WO2015039279A1 - A system and method for authentication - Google Patents

A system and method for authentication Download PDF

Info

Publication number
WO2015039279A1
WO2015039279A1 PCT/CN2013/083617 CN2013083617W WO2015039279A1 WO 2015039279 A1 WO2015039279 A1 WO 2015039279A1 CN 2013083617 W CN2013083617 W CN 2013083617W WO 2015039279 A1 WO2015039279 A1 WO 2015039279A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
code
replacement
resynchronization
passkey
Prior art date
Application number
PCT/CN2013/083617
Other languages
French (fr)
Inventor
Chi Hung Tong
Yijun He
Original Assignee
Hong Kong R&D Centre for Logistics and Supply Chain Management Enabling Technologies Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hong Kong R&D Centre for Logistics and Supply Chain Management Enabling Technologies Limited filed Critical Hong Kong R&D Centre for Logistics and Supply Chain Management Enabling Technologies Limited
Priority to CN201380080974.9A priority Critical patent/CN105849739B/en
Priority to PCT/CN2013/083617 priority patent/WO2015039279A1/en
Publication of WO2015039279A1 publication Critical patent/WO2015039279A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/645Protecting data integrity, e.g. using checksums, certificates or signatures using a third party
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/018Certifying business or products
    • G06Q30/0185Product, service or business identity fraud

