NL1044006B1 - Method, system and chip for centralised authentication - Google Patents
- Authority
- NL
- Netherlands
- Prior art keywords
- identifier
- authentication
- code
- integrated circuit
- centralized
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/73—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/018—Certifying business or products
- G06Q30/0185—Product, service or business identity fraud
-
- G—PHYSICS
- G11—INFORMATION STORAGE
- G11C—STATIC STORES
- G11C16/00—Erasable programmable read-only memories
- G11C16/02—Erasable programmable read-only memories electrically programmable
- G11C16/06—Auxiliary circuits, e.g. for writing into memory
- G11C16/10—Programming or data input circuits
- G11C16/20—Initialising; Data preset; Chip identification
Abstract
An authentication method comprising: storing, in a centralized code registration system (3), an identification code representative of an identifier of an integrated circuit (4a, 4b), wherein the identifier is hard-coded in the integrated circuit and wherein the identifier is a bit-code of predefined length; requesting, by a verifying device (5), the identifier from the integrated circuit via an end node device (2); reading, by the end node device, the identifier from the integrated circuit and transmitting the identifier to the centralized code registration system; and verifying, in the centralized code registration system, the identifier received from the end node device against the stored identification code to obtain and output a verification result. [FIG. 1]
Description
METHOD, SYSTEM AND CHIP FOR CENTRALISED AUTHENTICATION
TECHNICAL FIELD
[0001] The present invention relates to an authentication system, an integrated circuit, an end node device and a security method for centralized authentication.
[0002] Over the last three decades, integrated circuit (IC)-based identification and security-based technologies and associated devices have reached a broad set of applications. Well-known examples are public transport ticketing, smart card conditional access systems for TV subscriptions, SIM cards in mobile phones, electronic passports, banking or credit cards, and labeling for tracking and managing logistic flows and transport. Volumes associated with these applications run in the billions of ICs per year. However, there are potentially many more applications that could use these technologies, that could further multiply these volumes by several orders of magnitude, so indeed hundreds of billions or trillions of ICs. So far this is not happening for two fundamental reasons: security and cost.
[0003] A main problem in the world of identification and security is hacking. Existing identification and security applications are typically built around so-called secure microcontrollers. Microcontroller units (MCU) are required for functions like authentication or security key generation, and storing of the relevant data in such a way that it is not accessible for intruders. Because MCUs typically operate under an operating system and a specific program, e.g. firmware program, to execute the required functions, they are typically a combined hardware (HW) and software (SW) solution.
[0004] Known systems have as a major drawback that they can be hacked. This in practice means reverse engineering the function of the device by analyzing its HW and/or SW behavior, resulting in the discovery of e.g. a secret (cryptographic) key as typically required in these known systems and stored in a memory. In a worst case scenario the memory content of the device is altered, e.g. by increasing the amount of credits on a transit card or changing the balance on a bank card. Although suppliers of these ICs and systems implement measures to make their ICs robust to hacking, in the end most systems are vulnerable and can be hacked, albeit at often high technological effort.
[0005] The other problem with existing security solutions is related to cost. With high-volume applications of IC related security solutions, an obvious requirement is to have the IC cost as low as possible. Today's ICs typically cost a few dollar cents, which multiplies by a factor four for the final assembled module or package sales price. Elements that increase the IC cost are the MCU infrastructure and the programmable on-chip memories. Typical elements that increase the IC cost are:
- Secure MCUs are expensive, either as in-house development or as purchased IP, e.g. as ARM™ Secure Cores;
- MCUs are complex functions, and although the core is relatively small in advanced technology, it requires all kinds of peripheral functionality to make it work properly: communication busses, memories (usually a combination of multiple specific memories, like RAM, ROM, Flash), start-up and advanced power management circuitry. So, the total function is much bigger, and requires serious design effort;
- The simplest identification products don't require re-programmable memories or keys. But even so, during manufacturing of the IC the code needs somehow to be written in its memory. In most cases this is done using One Time Programmable Read Only Memories (OTP-ROM), but these IP blocks are big, and require high voltage supply, making them large and thus expensive;
- More complex identification and security ICs have programmable key or data storage, which requires re-programmable Non-Volatile Memory (NVM), often also referred to as flash memory. But flash memories are expensive technology features, requiring, depending upon the size of the baseline CMOS node, 10 to 12 additional mask layers in production. This can be a cost adder of typically 35 to 30% compared to non-flash baseline technology wafer cost;
- Identification and security ICs have a complex Back End (BE) process in the assembly and packaging fab, since every IC requires pre-programming with its secure SW and, in case of non-programmable ICs, the embedded keys or identifiers.
[0006] The present invention recognizes as a fundamental problem that security requirements are highest at the end nodes of the system, and in particular in the devices (ICs) that are used by the consumers at very high volume, hence the system element that is most vulnerable to hacking. At the consumer side volumes are highest, so cost sensitivity is also highest. Because verification of security is typically done locally in the end node, once a device gets hacked or copied at user level, it cannot be identified as such by the system and misuse essentially goes undetected. Because the verification relies entirely on the end node device being authentic, hacked and copied devices can be deployed in large numbers undetected.
[0007] For many years these main factors have blocked the originally predicted full global proliferation of identification and security solutions. It is also one of the main reasons for the delayed implementation of the Internet-of-Things (IoT) at consumer level.
[0008] The reason that the identification and security IC solutions of today are not optimal for tomorrow's requirements is that they are essentially based on 25-year old concepts. At the time the internet and the cloud did not exist, and security had to be provided by an embedded MCU-based IC in the end node, in those days a real breakthrough.
[0009] Yet, authentication methods do exist and may in general be typified as comprising the requesting, by a verifying device, of an identifier from an end node device and verifying, in a centralized code registration system, the identifier received from the end node device. One example of such a system is provided by US patent publication 20150106282, which is directed to a presently underlying problem, in that it indicates that “such genuine product certification technology has a problem in that, when certification information used for genuine product certification is copied and genuine product certification of counterfeits is performed, the counterfeits may be recognized as genuine products.” This disclosure then relates to a device for performing genuine product certification that is used in conjunction with a certification information unit, which unit “may receive the certification identification information including at least one piece of the certification chip identification information, the product identification information, and the certification verification information of the verification target product from the device for performing genuine product certification”.
[0010] Furthermore, the solution proposed there requires, or at least hints towards, a solution in which the target product should be a state machine, indicating that “when the product identification information of the verification target product 300 is not managed by the device for determining a counterfeit 100, the genuine product certification information and the certification identification information are compared as illustrated in FIG. 4. Therefore, it is possible to determine a counterfeit”. In further elaboration, as an example of the solution proposed there, the disclosure indicates that example embodiments “provide a method of determining a counterfeit that can accurately determine a counterfeit by analyzing genuine product certification of a verification target product based on state information of a device”.
[0011] Variations on this known concept are also known from further publications like US20080282209 and US20179180369. These publications represent alternative embodiments which, however, like the embodiment described above, require the target product (the end node device in terms of the present invention) to be a state machine. In the case of the first alternative publication, e.g., the target device is upon request required to provide test type data in addition to its ID. In the case of the second alternative publication, the authentication method requires the target devices to avail of an intrinsic chip identification module, in itself a quite complex system, hampering widespread application in a vast amount of often relatively cheap and simple devices like so-called IoT end nodes. More in particular, the latter known solution proposes the presence of a PUF device, here embodied using ring oscillators rather than the somewhat more generally known SRAM chips.
[0012] Such a requirement that a target or end node device be capable of providing information in addition to an identifier in practice lays a capability burden onto end node devices, which often, if not in most cases, turn out to be way too complicated or costly to establish a viable authentication means for an immense amount of relatively simply constructed end node devices, which devices may e.g. form a security threat by way of forming a de facto back-door entrance, or which devices may be desired to economically form a reliable identifier within an asset management system, such as may be the case with exchangeable PCB boards within complex machines or systems. It is hence an object to arrive at an at least alternative, preferably also economic form of an authentication method, more in particular enabling extensive use in relatively simple if not relatively cheap end node devices such as so-called IoT devices.
[0013] The present invention hence in general aims to alleviate the security and cost drawbacks identified in the background. The present invention is particularly useful for, but not limited to, the Internet-of-Things (IoT), including the IoT at consumer level which has not been largely adopted yet due to the existing security and cost concerns. IoT has had a modest start in industrial applications, where hacking is much lower as risk than at consumer level. It is another object of the present invention to improve upon essentially outdated MCU-based solutions as are in general known for application in e.g. so-called edge node devices.
[0014] The present invention, while departing from the known authentication system and method defined by requesting, by a verifying device, of an identifier from an end node device, and verifying, in a centralized code registration system, the identifier received from the end node device, enables identification and security solutions that are much cheaper at the high-volume customer or user end of the chain, shifts complex security functionality away from those end nodes, and does not require access to state information of an end node to be in the form of a state machine in order to establish an identification and authentication method.
[0015] According to an aspect of the invention an authentication method and system is proposed which comprises storing, in a centralized code registration system, an identification code representative of an identifier of an integrated circuit. Herein, storing means the action of putting data in a data storage or having data stored in a data storage available for use. The identifier can be hard-coded in the integrated circuit. The identifier can be a bit-code of predefined length, e.g. 64, 80, 96, 128, 256, 512 or 1024 bits. The method can further comprise requesting, by a verifying device, the identifier from the integrated circuit via an end node device. The method and system can further comprise reading, by the end node device, the identifier from the integrated circuit and transmitting the identifier to the centralized code registration system. The method and system can further comprise verifying, in the centralized code registration system, the identifier received from the end node device against the stored identification code to obtain and output a verification result. More specifically the method and system can herein comprise the step of transcription of the received identifier into an identification code, and verifying, in the centralized code registration system, the thus obtained identification code against the stored identification code in order to obtain and output a verification result. Such transcription can be composed of, or at least involve, a technique known per se, such as a look-up table and a cryptographic technique.
[0016] In an embodiment, the method can further comprise transmitting the identifier to the centralized code registration system via the verifying device. The identifier has then typically been received in the verifying device from the end node device.
[0017] Hence, in particular, the present invention relates to improving the known authentication system and method by including the identifier hard coded in the integrated circuit in a manner where the identifier is a bit-code of predefined length; storing (100), in the centralized code registration system (3), an identification code, unique within a set of at least potential identification codes and representative of the identifier of an integrated circuit (4, 4a, 4b, 4c, 4d); reading, by the end node device, the identifier from the integrated circuit, and transmitting the identifier to the centralized code registration system; performing a processing step involving transcription of the received identifier into an identification code; and verifying, in the centralized code registration system, the identification code against the stored identification code to obtain and output a verification result.
[0018] In applying a method in accordance with the present invention, hardcoding of an identity is included as a means of hampering ease of copying the ID, by way of including the same in a semiconductor device. Furthermore, the hardcoding of an identifier is allowed, and for security reasons even preferred, to be performed in the simplest possible chip embodiment, by way of including the security measures that are normally extensively applied in an end or edge node in a centralized data and identification system, i.e. effectively a central computing platform.
The central system collects contextual data, either by itself, e.g. by intelligent review of the number and frequency of requested ID-checks, and/or from the verifying device, which may add e.g. geographical information to the identifier as received from the integrated circuit. In conjunction with the contextual data, the identification result is output as verification result. The latter, as being more than an ID check only, may to some, as it were, be regarded as a rudimentary form of an authentication method. With the burden of security check or security control being shifted to a central point in the solution according to the present invention, the integrated circuit for storing the identifier may be kept as simple and small as possible, thereby allowing widespread application thereof in the simplest and/or remotest of end nodes, therewith enabling at least a basic form of protection for such nodes, as it were enabling backdoor protection in IoT. An advantage of having the identifier coding integrated circuit as simple as possible is that it does not allow any chance of running a program thereon which might be used for e.g. spoofing, thereby further enhancing security within the identification if not authentication system as proposed.
[0019] In an embodiment, the verification result can be at least partly based on contextual data, the contextual data preferably including one or more of a number of verifying requests made in a predefined time interval, a total number of verifying requests made, a time of a verifying request, a geographical location of the integrated circuit, a geographical location from where a verifying request is made.
[0020] In an embodiment, the verifying device can transmit at least a part of the contextual data to the centralized code registration system.
[0021] In an embodiment, the method can further comprise transmitting the verification result from the centralized code registration system to the verifying device and/or the end node device.
[0022] In an embodiment, the authentication method can comprise storing, in the centralized code registration system, the identification code together with a vendor identification code. The vendor identification code can be indicative for a system owner of an asset that is associated with the identification code. The method can further comprise transmitting, from the end node device, a vendor identifier to the centralized code registration system together with the identifier. The method can further comprise verifying, in the centralized code registration system, the identifier and the vendor identifier received from the end node device against the identification code and the vendor identification code to obtain the verification result.
[0023] In an embodiment, the authentication method can further comprise registering, in the centralized code registration system, the identification code as being invalid in case the verification result is negative, resulting in future verification results for this identification code to be negative by default.
[0024] The verification result obtained by the authentication method is indicative of the authenticity of the identifier. As such the authentication method enables a basic security system.
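The centralized checks described above (transcription of the identifier into an identification code, the vendor identifier match, contextual request counting, and invalidation after a negative result), sketched as an added example that is not part of the patent text. The HMAC-SHA256 transcription, the class and function names, the request threshold and the sample identifiers are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

ID_BITS = 128  # predefined identifier length; the text lists 64 to 1024 bits


def transcribe(identifier: bytes, registry_key: bytes) -> str:
    """Transcribe a raw chip identifier into the stored identification code.

    Assumption: HMAC-SHA256 under a key held only by the registry, so the
    database holds identification codes rather than raw identifiers.
    """
    if len(identifier) * 8 != ID_BITS:
        raise ValueError("identifier is not a bit-code of the predefined length")
    return hmac.new(registry_key, identifier, hashlib.sha256).hexdigest()


@dataclass
class Record:
    vendor_code: str
    valid: bool = True
    request_times: list = field(default_factory=list)


class CodeRegistry:
    """Hypothetical centralized code registration system (in-memory)."""

    def __init__(self, registry_key: bytes, max_requests: int = 3,
                 window_s: float = 60.0):
        self._key = registry_key
        self._max = max_requests      # constructed contextual threshold
        self._window = window_s       # "predefined time interval" in seconds
        self._records = {}

    def register(self, identifier: bytes, vendor_code: str) -> None:
        """Store the identification code when the chip is manufactured."""
        code = transcribe(identifier, self._key)
        if code in self._records:
            raise ValueError("identifier already registered; it must be unique")
        self._records[code] = Record(vendor_code)

    def verify(self, identifier: bytes, vendor_identifier: str, now: float):
        """Return (result, reason) for one verifying request made at time now."""
        try:
            code = transcribe(identifier, self._key)
        except ValueError:
            return (False, "malformed")
        rec = self._records.get(code)
        if rec is None:
            return (False, "unknown")
        if not rec.valid:
            return (False, "invalidated")   # negative by default from now on
        if not hmac.compare_digest(rec.vendor_code.encode(),
                                   vendor_identifier.encode()):
            rec.valid = False
            return (False, "vendor-mismatch")
        # Contextual data: number of verifying requests in the time window.
        rec.request_times = [t for t in rec.request_times
                             if now - t < self._window]
        rec.request_times.append(now)
        if len(rec.request_times) > self._max:
            rec.valid = False
            return (False, "rate-exceeded")
        return (True, "ok")


def demo():
    """Run constructed requests against two constructed 128-bit identifiers."""
    reg = CodeRegistry(registry_key=b"constructed-demo-key")
    chip_a = bytes(range(16))
    chip_b = bytes(range(16, 32))
    reg.register(chip_a, "VENDOR-A")
    reg.register(chip_b, "VENDOR-B")
    results = [reg.verify(chip_a, "VENDOR-A", now=float(t))
               for t in (0, 10, 20, 30)]       # fourth request exceeds the limit
    results.append(reg.verify(chip_a, "VENDOR-A", now=1000.0))
    results.append(reg.verify(chip_b, "VENDOR-X", now=0.0))
    results.append(reg.verify(bytes(16), "VENDOR-A", now=0.0))   # never registered
    results.append(reg.verify(b"\x01\x02", "VENDOR-A", now=0.0))  # wrong length
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```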
[0025] According to an aspect of the invention an authentication system is proposed comprising a plurality of end node devices, a verifying device and a centralized registration system. Each end node device can comprise an integrated circuit. The integrated circuit can comprise an identifier that is hard-coded in the integrated circuit. The identifier can be a bit-code of predefined length, e.g. 64, 80, 96, 128, 256, 512 or 1024 bits. The centralized code registration system can be arranged to store an identification code representative of the identifier of the integrated circuit. The verifying device can be configured to request the identifier from the integrated circuit via the end node device. The end node device can be configured to read the identifier from the integrated circuit and transmit the identifier to the centralized code registration system. The centralized code registration system can be configured to verify the identifier received from the end node device against the stored identification code to obtain and output a verification result.
[0026] In an embodiment, the verification device can be configured to transmit the identifier to the centralized code registration system. The identifier has then typically been received in the verifying device from the end node device.
[0027] In an embodiment, the verification result can be at least partly based on contextual data, the contextual data preferably including one or more of a number of verifying requests made in a predefined time interval, a total number of verifying requests made, a time of a verifying request, a geographical location of the integrated circuit, a geographical location from where a verifying request is made.
[0028] In an embodiment, the verifying device can be configured to transmit at least a part of the contextual data to the centralized code registration system.
[0029] In an embodiment, the centralized code registration system is configured to transmit the verification result to the verifying device and/or the end node device.
[0030] In an embodiment, the centralized code registration system can be arranged to store the identification code together with a vendor identification code. The vendor identification code can be indicative for a system owner of an asset that is associated with the identification code. The end node device can be configured to transmit a vendor identifier to the centralized code registration system together with the identifier. The centralized code registration system can be configured to verify the identifier and the vendor identifier received from the end node device against the identification code and the vendor identification code to obtain the verification result.
[0031] The verifying device may be a separate device that is communicatively connected to the centralized code registration system and/or the end node device. The verifying device may be a part of the centralized code registration system. The verifying device may be a part of an asset that includes the end node device.
[0032] The verification result obtained by the authentication system is indicative of the authenticity of the identifier. As such the authentication system enables a basic security system.
[0033] The following are embodiments of the authentication method and the authentication system.
[0034] In an embodiment, the integrated circuit can comprise a read-only register comprising the identifier and one or more interfaces for reading the identifier from the register and outputting the identifier.
[0035] In an embodiment, the functionality of the integrated circuit can be limited to providing the identifier upon request.
[0036] In an embodiment, the centralized code registration system can comprise an electronic database system for storing the identifiers of each of the integrated circuits, wherein the identifier has been stored in the electronic database system upon implementation of the identifier in the integrated circuit.
[0037] In an embodiment, the electronic database can be secured by at least one of restricted access, data encryption or being located in a secured environment.
[0038] In an embodiment, the centralized code registration system can be configured to register the identification code as being invalid in case the verification result is negative, resulting in future verification results for this identification code to be negative by default.
[0039] In an embodiment, the identifier can be a unique identifier used only once amongst the integrated circuits in the plurality of end node devices.
[0040] In an embodiment, the centralized registration system can be implemented as a cloud service.
[0041] In an embodiment, the plurality of end node devices can include Internet-of-Things devices.
[0042] According to an aspect of the invention an integrated circuit is proposed comprising an identifier that is hard-coded in the integrated circuit. The identifier can be a bit-code of predefined length. The integrated circuit can be for use in an authentication system having one or more of the above described features.
[0043] In an embodiment, the integrated circuit can comprise an SPI (Serial Peripheral Interface) and control logic for obtaining the identifier from the read-only register on a request received via the control logic. The integrated circuit can further comprise one or more voltage inputs, such as VDDD, VSSD, VDDIO and VSSIO. The integrated circuit can further comprise one or more signal inputs, such as MOSI (Master Output Slave Input), SCLK (Serial CLocK) and CSN (Chip Select Not). The integrated circuit can further comprise a signal output, such as MISO (Master Input Slave Output) for outputting the identifier.
[0044] In an embodiment, the integrated circuit can be miniature SO8-packaged, SSOP8-packaged, TSSOP8-packaged or 8WLCSP-packaged for board-level applications.
[0045] In an embodiment, the integrated circuit can be RF-ID compatible.
[0046] In an embodiment, the integrated circuit can be integrated in a multi-chip package.
[0047] In an embodiment, the integrated circuit can be integrated as an IP block in a larger IC.
[0048] According to an aspect of the invention an end node device is proposed comprising an integrated circuit as described above. The end node device can be configured to read the identifier from the integrated circuit and transmit the identifier to the centralized code registration system.
[0049] According to an aspect of the invention a use of an integrated circuit having one or more of the above described features of the integrated circuit is proposed in an authentication system having one or more of the above described features of the authentication system.
[0050] The authentication method and system of the present invention advantageously enable a secure and cost efficient solution which allows the long targeted wide deployment of secure end nodes in logistics chains, e.g. retail, medicine, industrial, defense, and/or in the consumer Internet-of-Things.
[0051] The authentication method and system of the present invention have several advantages.
[0052] There is no security vulnerability at end node devices through the simple use of the identifier stored in the IC. Costs are reduced since authentication means are performed centrally. No authentication measures are needed at the end node device.
[0053] The authentication system is scalable over orders of magnitude, from tens to billions of nodes. The availability of coding space is no problem at all (e.g. 10^38 in case of 128 bit identifiers) and the end nodes can be so small and cheap that they allow deployment in very large numbers.
[0054] The authentication system allows putting individual electronic identifiers at a level not attainable today. Think of tagging all individual products in a supermarket or store, all elements in complex logistics chains (e.g. aircraft or car assembly) or all ICs (by embedding an IC inside a larger IC package).
[0055] Owners of the identification system can choose at which level they want to uniquely code their products. E.g. high turn-over goods (beer bottles or cans, food) could be coded by production batches with codes that have a time-limited validity. This is yet another scalability factor of the present invention.
[0056] The authentication method and system of the present invention may be used as a connected electronic bar code. But whereas today's printed bar codes are identical for all instantiations of the same product, the identities in the ICs are electronic and can, if chosen so, be different at individual product level. The usage of the identities in the ICs may be tracked through a cloud connection, allowing for “big data” analysis and possible interaction with the end node device to take security measures.
[0057] The centralized code registration system may be distributed among multiple servers or multiple networked computers while functioning as a centralized system.
[0058] The system enables owners/users to set up a secure data information system on the use of their products.
[0059] Aspects and embodiments of the invention are further described in the following description and in the claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[0060] Embodiments will now be described, by way of example only, with reference to the accompanying schematic drawings in which corresponding reference symbols indicate corresponding parts, and in which:
[0061] FIG. 1 shows an exemplary authentication system according to an aspect of the invention;
[0062] FIG. 2 shows an exemplary IC according to an aspect of the invention;
[0063] FIGs. 3a-3d show exemplary end node devices including ICs according to an aspect of the invention;
[0064] FIGs. 3e-3f show exemplary assets including ICs according to an aspect of the invention;
[0065] FIG. 4 shows a time sequence diagram of an exemplary method of the invention.
[0066] The figures are intended for illustrative purposes only, and do not serve as restriction of the scope or the protection as laid down by the claims.
[0067] FIG. 1 shows an exemplary authentication system 1 according to an aspect of the invention. The authentication system 1 may include end node devices 2a, 2b each containing an IC 4a, 4b embedded with a unique identifier. The authentication system 1 may further include a verifying device 5 for requesting the identifier from the end node device. The authentication system 1 may further include a centralized code registration system 3, typically comprising an electronic database system 31.
[0068] The IC 4a, 4b is typically linked to an asset. The asset is e.g. an electronic device like a peripheral device, an industrial device or a medical device, or any taggable good like packing material or consumer goods. The assets have in common that they are identifiable by the identifier. It is possible that the end node device itself is the asset.
[0069] Querying of an IC 4a, 4b for its identifier may result in sending the identifier to the centralized code registration system 3, and the centralized code registration system 3 providing a verification result indicative of an authentication result. The identifier is typically transmitted to the centralized code registration system 3 after a request from the verifying device 5. The identifier may be transmitted from the end node device 2a, 2b to the centralized code registration system 3, via the verifying device 5, and/or via any other intermediate communication device (not shown).
[0070] The unique identifier may be embedded in the IC 4a, 4b as a bit-code of predefined order of magnitude, hard coded in the IC 4a, 4b, typically in the form of a register and an interface for reading out the code, e.g. as shown in the IC 4 of FIG. 2. A non-limiting example of an identifier is a 128-bit code. These 128 bits allow the unique identification of 10^38 unique elements. It will be understood that identifiers may be defined using any other number of bits, such as 64, 80, 96, 128, 512, 1024 or any other number of bits. The identifier bits may be hard coded in the IC 4, 4a, 4b, so there are no options to re-write or modify the identifiers.
[0071] FIG. 2 shows an exemplary IC 4 according to an aspect of the present invention. The IC 4 may include a ROM register 41, e.g. a 128-bit (16x8) ROM embedding a 128-bit identifier. The IC 4 includes an interface, here embodied in the form of a Serial Peripheral Interface (SPI) and control logic for outputting the identifier on a request received via the control logic. The IC 4 may include voltage inputs VDDD, VSSD, VDDIO and VSSIO. The IC 4 may further include signal inputs MOSI (Master Output Slave Input), SCLK (Serial Clock) and CSN (Chip Select Not). The IC 4 may further include signal output MISO (Master Input Slave Output).
[0072] It will be understood that the IC 4 is not limited to having SPI-based interfaces. Other non-limiting examples of interfaces that may be used in the IC 4 are serial interfaces like I2C or I2S, 3-wire, 1-wire, USB or a classical 13.56 MHz RF-ID contactless interface. Moreover, it will be understood that the IC 4 is not limited to 16x8 ROM registers and that any other read-only register may be used for storing identifiers of any bit length.
[0073] FIGs. 3a-3d show exemplary end node devices 2a-2d with embedded ICs 4a-4d according to the present invention.
[0074] FIG. 3a shows an exemplary miniature SO8-packaged IC 4a for board-level applications, which may be similar to the IC 4 of FIG. 2. The IC 4a may be used for authentication on board/system level. Any other suitable packaging may be used, e.g. SSOP8, TSSOP8, 8WLCSP, various leadless packages.
[0075] FIG. 3b shows an exemplary RF-ID compatible IC 4b, which may be used for object authentication. Most or all of the RF-ID functionality may be implemented in the end node device 2b interfacing with the IC 4b.
[0076] FIG. 3c shows an exemplary more advanced integrated solution wherein an IC 4c is integrated in a multi-chip package. The IC 4c may be used for authentication of (big) other ICs.
[0077] FIG. 3d shows an exemplary more advanced integrated solution wherein an IC 4d is integrated as IP block in a larger IC. The IC 4d may be used for authentication of the larger IC.
[0078] The hardware of the IC 4, 4a-4d is preferably made as simple and cheap as possible. Hereto, the function provided by the IC 4, 4a-4d may be limited to outputting the identifier upon request, such as provided by the exemplary IC 4 of FIG. 2.
[0079] The end node device 2, 2a-2d is typically configured to retrieve the identifier - preferably a unique identifier - from the IC 4, 4a-4d. This is typically triggered by a request hereto from a verifying device 5, which may be wirelessly or wiredly communicatively connected to the end node device 2, 2a-2d.
[0080] The identifier is transmitted to the centralized code registration system 3 to authenticate the identifier. Further security measures in the end node device 2, 2a, 2b may be minimized or even discarded.
[0081] The identifier is typically linked to an asset or article to which the end node device 2, 2a-2d is attached or linked. Hereto the identification code that is stored in the centralized code registration system 3 may be stored together with a vendor identification code, enabling an identifier and vendor identifier combination, both typically obtained by the end node device 2, 2a-2d, to be checked against an expected identification code and vendor identification code combination stored in the centralized code registration system 3.
[0082] In case the identifier and vendor identifier are used at the end node device 2, 2a-2d in a non-authorized combination, the centralized registration system 3 may return a negative verification result to the end node device 2, 2a, 2b, indicative of a failed authentication.
[0083] Alternatively or additionally, in case of a negative verification result the centralized registration system 3 may block the identification code from any future use, resulting in future verification results for this identification code to be negative by default.
[0084] FIG. 3e shows a non-limiting exemplary asset 6a that includes an end node device, e.g. the end node device 2b of FIG. 3b. The asset 6a may be a non-electronic asset. The identity stored in the IC 4b may be wirelessly requested by verifying device 5a, e.g. using RF-ID or any other suitable wireless communication technology. The identity received in the verifying device 5a may be transmitted to a centralized code registration system 3 for verification.
[0085] FIG. 3f shows another non-limiting exemplary asset 6b that includes an end node device, e.g. the end node device 2a of FIG. 3a. The asset 6b may be an electronic asset. The identity stored in the IC 4a may be requested by verifying device 5b, which in this example is a part of the asset 6b but may be external to the asset 6b. The identity received in the verifying device 5b may be transmitted to a centralized code registration system 3 for verification.
[0086] An identifier may be generated before or during the production process of ICs 4, 4a-4d. This is illustrated in FIG. 1 as the code generation service that generates the identifiers and stores the generated identifiers or identification codes representative of the identifiers in database 31 of the centralized registration system 3. The generated identifiers may be transmitted to the IC Manufacturing (Foundries) as a unique customer and ID encoding instructions.
[0087] The ICs 4, 4a-4d are preferably manufactured in a cost efficient manner, typically involving a lithography back-end processes followed by a so-called mid-end lithographic process step. In the back-end process the dies on a wafer may be prepared to a common design, e.g. in a CMOS based, front end lithographic operation typically applying masked lithographic equipment. In the subsequent mid-end process step, a wafer based maskless lithographic operation may manipulate a predefined CMOS based IC for encoding each die of a wafer with the identifier - preferably a unique identifier - generated by the code generation service.
[0088] The implementation of the identifier in the mid-end lithographic process step advantageously allows commonly known and cost effective front end processes to remain unmodified. The mid-end lithographic process step may be integrated as a maskless lithography operation, which is found to be very suitable for uniquely encoding IC based electronic devices. In such a set-up maximum advantage may be taken from cost reduction as has over the past decades been effected in so called front-end chip manufacturing fabs or so called foundries.
[0089] Advantageously, in the authentication system 1 according to the present invention, most or all security may be transferred to the centralized code registration system 3, which is preferably implemented in the cloud. Every application system, e.g. retail, may have a database 31 with the registered identification codes of the ICs 4, 4a-4d that have been produced and as many associated data labels as are required (dates, type of product, manufacturer, etcetera). These data labels may be stored as or together with vendor identification codes in the database 31. When an IC 4, 4a-4d is queried for its identifier, the identifier may be sent to the database system 31 for verification of its validity, possibly with a simple “Yes” (or other indication of a positive verification result) or “No” (or other indication of a negative verification result) as outcome.
[0090] The database system 31 may advantageously take the context of verification requests into account in processing the current verification request. Examples hereof are a number of requests made in a predefined time interval, the total number of requests made, time of the request, location of the request, etcetera. Contextual information may be transmitted as contextual data from the verifying device 5 to the centralized code registration system 3 and/or generated in the centralized code registration system 3. Part or all of the contextual data may be generated in the end node device 2, 2a-2d.
[0091] Hackers may want to try to replicate or falsify end node devices. Duplication of an end node 2, 2a-2d with IC 4, 4a-4d in an authentication system 1 according to the present invention no longer makes any sense, because this may immediately be detected, and the identity/identification code be blocked for use. Although the identifiers can in principle be public - there is nothing to hide - they may be encrypted during communication with the centralized code registration system 3, which may be implemented as a cloud server 3. In other words, hacking the end node 2, 2a-2d does not make any sense, all security processing takes place in the cloud server 3. The IC end node thus acts as a hardware anchor (e.g. to attach the code to a physical device) in an otherwise centralized secure system 3. So, although the end nodes 2, 2a-2d could be hacked (e.g. copied), the system 1 remains secure.
[0092] FIG. 4 shows an exemplary method according to an aspect of the invention, in the form of a time-sequence diagram. In step 100 an identification code representative of an identifier of an IC 4, 4a-4d may be stored in the centralized code registration system 3, typically in an electronic database system 31 of the centralized code registration system 3. This is typically done before or during the manufacturing process of the IC 4, 4a-4d. The end node device 2, 2a-2d may read 102 the identifier from the IC 4, 4a-4d after a request 101 from the verifying device 5. In steps 103 and 104 the identifier may be transmitted to the centralized code registration system 3, typically via the verifying device (step 103). In step 105 the centralized code registration system 3 may verify the received identifier against the corresponding stored identification code to obtain a verification result. In step 106 the verification result may be transmitted from the centralized code registration system 3 to the verification system 5, additionally or alternatively to the end node device 2, 2a-2d or any other device that may use the verification result.
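The following sketch is an added illustration, not part of the patent text, of registry-side logic for steps 100 and 105 combined with the vendor pairing of [0081]-[0083] and the contextual checks of [0090]-[0091]. The SHA-256 transcription, the 60-second window, the ceiling of 3 requests, the location-conflict rule and all sample identifiers, vendor names and sites are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WINDOW_S = 60      # assumed "predefined time interval", in seconds
MAX_REQUESTS = 3   # assumed ceiling on verifying requests per window


def transcribe(identifier: bytes) -> str:
    """Turn the raw identifier into the stored identification code.

    Assumption: 128-bit identifiers, transcribed with SHA-256.
    """
    if len(identifier) != 16:
        raise ValueError("identifier must be exactly 128 bits")
    return hashlib.sha256(identifier).hexdigest()


@dataclass
class Record:
    vendor_code: str
    blocked: bool = False
    request_times: List[float] = field(default_factory=list)
    last_seen: Optional[Tuple[float, str]] = None  # (time, location)


class CodeRegistry:
    """Constructed stand-in for the centralized code registration system 3."""

    def __init__(self) -> None:
        self._db: Dict[str, Record] = {}

    def store(self, identifier: bytes, vendor_code: str) -> None:
        """Step 100: register the code before or during IC manufacture."""
        self._db[transcribe(identifier)] = Record(vendor_code)

    def verify(self, identifier: bytes, vendor_id: str,
               now: float, location: str) -> Tuple[bool, str]:
        """Step 105: return (result, reason); a negative result blocks the code."""
        try:
            code = transcribe(identifier)
        except ValueError:
            return False, "malformed"
        rec = self._db.get(code)
        if rec is None:
            return False, "unknown"    # never issued, so nothing to block
        if rec.blocked:
            return False, "blocked"    # negative by default after a block
        reason = self._check(rec, vendor_id, now, location)
        if reason != "ok":
            rec.blocked = True
        return reason == "ok", reason

    @staticmethod
    def _check(rec: Record, vendor_id: str, now: float, location: str) -> str:
        if vendor_id != rec.vendor_code:
            return "vendor-mismatch"   # non-authorized combination
        # Contextual data: number of requests inside the sliding window.
        rec.request_times = [t for t in rec.request_times if now - t < WINDOW_S]
        rec.request_times.append(now)
        if len(rec.request_times) > MAX_REQUESTS:
            return "rate-exceeded"
        # Contextual data: one identifier read at two sites within the window
        # is treated here as a sign that a duplicate is in circulation.
        prev = rec.last_seen
        rec.last_seen = (now, location)
        if prev and now - prev[0] < WINDOW_S and prev[1] != location:
            return "location-conflict"
        return "ok"


def demo() -> List[Tuple[bool, str]]:
    """Run constructed requests; identifiers, vendors and sites are made up."""
    reg = CodeRegistry()
    id_a, id_b = bytes([0xA1]) * 16, bytes([0xB2]) * 16
    reg.store(id_a, "VENDOR-A")
    reg.store(id_b, "VENDOR-B")
    return [
        reg.verify(id_a, "VENDOR-A", 0, "AMS"),       # genuine read
        reg.verify(id_a, "VENDOR-A", 10, "SIN"),      # same code, other site
        reg.verify(id_a, "VENDOR-A", 5000, "AMS"),    # stays negative
        reg.verify(id_b, "VENDOR-A", 0, "AMS"),       # wrong vendor pairing
        reg.verify(bytes(16), "VENDOR-A", 0, "AMS"),  # never registered
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Blocking is applied per identification code, so after a conflict the genuine asset carrying that code also verifies negative from then on.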
CLAUSES
1. An authentication method comprising: requesting (101), by a verifying device (5), an identifier from an end node device (2); verifying (105), in a centralized code registration system, the identifier received from the end node device, wherein the method further comprises including the identifier hard coded in the integrated circuit in a manner where the identifier is a bit-code of predefined length, storing (100), in the centralized code registration system (3), an identification code, unique within a set of at least potential identification codes and representative of the identifier of an integrated circuit (4, 4a, 4b, 4c, 4d); reading (102), by the end node device, the identifier from the integrated circuit, and transmitting (103) the identifier to the centralized code registration system; performing a processing step involving transcription of the received identifier into an identification code; and verifying in the centralized code registration system, the identification code against the stored identification code to obtain and output a verification result.
2. The authentication method according to claim 1, wherein transmitting (103, 104) the identifier to the centralized code registration system via the verifying device.
3. The authentication method according to any one of the preceding claims, wherein the verification result is at least partly based on contextual data, the contextual data including one or more of a number of verifying requests made in a predefined time interval, a total number of verifying requests made, a time of a verifying request, a geographical location of the integrated circuit, a geographical location from where a verifying request is made.
4. The authentication method according to claim 3, wherein the verifying device generates and transmits at least a part of the contextual data to the centralized code registration system.
5. The authentication method according to any one of the preceding claims, further comprising transmitting (106) the verification result from the centralized code registration system to the verifying device and/or the end node device.
6. The authentication method according to any one of the preceding claims, wherein the integrated circuit comprises a read-only register (41) comprising the identifier and an interface (MISO) for reading the identifier from the register and outputting (102) the identifier.
7. The authentication method according to any one of the preceding claims, wherein the functionality of the integrated circuit is limited to providing (102) the identifier upon request (101).
8. The authentication method according to any one of the preceding claims, wherein the centralized code registration system comprises an electronic database system (31) for storing the identifiers of each of the integrated circuits, wherein the identifier has been stored (100) in the electronic database system upon implementation in the integrated circuit.
9. The authentication method according to claim 5, wherein the electronic database is secured by at least one of restricted access, data encryption or being located in a secured environment.
10. The authentication method according to any one of the preceding claims, comprising: storing, in the centralized code registration system, the identification code together with a vendor identification code, the vendor identification code being indicative for a system owner of an asset (6a, 6b) that is associated with the identification code; transmitting, from the end node device, a vendor identifier to the centralized code registration system together with the identifier, verifying, in the centralized code registration system, the identifier and the vendor identifier received from the end node device against the identification code and the vendor identification code to obtain the verification result.
11. The authentication method according to any one of the preceding claims, further comprising registering, in the centralized code registration system, the identification code as being invalid in case the verification result is negative, resulting in future verification results for this identification code to be negative by default.
12. The authentication method according to any one of the preceding claims, wherein the identifier is a unique identifier used only once amongst the integrated circuits in the plurality of end node devices.
13. The authentication method according to any one of the preceding claims, wherein the centralized registration system is implemented as a cloud service.
14. The authentication method according to any one of the preceding claims, wherein the plurality of end node devices include Internet-of-Things devices.
15. A method of manufacturing an integrated circuit (4, 4a, 4b, 4c, 4d), the integrated circuit for use in an authentication method according to any one of the claims 1-19, the method comprising: generating an identifier in a centralized registration system (3), wherein the identifier is a bit-code of predefined length; storing (100), in the centralized code registration system, an identification code representative of the identifier; and providing the identifier to an IC manufacturing facility, wherein the identifier is hard-coded in the integrated circuit.
16. An authentication system (1) comprising a plurality of end node devices (2, 2a, 2b), a verifying device (5) and a centralized registration system (3), wherein each end node device comprises an integrated circuit (4, 4a, 4b, 4c, 4d) comprising an identifier hard-coded in the integrated circuit, wherein the identifier is a bit-code of predefined length, wherein the centralized code registration system is arranged to store an identification code representative of the identifier of the integrated circuit, wherein the verifying device is configured to request the identifier from the integrated circuit via the end node device, wherein the end node device is configured to read the identifier from the integrated circuit and transmit the identifier to the centralized code registration system, and wherein the centralized code registration system is configured to verify the identifier received from the end node device against the stored identification code to obtain and output a verification result.
17. The authentication system according to claim 16, wherein the verifying device is configured to receive the identifier from the end node device and transmit the received identifier to the centralized code registration system.
18. The authentication system according to any one of the claims 16-18, wherein the verification result is at least partly based on contextual data, the contextual data preferably including one or more of a number of verifying requests made in a predefined time interval, a total number of verifying requests made, a time of a verifying request, a geographical location of the integrated circuit, a geographical location from where a verifying request is made.
19. The authentication system according to claim 18, wherein the verifying device is configured to transmit at least a part of the contextual data to the centralized code registration system.
20. The authentication system according to any one of the claims 16-19, wherein the centralized code registration system is configured to transmit the verification result to the verifying device and/or the end node device.
21. The authentication system according to any one of the claims 16-20, wherein the integrated circuit comprises a read-only register (41) comprising the identifier and an interface (MISO) for reading the identifier from the register and outputting the identifier.
22. The authentication system according to any one of the claims 16-21, wherein the functionality of the integrated circuit is limited to providing the identifier upon request.
23. The authentication system according to any one of the claims 16-22, wherein the centralized code registration system comprises an electronic database system (31) for storing the identifiers of each of the integrated circuits, wherein the identifier has been stored in the electronic database system upon implementation of the identifier in the integrated circuit.
24. The authentication system according to claim 23, wherein the electronic database is secured by at least one of restricted access, data encryption or being located in a secured environment.
25. The authentication system according to any one of the claims 16-24, wherein the centralized code registration system is arranged to store the identification code together with a vendor identification code, the vendor identification code being indicative for a system owner of an asset (6a, 6b) that is associated with the identification code, wherein the end node device is configured to transmit a vendor identifier to the centralized code registration system together with the identifier, and wherein the centralized code registration system is configured to verify the identifier and the vendor identifier received from the end node device against the identification code and the vendor identification code to obtain the verification result.
26. The authentication system according to any one of the claims 16-25, wherein centralized code registration system is configured to register the identification code as being invalid in case the verification result is negative, resulting in future verification results for this identification code to be negative by default.
27. The authentication system according to any one of the claims 16-26, wherein the identifier is a unique identifier used only once amongst the integrated circuits in the plurality of end node devices.
28. The authentication system according to any one of the claims 16-27, wherein the centralized registration system is implemented as a cloud service.
29. The authentication system according to any one of the claims 16-28, wherein the plurality of end node devices include Internet-of-Things devices.
30. An integrated circuit (4, 4a, 4b, 4c, 4d) comprising an identifier hard-coded in the integrated circuit, wherein the identifier is a bit-code of predefined length, for use in the authentication system (1) according to any one of the claims 16-29.
31. The integrated circuit according to claim 30, wherein the integrated circuit comprises a read-only register (41) comprising the identifier and an interface (MISO) for reading the identifier from the register and outputting the identifier.
32. The integrated circuit (4, 4a) according to any one of the claims 30-31, comprising: an SPI (Serial Peripheral Interface) and control logic for obtaining the identifier from the read-only register on a request received via the control logic; one or more voltage inputs (VDD, VSSD, VDDIO, VSSIO); one or more signal inputs (MOSI, SCLK, CSN); and a signal output (MISO) for outputting the identifier.
33. The integrated circuit (4, 4a) according to any one of the claims 30-32, wherein the integrated circuit is one of: miniature SO8-packaged, SSOP8-packaged, TSSOP8-packaged or 8WLCSP-packaged for board-level applications; RF-ID compatible; integrated in a multi-chip package; integrated as IP block in a larger IC.
34. An end node device (2, 2a, 2b) comprising the integrated circuit (4, 4a, 4b, 4c, 4d) according to any one of the claims 30-33, wherein the end node device is configured to read the identifier from the integrated circuit and transmit the identifier for authentication in the centralized code registration system (3).
35. Use of an integrated circuit (4, 4a, 4b, 4c, 4d) according to any one of the claims 30-33 in an authentication system (1) according to any one of the claims 16-29.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US202063012305P | 2020-04-20 | 2020-04-20 |
Publications (2)
Publication Number | Publication Date |
---|---|
NL1044006A NL1044006A (en) | 2021-10-27 |
NL1044006B1 true NL1044006B1 (en) | 2021-11-23 |
Family
ID=76708361
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
NL1044006A NL1044006B1 (en) | 2020-04-20 | 2021-04-20 | Method, system and chip for centralised authentication |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP4140092A1 (en) |
NL (1) | NL1044006B1 (en) |
WO (1) | WO2021214663A1 (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7877712B2 (en) | 2007-05-07 | 2011-01-25 | International Business Machines Corporation | System for and method of verifying IC authenticity |
KR101373455B1 (en) | 2013-10-15 | 2014-03-13 | 펜타시큐리티시스템 주식회사 | Apparatus for distinguishing the counterfeits and method thereof |
US10142335B2 (en) | 2015-12-18 | 2018-11-27 | International Business Machines Corporation | Dynamic intrinsic chip identification |
2021
- 2021-04-20 WO PCT/IB2021/053261 patent/WO2021214663A1/en unknown
- 2021-04-20 NL NL1044006A patent/NL1044006B1/en active
- 2021-04-20 EP EP21751864.6A patent/EP4140092A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
EP4140092A1 (en) | 2023-03-01 |
WO2021214663A1 (en) | 2021-10-28 |
NL1044006A (en) | 2021-10-27 |