US20120298741A1 - Method and System for Deterring Product Counterfeiting, Diversion and Piracy - Google Patents

Abstract

A client system receives a request for a set of unique security codes and also receives product data associated with a product on which the security codes are to be printed. The client sends at least some of the product data to a host system and receives a batch identifier from the host. The host stores received product data with the batch identifier. The client generates the set of security codes and then provides the codes to be printed on the product. After the products enter the stream of commerce, the host can receive an authentication request including a security code, and in response the host will verify that the security code is valid and return to the requestor the authentication result and at least part of the product data associated with the batch identifier.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
• This application is a divisional application of U.S. patent application Ser. No. 12/850,909 filed on Aug. 5, 2010, which is a continuation of U.S. patent application Ser. No. 11/612,209 filed Dec. 18, 2006, which is a continuation of U.S. patent application Ser. No. 11/347,424 filed Feb. 2, 2006, which claims the priority of U.S. Provisional Patent Application No. 60/650,364, filed Feb. 3, 2005, which is incorporated herein by reference.
BACKGROUND OF THE INVENTION
• 1. Field of the Invention
• The present invention relates generally to anti-counterfeiting measures, and in particular, to a method and system for authenticating products, and thereby deterring counterfeiting diversion and/or piracy.
• 2. Description of the Prior Art
• In the consumer goods industry, counterfeiting is a significant and growing problem. While fashion and luxury goods have long been targets of counterfeiters, nearly any branded product can be the subject of counterfeiting. For example, products such as shampoo, automotive parts, baby formula and even beer have been the subjects of counterfeiting. Counterfeiting is difficult to detect, investigate, and quantify. Consequently, it is difficult to know the full extent of the problem. However, by some estimates, between five to seven percent of all world trade is in counterfeit goods, amounting to an annual value that exceeds $250 billion. That figure is likely to increase as globalization continues and supply chains are extended further into developing countries that lack the ability and/or the desire to detect and prevent counterfeiting.
• In a traditional counterfeiting scheme, an individual or group of individuals, produces, packages and attempts to sell products with the intent to deceptively represent the product's authenticity and/or source. In most cases, the quality of a counterfeit is less than the original product that the counterfeit has been designed to emulate. Consequently, consumers that unknowingly purchase counterfeit goods are being defrauded. In some cases, such as with drugs, medicines and automotive parts, when a consumer unknowingly purchases a counterfeit, the results can be dire.
• Counterfeiting has a significant impact on business entities as well. Perhaps the most obvious negative effect counterfeits have on companies is lost revenue and profit. Less obvious but equally important is the potential damage counterfeits can cause to a company's brand equity. For example, a single highly publicized negative incident caused by the use of a counterfeit can cause immeasurable damage to a company's reputation.
• Several techniques have been developed or proposed for preventing counterfeiting. For example, some of the techniques aimed at preventing counterfeiting include marking products, labels or product packaging with an identifying mark using holograms, color shifting inks, tamper labels, intaglio inks, and ultraviolet inks. However, this approach is often ineffective because the identifying mark is easily copied by counterfeiters, and/or is too difficult for consumers to recognize.
• Another approach to preventing counterfeiting is to utilize radio frequency identification (RFID) tags. For example, by attaching a special RFID tag to a product when it is initially packaged, the product can be later authenticated by verifying the unique identifying data transmitted by the RFID tag. However, adding an RFID tag to each product increases the overall cost of the product. Moreover, the equipment (e.g., RFID sensors or readers) needed to verify the RFID tag may only be available to certain entities in the distribution chain of the product, and almost certainly are not available to a consumer of the product. The RFID tags themselves or the codes within them are also subject to counterfeiting. Consequently, there remains a need for an effective and economical anti-counterfeiting system.
SUMMARY
• A method and system for detecting and deterring counterfeits are provided. Consistent with one embodiment of the invention, a system for deterring counterfeits includes a client and a host. The client includes code generation logic that utilizes data received from the host to generate a batch of security codes. Once the security codes are generated, the client directs a printing device to print the batch of security codes on a batch of products without retaining security codes after the printing device has printed the security codes on the products. The host includes code authentication logic that receives a security code that has been printed on a particular product along with a code authentication request. Accordingly, the host authenticates the security code by determining whether the security code was generated by the client.
