IEEE Computer R&D Cover Article - Author: Fred Thomas
Penny Tag Technologies for Removable Storage
Low-cost authentication and identification methods for removable data storage cartridges are the focus of ongoing research. Unlike other security methods, these “penny tag” technologies must be automated for use in a removable data storage drive. Invented by Fred Thomas while at Iomega Corp.
About Fred C Thomas III
Fred Charles Thomas III - Engineer and Inventor
Fred Thomas received a BS in Mechanical Engineering with a Minor in Physics from Bucknell University in 1982. In 1990 he received a MS in Mechanical Engineering specializing in Control Systems and Non-linear Dynamics.
His awards include the International Design Excellence Award in 2009, Industrial Forum Product Design Award in 2008, "Nano50 Award" for "Subwavelength Optical Data Storage" in 2005, Lemelson-MIT "Inventor of the Week" Award in 2004, Iomega "Exceptional Invention Award" in 1999, and Laser Focus World "Electro-Optic Application of the Year Award" in 1994.
0018-9162/03/$17.00 © 2003 IEEE
2
Computer
Penny Tag Technologies
for Removable
Data Storage
M anufacturers commonly use tags or
markers to authenticate and identify
commercial products. Some typical
applications for authenticating a prod-
uct’s source include visual holograms
on software packaging, fluorescent spectrally
encoded fibers in a garment’s brand label, and hid-
den microscopic brand marking of aerospace parts.
Applications that identify products, either indi-
vidually or within a class, are most ubiquitous in
retail and warehouse logistics. Retailers, manufac-
turers, and distributors spend more than $10 bil-
lion per year to purchase bar codes and their
associated systems for use in tracking countless bil-
lions of dollars in merchandise. These low-cost
structured ink markings allow for quick and reli-
able product identification within a virtually unlim-
ited inventory system. Radio frequency (RF) coil
tags are another product identification technology
used to reduce retail theft. In this case, sensors can
detect the tags if they were not deactivated when
the merchandise was purchased.
Authentication and identification technologies
have also found applications in removable data
storage. For example, cartridge identification sys-
tems can protect a drive from damage that inserting
a foreign object might cause. They can also help
manage forward and backward media format com-
patibility; let drives identify media types for reduced
spin-up and data-access time; and create unique,
unalterable, and authenticatable media serial num-
ber implementations for digital rights management
(DRM) and enterprise security. One beneficial
implementation of the technology is its use to
authenticate parts and prevent counterfeiting in var-
ious industries.
The primary difference between retail and
removable data storage applications is cost con-
straints. The applications for retail settings require
human intervention or instrumentation costing
hundreds, if not thousands, of dollars. However,
the authentication and identification of removable
data storage cartridges must be automated at a very
low cost.
The Massachusetts Institute of Technology
Media Lab has dubbed these low-cost authentica-
tion and identification technologies penny tags.
MIT’s ongoing program to explore and develop
penny tag applications and technology has evolved
into the Auto-ID Center (www.autoidcenter.org),
which focuses on establishing a low-cost RF ID tag
standard.
FIELD-PROVEN TAG TECHNOLOGIES
The varying requirements of specific systems have
driven the progression of Iomega’s penny-tag tech-
nologies, described in the “Evolution of Iomega
Removable Storage Products” sidebar. These tech-
nologies have different features, depending on the
requirements of a particular storage system.
Media unique serialization
High-capacity magnetic removable data storage
typically involves a factory servo write process and
a factory media verification process. These manu-
facturing processes can write a unique serial num-
Low-cost authentication and identification methods for removable data
storage cartridges are the focus of ongoing research. Unlike other security
methods, these “penny tag” technologies must be automated for use in a
removable data storage drive.
Fred Thomas
Iomega
C O V E R F E A T U R E
Published by the IEEE Computer Society
ber to the media in an area that is not rewriteable
by drives in the field, such as in areas for grey codes
and flagged sectors.
Iomega has applied these unique serial numbers
to all its removable magnetic media products dat-
ing back to the Bernoulli boxes of the 1980s.
Retroreflective tags
A retroreflective tag (retrotag) produces a struc-
tured or patterned reflection of light from the
removable data storage cartridge that disk drives
can uniquely discriminate from other types of
reflections. The “Patents for Removable Data
Storage Tag Technologies” sidebar provides addi-
tional information about patents on this and other
related technologies. The Iomega retrotag used on
Zip and Jaz cartridges has an array of corner
cubes molded into a clear, optical plastic tag. This
tag is similar to a roadside retroreflective safety
marker.
July 2003
3
The evolution of building cartridge identification and authen-
tication into a removable data storage drive at Iomega illus-
trates the varied requirements of this technology.
Initially, when Iomega’s researchers created the Zip 100
(super floppy), they felt that the drive needed a means other
than the cartridge’s physical size to discriminate between a func-
tional Zip disk and a foreign object. This was mainly because
the 3.5-inch floppy fit into the Zip drive media opening. A
floppy could, upon insertion, cause the drive to launch its read-
write heads onto the foreign object and destroy the drive.
Hence, the retroreflective tag (retrotag) was introduced and is
used on the Zip 100, Jaz 1 Gbyte, and Jaz 2 Gbyte
products.
The evolution of the Zip 250 and Pocket Zip (Clikl! 40
Mbyte) produced two new sets of requirements. The Zip 250
drive reduced data track size and differing data and servo fre-
quencies from the original Zip 100. Economics and the desire
to have Zip 100 media compatible with the new 250 drove the
decision to make it the same size and shape as the Zip 100 car-
tridge. However, inserting a Zip 250 cartridge into a Zip 100
drive would potentially destroy the drive. A technology that
would cause the Zip 250 cartridge to be ejected automatically
upon insertion into a Zip 100 drive was ultimately necessary.
This new tag system also needed to allow for Zip 100 inser-
tion into a Zip 250 drive and appropriate detection and access
to the previous generation cartridge.
