CN107980143B - Management of protected items - Google Patents

Abstract

A tracking, identification and article management system and method for reliably and repeatably determining instances of physical unclonable attributes (of the same or different types) provided or inherent to an article of manufacture, using the physical unclonable attributes to generate an unclonable identity for the article, and then integrating the unclonable identity into a computer-based tracking system to enable the tracking system to track and monitor the article for known identity information. Applications include, but are not limited to, documents, fashion items, artwork, and other components.

Description

Management of protected items

Priority statement of prior application

This application claims priority from the following U.S. patent applications, each of which is incorporated herein by reference:

application number: 62/148,528, filing date: 2015/4/16

Application number: 62/295,914, filing date: 2016/2/16

Application number: 15/099,378, filing date: 2016/4/14

Technical Field

The present technology relates to the binding of electronic identities to articles of manufacture, and the efficient tracking and protection of items of interest. Non-limiting examples of technology in this application further relate to tracking and authentication systems that use physical non-replicable Attributes (PUAs) of articles, which technology allows for repeated extraction of a useful subset of PUAs and use of the extracted PUA information in real time to determine the integrity and authenticity of the article and associated tracking systems and devices.

Background

Many people in the past have attempted to protect high value items from loss, theft and counterfeiting. For example, luxury goods including leather bags, accessories, clothing, artwork, original documents and documents, and related items may be lost or stolen, and sometimes even counterfeited or counterfeited. Some past solutions have used a combination of anti-theft techniques, source identification and product identification techniques.

Anti-theft techniques include resonant tags, NFC chips or tags, and RFID tags that are affixed to or embedded in an item to be protected. Since these techniques can be removed by skilled thieves, these items are subject to "swapping labels," in which case the label is removed from one item and attached to another item for theft and counterfeiting. These tags typically report their presence, but cannot determine if the tag is still associated with the original item it is intended to identify.

Validating the source includes attaching a unique serial number or other product or item identifier to the item, either in physical or electronic form, that is related to the source information provided by the manufacturer. The unique serial number or other ID in digital and/or mechanical form can be counterfeited so that the counterfeit item is licensed for distribution. The current state of the item is not publicly visible in the manufacturer's "genuine" database, so the distributor typically cannot determine whether the item has been tampered with or is genuine.

Biometric technology, which is considered a form of highly personalized person-based attribute, such as a fingerprint or retinal scan, is traditionally used in security systems to "unlock" a repository of digital secrets (e.g., keys). Digital systems sometimes use such biometric information to grant access and/or protect the integrity of other parts of the system. Some of these past solutions have suffered from spoofing of biometric information, false positive/false negative rates (e.g., reliability) of the reader, and/or the integrity of the underlying device. Fingerprint and other biometric readers have proven to be vulnerable to fraud or intrusion in the past.

Examples of technology in this application further relate to the use of digital technology to authenticate and track physical objects for a wide variety of uses, such as inventory, supply chain integrity, asset recovery, and counterfeit identification. Some such existing systems encounter obstacles in the interaction between the digital and real world. It will be appreciated that some of these past solutions, in which identification and tracking devices in the form of tags, Radio Frequency Identification (RFID) and network connection tracking devices are attached, have resulted in their effectiveness being less than useful, along with their vulnerability to various attacks.

For example, if a tracking device is attached to an item, there may still be issues regarding whether the item and device are still together, whether a substitute or counterfeit item is present, whether the tracking device has been "spoofed," etc. As mentioned above, past counterfeit identification is often a manual task and known systems are still subject to attacks that render the messages they provide less valuable. Ideally, tracking and authentication systems for most items should be easily identifiable in some non-limiting applications, but this can result in the trackers and tags being easy targets for attacks that aim to damage and/or remove the trackers and tags from the items they protect.

Electronic systems may sometimes be susceptible to hacking that may compromise some combination of tracking devices, communications, and/or server infrastructure. All classes of security chip-based systems are to some extent susceptible to one or more of these attacks, any of which, if successful, may compromise the system and render it unusable. The techniques of the present application reduce these risks or their consequences.

Disclosure of Invention

Non-limiting technical examples of the present application provide a protected article that includes an authentic authorization component integrated within or as part of the protected article, the authentic authorization component including a functional aspect of the protected article and an electrical or electronic circuit providing authentic information, the circuit providing an authentic indicia derived from at least one aspect or feature of the protected article.

A further non-limiting technical example of the present application provides a protected article comprising: an object or part having at least one physical property that distinguishes the object or part from at least some other objects; the protected article further includes an electronic sensor non-removably attached to the component, the automatic electronic sensor automatically sensing the physical attribute of the component, and a communication device coupled to the sensor, the communication device reporting information related to or derived from the physical attribute.

The protected article is further characterized in that the physical attributes are non-duplicable and unique. The physical attributes of the protected item may be unique.

The protected article may be configured as a cryptographic element that receives the sensed physical attribute and develops a cryptographic authentication value accordingly. The communication device of the protected article comprises a wireless communication device. The sensor of the protected article includes at least one of a resistive sensor and an optical reader integrated in the article that detects physical properties of the component that are difficult to alter or copy.

Additional non-limiting examples of technology provide an article that includes a substrate and further includes an authentication circuit that provides a genuine article indicia derived from an intrinsic characteristic of the substrate. The substrate may include at least one of fabric, leather, polymer, carbon fiber, and metal. The authentication circuit may obtain the indicia from a component that is integrated as part of the article such that removal of the indicia would damage the structure and/or appearance of the article. As used herein, "non-detachable" does not require that the article be removed from the component, but merely means that removal or attempted removal of the article or that the structure, function, and/or appearance of the article is compromised. The intrinsic properties of the substrate may include automatically readable electrical and/or physical properties or characteristics of the substrate.

A further non-limiting example of technology provides a protected article that includes a genuine authorization component attached to the protected article in such a manner that removal of the genuine authorization component will damage the protected article. The protected article further comprises an authentic authorization component comprising circuitry providing authentic information, the circuitry providing an authentic signature derived from at least the first aspect of the protected article, the protected article having a further contactless authentication device embedded therein, and the authentic authorization component of the protected article being configured so as not to interfere with authentication by the further contactless authentication device.

The protected item may include a customs document.

Non-limiting examples of technology of the present application provide a fashion item that includes an authenticator integrated within the fashion item such that removal of the authenticator reduces the value of the fashion item, the authenticator being used in a functional aspect of the fashion item and the authenticator including an authentication circuit that provides a genuine mark derived from a physical aspect of the fashion item.

Further technical examples of the present application provide a protected article that includes a component that is integrated as part of the fashion article such that removal of the component reduces the value of the fashion article, and an authentication circuit that provides a genuine mark derived from the component.

The authentication circuit may measure a resistance of a portion of the component. The authentication circuit wirelessly reports the genuine mark. The genuine article indicia may be unique to the fashion item. The authentication circuit may be essentially non-variably bound to the fashion item. The component may form a structural aspect of the fashion item. The component may provide a decorative aspect of the fashion item. The component may provide at least one functional aspect of the fashion item independent of the authentication. The authentication circuit may be part of the component.

Further non-limiting technical examples of the present application provide a fashion item that includes a component that is integrated as part of the fashion item such that removal of the component detracts from the appearance of the fashion item. The fashion item further includes an authentication circuit that provides an authentic indicia derived from the component.

Further non-limiting technical examples of the present application provide methods of manufacturing a fashion item that include integrating a circuit providing a genuine article indicia and an authenticatable (i.e., capable of being authenticated) component as part of the fashion item; reading the authentication indicia from the circuit; and storing the authentication indicia in a database.

The fashion item may be continuously identified using the stored authentication mark.

A further non-limiting technical example of the present application provides an authentication component for use with a fashion item, comprising a component integrated as part of the fashion item such that subsequent removal of the component reduces the fashion value of the fashion item, the component comprising an authentication circuit that provides a genuine mark derived from the component.

Non-limiting examples of technology of the present application provide a reliable and repeatable system and method capable of determining, in real-time or otherwise, instances (of the same or different types) of one or more Physical Unclonable Attributes (PUAs) from an article of manufacture, using a selected PUA to generate an identity of the article that is not counterfeitable, and then integrating the identity of the counterfeitable into a computer-based tracking system, in a manner that allows the tracking system to track and monitor the article for known PUA-based identity information.

Physical uncloneable attributes ("PUA") are attributes or features inherent to the article itself. For example, the PUA may be generally inherent in the materials used during manufacture of the article and/or the method of manufacturing the article. There are typically or often multiple PUAs per item; the obstacle faced is how to identify and characterize them, and then use this information in a system that provides guarantees on authenticity, presence, and origin. Using PUAs, in particular unique sets of PUAs, enables to uniquely identify an attribute. Tracking and authentication systems that rely on the PUA of an item may use these techniques, which allow for the repeatable extraction of a useful subset of the PUA and the use of this extracted PUA information in real time to determine the integrity and authenticity of the item.

Non-limiting example techniques in this application may provide the following techniques in any combination:

A) capturing the PUA using one or more sensors attached to the item;

B) selecting/filtering the PUAs to obtain useful PUAs and to create digital artifacts useful for identifying and/or protecting communications between the key device and the management server;

C) creating a tracking device-specific query response pair (tag) based on the selected/filtered PUA;

D) creating a unique key, certificate and digital identity derived from the PUA; and/or

E) Securely providing these items (identity, key and certificate, challenge response pairs) to the management system for subsequent key device identification and secure communication;

F) the protected item is securely identified and tracked using one or more of these identity, key, certificate and challenge/response pairs.

In use, one non-limiting aspect of the management system selects one or more challenge/response pairs for the item and requests authentication of an attached tracking or key device using the selected challenge/response pair over a secure, encrypted channel. A PUA-derived challenge-response pair is a token in which a token tag is used as a challenge and a token value is used as a response.

In one exemplary, non-limiting embodiment, the PAMS server queries a tracking device that includes an integrated communicator, key and indicator. The PUA-derived key and digital identity may be used to create one or more unique secure channels between the management system and the tracking device through which the challenge request is securely issued. The tracking device responds to one or more queries with a tag value corresponding to each query, and the management system verifies the response to each query against the previously provided responses stored in the PAMS server. The effective response calculated based on the PUA just obtained can ensure that the same, real item is still associated with the tracking device.

By using the PUA in this manner, the system provides a self-identifying, self-authenticating item and end-to-end secure tracking system.

Exemplary embodiments in this application illustrate systems, processes, and techniques for authenticating, identifying, tracking, and recovering manufactured items, embodying techniques for identifying items based on PUAs, the creation of PUA-derived numerical identifiers, and the tracking and recovery of such items (if they have not been lost or stolen).

One particular impediment and potential application of the technology in this application is the certification and tracking of manufactured documents, articles, and fashion items. These articles are typically manufactured using materials and processes that are difficult to add tracking and authentication materials; either because the addition of authentication and tracking technology compromises the aesthetics or value of the item or because the item was originally manufactured without consideration of tracking and authentication. The techniques described herein use the PUAs of these articles to authenticate them.

Exemplary embodiments of the present application provide an authentication and tracking component for use with collectible articles attachable to an item to authenticate and track a protected collectible article. Articles of this type have in the past typically been manually authenticated by the lack of an authentication-enabled solution, providing verifiable provenance, and tracking the location and status of the article in real time. Manual verification of an article is subjective in nature and often takes days or weeks to complete, and a "good" forgery often passes the verifier. The authentication and tracking components described in this application that are attached to or integrated into a protected item measure the PUA of the item and use the PUA to quickly authenticate the item in a non-counterfeitable manner. The components and systems also provide provenance and tracking information for the item, thereby supporting the value of the protected item.