BRIEF DESCRIPTION OF DRAWINGS
• The present invention is illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:
• FIG. 1 illustrates an anti-counterfeiting system having a host component and a client component, consistent with one embodiment of the present invention;
• FIG. 2 illustrates a method, according to one embodiment of the invention, for generating a plurality of unique security codes to be printed on products;
• FIG. 3 illustrates a method, according to an embodiment of the invention, for authenticating a product on which a security code has been printed;
• FIG. 4 illustrates operations and data flow associated with a method for generating security codes, according to an embodiment of the invention;
• FIG. 5 illustrates operations and data flow associated with a method for authenticating a product containing a security code, according to an embodiment of the invention;
• FIG. 6A illustrates an example of a security code comprising alphanumeric text, according to an embodiment of the invention;
• FIG. 6B illustrates an example of a security code comprising alphanumeric text encoded as a graphic symbol, according to an embodiment of the invention;
• FIG. 7 illustrates a diagrammatic representation of a machine, in the exemplary form of a computer system, within which a set of instructions for causing the machine to perform any one or more of the methodologies discussed herein, may be executed.
DETAILED DESCRIPTION OF THE INVENTION
• Methods and systems for detecting and deterring counterfeits are described. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be evident to one skilled in the art, however, that the present invention may be practiced without these specific details. The description and representation herein are the means used by those experienced or skilled in the art to effectively convey the substance of their work to others skilled in the art. In some instances, to avoid unnecessarily obscuring aspects of the present invention, well known operations and components have not been described in detail.
• Reference herein to “one embodiment” or “an embodiment” means that a particular feature, structure, operation, or other characteristic described in connection with the embodiment may be included in at least one implementation of the invention. However, the appearance of the phrase “in one embodiment” in various places in the specification does not necessarily refer to the same embodiment.
• Embodiments of the present invention include methods and systems for authenticating original products, and thereby detecting and deterring product counterfeits. In one embodiment of the invention, a system for detecting counterfeits includes a host component and a client component. Accordingly, the client generates a plurality of security codes utilizing data received from the host, and then directs a printing device to print the security codes on consumer products. However, in contrast to previously known anti-counterfeiting systems, after the security codes have been printed on the products, the security codes are not retained. That is, neither the host nor the client retains the security codes in short- or long-term memory, after the security codes have been printed and the products have been placed in the stream of commerce. Furthermore, in one embodiment of the invention, the security codes are generated at the location where they are printed on products. Consequently, the security codes need not be communicated over a network, where they may be compromised, for example, by a network packet sniffing application.
• As will be described in greater detail below, a product consumer or any other person in the product distribution chain can verify the authenticity of a product on which a security code has been printed by simply communicating the security code to the host. Furthermore, a wide variety of devices and methods may be utilized to communicate a security code to the host for authentication. For example, a telephone may be utilized to communicate a security code to the host by speaking the security code, or alternatively, by inputting the security code using the telephone's touch-tone dial pad. Alternatively, a computing device (e.g., personal computer, personal digital assistant, mobile phone, etc.) may be used to communicate a security code to the host. For example, a security code may be captured with a keyboard, telephone key pad, camera, or barcode reader and then sent to the host. After the security code has been received and authenticated at the host, the host communicates a result of the authentication operation to the consumer.
• It will be appreciated by those skilled in the art that the present invention is particularly applicable to branded products and goods. A branded product may include any product that has an identifiable source (e.g., manufacturer or provider). Often, but certainly not always, a branded product is marked with a proprietary name or feature, such as a trademark. In some cases, a product brand may be recognizable by the design, shape or color of a product or good. A branded product may include, but is by no means limited to: pharmaceuticals, cosmetics, toiletries, hair care products, nutraceuticals, toys, tobacco, food, beverages, automotive parts, apparel and footwear, computer hardware and software, electronics, household goods, cleaning products, eyewear, and luxury items.
• FIG. 1 illustrates ananti-counterfeiting system10, according to one embodiment of the invention, having ahost component12 and aclient component14. In one embodiment of the invention, thehost12 may be maintained and operated by an entity that provides anti-counterfeiting services to one or more product manufacturers. Accordingly, thehost12 may be connected by means of anetwork16 to any number ofclients14. For example, a product manufacturer with several product packaging facilities may employseveral clients14, with oneclient14 at each individual packaging facility. Similarly, thehost12 may service a variety ofclients14 associated with different product manufacturers.
• Thenetwork16, over which thehost12 and theclient14 communicate, may be an open network, such as the Internet, or a private network. In one embodiment of the invention, communications between thehost12 and theclient14 are achieved by means of a secure communications protocol, for example, such as secure sockets layer (SSL) or transport layer security (TLS).
• Referring again toFIG. 1, theclient14 includes acode generation module18,code generation logic22 and acode marking module24. Thecode generation module18 facilitates interaction between theclient14 and users of the client14 (e.g., client-users).
