Xerox Creates Printed Labels With Rewritable Memory

Lucas123 writes: Xerox has announced a line of printed labels that can store up to 36 bits of data that can be used to track shipped products, determine the authenticity and condition of products, and even identify if a medication refill has been authorized, or if a shipping tax has been paid. The key verification features, which are targeted at thwarting counterfeiters, will work offline, allowing secure validation of an object or process without being bound to the Internet. The memory labels can be encrypted for added security and can store up to 68 billion data points.

Computerworld explains what a bit is

[Kohlrabi82]

The memory labels can be encrypted for added security and can store up to 68 billion data points.

I'm surely glad I finally understand what a bit is.

Re: Computerworld explains what a bit is

Data point news for nerds, indeed.

Re:Computerworld explains what a bit is

[michelcolman]

Very clever article. They write some ridiculous bullshit about 36 bits being able to store 68 billion data points, so all the geeks and nerds start talking about how stupid those journalists are, meanwhile they have all seen the product and will remember it. When you see one of these new labels, you'll go "oh, I remember, that's the one where those idiots claimed it could contain so many data points with cryptography and all". If they would have just said "hey, we invented a new label that can store 36 bits", nobody would talk about it and it would be quickly forgotten. Negative publicity is good publicity.

Re:Computerworld explains what a bit is

[U2xhc2hkb3QgU3Vja3M]

They do clearly explain 2^2, 2^4 ... 2^36, in the article.

36 bit? 68 billion?

OK, a rough estimate gives 2^36 ~ 64 x 10^9 (aka the inflationary "billion"), but what do they exactly mean? That there are so many different configs for a label? That a label can store so much?

TFA? What's TFA?

Re:36 bit? 68 billion?

[michelcolman]

I've got a piece of paper right here than can store 1.7 googol datapoints. Really. I put 333 little circles on it, every circle can be either filled or empty. That gives 1,7 googol different combinations.

I'm off to the patent office...

Re:36 bit? 68 billion?

Yeah that's a great analogy to this article. You should do comedy as a profession with wit like that. Your insights could make you the next Mark Twain!

In Other News

[konohitowa]

Xerox confirms that 2^36 ~= 68G.

So at any point in time, it has the potential to store one point of data from among 68 billion possible points of data. Because. You know. It's 36 bits. To me, that's completely different from being able to store 68 billion data points. I inferred "simultaneously" from that. If it's any consolation, TFA has the same wording as the summary.

You cannot do anything secure with 36 bits

[gweihir]

In order to do things like authenticity securely, you need to sign the contained data cryptographically. The very least number of bits needed for a signature that can be called secure in any way is around 80 bits today, and you need the data to that is signed in addition.

I conclude that this thing offers no actual security whatsoever, besides the mechanism needed to write the bits.

Re:You cannot do anything secure with 36 bits

[DNS-and-BIND]

I love your black and white view that either something is totally secure, or completely insecure. Look, it's like a lock on your front door, any locksmith can get through it in 30 seconds but it keeps out the riff-raff. When I ship products from the factory and need to make sure they aren't substituted en route, nobody's going to forge certificates because the criminals aren't that smart. Sheesh, get a grip and lose the binary worldview.

Re:You cannot do anything secure with 36 bits

You're a fool. If you bothered to read the article, you'd see they're not using 36 bit encryption. They're using the 36 bits to store information about the package such as tracking data. The encryption is in the form of an encrypted QR code. That has nothing to do with the 36 bits of memory in the label. Read the article before you make a fucking stupid comment.

Re:You cannot do anything secure with 36 bits

It's just a serial number, basically an electronic barcode. It does not need to be secure.

Re:You cannot do anything secure with 36 bits

[stooo]

So, if it does not need to be secure, we can fake the serial numbers, cool :)

"allowing secure validation of an object or process" -> seems they want it to be secure, though

So we can make millions of copies of a valid one, and these will be seen as legit by the "offline validation" ? Cool.

Re:You cannot do anything secure with 36 bits

[gweihir]

You really, really do not understand crypto. At all. You do not even use the right language.

Re:You cannot do anything secure with 36 bits

[gweihir]

Just my thought. Cloning this is trivial.

Re:You cannot do anything secure with 36 bits

[gweihir]

Also: Unless they have iterated encryption high enough as to make brute-forcing impractical, simply obtain one of the "verification mechanisms" and one of the QR-Codes and then throw all 2^36 values at it until you find something you like. Voila, immediate "authentic" fake, that will pass offline "validation".

In practice, this thing is far less secure than a QR-Code label. Instead of reprogramming the 36 bits, just stick a new label to the box, thereby reprogramming all bits, including a new signature.