Additional exemplary embodiments of the present application provide authentication and tracking features for official and high value documents. Examples of these types of documents include documents relating to complex financial transactions, including credit certificates, vouchers, bankers and buyers acceptance certificates, check-out certificates, admission certificates, passports, visas, driver's licenses, and other similar items. Each of these types of documents or articles are subject to risks of counterfeiting, misleading, and loss, which require mechanisms for reducing these risks.

In one exemplary embodiment, complex commodity transaction documents are typically delivered internationally by couriers in sealed courier bags. Courier bags constructed using the techniques described herein may provide integrity of bag material and latch status by providing a key monitor to periodically provide real-time location and status of the courier bag, and by measuring and monitoring at least one PUA of the bag and latch. Opening the express bag informs the recipient when and where the express bag was opened (or when and where it was tampered with), and allows the recipient to later determine that the express bag and its contents are authentic and have not been tampered with. In other example embodiments, an integrated device as described herein may be attached as part of an official document, wherein the device measures and monitors at least one PUA of the official document.

Other exemplary embodiments in the present application provide an authentication component for use with a fashion or other item that includes a component configured to be integrated as part of the item such that providing and/or removing the component from the protected item will reduce the fashion or other value of the item, as well as the usefulness or use of the item. In this case, the component includes an authentication circuit that provides a genuine mark derived from the component. Here, "reducing the fashion value of the fashion item" means that the structure and/or appearance of the fashion item is substantially changed after the fashion item is manufactured, so that the change of the fashion item from its original form appears quite obvious. Similarly, "reducing the value of a protected article" refers to substantially changing the structure and/or appearance of an article such that the article appears significantly altered from its original form and/or such that the protected article is rendered unsuitable for its intended purpose by changing appearance and/or function. Financial or official documents may have a reduced value if their origin and/or authenticity is questioned, and therefore are intended to be protected from intrusions during transport, and the bags or mailboxes with which the protected articles are provided have value as long as the documents they contain are determined to have not been tampered with. Such changes may take many forms, such as structural damage or destruction of the protected item, coloring or other visible appearance changes of the protected item, text or graphics indicating that the protected item has been "lost", "stolen", or other designs. In general, a protected item may include any item of value, such as an original piece of art, an industrial product, a passport or other official government or corporate document, a financial instrument, or any other item for which tracking, protection, and/or authentication is desired.

Brief description of the drawings

Exemplary, non-limiting and illustrative embodiments will be described in detail below with reference to the attached drawing figures, wherein:

FIG. 1A illustrates an example article having an automatic indicator that can indicate that the article has been stolen;

FIG. 1B illustrates an example article in which a conventional closed clasp support plate is used to provide an authentication key;

FIGS. 1C and 1D illustrate example articles in which a key is integrated as part of its structure;

FIG. 1E illustrates another type of article having exemplary structural elements for providing an authentication key;

FIG. 1F illustrates another article of manufacture having an additional midsole structure for providing an authentication key;

FIG. 1G shows another protected article having a key attached to an integral part of the protected article;

FIG. 2 illustrates a block diagram of an exemplary non-limiting management system capable of communicating with multiple protection devices;

FIG. 2A illustrates another non-limiting exemplary deployment architecture of a protected article management system;

FIG. 2B illustrates an exemplary relationship between keys, indicators, communicators (and integrated versions of these components) and other components of the protected article management system;

FIG. 3A shows a side view of an exemplary resistive mesh key;

FIG. 3B illustrates a top view of an exemplary resistive mesh key;

FIG. 4 illustrates an exemplary embodiment in which resistive mesh keys are embedded within a cast protected item part (a leg of a wallet);

5A, 5B illustrate front and side views of an exemplary embodiment of a resistive mesh key within a protected article;

FIG. 6 illustrates an exemplary flow chart for creating a protected article;

FIG. 7 illustrates an exemplary flow chart for initializing a protected item/key set;

FIG. 8 illustrates an exemplary flow chart for authenticating a protected item;

FIG. 9A shows a block diagram of an exemplary key controller;

FIG. 9B illustrates a block diagram of an exemplary integrated key controller and communicator;

FIG. 10 illustrates exemplary tags for schema reordering;

FIG. 11 illustrates an exemplary embodiment of a resistive mesh key for measuring adhesive layer properties;

FIG. 12 illustrates an exemplary embodiment of an optical signature key attached to a protected item;

FIG. 13 illustrates an exemplary embodiment of an RFID key attached to a protected item;

FIG. 14A illustrates an exemplary embodiment for initializing an optical sensor key;

FIG. 14B illustrates an exemplary process for reading an optical sensor key; and

FIG. 15 is an illustrative use of an integrated device attached to a protected item document.

Detailed description of non-limiting examples

Fig. 1A shows an exemplary high value article 10 (in this case, a fashion article such as a purse or commercial mailer) embodying the protection system encompassed by the present application. In this particular example, the protected item 10 may include a purse, clothing, shoes, or other high value item. For example, the illustrated wallet may be a brand name wallet made of high quality leather or other material with unique aesthetic design and coloring that enables it to be sold at a price of thousands of dollars. Keys for measuring and reporting unique values based on one or more protected items are incorporated within the high value item 10. In this context, the term "key" is an abbreviation for "key device" and does not, by itself, refer to a cryptographic key or information used to identify the item 10. Where it is desired to monitor the integrity of the article 10, other keys may be used to monitor the integrity of one or more aspects of the article 10.

The monitored portion of the article 10 may be visually disposed or may be integrated within the structure of the article 10 during manufacture of the article 10. The high value item 10 may communicate with or may also include a communicator, where the communicator communicates between the key and an external management system. Such communications may be encrypted or otherwise secured using the PUA-derived unique device ID and cryptographic keys to form an end-to-end secure communication channel between the management system and the keys of the protected item. This secure tunnel connects known and verified endpoints, e.g., management servers and keys that are identified and authenticated using PUA-derived cryptographic information. The management system 12 provides components (preferably wireless, but wired is also possible) that are connected to the key, and may also access a database that provides a data structure for storing protected item information, including protected tags, key information, communicator information, status and location information. In the illustrated example, the protected article token may be calculated from one or more measurable aspects of the protected article 10 and may be generated by a key as a result of measurement by the key of one or more physical properties (e.g., PUA) of the protected article. A token or set of tokens may be generated from a set of PUAs. Thus, these tag values describe uniquely identifiable aspects of the protected article 10, such as may distinguish a particular protected article 10 from some or all of the other protected articles.

In the particular non-limiting example shown in fig. 1A, the protected article 10 includes an indicator 14. The indicator 14 is a status element of the protected article 10 for displaying the protected article. In the illustrated example, the security or other aspects of the interaction between the embedded communicator of the protected article 10 and the management system 12 provides a "STOLEN" status displayed by the indicator 14. This "STOLEN" condition essentially destroys the fashion value of the article 10 because once the protected article 10 is opened, any bystander can immediately see that the article has been STOLEN.

Fig. 1B illustrates an example key 14 that may be incorporated into the structure of the protected article 10. In this example, the key 14 may include a conventional support panel for providing structural support for a magnetic or other snap closure device 16, the device 16 being part of the protected article 10. In the example shown, the support panel 14 includes an electrical or electronic circuit capable of providing a unique or unique identifier obtained from the PUA of the support panel 14 that identifies the protected article 10 and distinguishes the protected article 10 from some, most, or all of the other protected articles. The key integrated into the closure support panel in this manner can also monitor and report the status of the closure, if desired. The key 14 is bound to the protected item so that removal of the key 14 will be noticeable and may destroy or at least reduce the fashion value of the protected item.

Fig. 1C and 1D show another protected article 10a, in this case a lady shoe. In the example shown, footwear 10a includes structures 18a, 18b, 18c, 18d that may be used by key 14 to create indicia of a protected item. These structures 18 are integrated into the shoe 10a such that removal of the structures would reduce the fashion value of the shoe. Such a key structure 18 may be electronically interrogated to detect a protected article characteristic (e.g., PUA) that includes at least one measurable aspect of the protected article. Multiple keys may be incorporated within a given protected item, each key producing one or more (unique) tokens. Thus, combining the protected item tag values reported by the multiple keys of the protected item, it is possible to uniquely describe the identifiable aspects of the protected item.

Fig. 1E shows another example of a protected article 20, in this case a fashion jacket, that includes various structures 22 that can be used as indicia. Alternatively, the inherent properties of the article 20, such as minute imperfections in the surface of leather or other constituent materials, may be used as the PUA.

FIG. 1F illustrates another example of a protected article 24 in an exploded view, showing a midsole structure 26 or other substrate that may be used as a protected article key. As in the above example, any attempt to remove the structure of the key 26 will destroy or reduce the fashion value of the protected item 24. Thus, the key 26 is physically bonded to the protected article substrate, making an alternative attempt impossible or impractical.

Fig. 1G shows another protected article 24, in this case a key that is attached to an integral part of the protected article by an adhesive. The bonding interface between the key and the item is monitored, for example, by an electrical characteristic measuring sensor, to detect tampering of the key and/or removal or separation of the key from the protected item by detecting changes in the electrical characteristics of the bonding interface.

Non-limiting example of a System architecture

A Protected Article Management System (PAMS) provides a system for authentication and real-time status reporting of protected articles. The PAMS structurally comprises four main components, each of which comprises one or more sub-components as shown in figures 2, 2A and 2B and described below.

Fig. 2 and 2A show the relationship between the various components of the PAMS:

protected items (e.g., 140a, 140b, 140c, 140n), including the item itself, that are permanently associated with one or more keys (e.g., 150b, 150c, 150d, 150e, 150f, 150n1, 150n2), and zero or more indicators (160a, 160b, 160e, 160f, 160n1, 160n 2).

One or more secure communicators (e.g., 130a, 130b, 130c, 130d) in communication with one or more protected item keys, zero or more indicators, and at least one management system (e.g., 110a, 110 b).

A network (e.g., 120a, 120b) for communication between the communicator and the management system.

A wireless network (115) (e.g., bluetooth or WiFi (e.g., 802.11 based network)) is used for communication between the key, the indicator, and the at least one communicator. In some embodiments, wires may be used to connect the keys and indicators to the communicator instead of a wireless network.

At least one management system (e.g., 110a, 110b) for storing and managing protected item information, performing a genuine inspection of the protected item based on indicia provided by one or more keys associated with the protected item, and determining a current state of the protected item.

As shown in fig. 2A, the system provides a non-traditional communication path between the PAMS server, the key and the indicator. These communication paths have several attributes. The information that is propagated between the keys, pointers and management server uses conventional endpoint authentication and session protection mechanisms (e.g., ssl/tls-based or encr-based encryption). Endpoint authentication (via a key device) is provided by using information derived from unique characteristics of the protected article, such as a PUA-derived device ID, a PUA-derived device certificate, a PUA-derived cryptographic key pair, and PUA-derived challenge/response information (e.g., token). Any of these PUA-derived materials may be used to authenticate the key endpoint. PUA-derived tokens are a preferred approach because they provide further assurance that the key device and protected item are still joined together.

Some keys may have limited wide area communication capabilities and rely on fixed access points (e.g., WiFi) or mobile peers (e.g., BLE peers) of the communicator that provide the required wide area communication. The fixed access point and the peer-to-peer communicator are used to communicate network communications between the keys and the PAMS server. They may also provide store and forward and related communication services.

When an all-in-one device (single key/indicator/communicator device) implementation is contemplated, the architecture supports more diverse hardware deployments in which the key and communicator are separated to provide a defense against unauthorized RF-based tracking of protected items by monitoring higher power or other RF or other signals emanating from unauthorized key devices. Some of these deployments are described below.

