An Extended Reselling Protocol for Existing Anti-Counterfeiting Schemes

Abstract

Product counterfeiting is a continuous problem in industry. Recently, an anti-counterfeiting protocol to address this issue via radio-frequency identification (RFID) technology was proposed by researchers. Yet, the use case of reselling the same product has not been fully addressed which might cause serious problems for the exciting and proposed schemes and transactions. This paper proposes an extended RFID-based anti-counterfeiting protocol to address the use case of the original buyer reselling the same item to a second buyer. We will follow the proposed extended scheme with a formal security analysis to prove that the proposed protocol is secure and immune against most known security attacks.

1. Introduction

Radio-frequency identification (RFID) tag counterfeiting can be described as the replication of a tag by either cloning its hardware component or copying its software in a way that the genuine reader or user would not be able to tell the if this tag is genuine or replicated. A number of researchers have proposed methods to address these problems, including track and trace methods and physically unclonable function (PUF)-based methods; however, the existing methods do not provide a sufficiently integrated solution to address the counterfeiting problem in a retail environment. Many researchers address RFID-based product anti-counterfeiting by proposing protocols or schemes to address this issue such as [1,2,3]. The work in [4] is the most recent and secure since the researchers apply the framework to a formal security analysis based on strand space. Yet, their work did not cover the high possibility of the same product or item been resold again by the buyer. This non mentioned transaction will definitely cause confusion and might effect the usability of the framework mentioned above. In this paper, we propose an extended version of the novel RFID-based scheme for anti-counterfeiting in large-scale retail environments proposed in [4], which is supposed to detect counterfeit and stolen items. The extended version proposed here will cover a use case which was not covered by the above-mentioned research paper that can cause confusion and error for the transactions while reselling the product. The extended work, as we described it above, has a different setup and different protocol. Although it uses the previous work as a base of extension, it will be significantly different to the previous one by using many other variables and elements such as the warranty tag as a form of confirmation, as detailed in following sections. In addition, the reselling protocol, which was not proposed before, makes this framework entirely different. The method to verify the security of this extended work is by using a similar formal security analysis based on strand space which was used by many other researchers, protocols and frameworks including our previous work to prove the protocol is immune and secure against known attacks. In theory, the feasibility of our proposed scheme should be clear since it covers the reselling scenario on the existing anti-counterfeiting methods without the need for a new design to be placed other than the extended scheme adjusted. This makes our proposed protocol work with the existing one providing security and privacy as we explain in the security analysis in Section 5. This property will also make the proposed scheme feasible and reliable with no need for extra spending or cost especially when building the scheme from scratch. In the existing literature, we cannot find the reselling scenario for items in the merchandise or retailer environment covered and detailed when using an anti-counterfeiting scheme. Our work in this paper will cove this gap via proposing the extended protocol for the previous existing schemes. In the next section, we will discuss the related work in the literature that addresses goods counterfeiting before we continue to analyze the Ghaith et al. protocol. We propose an extended anti-counterfeiting reselling scheme in Section 3 and later apply a formal security analysis based on strand space in Section 4 to prove that our scheme is secure, correct and resistant to attacks. Section 5 concludes the work.

2. Literature Review

In this section we will first mention some of the related work for anti-counterfeiting before analyzing Ghaith et al. and other related schemes which were designed to address products and items counterfeiting in retailer systems and merchandise.

2.1. Related Work

Counterfeiting goods or products is an ongoing problem which causes a lot of losses in the global market. The losses are estimated between USD$200 billion and USD$250 billion every year [5,6]. It also causes the loss of life and injuries caused by fake medicines [7,8,9]. To address this ongoing problem, researchers used different techniques such unique identification, barcodes and RFID tags. RFID technology is very promising since it has received attention previously in ownership transfer process in the supply chain as well as in an IoT environment [10,11,12,13,14]. Accordingly, the security, privacy as well as anti-counterfeiting were also addressed to prevent RFID tag counterfeiting, as discussed in [15,16].