Iomega needed to retain its foreign-object protection func-
tionality and, if possible, the ability to identify multiple types
of the new tag. This capability would be advantageous for
future cartridge backward and forward compatibility man-
agement scenarios.
The Pocket Zip 40-Mbyte drive’s small size and the reduced
working distances between the cartridge and any identification
system in the drive made the Zip 100 retrotag discrimination
physics unworkable. This product also needed to support the
licensed distribution of music content directly from recording
houses to consumers’ handheld play devices. This made authen-
tication of the media’s source part of the new technology
requirements.
These requirements in aggregate drove the development of
two parallel path tag technologies: the latent-irradiance-tag
and the holographic-tag (X-LSD). The ability of both tech-
nologies to support identification of multiple authenticatable
tag types opens the path for implementing various specialty
media types such as cleaning disks, computer access authenti-
cation disks, drive-calibration disks, and restricted drive
firmware upgrade paths.
The need for a technology that would offer an unalterable
media serial number source for robust DRM implementations
also fueled the development of the laser-marking technology or
disk indelible utility mark (DIUM) for the Pocket Zip. Most
recently, work on robust DRM and enterprise security imple-
mentations has focused on means for including source-protected
cryptographic keys within the removable data storage cartridge.
To this end, the Peerless cartridge includes a smart card-directed
secure memory with cryptographic authentication IC in its
design. This seems to be a good direction for removable media,
which has a native electrical interface with the drive platform.
Evolution of Iomega Removable Storage Products
Patents for Removable Data Storage Tag Technologies
The patents issued for retroreflective tags (retrotags) and other iden-
tification and authentication technologies for removable data storage
include the following:
• F. Thomas, Retroreflective Marker for Data Storage Cartridge, US
patent 5,638,228, Patent and Trademark Office, Washington, D.C.,
1997.
• F. Thomas, Thin Retroreflective Marker for Data Storage Cartridge,
US patent 5,986,838, Patent and Trademark Office, Washington,
D.C., 1999.
• F. Thomas and G. Dixon, Latent Illuminance Discrimination
Marker System for Authenticating Articles, US patent 6,264,107
B1, Patent and Trademark Office, Washington, D.C., 2001.
• F. Thomas, Readable Indelible Mark on Storage Media, US patent
6,324,026 B1, Patent and Trademark Office, Washington, D.C.,
2001.
4
Computer
Figure 1 illustrates retroreflection in contrast
with the two other principal types of reflection from
objects that might be inserted into a drive: specu-
lar and diffuse. Retroreflection is principally light
reflected back at the source of the illuminating radi-
ation. This property clearly defines the reflection’s
location, and its magnitude at that location is large
relative to what equivalently sized diffuse or spec-
ular reflectors would provide.
Another retrotag characteristic is that the illu-
mination and detection system’s location relative
to the tag is flexible. In Iomega drive implementa-
tions, a proximate LED and phototransistor/pho-
todiode pair are positioned on the drive printed cir-
cuit board (PCB) below the retrotag location on the
cartridge when the cartridge is fully in the drive.
As long as a significant portion of the LED irra-
diance is hitting the tag and the emitter/detector
pair is within approximately a 40-degree cone of
the tag’s centroid, the system works well as a reflec-
tion-type discriminator. This latitude in locating the
detection system provides flexibility in designing
future compatible drive platforms. It also allows a
generous tolerance of the retrotag’s alignment to
the detection system during manufacture.
The images in Figure 2 illustrate a bug’s eye view
of the reflection from a Zip retrotag from the loca-
tion where the LED is illuminating the tag in the
drive. A laser beam profiling software program and
a frame-grabber system based on a charge-coupled
device were used to generate these images.
The superposition of the array of 12 corner cubes
found on the tag creates the reflection’s hexagonal
structure. The hexagonal reflection’s size at the short
working distances used in drive implementations is
principally twice the diagonal size of the corner cubes.
To take advantage of this bright structured reflec-
tion, the detection device (phototransistor or pho-
todiode) must be proximal to the LED, which is
located at the hexagonal reflection’s center.
Therefore, the corner cubes’ size must be physically
matched to the separation distance on the PCB
between the emitter and detector the system uses.
In Figure 2, this distance is approximately 2.5 mm.
Figure 2 shows that the reflections from a retro-
tag are essentially localized to a small hexagonal
area. Based on this reflective localization, we can
create an even more effective discrimination sys-
tem by adding a second photodetector positioned
slightly outside this reflective lobe and using the dif-
ference between the signal inside the lobe and out-
side the lobe as the retrotag discrimination signal.
In fact, for the most difficult possible reflective
sources that this system is intended to discrimi-
nate—specular reflectors such as metal foil or a pol-
ished shutter on a 3.5-inch floppy disk—this system
enhancement improves performance significantly.
Figure 3a shows a contour plot for probability of
discrimination of a specular reflector from a retro-
tag for the original single-detector system, and
Figure 3b shows a contour plot for the differential
dual-detector system. A Monte Carlo analysis sys-
tem model generated these plots, which include
empirical data on the reflective variability of the two
different types of reflective markers among 20 other
system variables with their distributions modeled.
The white sloping bands in Figures 3a and 3b
Specular (mirrorlike)
Diffuse
Retroreflection
(b)
(c)
(a)
Figure 1. Principal types of reflection contrasted: (a) specular (mirrorlike),
(b) diffuse, and (c) retroflection.
Figure 2. Reflective irradiance pattern of Zip 100 retrotag. The reflected
irradiance in the structure is brightest in the hexagon’s lobes where the photo-
sensitive detector is placed.
denote the region of 100-percent specular reflec-
tive foreign-object discrimination as a function of
the system’s photodetector gain (y) and the retrotag
detection threshold voltage (x). These figures
demonstrate that adding a $0.20 phototransistor
to the design can broaden the 100-percent dis-
crimination band by more than 60-fold.