• In one embodiment of the invention, a client-user may initiate the generation of a batch of security codes by entering a number indicating the size of the batch of security codes required. In addition, thecode generation module18 may prompt the client-user to enter product data associated with a product on which the security codes are to be printed. For example, thecode generation module18 may prompt the client-user to enter product data, such as a universal product code (UPC), a product description, a package size or quantity, a packaging image, or some time- or location-specific attributes such as a work order, lot number, manufacturing date, use-by date, operator name, or manufacturing plant. The product data entered into thecode generation module18 may be communicated to thehost12 along with a request to generate security codes.
• During the authentication operation, which is described in greater detail below in connection with the description ofFIG. 5, the product data, or a subset of the product data, entered by the client-user or stored on the host may be displayed or otherwise communicated to a consumer or other person in the supply chain in response to a code authentication request. Moreover, the particular product data that is displayed or communicated may vary depending on the person submitting the code authentication request. In particular, the product data displayed or communicated may vary depending on the position of the person in the overall supply chain or stream of commerce. For example, a customs official that submits a code authentication request may be presented with different product data than a consumer.
• As described in greater detail below, in connection with the description ofFIG. 4, thecode generation logic22 utilizes data received from thehost12 to generate the security codes that are printed on the products. In one embodiment of the invention, thecode marking module24 controls the transfer of security codes to theprinting device26, which may print the security codes directly on the products, or alternatively, on a product label or product packaging. Accordingly, thecode marking module24 may confirm that security codes are transferred correctly from thehost12 to theprinting device26. In addition, thecode marking module24 may keep a running tally of the number of security codes that have been transferred from theclient14 to theprinting device26, and/or the number of security codes that have been printed.
• Theprinting device26 may be any type of printing system suitable for printing security codes on products, labels or product packaging. For example, theprinting device26 may include a high-speed industrial inkjet printer (with visible or invisible ink), a thermal transfer printer (with visible or invisible dye ribbons), a laser marker or other industrial marking system. In certain embodiments, special invisible inks, or other related technologies may be utilized to covertly mark products with invisible security codes. Theprinting device26 may consist of any combination of these printing technologies. It will be appreciated by those skilled in the art that the printing device specifications will be based on the customer's performance requirements, packaging or product substrate material, and operating environment, and will generally reflect the state of the art in such printing or marking systems.
• In one embodiment of the invention, the security codes may be printed on a tamper-evident seal. Accordingly, the tamper-evident seal may be positioned on the product in such a way that the tamper-evident seal is destroyed when the product is opened, or otherwise used. Consequently, once destroyed, the security codes cannot be reused.
• In one embodiment of the invention, theprinting device26 may be connected to, or integrated with, avision system28 or other imaging device. Thevision system28 may scan or read each security code as it is printed to detect whether a printing problem has occurred and to ensure an overall level of print quality is met. Accordingly, upon detecting an error in the printing of a particular security code, thevision system28 may flag the security code by notifying theclient14 orhost12, or otherwise rejecting the low quality printed security code. Thevision system28 may be implemented through use of “machine-vision”, such as an optical or non-contact reader, which has the ability to detect physical attributes of the security codes as they are printed on the product, label or product packaging. Thevision system28, in conjunction with other process control methods, ensures that only high quality security codes are printed on products or packages, while keeping the reject rate extremely low to maintain yield and throughput on a filling or packaging line.
• As illustrated inFIG. 1, theprinting device26 andvision system28 are separate from theclient14. It will be appreciated by those skilled in the art that in an alternative embodiment, theprinting device26 may be integrated with theclient14. Similarly, thecode marking module24 is shown integrated with theclient14 inFIG. 1. It will be appreciated by those skilled in the art that in an alternative embodiment, thecode marking module24 may be integrated with theprinting device26. In one embodiment of the invention, theclient14 may be implemented in a distributed manner, such that one or more client components are geographically separated. For example, in one embodiment of the invention, thecode generation module18 may be located in a business headquarters, while one or more of the other components, including the printing device, are located at a packaging facility. In a distributed embodiment, onecode generation module18 may be integrated to support and work with multiplecode marking modules24 and/orprinting devices26. Accordingly, a distributed embodiment may be implemented when a manufacturer has multiple packaging facilities.
• Thehost12 of theanti-counterfeiting system10 includes an administration module30. Similar to thecode generation module18 of theclient14, the administrative module30 facilitates interaction between thehost12 and a host-user.
• Thehost12 includes a batch identifier (batch ID)generator36 and a batch key generator34. As described in greater detail below, in response to receiving a client request to generate security codes, thebatch ID generator36 generates a batch ID for the set of security codes and the batch key generator34 generates an associated batch key (also referred to as a seed number). The batch ID and batch key are associated with the client request and stored by thehost12, for example, in theproduct database32, along with product data received with the client request. In addition, thehost12 communicates the batch ID and batch key to theclient14, which utilizes batch ID and batch key to generate unique security codes that are printed on products.