First, the communicator may interact with one or more key and indicator sets, as shown by the interaction (e.g., 135a) between the communicator 130a and the protected item 140n (and its corresponding keys and indicators (e.g., 160n1, 160n2, 150n1, 150n 2)). Each communicator may interact with any number of indicators and keys associated with a plurality of protected items. Separating the key and indicator device from the long-range communication device enables the key and indicator device to operate with relatively low power requirements and relatively low RF signals. It also provides redundant and backup communication paths for devices to handle long distance link failure conditions. The reduction in power required by the low power key and indicator device means that in some embodiments, the key and indicator may be powered using RF harvesting techniques known in the art.

Another non-limiting feature of the system architecture is that a single pointer and/or key may interact with more than one communicator to communicate with the PAMS server, as shown by interactions 135b and 135z, where pointer 160a interacts with two different communicators. The ability to communicate with multiple communicators can be advantageous when the communicator is lost or the item being protected is lost or stolen. In particular, if a previously used communicator is lost, stolen, or otherwise taken out of service, the indicators and keys associated with the protected item may reestablish communication with the management system (110). Secure end-to-end authentication between keys, indicators and management servers generally operates independent of the particular communicator. Thus, the communicator functions to provide communication over long distances (which consumes additional battery life), such as GSM or CDMA links to the telephone network, and may use GPS, cell tower, or WiFi triangulation techniques to provide location information. Optionally (not shown), the keys and indicators may be connected to a public or private WiFi network or a bluetooth peer-to-peer network (P2P) to use these systems as communicators. In some embodiments, the key and pointer may pass information about its observed RF environment to the PAMS server for use by the PAMS server in calculating the key and pointer location.

In addition, if the protected item is lost or stolen, the keys and indicators may re-establish communication with the PAMS management system using any available communicator. This allows redundancy in the communication path and the communication can repair itself if the communicator is lost or damaged. In addition, a particular key, indicator or communicator may be associated with one or more management servers. This may allow different systems to monitor the protected item, for example based on the first management server and the second insurance provider management server of the manufacturer. The key device architecture supports the generation of different initial values, materials and labels for each management server in communication with the key. This limits the amount of information about the underlying PUA and token generation algorithm that can be obtained from communication between the monitoring key and the PAMS server, and can further limit damage to the infrastructure if the PAMS server is compromised and the stored key device information is exposed. To create a new initial value, the key device may simply re-initialize to communicate with the repaired PAMS server. To create new initial values, cryptographic material, and tokens for the key device, the key device may simply be reinitialized to communicate with the repaired PAMS server.

When the protected item is reported as lost, but the item's key is still in secure communication with the PAMS server, the PAMS server may provide the current and/or last known location of the protected item to an authorized searcher. When the searcher comes within near-term radio range of the protected item, the PAMS server may instruct the key(s) to communicate with the communicator of the searcher so that the direction and distance between the communicator and the key may be determined electronically and displayed to the searcher.

Fig. 2B illustrates an exemplary system configuration of protected items (e.g., 140x, 140y, and 140z) associated with three different communicator/designator/key configurations (e.g., 130x, 160x, 150x), integrated devices (e.g., 125, 140y), and attached integrated communicators/designators/keys (e.g., 135, 140 z). Other configurations of system components are contemplated in alternative embodiments.

Generally, information about a protected item is added to the PAMS management server at the time of creation of the item and key initialization, and at this time, a permanent association between the protected item and its key and one or more protected item markers is created and recorded within the management system. The association between the key device and the protected item is permanent in that the key measures and integrates an intrinsic, physical or structural attribute (e.g., PUA) of the protected item within the item or attached to the item itself, such that removal of the key results in the key being invalid and/or changes the indicia reported by the key. Because the key measures and reports the intrinsic characteristics of the protected item (e.g., PUA), the remote system is able to determine: 1) the key does not spoof the information of the protected item; and 2) the key is not removed from the protected item with which it is associated.

If the key device is re-initialized, the previous flags are immediately invalidated because they are created by a one-way algorithm parameterized randomly when the key device is initialized for communication with a particular PAMS management server. This allows each set of tokens generated by a key device to be unique to the current key device/server initialization instance without changing the underlying PUA.

The PAMS may also maintain an association between the protected item and the indicator. In particular, if the measured and/or calculated indicia reported by the key do not match the file information of the protected item, the PAMS instructs the one or more communicators to set the status of at least one indicator associated with the protected item to indicate a verification failure.

In some embodiments, it is preferable to combine the functionality of one or more keys, zero or more indicators, and a communicator in a single device. The exact configuration of the key, indicator and communicator depends on the type of article being protected and may vary.

Protected items may be actively and repeatedly managed by PAMS throughout their useful life. The protected item is verified by re-measuring multiple times and comparing the new key provided signature with the pre-recorded signatures stored in the PAMS database. The PAMS system represents a user that needs to know the current state of the protected item (periodically and/or temporarily), communicate with the communicator associated with the key device, and cause the communicator associated with the protected item to communicate with the key device of the protected item in order to obtain a new tag reading and provide a trusted, verifiable current state and location of the protected item.

Non-limiting examples of management systems

The management system includes custom designed computer servers and systems (including processors, memory, and operating software components) and sufficient network interface and protocol support to enable the management system to communicate with one or more communicators and/or key devices over a network. Additionally, the software and/or hardware on the management system server includes program logic, user interfaces for providing direct connection to users and connection to users over a network, scheduling communications, determining the validity of protected items, and performing functions in the processing examples described below. External authenticity providers such as item sizers/authenticators, certificate authorities, etc. may be used as part of ensuring that the protected item can be authenticated.

Examples of management system servers include servers running Windows and IIS (e.g., Windows2008Server) or servers running Linux and Apache Web servers. The interface may include, for example, a web screen running on the smartphone, displayed in the smartphone's web browser, and serviced by the management system. More generally, examples of user interfaces may include a web screen running on a network connected to a web browser running on a personal computer; or a web screen running on a cellular data network connected to a web browser running on a smartphone screen. The management system servers may be provided individually, in parallel, or distributed as needed to handle the required requests and computational load.

The management system also includes computer program code operable to communicate with the user, the one or more communicators, and the storage system to store protected item information and manage the protected item by registering a new protected item, requesting and verifying a token provided by the protected item key, and setting an indicator specified in the program logic. As described above, the request for the key is generated by the management system program based on the user request and/or on a timed (periodic or other) basis.

The management system is connected to one or more databases (and associated database software, if needed). Typically, the database and the software that provides user and network access to the database reside on the management system server. No specific database system is required. SQL-based commercial databases from Oracle, Microsoft, Informix may be used, for example, a structured XML-based file system representation may be used. The particular database system to be used may be selected by one skilled in the art without losing the desired functionality.

The database stores (on one or more permanent non-transitory memories of the management system server) information about protected items, communicators, indicators, keys, labels, and associations between these items. Example data elements of information stored in the management system database are provided below. These data element lists are not displayed in a formal schema or database layout. One skilled in the art can perform the conversion from the list of elements to the mode used by the selected database application used on the particular PAMS server instance.

Protected items are high value items that are tracked and protected by PAMS.

Non-limiting examples of secure communicators

A secure communicator accesses and securely communicates with the key, the indicator and the management system. The secure communicator may interrogate the token of the key device and collect responses from the key and the designator to forward them to the management system, and receive commands from the management system and forward to the key and the designator. The secure communicator may also be used as a device to identify and locate keys and indicators associated with lost or missing protected items.

In some embodiments, the secure communicator connects with the key and the indicator using wireless communication means (e.g., optical, WiFi, bluetooth, or near field communication technologies). In other embodiments, the secure communicator is electrically connected to one or more keys and indicators and uses the connection to communicate directly with the key/indicator. In some embodiments, the secure communicator provides some other service (e.g., WiFi, cell tower, and/or GPS or other location reporting). In one non-limiting embodiment, the protected item includes a further embedded contactless electronic authentication device (e.g., an RFID or NFC chip), and the secure communicator is designed to use frequency, power level, and other features so as not to interfere with the further embedded contactless electronic authentication device.

Multiple communicators may be connected to one or more protected items and their keys. In some embodiments, the communicator is integrated within the protected article. In other embodiments, the communicator may be shared among multiple protected items, and may be freestanding, handheld, or may be integrated with a supporting infrastructure (e.g., a wired or wireless charging system). In one non-limiting embodiment, each communicator includes a processor, a key, a battery and a power harvester and at least one BLE (Bluetooth Low Energy) transceiver. Additional 802.11(WiFi) or telephony (e.g., GSM, CDMA) transceivers may be added to the embodiments as needed or preferred by the application. An external wireless signal acts on the combination causing the processor of the communicator to interrogate the key to receive the transmitted tag value from the key over the BLE connection and then forward the received tag to the management server using the available communication link.

Multiple communicators may be associated with different sets of protected items, keys and indicators. The plurality of communicators provide redundant communication paths (e.g., using adaptive mesh network technology) between the PAMS management server (and database) and the key and indicator device of the protected item. Some or all of the communication path may be used to encrypt and/or protect the reported information and data. For example, in one non-limiting embodiment, the communicator preferably communicates with the PAMS management server using an encrypted communication protocol (e.g., SSL or SSH). Communications between the PAMS management server and the communicator may use these and other encryption techniques to protect integrity, privacy, and/or authenticity.

Non-limiting examples of protected articles

Protected items may include, in one non-limiting application, commercial items with high intrinsic value and high resale value, but are often difficult to identify and authenticate individually. Such commercial items are often the subject of counterfeiting, theft and resale in the supply chain. Examples of such protected items include famous brand clothing (e.g., purses, shoes, watches, and dresses), high value household items (e.g., carpets, furniture, antiques, art, cultural relics, collectibles), historical, official and/or tracked copies of items, and packaging/covers for high value items. A given PAMS system may be used to track certain types of items, or various different types of items, or some subset of different item types. For example, one PAMS system may be used to track art while another PAMS system may be used to track official documents, or the same PAMS system may be used to track both official documents and work art. The PAMS system may be extensible, with the initial implementation being for one type of item, and then the same system is subsequently extended to track other types of items.

PAMS enables protection of a protected item by registering the protected item and its key in the PAMS, continuously associating one or more key devices/tokens with the protected item, and periodically checking the protected item to ensure the correct token for the item as reported by the key device. At any time, the PAMS may request the communicator to communicate with at least one key associated with the protected item to obtain the current token. Alternatively, the key or communicator may initiate the communication periodically and/or autonomously and send the token to the PAMS management server for authentication. In both cases, the presence of a tag that matches a previously stored tag, since the tag is derived from a key (at least in part from measurements of the PUA by the key), indicates that the same protected item is associated with the reported key; it is effectively ensured that the protected item is still present with the key. Similarly, if the measured PUA is associated with an aspect of the integrity of the article (e.g., the article has not been cut, torn, or disassembled), receiving the correct indicia from the key can ensure that the protected article has not been tampered with by disrupting the PUA measurement.

Non-limiting examples of indicators

The indicator is part of the protected item and may display the status of the protected item in the PAMS. Not all protected articles need to have an indicator, but some articles may require such an indicator. The status of the protected item may be indicated by a light or color, such as from an LED or electroluminescent panel. Alternatively, the status of the protected item may be indicated on the display. For example, the indicator may be a fabric panel that changes color depending on the state set by the management system.