Re:You cannot do anything secure with 36 bits

No no.. Security through obscurity is all the rage these days. It's going to be the most secure device ever, as long as no one uses it.

Re:You cannot do anything secure with 36 bits

[Trailer+Trash]

In order to do things like authenticity securely, you need to sign the contained data cryptographically. The very least number of bits needed for a signature that can be called secure in any way is around 80 bits today, and you need the data to that is signed in addition.

I conclude that this thing offers no actual security whatsoever, besides the mechanism needed to write the bits.

After painfully reading the article they're claiming that the crypto part comes as a separate QR code or something like that - which can store vastly more data. Since the QR code can't change I'm not sure exactly how that helps with the changeable part.

I'm sure there's some sort of big deal here for Xerox to put out a press release, but I can't find it and the writer of the article likely cannot, either. There are 36 bits of rewritable data that can be read with the human eye. That's not a lot. As they clumsily say in the article that gives you a number between 0 and ~68 billion - not enough to even store a credit card number. The "crypto" crap is just silliness.

Anyone have any idea what's up here?

Re:You cannot do anything secure with 36 bits

LOL! Someone is butthurt that he didn't RTFA and got called out on it. Again, the 36 bits contain tracking information. The tracking label is accompanied by a QR code that contains encrypted information to verify that the label hasn't been altered. Clearly you have no fucking clue what you're talking about. LOL! LOL! LOL!

Re:You cannot do anything secure with 36 bits

[gweihir]

You cannot sign the 36 bits with the contents of the QR-Code. Not possible. Hence the data may be obscured, but it will not be authenticated or protected. Basic crypto. Which you do not understand. You may want to look up the "Dunning-Kruger Effect".

What is the big deal?

[Michael+Woodhams]

From the article (and the announcement it links to), I'm really struggling to figure out what the big deal is.

A rewritable 36 bit label. Presumably that means you have 36 dots, each of which can be black or white (say) and you can change their state somehow. I could (a little less conveniently) do the same with a sticker with 36 dots on it, each either filled or hollow. Whenever I want to change it, I just print a new sticker with the new bit pattern and stick it over the old one.

How does this give all the cryptographic goodness they talk about?

They say you'll be able to cryptographically confirm authenticity off-line. But 36 bits is easily brute-forcible. If you can check the authenticity of the 36 bit pattern, the man in the middle can check all 2^36 bit patterns for authenticity and use whichever authenticated bit patterns give the message they want.

The engineers at Xerox aren't stupid, so presumably there is something to this. However in going from the minds of the engineers to the mind of the journalist to the article to my mind, somewhere something vital has been lost.

Re:What is the big deal?

[konohitowa]

When the journalist started to explain binary, I sort of lost hope of any technical explanation materializing.

Re:What is the big deal?

The printed memory is licensed from a Norwegian company called ThinFilm. The memory is for tracking information or an ID. It's not encrypted at all. The encryption is in a QR code that's printed on the label, but isn't rewritable. Presumably it would involve public key encryption so that the user can verify that whatever is stored in those 36 bits was put there by whoever created the product being tracked and hasn't been altered later. That's just a guess because nobody has written a decent article about this.

Re:What is the big deal?

[peragrin]

Instead of dots why don't you use variable width black lines? We can call it barcoding.

Re:What is the big deal?

They make a big point about the labels being re-writeable, and I think that's key to how this is meant to be used.

They make a point of these used on medications.

Let's imagine that you print other stuff on the label as well as the data in the 36 bits. Like, say, a UPN bar code to identify the product (say, a drug). And you "print" the refill number, or something like that, in the data bits. So the customer takes the pills, and comes back for a refill. You swipe the empty packet over the reader, and that tells you the drug in question, and the refill details (and the writer re-writes the bits to "refill dispensed")

That's a guess as to how they see it being used.

36 bits should be enough for a refill number plus some confirmation details.

Re:What is the big deal?

[Dr.Dubious+DDQ]

"The encryption is in a QR code that's printed on the label, but isn't rewritable."

That seems to be the key point.

My guess is that the handful of bits in the label will be used in different ways by each company that adopts it, and it will be something like "the first three bits indicate which facility was the last to handle it, with 000 indicating that it has been sent to the pharmacy, the next five bits indicate which employee in this production line last handled the tagged object", etc., with the barcode specifying which internal-to-the-company algorithm was used to shift the bits around before storing them on the rewritable tag.

It's not that anyone who had blank tags and the equipment to write to them couldn't exactly copy any particular tag they got their hands on, but that it shouldn't be feasible for anyone to synthesize a valid fake label, so nobody can get a bunch of manufactured-by-flybynightco-in-china fake tablets or even a pile of "legitimate" pills snuck out of the factory in somebody's socks, stick them in a bottle, and label them to look like they've been legitimately packaged and shipped from the company (for example).