In [17], a detailed survey study was conducted on RFID anti-counterfeiting techniques and methods found in the literature. A comparison between those techniques was also introduced that shows the differences between those techniques and shed a light on the weakness and strength for each approach compared to others. It stated that the cryptographic approach will be less costly, yet it needs complicated mathematical calculation to guarantee its security. In [1], there was a work which was done by Tran and Hong where they proposed an anti-counterfeiting system for retail environments. The authors used four key elements (the RFID tag, the reader, the server and the seller). The large use of RFID technology in a variety of fields and industries, as we can see in [18,19,20,21], made it clear that counterfeiting and reselling the items is one of the biggest challenges that will effect the use of the technology widely and openly. In [22], the authors suggested to identify all the cloned tags, just as the work in [23,24]. As well as segregating RFID tags in different places [22,25,26]. In addition, as we can see in [27], there is the scalability issue which is associated with the large use of RFID tags in industries such as labs, libraries, liqueur or supply chains which can be reduced significantly while solving the anti-counterfeiting issue.

The researchers came up with different types of solutions to overcome the anti-counterfeiting issues while using RFID technology. For instance, in [28,29], the authors used ’e-pedigree’, while Cheung proposed a two-layer RFID-based track and trace anti-counterfeiting system which is different than the work in [30] where the researchers proposed the hash function and an XOR operation in their anti-counterfeiting design. Other techniques to overcome anti-counterfeiting can be found in [22,31,32,33] where a distance bounding technique was used to identify cloned tags without the need to use complex cryptography operations. Anti-counterfeiting schemes based on cryptography are shown in [3,15]. Other similar proposed schemes can be found in [21,34,35,36]. According to [37], the IoT can play a crucial role in providing information about the transactions in place which is used by retailers in order to provide a clear statistic about the products, their supply and demand. The use of IoT can be enhanced by applying IoT sensor data to continue monitoring the products’ movements in the supply chain even if they are different from the channels that are used to be purchased from. Finally, a new security mechanism for RFID anti-counterfeiting was proposed in [38], which is based on combining a Rabin encryption scheme with PUF technology. The scheme is based on a three-fight-mutual authentication protocol. The researchers claimed that this design was up to 50 percent more area effective than other schemes which are relying on Elliptic Curve Cryptography (ECC), yet no reselling use case was mentioned.

2.2. Ghaith et al. Scheme Analysis

In this section, we will briefly analyze the Ghaith et al. scheme which was designed to address product anti-counterfeiting for retailer environments. Firstly, the scheme consisted of two sections, the counterfeit verification protocol and the database update protocol. They supported similar work in [1,3,15]. The designed RFID-based anti-counterfeit and anti-theft protocol as we saw above were used to address the problem from the perspective of a potential buyer in a retail environment. The novelty proposed to use UHF Gen-2 tags attached to products and goods which are subject to counterfeit. Those tags were able to handle the operational functions of PRNG and CRC [39] and support a mobile payment via the NFC system [40]. The protocol was subject to formal and informal security analysis in which both prove the protocol is reliable and secure against the known attacks. The formal security analysis which is the most significant was based on strand space. Since it was efficient, we will be using this method here to prove the extended reselling protocol to be immune against known attacks in the security analysis section. Although the protocol was secure and reliable, it did not cover the use case of reselling the same item again which will cause confusion in the transactions especially if this operation was repeated for many items or many times for the same item. This will result in the protocol being useless and not effective or practical. To address this reselling use case, we propose an extended version of the protocol that supports this transaction. In order to achieve this outcome, there are essentially two aspects to the transaction that need to be addressed. Firstly, the new buyer needs to be convinced that the seller is the legitimate owner of the product. In other words, the buyer needs to be convinced that the product is not stolen. Secondly, following the purchase, the ownership of the product needs to be transferred to the new owner in a secure manner as we will see later in the section three.

2.3. The Significance of Reselling Items in Retailer Environments

The need for reselling a product played a crucial role in the retailers transactions success as well as the second hand retailers, informally known as pawn shops. In order for the transaction subject of the reselling process to be successful, there should be many subjects to be covered or to be assessed. One of the major concerns when reselling an item from the buyer is whether this product is genuine or counterfeit. The uncertainty for the buyer, along side other factors, makes him hesitant when buying or purchasing a resold item. In [41], the authors analyzed a hierarchy process (AHP) which is the mechanism of making a decision based on multiple choices and purposes that the decision maker should evaluate to choose from. They designed a table based on four evaluation areas: personal need, experience, value and environment. Each evaluation area was divided into evaluation factors that were assigned weight factors, local priority and global priority. The evaluation area for personal need has the evaluation factors of need for joining, conspicuous need, need for differentiation, cognitive need, need for self-development. The evaluation area of value has the evaluation factors of rarity value, financial value, functional value, emotional value and conditional value. The evaluation area of experience has the evaluation factors of ludic experience, social experience, aesthetic experience, symbolic experience and various experience. The evaluation area of environment has the evaluation factors of technological change, business market change, inter-personal influence, social acceptance and cultural variety. According to the weight assigned to each factor, they were able to determine in the findings the importance of reselling according to [42,43,44,45,46,47,48]. Finally, in [41], authors concluded that aspects of personal needs were important to the decision making of reselling a product. Among 20 sub-factors facilitating the act of reselling, the need for joining turned out to be the most critical factor. Although the financial value was of low importance compared to other motivating factors, the growth of the reselling market and the emergence of resellers were closely related.