Definitions

  • the present invention relates to a system and method for authentication, and particularly, although not exclusively, to a system and method for authenticating a product or service.
  • a method for authentication comprising the steps of: - receiving a verification request for verifying an identifier and a check code associated with an authentication subject;
  • the method for authentication further comprising the step of updating the record in the authentication database with the replacement check code such that the record associated with the identifier is updated with the replacement check code.
  • the record associated with the identifier is updated to be associated with the replacement check code.
  • a method for authentication further comprising the step of:
  • the method for authentication further comprising the step of updating the record in the authentication database with the replacement authentication code and the replacement check code such that the record associated with the identifier is updated with the replacement authentication code and the replacement check code.
  • the record associated with the identifier is updated to be associated with the replacement authentication code and the replacement check code.
  • a method for authentication comprising the steps of:
  • the method for authentication further comprising the step of updating the record in the authentication database with the replacement resynchronization code, the replacement authentication code and the replacement check code such that the record associated with the identifier is updated with the replacement resynchronization code, the replacement authentication code and the replacement check code.
  • the record associated with the identifier is updated to be associated with the replacement resynchronization code, the replacement authentication code and the replacement check code.
  • the authentication password and/or the resynchronization password is manually input by a user.
  • the verification request is received from a reader module arranged to communicate the identifier, the check code, the authentication code and/or the resynchronization code from the associated authentication subject.
  • the identifier, the check code, the authentication code and/or the resynchronization code are stored on one or more tag devices arranged to tag the authentication subject.
  • the method for authentication further comprising the step of updating the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code.
  • the step of updating the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code includes transmitting the replacement check code, the replacement authentication code and/or the replacement resynchronization code to the reader module.
  • the reader module is arranged to update the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code.
  • the authentication code and the resynchronization code stored on the one or more tag devices are arranged to be replaceable only if a respective authentication passkey or a resynchronization passkey is provided in the update process.
  • the authentication passkey and/or the resynchronization passkey are stored on the one or more tag devices.
  • the authentication passkey and/or the resynchronization passkey are non-readable by the reader module.
  • the method for authentication further comprising the step of generating a replacement resynchronization passkey and/or a replacement authentication passkey for updating the record in the authentication database.
  • the method for authentication further comprising the step of updating the record in the authentication database with the replacement resynchronization passkey and/or the replacement authentication passkey such that the record associated with the identifier is updated with the replacement resynchronization passkey and/or the replacement authentication passkey.
  • the record associated with the identifier is updated to be associated with the replacement resynchronization passkey and/or the replacement authentication passkey.
  • the method for authentication further comprising the step of updating the resynchronization passkey and/or the authentication passkey stored on the one or more tag devices with the replacement resynchronization passkey and/or the replacement authentication passkey.
  • the step of generating the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey for updating the record associate with the identifier includes the step of processing the check code, the authentication code, the authentication passkey, the resynchronization code and/or the resynchronization passkey with a security code module to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey.
  • the method for authentication further comprising the step of transmitting a verified signal when the identifier is verified.
  • the tag device includes a near field communication (NFC) arrangement.
  • NFC near field communication
  • the identifier, the check code, the authentication code, the authentication passkey, the resynchronization code, the resynchronization passkey, the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey is encrypted.
  • the authentication subject is a product.
  • the identifier, the check code, the authentication code, the authentication passkey, the resynchronization code and/or the resynchronization passkey is an alphanumeric string.
  • the alphanumeric string is of a random length.
  • the security code module is arranged to use using a predetermined code generating algorithm to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey.
  • the code generating algorithm is arranged to generate random alphanumeric strings.
  • the reader module is a handheld device.
  • the handheld device is a smartphone, a media device or a tablet PC.
  • a system for authentication comprising:
  • a gateway arranged to receive a verification request for verifying an identifier and a check code associated with an authentication subject
  • a verification module arranged to verify the identifier and the check code by locating a record associated with the identifier in an authentication database
  • system for authentication further comprising a routine to update the record in the authentication database with the replacement check code such that the record associated with the identifier is updated with the replacement check code.
  • the record associated with the identifier is updated to be associated with the replacement check code.
  • a system for authentication comprising:
  • a gateway arranged to receive a verification request for verifying an identifier, an authentication code and an authentication password associated with an authentication subject
  • a verification module arranged to verify the identifier, the authentication code and the authentication password by locating a record associated with the identifier in an authentication database
  • system for authentication further comprising a routine to update the record in the authentication database with the replacement authentication code and the replacement check code such that the record associated with the identifier is updated with the replacement authentication code and the replacement check code.
  • the record associated with the identifier is updated to be associated with the replacement authentication code and the replacement check code.
  • a system for authentication comprising:
  • a gateway arranged to receive a verification request for verifying an identifier, a resynchronization code and a resynchronization password associated with an authentication subject;
  • a verification module arranged to verify the identifier, the resynchronization code and the resynchronization password by locating a record associated with the identifier in an authentication database
  • system for authentication further comprising a routine to update the record in the authentication database with the replacement resynchronization code, the replacement authentication code and the replacement check code such that the record associated with the identifier is updated with the replacement resynchronization code, the replacement authentication code and the replacement check code.
  • the system for authentication in accordance with claim 41, wherein the record associated with the identifier is updated to be associated with the replacement resynchronization code, the replacement authentication code and the replacement check code.
  • the authentication password and/or the resynchronization password is manually input by a user.
  • the verification request is received from a reader module arranged to communicate the identifier, the check code, the authentication code and/or the resynchronization code from the associated authentication subject.
  • the identifier, the check code, the authentication code and/or the resynchronization code are stored on one or more tag devices arranged to tag the authentication subject.
  • system for authentication further comprising a routine to update the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code.
  • the routine to update the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code includes transmitting the replacement check code, the replacement authentication code and/or the replacement resynchronization code to the reader module.
  • the reader module is arranged to update the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code.
  • the authentication code and the resynchronization code stored on the one or more tag devices are arranged to be replaceable only if a respective authentication passkey or a resynchronization passkey is provided in the update process.
  • the authentication passkey and/or the resynchronization passkey are stored on the one or more tag devices. In an embodiment of the fifth or the sixth aspect, the authentication passkey and/or the resynchronization passkey are non-readable by the reader module.
  • system for authentication further comprising a routine to generate a replacement resynchronization passkey and/or a replacement authentication passkey for updating the record in the authentication database.
  • system for authentication further comprising a routine to update the record in the authentication database with the replacement resynchronization passkey and/or the replacement authentication passkey such that the record associated with the identifier is updated with the replacement resynchronization passkey and/or the replacement authentication passkey.
  • the record associated with the identifier is updated to be associated with the replacement resynchronization passkey and/or the replacement authentication passkey.
  • a system for authentication in accordance with any one of claims 52 to 54, further comprising a routine to update the resynchronization passkey and/or the authentication passkey stored on the one or more tag devices with the replacement resynchronization passkey and/or the replacement authentication passkey.
  • the routine to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey for updating the record associate with the identifier includes a routine to process the check code, the authentication code, the authentication passkey, the resynchronization code and/or the resynchronization passkey with a security code module to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey.
  • system for authentication further comprising a routine to transmit a verified signal when the identifier is verified.
  • the tag device includes a near field communication (NFC) arrangement.
  • NFC near field communication
  • the identifier, the check code, the authentication code, the authentication passkey, the resynchronization code, the resynchronization passkey, the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey is encrypted.
  • the authentication subject is a product.
  • the identifier, the check code, the authentication code, the authentication passkey, the resynchronization code and/or the resynchronization passkey is an alphanumeric string.
  • the alphanumeric string is of a random length.
  • the security code module is arranged to use a predetermined code generating algorithm to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey.
  • the code generating algorithm is arranged to generate random alphanumeric strings.
  • the reader module is a handheld device.
  • the handheld device is a smartphone, a media device or a tablet PC.
  • a tag for authenticating a product comprising
  • a storage module arranged to store an identifier, a check code, a authentication code and/or a resynchronization code associated with the product, wherein when the identifier, the check code, the authentication code and/or the resynchronization code is read by a communication interface, the check code, the authentication code and/or the resynchronization code is updated with a replacement check code, a replacement authentication code and/or a replacement resynchronization code.
  • the storage module is arranged to receive the replacement check code, the replacement authentication code and the replacement resynchronization code from the communication interface to update the check code, the authentication code and the resynchronization code stored in the storage module.
  • the storage module is further arranged to store an authentication passkey and a resynchronization passkey associated with the product; and wherein the authentication code and the resynchronization code are arranged to be replaceable only if a respective authentication passkey or a resynchronization passkey is provided in the update process.
  • the authentication passkey and/or the resynchronization passkey are non-readable by a reader module.
  • a method for authenticating a product comprising the steps of:
  • Figure 1 is a schematic diagram of a computing server for operation as a system for authentication in accordance with one embodiment of the present invention
  • Figure 2 is a schematic diagram of an embodiment of the system for authentication in accordance with one embodiment of the present invention
  • Figure 3 is a block diagram of an embodiment of an authentication server of Figure 1 ;
  • Figure 4 is a block diagram of an embodiment of a tag for authenticating a product as shown in Figure 2;
  • Figure 5 is a flow diagram of an example of the operation of the system for authentication;
  • FIG. 6 is a block diagram of a tag for authenticating a product for authentication in accordance with one embodiment of the present invention.
  • Figure 7A is a flow diagram of an example of the operation in accordance with one embodiment of the present invention.
  • Figure 7B is a block diagram of an embodiment of a tag for authenticating a product as shown in Figure 6 operating according to an embodiment of an operation as shown in Figure 7A;
  • Figure 8A is a flow diagram of an example of the operation in accordance with one embodiment of the present invention.
  • Figure 8B is a block diagram of an embodiment of a tag for authenticating a product as shown in Figure 6 operating according to an embodiment of an operation as shown in Figure 8A;
  • Figure 9A is a flow diagram of an example of the operation in accordance with one embodiment of the present invention.
  • Figure 9B is a block diagram of an embodiment of a tag for authenticating a product as shown in Figure 6 operating according to an embodiment of an operation as shown in Figure 9 A.
  • This embodiment is arranged to provide a system for authentication, comprising:
  • a gateway arranged to receive a verification request for verifying an identifier associated with an authentication subject
  • a verification module arranged to verify the identifier by locating a record associated with the identifier in an authentication database, and whereupon the identifier has been verified, using an identifier generator to generate a replacement identifier for updating the record in the authentication database.
  • the verification request is arranged to be received from a reader module arranged to communicate the identifier from the associated authentication subject having a tag arranged to store the identifier and the identifier is stored in the tag is updated with the replacement identifier upon verification of the identifier.
  • the gateway, verification module and the identifier generator are implemented by or for operation on a computer having an appropriate user interface.
  • the computer may be implemented by any computing architecture, including stand-alone PC, client/server architecture, "dumb" terminal/mainframe architecture, or any other appropriate architecture.
  • the computing device is appropriately programmed to implement the invention.
  • FIG. 1 there is a shown a schematic diagram of a computer or a computing server 100 which in this embodiment comprises a server 100 arranged to operate, at least in part if not entirely, the system for authentication in accordance with one embodiment of the invention.
  • the server 100 comprises suitable components necessary to receive, store and execute appropriate computer instructions.
  • the components may include a processing unit 102, read-only memory (ROM) 104, random access memory (RAM) 106, and input/output devices such as disk drives 108, input devices 110 such as an Ethernet port, a USB port, etc.
  • Display 112 such as a liquid crystal display, a light emitting display or any other suitable display and communications links 114.
  • the server 100 includes instructions that may be included in ROM 104, RAM 106 or disk drives 108 and may be executed by the processing unit 102. There may be provided a plurality of communication links 114 which may variously connect to one or more computing devices such as a server, personal computers, terminals, wireless or handheld computing devices. At least one of a plurality of communications link may be connected to an external computing network through a telephone line or other type of communications link.
  • the server may include storage devices such as a disk drive 108 which may encompass solid state drives, hard disk drives, optical drives or magnetic tape drives.
  • the server 100 may use a single disk drive or multiple disk drives.
  • the server 100 may also have a suitable operating system 116 which resides on the disk drive or in the ROM of the server 100.
  • the system has a database 120 residing on a disk or other storage device which is arranged to store at least one record 122.
  • the database 120 is in communication with the server 100 with an interface, which is implemented by computer software residing on the server 100.
  • the database 120 may also be implemented as a stand-alone database system in communication with the server 100 via an external computing network, or other types of communication links.
  • the server 100 is used as part of an authentication system 200 as an authentication server 202 arranged to communicate with a reader module 204 arranged to read and/or write to a tag associated with an authentication subject 208, such as a product or service which is required to be authenticated.
  • the authentication server 202 is arranged to process a verification request of an identifier stored in a tag.