Holographic tags
The large geometric size (2.5 mm) of the corner
cubes used for reflection with the retrotag creates
a structured irradiance pattern around the illumi-
nating source LED. Holographic-tag technology
does principally the same thing but with signifi-
cantly more flexibility in the geometry of the struc-
tured, reflected light pattern. This follow-on
invention uses the combination of a tiny retrore-
flective array material (150 microns across corner
cubes) with a refractive holographic light shaping
diffuser (LSD) material. Laminating these plastic
film materials together creates a reflector, which in
turn creates an assortment of structured light pat-
terns upon reflection.
Figure 4 shows the reflected irradiance pattern that
an X Light Shaping Diffuser (X-LSD), a holographic
tag used on data storage cartridges, generates. The
point at which the axes cross is the illuminating
LED’s location. To use the X-LSD for tag identifica-
tion, three phototransistors are placed on the drive
PCB on three axes separated by 45 degrees around
the LED. The tag-cartridge identification is based on
reflective illumination of the phototransistors. In this
case, in which the tag has three photodetectors, the
system can detect eight separate states.
Latent-irradiance tags
Latent-irradiant materials—more commonly
described as fluorescent and phosphorescent—glow
after being irradiated with light. The characteristic
that distinguishes between fluorescent and phos-
phorescent materials is that the time period of light
re-emission is longer than 10–8 seconds for phos-
phorescent materials and shorter for fluorescent
materials.
The output spectra of different latent-irradiance
materials have a distinguishing amplitude profile
when illuminated with light having color within their
absorption bands. Stokes materials irradiate at wave-
lengths longer than the stimulating irradiance, and
anti-Stokes materials irradiate at shorter wavelengths.
Researchers have historically used the differen-
tiation in spectral profiles of various latent-irradi-
ance materials for authentication. For example, the
fluorescent fibers in a $100 bill glow red when they
are irradiated with a UV source. A respected British
scientist working in this area once told me that MI5
secret agents (made famous by the fictional agent
007, James Bond) wore phosphorescent authenti-
cation rings during World War II. In these cases,
July 2003
5
Figure 4. Reflected irradiance pattern for X-LSD
holographic cartridge tag. The point at which the axes
cross is the illuminating LED’s location.
Figure 3. (a) Single-detector cartridge discrimination performance (retrotag ver-
sus specular reflector). (b) Dual-detector cartridge discrimination performance
(retrotag versus specular reflector).
0
1
2
3
4
5
Detection threshold voltage (volts)
(b)
0
1
2
3
4
5
Detection threshold voltage (volts)
(a)
1
2
3
4
On-axis gain (volts/amp × 105)1
2
3
4
On-axis gain (volts/amp × 105)10
20
30
40
50
60
70
80
90
100
100
100
100
10-90
6
Computer
authentication requires using either simple visual
ID of a color or an elaborate and expensive photo-
spectral analysis instrument.
In Iomega’s patented technology for reducing the
cost of a drive-automatable ID and authentication
system, a single photodetector acquires a combi-
nation of spectral and temporal information from
a latent-irradiance tag. After illuminating the tag
with an LED within the tag’s absorption band, a
photodectector with a low-cost, dye-based poly-
mer filter can monitor both the decay time and the
temporal profile of the latent irradiance that the tag
emits.
Blending combinations or matrices of different
phosphor components can create multiple decay
profiles, much like combining discrete frequencies
in a Fourier series can describe any arbitrary piece-
wise temporal function. Figure 5 illustrates the typ-
ical exponential temporal decay profile of a single
constituent phosphor component used to create
such a matrixed latent-irradiance material. This
temporal information is extracted from the data
storage drive’s microprocessor to identify and
authenticate different tags types.
Security phosphors are a class of latent irradi-
ance materials typically used for authentication
on currency and other financial instruments.
Developers can engineer these latent-irradiance
materials so that they present a significant reverse-
engineering hurdle to those trying to replicate their
spectral and temporal response.
Generally, a phosphor matrix’s response is fab-
rication-process dependent, so that constituent
analysis only partially discloses information. In
addition, numerous masking and obfuscating meth-
ods can further thwart reverse-engineering efforts,
making this a robust means of authentication. A
potential future application that leverages this secu-
rity feature is to use a drive’s read-write laser as the
excitation source for DRM protection of content
on optical data storage media.
Laser-marked media
The disk indelible utility mark (DIUM) is a laser-
marking system that ablates a microscopic bar code
into the media’s magnetic recording layer. In one
sense, this is a high-tech cattle brand for media.
Figure 6 shows a magnified image of a DIUM on a
piece of flexible magnetic data storage media. Four
copies of the same code, which is several data tracks
wide, are ablated for redundancy at the disk’s inner
diameter.
This technology creates an unalterable media ser-
ial number that a drive’s magnetic head can read,
but the drive cannot replicate it with a magnetic
write operation. Because the mark, or code, is
ablated into the media, overwriting it with a mag-
netic tone does not erase it. In practice, the drive
firmware implementation of a DIUM-read consti-
tutes an AC overwrite of the mark to ensure that
the encode data is ablated and genuine.
The amortized costs of this technology for a
removable data storage cartridge can be as low as
one cent per disk. Analogous implementations for
optical phase change media are also possible.
Solid-state secure memory devices
The Iomega Peerless cartridge has a built-in
secure memory device that contains 192 bytes of
memory.1 Selectable portions of this memory are
fusible at the factory, providing absolute in-the-field
inalterability of those locations. Access to this
memory requires the drive’s firmware to engage in
a cryptographic challenge-and-response protocol
that unlocks the device’s secret key.
The secure memory device was developed for
financial transaction security in smart card appli-
cations such as cash-resident debit cards. Peerless
drives leverage the SMD’s unalterable feature to
provide a trusted source for the DRM media serial
number. All Peerless drives support commands for
query and return of this unique cartridge-resident
media serial number.