3. The Reselling Protocol

In this section, we propose a protocol that will be an extended version for the work that was proposed in [3,4]. In order to support the reselling functionality, we assume that the retailer on the completion of the original selling transaction provides the buyer with a warranty tag and updates the database with the details of the buyer including the warranty tag ID ($W{t}_{id}$), a unique ID for the buyer, the current owner ($E{x}_{id}$), tag ID ($T_{id}$) and the $Status$, typically as sold. See

Table 1. Protocol notations.

${\mathit{T}}_{\mathit{i}\mathit{d}}$	ID of the tag attached to the item
$T_s$	shared key between the seller and the server
$T_b$	shared key between the buyer and the server
$k_{pub},k_{pr}$	public and private keys of the server
f	hash function
$E_{k_{pub}},D_{k_{pr}}$	asymmetric encryption and decryption functions
$PRNG(·)$	random number generator
$status$	item status (sold, unsold, stolen)
$E{x}_i{d}^{\prime }$	buyer
$E{x}_{i}d$	seller
$W{t}_{i}d$	warranty card ID
$Ack$	acknowledgment
$Cack$	complete acknowledgment

. We note that the status attribute can take any one of 3 values: sold, unsold, stolen. In the event of an attempted reselling by a claimed owner, the prospective buyer is able to execute the reselling protocol to verify the legitimacy of the owner as well as the status of the object. We also assume that all prospective buyers are registered on the system and have been authenticated by the server prior to the initiation of the reselling protocol. We provide the details of the reselling protocol in the following section. As we saw in the previous work mentioned above in [1,3,4,15], the researchers designed RFID-based anti-counterfeit and anti-theft protocols to address the problem from the perspective of a potential buyer in a retail environment. They did not discuss the case of the same item being resold. They only addressed the use case of a buyer interacting with the retailer. The proposed scheme in [4] consisted of the counterfeit verification protocol and database update protocol. To address the use case of the original buyer reselling the product to a second buyer, we propose an extended version of the protocol that supports this transaction. In order to achieve this outcome, there are essentially two aspects to the transaction that need to be addressed. Firstly, the new buyer needs to be convinced that the seller is the legitimate owner of the product. In other words, the buyer needs to be convinced that the product is not stolen. Secondly, following the purchase, the ownership of the product needs to be transferred to the new owner in a secure manner. In this section, we propose a protocol that integrates both of these aspects. To support this, we extend the proposed frameworks from [3], to propose a ‘reselling protocol’ that can verify the status of an object and also verify the legitimacy of the claimed owner. We adopt a tag yoking-based approach that requires a legitimate owner to be in possession of the tagged object as well as a second warranty tag. The warranty tag ($W{t}_{id}$) is a second tag attached to the box or to the warranty card of the product, and is required to be in possession of an owner attempting to resell an item outside of the store. The system set up is very similar to the counterfeit verification protocol and in-order to verify if a product is stolen or not, we employ a server which will include the details of the tagged object and the associated warranty card which was given to the buyer by the retailer when the item was first purchased. The velocity of the operations in the protocol should be fast and will take only few seconds depending on the server speed and the signal strength. The purpose of the protocol is essentially three-fold: to verify the legitimacy of a tagged item, verify if the item was stolen or not and change the ownership of the tagged item to the new buyer. The protocol is depicted in Figure 1 and we provide the details below.

Step 1

The prospective buyer seeking to verify if a product is valid initiates the protocol by sending a query Q to the seller.

Step 2

The seller (reader) on receiving the query from the buyer generates $R_1$ and then computes $R_2=R_1\oplus E_{k_{pub}}(T_{id}\parallel W{t}_{id}\parallel E{x}_{id})$. The seller then encrypts $R_1$ using the public key of the server such that $R_3=E_{k_{pub}}(R_1\oplus T_s)$ and sends $R_2,R_3$ to the buyer.

