While findings of the case study indicate that encouraging results can be achieved after implementation of the proposed system, a number of hurdles and challenges are yet to be
634
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635
addressed. For example, the readability of RFID tags is greatly affected by the environment and the reader’s orientation. Thus, identification and resolution of roadblocks to RFID adoption would be an interesting topic for future research. Acknowledgements The authors would like to express their sincere thanks to the Research Committee of The Hong Kong Polytechnic University for financial support of the research work (Project Code: G-YE31) and The Counterfake International Limited for providing the RFID hardware needed in the proof of concept study. References [1] P. Lei, F. Claret-Tournier, C. Chatwin, R. Young, A secure mobile track and trace system for anti-counterfeiting, in: Proceedings of the 2005 IEEE International Conference on e-Technology, e-Commerce and e-Service, Hong Kong, March 29– April 1, (2005), pp. 686–689. [2] ICC Counterfeiting Intelligence Bureau, ICC Handbook, ICC Commercial Crime Services, 2005. [3] D. Hopkins, L.T. Kontnik, M.T. Turnage, Counterfeiting Exposed: Protecting your Brand and Customers, Wiley, Hoboken, NJ, 2003. [4] S. Bastia, Next generation technologies to combat counterfeiting of electronic components, IEEE Transactions on Components and Packaging Technologies 25 (1) (2002) 175–176. [5] International Chamber of Commerce Commercial Crime Services, International Guide to IP Rights Enforcement First Edition 2006, International Chamber of Commerce Counterfeiting Intelligence Bureau, 2006. [6] ICC Counterfeiting Intelligence Bureau, The International Anti-counterfeiting Directory, ICC Commercial Crime Services, 2008. [7] T. Staake, F. Thiesse, E. Fleisch, Extending the EPC network—the potential of RFID in anti-counterfeiting, in: Proceedings of the ACM Symposium on Applied Computing, Santa Fe, New Mexico, 2005. [8] ICC Counterfeiting Intelligence Bureau, Anti-Counterfeiting Technology Guide, ICC Commercial Crime Services, 2005. [9] United States Food and Drug Administration, COMBATING COUNTERFEIT DRUGS—A Report of the Food and Drug Administration, U.S. Food and Drug Administration, Rockville, MD, 2004. [10] S.K. Kwok, A.H.C. Tsang, J.S.L. Ting, W.B. Lee, B.C.F. Cheung, An intelligent RFID-based electronic anti-counterfeit system (InRECS) for the manufacturing industry, in: Proceedings of the 17th International Federation of Automatic Control (IFAC) World Congress 2008, Seoul, Korea, July 6–11, (2008), pp. 5482–5487. [11] J. Kim, H. Kim, A wireless service for product authentication in mobile RFID environment, in: Proceedings of the 1st International Symposium on Wireless Pervasive Computing, Phuket, Thailand, January 16–18, (2006), p. 5. [12] Reconnaissance International, Pharmaceutical counterfeiting: fears into facts, Authentication News 8 (7) (2002) 1. [13] FDA (Food and Drug Administration) U.S., Counterfeit Drug Task Force Interim Report, 2003. [14] U.S. Department of Health and Human Services, Combating Counterfeit Drugs, Food and Administration, 2004. [15] Imitating property is theft, The Economist (May) (2003) 52–54. [16] M. Lehtonen, T. Staake, F. Michahelles, E. Fleisch, From identification to authentication—a review of RFID product authentication techniques, in: Proceedings of the Workshop on RFID Security—RFIDSec 06, July, 2006. [17] A. Juels, RFID security and privacy: a research survey, Journal of Selected Areas in Communication (J-SAC) 24 (2) (2006) 381–395. [18] R. Koh, E. Schuster, I. Chackrabarti, A. Bellman, Securing the pharmaceutical supply chain, in: White Paper, Auto-ID Labs, Massachusetts Institute of Technology, 2003. [19] A. Juels, R. Pappu, Squealing Euros: privacy protection in RFID-enabled banknotes, in: Proceedings of Financial Cryptography–FC’’03, Le Gosier, Guadeloupe, French, West Indies, (2003), pp. 103–121. [20] S. Weis, S. Sarma, R. Rivest, D. Engels, Security and privacy aspects of low-cost radio frequency identification systems, in: Proceedings of the International Conference on Security in Pervasive Computing—SPC 2003, Berlin/Heidelberg/ New York, (2003), pp. 454–469. [21] D. Henrici, P. Mu¨ller, Hash-based enhancement of location privacy for radiofrequency identification devices using varying identifiers, in: Proceedings of the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops (PERCOMW’04), March 14–17, (2004), pp. 149–153. [22] D.N. Duc, J. Park, H. Lee, K. Kim, Enhancing security of EPCglobal Gen-2 RFID tag against traceability and cloning, in: Proceedings of the 2006 Symposium on Cryptography and Information Security, Hiroshima, Japan, January 17–20, 2006. [23] K.H.M. Wong, P.C.L. Hui, A.C.K. Chan, Cryptography and authentication on RFID passive tags for apparel products, Computers in Industry 57 (4) (2006) 342–349. [24] L.T. Mirowski, Detecting clone radio frequency identification tags, Bachelor’s Thesis, School of Computing, University of Tasmania, November, 2006.