• Thehost12 also includescode authentication logic38. As described in greater detail below in connection with the description ofFIG. 5, thecode authentication logic38 receives and authenticates security codes that have been printed on products. For example, after a security code has been printed on a product, a consumer or other person in the supply chain or stream of commerce can communicate the security code to thehost12 for authentication purposes. If thehost12 determines the security code is authentic, thehost12 may report such to the consumer.
• Consistent with an embodiment of the invention, various methods and devices may be utilized to communicate a security code to thehost12 for authentication purposes. For example, in one embodiment, aconsumer40 may utilize a phone-based service (e.g., voice, short messaging system (SMS), web-enabled application), a personal computer, a personal digital assistant, a camera-phone, orother computing device42 with data communications, to communicate a code authentication request (including the security code) to thehost12. After the security code has been communicated to thehost12, thecode authentication logic38 will validate the authenticity of the security code. In one embodiment of the invention, thehost12 may reply to the code authentication request with a message including key attributes associated with the product. For example, the response from thehost12 may include a description of the particular product, including the brand name, size or quantity, expiration date, date of manufacture, place of manufacture, lot number, or any other potentially relevant data.
• In one embodiment of the invention, thehost12 includes an analysis and reportingmodule44. The analysis and reportingmodule44 has two primary functions. First, the analysis component provides a mechanism for identifying potential fraudulent activity by tracking and analyzing code authentication requests. For example, the analysis component records each time a request is received to authenticate a particular security code, and when possible, the source (e.g., person, geographical location, or other device identifier, such as an Internet Protocol address) from which each request is received. Accordingly, by analyzing security codes received with code authentication requests, the analysis component is able to detect suspicious patterns that may indicate counterfeiting activity. For example, if an authentic security code is copied and utilized on a batch of counterfeits, then it is likely that several consumers may attempt to authenticate the same security code (e.g., the copied security code). By detecting suspicious patterns, the analysis and reportingtool44 can notify a manufacturer's brand security personnel to monitor the activities in a particular point of the supply chain.
• The other primary function of the analysis and reportingmodule44 is a reporting function. In one embodiment of the invention, the reporting component of themodule44 provides a mechanism for reporting suspicious activities, as well as general business reports. The reports may present a range of relevant information designed to give insight into fraudulent or suspicious activities in the supply chain and so allow brand security personnel to take rapid preventative action. In addition, the reporting component may generate business reports that include formatted data associated with authentication activities for different products. Reporting functions may be customized through the client, the host, or both. In one embodiment, reporting rules and alerts may be established for the analysis and reportingmodule44 that automatically alert brand security personnel if a counterfeit alert has been triggered, for example by detecting a pattern of code authentication requests indicating a high likelihood that a security code has been copied or cloned.
• It will be appreciated by one skilled in the art that theanti-counterfeiting system10 illustrated inFIG. 1 has been provided as one example or embodiment of the invention, and is not meant to be limiting in nature. The system may include other logic and functional or modular components, the description of which has not been provided to avoid unnecessarily obscuring the invention.
• FIG. 2 illustrates amethod50, according to one embodiment of the invention, for generating a plurality of unique security codes to be printed on products. As illustrated inFIG. 2, the operations associated with themethod50 that are performed at, or by, theclient14 are separated (i.e., to the left of the dotted line51) from those operations that are performed at, or by, thehost12. Atoperation52, theclient14 receives a user-initiated request to generate a number of security codes for a particular product. For example, the user-initiated request may be received via thecode generation module18 of theclient14. Additionally, the user-initiated request may include data associated with a product on which the security codes are to be printed, as well as a number indicating the quantity of security codes to be generated and printed.
• After receiving the user-initiated request, theclient14 formulates a client request and communicates the client request to thehost12 atoperation54. For example, in one embodiment of the invention, theclient14 may extract a portion of the product data entered by the client-user, and include the extracted product data in the client request along with the number entered by the user that indicates the quantity of security codes to be generated and printed. Theclient14 then communicates the client request (e.g., over the network16) to thehost12. In one embodiment of the invention, communications between theclient14 andhost12 are encrypted, or otherwise secured.