Figure 6. A disk indelible utility mark on Pocket Zip flexible media. DIUM creates
an unalterable media serial number that a drive’s magnetic head can read but not
replicate.
Time (µsec)
Intensity (volts)4.0V
3.6V (90%)
0.4V (10%)
t0
t1
t2
t = t1 – t2
t0 flood LED turned off
Figure 5. Typical temporal signal profile of a latent-irradiance material. The
detection circuitry for this signal can implement automatic gain control (AGC)
techniques. These implementations provide a significant level of system
measurement robustness with varying signal amplitude.
Any removable data storage drive that incorpo-
rates an SMD also can leverage this digital and
physical information safe by storing an assortment
of security information in it. These codes enable
many interesting data security applications includ-
ing robust DRM support. This SMD-embedded
information would include a series of crypto-
graphic keys and sequences as well as the cartridge’s
unique media serial number.
SMD-embedded codes offer an asymmetric,2 or
public-private encryption, technology that imple-
ments a secure-pipe delivery of the media serial
number to host PC DRM applications. In a secure
pipe, the media serial number is provided to the
DRM software application on the drive-attached
host PC in an encrypted string so that it is resilient
to attacks from software shims and emulators.
Content providers in the music, video, and pub-
lishing industries can use this technology to
robustly tie their content to an individual remov-
able data storage cartridge.
A cartridge-supported application of this tech-
nology stores a subset of public-key hashes on the
SMD to facilitate cryptographic drive authentica-
tion of software and hardware querying devices. To
support enterprise-centric data-security solutions,
a second portion of the secure memory device can
store encryption keys. This implementation specif-
ically addresses concerns about employees who are
intent on removing proprietary digital content. It
maintains the flexibility and transportability of data
within the enterprise that removable data storage
cartridge technology inherently provides.
Although SMD offers significant flexibility and
utility, the system architecture requires direct elec-
trical connectivity to the removable data storage
cartridge with the drive.
RELATIVE IMPLEMENTATION COSTS
Depending on the cost, technical, and market
requirements of a particular removable data stor-
age system, one system might prove more com-
pelling than another. For these systems, it is not
enough to have a low-cost tag technology; the
drive-based automated detection system must be
low cost as well.
Table 1 summarizes the approximate costs for
implementing these penny tag systems on a remov-
able data storage cartridge as well as in the mating
drive. The detection cost listed for latent-irradiance
tags assumes that a drive microprocessor is avail-
able with access to a multiplexed analog-to-digital
converter. The fourth column in the table is anno-
tated with six abbreviations that summarize the
principal obstacles of tag forgery and, hence, com-
promise of the tag system’s authentication attrib-
utes. The last column places an order of magnitude
estimate on the number of identifiable different
states that the tag technology and detection system
can support. The infinity symbol means at least tens
if not hundreds of bits.
I omega has developed a cadre of low-cost penny
tag technologies with associated low-cost auto-
mated detection systems for removable data
storage cartridge identification and authentication.
In particular, the latent-irradiance technique
remains under most active development at Iomega.
Patents issued to Iomega on the temporal signal
discrimination techniques for latent-irradiance sig-
nals make licensing this technology to third parties
for other applications a possible future direction for
this work. Potential applications include authenti-
cation or identification of items such as optical data
storage media, aerospace or nuclear facility fasten-
ers, factory authorized auto parts, critical con-
struction components, and financial and business
instruments such as checks and credits cards.
Field-operable detection devices for applications
without leverageable in situ electronics, such as a
disk drive, can be manufactured in low volumes at
July 2003
7
Table 1. Relative cartridge penny tag costs.
Technology
Tag cost ($)
Detection cost ($)
Authentication means
ID states
Written media serial no.
0.00
0.00
Low
∞
Retrotag
0.03
0.75
IP
1 bit
Holographic tag (X-LSD)
0.10
1.00
IP, CI, RE
3+ bits
Latent-irradiance tag
0.07
1.00
IP, CI, SRE
4+ bits
Laser mark (DIUM)
0.01
0.00
IP, CI
∞
Smart-card IC (SMD)
0.40
0.20 to 2.00
Encrypt
∞
Abbreviations: IP: intellectual property; CI: capital investment; RE: reverse engineering; SRE: significant reverse engineering;
Encrypt: encryption and other protected secret methods.
8
Computer
costs comparable to a volt-ohm meter ($20-$100).
With high volume production, such devices could
reasonably cost less than $10. The actual cost would
depend on the desired level of sophistication.
The higher cost of detection presently precludes
using powerless RF tags in removable data storage
cartridges, except in automated cartridge reposi-
tory management for enterprise and government
applications where information security and
accountability are at a premium.
Using security technologies always invokes the
issue of raising the bar relative to attack and com-
promise. Implementing a variety of such means in
tandem further raises that bar. A good example is
the implementation of more than 30 authentication
features for higher denominations of US currency.
Many believe that tag technologies provide inno-
vative physical identification and authentication
methods that have a high associated overall secu-
rity-to-cost quotient. The current use of these tech-
nologies in more than 350 million data storage
cartridges confirms their field worthiness. ■
Acknowledgments
I thank my Iomega colleagues who read the draft
of this article and made several useful comments and
contributions, especially Dave Griffith, Dave Hall,
Todd Shelton, and Tom Wilke. Iomega presently has
patents issued or pending on all the removable data
storage cartridge penny tag approaches described in
this article.
References
1. F. Thomas, “Peerless DRM & Enterprise Security-
Enabled Removable Data Storage Cartridges (A Dis-
cussion of Security Issues and Architectures for
Removable Data Storage),” Proc. RSA E-Security
Conf. 2002, RSA Security, 2002, www.rsaconference.
net/RSApresentations/pdfs/newthu1015_thomas.pdf.
