WO2007060426A1 - A rf device - Google Patents

Publication number
WO2007060426A1
WO2007060426A1 PCT/GB2006/004369 GB2006004369W WO2007060426A1 WO 2007060426 A1 WO2007060426 A1 WO 2007060426A1 GB 2006004369 W GB2006004369 W GB 2006004369W WO 2007060426 A1 WO2007060426 A1 WO 2007060426A1
Authority
WO
WIPO (PCT)
Prior art keywords
transponder
data
digital signature
computer memory
memory
Application number
PCT/GB2006/004369
Other languages
French (fr)
Inventor
Peter Symons
Phillip Royston
Ian Keen
Steven E. Kelly
Colin Brooks
Original Assignee
Innovision Research & Technology Plc
Application filed by Innovision Research & Technology Plc

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • G06K19/0723 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips the record carrier comprising an arrangement for non-contact communication, e.g. wireless communication circuits on transponder cards, non-contact smart cards or RFIDs
    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01S RADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S13/00 Systems using the reflection or reradiation of radio waves, e.g. radar systems; Analogous systems using reflection or reradiation of waves whose nature or wavelength is irrelevant or unspecified
    • G01S13/74 Systems using reradiation of radio waves, e.g. secondary radar systems; Analogous systems
    • G01S13/75 Systems using reradiation of radio waves, e.g. secondary radar systems; Analogous systems using transponders powered from received waves, e.g. using passive transponders, or using passive reflectors
    • G01S13/751 Systems using reradiation of radio waves, e.g. secondary radar systems; Analogous systems using transponders powered from received waves, e.g. using passive transponders, or using passive reflectors wherein the responder or reflector radiates a coded signal
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341 Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/346 Cards serving only as information carrier of service
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07B TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B15/00 Arrangements or apparatus for collecting fares, tolls or entrance fees at one or more control points
    • G07B15/02 Arrangements or apparatus for collecting fares, tolls or entrance fees at one or more control points taking into account a variable factor such as distance or time, e.g. for passenger transport, parking systems or car rental systems
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0806 Details of the card
    • G07F7/0813 Specific details related to card security
    • G07F7/082 Features insuring the integrity of the data on or in the card
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008 Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • G PHYSICS
    • G11 INFORMATION STORAGE
    • G11C STATIC STORES
    • G11C16/00 Erasable programmable read-only memories
    • G11C16/02 Erasable programmable read-only memories electrically programmable
    • G PHYSICS
    • G11 INFORMATION STORAGE
    • G11C STATIC STORES
    • G11C16/00 Erasable programmable read-only memories
    • G11C16/02 Erasable programmable read-only memories electrically programmable
    • G11C16/06 Auxiliary circuits, e.g. for writing into memory
    • G11C16/34 Determination of programming status, e.g. threshold voltage, overprogramming or underprogramming, retention
    • G11C16/3436 Arrangements for verifying correct programming or erasure
    • G11C16/3468 Prevention of overerasure or overprogramming, e.g. by verifying whilst erasing or writing

Definitions

  • the invention relates to RF devices, in particular, but not exclusively to RFID transponders for use in secure applications such as transport ticketing, payment, medical applications and vending.
  • RFID Radio Frequency Identification
  • transceiver initiates communication and the transponder will respond in accordance with a set communication protocol. Examples of such systems include those described in ISO 14443A, ISO 15693A etc.
  • RFID device shall be used to include any device which communicates through inductive coupling of radio frequency signals
  • RFID transponder shall be used to include a transponder, for example a tag, operable to respond to the receipt of an RF signal (whether in modulated or un-modulated form). Such response may trigger for example further communication by the RFID transponder, the writing of data to the RFID transponder, the communication of data from the RFID transponder, the activation or bringing into effect of some system response (for example where the RFID transponder forms part of a larger system, receipt of an RF signal may trigger a response in the larger system).
  • the RFID transponder is being used to carry monetary or credit information or other secure information it is important that the RFID transponder is secure.
  • the RFID transponder comprises part of a transport ticket which holds £50 worth of train journeys, it is important that someone can not take that ticket and re-program the RFID transponder with another £50 worth of train journeys.
  • Conventionally, encryption is used to ensure security and prevent fraud. However, encryption can be expensive to implement and requires decryption systems to be present in the interrogating reader.
  • a transponder comprising: a first computer memory wherein such first computer memory is lockable and is configured to store identification data for the transponder; a second computer memory wherein such second computer memory is one time programmable and is configured to represent use of the transponder; a third (writeable) computer memory wherein such third computer memory can be written-to in accordance with or as a result of received instructions and/or data; an inductive coupler configured to communicate data; and a controller configured to provide to said inductive coupler data from each and every one of said first computer memory, second computer memory and third computer memory for outbound communication.
  • Providing the capability to communicate data from each and every one of the three memories provides sufficient data for a receiving party, for example a transceiver as discussed below, to compare the data that was stored in more than one of the memory devices and determine whether or not there are any inconsistencies between the data. This can reduce the chances that a user of the transponder can fraudulently reprogram the transponder, as any inconsistencies can be determined from the data stored in more than one of the memories.
  • the inductive coupler may be an antenna that is configured to be exposed to a RF signal and modulate the received RF signal such that the modulated signal can be received by a corresponding transceiver.
  • a transponder comprising: lockable computer memory configured to store transponder identification data; one time programmable (OTP) computer memory configured to store transponder use data; writeable computer memory configured to store transponder use data; and an inductive coupler configured to inductively couple an RF signal and modulate such RF signal with data comprising the transponder identification data and the transponder use data from each computer memory.
  • OTP One Time Programmable
  • the lockable computer memory will store data that cannot be changed once the computer memory has been locked.
  • Examples of lockable computer memory include EEPROM, Flash, ROM, etc.
  • the one time programmable (OTP) computer memory can store data which cannot be overwritten once it has been programmed.
  • One time programmable memory may use single bit sectors that are available on an EEPROM. The single bit sectors may be locked by a fuse, or antifuse, such that the fuse or antifuse can only be blown once, irreversibly, in order to program that bit.
  • the writeable computer memory can store data which can be written-over or changed depending on data and/or instructions received by the transponder controller. Examples of writeable computer memory include EEPROM, flash, ROM etc.
  • Storing the transponder identification data on lockable computer memory, and storing the transponder use data on one time programmable computer memory enables the security of the transponder to be increased, when compared with the prior art.
  • Such a configuration inhibits a user tampering with the transponder identification data and the transponder use data in order to fraudulently use the transponder. For example, by adjusting the computer memory on the transponder to show that there is more credit remaining to be used by the transponder than has been purchased.
  • the transponder may be associated with a ticket, and the ticket may comprise part of a contact-less ticket system.
  • the transponder may prove particularly advantageous when associated with a ticket, preferably as part of a contact-less ticket system, as known ticketing systems use encryption to encrypt the data that is stored on the transponder.
  • encryption can be expensive to implement and requires decryption systems to be present in the interrogating reader.
  • the transponder may further comprise a computer processor configured to calculate a digital signature as a function of at least some of the transponder identification data.
  • the digital signature may also be calculated as a function of at least some of the transponder use data.
  • the transponder may be further configured to inductively couple the digital signature to a corresponding transceiver.
  • the computer processor may be configured to store the digital signature in the lockable computer memory. Using a digital signature can provide a further level of security for the data that is stored in computer memory on the transponder.
  • the digital signature can be generated by a function that is stored in computer memory or controller on the transponder, and a transceiver which receives the signal that is transmitted by the transponder can also have access to the function that has been used to generate the digital signature such that the digital signature can be independently generated at the transceiver.
  • This enables the transceiver to compare the received digital signature that has been generated by the transponder, and stored in transponder computer memory, with a digital signature which has been independently generated at the transceiver. If a user has fraudulently altered any of the transponder identification data that is stored in lockable computer memory on the transponder, this can be determined by the transceiver as there will be a difference between the calculated and received digital signatures.
  • transponder may require the transceiver to supply a digital signature for comparison with an internally generated digital signature. If the transceiver is not an authorized transceiver i.e. it does not have access to the correct function for generating the digital signature, then there will be an inconsistency between the supplied digital signature and the internally generated digital signature. This inconsistency can be determined by the transponder.
  • a new digital signature may be generated from the transponder identification data when the transponder is reloaded/rewritten.
  • the transponder may be capable of being used more than once. That is, credit may be reloaded or rewritten onto the transponder.
  • the transponder identification data may be altered when the transponder is reloaded/rewritten, and therefore a new digital signature should be generated as a function of the new transponder identification data.
  • Transponder identification data may comprise one, or more, of: digital signature data; unique identification data; operator specific data; project specific data; product type; date of issue; date of expiry; and data in relation to a point of sale (POS) terminal or validator.
  • the transponder identification data may be written into the lockable computer memory when the transponder is first manufactured, programmed, acquired by an end user, for example purchased from a point of sale, or alternatively once the transponder has been validated for use.
  • the lockable memory may be locked before the transponder is delivered to an operator, or locked at a point of sale (POS) for the transponder.
  • the lockable memory is locked soon after the transponder identification data has been written into the lockable computer memory.
  • Transponder use data may comprise one, or more, of: a count of the number of times the transponder has been used; a count of the number of times the transponder remains to be used; credit, or a proportion of credit, that has been used by the transponder; and credit, or a proportion of credit, that remains for further use by the transponder.
  • the transponder use data may provide details of how many times, and to what extent, the transponder has been used, or alternatively how many times, and to what extent, the transponder remains to be used.
  • the OTP computer memory may comprise one or more OTP bits, whereby one (or more) OTP bit is programmed each time the transponder is used.
  • the transponder may further comprise dynamic memory configured to store temporary data.
  • the temporary data may be stored in the third (writeable) memory.
  • Temporary data may comprise one, or more, of: date of last use; time of last use; a count of the number of times the transponder has been used; a count of the number of times the transponder remains to be used; credit, or a proportion of credit, that has been used by the transponder; and credit, or a proportion of credit, that remains for further use by the transponder.
  • a transceiver comprising: a receiver configured to receive a signal comprising transponder identification data and multiple sets of transponder use data from a transponder; and a computer processor configured to process the multiple sets of transponder use data and/or the transponder identification data to determine if there are any inconsistencies between any one or more of the transponder identification data and/or the multiple sets of transponder use data.
  • the transceiver may comprise part of a contact-less ticket system.
  • the receiver may be further configured to receive a digital signature.
  • the computer processor may be further configured to: calculate a digital signature as a function of the received transponder identification data; compare the calculated digital signature with the received digital signature; and generate an inconsistency if there is a difference between the calculated digital signature and the received digital signature.
  • the computer processor may be further configured to: compare the amount of credit remaining on the transponder as determined from the transponder identification data and/or one set of transponder use data with the amount of credit remaining on the transponder as determined from the remaining transponder use data; and generate an inconsistency if there is a difference between the two.
  • the computer processor may be further configured to: compare the amount of credit that has been used by the transponder as determined from the transponder identification data with the amount of credit that has been used by the transponder as determined from the transponder use data; and generate an inconsistency if there is a difference between the two.
  • the computer processor may be further configured to: compare the number of times that the transponder has been used as determined from the transponder identification data with the number of times that the transponder has been used as determined from the transponder use data; and generate an inconsistency if there is a difference between the two.
  • the computer processor may be further configured to: compare the number of times that the transponder remains to be used as determined from the transponder identification data with the number of times that the transponder remains to be used as determined from the transponder use data; and generate an inconsistency if there is a difference between the two.
  • the computer processor may be further configured to: compare a date that is part of the transponder identification data with a date that is part of the transponder use data and/or with the present date; and generate an inconsistency if there is a discrepancy between any of the dates.
  • a contact-less ticket system comprising: a transponder comprising: lockable computer memory configured to store transponder identification data; one time programmable (OTP) computer memory configured to store transponder use data; writeable computer memory configured to store transponder use data; and an inductive coupler configured to inductively couple an RF signal and modulate such RF signal with the transponder identification data and the transponder use data from each computer memory; and a transceiver comprising: a receiver configured to receive a signal comprising transponder identification data and transponder use data from the transponder; and a computer processor configured to process the transponder identification data and the transponder use data to determine if there are any inconsistencies between the transponder identification data and the transponder use data.
  • POS terminal for providing a transponder of an aspect of the invention, configured to: write the digital signature to the lockable memory of the transponder, or provide an instruction to a computer processor in the transponder to cause the computer processor to write a digital signature to the lockable memory of the transponder.
  • a method of generating a signal indicative of an inconsistency between transponder identification data and transponder use data comprising: receiving transponder identification data and multiple sets of transponder use data; comparing the transponder identification data and/or one or more of the multiple sets of transponder use data to determine if there is an inconsistency between the transponder identification data and/or one or more of the multiple sets of transport use data; and generating a signal indicative of an inconsistency if an inconsistency is determined.
  • An RFID tag may be provided comprising a digital signature, such digital signature comprising a comparison between data held in two separate areas of memory.
  • one of the separate areas of memory comprises one time programmable memory.
  • An RFID tag may be provided comprising a digital signature, such digital signature comprising a combination of data held within lockable memory of the
  • Such digital signature may additionally comprise data obtained from an RFID reader.
  • a digital signature may be used together with or combined with data from one time programmable memory within the RFID tag.
  • An NFC device may be provided comprising a digital signature, such digital signature comprising a comparison between data held in two separate areas of memory.
  • one of the separate areas of memory comprises one time programmable memory.
  • An NFC device may be provided comprising a digital signature, such digital signature comprising a combination of data held within lockable memory of the
  • Such digital signature may additionally comprise data obtained from an NFC device.
  • a digital signature may be used together with or combined with data from one time programmable memory within the NFC device.
  • Figure 1 shows an example RFID tag block diagram
  • FIG. 2 shows an example RFID reader block diagram
  • Figure 3 shows a larger device or system, incorporating a tag
  • Figures 3a and 3b show an example computer memory block diagram
  • Figure 4 shows an example NFC device block diagram
  • Figures 4a and 4b show an example access card block diagram
  • FIG. 1 shows an example RFID transponder in accordance with the invention.
  • the RFID transponder is shown as RFID tag 300.
  • the RFID tag comprises a demodulator 301, a controller 304, a modulator 303 and memory 305.
  • the RFID tag will be attached to an antenna, shown as a coil 306.
  • When an RFID reader causes a magnetic field 307 to be present around coil 306, a voltage is generated across coil 306.
  • RFID tag 300 may or may not contain power deriver 302, which can if present, use the voltage across coil 306 to derive a power supply for all or part of RFID tag 300.
  • demodulator 301 demodulates the signal and outputs the demodulated data to tag controller 304.
  • the tag controller 304 may also be referred to as a computer. Controller 304 may respond to data from demodulator 301, the presence of power from power deriving means 302, or from some other stimulus, not shown, and may or may not cause data to be read from or written to a data storage means 305, which in this embodiment is computer memory 305. The controller 304 may similarly respond to received data, power or stimulus and cause data, which might be from data storage means 305, to be sent to modulator 303. Modulator 303 when receiving data from the controller 304 causes, according to the data, a modulated signal to be coupled via the antenna 306 to the device originally generating the field, an RFID reader in this example. Tag controller 304 might further contain user interface means or the like.
  • the controller 304 may be a microprocessor, state machine, microcontroller or other similar processor.
  • the type of processor will depend on the RFID tag and functionality required, in particular the complexity of the RFID tag and any applicable cost constraints.
  • the memory 305 may be any suitable form of memory or combination of memory forms, for example EEPROM, flash, ROM and may comprise a certain amount of One Time Programmable (OTP) memory.
  • OTP One Time Programmable
  • the OTP memory may be in the form of virtual OTP, i.e. logic controlled OTP, for example in E² format, or in the form of a fuseable link OTP memory where once fused the OTP can not be re-programmed. In both cases the OTP is operable to provide the necessary security for operation of the RFID transponder 300.
  • the OTP memory may comprise 6 bytes (48 bits) of OTP memory or for greater security the OTP memory may comprise for example up to 16 Bytes (128 bits).
  • the memory 305 is configured to provide at least two memory areas, at least one of which is OTP memory.
  • a first memory area may be lockable and may be used, for example, to store data programmed into the RFID transponder 300 on manufacture. This data may comprise details of the type of data, for example transport ticket, medical device and a unique identifier or UID for the RFID transponder.
  • a second memory area may comprise an area which is writeable to by a corresponding RFID transceiver.
  • a third memory area may then comprise a series of OTP counters which together with one or other of the other memory areas provide additional security or a digital signature for the RFID transponder. Example embodiments are provided below.
  • the memory 305 may only comprise OTP memory or may comprise different types of memory. Alternatively certain data may also be stored within the controller 304 or within additional data storage means.
  • the memory 305 is shown as a separate functional block in Figure 1. Alternatively it may comprise a part of or be formed wholly within the controller 304. Where the RFID transponder 300 forms part of a larger device or host system the memory 305 may be wholly or partly within the larger device or host system.
  • FIG. 2 illustrates an RFID transceiver/reader 100 which may be used in combination with the RFID transponder 300.
  • the RFID transceiver comprises signal generator 101, antenna 102, controller 104 and demodulator 103.
  • the signal generator 101 is operable (under control by the controller 104) to generate and transmit an RF signal 105 through antenna 102.
  • the RF signal 105 is represented by the magnetic field 307 in Figure 1.
  • This RF signal may or may not be modulated in accordance with data stored within the controller 104 by a variety of modulation means (for example frequency shift key, phase modulation, amplitude modulation, load modulation). Where modulation is required the signal generator 101 will include a modulator or modulation controller.
  • Demodulator 103 will demodulate any received modulated RF signal at antenna 102 and provide such demodulated signal to the controller 104.
  • RFID reader 100 will transmit a modulated RF signal 105.
  • Any RFID transponder 300 within range of such modulated RF signal will receive the RF signal (referenced 307 in Figure 1) at its antenna 306, and respond or react in accordance with instructions stored in controller 304 and/or memory 305.
  • a variety of methods to generate and/or modulate RF signals may be used for communication between RFID devices such as the RFID reader 100 and RFID tag 300. These include (i) 'carrier generation' in which an RFID device transmits an RF signal which may or may not be modulated; (ii) 'load modulation' in which an RFID device will modulate the RF signal received from another RFID device; and (iii) 'carrier interference' where an RFID device generates and transmits an RF signal which is used to create interference with an incoming received RF signal.
  • the RFID tag 300 comprises part of a contactless transport ticket.
  • a contactless transport ticket is shown diagrammatically as 306 in figure 3A.
  • Contactless tickets are usually formed from paper or plastic in the shape of the commonly used credit card, and have embedded within them an antenna (not shown) and the RFID tag 300.
  • the RFID tag 300 may be an integrated circuit or custom-made PCB which is then attached to an antenna and placed on or within the plastic or paper surround for the transport ticket.
  • the functionality of the RFID tag 300 may be the same as that described for Figure 3.
  • Figure 3A only the memory 305 is shown for convenience.
  • the memory is sub-divided into three areas, 305a, 305b and 305c.
  • Memory area 305a is locked on manufacture and can not be written to again during subsequent re-use.
  • Memory 305b is not locked and can be read from and written to during use either directly by the RFID tag 300 itself or following, for example, receipt of data or instructions from an RFID reader.
  • Memory 305c is one time programmable memory.
  • an RFID transceiver (for example RFID reader 100 as shown in Figure 2) comprised within the ticket gate and which is transmitting an RF signal will activate the RFID tag 300 by providing the power required for tag operation.
  • the RFID tag 300 will respond to the RFID reader to indicate that it is a valid RFID tag and at the same time or subsequently with any data relevant to the journey being undertaken by the passenger.
  • the RFID tag 300 may be intended for once only use, in which case following communication the RFID tag 300 may be deactivated. Alternatively the RFID tag 300 may be intended for multiple use and contain the data necessary for multiple journeys.
  • the RFID reader will then be operable to deduct journeys from the RFID tag 300 or to re-program the RFID tag 300 such that one journey is no longer available.
  • the data stored on the RFID tag 300 may equate to journeys, money or any other data required for communication with the RFID reader.
  • the OTP memory 305c of the RFID tag 300 stores a series of counters equating to, for example the number of journeys or money being stored within the memory of the RFID tag.
  • the RFID tag may store £ equating to 10 journeys each worth £1.
  • 10 bits within the OTP memory are set aside for programming during use of the RFID tag. Every time the RFID tag is used as a transport ticket the RFID reader programs one bit in the OTP memory up to the total of 10 bits. Once all 10 bits have been programmed no more journeys are possible. The RFID reader will be able to check whether all the relevant OTP bits have been programmed and therefore whether any more journeys can be undertaken.
  • the RFID reader may also check the number of un-programmed OTP bits remaining. Where this doesn't match the data stored within the rest of the OTP memory, it will refuse to accept the RFID tag on the assumption that the RFID tag has been re-programmed or tampered with.
  • the combination of programmed and un-programmed OTP memory in comparison with other memory areas specifying the type of ticket (for example a Mega ticket or 10 journeys) acts as a digital signature for the RFID tag and enables the RFID reader to determine whether the RFID tag has been tampered with.
  • the OTP counters (OTP memory area) are altered on each journey issued and can not be changed back; the locked memory specifies the type of ticket and itself can not be re-programmed.
  • the OTP counter may alternatively only operate where a certain value is deducted from the overall value held on the RFID tag. For example where the RFID tag holds Georgia, then the RFID reader may only program an OTP bit when the RFID tag is used to pay for a journey of more than 50p. Where the value is under the 50p level then either the OTP bit is not programmed or alternatively the value is stored elsewhere within the RFID tag memory and acts as a cumulative tally of value. Once the cumulative tally exceeds a certain threshold then again the RFID reader will program an OTP bit. In another embodiment the available OTP bits may be used as a transaction counter, again once all OTP bits have been 'used' the RFID tag will not be useable for future journeys. The RFID reader will again detect whether all the OTP bits have been used and therefore be able to assess whether the RFID tag has been tampered with or re-programmed.
  • the transport ticket (not shown) comprises an RFID tag 300 and memory store 305. Other RFID tag functionality is not shown for convenience. On manufacture the memory will represent 10 trips. This will be reflected in the locked EEPROM memory area 305a. The nature of the ticket issued can not be altered once issued. The date is also included in this example.
  • the variable EEPROM memory area 305b is used as part of the communication with a point of sale terminal or POS.
  • the POS will contain an RFID reader such as the reader shown in Figure 2. Each time the transport ticket is used the POS will provide instructions to the RFID tag 300 resulting in the writing of new information to EEPROM memory area 305b.
  • This new information will represent the number of journeys or trips used or remaining, for example as shown in 307, 308 and 313.
  • the POS will also request information on the status of the OTP counters within the RFID tag 300. These are held in the one-time-programmable bits in memory area 305c. Following completion of a successful POS/RFID tag communication the RFID tag will write to a further OTP bit changing a 0 to a 1. This is illustrated as 309, 310, 311. The number of 1's reflects the number of OTP bits written to and therefore the number of trips taken. Once changed to a 1 the OTP bit can not be changed back to a 0.
  • OTP memory has no functionality to support the change of an OTP memory bit from logical 1 to logical 0.
  • the data in the memory area 305b will not match data in the memory area 305c and therefore the data provided to the POS will not be consistent, an example of which is illustrated as 312 which shows that all 10 trips have been used according to the data stored in OTP memory 305c, but that 10 trips remain according to the data stored in dynamic memory 305b.
  • the POS will interpret this as a failure and refuse to accept the transport ticket and therefore refuse transport.
  • the changes to the OTP bits may be as a result of direct programming of the OTP bits by the RFID reader or alternatively as a result of received communication or instructions from the RFID reader which triggers the RFID tag controller to program the relevant OTP bits during communication with the RFID reader or directly following such communication.
  • the OTP memory 305c may only record certain transactions of the transponder. For example where the RFID tag 300 holds 10 credits with each credit being worth Mega. The OTP memory 305c will only be written to where a whole credit i.e. Georgia is used. The variable EEPROM memory 305b may then be used to record how much of each credit is used each time, for example where the user takes 10 trips of £ in value, each trip will result in a change in the EEPROM memory 305b but a change in OTP will only occur following 10 trips.
  • the RFID tag also comprises a message or tag authentication code.
  • the message authentication code is stored in a first memory area which is lockable, for example 305a in Figure 3A.
  • Figure 4A shows this diagrammatically where 400 is an access card.
  • the RFID tag is represented by area 300.
  • the memory 305 comprises two memory areas, 401 and 402.
  • 401 is lockable EEPROM memory. This is split into a series of message/tag authentication or digital signature memory areas 403, 406, 408, 410 and remaining EEPROM memory 412.
  • the remaining EEPROM memory may be used to store information on manufacture, type of access card, UID, operator name and date of issue.
  • f is a function, which may be a multiplier.
  • the function can be the same function or a different function for each of the variables (ticket UID, operator name, date of issue) in the algorithm being used.
  • the above will create a unique identifier or digital signature for the RFID tag which can then be used by a corresponding reader to authenticate the RFID tag. This can be used to control which readers are able to write-to the RFID tag. Only readers with the corresponding algorithm to generate the digital signature will be able to write to the RFID tag.
  • the RFID reader will check the unique identifier before sending any data to the RFID tag. Once the RFID tag has been successfully written-to, the RFID reader may supply a new digital signature. This is shown diagrammatically in Figure 4b where just the lockable memory area 401 is shown. On first writing of data to the RFID tag, the first digital signature 404 is written to the first EEPROM memory area 403 and locked. This digital signature can not be re-written or modified subsequently. When an RFID reader comes to write data to the RFID tag a second time, the RFID reader will request the digital signature 404. Provided the digital signature 404 is authenticated, the RFID reader will then supply the required data to the RFID tag. The data will be written into the appropriate memory area within the RFID tag.
  • the RFID reader will then supply a further digital signature which will be written to the memory area 401 and locked.
  • the RFID tag may require validation/verification of the RFID reader.
  • the RFID reader may automatically send the digital signature it has generated internally following its own validation or alternatively may send it to the RFID tag following receipt of a request from the RFID tag for the digital signature.
  • On receipt the RFID tag will compare its internally generated digital signature with the received signature and only where both signatures agree will the RFID tag controller then write data to the computer memory.
  • the digital authentication signature may also comprise (be generated as a function of) information from the OTP memory area 402. For example part of the OTP memory area may comprise a series of counters which are programmed each time the RFID tag is written to. By combining the number of counters programmed (or alternatively the number of un-programmed counters remaining) with the digital signature, the RFID reader will obtain information on the number of times the RFID tag has been written to. This can then be used to control the number of times the RFID tag is written to. Alternatively the data stored in the OTP memory may simply be used as part of the authentication message generation.
  • an area within the OTP memory may be set aside and programmed with particular date information. This date information may be programmed on manufacture or on first use.
  • the RFID tags can then be given an expiry date either again within the OTP memory or alternatively through communication with the RFID reader. For example the RFID reader may not validate any RFID tags which are more than one month old. Alternatively the RFID reader may request the expiry date from the OTP memory and if exceeded refuse the RFID tag. The RFID reader may also compare the first and expiry dates to ensure that there is no inconsistency.
  • the date of last use is held within the OTP memory and the date of first use is programmed on first communication between tag and reader to another memory location
  • the date of last use will remain within the OTP memory but the date of first use (which is programmed by the RFID reader) will then become earlier than the date of last use and hence could be detected by an RFID reader.
  • This embodiment may also be combined with an earlier embodiment, such that once the date of first use has been programmed into the OTP, the OTP then acts as a counter and counts down over the period of validity. Once expired, the RFID tag can no longer be used, there will be no non-programmed OTP bits which will be detectable by the corresponding RFID reader.
  • the embodiments described above may be used to control access or provide an audit trail, for example in a medical environment.
  • staff may be provided with access cards holding message authentication and, for example date information held within the OTP memory.
  • the message authentication can be specific to a particular member of staff and may enable specific equipment use or authorization within the restricted area.
  • the OTP memory may also be used to control the number of times a particular piece of equipment is used. For example where a piece of equipment must only be used once, the OTP memory can be used to prevent re-use or provide a warning where re-use is attempted. Likewise where the locked memory holds information on expiry date, this can be used together with the OTP memory to ensure that all use is within a required date range and to prevent tampering.
  • the RFID tag may be used to label a syringe containing medicine. The RFID tag has three memory areas, similar to the transport ticket in Figure 3A. The first memory area 305a is used to hold data on the expiry date of the medicine, the manufacturer and other details relating to the medicine.
  • Memory 305b is written to each time the syringe is used.
  • the OTP memory area (305c) is automatically written to each time the syringe is used.
  • an RFID reader will be able to determine whether the medicine is in date and whether the syringe has already been used.
  • the OTP provides additional security and prevents tampering with the dynamic memory area 305b.
  • the embodiments described above may be combined or used in combination to provide additional security.
  • the embodiments may also be randomized or based on the type of RFID reader with which the RFID tag interacts.
  • the embodiments may also be combined with pre-existing encryption techniques, for example other areas of the memory may be encrypted using Data Encryption Standard
  • inventions refer to changes or modifications to single OTP bits, such embodiments may also utilize or involve changes or modifications to multiple OTP bits at any one time.
  • the embodiments described above are described in the context of an RFID transponder interacting with an RF reader.
  • the concepts may also be applied to circumstances where the RFID transponder is interacting with an alternative RF transceiver, for example an NFC device (such as those described in ISO/IEC 21481 or ISO/IEC 18092).
  • the concept may be applied to other RFID devices functioning in a similar fashion to an RFID transponder, for example an NFC device acting in so called target mode (i.e. responding to a received RF signal).
  • FIG. 3 shows a larger device or system 400, incorporating an RFID tag 300'.
  • Device interface 401 interacts with RFID tag 300' via its tag control means 304, and tag 300' operates in the same way as described for tag 300 in Figure 1.
  • Device interface 401 has connections, not shown, to other functionalities within larger device or system 400, and these other functionalities may incorporate some or all of data storage means 305 and tag control means 304.
  • the OTP memory may be comprised within the larger device rather than within the RFID tag 300.
  • Power deriving means 302 might if present, supply power to some or all of larger device 400. Alternatively power may be supplied by the host system or device 400 through connections not shown.
  • FIG 4 shows an example Near Field Communication (NFC) device 500.
  • An NFC device can operate in two modes, as either an initiator (similar to an RFID reader 100 and as described for Figure 2 above) or a target (similar in operation to an RFID tag 300 and as described for Figure 1 above).
  • RF signal and modulation means 501, antenna 502, demodulation means 503 and NFC control means 504 all act to have a similar effect as their equivalent functionalities 101, 102, 103, and 104 as described for figure 2 and act to create an RF signal represented by magnetic field 505 which has similar characteristics to the field 105 of figure 2.
  • antenna 502 and demodulation means 503 act to have similar effect as antenna 306 and tag demodulation means 301 in figure 1, and in a similar manner, RF signal and modulation means 501 acts to have similar effect as tag modulation means 303 in figure 1.
  • power deriving means 506, NFC control means 504 and data storage means 507 have similar functionalities to the equivalent functionalities 302, 304 and 305 as described for Figure 1.
  • the embodiments described above are described in the context of transport systems where the RFID tag is comprised within a ticket and the RFID reader is comprised within a ticket gate.
  • the principles may be applied to any similar system in which there is a need for security.
  • the embodiments could be applied for use in access applications where the OTP security is used to prevent cloning of a security pass, vending applications where the OTP security is used to prevent cloning of a vending payment device.
  • embodiments of the invention can also be used with other systems and devices, for example with an NFC device acting as a responder, possibly in a tag emulation mode.

Abstract

A transponder comprises a first computer memory wherein such first computer memory is lockable and is configured to store identification data for the transponder, a second computer memory wherein such second computer memory is one time programmable and is configured to represent use of the transponder, a third computer memory wherein such third computer memory can be written-to in accordance with or as a result of received instructions and/or data, and an inductive coupler configured to communicate data, and a controller configured to provide to said inductive coupler data from each and every one of said first computer memory, second computer memory and third computer memory for outbound communication.

Description

A RF DEVICE
Field of the Invention
The invention relates to RF devices, in particular, but not exclusively to RFID transponders for use in secure applications such as transport ticketing, payment, medical applications and vending.
Background to the Invention
Radio Frequency Identification (RFID) is now being used in more and more applications. Conventional RFID systems comprise a transceiver and transponder. The transceiver initiates communication and the transponder will respond in accordance with a set communication protocol. Examples of such systems include those described in ISO 14443A, ISO 15693A etc. In this disclosure, the term RFID device shall be used to include any device which communicates through inductive coupling of radio frequency signals (alternatively referred to as inductive coupling of a magnetic field or H field) and/or modulation of radio frequency signals. RFID transponder shall be used to include a transponder, for example a tag, operable to respond to the receipt of an RF signal (whether in modulated or un-modulated form). Such response may trigger for example further communication by the RFID transponder, the writing of data to the RFID transponder, the communication of data from the RFID transponder, the activation or bringing into effect of some system response (for example where the RFID transponder forms part of a larger system, receipt of an RF signal may trigger a response in the larger system).
Where the RFID transponder is being used to carry monetary or credit information or other secure information it is important that the RFID transponder is secure. For example where the RFID transponder comprises part of a transport ticket which holds £50 worth of train journeys, it is important that someone can not take that ticket and re-program the RFID transponder with another £50 worth of train journeys. Conventionally encryption is used to ensure security and prevent fraud. However encryption can be expensive to implement and requires decryption systems to be present in the interrogating reader.
According to a first aspect of the invention, there is provided a transponder comprising: a first computer memory wherein such first computer memory is lockable and is configured to store identification data for the transponder; a second computer memory wherein such second computer memory is one time programmable and is configured to represent use of the transponder; a third (writeable) computer memory wherein such third computer memory can be written-to in accordance with or as a result of received instructions and/or data; an inductive coupler configured to communicate data; and a controller configured to provide to said inductive coupler data from each and every one of said first computer memory, second computer memory and third computer memory for outbound communication.
Providing the capability to communicate data from each and every one of the three memories provides sufficient data for a receiving party, for example a transceiver as discussed below, to compare the data that was stored in more than one of the memory devices and determine whether or not there are any inconsistencies between the data. This can reduce the chances that a user of the transponder can fraudulently reprogram the transponder, as any inconsistencies can be determined from the data stored in more than one of the memories.
The inductive coupler may be an antenna that is configured to be exposed to a RF signal and modulate the received RF signal such that the modulated signal can be received by a corresponding transceiver.
According to a further aspect of the invention, there is provided a transponder comprising: lockable computer memory configured to store transponder identification data; one time programmable (OTP) computer memory configured to store transponder use data; writeable computer memory configured to store transponder use data; and an inductive coupler configured to inductively couple an RF signal and modulate such RF signal with data comprising the transponder identification data and the transponder use data from each computer memory.
The lockable computer memory will store data that cannot be changed once the computer memory has been locked. Examples of lockable computer memory include EEPROM, Flash, ROM, etc. The one time programmable (OTP) computer memory can store data which cannot be overwritten once it has been programmed. One time programmable memory may use single bit sectors that are available on an EEPROM. The single bit sectors may be locked by a fuse, or antifuse, such that the fuse or antifuse can only be blown once, irreversibly, in order to program that bit. The writeable computer memory can store data which can be written-over or changed depending on data and/or instructions received by the transponder controller. Examples of writeable computer memory include EEPROM, flash, ROM etc.
Storing the transponder identification data on lockable computer memory, and storing the transponder use data on one time programmable computer memory enables the security of the transponder to be increased, when compared with the prior art. Such a configuration inhibits a user tampering with the transponder identification data and the transponder use data in order to fraudulently use the transponder. For example, by adjusting the computer memory on the transponder to show that there is more credit remaining to be used by the transponder than has been purchased.
The transponder may be associated with a ticket, and the ticket may comprise part of a contact-less ticket system. The transponder may prove particularly advantageous when associated with a ticket, preferably as part of a contact-less ticket system, as known ticketing systems use encryption to encrypt the data that is stored on the transponder. However, encryption can be expensive to implement and requires decryption systems to be present in the interrogating reader.
The transponder may further comprise a computer processor configured to calculate a digital signature as a function of at least some of the transponder identification data. The digital signature may also be calculated as a function of at least some of the transponder use data. The transponder may be further configured to inductively couple the digital signature to a corresponding transceiver. The computer processor may be configured to store the digital signature in the lockable computer memory. Using a digital signature can provide a further level of security for the data that is stored in computer memory on the transponder. The digital signature can be generated by a function that is stored in computer memory or controller on the transponder, and a transceiver which receives the signal that is transmitted by the transponder can also have access to the function that has been used to generate the digital signature such that the digital signature can be independently generated at the transceiver. This enables the transceiver to compare the received digital signature that has been generated by the transponder, and stored in transponder computer memory, with a digital signature which has been independently generated at the transceiver. If a user has fraudulently altered any of the transponder identification data that is stored in lockable computer memory on the transponder, this can be determined by the transceiver as there will be a difference between the calculated and received digital signatures.
Likewise before a transponder changes any data held in writeable computer memory it may require the transceiver to supply a digital signature for comparison with an internally generated digital signature. If the transceiver is not an authorized transceiver i.e. it does not have access to the correct function for generating the digital signature, then there will be an inconsistency between the supplied digital signature and the internally generated digital signature. This inconsistency can be determined by the transponder.
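An added illustration of the two signature checks described above (not code from the patent): the transceiver recomputes the signature over the identification data, and the transponder refuses a write unless the transceiver supplies a matching signature. The patent leaves the generating function unspecified; HMAC-SHA256 under a shared secret is swapped in here as an assumption, as are the class, field and purpose-label names and the constructed sample values.

```python
import hashlib
import hmac


def compute_signature(secret: bytes, purpose: bytes, uid: bytes, operator: str,
                      issue_date: str, writes_done: int = 0) -> bytes:
    """Stand-in for the unspecified signature function (assumption: HMAC-SHA256).

    Every field is length-prefixed so that field boundaries are unambiguous.
    `purpose` separates the stored identity signature from a write
    authorisation, so the readable locked signature cannot authorise a write.
    """
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    fields = (purpose, uid, operator.encode(), issue_date.encode(),
              writes_done.to_bytes(2, "big"))
    for value in fields:
        mac.update(len(value).to_bytes(2, "big") + value)
    return mac.digest()[:16]  # truncated for a small tag memory (assumption)


class Tag:
    """Transponder side: lockable identity data, a write counter, writeable data."""

    def __init__(self, secret: bytes, uid: bytes, operator: str, issue_date: str):
        self._secret = secret
        self.uid, self.operator, self.issue_date = uid, operator, issue_date
        self.writes_done = 0   # number of OTP bits programmed so far
        self.writeable = b""   # writeable memory contents
        # First signature, written to lockable memory when the tag is issued.
        self.locked_signature = compute_signature(
            secret, b"identity", uid, operator, issue_date)

    def read(self) -> dict:
        """Data the tag sends to a transceiver."""
        return {"uid": self.uid, "operator": self.operator,
                "issue_date": self.issue_date, "writes_done": self.writes_done,
                "locked_signature": self.locked_signature}

    def write(self, data: bytes, supplied: bytes) -> bool:
        """Write only if the supplied signature equals the internal one."""
        expected = compute_signature(self._secret, b"write", self.uid,
                                     self.operator, self.issue_date,
                                     self.writes_done)
        if not hmac.compare_digest(expected, supplied):
            return False
        self.writeable = data
        self.writes_done += 1  # the next write needs a different signature
        return True


class Reader:
    """Transceiver side: holds the same function and secret as genuine tags."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def verify(self, image: dict) -> bool:
        """Recompute the identity signature and compare with the received one."""
        calculated = compute_signature(self._secret, b"identity", image["uid"],
                                       image["operator"], image["issue_date"])
        return hmac.compare_digest(calculated, image["locked_signature"])

    def write(self, tag: Tag, data: bytes) -> bool:
        """Authenticate the tag first, then present a write signature to it."""
        image = tag.read()
        if not self.verify(image):
            return False
        supplied = compute_signature(self._secret, b"write", image["uid"],
                                     image["operator"], image["issue_date"],
                                     image["writes_done"])
        return tag.write(data, supplied)
```

Binding the write signature to the counter of programmed OTP bits means a signature accepted for one write is not accepted for the next.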
A new digital signature may be generated from the transponder identification data when the transponder is reloaded/rewritten. In some embodiments, the transponder may be capable of being used more than once. That is, credit may be reloaded or rewritten onto the transponder. When a transponder is used more than once, the transponder identification data may be altered when the transponder is reloaded/rewritten, and therefore a new digital signature should be generated as a function of the new transponder identification data.
Transponder identification data may comprise one, or more, of: digital signature data; unique identification data; operator specific data; project specific data; product type; date of issue; date of expiry; and data in relation to a point of sale (POS) terminal or validator. The transponder identification data may be written into the lockable computer memory when the transponder is first manufactured, programmed, acquired by an end user, for example purchased from a point of sale, or alternatively once the transponder has been validated for use.
The lockable memory may be locked before the transponder is delivered to an operator, or locked at a point of sale (POS) for the transponder. Preferably, the lockable memory is locked soon after the transponder identification data has been written into the lockable computer memory. In some embodiments, it may be possible to lock regions of the lockable computer memory independent of other regions of the lockable computer memory. This enables individual regions of the lockable computer memory to be locked as, and when, data is written into them. Also, where a new digital signature is generated when the transponder is reloaded/rewritten and stored in lockable computer memory, the region in which the new digital signature is written can be locked shortly after the digital signature is written to memory.
Transponder use data may comprise one, or more, of: a count of the number of times the transponder has been used; a count of the number of times the transponder remains to be used; credit, or a proportion of credit, that has been used by the transponder; and credit, or a proportion of credit, that remains for further use by the transponder.
The transponder use data may provide details of how many times, and to what extent, the transponder has been used, or alternatively how many times, and to what extent, the transponder remains to be used. The OTP computer memory may comprise one or more OTP bits, whereby one (or more) OTP bit is programmed each time the transponder is used.
The transponder may further comprise dynamic memory configured to store temporary data. The temporary data may be stored in the third (writeable) memory.
Temporary data may comprise one, or more, of: date of last use; time of last use; a count of the number of times the transponder has been used; a count of the number of times the transponder remains to be used; credit, or a proportion of credit, that has been used by the transponder; and credit, or a proportion of credit, that remains for further use by the transponder. There may be provided a transceiver comprising: a receiver configured to receive a signal comprising transponder identification data and multiple sets of transponder use data from a transponder; and a computer processor configured to process the multiple sets of transponder use data and/or the transponder identification data to determine if there are any inconsistencies between any one or more of the transponder identification data and/or the multiple sets of transponder use data.
The transceiver may comprise part of a contact-less ticket system.
The receiver may be further configured to receive a digital signature. The computer processor may be further configured to: calculate a digital signature as a function of the received transponder identification data, compare the calculated digital signature with the received digital signature; and generate an inconsistency if there is a difference between the calculated digital signature and the received digital signature.
The computer processor may be further configured to: compare the amount of credit remaining on the transponder as determined from the transponder identification data and/or one set of transponder use data with the amount of credit remaining on the transponder as determined from the remaining transponder use data; and generate an inconsistency if there is a difference between the two. The computer processor may be further configured to: compare the amount of credit that has been used by the transponder as determined from the transponder identification data with the amount of credit that has been used by the transponder as determined from the transponder use data; and generate an inconsistency if there is a difference between the two.
The computer processor may be further configured to: compare the number of times that the transponder has been used as determined from the transponder identification data with the number of times that the transponder has been used as determined from the transponder use data; and generate an inconsistency if there is a difference between the two.
The computer processor may be further configured to: compare the number of times that the transponder remains to be used as determined from the transponder identification data with the number of times that the transponder remains to be used as determined from the transponder use data; and generate an inconsistency if there is a difference between the two.
The computer processor may be further configured to: compare a date that is part of the transponder identification data with a date that is part of the transponder use data and/or with the present date; and generate an inconsistency if there is a discrepancy between any of the dates.
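The transceiver-side comparisons listed above, sketched as an added example (not code from the patent) for a 10-trip ticket with one OTP bit programmed per trip. The class, field and function names, the date fields chosen and the sample values in the comments are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


class OtpCounter:
    """One-time-programmable bit field: a bit can go from 0 to 1, never back."""

    def __init__(self, size: int = 10, value: int = 0):
        self.size = size
        self._bits = value & ((1 << size) - 1)

    def program_next(self) -> bool:
        """Program the lowest un-programmed bit; False when none remain."""
        for i in range(self.size):
            if not self._bits & (1 << i):
                self._bits |= 1 << i
                return True
        return False

    def write(self, value: int) -> None:
        """Raw write. OR semantics: a programmed bit cannot be cleared."""
        self._bits |= value & ((1 << self.size) - 1)

    @property
    def used(self) -> int:
        return bin(self._bits).count("1")


@dataclass
class TicketImage:
    """Data the transceiver receives from all three memories."""
    ticket_trips: int          # lockable memory: ticket type, e.g. 10 trips
    issue_date: date           # lockable memory
    expiry_date: date          # lockable memory
    remaining: int             # writeable memory: trips remaining
    last_use: Optional[date]   # writeable memory: date of last use
    otp: OtpCounter            # OTP memory: one programmed bit per trip taken


def find_inconsistencies(t: TicketImage, today: date) -> list:
    """Return a code for every comparison that fails (empty list = consistent)."""
    problems = []
    # Use counts from OTP and writeable memory must add up to the ticket type.
    if (not 0 <= t.remaining <= t.ticket_trips
            or t.otp.used + t.remaining != t.ticket_trips):
        problems.append("count")
    # Dates must be ordered: issue <= last use <= today, and issue <= expiry.
    if t.expiry_date < t.issue_date:
        problems.append("date")
    elif t.last_use is not None and not t.issue_date <= t.last_use <= today:
        problems.append("date")
    elif t.last_use is None and t.otp.used:
        problems.append("date")
    return problems


def take_trip(t: TicketImage, today: date) -> bool:
    """Accept the ticket for one trip, or refuse it."""
    if find_inconsistencies(t, today) or today > t.expiry_date:
        return False
    # Program the OTP bit before updating writeable memory: an interrupted
    # exchange then leaves the ticket inconsistent (refused), never with a
    # trip that was taken but not counted.
    if not t.otp.program_next():
        return False
    t.remaining -= 1
    t.last_use = today
    return True
```

Because the writeable count can be rewritten but the OTP bits cannot be cleared, restoring only the writeable value leaves the two counts disagreeing, and the ticket is refused.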
There may be provided a contact-less ticket system comprising: a transponder comprising: lockable computer memory configured to store transponder identification data; one time programmable (OTP) computer memory configured to store transponder use data; writeable computer memory configured to store transponder use data; and an inductive coupler configured to inductively couple an RF signal and modulate such RF signal with the transponder identification data and the transponder use data from each computer memory; and a transceiver comprising: a receiver configured to receive a signal comprising transponder identification data and transponder use data from the transponder; and a computer processor configured to process the transponder identification data and the transponder use data to determine if there are any inconsistencies between the transponder identification data and the transponder use data.
There may be provided a point of sale (POS) terminal for providing a transponder of an aspect of the invention, configured to: write the digital signature to the lockable memory of the transponder, or provide an instruction to a computer processor in the transponder to cause the computer processor to write a digital signature to the lockable memory of the transponder.
There may be provided a method of generating a signal indicative of an inconsistency between transponder identification data and transponder use data comprising: receiving transponder identification data and multiple sets of transponder use data; comparing the transponder identification data and/or one or more of the multiple sets of transponder use data to determine if there is an inconsistency between the transponder identification data and/or one or more of the multiple sets of transport use data; and generating a signal indicative of an inconsistency if an inconsistency is determined.
An RFID tag may be provided comprising a digital signature, such digital signature comprising a comparison between data held in two separate areas of memory. In a preferred embodiment one of the separate areas of memory comprises one time programmable memory.
An RFID tag may be provided comprising a digital signature, such digital signature comprising a combination of data held within lockable memory of the RFID tag. Such digital signature may additionally comprise data obtained from an RFID reader. A digital signature may be used together with or combined with data from one time programmable memory within the RFID tag.
An NFC device may be provided comprising a digital signature, such digital signature comprising a comparison between data held in two separate areas of memory. In a preferred embodiment one of the separate areas of memory comprises one time programmable memory.
An NFC device may be provided comprising a digital signature, such digital signature comprising a combination of data held within lockable memory of the NFC device. Such digital signature may additionally comprise data obtained from an NFC device. A digital signature may be used together with or combined with data from one time programmable memory within the NFC device.
All of the above aspects provide increased security and anti-tampering protection without the requirement for encryption or encryption technologies.
The impact on memory required and therefore RFID tag or NFC device size is therefore kept to a minimum.
It will be appreciated that any of the optional features discussed above in relation to any of the aspects of the invention may also be optional features of other aspects of the invention.
Brief Description of the Drawings
Figure 1 shows an example RFID tag block diagram;
Figure 2 shows an example RFID reader block diagram;
Figure 3 shows a larger device or system, incorporating a tag;
Figures 3a and 3b show an example computer memory block diagram;
Figure 4 shows an example NFC device block diagram; and
Figures 4a and 4b show an example access card block diagram.
Detailed Description of the Invention
Embodiments of the invention will now be described with reference to the Figures.
Figure 1 shows an example RFID transponder in accordance with the invention. The RFID transponder is shown as RFID tag 300. The RFID tag comprises a demodulator 301, a controller 304, a modulator 303 and memory 305. The RFID tag will be attached to an antenna, shown as a coil 306. When for example an RFID reader causes a magnetic field 307 to be present around coil 306 a voltage is generated across coil 306. RFID tag 300 may or may not contain power deriver 302, which can if present, use the voltage across coil 306 to derive a power supply for all or part of RFID tag 300. If a data signal represented by the magnetic field 307 is modulated, then demodulator 301 demodulates the signal and outputs the demodulated data to tag controller 304. The tag controller 304 may also be referred to as a computer. Controller 304 may respond to data from demodulator 301, the presence of power from power deriving means 302, or from some other stimulus, not shown, and may or may not cause data to be read from or written to a data storage means 305, which in this embodiment is computer memory 305. The controller 304 may similarly respond to received data, power or stimulus and cause data, which might be from data storage means 305, to be sent to modulator 303. Modulator 303 when receiving data from the controller 304 causes, according to the data, a modulated signal to be coupled via the antenna 306 to the device originally generating the field, an RFID reader in this example. Tag controller 304 might further contain user interface means or the like.
The controller 304 may be a microprocessor, state machine, microcontroller or other similar processor. The type of processor will depend on the RFID tag and functionality required, in particular the complexity of the RFID tag and any applicable cost constraints.
The memory 305 may be any suitable form of memory or combination of memory forms, for example EEPROM, flash, ROM and may comprise a certain amount of One Time Programmable (OTP) memory. The OTP memory may be in the form of virtual OTP i.e. logic controlled OTP, for example in E2 format or in the form of a fuseable link OTP memory where once fused the OTP can not be re-programmed. In both cases the OTP is operable to provide the necessary security for operation of the RFID transponder 300. For example the OTP memory may comprise 6 bytes (48 bits) of OTP memory or for greater security the OTP memory may comprise for example up to 16 Bytes (128 bits).
The memory 305 is configured to provide at least two memory areas, at least one of which is OTP memory. For example a first memory area may be lockable and may be used, for example, to store data programmed into the RFID transponder 300 on manufacture. This data may comprise details of the type of data, for example transport ticket, medical device and a unique identifier or UID for the RFID transponder. A second memory area may comprise an area which is writeable to by a corresponding RFID transceiver. A third memory area may then comprise a series of OTP counters which together with one or other of the other memory areas provide additional security or a digital signature for the RFID transponder. Example embodiments are provided below.
The memory 305 may only comprise OTP memory or may comprise different types of memory. Alternatively certain data may also be stored within the controller 304 or within additional data storage means. The memory 305 is shown as a separate functional block in Figure 1. Alternatively it may comprise a part of or be formed wholly within the controller 304. Where the RFID transponder 300 forms part of a larger device or host system the memory 305 may be wholly or partly within the larger device or host system.
Figure 2 illustrates an RFID transceiver/reader 100 which may be used in combination with the RFID transponder 300.
The RFID transceiver comprises signal generator 101, antenna 102, controller 104 and demodulator 103. The signal generator 101 is operable (under control by the controller 104) to generate and transmit an RF signal 105 through antenna 102. The RF signal 105 is represented by the magnetic field 307 in Figure 1. This RF signal may or may not be modulated in accordance with data stored within the controller 104 by a variety of modulation means (for example frequency shift key, phase modulation, amplitude modulation, load modulation). Where modulation is required the signal generator 101 will include a modulator or modulation controller. Demodulator 103 will demodulate any received modulated RF signal at antenna 102 and provide such demodulated signal to the controller 104. In operation RFID reader 100 will transmit a modulated RF signal 105. Any RFID transponder 300 within range of such modulated RF signal will receive the RF signal (referenced 307 in Figure 1) at its antenna 306, and respond or react in accordance with instructions stored in controller 304 and/or memory 305.
A variety of methods to generate and/or modulate RF signals may be used for communication between RFID devices such as the RFID reader 100 and RFID tag 300. These include (i) 'carrier generation' in which an RFID device transmits an RF signal which may or may not be modulated, (ii) 'load modulation' in which an RFID device will modulate the RF signal received from another RFID device; and (iii) 'carrier interference' where an RFID device generates and transmits an RF signal which is used to create interference with an incoming received RF signal.
In one application the RFID tag 300 comprises part of a contactless transport ticket. Such a contactless transport ticket is shown diagrammatically as 306 in figure 3A. Contactless tickets are usually formed from paper or plastic in the shape of the commonly used credit card, and have embedded within them an antenna (not shown) and the RFID tag 300. The RFID tag 300 may be an integrated circuit or custom-made PCB which is then attached to an antenna and placed on or within the plastic or paper surround for the transport ticket. The functionality of the RFID tag 300 may be the same as that described for Figure 3. In Figure 3A only the memory 305 is shown for convenience. The memory is sub-divided into three areas, 305a, 305b and 305c. Memory area 305a is locked on manufacture and can not be written to again during subsequent re-use. Memory 305b is not locked and can be read from and written to during use either directly by the RFID tag 300 itself or following, for example, receipt of data or instructions from an RFID reader. Memory 305c is one time programmable memory.
As the passenger approaches the ticket gate, an RFID transceiver (for example RFID reader 100 as shown in Figure 2) comprised within the ticket gate and which is transmitting an RF signal will activate the RFID tag 300 by providing the power required for tag operation. Once activated the RFID tag 300 will respond to the RFID reader to indicate that it is a valid RFID tag and at the same time or subsequently with any data relevant to the journey being undertaken by the passenger. The RFID tag 300 may be intended for once only use, in which case following communication the RFID tag 300 may be deactivated. Alternatively the RFID tag 300 may be intended for multiple use and contain the data necessary for multiple journeys. The RFID reader will then be operable to deduct journeys from the RFID tag 300 or to re-program the RFID tag 300 such that one journey is no longer available. The data stored on the RFID tag 300 may equate to journeys, money or any other data required for communication with the RFID reader.
In an embodiment of the invention, the OTP memory 305c of the RFID tag 300 stores a series of counters equating to, for example the number of journeys or money being stored within the memory of the RFID tag. For example the RFID tag may store £10 equating to 10 journeys each worth £1. 10 bits within the OTP memory are set aside for programming during use of the RFID tag. Every time the RFID tag is used as a transport ticket the RFID reader programs one bit in the OTP memory up to the total of 10 bits. Once all 10 bits have been programmed no more journeys are possible. The RFID reader will be able to check whether all the relevant OTP bits have been programmed and therefore whether any more journeys can be undertaken. The RFID reader may also check the number of un-programmed OTP bits remaining; where this doesn't match the data stored within the rest of the OTP memory, it will refuse to accept the RFID tag on the assumption that the RFID tag has been re-programmed or tampered with. The combination of programmed and un-programmed OTP memory in comparison with other memory areas specifying the type of ticket (for example a £10 ticket or 10 journeys) acts as a digital signature for the RFID tag and enables the RFID reader to determine whether the RFID tag has been tampered with. The OTP counters (OTP memory area) are altered on each journey issued and can not be changed back; the locked memory specifies the type of ticket and itself can not be re-programmed.
The OTP counter may alternatively only operate where a certain value is deducted from the overall value held on the RFID tag. For example where the RFID tag holds £10, then the RFID reader may only program an OTP bit when the RFID tag is used to pay for a journey of more than 50p. Where the value is under the 50p level then either the OTP bit is not programmed or alternatively the value is stored elsewhere within the RFID tag memory and acts as a cumulative tally of value. Once the cumulative tally exceeds a certain threshold then again the RFID reader will program an OTP bit. In another embodiment the available OTP bits may be used as a transaction counter, again once all OTP bits have been 'used' the RFID tag will not be useable for future journeys. The RFID reader will again detect whether all the OTP bits have been used and therefore be able to assess whether the RFID tag has been tampered with or re-programmed.
This is shown diagrammatically in Figure 3B. The transport ticket (not shown) comprises an RFID tag 300 and memory store 305. Other RFID tag functionality is not shown for convenience. On manufacture the memory will represent 10 trips. This will be reflected in the locked EEPROM memory area 305a. The nature of the ticket issued can not be altered once issued. The date is also included in this example. The variable EEPROM memory area 305b is used as part of the communication with a point of sale terminal or POS. The POS will contain an RFID reader such as the reader shown in Figure 2. Each time the transport ticket is used the POS will provide instructions to the RFID tag 300 resulting in the writing of new information to EEPROM memory area 305b. This new information will represent the number of journeys or trips used or remaining, for example as shown in 307, 308 and 313. The POS will also request information on the status of the OTP counters within the RFID tag 300. These are held in the one-time-programmable bits in memory area 305c. Following completion of a successful POS/RFID tag communication the RFID tag will write to a further OTP bit changing a 0 to a 1. This is illustrated as 309, 310, 311. The number of 1's reflects the number of OTP bits written to and therefore the number of trips taken. Once changed to a 1 the OTP bit can not be changed back to a 0. OTP memory has no functionality to support the change of an OTP memory bit from logical 1 to logical 0. Where the RFID tag has been tampered with the data in the memory area 305b will not match data in the memory area 305c and therefore the data provided to the POS will not be consistent, an example of which is illustrated as 312 which shows that all 10 trips have been used according to the data stored in OTP memory 305c, but that 10 trips remain according to the data stored in dynamic memory 305b.
The POS will interpret this as a failure and refuse to accept the transport ticket and therefore refuse transport.
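The reader-side comparison described for Figure 3B, as an added Python example that is not part of the patent text. The class and function names, the bit-field model of memory area 305c and the verdict strings are assumptions made for illustration.

```python
from dataclasses import dataclass

OTP_BITS = 10  # one OTP bit per trip, as in the 10-trip ticket of Figure 3B


@dataclass
class Ticket:
    """Constructed model of memory 305 (names are illustrative)."""
    trips_issued: int      # 305a: locked EEPROM, fixed when the ticket is issued
    trips_remaining: int   # 305b: variable EEPROM, can be rewritten at will
    otp: int = 0           # 305c: OTP bit field, bits only ever go 0 -> 1

    def program_otp(self, mask: int) -> None:
        # OTP supports no 1 -> 0 transition, so a write can only OR bits in.
        self.otp |= mask & ((1 << OTP_BITS) - 1)

    def write_eeprom(self, trips_remaining: int) -> None:
        # 305b has no hardware protection; any value can be stored here.
        self.trips_remaining = trips_remaining


def trips_used(ticket: Ticket) -> int:
    """Number of programmed OTP bits, i.e. trips already taken."""
    return bin(ticket.otp).count("1")


def verdict(ticket: Ticket) -> str:
    """Compare 305a, 305b and 305c the way the POS/gate reader would."""
    used = trips_used(ticket)
    if not 0 < ticket.trips_issued <= OTP_BITS:
        return "inconsistent"          # ticket type cannot be counted in OTP
    if ticket.trips_remaining < 0:
        return "inconsistent"
    if used + ticket.trips_remaining != ticket.trips_issued:
        return "inconsistent"          # 305b disagrees with 305c (item 312)
    if used == ticket.trips_issued:
        return "exhausted"             # every OTP bit programmed, no trips left
    return "ok"


def use_trip(ticket: Ticket) -> bool:
    """One gate transaction: validate, update 305b, program one OTP bit."""
    if verdict(ticket) != "ok":
        return False
    ticket.write_eeprom(ticket.trips_remaining - 1)
    lowest_unprogrammed = ~ticket.otp & (ticket.otp + 1)
    ticket.program_otp(lowest_unprogrammed)
    return True


if __name__ == "__main__":
    ticket = Ticket(trips_issued=10, trips_remaining=10)
    for _ in range(10):
        use_trip(ticket)
    print(verdict(ticket))             # all trips used
    ticket.write_eeprom(10)            # 305b rewritten to look like a new ticket
    print(verdict(ticket))             # the state shown as 312
```

The check relies only on the OTP bits being irreversible: rewriting 305b cannot be matched by a corresponding change in 305c, so the sum of used and remaining trips no longer equals the locked ticket type.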
In both of the above embodiments, the changes to the OTP bits may be as a result of direct programming of the OTP bits by the RFID reader or alternatively as a result of received communication or instructions from the RFID reader which triggers the RFID tag controller to program the relevant OTP bits during communication with the RFID reader or directly following such communication.
In another example the OTP memory 305c may only record certain transactions of the transponder. For example where the RFID tag 300 holds 10 credits with each credit being worth £10. The OTP memory 305c will only be written to where a whole credit i.e. £10 is used. The variable EEPROM memory 305b may then be used to record how much of each credit is used each time, for example where the user takes 10 trips of £1 in value, each trip will result in a change in the EEPROM memory 305b but a change in OTP will only occur following 10 trips.
In another embodiment the RFID tag also comprises a message or tag authentication code. The message authentication code is stored in a first memory area which is lockable, for example 305a in Figure 3A. Figure 4A shows this diagrammatically where 400 is an access card. The RFID tag is represented by area 300. As with figure 3A only memory 305 is shown for convenience. The memory 305 comprises two memory areas, 401 and 402. 401 is lockable EEPROM memory. This is split into a series of message/tag authentication or digital signature memory areas 403, 406, 408, 410 and remaining EEPROM memory 412. The remaining EEPROM memory may be used to store information on manufacture, type of access card, UID, operator name and date of issue. The authentication data is generated by using a combination of information stored within the memory store. For example:
S (digital signature) = f(ticket UID) + f(operator name) + f(date of issue) + f(Reader UID).
Where f is a function, which may be a multiplier. The function can be the same function or a different function for each of the variables (ticket UID, operator name, date of issue) in the algorithm being used.
The above will create a unique identifier or digital signature for the RFID tag which can then be used by a corresponding reader to authenticate the RFID tag. This can be used to control which readers are able to write-to the RFID tag. Only readers with the corresponding algorithm to generate the digital signature will be able to write to the RFID tag.
Where access card 400 is written to by an RFID reader, the RFID reader will check the unique identifier before sending any data to the RFID tag. Once the RFID tag has been successfully written-to, the RFID reader may supply a new digital signature. This is shown diagrammatically in figure 4b where just the lockable memory area 401 is shown. On first writing of data to the RFID tag, the first digital signature 404 is written to the first EEPROM memory area 403 and locked. This digital signature can not be re-written or modified subsequently. When an RFID reader comes to write data to the RFID tag a second time, the RFID reader will request the digital signature 404. Provided the digital signature 404 is authenticated, the RFID reader will then supply the required data to the RFID tag. The data will be written into the appropriate memory area within the RFID tag. The RFID reader will then supply a further digital signature which will be written to the memory area 401 and locked. In the alternative or additionally prior to the RFID tag writing any data to computer memory, the RFID tag may require validation/verification of the RFID reader. In such cases the RFID reader may automatically send the digital signature it has generated internally following its own validation or alternatively may send it to the RFID tag following receipt of a request from the RFID tag for the digital signature. On receipt the RFID tag will compare its internally generated digital signature with the received signature and only where both signatures agree will the RFID tag controller then write data to the computer memory.
The digital authentication signature may also comprise (be generated as a function of) information from the OTP memory area 402. For example part of the OTP memory area may comprise a series of counters which are programmed each time the RFID tag is written to. By combining the number of counters programmed (or alternatively the number of un-programmed counters remaining) with the digital signature, the RFID reader will obtain information on the number of times the RFID tag has been written to. This can then be used to control the number of times the RFID tag is written to. Alternatively the data stored in the OTP memory may simply be used as part of the authentication message generation.
The use of a message authentication signature can be combined with use of the OTP bits as described above and below. This provides extra security and information for the RFID reader on use of the RFID tag and potential tampering.
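The signature-gated write of Figures 4A and 4B, combined with an OTP write counter, as an added Python example that is not part of the patent text. The multipliers, the 32-bit signature width, the sample field values and all names are assumptions; the patent only states that f may be a multiplier.

```python
from dataclasses import dataclass, field

# Assumed per-field multipliers standing in for the function f.
MULT = {"ticket_uid": 3, "operator": 5, "issue_date": 7, "reader_uid": 11}
OTP_MULT = 13        # assumed weight for the OTP write-counter term
SIG_MOD = 2 ** 32    # assumed 32-bit signature slot
SIG_SLOTS = 4        # signature areas 403, 406, 408, 410 in Figure 4A

# Constructed sample contents of the remaining locked EEPROM 412.
SAMPLE_FIELDS = {"ticket_uid": "T-000042", "operator": "ExampleRail",
                 "issue_date": "2006-11-23"}


def to_int(text: str) -> int:
    return int.from_bytes(text.encode("ascii"), "big")


def derive_signature(fields: dict, reader_uid: str, writes_done: int) -> int:
    """S = f(ticket UID) + f(operator name) + f(date of issue) + f(Reader UID),
    extended with a term for the number of programmed OTP counters."""
    total = sum(MULT[name] * to_int(fields[name])
                for name in ("ticket_uid", "operator", "issue_date"))
    total += MULT["reader_uid"] * to_int(reader_uid)
    total += OTP_MULT * writes_done
    return total % SIG_MOD


@dataclass
class AccessCard:
    fields: dict                                      # locked EEPROM 412
    locked_sigs: list = field(default_factory=list)   # 403..410, append-only
    otp_writes: int = 0       # OTP 402, modelled as a count that only grows
    data: bytes = b""         # area written by authorised readers

    def write(self, presented_sig: int, data: bytes, next_sig: int) -> bool:
        """Tag-side gate: write only if the presented signature matches."""
        if not self.locked_sigs or presented_sig != self.locked_sigs[-1]:
            return False
        if len(self.locked_sigs) >= SIG_SLOTS:
            return False      # no free signature area left to lock
        self.data = data
        self.otp_writes += 1                 # program one OTP counter
        self.locked_sigs.append(next_sig)    # lock the further signature
        return True


def issue_card(fields: dict, reader_uid: str) -> AccessCard:
    """First write: signature 404 goes into area 403 and is locked."""
    card = AccessCard(fields=dict(fields))
    card.locked_sigs.append(derive_signature(card.fields, reader_uid, 0))
    return card


def reader_write(card: AccessCard, reader_uid: str, data: bytes) -> bool:
    """Reader side: re-derive, compare with the card's signature, then write."""
    expected = derive_signature(card.fields, reader_uid, card.otp_writes)
    if not card.locked_sigs or card.locked_sigs[-1] != expected:
        return False          # inconsistency: refuse to send data
    next_sig = derive_signature(card.fields, reader_uid, card.otp_writes + 1)
    return card.write(expected, data, next_sig)


if __name__ == "__main__":
    card = issue_card(SAMPLE_FIELDS, "R-0001")
    print(reader_write(card, "R-0001", b"zone A"))   # authorised reader
    print(reader_write(card, "R-0002", b"zone B"))   # different reader UID
```

Because f is plain arithmetic rather than a keyed primitive, the gate is only as strong as the secrecy of the algorithm held by authorised readers; the OTP term is what ties each locked signature to the number of writes already made.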
In a further embodiment an area within the OTP memory may be set aside and programmed with particular date information. This date information may be programmed on manufacture or on first use. The RFID tags can then be given an expiry date either again within the OTP memory or alternatively through communication with the RFID reader. For example the RFID reader may not validate any RFID tags which are more than one month old. Alternatively the RFID reader may request the expiry date from the OTP memory and if exceeded refuse the RFID tag. The RFID reader may also compare the first and expiry dates to ensure that there is no inconsistency. For example where the date of last use is held within the OTP memory and the date of first use is programmed on first communication between tag and reader to another memory location, then where someone re-programs the content of the ticket to look like a new ticket then the date of last use will remain within the OTP memory but the date of first use (which is programmed by the RFID reader) will then become earlier than the date of last use and hence could be detected by an RFID reader. This embodiment may also be combined with an earlier embodiment, such that once the date of first use has been programmed into the OTP, the OTP then acts as a counter and counts down over the period of validity. Once expired, the RFID tag can no longer be used, there will be no non-programmed OTP bits which will be detectable by the corresponding RFID reader.
In a further example the embodiments described above may be used to control access or provide an audit trail, for example in a medical environment. Where access to a particular area is restricted, staff may be provided with access cards holding message authentication and, for example date information held within the OTP memory. The message authentication can be specific to a particular member of staff and may enable specific equipment use or authorization within the restricted area. Each time the message authentication is provided to an RFID reader (whether on accessing the restricted area or on using a particular piece of equipment) the RFID reader will obtain a record of that digital signature together with a date stamp from the OTP memory. This information can then be used to provide an audit trail in addition to secure access to the restricted area.
The OTP memory may also be used to control the number of times a particular piece of equipment is used. For example where a piece of equipment must only be used once, the OTP memory can be used to prevent re-use or provide a warning where re-use is attempted. Likewise where the locked memory holds information on expiry date, this can be used together with the OTP memory to ensure that all use is within a required date range and to prevent tampering. The RFID tag may be used to label a syringe containing medicine. The RFID tag has three memory areas, similar to the transport ticket in Figure 3A. The first memory area 305a is used to hold data on the expiry date of the medicine, the manufacturer and other details relating to the medicine. Memory 305b is written to each time the syringe is used. The OTP memory area (305c) is automatically written to each time the syringe is used. By combining the data from the OTP memory and the other memory areas, an RFID reader will be able to determine whether the medicine is in date and whether the syringe has already been used. The OTP provides additional security and prevents tampering with the dynamic memory area 305b.
The embodiments described above may be combined or used in combination to provide additional security. The embodiments may also be randomized or based on the type of RFID reader with which the RFID tag interacts. The embodiments may also be combined with pre-existing encryption techniques, for example other areas of the memory may be encrypted using Data Encryption Standard (DES) or other encryption algorithms or software packages.
Certain of the embodiments refer to changes or modifications to single OTP bits; such embodiments may also utilize or involve changes or modifications to multiple OTP bits at any one time. The embodiments described above are described in the context of an RFID transponder interacting with an RF reader. The concepts may also be applied to circumstances where the RFID transponder is interacting with an alternative RF transceiver, for example an NFC device (such as those described in ISO/IEC 21481 or ISO/IEC 18092). Alternatively the concept may be applied to other RFID devices functioning in a similar fashion to an RFID transponder, for example an NFC device acting in so called target mode (i.e. responding to a received RF signal).
The embodiments described above may also apply to instances where the RFID transponder forms part of a larger host system or device. Figure 3 shows a larger device or system 400, incorporating an RFID tag 300'. Device interface 401 interacts with RFID tag 300' via its tag control means 304, and tag 300' operates in the same way as described for tag 300 in Figure 1. Device interface 401 has connections, not shown, to other functionalities within larger device or system 400, and these other functionalities may incorporate some or all of data storage means 305 and tag control means 304. Hence the OTP memory may be comprised within the larger device rather than within the RFID tag 300. Power deriving means 302 might if present, supply power to some or all of larger device 400. Alternatively power may be supplied by the host system or device 400 through connections not shown.
Figure 4 shows an example Near Field Communication (NFC) device 500. An NFC device can operate in two modes, as either an initiator (similar to an RFID reader 100 and as described for Figure 2 above) or a target (similar in operation to an RFID tag 300 and as described for Figure 1 above). In this example, when operating as an initiator, RF signal and modulation means 501, antenna 502, demodulation means 503 and NFC control means 504 all act to have a similar effect as their equivalent functionalities 101, 102, 103, and 104 as described for figure 2 and act to create an RF signal represented by magnetic field 505 which has similar characteristics to the field 105 of figure 2. In this example, when operating as a target, antenna 502 and demodulation means 503 act to have similar effect as antenna 306 and tag demodulation means 301 in figure 1, and in a similar manner, RF signal and modulation means 501 acts to have similar effect as tag modulation means 303 in figure 1. In addition, power deriving means 506, NFC control means 504 and data storage means 507, have similar functionalities to the equivalent functionalities 302, 304 and 305 as described for Figure 1.
The embodiments described above are described in the context of transport systems where the RFID tag is comprised within a ticket and the RFID reader is comprised within a ticket gate. The principles may be applied to any similar system in which there is a need for security. For example the embodiments could be applied for use in access applications where the OTP security is used to prevent cloning of a security pass, vending applications where the OTP security is used to prevent cloning of a vending payment device.
It will be appreciated that the above examples are illustrative and not limited to RFID devices. For example, embodiments of the invention can also be used with other systems and devices, for example with an NFC device acting as a responder, possibly in a tag emulation mode.
It is to be understood that any feature described in relation to any one embodiment may be used alone, or in combination with other features described, and may also be used in combination with one or more features of any other of the embodiments, or any combination of any other of the embodiments. Furthermore, equivalents and modifications not described above may also be employed without departing from the scope of the invention, which is defined in the accompanying claims.

Claims

1. A transponder comprising: a first computer memory wherein such first computer memory is lockable and is configured to store identification data for the transponder; a second computer memory wherein such second computer memory is one time programmable and is configured to represent use of the transponder; a third computer memory wherein such third computer memory can be written-to in accordance with or as a result of received instructions and/or data; and an inductive coupler configured to communicate data; and a controller configured to provide to said inductive coupler data from each and every one of said first computer memory, second computer memory and third computer memory for outbound communication.
2. The transponder of claim 1 wherein the data in the third computer memory is configured to represent use of the transponder.
3. The transponder of any preceding claim wherein the first computer memory is configured to store a digital signature.
4. The transponder of any one of the preceding claims, wherein the transponder is associated with a ticket.
5. The transponder of any preceding claim, wherein the transponder is configurable to store a new digital signature in said first memory each time the transponder is used in a transaction.
6. The transponder of any preceding claim, wherein the transponder is configurable to store a new digital signature in said first memory each time the transponder is reloaded/rewritten.
7. The transponder of claims 3, 4, 5 and 6, wherein the digital signature is derived using one or more of: unique identification data; operator specific data; project specific data; product type; date of issue; date of expiry; amount of credit on the transponder; date of first use; an indication that the transponder has been used at least once; data in relation to a point of sale (POS) terminal that has issued the transponder; and data in relation to a transceiver/validator that has been used with the transponder.
8. The transponder of any preceding claim, wherein at least a part of the first memory is locked during manufacture of the transponder.
9. The transponder of any preceding claim, wherein at least a part of the first memory is locked before the transponder is delivered to an operator.
10. The transponder of any preceding claim, wherein at least a part of the lockable memory is locked at a point of sale (POS) for the transponder.
11. The transponder of any preceding claim, wherein the representation of transponder use comprises one or more of: a count of the number of times the transponder has been used; a count of the number of times the transponder remains to be used; credit, or a proportion of credit, that has been used by the transponder; and credit, or a proportion of credit, that remains for further use by the transponder.
12. A transponder comprising: a lockable computer memory configured to store identification data for the transponder and a digital signature; one time programmable (OTP) computer memory configured to represent use of the transponder; and an inductive coupler configured to provide a signal comprising the digital signature, transponder identification data and the data representative of transponder use.
13. The transponder of claim 12, wherein the digital signature is derived using one or more of: unique identification data; operator specific data; project specific data; product type; date of issue; date of expiry; amount of credit on the transponder; date of first use; an indication that the transponder has been used at least once; data in relation to a point of sale (POS) terminal that has issued the transponder; and data in relation to a transceiver/validator that has been used with the transponder.
14. The transponder of any one of the preceding claims, wherein the transponder is associated with one of an access device, medical device or medical treatment.
15. The transponder according to claim 3, or any claim dependent directly or indirectly from claim 3, wherein the transponder is configured only to write data and/or instructions received from a transceiver to the third computer memory once it has received a digital signature from a transceiver which is identical to the digital signature stored in the first computer memory.
16. A transceiver comprising: a receiver configured to receive a signal from a transponder comprising data from a first lockable computer memory, second one time programmable computer memory and third computer memory of the transponder; and a processor configured to: compare data obtained from at least said second and third memories; and generate an inconsistency if there is a difference between the data obtained from at least said second and third memories.
17. The transceiver in accordance with claim 16 wherein the data being compared is representative of transponder use.
18. A transceiver comprising: a receiver configured to receive a signal from a transponder comprising a digital signature; and a processor configured to: derive a digital signature using at least one of data derived from the transponder and data held by the transceiver; compare the derived digital signature with the received digital signature; and generate an inconsistency if there is a difference between the derived digital signature and the received digital signature.
19. A transceiver comprising: a receiver configured to receive a signal from a transponder comprising a digital signature, identification data and data representative of use of the transponder; and a processor configured to: derive a digital signature using at least one of data derived from the transponder and data held by the transceiver; compare data representative of transponder use; compare the derived digital signature with the received digital signature; and generate an inconsistency if there is a difference between either the derived digital signature and the received digital signature; and/or the data representative of transponder use.
20. The transceiver of claim 19, wherein the transceiver comprises part of a contact-less ticket system.
21. The transceiver of claim 19 or claim 20, wherein: the processor is configured to generate a new digital signature; and the transmitter is configured to transmit the new digital signature to the transponder.
22. The transceiver of any one of claims 19 to 21, wherein the digital signature comprises one or more of, or is derived from one or more of: transponder unique identification data; operator specific data; project specific data; product type; transponder date of issue; transponder date of expiry; amount of credit on the transponder; date of first use of transponder; an indication that the transponder has been used at least once; data in relation to a point of sale (POS) terminal that has issued the transponder; and data in relation to a transceiver/validator that has been used with the transponder.
23. The transceiver of any one of claims 19 to 22, wherein the representation of transponder use comprises one or more of: a count of the number of times the transponder has been used; a count of the number of times the transponder remains to be used; credit, or a proportion of credit, that has been used by the transponder; and credit, or a proportion of credit, that remains for further use by the transponder.
24. A transceiver comprising: a receiver arranged to receive a signal from a transponder comprising a digital signature, identification data for the transponder and data representative of transponder use; and a processor arranged to: derive a digital signature using the transponder identification data and/or the representation of transponder use; calculate an amount of transponder use from the transponder identification data; compare the derived digital signature with the received digital signature; compare the calculated amount of transponder use with the received representation of transponder use; and generate an inconsistency if there is a difference between the derived digital signature and the received digital signature, or if there is a difference between the calculated amount of transponder use and the received transponder use data.
25. A contact-less ticket system comprising: a transponder comprising: a lockable computer memory configured to store identification data for the transponder and a digital signature; one time programmable (OTP) computer memory configured to represent use of the transponder; and an inductive coupler configured to emit a signal comprising the digital signature, transponder identification data and the data representative of transponder use; and a transceiver comprising: a receiver configured to receive a signal from the transponder comprising a digital signature, identification data for the transponder and data representative of transponder use; and a processor configured to: derive a digital signature using the transponder identification data and/or the representation of transponder use; calculate an amount of transponder use from the transponder identification data; compare the derived digital signature with the received digital signature; compare the calculated amount of transponder use with the received representation of transponder use; and generate an inconsistency if there is a difference between the derived digital signature and the received digital signature, or if there is a difference between the calculated amount of transponder use and the received transponder use data.
26. The contact-less ticket system of claim 24, wherein the transponder comprises the transponder of any one of claims 1 to 15.
27. The contact-less ticket system of claim 25 or 26, wherein the transceiver comprises the transceiver of any one of claims 16 to 24.
28. A point of sale (POS) terminal for providing a transponder according to any one of claims 1 to 15, configured to: write transponder identification data to the lockable memory of the transponder; and write a digital signature to the lockable memory of the transponder.
29. A method of generating a signal indicative of an inconsistency between transponder identification data and/or transponder use data from one computer memory and/or transponder use data from a second computer memory comprising: receiving transponder identification data and/or transponder use data from one or more computer memory; comparing the transponder identification data and/or transponder use data from one or more computer memory to determine if there is an inconsistency in the transponder use data; and generating a signal indicative of an inconsistency if an inconsistency is determined.
30. A transponder substantially as hereinbefore described, and as illustrated in the accompanying drawings.
31. A transceiver substantially as hereinbefore described, and as illustrated in the accompanying drawings.
32. A contact-less ticket system substantially as hereinbefore described, and as illustrated in the accompanying drawings.
33. A POS terminal substantially as hereinbefore described, and as illustrated in the accompanying drawings.
34. A method of generating an inconsistency between transponder identification data and transponder use data substantially as hereinbefore described, and as illustrated in the accompanying drawings.
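
The transceiver-side checks of claims 16, 18 and 19, sketched as an added example that is not part of the patent text. The claims do not specify a signature algorithm, so HMAC-SHA256 truncated to 8 bytes is an assumption, as are the one-bit-per-use OTP encoding, the key, the field names and all sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Assumption: a secret held by the transceiver ("data held by the transceiver").
OPERATOR_KEY = b"constructed-demo-key"
# Constructed issue data of the kind listed in claims 13 and 22.
ISSUE_DATA = b"operator=OP01|product=10-trip|expiry=2007-01-31"

@dataclass(frozen=True)
class TagRead:
    uid: bytes        # first (lockable) memory: identification data
    signature: bytes  # first (lockable) memory: stored digital signature
    otp_bits: int     # second (OTP) memory: one bit burned per use
    use_counter: int  # third (rewritable) memory: number of uses

def derive_signature(uid: bytes, key: bytes = OPERATOR_KEY) -> bytes:
    """HMAC-SHA256 over UID and issue data, truncated to 8 bytes (assumed scheme)."""
    return hmac.new(key, uid + ISSUE_DATA, hashlib.sha256).digest()[:8]

def otp_uses(otp_bits: int) -> int:
    """OTP bits only go 0 -> 1, so the set-bit count can never decrease."""
    return bin(otp_bits).count("1")

def record_use(tag: TagRead) -> TagRead:
    """Burn the next OTP bit and increment the rewritable counter together."""
    return replace(tag, otp_bits=(tag.otp_bits << 1) | 1, use_counter=tag.use_counter + 1)

def validate(tag: TagRead) -> list:
    """Return the inconsistencies found; an empty list means the tag is accepted."""
    problems = []
    if not hmac.compare_digest(derive_signature(tag.uid), tag.signature):
        problems.append("signature")   # claims 18/19: derived != received
    if otp_uses(tag.otp_bits) != tag.use_counter:
        problems.append("use-data")    # claim 16: OTP and third memory disagree
    return problems

# Constructed sample reads.
UID = bytes.fromhex("04a1b2c3d4e5f6")
FRESH = TagRead(UID, derive_signature(UID), otp_bits=0, use_counter=0)
USED = record_use(record_use(record_use(FRESH)))             # three genuine uses
REWOUND = replace(USED, use_counter=0)                       # third memory rewritten
COPIED = replace(USED, uid=bytes.fromhex("04ffffffffffff"))  # data copied to another UID

if __name__ == "__main__":
    for name, tag in [("used", USED), ("rewound", REWOUND), ("copied", COPIED)]:
        print(name, validate(tag) or "ok")
```

Because the signature is bound to the UID in lockable memory and the use count is mirrored in OTP memory, a rewritten counter and a copy onto a different tag each surface as a distinct inconsistency.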
PCT/GB2006/004369 2005-11-23 2006-11-23 A rf device WO2007060426A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0523825.8 2005-11-23
GB0523825A GB0523825D0 (en) 2005-11-23 2005-11-23 RFID transponder

Publications (1)

Publication Number Publication Date
WO2007060426A1 (en) 2007-05-31

Family

ID=35601042

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2006/004369 WO2007060426A1 (en) 2005-11-23 2006-11-23 A rf device

Country Status (2)

Country Link
GB (2) GB0523825D0 (en)
WO (1) WO2007060426A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120223809A1 (en) * 2011-03-01 2012-09-06 Nxp B.V. Transponder, method and reader for monitoring access to application data in the transponder
US8577042B2 (en) 2006-06-21 2013-11-05 Rf Code, Inc. Location-based security, privacy, access control and monitoring system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0758777A2 (en) * 1995-08-10 1997-02-19 Palomar Technologies Corporation Stored value system employing a secure encryption protocol
US5913471A (en) * 1996-11-07 1999-06-22 Man Roland Druckmaschinen Ag Paper web capture device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0013619D0 (en) * 2000-06-06 2000-07-26 Glaxo Group Ltd Sample container
US7307534B2 (en) * 2004-04-21 2007-12-11 Impinj, Inc. RFID tag using hybrid non-volatile memory
US7298272B2 (en) * 2005-04-29 2007-11-20 Hewlett-Packard Development Company, L.P. Remote detection employing RFID

Also Published As

Publication number Publication date
GB0523825D0 (en) 2006-01-04
GB2432755A (en) 2007-05-30
GB0623389D0 (en) 2007-01-03

Similar Documents

Publication Publication Date Title
US5841866A (en) Secure token integrated circuit and method of performing a secure authentication function or transaction
EP0758777B1 (en) Stored value system employing a secure encryption protocol
US7872567B2 (en) Method for transponder access control
US20090307491A1 (en) Information processing device, information processing method, program and communication system
RU2224288C2 (en) Intercept-protected memory device
US20090033464A1 (en) Transponder with access protection and method for access to the transponder
JPH0682405B2 (en) Test program start method
CN103391117A (en) Secure near field communication solution and circuit
WO2007060426A1 (en) A rf device
US20100211488A1 (en) License enforcement
EP2342673B1 (en) Safe initialization procedure for a communication system
US10943230B2 (en) Method for monitoring usage patterns and electronic device capable of implementing such a method
EP3985588A1 (en) A payment support
JP2899464B2 (en) Electronic asset data transfer method
US10853476B2 (en) Method for the security of an electronic operation
EP2495690B1 (en) Transponder and method for monitoring access to application data in the transponder
KR100867720B1 (en) System for issuing, circulating, settling and electronically abandoning the electronic securities and the method thereof
WO2009063406A2 (en) Electronic system and method of operating an electronic system
EP0708413B1 (en) Circuit and its method of operation
JP6024575B2 (en) Value medium, reuse processing device, value consumption device, value medium processing system, reuse processing method, and value consumption method
Sabzevar Security in RFID Systems
KR101140640B1 (en) Terminal Devices for Post Issuing Card Applet and Recording Medium
KR100990383B1 (en) System for Operating Card
KR20160028429A (en) Method for Authenticating by using IC Chip
KR20160128948A (en) Method for Authenticating by using IC Chip

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06808646

Country of ref document: EP

Kind code of ref document: A1