Removal of the indicator may devalue and/or damage the protected article. By combining the function of the indicator with the daily part of the protected article, the indicator can be permanently associated with the protected article. For example, the indicator may be a logo patch on the wallet, which becomes orange (or some other noticeable or unadapted color) if the wallet is reported in a stolen status; if the wallet is not stolen in a PAMS, the indicator is silver (as the designer desires). Alternatively, the indicator may be embedded into a functional or decorative aspect of the protected item, such as a ring or strap-like accessory of a purse. Also, if the indicator is removed, the protected item may be damaged resulting in a reduction in its value. Alternatively, the indicator may be attached to the protected article by such means that the indicator is removed with a portion of the protected article, or removal of the indicator leaves a non-burnable mark or residue on the protected article.

The indicator interfaces with the PAMS using one or more communicators. The communicators may be electrically connected to the indicators, or they may be wirelessly connected using wireless communication means (e.g., WiFi, bluetooth, or near field communication technology). The PAMS server sends a command to the indicator to display a specific indication. In some embodiments, the status is indicated by a color change, such as a change from transparent to black, or by the presence or absence of a color at a particular location. For example, if a garment is reported stolen, a fabric swatch on a piece of white brand garment may turn brown. Alternatively, the indicator may include a display that displays relevant information, such as displaying the status of the item. For example, if an item is recorded as LOST or STOLEN in a PAMS, the indicator may be caused to display "stop" or "LOST", or no image appears; if the item is recorded as being genuine, text (e.g., "ok") or pictures (e.g., "manufacturer's logo") may be displayed.

Non-limiting examples of key devices

The non-limiting key device of the non-limiting embodiments herein authenticates various aspects of the particular item itself. In some non-limiting applications, the key device is associated with the protected item such that the association cannot be modified, removed, or changed without changing the key device's response to the electronic challenge requesting the current token or damaging the protected item. For example, the key device may be embedded within a structural or decorative element of the protected item such that removal of the key device would damage or reduce the value of the protected item (in the same manner as removal of the indicator would damage or reduce the value of the protected item). Alternatively, the key device may be attached to the protected item in such a way that removal of the key device leaves a mark or residue of tampering with the protected item, marks on the item, and reduces the value of the item. In other alternative embodiments, the key device may be attached to the protected item in such a way that removal of the key device or changing its physical attachment will break or change the electrical connection characteristics between the key device and the protected item, or change one or more physical properties of the protected item that can be sensed by the key device. Both types of changes have the effect of changing the physical properties of the protected item as measured by the key device, thereby changing the tag value calculated using the PUA information. In other embodiments, the key is associated with an invariant property inherent to the item itself.

The key device is interrogated electronically or otherwise by various components of the system and provides a unique set of responses to the interrogation. Multiple request/response sets may be used to ensure that the protected item and the key device are still physically associated and co-located. The information provided in its response by the PUA of the protected article is referred to as a tag value. In some embodiments, the response to the challenge is based solely on the attributes of the protected item and/or the association between the protected item and the key. In other embodiments, the response to the challenge is based only in part on these attributes and associations, and in combination with other aspects of the key device, to verify the integrity of the key and/or the protected item and/or the association between the key and the protected item. Removing the key from the protected item, tampering with the key, or even tampering with the association between the key and the protected item will change the response provided by the key to the challenge. The token returned by the key may be used as an authenticator for the protected item. In other words, if the key is present and a correct set of indicia is provided for the electronic challenge, it can be presumed or inferred that the protected item is present and genuine.

The key in one exemplary non-limiting embodiment is a combination of components including a key controller and one or more sensors associated with the key controller. A single key controller may be connected to one or more sensors and manage them by setting their parameters and reading values from the sensors. Each sensor distinguishes at least one physical property of the protected article that may be measured, e.g., an electrical property, an optically distinguishable characteristic of a material (e.g., a surface defect or change in paper, leather, fabric, or other material). The key controller connects the key component to one or more communicators (and/or wireless networks) and to the sensor using appropriate wires and circuitry. The key controller may be connected to the sensor using a wireless means. The key controller includes a processor that executes one or more programs to convert sensed information into unique or unique signatures for protected items, and to control and manage the sensors, as well as programs that provide a communication interface with other components of the PAMS to communicate signatures and accept queries and/or instructions.

An exemplary key controller is shown in fig. 9A. The key controller includes an embedded processor (910) (e.g., a CPU or FPGA) and one or more memories (e.g., RAM, ROM, or EEPROM) that store control programs executed by the processor. Both persistent and temporary memory are considered part of the key controller. The processor is powered by a battery (920) through a regulator 940a, which regulator 940a charges from a charging source, in this example an inductive charger 930. Other ways of keeping the battery charged are conceivable, such as piezo-based or motion-based charging, solar charging, electrical contact or any other contact or contactless charging.

Connected to the battery and the processor are a plurality of voltage regulators controlled by the processor such that a variable amount of power can be provided from the battery to one or more of the interface components. These regulators include a regulator 940b that controls the amount of power supplied to one or more indicators (960), and a regulator 940d that controls the amount of power supplied to the low power bluetooth communication component (970). The bluetooth communication means comprises one or more antennas (975). To save power, the processor may periodically control the regulator to turn off power to the bluetooth communication means and then turn on power to the communication means when communication with the PAMS management server or the communication controller is required. The indicator and the bluetooth communication means are additionally controlled by the processor, for example to set the value on the display of the indicator and to control the communication content, respectively.

One or more key sensor interfaces (950) are also coupled to and powered by a regulator (e.g., regulator 940c) controlled by the processor. The key sensor interface provides an interface between the processor of the key controller and hardware that measures and reports to the processor one or more physical attributes of the protected item. Examples of key sensor interfaces include resistive mesh interfaces and optical sensors (both described below). The key sensor interface is controlled by the processor using separate control circuitry (as shown).

Fig. 9B illustrates an embodiment of an integrated device that includes a key (e.g., a controller and a sensor), a communicator, and zero or more indicators. The integrated device includes the circuitry of the key controller of fig. 9A and adds additional regulators for controlling communication components for wireless communication, including a WiFi controller 980 and an antenna 985, GPS (global positioning system) circuitry 990 (which has an active antenna 994 and a super capacitor power backup 992), and wireless telephone circuitry (e.g., a CDMA or GSM chipset) 996 and its associated antenna 998.

The super capacitor 992 is charged by power provided to the GPS circuitry and provides a small amount of power when the battery logic is off to keep the GPS configured. This allows the processor to use the regulator (940f) to turn off and reactivate the GPS controller and its active antenna without losing initialization information for the GPS. Significant time and power savings can be achieved when the GPS geographic location is reactivated.

In some embodiments, power control and regulators for the communication circuit and key interface sensor may be omitted without loss of functionality, as the controlled circuits may not require the action of an external power source (e.g., they are powered by the control input).

The key may be identified by a unique identifier (e.g., a key ID) or a derived unique identifier (e.g., a value of a selected set of indicia) when communicating with the communicator. In some embodiments, to facilitate manufacture and retail sale of protected items, it is preferable that factory programming is not required to include unique information (e.g., public/private key pairs and globally unique identifiers of specific keys (e.g., GUIDs)); but rather internally generate these items during key initialization. The integrated device may have a single unique identifier for the device or may have a unique identifier for each integrated component (e.g., one unique ID for the communicator, one for each key controller, one for each designator). Alternatively, the device ID, the password information, the unique identifier, and the like may be unique only for a specific registration between the key device and the management server.

Examples of markers

Each key may generate multiple tokens as part of the interaction with the sensor to which it is connected. In many cases, it is preferable that the key produces a large number of tokens, making it difficult to "spoof" tokens returned in response to queries by the management server. The management server may request one or more tokens from the key by sending a request to the key that includes a token tag for the requested token. The key device responds with the requested tag value.

The key controller manages and generates the token. The tag has the following properties:

repeatability, the marking value can be repeatedly generated from the physical unclonable property of the protected item

Wide and sparse range

Independent of the observable operation of the key.

Two parts are marked: labels and values. The tag is a unique value (for the device) that is randomly generated (at initialization) to identify the tag value. The value of the token is the result of processing the protected item attribute as a function of the input using the PUA and key device information generated during initialization. In some embodiments, the function is a null operation and the returned tag value is the actual PUA read from the key device sensor. The function may use information unique to the current initialization of the key device in combination with a set of PUA values passed through the function (e.g., a hashing or encryption algorithm introduced with an initialization-specific initial value) to replace the input set of PUA values with an apparently random string of bits. This set of bits, while apparently random, is repeatable and can be compared to previously stored values or can be decoded by the recipient to produce a starting PUA value (if encoded using an encryption algorithm).

Each token is assigned a unique token value (e.g., a token tag) that can be used in subsequent operations to instruct the key to determine which token is to be determined, or to identify the key and token when reported from multiple keys. In effect, the key controller maps the requested tag to a value calculated using a particular set of measurements taken from the attached sensor. The tag label is typically created randomly by the key at initialization or may be pre-assigned based on a key controller tag generation algorithm. Thus, the tag label may represent one or more particular sensor measurements from a set of sensor measurements known only to the key device. In short, a marker tag is an ID that may refer to a physical location, a time series, an ordered series, or any other arbitrary identification that distinguishes one marker generated by a key from another marker generated by the same key device. The meaning of the tag does not change from one use of the key to the next, however, the tag is unique to a particular initialization of a key device. One impediment to creating keys is that they preferably generate enough tokens, and the range of generated token values is preferably quite large, non-clustered and sparsely populated. The large non-clustering range makes the returned tag value different from other tag values, and thus difficult to guess. The sparse padding range reduces the likelihood of random guessing success.

A second impediment is that an attacker will not be able to determine valid ones from invalid ones based on the response of the key device.

A third impediment is that an attacker will not be able to determine what the key device/sensor measures to produce a signed result. This limits spoofing of input to the key device.

A fourth impediment is that the mark returned by the key device is repeatable over time.

A fifth impediment is that the indicia produced by the key device and its association with the protected item can withstand changes due to daily use and cleaning. Thus, the key device should respond to the reproducibly generated markings within acceptable measurement limits when the protected item is used within normal daily use, and after a normal cleaning process has been performed. For example, a key device associated with a high value dress must be able to operate to produce a verifiable mark during and after normal use (wearing) of the garment, as well as after any required cleaning (e.g., washing or dry cleaning) of the garment.

One way to attack the key may be to communicate with the key device and observe the results, whether during a response to the communication or during the key device's interaction with the protected item. Key device communications are designed to invalidate these types of observations. The key device operation is similarly designed to eliminate correlation between the tag label of a particular request and the externally visible action of the key device and its sensor.

First, the key maintains an internal cache of "valid" tag values (see the examples of the tag table below). For a request for a valid tag (e.g., a tag known to the device), the key may select the value from the tag table and return the tag value without accessing the sensor (or randomly accessing one or more sensors to obfuscate its actions), or accessing one or more sensors (including accessing some sensors and ignoring the result) and calculating a new tag value. For invalid marker tags, the key computes a random marker value and returns the value. If space permits, the invalid tag label and return value are stored in the tag table and the counter of the invalid tag request is incremented. If the counter reaches a specified threshold, the key device may take other actions, including notifying the PAMS server that it is under attack or setting an indicator to indicate that the key device has been under attack.

By caching known tags and only regenerating tags for certain requests, the key device breaks any causal relationship between a particular tag and a particular sensor activity and/or sensor response.

Each time by reading some or all of the sensors to obtain the requested sensor values, and then selecting a subset of the sensor readings for use in generating the input set of token values, the key device interrupts the relationship between a particular token and the sensor value it uses as input.

Second, the key device creates a new random markup tag for each instance of the key (when the key device is associated with the PAMS server). This limits attacks based on the tag space of the tag and removes attacks against the second key device based on the known tag of the first key device.