2. B. Schneier, Applied Cryptography, 2nd ed., John
Wiley & Sons, 1996, pp. 21-46.
Fred Thomas is chief technologist in the Advanced
R&D Group at Iomega Corporation. He received
an MS in mechanical engineering from Bucknell
University. He holds 30 US patents. Thomas’s
research interests include developing technologies
that make magnetic recording in removable car-
tridge implementations more robust, novel optical
data storage techniques, low-cost sensors, and dig-
ital information security technologies and their
implementation. He is a member of SPIE and
ASME. Contact him at thomasf@iomega.com.
2
Computer
Penny Tag Technologies
for Removable
Data Storage
M anufacturers commonly use tags or
markers to authenticate and identify
commercial products. Some typical
applications for authenticating a prod-
uct’s source include visual holograms
on software packaging, fluorescent spectrally
encoded fibers in a garment’s brand label, and hid-
den microscopic brand marking of aerospace parts.
Applications that identify products, either indi-
vidually or within a class, are most ubiquitous in
retail and warehouse logistics. Retailers, manufac-
turers, and distributors spend more than $10 bil-
lion per year to purchase bar codes and their
associated systems for use in tracking countless bil-
lions of dollars in merchandise. These low-cost
structured ink markings allow for quick and reli-
able product identification within a virtually unlim-
ited inventory system. Radio frequency (RF) coil
tags are another product identification technology
used to reduce retail theft. In this case, sensors can
detect the tags if they were not deactivated when
the merchandise was purchased.
Authentication and identification technologies
have also found applications in removable data
storage. For example, cartridge identification sys-
tems can protect a drive from damage that inserting
a foreign object might cause. They can also help
manage forward and backward media format com-
patibility; let drives identify media types for reduced
spin-up and data-access time; and create unique,
unalterable, and authenticatable media serial num-
ber implementations for digital rights management
(DRM) and enterprise security. One beneficial
implementation of the technology is its use to
authenticate parts and prevent counterfeiting in var-
ious industries.
The primary difference between retail and
removable data storage applications is cost con-
straints. The applications for retail settings require
human intervention or instrumentation costing
hundreds, if not thousands, of dollars. However,
the authentication and identification of removable
data storage cartridges must be automated at a very
low cost.
The Massachusetts Institute of Technology
Media Lab has dubbed these low-cost authentica-
tion and identification technologies penny tags.
MIT’s ongoing program to explore and develop
penny tag applications and technology has evolved
into the Auto-ID Center (www.autoidcenter.org),
which focuses on establishing a low-cost RF ID tag
standard.
FIELD-PROVEN TAG TECHNOLOGIES
The varying requirements of specific systems have
driven the progression of Iomega’s penny-tag tech-
nologies, described in the “Evolution of Iomega
Removable Storage Products” sidebar. These tech-
nologies have different features, depending on the
requirements of a particular storage system.
Media unique serialization
High-capacity magnetic removable data storage
typically involves a factory servo write process and
a factory media verification process. These manu-
facturing processes can write a unique serial num-
Low-cost authentication and identification methods for removable data
storage cartridges are the focus of ongoing research. Unlike other security
methods, these “penny tag” technologies must be automated for use in a
removable data storage drive.
Fred Thomas
Iomega
C O V E R F E A T U R E
Published by the IEEE Computer Society
ber to the media in an area that is not rewriteable
by drives in the field, such as in areas for grey codes
and flagged sectors.
Iomega has applied these unique serial numbers
to all its removable magnetic media products dat-
ing back to the Bernoulli boxes of the 1980s.
Retroreflective tags
A retroreflective tag (retrotag) produces a struc-
tured or patterned reflection of light from the
removable data storage cartridge that disk drives
can uniquely discriminate from other types of
reflections. The “Patents for Removable Data
Storage Tag Technologies” sidebar provides addi-
tional information about patents on this and other
related technologies. The Iomega retrotag used on
Zip and Jaz cartridges has an array of corner
cubes molded into a clear, optical plastic tag. This
tag is similar to a roadside retroreflective safety
marker.
July 2003
3
The evolution of building cartridge identification and authen-
tication into a removable data storage drive at Iomega illus-
trates the varied requirements of this technology.
Initially, when Iomega’s researchers created the Zip 100
(super floppy), they felt that the drive needed a means other
than the cartridge’s physical size to discriminate between a func-
tional Zip disk and a foreign object. This was mainly because
the 3.5-inch floppy fit into the Zip drive media opening. A
floppy could, upon insertion, cause the drive to launch its read-
write heads onto the foreign object and destroy the drive.
Hence, the retroreflective tag (retrotag) was introduced and is
used on the Zip 100, Jaz 1 Gbyte, and Jaz 2 Gbyte
products.
The evolution of the Zip 250 and Pocket Zip (Clikl! 40
Mbyte) produced two new sets of requirements. The Zip 250
drive reduced data track size and differing data and servo fre-
quencies from the original Zip 100. Economics and the desire
to have Zip 100 media compatible with the new 250 drove the
decision to make it the same size and shape as the Zip 100 car-
tridge. However, inserting a Zip 250 cartridge into a Zip 100
drive would potentially destroy the drive. A technology that
would cause the Zip 250 cartridge to be ejected automatically
upon insertion into a Zip 100 drive was ultimately necessary.
This new tag system also needed to allow for Zip 100 inser-
tion into a Zip 250 drive and appropriate detection and access
to the previous generation cartridge.
Iomega needed to retain its foreign-object protection func-
tionality and, if possible, the ability to identify multiple types
of the new tag. This capability would be advantageous for
future cartridge backward and forward compatibility man-
agement scenarios.
The Pocket Zip 40-Mbyte drive’s small size and the reduced
working distances between the cartridge and any identification
system in the drive made the Zip 100 retrotag discrimination
physics unworkable. This product also needed to support the
licensed distribution of music content directly from recording
houses to consumers’ handheld play devices. This made authen-
tication of the media’s source part of the new technology
requirements.