Step 3

The prospective buyer (reader) on receiving $R_2,R_3$ generates a random number $R_4$ and calculates $R_5=R_4\oplus R_2$ and $R_6=E_{k_{pub}}(R_3\parallel R_4)$. The buyer then proceeds to send $R_5,R_6$ to the server in order to verify if the seller is the legitimate owner of the item and if the item is not stolen. We chose this logical operation in order to keep R₄ and R₂ undetermined in case of eavesdropping or a listener adversary listening to the communication between the buyer and the server.

Step 4

The server decrypts $R_6$ and $R_3$ using its secret key $k_{pr}$ and verifies if $T_{id}$, $W{t}_{id}$ and $E{x}_{id}$ match a record on the server database. Further, it verifies that the ‘status’ of $T_{id}$ was not stolen. If so, the server then prepares a response $Respons{e}_1=OK$ else it prepares a $Respons{e}_1=stolen$ and sends a response $ACK=R_4\oplus Response$ to the buyer.

Step 5

The buyer determines $Respons{e}_1$ from $ACK$. If $Respons{e}_1=OK$, the buyer may decide to buy and sends a request to the seller to buy by sending the hidden value of $R_7=E_{k_{pub}}(E{x}_{id}^{\prime }\parallel T_b)$. Else it aborts the transaction.

Step 6

Upon receiving $R_7$ from the buyer, the seller will check his records if the buyer paid for the item; if so, then he calculates $R_8=E_{k_{pub}}(R_7\oplus T_s)$ and sends it to the database in its encrypted format

Step 7

The server on receiving $R8$ decrypts to obtain $R7$, then determines $E{x}_{id}^{\prime }$ and $T_b$ from $R7$. The server then updates $E{x}_{id}\leftarrow E{x}_{id}^{\prime }$ and $T_s\leftarrow T_b$ for $T_{id}$ to reflect the ownership transfer for the tagged item. It then sends the $AC{K}_c=E{x}_{id}^{\prime }\oplus T_b\oplus R_7$ to the buyer, to confirm the ownership transfer.

Step 8

The buyer verifies that $E{x}_{id}^{\prime }\oplus T_b\oplus R_7=AC{K}_c$ to complete the protocol.

4. Security Analysis

To prove the reselling protocol is immune and resistant to adversary attacks, we commence a formal security analysis that was used previously based on strand spaces [49,50,51,52]. Informally, a strand can be defined as a sequence of transmissions or events that constitute executions of actions by a legitimate party or executions done by an attacker while the strand space is a collection of strands generated by interactions. We can define the point of view principle as a principal that knows that it is involved in actions in its session and wants to determine the maximum possibility on other behaviors that must have, or could not have, occurred.

4.1. The Nonce Test

We suppose that $R_4$ is peculiar and $R_4$ is found in a communication in a skeleton $\mathbb{A}$ at a node $n_1$. Assume that, $n_1$, $R_4$ is found outside all of the encrypted forms of $R_4$. Then, in any enrichment $\mathbb{B}$ of $\mathbb{A}$ such that $\mathbb{B}$ is a probable implementation, either:

• The private key $k_{pr}$ has been revealed before $n_1$ transpires, so that $R_4$ can be mined by the challenger; or
• other regular strand comprises a node $m_1$ where $R_4$ is communicated outside of $R_5$ or $R_6$, yet in all former nodes $m_0{\Rightarrow }^{+}{m}_1$, $m_1$ occurs before $n_1$, and $R_4$ was found only through this encryption.

Proof. 

To setup the secrecy of the nonce $R_4$, suppose a seller A performed at least the second node of a session, communicating the nonce $R_4$ with the a message $\{R_5,R_6\}$. An attacker can potentially get the value of $R_4$ in unprotected or encrypted form in at least two cases. □

• If $k_{pr}$ is compromised, an attacker would be able later to determine $R_4$ from $R_6$. For this to take place, $R_4$ must originate. Since $k_{pr}$ is never transmitted in the protocol, it is therefore non-originating.
• An attacker can determine if there was a lack of randomness in the random number generator that was sent. Since $R_4$ is uniquely originating, the random generator does not lack randomness. See Figure 2 and Figure 3.

