U.S. patent application number 09/228231 was filed with the patent office on 2002-12-12 for method and apparatus for securely determining aspects of the history of a good.
Invention is credited to CHAINER, TIMOTHY J., GREENGARD, CLAUDE A., PULLEYBLANK, WILLIAM R., TRESSER, CHARLES P., WU, CHAI W..
Application Number | 20020186145 09/228231 |
Family ID | 22856337 |
Filed Date | 2002-12-12 |
United States Patent
Application |
20020186145 |
Kind Code |
A1 |
CHAINER, TIMOTHY J. ; et
al. |
December 12, 2002 |
METHOD AND APPARATUS FOR SECURELY DETERMINING ASPECTS OF THE
HISTORY OF A GOOD
Abstract
The present invention provides methods and apparatus to detect
and reliably record the physical history of a product including
effects due to one or more of the following: 1) product use 2)
handling 3) tampering and 4) environment of the product (as changes
in the environment, such as excessive temperatures, humidity, or
shocks, can result in degradation to a product). The apparatus
includes a "smart card", or, more generally, "smart token", in
combination with one or more sensors which record the external
influences on the product and/or the environment and records those
changes in an encrypted form. This information can then be verified
by any individual who is equipped with a (possibly public)
decryption key, but capability to modify this information,
depending on the application, is restricted to those with access to
the encrypting key. Furthermore, the apparatus contains
authentication information which can be reliably verified, in
particular to confirm that the apparatus is attached to the product
it is supposed to be attached to.
Inventors: |
CHAINER, TIMOTHY J.;
(MAHOPAC, NY) ; GREENGARD, CLAUDE A.; (CHAPPAQUA,
NY) ; PULLEYBLANK, WILLIAM R.; (CROTON-ON-HUDSON,
NY) ; TRESSER, CHARLES P.; (MAMARONECK, NY) ;
WU, CHAI W.; (POUGHQUAG, NY) |
Correspondence
Address: |
WHITHAM, CURTIS & CHRISTOFFERSON, P.C.
11491 SUNSET HILLS ROAD
SUITE 340
RESTON
VA
20190
US
|
Family ID: |
22856337 |
Appl. No.: |
09/228231 |
Filed: |
January 11, 1999 |
Current U.S.
Class: |
340/870.16 |
Current CPC
Class: |
A61M 5/5086 20130101;
A61M 2205/273 20130101; G06K 19/0717 20130101; G06K 19/07372
20130101; G07F 9/02 20130101; G06K 19/0723 20130101; G07G 1/0054
20130101; G06K 19/07381 20130101; A61M 2205/6054 20130101; A61M
2205/27 20130101; G06K 19/073 20130101 |
Class at
Publication: |
340/870.16 |
International
Class: |
G08C 019/04 |
Claims
We claim:
1. A method of securely recording and storing information in an
integrated smart tag about at least one of physical, chemical and
environmental effects on an object, over time, comprising the steps
of: sensing data regarding a state of said object or an environment
of said object, with at least one of a plurality of sensors;
securely sending a signal from said sensor to a storage device
embedded within the smart tag; and securely recording using
encryption of said signal in said storage device for later
retrieval.
2. A method as in claim 1 further comprising the step of recording
a time in said storage device for each said signal recorded in said
storage device.
3. A method as in claim 1 wherein said sensors detect changes in
one or more states of the object selected from the group
comprising temperature, humidity, pressure, light, vibration,
shock, electromagnetic field, and chemical composition.
4. The method of claim 1, wherein said object is a motor vehicle
and said sensors detect at least one of the group comprising:
time, mileage, shock, temperature, geographic location, speed, and
securely records using encryption said signals in said storage
device, creating a time sequence history of said motor vehicle.
5. The method of claim 1, wherein said object is a packaging
container which encloses pharmacological products, food products,
or chemical products, and said sensors detect at least one of the
group of temperature, humidity, pressure, light, vibration, shock,
electromagnetic field, chemical composition, and opening of said
packaging container.
6. The method of claim 1, wherein said object is an electronic
consumer product and said sensors detect a number of power on hours
of said consumer product.
7. A method of recording and storing information in an integrated
smart tag about at least one of physical, chemical and
environmental effects on an object over time comprising the steps
of: sensing data regarding a state of said object or an environment
of said object, with at least one of a plurality of sensors;
processing said data to compute at least one of a plurality of
functions of said data; and storing a combination of said data and
values of said functions in a storage device.
8. A method of recording and storing information in an integrated
smart tag as in claim 7, further comprising the step of encrypting
at least one of said data and said values of said functions prior
to storage in said storage device.
9. A method of recording and storing information in an integrated
smart tag as in claim 7 further comprising displaying a result from
said processing step.
10. A smart tag security system comprising: a storage device; a
sensor securely sending a signal to said storage device; and an
encryption module altering data from said signal being securely
recorded in said storage device, for later retrieval.
11. The smart tag security system of claim 10 further comprising a
processing unit which acts upon said signals from said sensor.
12. The smart tag security system of claim 11 wherein said
processing unit acts upon said signal to determine if said signal
meets a threshold for recording in said storage device.
13. The smart tag security system of claim 11 wherein said
processing unit acts upon said signal to execute an algorithm to
process said signal to determine a state of an object.
14. The smart tag security system of claim 11 further comprising a
display displaying a result determined by said processing unit.
15. The smart tag security system of claim 14 wherein said display
includes a secure access.
16. The smart tag security system as in claim 10, wherein said
smart tag is integrated onto a single silicon substrate.
17. The smart tag security system as in claim 10, further
comprising a timing unit which sends a time stamp to said storage
device to be recorded for each signal recorded from said
sensor.
18. The smart tag security system as in claim 10, wherein said
sensor is comprised of a pressure sensor sending signals to said
storage device in response to changes in pressure around said
sensor.
19. The smart tag security system as in claim 10, wherein said
sensor is comprised of a light sensor sending a signal to said
storage device when light exposure to said sensor is changed.
20. The smart tag security system as in claim 10, wherein said
sensor is composed of an electrical connection which if broken
sends a signal to said storage device.
21. The smart tag security system as in claim 10, further
comprising an identification code encrypted in said storage device
specific to an object protected by said security system.
22. A security system as in claim 21 wherein said identification
code is authenticated using a zero-knowledge protocol.
23. A smart tag security system for recording and storing
information in an integrated smart tag about at least one of
physical, chemical and environmental effects on an object over
time, said system comprising a sensor for sensing data regarding a
state of said object or an environment of said object, a processor
for computing one of a plurality of functions of said data, and a
storage device for storing said data and values of said functions
of said data in a storage device.
Description
BACKGROUND OF THE INVENTION
[0001] 1. Field of the Invention
[0002] The present invention generally relates to security of
consumer goods and, more particularly, to the use of smart tags in
maintaining product security.
[0003] 2. Background Description
[0004] There is a need for certain products to be equipped with
some apparatus which can provide information about the current
state of the product as a result of events the product was
subjected to prior to becoming in the possession of a potential
consumer. Examples include the state of medical or food products
prior to their being used by a consumer.
[0005] Also, consumers sometimes have the right and/or the need to
know whether a product is brand new or not. This is especially true
of expensive items. There is also a need for a product to be
equipped by some apparatus which can record some aspects of the
product history, for example in the case of automobiles where today
odometers indicate, not very securely, one aspect of the history of
the automobile.
[0006] Another context for the invention is the fact that, in some
cases, the containers of some products are reused by the
manufacturer, and the consumer would like to know if the product in
the container is new or not, and if the container has been reused
by a third, unauthorized, party. There is also a need for a method
to detect whether the product has deteriorated, either because of
defects, or because its expiration date has passed, or because of
unwanted change in the environment, for instance in the form of
excessive cold, heat or humidity. These scenarios require an
apparatus which can detect the physical forces a product was
subjected to as a result of use, handling, tampering or
environmental factors. For either human intervention or
environmental factors, it may be important in some circumstances
that the recorded history of such events be very difficult to
modify or counterfeit.
[0007] The prior art contains many methods involving seals and
enclosures which allow one to detect when a package has been
tampered with. Such prior art goes far back in history, and a
multitude of improvements, with very general or very specific uses,
have been proposed which benefit from the general progress of
technology. For example, U.S. Pat. No. 5,159,629 to Glen P. Double
and Steve H. Weingart describes an intrusion barrier for protecting
an electronic assembly from tampering. The prior art also contains
methods of recording chronological information such as a data
logger which stores information on a product as described in U.S.
Pat. No. 5,010,560 to Mark A. Janney, Roger Newey, and Irwin J.
Robinson.
[0008] However, these methods do not overcome the problem of
providing a tamper evident history of a product and/or of its
environment. The prior art does not allow the information about the
history of a product and/or of its environment to be securely
recorded and kept.
SUMMARY OF THE INVENTION
[0009] It is therefore an object of the present invention to
provide a novel improvement on the prior art of tamper evident
packaging which can detect when a product has been tampered with
and resists the efforts of a tamperer, or of anyone else who would
benefit from hiding the tampering, to hide the signs of
tampering.
[0010] In the following, terms such as "impossible to change" or
"tamper-proof" should be understood to describe situations in which
sufficient resistance to tampering is provided to make successful
attacks rare due to cost/benefit issues, since codes, etc., can
theoretically be broken if sufficient resources are brought to bear
on the attack.
[0011] The invention uses a smart card, as described in U.S. Pat.
Nos. 3,971,916, 4,007,355, 4,092,524, and 4,102,493 to Roland
Moreno, or, more generally, a smart token, in combination with
sensors attached to the product and/or to the smart card: upon
tampering, or as a response to other circumstances, the sensors
generate signals which are encrypted and recorded in the memory or
storage device of the smart card attached to the product.
[0012] Recall that, for example, by using a zero-knowledge
protocol, a smart card can be authenticated but cannot be
duplicated. This technology has been disclosed for instance in U.S.
Pat. No. 5,140,634 to Guillou, et al. This is the property which
characterizes a smart card. Accordingly, in the rest of the present
disclosure, any electronic component with these properties and
which has some memories and/or some processing capabilities, will
be called "a smart token" or "a smart card", even if it does not
actually take any form resembling a card. A general reference to
smart card technology and applications can be found in Smart Cards:
A Guide to Building and Managing Smart Card Applications, by Henry
Dreifus and J. Thomas Monk, John Wiley & Sons, 1998.
[0013] When the product or its packaging is tampered with, some
attribute of the product or its environment changes. This change is
what is detected by (at least some of) the sensors attached to a
smart card, and the smart card will record this change irreversibly
by erasing or writing some information within the smart card
memory. The smart card also can be made duplication resistant by
using a zero-knowledge protocol so that only the manufacturer of
the original product, and/or possibly a trusted third party, for
example, can produce or buy such smart cards. The smart card also
can record the history of these changes in its internal memory.
BRIEF DESCRIPTION OF THE DRAWINGS
[0014] The foregoing and other objects, aspects and advantages will
be better understood from the following detailed description of a
preferred embodiment of the invention with reference to the
drawings, in which:
[0015] FIG. 1A is an isometric diagram showing a smart tag attached
to a product;
[0016] FIG. 1B is a plan view showing detail of the smart tag shown
in FIG. 1; and
[0017] FIG. 2 is a schematic diagram showing the path from sensors
to production of an electrical signal.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT OF THE INVENTION
[0018] Referring now to the drawings, and more particularly to FIG.
1A, there is shown a smart card 101 attached to a product 106. As
shown in FIG. 1B, the smart card is powered by a small power source
such as a battery 102. In addition to the normal components in a
smart card, such as memory or storage device 103 and processing
unit 104, and encryption module 107, the smart card is also
connected to a sensor 105 (or some number of sensors) which can
detect changes in the product and/or the environment due to
tampering.
[0019] The encryption module can use any of the well-known (public
or private) encryption algorithms such as Rivest, Shamir and
Adleman (RSA) or Data Encryption Standard (DES), as described for
example in Handbook of Applied Cryptography, by Alfred J. Menezes,
Paul C. van Oorschot and Scott A. Vanstone, CRC Press, 1997. A
discussion on cryptographic issues related to smart cards can be
found in the aforementioned book by Dreifus and Monk. The
encryption algorithms can be implemented as software modules on the
main processor of the smart card, or they can be executed in
specialized hardware. An example of such specialized hardware
currently used as a cryptographic accelerator to a personal
computer is the LunaVPN cryptographic accelerator manufactured by
Chrysalis-ITS, Ontario, Canada.
[0020] The entire smart card can be protected by a tamper proof
package 109, such as the one described in U.S. Pat. No. 5,159,629.
The smart card should be tamper evident in the sense that any
attempt in determining and/or changing the data in the smart card
would result in erasure of this data and/or destruction of some
element of the smart card. To prevent tampering with the smart card
itself, the packaging can include a trip wire or magnetic circuit
forming a closed connection with the sensor and any tampering with
the product involves opening the packaging in such a way as to
break this connection and trigger an (irreversible) change within
the smart card. In certain circumstances the tamper proof feature
and encryption may not be necessary.
[0021] Other mechanisms can also be used to the same ends of
preventing modifications and/or duplication of the smart card or
its data content, examples being obtained as easy modification of
the invention in U.S. Pat. No. 5,159,629.
[0022] The sensor can also be an on-chip pressure sensor or a
pressure sensor such as the NPP, NPC or NPH series pressure sensor
manufactured by Lucas NovaSensor of Fremont, Calif., with the
product packaged under low pressure. Tampering with the product
necessitates opening the packaging and allowing outside air to
reach this sensor. This change in pressure is recorded by the smart
card. For improved protection, the package can also contain a pump
to randomly vary the pressure inside the package. In this case the
pressure sensor measures the pressure, $P_{\text{sensor}}$, inside the
package and compares the sensor reading to the processor command,
$P_{\text{computer}}$, to the pump. A difference signal can be computed
as
$$P_{\text{difference}} = |P_{\text{computer}} - P_{\text{sensor}}|$$
[0023] If $P_{\text{difference}}$ is greater than a threshold
$P_{\text{thresh}}$, then the package is considered to be tampered
with.
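The comparison in paragraphs [0022] and [0023], as an added Python sketch that is not part of the patent text: the tag commands a random pump pressure, applies the threshold test to each reading, and appends every mismatch to a log. The threshold and pressure values, the three constructed sensor traces, and the use of chained HMAC-SHA256 in place of the card's encryption module (it gives integrity under a shared key, not the public-key verification the abstract allows) are assumptions made for illustration.

```python
import hashlib
import hmac
import random

P_THRESH = 5.0    # kPa; assumed value for P_thresh
AMBIENT = 101.3   # kPa; outside air reaching the sensor once the package is open


class PressureTag:
    """Commands a random pump pressure and records mismatching readings."""

    def __init__(self, key: bytes, seed: int):
        self._key = key
        # Seeded only so the example is reproducible; a device needs an
        # unpredictable source for the commanded pressure.
        self._rng = random.Random(seed)
        self._prev = b"\x00" * 32
        self.log = []  # append-only (record, mac) pairs

    def next_command(self) -> float:
        return self._rng.uniform(20.0, 60.0)  # P_computer, kPa

    def observe(self, t: int, p_computer: float, p_sensor: float) -> bool:
        """Apply |P_computer - P_sensor| > P_thresh; record the event if true."""
        p_difference = abs(p_computer - p_sensor)
        if p_difference <= P_THRESH:
            return False
        record = f"t={t};cmd={p_computer:.1f};read={p_sensor:.1f}".encode()
        mac = hmac.new(self._key, self._prev + record, hashlib.sha256).digest()
        self.log.append((record, mac))
        self._prev = mac  # each MAC also covers the previous one
        return True


def verify_log(key: bytes, log) -> bool:
    """Recompute the MAC chain; an edited or removed earlier record breaks it."""
    prev = b"\x00" * 32
    for record, mac in log:
        expected = hmac.new(key, prev + record, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False
        prev = mac
    return True


def run(trace: str, steps: int = 20, seed: int = 1) -> PressureTag:
    """Simulate one constructed sensor trace and return the tag with its log."""
    tag = PressureTag(key=b"constructed-demo-key", seed=seed)
    noise = random.Random(seed + 1)
    for t in range(steps):
        cmd = tag.next_command()
        if trace == "intact":      # sealed package: sensor follows the pump
            reading = cmd + noise.uniform(-1.0, 1.0)
        elif trace == "opened":    # outside air has reached the sensor
            reading = AMBIENT
        else:                      # "static": reading stuck at one value
            reading = 40.0
        tag.observe(t, cmd, reading)
    return tag


if __name__ == "__main__":
    for name in ("intact", "opened", "static"):
        print(name, len(run(name).log), "events recorded")
```

A reading that stays at a single value is flagged because it does not follow the random commands, which a fixed target pressure could not reveal.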
[0024] In yet another implementation, the smart card has a light
sensor such as the photodetector MTD3010PM made by Marktech
Optoelectronics, Latham, N.Y. The smart card is then packaged so as
not to be exposed to light. When the product is tampered with,
light will reach this sensor and the smart card will record this
change. One may use an optoelectronic sensor which can detect
electromagnetic radiation beyond the visual spectrum such as
infrared or ultraviolet radiation. Whichever part of the spectrum
is used, supplementary sources of radiation can be used, with
random levels, as described previously in the case of the pressure
sensor, to enhance the security.
[0025] Similarly, a temperature sensor such as the TMP03 series
sensors manufactured by Analog Devices, Norwood, Mass., can be used
to detect changes in temperature, in applications where the
temperature at which a product is shipped has to be maintained in a
certain range.
[0026] In applications such as in motor vehicles where the
detection of shock is needed, an accelerometer such as the Analog
Devices ADXL05 or Lucas NovaSensor NAC series accelerometer can be
used as the sensor (or as one of the sensors).
[0027] In one application of a smart tag vehicle sensor, the smart
card records the output of the ADXL05, generates a time stamp and
encrypts and stores the result into the memory 103 of the smart
tag. In addition, other sensors, such as the TMP03 temperature
sensor, may also be logged and stored. The vehicle speedometer
readings and odometer readings may be time stamped, encrypted and also
stored in the memory 103. The location of the vehicle is often
important in identifying the types of weather conditions the
vehicle has been subjected to, and a GPS system whose output
is securely recorded in memory may also be added. The combination
of the time history of the shock, temperature, speed history,
mileage history and geographic location can be used to create a
secure vehicle history which can be made available to evaluate the
condition of the vehicle.
[0028] An example of such a history is summarized below:
Vehicle History =
mileage              50,000 miles
max shock            10 g
max temperature      90 F.
minimum temperature  50 F.
max speed            85 mph
vehicle location     Florida 90% of miles
                     other 10% of miles
[0029] Depending on the product, the sensor (or the combination of
sensors) detects mechanical, electromagnetic and thermal
properties, and more generally a physical and/or chemical property
or a combination thereof. References for sensors detecting chemical
properties are found in An Introduction to Electronic Nose
Technology, by J. Gardner, Neotronics Scientific, Warwick, 1996.
Once a change is detected beyond some fixed threshold (or when the
data captured by the sensors differs enough from a computed random
sequence) at 105, it will be irreversibly recorded within the smart
card 101. Time stamping of the event provides a recorded history
for the device; secure time stamping can be achieved for instance
by attaching a clock or timing unit to the smart card inside the
tamper proof package 109.
[0030] As shown in FIG. 2, for instance, using such physical
properties as piezoelectricity, the sensor 105 such as a Murata
PDGS-00LA-TC accelerometer produces a voltage 113 in response to an
external force input which results in an acceleration of the
sensor. When the electronic signal 113 exceeds some predetermined
threshold 110 a comparator 111 is triggered to produce a logic
level output to power up the smart card. As a consequence, once a
shock is detected greater than a predetermined threshold, it will
be irreversibly recorded as a change within the smart card 101.
This same concept could be adapted to accommodate random input as
an additional means to protect against entering a package
containing a product. The recorded data is encrypted and provides a
history of physical events of the product. Anybody in possession of
a (possibly public) key can retrieve the data which, once processed
by proper algorithms, allows determination of the product state,
and allows recognition that the smart card is attached to the
product to which it is supposed to be attached. Such analysis can
include, but is not limited to, the temperature to which the
product was subjected, shocks the product experienced, the first
time the product was powered on, etc.
[0031] In some cases, if needed, the smart card will also keep a
record of the history of changes by also recording the time. In all
cases, the change in the product or its environment causes the
state of the smart card to be changed irreversibly. This can be
effected by the smart card erasing or writing some information in
its internal memory.
[0032] Any person wishing to determine whether the product is new
or not first authenticates the smart card using a zero knowledge
protocol. He or she then queries the smart card for the information
on whether the product has been opened or been tampered with. If
both the authentication is successful and the smart card did not
record any change in state, then it can be concluded that the
product has not been tampered with.
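The check in paragraph [0032], as an added Python sketch that is not part of the patent text: authentication uses Guillou-Quisquater-style zero-knowledge identification rounds, chosen here as one example of such a protocol, followed by the tamper query. The toy modulus, the product identifiers, and the names SmartTag, issue_secret, authenticate and product_is_new are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumptions): two known Mersenne primes. A real modulus
# would use large, secret, randomly generated primes.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
V = 65537  # public exponent; also the size of the challenge space


def identity(product_id: str) -> int:
    """Public value J derived from the product's identification code."""
    digest = hashlib.sha256(product_id.encode()).digest()
    return int.from_bytes(digest, "big") % N


def issue_secret(product_id: str) -> int:
    """Manufacturer side: B with J * B^V = 1 (mod N); needs P and Q."""
    s = pow(V, -1, (P - 1) * (Q - 1))
    return pow(pow(identity(product_id), -1, N), s, N)


class SmartTag:
    """Prover: holds the secret B and a one-way tamper flag."""

    def __init__(self, secret: int):
        self._b = secret
        self._r = None
        self._tampered = False

    def sensor_event(self) -> None:
        self._tampered = True  # can be set, never cleared

    def query_tampered(self) -> bool:
        return self._tampered

    def commit(self) -> int:
        self._r = secrets.randbelow(N - 2) + 2
        return pow(self._r, V, N)  # T = r^V mod N

    def respond(self, d: int) -> int:
        r, self._r = self._r, None  # each r answers exactly one challenge
        return (r * pow(self._b, d, N)) % N  # D = r * B^d mod N


def authenticate(tag: SmartTag, product_id: str, rounds: int = 3) -> bool:
    """Verifier: accepts only if D^V * J^d == T in every round.

    product_id is read from the product itself, so a genuine tag moved
    from another product fails. The secret B never leaves the tag.
    """
    j = identity(product_id)
    for _ in range(rounds):
        t = tag.commit()
        d = secrets.randbelow(V)  # random challenge
        big_d = tag.respond(d)
        if (pow(big_d, V, N) * pow(j, d, N)) % N != t:
            return False
    return True


def product_is_new(tag: SmartTag, product_id: str) -> bool:
    """Both conditions of [0032]: authentication succeeds and no change recorded."""
    return authenticate(tag, product_id) and not tag.query_tampered()


if __name__ == "__main__":
    tag = SmartTag(issue_secret("SN-0001"))  # constructed identifier
    print("sealed:", product_is_new(tag, "SN-0001"))
    tag.sensor_event()
    print("after sensor event:", product_is_new(tag, "SN-0001"))
```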
[0033] The smart card can be contactless (by which we mean that no
physical contact with the card is needed when performing the
authentication or querying) and is embedded into the product or its
container. In this case, the authentication and query are made via
some remote means. Such technology is currently available, for
instance in RFIDs as disclosed in U.S. Pat. No. 5,682,143 to
Michael J. Brady, Thomas Cofino, Harley K. Heinrich, Glen W.
Johnson, Paul k Moskovitz, and George F. Walken. For early
references, see, for example, U.S. Pat. No. 4,063,229 to John Welsh
and Richard N. Vaughan, U.S. Pat. No. 4,242,663 to Leo Slobodin,
and U.S. Pat. No. 4,646,090 to Daniel D. Mawhinney.
[0034] For certain products, the output of the sensor 105 is sent
to processor 104 which executes a mathematical algorithm to
determine a function of the history of the object and/or its
environment. For example, milk containers temperature and time
history can be used to determine the probability that the milk is
sour according to a model, such as shown below:
$$P(\text{sour}) = \int_{t_{\text{manufacture date}}}^{t_{\text{current date}}} f(t, T(t))\, dt$$
[0035] where T is the temperature of the milk container, t is time,
and f is a function which can be determined experimentally. The
process can result in a message which may or may not be encrypted.
For instance, the message may be a visible indicator to the
consumer.
[0036] Some products (such as wine, food, chemical compounds, or
pharmacological products) can deteriorate with no known cause, in
which case one cannot use only the control of the environment, but
some sensor has to detect intrinsic chemical and/or physical
properties of the product. The inventive device could be used to
record temperature, humidity, pressure, light, vibration, shock,
electromagnetic field, chemical composition, and the opening of the
packaging which contains the products.
[0037] If the passing of the expiration date is to be detected, the
smart card is equipped with a clock or timer which would record the
expiration of the product when it occurs.
[0038] In another embodiment, the inventive device may be used for
detecting and recording changes in consumer electronic products. In
addition to the changes described previously, hours of in-use time
(power-on hours) for the product may be recorded.
[0039] The smart card may be created in an inactive state. After
the smart card is attached to the product, the smart card is
activated by sending a command to the smart card. This can be done
remotely in the case of contactless smart cards. Once activated,
the smart card will start monitoring the product and/or its
environment. For added security, once activated the smart card
cannot be deactivated unless it is destroyed. Alternatively,
deactivation would cause an irreversible change in the smart card
indicating that the smart card was deactivated after
activation.
[0040] In yet another preferred embodiment, the smart card could be
powered externally, for example by an RF (radio-frequency) energy
source. The smart card has micromachined features on chip which are
changed (for example, pieces could be broken off) when the product
is tampered with. When the user needs to determine whether the
product is tampered with, an external power source is applied to
power on the smart card. The authentication phase is as before.
Next, the micromachined features are sensed either by the smart
card or by the user to determine whether tampering has
occurred.
[0041] While the invention has been described in terms of a
preferred embodiment with multiple applications and modifications,
those skilled in the art will recognize that the invention can be
practiced with modification within the spirit and scope of the
appended claims.
* * * * *