These requirements in aggregate drove the development of
two parallel path tag technologies: the latent-irradiance-tag
and the holographic-tag (X-LSD). The ability of both tech-
nologies to support identification of multiple authenticatable
tag types opens the path for implementing various specialty
media types such as cleaning disks, computer access authenti-
cation disks, drive-calibration disks, and restricted drive
firmware upgrade paths.
The need for a technology that would offer an unalterable
media serial number source for robust DRM implementations
also fueled the development of the laser-marking technology or
disk indelible utility mark (DIUM) for the Pocket Zip. Most
recently, work on robust DRM and enterprise security imple-
mentations has focused on means for including source-protected
cryptographic keys within the removable data storage cartridge.
To this end, the Peerless cartridge includes a smart card-directed
secure memory with cryptographic authentication IC in its
design. This seems to be a good direction for removable media,
which has a native electrical interface with the drive platform.
Evolution of Iomega Removable Storage Products
Patents for Removable Data Storage Tag Technologies
The patents issued for retroreflective tags (retrotags) and other iden-
tification and authentication technologies for removable data storage
include the following:
• F. Thomas, Retroreflective Marker for Data Storage Cartridge, US
patent 5,638,228, Patent and Trademark Office, Washington, D.C.,
1997.
• F. Thomas, Thin Retroreflective Marker for Data Storage Cartridge,
US patent 5,986,838, Patent and Trademark Office, Washington,
D.C., 1999.
• F. Thomas and G. Dixon, Latent Illuminance Discrimination
Marker System for Authenticating Articles, US patent 6,264,107
B1, Patent and Trademark Office, Washington, D.C., 2001.
• F. Thomas, Readable Indelible Mark on Storage Media, US patent
6,324,026 B1, Patent and Trademark Office, Washington, D.C.,
2001.
4
Computer
Figure 1 illustrates retroreflection in contrast
with the two other principal types of reflection from
objects that might be inserted into a drive: specu-
lar and diffuse. Retroreflection is principally light
reflected back at the source of the illuminating radi-
ation. This property clearly defines the reflection’s
location, and its magnitude at that location is large
relative to what equivalently sized diffuse or spec-
ular reflectors would provide.
Another retrotag characteristic is that the illu-
mination and detection system’s location relative
to the tag is flexible. In Iomega drive implementa-
tions, a proximate LED and phototransistor/pho-
todiode pair are positioned on the drive printed cir-
cuit board (PCB) below the retrotag location on the
cartridge when the cartridge is fully in the drive.
As long as a significant portion of the LED irra-
diance is hitting the tag and the emitter/detector
pair is within approximately a 40-degree cone of
the tag’s centroid, the system works well as a reflec-
tion-type discriminator. This latitude in locating the
detection system provides flexibility in designing
future compatible drive platforms. It also allows a
generous tolerance of the retrotag’s alignment to
the detection system during manufacture.
The images in Figure 2 illustrate a bug’s eye view
of the reflection from a Zip retrotag from the loca-
tion where the LED is illuminating the tag in the
drive. A laser beam profiling software program and
a frame-grabber system based on a charge-coupled
device were used to generate these images.
The superposition of the array of 12 corner cubes
found on the tag creates the reflection’s hexagonal
structure. The hexagonal reflection’s size at the short
working distances used in drive implementations is
principally twice the diagonal size of the corner cubes.
To take advantage of this bright structured reflec-
tion, the detection device (phototransistor or pho-
todiode) must be proximal to the LED, which is
located at the hexagonal reflection’s center.
Therefore, the corner cubes’ size must be physically
matched to the separation distance on the PCB
between the emitter and detector the system uses.
In Figure 2, this distance is approximately 2.5 mm.
Figure 2 shows that the reflections from a retro-
tag are essentially localized to a small hexagonal
area. Based on this reflective localization, we can
create an even more effective discrimination sys-
tem by adding a second photodetector positioned
slightly outside this reflective lobe and using the dif-
ference between the signal inside the lobe and out-
side the lobe as the retrotag discrimination signal.
In fact, for the most difficult possible reflective
sources that this system is intended to discrimi-
nate—specular reflectors such as metal foil or a pol-
ished shutter on a 3.5-inch floppy disk—this system
enhancement improves performance significantly.
Figure 3a shows a contour plot for probability of
discrimination of a specular reflector from a retro-
tag for the original single-detector system, and
Figure 3b shows a contour plot for the differential
dual-detector system. A Monte Carlo analysis sys-
tem model generated these plots, which include
empirical data on the reflective variability of the two
different types of reflective markers among 20 other
system variables with their distributions modeled.
The white sloping bands in Figures 3a and 3b
Specular (mirrorlike)
Diffuse
Retroreflection
(b)
(c)
(a)
Figure 1. Principal types of reflection contrasted: (a) specular (mirrorlike),
(b) diffuse, and (c) retroflection.
Figure 2. Reflective irradiance pattern of Zip 100 retrotag. The reflected
irradiance in the structure is brightest in the hexagon’s lobes where the photo-
sensitive detector is placed.
denote the region of 100-percent specular reflec-
tive foreign-object discrimination as a function of
the system’s photodetector gain (y) and the retrotag
detection threshold voltage (x). These figures
demonstrate that adding a $0.20 phototransistor
to the design can broaden the 100-percent dis-
crimination band by more than 60-fold.
Holographic tags
The large geometric size (2.5 mm) of the corner
cubes used for reflection with the retrotag creates
a structured irradiance pattern around the illumi-
nating source LED. Holographic-tag technology
does principally the same thing but with signifi-
cantly more flexibility in the geometry of the struc-
tured, reflected light pattern. This follow-on
invention uses the combination of a tiny retrore-
flective array material (150 microns across corner
cubes) with a refractive holographic light shaping
diffuser (LSD) material. Laminating these plastic
film materials together creates a reflector, which in
turn creates an assortment of structured light pat-
terns upon reflection.
