Threats in supply chains, such as counterfeiting, product piracy and product recall, are growing dramatically in terms of volume, sophistication, and countries affected. The phenomenon is no longer specific to certain products or markets. The high-dimensional problem of pirated goods calls for multi-faceted and diverse solution approaches that go beyond today's techniques, such as paper pedigree and optical security features. For these reasons we study trust and security in RFID-based product authentication systems.
We first present a formal definition of the product authentication process and then derive the general chain of trust as well as the functional and non-functional security requirements for product authentication. Most of the scientific literature that covers the topic focuses on cryptographic tag authentication only. This paper, however, provides a broader view that also includes other known approaches, most notably location-based authentication. To derive the functional security requirements, we employ the concept of misuse cases, which extends the use case paradigm well known in the field of requirements engineering. We argue that the level of security of any RFID-based product authentication application is determined by how well it fulfills the derived set of functional and non-functional requirements. The security of different RFID-based product authentication approaches is analyzed. To study how RFID supports secure product authentication in practice, we investigate how the current EPC standards conform to the functional security requirements of product authentication and show how the unaddressed requirements could be fulfilled. The benefits of implementing a service that detects cloned tags at the level of the network's core services are identified.
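As an added illustration of the location-based authentication and network-level clone detection the abstract refers to (this is example code written for this page, not the paper's own service or any EPC standard component), the block below takes a trace of tag read events and flags EPCs whose observed trajectory is physically impossible, which is the symptom a cloned tag produces when the genuine and the counterfeit item are read at different sites. The site names, the minimum travel times, the expected stage order and the EPC values are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed lower bound on travel time (hours) between supply-chain sites.
# Illustrative assumption for this example; not data from the paper.
MIN_TRAVEL_HOURS: Dict[Tuple[str, str], float] = {
    ("factory", "dc"): 12.0,
    ("dc", "retail"): 6.0,
    ("factory", "retail"): 18.0,
}

# Constructed expected order of supply-chain stages (assumption).
STAGE_ORDER: Dict[str, int] = {"factory": 0, "dc": 1, "retail": 2}


@dataclass(frozen=True)
class ReadEvent:
    epc: str       # tag identity as reported by the reader
    site: str      # reader location
    time_h: float  # hours since an arbitrary epoch


@dataclass(frozen=True)
class Alert:
    epc: str
    reason: str
    previous: ReadEvent
    current: ReadEvent


def min_travel_hours(a: str, b: str) -> float:
    """Lower bound on travel time between two sites; 0 when the pair is
    unknown, so an unknown route never triggers an alert on its own."""
    if a == b:
        return 0.0
    if (a, b) in MIN_TRAVEL_HOURS:
        return MIN_TRAVEL_HOURS[(a, b)]
    return MIN_TRAVEL_HOURS.get((b, a), 0.0)


def detect_clones(events: List[ReadEvent]) -> List[Alert]:
    """Group reads by EPC, order them in time and flag trajectories that a
    single physical item could not have produced."""
    by_epc: Dict[str, List[ReadEvent]] = defaultdict(list)
    for ev in events:
        by_epc[ev.epc].append(ev)

    alerts: List[Alert] = []
    for epc, reads in by_epc.items():
        reads.sort(key=lambda e: e.time_h)
        for prev, cur in zip(reads, reads[1:]):
            elapsed = cur.time_h - prev.time_h
            # Same EPC seen at two sites faster than goods can move: two tags
            # carrying one identity (or a replayed read).
            if elapsed < min_travel_hours(prev.site, cur.site):
                alerts.append(Alert(epc, "impossible travel", prev, cur))
            # Item reappears at an earlier stage of the chain: legitimate for
            # returns, but worth surfacing for review.
            if STAGE_ORDER.get(cur.site, 0) < STAGE_ORDER.get(prev.site, 0):
                alerts.append(Alert(epc, "backward flow", prev, cur))
    return alerts


# Constructed sample trace: one plausible item and one whose identity is
# read in two places at once.
GENUINE = "urn:epc:id:sgtin:EXAMPLE.000001.1"
SUSPECT = "urn:epc:id:sgtin:EXAMPLE.000001.2"
SAMPLE_EVENTS = [
    ReadEvent(GENUINE, "factory", 0.0),
    ReadEvent(GENUINE, "dc", 14.0),
    ReadEvent(GENUINE, "retail", 21.0),
    ReadEvent(SUSPECT, "factory", 0.0),
    ReadEvent(SUSPECT, "dc", 14.0),
    ReadEvent(SUSPECT, "retail", 15.0),   # 1 h after the DC read: too fast
    ReadEvent(SUSPECT, "factory", 16.0),  # back at the factory 1 h later
]


if __name__ == "__main__":
    for a in detect_clones(SAMPLE_EVENTS):
        print(f"{a.epc}: {a.reason} "
              f"({a.previous.site}@{a.previous.time_h}h -> "
              f"{a.current.site}@{a.current.time_h}h)")
```

Running the detector over the whole read stream, rather than inside each reader, is what lets it see both reads of one EPC; a reader that only checks the tag in front of it cannot tell a perfect clone from the original, which is the reason the abstract places clone detection among the network's core services.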