  • the server 202 is arranged to communicate with the reader module 204 such that once the reader module 204 reads the identifier stored in a tag, the identifier is transmitted to the server 202 for verification.
  • the reader module 204 may be in the form of a scanner, a reader, smart phone or a user operated kiosk 206 arranged to communicate with the server 202 and to read an identifier from an authentication subject 208 which may be a goods item or authentication certificate of a service.
  • the authentication subject 208 such as a goods item, may include a tag device 210 associated with the authentication subject 208 which is arranged to tag the authentication subject 208. This tag device 210 is in turn readable by the reader module 204 for authentication.
  • the communication link between the reader module 204 and the server may be an internet connection 212 or a computer network which is operated on a telephone line or other types of communication links.
  • the communication links including the communication link between the authentication server 202 and the reader module 204, the communication link 214 between the reader module 204 and the authentication subject 208, and the internet connections 212, are encrypted with AES encryption, or other encryption methods, such as SSL or SSH, as appreciated by a person skilled in the art.
  • AES encryption or other encryption methods, such as SSL or SSH, as appreciated by a person skilled in the art.
  • SSL or SSH Secure Shell
  • the identity of the reader module 204 may be further protected by one or more security schemes.
  • an E-token can be used for a kiosk identity, wherein the E-token may be initialized with a kiosk private certificate stored in a protected memory space in the kiosk 206 in which the protected memory can only be reference by an on-chip unit; a platform public key which is provided by the authentication system; and a unique kiosk identity (ID) string such as a alpha-numeric string with 32 bytes.
  • the kiosk 206 may also require a user logon before it can access the authentication server 202 for data enquiry to reduce the risk of unauthorized access.
  • the kiosk 206 or the reader module 204 logon to the authentication server 202
  • the kiosk 206 or reader module 204 sends the required E-token information to the authentication server 202.
  • the authentication server 202 may generate and provide a random (of say 32 bytes) key to the kiosk 206 which can be used for consequent requests and for data encryption for every communication between the kiosk 206, scanner or other forms of reader module 204 and the server 202. Examples of such keys may include the generation and usage of a session key to encrypt and identify a particular communication session, whilst an encryption key may be generated and used to encrypt any data transmitted between the different components.
  • the tag device 210 associated with each authentication subject 208 may also be protected by a security scheme.
  • at least one password must be correctly entered before the tag is enabled for reading and writing data to the tag.
  • Unauthorized kiosk or reader module can also be barred from reading, writing, or modifying data such as an identifier stored in the tag without an access password.
  • some information in the tag can be locked with a different passwords provided by a manufacturer.
  • the authentication server 202 is arranged to support item level password control.
  • the tag device 210 also includes an anti-tamper arrangement arranged such that the tag cannot be removed from an authentication subject 208 without physical damage to the tag device 210 or the associated authentication subject 208.
  • This anti-tampering arrangement may for example be arranged such that upon tampering, the tag will no longer function and cannot be read or written to by a reader module 204, although in some embodiments, the tag may have additional routine which would allow an authorized reader module 204 to instruct the tag to enter a "tamper" mode which would allow the tag to be removed or otherwise disassociate itself from a product or authentication subject 208 and thus preventing the tag from being destroyed. This in turn allows the secured reusability of the tag.
  • the authentication server 202 includes a gateway 302, a verification module 304, an authentication database 306 and an identifier generator 308, which may be implemented as individual or shared components by hardware or software on or in connection with a computer system to act or provided the functionality necessary for the server 100 to operate as a system for authentication.
  • the gateway 302 module is arranged to communicate with a reader module 204 to obtain an identifier associated with an authentication subject 208, such as a product.
  • the authentication subject 208 has an associated tag device 210
  • the tag device 210 is firstly read by a reader module 204 to retrieve an identifier stored in the tag.
  • the reader module 204 transmits the identifier to the authentication server 202 by sending a verification request.
  • This verification request includes the identifier read from the tag and is, in turn, sent to the gateway 302 of the authentication server 202.
  • the identifier may be randomly composed, algorithm/mathematically composed or any combination thereof, an alphanumeric string of a predetermined length, calculated random length or it may be a barcode, QR code or other forms of computer readable code or identifier.
  • the gateway 302 once successfully reads the identifier, then passes the received identifier to the verification module 304 for verification.
  • the verification module 304 may then proceed to verify the received identifier by locating a record associated with the identifier in the authentication database 306.
  • the authentication database 306 stores a plurality of records associated with respective identifiers which would indicate that the identifier is valid.
  • This authentication database 306 can be securely controlled by the manufacturer, retailer, law enforcement agency or another authorized persons or stake holders which may be entrusted to verify the authenticity of an authentication subject 208 and may be populated with records of identifiers which are representative of valid products or services.
  • the records within the authentication database 306 may include the identifier or in some examples, associated product or service information such as make, model, colour, shipping history or other attributes or information for distribution to an authorized party so as to increase the security and usability of the authentication process.
  • the authentication server 202 uses an identifier generator 308 to generate a replacement identifier, which may be an alpha-numeric string which is different from the identifier which has just been verified.
  • the identifier generator 308 may then write the replacement identifier to the authentication database 306 by updating the record in the authentication database 306 such that the replacement identifier is stored in the authentication database 306 to replace the identifier which has just been verified.
  • the identifier which has just been read and verified cannot be verified in the future as the next verification process of this authentication subject 208 will require a reading of the replacement identifier which has just been generated and stored in the authentication database 306, although for record keeping and logging purposes, the old identifier which is being replaced may, in another embodiment, continue to be stored in the record on the authentication database 306 but as an old record which can be used for logging purposes, but not subsequent authentication.
  • the rules of authentication may be suitable adjusted so that an old identifier, up to a certain number of subsequent replacement identifiers, can still be considered valid for authentication. This may be advantageous in authentication of products where communication links are intermittent or unreliable.
  • the replacement identifier is also sent to the gateway 302 such that it may be transmitted to the reader module 204 for updating the tag associated with the authentication subject 208.
  • This allows the tag to be updated with the replacement identifier and thus allowing the product associated with the tag to be verified again in the future as a subsequent reading of the tag by the reader module 204 will read the replacement identifier which is now stored in the authentication database 306 for this particular authentication subject 208.
  • the identifier generator 308 may include a security code module 310 arrange to generate the replacement identifier.
  • the security code module 310 When the identifier generator 308 sends a request to the security code module 310 for a replacement identifier, the security code module 310 generates a replacement identifier and returns the replacement identifier to the identifier generator 308.
  • the security code module 310 is arranged to generate a secure code in variable length (e.g. 4 bytes to 20 bytes or any other size), the generated code may be a random alpha-numeric string and is one-time and unique in that it is different from any previously verified code.
  • Other forms of replacement identifier generation algorithm may be employed to generate a replacement identifier in the security code module 310 as appreciated by a person skilled in the art.
  • the authentication server 202 may further include an error module 312 arranged to handle an unsuccessful verification processed by the verification module 304.
  • the error module 312 may update a record in a database indicating the number of unsuccessful verification handled by a certain reader module 204. This provides an advantage in that the error module may also provide an error message to the gateway 302 which may be further transmitted to the associated kiosk 206, reader, scanner or other reader module 204 for displaying the error message.
  • FIG 4 there is shown a block diagram of a tag for authenticating a product comprising a storage module arranged to store an identifier associated with the product, wherein when the identifier is accessed by a communication interface, the identifier is updated with a replacement identifier.
  • the tag device 210 comprises a storage module 402, which may include a re- writable non- volatile memory for storing an identifier.
  • the tag device 210 may also include other memory device including one-time-programmable memory and volatile memory for storing the identifier and information other than the identifier.
  • the authentication server 202 Upon successful verification, the authentication server 202 transmits a replacement identifier to the reader module 204, and the reader module 204 transmits the replacement identifier to the communication interface 404.
  • the replacement identifier is subsequently updated in the memory module 402 of the tag device 210.
  • the tag device 210 may further include a security code module 406 arranged to generate a replacement identifier upon successful verification.
  • the replacement identifier is subsequently updated in the memory module 402 of the tag device 210, and may also be transmitted to the authentication server 202 for updating the associated record in the authentication database 306.
  • the replacement identifier may be generated by the tag 210 and sent back to the server 100 for updating, or alternatively, both the server 100 and the tag 210 can generate the replacement identifier, but both security code modules must be operating with the same generation method or algorithm such that the replacement identifier generated by the tag 210 and the replacement identifier generated by the server 100 must be identical.
  • the tag device 210 is implemented with a passive RFID arrangement arranged to communicate with an RFID reader.
  • the RFID tag includes rewritable non-volatile memory for storage of an alpha-numeric string as an identifier.
  • the RFID tag may be embedded in an authentication subject 208 during the manufacturing of the authentication subject 208.
  • the RFID may be embedded in to a block of material such as plastic or epoxy, to prevent easy hacking or reverse-engineering of the tag.
  • the tag may be arranged to be non-removable without physical damage to the tag or the authentication subject 208 to ensure a lifetime unique identification for each respective authentication subject 208, wherein a damaged tag is arranged to be rendered not readable by any reader.
  • example embodiments are advantageous in that a product can be authenticated whilst ensuring an identifier used for the authentication cannot be imitated by a counterfeiter.
  • the identifier is arranged to change on each read operation, the identifier, even if captured by a counterfeiter or some other unauthorized party, cannot be used to falsely authenticate an imitation product or service.
  • infant formula tins or other products can be attached with a tamper proof tag device 210 which can be checked by a retailer or consumer.
  • the identifier Upon the identifier having been read, the identifier can be verified for authenticity, whilst the retailer and consumer can be assured that the identifier that has been read cannot be a copy as it is subject to authorized changes on each read operation, thus allowing assurance as to the authenticity of the product since the authentication of the product is a continuing process and not a single point of authentication which could be have been imitated by an counterfeiter.
  • an identifier of a tag device 210 associated with a product for authentication is read by a reader module 204, such as a scanner, reader or kiosk 206 operated by a user.
  • the identifier may be a code of variable length or may comprise other characteristics associated with the tag device 210.
  • the tag device 210 may be an anti-tamper RFID tag.
  • the tag device 210 is arranged to be read by an authorized reader module 204 which may be in the form of a hand held scan gun, a PDA, a smartphone embedded with Near Field Communication (NFC) technology or a kiosk 206 with a RFID reader or any other reading means.
  • NFC Near Field Communication
  • the identifier is sent from the reader to a gateway 302 of an authentication system which includes an authentication server 202 to perform the authentication.
  • the authentication server 202 may be an information handling system such as a computer, a PDA, a mobile device, etc. Also, the transfer of the identifier to the authentication system may be through wired or wireless communication links including but not limited to the internet or a kiosk. In one embodiment, the authentication system and the reading means may be a single unit.
  • the authentication server 202 matches the incoming identifier with the data in the database to perform authentication. In some other embodiments, the authentication server 202 matches the information associated with the incoming identifier with the data in the database to perform authentication.
  • the authentication database 306 may be part of the authentication server 202 (i.e. the same unit). In some other examples, the authentication database 306 may be external of the authentication server 202.
  • the authentication server 202 Upon successful verification of the identifier, in step 506, the authentication server 202 checks for outstanding operations related to the identifier. In one embodiment, the outstanding operations may include any one of the authentication procedures in Figure 5. When an outstanding operations related to that identifier is located, these operations will be resumed in step 508.
  • the authentication system will record that particular identifier and the authentication process will be terminated in step 516.
  • an identifier generator 308 in the authentication server 202 generates a replacement identifier.
  • the identifier generator 308 may be part of the authentication server 202 (i.e. the same unit). In some other examples, the identifier generator 308 may be external of the authentication server 202.
  • the replacement identifier may be a code of variable length that is different to the original identifier.
  • the replacement identifier is not associated with any prior tag devices 210. More preferably, the replacement identifier is not located in the authentication database 306 prior to generating by the identifier generator 308. In an event where error or failure occurs during generation of the replacement identifier, the authentication system records the event and terminates the authentication process in step 516.
  • the authentication server 202 Upon successful generation of the replacement identifier, in step 512, the authentication server 202 transmits and writes the replacement identifier to the tag device 210.
  • the authentication system may have a gateway 302 that performs the transmission of the replacement identifier to the tag device 210.
  • authentication server 202 may utilize an external transmission system to transmit the replacement identifier.
  • the transmission of the replacement identifier to the tag device 210 may be through wire or wireless communication links such as but not limited to the internet or a kiosk.
  • the replacement identifier may be a code comprising a different length or may comprise other characteristics associated with the tag device 210.
  • the authentication server 202 records the event and terminates the authentication process.
  • the authentication server 202 Upon successfully completing the writing of the replacement identifier to the tag device 210, in step 514, the authentication server 202 updates the record of the authentication database 306 to associate the replacement identifier with that tag device 210.
  • the original identifier is removed from the authentication database 306.
  • the authentication server 202 records the event and terminates the authentication process in step 516.
  • the authentication process completes and terminates.
  • a tag 600 for authenticating a product comprising a storage module 602 arranged to store an identifier, a check code 604, a authentication code 606 and/or a resynchronization code 610 associated with the product, wherein when the identifier, the check code 604, the authentication code 606 and/or the resynchronization code 610 is read by a communication interface, the check code 604, the authentication code 606 and/or the resynchronization code 610 is updated with a replacement check code 614, a replacement authentication code and/or a replacement resynchronization code.
  • the storage module 602 is arranged to receive the replacement check code 614, the replacement authentication code and the replacement resynchronization code from the communication interface to update the check code 604, the authentication code 606 and the resynchronization code 610 stored in the storage module 602.
  • the storage module 602 is further arranged to store an authentication passkey 608 and a resynchronization passkey 612 associated with the product; and wherein the authentication code 606 and the resynchronization code 610 are arranged to be replaceable only if a respective authentication passkey 608 or a resynchronization passkey 612 is provided in the update process.