[25] Z. Nochta, T. Staake, E. Fleisch, Product specific security features based on RFID technology, in: Proceedings of the International Symposium on Applications and the Internet Workshops (SAINTW’’06), January 23–27, (2006), pp. 72–75. [26] H. Bhatt, B. Glover, RFID Essentials, 1st ed., O’Reilly, Sebastopol, CA, 2006. [27] S. Lahiri, RFID Sourcebook, Pearson plc, Upper Saddle River, NJ, 2006. [28] EPCglobal, Inc., RFID Implementation Cookbook, 2006 Available at: http:// www.epcglobalinc.org/what/cookbook. [29] G. Elliott, N. Phillips, Mobile Commerce and Wireless Computing Systems, Pearson/Addison Wesley, Harlow, 2004. [30] C. Cid, Recent developments in cryptographic hash functions: security implications and future directions, Information Security Technical Report 11 (2) (2006) 100–107. [31] J. Holmstro¨m, R. Kajosaari, K. Fra¨mling, E. Langius, Roadmap to tracking based business and intelligent products, Computers in Industry 60 (3) (2009) 229–233. [32] K.Y. Jeon, S.H. Cho, A RFID EPC C1 Gen2 system with channel coding capability in AWGN noise environments, IEICE Transactions on Communications E92-B (2) (2009) 608–611. [33] H.Y. Chien, C.H. Chen, Mutual authentication protocol for RFID conforming to EPC Class 1 Generation 2 standards, Computer Standards and Interfaces 29 (2) (2007) 254–259. [34] E.W.T. Ngai, K.K.L. Moon, F.J. Riggins, C.Y. Yi, RFID research: an academic literature review (1995–2005) and future research directions, International Journal of Production Economics 112 (2) (2008) 510–520. [35] P. King, Hex Is Not the Standard, 2009 available at: http://www.rfidjournal.com/ article/print/4912. [36] R. Weinstein, RFID: a technical overview and its application to the enterprise, IT Professional 7 (3) (2005) 27–33. [37] M.C. O’Connor, Gen 2 EPC Protocol Approved as ISO 18000-6C, 2006 Available at: http://www.rfidjournal.com/article/articleview/2481/1/1/. [38] E.Y. Choi, D.H. Lee, J.I. Lim, Anti-cloning protocol suitable to EPCglobal Class-1 Generation-2 RFID systems, Computer Standards and Interfaces 31 (6) (2009) 1124–1130. [39] D.N. Due, J. Park, H. Lee, K. Kim, Enhancing security of EPCglobal GEN-2 RFID tag against traceability and cloning, in: Proceedings of the 2006 Symposium on Cryptography and Information Security, 2006. [40] EPCglobal, Inc., EPCglobal Standards Overview, 2009 Available at: http:// www.epcglobalinc.org/standards. S.K. Kwok is a lecturer in the department of industrial and systems engineering of The Hong Kong Polytechnic University. His research areas are in artificial intelligence, industrial and systems engineering, information and communication technologies (ICT), logistics enabling technologies and mobile commerce. He participates in several industry-based research projects, which include web-enabled collaborative working platform development, customer relationship management, mobile devices application in vendor management inventory, RF-tag order tracking system, etc. For all the mentioned projects, latest ICT are applied to streamline information flow and enhance the knowledge management (KM) among modern business units. The research outcomes are presented in several international conferences and published in various international journals. Jacky S.L. Ting is a PhD candidate at the department of industrial and systems engineering of The Hong Kong Polytechnic University. He received his BSc degree in enterprise engineering and e-business at the same university. His research interests include knowledge engineering, computer modeling of medical knowledge, medical informatics and decision support systems.
Albert H.C. Tsang is principal lecturer in the department of industrial and systems engineering at The Hong Kong Polytechnic University. He provided consultancy and advisory services to enterprises and industry support organizations in manufacturing, logistics, public utilities, healthcare and government sectors on matters related to quality, reliability, maintenance, performance management and assessment of performance excellence, and engineering asset management—these are also areas of his research interest. He is the author of ‘WeibullSoft’, a computer-aided selflearning package on Weibull analysis. Apart from publishing papers in various international refereed journals, he is also the author/co-author of three books on various aspects of engineering asset management, and two books on industrial applications of RFID.
S.K. Kwok et al. / Computers in Industry 61 (2010) 624–635 W.B. Lee is the chair professor of the department of industrial and systems engineering of The Hong Kong Polytechnic University and the director of The Hong Kong Polytechnic University Microsoft Enterprise Systems Centre (MESC). He is also the president of the Hong Kong Advancement of the Association of Science and Technology, and the past chairman of the Institution of Electrical Engineers, Hong Kong. His research interests include manufacturing science, dispersed network manufacturing systems, knowledge management and logistics engineering.
635
Benny C.F. Cheung is an associate professor and an associate director in the Advanced Optics Manufacturing Centre (AOMC) and Knowledge Management Research Centre (KMRC) in the department of industrial and systems engineering at The Hong Kong Polytechnic University. His research work emphases on industrial applications and applied research. His research interests include precision engineering, knowledge and technology management, artificial intelligence, and logistics systems. He has authored and co-authored five research books, five book chapters and more than 200 research papers in various refereed journals and international conferences in which more than 120 of them were refereed journal papers.