Third, the key device associates (maps) the marker tag differently with the computed marker value of each key device. This limits the ability of an attacker to guess the settings or reads associated with a particular tagged tag (or tag location) and further prevents an attack on the entire key device based on this information.

Mark table

The key controller maintains at least one internal table of token information for computing, responding to token requests, and authenticating tokens. Preferably, a list is maintained for each PAMS administration server registered for the key device. The tag table contains the information required by the key device to respond to the tag request of the PAMS management server. An example list is as follows:

the index column indicates the tag label order for certain communications with the PAMS management server. For cache tag tags that do not correspond to known (computed by the key device) tags (e.g., false tags or probe requests from a potential counterfeiter), the index column is set to "-1".

The tag label is a random value that is established when the controller initializes. The values in the column are unique to the key.

The token value is generated by the key device using one or more uncopyable physical properties of the protected item as input. The token is generated by a processor of the key device executing program code stored in a key memory. The program code reads the unique features/attributes from the one or more sensors and generates one or more tag values from the features/attributes. Generally, the generation of the mark begins with a list of features/attributes (e.g., PUAs) of the protected item as determined by one or more sensors. From the list of features/attributes, the tag generation algorithm selects one or more features/attributes as inputs to the tag generation algorithm. Not all features/attributes need to be used in the tag generation. The selected feature/attribute may be a single feature/attribute, may be a set of features/attributes, or may be all of the features/attributes. The tag generation algorithm then selects the order of these selected features/attributes for tag generation. The permutation sequence greatly changes the resulting marker value. For example, the selected order may be in ascending order of presentation, may be in descending order of presentation, may alternately display the features/attributes in presentation, and so on. The same set of features/attributes may be ordered in different ways to produce different tag values, thereby increasing the number of tags that can be generated from a set of features/attributes.

The features/attributes are passed through a position sensitive function to compute the marker values. Examples of such algorithms include cryptographic hashes, such as MD5 and CRC. The algorithm is position sensitive so that changes in the input sequence produce different results, allowing many tokens to be generated using each set of features/attributes.

For example, one simple tag generation algorithm is the CRC-16 algorithm that includes bytes of an array of functions/attributes. Consider an array of four feature/attribute (PUA) values.

Index	PUA value
			0	0x 0001
1	0x 0002
		2	0x 0003
3	0x 0004

In increasing index order, the CRC-16 calculation of bytes yields a different result than the calculation of bytes in decreasing index order. The following table illustrates the wide variance of the calculated tag values using CRC-16 calculations based on the feature/attribute (PUA) input order.

Other input order arrangements are possible.

Different algorithms (e.g., MD5 hashing) produce longer output strings at smaller input sizes.

In general, the above table illustrates how a relatively small number of feature/attribute values may be used to generate more unique indicia that uniquely identifies a protected item.

The sensor ID column identifies the sensor to be used by the key controller.

The sensor parameter column identifies parameters for configuring the sensor. The sensor parameters vary depending on the type of sensor and may be randomly selected for certain types of sensors. For example:

for an optical sensor, the sensor parameters may include illumination, sensor exposure, and lens settings.

For a resistive sensor, the sensor parameters may include the settings of the control pins (e.g., which pins are set to a particular voltage, which pins are set to ground, and which pins are set to not connected).

The marking algorithm column identifies the marking algorithm and any necessary parameters for the algorithm. For example, the column may identify CRC-16 or MD5 as the tag computation algorithm to be used, as well as any required initialization parameters for that algorithm.

The timestamp column identifies the last time that the communicator or PAMS server queried a particular tag label. The timestamp is used to determine whether the tag should be recalculated (e.g., re-read the sensor) or whether the cached value can be used.

Example of a tag mapping to a tag entry

In some embodiments, an optional feature of the key is that it maps the tag label to a tag entry on a specific instance basis. This breaks any relationship between the location of the tag label in the tag table and any underlying hardware configuration. Alternatively, the tag tables may be reordered after they are populated (possibly by ordering by tag label values in ascending order) to break the ordering of any interdependencies between the tag tables and the hardware.

Fig. 10 shows the effect of this ordering and how it masks the underlying sensor mapping.

It may be desirable for the key to be able to withstand tampering or to respond in a known manner to tamper detection in a defeat response. It is further contemplated that any such key device failure may be detected through normal querying and communication of the key device.

Examples of Key devices/Key types

Several types of keys are envisaged depending on the type of protected item associated, the type of sensor required and how the key device is integrated with the protected item.

Resistive grid key

Randomly printed conductive keys

Variable conductive adhesive

Optically sensitive key

RFID Key

Creation of resistive mesh keys

The process of creating a resistive grid key creates a device for displaying item-specific electrical characteristics (e.g., resistance value, voltage) measured by the sensor of the key to display unique properties of the protected item. Resistive mesh key technology is useful for detecting electrical characteristics of one or more aspects of a protected article. The resistive mesh key includes an electrical characteristic sensor (e.g., a resistance sensor, a voltage measurement sensor), a mesh between measurement points where the electrical characteristic varies based on a property or aspect of the protected item (resistive mesh circuitry), and processing techniques provided by the sensor and/or key controller for displaying and reading the unique value produced by the resistive mesh circuitry.

Resistive mesh keys are useful when the protected article has independent electrical properties that vary with the configuration of the protected article and can be measured, or when components of the protected article having these electrical properties are embedded into solid components of the protected article (e.g., the purse bottom, buckle, watchband holder, shoe sole, and heel). The other places where the resistive mesh key may be applicable is determined by the design of the protected article and may be utilized.

A generic electrical characteristic sensor operating with a resistive mesh, and typically operating with a resistive mesh, provides a generic circuit for determining characteristics of the resistive mesh and the electrical network.

In one embodiment, the electrical characteristic sensor can determine the electrical characteristic by applying a known voltage, ground, or resistance to one or more leads (leads 220 of fig. 3A) and measuring the resulting resistance/voltage on the second lead. Many embedded microcontrollers provide an analog/digital interface to directly power these leads of the embedded controller. Alternatively, the circuitry for powering these leads is well understood and may be added by the key designer as needed.

Typically, each lead in a set of leads is connected to one of ground, a known supply voltage (e.g., Vcc), or a high resistance (high Z). The body of the resistive network produces a resulting voltage that can be read from the second conductor. This is in effect the use of the measured electrical characteristic as a voltage divider, which has many advantages. First, thermal changes in resistance are offset, eliminating the problem of temperature-based repeatability. Similarly, changes in voltage (e.g., caused by low battery) are also offset. Finally, it produces a large number of measurable combinations, with an 8-lead arrangement producing at least 15446 possible combinations, and a 10-lead arrangement producing at least 186600 combinations.

In one embodiment, the microcontroller of the key controller randomly determines (at initialization) initial values associated with each lead wire connected for proper electrical measurement. The initialization values define whether each lead is:

0-set to ground

1-set to Vcc

2-is set to hi-Z

3-use the pin as an analog input (e.g., connected to an A/D converter to read a value therefrom).

The initial value for each lead may be encoded and stored as two bits, or as a particular voltage/resistance for use.

The randomly generated initial value is checked for validity (at least one ground, at least one Vcc, exactly one analog input), and for reproducible results (e.g., less close to measurement boundary conditions), invalid entries are regenerated, if necessary, until a valid initialization vector is created. The verified initial value is stored in a memory of the key for later use. Spoof values may also be generated and stored in a similar manner.

By applying mathematical techniques during initialization and simple testing of the resistive network, we can characterize the starting conditions and measurement thresholds that will give enough properties to create the mark and store these starting conditions, measurement thresholds, and lead settings as initial values. Alternatively, we can store the seed values into a repeatable algorithm as initial values to calculate the lead settings. The combination of generated invalid or non-repeatable initial values may be discarded to generate valid, reliable values using a lead-based value filter. These techniques for initialization make the electrical characteristics measured for the protected item unpredictable between keys, but repeatable for any given key.

In one embodiment, electrical characteristic measurement leads extend from the integrated device controller/measurement resistor array to a set of contacts attached to the protected article. These contacts may be in the form of a connector, a set of contact plates, or a set of pins, depending on their intended use.

Fig. 3A and 3B show a first example of a resistive mesh key. FIG. 3A is a side view of a resistive mesh key. It includes a key controller (205) and a resistive mesh key circuit board (210), the circuit board (210) having a contact/connector (220) attached to the circuit board and electrically connected to each trace (230) etched thereon. The key controller (205) includes a key sensor interface that also includes sensitive electrical characteristic measurement circuitry, and driver circuitry that applies known electrical characteristics (e.g., voltage, ground, and resistance) to at least one component of the resistive grid. In one embodiment, an optional multiplexer selects different electrical paths through the circuit using pins that select the contact/connection being measured. In an alternative embodiment, no multiplexer is used, and the defined inputs are applied to all but the leads connected to the circuit, and the remaining leads are read for the value of the entire circuit.

In a first embodiment, the variable resistive mesh circuit is implemented as a circuit board (210) preferably having a plurality of traces, each electrically connected to a different pin of the key connector. Conductive fibers (240) are randomly interspersed on the traces to provide intermittent conduction between each pair of traces. In essence, the fibers form bridging elements that electrically bridge traces on the circuit board with different conductivity materials at randomly selected locations. In one embodiment, the conductive fibers comprise carbon fibers of different lengths and diameters. The circuit board, traces and conductive flex are encased in an epoxy or other non-conductive polymer coating (250) to secure the flex to the traces, prevent conductive fiber movement, and limit tampering with the resistive mesh key.

In a first embodiment, fig. 3B shows a top view of an exemplary resistive mesh key.

In another embodiment, the variable resistive mesh circuitry may be implemented by printing conductive traces and/or bridging elements of the resistive mesh key chip using one or more conductive inks. The traces may be pre-printed on the resistive mesh chip and only the bridging elements printed to produce variable electrical properties. Alternatively, both traces and bridge elements may be printed using a pattern of traces and bridge elements selected by the printing program. The selection may be random or may be based on one or more templates having a random factor. The arrangement and electrical properties of the printed parts of the chip can be varied by adjusting the dimensions (width, thickness) of the lines and the ink properties using a printing program. The printing of the "bridging" elements may use different types of inks or by varying the inks used (to include inks of different electrical characteristics) to further vary the electrical characteristics of the printed resistive mesh circuit.

In one embodiment, the circuit board is created with traces and connectors (and other portions as necessary), as described above. Conductive material is sputtered onto the circuit board (or printed in a pattern similar to random sputtering) to form conductive paths between the traces, and a circuit board coated with epoxy or polymer as described above is obtained.

The bridging elements are placed in the resistive mesh circuit using a natural stochastic process (e.g., sputtering) in which conductive ink is sputtered onto a substrate with conductive traces, creating a unique PUA. To create circuits with essentially random characteristics, sputtering creates a random pattern of conductive ink on the traces. Other methods of ink patterning may also be applied.

In an alternative embodiment, a paste-like or solid-like variable resistive mesh circuit may be formed by partially mixing conductive elements into a settable matrix (e.g., a polymer or epoxy). In these embodiments, conductive elements (e.g., carbon fibers or metal beads) are mixed into a matrix compound (e.g., a polymer, liquid plastic resin, or other similar compound), and the resulting compound is shaped, cast, or cast into a desired shape, which is provided as a solid having variable electrical properties at different points. The key controller and leads may be attached to the resulting solid body, or embedded in the matrix, or partially embedded in the matrix before it hardens. Due to the incomplete mixing of the matrix and the conductive element, the electrical properties of the matrix/conductive element solid will naturally change, forming a multi-way variable resistance within the resulting solid. The solid may be formed and/or cast as part of a protected article as desired.

