Xerox Creates Printed Labels With Rewritable Memory
Lucas123 writes: Xerox has announced a line of printed labels that can store up to 36 bits of data that can be used to track shipped products, determine the authenticity and condition of products, and even identify if a medication refill has been authorized, or if a shipping tax has been paid. The key verification features, which are targeted at thwarting counterfeiters, will work offline, allowing secure validation of an object or process without being bound to the Internet. The memory labels can be encrypted for added security and can store up to 68 billion data points.
Computerworld explains what a bit is (Score:2, Flamebait)
> The memory labels can be encrypted for added security and can store up to 68 billion data points.
I'm surely glad I finally understand what a bit is.
Re: (Score:1)
Very clever article. They write some ridiculous bullshit about 36 bits being able to store 68 billion data points, so all the geeks and nerds start talking about how stupid those journalists are, meanwhile they have all seen the product and will remember it. When you see one of these new labels, you'll go "oh, I remember, that's the one where those idiots claimed it could contain so many data points with cryptography and all". If they would have just said "hey, we invented a new label that can store 36 bits
Re: (Score:1)
I've got a piece of paper right here that can store 1.7 googol datapoints. Really. I put 333 little circles on it, every circle can be either filled or empty. That gives 1.7 googol different combinations.
I'm off to the patent office...
In Other News (Score:2, Informative)
Xerox confirms that 2^36 ~= 68G.
So at any point in time, it has the potential to store one point of data from among 68 billion possible points of data. Because. You know. It's 36 bits. To me, that's completely different from being able to store 68 billion data points. I inferred "simultaneously" from that. If it's any consolation, TFA has the same wording as the summary.
36 bits is kind of a strange size (Score:2, Funny)
Maybe whoever headed the project is still bitter about the death of the PDP-10.
Re: (Score:2)
You know I've literally had a nightmare about having to reboot a PDP-10. I thought the same thing.
You cannot do anything secure with 36 bits (Score:5, Insightful)
In order to do things like authenticity securely, you need to sign the contained data cryptographically. The very least number of bits needed for a signature that can be called secure in any way is around 80 bits today, and you need the data that is signed in addition.
I conclude that this thing offers no actual security whatsoever, besides the mechanism needed to write the bits.
Re: (Score:2)
You really, really do not understand crypto. At all. You do not even use the right language.
Re: (Score:2)
You cannot sign the 36 bits with the contents of the QR-Code. Not possible. Hence the data may be obscured, but it will not be authenticated or protected. Basic crypto. Which you do not understand. You may want to look up the "Dunning-Kruger Effect".
Re: (Score:2)
So, if it does not need to be secure, we can fake the serial numbers, cool :)
"allowing secure validation of an object or process" -> seems they want it to be secure, though
So we can make millions of copies of a valid one, and these will be seen as legit by the "offline validation"? Cool.
Re: (Score:2)
Just my thought. Cloning this is trivial.
Re: (Score:2)
Also: Unless they have iterated encryption high enough as to make brute-forcing impractical, simply obtain one of the "verification mechanisms" and one of the QR-Codes and then throw all 2^36 values at it until you find something you like. Voila, immediate "authentic" fake, that will pass offline "validation".
In practice, this thing is far less secure than a QR-Code label. Instead of reprogramming the 36 bits, just stick a new label to the box, thereby reprogramming all bits, including a new signature.
Re: (Score:2)
> In order to do things like authenticity securely, you need to sign the contained data cryptographically. The very least number of bits needed for a signature that can be called secure in any way is around 80 bits today, and you need the data that is signed in addition.
> I conclude that this thing offers no actual security whatsoever, besides the mechanism needed to write the bits.
After painfully reading the article they're claiming that the crypto part comes as a separate QR code or something like that - which can store vastly more data. Since the QR code can't change I'm not sure exactly how that helps with the changeable part.
I'm sure there's some sort of big deal here for Xerox to put out a press release, but I can't find it and the writer of the article likely cannot, either. There are 36 bits of rewritable data that can be read with the human eye. That's not a lot. As they
What is the big deal? (Score:5, Insightful)
From the article (and the announcement it links to), I'm really struggling to figure out what the big deal is.
A rewritable 36 bit label. Presumably that means you have 36 dots, each of which can be black or white (say) and you can change their state somehow. I could (a little less conveniently) do the same with a sticker with 36 dots on it, each either filled or hollow. Whenever I want to change it, I just print a new sticker with the new bit pattern and stick it over the old one.
How does this give all the cryptographic goodness they talk about?
They say you'll be able to cryptographically confirm authenticity off-line. But 36 bits is easily brute-forcible. If you can check the authenticity of the 36 bit pattern, the man in the middle can check all 2^36 bit patterns for authenticity and use whichever authenticated bit patterns give the message they want.
The engineers at Xerox aren't stupid, so presumably there is something to this. However in going from the minds of the engineers to the mind of the journalist to the article to my mind, somewhere something vital has been lost.
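The brute-force argument in the comment above, worked through as an added example that is not part of the original thread or Xerox's design. It assumes a hypothetical offline verifier that accepts a value equal to HMAC-SHA256 truncated to `bits` bits, runs the search on a scaled-down 16-bit tag, and sizes the search for 36, 80 and 128 bits at an assumed rate of one million checks per second; the key, message and function names are constructed for illustration.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"      # constructed; stands in for the issuer's secret
DEMO_MSG = b"refill-authorized:lot-42"  # constructed label payload

def truncated_tag(key: bytes, msg: bytes, bits: int) -> int:
    """First `bits` bits of HMAC-SHA256(key, msg), as an integer."""
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def make_offline_verifier(key: bytes, bits: int):
    """Hypothetical verifier: holds the key, answers accept/reject only."""
    def verify(msg: bytes, candidate: int) -> bool:
        return candidate == truncated_tag(key, msg, bits)
    return verify

def guesses_until_accepted(verify, msg: bytes, bits: int):
    """Try every value of a `bits`-bit tag against the verifier, without the key."""
    for count, candidate in enumerate(range(1 << bits), start=1):
        if verify(msg, candidate):
            return candidate, count
    return None, 1 << bits

def worst_case_seconds(bits: int, checks_per_second: float) -> float:
    """Time to try all 2**bits values at an assumed verifier rate."""
    return (1 << bits) / checks_per_second

if __name__ == "__main__":
    verify = make_offline_verifier(DEMO_KEY, 16)
    tag, count = guesses_until_accepted(verify, DEMO_MSG, 16)
    print(f"16-bit tag accepted after {count} of {1 << 16} guesses")
    for bits in (36, 80, 128):
        years = worst_case_seconds(bits, 1e6) / (365 * 86400)
        print(f"{bits:>3} bits: {years:.3g} years at 1e6 checks/s")
```

The verifier's secrecy of the key does not help once the tag space is small enough to enumerate; only a longer tag or a rate limit on the verifier changes the outcome.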
Re: (Score:2)
"The encryption is in a QR code that's printed on the label, but isn't rewritable."
That seems to be the key point.
My guess is that the handful of bits in the label will be used in different ways by each company that adopts it, and it will be something like "the first three bits indicate which facility was the last to handle it, with 000 indicating that it has been sent to the pharmacy, the next five bits indicate which employee in this production line last handled the tagged object", etc., with the barcode specifying which internal-to-the-company algorithm was used to shift the bits aroun
Re: (Score:2)
> verify that whatever is stored in those 36 bits was put there by whoever created the product being tracked and hasn't been altered later.
Which defeats the purpose of those 36 bits being rewritable.
Re:What is the big deal? (Score:4, Funny)
Instead of dots why don't you use variable width black lines? We can call it barcoding.
Re: (Score:2)
You swipe the empty packet over the reader, and that tells you the drug in question, and the refill details (and the writer re-writes the bits to "refill dispensed")
And you wouldn't even have to be able to decrypt it if you just set it back to what it was before the refill, assuming you can find a way to flip the bits manually without overly special equipment. Or if the drug is really valuable, you buy the special equipment.
Poor Journalism (Score:2)
Surely the most important thing to mention in the article, is how the reading is performed.
All I could see in TFA, was 'A smart phone based reader'
So what is it? Contact, NFC, UHF Backscatter, pixie dust?
And its read range?
And if it is RF does it handle multiple tags in the field?
The TFA is just a rewording of the press release with an explanation that 2^36 > 1 Billion
36 (Score:2)
and what the fuck does this have to do with cryptography?
and what the fuck makes it so special for offline verification?
Sigh (Score:2)
..." used to track shipped products, determine the authenticity and condition of products, and even identify if a medication refill has been authorized, or if a shipping tax has been paid. "
Hopefully they will also let me change the price before I go to the cashier's desk.
The medication thingie bothers me a bit.
Will there be nerd junkies with pimp-up readers waiting for the people leaving the Chemist and check which goodies they have in their paper bag?
Lossless (Score:1)
> 36 bits...store up to 68 billion data points
Man compression has made a ton of headway.
Re: (Score:2)
Later in the same article, they not only reword it to something more like 68 billion permutations, but they also give a rudimentary explanation of binary number storage. I don't know why they even included that "data points" line.
Re: (Score:2)
QRcode already has a much larger storage space than 36 bytes. They're really limited more by how large you want to print them and how densely.
Label cost (Score:2)