Figure 2. Skeleton ${\mathbb{B}}_0$: $t_z$ is $\left\{R7\right\}$.

Figure 2. Skeleton ${\mathbb{B}}_0$: $t_z$ is $\left\{R7\right\}$.

Figure 3. Skeleton ${\mathbb{B}}_1$: $t_0$ is $\{R_5,R_6\}$.

Figure 3. Skeleton ${\mathbb{B}}_1$: $t_0$ is $\{R_5,R_6\}$.

The listener node, which is able to determine the value of $R_4$, means that $R_4$ is disclosed. On the other hand, if E is described by the contents of the messages in the sequence, then the previous member of E is a sender node. As ${\mathbb{A}}_0$ has a node, that $R_4$ value has no encryption at the earliest point and there should be a node that has $R_4$ in unencrypted form according to the minimality principle. In addition, if the attacker was able to generate the same $R_4$, then this generation should be unprotected by $k_{pub}$ in earlier transmission. To obtain $R_4$, the principle should recognize $k_{pr}$, otherwise it can not do this from $R_5$ or $R_6$. See Figure 4.

4.2. The Authentication Guarantee

Firstly, we assume that $\mathtt{non}$ and $\mathtt{unique}$ as we can see from the figures above. In skeleton $\mathbb{B}$, the initiator (A) transmits $R_6$ which means that the first node is unchanged. Yet, the term A which is used to represent the reception of $Ack$ by the buyer needs further elaboration. The probable elaborations are:

• To monitor the discovery of the decryption key $k_{pr}$, a listener node can be added to test this further elaboration in case $k_{pr}$ is discovered by the attacker who prepares a $t_z$ message.
• Otherwise, adding a strand of the protocol which needs to be the second node in the strand to send $t_z$. Yet, other possibilities for the terms in $t_z$ are unconstrained and need further elaboration.

Exploring ${\mathbb{B}}_2$, which has an unsolved node $n_D$ receiving $R_6=E_{k_{pub}}(R_3\parallel R_4)$. If it is so that $E^{\prime }=E$ and $k_{pub}^{\prime }=k_{pub}$, then no extra elaboration is needed. Or else, there was an execution since $R_4$ was seen only in $R_5$ and $R_6$ is received as $E_{k_{pub}^{\prime }}^{\prime }\left(R_4\right)$ on $n_D$. Since, $k_{pr}\in \mathtt{non}$, the first elaboration is not valid which means we are left with the last probability that the a regular strand which accepts $R_4$ in the encrypted procedure $R_5$ was transmitted in an unencrypted form. Since there is no such strand when analyzing ${\mathbb{A}}_0$, we had only one execution left where $E^{\prime }=E$ and $k_{pub}^{\prime }=k_{pub}$, which is acceptable.

4.3. The Secrecy of $R_4$

Since the value of $R_4$ must remain secret in the protocol, we examine its secrecy by observing $R_4$ in an unencrypted form via the listener node in the skeleton $\mathbb{B}$. $R_4$ is supposed to be fresh and unguessable for the protocol to work. Every enrichment of $\mathbb{B}$ requires the structure determined in ${\mathbb{B}}_{21}$ that contains a listener node for $R_4$. This means it has to be the enrichment of ${\mathbb{C}}_{21}$. To observe the discovery of ${\mathbb{C}}_{211}$ by accumulating a listener node for $R_4$, see Figure 5 and Figure 6. Yet, this is basically an enrichment of skeleton ${\mathbb{A}}_0$, ${\mathbb{C}}_{211}$ which is a dead end as well. Therefore, the extension protocol fulfills the security requirements from the buyers point of view.

5. Conclusions

In this paper, a reselling protocol that extends the anti-counterfeiting protocols which were proposed by researchers was presented. The reselling protocol enables owners to sell their items and for the prospective buyers to verify the ownership and legitimacy of the products. The proposed protocol is an integrated protocol that verifies the ownership and status of the item for sale and in addition enables the ownership transfer of the resold item. Detailed security analysis based on strand spaces is presented to show that the proposed extension of the reselling protocol is secure, private and robust against known attacks. The limitation of this work, in our opinion, is there might be buyers who damage or remove the tags from the products. This will damage and limit the proposed protocol significantly. We think that this possible issue needs to be solved in future work by covering this possibility as well as the possibility of the physical removal of the RFID tag during transportation or in the event of an accident.