Alternatively, the same technique may be used for the gum base substrate and the conductive material to fabricate the variable resistive mesh adhesive layer. The variable resistive mesh adhesive layer may replace any glue or adhesive used in the construction of the protected article, or may be used to attach portions of the PAMS system to the protected article.

Each variable resistive mesh circuit may be operated by a key controller that measures an electrical characteristic of the variable resistive mesh circuit by applying a known voltage or current (generally, power), ground, or known resistance to one or more portions of the circuit (e.g., by powering one or more wires, grounding one or more leads, or connecting one or more leads to a known resistance (or leaving them unconnected to achieve an infinite resistance)), and by measuring an electrical characteristic from a second lead. The resistive PUA is one of the measurement objects.

Each lead may be set to a particular voltage, ground, or high resistance (e.g., unconnected) by the key controller, or may be connected to a sensor that reads the electrical characteristics of the lead based on the sensor initial values. For example, for a first setting of the key controller, pin 1 may be powered with +5V, pin 2 being readable; in a second arrangement, lead 2 may be powered with +5V, and lead 1 may be read. In yet another example arrangement, pin 1 may be set to ground, pin 2 may be set to +5V, pin 3 may be set to not connect, and pin 4 may be read. Depending on the number of leads available, a large number of power, ground and no-connect lead arrangements may be provided.

In a first mode of operation, the key operates by applying a voltage to each pin of the connector and reading the resulting electrical characteristic (e.g., voltage/resistance) from the other pins. In some embodiments, digital to analog and analog to digital signal converters (not shown, in the key controller logic) and communication components are made part of the key. The resulting set of readings provides a unique signature of the electrical characteristics of the protected item as measured by the key device, which is difficult to copy and replace.

In a second mode of operation, a key supply having a known voltage on one or more measurement leads and a voltage generated from the measured circuit are created by using a grid read from another lead. Each simulated conductive path through the resistive mesh will contribute a portion of the generated voltage being read and the overall characteristics of the resistive mesh being calculated. Changing the resistance of any one resistive path through the resistive mesh will change the resulting voltage measurement.

The key controller operates by determining one or more pin configuration settings, associating the determined settings with a particular token request, and saving the settings within the controller. Each time the key controller is interrogated for a particular token, the key controller configures the measurement leads according to the setting of the requested token and reads the generated value from the circuit. The read value is used as input to a tag generation calculation performed by the key controller. In addition, changing or tampering with the resistive mesh circuit will result in a change in the reading, which in turn will produce a different signature.

Alternatively, the indicia generated from the electrical characteristic key may be derived by reading a set of readings from a variety of leads associated with a set of selected settings. In this embodiment, typically, multiple settings per lead are required for each key read, and the electrical characteristics (e.g., PUA) of each setting of the key processor are read, with the PUA results stored in an ordered list or array of readings. The read list is then used to generate a signature for the key by using a particular PUA selected based on the list or array, permutation of hops, and offset setting algorithm described herein.

In alternative exemplary embodiments, the processor may use a random number generator and initial value seeds to generate a list of electrical characteristic settings for each lead, and a set of tested settings to ensure accurate selection of one lead for which reading is desired, at least one lead selecting a non-zero power input, and the other leads set as a power input, a resistor, or ground. The requested flag is then generated using the generated settings list.

Integration of keys within protected items

The generated keys may be made part of the protected item, molded into part of the protected item, or otherwise integrated, making it difficult to remove the keys from the protected item without damaging one of the keys or the protected item.

In some embodiments, the resistive mesh key may be printed on a component integrated into the protected article, or may be printed directly on the protected article.

The resistive mesh key may be constructed as part of the protected article, which may prevent the resistive mesh key from being manipulated or otherwise alter the PUA measurement provided by the resistive mesh key if the protected article is tampered with. In a first exemplary embodiment, the resistive mesh key may be integrated as part of a hard sheet component of the protected item (e.g., a purse or handbag bottom, a buckle back plate, and similar applications). The resistive mesh measured by the resistive mesh key is provided by the material that forms part of the protected item to which the key is attached, for example, the material used to form the bottom of a handbag or the back plate of a buckle.

Alternatively, the key may measure a characteristic of at least some of the material from which the protected item is constructed, such as the resistance of a liner within a purse or courier bag. In each case, when determining the metric used, the key measures at least one aspect of the protected item, in part to create the mark. The key may similarly measure one or more electrical characteristics (e.g., resistance, conductance, capacitance) about the adhesive layer, grommet, closure or seal of the protected article, which is used to determine whether the grommet or closure has been opened and/or the seal has been broken, and to determine whether subsequent indicia for determining the measured portion of the article has been tampered with or broken since its initial creation.

The resistive mesh key may be constructed as an integral part of the solid component of the protected article, such as being cast into the heel of a shoe or molded into the handle of a handbag. In these cases, the electrodes of the resistive mesh key measure the resistance of the solid part material around the key. Figures 4 and 5A, 5B illustrate one particular way in which the key is integrated into the protected item. Fig. 5A, 5B show multiple locations on an exemplary wallet where keys may be integrated. The key may be integrated within a rigid component, such as a back plate (440), a clasp (430), a leg (300), or a back plate (420). Fig. 4 is an example of a cross-section of a key cast into a purse leg demonstrating the measured aspects of how the key is configured for use in constructing the material of the protected item. The key may be contained within the article and may take any of the forms described herein, for example, the protected article portion may have a variable resistive circuit cast into it, or if a variable resistive polymer is used, a key controller chip embedded within it and cast together, where the key controller chip reads the properties of the variable resistive polymer comprising the protected article portion. In each case it should be noted that the key measures the structure as part of the protected article, and each protected article instance has a structure that naturally produces a different PUA, so that a substitution attack on the key itself would only result in an unexpected value being returned to the PAMS (and the protected article failing the test).

In the case of using an adhesive to attach a key to a protected article, one aspect of an article suitable for use in generating a PUA is used to monitor the integrity of the attachment adhesive. If the adhesive used is partially and/or variably conductive, a key controller having an electrical characteristic measurement sensor interface may be used to measure the electrical characteristics of the entire adhesive. If the bond is tampered with (e.g., the key is removed from the article), the electrical properties (e.g., resistance) of the bonding material measured between the two leads will change, and this change will be detected by the key. Other methods of verifying bond integrity may be used, such as embedded resistance wires.

In the exemplary embodiment shown in fig. 11, a key (1100) comprising an electrical characteristic sensor is attached to the protected article (140) such that the measurement leads extend into the layer of variably conductive adhesive to incorporate the key into the protected article. The leads are positioned to measure the resistive grid created by the variable conductive adhesive. The electrical resistance characteristics of the adhesive are measured and a signature is generated by running a signature generation algorithm. In an alternative exemplary embodiment shown in fig. 1G, a resistive grid key (e.g., a key having an electrical characteristic sensor that measures resistance) is attached to the protected item with the resistive wire extending into the adhesive layer. The resistance characteristics of the resistance wire can be measured and used to determine the integrity of the adhesive layer. When portions of the embedded protected article are tampered with, then the integrity of the circuit is measured and the resistance wires on which the measurement system relies break or stretch (and change their resistance values).

Creation of optical property keys

In some embodiments, the key may be created using an optical sensor that provides an image that provides information for creating the mark or the image processing results for creating the mark. One approach is an optical key that includes an optical sensor that takes a macroscopic (e.g., magnified) image of a portion of the protected item, identifies one or more features in the macroscopic image, and then computes one or more markers from the macroscopic image features. Thus, these markings are based on visible attributes that are part of the protected article construction, such as unique patterns of defects, manufacturing tool markings, fabric weaving, and stitching, which may collectively uniquely identify the protected article. Alternatively, visible properties may be calculated, such as edge patterns determined after processing the macroscopic image using an edge detection algorithm. The computation of these tokens from the image is typically performed inside the key using the embedded processor, memory and image sensor of the key itself. Alternatively, the key may include the processor, image sensor and communication means, and the act of capturing an image of the protected item and transmitting the captured macro image to the PAMS server, wherein the PUA is identified and the tag calculated and compared to the previously captured tag.

Optical property keys generally include a key controller and optical sensor assembly, which also includes an optical key controller that includes a key controller controlled optical sensor (e.g., a camera chip for visible, IR, and/or UV detection), a key controller controlled lens (focal length), and a key controller controlled illumination (e.g., an LED or other light source). The key controller provides logic and connections to control the operation of the optical sensor, lens and lighting system. For example, the key controller may control the lens to set a particular focal length and/or magnification, and may control the light source to control intensity, wavelength (color), etc.

The optical property key may include one or more optical sensors (e.g., digital cameras) coupled with the lens and the lighting device, the optical sensors being oriented such that the lens and the sensors are positioned to capture a macro image of a protected item to which the device is attached. In one exemplary embodiment, the optical sensor is placed within the hardware enclosure such that it protrudes outward through the bottom of the integrated device hardware (attached to the surface of the protected item). When optical sensors are used, the integrated device hardware may provide optional illumination (e.g., LEDs) as needed to illuminate the protected item. The adhesive layer is formed with voids and therefore does not block the optical sensor/lens.

The optical sensor is an optical sensor with high resolution, such as sony IMX145, coupled to a lens that effectively magnifies and focuses an image of the protected item. The lens provides a suitable magnification, for example 1 to 50 times, for the feature captured in the image. For example, experiments have shown that a magnification of 10 x can provide sufficient magnification to account for the PUA characteristics of U.S. passports, cover leather, and paper.

In reading data from the protected item, the key controller sets optical sensor parameters (e.g., exposure length), lens settings (e.g., focal length, magnification), and lighting conditions (e.g., light intensity, light color [ wavelength ]), and then captures at least one image. The key controller extracts an image from the sensor and performs one or more feature extraction algorithms thereon. In order to compare the features of two images in an "apple-to-apple" comparison ("apple-to-apple" compare "), an accurate position of the sensor relative to the protected item, or an image registration and cropping step, is required. Feature extraction algorithms may be selected and adjusted for a particular type of image to be processed, and attributes such as texture, weave, grain, and similar features identified in the image are taken into account. As an example, ORB feature extraction with hamming distance works well in extracting the unique microscopic features of the us passport cover. The generated list of features (and/or feature locations) of the image is then combined with a tag generation algorithm to generate one or more tags for the protected item. Changing the protected article or moving the optical sensor assembly relative to the protected article will produce different images having different characteristics. This will cause the same set of features to no longer be generated during feature extraction and the same labels to no longer be generated.

Image registration may be performed using features identified in the images, such as a set of intersecting stitches, cuts or indentations in the material, or edges of the imaged material, or by identifying a set of features in the images that have similar distance and angular relationships between the features.

In the exemplary embodiment shown in fig. 12, the optical key (1110) is attached to the protected article (140) such that the image sensor senses the piece of fabric that is part of the protected article. The key is attached using an adhesive (1220) such that the image sensor (1250), illumination lamp (1240), and lens (1230) of the key are directed at the fabric that is part of the protected item. An image sensor captures an image of the fabric under visible light with high magnification, processes the image to detect lines, fabric stitches, and stitches in the observed fabric image, and determines features based on: (a) fabric/thread defects, (b) location within the image, and (c) the relationship (distance/orientation) between the stitch and the fabric weave pattern. The fabric image produces on average 5 to 1500 unique identifiable features (e.g. PUA-based features) which are then further selected and filtered to a repeatable subset of features. These features are then processed by a tag generation algorithm to generate a tag. Similar results have been obtained when processing images of fabric, leather and some plastic document covers taken under 10 x magnification and bright white illumination. Commercially produced paper images can use 10 x magnification and UV illumination to achieve similar results.