  • the authentication code 606 and the resynchronization code 610 are write-protected by the authentication passkey 608 and the resynchronization passkey 612 respectively.
  • the authentication passkey 608 and/or the resynchronization code 612 are stored in a storage module other than the storage module 602.
  • the authentication passkey and/or the resynchronization passkey are non- readable by a reader module.
  • the passkeys are readable by a reader module other than the reader module arranged to read the identifier, the check code 604, the authentication code 606 and/or the re synchronization code 610.
  • the tag 600 is arranged to be read by an authorized or an unauthorized reader module 204 which may be in the form of a hand held scan gun, a PDA, a smartphone embedded with Near Field Communication (NFC) technology or RFID reader or any other reading means.
  • an authorized or an unauthorized reader module 204 which may be in the form of a hand held scan gun, a PDA, a smartphone embedded with Near Field Communication (NFC) technology or RFID reader or any other reading means.
  • NFC Near Field Communication
  • an identifier of a tag device 600 associated with a product for authentication is read by a reader module 204, such as a scanner, reader or kiosk 206 operated by a user.
  • a gateway arranged to receive a verification request for verifying an identifier and a check code associated with an authentication subject
  • a verification module arranged to verify the identifier and the check code by locating a record associated with the identifier in an authentication database
  • the identifier and the check code 604 are sent from the reader to a gateway 302 of an authentication system which includes an authentication server 202 to perform the authentication in step 704.
  • the authentication server 202 may be an information handling system such as a computer, a PDA, a mobile device, etc.
  • the transfer of the identifier and the check code 604 to the authentication system may be through wired or wireless communication links 214 including but not limited to the internet.
  • the authentication server 202 verifies the identifier and the check code 604 by locating a record associated with the identifier in an authentication database 306 of the authentication server 202.
  • the authentication server 202 matches the incoming identifier and the check code 604 with the data in the database to perform authentication.
  • the authentication server 202 matches the information associated with the incoming identifier and the check code 604 with the data in the database to perform authentication.
  • the authentication database 306 may be part of the authentication server 202 (i.e. the same unit). In some other examples, the authentication database 306 may be external of the authentication server 202.
  • the authentication system will record that particular identifier and the authentication process will be terminated. Alternatively, an error message will be transmitted to the reader indicating that the verification is unsuccessful.
  • the authentication server 202 generates a replacement check code 614.
  • the replacement check code 614 may be a code of variable length that is different to the original check code.
  • the replacement check code 614 is not associated with any prior tag device 600. More preferably, the replacement check code 614 is not located in the authentication database 306 previously.
  • the authentication server 202 updates the record of the authentication database 306 to associate the replacement check code 614 with that tag device 600.
  • the original check code 604 is removed from the authentication database 306.
  • the authentication server 202 Upon successful generation of the replacement check code 614, the authentication server 202 transmits the replacement check code 614 to the reader module 204.
  • the authentication server 202 transmits a product info associated with the product being authenticated, and the product info is shown to a user via a device comprising the reader module 214 in step 710.
  • the authentication system may have gateway 302 that performs the transmission of the replacement check code 614 to the tag device 600.
  • authentication server 202 may utilize an external transmission system to transmit the replacement check code 614.
  • the transmission of the replacement check code 614 to the tag device 600 may be through wire or wireless communication links 214 such as but not limited to the internet.
  • the reader module 204 overwrites the original check code 604 with the replacement check code 614.
  • the replacement check code 614 may be a code comprising a different length or may comprise other characteristics associated with the tag device 600.
  • the reader module is arranged to transmit the replacement code to the tag device 600 and the tag device is arranged to overwrite the original check code 604 with the replacement check code 614.
  • a gateway arranged to receive a verification request for verifying an identifier, an authentication code and an authentication password associated with an authentication subject
  • a verification module arranged to verify the identifier, the authentication code and the authentication password by locating a record associated with the identifier in an authentication database
  • the system for authentication working in a product authentication mode 800, starting with step 802, upon reading an identifier and an authentication code 606 stored in the tag device 600 by the reader module 204, and a user is requested to provide an authentication password 618 to the system for authentication 800.
  • the authentication password is manually input to the reader module 204.
  • the password may be printed on a sales receipt upon the completion of a successful transaction in an authorized shop.
  • the password may be displayed to the customer prior to the successful completion of the transaction.
  • the identifier, the authentication code 606 and the authentication password 618 are sent from the reader to a gateway 302 of an authentication system which includes an authentication server 202 to perform the authentication in step 804.
  • the authentication server 202 may be an information handling system such as a computer, a PDA, a mobile device, etc.
  • the transfer of the identifier and the check code 604 to the authentication system may be through wired or wireless communication links 214 including but not limited to the internet.
  • the authentication server 202 matches the incoming identifier, the authentication code 606 and the authentication password 618 with the data in the database to perform authentication. In some other embodiments, the authentication server 202 matches the information associated with the incoming identifier, the authentication code 606 and the authentication password 618 with the data in the database to perform authentication.
  • the authentication database 306 may be part of the authentication server 202 (i.e. the same unit). In some other examples, the authentication database 306 may be external of the authentication server 202. If the verification of the identifier, the authentication code 606 and/or the authentication password 618 is unsuccessful, the authentication system will record that particular identifier and the authentication process will be terminated. Alternatively, an error message will be transmitted to the reader indicating that the verification is unsuccessful.
  • the authentication server 202 retrieves an authentication passkey 608 from authentication database 306, and generates a replacement check code 614, a replacement authentication code 616 and a replacement authentication passkey.
  • the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey may be a code of variable length that is different to the original check code 604, the original authentication code 606 and the original authentication passkey 608.
  • the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey are not associated with any prior tag device 600.
  • the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey are not located in the authentication database 306 previously.
  • the authentication server 202 updates the record of the authentication database 306 to associate the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey with that tag device 600.
  • the original check code 604, the original authentication code 606 and the original authentication passkey 608 are removed from the authentication database 306.
  • the authentication server 202 Upon successful generation of the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey, the authentication server 202 transmits the original authentication passkey 608, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey to the reader module 204.
  • the authentication server 202 transmits a product info associated with the product being authenticated, and the product info is shown to a user via a device comprising the reader module 204 in step 810.
  • the authentication system may have gateway 302 that performs the transmission of the original authentication passkey 608, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey to the tag device 600.
  • authentication server 202 may utilize an external transmission system to transmit the original authentication passkey 608, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey.
  • the transmission of the original authentication passkey 608, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey to the tag device 600 may be through wire or wireless communication links 214 such as but not limited to the internet.
  • the reader module 204 provides the tag device 600 with the original authentication passkey 608 such that the original authentication code 608 is configured to be replaceable after 3DES authentication between tag device 600 and reader module 204 using original authentication passkey 608.
  • the reader module overwrites the original check code 604, the original authentication code 606 and the original authentication passkey 608 with the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey.
  • the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey may be a code comprising a different length or may comprise other characteristics associated with the tag device 600.
  • the reader module is arranged to transmit the original authentication passkey 608, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey to the tag device 600 and the tag device is arranged to overwrite the original check code 604, the original authentication code 606 and the original authentication passkey 608 with the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey.
  • a system for authentication comprising:
  • a gateway arranged to receive a verification request for verifying an identifier, a resynchronization code and a resynchronization password associated with an authentication subject;
  • a verification module arranged to verify the identifier, the resynchronization code and the resynchronization password by locating a record associated with the identifier in an authentication database
  • the resynchronization password is manually input to the reader module 204.
  • the password may be printed on a sales receipt upon the completion of a successful transaction in an authorized shop.
  • the identifier, the resynchronization code 610 and the resynchronization password 622 are sent from the reader to a gateway 302 of an authentication system which includes an authentication server 202 to perform the authentication in step 904.
  • the authentication server 202 may be an information handling system such as a computer, a PDA, a mobile device, etc. Also, the transfer of the identifier, the resynchronization code 610 and the resynchronization password 622 to the authentication system may be through wired or wireless communication links 214 including but not limited to the internet. Once the identifier, the resynchronization code 610 and the resynchronization password
  • the authentication server 202 verifies the identifier, the resynchronization code 610 and the resynchronization password 622 by locating a record associated with the identifier in an authentication database 306 of the authentication server 202.
  • the authentication server 202 matches the incoming identifier, the resynchronization code 610 and the resynchronization password 622 with the data in the database to perform authentication.
  • the authentication server 202 matches the information associated with the incoming identifier, the resynchronization code 610 and the resynchronization password 622 with the data in the database to perform authentication.
  • the authentication database 306 may be part of the authentication server 202 (i.e. the same unit). In some other examples, the authentication database 306 may be external of the authentication server 202.
  • the authentication system will record that particular identifier and the authentication process will be terminated. Alternatively, an error message will be transmitted to the reader indicating that the verification is unsuccessful.
  • the authentication server 202 retrieves a resynchronization passkey 612 authentication database 306, and generates a replacement check code 614, a replacement authentication code 616, a replacement authentication passkey, a replacement resynchronization code 620 and a replacement resynchronization passkey.
  • the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey may be a code of variable length that is different to the original check code 604, the original authentication code 606, the original authentication passkey 608, the original resynchronization code 610 and the original resynchronization passkey 612.
  • the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey are not associated with any prior tag device 600. More preferably, the replacement check code 614, the replacement authentication code
  • the authentication server 202 updates the record of the authentication database 306 to associate the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey with that tag device 600.
  • the original check code 604, the original authentication code 606, the original authentication passkey 608, the original resynchronization code 610 and the original resynchronization passkey 612 are removed from the authentication database 306.
  • the authentication server 202 Upon successful generation of the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey, the authentication server 202 transmits the original resynchronization passkey 612, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey to the reader module 204.
  • the authentication server 202 transmits a product info associated with the product being authenticated, and the product info is shown to a user via a device comprising the reader module 204 in step 910.
  • the authentication system may have gateway 302 that performs the transmission of the original resynchronization passkey 612, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey to the tag device 600.
  • authentication server 202 may utilize an external transmission system to transmit the original resynchronization passkey 612, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement re synchronization passkey.
  • the transmission of the original resynchronization passkey 612, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey to the tag device 600 may be through wire or wireless communication links 214 such as but not limited to the internet.
  • the reader module 204 provides the tag device 600 with the original resynchronization passkey 612 such that the original resynchronization code 612 is configured to be replaceable after 3DES authentication between tag device 600 and reader module 204 using original resynchronization passkey 612.
  • the reader module overwrites the original check code 604, the original authentication code 606, the original authentication passkey 608, the original resynchronization code 610 and the original resynchronization passkey 612 with the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey.
  • the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey may be a code comprising a different length or may comprise other characteristics associated with the tag device 600.
  • the reader module is arranged to transmit the original resynchronization passkey 612, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey to the tag device 600 and the tag device is arranged to overwrite the original check code 604, the original authentication code 606, the original authentication passkey 608, the original resynchronization code 610 and the original resynchronization passkey 612 with the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey.
  • the system for authentication is suitable for untrusted reader module, which may include malware or software programs for de-compilation.
  • Reader module in this system for authentication may only work as a communication device for reading the codes or passkeys which change once it is read.
  • the reader module can be as common as an NFC reader included in a smartphone or any handheld device, such that the authentication of a tagged product is possible to anyone in anywhere, where expensive tag devices or trusted kiosk is not required.
  • the tag is possible to be re synchronized with the authentication server with a valid resynchronization password provided solely to the owner of the tagged product.
  • the authentication code stored in the tag may not match with the record stored in the authentication database, the owner may resynchronize the tag to reset the codes that match with the authentication database to enable the product to be authentication again.
  • the embodiments described with reference to the Figures can be implemented as an application programming interface (API) or as a series of libraries for use by a developer or can be included within another software application, such as a terminal or personal computer operating system or a portable computing device operating system.
  • program modules include routines, programs, objects, components and data files assisting in the performance of particular functions
  • the functionality of the software application may be distributed across a number of routines, objects or components to achieve the same functionality desired herein.
  • any appropriate computing system architecture may be utilised. This will include stand alone computers, network computers and dedicated hardware devices.
  • the terms "computing system” and “computing device” are used, these terms are intended to cover any appropriate arrangement of computer hardware capable of implementing the function described.
  • database may include any form of organized or unorganized data storage devices implemented in either software, hardware or a combination of both which are able to implement the function described. It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the invention as shown in the specific embodiments without departing from the spirit or scope of the invention as broadly described. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.

