What is the Impinj Authenticity solution engine?
Impinj Authenticity™ solution engine verifies products as genuine to prevent counterfeits, ensure product safety, and secure the supply chain. Impinj solution engines are purpose-built for enterprise IoT application development, delivering high performance, streamlined implementation, and proven reliability. Impinj Authenticity is designed for use in fast, cost-efficient product authentication solutions and includes the Impinj Authentication Service, a cloud service that provides secure verification of a tag chip’s origin, the Impinj M775 RAIN RFID tag chips with cryptographic authentication, and Impinj-based RAIN RFID readers. Select Impinj partners provide additional components of an enterprise solution for end customers.
What is the Impinj Authentication Service?
Impinj Authentication Service is an Impinj-managed cloud-based service that provides tag chip authentication, cryptographically proving Impinj as the tag chip manufacturer. Cryptographic authentication is a method for securing and confirming the authenticity of a chip such as a RAIN RFID chip, following the ISO/IEC 29167 standard which specifies the security services for tag authentication.
Commercial Topics and Partner Engagement:
What is the Impinj Authentication Service launch announcement timing and what will be communicated at the initial launch?
The general availability launch is targeted for late September 2022. The launch includes a whitepaper on RAIN RFID-based product authentication, a web page and sales presentation describing the Impinj Authenticity solution engine, a new Impinj Authentication Services web page, an updated M700 series product page to add the M775 to the series, and a product authentication web page.
What are the requirements for an Impinj partner to be included as an item authentication partner with access to Impinj Authentication Service?
The partner must offer a cloud-based product database that communicates with the Impinj Authentication Service using the Impinj Authentication Service API. Every request to the Impinj Authentication Service requires a valid authentication token and these are only available to our approved partners.
Authentication partners will need to sign Impinj Authentication Service specific contracts, including the commercial conditions and the service level agreement.
Can an Impinj partner service bureau connect its EPC/TID database directly to the Impinj Authentication Service?
This is possible and requires that they use the Impinj Authentication Service API. The partner connects to the Impinj Authentication Service via the API. The partner database must provide an API for customers to readers and needs to be able to validate the tagged item (SKU) based on the database contents, and the tag’s EPC and TID.
How can systems partners or brands purchase tags or inlays with Impinj M775 tag chips?
M775-based tags and inlays will be offered by Impinj tag/inlay OEM partners. As those tags are brought to the market, Impinj will update the partner product listings page on the Impinj website where interested customers can learn more.
Who can purchase Impinj M775 tag chips?
Impinj tag chip partners who are currently authorized to purchase Impinj M700 series tag chips will have access to purchase Impinj M775.
Who is the Impinj corporate commercial contact for Impinj Authentication Service opportunities with Impinj partners?
Contact your Impinj sales representative for commercial inquiries related to Impinj Authenticity solution engine
How does M775 provide tag authentication?
An M775 tag chip contains a cryptographic engine and a cryptographic key. The key is unique to each tag chip and is programmed at wafer test. That key is extremely difficult to read. A cryptographic protocol (known as a challenge-response protocol) is used to test whether the correct secret key is in the M775, thus proving Impinj as its manufacturer.
What is a cryptographic key?
In cryptography, a key is a string of characters used within an encryption algorithm for altering data so that it appears random. Like a physical key, it locks (encrypts) data so that only someone with the right key can unlock (decrypt) it. M775 uses symmetric encryption, meaning that the same key both encrypts and decrypts data. A key is a string of data that, when used in conjunction with a cryptographic algorithm, encrypts or decrypts messages.
In contrast, asymmetric encryption is different on each side; the sender and the recipient use two different keys. Asymmetric encryption, also known as public key encryption, uses a public key-private key pairing: data encrypted with the private key can only be decrypted with the public key, and vice versa. TLS (or SSL), the protocol for HTTPS communication, uses asymmetric encryption and public key-private key pairing.
How is a key generated for the M775?
The key for an M775 is generated from the unique Tag IDentification number (TID) that is programmed into each endpoint IC. The TID is processed, using a secret Issuing Key (a master key) and a key derivation function to give the M775 device key as an output. The master key storage and the key derivation are processed in a security certified high security module (HSM).
How does a challenge-response protocol work?
A challenge-response protocol is used to test for the presence of a specific secret key. The interrogator (e.g., a RAIN RFID reader) sends a random challenge to the M775. The M775 computes a response over the challenge and other data using the secret key and returns it to the reader. Since only Impinj’s HSM can regenerate the secret key, the reader needs to identify which M775 it has challenged. The IC is identified using the TID and the triple of information (TID, challenge, response) can be sent to the cloud-based Impinj Authentication Service to authenticate the M775-based tag.
What reader support is there for Tag Authentication?
For a reader to support the M775 there are two requirements. First, the reader must be able to send the EPCglobal Gen2v2 Authenticate command. And second, the reader must be able to populate the payload to the Authenticate command in a way that is defined by ISO/IEC 29167-11.
Currently, an M775 endpoint IC has been authenticated using an R700 with Octane 7.4 or later firmware version, E310/E510/E710/E910, and R2000 (IndyMac) based readers. These Impinj products support both the Authenticate command and ISO/IEC 29167-11.
How does an Impinj partner get support for enabling their reader to access tag authentication information from a Product Cloud?
For assistance, please contact support at firstname.lastname@example.org
Why is the Impinj Authentication Service needed as part of a secure product authentication system?
The security requirements of a RAIN RFID-based cryptographic authentication are defined in ISO/IEC 29167. The security method that the Impinj Authentication Service uses ensures that each tag is unique, and it is extremely difficult to duplicate its identity. Using a GS1 EPCglobal Gen2 compliant command generates a unique tag response and provides a solution that is highly secure.
By comparison, simply associating a TID and EPC with an item in a product cloud database is much less secure and can be compromised by nefarious duplication of a tag chip’s identity, opening the possibility of tag duplication. This can enable counterfeit products with unauthorized duplicated tags to enter the supply chain.
Where can a partner find more information on the Impinj Authentication Service API?
The OpenAPI specification for the Impinj Authentication Service is available from the Impinj
Authentication user manual, which is available to select partners via the Impinj support site. Please contact Impinj support team for more information.