• Atoperation56, thehost12 receives the client request. In response to receiving the client request, atoperation58, thehost12 generates a batch identifier and batch key (or seed number). The batch ID may be generated in any way that assures the batch ID is distinct from all previously-used batch IDs, such as a simple numerical progression, a deterministic pseudo-random sequence, or a series of randomly generated values from which duplicates are removed. The batch keys can be generated by a pseudo-random sequence, a hardware random number generator, or any method that generates keys that are difficult to predict. It will be appreciated by one skilled in the art that in order to assure the integrity of the security codes it is important that the batch keys are generated in a way that cannot be predicted by an individual or system attempting to generate counterfeit codes. The batch keys should also be unique to prevent duplicate security codes from being generated by theclient14. The batch ID and batch key are stored along with the product data received from theclient14 in the host's12product database32. Then, after generating the batch ID and batch key, atoperation60, thehost12 communicates the batch ID and batch key to theclient14.
• In one embodiment of the invention, an optional encryption key94 (also known as a scrambling ID), may be communicated from thehost12 to theclient14 along with the batch ID and batch key. As described in greater detail below, theencryption key94 indicates a particular scrambling or encryption method that is to be utilized by theclient14 during the generation of the security codes, and by thehost12 during authentication of a security code. Alternatively, rather than passing the encryption key94 from thehost12 to theclient14, thehost12 andclient14 may be configured to utilize a predetermined scrambling or encryption method.
• Upon receiving, atoperation62, the batch ID and batch key from thehost12, theclient14 utilizes the batch ID and batch key to generate a plurality of security codes atoperation64. In addition, atoperation64, theclient14 directs aprinting device26 to print the security codes on products, without retaining the security codes in a security code repository (e.g., a database or recording medium). Consequently, after theclient14 has directed theprinting device26 to print the security codes on the individual products, neither theclient14 nor thehost12 retains the security codes. That is, the security codes are not retained in memory and are not written to disk storage. Neither do the security codes need to be transmitted to thehost12. This prevents the security codes from being compromised if an unauthorized person gains access to theclient14 or thehost12. Moreover, as the security codes are generated at the printing location, there is no risk that the security codes will be compromised in transit (e.g., over a network) to the printing location. Theclient14 does not retain the batch key after the security codes have been printed, so no additional security codes can be produced without making a new request from theclient14 to thehost12.
• After printing of all security codes for the batch is complete, theclient14 optionally communicates to thehost12 the actual number of security codes that were printed, which may be less than the number originally requested if code generation or printing are interrupted or if the number of products to be produced is less than anticipated.
• FIG. 3 illustrates amethod70, according to an embodiment of the invention, for authenticating a product on which a security code has been printed. As illustrated inFIG. 3 the operations associated with themethod70 that are performed at, or by, thehost12 are separated (i.e., to the right of the dotted line71) from those operations that are performed by a consumer or other person in a product supply or product distribution chain. In one embodiment of the invention, themethod70 for authenticating a product begins atoperation72, when a consumer identifies the security code on the packaging of the product in question.
• Next, at operation74, the consumer communicates a code authentication request, including the security code, to thehost12. In various embodiments of the invention, operation74 may be achieved in one of several ways. If the security code is provided as alphanumeric text on the product, label or product packaging, then the consumer may communicate the security code to the host'scode authentication logic38 utilizing any communication device that enables the consumer to enter the alphanumeric text. For example, a consumer may use a Web-based application executing on a computing device, such as a personal computer, personal digital assistant (PDA), mobile phone, or any other similar device, to communicate the security code over a network to thehost12. In one embodiment of the invention, the host's12code authentication logic38 may include a speech recognition module, computer telephony application, or integrated voice response unit (not shown). Accordingly, a consumer may speak the alphanumeric security code into a telephone to communicate the security code to thehost12. In certain embodiments of the invention, the security code may be alphanumeric text that has been encoded as a graphic symbol, such as a datamatrix, or other barcode. In such a case, the consumer may utilize a device with an image reading or image capturing mechanism to communicate the security code to thehost12. For example, a camera or scanner may be used to capture an image of the security code (e.g., graphic symbol), which is then communicated to the host. In certain embodiments of the invention, the graphic symbol may be decoded, resulting in alphanumeric text, prior to being communicated to thehost12. Alternatively, in certain embodiments of the invention, the host's12code authentication logic38 may include a decoding component that is able to decode scanned images of the graphic symbol into alphanumeric text.
• Referring again to themethod70 illustrated inFIG. 3, atoperation76, thehost12 receives the code authentication request and the security code. Atoperation78, thehost12 authenticates the security code. An example of an authentication operation is provided in the description below with reference toFIG. 5. It will be appreciated by those skilled in the art, that the authentication operation may vary depending upon the particular implementation. However, consistent with the invention, neither the host nor the client store the security code after it has been printed on the product. Consequently, thecode authentication logic38 is able to authenticate the security code without accessing a copy of the security code stored in a repository or database.
