With the rise of ready access to cheap offshore manufacturing and Internet-based retailing, it has become harder to make sure your customers aren’t unknowingly purchasing counterfeit products. With NFC and modern cryptographic techniques, it is now possible to make the authenticity of your products verifiable with a simple phone application.
How it works
Standard NFC tags contain between 48 bytes and a few kilobytes of information. While this may not sound like much, it is easily enough space to store a cryptographic signature using one of many digital signature algorithms.
When digital signature algorithms are built on asymmetric ‘public key’ algorithms such as elliptic curve cryptography (ECC) and RSA, a unique capability arises: offline verification. Classic ‘symmetric’ encryption algorithms use a single key for both encryption and decryption, while public key algorithms allow these operations to be split. In other words, with public key cryptography, you have a ‘public’ key that can be used for encryption and a ‘private’ key that is used for decryption.
When used as the basis of a digital signature algorithm such as ECC DSA (ECDSA), these split keys allow the content to be signed with one key and its authenticity verified with the other. The verification key can then be publicly distributed without fear of the signing key being compromised. As a result, the public can be provided with an application that can verify the authenticity of the product without exposing the signing key for counterfeiters to use to fraudulently sign products.
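The sign-then-verify flow described above, as an added example that is not TapTrack's code: it assumes ECDSA over P-256 with a fixed 64-byte signature, and it assumes the signature covers the tag's UID as well as the product record. The function names, the UID and the record are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// NewKey makes the manufacturer's P-256 key; only priv.PublicKey ships in the app.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// tagDigest hashes the length-prefixed tag UID followed by the product record.
// Assumption of this example: the UID is signed too, so a copied signature fails on another tag.
func tagDigest(uid, record []byte) []byte {
	msg := append(append([]byte{byte(len(uid))}, uid...), record...)
	d := sha256.Sum256(msg)
	return d[:]
}

// SignTag runs at the manufacturer and returns a fixed 64-byte r||s value to write to the tag.
func SignTag(priv *ecdsa.PrivateKey, uid, record []byte) ([]byte, error) {
	r, s, err := ecdsa.Sign(rand.Reader, priv, tagDigest(uid, record))
	if err != nil {
		return nil, fmt.Errorf("sign tag: %w", err)
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return sig, nil
}

// VerifyTag runs in the phone app, offline, holding nothing but the public key.
func VerifyTag(pub *ecdsa.PublicKey, uid, record, sig []byte) bool {
	if len(sig) != 64 {
		return false
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(pub, tagDigest(uid, record), r, s)
}

func main() {
	priv, _ := NewKey() // demo only: key generation error ignored
	uid, record := []byte{0x04, 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6}, []byte("SKU-0001;batch=42") // constructed
	sig, _ := SignTag(priv, uid, record)
	fmt.Println(VerifyTag(&priv.PublicKey, uid, record, sig), VerifyTag(&priv.PublicKey, uid, []byte("SKU-0002"), sig)) // true false
}
```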
While tags with asymmetric signatures can provide offline cryptographically secure verification, it is also necessary to make sure that a tag cannot be removed from an authentic product and placed instead on a counterfeit one. In order to do this, it is necessary to use anti-tamper tags. For general use, there are readily available sticker-format tags that are designed to be irrecoverably destroyed when a person attempts to remove them from the surface they’re adhered to. Additionally, tags can be customized for specific applications; for instance, a tag could be integrated into the cork on a whisky bottle that is destroyed upon opening in order to guarantee that a bottle isn’t refilled with an inferior beverage.
TapTrack has produced a basic demonstration of an offline verification system called TrustTap, the app for which is available on the Play Store. It should be noted that since this app must both encode and verify tags, it uses a symmetric cryptographic hash-based algorithm instead of an asymmetric encryption-based algorithm.