OR WAIT null SECS
Industry will be challenged to embrace new methods of supply chain collaboration.
In his famous soliloquy, "To be or not to be," Hamlet expresses his dilemma over two opposing forces. More than 400 years later, these same words echo a heated debate taking place in the pharmaceutical industry. Should a pharmaceutical product with a radio-frequency identification (RFID) tag carry encoded product information such as National Drug Code (NDC) data?
Product information should be associated with the RFID tag, but the question remains of whether or not it is needed on the tag itself. Some of the leading manufacturers, distributors, and retailers have diverging views on the issue. Several questions must be answered, including:
When it comes to NDC product information, the US Food and Drug Administration's position is that it should be encrypted or available via an accessible network link. The business value of product data available on the tag to distributors and pharmacies is improved process efficiencies for applications such as smart-shelf inventory management, automatic pick and place, and product returns. When only the NDC is encrypted on the tag to protect consumer privacy, however, only half of the on- versus off-network question is being addressed.
The other part of the question of where data should reside (on the tag or not) involves product authentication. The Pharmaceutical Research and Manufacturers of America supports the potential use of RFID tags as a means of authenticating the original pharmaceutical packaging. But, will the cryptographic data necessary for product authentication be programmed onto the tag, or will authentication be required via a network link?
A broad and flexible approach called the tag data security infrastructure (TDSI) addresses both consumer privacy concerns and product authentication while providing a range of on- and off-network implementation options.
The TDSI always supports network applications and uses an electronic product code (EPC) number as the cornerstone for pharmaceutical product identification. The TDSI augments the pharmaceutical supply chain infrastructure to further allow off-network authentication and product encryption.
For an EPC numbering scheme using a serialized global trade identification number with encryption, the product data portion of the tag's EPC number is digitally scrambled and is only decrypted by a reader with the appropriate corresponding cryptographic software. The product information is then available for local applications such as smart shelves. And, because the EPC number maintains its uniqueness, it can still be used as a unique pointer for network applications such as item-level ePedigree. Any standard reader can read the 96-bit EPC number from an encrypted tag and forward it to the EPCglobal network as a "pointer." Readers equipped with the verification key can both authenticate the tag and decrypt the product class portion of the EPC number off-network.
A new cryptographic standard called the IEEE Standard 1363a uses an elliptic curve cryptographic (ECC) algorithm that can be used as part of the TDSI to provide tag encryption and authentication. For RFID applications, ECC enables very fast digital signature creation ensuring no incremental delays in production line operation. ECC RFID security using IEEE 1363a offers the equivalent level of security as 1024-bit RSA encryption, but with two-thirds less tag memory for a digital signature while also providing the NDC information. The IEEE Standard 1363a delivers a high level of security without increasing the RFID tag's complexity, computing power, or cost.
As item-level tag specifications are developed in the coming year, the pharmaceutical industry will be challenged to embrace new rules and methods of supply chain collaboration. Whether NDC is "to be or not to be" on an item-level tag is an important question to resolve before moving forward, and with the TDSI, fewer opposing forces are at work and more options are at hand.
Joseph Pearson is an associate of Texas Instruments, RFID Systems, firstname.lastname@example.org