• After the security code has been authenticated by the host's12code authentication logic38, atoperation80, thehost12 may communicate the result of the authentication operation to the consumer. In one embodiment of the invention, the result of the authentication operation will be communicated in the same manner as the code authentication request and security code were received from the consumer. For example, if the request was received via a telephone call, then an automated computer telephony application may communicate the result of the operation to the consumer via the telephone. Alternatively, in one embodiment of the invention, a different means of communication may be used to communicate the result of the authentication operation than was used to receive the security code. In any case, atoperation82, the consumer receives the result of the authentication operation.
• It will be appreciated by those skilled in the art that, in the foregoing examples, operations attributed to a consumer may actually be carried out by a computing device. For example, a result of the authentication process is communicated to a consumer by means of some computing device or telephone. In addition, it will be appreciated by those skilled in the art that the functional components, modules, and logic described herein may be implemented in hardware, software, or any combination thereof.
• FIG. 4 illustrates the operations and data flow associated with a method for generating security codes, according to an embodiment of the invention. The operations illustrated inFIG. 4 serve as one example of the client-side operation64 ofmethod50 illustrated inFIG. 2. Accordingly, after initiating a client request to generate security codes, thecode generation logic22 of theclient14 receives data from thehost12. In particular, the data received from thehost12 includes three portions: abatch ID92, abatch key90, and anoptional encryption key94. In addition to aserial number96 generated by aserial number generator98 that is part of the client'scode generation logic22, the three portions of data received from thehost12 are utilized to generate security codes.
• The operation to generate a security code begins with aserial number96, abatch ID92 and a batch key90 (which may also be known as a seed number). Theserial number96 is a unique identifier of the product within the batch identified by thebatch ID92. Theserial number96 may be generated by theclient14 in any way that assures the serial number is distinct from all previously-generated serial numbers in that batch, such as a simple numerical progression, a deterministic pseudo-random sequence, or a series of randomly generated values from which duplicates are removed.
• Averification value102 is produced by combining one or more of thebatch ID92 andserial number96 with thebatch key90. The verification value can later be used to determine the authenticity of the resulting security code112. In one embodiment of the invention shown inFIG. 4, thebatch key90 is used as the seed for apseudo-random number generator100 to generate a pseudo-random number that is used as theverification value102. After theverification value102 has been generated, theserial number96,batch ID92 andverification value102 are optionally scrambled and/or encrypted byencryption logic104. It will be appreciated by those skilled in the art that a wide variety of well-known encryption/decryption algorithms may be utilized. For example, in one embodiment of the invention, a simple transposition algorithm is utilized to encrypt the data.
• In one embodiment of the invention, the encryption algorithm utilized by theencryption logic104 to encrypt the data (e.g., theserial number96,batch ID92, and verification value102) is associated with anencryption key94. For example, in one embodiment of the invention,encryption logic104 is capable of performing a wide variety of encryption algorithms. Accordingly, anencryption key94 received from thehost12, instructs or directs theencryption logic104 to use a particular encryption algorithm to encrypt theserial number96,batch ID92, andverification value102. Consequently, during an authentication operation, thehost12, which originally selects and assigns theencryption key94, will be able to decrypt theencrypted data106 to realize theserial number96,batch ID92, andverification value102. In one embodiment of the invention, theencryption key94 may be generated and assigned at the time thehost12 communicates thebatch ID92 and batch key90 to the client. Alternatively, theencryption key94 may be assigned prior to the request to generate security codes. For example, in one embodiment of the invention, anencryption key94 may be assigned on a per-client14 basis, such that each client has itsown encryption key94 that is known by thehost12.
• After theserial number96,batch ID92, andverification value102 have been encrypted to form theencrypted data106, optional encryptionkey insertion logic108 may insert all or a portion of theencryption key94 into theencrypted data106 to complete the generation of thesecurity code110. For example, theencryption key94 may be inserted into theencrypted data106 at a known position. Consequently, during an authentication operation, thecode authentication logic38 of thehost12 can extract the encryption key94 from the known position in the security code.
• Once theencryption key94 has been inserted into theencrypted data106, thesecurity code110 is ready to be printed on a product, label or product packaging. In one embodiment of the invention, the resulting security code may be a sequence of sixteen alphanumeric characters. For example, inFIG. 4, thesecurity code110 is shown as a string of sixteen alphanumeric characters112. Alternatively, in one embodiment of the invention, the alphanumeric characters may be encoded into a graphic symbol, such as the datamatrix illustrated inFIG. 6B. In either case, after the security code is generated by thecode generation logic22, thecode marking module24 controls and manages the transfer of the security code to theprinting device26, and the actual printing of the security code onto the product, label, or product packaging.