In another alternative embodiment, the optical key is attached such that the image sensor senses a portion of the cover of the protected document (e.g., a U.S. passport). The passport cover is typically a plastic impregnated fabric. The image sensor photographs the cover of a document at 10 times magnification using high intensity white light. The key then processes the image to detect the pattern of cover texture made in the passport cover and determines features based on these texture features. Features in the image have different shapes, orientations and locations. The passport cover may recognize 300-1500 unique identifiable features on average. The identified features are filtered and compared to a list of repeatable identified features and a tag generation algorithm is run to produce an associated set of tags that uniquely characterize the key and the passport.

The initialization sequence for the optical key is slightly more complex than the initialization sequence for the resistive mesh key. Fig. 14A illustrates a step-by-step process of initializing an optical key. In step 14100, the optical key creates a unique local public/private key pair and saves the key pair and other initial values in the memory of the key device (step 14110). This key pair will be used in implementations that utilize public key cryptography. Similar techniques may be used to generate symmetric keys for symmetric key based approaches. In an alternative embodiment where encryption is not used, other indicia that produce the initial value are randomly selected and stored in the memory of the device. Illumination settings (e.g., wavelength, intensity), lens (e.g., focal length) settings, and sensor exposure time are also selected and stored as part of the initial value settings. In some cases, the initial values are determined experimentally, from which a repeatable PUA can be obtained by taking multiple images under different conditions and selecting settings that yield acceptable images. Alternatively, the key may use multiple feature recognition algorithms. The tag table is also cleared and an offset/skip value is selected for each tag at initialization.

The key then sets the sensor using the previously stored initial values and acquires the first image from the sensor, calculates its features and creates a list of the obtained features (step 14120). The features may correspond directly to the PUAs of the article, or a set of features in a particular arrangement may correspond to the PUAs. The determined list of features is optionally added to a list of stored initial values in the device memory.

The key then takes a second image from the sensor, calculates its features and creates a second list of features. The two feature lists are then normalized and sorted according to position in the image. The resulting feature lists are compared to determine common features between the images. A high percentage of common features indicates that the current sensor and feature detection algorithm settings are capable of reliably and repeatably determining features. The best "N" repeatable features are selected for calculating the markers. "N" is selected based in part on the image quality, the number and quality of features detected, and the number of features required to generate the marker. In some embodiments, the first "N" repeatable features are selected. In alternative embodiments, additional processes will be employed to analyze, filter, and select the "N" repeatable features.

In some implementations, multiple feature detection algorithms may be used, and the "N" features are determined based on the outputs of these multiple algorithms. Experimental tests have shown that 30 to 40 retention features yield enough information to create enough markings for paper, leather, and certain types of documents and document covers. Increasing the number of identifying features may not necessarily improve the identifiability and resulting robustness of the created markings. In some embodiments, the "first N" features are stored as initial values in the device.

The "first N" features are used to calculate a plurality of marker values. The features are organized as a linear array and multiple tokens can be generated from a single feature list using the location based feature selection algorithm as described above and by varying the offset and skip increments of selection from the feature array. The offset and jump delta used to calculate each marker value is stored with each generated marker in a marker table for subsequent use (step 14150).

The created tag values may then be associated with one or more tag labels, with the labels, tag parameters, tag/tag value mappings, tags, tag locations, timestamp of tag creation, etc. being stored as part of a tag table (14160, 14170).

The key then reads the tag table and sends a tag/value list (in the requested external order, which may be the same or different from the sequence tags stored in the tag table) and the public cryptographic key (if needed) to the PAMS management server (step 14180), which stores this information for later use (step 14190).

The image key responds to a device query requesting authentication of a particular tag label by returning the corresponding tag value using the process shown in fig. 14B. Alternatively, the key may periodically perform new measurements and send them to the PAMS management server without an initial request. Obfuscation techniques may be incorporated into the final process, for example, capturing multiple images with different sensor settings each time a mark is requested. The general process of verifying the tag value is as follows:

(a) the device receives a request that is confirmed to be from a known authorized requester (14510). Invalid requests are immediately rejected or ignored. Based on the request, the key device determines whether a new image is needed (based at least in part on the timestamp in the tag table). If no new image is needed, proceed to step 14590.

(b) If a new image is required, the key device obtains sensor settings (parameters) from the previously stored initialization information (in the tag table), sets the sensor according to these parameters, and obtains a third image from the sensor (step 14530). Features are then determined from the newly acquired image using a particular feature detection algorithm, processed in the same manner as the initial feature list to determine repeatable features, and a new "top N" repeatable feature list is computed using the third image features (14540). The computed top feature list is matched against the stored top feature list (14550) and an acceptable match is tested (14560). Note that an acceptable match does not mean a complete 1: 1, but rather there is a significant proportion of matching features. The acceptability of a particular match is determined based on the material being measured; with the sensor device used and its settings, and the feature detection algorithm and parameters, if the matching of the feature list is not acceptable and there is an attached indicator, the key device optionally sets an indicator to indicate that the protected item has been tampered with (14570). Using the stored initial values (e.g., private key, start index, jump value, and other information from the initialization store and/or the tag table) and the computed feature list, a new set of tag values is computed and the newly computed set of tags is associated with the appropriate tag labels. The timestamp of the updated tag value is updated to the current timestamp [ or counter for key devices that do not have an internal clock ] (step 14580). This has the effect of replacing the last seen marker stored in the device and enabling the caching of these values. Look up the requested tag in the tag table (tag index is further replaced with tag value using the optional tag index map) and return the requested tag (steps 14600, 14610) to the requestor.

Creation of RFID keys

In the exemplary embodiment shown in fig. 13, the key (1110) is attached to the protected item (140) containing the RFID chip. The key is configured with an RFID sensor (1330) and optional protective shielding (1340), the RFID sensor being positioned so that the RFID chip can be interrogated using very low power settings, the shielding blocking external RF signals to increase the sensitivity of the RFID chip and to inhibit spoofing from external (interfering) RF signal sources from acting directly on the RFID sensor. In another exemplary embodiment, an RFID chip (1350) may be added to the adhesive layer (1320) to bind the key to the protected item.

The identified features are filtered and a token is generated by running a token generation algorithm.

The key may be constructed using one or more of the above techniques, and thus a combined sensing key of resistive, optical, and RFID may be created.

Examples of Using the System

There are many processes associated with PAMS. The following describes the selected key process.

Creation of a protected article

Transportation, distribution and management of protected items in wholesale/pre-sale supply chains

Sale/resale of protected items

Associating a protected item with one or more communicators

Regularly enquiring/reporting/setting the status of a protected item

Display the status of the protected item.

Protected item creation

Fig. 6 (process flow 6000) illustrates the creation of a protected article and is described below.

1. In step 6010, the appropriate key/indicator/communicator is embedded into the protected article during the manufacturing process, creating the protected article as dictated by the design.

2. As part of step 6020, the protected item and its keys, indicators, and communicators (if any) are registered with the PAMS server. Registration includes the process of discovering the key associated with the protected item through interrogation by a communicator in the factory, and checking the operation of the key during manufacture.

3. Initialization of the key is performed (step 6030) (described below). This step varies according to the type of each key that is initialized.

4. Step 6040 involves the step of associating the source and related information with the protected item in the PAMS database. Such information may include date/time of creation, material and component specifications, make and model, values displayed on a pointer associated with the protected item, and the like.

5. Step 6050 includes logging the log information to the PAMS. These steps include recording the manufacturing and distribution information, as well as the first sales information (factory and/or designer direct sales of protected items) into the PAMS in a log associated with the protected items.

Initialization of key/communicator

This process describes the initialization of the system using a new key that is part of the protected item. This process is performed during manufacture when a new protected item is created. Alternatively, when the protected item is repaired at the factory or at an authorized location at the factory, the key device may be reinitialized and the previous token value no longer valid. In some embodiments, a key device may be initialized once for each PAMS server associated with its key device.

1. Step 7010 includes registering the communicator and protected item ID in the PAMS management server database. If the keys are pre-associated with the protected item ID, the keys are also registered.

2. Step 7020 includes setting the state of the protected item/flag value to (unassociated) and clearing any previously established associations between communicators and keys. This step resets all information previously established and records the reset in the log of the protected item.

3. For each key identified (either by association or by discovery), iteratively (step 7030) using the key device to determine a set of unique tag labels and values, reading the PUA values associated with the labels from the key device (step 7040), calculating the generated tag values, and storing the unique tags in a management system database associated with the key, protected article, and communicator. The update is also recorded in the log of the protected item (step 7050).

4. Step 7060 associates the key, protected item and communicator (if not previously associated) in the PAMS database.

In particular, for a resistive mesh key, the step of creating a unique value from the key further comprises at least one iteration of the following additional steps:

a. at least two electrodes (leads) are selected to measure the electrical characteristics between the two electrodes and to determine the electrical settings to be used for each electrode.

b. A signal comprising a known voltage and amperage is applied to at least a first electrode of the selected set of electrodes.

c. An electrical characteristic (e.g., voltage) value is read from a second electrode in the set of electrodes.

d. Repeating steps (a) - (c) for each pair of leads.

e. Converting at least one of the read electrical property values to a tag value.

In an alternative embodiment using a resistive grid key, the step of using the key to create a time-domain unique value further comprises the additional steps of:

a. at least two electrodes are selected to measure an electrical characteristic therebetween.

b. A signal comprising varying (known) voltage and current intensities is applied to at least a first electrode of the selected set of electrodes (e.g. a sine wave).

c. At intervals, the generated electrical property values are read from the second electrode of the set of electrodes.

d. The at least one time interval converted and read electrical property value is converted into a tag value.

Authentication of protected items

As shown in FIG. 8, in the authentication process of a protected item, the system uses one or more keys and a communicator to authenticate the protected item associated with the key by:

a. in step 8010, the communicator identifies available key devices for the protected item and sends a communicator ID, and optionally one or more identified key device IDs, from the communicator to the PAMS management server. Other information, such as GPS and/or location information, may also be forwarded to the PAMS management server in this communication.

The pams management server receives the communicator ID and the key ID and looks up information about the associated protected item. The PAMS management server selects one or more tokens to authenticate and sends the token tag for the desired token to the communicator for forwarding to the key. The selected tag may be selected based on a timestamp, LRU, cache, random selection, or other technique. For example, a pseudo-random number sequence may be used to specify which subset of tag labels to select for a particular authentication request. The PAMS server also assigns a transaction ID for this validation (for tracking purposes).

c. In step 8020, one or more key challenge instructions are received from the PAMS management server via the communicator, the key challenge instructions including a tag label for one or more desired tags. The communicator may also receive the unique transaction ID for subsequent use. The communicator forwards the requested tag to the key device.

Step 8030 involves the key receiving a key challenge instruction, looking up the requested tag to determine the sensor and sensor settings to use, and translating the key challenge instruction to identify the pair (the type of challenge to be performed, the settings for performing the challenge). Note that the key may be required to provide all tag values, some tag values, or even different sets of tag values from one request to the next. In some cases, the key may be required to have a non-existent tag value to check its response (and confuse a potential attacker).