Re:What is the big deal?

[U2xhc2hkb3QgU3Vja3M]

That's exactly the kind of thing the machines wants you to do. I propose a system with something similar to letters, with each letter representing a value.

Re:What is the big deal?

[omnichad]

verify that whatever is stored in those 36 bits was put there by whoever created the product being tracked and hasn't been altered later.

Which defeats the purpose of those 36 bits being rewritable.

Re:What is the big deal?

[omnichad]

You swipe the empty packet over the reader, and that tells you the drug in question, and the refill details (and the writer re-writes the bits to "refill dispensed")

And you wouldn't even have to be able to decrypt it if you just set it back to what it was before the refill, assuming you can find a way to flip the bits manually without overly special equipment. Or if the drug is really valuable, you buy the special equipment.

Poor Journalism

[labnet]

Surely the most important thing to mention in the article, is how the reading is performed.

All I could see in TFA, was 'A smart phone based reader'
So what is it. Conact, NFC, UHF Backscatter, pixie dust?
And its read range?
And if it is RF does it handle multiple tags in the field?

The TFA is just a rewording of the press release with an explanation that 2^36 > 1 Billion

36 bits is kind of a strange size

Maybe whoever headed the project is still bitter about the death of the PDP-10.

Re:36 bits is kind of a strange size

[_merlin]

You know I've literally had a nightmare about having to reboot a PDP-10. I thought the same thing.

36

[behrooz0az]

even single DES needs more bits and it's as insecure is it gets.
and what the fuck does this have with cryptography?
and what the fuck makes it so special for offline verification?

nonsensical

... up to 68 billion data points.

Everyone can see that 36 bits does not allow one to store '68 billion data points' about 1 event.

Either a group of events can share the storage space with unique numbers; that is, an identification number. Or a group of events can share the storage space with non-unique numbers; in that case it's a status or history description.

SIgh

[nospam007]

..." used to track shipped products, determine the authenticity and condition of products, and even identify if a medication refill has been authorized, or if a shipping tax has been paid. "

Hopefully they will also let me change the price before I go to the cashier's desk.

The medication thingie bothers me a bit.

Will there be nerd junkies with pimp-up readers waiting for the people leaving the Chemist and check which goodies they have in their paper bag?

Lossless

[Impy+the+Impiuos+Imp]

> 36 bits...store up to 68 billion data points

Man compression has made a ton of headway.

Re:Lossless

[U2xhc2hkb3QgU3Vja3M]

Yeah but it's lossy compression.

Re:Lossless

[omnichad]

Later in the same article, they not only reword it to something more like 68 billion permutations, but they also give a rudimentary explanation of binary number storage. I don't know why they even included that "data points" line.

Re:Lossless

Indeed. At best, it stores 34 billion data points.

For data point 0000000000000000000000000 it can store a 0 or a 1
For data point 0000000000000000000000001 it can store a 0 or a 1
For data point 0000000000000000000000010 it can store a 0 or a 1
etc.

I don't get it. Is it awesome?

Maybe the technology is awesome, but this article says a lot about nothing or nothing about a lot. In the end I have no idea what this does nor what it is good for.

36 re-writable bits.

How do the bits change? Is each individual bit cryptographically secured? What prevents someone else from changing the data? How do authorized parties change the data? How does it work physically/chemically? What are the use cases? What does this do that bar codes or QR codes can't (see how to change bits)? Why would anyone want to change any of 36 bits? Oh, something about offline... huh?

Serial numbers

I don't think most serial numbers will fit directly into 36 bits. It can't even store an arbitrary 11-digit number. It'll store things like an SSN with a handful of bits left over, but those have a pretty dense encoding (I'd guess they're over halfway used up by now). Most serial numbers, model numbers, account numbers, UPS shipping codes, and pretty much everything else won't even fit. It sounds pretty pointless to use by itself, so at best it's something to add to traditional labels.

QR Code

I haven't RTFA, and didn't take the time to read the spec in full detail, but doesn't QRcode already have a much larger storage than 36 bits? Can somebody give me an unified diff of the actual additions this tech brings to the table?

Re:QR Code

[omnichad]

QRcode already has a much larger storage space than 36 bytes . They're really limited more by how large you want to print them and how densely.

Label cost

[ITRambo]

So, my $4 Wal-Mart prescriptions will cost $6 because someone has to pay for the label. Just kidding. Wal-Mart would never waste money like that on memory labels. I hope.

Original Article

http://news.xerox.com/news/Xerox-Launches-Printed-Memory-to-Combat-Counterfeiting

Uhhh

A 36-bit hash could be brute-forced in less than a minute by a standard desktop CPU.