Abstract

A system and method for authentication comprising the steps of receiving a verification request for verifying an identifier, an authentication code and an authentication password associated with an authentication subject; verifying the identifier, the authentication code and the authentication password by locating a record associated with the identifier in an authentication database; and whereupon the identifier, the authentication code and the authentication password has been verified, generate a replacement authentication code and a replacement check code for updating the record in the authentication database.

Description

A SYSTEM AND METHOD FOR AUTHENTICATION
TECHNICAL FIELD The present invention relates to a system and method for authentication, and particularly, although not exclusively, to a system and method for authenticating a product or service.
BACKGROUND
Counterfeits, imitations and non authorized products or services continue to cause various problems in today's economy, with imitations and counterfeits occurring in a large range of goods and services ranging from luxury goods to infant formula. This in turn has caused problems ranging from economy loss suffered by intellectual property owners to health scares resultant from counterfeits health products which uses dangerous or hazards ingredients in its manufacture.
Unfortunately, with imitators becoming more sophisticated in copying, imitating or faking a product or service, it would be desirable for consumers, retailers and law enforcement agencies to readily differentiate between an authentic product or service from those which are non- authentic. Attempts have been made by product manufactures to protect their products from being imitated through unique distinguishing features which would allow a consumer, retailer or law enforcement official to identify the authenticity of the product. Some examples of how this has been achieved is by the use of unique packaging such as watermarking or laser printed labels which are more difficult to imitate as the production of these labels require a more sophisticated set of equipment.
However, as the technologies involved in the manufacture of these labels become more widespread and popular, so are the tools which are used to make these unique labels, and thus counterfeiters or imitators can also imitate these unique packing as part of the counterfeit production. This in turn has caused many of these unique labels to become less effective in being able to assist consumers to distinguish the authenticity of the products or services. SUMMARY OF THE INVENTION
In accordance with a first aspect of the present invention, there is provided a method for authentication comprising the steps of: - receiving a verification request for verifying an identifier and a check code associated with an authentication subject;
- verifying the identifier and the check code by locating a record associated with the identifier in an authentication database; and
whereupon the identifier and the check code has been verified, generate a replacement check code for updating the record in the authentication database.
In an embodiment of the first aspect, the method for authentication further comprising the step of updating the record in the authentication database with the replacement check code such that the record associated with the identifier is updated with the replacement check code.
In an embodiment of the first aspect, the record associated with the identifier is updated to be associated with the replacement check code. In accordance with a second aspect of the present invention, there is provided a method for authentication further comprising the step of:
- receiving a verification request for verifying an identifier, an authentication code and an authentication password associated with an authentication subject;
- verifying the identifier, the authentication code and the authentication password by locating a record associated with the identifier in an authentication database; and
whereupon the identifier, the authentication code and the authentication password has been verified, generate a replacement authentication code and a replacement check code for updating the record in the authentication database. In an embodiment of the second aspect, the method for authentication further comprising the step of updating the record in the authentication database with the replacement authentication code and the replacement check code such that the record associated with the identifier is updated with the replacement authentication code and the replacement check code. In an embodiment of the second aspect, the record associated with the identifier is updated to be associated with the replacement authentication code and the replacement check code.
In accordance with a third aspect of the present invention, there is provided a method for authentication comprising the steps of:
- receiving a verification request for verifying an identifier, a re synchronization code and a resynchronization password associated with an authentication subject;
- verifying the identifier, the resynchronization code and the resynchronization password by locating a record associated with the identifier in an authentication database; and whereupon the identifier, the resynchronization code and the resynchronization password has been verified, generate a replacement resynchronization code, a replacement authentication code and a replacement check code for updating the record in the authentication database.
In an embodiment of the third aspect, the method for authentication further comprising the step of updating the record in the authentication database with the replacement resynchronization code, the replacement authentication code and the replacement check code such that the record associated with the identifier is updated with the replacement resynchronization code, the replacement authentication code and the replacement check code.
In an embodiment of the third aspect, the record associated with the identifier is updated to be associated with the replacement resynchronization code, the replacement authentication code and the replacement check code.
In an embodiment of the second aspect or the third aspect, the authentication password and/or the resynchronization password is manually input by a user.
In an embodiment of the second aspect or the third aspect, the verification request is received from a reader module arranged to communicate the identifier, the check code, the authentication code and/or the resynchronization code from the associated authentication subject.
In an embodiment of the second aspect or the third aspect, the identifier, the check code, the authentication code and/or the resynchronization code are stored on one or more tag devices arranged to tag the authentication subject.
In an embodiment of the second aspect or the third aspect, the method for authentication further comprising the step of updating the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code.
In an embodiment of the second aspect or the third aspect, the step of updating the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code includes transmitting the replacement check code, the replacement authentication code and/or the replacement resynchronization code to the reader module. In an embodiment of the second aspect or the third aspect, the reader module is arranged to update the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code.
In an embodiment of the second aspect or the third aspect, the authentication code and the resynchronization code stored on the one or more tag devices are arranged to be replaceable only if a respective authentication passkey or a resynchronization passkey is provided in the update process.
In an embodiment of the second aspect or the third aspect, the authentication passkey and/or the resynchronization passkey are stored on the one or more tag devices.
In an embodiment of the second aspect or the third aspect, the authentication passkey and/or the resynchronization passkey are non-readable by the reader module.
In an embodiment of the second aspect or the third aspect, the method for authentication further comprising the step of generating a replacement resynchronization passkey and/or a replacement authentication passkey for updating the record in the authentication database.
In an embodiment of the second aspect or the third aspect, the method for authentication further comprising the step of updating the record in the authentication database with the replacement resynchronization passkey and/or the replacement authentication passkey such that the record associated with the identifier is updated with the replacement resynchronization passkey and/or the replacement authentication passkey.
In an embodiment of the second aspect or the third aspect, the record associated with the identifier is updated to be associated with the replacement resynchronization passkey and/or the replacement authentication passkey.
In an embodiment of the second aspect or the third aspect, the method for authentication further comprising the step of updating the resynchronization passkey and/or the authentication passkey stored on the one or more tag devices with the replacement resynchronization passkey and/or the replacement authentication passkey.
In an embodiment of the first, the second or the third aspect, the step of generating the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey for updating the record associate with the identifier includes the step of processing the check code, the authentication code, the authentication passkey, the resynchronization code and/or the resynchronization passkey with a security code module to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey.
In an embodiment of the first, the second or the third aspect, the method for authentication further comprising the step of transmitting a verified signal when the identifier is verified.
In an embodiment of the first, the second or the third aspect, the tag device includes a near field communication (NFC) arrangement. In an embodiment of the first, the second or the third aspect, the identifier, the check code, the authentication code, the authentication passkey, the resynchronization code, the resynchronization passkey, the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey is encrypted.
In an embodiment of the first, the second or the third aspect, the authentication subject is a product.
In an embodiment of the first, the second or the third aspect, the identifier, the check code, the authentication code, the authentication passkey, the resynchronization code and/or the resynchronization passkey, is an alphanumeric string.
In an embodiment of the first, the second or the third aspect, the alphanumeric string is of a random length.
In an embodiment of the first, the second or the third aspect, the security code module is arranged to use using a predetermined code generating algorithm to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey.
In an embodiment of the first, the second or the third aspect, the code generating algorithm is arranged to generate random alphanumeric strings. In an embodiment of the first, the second or the third aspect, the reader module is a handheld device.
In an embodiment of the first, the second or the third aspect, the handheld device is a smartphone, a media device or a tablet PC.
In accordance with a fourth aspect of the present invention, there is provided a system for authentication comprising:
- a gateway arranged to receive a verification request for verifying an identifier and a check code associated with an authentication subject;
- a verification module arranged to verify the identifier and the check code by locating a record associated with the identifier in an authentication database; and
whereupon the identifier and the check code has been verified, generate a replacement check code for updating the record in the authentication database.
In an embodiment of the fourth aspect, the system for authentication further comprising a routine to update the record in the authentication database with the replacement check code such that the record associated with the identifier is updated with the replacement check code. In an embodiment of the fourth aspect, the record associated with the identifier is updated to be associated with the replacement check code.
In accordance with a fifth aspect of the present invention, there is provided a system for authentication comprising:
- a gateway arranged to receive a verification request for verifying an identifier, an authentication code and an authentication password associated with an authentication subject;
- a verification module arranged to verify the identifier, the authentication code and the authentication password by locating a record associated with the identifier in an authentication database; and
whereupon the identifier, the authentication code and the authentication password has been verified, generate a replacement authentication code and a replacement check code for updating the record in the authentication database.
In an embodiment of the fifth aspect, the system for authentication further comprising a routine to update the record in the authentication database with the replacement authentication code and the replacement check code such that the record associated with the identifier is updated with the replacement authentication code and the replacement check code. In an embodiment of the fifth aspect, the record associated with the identifier is updated to be associated with the replacement authentication code and the replacement check code.
In accordance with a sixth aspect of the present invention, there is provided a system for authentication comprising:
- a gateway arranged to receive a verification request for verifying an identifier, a resynchronization code and a resynchronization password associated with an authentication subject;
- a verification module arranged to verify the identifier, the resynchronization code and the resynchronization password by locating a record associated with the identifier in an authentication database; and
whereupon the identifier, the resynchronization code and the resynchronization password has been verified, generate a replacement resynchronization code, a replacement authentication code and a replacement check code for updating the record in the authentication database.
In an embodiment of the sixth aspect, the system for authentication further comprising a routine to update the record in the authentication database with the replacement resynchronization code, the replacement authentication code and the replacement check code such that the record associated with the identifier is updated with the replacement resynchronization code, the replacement authentication code and the replacement check code.
In an embodiment of the sixth aspect, the system for authentication in accordance with claim 41, wherein the record associated with the identifier is updated to be associated with the replacement resynchronization code, the replacement authentication code and the replacement check code.
In an embodiment of the fifth or the sixth aspect, the authentication password and/or the resynchronization password is manually input by a user. In an embodiment of the fifth or the sixth aspect, the verification request is received from a reader module arranged to communicate the identifier, the check code, the authentication code and/or the resynchronization code from the associated authentication subject. In an embodiment of the fifth or the sixth aspect, the identifier, the check code, the authentication code and/or the resynchronization code are stored on one or more tag devices arranged to tag the authentication subject. In an embodiment of the fifth or the sixth aspect, the system for authentication further comprising a routine to update the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code.
In an embodiment of the fifth or the sixth aspect, the routine to update the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code includes transmitting the replacement check code, the replacement authentication code and/or the replacement resynchronization code to the reader module.
In an embodiment of the fifth or the sixth aspect, the reader module is arranged to update the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code.
In an embodiment of the fifth or the sixth aspect, the authentication code and the resynchronization code stored on the one or more tag devices are arranged to be replaceable only if a respective authentication passkey or a resynchronization passkey is provided in the update process.
In an embodiment of the fifth or the sixth aspect, the authentication passkey and/or the resynchronization passkey are stored on the one or more tag devices. In an embodiment of the fifth or the sixth aspect, the authentication passkey and/or the resynchronization passkey are non-readable by the reader module.
In an embodiment of the fifth or the sixth aspect, the system for authentication further comprising a routine to generate a replacement resynchronization passkey and/or a replacement authentication passkey for updating the record in the authentication database.
In an embodiment of the fifth or the sixth aspect, the system for authentication further comprising a routine to update the record in the authentication database with the replacement resynchronization passkey and/or the replacement authentication passkey such that the record associated with the identifier is updated with the replacement resynchronization passkey and/or the replacement authentication passkey.
In an embodiment of the fifth or the sixth aspect, the record associated with the identifier is updated to be associated with the replacement resynchronization passkey and/or the replacement authentication passkey.
55. A system for authentication in accordance with any one of claims 52 to 54, further comprising a routine to update the resynchronization passkey and/or the authentication passkey stored on the one or more tag devices with the replacement resynchronization passkey and/or the replacement authentication passkey.
In an embodiment of the fifth or the sixth aspect, the routine to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey for updating the record associate with the identifier includes a routine to process the check code, the authentication code, the authentication passkey, the resynchronization code and/or the resynchronization passkey with a security code module to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey.
In an embodiment of the fourth, the fifth or the sixth aspect, the system for authentication further comprising a routine to transmit a verified signal when the identifier is verified.
In an embodiment of the fourth, the fifth or the sixth aspect, the tag device includes a near field communication (NFC) arrangement.
In an embodiment of the fourth, the fifth or the sixth aspect, the identifier, the check code, the authentication code, the authentication passkey, the resynchronization code, the resynchronization passkey, the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey is encrypted.
In an embodiment of the fourth, the fifth or the sixth aspect, the authentication subject is a product.
In an embodiment of the fourth, the fifth or the sixth aspect, the identifier, the check code, the authentication code, the authentication passkey, the resynchronization code and/or the resynchronization passkey, is an alphanumeric string.
In an embodiment of the fourth, the fifth or the sixth aspect, the alphanumeric string is of a random length.
In an embodiment of the fourth, the fifth or the sixth aspect, the security code module is arranged to use a predetermined code generating algorithm to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey.
In an embodiment of the fourth, the fifth or the sixth aspect, the code generating algorithm is arranged to generate random alphanumeric strings.
In an embodiment of the fourth, the fifth or the sixth aspect, the reader module is a handheld device.
In an embodiment of the fourth, the fifth or the sixth aspect, the handheld device is a smartphone, a media device or a tablet PC.
In accordance with a seventh aspect of the present invention, there is provided a tag for authenticating a product comprising
- a storage module arranged to store an identifier, a check code, a authentication code and/or a resynchronization code associated with the product, wherein when the identifier, the check code, the authentication code and/or the resynchronization code is read by a communication interface, the check code, the authentication code and/or the resynchronization code is updated with a replacement check code, a replacement authentication code and/or a replacement resynchronization code.
In an embodiment of the seventh aspect, the storage module is arranged to receive the replacement check code, the replacement authentication code and the replacement resynchronization code from the communication interface to update the check code, the authentication code and the resynchronization code stored in the storage module.
In an embodiment of the seventh aspect, the storage module is further arranged to store an authentication passkey and a resynchronization passkey associated with the product; and wherein the authentication code and the resynchronization code are arranged to be replaceable only if a respective authentication passkey or a resynchronization passkey is provided in the update process.
In an embodiment of the seventh aspect, the authentication passkey and/or the resynchronization passkey are non-readable by a reader module. In accordance with a eighth aspect of the present invention, there is provided a method for authenticating a product comprising the steps of:
- engaging a tag in accordance with an embodiment of the seventh aspect;
- reading the tag to obtain an identifier, and any one of a check code, a authentication code or a resynchronization code; and
- transmitting the identifier, and any one of the check code, the authentication code or the resynchronization code to an embodiment of the fourth, the fifth or the sixth aspect.
BRIEF DESCRIPTION OF THE DRAWINGS
Embodiments of the present invention will now be described, by way of example, with reference to the accompanying drawings in which:
Figure 1 is a schematic diagram of a computing server for operation as a system for authentication in accordance with one embodiment of the present invention;
Figure 2 is a schematic diagram of an embodiment of the system for authentication in accordance with one embodiment of the present invention; Figure 3 is a block diagram of an embodiment of an authentication server of Figure 1 ;
Figure 4 is a block diagram of an embodiment of a tag for authenticating a product as shown in Figure 2; Figure 5 is a flow diagram of an example of the operation of the system for authentication;
Figure 6 is a block diagram of a tag for authenticating a product for authentication in accordance with one embodiment of the present invention;
Figure 7A is a flow diagram of an example of the operation in accordance with one embodiment of the present invention;
Figure 7B is a block diagram of an embodiment of a tag for authenticating a product as shown in Figure 6 operating according to an embodiment of an operation as shown in Figure 7A; Figure 8A is a flow diagram of an example of the operation in accordance with one embodiment of the present invention;
Figure 8B is a block diagram of an embodiment of a tag for authenticating a product as shown in Figure 6 operating according to an embodiment of an operation as shown in Figure 8A;
Figure 9A is a flow diagram of an example of the operation in accordance with one embodiment of the present invention; and
Figure 9B is a block diagram of an embodiment of a tag for authenticating a product as shown in Figure 6 operating according to an embodiment of an operation as shown in Figure 9 A. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
With reference to Figure 1, an embodiment of the present invention is illustrated. This embodiment is arranged to provide a system for authentication, comprising:
- a gateway arranged to receive a verification request for verifying an identifier associated with an authentication subject;
- a verification module arranged to verify the identifier by locating a record associated with the identifier in an authentication database, and whereupon the identifier has been verified, using an identifier generator to generate a replacement identifier for updating the record in the authentication database.