In the key, for each identified (key, label) pair, step 8050 is repeated: (a) determining how to interrogate the sensor, (b) performing an interrogation of the sensor, and (c) recording sensor values/identified characteristics in a defined order or in accordance with association with a particular sensor setting, and (d) calculating a tag value based on the newly recorded sensor values/characteristics. The defined order is specified by the PAMS server and may include all or a selected subset of known tag labels and values that may be arranged randomly or sequentially. Other interrogations of the sensor may be performed by the key to obfuscate the mapping of the tag label to the sensor settings. The key is queried using a completely random number that has not been previously registered without any complaints.

d. In step 8060, the requested marker response value is sent from the key device to the PAMS server via the communicator in the requested response order. An interrogation instruction (for stateless operation of the database), a communicator ID and/or a previously received transaction ID are optionally sent if desired.

And e, the PAMS management server calculates the validity of the received information and determines the validity of the received mark. A validity determination is made based on matching one or more of the received tags with the stored tags in the PAMS management server. Note that not all received tag values must be validated by the PAMS server to make a validity determination. Some values may be ignored (their request is for obfuscation purposes) and in some cases a small portion of the token values may be allowed to mismatch (in the case where feature detection is not fully reliable). The PAMS management server may optionally record the validity determination in a database. In step 8070, the communicator receives an authentication response from the PAMS management server.

f. In step 8080, using the received authentication response, the communicator sets one or more indicators associated with the protected item to respond to the receipt (or non-receipt) of the authentication response and/or its contents.

Upon receiving the token from the key, the PAMS management server compares the token with previously stored tokens in the PAMS database. Depending on the key type and token provided, the comparison may not be a perfect match, but may be "within a specified tolerance range". For example, the tag of the resistive mesh key may be decoded and compared using a 5% tolerance value.

Attaching an integrated device to a customs document

Fig. 15 shows an example of using an integrated device 1000 (with any or all of the disclosed sensor patterns) to attach a key device 1004 to an official document (e.g., passport 1002) that is susceptible to loss or theft. The integrated device 1002 enables the passport 1002 to be located when separated from the issuer and provides a mechanism for tracking the stolen or lost passport 1002 before it is improperly used, as well as further identifying the current status of the document. One impediment to using the integrated device 1000 in this manner is to attach the key device 1004 to the passport, making it difficult to remove without leaving a mark. Typically, this is achieved using a strong adhesive (e.g., epoxy). Hard adhesives that are affixed to a flexible substrate such as a passport cover often suffer from adhesive strength issues, including the ability to "peel" the adhesive from the cover, thereby allowing the integrated device to be separated from the passport.

Another mechanism is to use a peelable adhesive that adheres strongly to the passport and also to the housing of the integrated device, but has a weaker layer that fails when subjected to force. When force is applied, the peelable adhesive separates from one or more predetermined locations provided by the weaker layer, leaving a first remaining portion attached to the passport and a second remaining portion attached to the integrated device, and a portion of the weaker portion will be attached to each of the remaining portions. Each remaining portion may change color to a unique (different) color (e.g., due to exposure to air), or as a visual indicator to show that the integrated device has been removed.

A more interesting mechanism could be to have the integrated device recognize that the integrated device and passport have been separated and the integrated device take action to display an indication and notify the PAMS server that the integrated device and passport are no longer associated with each other.

In an exemplary embodiment, the integrated device may monitor internal inertial/shock sensors and take action if a shock greater than a predetermined level occurs (e.g., inertial sensor trigger). The action may include one or more of the following: a) displaying an indication on the integrated device; b) reporting to the PAMS server; c) further action is taken to verify the integrity of the integrated device and passport. For example, an inertial sensor may trigger an impact greater than 5G or 25G (or any arrangement between 5G and 25G). Alternatively, the inertial sensor may be triggered if motion of the integrated device is observed consistent with a predetermined pattern. For example, the integrated device may be preprogrammed with an inertial motion pattern indicating twisting and rotation of the integrated device detached from the passport, and programmed to notify the PAMS server if an inertial motion matching the preprogrammed pattern is detected. In an alternative embodiment, the integrated device may record inertial motion and forward information about the motion to the PAMS server, where the recorded motion information is matched to one or more patterns to determine whether the integrated device may be detached from the passport.

In an alternative exemplary embodiment, a conductive adhesive layer is used, and the integrated device monitors one or more electrical properties of the adhesive layer. In one embodiment, the adhesive layer has a variable conductivity and the integrated device has measurement pins or leads inserted into the adhesive layer. If the electrical properties of the adhesive layer change by more than a specified amount, the integrated device takes the action described above. In some embodiments, the adhesive layer may have fine conductive lines embedded therein. This is particularly useful when using a peelable adhesive layer and passing the wire through a relatively weak interface layer. Separation of the adhesive layer may result in stretching and/or breaking of the wire, which may alter its electrical properties. Likewise, if the electrical characteristics of the wires embedded within the adhesive layer change by more than a specified amount, the integrated device takes the action described above.

In a final exemplary embodiment, the integrated device is equipped with a passport-facing sensor and an optional light source, wherein the sensor provides an image of a portion of the passport (e.g. visible, UV or IR illumination). A feature analysis algorithm is then used on the image to determine the unique features of the image as described above. If the characteristic changes (or the changed characteristic exceeds a certain percentage), the integrated device will take the action described above. In alternative embodiments, the detected feature may be printed on the passport during initialization, or may be a PUA present in the passport at initialization. Note that the feature analysis and comparison may be performed by an integrated device. In an alternative embodiment, the images may be uploaded to the PAMS server and the analysis and comparison performed there.

In a further illustrative, non-limiting example, a set of keys and indicators may be integrated into an item container (e.g., a courier bag for transporting high value documents used in complex international financial transactions). Generally, the authenticity and origin of these documents is guaranteed. Courier bags or other container mailboxes for protected items are used to protect these in-transit documents. In such a courier bag for a protected item, a first key is configured to measure the PUA associated with the integrity of the courier bag itself, and a second key is configured to measure the PUA associated with the integrity of the courier bag envelope. As for the indicator and the communicator, they may be optionally integrated or used independently.

In this example, the integrity of the courier bag itself is measured using a variably conductive liner of the bag, the conductivity of which is measured at various points within the bag by a resistive grid key. The bond between the key and the courier bag is also monitored if the key is fixed in an accessible location and does not trigger other tamper detection aspects of the courier bag. A change in the electrical properties of the express bag indicates that the liner of the bag has been tampered with. The second key is to measure the integrity of the closure mechanism of the express bag, particularly if the seal for closure remains intact.

The pouch seal can be constructed by using a variable conductive adhesive, using a strip of variable conductive adhesive, a conductive wire interwoven into a seal produced using conventional sealing techniques, any of which can monitor and measure the PUA by a resistive mesh key or an optical key, or by using conventional sealing techniques where the PUA is measured and monitored by an optical key.

In use, the courier bag contains the document to be protected, the courier bag is sealed, and the key is initialized and registered with the PAMS. By initializing the key each time the express bag is sealed, a new marker is created, thus eliminating attacks based on the way the express bag is used in advance and its marker changes when the express bag is opened, and eliminating attacks. The express bags are transported to the final destination. Periodically during transit and after destination acknowledgement, the integrity of the bag and seal is checked by instructing the key integrated into the bag to read the bag and sealed PUA, determine the label of the bag and transmit the label to the PAMS server. The server checks whether the received indicia corresponds to a previously stored indicia provided during key initialization and, if so, can conclude that the express bag has not been tampered with. If the indicia do not match, indicating that the courier bag has been tampered with, the status of the courier bag may be indicated by setting an indicator associated with the courier bag. The communicator for communicating between the key and the PAMS server may be integrated into the courier bag with the key (e.g., an integrated device) or may be a separate device that communicates with the key for each of the sender, recipient and en-route location.

If there is a problem with the integrity of the bag and/or its seal (e.g., the key indicates that there is tampering), a new set of files is sent and the tampered bag and files are not used. If the indicia indicates that the pouch has not been tampered with, the recipient of the mailer (and its accompanying documents) can ensure that the documents have not been replaced or tampered with.

In another exemplary, non-limiting embodiment, the key may be embedded and/or attached to an artwork, including wall hanging and pictures (e.g., a master oil painting), and embedded in a three-dimensional artwork, such as a sculpture. In one example, an optical key (or integrated communicator/optical key device) may be attached to the back of the master drawing, making it possible to measure a portion of the drawing canvas or other drawing substrate and report whether the key has been detached or tampered with. The PUA of the figurine can measure using a resistive key mounted thereon (or measure the resistance of the mounting adhesive) and report whether the key was removed or tampered with.

In a final illustrative, non-limiting example, RFID and resistive mesh keys may be embedded in a fashion watch to authenticate it. The RFID key is used to measure the presence of an integrated RFID tag within the watch body, while the resistive key grid measures the PUA associated with the integrity and structure of the watch case. In this way, the two keys together protect the RFID tag within the watch from replacement attacks and verify that the manufacturer's watch components have not been tampered with. The key is initialized at manufacture and registered with the PAMS server of the manufacturer. The combination of the two keys can continue to generate the correct (e.g. manufacturer's) mark to prove that the watch has not been tampered with since manufacture. Failure of one or both keys indicates that the watch may have been tampered with or may be counterfeit. Where maintenance and/or servicing work is performed at an authorized service center, resetting the indicia requires re-registering and updating the source information of the watch (e.g., repaired and/or serviced).

It is to be understood that while the invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, the invention is not to be limited to the disclosed embodiment, but on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (18)

1. An authentication member for use with an article,

a component that is integrated as part of the article, such that subsequent removal of the component reduces the value of the article,

the component is characterized by at least one physical unclonable property of the item,

the component is further configured to interface with an authentication circuit that includes a sensor that senses the at least one physically unclonable property, calculates an authenticity signature based on sensing the at least one physically unclonable property, and provides the calculated authenticity signature derived from the component.

2. The authentication component of claim 1, further characterized in that the authentication circuit measures a resistance of at least a portion of the component.

3. The authentication component of claim 1, further characterized in that the authentication circuit provides the genuine mark wirelessly.

4. The authentication component of claim 1, further characterized in that the genuine mark is unique to the item.

5. The authentication component of any of claims 1-4, further characterized in that the component is non-changeably bound to the item, thereby preventing the component from being separated from the item in a manner that does not cause a change in the calculated genuine mark.

6. The authentication component of any of claims 1-4, further characterized in that the component is non-changeably bound to the item, thereby preventing the component from being separated from the item in a manner that does not induce a change in the physically unclonable property.

7. The authentication member of claim 1 further characterized in that the member forms a structural aspect of the article.

8. The authentication member of claim 1 further characterized in that the member provides a decorative aspect of the article.

9. The authentication component of claim 1, further characterized in that the component provides at least one functional aspect of the item unrelated to the authentication.

10. The authentication member of claim 1 further characterized in that the physical unclonable property is inherent to a material of manufacture of the article.

11. The authentication component of claim 1, further characterized in that the authentication circuit comprises a cryptographic element configured to receive the sensed physical unclonable property and to calculate the encrypted genuine mark based on the sensed physical unclonable property and at least one key.

12. The authentication component of claim 1, further characterized in that the authentication circuit comprises a wireless communication device.

13. The authentication component of claim 1, further characterized in that the sensor comprises at least one of a resistive sensor and an optical sensor that detects the physically unclonable property that is inherent to the item and is difficult to alter or copy.

14. The authentication member of claim 1, further characterized in that the at least one physically unclonable property is a characteristic of a substrate material comprising at least one of fabric, leather, polymer, carbon fiber, metal, or any combination thereof.

15. An article comprising an authentication member according to any one of claims 1-14.

16. The article of claim 15, wherein the article is a fashion article.

17. The article of claim 15, further characterized by: removal of the component would damage the structure and/or appearance of the article.

18. The article of claim 15, further characterized by: the item comprises a customs document.

Images