Figure 4 shows the reflected irradiance pattern that
an X Light Shaping Diffuser (X-LSD), a holographic
tag used on data storage cartridges, generates. The
point at which the axes cross is the illuminating
LED’s location. To use the X-LSD for tag identifica-
tion, three phototransistors are placed on the drive
PCB on three axes separated by 45 degrees around
the LED. The tag-cartridge identification is based on
reflective illumination of the phototransistors. In this
case, in which the tag has three photodetectors, the
system can detect eight separate states.
Latent-irradiance tags
Latent-irradiant materials—more commonly
described as fluorescent and phosphorescent—glow
after being irradiated with light. The characteristic
that distinguishes between fluorescent and phos-
phorescent materials is that the time period of light
re-emission is longer than 10–8 seconds for phos-
phorescent materials and shorter for fluorescent
materials.
The output spectra of different latent-irradiance
materials have a distinguishing amplitude profile
when illuminated with light having color within their
absorption bands. Stokes materials irradiate at wave-
lengths longer than the stimulating irradiance, and
anti-Stokes materials irradiate at shorter wavelengths.
Researchers have historically used the differen-
tiation in spectral profiles of various latent-irradi-
ance materials for authentication. For example, the
fluorescent fibers in a $100 bill glow red when they
are irradiated with a UV source. A respected British
scientist working in this area once told me that MI5
secret agents (made famous by the fictional agent
007, James Bond) wore phosphorescent authenti-
cation rings during World War II. In these cases,
July 2003
5
Figure 4. Reflected irradiance pattern for X-LSD
holographic cartridge tag. The point at which the axes
cross is the illuminating LED’s location.
Figure 3. (a) Single-detector cartridge discrimination performance (retrotag ver-
sus specular reflector). (b) Dual-detector cartridge discrimination performance
(retrotag versus specular reflector).
0
1
2
3
4
5
Detection threshold voltage (volts)
(b)
0
1
2
3
4
5
Detection threshold voltage (volts)
(a)
1
2
3
4
On-axis gain (volts/amp × 105)1
2
3
4
On-axis gain (volts/amp × 105)10
20
30
40
50
60
70
80
90
100
100
100
100
10-90
6
Computer
authentication requires using either simple visual
ID of a color or an elaborate and expensive photo-
spectral analysis instrument.
In Iomega’s patented technology for reducing the
cost of a drive-automatable ID and authentication
system, a single photodetector acquires a combi-
nation of spectral and temporal information from
a latent-irradiance tag. After illuminating the tag
with an LED within the tag’s absorption band, a
photodectector with a low-cost, dye-based poly-
mer filter can monitor both the decay time and the
temporal profile of the latent irradiance that the tag
emits.
Blending combinations or matrices of different
phosphor components can create multiple decay
profiles, much like combining discrete frequencies
in a Fourier series can describe any arbitrary piece-
wise temporal function. Figure 5 illustrates the typ-
ical exponential temporal decay profile of a single
constituent phosphor component used to create
such a matrixed latent-irradiance material. This
temporal information is extracted from the data
storage drive’s microprocessor to identify and
authenticate different tags types.
Security phosphors are a class of latent irradi-
ance materials typically used for authentication
on currency and other financial instruments.
Developers can engineer these latent-irradiance
materials so that they present a significant reverse-
engineering hurdle to those trying to replicate their
spectral and temporal response.
Generally, a phosphor matrix’s response is fab-
rication-process dependent, so that constituent
analysis only partially discloses information. In
addition, numerous masking and obfuscating meth-
ods can further thwart reverse-engineering efforts,
making this a robust means of authentication. A
potential future application that leverages this secu-
rity feature is to use a drive’s read-write laser as the
excitation source for DRM protection of content
on optical data storage media.
Laser-marked media
The disk indelible utility mark (DIUM) is a laser-
marking system that ablates a microscopic bar code
into the media’s magnetic recording layer. In one
sense, this is a high-tech cattle brand for media.
Figure 6 shows a magnified image of a DIUM on a
piece of flexible magnetic data storage media. Four
copies of the same code, which is several data tracks
wide, are ablated for redundancy at the disk’s inner
diameter.
This technology creates an unalterable media ser-
ial number that a drive’s magnetic head can read,
but the drive cannot replicate it with a magnetic
write operation. Because the mark, or code, is
ablated into the media, overwriting it with a mag-
netic tone does not erase it. In practice, the drive
firmware implementation of a DIUM-read consti-
tutes an AC overwrite of the mark to ensure that
the encode data is ablated and genuine.
The amortized costs of this technology for a
removable data storage cartridge can be as low as
one cent per disk. Analogous implementations for
optical phase change media are also possible.
Solid-state secure memory devices
The Iomega Peerless cartridge has a built-in
secure memory device that contains 192 bytes of
memory.1 Selectable portions of this memory are
fusible at the factory, providing absolute in-the-field
inalterability of those locations. Access to this
memory requires the drive’s firmware to engage in
a cryptographic challenge-and-response protocol
that unlocks the device’s secret key.
The secure memory device was developed for
financial transaction security in smart card appli-
cations such as cash-resident debit cards. Peerless
drives leverage the SMD’s unalterable feature to
provide a trusted source for the DRM media serial
number. All Peerless drives support commands for
query and return of this unique cartridge-resident
media serial number.
Figure 6. A disk indelible utility mark on Pocket Zip flexible media. DIUM creates
an unalterable media serial number that a drive’s magnetic head can read but not
replicate.
Time (µsec)
Intensity (volts)4.0V
3.6V (90%)
0.4V (10%)
t0
t1
t2
t = t1 – t2
t0 flood LED turned off
Figure 5. Typical temporal signal profile of a latent-irradiance material. The
detection circuitry for this signal can implement automatic gain control (AGC)
techniques. These implementations provide a significant level of system
measurement robustness with varying signal amplitude.