Preferably, in one example, the verification request is arranged to be received from a reader module arranged to communicate the identifier from the associated authentication subject having a tag arranged to store the identifier and the identifier is stored in the tag is updated with the replacement identifier upon verification of the identifier.
In this embodiment, the gateway, verification module and the identifier generator are implemented by or for operation on a computer having an appropriate user interface. The computer may be implemented by any computing architecture, including stand-alone PC, client/server architecture, "dumb" terminal/mainframe architecture, or any other appropriate architecture. The computing device is appropriately programmed to implement the invention.
Referring to Figure 1, there is a shown a schematic diagram of a computer or a computing server 100 which in this embodiment comprises a server 100 arranged to operate, at least in part if not entirely, the system for authentication in accordance with one embodiment of the invention. The server 100 comprises suitable components necessary to receive, store and execute appropriate computer instructions. The components may include a processing unit 102, read-only memory (ROM) 104, random access memory (RAM) 106, and input/output devices such as disk drives 108, input devices 110 such as an Ethernet port, a USB port, etc. Display 112 such as a liquid crystal display, a light emitting display or any other suitable display and communications links 114. The server 100 includes instructions that may be included in ROM 104, RAM 106 or disk drives 108 and may be executed by the processing unit 102. There may be provided a plurality of communication links 114 which may variously connect to one or more computing devices such as a server, personal computers, terminals, wireless or handheld computing devices. At least one of a plurality of communications link may be connected to an external computing network through a telephone line or other type of communications link. The server may include storage devices such as a disk drive 108 which may encompass solid state drives, hard disk drives, optical drives or magnetic tape drives. The server 100 may use a single disk drive or multiple disk drives. The server 100 may also have a suitable operating system 116 which resides on the disk drive or in the ROM of the server 100.
The system has a database 120 residing on a disk or other storage device which is arranged to store at least one record 122. The database 120 is in communication with the server 100 with an interface, which is implemented by computer software residing on the server 100. Alternatively, the database 120 may also be implemented as a stand-alone database system in communication with the server 100 via an external computing network, or other types of communication links.
With reference to Figure 2, there is shown an embodiment of the system for authentication 200. In this embodiment, the server 100 is used as part of an authentication system 200 as an authentication server 202 arranged to communicate with a reader module 204 arranged to read and/or write to a tag associated with an authentication subject 208, such as a product or service which is required to be authenticated. In this example, the authentication server 202 is arranged to process a verification request of an identifier stored in a tag. The server 202 is arranged to communicate with the reader module 204 such that once the reader module 204 reads the identifier stored in a tag, the identifier is transmitted to the server 202 for verification. In this example, the reader module 204 may be in the form of a scanner, a reader, smart phone or a user operated kiosk 206 arranged to communicate with the server 202 and to read an identifier from an authentication subject 208 which may be a goods item or authentication certificate of a service. Preferably, the authentication subject 208, such as a goods item, may include a tag device 210 associated with the authentication subject 208 which is arranged to tag the authentication subject 208. This tag device 210 is in turn readable by the reader module 204 for authentication. The communication link between the reader module 204 and the server may be an internet connection 212 or a computer network which is operated on a telephone line or other types of communication links.
Preferably, the communication links, including the communication link between the authentication server 202 and the reader module 204, the communication link 214 between the reader module 204 and the authentication subject 208, and the internet connections 212, are encrypted with AES encryption, or other encryption methods, such as SSL or SSH, as appreciated by a person skilled in the art. This is advantageous in that the data transmitted between each device, module or gateway is secured to avoid hacking or reverse-engineering of the authentication system.
The identity of the reader module 204, such as the scanner or kiosk 206 may be further protected by one or more security schemes. In one example, an E-token can be used for a kiosk identity, wherein the E-token may be initialized with a kiosk private certificate stored in a protected memory space in the kiosk 206 in which the protected memory can only be reference by an on-chip unit; a platform public key which is provided by the authentication system; and a unique kiosk identity (ID) string such as a alpha-numeric string with 32 bytes. The kiosk 206 may also require a user logon before it can access the authentication server 202 for data enquiry to reduce the risk of unauthorized access. When the kiosk 206 or the reader module 204 logon to the authentication server 202, the kiosk 206 or reader module 204 sends the required E-token information to the authentication server 202. Once the logon is successful, the authentication server 202 may generate and provide a random (of say 32 bytes) key to the kiosk 206 which can be used for consequent requests and for data encryption for every communication between the kiosk 206, scanner or other forms of reader module 204 and the server 202. Examples of such keys may include the generation and usage of a session key to encrypt and identify a particular communication session, whilst an encryption key may be generated and used to encrypt any data transmitted between the different components.
In this example, the tag device 210 associated with each authentication subject 208 may also be protected by a security scheme. In one example, at least one password must be correctly entered before the tag is enabled for reading and writing data to the tag. Unauthorized kiosk or reader module can also be barred from reading, writing, or modifying data such as an identifier stored in the tag without an access password. Additionally, some information in the tag can be locked with a different passwords provided by a manufacturer. Preferably, the authentication server 202 is arranged to support item level password control.
Preferably, the tag device 210 also includes an anti-tamper arrangement arranged such that the tag cannot be removed from an authentication subject 208 without physical damage to the tag device 210 or the associated authentication subject 208. This anti-tampering arrangement may for example be arranged such that upon tampering, the tag will no longer function and cannot be read or written to by a reader module 204, although in some embodiments, the tag may have additional routine which would allow an authorized reader module 204 to instruct the tag to enter a "tamper" mode which would allow the tag to be removed or otherwise disassociate itself from a product or authentication subject 208 and thus preventing the tag from being destroyed. This in turn allows the secured reusability of the tag.
Referring to Figure 3, there is shown a block diagram of an embodiment of an authentication server 202 used as a system for authentication. In this embodiment, the authentication server 202 includes a gateway 302, a verification module 304, an authentication database 306 and an identifier generator 308, which may be implemented as individual or shared components by hardware or software on or in connection with a computer system to act or provided the functionality necessary for the server 100 to operate as a system for authentication.
In this example, the gateway 302 module is arranged to communicate with a reader module 204 to obtain an identifier associated with an authentication subject 208, such as a product. As the authentication subject 208 has an associated tag device 210, the tag device 210 is firstly read by a reader module 204 to retrieve an identifier stored in the tag.
Once the identifier is read from the tag, the reader module 204 transmits the identifier to the authentication server 202 by sending a verification request. This verification request includes the identifier read from the tag and is, in turn, sent to the gateway 302 of the authentication server 202. In a non-limiting example, the identifier may be randomly composed, algorithm/mathematically composed or any combination thereof, an alphanumeric string of a predetermined length, calculated random length or it may be a barcode, QR code or other forms of computer readable code or identifier. The gateway 302, once successfully reads the identifier, then passes the received identifier to the verification module 304 for verification. The verification module 304 may then proceed to verify the received identifier by locating a record associated with the identifier in the authentication database 306. Preferably, the authentication database 306 stores a plurality of records associated with respective identifiers which would indicate that the identifier is valid. This authentication database 306 can be securely controlled by the manufacturer, retailer, law enforcement agency or another authorized persons or stake holders which may be entrusted to verify the authenticity of an authentication subject 208 and may be populated with records of identifiers which are representative of valid products or services. The records within the authentication database 306 may include the identifier or in some examples, associated product or service information such as make, model, colour, shipping history or other attributes or information for distribution to an authorized party so as to increase the security and usability of the authentication process.
In this example, if the verification module 304 locates a matching record in the authentication database 306, the identifier is successfully verified, and thus the associated authenticated subject is deemed to be authentic and an authentication message or alert may be sent to a user notifying the user of the authenticity of the authentication subject 208. Subsequent to the successful verification, the authentication server 202 uses an identifier generator 308 to generate a replacement identifier, which may be an alpha-numeric string which is different from the identifier which has just been verified. The identifier generator 308 may then write the replacement identifier to the authentication database 306 by updating the record in the authentication database 306 such that the replacement identifier is stored in the authentication database 306 to replace the identifier which has just been verified. As a result of this action, the identifier which has just been read and verified cannot be verified in the future as the next verification process of this authentication subject 208 will require a reading of the replacement identifier which has just been generated and stored in the authentication database 306, although for record keeping and logging purposes, the old identifier which is being replaced may, in another embodiment, continue to be stored in the record on the authentication database 306 but as an old record which can be used for logging purposes, but not subsequent authentication. In these other embodiments, the rules of authentication may be suitable adjusted so that an old identifier, up to a certain number of subsequent replacement identifiers, can still be considered valid for authentication. This may be advantageous in authentication of products where communication links are intermittent or unreliable.
Once the replacement identifier is stored in the authentication database 306, the replacement identifier is also sent to the gateway 302 such that it may be transmitted to the reader module 204 for updating the tag associated with the authentication subject 208. This allows the tag to be updated with the replacement identifier and thus allowing the product associated with the tag to be verified again in the future as a subsequent reading of the tag by the reader module 204 will read the replacement identifier which is now stored in the authentication database 306 for this particular authentication subject 208.
In this example, the identifier generator 308 may include a security code module 310 arrange to generate the replacement identifier. When the identifier generator 308 sends a request to the security code module 310 for a replacement identifier, the security code module 310 generates a replacement identifier and returns the replacement identifier to the identifier generator 308. In a non-limiting example, the security code module 310 is arranged to generate a secure code in variable length (e.g. 4 bytes to 20 bytes or any other size), the generated code may be a random alpha-numeric string and is one-time and unique in that it is different from any previously verified code. Other forms of replacement identifier generation algorithm may be employed to generate a replacement identifier in the security code module 310 as appreciated by a person skilled in the art.
In some embodiments, the authentication server 202 may further include an error module 312 arranged to handle an unsuccessful verification processed by the verification module 304. In one example, the error module 312 may update a record in a database indicating the number of unsuccessful verification handled by a certain reader module 204. This provides an advantage in that the error module may also provide an error message to the gateway 302 which may be further transmitted to the associated kiosk 206, reader, scanner or other reader module 204 for displaying the error message. Referring to Figure 4, there is shown a block diagram of a tag for authenticating a product comprising a storage module arranged to store an identifier associated with the product, wherein when the identifier is accessed by a communication interface, the identifier is updated with a replacement identifier. In this embodiment, the tag device 210 comprises a storage module 402, which may include a re- writable non- volatile memory for storing an identifier. The tag device 210 may also include other memory device including one-time-programmable memory and volatile memory for storing the identifier and information other than the identifier. When the tag device 210 is read by a reader module 204, a communication link 214 between the tag device 210 and the reader module 204 is established. The communication interface 404 retrieves the identifier stored in the memory module 402. In one non-limiting example, the identifier is an alpha-numeric string. The communication interface 404 then transmits the identifier to the reader module 204 which is further verified by the authentication server 202. Upon successful verification, the authentication server 202 transmits a replacement identifier to the reader module 204, and the reader module 204 transmits the replacement identifier to the communication interface 404. The replacement identifier is subsequently updated in the memory module 402 of the tag device 210.
In an alternative embodiment, the tag device 210 may further include a security code module 406 arranged to generate a replacement identifier upon successful verification. The replacement identifier is subsequently updated in the memory module 402 of the tag device 210, and may also be transmitted to the authentication server 202 for updating the associated record in the authentication database 306. In this alternative embodiment, as the tag device 210 has its own security code module 406, the replacement identifier may be generated by the tag 210 and sent back to the server 100 for updating, or alternatively, both the server 100 and the tag 210 can generate the replacement identifier, but both security code modules must be operating with the same generation method or algorithm such that the replacement identifier generated by the tag 210 and the replacement identifier generated by the server 100 must be identical. These alternative embodiments are advantageous in that the replacement identifier does not need to be transmitted from the server 100 to reader module 204 or kiosk 206 and thus reducing the risk of interception or unauthorized access or corruption of the replacement identifier during transmission.
In one example, the tag device 210 is implemented with a passive RFID arrangement arranged to communicate with an RFID reader. In this example, the RFID tag includes rewritable non-volatile memory for storage of an alpha-numeric string as an identifier. The RFID tag may be embedded in an authentication subject 208 during the manufacturing of the authentication subject 208. Alternative the RFID may be embedded in to a block of material such as plastic or epoxy, to prevent easy hacking or reverse-engineering of the tag. Additionally the tag may be arranged to be non-removable without physical damage to the tag or the authentication subject 208 to ensure a lifetime unique identification for each respective authentication subject 208, wherein a damaged tag is arranged to be rendered not readable by any reader.
These example embodiments are advantageous in that a product can be authenticated whilst ensuring an identifier used for the authentication cannot be imitated by a counterfeiter. As the identifier is arranged to change on each read operation, the identifier, even if captured by a counterfeiter or some other unauthorized party, cannot be used to falsely authenticate an imitation product or service. In a retail setting, for example, infant formula tins or other products can be attached with a tamper proof tag device 210 which can be checked by a retailer or consumer. Upon the identifier having been read, the identifier can be verified for authenticity, whilst the retailer and consumer can be assured that the identifier that has been read cannot be a copy as it is subject to authorized changes on each read operation, thus allowing assurance as to the authenticity of the product since the authentication of the product is a continuing process and not a single point of authentication which could be have been imitated by an counterfeiter.
An example of the operation of the system for authentication will be described with reference to the process as outlined in Figure 5.
Firstly, an identifier of a tag device 210 associated with a product for authentication, such as a luxury item, food item or any other product or service is read by a reader module 204, such as a scanner, reader or kiosk 206 operated by a user. In one embodiment, the identifier may be a code of variable length or may comprise other characteristics associated with the tag device 210. In a preferred embodiment, the tag device 210 may be an anti-tamper RFID tag. In some other embodiments, the tag device 210 is arranged to be read by an authorized reader module 204 which may be in the form of a hand held scan gun, a PDA, a smartphone embedded with Near Field Communication (NFC) technology or a kiosk 206 with a RFID reader or any other reading means.
Starting with step 502, upon reading the identifier by the reader module 204, the identifier is sent from the reader to a gateway 302 of an authentication system which includes an authentication server 202 to perform the authentication. In some embodiments, the authentication server 202 may be an information handling system such as a computer, a PDA, a mobile device, etc. Also, the transfer of the identifier to the authentication system may be through wired or wireless communication links including but not limited to the internet or a kiosk. In one embodiment, the authentication system and the reading means may be a single unit. Once the identifier is received at the authentication system, in step 504, the authentication server 202 verifies the identifier by locating a record associated with the identifier in an authentication database 306 of the authentication server 202. In one embodiment, the authentication server 202 matches the incoming identifier with the data in the database to perform authentication. In some other embodiments, the authentication server 202 matches the information associated with the incoming identifier with the data in the database to perform authentication. In some examples, the authentication database 306 may be part of the authentication server 202 (i.e. the same unit). In some other examples, the authentication database 306 may be external of the authentication server 202. Upon successful verification of the identifier, in step 506, the authentication server 202 checks for outstanding operations related to the identifier. In one embodiment, the outstanding operations may include any one of the authentication procedures in Figure 5. When an outstanding operations related to that identifier is located, these operations will be resumed in step 508.
However, if the verification of the identifier is unsuccessful, the authentication system will record that particular identifier and the authentication process will be terminated in step 516.
Once it is determined that the identifier is valid and there are no outstanding operations, in step 510, an identifier generator 308 in the authentication server 202 generates a replacement identifier. In one embodiment, the identifier generator 308 may be part of the authentication server 202 (i.e. the same unit). In some other examples, the identifier generator 308 may be external of the authentication server 202. In one example, the replacement identifier may be a code of variable length that is different to the original identifier. Preferably, the replacement identifier is not associated with any prior tag devices 210. More preferably, the replacement identifier is not located in the authentication database 306 prior to generating by the identifier generator 308. In an event where error or failure occurs during generation of the replacement identifier, the authentication system records the event and terminates the authentication process in step 516.
Upon successful generation of the replacement identifier, in step 512, the authentication server 202 transmits and writes the replacement identifier to the tag device 210. In one embodiment, the authentication system may have a gateway 302 that performs the transmission of the replacement identifier to the tag device 210. In another embodiment, authentication server 202 may utilize an external transmission system to transmit the replacement identifier. In some embodiments, the transmission of the replacement identifier to the tag device 210 may be through wire or wireless communication links such as but not limited to the internet or a kiosk. Once the replacement identifier is received at the tag device 210, the tag device 210 overwrites the original identifier with the replacement identifier. In some embodiments as mentioned, the replacement identifier may be a code comprising a different length or may comprise other characteristics associated with the tag device 210. In an event where error or failure occurs during transmission and writing of the replacement identifier, the authentication server 202 records the event and terminates the authentication process. Upon successfully completing the writing of the replacement identifier to the tag device 210, in step 514, the authentication server 202 updates the record of the authentication database 306 to associate the replacement identifier with that tag device 210. In some embodiments, the original identifier is removed from the authentication database 306. In an event where error or failure occurs during the update of the authentication database 306, the authentication server 202 records the event and terminates the authentication process in step 516.
Once the authentication database 306 is successfully updated, the authentication process completes and terminates.