• Referring again toFIG. 4, after a first security code has been generated, the code generation operation continues by generating the next serial number114 for the batch. To generate the second security code, which corresponds to the second serial number, a second verification value is produced by combining the second serial number and/or the batch ID with the batch key. In one embodiment of the invention, therandom number generator100 is run, iteratively, a number of times equal to the serial number. That is, the pseudo-random number generated during the first pass is used as an input (e.g., a seed) into thepseudo-random number generator100 for the second pass. Accordingly, thepseudo-random number generator100 is run twice to generate the verification value for the second security code, which is associated with the second serial number, and three times for the third security code, which is associated with the third serial number, and so on, until all of the security codes have been generated. When the quantity of generated serial numbers, and corresponding security codes, is equal to the number of security codes originally requested by the client, the code generation operation is complete.
• FIG. 5 illustrates the operations and data flow associated with a method for authenticating a product containing a security code, according to an embodiment of the invention. The operations illustrated inFIG. 5 serve as one example of the host-side operation78 ofmethod70 illustrated inFIG. 3.
• As illustrated inFIG. 5, the authentication operation begins with a printed security code112. For example, inFIG. 5 the security code is a combination of 16 characters and numbers. First, optional encryption key extraction logic116 extracts the encryption key94 from the security code112. Because thecode generation logic22 inserted theencryption key94 into the security code in a known position, thecode authentication logic38 has knowledge of the position of theencryption key94 within the security code112. As a result of extracting theencryption key94, the security code is reduced to encrypted data106 (e.g.,serial number96,batch ID92, and verification value102).
• After theencryption key94 has been extracted, theencryption key94 is utilized as an input to decryption logic118 to decrypt theencrypted data106 into its component parts, for example, theserial number96,batch ID92, andverification value102. Next, thebatch identifier92 is utilized in a look-up operation120 to determine the batch key90 that was utilized to generate theverification value102. A copy of thebatch key90, which is initially generated at thehost12 in response to the client's request to generate security codes, is stored at thehost12 along with thebatch ID92 and any product data received from theclient14 as part of the initial request to generate security codes. Consequently, once thebatch ID92 is determined, thecode authentication logic38 can look-up thebatch key90, as well as any product data that is associated with thebatch ID92.
• Finally, thehost12 uses the same method as theclient14 did to produce a second verification value124 by combining theserial number96 and/or thebatch ID92 with thebatch key90. In one embodiment of the invention, after thebatch ID92 is used to look-up thebatch key90, thebatch key90 is used as a seed for a second pseudo-random number generator122, which utilizes the same logic as thepseudo-random number generator100 of theclient12. The second pseudo-random number generator122 is then run, iteratively, a number of times equal to theserial number96, such that each pass uses the result (e.g., the resulting pseudo-random number) of the previous pass as a seed. The resulting pseudo-random number is used as the second verification value124, which is then compared with thefirst verification value102 decrypted by the decryption logic118. If the verification values102 and124 are identical, then thehost12 reports that the security code112 is authentic. However, if the verification values102 and124 are not identical, thehost12 reports that the security code112 is not authentic.
• In one embodiment of the invention, product data associated with a batch ID may be communicated to a consumer, or other person in the distribution chain of a product, in response to that person submitting a code authentication request to the host. For example, in one embodiment of the invention, the product data that is communicated to the consumer may indicate the assigned destination (e.g., geographical location or retail store) for a given product. That is, the product data may indicate the final destination in the distribution chain for that particular product. Accordingly, the consumer can determine whether a product has been diverted from its originally assigned destination. In another embodiment of the invention, product data communicated to the consumer may include data associated with a manufacturing date, a “use-by” or a “sell-by” date. Accordingly, the consumer can determine if someone in the distribution chain of the product has tampered with the product packaging by changing a date associated with the product. In general, by providing product data during a code authentication request, several aspects related to a product can be authenticated.
• FIGS. 6A and 6B illustrate examples of security codes, according to an embodiment of the invention. In one embodiment of the invention, the security code may be a string of sixteen alphanumeric characters consisting of numbers and letters, such as thesecurity code130 shown inFIG. 6A. By utilizing different combinations of sixteen alphanumeric characters, more than a million, billion, billion (10²⁴) unique security codes may be generated. However, it will be appreciated by one skilled in the art that alternative embodiments of the invention may use a security code that is more or less than sixteen characters in length, and may use a security code that makes use of the entire set of ASCII characters.
