An open-protocol solution offers manufacturers and dispensers authentication before electronic product codes take off.
by Daphne Allen, Editor
Thanks to FDA’s interest, radio-frequency identification (RFID) is the front-runner for electronic anticounterfeiting. Once encoded with the electronic product code (EPC), RFID tags may help manufacturers and their supply-chain partners build and communicate drug pedigrees electronically.
Widespread use is far from deployment, however. EPCglobal and other industry groups are working, often together, to develop EPC standards. But systems and infrastructure still need investment and support, among other tasks.
“Why wait for EPC standards before employing RFID?” asks Joseph Pearson, business development manager for Texas Instruments (TI; Dallas). Instead, the manufacturer of RFID transponders and readers has partnered with 3M (St. Paul, MN) and VeriSign to offer a simpler way to verify product authenticity in the short term.
Figure 1. Signature generation and authentication using public-key infrastructure. Courtesy of Texas Instruments.
Called authenticated RFID, the solution involves encoding RFID tags with encrypted digital signatures, similar to those used for Internet credit card purchases. The solution is based on 13.56 MHz technology that is compliant with ISO/IEC 15693 and ISO/IEC 18000-3 Mode 1 standards.
“We support electronic pedigrees using EPC, and our model supports the efforts of EPCglobal,” Pearson says. “But electronic pedigrees require everyone in the supply chain to participate—and that is not going to happen overnight. We want safe products now.”
TI, 3M, and VeriSign are providing what Pearson calls “open-protocol encryption technologies, with manufacturer signatures written to tags.” Those signatures can be determined to be genuine in an “off-network mode.”
TI will produce RFID tags programmed with a Unique Identifier (UID) number and a Product Manufacturer Identifier (PMID), which equates to the pharmaceutical manufacturer’s labeler code as found in the National Drug Code (NDC) or any other manufacturer-selected code.
When the tag is placed into a label or onto a package, a 1024-bit digital manufacturer signature is generated and locked into the tag’s memory. Public-key infrastructure (PKI) is used to encrypt this signature.
According to Pearson, “PKI relies on public-key cryptology, which uses a pair of mathematically related cryptographic keys—a public key and a corresponding unique private key. While the keys are mathematically related to each other, it is computationally infeasible to calculate one key’s encryption from the other when using a 1024-bit key size.” Pearson presents such information in his white paper, “Securing the Pharmaceutical Supply Chain with RFID and Pubic-Key Infrastructure Technologies.”
The PKI methodology uses two types of digital-signature algorithms: the Secure Hash Algorithm 1 (SHA-1) and the RSA Cryptosystem, named after inventors Ron Rivest, Adi Shamir, and Leonard Adleman.
Pearson says that the PKI-encrypted signature is “bookended” with PKI-reading technology employed at the dispensing site. “Readers used by pharmacists or other dispensers will compare the signature with those listed in a VeriSign index of public keys to match it to a manufacturer signature.” If the signature matches, pharmacists can feel pretty confident that the tag—and therefore the package—is authentic. “Even if no events have been captured after the product leaves the manufacturing facility, it is still possible at the point of dispensing to significantly increase the confidence that the tag was originated at an authentic pharmaceutical manufacturer,” explains Pearson in his paper. At the very least, he says, pharmacists will know that the product has not been relabeled.
As more parties throughout the supply chain equip themselves to handle RFID, “higher levels of confidence can be achieved by comparing events stored on the tag to associated data stored in a distributed data network,” he writes.
“Why wait for EPC standards before employing RFID?”
3M supplies the readers and provides system integration. “The RFID tag and reader work together to provide a security system that can be used by multiple manufacturers,” writes Andrew Dubner, senior specialist with 3M Security Systems Div., in his white paper, “Securing the Pharmaceutical Supply Chain—The Authenticated RFID Platform.” Dubner continues: “The platform . . . delivers authentication in the short term, and the ability to build an authenticated electronic pedigree as the network infrastructure builds.”