With reference to Figure 6, there is shown a tag 600 for authenticating a product comprising a storage module 602 arranged to store an identifier, a check code 604, a authentication code 606 and/or a resynchronization code 610 associated with the product, wherein when the identifier, the check code 604, the authentication code 606 and/or the resynchronization code 610 is read by a communication interface, the check code 604, the authentication code 606 and/or the resynchronization code 610 is updated with a replacement check code 614, a replacement authentication code and/or a replacement resynchronization code.
Preferably, the storage module 602 is arranged to receive the replacement check code 614, the replacement authentication code and the replacement resynchronization code from the communication interface to update the check code 604, the authentication code 606 and the resynchronization code 610 stored in the storage module 602.
Preferably, the storage module 602 is further arranged to store an authentication passkey 608 and a resynchronization passkey 612 associated with the product; and wherein the authentication code 606 and the resynchronization code 610 are arranged to be replaceable only if a respective authentication passkey 608 or a resynchronization passkey 612 is provided in the update process. In other words, the authentication code 606 and the resynchronization code 610 are write-protected by the authentication passkey 608 and the resynchronization passkey 612 respectively. Alternatively, the authentication passkey 608 and/or the resynchronization code 612 are stored in a storage module other than the storage module 602.
Preferably, the authentication passkey and/or the resynchronization passkey are non- readable by a reader module. Alternatively, the passkeys are readable by a reader module other than the reader module arranged to read the identifier, the check code 604, the authentication code 606 and/or the re synchronization code 610.
Preferably, the tag 600 is arranged to be read by an authorized or an unauthorized reader module 204 which may be in the form of a hand held scan gun, a PDA, a smartphone embedded with Near Field Communication (NFC) technology or RFID reader or any other reading means.
An example of three operations of a system for authentication and the tag 600 will be described with reference to the process as outlined in Figure 7A, 7B, 8A, 8B, 9A and 9B.
Firstly, an identifier of a tag device 600 associated with a product for authentication, such as a luxury item, food item or any other product or service is read by a reader module 204, such as a scanner, reader or kiosk 206 operated by a user.
With reference to Figure 7 A and 7B, there is shown a system for authentication comprising:
- a gateway arranged to receive a verification request for verifying an identifier and a check code associated with an authentication subject;
- a verification module arranged to verify the identifier and the check code by locating a record associated with the identifier in an authentication database; and
whereupon the identifier and the check code has been verified, generate a replacement check code for updating the record in the authentication database. Referring to Figure 7A, in the system for authentication working in a quick check mode
700, starting with step 702, upon reading an identifier and a check code 604 stored in the tag device 600 by the reader module 204, the identifier and the check code 604 are sent from the reader to a gateway 302 of an authentication system which includes an authentication server 202 to perform the authentication in step 704. In some embodiments, the authentication server 202 may be an information handling system such as a computer, a PDA, a mobile device, etc. Also, the transfer of the identifier and the check code 604 to the authentication system may be through wired or wireless communication links 214 including but not limited to the internet.
Once the identifier and the check code are received at the authentication system, the authentication server 202 verifies the identifier and the check code 604 by locating a record associated with the identifier in an authentication database 306 of the authentication server 202. In one embodiment, the authentication server 202 matches the incoming identifier and the check code 604 with the data in the database to perform authentication. In some other embodiments, the authentication server 202 matches the information associated with the incoming identifier and the check code 604 with the data in the database to perform authentication. In some examples, the authentication database 306 may be part of the authentication server 202 (i.e. the same unit). In some other examples, the authentication database 306 may be external of the authentication server 202.
If the verification of the identifier and/or the check code 604 is unsuccessful, the authentication system will record that particular identifier and the authentication process will be terminated. Alternatively, an error message will be transmitted to the reader indicating that the verification is unsuccessful.
Once it is determined that the identifier and the check code 604 are valid, in step 706, the authentication server 202 generates a replacement check code 614. In one example, the replacement check code 614 may be a code of variable length that is different to the original check code. Preferably, the replacement check code 614 is not associated with any prior tag device 600. More preferably, the replacement check code 614 is not located in the authentication database 306 previously. The authentication server 202 updates the record of the authentication database 306 to associate the replacement check code 614 with that tag device 600. In some embodiments, the original check code 604 is removed from the authentication database 306.
Upon successful generation of the replacement check code 614, the authentication server 202 transmits the replacement check code 614 to the reader module 204. Optionally, the authentication server 202 transmits a product info associated with the product being authenticated, and the product info is shown to a user via a device comprising the reader module 214 in step 710. In one embodiment, the authentication system may have gateway 302 that performs the transmission of the replacement check code 614 to the tag device 600. In another embodiment, authentication server 202 may utilize an external transmission system to transmit the replacement check code 614. In some embodiments, the transmission of the replacement check code 614 to the tag device 600 may be through wire or wireless communication links 214 such as but not limited to the internet.
With reference to Figure 7B, once the replacement check code 614 is received at the reader module 204, the reader module 204 overwrites the original check code 604 with the replacement check code 614. In some embodiments as mentioned, the replacement check code 614 may be a code comprising a different length or may comprise other characteristics associated with the tag device 600. In some embodiments, the reader module is arranged to transmit the replacement code to the tag device 600 and the tag device is arranged to overwrite the original check code 604 with the replacement check code 614.
With reference to Figure 8 A and 8B, there is shown a system for authentication comprising:
- a gateway arranged to receive a verification request for verifying an identifier, an authentication code and an authentication password associated with an authentication subject;
- a verification module arranged to verify the identifier, the authentication code and the authentication password by locating a record associated with the identifier in an authentication database; and
whereupon the identifier, the authentication code and the authentication password has been verified, generate a replacement authentication code and a replacement check code for updating the record in the authentication database. Referring to Figure 8A, in the system for authentication working in a product authentication mode 800, starting with step 802, upon reading an identifier and an authentication code 606 stored in the tag device 600 by the reader module 204, and a user is requested to provide an authentication password 618 to the system for authentication 800. Preferably, the authentication password is manually input to the reader module 204. In an example embodiment, the password may be printed on a sales receipt upon the completion of a successful transaction in an authorized shop. In an alternative embodiment, the password may be displayed to the customer prior to the successful completion of the transaction. The identifier, the authentication code 606 and the authentication password 618 are sent from the reader to a gateway 302 of an authentication system which includes an authentication server 202 to perform the authentication in step 804. In some embodiments, the authentication server 202 may be an information handling system such as a computer, a PDA, a mobile device, etc. Also, the transfer of the identifier and the check code 604 to the authentication system may be through wired or wireless communication links 214 including but not limited to the internet. Once the identifier, the authentication code 606 and the authentication password 618 are received at the authentication system, the authentication server 202 verifies the identifier, the authentication code 606 and the authentication password 618 by locating a record associated with the identifier in an authentication database 306 of the authentication server 202. In one embodiment, the authentication server 202 matches the incoming identifier, the authentication code 606 and the authentication password 618 with the data in the database to perform authentication. In some other embodiments, the authentication server 202 matches the information associated with the incoming identifier, the authentication code 606 and the authentication password 618 with the data in the database to perform authentication. In some examples, the authentication database 306 may be part of the authentication server 202 (i.e. the same unit). In some other examples, the authentication database 306 may be external of the authentication server 202. If the verification of the identifier, the authentication code 606 and/or the authentication password 618 is unsuccessful, the authentication system will record that particular identifier and the authentication process will be terminated. Alternatively, an error message will be transmitted to the reader indicating that the verification is unsuccessful.
Once it is determined that the identifier, the authentication code 606 and the authentication password 618 are valid, in step 806, the authentication server 202 retrieves an authentication passkey 608 from authentication database 306, and generates a replacement check code 614, a replacement authentication code 616 and a replacement authentication passkey. In one example, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey may be a code of variable length that is different to the original check code 604, the original authentication code 606 and the original authentication passkey 608. Preferably, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey are not associated with any prior tag device 600. More preferably, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey are not located in the authentication database 306 previously. The authentication server 202 updates the record of the authentication database 306 to associate the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey with that tag device 600. In some embodiments, the original check code 604, the original authentication code 606 and the original authentication passkey 608 are removed from the authentication database 306.
Upon successful generation of the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey, the authentication server 202 transmits the original authentication passkey 608, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey to the reader module 204. Optionally, the authentication server 202 transmits a product info associated with the product being authenticated, and the product info is shown to a user via a device comprising the reader module 204 in step 810. In one embodiment, the authentication system may have gateway 302 that performs the transmission of the original authentication passkey 608, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey to the tag device 600. In another embodiment, authentication server 202 may utilize an external transmission system to transmit the original authentication passkey 608, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey. In some embodiments, the transmission of the original authentication passkey 608, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey to the tag device 600 may be through wire or wireless communication links 214 such as but not limited to the internet.
With reference to Figure 8B, once the original authentication passkey 608, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey are received at the reader module 204, the reader module 204 provides the tag device 600 with the original authentication passkey 608 such that the original authentication code 608 is configured to be replaceable after 3DES authentication between tag device 600 and reader module 204 using original authentication passkey 608. The reader module overwrites the original check code 604, the original authentication code 606 and the original authentication passkey 608 with the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey. In some embodiments as mentioned, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey may be a code comprising a different length or may comprise other characteristics associated with the tag device 600. In some embodiments, the reader module is arranged to transmit the original authentication passkey 608, the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey to the tag device 600 and the tag device is arranged to overwrite the original check code 604, the original authentication code 606 and the original authentication passkey 608 with the replacement check code 614, the replacement authentication code 616 and the replacement authentication passkey. With reference to Figure 9 A and 9B, there is shown a system for authentication comprising:
- a gateway arranged to receive a verification request for verifying an identifier, a resynchronization code and a resynchronization password associated with an authentication subject;
- a verification module arranged to verify the identifier, the resynchronization code and the resynchronization password by locating a record associated with the identifier in an authentication database; and
whereupon the identifier, the resynchronization code and the resynchronization password has been verified, generate a replacement resynchronization code, a replacement authentication code and a replacement check code for updating the record in the authentication database.
Referring to Figure 9A, in the system for authentication working in a global resynchronization mode 900, starting with step 902, upon reading an identifier and a resynchronization code 610 stored in the tag device 600 by the reader module 204, and a user is requested to provide a resynchronization password 622 to the system for authentication 900. Preferably, the resynchronization password is manually input to the reader module 204. In an example embodiment, the password may be printed on a sales receipt upon the completion of a successful transaction in an authorized shop. The identifier, the resynchronization code 610 and the resynchronization password 622 are sent from the reader to a gateway 302 of an authentication system which includes an authentication server 202 to perform the authentication in step 904. In some embodiments, the authentication server 202 may be an information handling system such as a computer, a PDA, a mobile device, etc. Also, the transfer of the identifier, the resynchronization code 610 and the resynchronization password 622 to the authentication system may be through wired or wireless communication links 214 including but not limited to the internet. Once the identifier, the resynchronization code 610 and the resynchronization password
622 are received at the authentication system, the authentication server 202 verifies the identifier, the resynchronization code 610 and the resynchronization password 622 by locating a record associated with the identifier in an authentication database 306 of the authentication server 202. In one embodiment, the authentication server 202 matches the incoming identifier, the resynchronization code 610 and the resynchronization password 622 with the data in the database to perform authentication. In some other embodiments, the authentication server 202 matches the information associated with the incoming identifier, the resynchronization code 610 and the resynchronization password 622 with the data in the database to perform authentication. In some examples, the authentication database 306 may be part of the authentication server 202 (i.e. the same unit). In some other examples, the authentication database 306 may be external of the authentication server 202.
If the verification of the identifier, the resynchronization code 610 and/or the resynchronization password 622 is unsuccessful, the authentication system will record that particular identifier and the authentication process will be terminated. Alternatively, an error message will be transmitted to the reader indicating that the verification is unsuccessful.
Once it is determined that the identifier, the resynchronization code 610 and the resynchronization password 622 are valid, in step 906, the authentication server 202 retrieves a resynchronization passkey 612 authentication database 306, and generates a replacement check code 614, a replacement authentication code 616, a replacement authentication passkey, a replacement resynchronization code 620 and a replacement resynchronization passkey. In one example, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey may be a code of variable length that is different to the original check code 604, the original authentication code 606, the original authentication passkey 608, the original resynchronization code 610 and the original resynchronization passkey 612. Preferably, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey are not associated with any prior tag device 600. More preferably, the replacement check code 614, the replacement authentication code
616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey are not located in the authentication database 306 previously. The authentication server 202 updates the record of the authentication database 306 to associate the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey with that tag device 600. In some embodiments, the original check code 604, the original authentication code 606, the original authentication passkey 608, the original resynchronization code 610 and the original resynchronization passkey 612 are removed from the authentication database 306.
Upon successful generation of the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey, the authentication server 202 transmits the original resynchronization passkey 612, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey to the reader module 204. Optionally, the authentication server 202 transmits a product info associated with the product being authenticated, and the product info is shown to a user via a device comprising the reader module 204 in step 910.
In one embodiment, the authentication system may have gateway 302 that performs the transmission of the original resynchronization passkey 612, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey to the tag device 600.
In another embodiment, authentication server 202 may utilize an external transmission system to transmit the original resynchronization passkey 612, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement re synchronization passkey. In some embodiments, the transmission of the original resynchronization passkey 612, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey to the tag device 600 may be through wire or wireless communication links 214 such as but not limited to the internet.
With reference to Figure 9B, once the original resynchronization passkey 612, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey are received at the reader module 204, the reader module 204 provides the tag device 600 with the original resynchronization passkey 612 such that the original resynchronization code 612 is configured to be replaceable after 3DES authentication between tag device 600 and reader module 204 using original resynchronization passkey 612. The reader module overwrites the original check code 604, the original authentication code 606, the original authentication passkey 608, the original resynchronization code 610 and the original resynchronization passkey 612 with the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey.
In some embodiments as mentioned, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey may be a code comprising a different length or may comprise other characteristics associated with the tag device 600.
In some other embodiments, the reader module is arranged to transmit the original resynchronization passkey 612, the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey to the tag device 600 and the tag device is arranged to overwrite the original check code 604, the original authentication code 606, the original authentication passkey 608, the original resynchronization code 610 and the original resynchronization passkey 612 with the replacement check code 614, the replacement authentication code 616, the replacement authentication passkey, the replacement resynchronization code 620 and the replacement resynchronization passkey. Advantageously, the system for authentication is suitable for untrusted reader module, which may include malware or software programs for de-compilation. Reader module in this system for authentication may only work as a communication device for reading the codes or passkeys which change once it is read. The reader module can be as common as an NFC reader included in a smartphone or any handheld device, such that the authentication of a tagged product is possible to anyone in anywhere, where expensive tag devices or trusted kiosk is not required.
Advantageously, the tag is possible to be re synchronized with the authentication server with a valid resynchronization password provided solely to the owner of the tagged product. In an occasion that the codes stored in a tag is modified by a malware or counterfeits manufacturers, the authentication code stored in the tag may not match with the record stored in the authentication database, the owner may resynchronize the tag to reset the codes that match with the authentication database to enable the product to be authentication again.
Although not required, the embodiments described with reference to the Figures can be implemented as an application programming interface (API) or as a series of libraries for use by a developer or can be included within another software application, such as a terminal or personal computer operating system or a portable computing device operating system. Generally, as program modules include routines, programs, objects, components and data files assisting in the performance of particular functions, the skilled person will understand that the functionality of the software application may be distributed across a number of routines, objects or components to achieve the same functionality desired herein. It will also be appreciated that where the methods and systems of the present invention are either wholly implemented by computing system or partly implemented by computing systems then any appropriate computing system architecture may be utilised. This will include stand alone computers, network computers and dedicated hardware devices. Where the terms "computing system" and "computing device" are used, these terms are intended to cover any appropriate arrangement of computer hardware capable of implementing the function described.
It will be appreciated by persons skilled in the art that the term "database" may include any form of organized or unorganized data storage devices implemented in either software, hardware or a combination of both which are able to implement the function described. It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the invention as shown in the specific embodiments without departing from the spirit or scope of the invention as broadly described. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.
Any reference to prior art contained herein is not to be taken as an admission that the information is common general knowledge, unless otherwise indicated.