• FIG. 6B illustrates asecurity code132 represented as a graphic symbol. In particular, thesecurity code132 shown inFIG. 6B is a special machine readable graphic symbol known as a datamatrix. A datamatrix is a two-dimensional matrix barcode consisting of black and white square modules arranged in either a square or rectangular pattern. Similar to a traditional barcode, a datamatrix can be read by a machine, such as a matrix barcode reader. Encoding an alphanumeric representation of the security code in a graphic symbol, such as thedatamatrix132 ofFIG. 6B, provides several advantages. First, error correction and redundancy are built-in to thedatamatrix132. Consequently, a security code represented as a datamatrix can still be read if it becomes partially damaged. Another advantage is the small footprint, or size, of the datamatrix. A datamatrix can encode as many as 50 characters in a three by three millimeter square, which can be discretely positioned on a product, a label, or product packaging. Finally, the datamatrix can be quickly and easily read by a machine. Of course, it will be appreciated by those skilled in the art that in various alternative embodiments, security codes may be encoded with other graphic symbologies, for example, such as barcode fonts consistent with the PDF417 or QR Code standards.
• In one embodiment of the invention, both versions of thesecurity code130 and132 may be included on the product, label, or product packaging. For example, the alphanumeric representation of thesecurity code130 and thegraphic symbol representation132 may appear together on the product, label or product packaging. This provides a wide range of possible methods and mechanisms for reading and communicating the security code to thehost12 for authentication.
• In one embodiment of the invention, when extra security is required, the security codes may be applied or printed to the product, label, or product packaging in a covert manner, such that a consumer is not aware of the existence of the security code. For example, the security codes may be applied to the products, labels or product packaging with a special invisible ink or other chemical-based application making the security code invisible to a consumer. According to the type of invisible ink or chemical used to apply the security code, reading the security code may require the application of heat, ultraviolet light, or a chemical. This approach may be utilized when someone in the supply or distribution chain other than the consumer is likely to be authenticating the product. For example, a covert security code may be provided for the purpose of authenticating products by customs officials.
• FIG. 7 shows a diagrammatic representation of a machine in the exemplary form of acomputer system300 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed. In alternative embodiments, the machine operates as a standalone device or may be connected (e.g., networked) to other machines. In a networked deployment, the machine may operate in the capacity of a server (e.g., host12) or aclient14 machine in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine may be a server computer, a client computer, a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a cellular telephone, a web appliance, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Furthermore, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
• Theexemplary computer system300 includes a processor302 (e.g., a central processing unit (CPU) a graphics processing unit (GPU) or both), amain memory304 and anonvolatile memory306, which communicate with each other via abus308. Thecomputer system300 may further include a video display unit310 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)). Thecomputer system300 also includes an alphanumeric input device312 (e.g., a keyboard), a cursor control device314 (e.g., a mouse), adisk drive unit316, a signal generation device318 (e.g., a speaker) and anetwork interface device320.
• Thedisk drive unit316 includes a machine-readable medium322 on which is stored one or more sets of instructions (e.g., software324) embodying any one or more of the methodologies or functions described herein. Thesoftware324 may also reside, completely or at least partially, within themain memory304 and/or within theprocessor302 during execution thereof by thecomputer system300, themain memory304 and theprocessor302 also constituting machine-readable media. Thesoftware324 may further be transmitted or received over anetwork326 via thenetwork interface device320.
• While the machine-readable medium322 is shown in an exemplary embodiment to be a single medium, the term “machine-readable medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term “machine-readable medium” shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present invention. The term “machine-readable medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical and magnetic media, and carrier wave signals.
• Thus, a method and system for deterring counterfeits have been described. Although the present invention has been described with reference to specific exemplary embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the invention. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.
• In the foregoing specification, the invention is described with reference to specific embodiments thereof, but those skilled in the art will recognize that the invention is not limited thereto. Various features and aspects of the above-described invention may be used individually or jointly. Further, the invention can be utilized in any number of environments and applications beyond those described herein without departing from the broader spirit and scope of the specification. The specification and drawings are, accordingly, to be regarded as illustrative rather than restrictive. It will be recognized that the terms “comprising,” “including,” and “having,” as used herein, are specifically intended to be read as open-ended terms of art.

Claims (5)

1. A method comprising:

reading an encrypted security code from a unit of a product;

communicating an authentication request to a host, the authentication request including the encrypted security code;

receiving from the host an indication of authenticity and product data specific to the unit.

2. The method ofclaim 1 wherein the product data comprises a time attribute, a location attribute, a work order, a lot number, a manufacturing date, a use-by date, a sell-by date, an operator name, or a manufacturing plant.

3. The method ofclaim 1 wherein the authentication request identifies a type of requester.

4. The method ofclaim 1 wherein reading the encrypted security code from the unit comprises reading the encrypted security code from an RFID tag affixed to the unit.

5. The method ofclaim 1 wherein reading the encrypted security code from the unit comprises using a camera to capture an image of the encrypted security code.

Images