Any removable data storage drive that incorpo-
rates an SMD also can leverage this digital and
physical information safe by storing an assortment
of security information in it. These codes enable
many interesting data security applications includ-
ing robust DRM support. This SMD-embedded
information would include a series of crypto-
graphic keys and sequences as well as the cartridge’s
unique media serial number.
SMD-embedded codes offer an asymmetric,2 or
public-private encryption, technology that imple-
ments a secure-pipe delivery of the media serial
number to host PC DRM applications. In a secure
pipe, the media serial number is provided to the
DRM software application on the drive-attached
host PC in an encrypted string so that it is resilient
to attacks from software shims and emulators.
Content providers in the music, video, and pub-
lishing industries can use this technology to
robustly tie their content to an individual remov-
able data storage cartridge.
A cartridge-supported application of this tech-
nology stores a subset of public-key hashes on the
SMD to facilitate cryptographic drive authentica-
tion of software and hardware querying devices. To
support enterprise-centric data-security solutions,
a second portion of the secure memory device can
store encryption keys. This implementation specif-
ically addresses concerns about employees who are
intent on removing proprietary digital content. It
maintains the flexibility and transportability of data
within the enterprise that removable data storage
cartridge technology inherently provides.
Although SMD offers significant flexibility and
utility, the system architecture requires direct elec-
trical connectivity to the removable data storage
cartridge with the drive.
RELATIVE IMPLEMENTATION COSTS
Depending on the cost, technical, and market
requirements of a particular removable data stor-
age system, one system might prove more com-
pelling than another. For these systems, it is not
enough to have a low-cost tag technology; the
drive-based automated detection system must be
low cost as well.
Table 1 summarizes the approximate costs for
implementing these penny tag systems on a remov-
able data storage cartridge as well as in the mating
drive. The detection cost listed for latent-irradiance
tags assumes that a drive microprocessor is avail-
able with access to a multiplexed analog-to-digital
converter. The fourth column in the table is anno-
tated with six abbreviations that summarize the
principal obstacles of tag forgery and, hence, com-
promise of the tag system’s authentication attrib-
utes. The last column places an order of magnitude
estimate on the number of identifiable different
states that the tag technology and detection system
can support. The infinity symbol means at least tens
if not hundreds of bits.
I omega has developed a cadre of low-cost penny
tag technologies with associated low-cost auto-
mated detection systems for removable data
storage cartridge identification and authentication.
In particular, the latent-irradiance technique
remains under most active development at Iomega.
Patents issued to Iomega on the temporal signal
discrimination techniques for latent-irradiance sig-
nals make licensing this technology to third parties
for other applications a possible future direction for
this work. Potential applications include authenti-
cation or identification of items such as optical data
storage media, aerospace or nuclear facility fasten-
ers, factory authorized auto parts, critical con-
struction components, and financial and business
instruments such as checks and credits cards.
Field-operable detection devices for applications
without leverageable in situ electronics, such as a
disk drive, can be manufactured in low volumes at
July 2003
7
Table 1. Relative cartridge penny tag costs.
Technology
Tag cost ($)
Detection cost ($)
Authentication means
ID states
Written media serial no.
0.00
0.00
Low
∞
Retrotag
0.03
0.75
IP
1 bit
Holographic tag (X-LSD)
0.10
1.00
IP, CI, RE
3+ bits
Latent-irradiance tag
0.07
1.00
IP, CI, SRE
4+ bits
Laser mark (DIUM)
0.01
0.00
IP, CI
∞
Smart-card IC (SMD)
0.40
0.20 to 2.00
Encrypt
∞
Abbreviations: IP: intellectual property; CI: capital investment; RE: reverse engineering; SRE: significant reverse engineering;
Encrypt: encryption and other protected secret methods.
8
Computer
costs comparable to a volt-ohm meter ($20-$100).
With high volume production, such devices could
reasonably cost less than $10. The actual cost would
depend on the desired level of sophistication.
The higher cost of detection presently precludes
using powerless RF tags in removable data storage
cartridges, except in automated cartridge reposi-
tory management for enterprise and government
applications where information security and
accountability are at a premium.
Using security technologies always invokes the
issue of raising the bar relative to attack and com-
promise. Implementing a variety of such means in
tandem further raises that bar. A good example is
the implementation of more than 30 authentication
features for higher denominations of US currency.
Many believe that tag technologies provide inno-
vative physical identification and authentication
methods that have a high associated overall secu-
rity-to-cost quotient. The current use of these tech-
nologies in more than 350 million data storage
cartridges confirms their field worthiness. ■
Acknowledgments
I thank my Iomega colleagues who read the draft
of this article and made several useful comments and
contributions, especially Dave Griffith, Dave Hall,
Todd Shelton, and Tom Wilke. Iomega presently has
patents issued or pending on all the removable data
storage cartridge penny tag approaches described in
this article.
References
1. F. Thomas, “Peerless DRM & Enterprise Security-
Enabled Removable Data Storage Cartridges (A Dis-
cussion of Security Issues and Architectures for
Removable Data Storage),” Proc. RSA E-Security
Conf. 2002, RSA Security, 2002, www.rsaconference.
net/RSApresentations/pdfs/newthu1015_thomas.pdf.
2. B. Schneier, Applied Cryptography, 2nd ed., John
Wiley & Sons, 1996, pp. 21-46.
Fred Thomas is chief technologist in the Advanced
R&D Group at Iomega Corporation. He received
an MS in mechanical engineering from Bucknell
University. He holds 30 US patents. Thomas’s
research interests include developing technologies
that make magnetic recording in removable car-
tridge implementations more robust, novel optical
data storage techniques, low-cost sensors, and dig-
ital information security technologies and their
implementation. He is a member of SPIE and
ASME. Contact him at thomasf@iomega.com.