Claims

1. A method for authentication comprising the steps of:
- receiving a verification request for verifying an identifier and a check code associated with an authentication subject;
- verifying the identifier and the check code by locating a record associated with the identifier in an authentication database; and
whereupon the identifier and the check code has been verified, generate a replacement check code for updating the record in the authentication database.
2. A method for authentication in accordance with claim 1, further comprising the step of updating the record in the authentication database with the replacement check code such that the record associated with the identifier is updated with the replacement check code.
3. A method for authentication in accordance with claim 2, wherein the record associated with the identifier is updated to be associated with the replacement check code.
4. A method for authentication comprising the steps of:
- receiving a verification request for verifying an identifier, an authentication code and an authentication password associated with an authentication subject;
- verifying the identifier, the authentication code and the authentication password by locating a record associated with the identifier in an authentication database; and
whereupon the identifier, the authentication code and the authentication password has been verified, generate a replacement authentication code and a replacement check code for updating the record in the authentication database.
5. A method for authentication in accordance with claim 4, further comprising the step of updating the record in the authentication database with the replacement authentication code and the replacement check code such that the record associated with the identifier is updated with the replacement authentication code and the replacement check code.
6. A method for authentication in accordance with claim 5, wherein the record associated with the identifier is updated to be associated with the replacement authentication code and the replacement check code.
7. A method for authentication comprising the steps of:
- receiving a verification request for verifying an identifier, a re synchronization code and a resynchronization password associated with an authentication subject; - verifying the identifier, the resynchronization code and the resynchronization password by locating a record associated with the identifier in an authentication database; and
whereupon the identifier, the resynchronization code and the resynchronization password has been verified, generate a replacement resynchronization code, a replacement authentication code and a replacement check code for updating the record in the authentication database.
8. A method for authentication in accordance with claim 7, further comprising the step of updating the record in the authentication database with the replacement resynchronization code, the replacement authentication code and the replacement check code such that the record associated with the identifier is updated with the replacement resynchronization code, the replacement authentication code and the replacement check code.
9. A method for authentication in accordance with claim 8, wherein the record associated with the identifier is updated to be associated with the replacement resynchronization code, the replacement authentication code and the replacement check code.
10. A method for authentication in accordance with any one of the claims 4 to 9, wherein the authentication password and/or the resynchronization password is manually input by a user.
11. A method for authentication in accordance with any one of the preceding claims, wherein the verification request is received from a reader module arranged to communicate the identifier, the check code, the authentication code and/or the resynchronization code from the associated authentication subject.
12. A method for authentication in accordance with claim 11, wherein the identifier, the check code, the authentication code and/or the resynchronization code are stored on one or more tag devices arranged to tag the authentication subject.
13. A method for authentication in accordance with any of claims 11 or 12, further comprising the step of updating the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code.
14. A method for authentication in accordance with claim 13, wherein the step of updating the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code includes transmitting the replacement check code, the replacement authentication code and/or the replacement resynchronization code to the reader module.
15. A method for authentication in accordance with claim 14, wherein the reader module is arranged to update the check code, the authentication code and/or the re synchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code.
16. A method for authentication in accordance with any one of claims 12 to 15, wherein the authentication code and the resynchronization code stored on the one or more tag devices are arranged to be replaceable only if a respective authentication passkey or a resynchronization passkey is provided in the update process.
17. A method for authentication in accordance with claim 16, wherein the authentication passkey and/or the resynchronization passkey are stored on the one or more tag devices.
18. A method for authentication in accordance with any one of the claims 16 to 17, wherein the authentication passkey and/or the resynchronization passkey are non-readable by the reader module.
19. A method for authentication in accordance with any one of claims 16 to 18, further comprising the step of generating a replacement resynchronization passkey and/or a replacement authentication passkey for updating the record in the authentication database.
20. A method for authentication in accordance with claim 19, further comprising the step of updating the record in the authentication database with the replacement resynchronization passkey and/or the replacement authentication passkey such that the record associated with the identifier is updated with the replacement resynchronization passkey and/or the replacement authentication passkey.
21. A method for authentication in accordance with claim 20, wherein the record associated with the identifier is updated to be associated with the replacement resynchronization passkey and/or the replacement authentication passkey.
22. A method for authentication in accordance with any one of claims 19 to 21, further comprising the step of updating the resynchronization passkey and/or the authentication passkey stored on the one or more tag devices with the replacement resynchronization passkey and/or the replacement authentication passkey.
23. A method for authentication in accordance with any one of the preceding claims, wherein the step of generating the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey for updating the record associate with the identifier includes the step of processing the check code, the authentication code, the authentication passkey, the resynchronization code and/or the resynchronization passkey with a security code module to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey.
24. A method for authentication in accordance with any one of the preceding claims, further comprising the step of transmitting a verified signal when the identifier is verified.
25. A method for authentication in accordance with any one of claims 12 to 24, wherein the tag device includes a near field communication (NFC) arrangement.
26. A method for authentication in accordance with any one of claims 12 to 25, wherein the identifier, the check code, the authentication code, the authentication passkey, the resynchronization code, the resynchronization passkey, the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey is encrypted.
27. A method for authentication in accordance with any one of the preceding claims, wherein the authentication subject is a product.
28. A method for authentication in accordance with any one of the preceding claims, wherein the identifier, the check code, the authentication code, the authentication passkey, the resynchronization code and/or the resynchronization passkey, is an alphanumeric string.
29. A method for authentication in accordance with claim 28, wherein the alphanumeric string is of a random length.
30. A method for authentication in accordance with any one of claims 23 to 29, wherein the security code module is arranged to use using a predetermined code generating algorithm to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey.
31. A method for authentication in accordance with claim 30, wherein the code generating algorithm is arranged to generate random alphanumeric strings.
32. A method for authentication in accordance with any one of claims 12 to 31, wherein the reader module is a handheld device.
33. A method for authentication in accordance with claim 32, wherein the handheld device is a smartphone, a media device or a tablet PC.
34. A system for authentication comprising:
- a gateway arranged to receive a verification request for verifying an identifier and a check code associated with an authentication subject;
- a verification module arranged to verify the identifier and the check code by locating a record associated with the identifier in an authentication database; and
whereupon the identifier and the check code has been verified, generate a replacement check code for updating the record in the authentication database.
35. A system for authentication in accordance with claim 34, further comprising a routine to update the record in the authentication database with the replacement check code such that the record associated with the identifier is updated with the replacement check code.
36. A system for authentication in accordance with claim 35, wherein the record associated with the identifier is updated to be associated with the replacement check code.
37. A system for authentication comprising:
- a gateway arranged to receive a verification request for verifying an identifier, an authentication code and an authentication password associated with an authentication subject;
- a verification module arranged to verify the identifier, the authentication code and the authentication password by locating a record associated with the identifier in an authentication database; and
whereupon the identifier, the authentication code and the authentication password has been verified, generate a replacement authentication code and a replacement check code for updating the record in the authentication database.
38. A system for authentication in accordance with claim 37, further comprising a routine to update the record in the authentication database with the replacement authentication code and the replacement check code such that the record associated with the identifier is updated with the replacement authentication code and the replacement check code.
39. A system for authentication in accordance with claim 38, wherein the record associated with the identifier is updated to be associated with the replacement authentication code and the replacement check code.
40. A system for authentication comprising:
- a gateway arranged to receive a verification request for verifying an identifier, a resynchronization code and a resynchronization password associated with an authentication subject;
- a verification module arranged to verify the identifier, the resynchronization code and the resynchronization password by locating a record associated with the identifier in an authentication database; and
whereupon the identifier, the resynchronization code and the resynchronization password has been verified, generate a replacement resynchronization code, a replacement authentication code and a replacement check code for updating the record in the authentication database.
41. A system for authentication in accordance with claim 40, further comprising a routine to update the record in the authentication database with the replacement resynchronization code, the replacement authentication code and the replacement check code such that the record associated with the identifier is updated with the replacement resynchronization code, the replacement authentication code and the replacement check code.
42. A system for authentication in accordance with claim 41, wherein the record associated with the identifier is updated to be associated with the replacement resynchronization code, the replacement authentication code and the replacement check code.
43. A system for authentication in accordance with any one of the claims 37 to 42, wherein the authentication password and/or the resynchronization password is manually input by a user.
44. A system for authentication in accordance with any one of the claims 34 to 43, wherein the verification request is received from a reader module arranged to communicate the identifier, the check code, the authentication code and/or the resynchronization code from the associated authentication subject.
45. A system for authentication in accordance with claim 44, wherein the identifier, the check code, the authentication code and/or the resynchronization code are stored on one or more tag devices arranged to tag the authentication subject.
46. A system for authentication in accordance with any one of claim 44 or 45, further comprising a routine to update the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code.
47. A system for authentication in accordance with claim 46, wherein in the routine to update the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code includes transmitting the replacement check code, the replacement authentication code and/or the replacement resynchronization code to the reader module.
48. A system for authentication in accordance with claim 47, wherein the reader module is arranged to update the check code, the authentication code and/or the resynchronization code stored on the tag device with the replacement check code, the replacement authentication code and/or the replacement resynchronization code.
49. A system for authentication in accordance with any one of claims 45 to 48, wherein the authentication code and the resynchronization code stored on the one or more tag devices are arranged to be replaceable only if a respective authentication passkey or a resynchronization passkey is provided in the update process.
50. A system for authentication in accordance with claim 49, wherein the authentication passkey and/or the resynchronization passkey are stored on the one or more tag devices.
51. A system for authentication in accordance with any one of the claims 49 or 50, wherein the authentication passkey and/or the resynchronization passkey are non-readable by the reader module.
52. A system for authentication in accordance with any one of claims 49 to 51, further comprising a routine to generate a replacement resynchronization passkey and/or a replacement authentication passkey for updating the record in the authentication database.
53. A system for authentication in accordance with claim 52, further comprising a routine to update the record in the authentication database with the replacement resynchronization passkey and/or the replacement authentication passkey such that the record associated with the identifier is updated with the replacement resynchronization passkey and/or the replacement authentication passkey.
54. A system for authentication in accordance with claim 53, wherein the record associated with the identifier is updated to be associated with the replacement resynchronization passkey and/or the replacement authentication passkey.
55. A system for authentication in accordance with any one of claims 52 to 54, further comprising a routine to update the resynchronization passkey and/or the authentication passkey stored on the one or more tag devices with the replacement resynchronization passkey and/or the replacement authentication passkey.
56. A system for authentication in accordance with any one of claims 34 to 55, wherein the routine to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey for updating the record associate with the identifier includes a routine to process the check code, the authentication code, the authentication passkey, the resynchronization code and/or the resynchronization passkey with a security code module to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey.
57. A system for authentication in accordance with any one of claims 34 to 56, further comprising a routine to transmit a verified signal when the identifier is verified.
58. A system for authentication in accordance with any one of claims 45 to 57, wherein the tag device includes a near field communication (NFC) arrangement.
59. A system for authentication in accordance with any one of claims 45 to 58, wherein the identifier, the check code, the authentication code, the authentication passkey, the resynchronization code, the resynchronization passkey, the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey is encrypted.
60. A system for authentication in accordance with any one of claims 34 to 59, wherein the authentication subject is a product.
61. A system for authentication in accordance with any one of claims 34 to 60, wherein the identifier, the check code, the authentication code, the authentication passkey, the resynchronization code and/or the resynchronization passkey, is an alphanumeric string.
62. A system for authentication in accordance with claim 61, wherein the alphanumeric string is of a random length.
63. A system for authentication in accordance with claim 56 to 62, wherein the security code module is arranged to use a predetermined code generating algorithm to generate the replacement check code, the replacement authentication code, the replacement authentication passkey, the replacement resynchronization code and/or the replacement resynchronization passkey.
64. A system for authentication in accordance with claim 63, wherein the code generating algorithm is arranged to generate random alphanumeric strings.
65. A system for authentication in accordance with any one of claims 45 to 64, wherein the reader module is a handheld device.
66. A system for authentication in accordance with claim 65, wherein the handheld device is a smartphone, a media device or a tablet PC.
67. A tag for authenticating a product comprising
- a storage module arranged to store an identifier, a check code, a authentication code and/or a resynchronization code associated with the product, wherein when the identifier, the check code, the authentication code and/or the resynchronization code is read by a communication interface, the check code, the authentication code and/or the resynchronization code is updated with a replacement check code, a replacement authentication code and/or a replacement resynchronization code.
68. A tag in accordance with claim 67, wherein the storage module is arranged to receive the replacement check code, the replacement authentication code and the replacement resynchronization code from the communication interface to update the check code, the authentication code and the resynchronization code stored in the storage module.
69. A tag in accordance with any one of claims 67 or 68, wherein the storage module is further arranged to store an authentication passkey and a resynchronization passkey associated with the product; and wherein the authentication code and the resynchronization code are arranged to be replaceable only if a respective authentication passkey or a resynchronization passkey is provided in the update process.
70. A tag in accordance with claim 69, wherein the authentication passkey and/or the resynchronization passkey are non-readable by a reader module.
71. A method for authenticating a product comprising the steps of:
- engaging a tag in accordance with any one of claims 67 to 70 to the product;
- reading the tag to obtain an identifier, and any one of a check code, a authentication code or a resynchronization code; and
- transmitting the identifier, and any one of the check code, the authentication code or the resynchronization code to a system for authentication in accordance with any one of claims 34 to 66 for verification.
PCT/CN2013/083617 2013-09-17 2013-09-17 A system and method for authentication WO2015039279A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201380080974.9A CN105849739B (en) 2013-09-17 2013-09-17 Authentication system and authentication method
PCT/CN2013/083617 WO2015039279A1 (en) 2013-09-17 2013-09-17 A system and method for authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/083617 WO2015039279A1 (en) 2013-09-17 2013-09-17 A system and method for authentication

Publications (1)

Publication Number Publication Date
WO2015039279A1 true WO2015039279A1 (en) 2015-03-26

Family

ID=52688074

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/083617 WO2015039279A1 (en) 2013-09-17 2013-09-17 A system and method for authentication

Country Status (2)

Country Link
CN (1) CN105849739B (en)
WO (1) WO2015039279A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111523907A (en) * 2020-03-10 2020-08-11 浙江冒个泡电子商务有限公司 Anti-counterfeiting method
US20220129878A1 (en) * 2016-06-27 2022-04-28 Altria Client Services Llc Methods, systems, apparatuses, and non-transitory computer readable media for validating encoded information

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020000367A1 (en) * 2018-06-29 2020-01-02 Logistics and Supply Chain MultiTech R&D Centre Limited Multi-sensor theft/threat detection system for crowd pre-screening
CN110135542B (en) * 2019-07-09 2019-10-08 上海吾十吾信息技术有限公司 The method, apparatus and system of user's interactive mode Internet of Things verifying based on RF tag
WO2021004125A1 (en) * 2019-07-09 2021-01-14 上海吾十吾信息技术有限公司 Radio frequency tag-based user interactive internet of things verification method, apparatus and system
IT202100014651A1 (en) * 2021-06-04 2022-12-04 Pozidis Group Sagl System and method for providing certificates of authenticity for products

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101500018A (en) * 2008-02-03 2009-08-05 张元梅 Method for digital information false proof
CN101872460A (en) * 2010-05-27 2010-10-27 上海华彩科技有限公司 Treatment method of RFID online anti-counterfeiting system based on dynamic anti-counterfeiting mark
CN102663591A (en) * 2012-03-19 2012-09-12 樊俊锋 Product anti-counterfeiting method and system based on electronic tag

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1102781C (en) * 1998-08-19 2003-03-05 曹莉冬 Anti-fake system and method using information mark to distinguish true and false
CN1560775B (en) * 2004-02-25 2012-01-04 栗宏刚 Ternary variable dynamic authentication system and method based on moble communication standard short message service platform
US20090096574A1 (en) * 2007-10-16 2009-04-16 Rcd Technology, Inc. Rfid tag using encrypted password protection
CN101504715B (en) * 2009-03-04 2011-11-16 深圳市众合联科技有限公司 Product identity digital identification apparatus, inspection apparatus, product and anti-fake inspection method
CN102385710B (en) * 2011-08-15 2013-01-16 王志刚 Method and system for verifying fact or fiction
CN103246841A (en) * 2012-02-09 2013-08-14 富泰华工业(深圳)有限公司 Unlocking password resetting system and method of electronic device
CN102622633A (en) * 2012-03-14 2012-08-01 江苏联博计算机信息产业有限公司 Multifunctional digital anti-counterfeiting code tag and applications of multifunctional digital anti-counterfeiting code tag

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101500018A (en) * 2008-02-03 2009-08-05 张元梅 Method for digital information false proof
CN101872460A (en) * 2010-05-27 2010-10-27 上海华彩科技有限公司 Treatment method of RFID online anti-counterfeiting system based on dynamic anti-counterfeiting mark
CN102663591A (en) * 2012-03-19 2012-09-12 樊俊锋 Product anti-counterfeiting method and system based on electronic tag

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220129878A1 (en) * 2016-06-27 2022-04-28 Altria Client Services Llc Methods, systems, apparatuses, and non-transitory computer readable media for validating encoded information
CN111523907A (en) * 2020-03-10 2020-08-11 浙江冒个泡电子商务有限公司 Anti-counterfeiting method

Also Published As

Publication number Publication date
CN105849739B (en) 2020-10-30
CN105849739A (en) 2016-08-10

Similar Documents

Publication Publication Date Title
CN108053001B (en) Information security authentication method and system for electronic warehouse receipt
JP2021522735A (en) Methods and systems for automatic object recognition and authentication
US9256881B2 (en) Authenticating and managing item ownership and authenticity
US9628270B2 (en) Cryptographically-verifiable attestation label
US10019530B2 (en) ID tag authentication system and method
CN105849739B (en) Authentication system and authentication method
US20160098730A1 (en) System and Method for Block-Chain Verification of Goods
US20080297326A1 (en) Low Cost RFID Tag Security And Privacy System And Method
KR101812638B1 (en) Module, service server, system and method for authenticating genuine goods using secure element
US8459550B2 (en) Method for transferring data, a computer program product, a data provision and a data receiving device and a communication system
WO2017116303A1 (en) Secure dual-mode anti-counterfeit product authentication methodology and system
US20180205714A1 (en) System and Method for Authenticating Electronic Tags
KR20040085800A (en) contactless type communication tag and portable tag reader for verifying a genuine article
TW201826177A (en) Inspection device and inspection method
WO2014134827A1 (en) System and method for authentication
WO2020076968A1 (en) System and methods for authenticating tangible products
KR100497630B1 (en) Portable RF-tag reader for verifying a genuine article
CN114830599B (en) Managing physical objects using encryption anchors
KR20090041473A (en) Authentication server for validating product authenticity using otp electronic tag and method therefor
RU2814089C2 (en) Methods and systems for automatic object recognition and authenticity verification
AU2019100668A4 (en) A Method of Providing Secure Ownership of an Object
US20220318821A1 (en) System and methods for authenticating tangible products
JP5386860B2 (en) Payment system, payment processing apparatus, validity verification apparatus, validity verification request processing program, validity verification processing program, and validity verification method
JP2018072977A (en) Commodity authenticity determination system
KR101192972B1 (en) An authenti cation system for anti-forgery using the smart card chip and method of thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13893806

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13893806

Country of ref document: EP

Kind code of ref document: A1